A whole lot of time and money gets spent preventing acts or behaviors from happening. Think about the data loss prevention (DLP) space; I’ve seen respected analyst firms show the amount of money spent on DLP growing from the $300-$400 million range in 2010 to upwards of $900 million in 2014.
There’s an ever-increasing amount of money being thrown at the problem. To what end?
In 2012, there were 934 confidential information leaks reported worldwide, a 16% increase over 2011.
In 2013, 496 leaks were reported, an 18% increase.
Not a great return on all that investing.
Two plus two is not adding up here, folks. This is an ineffective deterrent reminiscent of the Maginot Line. Now for the record I am not advocating turning away from traditional DLP solutions. What I am saying is that the value they deliver does not deter people from intentionally leaking data. It may stop the ‘smash and grab’ types, but the determined bad guys are still doing their thing.
Thinking about this took me back…
My wife and I, expecting our first child, called in a relative who installed home security systems. ‘Chris,’ I said, ‘make my house a fortress.’ So Chris went through the house, taking notes. When he had everything he needed, he asked me to walk outside in front of the house with him. As we walked he told me about the sensors and glass break detectors he would use to alarm every entry point. Except one.
‘Mike,’ he asked as he pointed at my garage door, ‘how do you open that?’ ‘I press a button in my car, and it opens like magic,’ I replied. ‘And do you think that the bad people you want to keep out might, just maybe, have a button in their car that can open a garage door?’ ‘I’ve heard about those, yes.’
We opened the garage door and took a look inside. Chris pointed at the door leading into the house.
‘I’m ahead of you on this one, Chris. We lock that door when we leave the house. So, fortress secure!’
He then asked, ‘What do you keep in your garage, Mike?’ ‘My car. Golf clubs. And power tools,’ I responded. ‘Do you think someone could use your power tools to cut through the drywall and insulation that separates your garage from your family room?’ ‘Well, now that you mention it.’
But Chris had a solution. Motion detectors.
If a determined bad guy did make it into the house without setting off the alarm, the motion detectors would (wait for it) detect him.
‘Blanket my house with motion detectors, Chris,’ I directed. Fortress secure!
He shook his head and said, ‘I can’t, Mike. You have cats. And cats, by their very nature, are bad for security.’
A quick huddle with the wife confirmed that we would not, in fact, be getting rid of the cats.
Chris assured me, ‘Mike, I will do everything I can to “fortressify” your house. But I strongly encourage you to put a “this house protected by” sign in front of your house, and let’s put some fake video cameras up outside the house, and get a dog. All of these things will help to scare bad guys away. And, if the dog eliminates your cat problem…’
So, why do I bring this ancient history up? What did I learn from it?
Three things:
- Cats are bad for security.
- You need to monitor the inside.
- Never underestimate the power of deterrence.
Number three really got me thinking recently, so I turned to the dictionary:
Deterrence (noun): The act of preventing a particular act or behavior from happening.
- Merriam-Webster
The stats cited earlier suggest that we aren’t doing a great job on this.
Back to the dictionary:
Deterrence (noun): The act of preventing a particular act or behavior from happening; The act of making someone decide not to do something.
- Merriam-Webster
The act of making someone decide not to do something. Interesting. How do we change the mindset of a person intent on acting in a way counter to the best interests of their employer? There is some fascinating research on this subject.
Valerie Wright, Ph.D., research analyst at The Sentencing Project, noted, ‘research to date generally indicates that increases in the certainty of punishment, as opposed to the severity of punishment, are more likely to produce deterrent benefits.’
In other words, if I think I can get away with it, I’m more likely to do it. I read that 75% of employee-related crimes go unnoticed. I think we can do better at deterring bad acts, like intentional data leaks, fraud, and IP theft. I think the way we do it is by increasing the certainty of punishment. If employees know that their computer activities are monitored and recorded, they will be less likely to think they can get away with it.
There is a definite parallel to the ‘eye-in-the-sky’ in casinos. Yes, they serve to help casino security detect bad acts as they occur, as well as provide evidence after the fact. But they also serve to deter cheaters from even trying, just by being there.
Are we doing enough to deter? What’s the old saying? Numbers never lie…