A Brilliant Insight

By Janet Aschkenasy on January 10, 2014

Alan Brill
Senior Managing Director
Kroll Advisory Solutions

Alan Brill of Kroll Advisory Solutions is the Cyber Risk Network’s first interviewee in what is a regular Weekly Download highlight to give members a glance at the thoughts, opinions and trends from prominent cyber personalities. “The thing that worries me the most is that many organizations act as if they have some sort of magical immunity to incidents,” Brill told Advisen.

Advisen: What do you see as the greatest cyber risks today?

Brill: Interestingly, data breaches don’t always arise from a super high-tech attack from incredibly talented hackers or state sponsored individuals. We see them, but they’re not causing most of the problems.

The key behind the actual threats that materialize is that people don’t take simple steps to protect themselves.

Software manufacturers are always coming up with patches to address known security problems. If you don’t install those you’re running with a known hole. Often we find the attacks that are successful use those known holes because the patches didn’t get installed.

Another risk is that people are using default passwords in their systems. The hackers know all the defaults that are put into devices, and if you don’t change them, you should expect that a hacker will try all of the passwords used by the manufacturer, or those known to be too commonly used, like using the word “password” as your password.

A third issue is failing to harden your system. When software is initially installed it’s very often not very secure. Organizations like the National Institute of Standards and Technology (NIST) offer free ‘hardening guides’ with specific instructions for strengthening the security for a wide range of software and associated hardware. Hackers, of course, study these guides to identify ways of attacking systems that haven’t been hardened, so expect these avenues of attack to be used against you.

When we look at an incident we often find a conflict between security and usability: the technology staff wanted to increase the level of security in a corporation but user-area management resisted. Reaching the right balance is very important – you can’t ignore the problem, but you also can’t load so much security into a system that it becomes impractical to actually use it.

Advisen: Where do you see the greatest threats emerging in the next five years?

Brill: The greatest threat will be to organizations that don’t have a benchmark against which they measure their security. It’s better to assert you’re doing well against known standards than just your own definition of security, and even better if you can demonstrate your compliance with them.

As technical and people threats evolve, it will become increasingly important for IT to talk in terms of measuring its security against a recognized standard, such as the ISO standards or those published by NIST.

While that can be a burden, it also lets management know exactly where their organization stands in terms of compliance using the same standards against which they would be audited. The organizations we’ve worked with tell us that it’s that knowledge that helps their board members get a better night’s sleep.

Advisen: Is the insurance industry doing enough to adequately address cyber risk?

Brill: There’s been a huge amount of work done in putting together policies covering cyber risk. The issue is always: How do you underwrite and understand the risk the organization is facing?

Without an absolute standard to judge how an organization is doing you’re in the difficult position of having to figure things out the hard way.

It’s easy to say, “Here’s how we’re doing, trust me.” But that’s not going to be good enough anymore.

Insurers should also be thinking of measuring information security against a standard, taking cues from the Federal Information Security Management Act (FISMA), NIST, or ISO, for instance.

Advisen: What keeps you awake at night?

Brill: I guess the thing that worries me the most is that many organizations act as if they have some sort of magical immunity to incidents.

It’s the same “security versus usability” challenge I mentioned earlier. Some organizations end up in a situation where nobody wants to take any real responsibility for the security of sensitive information.

We see this through the failure to take basic precautions, like the use of encryption in laptops and other portable devices, or lack of testing or updating new systems for security. Basically we see people not putting a priority on identifying problems or on actually fixing the problems they find.

Advisen: In your opinion, what’s been the most important cyber risk development in the past 12 months?

Brill: The rapid growth of BYOD and BYOC – bring your own device and bring your own cloud – is scary.

We’re seeing a tremendous increase in the adoption of BYOD where people want to use their own phones and their tablets to access and process company information outside of the workplace.

Some companies have, in fact, done a very good job of installing mobile device management (MDM) systems. The idea with MDM systems is to keep company information in a “sandbox” within the device where it can be protected, controlled, and synchronized to servers at the company, and for that information to be able to be remotely destroyed if the device is lost.

With regard to BYOC, employees may for example have a Dropbox account or use Microsoft SkyDrive or some other remote storage services to store company information on a remote server without the company’s authorization.

I saw a recent survey where 70 percent of employees said they had personal storage on the Internet so this is a real issue.

Some companies are addressing this issue by prohibiting storage of company data on personally controlled internet-based storage systems or by using filters that can prevent employees on the company network from accessing common cloud storage sites.

Network monitoring may also be able to detect sensitive information leaving the network and report it so that it can be looked at and understood. But right now, doing that is the exception, rather than the rule.
About Alan Brill

Alan Brill is senior managing director for Kroll Advisory Solutions. He consults with law firms and corporations on investigative issues relating to computers and digital technology, including the investigation of computer intrusions, Internet fraud, identity theft, misappropriation of intellectual property, cases of internal fraud, data theft, sabotage and computer security projects designed to prevent such events.

Janet writes daily news including proprietary Advisen data analysis for Advisen’s cyber FPN and management liability FPN editions. She has been a financial writer since 1983 and an insurance writer for roughly 20 years, focusing on commercial property and casualty insurance.