Following a high-profile breach, a major bank said it was doubling its security spend. To Josh Goldfarb, it underscores everything that’s wrong with the current philosophy in IT security.
“You can throw that money in the fire but it doesn’t mean you improved your security,” he said in an ILTACON session titled “Peeling Away the Many Layers of Intrusion” (#ILTA027). His point was clear: how money is invested in security may be just as important as how much is invested.
He may have some insights worth listening to: His ideas have been published by the technology trade publication Information Week, the Information Systems Security Association Journal, and even technology research firm Gartner.
“Security is an unsolvable problem”
Mr. Goldfarb says he isn’t much for sound bites such as “security is an unsolvable problem.” This is because these sayings are rather meaningless.
“Swallowing the ocean is an unsolvable problem,” he said, noting we’d probably start by drinking a glass of water, one at a time. Instead the problem – IT security – needs to be defined and broken down.
In his view, IT security can be defined in two words: risk management. Security is a business process just like any other business function, HR or finance, for example. It’s not practical to simply throw money at a function to solve a problem, which is essentially what the tech community has done to address IT security for the last 20 years.
And the industry still has security challenges.
IT Security by the Numbers
Mr. Goldfarb laid out the numbers – how the thinking over the last 20 years has gotten the tech community into trouble:
- It takes a median of 205 days before an intrusion is even detected
- It takes an average of 32 days to respond to a breach (after detected)
- 69% of companies learn of a breach from an external entity
In all of these cases, 100% of the victims had traditional measures in place – updated firewalls or anti-virus signatures.
It’s not working because “humans are the weakest link in the chain.” We are susceptible to malicious phishing emails and sophisticated attacks. One recent study found inside counsel was far more likely to open a phishing email than any other department.
Businesses, including law firms, invest to prevent intrusions. Prevention is a necessary baseline, but it’s not sufficient, according to Mr. Goldfarb.
In one study, Mr. Goldfarb helped a team examine 1,216 companies in a “proof of value” (POV) test across 63 countries and 20+ industries. A shocking 97% of these companies were compromised (and didn’t know it). Worse, 27% had APT – or advanced persistent threats.
This creates the potential for data – sensitive data – to flow right out the door. He mused that if criminals compromised perhaps just 30-40 law firms in this manner, those people would “have a really good idea” of M&A deals for example.
Intrusion Detection: Mitigate Risk
These attacks happen over time and leave traces that can be analyzed and detected.
“If we can detect these [traces], we can break the progression in the middle,” said Mr. Goldfarb. “You break the communication and you’ve mitigated the risk. It doesn’t matter if they’ve compromised 100 laptops, because you broke the chain.”
The path forward, he says, is the augmentation of prevention “with detection and response” through intrusion detection tools.
The right investment has a long way to go: he says the collective budget for traditional network security is roughly $35 billion, while just $500 million is spent on intrusion detection. Given that security is a board-of-directors-level discussion, the investment seems disproportionate.
* * *
Law firms are often criticized for being slow to adopt technology, though the scrutiny of late has gone a long way to raise awareness and invest in action. If Mr. Goldfarb is right, IT security is a constant battle that’s going to require more than just money to keep at bay.
Find more on IT Security from Mr. Goldfarb on his blog, An Analytical Approach.