A year-long review of managed security service (MSS) provider trends has shown us one thing: MSS providers want to protect their customers as cheaply as possible so that as much of the service fee as possible is returned to the MSS as profit. An alarming trend in the industry is to not acknowledge breaches, because acknowledging them means dealing with them and risking regulatory action or costly fines from the FTC. What we have been hearing is that companies would rather buy their way out of a breach (we will get back to this in a moment) than buy cyber insurance and pay for security services from MSPs. Larger companies have billions in assets, so a 20 million dollar fine is a setback, not the end of the world, for a 20 billion dollar company.
Largely, the FTC has only come after businesses that have blatantly failed to protect consumer information. This has actually created a culture of ignoring breaches in the industry. By our count only 1 in 15 breaches actually gets reported, and of those only 2 or 3 notify their end users that there was an issue. Usually the companies that do notify are the Twitters, GitHubs or Amazons of the world, which have large user bases and value their reputations. Privately owned companies tend to take the route of "if I acknowledge it, then I have to do something to resolve it, and that's costly; better to just ignore it, pay any fines levied and move on." We completely disagree with this stance, but we are seeing it more and more.
It seems that only when the media calls out a company and gets the attention of lawmakers do things really start happening. Look at the Cambridge Analytica story as a perfect example. This type of activity had been going on for years and was virtually undetected; nobody truly cared that these companies were able to do business intelligence, or espionage depending on whom you ask, legally. It was only after the media got hold of the story and started publicly calling out Cambridge Analytica that we saw Mark Zuckerberg in front of Congress and Cambridge Analytica "shutting down", which was really a smoke-and-mirrors act of changing its name. In short, this same activity will continue, and we are back to normal operating conditions.
Apps are the problem
One of the biggest issues we are seeing is that end users just don't read the terms of service of the applications and services they use. Nearly every application out there allows the application developer to collect statistics. These "statistics" include how long you use the app, where you use the app, how you use the app and so on. What is really frightening is that the location data is being aggregated by companies and sold to law enforcement and government so they can target and track you, the individual, without a warrant, because you have agreed to let the application developer collect the statistics and they are legally allowed to resell access to that data. At least companies like Twitter truly give you the control to either allow this or completely block it; the other companies and social media giants should take a cue from Twitter and put control back in the end user's hands to limit this activity if you so wish.
In short, read the terms and conditions of use of these applications and understand what they are truly saying.
Wall of shame
Back in 2012 we had a blog where we would call out companies whose security was lacking or that were leaking customer information. At the time we received all sorts of responses, everything from "thank you for letting us know" to threats of lawsuits. These companies were totally upset that we were informing users about what was happening when in fact they should have been looking for ways to better secure their platforms. They should also have stopped selling this data, because in short we believe these companies to be performing proxied illegal searches in violation of the 4th Amendment. They continue to do it because we as consumers allow it. Law enforcement and government can use these data searches because the data is housed by a private company, circumventing the legal process required to get a FISA court order. In cases of missing persons in danger we believe this to be a good thing; when it's used to track criminals it's a clever way to circumvent protections on US citizens.
Why limit your security vendors?
Another problem we constantly see is that companies will hire red teams to test security but then limit them to areas they already know they are doing well in, negating the real purpose of the exercise: identifying the areas that need to be more heavily protected. These same reviews are then passed on to insurance carriers, which provide a premium reduction because the companies are actively trying to secure their networks (at least the areas they already have high confidence are secure). A report that only covers the systems the company chose to put in scope says nothing about the ones it left out. This is like having a shootout at high noon and only arming one of the cowboys. You already know what the outcome is going to be, and limiting the red team exercise makes it pointless.
Buying your way out of a breach
It's even worse at larger companies. Most companies realize that data breaches cost on average between 10 and 20 million in losses. Companies have been putting funding aside to, in effect, self-insure instead of spending money to actually fix the security issues they are aware of. This tells us that companies know they are going to be breached and would rather have money set aside to pay any fines. These same companies are concentrating on their profits rather than doing the right thing. In short, they are buying their way out of a breach.
As you can see, we have brought up several opinions in this piece. These blog posts are shared to get you thinking about and discussing topics of interest, not to push you to agree or disagree with any stance or with what is occurring in the industry. We want to hear from you. Follow us on Twitter to comment on this or other blog posts and, as always, stay vigilant!