Companies focus on growth, lagging behind threat

In the world of cybersecurity, the equivalent of a deadbolt lock on the factory door and keeping the lights on became obsolete years ago.

But too many companies are still stuck in the mentality that some security is enough, and a culture that values growth over security, says Shellye Archambeau, CEO of MetricStream, a provider of governance, risk, compliance and management services.

In the wake of recent data breaches of the popular professional networking site LinkedIn, the dating site eHarmony and the music site, Archambeau said those companies are simply not keeping up with evolving threats.

"They aren't leaving their door wide open. But they're not counting on somebody having glass cutters either. Now you need to have wire mesh on your windows, because the people focused on hacking have more and more tools," she said.

Combined with the fact that data "doesn't stay put," that means the need for more sophisticated, layered security ought to be obvious, Archambeau said. "Data is moving all over the place on many devices," she said. "So securing it is a lot harder."

LinkedIn, a mature, profitable company with an estimated 160 million members, is only one of the more recent examples of what experts say is a stunning lack of basic security among some data companies. Since the breach last week of about 6.5 million passwords, it has been widely reported that the company wasn't even following "Security 101" protocols.

As CSO reported last week, LinkedIn was protecting passwords with only the most basic encryption. The process, known as "hashing," scrambles a password with a mathematical algorithm and stores only the encoded, or "hashed," version.

But that is not nearly enough to stop today's hackers, who use automated tools that can test up to a million passwords a second. The current standard for security of stored passwords is to add a series of random digits to the end of each hashed password, known as "salting." It is relatively simple and can be done at no cost.
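To make the hashing-versus-salting point concrete, here is an added Python example (not code from this article or from LinkedIn): it stores a few constructed sample passwords once as bare hashes (plain SHA-1 is assumed for the "hash only" scheme) and once with a per-user random salt mixed into the password before hashing, the standard construction, and then counts how many users end up with identical stored values. Function names such as `store_salted` and `users_with_shared_hash` are the example's own.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not data from any real breach). Two users
# chose the same password, which is common in any large user base.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",
    "carol": "correct-horse-battery",
}

def store_unsalted(password: str) -> str:
    """Hash only, no salt (SHA-1 assumed): the gap the article describes.
    The same password always yields the same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def store_salted(password: str, iterations: int = 100_000) -> dict:
    """Per-user random salt mixed into the password before hashing, plus a
    deliberately slow key-derivation function (PBKDF2-HMAC-SHA256) so that
    each automated guess costs far more than a single plain hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def verify_salted(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])

def users_with_shared_hash(stored: dict) -> int:
    """Count users whose stored value is identical to another user's.
    A defender can run this over a password table as a health check:
    any non-zero result means the store exposes password reuse directly."""
    counts = {}
    for value in stored.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(c for c in counts.values() if c > 1)

def compare_schemes(accounts: dict = SAMPLE_ACCOUNTS) -> tuple:
    unsalted = {u: store_unsalted(p) for u, p in accounts.items()}
    salted = {u: store_salted(p)["hash"] for u, p in accounts.items()}
    return users_with_shared_hash(unsalted), users_with_shared_hash(salted)

if __name__ == "__main__":
    print("users sharing a stored value (unsalted, salted):", compare_schemes())  # (2, 0)
```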

Not only was LinkedIn failing to do that, it does not have a chief information officer (CIO) or a chief information security officer (CISO) either.

Archambeau and others say one of the reasons for the continuing spike in successful data breaches is that "while companies get a bit of a black eye, there are no major consequences for it."

Nicole Perlroth reported in The New York Times that "part of the problem may be that there are few consequences for companies with a devil-may-care attitude toward data. There are no legal penalties. Customers rarely defect. And in LinkedIn's case, its stock price actually rose in the days after the breach."

Archambeau believes enterprise leaders do care about securing their data, especially when they amount to the "crown jewels" of the operation, as is the case with LinkedIn. But she said she thinks part of the problem is a cultural attitude she calls the "startup mentality."

"Companies only exist when they are taking risks," Archambeau said. "The environment and culture around that - that's all good. But at the same time, as companies mature, they need to understand not only how to take risks, but how to manage it. They're not doing enough on that."

Why they aren't mystifies some experts. Security makes obvious financial sense. Jeremiah Grossman, founder and chief technology officer (CTO) of WhiteHat Security, told Nicole Perlroth at The Times that the cost of setting up proper password, web server and application security for a company like LinkedIn would be a one-time cost of "a couple hundred thousand dollars," while the average breach costs a company $5.5 million, or $194 per record.

If there are no severe consequences for lax security, however, what will force enterprises to take security more seriously? Some argue for legal or regulatory penalties for breaches. In California, a unique state law aimed at protecting health records, the Confidentiality of Medical Information Act of 1981, provides for damages of $1,000 per person, per violation. That law is currently being tested in court.

Paul Kocher, president of Cryptography Research, in an interview with Perlroth, compared the decline in airplane fatalities -- thanks to the Federal Aviation Administration in 1958 and better security and maintenance regulations -- to computer security threats, which have increased 10,000-fold since 2002.

The reason for lax security in the face of those threats, he said, is a lack of liability.

Archambeau said she would prefer to see industry collaboration rather than government bringing a regulatory or legal hammer down. "I'm a big proponent of industries coming together and setting standards," she said. "Regulation is a fallback to when nothing else works."
