Monthly Archives: May 2018

‘Knowledge asset’ risk comes into focus; nation-states a bigger concern

Larry Ponemon

The Second Annual Study on the Cybersecurity Risk to Knowledge Assets, produced in collaboration between Kilpatrick Townsend and Ponemon Institute, was done to see whether and in what ways organizations are beginning to focus on how they are safeguarding confidential information critical to the development, performance and marketing of their core businesses in a period of targeted attacks on these assets.

Ponemon Institute surveyed 634 IT security practitioners who are familiar and involved with their organization’s approach to managing knowledge assets. All organizations represented in this study have a program or set of activities for managing knowledge assets. The first study, Cybersecurity Risk to Knowledge Assets, was released in July 2016.

Awareness of the risk to knowledge assets increases. More respondents acknowledge that their companies very likely failed to detect a breach involving knowledge assets (an increase from 74 percent of respondents in 2016 to 82 percent of respondents in this year’s research). Moreover, in this year’s research, 65 percent of respondents are aware that one or more pieces of the company’s knowledge assets are now in the hands of a competitor, an increase from 60 percent of respondents in the 2016 study.

The cost to recover from an attack against knowledge assets increases. The average total cost incurred by organizations represented in this research due to the loss, misuse or theft of knowledge assets over the past 12 months increased 26 percent from $5.4 million to $6.8 million.

Eighty-four percent of respondents state that the maximum loss their organizations could experience as a result of a material breach of knowledge assets is greater than $100 million as compared to 67 percent of respondents in 2016.

Actions taken that support the growing awareness of the risk to knowledge assets

Following are findings that illustrate how the growing awareness of the risk to knowledge assets is improving cybersecurity practices in many of the companies represented in this study.

  • Companies are making the protection of knowledge assets an integral part of their IT security strategy (68 percent of respondents vs. 62 percent of respondents in 2016).
  • Boards of directors are requiring assurances that knowledge assets are managed and safeguarded appropriately (58 percent of respondents vs. 50 percent of respondents in 2016).
  • Companies are addressing the risk of employee carelessness in the handling of knowledge assets. Specifically, training and awareness programs are focused on decreasing employee errors in the handling of sensitive and confidential information (73 percent of respondents) and confirming employees’ understanding and ability to apply what they learn to their work (68 percent of respondents).
  • Companies are adopting specific technologies designed to protect knowledge assets. The ones for which use is increasing most rapidly include big data analytics, identity management and authentication and SIEM.
  • There is a greater focus on assessing which knowledge assets are more difficult to secure and will require stricter safeguards for their protection. These are presentations, product/market information and private communications.
  • There is greater recognition that third party access to a company’s knowledge assets is a significant risk. As a result, more companies are requiring proof that the third party meets generally accepted security requirements (an increase from 31 percent of respondents in 2016 to 41 percent in this year’s study) and proof that the third party adheres to compliance mandates (an increase from 25 percent of respondents in 2016 to 34 percent in this year’s study).
  • Companies are aware that nation-state attackers are targeting their company’s knowledge assets (an increase from 50 percent to 61 percent in this year’s study) and 79 percent of respondents believe their companies’ trade secrets or knowledge assets are very valuable or valuable to a nation-state attacker.

The full study is available for download from Kilpatrick Townsend.

Why my futile search for tuxedo pants shows the Russians are winning

Bob Sullivan

I’ve been raging about Facebook-style privacy invasions for a long time, so I’m glad that folks *seem* to be listening now – though the distance between noise and action is quite far.

I’m not a Luddite, however. My complaints are a lot more practical. I’ll often make this point: On one side of the ledger, we are surrendering privacy at unprecedented levels, granting blank checks to future corporations and governments with consequences we can’t possibly imagine. And we’re getting very little for it. Meanwhile, Russia, China, and other enemies now have an incredibly powerful weapon to use against us and our freedom. That’s a bad deal. Let me explain.

What are we supposed to be getting in exchange for all this tracking of our every move? Better ads! I will concede that better ads would certainly be lovely. But, as anyone who’s ever worked in advertising knows, there’s still an awful lot of snake oil being sold in the name of better ads. In fact, today’s “targeted” ads continue to create some of the singularly worst ads imaginable. Even when some of the biggest and most honorable names in retail and media are involved. Let me show you.

I have a black tie event to attend soon, which means dragging my, ahem, inexpensive tuxedo out of the back of my closet. Not surprisingly, the pants no longer fit. So I did what any sensible consumer who attends a black tie event every five years would do — I poked around Nordstrom Rack hoping to find a pair that could pass for a single evening. I’ll be sitting at a table most of the night, so who’ll notice if they aren’t a perfect match? (Sorry, Kim Peterson. You tried your best.)

I gave up in about 3 minutes, when the small degree of fashion pride I have set in, realizing that my plan wouldn’t work. So I schlepped to a Nordstrom Rack store the next day and tried on a bunch of black pants to make sure I wouldn’t embarrass myself. Let me note that I shop at the store often enough that I am a member, because hey, I like deep discounts.

These two great brands are getting hoodwinked. The consequences are larger than you think.

Fast forward to this morning when I open my daily New York Times email, which came with an enticing headline about allergies. And what do I see at the top of the email? An ad for tuxedo pants. I’ve made this point before, and I’ll continue to make it, perhaps for decades. Do you see what happened there? Billions of dollars and huge media companies conspired to deliver me an ad that was not just bad, it was uniquely bad. It was catastrophically bad. It was targeted bad. It was an ad for something that I had just purchased…in fact, something I had just purchased from the very store that paid for the ad. There could be no worse time to show me this ad. Any random ad would be better than an ad for the very thing I need to buy the least, right? And again, delivering this uniquely targeted, terrible ad required creation of a system that cost billions, robs millions of their privacy, and outfits America’s enemies with a devastating weapon.

But wait: There’s even more wrong with my tuxedo-ad experience. Being the game consumer that I am, I clicked on the ad to see what would happen. Maybe there’s a cheaper price for the pants I’d just purchased, and I could return them and save a few bucks. Alas, when I do, I see the curious chart above. While the price for the pants is indeed competitive, fully 16 of the 17 sizes shown are unavailable. Only a single size — 42×32 — is actually for sale. Meaning, in reality, I got an ad for something that wasn’t for sale. And that flat-out irritated me. It wasted my time.

Here’s what I know: Someone is stealing Nordstrom’s advertising money. (I don’t know why my newsletter doesn’t have a sponsor yet. I could do better than this.)

I know I’m telling you something you know. We’ve all glanced at a product online, only to be stalked by that product for days, at every website we visit. I’m sure it works to some degree. For every person shown an ad for a product they’ve purchased, there’s another who needs to see it 5 or 10 times before they pull the trigger. So sure, those ads might be better than random ads in some cases. The ad industry calls this re-targeting, and claims these ads have superior click-through rates. Solid data from the ad industry is hard to come by, however.

And don’t forget, I’m a Nordstrom Rack member. The firm knows my email address, and what I’ve purchased. Now, I have clicked opt-out on enough data sharing arrangements that there might be some reason the datastream broke down and I got an ad for a product that I couldn’t buy, at the very moment when I least needed it, shortly after I had just purchased that item from the store which paid to get in front of me. More likely, however, is that this ad delivery system is just flawed.

So, to repeat my main point: All this technology works great if you want to attack a society with propaganda. It works terribly to help commerce and consumers.

This is my privacy problem. It’s just a bad deal.

Look, I’d love to have seen ads for tuxedo pants that actually fit me last week. Instead, the only thing I can count on is that I now will wonder how all these data points might be used by hackers against me, or by a nation-state to manipulate me and my friends, in the future.

This is not a story about tuxedo pants. Or about annoying ads. This is a story about the false promise that is the utopia of targeted advertising, and the unexpected consequences that this foolish quest creates. Years ago, when I first ranted against retargeting, I talked — as I always do — about future unintended consequences. In my wildest dreams, I didn’t imagine that this kind of data hoarding could help a nation-state attack our democracy. This is *exactly* the point of today’s story. Who knows how my search for pants today might be used against me tomorrow? Will it signal to my health insurance company that my rates need to go up? Will a potential future employer use that information to turn me down for a job? Will a propaganda pusher in St. Petersburg put me in a “bucket” and prod me with cleverly-crafted political ads?

I don’t know. But I do know these ads didn’t help. And they might hurt. That’s a bad deal for everyone.