Author Archives: Bob Sullivan

Fine print alert: Hey kids! Your parents have read and agreed to this, right? (wink)

Snapchat.com

Hey parents! You won’t believe the contracts your kids have been roped into.

Like a fine-print virus spreading quickly around the globe, underage teenagers are suddenly being shrink-wrapped into contracts of dubious enforceability all around the web. The situation highlights a conundrum for companies targeting the 13-17 crowd: how to set rules with minors who generally can’t actually consent to contract terms, and almost certainly don’t get their parents’ permission to do so.

Snapchat changed its terms of service recently, attracting a lot of attention. While most of it was focused on the company giving itself virtual ownership over content posted on the service, something else in the terms caught my eye.

“By using the Services, you state that: You can form a binding contract with Snapchat—meaning that if you’re between 13 and 17, your parent or legal guardian has reviewed and agreed to these Terms.”

Well, really it caught privacy lawyer Joel Winston’s eye. He called it to my attention.

Let me take a guess and estimate that of Snapchat’s roughly 100 million users, most of them minors, perhaps 43 or so have shown those terms to their agreeable parents.  In other words, if your kid uses Snapchat, he or she has almost certainly lied about you to the company, all in the name of forming a contract – of sorts.

Winston had a different problem with the language.

“A minor cannot declare herself competent to sign a binding contract that would otherwise require consent from an adult,” he said.  There are some exceptions to that, which we’ll get to.  But the headline point remains.  Generally speaking, contracts with minors aren’t really contracts.

So what’s this language doing in Snapchat’s terms of service? It’s not just Snapchat. That very language appears in lots of kid-focused services, like Skout (a flirting tool), THQ (a game site), and even PETAkids.com (an animal rights site). Similar terms appear across the Web.

Snapchat certainly is a leader in the 13-17 space, however.  I asked the firm to comment about its terms.  It declined.

When I ran Snapchat’s terms by Ira Rheingold, executive director at the National Association of Consumer Advocates, he was aghast.

“Why did they do this, to frighten people into not suing them?” he said, rhetorically. “I cannot imagine any court would find this binding. No lawyer worth his salt would think this is going to stick…a youngster cannot consent.”

Maybe…and maybe not. Last year, a California court actually did rule that, in some circumstances, terms of service are enforceable against minors. That case involved Facebook’s use of member photos in “Sponsored Stories.” Facebook’s terms at the time provided for what amounted to a publicity rights release, and the plaintiffs in the case argued that release was unenforceable. A judge sided with Facebook.

To put a fine point on it, minors can agree to certain kinds of contract terms (that allow them to work, for example), but such contracts have a unique status and can be voided at any time by the minor. Because the plaintiffs in the case continued to use Facebook, they had not voided their contract, and therefore Facebook was protected by the agreement.

“This is a big win for all online services, not only Facebook,” wrote Eric Goldman in a blog post about the case.

The situation highlights the unique problem of dealing with children over 13 but under 18, Goldman said to me.

“Snapchat may have legally enforceable contracts with minors. Contracts with minors are usually ‘voidable,’ meaning that the minor can tear up the contract whenever he/she wants. However, until the minor disaffirms, the contract is valid. And in the case of social networking services, the courts have indicated that minors can disaffirm the contract only by terminating their accounts, meaning that the contract remains legally binding for the entire period of time the minor has the account,” he said. “As a contracts scholar, I can understand the formalist logic behind this conclusion, but it conflicts with the conceptual principle that minors aren’t well-positioned to protect their own interests in contract negotiations.”

On the other hand, the solution might be worse than the problem itself.

“The counter-story is that most online services don’t have any reliable way to determine the age of their users, and an adhesion contract that works unpredictably on only some classes of users isn’t really useful. And I don’t think anyone would favor web-wide ‘age-gating’ as the solution to that problem,” he said.

Of course, the problem isn’t just the existence of a contract, but what the terms of that contract might be, and whether a minor is capable of understanding and consenting to its terms.  Winston is concerned with what comes after the “parental promise” section in Snapchat’s contract: a binding arbitration agreement and class action waiver. (That’s the kind of waiver the Consumer Financial Protection Bureau is about to ban.)

“All claims and disputes arising out of, relating to, or in connection with the Terms or the use of the Services that cannot be resolved informally or in small claims court will be resolved by binding arbitration,” the terms say. “ALL CLAIMS AND DISPUTES WITHIN THE SCOPE OF THIS ARBITRATION AGREEMENT MUST BE ARBITRATED OR LITIGATED ON AN INDIVIDUAL BASIS AND NOT ON A CLASS BASIS.” (Snapchat’s CAPS, not mine.)

As Winston sees it, not only is Snapchat requiring minors to agree to a contract, it’s requiring them to surrender their right to have their day in court.

“I would certainly be very interested to read any legal ruling that enables a 13-year-old to agree that she will ‘waive any constitutional and statutory rights to go to court and have a trial in front of a judge or jury,’” he said, echoing the terms. “I am not currently aware of any case law that enforces a mandatory binding arbitration clause against an adult parent based on the purported ‘consent’ of her minor child.”

Were those terms to survive a court challenge, and if Snapchat tried something like Sponsored Stories, Snapchat’s minor users would have waived their rights to join a class action against the firm.

In the end, you might be wondering why parents – or kids – might want to argue with Snapchat anyway? Winston leaps at a chance to answer that.

“The Snapchat TOS contract is relevant because the company is actively collecting personal data from millions of children. That includes device phonebook, camera and photos, user location information (from) GPS, wireless networks, cell towers, Wi-Fi access points, and other sensors, such as gyroscopes, accelerometers, and compasses,” he said. “It’s also relevant because Snapchat is sharing user data from millions of children with third-parties and business partners for the purpose of advertising and monetization.”

I’m not one to give parents more homework, and I hesitate to advise you to try to read all the terms of service agreements to every app on your child’s phone.  But it might be a good learning moment to ask your kids what they’ve told tech companies about you — and find out what you’ve agreed to.

Why are the bad guys winning? They have a two-month head start, new report finds

Bob Sullivan

Bad guys are so much more nimble than good guys that they have a two-month head start in most hacking situations, a new report has found.  Meanwhile, software flaws that are even a decade old continue to be used to hack hundreds of thousands of computers, according to Kenna Security.

In the hacking world, a secret software flaw that can be exploited is known as a “zero-day” vulnerability.  Known only to a select few, zero-day exploits give hackers the ability to break into machines at will, and much has been made of this alarming problem.

But even known vulnerabilities might as well be “zero day” flaws, suggest the findings of a report issued Tuesday by Kenna on what it calls the “Remediation Gap.” Kenna says it examined one billion breach events and came to this disturbing conclusion:

Most organizations require 100-120 days before fixing vulnerabilities; meanwhile, hackers exploit them within 40-60 days.  That’s two months of free shots.

“The public has grown plenty familiar with hackers seeking out a specialized target, such as Ashley Madison. But automated, non-targeted attacks still remain the most significant threat to businesses of all sizes,” said Karim Toubba, CEO of Kenna. “Every company has data that hackers want to get their hands on, but security teams remain one step behind their adversaries. Security teams need to move quickly to remediate critical vulnerabilities, but they don’t have the tools needed to keep pace with hackers.”

The report suggests that too much attention has been placed recently on targeted attacks, while old-fashioned “spray and pray” attacks remain many firms’ greatest threat.

“Of the organizations that Kenna has evaluated, 100 percent are susceptible to vulnerabilities – which correlate to at least one stable publicly available exploit,” the report says.

Kenna said it pulled its sample from a database of 10 million successful attacks per week, collected through AlienVault’s Open Threat Exchange, as well as threat intelligence data from various partners, including Dell SecureWorks, Verisign, SANS ISC and US-CERT.

“By executing this approach, we were able to estimate the probability that a vulnerability might be exploited, as well as the sheer volume of attacks, based on the volume of attacks displayed by the aggregated data,” the report says.

Security professionals do a poor job of prioritizing which threats they remediate, and often fail to patch old flaws that are known to be popular among hackers in favor of top-of-mind flaws that have been recently announced, the firm argues.

“One of the points we need to make is that the vulnerabilities in question are often very old, well-known weaknesses that simply haven’t been fixed yet. We’ve seen this over and over again as we evaluate the data,” the report says. “In many cases these vulnerabilities are not sexy, and they don’t hog the spotlight – but in many environments they actually represent major weaknesses.”

For example, Kenna spotted 156,000 exploitations of the Slammer worm executed during 2014. Slammer hit so many servers that it dramatically slowed down general Internet traffic – in 2003.

The report also finds that automated attacks are on the rise: Kenna says there have been over 1.2 billion successful exploits witnessed in 2015 to date, compared to 220 million successful exploits witnessed in 2013 and 2014 combined – an increase of 445 percent.

“Companies will continue to face the cold reality that throwing people at the problem is no longer sufficient for remediating vulnerabilities and combating the sheer volume of automated attacks,” Toubba said.

Cyber crime costs jump by 19 percent

Larry Ponemon

We are pleased to present the 2015 Cost of Cyber Crime Study: United States, the sixth annual study of US companies. Sponsored by Hewlett Packard Enterprise, this year’s study is based on a representative sample of 58 organizations in both the public and private sectors. While our research focused on organizations located in the United States, most are multinational corporations.

This is the fourth year Ponemon Institute has conducted cyber crime cost studies for companies in the United Kingdom, Germany, Australia and Japan and the second year for the Russian Federation. This year we added Brazil. The findings from this research are presented in separate reports.

The number of cyber attacks against US companies continues to grow in frequency and severity. Recent cyber attacks include Anthem Blue Cross and Blue Shield, United Airlines, Sabre Corp. and American Airlines. In the public sector, the Office of Personnel Management sustained an attack that resulted in the theft of information about more than 4.2 million current and former federal employees and attacks against the Internal Revenue Service resulted in the theft of personal information about more than 100,000 taxpayers.

While the companies represented in this research did not have cyber attacks as devastating as these were, they did experience incidents that were expensive to resolve and disruptive to their operations. For purposes of this study, we refer to cyber attacks as criminal activity conducted via the Internet. These attacks include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure.

Our goal is to quantify the economic impact of cyber attacks and observe cost trends over time. We believe a better understanding of the cost of cyber crime will assist organizations in determining the appropriate amount of investment and resources needed to prevent or mitigate the consequences of an attack.

In our experience, a traditional survey approach does not capture the necessary details required to extrapolate cyber crime costs. Therefore, we conduct field-based research that involves interviewing senior-level personnel about their organizations’ actual cyber crime incidents.

Approximately 10 months of effort is required to recruit companies, build an activity-based cost model to analyze the data, collect source information and complete the analysis.

For consistency purposes, our benchmark sample consists of only larger-sized organizations (i.e., a minimum of approximately 1,000 enterprise seats). The study examines the total costs organizations incur when responding to cyber crime incidents. These include the costs to detect, recover, investigate and manage the incident response. Also covered are the costs that result in after-the-fact activities and efforts to contain additional costs from business disruption and the loss of customers. These costs do not include the plethora of expenditures and investments made to sustain an organization’s security posture or compliance with standards, policies and regulations.

[Figure 1: cost of cyber crime chart]

Figure 1 presents the estimated average cost of cyber crime for the seven countries represented in this research. These figures are converted into US dollars for comparative purposes. As shown, there is significant variation in total cyber crime costs among participating companies in the benchmark samples. The US sample reports the highest total average cost at $15 million and the RF sample reports the lowest total average cost at $2.4 million.

Key findings:

Cyber crimes continue to be very costly for organizations. We found that the mean annualized cost for 58 benchmarked organizations is $15 million per year, with a range from $1.9 million to $65 million each year per company. Last year’s mean cost per benchmarked organization was $12.7 million. Thus, we observe a $2.7 million (19 percent) increase in mean value. The net increase over six years in the cost of cyber crime is 82 percent.

Cyber crime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, we determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,571 versus $667).

The cost of cyber crime increases for all industries. The average annualized cost of cyber crime appears to vary by industry segment, where organizations in financial services, energy & utilities and defense & aerospace experience a higher cost of cyber crime. Organizations in the consumer products and hospitality industries on average experience a much lower cost of cyber crime.

The most costly cyber crimes are those caused by denial of services, malicious insiders and malicious code. These account for more than 50 percent of all cyber crime costs per organization on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing solutions and enterprise GRC solutions.

Cyber attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. Please note that resolution does not necessarily mean that the attack has been completely stopped. For example, some attacks remain dormant and undetected (i.e., modern day attacks).

The average time to resolve a cyber attack was 46 days, with an average cost to participating organizations of $1,988,554 during this 46-day period. This represents a 22 percent increase from last year’s estimated average cost of $1,593,627, which was based upon a 45-day resolution period. Results show that malicious insider attacks can take an average of approximately 63 days to contain.

Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. On an annualized basis, information theft accounts for 42 percent of total external costs. Costs associated with disruption to business or lost productivity account for 36 percent of external costs (up 4 percent from the six-year average).

Detection and recovery are the most costly internal activities. On an annualized basis, detection and recovery combined account for 55 percent of the total internal activity cost, with cash outlays and direct labor representing the majority of these costs. However, since 2013 this has declined from 40 percent to 36 percent in 2015. The application layer has increased in budget allocation from 15 percent in 2013 to 20 percent in 2015.

Deployment of security intelligence systems makes a difference. The cost of cyber crime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber attacks. As a result, these companies enjoyed an average cost savings of $3.7 million when compared to companies not deploying security intelligence technologies. Companies deploying security intelligence systems experienced a substantially higher ROI, at 32 percent, than all other technology categories presented. Also significant are the estimated ROI results for companies that extensively deploy encryption technologies (27 percent) and advanced perimeter controls such as UTM, NGFW, and IPS with reputation feeds (15 percent).

Deployment of enterprise security governance practices moderates the cost of cyber crime. Findings show companies that invest in adequate resources, employ certified or expert staff and appoint a high-level security leader have cyber crime costs that are lower than companies that have not implemented these practices. Specifically, a sufficient budget can save an average of $2.8 million, employment of certified/expert security personnel can save $2.1 million and the appointment of a high-level security leader can reduce costs by $2 million.

Click here to read the rest of the report.

Volkswagen software tricked emissions tests, feds say; hacking of customers is the real problem

Bob Sullivan

A Volkswagen executive recently proclaimed that by 2020, all the automaker’s cars will be smartphones on wheels.

Turns out, Volkswagen cars were a little too smart for their own good. The Environmental Protection Agency on Friday accused the firm of using software to evade U.S. emissions testing. Computer code known as a “defeat device” recognized when the car was being tested and kicked on full emissions control systems. The rest of the time the car chose…let’s say…“performance mode” over Earth-friendly mode.

The Obama administration has ordered the German automaker to recall half a million 4-cylinder Volkswagen and Audi cars from model years 2009-2015 and reprogram them. The firm could also face fines that could range into the billions. (At the moment, the firm hasn’t issued a statement.)

If accurate, such brazen use of software to evade federal law not only shocks the senses, it raises serious consumer protection issues. Many drivers are today rightly horrified that they were tricked into polluting the planet. They also were driving cars with performance that was artificially boosted — perhaps drivers would have chosen other cars if test drives of competitors’ models had been a fair fight.

In short, consumers have been hacked. Their cars’ software was doing things without their knowledge, just as if a virus writer had dropped a Trojan on their machines.

Recently, we talked about the very real fear drivers expressed to Kelley Blue Book — 4 out of 5 said car hacking will be a real problem in the next three years.

The survey referred to hacking by outside criminals, but there’s another kind of hacking going on here — when companies hack their own consumers.  Products we buy are now full of mysterious software, often instructed to do things we never imagined. TVs listen to our conversations; dating sites trick us into flirting with bots; our social networks and grocery stores talk about us; our web software tattles on us to the highest bidder;  and our cars trick emissions officials.

During an age when the very nature of advertising is constantly under siege, it makes sense that firms which already have a presence in our lives try to get a few more pieces of data out of us, and monetize that relationship just a little bit more. The temptation, if not desperation, is great.

But Friday’s Volkswagen story should be the beginning of some really serious soul searching, perhaps even a turning point for the Internet of Things.  It’s inevitable: our light bulbs, toasters, door bells, and our cars will all communicate some day soon.  We need a rock-solid ethic — not just laws, but a social morality — that machines should never do things unless people know all about them.  People should run the gadgets, not the other way around.

If we build a world of sneaky machines, we will deserve the consequences.

Learning to thrive against threats

Larry Ponemon

With cyber attacks growing increasingly frequent and complex, cybersecurity strategies are shifting: while prevention is still important, it is more about prevailing. Cyber resilience supports businesses’ efforts to ensure they’ll continue to thrive despite the increased likelihood of a data breach.

That’s the essence of cyber resilience – aligning prevention, detection, and response capabilities to manage, mitigate, and move on from cyberattacks. But are businesses ready today to face cyber threats head on? To find out, Ponemon Institute, with sponsorship from Resilient Systems, surveyed 623 IT and IT security practitioners about their organizations’ approach to becoming resilient to security threats. The findings are presented in the study, The Cyber Resilient Organization: Learning to Thrive against Threats.

In the context of this research, we define cyber resilience as the capacity of an enterprise to maintain its core purpose and integrity in the face of cyberattacks. A cyber resilient enterprise is one that can prevent, detect, contain and recover from a plethora of serious threats against data, applications and IT infrastructure. A cyber resilient enterprise successfully aligns continuity management and disaster recovery with security operations in a holistic fashion.

[Figure 1: thrive graphic]

Figure 1 shows why cyber resilience is emerging as the standard for which to strive. The protection of high-value intellectual property and compliance with laws and regulations are best achieved with cyber resilience, according to 91 percent and 90 percent of respondents, respectively. Cyber resilience also is considered to enhance brand value and reputation (75 percent of respondents) and maximize employee productivity (72 percent of respondents).

Key takeaways include the following:

The state of cyber resilience needs improvement. Only 25 percent of respondents rate their organizations’ cyber resilience as high (7+ on a scale of 1 = low resilience to 10 = high resilience) based on the definition described in the introduction. Moreover, a key component of cyber resiliency is the ability to recover from a cyber attack, and only 31 percent rate this as high. Prevention is also rated fairly low, at 33 percent. The ability to detect and contain cyber attacks is rated much higher, by 45 percent and 47 percent of respondents, respectively.

Human error is the enemy of cyber resiliency. The IT-related threat believed to have the greatest impact on an organization’s ability to be cyber resilient and the most likely to occur is human error. Persistent attacks are considered to have the second greatest impact on cyber resiliency but are less likely to occur. Planning and preparedness is key to cyber resiliency. It is interesting that a lack of knowledgeable staff or enabling technologies is not as much a hindrance as not devoting the necessary time and resources to planning and preparedness (65 percent of respondents) or insufficient risk awareness, analysis and assessments (55 percent of respondents).

The majority of companies are not prepared to respond to a cyber security incident. Despite the importance of preparedness to cyber resilience, 60 percent of respondents say their organization either does not have a cybersecurity incident response plan (CSIRP) (30 percent of respondents) or it is informal or “ad hoc” (30 percent of respondents). Only 17 percent of respondents have a well-defined CSIRP that is applied consistently across the entire enterprise.

A high level of cyber resiliency is difficult to achieve if no one function clearly owns the responsibility. Only 24 percent of respondents say the Chief Information Officer (CIO) is accountable for making their organizations resilient to cyber threats. This is followed by 20 percent who say it is the business unit leader and 10 percent who say no one person has overall responsibility.

Collaboration among business functions is essential to a high level of cyber resilience, but it rarely happens. Only 15 percent of respondents say collaboration is excellent. Almost one third of respondents (32 percent) say collaboration is poor or non-existent. Leadership and responsibility are critical to improving collaboration.

Organizational factors hinder efforts to achieve a high level of cyber resilience. The importance of cyber resilience is often not recognized by senior management. Only 44 percent of respondents believe their organizations’ leaders recognize that cyber resilience affects enterprise risks and brand image. About half (50 percent of respondents) say cyber resilience does affect revenues. Other factors that are a hindrance are insufficient funding and staffing.

Preparedness and agility are most important to achieving a high level of cyber resilience. Respondents were asked to rank those factors considered important to achieving a high level of cyber resilience. Once again preparedness to deal with cyber threats is critical, followed by agility and a strong security posture.

Technologies that enable efficient backup and disaster recovery operations are by far most important to building a cyber resilient enterprise. Seventy-seven percent of respondents say technologies that support efficient backup and disaster recovery operations are essential or very important. Also important are technologies that provide advance warning about threats and attackers (59 percent of respondents) and those that provide intelligence about the threat landscape (58 percent of respondents).

Read more about resilience, and a Q&A with Larry, at ResiliantSystems.com

What erodes trust in digital brands?

Larry Ponemon

CMOs know that website performance in turn drives marketing performance. While marketers control some of the factors that sharpen the online experience—accurate content and prudent use of banner ads, for example—the more technical factors are in the hands of colleagues in IT. Ideally, Marketing and IT collaborate to deliver excellence. Doing that means knowing what visitors like, and don’t.

The purpose of this research, conducted by Ponemon Institute and sponsored by Neustar, is to understand the online experience from the customer’s point of view. What expectations do consumers have for the reliability of the website, security of information they share, and availability of information? What is the tolerance or tipping point for problems like unavailable sites, slow-loading pages, or inscrutable navigation?

We surveyed 761 consumers in the United States between the ages of 18 and 65+. On average, respondents spend 59 hours per week online, mostly doing email, shopping, and social networking. Some respondents do more advanced activities such as posting blogs and creating websites.

The findings reveal that consumers expect a high level of website performance—and their frustrations are aimed at marketers and engineers alike.

Perceptions about a website’s security can decide whether consumers stay or go. As shown in Figure 1, 78 percent of respondents say slow load times cause them to worry about security. However, just over half of respondents (54 percent) are concerned about the reliability of slow loading web pages. The findings in this research also reveal that 69 percent of respondents have left a website because of security concerns. Other concerns, but to a lesser extent, are annoyance with feature ads that interfere with content (55 percent of respondents) and feature ads that redirect them to different sites (52 percent of respondents).

Seventy-one percent of respondents say that data breaches negatively impacted their perception of companies’ brands. On average, respondents have received two notifications from organizations telling them that their personal information was lost, stolen or compromised. Even after more than a year, 24 percent of respondents say they still do not perceive those companies’ brands in a positive light.

Overall, fifty-five percent of respondents believe security is important to the perception of a company’s brand and 50 percent say the same about privacy (protection of identity and other personal information). Not surprisingly, respondents overwhelmingly expect financial sites to be secure (95 percent of respondents).

A bad experience is measured in dollars, not just performance metrics. Sixty-one percent of respondents say they would be willing to give a website that goes offline only two chances before giving up. Consumers are most likely to discontinue using unavailable sites in financial services (80 percent of respondents) and retail (59 percent).

They are also willing to wait no more than an average of 10 seconds for a website to load.

In fact, seventy-eight percent of respondents are very concerned about the security of web pages that take longer than expected to load. Forty-one percent of respondents say response time is most important when making a payment (at checkout), followed by navigating to other web pages within the site (23 percent).

Read the full report at Neustar.

Most consumers are worried their cars might be hacked; many say they’d pay for car ‘anti-virus’ protection

Charlie Miller, who helped find the flaw, installing the patch. Click for Twitter feed.

Bob Sullivan

Consumers are becoming more and more aware that hacking isn’t just a gadget nuisance any more.  Computer security problems, like viruses, increasingly come with real-world consequences — like the potential to screw with an airplane’s flight system, or more recently, a car.  Wired’s Andy Greenberg last month revealed to the world the latest hacking horrible — security researchers were able to “kill” a Jeep while he was in it.

“Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system,” Greenberg wrote. “Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass.”

Later, the hackers demonstrated they could stop and steer the car remotely using a software vulnerability.  Yikes.

The digital carjacking incident was a huge embarrassment for Jeep maker Fiat Chrysler, which recalled 1.4 million cars to fix the software.

But pity poor Chrysler, which just happened to be the first car maker to end up with egg on its face.  Increasingly, cars are run by computers, and increasingly, that means hacks like this are inevitable.

Consumers seem to implicitly understand this.  Kelley Blue Book jumped at the news to churn out a survey of users showing that, yes, they all know about the Jeep incident, and yes, they all (Ok, 4 out of 5) think car hacking will be a problem within the next three years. Much to my surprise, many even said they’d pay for hacking protection services, with $8 a month being the preferred cost.  I smell a marketing opportunity for antivirus makers!  I also smell a rat — why should consumers have to pay extra to keep computer criminals out of their cars?  (And while I’m at it, could I make a final, fruitless plea to save at least some dashboard gauges and knobs?  I *hate* digital displays.)

On to the results:

  • 72 percent said they are aware of the recent Jeep Cherokee hacking incident.
  • 41 percent said they will consider this recent vehicle hacking incident when buying/leasing their next car.
  • 78 percent said vehicle hacking will be a frequent problem in the next three years or less.
  • 33 percent classified vehicle hacking as a “serious” problem; 35 percent classified it as a “moderate” problem.
  • 58 percent do not think there will ever be a permanent solution to vehicle hacking.
  • 41 percent think pranking is the most common reason for hacking a vehicle; 37 percent think theft is the most common reason for hacking a vehicle.
  • 81 percent think the vehicle manufacturer is most responsible to secure a vehicle from hacking; only 11 percent consider themselves most responsible to secure a vehicle from hacking, and 5 percent see it as the responsibility of their wireless provider.
  • 64 percent would prefer to go into a dealership to get a vehicle’s security patch installed; only 24 percent would prefer to do it wirelessly, and a mere 12 percent would prefer to have the software mailed so they could install it themselves.
  • 47 percent said they would go to a dealership “immediately” if they knew they had to install a security patch to protect their vehicle from hacking; 31 percent said “within a week,” and 17 percent said “within a month.”
  • 44 percent would prefer to be notified via mail, and 41 percent would prefer to be notified via e-mail, in the event their vehicle was recalled.  Only 11 percent preferred notification via a phone call, and 5 percent preferred text.
  • 52 percent indicated they would be willing to pay for a monthly subscription to ensure that their vehicle would be completely protected from hacking, with $8 being the average respondents would be willing to pay each month.

“Technology offers a wide range of enhanced convenience for today’s new vehicle buyers, but it also offers the increasing potential for unauthorized access and control,” said Karl Brauer, senior analyst for Kelley Blue Book.  “Cyber-security is still a relatively new area of specialization for automakers, but it’s one they need to take seriously to ensure they are ahead of the curve.  If automotive engineers find themselves playing catch-up in this field, it could have disastrous results for both consumers and the industry.”

Some secrets are more valuable than others; Ashley Madison and the new ‘data kidnapping’

Ashley Madison website. Turns out “shhhh” isn’t effective security.

Bob Sullivan

Some secrets are more valuable than others. And some secrets are more valuable TO others.  In perhaps the most predictable extortion hack ever, cheating website Ashley Madison has confirmed to Brian Krebs that some of its data has been stolen.  It now appears that tens of millions of people are at risk of being exposed.  As you’ve already deduced, Ashley Madison users are not really all that worried about having their credit card numbers stolen and used for fraud.

According to Krebs, the hackers — who go by the name The Impact Team — say they will slowly dribble out data from the site until its owners take the cheating site, and companion site “Established Men,” offline.

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails,” Krebs quotes the hackers from a post they left behind.

This is hacking 2.0.  It’s not about the data, it’s about the context.  Using stolen data, like credit cards, to get money is hard work.  Extorting someone who has more to lose than money is a lot more profitable.

When Sony was hit by a combination hack / extortion plot in December, I described this new era of hacking.  Sony corporate emails were stolen by hackers, who then embarrassed the heck out of the firm. Execs said inappropriate, even racist, things.  Actresses were insulted and underpaid.  It all reminded me of a smaller, but no less scary, incident several years ago involving a government contractor named HB Gary, which Anonymous similarly terrorized.

Criminals don’t have to steal financial information to make money hacking. They just have to steal any data that’s valuable to anyone.

Making matters worse for corporate security teams is this reality: In recent years, they’ve all invested heavily in protecting financial data, spending money fortifying the most valuable data.  Credit cards, yes. Email servers, maybe not. Slowly, this will change.  But right now, every executive at every firm in the country should be hard at work doing an honest assessment of what their valuable data really is.  Then, they need to invest wisely in protecting data that might seem inconsequential if stolen in one context, but a disaster if stolen in another.  Because every company will have to plan for ransom and extortion requests now.

It’s hard to understand why Ashley Madison’s owners didn’t see this coming … particularly when AdultFriendFinder.com was hacked two months ago.  But that is how these things go.

The next question in this incident is: How will Avid Life Media get out of this mess?  One possibility is paying a ransom.  A few months ago, I started researching ransom and what I’ll call “data kidnapping” after I’d gotten a whiff this was going on.  The raging success of malware called CryptoLocker, which forced victims to pay a few hundred dollars’ ransom to unscramble their data, certainly proved extortion demands can work.  CryptoLocker made $27 million just in its first two months, from both home users and small organizations.

When I talked to Lisa Sotto, a cyberlaw expert at Hunton & Williams, about this recently, she said she believed things were only going to get worse.

“That’s exactly how I see it going. Companies and individuals paying, because they potentially have no choice,” Sotto said to me. In fact, ransoms are already common, she said. “I do not believe there is a heck of a lot of negotiation involved…They are not asking for exorbitant amounts, so for the most part, what I hear is people are paying.”

In February, a blog post by Christopher Arehart made me even more convinced that ransom and extortion are hacking 2.0. Arehart is the global product manager for crime, kidnap/ransom and extortion, and workplace violence expense insurance for the Chubb Group of Insurance Companies.  In his post, he warned companies that cyber-insurance policies often don’t cover extortion situations.

“Cyber liability insurance policies may help companies deal with first-party cleanup costs, the cost of privacy notifications and lawsuit expenses, but these policies may only provide limited assistance with extortion threats. Extortion threats should be investigated and handled by professionals and small businesses need to know where to turn for assistance,” he wrote.

He then wrote that many businesses should consider adding the same kind of insurance that multinational companies purchase when they must send employees into dangerous parts of the world.

“A kidnap and ransom policy — technically a kidnap, ransom and extortion (KRE) policy — responds when an extortion threat has been made against a company, before there has been any data breach,” he wrote.

I tried to ask Arehart and Chubb about incidents involving extortion or “data kidnapping,” but the firm just pointed me back to his blog.

“Although some criminals eventually back down and do not follow through with their extortion threats, some threats do get carried out and these incidents can often be expensive. The tools available to criminals are vast and they have the power of the Internet behind them. Businesses, especially small businesses, need access to security consultants to help them manage these threats. A KRE policy would provide small businesses with access to those professionals.”

In other words, kidnapping and ransom policies aren’t just for dealing with employees who might run into the Mexican drug cartel any more.

They are for anyone who has data that might be valuable to someone, in some future context.  Secrets are almost always valuable to someone.


Who owns the security budget? It’s not the CISO

Larry Ponemon

Security risks are pervasive and becoming more difficult to prevent or minimize. Without the support of senior management, much needed investments in people, processes and technologies are not made. The findings of the research reveal the difficulty IT security practitioners face in achieving a stronger security posture because of inadequate budgets and the lack of C-level and boards of directors’ involvement in decisions related to IT security investments. This suggests the importance of IT security practitioners becoming more integral to their companies’ IT spending and investment process.

Ponemon Institute is pleased to present the 2015 Global Study on IT Security Spending & Investments. The purpose of this study is to understand how companies are investing in technologies, qualified personnel and governance practices to strengthen their security posture within the limitations of their budget.

We surveyed 1,825 IT management and IT security practitioners in the following global regions: North America; Europe, Middle East and Africa (EMEA); Asia Pacific and Japan (APJ); and Latin America (LATAM), in a total of 42 countries. All respondents are involved to some degree in securing or overseeing the security of their organizations’ information systems or IT infrastructure.

They are also familiar with their organization’s budget process and/or spending on IT security activities. According to participants in this research, boards of directors and C-level executives are not often briefed and often not given necessary information to help them make informed budgeting decisions. As shown in Figure 1, 51 percent of respondents do not agree (34 percent) or are unsure (17 percent) that C-level executives are briefed on security priorities and what investments in technology and personnel need to be made.

Fully 64 percent of respondents do not agree (41 percent) or are unsure (23 percent) their boards of directors are made fully aware of security priorities and required investments. The study reveals the following problems with today’s approach to security spending and investments:

• The CEO and boards of directors are rarely believed to be most responsible for ensuring IT security objectives are achieved. Very few participants say their CEO or boards of directors are held most responsible for ensuring IT security objectives are met (6 percent and 3 percent of respondents, respectively). As a consequence of this lack of accountability, only 24 percent of respondents strongly agree that their organization sees security as one of the top two strategic priorities across the enterprise.

• Who owns the IT security budget? It is not the CISO. Only 19 percent of respondents say the IT security leader has control over how resources are allocated. Instead it is the CIO/CTO and business leaders who own the budget. This suggests the importance of security leaders learning how to influence these individuals if they are going to change how budgets are allocated.

• Security spending is not on the board’s agenda. Despite the increase in well-publicized security breaches, IT security investments are not getting the board’s attention and support. Without support from C-level executives and boards it is understandable that 50 percent of respondents say budgets will be flat or decreasing in the next two years.

• The budgeting process is too complex. The majority of respondents say the annual budget process is too complex (53 percent of respondents). This might lead to poor investment decisions such as purchasing technologies that do not lead to a stronger security posture or delayed investment in much needed resources.

• Many organizations are stuck in a middle stage of maturity. Necessary funding and proper planning are critical to move to a more mature security posture. Only 43 percent of respondents say their organizations’ IT security budgets are adequate and most security programs are only partially deployed.

• Companies are disappointed in technology purchases. According to the research, a lack of qualified personnel is undermining the effectiveness of technology solutions and the overall security posture of organizations. This is mainly because they don’t have the necessary in-house expertise and vendor support. Such buyer’s remorse may discourage companies from considering state-of-the-art technologies.

• Compliance with regulations is difficult without adequate resources. The majority of respondents (58 percent of respondents) do not have sufficient resources to achieve compliance with security standards and laws. Non-compliance puts organizations at risk for legal action and fines.

Want to read the rest of this report?  Download it from Dell here.

Cost of a data breach keeps rising; in 2015 study, now $154 per lost or stolen record

Larry Ponemon

IBM and Ponemon Institute are pleased to release the 2015 Cost of Data Breach Study: Global Analysis. According to our research, the average total cost of a data breach for the 350 companies participating in this research increased from $3.52 million to $3.79 million. The average cost paid for each lost or stolen record containing sensitive and confidential information increased from $145 in 2014 to $154 in this year’s study.

In the past, senior executives and boards of directors may have been complacent about the risks posed by data breaches and cyber attacks. However, there is a growing concern about the potential damage to reputation, class action lawsuits and costly downtime that is motivating executives to pay greater attention to the security practices of their organizations.

In a recent Ponemon Institute study, 79 percent of C-level US and UK executives surveyed say executive level involvement is necessary to achieving an effective incident response to a data breach and 70 percent believe board level oversight is critical. As evidence, CEO Jamie Dimon personally informed shareholders following the JPMorgan Chase data breach that by the end of 2014 the bank will invest $250 million and have a staff of 1,000 committed to IT security.

For the second year, our study looks at the likelihood of a company having one or more data breach occurrences in the next 24 months. Based on the experiences of companies participating in our research, we believe we can predict the probability of a data breach based on two factors: how many records were lost or stolen and the company’s industry. According to the findings, organizations in Brazil and France are more likely to have a data breach involving a minimum of 10,000 records. In contrast, organizations in Germany and Canada are least likely to have a breach. In all cases, it is more likely a company will have a breach involving 10,000 or fewer records than a mega breach involving more than 100,000 records.

In this year’s study, 350 companies representing the following 11 countries participated: United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the Arabian region (United Arab Emirates and Saudi Arabia) and, for the first time, Canada. All participating organizations experienced a data breach ranging from a low of approximately 2,200 to slightly more than 101,000 compromised records. We define a compromised record as one that identifies the individual whose information has been lost or stolen in a data breach.

In this report, for the first time, we will examine two factors that affected the financial consequences of a data breach. The first is executive involvement in their organization’s IT security strategy and response to data breaches. The second is the purchase of cyber insurance to mitigate the cost of a data breach. With the increasing cost and volume of data breaches, IT security is quickly moving from being considered by business leaders as a purely technology issue to a larger business risk. This shift has spurred increased interest in cyber insurance.

The three major reasons contributing to a higher cost of data breach in 2015:

Cyber attacks have increased in frequency and in the cost to remediate the consequences. The cost of data breaches due to malicious or criminal attacks increased from an average of $159 in last year’s study to $170 per record. Last year, these attacks represented 42 percent of root causes of a data breach and this increased to 47 percent of root causes in this year’s study.

The consequences of lost business are having a greater impact on the cost of data breach. Lost business has potentially the most severe financial consequences for an organization. The cost increased from a total average cost of $1.33 million last year to $1.57 million in 2015. This cost component includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. The growing awareness of identity theft and consumers’ concerns about the security of their personal data following a breach has contributed to the increase in lost business.

Data breach costs associated with detection and escalation increased. These costs typically include forensic and investigative activities, assessment and audit services, crisis team management and communications to executive management and board of directors. This total average cost increased from $0.76 million last year to $0.99 million in this year’s report.

More companies are integrating forensic tools into their incident response procedures. In the long-term, deployment of these solutions will prove beneficial to companies because they will provide a clearer picture of the root causes of their data breaches. However, in many cases, these tools enable companies to discover the full extent of the breach. This may result in the reporting of higher data breach costs than in previous years.

NOTE: You may have heard about a Verizon report about data breach costs that came to a different conclusion than our report. We discuss the differences in methodology at this blog post.  And we have a few additional observations about Verizon’s report at this post.

KEY FINDINGS

  • Data breaches cost the most in the US and Germany and the lowest in Brazil and India. The average per capita cost of data breach is $217 in the US and $211 in Germany. The lowest cost is in Brazil ($78) and India ($56). The average total organizational cost in the US is $6.5 million and in Germany $4.9 million. The lowest organizational cost is in Brazil ($1.8 million) and India ($1.5 million).
  • The cost of data breach varies by industry. The average global cost of data breach per lost or stolen record is $154. However, if a healthcare organization has a breach the average cost could be as high as $363 and in education the average cost could be as high as $300. The lowest cost per lost or stolen record is in transportation ($121) and public sector ($68). The retail industry’s average cost increased dramatically from $105 last year to $165 in this year’s study.
  • Hackers and criminal insiders cause the most data breaches. Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks. The average cost per record to resolve such an attack is $170. In contrast, system glitches cost $142 per record and human error or negligence is $134 per record. The US and Germany spend the most to resolve a malicious or criminal attack ($230 and $224 per record, respectively).
  • Malicious or criminal attacks vary significantly by country. Fifty-seven percent of all breaches in the Arabian Cluster and in France 55 percent of all breaches are due to hackers and criminal insiders. Only 32 percent of all data breaches occurring in India are due to malicious attacks and in Brazil it is 30 percent. However, India and Brazil have the most data breaches due to system glitches. Breaches due to human error are highest in Canada.
  • Board involvement and the purchase of insurance can reduce the cost of a data breach. For the first time, we looked at the positive consequences that can result when boards of directors take a more active role when an organization had a data breach. Board involvement reduces the cost by $5.5 per record. Insurance protection reduces the cost by $4.4 per record.
  • The loss of customers increases the cost of data breach. Certain countries have more problems retaining customers following a data breach and, therefore, can have higher costs. These are France, Italy, UK and Japan. Countries with the lowest churn rate are Canada, India and Brazil. Industries with the highest churn are health, pharmaceuticals and financial services.
  • Notification costs remain low, but costs associated with lost business steadily increase. Lost business costs are abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished good will. The average cost has increased from $1.45 million in 2014 to $1.57 million in 2015. Notification costs have declined from $0.19 million in 2014 to $0.17 million in this year’s study.
  • Certain countries are more likely to have a data breach. Last year’s study introduced a new analysis on the likelihood of one or more data breach occurrences. It is interesting that the likelihood of a data breach varies considerably across countries. Brazil and France are most likely to have a data breach involving a minimum of 10,000 records. Canada and Germany are least likely to have a data breach.
  • Time to identify and contain a data breach affects the cost. For the first time, our study shows the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences. Malicious attacks can take an average of 256 days to identify while data breaches caused by human error take an average of 158 days to identify. As discussed earlier, malicious or criminal attacks are the most costly data breaches.
  • Business continuity management plays an important role in reducing the cost of data breach. The research reveals that having business continuity management involved in the remediation of the breach can reduce the cost by an average of $7.1 per compromised record.

To read the entire report, visit IBM’s Cost of a Data Breach website.