Bugs in-not-on the Mobile Windshield

These days, our smart phone is literally our life.  Everything we need (or think we need) is in it.  Everything we want to know or do can be done with it.

Of course, it is also a great way for the bad guys to get to you. You may think you are downloading a “clean app” only to find it’s infected, as last month’s news about the 25 million Android phones infected with WhatsApp malware illustrates.

But in some cases, even if you are extra careful about downloading apps, your phone may already be infected. The reason is that the smartphone you buy may already have 100 to 400 preinstalled apps that were selected by the phone manufacturer. As noted in a BlackHat presentation, these preinstalled apps have become a target of hackers because they are a great way to distribute malware as far and as fast as possible. What can this malware do? It could provide a means for remote access, key-logging or activity monitoring for starters. Not necessarily what you want when your whole life revolves around your phone.

One key point is that hackers are not just focusing on the end user; they are focused on embedding their malware through the supply chain, knowing that ultimately it will wind up with the target they are after. Companies have to thoroughly vet the security of the technologies they are using to build products and services for their customers.

And, of course, smartphone users should practice good mobile hygiene by periodically pruning the apps on their phone, running anti-virus software (certainly for Android phones), keeping the operating system up to date, and using a password manager and VPN service when on the road. And, like the airplane pre-flight instructions say, take care of your own phone first (but then) assist others, like your children with their phones.

 

Building Customer Trust Before and After a Breach

There has been a lot of news in the past few years about increased cybersecurity regulations and the potential fines they could impose on companies. From the E.U.’s General Data Protection Act to the California Consumer Privacy Act, the thought of government fines has left many businesses worried. And while it’s certainly something to be concerned about, studies have shown that the biggest cost to organizations following a breach isn’t regulatory fines, but loss of customers.

In fact, according to this year’s Ponemon report, lost business has been the largest source of breach costs for four years running. The report shows that, above all other factors, customer loss accounts for 36% of the total cost of a data breach, or an average of $1.42 million in lost business.

Placing more emphasis on customer retention both before and after a data breach will therefore greatly reduce the costs a breach could have on an organization. The Ponemon report shows that businesses that were able to keep customer turnover below 1% experienced an average total breach cost of $2.8 million, whereas organizations with customer turnover of 4% or more averaged a total cost of $5.7 million.

And there are a number of different steps an organization can take to help keep customer turnover as low as possible. 

Customer Retention, Before and After a Breach

Before

You don’t want to wait until after a data breach to tell your customers that you prioritize cybersecurity. It will come across as insincere. After all, what reasons have you given to make customers believe it? That’s why placing an emphasis on your commitment to cybersecurity and protecting customer data before a breach is essential. 

A key way to show your commitment is to have a governance structure in place that shows you prioritize cybersecurity. The Ponemon report shows that having an established executive position responsible for ensuring the protection of customer data directly helps to reduce lost business.

Educating customers about privacy is another great way to build trust. Be upfront with your customers when it comes to how you use their information and why. This can involve having an accessible and clearly written privacy policy, informing customers about your use of cookies, and recommending the use of multifactor authentication.

After

In the event a breach does occur, not all hope is lost. Your customers will be rightfully concerned, but making it a priority to show what steps you’re taking to mitigate the effects of the breach will go a long way toward retaining those customers.

An important way to show this is first and foremost to promptly notify those affected about the breach. If a breach occurs, you don’t want to look like you were dragging your feet. There is no surer way to lose customer trust than to seem like you’re hiding the fact that customer data was lost.

After notifying your customers, you also want to provide help for customers that were affected. Providing comprehensive identity theft prevention tools and requiring customers to reset their password are two good ways to do this. In fact, the Ponemon report found that organizations that offered data breach victims identity protection experienced a smaller amount of customer turnover.

 

After a breach, companies are fond of talking about how committed they are to protecting customer privacy. But the bottom line is that you want to prove this to your customers. Showing respect for their privacy before a breach occurs and especially afterwards will greatly reduce the impact your company will endure.

Time is not on our side

Among the many things that Equifax has been criticized for, one of them is the amount of time it took the company to identify, contain and then notify customers about the breach. The breach initially occurred on May 14th but went undetected until the very end of July. From there, it took the company an additional month to officially announce that the breach occurred.

But the sad truth is Equifax’s response time is actually a lot faster than that of many other organizations that suffered data breaches. One of the factors that The Ponemon Institute looks at in their annual Cost of a Data Breach Report is what they call the breach lifecycle. The lifecycle of a breach is defined as the time between when a data breach initially occurs and when the breach is finally contained. And the average breach lifecycle is shockingly long. According to the report, the average lifecycle came to a total of 279 days: a combination of 206 days to identify the breach and 73 days to contain it. And the report found that this number grew significantly over the past year, representing an almost 5% increase over 2018’s breach lifecycle of 266 days.

The impact of a long breach lifecycle for a company is not just a public perception of incompetence; it also dramatically increases the costs experienced. The report found that organizations with a breach lifecycle longer than 200 days saw much higher costs. Breaches that took under 200 days cost an average of $3.34 million, whereas long breach cycles were found to be 37% or $1.22 million more costly for organizations, for a total average of $4.56 million. Simply put, the faster a data breach can be identified and contained, the lower the costs.

Shortening the Lifecycle of a Breach

It is therefore pretty apparent that, in the event a breach occurs, organizations need to be prepared to respond as quickly as possible. Response to a breach involves two basic elements: detection and containment. Here are a few ways organizations can help reduce the length of both.

Detection

The Ponemon report shows that detecting a breach is by far the largest factor in the length of a breach’s lifecycle. Malicious attackers want to keep their access for as long as possible, so they will work to cover their tracks. And breaches caused by errors are often overlooked because, well, if we knew we made a mistake we wouldn’t have made it.

It’s therefore important to constantly stay vigilant for signs that a breach has occurred. It can be difficult to constantly monitor all systems for any anomalies. Intrusion detection systems (IDS) are helpful here, as are Security Information and Event Management (SIEM) systems, which collect system information (logs) and provide alerts if there is anomalous activity. At the very least, it is important to centralize your logging, conduct regular vulnerability and anti-malware scans of removable devices, and regularly check your administrative accounts for unauthorized changes or additions.

And while different types of breaches produce different signs, there are a number of general indications that can help tip off when something is wrong. Repeated system crashes, unusually high system activity, and unapproved configuration changes are all common indications of an attack. It may be nothing, but it’s far better to be overly cautious than to assume everything is fine only to later find out something was wrong after all.  

Containment 

The first step to containing a breach should actually happen before a breach even occurs: implementing an incident response plan and regularly practicing responses to cyber-attacks. The Ponemon report found that organizations with incident response plans and who simulate attacks were able to reduce the cost of a breach by $1.23 million.

The response itself largely depends on the cause of the breach. Whether it’s applying new security patches, updating user credentials, wiping stolen devices or something else, the essential point is to be able to quickly identify how the breach occurred and respond accordingly. The time to prepare is before a breach, not after.

An Inside Job

A story came out a few years ago showing that a former employee of an engineering firm continued to access the company’s systems long after leaving. The employee left the firm in 2013 to start his own company, but for two more years he used his old credentials to access and download project proposals, designs and budgetary documents — all with an estimated worth of $425,000. 

This is just one example of a growing threat to businesses: malicious insider attacks. We recently covered the threat of accidental disclosure by employees, but that doesn’t mean there aren’t other inside threats to be concerned about. There are a variety of reasons an employee might intentionally threaten company information. Often, it’s done for personal financial gain but in other cases it can simply be a case of a disgruntled employee.  

According to Ponemon’s 2018 Cost of Insider Threats, criminal or malicious attacks make up 23% of all inside cybersecurity incidents, a number that continues to rise every year. And, as the above example shows, these attacks can be costly. The report also found that malicious insider attacks cost organizations an average of $607,745 per incident.

A key contributor to that cost is not just the value of information stolen, but also the amount of time it takes to detect. Because these attacks often use seemingly legitimate access to systems and databases, it can be difficult to discern whether someone is using credentials to access records for work purposes or with ill intent. According to the Ponemon report, it takes an average of 73 days to detect and contain an inside incident.

Mitigating the Threat

There are, however, a number of steps organizations can take to both prevent insider threats and detect them if they do happen.  

Evaluate Access Controls 

One of the best lines of defense is to constantly evaluate employee permissions and access. Not all employees will need access to all systems, so placing access restrictions depending on the employee’s need is a must.

And this isn’t something you should do just once. It’s important to regularly update your access controls. An employee might need access to certain databases only for a short-term project, or, as in the example above, may have left the company. Regularly going through employee permissions and access will ensure that only those who absolutely need your information can access it.
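
One way to run the periodic review described above, as an added example that is not part of the original article. The roster, account, grant and login records are constructed sample data, and review_access is a hypothetical helper name; it flags enabled accounts of departed employees, accounts with no owner, expired short-term grants, and logins made after a departure date.

```python
from datetime import date

# Constructed sample data (not from the article): HR roster, directory
# accounts, temporary access grants and authentication events.
ROSTER = {
    "alice": {"left": None},
    "bob": {"left": date(2013, 6, 30)},    # departed employee
    "carol": {"left": None},
}
ACCOUNTS = [
    {"user": "alice", "enabled": True},
    {"user": "bob", "enabled": True},      # never disabled after departure
    {"user": "carol", "enabled": True},
    {"user": "svc-old", "enabled": True},  # no owner in the HR roster
]
GRANTS = [
    {"user": "carol", "resource": "proposals-db", "expires": date(2015, 1, 31)},
    {"user": "alice", "resource": "budget-share", "expires": None},
]
LOGINS = [
    {"user": "bob", "day": date(2014, 11, 3)},
    {"user": "alice", "day": date(2015, 3, 2)},
]

def review_access(roster, accounts, grants, logins, today):
    """Return sorted (finding, user, detail) tuples for an access review."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        person = roster.get(acct["user"])
        if person is None:
            findings.append(("orphan_account", acct["user"], "no owner in roster"))
        elif person["left"] and person["left"] < today:
            findings.append(("departed_still_enabled", acct["user"], str(person["left"])))
    for grant in grants:
        # Short-term project access that outlived its stated end date.
        if grant["expires"] and grant["expires"] < today:
            findings.append(("expired_grant", grant["user"], grant["resource"]))
    for event in logins:
        person = roster.get(event["user"])
        if person and person["left"] and event["day"] > person["left"]:
            findings.append(("login_after_departure", event["user"], str(event["day"])))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_access(ROSTER, ACCOUNTS, GRANTS, LOGINS, date(2015, 3, 15)):
        print(*finding, sep="\t")
```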

Implement Data Loss Prevention Software 

Using data loss prevention (DLP) software is an essential way to detect potential malicious activity. DLP tools will classify your data by risk level and organization policy. If the software identifies policy violations (such as moving data off network), it can automatically encrypt affected information and alert security teams.

Employee education  

A report conducted by Opinion Matters found that some employees might be taking or sharing information because they believe they own the data they work on. According to the report, only 40% of employees interviewed agreed that data is exclusively owned by the organization and not by teams, departments or individuals.  

Through clear policy and regular training, businesses need to make a point of educating employees on data ownership. Employees need to be made aware of their responsibility when it comes to protecting company information.

Oops, I did it again….

In February 2018 the personal information of over 21,400 marines, sailors and civilians was exposed when an employee of the Marine Force Reserves accidentally sent an email to the wrong distribution list. The unencrypted email contained an attachment that included not just names, but also social security numbers, bank routing numbers, credit card numbers, addresses, and emergency contacts.

In a statement about the breach, a Marines spokesperson assured that “no malicious intent was involved.” But, of course, at the end of the day, the sensitive information of thousands of people was still leaked to those who shouldn’t have access to it.  

The media often represents cyber breaches as the result of someone cracking into remote systems. So, when we think of data breaches or other cybersecurity incidents, we generally imagine a hacker hunched over their desk in a dark room.  

However, while there are bad actors behind many breaches, a number of reports show that, in the real world, a significant number of breaches are simply due to human error. According to Verizon’s 2019 Data Breach Investigations Report, 21% of all data breaches are the result of user error. And, like in the case of the Marines breach, the leading form of error is the misdelivery of data. Another report by Opinion Matters shows that 79% of IT leaders believe employees have accidentally put sensitive company data at risk.

It is of course important for companies to continue to prevent outside threats from affecting their systems. But the data shows that organizations should put just as much effort into protecting against breaches stemming from human error. And while you can’t always prevent someone from making mistakes, there are some steps employers can take to help prevent it.

Of course, it is important to provide proper training for employees at every level of the organization. But in addition to this, making cybersecurity a key part of the overall business culture can go a long way towards reducing accidental disclosures. The report by Opinion Matters shows that 60% of insider breaches stem from employees rushing and making mistakes. It’s therefore essential for business leadership to help employees understand the importance of protecting company data.