Cybersecurity

Are we counting on a Maginot Line?

By Veriato Team

A whole lot of time and money gets spent preventing acts or behaviors from happening. Think about the data loss prevention (DLP) space; I’ve seen respected analyst firms show the amount of money spent on DLP growing from in the $300’$400 million range in 2010 to upwards of $900 million in 2014.

There’s an ever-increasing amount of money being thrown at the problem. To what end?

In 2012, there were  934 confidential information leaks reported worldwide‘a 16% increase over 2011.

In 2013,  496 leaks were reported, an 18% increase.

Not a great return on all that investing.

Two plus two is not adding up here, folks. This is an ineffective deterrent reminiscent of the  Maginot Line. Now for the record I am not advocating turning away from traditional DLP solutions. What I am saying is that the value they deliver does not deter people from intentionally leaking data. It may stop the ‘smash and grab’ types, but the determined bad guys are still doing their thing.

Thinking about this took me back ‘

My wife and I, expecting our first child, called in a relative who installed home security systems. ‘Chris,’ I said, ‘make my house a fortress.’ So Chris went through the house, taking notes. When he had everything he needed, he asked me to walk outside in front of the house with him. As we walked he told me about the sensors and glass break detectors he would use to alarm every entry point. Except one.

‘Mike,’ he asked as he pointed at my garage door, ‘how do you open that?’ ‘I press a button in my car, and it opens like magic,’ I replied. ‘And do you think that the bad people you want to keep out might, just maybe, have a button in their car that can open a garage door?’ ‘I’ve heard about those, yes.’

We opened the garage door and took a look inside. Chris pointed at the door leading into the house.

‘I’m ahead of you on this one, Chris. We lock that door when we leave the house. So, fortress secure!’

He then asked, ‘What do you keep in your garage, Mike?’ ‘My car. Golf clubs. And power tools,’ I responded. ‘Do you think someone could use your power tools to cut through the drywall and insulation that separates your garage from your family room?’ ‘Well, now that you mention it.’

But Chris had a solution. Motion detectors.

If a determined bad guy did  make it into the house without setting off the alarm, the motion detectors would wait for it’d detect him.

‘Blanket my house with motion detectors, Chris,’ I directed. Fortress secure!

He shook his head and said, ‘I can’t, Mike. You have cats. And cats, by their very nature, are bad for security.’

A quick huddle with the wife confirmed that we would not, in fact, be getting rid of the cats.

Chris assured me, ‘Mike, I will do everything I can to ‘fortressify‘ your house. But I strongly encourage you to put a ‘this house protected by‘ sign in front of your house, and let’s put some fake video cameras up outside the house, and get a dog. All of these things will help to scare bad guys away. And, if the dog eliminates your cat problem”

So, why do I bring this ancient history up? What did I learn from it?

Three things:

  1. Cats are bad for security.
  2. You need to monitor the inside.
  3. Never underestimate the power of deterrence.

Number three really got me thinking recently, so I turned to the dictionary:

Deterrence (noun): The act of preventing a particular act or behavior from happening.
‘ Merriam Webster

The stats cited earlier suggest that we aren’t doing a great job on this.

Back to the dictionary:

Deterrence (noun): The act of preventing a particular act or behavior from happening; The act of making someone decide not to do something.
‘ Merriam Webster

The act of making someone decide not to do something. Interesting. How do we change the mindset of a person intent on acting in a way counter to the best interests of their employer? There is some fascinating research on this subject.

Valerie Wright, Ph.D., research analyst at The Sentencing Project, noted, ‘research to date generally indicates that increases in the certainty of punishment, as opposed to the severity of punishment, are more likely to produce deterrent benefits.’

In other words, if I think I can get away with it, I’m more likely to do it. I read that  75% of employee-related crimes go unnoticed. I think we can do better at deterring bad acts, like intentional data leaks, fraud, and IP Theft. I think the way we do it is by increasing the certainty of punishment. If employees know that their computer activities are monitored and recorded, they will be less likely to think they can get away with it.

There is a definite parallel to the ‘eye-in-the-sky’ in casinos. Yes, they serve to help casino security detect bad acts as they occur, as well as provide evidence after the fact. But they also serve to deter cheaters from even trying, just by being there.

Are we doing enough to deter? What’s the old saying? Numbers never lie ‘

Insider Risk – How Prepared Are You?

Insider Risk – How Prepared Are You?

Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.

About the author

Veriato Team
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Quis ipsum suspendisse ultrices gravida.

Insider Risk & Employee Monitoring Resources

Smart Year-End IT Investments- A Trifecta for ROI

Smart Year-End IT Investments- A Trifecta for ROI

Drive Productivity, Reduce Insider Risk, Enforce Compliance As the year wraps up, many IT, security, compliance, and HR teams have unspent budgets that won't roll over. Rather than scrambling for last-minute, low-value purchases, why not make smart, strategic...

Is IAM, SIEM, and DLP Enough to Combat Insider Risk?

Is IAM, SIEM, and DLP Enough to Combat Insider Risk?

Key Takeaways: Closing the Gaps in Traditional Security Tools: IAM, SIEM, and DLP are vital but insufficient in addressing insider risks. They focus on access control, event logs, and data protection without understanding the behavioral context that signals insider...