Focus needs to shift to breach impact, says McAfee researcher

Breach investigations commonly focus on the attackers and their motives, but a security researcher believes there needs to be more emphasis on business impact

All too often, cyber attack and breach investigations centre on who was responsible and why they carried out the attack, rather than on what the attack did to the business, said Raj Samani, chief scientist and fellow at McAfee.

“In the WannaCry attacks, 8,000 medical procedures were impacted and patients in hospital were cut off from the internet, which had a significant effect on their sense of well-being. That is what should have been the focus of the story, and yet impact is seldom the focus,” he said.

“We should be focusing more on the business impact,” he told Computer Weekly, predicting that the Equifax breach will become a top business case study for students of information management and security, replacing TalkTalk and TJX.

“The Equifax breach is remarkable because of the impact that it has had, not only on the Equifax business itself, but on the company’s executives,” he said, alluding to the resignations of the chief information officer, chief security officer and chief executive officer in the wake of the breach becoming public.

“This is also a sign that things are beginning to change, with more attention being paid to the business impact, but one reason we do not see those stories earlier on is that it takes time for the full impact to be understood and come to the fore,” said Samani.

The reality of modern business is that success is ultimately tied in some way to IT, he said, which means that IT-related risk needs to be viewed in the same light as all other business risks.

Similarly, he said as organisations are increasingly collecting and processing personal data to gain a variety of business benefits, more attention needs to be paid to reducing the business risk of those activities by ensuring the best possible data protection.

Service providers should also improve the way they manage data, said Samani, and should not be allowed to hold people’s data to ransom by threatening to bar access if users refuse to accept new terms and conditions, and privacy policies that give those providers increasing access to personal data.

However, although most organisations see IT and information security as crucial to their longevity, few promote people from those backgrounds into board-level roles.

“The fact that information security professionals rarely have a seat at the boardroom table shows that organisations are still not really taking the issues of information security and cyber risk as seriously as they should be,” said Samani.

Fortunately, he said, it is beginning to change, with the boards of some financial institutions consulting regularly with their chief information security officers (CISOs).

“But I would like to see more people with information security backgrounds occupying a seat on the board, moving into CIO roles,” said Samani.

“The reality is that, for many organisations, IT or cyber risk is now a top business risk because IT is a fundamental enabler for every business. So why wouldn’t those organisations want someone who lives and breathes technology to be sitting and working alongside those who determine the strategy and future of every company?”

Effect of breaches

Data breaches are becoming increasingly common, said Samani, with around 1.9 billion records leaked or stolen in the first half of 2017, which is greater than the total for the whole of 2016.

“We really have to consider what that means. It is such a big number that it is difficult to comprehend. But it means 1.9 billion people’s lives have been affected by the fact that their data is in the hands of [a stranger].

“The impact could be fairly long-lasting depending on the nature of the data because, while it is fairly easy to get a replacement credit card, it is different if the data is your address or your medical records – you can’t change your blood type,” said Samani.

Although the exact nature and duration of the impact is difficult to know, he said it is certain to have some effect. In many cases, this could simply be a loss of trust because businesses failed to look after 1.9 billion people’s data.

“The breaches are escalating and they are often child’s play to carry out – it is easy to buy the necessary tools and services, so organisations need to understand that the CISO is not an IT function, and that the CISO function is not a disabling function,” he added.

Tenets of data

Samani believes that every organisation across the planet has the “opportunity to do something remarkable” and that technology can be the way of doing that.

“There is a remarkable business opportunity in identifying the individuals who can be part of the strategic discussion and drive innovation, and instead of just saying personal data is the new oil and taking as much of it as they can, organisations should look for ways of returning value,” he said.

The insurance industry is a leader in this regard, he said, because by collecting and processing personal data, they are able to offer discounts to some people and give value back.

“This is a great business model, one that has persuaded me to use my Tesco Clubcard so that I can use self-scanners in stores. Although this means they get data about what I am buying, I get value back in return in the form of saved time and tailored services based on my purchasing habits,” said Samani.

Moving forward, he believes that businesses need to observe three tenets: transparency, informed consent and value.

“If they observe these tenets, businesses can start to offer services using PII [personally identifiable information]. With this approach, consumers will know what data is collected, where it goes, who it is shared with and how it is used,” said Samani.

“If businesses are informing me what they are doing with my data and they are demonstrating value, then I am happy to give my PII,” he said.

But the challenge right now, according to Samani, is that unless the market changes, and unless people recognise the value of what they are doing and the value of their data, then by simply clicking “OK”, they are “sleepwalking towards a scenario in which the perceived value of our data is going to be less than zero”.

“At the same time, we are seeing companies that are recognising the actual value of data, which is significantly higher than the perceived value. People are not recognising the value of the data they are giving up,” he added.

Samani said he would like to see the security team be part of the group that develops any new services, and then he would like to see informed consent, real transparency and value.

“It is up to the cyber security industry to help communicate and articulate this message, and part of that is starting to focus on the impact of breaches and what that really means,” he said.