Managing Shadow IT

“Shadow IT,” or solutions not specified or deployed by the IT department, now accounts for 35 percent of enterprise applications. Research shows an increase in shadow IT spend, with numbers projected to grow another 20 percent by the end of 2015.

Experts agree that shadow IT is here to stay, particularly the growing tendency to use cloud services for collaboration, storage and customer relationship management.

Enterprise organizations can’t afford to bypass the productivity and profitability that comes with a happy and enabled mobile workforce. However, the utilization of SaaS that IT has not vetted and approved may expose regulated or protected personal data, which a business is responsible for remediating.

California leads the way in the privacy arena with the Security Breach Notification Law and Online Privacy Protection Act. The Federal Trade Commission is the primary U.S. enforcer of national privacy laws, with other national and state agencies authorized to enforce additional privacy laws in vertical industries such as banking and health care.

Sanctions and remedies for non-compliance with FTC data protection laws include penalties of up to US $16,000 for each offense. The FTC can also obtain an injunction, restitution to consumers, and repayment of investigation and prosecution costs. Criminal penalties include imprisonment for up to ten years. In 2006, a data broker agreed to pay US $15 million to settle charges filed by the FTC for failing to adequately protect the data of millions of consumers. Settlements with government agencies can also include onerous reporting requirements, audits and monitoring by third parties. A major retailer that settled charges of failing to adequately protect customers’ credit card numbers agreed to allow comprehensive audits of its data security system for 20 years.

So, what is the answer? How do you start to get a handle on shadow IT?

Ask.
Ask employees which cloud services they are using. You will likely also need a combination of automated and manual discovery tools to get a complete picture of which programs employees are using and what data is hosted and shared in provider clouds. These “cloud consumption” dashboards can monitor and assess cloud usage and detect encryption tools at each host.
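A minimal form of the automated discovery described above, as an added example that is not Code42’s product or the author’s code: it reads web proxy log lines, maps destination hosts to known SaaS services through a catalog, and reports the services that are not on IT’s sanctioned list along with the users seen and the volume uploaded to each. The log format, the service catalog, and the sanctioned list are all constructed for this example.

```python
"""Shadow-IT discovery from web proxy logs (added example, not Code42's product).

Parses constructed proxy log lines, maps destination hosts to known SaaS
services, and reports services that are not on the sanctioned list together
with the users seen and the volume of data uploaded to them.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log lines in a simplified Squid-like format (assumption):
# <timestamp> <user> <method> <host> <bytes_sent> <bytes_received>
SAMPLE_LOG = """\
2015-10-01T09:12:03Z alice POST files.example-drive.test 5242880 512
2015-10-01T09:15:41Z alice GET www.approved-crm.test 300 40960
2015-10-01T10:02:17Z bob POST upload.quickshare.test 20971520 256
2015-10-01T10:05:00Z carol GET mail.approved-suite.test 200 8192
2015-10-01T11:30:22Z carol POST files.example-drive.test 1048576 300
2015-10-01T12:00:00Z dave POST api.unknown-notes.test 4096 100
malformed line that should be skipped
"""

# Catalog of known SaaS domains -> service name (constructed for this example).
SAAS_CATALOG = {
    "files.example-drive.test": "ExampleDrive",
    "upload.quickshare.test": "QuickShare",
    "www.approved-crm.test": "ApprovedCRM",
    "mail.approved-suite.test": "ApprovedSuite",
}

# Services IT has vetted and approved (constructed).
SANCTIONED = {"ApprovedCRM", "ApprovedSuite"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>[\w.-]+) "
    r"(?P<sent>\d+) (?P<recv>\d+)$"
)


@dataclass
class ServiceUsage:
    users: set = field(default_factory=set)
    bytes_uploaded: int = 0
    requests: int = 0


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_host(host):
    """Map a host to (service_name, sanctioned). Hosts missing from the catalog
    are reported under their own name so they surface for manual review."""
    service = SAAS_CATALOG.get(host, host)
    return service, service in SANCTIONED


def build_report(log_text):
    """Aggregate unsanctioned cloud usage per service from raw log text."""
    usage = defaultdict(ServiceUsage)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not fit the expected format
        service, sanctioned = classify_host(rec["host"])
        if sanctioned:
            continue
        entry = usage[service]
        entry.users.add(rec["user"])
        entry.requests += 1
        # Only request bodies (POST/PUT) count as data leaving the organisation.
        if rec["method"] in ("POST", "PUT"):
            entry.bytes_uploaded += int(rec["sent"])
    return dict(usage)


def format_report(report):
    """Render the report sorted by upload volume, largest first."""
    lines = ["service | users | uploaded bytes"]
    for name, u in sorted(report.items(), key=lambda kv: -kv[1].bytes_uploaded):
        lines.append(f"{name} | {', '.join(sorted(u.users))} | {u.bytes_uploaded}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_LOG)))
```

Hosts absent from the catalog are deliberately kept in the report under their bare hostname rather than dropped; in practice the unknown column is where new shadow services first appear, and an analyst triages it by promoting entries into the catalog and, where appropriate, the sanctioned list. Response bytes are ignored because the question here is what data leaves the organisation, not what is downloaded.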

Protect your data.
Implement automatic backup of all endpoint data in the enterprise to capture a real-time view of where employee data lives, when and where it moves and who has touched it—even as it moves to and from non-approved clouds.

Act fast when the inevitable happens.
The reality is a breach may be inevitable, but you can recover. With continuous and automatic endpoint backup, IT can quickly evaluate the content of files believed to have been breached and act in good faith to lessen the impact. Additionally, understanding what was stolen allows a company to make an accurate disclosure and manage consumer confidence issues.

For CIOs and IT staff accustomed to maintaining complete control over their digital ecosystems, relinquishing even a bit of this control can be terrifying—even in the name of productivity. And yet, with a security strategy that focuses on complete data visibility, they can empower mobile workers while minimizing the risks associated with the dark side of shadow IT.

Rachel Holdgrafer, Business Content Editor, Code42

[Cloud Security Alliance Blog]

Is the Internet of Things safe? New ISACA Survey Shows Significant Perception Gap

As global use of connected devices—including those used for life-saving purposes—grows, a new survey from ISACA shows that there is a significant confidence gap between consumers and cybersecurity and IT professionals. In fact, while 64% of US consumers say they are confident they can control information conveyed through Internet of Things (IoT) devices, 78% of professionals say security standards are insufficient.

According to ISACA’s 2015 IT Risk/Reward Barometer, the number one IoT-related security concern for enterprises is data leakage. Nearly half of the more than 7,000 global professionals surveyed think their IT department is not aware of all of the organization’s connected devices (e.g., connected thermostats, TVs, fire alarms), yet 73% believe the likelihood of being hacked through an IoT device is medium or high. At the same time, 72% say that IoT device manufacturers do not implement sufficient security.

It is clear that further education and awareness efforts are needed. Now. The number of B2B IoT devices is expected to grow from 1.2 billion connected devices in 2015 to 5.4 billion in 2020. That is a lot of important personal and confidential data being shared, transported and used by often unknown entities.

On the flip side, there is a significant business risk if organizations do not embrace IoT. They may lag behind competitors and upstarts, and risk losing revenue and reputation. In addition, enterprises do gain value from IoT. Specifically, global survey respondents reported that the greatest benefits of using IoT are:
* Greater accessibility to information (44%)
* Greater efficiency (35%)
* Improved services (34%)
* Increased employee productivity (25%)
* Increased customer satisfaction (23%)

The key is to balance risk with benefits, and I encourage professionals and consumers to safely embrace IoT devices. To help do this, ensure all devices are updated regularly with security upgrades, take cyber security training, be wary about information shared and stay alert for unusual behavior at all times. The future is bright. Or at least that’s what my connected watch tells me.

Rob Clyde, CISM
International Vice President and Board Director, ISACA
Managing Director, Clyde Consulting LLC

Note: ISACA’s annual IT Risk/Reward Barometer is a global indicator of trust and attitudes. The 2015 study is based on polling of 7,016 ISACA members in 140 countries and additional surveys among 1,227 consumers in the US, 1,025 consumers in the UK, 1,060 consumers in Australia, 1,027 consumers in India and 1,057 consumers in Mexico. To see the full results, visit www.isaca.org/risk-reward-barometer.

[ISACA Now Blog]

National Cybersecurity Awareness Month: YOU Have the Power to Change Cybersecurity

National Cybersecurity Awareness Month in October is the perfect time to reflect on what you’re doing to overcome the cybersecurity skills shortage. That’s right – you – personally. According to Dr. Jane LeClair, COO for the National Cybersecurity Institute at Excelsior College, the cybersecurity skills shortage is everyone’s problem, and we all have a responsibility to meet this need.

Dr. LeClair believes that in order to shore up the workforce, it’s essential to broaden the pool of candidates beyond typical populations (such as the military and IT). Dr. LeClair sees cybersecurity awareness – both its impact on our daily lives and as a career opportunity – as the perfect vehicle to achieve this.

So, rather than providing courses only to people who are pursuing a formal cybersecurity education and are on a professional track, the NCI offers both career-oriented education AND informal awareness courses and content.

By combining public awareness of cybersecurity issues with career-oriented education, the NCI is hoping to attract as many people as possible to the field. Through robust (often free) courses, such as “Introduction to Cybersecurity,” monthly webcasts and a daily blog, they are hoping to give people a voice to discuss issues that are important to them and an outlet for increasing their knowledge. Dr. LeClair challenges, “If cybersecurity is so vital in our daily lives, shouldn’t we all be doing everything we can to help?”

She states, “People can get complacent, so it’s important that we keep cybersecurity in front of them and keep it fresh. We know people are interested in these issues, and the informal learning piece helps them continue to learn as the industry changes.”

NCI’s ultimate goal is to teach people to like cybersecurity, whether they go on to pursue a career or just have their cybersecurity consciousness elevated. Dr. LeClair asserts, “Cybersecurity is a lifelong, daily learning opportunity. We want people to develop a personal enjoyment and passion for it in order to be strong, lifelong learners.”

The NCI is tackling the issue both from the bottom up and the top down. Through their MBA cybersecurity program, they aim to raise awareness at a managerial level. Dr. LeClair believes organizations have a deep need to realize how important cybersecurity is and that if management embraces the message, it will trickle down to all employees.

These programs are gaining a lot of traction, and Dr. LeClair knows they’re on to something. So, they’ve ramped up their National Cybersecurity Awareness Month efforts this year:

  • Offer daily podcasts.
  • Post a different game every day.
  • Offer a free, live event on cyber law and cyber insurance.
  • Post one case study per week that people can use within their organizations to get discussions going about cybersecurity.

It’s easy to think that by avoiding those links that could crash your company’s network and not falling for those emails from Nigerian princes, you’re doing enough. But what if we all had cybersecurity awareness ingrained in us? What if children began learning about cybersecurity as a career option early in school? What if cybersecurity education was accessible to ALL people, rather than just an elite group already on the path to a lifelong cybersecurity career? We could actually improve the global cybersecurity situation. For more information on the (ISC)² Global Academic Program (GAP), please visit https://www.isc2.org/global-academic-program/default.aspx or send an email to academic@isc2.org.

[(ISC)² Blog]

The Cybersecurity Canon: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Steve Winterfeld: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (2015) by Bruce Schneier

Executive Summary

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World is Bruce Schneier’s manifesto on what should be done about the amount of, and the controls around, data being collected on us. If, like me, you have been focused on information security, this book is a great exposure to the privacy issues our profession is facing. The book is more focused on policy than practical application, but it is worth the read for the background and ideas presented.

Data and Goliath is a call to action around two topics: first, the cultural acceptance of not owning our personal data or understanding how it is being used; and second, the difference between nation-state espionage and mass surveillance. Trying to reduce the themes of the book to just a couple of points is a gross oversimplification. This book belongs in the Canon due to the foundational and timeless issues it addresses for our industry. Finally, don’t let the 400-page length intimidate you, as the text of the book is only 238 pages with the rest being reference notes.

Review

Schneier’s first books were all about cryptography, and he has been part of developing multiple cryptographic algorithms. Over time, he has moved to broader security issues (Secrets and Lies is still a relevant foundational book today). Now, he is addressing national policy, market economics, and privacy expectations around demographics like generational differences.

Data and Goliath is a call to action aimed at the U.S. While it addresses international issues and laws, Schneier acknowledges the fact that it is U.S.-focused. Some of this can be credited to Edward Snowden’s exposing of National Security Agency (NSA) documents. Schneier is a supporter of Snowden and his actions.

The book is organized into three sections: the world we are creating, what’s at stake, and what to do about it.

The world we are creating covers the types and amount of personal data we are collecting (mass surveillance), how it is being used, and who is using it. This section provides the background and evidence for his positions and conclusions. He provides examples of cell phone providers tracking not just you, but who you are with; companies selling data on gullible seniors; and purchasing patterns revealing if you’re pregnant. The last example came from a case in which pregnancy-related advertisements were sent to the family, which is how the father found out his daughter was pregnant. One of the more interesting points covered is how long data is stored. How long does your phone company need to know where you were? Should they have the right to sell this info? Do you realize you have no rights as to how your personal data is used?

What’s at stake starts with political perspective (liberty and justice), commercial aspects (fairness and equality), and looks at privacy vs. security facets of the issue. Schneier proposes that mass surveillance by commercial companies or governments has chilling effects on social change, leads to censorship, and facilitates surveillance-based manipulation. Additionally, he points out examples of accusation by data after the fact, cases of institutional abuse, and governments stockpiling vulnerabilities or building in backdoors. He builds a strong case for what the NSA has cost U.S. companies in international business after Snowden revealed how they were collaborating. He does acknowledge the same would be true in other countries like China and companies like Huawei.

One key idea for me was: “Science fiction writer Charles Stross described this as the end of prehistory.” What is the impact of your actions being tracked and stored for the rest of your life? Do you want to have to explain your actions at 21 when you’re 45?

What to do about it provides actionable advice to governments, corporations and the average citizen. The book looks at social norms and big data trade-offs. This section talks about the security to surveillance trade-off and covers comparing police to national surveillance, as it pertains to protecting citizens. It looks at institutional vs. individual power and comes down hard on the NSA and FISA court. In fact, Schneier proposes that the Communications Security mission should be split off from the Signals Intelligence mission of the NSA and given to the National Institute of Standards and Technology. He calls for whistleblowing protection organizations and talks about how Snowden could not get a fair trial under the current system. Finally, he outlines concerns around movements to nationalize the Internet.

Here are the notable guidance references: Necessary and Proportionate principles, Executive Order 12333, Section 215 of the PATRIOT Act and Section 702 of the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, Communications Assistance for Law Enforcement Act, Posse Comitatus Act, Organisation for Economic Co-operation and Development Privacy Framework, European Union Data Protection Directive, The Code of Fair Information Practices, White House Consumer Privacy Bill of Rights, Madrid Privacy Declaration.

The key in this section for me was “Privacy-law scholar Peter Swire writes about the declining half-life of secrets.” The days of government secrets lasting 50 years until they were declassified are gone.

Here is his guidance: use encryption and anonymizing systems, such as Tor, to protect yourself. We should look for ways to avoid, block, distort and break surveillance. Institutions need transparency, accountability and independent oversight. His call to action: notice it, talk about it, and organize politically.

Schneier does acknowledge the benefits of mass data collection, like steering us away from traffic jams and how hard this issue is to address. What he is asking is that we have a transparent debate about what is socially and legally acceptable.

Conclusion

While Data and Goliath brings to mind the Internet enabling a surveillance state that Stalin wanted or Orwell imagined, it is also a must-read that provides you with the background and evidence to make up your own mind. While I didn’t agree with all of the arguments presented, I would not have developed my opinion if I had not been challenged by the ideas in the book.

This book should be read by anyone who has responsibility for the privacy of customer data.

[Palo Alto Networks Blog]