Chris Pogue is senior vice president of Cyber Threat Analysis for Nuix. Over the past 14 years, Chris has investigated thousands of breaches across the globe. Prior to joining Nuix in June 2014, Chris spent six years at SpiderLabs where worked as an incident responder, managing consultant, and director. He was previously an engagement manager at the IBM/ISS X-Force incident response and penetration testing teams. Before joining the private sector, Chris served in the United States Army for 13 years as a Signal Corps Warrant Officer and Field Artillery reconnaissance Sergeant.
What do you see as the greatest cyber risks today?
This is a tough question to answer since there are so many facets to the threat landscape.
Obviously, data breaches by organized cybercriminals or nation states are high on the list. However, the data breach itself is only a fraction of the overall risk profile. The general lack of IT hygiene that has allowed a breach to occur in the first place plays a significant role. So does organizations’ lack of preparedness to deal with a breach once it has taken place. The lack corporate response and communication strategies can factor into how the public, the media, the board, and potentially regulators such as the Securities and Exchange Commission and Federal Trade Commission will respond. Failure to engage in appropriate post-breach activities can have a devastating impact to the victim organization that includes loss of customer confidence; loss of market share; governance, risk, and compliance fines; class action lawsuits; and negative executive actions imposed by the federal government.
I suppose if I had to boil all that down into a single, concise answer, it would be the lack of preparedness.
What will the greatest threats be in 5 years’ time?
At the blistering rate technology is evolving, it’s hard to predict where we’ll be in five years, let alone where the threats will reside. If I had to guess, I would say that the “internet of things” and wearable tech will become the next logical source of criminal activity. In a recent article on Forbes.com, several experts have estimated that devices such as smart watches, smart homes, and smart cars will become a 19 trillion dollar industry by 2020. If history repeats itself (which it always does), these devices and the applications that run them will be designed with a “first to market” strategy, with the emphasis being on speed rather than on security. It is then logical to assume that they will create an entirely new generation of vulnerabilities that will allow cybercriminals to compromise, capitalize, and monetize.
Is the insurance industry doing enough to adequately address these risks?
It depends how you define “doing enough.” Many insurance providers are offering breach insurance, however thinking that will solve the problem is like saying that car insurance will prevent accidents.
Think of it like this. Having a teenager on your car insurance automatically drives up your premium. Why? Because teenagers are inexperienced drivers who frequently lack the emotional maturity to make safe driving decisions. Ergo, they are more likely to have accidents than older, more experienced drivers. As a mechanism to address this automatic rate increase, may providers will offer discounts for good grades, extracurricular activities, and having a part time job. Why? Because it shows that the teenager is a good student, is mature enough to hold a job, and understands the concept of being part of a team. While none of these things have a direct correlation to the avoidance of accidents, together they have been found to contribute to a reduction in the likelihood of an accident.
Today, running a business that stores, processes, or transmits valuable data (like payment card information, personally identifiable information, or electronic personal healthcare information) is akin to having a teenage driver in the house. Your rates will go up because there is a higher likelihood that you will suffer a data breach. However, policy holders that can display appropriate IT hygiene, have an incident response plan in place, and conduct regular attack simulation exercises, can likewise receive discounts on their premiums.
How does this help? Well, the traditional business driver has penalization for non-compliance or inadequacies in security and response plans (do bad = pay money). But under this model, the insurance companies can incentivize better IT hygiene and better security and response practices by reducing premiums and increasing total coverage (do good = save money). Using this strategy, businesses can see a direct return on investment for their efforts. Of course, there is a return on investing in IT hygiene and incident response planning even without breach insurance, it’s just a bit more complicated to quantify.
What keeps you awake at night?
There are so many facets to the security theater; it’s a bit like a Rubik’s Cube that’s been mixed up. It involves adequately understanding the evolving threat landscape, choosing security tools and techniques to address different vulnerabilities, knowing who to train, how to train them and to what depth, which laws apply, how to litigate, what are the regulatory rules… to name just a few. All of these components need to come together in a meaningful way to help organizations:
- Prepare
- React
- Remediate
- Recover
- Resume
Until organizations start taking this holistic view of their corporate response strategy, I’m afraid we are simply going to see more of the same: Breach after breach after breach.
In your opinion, what is the single most important cyber risk development in the past 12 months?
In my opinion, it’s the diversification of data theft and fraud. Stolen payment card data once ruled the underground economy, but we have started to see other types of data targeted en masse and subsequently monetized by attackers.
This means the threat landscape has expanded beyond the traditional big three—retail, hospitality, and food and beverage—to include previously untouched businesses such as legal service vendors, financial service providers, healthcare providers, insurance providers, educational institutions, and government agencies.
These other business types have, of course, experienced breaches in the past. It’s just that now they are happening more frequently, and the black market has grown to accommodate the trafficking of these diverse data types.