With what looks like a daily increase in the number of successful attempts to maliciously disrupt legitimate online activities, end consumers look more exposed today, and for the near-term future, than ever before.
Two factors contribute to this assessment:
- Attackers now hold a much richer supply of once-legitimate access credentials. At the same time, the organizations already victimized are moving too slowly toward safely pooling the kind of information that matters most for defending the next round of victims from the next round of attacks.
- Risk management programs, that is, electronic data insurance policies, exist and are available for businesses to purchase, but they are not funded to a level appropriate to the extent of business exposure to hacker activity. There is little indication that the underwriters of these programs will add much more financial capacity to them anytime soon.
Both of these factors deserve further description. On the first: proven methods exist to render organization-specific information anonymous. As written earlier in this blog, I have direct personal experience promoting content sets (Key Risk Indicators, or KRIs) produced by one of these methods by an ISV targeting operational risk management teams at banking institutions subject to the Basel II accord.
There is no reason similar technology cannot be used to strip records of compromised login credentials of the specifics that would directly identify the source of the data, while leaving the records useful to peers who need to check their own exposure. For readers unfamiliar with the imperative for keeping organization-specific information absolutely private, there are a number of good reasons for this requirement. The two most prominent are:
- Protecting an institution from revealing the full extent of the damages it suffered to peers within its industry group, and
- Protecting an institution from potentially damaging publicity.
Certainly other reasons exist. Readers looking to explore these can contact me. I will be happy to discuss the topic further.
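What stripping a compromised-credential record of its source-identifying specifics can look like in practice is shown below as an added example; it is not code from this post and not any ISV's product. The pseudonymization scheme (HMAC-SHA256 under a key shared only among the members of a sharing group), the field names, the placeholder key and the sample records are all assumptions constructed for illustration. The institution's name, domain, raw addresses, source IPs and exact timestamps never leave it; peers holding the same key can still recompute a token for one of their own accounts and check it against the pooled feed.

```python
import hmac
import hashlib
import re
from datetime import datetime

# Placeholder consortium key (assumption): in practice it would be held by the
# members of the sharing group and never published with the feed.
DEMO_KEY = b"consortium-demo-key-not-for-production"

# Constructed sample of what a victimized institution might hold internally.
# Every value here is made up for this example.
INTERNAL_RECORDS = [
    {
        "org": "Example Savings Bank",
        "domain": "examplesavings.test",
        "email": "Alice.Smith@examplesavings.test",
        "password_hash": "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8",
        "source_ip": "203.0.113.45",
        "observed_at": "2015-04-03T14:22:09Z",
        "notes": "Seen in paste; Example Savings Bank VPN portal named; "
                 "ticket by alice.smith@examplesavings.test",
    },
    {
        "org": "Example Savings Bank",
        "domain": "examplesavings.test",
        "email": "bob.jones@examplesavings.test",
        "password_hash": "7c4a8d09ca3762af61e59520943dc26494f8941b",
        "source_ip": "198.51.100.7",
        "observed_at": "2015-04-04T02:05:41Z",
        "notes": "Same dump, no further detail",
    },
]

# Fields that identify the contributing institution and must never leave it.
SOURCE_ONLY_FIELDS = {"org", "domain", "email", "password_hash",
                      "source_ip", "observed_at"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def pseudonym(value, key, label):
    """Keyed hash (HMAC-SHA256). A peer holding the same key can recompute the
    token for its own users and match it; the feed alone reveals nothing, and
    without the key an outsider cannot test guesses against the tokens."""
    msg = label.encode() + b"\x00" + value.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def redact_text(text, identifiers):
    """Remove e-mail addresses and the institution's own names from free text."""
    text = EMAIL_RE.sub("[REDACTED-EMAIL]", text)
    for ident in identifiers:
        text = re.sub(re.escape(ident), "[REDACTED]", text, flags=re.IGNORECASE)
    return text


def anonymize_record(rec, key):
    """Produce the shareable form of one internal record."""
    day = datetime.strptime(rec["observed_at"],
                            "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%d")
    return {
        # Tokens keep the data matchable across members without exposing values.
        "email_token": pseudonym(rec["email"].strip().lower(), key, "email"),
        "password_token": pseudonym(rec["password_hash"].lower(), key, "pwhash"),
        # Coarsened to the day so timestamps cannot be lined up with internal logs.
        "observed_day": day,
        "notes": redact_text(rec["notes"], [rec["org"], rec["domain"]]),
    }


def build_shared_feed(records, key):
    feed = [anonymize_record(r, key) for r in records]
    # Release gate: refuse to publish if any source-only field survived.
    for entry in feed:
        leaked = SOURCE_ONLY_FIELDS & set(entry)
        if leaked:
            raise ValueError("source-identifying fields in feed: %s" % sorted(leaked))
    return feed


def check_exposure(email, feed, key):
    """A member checks one of its own accounts against the pooled feed."""
    token = pseudonym(email.strip().lower(), key, "email")
    return any(entry["email_token"] == token for entry in feed)


if __name__ == "__main__":
    shared = build_shared_feed(INTERNAL_RECORDS, DEMO_KEY)
    for entry in shared:
        print(entry)
    print(check_exposure("alice.smith@examplesavings.test", shared, DEMO_KEY))
```

Two caveats a practitioner would add: the shared key is the weak point, since anyone holding it can test guessed addresses against the tokens, so membership in the group, not the feed, is what has to be controlled; and the feed still carries a record count, so an institution contributing many records at once may prefer to batch its submissions with those of other members rather than release them alone.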
The second factor, the lack of interest on the part of risk underwriters in "bulking up" the financial resources they offer, does not look as easily correctable. On April 7, 2015, the Wall Street Journal published an article written by Rachel King titled Cyber Insurance Capacity is 'Very Small': AIG CEO (http://blogs.wsj.com/cio/2015/04/02/cyber-insurance-capacity-is-very-small-aig-ceo/). In my opinion Ms. King is on track with this piece, which includes excerpts from an interview she conducted with Mr. Peter D. Hancock, the CEO of AIG.
One of the quotes Ms. King includes from her conversation with Mr. Hancock should give the data security ISV community a very valuable insight: "I suspect, over time, the willingness of insurers and by others in the industry to provide greater capacity will increase with greater comfort in the maturity of the countermeasures." Apparently Mr. Hancock, AIG, and perhaps a good chunk of the rest of the risk underwriting community are not yet convinced of our ability to defeat the hackers. That makes sense to me, and it ought to give ISVs a reason to work harder at the hacker problem.
In the meantime, businesses, and the members of the general public affiliated with them, should plan on more pain.
Ira Michael Blonder
© IMB Enterprises, Inc. & Ira Michael Blonder, 2015 All Rights Reserved