Monthly Archives: May 2016

Third-party risks, and why tone at the top matters so much

Larry Ponemon

Tone at the Top and Third Party Risk was sponsored by Shared Assessments and conducted by Ponemon Institute to understand the relationship between tone at the top and the minimization of third party risks. We surveyed 617 individuals who have a role in the risk management process in their organizations and are familiar with the governance practices related to third party risks.

A key takeaway from the research is that accountability for managing third party risk is dispersed throughout the organization. Not having one person or function with ownership of the risk is a serious barrier to achieving an effective third party risk management program.

In the context of this study, tone at the top is a term used to describe an organization’s control environment, as established by its board of directors, audit committee and senior management. The tone at the top is set by all levels of management and has a trickle-down effect on all employees of the organization. If management is committed to a culture and environment that embraces honesty, integrity and ethics, employees are more likely to uphold those same values. As a result, such risks as insider negligence and third party risk are minimized.

Participants in this research agree with this assessment. We asked respondents to rate the importance of tone at the top based on a scale of 1 = not important to 10 = very important. The very important responses (7+) are shown in Figure 1. As shown, 83 percent of respondents believe a positive tone is very important to minimizing business risks within their organization and 78 percent of respondents say it is very important to reducing risks in third party (supply chain) relationships.

A positive tone at the top is thought to provide the following benefits, according to respondents:

  • Reduces the risks of working with third parties that are not trustworthy (71 percent of respondents);
  • Incorporates such values as integrity, ethics and trustworthiness in relationships with third parties (66 percent of respondents); and
  • Increases employee and third party awareness of the importance of security, data protection and business resiliency (43 percent of respondents).

The following are key takeaways from the research:

  • Third party risk is considered serious and is increasing. Seventy-five percent of respondents agree that third party risk is serious. Further, 70 percent of respondents say the third party risk in their organization is significantly increasing (21 percent of respondents), increasing (20 percent of respondents) or is staying the same (29 percent of respondents).
  • Third party risk is increasing because of a changing threat landscape. Disruptive technologies such as the Internet of Things (IoT) and migration to the Cloud are expected to increase third party risk. Sixty percent of respondents believe IoT increases third party risk significantly (35 percent + 25 percent), and 68 percent of respondents believe migration to the Cloud will increase risk (36 percent + 32 percent).
  • Cyber attacks and the IoT are expected to have the most significant impact on an organization’s third party risk profile. Seventy-eight percent of respondents say cyber attacks will have a significant impact on the risk profile and 76 percent of respondents say the IoT will have a significant impact. Cloud computing, mobility and mobile devices and big data analytics will have a significant impact, according to 71 percent, 67 percent and 51 percent of respondents, respectively.
  • Despite the seriousness of third party risk, it is not a primary risk management objective. The top two risk management objectives are to minimize downtime (56 percent of respondents) and minimize business disruptions (37 percent of respondents). As discussed above, cyber attacks are expected to have a significant impact on the risk of third party relationships. However, only 27 percent of respondents say a top objective is to prevent cyber attacks. Further, only 8 percent of respondents say improvement of their organization’s relationship with business partners is a top risk management objective for their organizations.
  • The consequences of not managing third party risk can be costly. In the past 12 months, organizations represented in this research spent an average of approximately $10 million to respond to a security incident as a result of negligent or malicious third parties.
  • Third party risk management programs are mostly informal and not effective. As discussed previously, reducing third party risk is considered serious but very few respondents say improvement in third party relationships is a top risk management objective. Thus, the incentive among the various business functions to create a comprehensive program for risk management is low. Only 29 percent of respondents say their organizations have a formal program.
  • The lack of formal programs affects the ability to mitigate third party risk. Respondents were asked to rate the effectiveness of their organizations in mitigating or curtailing third party risk from 1 = not effective to 10 = very effective. Only 21 percent of respondents say their organization’s effectiveness in mitigating or curtailing third party risk is considered highly effective (7+ on the scale of 1 to 10).
  • No one function owns the third party risk management program in organizations represented in this study. Accountability for the third party risk management program is dispersed throughout the organization. Twenty-three percent of respondents say the compliance department is most responsible for managing third party risk and 17 percent of respondents say it is the information security function. Only 9 percent of respondents say risk management has ownership of the risk.
  • Most C-level executives are not engaged in their organization’s third party risk management process. Only 37 percent of respondents agree that the C-level executives in their organization believe they are ultimately accountable for the effectiveness of third party risk management. As a possible consequence of this lack of engagement, 50 percent of respondents do not believe the risk management process is aligned with business goals, which are most likely determined by senior management.
  • Boards of directors are not actively engaged in risk management activities. Similar to the perceived lack of accountability on the part of C-suite executives, only 40 percent of respondents say their boards of directors are significantly involved (17 percent) or have at least some involvement in overseeing risk management activities (23 percent).
  • If boards of directors are engaged, it is mostly to conduct reviews. Fifty-two percent of respondents say the board mainly reviews management’s analysis of the effectiveness of a risk assessment and 42 percent of respondents say the board reviews and approves plans to address any risk management or control weakness. Only 25 percent of respondents say they are actively working with management to establish the vision, risk appetite and overall strategic direction for third party relationships.

To read the full research, visit SharedAssessments.org

The day my bank, yet again, blocked me from my money for 'security' — and why two-factor tools aren't ready for prime time

Bob Sullivan

How can a bank – or any organization — become less secure in its attempts to become more secure?  Let me tell you how.

Security must do two things: Protect and enable.  If your security doesn’t enable people to do what they have to do, they will inevitably circumvent it, creating all sorts of exception conditions as they do. And that is the path to perdition (and hacking).

Security often fails because people who design security are much better at throwing up roadblocks than they are creating pathways.  Both are equally important if a security scheme is to work.

This month brought yet another story chronicling theft of millions of passwords by hackers, once again highlighting the importance of implementing “not-just-passwords security” at places that really matter.

But I’m about to turn off two-factor authentication at my bank, right at the moment when everyone seems hell bent to turn it on. Why?  Because it doesn’t make me safer if it doesn’t work; it just prevents me from accessing my money.

I’ve run into classic 21st Century Red Tape headaches with my bank recently as I try very hard to use its two-factor authentication scheme.  I often don’t like single-anecdote stories, but occasionally they illuminate larger problems so perfectly they are worth telling. So here goes.

A quick review:  Two-factor authentication adds a strong layer of security to a service by requiring that two tests be met by a person seeking access — a debit card and a PIN code, for example, representing something you have and something you know.  Online banks and websites are slowly but surely nudging everyone towards various forms of two-factor authentication, because it really does make life harder for hackers.

Most of these two-factor forms involve use of smartphones, as they have become nearly ubiquitous. Log on to a website at a PC, confirm a code sent to your phone.  Something you have (the phone) and something you know (the password). Simple, but elegant, and far harder for bad guys to crack.

And it’s great, when it works. But what about when it doesn’t work?

Here’s a simple problem. Consumers get new phones all the time. If the code is tied to the physical handset, the code doesn’t work any longer. What then?

Turns out this can be a really vexing problem. (Readers of this column know why I had to get a new smartphone recently.)

I’ve been a USAA banking customer for decades. The financial services firm has ranked atop customer satisfaction surveys seemingly forever, and for good reason:  It really does take good care of members.

At least it did, until it tried to implement two-factor security. I try not to be hypocritical, and follow my own advice, so I turned on USAA’s flavor of two-factor pretty early on. It’s a solid design: A Symantec app loaded onto your smartphone offers a temporary token — a 6-digit code — that changes every 30 seconds. The token is tied to the physical handset. Only a person who knows your PIN and can access the token on that handset can log into the website. You can see all the layers of protection that creates.
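The token design described above (a 6-digit code that rotates every 30 seconds, derived from a secret provisioned on one handset) is the standard TOTP scheme of RFC 6238. The Python below is an added example, not USAA's or Symantec's code: it implements code generation with a skew-tolerant check, then walks through the new-handset problem and a single-use backup-code recovery path that avoids falling back to challenge questions. The `Account` class, the backup-code format and the handset secrets are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # the 30-second rotation the column describes
DIGITS = 6          # the 6-digit code the column describes


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter taken from wall-clock time."""
    return hotp(secret, at // step)


def verify_totp(secret, code, at, window=1, step=STEP_SECONDS):
    """Accept the current step and `window` steps either side to tolerate clock skew."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, at // step + drift), code):
            return True
    return False


class Account:
    """Hypothetical server-side record: enrolled TOTP secret plus hashed single-use backup codes."""

    def __init__(self):
        self.secret = secrets.token_bytes(20)   # copied into the handset app at enrollment
        self.backup_hashes = set()

    def issue_backup_codes(self, count=5):
        # Shown to the member once at enrollment; the server keeps only hashes.
        codes = [secrets.token_hex(4) for _ in range(count)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def redeem_backup_code(self, code):
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest not in self.backup_hashes:
            return False
        self.backup_hashes.remove(digest)   # each code works exactly once
        return True

    def re_enroll(self):
        # Rotate the secret; tokens from the old handset stop working from here on.
        self.secret = secrets.token_bytes(20)
        return self.secret


def handset_change_scenario(now=None):
    """Old handset works, a freshly installed app on a new handset does not,
    a backup code bridges the gap, and the re-enrolled handset works again."""
    now = int(time.time()) if now is None else now
    account = Account()
    backup_codes = account.issue_backup_codes()
    old_handset_secret = account.secret           # provisioned at enrollment
    new_handset_secret = secrets.token_bytes(20)  # fresh install, nothing migrated
    results = {
        "old_handset_accepted": verify_totp(account.secret, totp(old_handset_secret, now), now),
        "new_handset_accepted": verify_totp(account.secret, totp(new_handset_secret, now), now),
    }
    # Recovery path that does not fall back to guessable challenge questions.
    results["backup_code_accepted"] = account.redeem_backup_code(backup_codes[0])
    results["backup_code_reuse_rejected"] = not account.redeem_backup_code(backup_codes[0])
    new_handset_secret = account.re_enroll()      # provision the new handset
    results["new_handset_accepted_after_reenroll"] = verify_totp(
        account.secret, totp(new_handset_secret, now), now)
    results["old_handset_accepted_after_reenroll"] = verify_totp(
        account.secret, totp(old_handset_secret, now), now)
    return results
```

The `totp` values for the RFC 6238 test secret `12345678901234567890` match the published SHA-1 vectors (e.g. `287082` at T=59), which is a quick way to confirm the generator before trusting the rest.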

Sure, it’s a tiny hassle to pull out the phone every time you want to log on to the website — a larger hassle if your phone battery is dead. But that’s a fair price to pay for security.

However, the hassle becomes immense when it becomes time to change handsets. So immense that as I type this, I cannot access my bank…and have no idea when I will be able to do so. (UPDATE: I was able to fix my login woes 24 hours later.) And that’s happened twice to me in the past year. Why? Chiefly because USAA is not set up to deal with the problem of new handsets.

To review: When I tried to access the website it demanded a token from my phone — a token that was no longer valid because I had a new phone.  When I tried to use the phone’s app to access my accounts, USAA asked for a password because it didn’t recognize the phone.  I didn’t have a password, I had a token — an invalid token.  You get the picture.

All that is a predictable technology hiccup that’s not the end of the world.  The real problem came next.

A call to customer service seemed to be my last available option, but that was dismal, too.  At various times I wasn’t able to get through to customer service phone lines. What’s much worse, however, is what happened when I did get through.

People change phones roughly every two years, so this new handset problem must come up often enough.  Yet it’s obvious to me USAA operators are not ready to handle the problem when consumers call.  Each time I have reached an operator, I had to spend a lot of time explaining the problem — and remember, I do this for a living.  On the first successful call today, the operator merely changed my mobile application login settings after putting me on hold for minutes.  When I protested that, she said she had to transfer me to a special department, and then the phone went dead.

After a second call and wait, the operator was sympathetic, but put me on hold quickly and wasted a lot of time trying to set me up with a new phone number.  It took a while before I could convince her that “new phone” meant “new handset” not “new number,” a mistake I will correct in future calls. We eventually agreed that all I needed was someone to turn off two-factor and issue me a temporary password so I could go in and re-establish the connection between my handset and my account.  But after another long hold, and transfers to two other operators, I was told that, sadly, they were having trouble issuing temporary passwords and asked if I could call back in an hour or so.

I’ve left out many steps in this saga.  At each stage, of course, I was subject to strict authentication questions. That’s fine — I was asking for a new password, after all.  But at the end of my fruitless journey through tech support, when I asked if I could somehow get express treatment when I called back just to find out if I could get a temporary password, I was told, “no.”  So I will have to, once again, convince a primary operator who I am, that I am having token problems and that I need a temporary password.  There is obviously no “token problem” script ready for my problem.

My experience last time was similar, so I know I am not just the victim of bad luck.

The last time this happened, I was sure to give the operator who finally liberated my account some specific feedback — there needs to be a tidy process for dealing with people who get new handsets. Obviously, that hasn’t occurred. And so, the first thing I will do when I can access my account is disable the token. (I’ll use another form of two-factor.) While I am afraid of hackers, I’m more afraid of not being able to access my money because my bank has poorly implemented a security solution.

When I called USAA as a reporter to discuss my experience, the firm owned up to the challenges of implementing two-factor security.

“You’ve encountered an experience we are aware of,” said Mike Slaugh, Executive Director, Financial Crimes Prevention, at USAA. “What we’re working on here is a way to make that experience better. … Multi-factor authentication for us at USAA and the industry in general, it’s important.  (Making this experience better) is top of mind for us as we work to help members protect themselves.”

USAA is hardly the only firm having trouble dealing with two-factor issues.  Independent security analyst Harri Hursti told me about the foibles consumers face when dealing with two-factor authentication that relies on text messages.

“The moment you start traveling, all bets are off. Text messages over roaming are far from reliable – they either are never delivered, or they experience regular delivery delays over 10-15 minutes, which are the most typical time-out limits on the websites,” he said. Hursti, who was in Portugal when I interviewed him, said he was late paying an electricity bill this month because of two-factor pain points.  “Basically, in order to do banking when travelling internationally, you need to start that by turning all security off. And yet you are knowingly getting into increased security risk environment.”

Gartner security analyst Avivah Litan says these kinds of implementation and customer service issues not only threaten adoption of two-factor security, they actually create more pathways for hackers.

“Two factor, in this case, actually weakens security – rather than strengthens it,” she said. “I always tell our clients that their security is only as strong as its weakest link and surely, when they disable two factor authentication on the account, they likely ask the account holder to verify their identity by answering those easily compromised challenge questions, which any criminal who can buy data on the dark web has access to.  Therefore this is an easy way for criminals to get access to your account.  So not only does two factor authentication without proper supporting processes serve to annoy and greatly inconvenience good legitimate customers, it also does little to keep the bad guys out for this and other reasons.”

As Litan is fond of saying, there’s a fallacy that “harder is better” in security.  It “doesn’t keep bad guys out, but it annoys good guys.”

Perhaps this problem isn’t *that* common yet, as uptake on two-factor is still relatively small (USAA acknowledged that, and it’s common across the industry). Don’t worry: With each password hack, more and more people will turn on two-factor.  If companies blow the implementation, consumers will just as quickly turn it off again.  And we might lose them for several years.

Protect and enable, or we’re all at greater risk.
