BizTech Magazine - Technology Solutions That Drive Business
Black Hat 2020: Security Needs Better Data for Better Policies
<p>One thing that binds business leaders together, regardless of company size or industry, is that they have to make key decisions. From personnel choices to budget priorities, leaders are constantly examining data and deciding between different options.</p> <p>But what if the information they’re basing their decisions on is skewed? What if it doesn’t take the right things into consideration? What if the data isn’t accurately represented?</p> <p>That is exactly what is happening when it comes to security, according to research presented this week at <a href="">Black Hat USA 2020</a>. <a href="" target="_blank">Virginia Tech University</a> professor and <a href="" target="_blank">Cyentia Institute</a> co-founder Wade Baker said that some well-known cybersecurity statistics, such as the notion that 60 percent of small businesses close within six months of a data breach, are widely repeated despite the original source of the information being unclear. To put that number into perspective, he said that early studies have shown that up to 50 percent of small businesses have been forced to close as a result of the COVID-19 pandemic.</p> <p>“So this, in a sense, is saying that a single cyberattack is more disastrous for a small company than months and months of lost business from COVID,” Baker said. 
“And you can see why this would potentially drive some policy changes.”</p> <p>Baker and Cyentia senior data scientist David Severski detailed why organizations may not be looking at security data the right way, and how to change that to ensure that business leaders are making the right decisions.</p> <h2>Security Data Focuses on the Wrong Things</h2> <p>Presenting the cost of an average breach can be a good way to convince business leaders to take security seriously. However, that cost is often calculated on a cost-per-record model. That model is flawed, Severski said.</p> <p>For example, a report released earlier this year calculated that cloud misconfigurations cost companies $5 trillion from 2018 to 2019. Severski said that while that may seem reasonable across 196 breaches and 33 billion records being exposed, it doesn’t necessarily make sense if you take it a step further.</p> <p>“For instance, $5 trillion is 25 percent of the U.S. gross domestic product. That’s huge,” Severski said. “Speaking from a world economy perspective, that’s 3.5 percent of the global economy, or to put it into a different perspective, that is $1.5 trillion more than the U.S. spends on healthcare alone.”</p> <p>Severski said that this number is calculated from an average cost per record of $150, but using that average doesn’t provide a clear picture because the costs of breaches vary too widely.</p> <p>“It is very spread out,” said Severski, adding that while a cryptocurrency breach cost $50 million per record, another breach cost only 3 millionths of a cent per record.</p> <p>“Taking $150 cost per record is flat-out wrong,” he said. 
“And actually, it greatly underestimates the cost of large breaches and overestimates the cost of small breaches.”</p> <p>Those overestimates and underestimates can lead to ill-informed policies and priorities.</p> <h2>How Security Data Needs to Change</h2> <p>If the typical way breaches are assessed doesn’t show the whole picture, how should professionals be looking at security data? In their research, Severski and Wade found that changing the focus of the metrics is beneficial.</p> <p>“We can say for the day that we have in our dataset of real, publicly disclosable breaches, the typical cost is about $200,000,” Severski said. “Now, if you compare that against the average loss, which is just taking all the losses and dividing it by the number of events that we have, we have an average loss of $19 million. And that’s saying that 9 out of 10 breaches are less than what is the average or typical loss here. So using a standard arithmetical mean, if you want to be fancy about it, or a typical average is a bad way of estimating losses.”</p> <p>The goal isn’t to downplay cyberthreats, Severski said, but rather to better understand what that threat actually is. From there, business leaders can make better decisions for their organizations.</p> <p>“We can actually do better,” he said. “This is a very exciting time in terms of where the industry is at a maturity level. Risk managers, policymakers, security researchers can do better than this.”</p> <p>“We can create much better models and actually have much better policy decisions that are driving from these models,” Severski said.</p>
Keara Dowd
Businesses Deploy Biometrics to Secure Facilities
<p>Goodbye passwords and ID cards. 
As organizations look for better ways to secure their facilities, users themselves are becoming the vector to check through biometrics.</p> <p>It’s already present in the workplace: 62 percent of companies in North America and Europe use biometric automation today, and an additional 24 percent plan to use it within two years, according to a <a href="" target="_blank">Spiceworks</a> survey of about 500 IT professionals.</p> <p>Brett Beranek, general manager of security and biometrics for <a href="" target="_blank">Nuance</a>, likens biometrics to what happens if your mother walks through the front door of your home. “You don’t ask her for ID. You don’t ask her for a password. All we’re doing with biometrics is normalizing interactions between technology and human beings to be the same as when human beings interact with human beings,” he says.</p> <p>Of those using biometrics for authentication, 17 percent use it on time clock systems, 11 percent on door locks for server rooms and 9 percent on doors elsewhere in the office, according to Spiceworks.</p> <p>Given that 46 percent are using fingerprints and facial recognition to unlock smartphones, it seems likely that more office workers will soon use biometrics to access facilities too.</p>
Jen A. Miller
Black Hat 2020: CISO Summit Advisory Board Members Reflect on the State of Security
<p>Cybersecurity is always evolving, and that evolution has rapidly accelerated as much of the world has shifted to widespread remote work. As part of Black Hat USA 2020, <em>BizTech</em> spoke with advisory board members of the event’s CISO Summit about the state of the industry. 
<strong>Wendy Nather</strong>, head of advisory CISOs at <a href="" target="_blank">Cisco’s</a> Duo Security; <strong>Trey Ford</strong>, vice president of trust and strategy at <a href="" target="_blank">Salesforce</a>; and <strong>Justine Bone</strong>, CEO of <a href="" target="_blank">MedSec</a>, discussed current security trends, the evolving role of the CISO and what they believe businesses should be preparing for.</p> <h2><span style="color: #c74037;">BIZTECH:</span> What would you consider the biggest cybersecurity challenge facing organizations today?</h2> <p><strong>NATHER</strong>: Even in periods of stability, it’s a challenge for organizations to keep up, and right now many of our assumptions and priorities are being turned upside down. Remote access, supply chain problems, business losses and lack of physical and cross-border access are front and center for most CISOs.</p> <p><strong>FORD</strong>: As cloud migrations pick up steam, I’m specifically concerned about how critical-path control sets (e.g., monitoring and logging) are being shared and managed. While third-party specialty service providers are generally a good thing, it creates new dependencies, failure modes and obstacles for recovering from unplanned outages.</p> <p>For example, companies typically have different teams building infrastructure as code in the public cloud than the ones responsible for building apps on top. The systems and services in use out in the public cloud often have a lot more surface area in terms of third-party and open-source libraries, as well as public API endpoints you no longer control.</p>
Keara Dowd
The Role of Social Responsibility in the Nonprofit Playbook
<p>We live in a world where people now expect more from the organizations that they support.</p> <p>Going back 15 or 20 years, it would have been rare for a CEO to publicly weigh in on a social issue. But times are changing. 
<a href="" target="_blank">A 2016 study from the Public Affairs Council</a> found that corporations have felt increasingly compelled to speak out on social issues.</p> <p>The reason for this? A growing focus on social responsibility decades in the making. Driven by public sentiment, companies care more than ever about how they are perceived in broader communities. And to achieve this, they’re looking to work with nonprofits that reflect their values. This has long been true, including for CDW, but its importance is growing as companies want to stand for something larger than the bottom line.</p> <h2>The Importance of Technology-Driven Corporate Partnerships</h2> <p>In many ways, the increased partnership between nonprofits and corporations has been positive. Nonprofits are often on the front lines trying to make a difference on broader humanitarian and societal issues, and to bring awareness for medical cures. Corporate support also provides a buffer during times when charitable giving faces gaps — something that is a serious concern during the economic downturn caused by COVID-19. The pandemic has not only placed financial stress on traditional sources of charitable giving, but it has also prevented traditional in-person fundraising events, such as galas and charity runs, from taking place.</p>
Jon Myalls
It's Time for Businesses to Eliminate Dark Data
<p>Data backup has undergone a major transformation during the past decade. Backup now means so much more than just storage; it also includes privacy, protection and compliance. 
Organizations today must have a strong data protection strategy in place, or risk IT complexities that could prove costly.</p> <p>The fact is, regulations such as the <a href="" target="_blank">California Consumer Privacy Act</a> and the <a href="" target="_blank">General Data Protection Regulation</a> have opened the door for millions of dollars in fines, making data compliance imperative for all organizations.</p> <p>By now, the GDPR is well known. But less is understood about the CCPA, which took effect in January. As enforcement gets underway, organizations must adhere to the regulations or risk facing consequences. With additional states now seeking to implement similar laws, all data must be organized and classified to meet consumer demands under these regulations.</p>
Doug Matthews
Get Quick Wins with the Data Your Nonprofit Has Already Gathered
<p>In many ways, nonprofits are lean, mean, data collecting machines, gathering information on donors and their habits <a href="">through an array of approaches</a>.</p> <p>The problem, however, is finding ways to turn that data into something that will truly impact the overall mission.</p> <p>This is where many nonprofits struggle. <a href="" target="_blank">As a Nonprofit Hub survey explains</a>, charitable organizations use sources as diverse as email, donor management software and online fundraising tools to collect data. However, just 40 percent use that data for making decisions on a regular basis. 
Nearly half (46 percent) rarely use data for decision-making at all.</p> <p>That means that many nonprofits have a significant amount of information about donors that may be left unused — <a href="">even though that data could help</a> in big ways.</p> <p>Many nonprofits could benefit <a href="">from Big Data tools</a>, but if data analysis is new to them, they may not know where to start.</p> <p>These three tactics offer a useful jumping-off point for your own strategic ambitions.</p>
Ernie Smith
Reining in the IT Infrastructure Cost of 2020’s Business Disruptions
<p>Businesses have been adjusting nearly nonstop to the various disruptions that have defined 2020 so far. In this CDW Tech Talk, explore practical insights and recommendations that every IT shop can implement to help rein in the costs of supporting an increasingly distributed workforce. Find our full coverage <a href="" target="_blank">here</a>.</p>