This is part of a running series where we ask cyber leaders about the assumptions and mistakes that enterprises keep making in cybersecurity and how the industry can address them to mitigate irreparable reputation damage, compliance fines and mass-scale breaches.
Today Chris Howell, Co-Founder and CTO of Wickr, weighs in with his insights on just how much of a target employee communications have become for attackers today and on the importance of secure communications.
Wickr's end-to-end encrypted messaging platform provides a high standard of encryption trusted by millions worldwide. Wickr has a growing footprint in the federal and defense markets, and currently provides secure communications for each of the DoD Military Services, with end-to-end encrypted file, video, chat, text and voice services for end users. The platform also offers an enterprise solution, which delivers compliance controls and integrates into your organization's IT workflows.
Chris Howell, Co-Founder and CTO, Wickr:
“I think what’s wrong with cybersecurity today has, to some extent, been wrong with it forever. In the battle to determine strategy and acquire resources, Compliance, whose goal is “secure enough,” beats Information Security, whose goal is “as secure as possible,” most of the time, which leads to big blind spots in terms of risk. For example, most enterprises poorly assess the risk associated with employee communication and collaboration. They have information classification policies, but they’re not the simplest things for the average employee to follow and only really get top-of-mind share at the point where document creation and third parties intersect. Enterprises typically fail to understand how much corporate communication occurs outside of corporate email. To the extent that they provide other options, they don’t fully understand how much those options will be used for sensitive communications, how targeted employee communications have become for attackers today, or how much a breach, even one purely of internal communications, would cost the company.
Enterprises accept far too much service provider risk. When it comes to how a company's use of a tool or third-party service exposes them to potential harm, the focus should be more on the impact side of the risk equation than on the likelihood side. Most vendor management processes focus almost entirely on likelihood, attempting to assess the provider's security worthiness with tens or hundreds of check boxes for things like "are your passwords at least eight characters in length," while summing up the impact side in a single word, "medium." Never forget that Murphy's Law applies to every vendor, too, and when it strikes, it's all about the impact. We should focus more on the impact when assessing services, and on providers that design their services to minimize our exposure should the inevitable happen.
Most people overvalue the term “encryption” in risk assessments. This can happen in any type of risk assessment, but it’s extremely common when assessing third-party service provider risk. A “Yes” next to “Is data encrypted in transit” on a spreadsheet tells you about as much about the product’s real-world security capabilities as knowing whether a car has seat belts. Not all encryption is created equal. To really assess data security risk, you need to know what kind of encryption is used and how the product or service is using it. Choosing end-to-end encryption vs. client-to-server encryption, for example, makes a world of difference in terms of actual security risk and helps you understand whether a term like “zero trust” is an actual service design principle or a marketing slogan.”
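The distinction Howell draws between "encrypted in transit" and end-to-end encryption comes down to who holds a key that opens the message. The Go program below is an added example written for this page; it is not Wickr's code and does not model any vendor's real protocol. It assumes a deliberately simple scheme (X25519 key agreement, SHA-256 key derivation, AES-256-GCM, Go 1.20 or later for crypto/ecdh) and three hypothetical parties, Alice, Bob and the provider's relay. In the client-to-server model the relay decrypts and re-encrypts each hop, so a breach of the provider exposes plaintext; in the end-to-end model the relay forwards bytes it cannot open even when it tries its own key against the traffic, and the GCM tag check fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// party is any holder of an X25519 key pair: a user's client or the provider's
// relay. Hypothetical model for illustration, not any vendor's real protocol.
type party struct {
	priv     *ecdh.PrivateKey
	readable []string // every plaintext this party recovered; for the relay, the breach exposure
}

func newParty() *party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS RNG is unavailable
	}
	return &party{priv: priv}
}

// sessionAEAD returns AES-256-GCM keyed by SHA-256 of the X25519 shared secret
// between p and peer. Only those two private-key holders can derive it.
func (p *party) sessionAEAD(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: NewCipher cannot fail
	return cipher.NewGCM(block)
}

// encryptTo seals msg for peer with the nonce prefixed. Errors here are RNG or
// key-agreement failures, which this demo treats as fatal.
func (p *party) encryptTo(peer *ecdh.PublicKey, msg string) []byte {
	g, err := p.sessionAEAD(peer)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, []byte(msg), nil)
}

// tryDecrypt opens ct with the key p shares with sender. Success is recorded in
// p.readable; a wrong key fails the GCM tag check and yields nothing.
func (p *party) tryDecrypt(sender *ecdh.PublicKey, ct []byte) (string, bool) {
	g, err := p.sessionAEAD(sender)
	if err != nil || len(ct) < g.NonceSize() {
		return "", false
	}
	pt, err := g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
	if err != nil {
		return "", false
	}
	p.readable = append(p.readable, string(pt))
	return string(pt), true
}

// sendClientToServer is "encrypted in transit": Alice encrypts to the relay, which
// decrypts and re-encrypts to Bob. Each hop is protected, yet the provider handles plaintext.
func sendClientToServer(alice, relay, bob *party, msg string) (string, bool) {
	pt, ok := relay.tryDecrypt(alice.priv.PublicKey(), alice.encryptTo(relay.priv.PublicKey(), msg))
	if !ok {
		return "", false
	}
	return bob.tryDecrypt(relay.priv.PublicKey(), relay.encryptTo(bob.priv.PublicKey(), pt))
}

// sendEndToEnd: Alice encrypts to Bob's key; the relay only forwards bytes. It still
// tries its own key against the traffic, as a compromised provider would, and fails.
func sendEndToEnd(alice, relay, bob *party, msg string) (string, bool) {
	ct := alice.encryptTo(bob.priv.PublicKey(), msg)
	relay.tryDecrypt(alice.priv.PublicKey(), ct)
	return bob.tryDecrypt(alice.priv.PublicKey(), ct)
}

// Compare runs one message through each model and returns how many plaintexts
// the provider's relay ended up holding under each.
func Compare(msg string) (clientToServer, endToEnd int) {
	a, r, b := newParty(), newParty(), newParty()
	if got, ok := sendClientToServer(a, r, b, msg); !ok || got != msg {
		panic("client-to-server delivery failed")
	}
	a2, r2, b2 := newParty(), newParty(), newParty()
	if got, ok := sendEndToEnd(a2, r2, b2, msg); !ok || got != msg {
		panic("end-to-end delivery failed")
	}
	return len(r.readable), len(r2.readable)
}

func main() {
	c2s, e2e := Compare("Q3 board deck draft attached") // constructed sample message
	fmt.Printf("provider could read %d message(s) client-to-server, %d end-to-end\n", c2s, e2e)
}
```

Both paths report successful delivery to Bob, which is exactly why a "Yes" in the "encrypted in transit" column tells a vendor questionnaire nothing: the difference only shows up in what the relay's readable list contains afterwards. A real deployment would also need key authentication (so the relay cannot substitute its own public key for Bob's), forward secrecy and multi-device support, none of which this model attempts.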