Privacy Worries Cost Companies Real Money

It’s easy to get a business executive’s attention: Just take away the money. It’s one of the great equalizers because it doesn’t matter what race, nationality, gender, or religion describes the executive. If you start taking money off the table, you have their attention.

According to a new study released by Cisco, concerns about privacy are now doing just that around the world. In fact, nearly two-thirds of the businesses surveyed — 65 percent — said that privacy concerns are lengthening sales cycles and adding significant delays to sales. And when it comes to the sales cycle, time is, indeed, money. How much money are we talking about, here? A lot. The companies surveyed reported that, on average, privacy concerns are adding 7.8 weeks to their sales cycle. Those weeks matter in the hyper-competitive markets in which most companies now operate.

As with most things, the exact delay differs depending on the industry involved; government and healthcare report the longest delays. And there’s another factor adding to the delay being thrown into so many sales processes: GDPR is coming and few organizations know precisely how it will ultimately affect their sales.

But with all those differences and uncertainties, the one constant is that privacy concerns are expensive. The great variable, it seems, is how mature an organization’s privacy regimen is. Companies with mature, well-developed privacy policies and practices suffer delays that are about one-quarter of those of companies with ad hoc or immature privacy practices.

Given the potential effects of these delays on sales and revenues, Cisco advises organizations to take the following steps:

  • Measure current delays: Assess the scope of sales delays due to data privacy issues and understand how much sales revenue might be affected by the delays.
  • Assess root causes: Portions of a delay may be caused by sales teams being unable to address customer concerns, incomplete or inaccessible corporate policies, or engineering/design issues. Executives need to know root causes to determine resolutions.
  • Establish ongoing metrics and targeted initiatives: Regularly measure and track the sales delay metric, and set priorities for appropriate investments to reduce the delays.
  • Explore effects on cyber losses: Assess the cause of any data breaches and losses that might have been avoided through more mature data privacy processes.
  • Develop a data privacy and protection plan: If such a plan does not currently exist, plan to create policies and protocols that contribute to good security hygiene.

All of this starts, though, with simply paying attention. It’s far too tempting to assume that privacy is someone else’s problem, or that the most cost-effective strategy is to wait until there’s a problem and just pay the piper. What this study shows is that the piper is always there holding out a hand for more cash — and it’s easy enough to cut down the bill for this particular set of tunes.

Spear Phishing Gets Worse

We’re all pretty much used to phishing email messages — the steady stream of mail telling us that we’ve won something from Amazon or Microsoft, or that our bank (or credit card company, or…) needs us to verify all our personal information to keep them from freezing our account. If you pay attention at all, run-of-the-mill phishing attacks are pretty straightforward to avoid.

Spear-phishing is another matter. A carefully crafted spear-phishing attack using personal information, spoofed to appear to come from a trusted business associate or internal email address, can fool even the most diligent individual. For most of us, spear-phishing is a remote danger because it’s a labor-intensive tactic that tends to be used against high-value individuals who control high-value assets.

For those in war zones or politically troubled regions, though, spear-phishing can be a constant threat. Researchers at RiskIQ have identified individuals in Turkey who were the targets of a sophisticated spear-phishing campaign. The mechanism was fairly simple and common — a message that appeared to be from a known address (in this case, the tax collection office) containing an Excel spreadsheet. And it’s that spreadsheet that started the real attack.

The spreadsheet was the host of a RAT — a remote-access trojan — that embedded itself on the victim’s computer. Once that happens, the victim’s computer might as well be sitting on the attacker’s desktop. The RAT used in the Turkish attacks is the same one used in earlier attacks against Asian targets. It’s assumed to have been developed by hackers in China and has been used in a growing number of attacks against political targets.

This series of attacks marks an escalation of spear-phishing as a tool of cyber spies and political operatives. And it has some significant implications for officials, politicians, and political staffers in the U.S. The year 2018 is a mid-term election year, and by now it’s well known that international agencies were involved in the 2016 U.S. elections. It’s a safe bet that there will be more attacks this year and that they will be more sophisticated than those in 2016.

So what are we supposed to do with information like this? Prepare. Pay attention to research reports on new attack methods, new payloads, and the victims who weren’t as prepared as you. Educate your employees on what to look for and (here’s the important thing) turn up the wick on the paranoia level. Assume that every message coming in is from an attacker and act accordingly.

On the one hand, all this paranoia will be a pain and will probably hasten the decline of email as a valuable messaging medium for business. On the other hand, it’s a pain that pales in comparison to seeing embarrassing information leaked to political opponents, knowing that critical business secrets have been stolen, or helping employees and customers recover from stolen PII.

Encryption’s Double-Edged Sword

In my last piece for Security Now I wrote about the need to encrypt everything. The reasons for being in favor of encryption are pretty straightforward and have been written about countless times — let’s just say that the bad guys are skilled, plentiful, and probably already in your network. If you want to have any hope of keeping your organization’s data safe, you need to have an encryption protocol in place.

With that said, encryption isn’t without its drawbacks. One of the more important is that encryption can mask malicious payloads as easily as it protects sensitive private data. Typical solutions to the problem include terminating VPN tunnels and decrypting data to let it pass through IPS, filter, or firewall appliances, then re-encrypting it before sending it down the wire. That can be a functional approach, but it carries serious performance costs and it adds enormous complication if you’ve decided to embrace micro-segmentation with encryption (and, in theory, security stages) between every component of the application.

That’s why today’s announcement from Cisco is important. The company’s Encrypted Traffic Analytics (ETA) — technology that allows encrypted traffic to be scanned for malicious content without being decrypted — has been around since mid-2017 in the company’s big campus-level switches. Today, though, Cisco announced that ETA is available on the bulk of its enterprise routing platforms, including branch office routers (the ISR and ASR) and virtual cloud services routers (CSR).

Cisco isn’t alone in noting the importance of scanning and protecting encrypted network traffic. SonicWall has encrypted traffic inspection in its enterprise firewalls. Other vendors, like F5, note the importance of looking into encrypted streams but do so by terminating and inspecting tunnels at high speed.

The announcement today is important for Cisco customers but in the long-term it’s meaningful because it increases the pressure on other infrastructure vendors to develop and include similar capabilities in their switches and routers. There’s no question that encryption is going to become SOP for most organizations. If it’s easier to inspect those encrypted data streams for malicious content (as well as impermissible content heading out of the organization), then the shift to encrypted data will be faster and the benefits will be greater for everyone — except the bad guys.