
Closing the IT security gap: What are high performers doing differently?

This year, 2023, marks the beginning of a new age of data-driven transformation. Security and IT teams must scale to keep pace with the needs of the business and ensure the protection of any data, anywhere. Modern hybrid cloud landscapes present complex environments and daunting security challenges for the security and IT teams responsible for protecting data, apps and workloads operating across a heterogeneous landscape of data centers, hybrid clouds and edge computing devices. As the volume of data generated by IoT devices and systems grows exponentially, closing the IT security gap is proving to be elusive and frustrating.

The 2023 Global Study on Closing the IT Security Gap: Addressing Cybersecurity Gaps from Edge to Cloud, now in its third year, is sponsored by Hewlett Packard Enterprise (HPE) to look deeply into the critical actions needed to close security gaps and protect valuable data. In this year’s research, Ponemon Institute surveyed 2,084 IT and IT security practitioners in North America, the United Kingdom, Germany, Australia, Japan and, for the first time, France. All participants in this research are knowledgeable about their organizations’ IT security and strategy and are involved in decisions related to investment in technologies.

Security and IT teams face the challenge of trying to manage operational risk without preventing their organizations from growing and being innovative. In this year’s study, only 44 percent of respondents say they are very effective or highly effective in keeping up with a constantly changing threat landscape. However, as shown in this research there are strategies security and IT teams can implement to defend against threats in complex edge-to-cloud environments.

The IT security gap is not shrinking because of a lack of visibility and control over user and device activities. As the proliferation of IoT devices continues, respondents say identifying and authenticating IoT devices accessing their network is critical to their organizations’ security strategy (67 percent of respondents). However, 63 percent of respondents say their security teams lack visibility and control over the activity of every user device connected to their IT infrastructure.

How high-performing teams are closing the IT security gap

Seventy percent of respondents self-reported that their organizations are highly effective in keeping up with a constantly changing threat landscape and closing their organizations’ IT security gap (responses of 9 or higher on a scale from 1 = not effective to highly effective). We refer to these organizations as “high performers”. In this section, we analyze what these organizations are doing differently to achieve a more effective cybersecurity posture and close the IT security gap, as compared to the 80 percent of respondents in the other organizations represented in this research.

As evidence of their effectiveness, high-performing organizations had fewer security breaches in the past 12 months that resulted in data loss or downtime. Almost half of respondents (46 percent) say their organizations had between 7 and more than 10 incidents in just the past 12 months. In contrast, only 35 percent of high performers say their organizations had between 7 and more than 10 security incidents.

High-performing organizations have a larger IT security function. Fifty-four percent of high-performing organizations say they have a minimum of 21 to more than 50 employees in their IT security function. Only 44 percent of respondents in other organizations had the same range of employees in IT security.

High performers are more likely to control the deployment of zero trust within a Network as a Service (NaaS) deployment. Of those familiar with their organization’s zero-trust strategy, more high performers (36 percent of respondents) than others (28 percent of respondents) say their organization is responsible for implementing zero trust within a NaaS. Only 20 percent of high performers say it is the responsibility of the NaaS provider and 10 percent say a third-party managed service provider is responsible.

High performers centralize decisions about investments in security solutions and architectures. Sixty percent of high performers say it is either the network team (30 percent) or the security team (30 percent) that is the primary decision maker about security solutions and architectures. Only 15 percent say both functions are responsible.

More high performers have deployed or plan to deploy the SASE architecture. Forty-nine percent of high performers have deployed (32 percent) or plan to deploy (17 percent) the SASE architecture. In contrast, only 39 percent of respondents in the other organizations have deployed (24 percent) or plan to deploy (15 percent) the SASE architecture.

More high performers have achieved visibility of all users and devices. High performers are slightly more confident (38 percent of respondents) than other respondents (30 percent of respondents) that their organizations know all the users and devices connected to their networks all the time.

Far more high performers are positive about the use of Network Access Control (NAC) solutions and their importance to proving compliance. These respondents are more likely to use these solutions for IoT security. Fifty-one percent of high performers say NAC solutions are an essential tool for proof of compliance vs. 42 percent of respondents in other organizations. Fifty-five percent of high performers vs. 38 percent of other respondents say NAC solutions are best delivered from the cloud.

High performers recognize the importance of integrating NAC functionality with the security stack. Respondents were asked to rate the importance of integrating NAC functionality with other elements of the security stack on a scale from 1 = not important to 10 = highly important. Sixty-two percent of high performers vs. 54 percent of other respondents say such integration is important.

High performers are more likely to believe continuous monitoring of network traffic and real-time solutions will reduce IoT risks. Sixty-two percent of high performers vs. 52 percent of other respondents say continuous monitoring of network traffic for each IoT device to spot anomalies is required. Forty-seven percent of high performers vs. 38 percent of other respondents say real-time solutions to stop compromised or malicious IoT activity are required.

High performers are more likely to require current security vendors to supply new security solutions as compute and storage move from the data center to the edge. Forty percent of high performers vs. 30 percent of other respondents say their organizations will require current security vendors to supply new security solutions. Respondents in other organizations say their infrastructure providers will be required to supply protection (45 percent vs. 34 percent in high-performing organizations).

High performers are more likely to require servers that leverage security certificates and infrastructure that leverages chips and/or certificates. The research reveals significant differences regarding compute and storage requirements. Specifically, high performers require servers that leverage security certificates to verify that the system has not been compromised during delivery (67 percent vs. 60 percent in other organizations). High performers are more likely to require infrastructure that leverages chips and/or certificates to determine whether the system has been compromised during delivery (64 percent vs. 56 percent in other organizations). High performers are also more likely to believe data protection and recovery are key components of their organizations’ security and resiliency strategy (58 percent vs. 50 percent in other organizations).

Conclusion: Recommendations to close the IT security gap

According to the research, the most effective steps to minimize stealthy or hidden threats within the IT infrastructure are the adoption of technologies that automate infrastructure integrity verification and the implementation of network segmentation. The research also reveals a growing adoption of zero trust and Secure Access Service Edge (SASE) architectures to manage vulnerabilities and user access. Important activities for achieving a stronger level of IoT security, according to the research, are the continuous monitoring of network traffic for each IoT device to spot anomalies and real-time solutions to stop compromised or malicious IoT activity.

Other actions to be considered in the coming year include the following:

  • Require servers that leverage security certificates and infrastructures that leverage chips and/or certificates.
  • Invest in having a fully staffed and well-trained IT security function. Such expertise is critical to ensuring data protection and recovery are key components of an organization’s security and resiliency strategy. A lack of skills and expertise is also the primary deterrent to adopting a zero-trust framework.
  • Consider centralizing decisions about investments in security solutions and architectures as high performers in this research tend to do. A concern of respondents is the inability of IT and IT security teams to agree on the activities that should be prioritized to close the IT security gap. This concern is exacerbated by the siloed or point security solutions in organizations.
  • Deploy Network Access Control (NAC) solutions to improve IoT and BYOD security. These solutions support network visibility and access management through policy enforcement for devices and users on computer networks. NAC solutions can improve visibility and verify the security of all apps and workloads.


Hundreds of supplement companies warned about ads; is this any way to protect consumers?

Bob Sullivan

I’m often asked, “Isn’t there a truth in advertising law?!!??” by consumers who feel cheated by a company that embedded a gotcha in its advertisements.  My sad answer is often some variation of “No, not really.” At least that’s been the on-the-ground reality for some time.  There’s a glimmer of hope that things might be changing, however. The Federal Trade Commission recently sent out hundreds of letters warning companies that sell OTC drugs, homeopathic products, or dietary supplements that they’re being watched for potentially bogus ads — which is both a hopeful sign and a demonstration of just how weak consumer protection efforts are in the USA.

First, to get this out of the way, I’m not a lawyer, and there are actually many, many laws that govern advertising — some generic, some very industry specific. But as I say with only a hint of sarcasm, everything is legal until there’s a lawsuit or an arrest, and that’s the reality most consumers face every day.  Basically, TV and radio wouldn’t exist if it weren’t for aggressive snake-oil pitches from companies claiming their lab-tested products will make you younger, or stronger, or more focused — most backed by junk “science,” if at all.  But these firms have been given the tacit green light for decades by understaffed federal agencies that could hardly pick one in 1,000 battles to fight. And even worse, they’ve often seen a wink and a nod from agencies controlled by a hands-off philosophy derived from a perverted notion of how free markets are supposed to operate.

That’s why I’m encouraged by the announcement recently that the FTC had sent out a pile of so-called “Notice of Penalty Offenses” letters about “substantiation of product claims.” The approximately 700 recipients — large and small firms alike — have been put on notice that the FTC is worried they might be making claims that deceive consumers. The letters do not constitute a legal finding; but they do include warnings that should such a finding occur, the penalty could be about $50,000 per incident.  And the letters include reminders of what potential violations look like. Like this:

“Failing to have adequate support for objective product claims; claims relating to the health benefits or safety features of a product; or claims that a product is effective in the cure, mitigation, or treatment of any serious disease. These unlawful acts and practices also include: misrepresenting the level or type of substantiation for a claim, and misrepresenting that a product claim has been scientifically or clinically proven.”

A particular pet peeve of mine in the age of social media is the deceptive use of consumer reviews and other endorsements.  Apparently, that’s a pet peeve of the current FTC too, because the warning letters also include reminders about that:

“Such unlawful acts and practices include: falsely claiming an endorsement by a third party; misrepresenting that an endorsement represents the experience or opinions of product users; misrepresenting that an endorser is an actual, current, or recent user of a product or service; continuing to use an endorsement without good reason to believe that the endorser continues to hold the views presented; using an endorsement to make deceptive performance claims; failing to disclose an unexpected material connection with an endorser; and misrepresenting that the experience of endorsers are typical or ordinary. Note that positive consumer reviews are a type of endorsement, so such reviews can be unlawful if they are fake or if a material connection is not adequately disclosed.”

“Everyone gets sick, and most of us will experience the infirmities that accompany aging,” wrote FTC Commissioner Rebecca Slaughter about the orders. “That shared vulnerability leaves us all susceptible to health-claim scams and to plausible-sounding treatments that promise to alleviate pain, to restore lost virility, or to help cure the most deadly and tragic of illnesses. At best, many of these product claims are unreliable and waste tens of billions of consumer dollars a year, and, even worse, they can cause serious health problems requiring acute medical attention.”

Advertising is a touchy area and a tough business.  There is a centuries-old tradition of sellers doing what they can to get buyers’ attention, with ad-makers walking up to and over the line of what’s deemed legal.  That’s to be expected.  With attention so divided in our time, those lines have become even more blurry, and the attempts to get consumers’ attention even more desperate.  Warning letters sent before dramatic fines certainly seem like a positive way to clean up a murky marketplace before doling out what might be death penalties to smaller companies.

However, the list of warning notice recipients certainly includes companies that could afford to do better research before publishing their ads.  Kellogg, AstraZeneca, BASF and Bausch and Lomb are on the list. So are Amazon, Goop, and Kourtney Kardashian’s Lemme, Inc. Again, there is no finding of illegality in these letters. You can see the list yourself.

This isn’t the first set of such warning notices sent out by the FTC recently. In October of 2021, a batch of 70 letters went to for-profit colleges focused on alleged exaggerated claims about the future workplace success of graduates. And later that month, another 700 letters went to advertising firms about potentially illegal testimonials and endorsements. And still another 1,000-plus notices went out to companies advertising get-rich-quick offerings to freelancers.

To my knowledge, none of the firms mentioned in the letters have faced fines or penalties, or been found guilty of anything related to the letters.

It might seem uncontroversial to have the nation’s federal watchdog for consumers send out warning letters to companies that could be engaging in deceptive conduct.  After all, I’d sure like a warning letter when I’m illegally parked.  However, all things have a context, and the strategy of FTC notice of penalty offenses has a deep past.

They were added to the FTC’s toolkit in the 1970s in an effort to more swiftly deal with potential consumer harms. Suing a company takes a long time, and the FTC authority to obtain penalties from law-breaking companies is severely limited.  In many cases, the FTC can only claw back ill-gotten gains from misbehaving firms — allowing them a so-called first bite of the apple.  In these cases, only after a firm agrees to a settlement with the FTC, then engages in the bad behavior AGAIN, can criminal penalties be assessed. In a fast-changing world, this is an ineffective tool for making sure consumer harm is quickly stopped.

Notice of penalty offenses were added to let the FTC skip to that second step. By telling companies that *other* companies had engaged in the same behavior, and been penalized, that one-bite-of-the-apple step could be skipped. The FTC could go after misbehaving companies straight away, after this warning notice, skipping what I think of as the “FTC two-step.”

This effort is not uncontroversial, however. Use of the letters fell out of practice in the 1980s and instead FTC lawyers used a different legal strategy (the so-called Section 13(b) authority — here’s a history lesson) to obtain penalties or seize and freeze assets belonging to companies engaged in deceptive behavior. That strategy was challenged by a payday lender and in 2021, the U.S. Supreme Court sided with the lender, eliminating this route. So FTC staff resurrected the warning letters.

(Again, I’m not a lawyer. For a different version of this history lesson, visit Venable’s website.)

It’s not hard to find lawyers who think the FTC is on weak legal ground using the warning letters as this first step in the FTC two-step. Cases cited in some of these letters are decades old.  I don’t think anyone disagrees this is a workaround, and a less ideal solution than a new law passed by Congress that makes clear the FTC can freeze assets and penalize misbehaving companies on the first offense, the treatment that consumers expect from their local police officer.

If you’ve made it this far, you’ve come to understand my first point, which is how convoluted our efforts are to protect consumers in America — and how we still lay out the welcome mat to scammers and deceptive companies.  And I haven’t even delved into all the lame ways advertisers can shield themselves from federal (and state) “truth in advertising” laws.  Like “This product is not intended to diagnose, treat, cure or prevent any disease.” Or by our liberal use of the concept of “puffery,” which is legally protected. (It’s ok to say this is the “world’s favorite blog” but it’s not ok to say “4 out of 5 readers prefer this blog” unless I have something to back up that data.)

As I’m fond of saying, free markets are not free-for-all markets. True free markets require perfect information. We don’t have that. And the more imperfect our information is, the more markets require rules to protect the vulnerable. Warning letters take us a step closer to that. Armies of lawyers arguing about Section 13(b) authority for many years do not.