The Legal Risks of Security Research
Sunoo Park and Kendra Albert have published “A Researcher’s Guide to Some Legal Risks of Security Research.”
From a summary:
Such risk extends beyond anti-hacking laws, implicating copyright law and anti-circumvention provisions (DMCA §1201), electronic privacy law (ECPA), and cryptography export controls, as well as broader legal areas such as contract and trade secret law.
Our Guide gives the most comprehensive presentation to date of this landscape of legal risks, with an eye to both legal and technical nuance. Aimed at researchers, the public, and technology lawyers alike, its aims both to provide pragmatic guidance to those navigating today’s uncertain legal landscape, and to provoke public debate towards future reform.
Comprehensive, and well worth reading.
Here’s a Twitter thread by Kendra.
Sidebar photo of Bruce Schneier by Joe MacInnis.
On Risk-Based Authentication
Interesting usability study: “More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication“:
Abstract: Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well.
We present the results of a between-group lab study (n=65) to evaluate usability and security perceptions of two RBA variants, one 2FA variant, and password-only authentication. Our study shows with significant results that RBA is considered to be more usable than the studied 2FA variants, while it is perceived as more secure than password-only authentication in general and comparably se-cure to 2FA in a variety of application types. We also observed RBA usability problems and provide recommendations for mitigation.Our contribution provides a first deeper understanding of the users’perception of RBA and helps to improve RBA implementations for a broader user acceptance.
Sidebar photo of Bruce Schneier by Joe MacInnis.
Negotiating with Ransomware Gangs
Really interesting conversation with someone who negotiates with ransomware gangs:
For now, it seems that paying ransomware, while obviously risky and empowering/encouraging ransomware attackers, can perhaps be comported so as not to break any laws (like anti-terrorist laws, FCPA, conspiracy and others) and even if payment is arguably unlawful, seems unlikely to be prosecuted. Thus, the decision whether to pay or ignore a ransomware demand, seems less of a legal, and more of a practical, determination almost like a cost-benefit analysis.
The arguments for rendering a ransomware payment include:
- Payment is the least costly option;
- Payment is in the best interest of stakeholders (e.g. a hospital patient in desperate need of an immediate operation whose records are locked up);
- Payment can avoid being fined for losing important data;
- Payment means not losing highly confidential information; and
- Payment may mean not going public with the data breach.
The arguments against rendering a ransomware payment include:
- Payment does not guarantee that the right encryption keys with the proper decryption algorithms will be provided;
- Payment further funds additional criminal pursuits of the attacker, enabling a cycle of ransomware crime;
- Payment can do damage to a corporate brand;
- Payment may not stop the ransomware attacker from returning;
- If victims stopped making ransomware payments, the ransomware revenue stream would stop and ransomware attackers would have to move on to perpetrating another scheme; and
- Using Bitcoin to pay a ransomware attacker can put organizations at risk. Most victims must buy Bitcoin on entirely unregulated and free-wheeling exchanges that can also be hacked, leaving buyers’ bank account information stored on these exchanges vulnerable.
When confronted with a ransomware attack, the options all seem bleak. Pay the hackers and the victim may not only prompt future attacks, but there is also no guarantee that the hackers will restore a victim’s dataset. Ignore the hackers and the victim may incur significant financial damage or even find themselves out of business. The only guarantees during a ransomware attack are the fear, uncertainty and dread inevitably experienced by the victim.
Sidebar photo of Bruce Schneier by Joe MacInnis.
Only 44% of healthcare providers, including hospital and health systems, conformed to protocols outlined by the NIST CSF – with scores in some cases trending backwards since 2017, CynergisTek reveals.
Healthcare providers and NIST CSF
Analysts examined nearly 300 assessments of provider facilities across the continuum, including hospitals, physician practices, ACOs and Business Associates.
The report also found that healthcare supply chain security is one of the lowest ranked areas for NIST CSF conformance. This is a critical weakness, given that COVID-19 demonstrated just how broken the healthcare supply chain really is with providers buying PPE from unvetted suppliers.
“We found healthcare organizations continue to enhance and improve their programs year-over-year. The problem is they are not investing fast enough relative to an innovative and well-resourced adversary,” said Caleb Barlow, CEO of CynergisTek.
“These issues, combined with the rapid onset of remote work, accelerated deployment of telemedicine and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system.
“However, the report isn’t all doom and gloom. Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores.”
Bigger budgets don’t mean better security performance
The report revealed bigger healthcare institutions with bigger budgets didn’t necessarily perform better when it comes to security, and in some cases, performed worse than smaller organizations or those that invested less.
In some cases, this was a direct result of consolidation where systems directly connect to newly-acquired hospitals without first shoring up their security posture and conducting a compromise assessment.
“What our report has uncovered over recent years is that healthcare is still behind the curve on security. While healthcare’s focus on information security has increased over the last 15 years, investment is still lagging. In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won’t cut it,” said David Finn, EVP of Strategic Innovation at CynergisTek.
“The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19.”
Leading factors influencing performance include poor security planning and lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, lack of staff and no clear plan.
Key strategies to bolster healthcare security and achieve success
Look under the hood at security and privacy amid mergers and acquisitions: For health systems planning to integrate new organizations into the fold through mergers and acquisitions, leadership should look under the hood and be more diligent when examining the organization’s security and privacy infrastructure, measures and performance.
It’s important to understand their books and revenue streams as well as their potential security risks and gaps to prevent these issues from becoming liabilities.
Make security an enterprise priority: While other sectors like finance and aerospace have treated security as an enterprise-level priority, healthcare must also make this kind of commitment.
Understanding how these risks tie to the bigger picture will help an organization that thinks it cannot afford to invest in privacy and information security risk management activities understand why making such an investment is crucial.
Hospitals and healthcare organizations should create collaborative, cross-functional task forces like enterprise response teams, which offer other business units an eye-opening look into how security and privacy touch all parts of the business including financial, HR, and more.
Money isn’t a solution: Just throwing money at a problem doesn’t work. Security leaders need to identify priorities and have a plan which leverages talent, tried and true strategies like multi-factor authentication, privileged access management and on-going staff training to truly up level their defenses and take a more holistic approach, especially when bringing on new services such as telehealth.
Accelerate the move to cloud: While healthcare has traditionally been slow to adopt the cloud, these solutions provide the agility and scalability that can help leaders cope with situations like COVID-19, and other crises more effectively.
Shore up security posture: We frequently learn the hard way that security can disrupt workflow. COVID-19 taught us that workflow can also disrupt security and things are going to get worse before getting better. Get an assessment quickly to determine immediate needs and coming up with a game plan to bolster defenses needed in this next normal.
One of the cornerstones of a security leader’s job is to successfully evaluate risk. A risk assessment is a thorough look at everything that can impact the security of an organization. When a CISO determines the potential issues and their severity, measures can be put in place to prevent harm from happening.
To select a suitable risk assessment solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Jaymin Desai, Offering Manager, OneTrust
First, consider what type of assessments or control content as frameworks, laws, and standards are readily available for your business (e.g., NIST, ISO, CSA CAIQ, SIG, HIPAA, PCI DSS, NYDFS, GDPR, EBA, CCPA). This is an area where you can leverage templates to bypass building and updating your own custom records.
Second, consider the assessment formats. Look for a technology that can automate workflows to support consistency and streamline completion. This level of standardization helps businesses scale risk assessments to the line of business users. A by-product of workflow-based structured evaluations is the ability to improve your reporting with reliable and timely insights.
One other key consideration is how the risk assessment solution can scale with your business? This is important in evaluating your efficiencies overtime. Are the assessments static exports to excel, or can they be integrated into a live risk register? Can you map insights gathered from responses to adjust risk across your assets, processes, vendors, and more? Consider the core data structure and how you can model and adjust it as your business changes and your risk management program matures.
The solution should enable you to discover, remediate, and monitor granular risks in a single, easy-to-use dashboard while engaging with the first line of your business to keep risk data current and context-rich with today’s information.
Brenda Ferraro, VP of Third Party Risk, Prevalent
The right risk assessment solution will drive program maturity from compliance, to data breach avoidance, to third-party risk management.
There are seven key fundamentals that must be considered:
- Network repository: Uses the ‘fill out once, use with many approach’ to rapidly obtain risk information awareness.
- Vendor risk visibility: Harmonizes inside-out and outside-in vendor risk and proactively shares actionable insights to enhanced decision-making on prioritization, remediation, and compliance.
- Flexible automation: Helps the enterprise to place focus quickly and accurately on risk management, not administrative tasks, to reduce third-party risk management process costs.
- Enables scalability: Adapts to changing processes, risks, and business needs.
- Tangible ROI: Reduces time and costs associated with the vendor management lifecycle to justify cost.
- Advisory and managed services: Has subject matter experts to assist with improving your program by leveraging the solution.
- Reporting and dashboards: Provides real-time intelligence to drive more informed, risk-based decisions internally and externally at every business level.
The right risk assessment solution selection will enable dynamic evolution for you and your vendors by using real-time visibility into vendor risks, more automation and integration to speed your vendor assessments, and by applying an agile, process-driven approach to successfully adapt and scale your program to meet future demands.
Fred Kneip, CEO, CyberGRX
Organizations should look for a scalable risk assessment solution that has the ability to deliver informed risk-reducing decision making. To be truly valuable, risk assessments need to go beyond lengthy questionnaires that serve as a check the box exercises that don’t provide insight and they need to go beyond a simple outside in rating that, alone, can be misleading.
Rather, risk assessments should help you to collect accurate and validated risk data that enables decision making, and ultimately, allow you to identify and reduce risk ecosystem at the individual level as well as the portfolio level.
Optimal solutions will help you identify which vendors pose the greatest risk and require immediate attention as well as the tools and data that you need to tell a complete story about an organization’s third-party cyber risk efforts. They should also help leadership understand whether risk management efforts are improving the organization’s risk posture and if the organization is more or less vulnerable to an adverse cyber incident than it was last month.
Jake Olcott, VP of Government Affairs, BitSight
Organizations are now being held accountable for the performance of their cybersecurity programs, and ensuring businesses have a strong risk assessment strategy in place can have a major impact. The best risk assessment solutions meet four specific criteria— they are automated, continuous, comprehensive and cost-effective.
Leveraging automation for risk assessments means that the technology is taking the brunt of the workload, giving security teams more time back to focus on other important tasks to the business. Risk assessments should be continuous as well. Taking a point-in-time approach is inadequate, and does not provide the full picture, so it’s important that assessments are delivered on an ongoing basis.
Risk assessments also need to be comprehensive and cover the full breadth of the business including third and fourth party risks, and address the expanding attack surface that comes with working from home.
Lastly, risk assessments need to be cost-effective. As budgets are being heavily scrutinized across the board, ensuring that a risk assessment solution does not require significant resources can make a major impact for the business and allow organizations to maximize their budgets to address other areas of security.
Mads Pærregaard, CEO, Human Risks
When you pick a risk assessment tool, you should look for three key elements to ensure a value-adding and effective risk management program:
1. Reduce reliance on manual processes
2. Reduce complexity for stakeholders
3. Improve communication
Tools that rely on constant manual data entry, remembering to make updates and a complicated risk methodology will likely lead to outdated information and errors, meaning valuable time is lost and decisions are made too late or on the wrong basis.
Tools that automate processes and data gathering give you awareness of critical incidents faster, reducing response times. They also reduce dependency on a few key individuals that might otherwise have responsibility for updating information, which can be a major point of vulnerability.
Often, non-risk management professionals are involved with or responsible for implementation of mitigating measures. Look for tools that are user-friendly and intuitive, so it takes little training time and teams can hit the ground running.
Critically, you must be able to communicate the value that risk management provides to the organization. The right tool will help you keep it simple, and communicate key information using up-to-date data.
Steve Schlarman, Portfolio Strategist, RSA Security
Given the complexity of risk, risk management programs must rely on a solid technology infrastructure and a centralized platform is a key ingredient to success. Risk assessment processes need to share data and establish processes that promote a strong governance culture.
Choosing a risk management platform that can not only solve today’s tactical issues but also lay a foundation for long-term success is critical.
Business growth is interwoven with technology strategies and therefore risk assessments should connect both business and IT risk management processes. The technology solution should accelerate your strategy by providing elements such as data taxonomies, workflows and reports. Even with best practices within the technology, you will find areas where you need to modify the platform based on your unique needs.
The technology should make that easy. As you engage more front-line employees and cross-functional groups, you will need the flexibility to make adjustments. There are some common entry points to implement risk assessment strategies but you need the ability to pivot the technical infrastructure towards the direction your business needs.
You need a flexible platform to manage multiple dimensions of risk and choosing a solution provider with the right pedigree is a significant consideration. Today’s risks are too complex to be managed with a solution that’s just “good enough.”
Yair Solow, CEO, CyGov
The starting point for any business should be clarity on the frameworks they are looking to cover both from a risk and compliance perspective. You will want to be clear on what relevant use cases the platform can effectively address (internal risk, vendor risk, executive reporting and others).
Once this has been clarified, it is a question of weighing up a number of parameters. For a start, how quickly can you expect to see results? Will it take days, weeks, months or perhaps more? Businesses should also weigh up the quality of user experience, including how difficult the solution is to customize and deploy. In addition, it is worth considering the platform’s project management capabilities, such as efficient ticketing and workflow assignments.
Usability aside, there are of course several important factors when it comes to the output itself. Is the data produced by the solution in question automatically analyzed and visualized? Are the automatic workflows replacing manual processes? Ultimately, in order to assess the platform’s usefulness, businesses should also be asking to what extent the data is actionable, as that is the most important output.
This is not an exhaustive list, but these are certainly some of the fundamental questions any business should be asking when selecting a risk assessment solution.
SANS Technology Institute’s Internet Storm Center (ISC) has been a valuable warning service and source of critical cyber threat information to internet users, organizations and security practitioners for nearly two decades.
Dr. Johannes Ullrich, the man whose site (DShield.org) became the basis of a SANS project (Incident.org) that later became the Internet Storm Center, has been leading the effort from the start.
Old and new attack trends
“Initially, the Internet Storm Center mostly dealt with firewall logs. In the early days (2000-2008 or so), firewall logs helped us understand the spread of worms like Leaves, Nimda, Blaster, and others,” he told Help Net Security.
“But as soon as home computers started to either use built-in firewalls, or take advantage of home router/firewall combos that are very common today, we saw how things shifted. Instead of actively scanning for systems, attackers tricked users into running the code for them. This lead to the never ending ways of malicious websites and emails that are still dominating.”
More recently, they witnessed the shift from data theft to data encryption by ransomware, as attackers discovered that the person willing to pay most for the data is the original owner.
In addition to this major trend, Dr. Ullrich says that it has become obvious over the years that old attacks and vulnerabilities never quite disappear.
“I think that the vast majority of attacks, even advanced attacks, only use a small handful of actual vulnerabilities, but it’s actually very difficult to obtain real good data to support or reject this thesis. There are a lot of studies that look at different pieces of the puzzle, but it’s hard to find out how it all fits together.“
He also thinks that some very “noisy” attacks are very much overrated and that companies spent a lot of effort and money on defending against attacks that would never have been successful. One of the hard parts in defense is to accurately determine the actual risk posed by a particular attack.
Understanding risks and finding solutions
One thing that’s definitely not overrated? Application control.
“I think it’s one of the most important techniques that has finally made it to the mainstream. Having users execute arbitrary applications is probably one of the most common weaknesses. And yes, a lot of users hate the restrictions, but I find limiting the ‘zoo’ of allowed applications significantly reduces risks,” he explained.
“This is not a new idea. Microsoft has made this a standard optional feature in all currently supported versions of Windows and Apple has to some extent ‘mastered’ this with their mobile device app stores. But it is one of those simple and maybe a bit boring techniques that can always use more attention.”
In the end, though, some of the risks may be a bit overhyped, and it’s important to understand that there is no perfect security.
“In cybersecurity, just like in ‘real world’ security, it is important to understand risks. Just like a shop owner may have a discount table outside the store, well knowing that some of the items may be stolen, and a locked cabinet in the back with high value items, in cyber security we still have to learn how to accurately determine risk and how to spend the right amount of effort on the right problems. The goal isn’t to prevent every breach, but to limit the impact of a breach.”
Getting talented people into cybersecurity
In parallel with working on the Internet Storm Center, Dr. Ullrich became more involved in teaching SANS courses. He started out teaching the Intrusion Detection class – which is the class he still enjoys teaching the most – and added various other classes along the way.
He was also involved in SANS’s effort to establish a graduate school, and the work he has done with the Internet Storm Center has also become part of the graduate schools research program that he’s heading up now as Dean of Research.
With all that in mind, I wondered what his take is on how to attract more young people into the cybersecurity field?
“There has been a lot of progress in the creation of gamified exercises to better identify talent and interest them in cybersecurity,” he noted.
“Cybersecurity is less about the knowledge of specific tools and techniques, but more about a talent to understand complex technological relationships and persevere in solving hard challenges.”
He also stressed that cybersecurity is a field that changes always and quickly.
“I think if you ‘sell’ cybersecurity as a field that offers you a set of challenging, never ending and changing puzzles, you likely address the right crowd. This is not a field where you learn once and ‘stick with it’ (does such a field still exist?). To excel, you also have to be a bit of a risk taker and you can’t always wait for instructions,” he concluded.
We believe we are less likely than others are to fall for phishing scams, thereby underestimating our own exposure to risk, a cybersecurity study has found. The research also reports that this occurs, in part, because we overlook data, or “base rate information,” that could help us recognize risk when assessing our own behavior yet use it to predict that of others.
Together, the results suggest that those who are not informed of the risk that, for instance, work-from-home situations pose to online security may be more likely to jeopardize the safety of themselves and those they work for.
COVID-19 wreaking havoc on cyber health
COVID-19 has had a devastating impact on the physical and mental health of people around the globe. Now, with so many more working online during the pandemic, the virus threatens to wreak havoc on the world’s “cyber health,” the researchers note.
“This study shows people ‘self-enhance’ when assessing risk, believing they are less likely than others to engage in actions that pose a threat to their cyber security–a perception that, in fact, may make us more susceptible to online attacks because it creates a false sense of security,” says Emily Balcetis, an associate professor in New York University’s Department of Psychology, who authored the study.
“This effect is partially explained by differences in how we use base rate information, or actual data on how many people are actually victimized by such scams,” adds co-author Quanyan Zhu, a professor at NYU’s Tandon School of Engineering.
“We avoid it when assessing our own behavior, but use it in making judgments about actions others might take. Because we’re less informed in assessing our actions, our vulnerability to phishing may be greater.”
Through March, more than two million U.S. federal employees had been directed to work from home – in addition to the millions working in the private sector and for state and local governments. This overhaul of working conditions has created significantly more vulnerabilities to criminal activity – a development recognized by the Department of Homeland Security.
Its Cybersecurity and Infrastructure Security Agency issued an alert in March that foreshadowed the specific cyber vulnerabilities that arise when working from home rather than in the office.
How people perceive their own vulnerabilities in relation to others
In their study, the researchers sought to capture how people perceive their own vulnerabilities in relation to others’.
To do so, they conducted a series of experiments on computers screens in which subjects were shown emails that were phishing scams and were told these requests, which asked people to click links, update passwords, and download files, were illegitimate.
To tempt the study’s subjects, college undergraduates, they were told complying with the requests would give them a chance to win an iPad in a raffle, allow them to have their access restored to an online account, or other outcomes they wanted or needed.
Half of the subjects were asked how likely they were to take the requested action while the other half was asked how likely another, specifically, “someone like them,” would do so.
On the screen that posed these questions, the researchers also provided the subjects with “base rate information”: The actual percentage of people at other large American universities who actually did the requested behavior (One, for instance, read: “37.3% of undergraduate students at a large American university clicked on a link to sign an illegal movie downloading pledge because they thought they must in order to register for classes”).
The researchers then deployed an innovative methodology to determine if the subjects used this “base rate information” in reporting the likelihood that they and “someone like them” would comply with the requested phishing action.
Using eye-tracking technology, they could determine when the subjects actually read the provided information when reporting their own likelihood of falling for phishing attempts and when reporting the likelihood of others doing the same.
Subjects less likely to rely on “base rate information”
Overall, they found that the subjects thought they were less likely than are others to fall for phishing scams – evidence of “self-enhancement.” But the researchers also discovered that the subjects were less likely to rely on “base rate information” when answering the question about their own behavior yet more likely to use it when answering the question about how others would act.
“In a sense, they don’t think that base rate information is relevant to their own personal likelihood judgments, but they do think it’s useful for determining other people’s risk,” observes Balcetis.
“The patterns of social judgment we observed may be the result of individuals’ biased and motivated beliefs that they are uniquely able to regulate their risk and hold it at low or nonexistent levels,” Blair Cox, the lead researcher on the paper and scientist in NYU’s Department of Psychology, adds. “As a result, they may in fact be less likely to take steps to ensure their online safety.”
Many companies are not dedicating proper resources to assess third-party risks, and those that are still lack confidence in their programs, according to Prevalent.
Supply chain disruptions
As a result, there are real consequences including loss of revenue, loss of productivity, and loss of reputation – all of which can jeopardize resiliency and are amplified given today’s supply chain concerns related to COVID-19.
“Organizations are starting to ask the question about what happens to them if their supply chain partners go out of business. Sadly, most companies don’t have the risk visibility into their supply chains to answer that question,” stated Brenda Ferraro, VP of third-party risk at Prevalent.
“How can they expect to adequately manage their own risk without understanding the risks vendors and partners pose?”
Key findings from the report
- Lack of confidence in the program inhibits results: 54% of organizations have some meaningful experience in conducting third-party risk assessments, yet only 10% are extremely confident in their programs.
- Significant consequences: 76% of respondents said that they experienced one or more issues that impacted vendor performance – resulting in a loss of productivity (39%), monetary damages (28%) and a loss of reputation (25%).
- Unsatisfactory number of assessments: 66% of respondents say they should be assessing more than three-fourths of their top tier vendors but aren’t doing so.
- Costs, resources and lack of process are inhibitors to success: Lack of resources (74%), cost (39%) and insufficient processes (32%) are keeping respondents from assessing all their top-tier vendors.
- No one seems happy with their existing toolset: Satisfaction levels among existing tools hovers in the 50% range, and weighted average of satisfaction caps out at 3.8/5.0. GRC tools have an especially long way to go with a 41% satisfaction rate.
Third-party risk management program
Growing and maturing an adaptable and agile third-party risk management program that is resilient in times of crisis doesn’t have to be a complex and time-consuming process. The report concludes with five recommendations to jump start vendor risk activities:
- Develop a programmatic process
- Build a cross-functional team that extends beyond risk and compliance
- Be comprehensive without being complex
- Maintain options for assessment collection and analysis for agility
- Complement your decision-making with risk-based intelligence
We sat down with Sean Cronin, CEO of ProcessUnity, to explore the challenges related to enterprise third-party risk today and in the future.
What are the most unexpected pitfalls for a CISO that wants to strengthen an enterprise third-party risk management program?
Ultimately, you need to understand where your program is today and build a plan to mature it. There are a lot of moving parts in a third-party risk management program. Most companies today are struggling with the work associated with the early phases of a program – the vendor onboarding process, the pre-contract due diligence and then the ongoing monitoring that must occur after a contract is signed. It’s critical to nail these processes first or you’re setting yourself up for failure.
Figure out where you are on the maturity curve first. Do you have an Informal program that’s just getting started? Is your team fighting fires in a reactive mode or have you advanced your processes to a point where you’re more proactive about reducing risk? If you’re already mature and you’re running an optimized program, it’s all about continuous improvement. If you understand the weaknesses and opportunities at your currently maturity level, it makes it easier to put a reasonable plan in place – one that prevents you from trying to take too big of a leap all at once.
Another pitfall is the wildcard that disrupts the proverbial applecart. This year, it’s COVID-19. Organizations are putting their programs on hold because they’re scrambling to reassess their vendors to ensure business continuity during the pandemic. More mature programs build a rapid-response mechanism into their programs, but less mature companies have to drop everything and react as best as possible.
How can an organization transform third-party risk into a competitive advantage?
Before third-party risk management can become a competitive advantage, businesses need to perfect the block-and-tackle basics of third-party risk management. This means having a comprehensive onboarding, due diligence and ongoing monitoring process. Getting those processes effective and efficient allows more time for risk teams to focus on the third-party risk management activities that can drive ROI for the company, including contract management, service-level agreements (SLAs) and performance management.
If your team has more time, they can spend it helping to negotiate better contracts with better financial terms or better services terms – maybe both. Your team will also have access to insights gained during due diligence and ongoing assessments. That data can be used to your advantage during initial negotiations or renewals.
There’s also an opportunity around SLAs. Build a library of SLAs, track where they are being used – on a contract-by-contract or vendor-by-vendor basis and then get your lines-of-business to submit metrics or evidence that results are within acceptable thresholds. Now you have an SLA-enforcement engine. No one wants to collect penalties for a broken promise, but the option is there. You also have the ability to forgo the penalty in exchange for something else – visibility into a product roadmap, input into a new feature, etc. SLAs are an important part of the vendor management process, but many organizations don’t have the time to use them to their advantage.
Finally, managing vendor performance is also a way to get a competitive advantage. If you work with the best vendors, you will get the best service and value. If you can swap out under-performing vendors with better ones over time, your company is going to be in a better place.
Third-party compromise continues to be one of the major drivers of data breaches worldwide. How can organizations make sure that the companies they work with are taking care of their security properly?
Lou Gerstner said it best, “You don’t get what you expect, you get what you inspect.” Hoping that your vendors, suppliers and third parties are just as buttoned-up as your company isn’t enough. The whole point of having a third-party risk program is to systematically assess new and current vendors over time. You need a mixture of self-assessments that the vendors complete and then you need to spot-check your higher-risk vendors with on-site controls assessments – live visits where you ask your vendors to prove they have the proper safeguards in place. It’s work that has to be done – you can’t take their word for it.
Unfortunately, even the best-run third-party risk programs may not be breach-proof – the idea is to prevent as much as possible and make it as hard as possible for a breach to occur.
If you have a strong program in place, you’ll be in a better position to easily understand is what was compromised should a breach occur. For example, in the first hour that a compromise was recognized, it would be great to know exactly what information that vendor owned – patient data, patient records, customer data, customer PII, customer credit cards, etc. A third-party risk management system can help to quickly and easily identify that.
Also, before the breach even happens, the increased due diligence and the periodicity in which organizations continue the evaluation of a third party will continue to drive risk out of that relationship. Ongoing monitoring of a vendor helps organizations better understand what their vendors are and aren’t doing – policies, evidence of specific actions, etc. This develops a dialogue with the vendor to explain why specific actions need to be taken to help drive risk out of both organizations. And that’s how organizations will be able to drive more secure relationships, more secure vendors and more secure providers.
How do you expect risk management strategies to evolve in the next decade? What’s new on the horizon and how can security leaders lay down the groundwork for increased compliance and security?
I was thinking about this a lot while at this year’s RSA Conference. RSAC was very much about the firewalls and the four walls of any corporation, however where security and risk will evolve is an increased importance on third parties. The second an organization puts any data into a third party, that risk is extended and create vulnerabilities that are exponentially worse than what’s within the firewalls or your own four walls.
In third-party risk specifically, we will see more teams incorporate external content into their third-party risk management programs to get a more wholistic view of their vendor population. We will see a rise of utilities and consortiums – where a vendor is assessed once, and multiple organizations can access that assessment. This will allow for a quicker and more streamlined vendor onboarding process. Vendor assessment questionnaires will also continue evolve. Today, we have questionnaires that can self scope based on inherent risk levels and self-score based on a set of preferred responses. This is the start of machine learning and eventually AI for third-party risk.
That’s the next horizon. And it’s exciting because security leaders are seeing the increased importance of that third-party supply chain and vendor ecosystem as part and parcel to their reputational risk and their overall organizational risk.
Human beings are poor judges of risk. For example, we perceive the risk of air travel to be higher than it actually is after a fatal aviation-related accident happens.
We also tend to dismiss risks just because we don’t see a tangible negative impact right away. This is, for example, what prevents many from making dental hygiene a priority: we all know dental hygiene is critical to our health and a relatively easy “investment”, but when nothing bad happens immediately after skipping teeth brushing once, many stop being regular about it.
“It is hard or impossible to predict just how many times of skipping a good brushing it takes to get you in trouble with tooth pain, so we tend to take on more risk until we end up getting toothache and regret not investing enough on proactive maintenance,” Ehsan Foroughi, Vice President of Products at Security Compass, told Help Net Security.
“For security, in many cases it starts with skipping it and taking risky shortcuts when the product is not yet widely adopted or the company is small and young. But as it grows and the risk grows, we tend to overlook that until something bad ends up happening.”
Obstacles to surmount on the path to better security
Another thing that makes companies brush aside security is competition.
“Software is becoming the core of every industry’s competitive advantage and there is a lot of pressure from the market and competition to release new software or improvements to existing software faster and at a lower cost (so that a limited investment can yield more results),” he noted.
“Proper security hygiene, when done in the traditional way, gets in the way of agility and creates the dilemma: should we take on risk to move fast in the business, or should we slow down and do the right thing? Unfortunately, human nature pushes many to choose the fast and risky approach which leaves them with a ticking time-bomb of a security incident waiting to happen.”
Barriers to pragmatic security decisions
Other roadblocks to sensible security decision-making include:
- Engineers not being well versed in security understanding and practices, as well as having a hard time communicating complex issues to business stakeholders
- Executives and decision-makers at the business level lacking education and awareness around the topic, most specifically around the foundations of software security
- Security teams being perceived as the only owner of the organization’s security.
What can CISOs do to make things better?
Like quality, security should be everybody’s job and responsibility, not just the QA/security team’s.
One of CISOs’ goals should be to improve security culture across the organization, by raising awareness, educating, consulting, promoting and providing processes and tools.
“When it comes to education, many think of hard skills such as security testing and coding skills. However, educating staff on how security affects the bigger business, how it can reduce revenue if not done right, and how it can affect them directly, is critical,” Foroughi noted.
He also advises CISOs not to wait for disaster. “The worst time to fix things is when an audit fails. Also, it costs a lot more to wrestle with malware clean ups and deal with ransomware than to enforce policies to protect data – so shift left and invest in proactive measures.”
But, at the same time, they should take care not to go overboard: enforcing extreme policies without regards for the value of assets being protected or the impact to productivity and usability often results in people bypassing the policies, and that would be even more harmful.
Preparing for the future
Foroughi expects the compliance and technology landscapes to get more complex and demanding.
When it comes to introducing new technologies and the need for employees to have the skills to wrangle it, he advises organizations not to focus on a specific skill set when hiring, but to look for foundational understanding in individuals.
“If you have the right people on board and the culture enables them to take initiative, they will bring the latest technology into the organization and will have the capability to quickly learn and adapt to deal with new problems,” he explained.
The problem of balancing security vs. time to market will also get harder to address, he says.
First and foremost, CISOs should be pragmatic and focus on getting 80% secure and 80% fast instead of choosing one over another.
They should also know that they will have an easier time to get buy-in from the rest of the organization if they learn how decisions in CISO’s domain affects the larger business and how to present proposals for future investment using that perspective.
In general, CISOs have to educate executives on how security and risk management affects business goals and on the importance of finding the balance.
“Invest in automating the balanced approach to development and prioritize this investment,” he concluded. “When asking the developers to cooperate with you to roll out this automation, start by explaining why you are doing this – you will face much less resistance.”
Security automation, orchestration and response (SOAR) speeds up the incident response process by replacing manual tasks with automated workflows. We sat down with Swimlane CEO Cody Cornell to learn more about the benefits for all organizations.
What are some of the biggest misconceptions when it comes to security orchestration, automation and response (SOAR) solutions?
Automation takes the mountain of daily manual work that’s required to really leverage a full-scale defense-in-depth strategy and makes completing it much more attainable. If each of your security controls is a segment of your overall security strategy, you can’t have one segment be an extremely weak one. As with all things, you are only as strong as your weakest link. Automation allows you to free up time, get to tasks you never could by hand, and have time to focus on strengthening your weakest links.
I think when people think of automation, they think about what it is like when it is completed, how their lives are better, how they reduced the burden on their teams, and how automations makes them more vigilant and capable around the clock. These outcomes are absolutely true, but if you look at other places where automation has made huge impacts in productivity it didn’t happen overnight.
There was no single thing that drove manufacturing automation. But in the end, it revolutionized manufacturing. Security automation is similar. The advantage is that since it is software, iteration can happen more quickly, but value builds over time. As that value builds, you get to a point where you can’t imagine it any other way.
Because of this, there are companies that are much more secure than their peer group, and it’s because of the historical investments and daily decisions they make. They’ve made the investments to make it more difficult for actors to take their information or compromise the services they deliver.
Overworked security operations teams are increasingly leveraging SOAR tools. What can these solutions do in a SOC environment?
All companies deal with overworked security teams in some form or another, but in cybersecurity, this can lead to burnout, which has potentially dire consequences. If a SOAR platform is successful, it’s taking upwards of 80-90% of the highly repetitive work security teams have to do, doing it on their behalf, and managing it in a way that is making their lives better.
With a SOAR tool, organizations can also abandon the exclusive use of ‘prioritization’ as a solution for overloaded employees. A lot of time prioritization is a symptom for lack of capacity, doing the “most” important thing a lot of times means hundreds if not thousands of other important things are being deprioritized.
The reality is, every to-do list item in a security operations center must be completed every day. Investigating alerts ineffectively—or even missing them completely—can result in a costly breach, and the items that are the highest priority, probably started out as a low priority or informational notification that could have been actioned immediately, might have never escalated to your highest priority. Rather than asking employees to prioritize their daily tasks, organizations leveraging SOAR tools are investing in processes and technologies that help their employees complete their work.
By creating a situation where professionals can get their work done, and get it done well, a stronger sense of achievement is generated among personnel, and in the case of cybersecurity, this can help reduce the risk for the entire organization.
What advice would you give to a newly appointed enterprise CISO that wants to take full advantage of what SOAR solutions have to offer?
Acknowledge that the way that we’ve historically done security ops and engineering just isn’t going to work going forward. The whole mindset that we’re going to have a somewhat slowly changing infrastructure, with people-intensive change management processes, that we’re going to update it every once in a while, is gone. If that’s how you’re managing any facet of your enterprise, from endpoints to perimeter, from cloud infrastructure to IoT devices, you’re just plain exposed.
You have to accept that if your infrastructure isn’t already built to be constantly evolving and adapting, you’re behind. You need to be able to digest a constant stream of information, enrich it from a variety of disparate data sources, and use that to make real-time risk assessment decisions that drive the automated update to your security infrastructure. Along with all that, you’ve needed to select, implement and manage your technology stack to support that speed of change in an operational cadence.
When selecting a SOAR technology, organizations should be looking for a single platform with the flexibility to support the broadest set of use cases at the deepest technical levels. Other factors to consider are whether this tool is enabling their people to get more done, and orchestrate more technology, or just providing another case management system where you park some notes, upload some logs, and assign a user.
CISOs should be thinking about SOAR as a platform, not as a tool, and it should be a platform that doesn’t limit what they can interact with. The security solutions in your environment, the intelligence sources at your disposal, the infrastructure your company utilizes is going to be constantly changing, and a lot of times those decisions are not made by the CISO.
Acquisitions, mergers, and partnerships are driven by the business, which will force the security team to adapt and integrate with a whole variety of security apparatus, and you need to be leveraging a platform that supports the largest variety of integration points but also the most diverse set of use cases because what you need today is not what you’ll need tomorrow. And from a planning perspective, you need to try to future proof wherever you can.
How do you see the SOAR market evolve in the next few years?
SOAR as a named category by the analyst community (Gartner/Forrester) was needed to describe an automation solution that organizations could use for security operations, addressing their daily pain points when trying to keep their organizations secure from relentless bad actors. Now the problem is altering the mindset of security teams from thinking about automation as a specific product unto itself and more of a principle of applied automation across every facet of security.
More and more organizations are looking to secure their business by leveraging automation. Automation is not new. We use automation every day in manufacturing, shipping, and other sectors, and we have for decades. The SOAR market will continue to evolve in ways that help organizations apply automation and orchestration to every facet of security.
Rather than thinking about automation as a single product category, we should be taking automation and applying it across an organization’s technology stack, security or otherwise. The types of use cases organizations are implementing with SOAR are evolving as well, including technology integrations for cloud, IoT and DevOps.
More than half of all healthcare vendors have experienced a data breach that exposed protected health information (PHI), and it’s a costly problem that points to broken third-party risk assessment processes, according to data released by the Ponemon Institute and Censinet.
The report shows that 54 percent of healthcare vendors have experienced at least one data breach of protected health information belonging to patients of the healthcare providers they serve. Of those 54 percent of respondents, 41 percent experienced six or more data breaches over the past two years. The average breach costs $2.75 million and exposes nearly 10,000 records.
Additionally, 54 percent of healthcare vendors believe that a single data breach would result in lost business and revenues from the healthcare providers they sell to, while 28 percent of vendors say that healthcare organizations have chosen another service or solution after they discovered gaps in the vendor’s privacy and security practices. This may be why only 36 percent of vendors would immediately notify providers if they confirmed a data breach that involved their PHI.
“The overall process for managing risk assessments is severely broken in healthcare,” stated Ed Gaudet, CEO and Founder of Censinet. “As an industry we must empower vendors with the right tools and behaviors that give healthcare providers the level of transparency, security and confidence they need to protect their business.”
Many of the vendor respondents believe that healthcare providers do not fully embrace risk assessments to accurately measure and manage third-party risk. For example, nearly half (41 percent) of healthcare vendor respondents said that providers do not require any action to be taken if they discovered gaps in vendors’ privacy and security practices and policies, and 42 percent say that providers do not require proof that the vendor complies with privacy and data protection regulations.
“Healthcare vendors and providers must move from simply checking a box to changing the culture,” continued Gaudet.
“This is an industry-wide problem and as such we need a new, collaborative approach that makes it easy for healthcare vendors and providers to band together and take action, implementing policies, procedures and controls that reduce risk holistically.”
The broken process of healthcare risk assessments
The research points to a fundamental failure of vendors and providers to work collaboratively to accurately measure third-party risk, largely because of the shortcomings of legacy risk management assessment processes.
According to the research, 55 percent of vendors say that risk assessments required by healthcare organizations are costly and time consuming, with vendors spending an average of $2.5 million annually to fill them out. This may be because 43 percent of vendors are still using spreadsheet-based processes for risk assessments.
Despite the effort vendors expend completing risk assessments, it’s hard to determine how accurate they are because 64 percent of vendors believe risk assessment questions are confusing and ambiguous.
Additionally, the rapidly changing threat landscape has made static risk assessments far less effective; 59 percent of respondents say that the risk assessments they fill out become out of date within three months or less, but only 18 percent say that healthcare providers require them to update the assessments more than once per year.
This may be why only 44 percent of vendors believe that risk assessments actually improve their security posture – a number that points to the misallocation of time and resources fueled by the need to check the box, rather than effectively mitigate risk.
“This research highlights many of the shortcomings in the risk assessment process and just how inadequate and ineffective industry certifications and frameworks are today for vendors,” stated Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute.
“According to the research, 55 percent of vendors say that these certifications do not provide enough value for the cost, while 77 percent indicate challenges with the certification process, including respondents who believe it is too time-consuming, too costly and too confusing.”
When asked about ways to improve the risk assessment process, healthcare vendors overwhelmingly turned to automation. According to the research, 61 percent of vendors believe that workflow automation would streamline the risk assessment process and 60 percent think workflow automation would make risk assessments more cost-effective.
If the risk assessment process were automated, vendors believe that the costs incurred would be reduced by up to 50 percent.
Only half of the vulnerabilities in cloud containers ever posed a threat, according to a Rezilion study.
The top 20 most popular container images on DockerHub were analyzed to discover that 50% of vulnerabilities were never loaded into memory and therefore did not pose a threat, regardless of Common Vulnerability Scoring System (CVSS) scores and despite vast resources in budget and manpower spent on patching or mitigation.
By triaging vulnerabilities using a continuous adaptive risk and trust assessment (CARTA) approach and then prioritizing treatment of those that are commonly targeted, companies can significantly reduce their security budgets or free up manpower to focus on other critical issues.
Firms with good security posture are equally breached
According to IDC, enterprises are spending 7-10% of their security budget on vulnerability management as daily operations become increasingly more dependent on cloud services. Vulnerability scanners overload and confuse security teams with mountainous results that would be impossible to patch all at once.
The existing prioritization practices such as CVSS provide no notable reduction of breaches in organizations with mature vulnerability management programs. Firms with good security posture are equally breached by known vulnerabilities as those with poor security posture.
A risk-based approach to vulnerability management
Gartner recommends that “security and risk management leaders should rate vulnerabilities on the basis of risk in order to improve vulnerability management program effectiveness”.
Gartner also predicts that “by 2022, approximately 30% of enterprises will adopt a risk-based approach to vulnerability management” and “by 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches.”
“A vulnerability is only as dangerous as the threat exploiting it and in some instances during our research, we found the figure dropped to as low as 2%. By focusing on actual vs. perceived risk, we found the security industry has been unnecessarily exaggerating the number of vulnerabilities security teams must address, which has dangerous ramifications to the cloud security landscape,” said Shlomi Boutnaru, CTO at Rezilion.
“A continuous adaptive risk and trust assessment-based approach reduces friction and overhead by identifying vulnerabilities running in memory and then prioritizing treatment to those vulnerabilities commonly targeted by hackers as well as any that don’t have mitigations.”
A sharp increase (57%) in high-risk vulnerabilities drove the threat index score up 8% from December 2019 to January 2020, according to the Imperva Cyber Threat Index.
Following the release of Oracle’s Critical Patch Update – which included 19 MySQL vulnerabilities—there was an unusual increase in the vulnerabilities risk component within the Index.
Specifically, there was a 57% increase in vulnerabilities that can be accessed remotely with no authentication required, have a public exploit available, or are trending in social media, meaning they pose an especially high level of risk to businesses.
A spike in public cloud web attacks
Web attacks originating from the public cloud saw a 16% spike from November to December 2019. AWS was the top source of attacks, responsible for 94% of all web attacks coming from public clouds. This suggests that public cloud companies should be auditing malicious behavior on their platforms.
Bots used the Coronavirus hype for spamming
In the same month that the coronavirus outbreak first came to light, two new spam campaigns that relied on the hype around coronavirus were observed.
These messages lure people to enter a site that tracks the spread of the virus and also offers the sale of shady pharmaceuticals.
Latest Citrix bug gained more press than hacker interest
Despite widespread concern over the recent Citrix Application Delivery Controller bug, it was only ranked as the 176th most frequent attack vector seen this month.
For comparison, high-profile attack vectors such as this typically rank among the top 20. The Citrix bug accounted for 200,000 attacks detected, while the top attack vector in January accounted for over two billion attacks.
The adult industry was the victim of higher-risk attacks
More than half (51%) of the attacks against the adult industry were remote code execution (RCE). The reason these attacks pose an inflated risk is because a remote attacker can run malicious code to hijack the server and access its data.
Most attacks target sources within the same country
Most of the top 10 countries in which attacks originated were targeting sites within the same country. The exceptions were attackers from Germany and China who targeted U.S.-based websites.
This can be attributed in part to the fact that many websites under attack from different regions are located in U.S. data centers. This finding shows that even cyber attacks conducted by foreign adversaries often appear to originate locally.
Higher education institutions are increasingly adopting cloud-based solutions in order to lower costs, improve performance and productivity, and increase flexibility and scalability.
Before settling on a solution, though, they must assess it for security and privacy needs, including some that are unique to higher education.
To help them do that more expeditiously, EDUCAUSE – a US nonprofit association that aims to advance higher education through the use of information technology – has created HECVAT: the Higher Education Community Vendor Assessment Toolkit.
“The HECVAT provides a suite of questionnaires about information security and privacy controls to help higher education institutions appropriately assess third party and cloud services,” Brian Kelly, Director of the Cybersecurity Program at EDUCAUSE, told Help Net Security.
The intended audiences for the HECVAT are colleges and universities and the third-party service providers they contract with. Its benefits for the former are obvious, and for the latter, it reduces the burden that service providers face in responding to requests for unique security risk assessments from higher education institutions.
“The main benefit of the HECVAT is a consistent and shared framework for risk assessments that is being widely adopted across higher education,” Kelly pointed out. “Once completed, the HECVAT can be used by multiple institutions.”
The tool comes in various versions:
- Full: A robust questionnaire used to assess the most critical data sharing engagements
- Lite: A lightweight questionnaire used to expedite process
- On-Premise: A unique questionnaire used to evaluate on-premise appliances and software
Before initiating a risk/security assessment if a product an/or service uses sensitive data, users should use the Triage tool to determine assessment requirements. All of those resources are available here.
A number of cloud providers have already completed the HECVAT questionnaire and those assessments can be accessed here.
“The HECVAT was first released for use in October 2016. In 2019, the word ‘cloud’ was changed to ‘community’ to better reflect the spirit and intent of the toolkit and its expansion beyond the cloud,” Kelly explained.
“As adoption and use grow, the EDUCAUSE member-led Higher Education Information Security Council (HEISC), Internet 2, and the REN-ISAC will continue to collaborate and work on the HECVAT to meet the needs of the higher education community. While established amongst information security practitioners, we’ll be promoting the HECVAT’s use to university business officers, risk managers and procurement groups over the next year.”
EU Member States have identified risks and vulnerabilities at national level and published a joint EU risk assessment. Through the toolbox, the Member States are committing to move forward in a joint manner based on an objective assessment of identified risks and proportionate mitigating measures.
Toolbox measures and supporting actions
“Europe has everything it takes to lead the technology race. Be it developing or deploying 5G technology – our industry is already well off the starting blocks. Today we are equipping EU Member States, telecoms operators and users with the tools to build and protect a European infrastructure with the highest security standards so we all fully benefit from the potential that 5G has to offer,” said Thierry Breton, Commissioner for the Internal Market.
Coordinated implementation of the toolbox
While market players are largely responsible for the secure rollout of 5G, and Member States are responsible for national security, 5G network security is an issue of strategic importance for the entire Single Market and the EU’s technological sovereignty.
Closely coordinated implementation of the toolbox is indispensable to ensure EU businesses and citizens can make full use of all the benefits of the new technology in a secure way.
5G will play a key role in the future development of Europe’s digital economy and society. It will be a major enabler for future digital services in core areas of citizens’ lives and an important basis for the digital and green transformations.
With worldwide 5G revenues estimated at €225 billion in 2025, 5G is a key asset for Europe to compete in the global market and its cybersecurity is crucial for ensuring the strategic autonomy of the Union.
Billions of connected objects and systems are concerned, including in critical sectors such as energy, transport, banking, and health, as well as industrial control systems carrying sensitive information and supporting safety systems.
At the same time, due to a less centralized architecture, smart computing power at the edge, the need for more antennas, and increased dependency on software, 5G networks offer more potential entry points for attackers.
Cyber security threats are on the rise and become increasingly sophisticated. As many critical services will depend on 5G, ensuring the security of networks is of highest strategic importance for the entire EU.
Secure 5G networks: EU toolbox conclusions
The Member States, acting through the NIS Cooperation Group, have adopted the toolbox. The toolbox addresses all risks identified in the EU coordinated assessment, including risks related to non-technical factors, such as the risk of interference from non-EU state or state-backed actors through the 5G supply chain.
In the toolbox conclusions, Member States agreed to strengthen security requirements, to assess the risk profiles of suppliers, to apply relevant restrictions for suppliers considered to be high risk including necessary exclusions for key assets considered as critical and sensitive (such as the core network functions), and to have strategies in place to ensure the diversification of vendors.
While the decision on specific security measures remains the responsibility of Member States, the collective work on the toolbox demonstrates a strong determination to jointly respond to the security challenges of 5G networks.
This is essential for a successful and credible EU approach to 5G security and to ensure the continued openness of the internal market provided risk-based EU security requirements are respected.
The Commission will support the implementation of an EU approach on 5G cybersecurity and will act, as requested by Member States, using, where appropriate, all the tools at its disposal to ensure the security of the 5G infrastructure and supply chain:
- Telecoms and cybersecurity rules
- Coordination on standardization as well as EU-wide certification
- Foreign direct investment screening framework to protect the European 5G supply chain
- Trade defense instruments
- Competition rules
- Public procurement, ensuring that due consideration is given to security aspects
- EU funding programs, ensuring that beneficiaries comply with relevant security requirements.
Kount released a new research report on digital innovation and emerging fraud, which found that the most innovative businesses are also the ones facing the greatest fraud threats.
The report, conducted by Javelin Research, surveyed hundreds of respondents across the retail, restaurant, insurance, and financial industries and revealed more than 40% of businesses say fraud impedes their expansion into new digital channels and services.
With the threat of emerging fraud and increasing expectations for a frictionless customer experience, businesses are challenged to balance revenue, expansion, and innovation priorities.
Researchers found that 48% of consumers are more sensitive to anti-fraud measures that disrupt their online experience than they were a year ago. This means that retailers and restaurants have an increased imperative to balance fraud mitigation and customer experience.
Yet, only 64% of organizations’ customers have confidence in the security of their digital channels. In this era of high customer expectations, increasing digital fraud risk, and competition to continuously innovate, businesses must address this critical interconnection.
“Opportunities for fraud increase as businesses adopt new features, such as voice ordering or mobile wallets. Businesses do this to engage their customers and provide an enhanced customer experience,” said Rich Stuppy, Chief Customer Officer at Kount. “Unfortunately, these businesses are not adopting the proper controls related to fraud. This report underscores the fact that digital innovation and the corresponding increases in revenue in these industries will never reach their full potential without integrating suitable fraud prevention initiatives.”
Digital fraud risk: Retailers face threats
While the retail industry has led the way in rolling out increasingly sophisticated digital innovation, they also face the biggest risk from fraud. This is in part because many retailers aren’t using the most sophisticated fraud controls in an effort to minimize friction in the customer experience.
For example, 43% of retail merchants still authenticate users with only usernames and passwords, which can leave customer accounts vulnerable to takeover. As a result, retailers report that digital fraud (34%) and account takeover (10%) are their most significant fraud threats.
Restaurants underestimate fraud exposure
Restaurants are no longer relegated to brick-and-mortar, highlighted by the fact that 70% of those surveyed report plans to invest in digital products and services within the next year.
While many are focusing on new feature expansion and user experience (UX) refinement (48%), fraud management (27%) isn’t top of mind. What’s more, only 4% of restaurants ranked managing digital fraud risk as a top challenge for digital innovation, compared to 12% of all businesses.