why is cyber security a disruption in the digital economy

Upload: mark-albala

Post on 15-Apr-2017

Category:

Leadership & Management


Page 1: Why is cyber security a disruption in the digital economy

1 | Page | The Digital Economy and Cybersecurity

Why is Cyber-Security a disruption in the digital economy?

Mark Albala

President, InfoSight Partners

Introduction

As we enter the digital economy, companies will quickly realize that its differentiator is information, and that information, being a valuable resource, is subject to theft, hacking, phishing and a host of other issues that compromise a company’s ability to participate in the digital economy. Cybersecurity misfires compromise the trust of buyers and partners that participation in the digital economy requires. It is up to every company to ensure that the information shared with it is protected to the best of its ability, and to proactively notify the persons and organizations who entrust it with the information necessary to transact business (any personal identity information, including but not limited to addresses, credit card information, social security numbers, account information, credit information and medical records) of any potential compromise that could harm them, whether the information is used maliciously or shared with others.

The digital economy is different from other versions of commerce because in the digital economy information is the lifeblood of digital commerce, and it passes through the hands of the many platforms involved in a digital event. Each of these platforms is an opportunity to wreak havoc on your well-intended but incomplete efforts to protect the information contained within the network you control. In the digital economy, it is not only the network you control that matters, but also the platforms that touch the personal data entrusted to you as a means of enabling digital commerce, and several techniques have begun to emerge to protect personal information contained within your information domain and the domain of platforms participating in digital commerce.

Because the lifeblood of the digital economy is information, information hacked in the digital economy is akin to shrinkage in the legacy economy. Both are means to directly attack your bottom line, whether by redirecting customers elsewhere because they don’t trust your privacy program, by ransomware which makes your site or one of your partner platform sites dangerous to use, or for some other reason which challenges your ability to participate in the digital economy. Shrinking the potential market share because of information safety and security challenges is a disruption, making cyber-security a disruptive activity, particularly if it is not dealt with swiftly.

If your cyber-security program is focused entirely on protecting the information housed in your four walls, you have exposed yourself to problems whose source and entry point you will have difficulty identifying.

Current State of Cyber-Security

Cyber-security has been getting a fair amount of attention recently, and for good reason. The number of hacks leaking personal information, delivering ransomware and launching denial-of-service attacks has been on the rise. Those who are intent on conducting cyber-attacks have become more creative, even though the entry point for many of the security-based problems is email. 77% of hackers surveyed (Blackhat survey, 2017) believe that no password is safe from hackers, or the government for that matter.

Some cyber-security statistics to ponder (Hewlett Packard Enterprise, 2016) are:

• 2016 is a pivotal year changing the conversation from credit card theft to identity theft. This shift is a direct result of the size of the footprint a consumer has in the digital economy. Consumers have been educated on the risks associated with sharing information digitally and are beginning to be selective in where their identity is stored.

• 2016 is a pivotal year changing the focus of security fixes from point fixes (i.e., virus protection libraries downloaded to PCs) to a broader defensive approach that prevents entire classes of attacks.

• 2016 is a pivotal year which brought cyber-security to the forefront of the political landscape.

• Vendors instituting cyber-security solutions are still focused on patching, and should shift their focus quickly. But the burden will be on the consumer until this shift occurs.

• Attackers have shifted their efforts to directly attack applications that serve enterprise data. For the time being, this is lucrative, because over one third of the enterprise applications have exhibited at least one critical or high severity security vulnerability. The number of commercial applications exhibiting these vulnerabilities increases dramatically in the open source arena, where over 80% have flaws with serious implications for the management of private data.

• The digital economy has resulted in payment systems, bitcoin repositories and Automated Teller Machines becoming a more common source of attack because of the direct monetization of this malware.

The need for initiatives focused on the eradication of cyber-security threats has gained prominence. However, in many organizations, these will be multi-year programs initiated with the 2017 budget cycle, leaving those intent on causing harm plenty of room.

Common methods used to gain access to your data

You should not be left panicking, but should rather take some actions to watch for specific means of attack on your organization which will leave trails that you can remediate now. Some of the more common approaches gain access to your data using the following strategies:

• Redirecting a web, mobile, Internet of Things (IOT) device or email session to a malicious web page which gives access to information behind the firewall.

• Injecting code into a web, mobile, IOT device or email session to perform malicious activities.

• Attacking insufficient web, mobile, IOT device or email management controls, thereby capturing passwords, session ids or other key information through cookies and other means.

• Writing files on the computer utilizing a web, mobile or email session that collects information and transmits it through an application loaded on the computer.

• Executing remote code which collects information via the remote code loaded into a mobile, email or web session.

• Requesting information by promising false claims, which is commonly returned through email.

• Introducing malicious code into a web cache.

• Capturing control of a router, computer or collection of IOT devices to deny service.

These methods of security breach leave an audit trail, which should serve as a proactive defense in an organization’s information arsenal. Companies that do not make cybersecurity a major component of their information arsenal will find themselves appearing in the list of companies shown in figure 2.

Some concerns in cyber-security (SANS Institute, 2014) are:

1. RFID skimming, which uses mobile and wireless techniques to access information

2. USB devices which introduce malware to connected and unconnected systems

3. Hacks introduced through the internet of things, such as embedded systems, proximity sensors, smart devices and a host of emerging products. All of these have one thing in common: they have less room for complex code because of their limited computing footprint.

4. Hacks which attack digital payment systems such as bitcoin. These attacks result in theft of digital payments or virtual stockpiles of digital cash (i.e., bitcoin).

5. Point of Sale malware introduced through one of the participants in a digital transaction

6. Targeted hacks which use email as an entry point to deliver malware, keyboard trackers or other hacks.

7. Social media sites which harvest personal information, thereby utilizing the social media site as a hack.

8. Webmail account takeover

What should be done now

If it isn’t obvious, cyber-security attacks may not start with your data. Because the lifeblood of the digital economy is information, cyber-security attacks take on a different level of importance than they have in the past, and organizations need to rethink their cyber-security approaches. Some of the things companies can do are:

1. Assign a person to be responsible for eradicating cyber-security threats. There will be resistance from inside the organization because it will require changes to digital products launched and could impact both the costs and timelines for delivered commerce exchanges, so the person assigned to this role must have sufficient organizational teeth to foster the change and expect compliance to any recommended alterations to cyber-security capabilities.

2. Institute the cyber-security defenses advocated by the National Institute of Standards and Technology; a revised framework (version 1.1 was proposed in January 2017) can be found at http://nist.gov/cyberframework. Version 1.1 is still in draft form, and focuses on the ability to govern, assess risk, educate and eradicate risks when they occur.

3. Construct metrics to manage the dwell time, which spans the time at which a company is hacked, the time when the hack is detected, the time to dispense with the hack and the time to communicate the attack and deliver a remediation plan to those impacted. The purpose of these metrics is to drive down the time required to deal with cyber-security threats.

4. Run test cyber-security attacks, which exercise the platforms participating in your digital commerce, whether they are on your site or at a partner handling a component of your digital commerce. If a partner is unwilling or unable to remediate exposures, be prepared to work with an alternative partner to handle the component of your digital fabric handled by that partner.

5. If you use a data lake as part of your data ecosphere, you have an especially high risk because most of the security frameworks you have in your environment do not provide the same stringency of security to the data lake. It is strongly suggested that you adopt an encryption strategy for any personally identifiable information written to the data lake, whether it is in the right columns or not. Some method of identifying PII data, through patterns or other means, is necessary, because credit card numbers, bank routing numbers, social security numbers and other information written to intended fields, comment fields or other columns because of limitations of feeder systems will be a time bomb if not addressed as soon as possible.

6. If critical information containing PII data is stored on LANs and computers managed by your employees, your security plan against cyber-security threats is only as strong as the weakest link in your plan. If your employees have laptops and they infect their laptop off premises, they can introduce cyber-security issues when they return to the office, whether on premise or remotely.

7. If you provide access to your network and critical customer data to your agents and partners, you must have your cyber-security plan reach the computing platforms operated by them as well.

8. Hide the candy. If you move personally identifiable information (PII) around your network for analytical purposes, encrypt the PII so that, should it be hacked, the level of exposure is mitigated. If that information is required, those really needing it can get it from a tightly secured area.

9. Look into solutions that predict the most likely methods of attack based on your software portfolio, network infrastructure and the platforms participating in your digital and legacy channels of commerce. These solutions (SAIC, BitSight, Cyberisk to name a few) should be researched to either obtain them or determine what features your cyber-security arsenal requires to be effective.
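An added example, not part of the original paper: one way to implement the pattern-based PII identification described in item 5, flagging card numbers, social security numbers and bank routing numbers that land in columns not intended for them. The column names, the three detectors and all sample values are constructed assumptions.

```python
import re

# Loose candidate patterns; each hit is confirmed by a checksum or structural
# rule so free-text columns do not drown reviewers in false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
ROUTING_RE = re.compile(r"\b\d{9}\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def aba_ok(digits):
    """US bank routing number checksum (weights 3, 7, 1 repeating)."""
    weighted = sum(int(c) * w for c, w in zip(digits, (3, 7, 1) * 3))
    return digits != "0" * 9 and weighted % 10 == 0

def ssn_ok(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def find_pii(text):
    """Return the sorted kinds of PII whose pattern and check both match."""
    kinds = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            kinds.add("card")
    if any(ssn_ok(*m.groups()) for m in SSN_RE.finditer(text)):
        kinds.add("ssn")
    if any(aba_ok(m.group()) for m in ROUTING_RE.finditer(text)):
        kinds.add("routing")
    return sorted(kinds)

def scan_record(record, pii_columns):
    """Map each column outside pii_columns to the PII kinds found in it."""
    findings = {}
    for col, value in record.items():
        if col not in pii_columns and isinstance(value, str):
            kinds = find_pii(value)
            if kinds:
                findings[col] = kinds
    return findings

# Constructed sample rows; "notes" stands in for a free-text field.
ROWS = [
    {"id": 1, "card_number": "4111 1111 1111 1111", "notes": "prefers email"},
    {"id": 2, "card_number": "", "notes": "phone order, card 4111-1111-1111-1111"},
    {"id": 3, "card_number": "", "notes": "SSN 123-45-6789; routing 123456780"},
    {"id": 4, "card_number": "", "notes": "order ref 1234567890123456 shipped"},
]

if __name__ == "__main__":
    for row in ROWS:
        print(row["id"], scan_record(row, pii_columns={"card_number"}))
```

Columns flagged by `scan_record` are the ones to encrypt or mask before the row is written to the data lake; row 4 shows a 16-digit order reference that the Luhn check correctly leaves alone.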

Devising metrics to improve your ability to detect and eradicate cyber-security threats

One of the common themes in treating information as an asset of the organization is percolating metrics used as a means to improve the valuation of information. Having information assets hardened to the challenges of security is one form of eradicating resistance to consuming information.

Some metrics that can be used to manage an organization’s information assets are:

1. Number of detected intrusion attempts per day

2. Number of infections per device per day

3. Number of times per year the security and privacy rules of the organization are reviewed

4. Number of times per year key personnel are reminded of their obligations to oversee security

5. Average elapsed time from intrusion / infection to detection

6. Average elapsed time from detection to intrusion closure / disinfection

7. Average number of personal identity information (PII) items not in the intended locations

8. Average number of PII violations per industry and / or country of origin regulations

9. Number of known and unhandled security vulnerabilities

10. Number of properly configured secure socket layer (SSL) certificates

11. Percentage of peer to peer file sharing as an overall percentage of corporate network activity

12. Percentage of people with super user access

13. Average number of days it takes to eliminate access to information on the organizational network

14. Average number of times per year high security profile people are reviewed

15. Times per year access permissions are reviewed

16. Number of open ports into the network and on machines with access to the network

17. Number of third party software products not scanned for vulnerabilities prior to deployment

18. Number of times per month suppliers and vendors are reviewed for security issues

19. Number of times per month vendor and partner security controls are reviewed for issues

20. Percentage of partners, vendors and customers having access to, and storing, information on the network who are reviewed for security issues

The Metrics chosen should:

• Be actionable: they should be devised to allow decision makers to take swift action to thwart cyber-security risks.

• Be definable in numbers to measure improvements in your cyber-security program.

• Be aligned with the information intents of the organization.

• Be repeatable: they should be collectible and automatable at a reasonable cost.

• Be sufficiently granular so that the programs devised to thwart cyber-security risks can be identified as helping the cause through metrics.

What’s at Risk

It is easy to find examples of cyber-security attacks in the marketplace, attacks on businesses and the government.

Some of the more devastating cyber-attacks have been:

• Yahoo had 1.5 billion accounts hacked, which put a buyout by Verizon at risk.

• Sony had unreleased films stolen, as well as the identity of 10 million employees and partners.

• The US Office of Personnel Management was hacked twice. One of these attacks resulted in the theft of digital fingerprints.

• If you think the government is immune, the White House, the Army, the Democratic National Caucus and the hacking software published by the NSA were hacked.

• Target had 40 million credit card accounts hacked.

When to start

It is important to get started now. The inflection point, when hacking as a means of exposing information to steal a component of digital commerce became an exposed issue, was most probably in 2015. If you participate in digital commerce, the risk is that customers, partners (including partners delivering one or more of the platforms used to deliver digital content and commerce), financiers and vendors within your supply chain will be unwilling to expose their information to you if you have not performed demonstrable diligence on your ability to protect information provided to you for conducting digital commerce.

Those who participate in digital commerce and have not performed the necessary due diligence will be disrupted by the avalanche of hacking attempts and by the number of these attempts that have exposed them and their customers, partners and others to the risks of their inability or unwillingness to take the necessary actions. Those who participate in others’ digital commerce by delivering a necessary platform to their digital commerce activities will find the use of their platform dwindling if they let the risks of cyber-security infect the digital commerce ecosphere of those using their platform for digital commerce.

About the Author

Mark Albala is the President of InfoSight Partners, LLC, a business consultancy which provides financial and technology advisory services devised to facilitate focus into the value of information assets. InfoSight Partners is led by Mark Albala, who has served in technology and thought leadership roles and serves as an advisor to analyst organizations. Mark can be reached at [email protected].