Friday, February 28, 2014

Now Sears Is Investigating A Possible Security Breach


Women walk past the Sears department store at Fair Oaks Mall in Fairfax, Virginia, January 7, 2010. REUTERS/Larry Downing
Thomson Reuters
Women walk past the Sears department store at Fair Oaks Mall in Fairfax

Sears Holdings Corp said Friday it has launched an investigation to determine whether it was the victim of a security breach, following Target Corp's revelation at the end of last year that it had suffered an unprecedented cyber attack.
"There have been rumors and reports throughout the retail industry of security incidents at various retailers and we are actively reviewing our systems to determine if we have been a victim of a breach," Sears spokesman Howard Riefs said in a statement on Friday.
"We have found no information based on our review of our systems to date indicating a breach," he added.
He did not say when the operator of Sears department stores and Kmart discount stores had begun the investigation or provide other information about the probe.
Sears Holdings Corp operates nearly 2,500 retail stores in the United States and Canada.
Bloomberg News reported on Friday that the U.S. Secret Service was investigating a possible secret breach at Sears, citing a person familiar with the investigation. The report did not identify that source by name.
The Bloomberg report said that its source did not disclose details about the scope or timing of the suspected breach.
A spokesman for the U.S. Secret Service declined comment when Reuters asked if the agency was investigating a possible breach at Sears.
The Secret Service is leading the U.S. government's investigation into last year's attack on Target, which the company has said led to the theft of some 40 million payment card numbers as well as another 70 million pieces of personal data.
(Reporting by Jilian Mincer and Jim Finkle; Editing by Nick Zieminski)
This post originally appeared at Reuters. Copyright 2014. Follow Reuters on Twitter.

Read more:

Tuesday, February 25, 2014

Payment Card Breaches: Time to Spread the Risk with Mandatory Cyber Insurance

Payment Card Breaches: Time to Spread the Risk with Mandatory Cyber Insurance

  Posted in Cyber Insurance

The BIG 2014 security stories concerning the Target,  Neiman Marcus and Michaels payment card breaches of have highlighted the significant criminal hacking and fraudulent payment card activity that goes on in the retail space.  Of course, it was not so long ago that the Heartland Payment Systems breach (2008;  100 million cards exposed) and the TJX breach in (2007; 45 million card exposed) dominated the news cycle.  The reactions in the media and with the population then were very similar to those today. The latest round of mega breaches occurred, however, despite the existence of the Payment Card Industry Data Security Standard for a decade.  In fact, according to the Verizon 2014 PCI Compliance Report, only 11.1% of the organizations it audited between 2011 and 2013 satisfied all 12 PCI requirements.  In other words, just under 90% of the businesses Verizon audited as a PCI Qualified Security Assessor failed.  This begs the question, despite aggregate expenditures by merchants likely in the hundreds of millions of dollars (if not over a billion) over the last decade:  has anything really changed?
Yes, in fact some things have changed — global card fraud losses have increased from about $3 billion annually in 2000 to about $11 billion annually in 2012 (source:  the Nilson Report, August 2013).  Organized crime has increased its activity in the payment card fraud space, and sophisticated economic ecosystems have sprung up to make the fraudulent use of payment cards more efficient.  Payment card breaches are low risk (of getting caught) and high reward crimes, and activity in this space will continue to increase as a result (per the FBI):
The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors . . . we believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.
Moreover, fraudsters have automated and scaled their attacks so they can go after payment cards held by small and medium businesses on a mass basis.  These small and medium sized companies lack the sophistication, technical knowledge and resources to achieve full PCI-DSS compliance (or take even basic steps like changing the default passwords on the remote access of a point of sale system).  Breaches of small and medium businesses can result in severe financial difficulties and in many cases, bankruptcy.  Not to mention the adverse impact and inconvenience suffered by cardholders and their issuing banks.
Payment card breaches are not 100% preventable, and for most merchants over time, are inevitable (indeed the practice of information security itself has recognized this generally by shifting its attention in recent years to not only prevention, but also detection, response, containment and mitigation of breaches).  As such, rather than focus solely on cumbersome security standards such as PCI-DSS, payment card breaches should be viewed more from an overall risk management perspective. 
A full risk management approach includes efforts not only to prevent and contain the breach itself, but also to mitigate the financial impact businesses and individuals may suffer in the wake of a breach.   Spreading the risk of payment card breaches across the payment card ecosystem (e.g. merchants, banks, processors and card brands) is the best way to mitigate the systemic risk that exists.  As such, it is time to consider whether cyber insurance should be mandated either by law or the card brands to achieve this goal.

The Auto-Insurance Analog
Most States require drivers to purchase auto insurance to cover potential liability and property damage arising out of auto accidents.  There are several rationales for making auto mobile insurance mandatory, including the following:
  • Systemic and Unavoidable Risk.  A systemic and unavoidable risk exists with respect to the mass utilization of automobiles in our society.  Accidents will happen within this “system”, and it is impossible to prevent all accidents.
  • Cost of Prevention vs. Optimal Adoption/Use.  One way to manage risk is to require more safety measures to prevent automobile accidents and injury.  However, at a certain point the costs associated with attempting to prevent more accidents undermine the benefits of everybody having access to relatively inexpensive transportation.  If drivers were required to ride around in the equivalent of tanks large portions of society would not be able to afford to car.   The aggregate benefits and efficiencies we gain as a society of drivers would disappear.  Therefore, it is better to mandate a reasonable level of safety measures and accept some systemic risk.
  • Concentrated Risk vs. Optimal Adoption/Use.   Even when the proper risk prevention versus risk acceptance balance is achieved, adoption and use of automobiles on a mass basis may decrease if risk is concentrated on individual drivers and they are forced to bear the full cost of an accident.  If driving out on the roads and getting into an accident can lead to tens or hundreds of thousands of dollars in losses for a single driver, many would chose not to drive.  This again would undermine the benefits described above.  The solution is to accept a certain risk level, but to spread that risk across the entire system.  That is what mandatory auto insurance does – it helps to maximize the number of drivers while significantly limiting the chance that a single driver will face catastrophic financial loss because of an accident. 
  • Avoidance of Adverse Selection and the Development of a Balanced Insurance Market.  Mandatory automobile insurance is necessary to avoid adverse selection.  Adverse selection results when only the riskiest participants in an insurance market purchase the insurance product because they have the most to gain by buying the insurance (or better-stated: the most to lose if they don’t buy the insurance).  However, when the purchase of insurance is not mandatory this can create an unbalanced insurance market where the insurance carriers have the worst risks on their books (resulting in increased claims and losses) with no “good risks” paying premiums to offset losses.  Eventually a market that is exclusively adversely selected against cannot be sustained and the societal benefits of that insurance market disappear.
  • Increasing the Likelihood of Making Victims Whole.  One rationale for mandatory auto insurance is increasing the likelihood that victims of negligent drivers will be made whole.  If the auto insurance market was voluntary some individuals injured in automobile accidents would be unable to collect damages from uninsured motorists (aka “free loaders” who derive benefit from others purchasing insurance).  From a systemic point of view, some drivers might opt out of driving due to the risk of uncompensated injury or property damage (thereby reducing the aggregate benefits of everybody driving).  Mandating auto insurance results in more drivers and reduces the free loader problem.
The rationale and reasoning for mandatory cyber insurance for payment card breaches is the same.  Ultimately, information security is not about preventing all security incidents; it is about minimizing the risk and impact of security incidents.  There is no such thing as perfect security and risk will always remain in the payment card system.  Breaches will happen (just as there will always be automobile accidents). 
There is also a diminishing return with respect to efforts to prevent security breaches.  Organizations cannot cost-effectively build “Fort Knox” just as drivers cannot afford to military grade armored vehicles.  Once a reasonable level of security is achieved, at a certain point, it is more cost-effective and efficient to accept a certain level of risk and insure at least a portion of it.
In addition, the payment card system could face an unfavorable risk concentration that could undermine the adoption and use of payment cards in the long run.  If merchants legitimately fear they could be put out of business because of a payment card breach, they may choose to opt out.  I have already had clients inquire about payment card work-arounds (for one client, we explored the possibility of putting ATMs in each of this client’s restaurants).  A system of mandatory cyber insurance for payment card breaches can alleviate this concentration problem and strengthen the payment card system overall.
What types of companies are purchasing cyber insurance currently?  While the profiles may vary, it is likely that many of the “early adopters” are companies who want the insurance because they feel that they are prime targets with a lot of payment card information or that their security may not be adequate.   It is possible that insurance underwriting can weed out these higher risk companies and decrease adverse selection.  However, especially in the small and medium business market, due to competition and other factors, underwriting requirements and standards have decreased significantly.  Even where more involved underwriting occurs, because of the ever-shifting nature of cyber risk and the complexity of security, it is often very difficult to truly understand a company’s risk.  All of these factors could lead to “adverse selection,” and the ultimate question for the insurance industry (especially in light of increasing litigation and regulatory actions) is whether the cyber insurance market is sustainable without a very wide base of insureds.  Like automobile insurance, mandating cyber insurance can help balance the market out to the benefit of insureds, carriers and society as a whole.
Finally, as with auto insurance, mandating cyber insurance across the board can increase the likelihood that the victims of a payment card breach can be made whole.  Some organizations that get hit with a breach, because of financial stress associated with responding to a breach, are not going to be able to compensate individuals or issuing banks (for card reissuance costs or fraud).   Moreover, under the current system, most issuing banks whose cards are exposed get pennies on the dollars for the losses they suffer because of a breach.  Mandatory cyber insurance can address both of these issues.  With risk spread throughout the system and every organization being covered, breached companies will be able to avoid bankruptcy.  In addition, if insurance is available in every case, it may be possible to adjust card brand recovery processes to allow issuing banks to recover more after a security breach.
How Might this Work?
Some readers might blanch at the idea of mandated insurance, and most automatically think the mandate would come from the government.  While a government mandate would work in this context, in the payment card context, the card brands are at the top of the pyramid and can impose requirements for merchants that want to accept payment cards.  Like the PCI-DSS standard itself, the card brands could agree to require merchants to have some level of cyber insurance.  That said, because all of the participants in the payment card system have a stake when it comes to payment card breaches, it may be possible to spread the cost of insurance across all of the stakeholders (merchants, merchant banks, processors and issuing banks).   Overall, while there are a lot of details that would have to be worked through, a mechanism (the card brand’s operating regulations and associated payment-card related agreements) to mandate cyber insurance exists, and governmental involvement is not necessary (although if action is not taken, government action may be the result).  Finally, the rationale laid out above applies equally to security breaches involving other types of personal information, including financial and healthcare information — however, that is a conversation for another day.

Monday, February 24, 2014

Deutsche Telekom releases voice and text message encryption app

German parent company of T-Mobile responds to privacy concerns in wake of Edward Snowden's revelations
T-Mobile shop
The encryption app will launch for Android phones first and iOS devices later. Photograph: Peter Macdiarmid/Getty Images
Deutsche Telekom, the German parent company of the mobile carrier T-Mobile, is releasing a new app for all its users that encrypts voice and text messages.
The company is acting on privacy concerns raised in the wake of the Snowden revelations with the creation of the app, which encrypts each voice or text exchange between two devices using a unique code.
The app will be officially unveiled at the CeBIT technology trade fair in Hanover, Germany, in mid-March. It is not yet clear when it will be made available to customers, but it will initially launch for Android phones and come to iOS devices later.
The service will be run by Deutsche Telekom's enterprise unit T-Systems in co-operation with Germany's Sichere Mobile Kommunikation mbH (GSMK), a provider of encrypted phone services and devices.
"To the best of my knowledge, this marks the first time that a major network operator throws its full weight behind end-to-end mobile voice encryption," GSMK's chief executive, Bjoern Rupp, said on Monday.
"This is not just in the form of a specialised niche product, but in the form of a mass-market-compatible product that will be rolled out to all of its customers," he told Reuters at the Mobile World Congress in Barcelona, the world's biggest annual phone industry conference.
Deutsche Telekom's own secure communications unit provides handsets to the German government, such as the modified Android phone used by Angela Merkel. But the version of the "Merkelphone" that the company sells to private buyers costs €1,700, preventing widespread adoption.

Rene Obermann, Deutsche Telekom's CEO, has been vocal about the need for his company to throw itself behind privacy efforts. In November he went so far as to call, in an editorial in the FAZ newspaper, for Germany to wall its internet off from the US and to create Europe-only clouds. But critics point out that T-Mobile US, a wholly owned subsidiary of Deutsche Telekom, has worked with American intelligence agencies in the past.

Tuesday, February 18, 2014

NSA Cryptography Warning Does Not Impact PKWARE Security Software

NSA Cryptography Warning Does Not Impact PKWARE Security Software

Posted by on in Data Security

When it comes to enterprise data security, it’s important to note that not all encryption algorithms are the same. As there are warnings about the strength of one encryption algorithm making headlines, we feel it’s important to make some distinctions about our own security software.
b2ap3_thumbnail_Encryption_Chain_Strong_Solid_Algo_PKWARE.jpgA crypto algorithm under scrutiny is not in use with PKWARE products.PKWARE does not make any use of the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) from RSA, the Security Division of EMC, in any of its products, such as SecureZIP, vZip or Viivo. The Dual_EC_DRBG algorithm is the subject of warnings from RSA, which has stated that its encryption might be vulnerable to inspection by the National Security Agency.
As the BBC reported: “RSA, the internet security firm, has warned customers not to use one of its own encryption algorithms after fears it can be unlocked by the NSA … The advice comes in the wake of New York Times allegations that the NSA may have intentionally introduced a flaw into the algorithm – known as Dual Elliptic Curve Deterministic Random Bit Generation – and then tried to get it adopted as a security standard by the US National Institute of Standards and Technology.”
There has been uncertainty over which security vendors are impacted by this warning, as InfoWorld security writer Roger Grimes noted this week. Moreover, there have been warnings about the use of Dual-EC that go back to 2006, as Johns Hopkins cryptographer and research professor Matthew Green points out.
End-to-end encryption remains an invaluable and preferred resource for protecting your enterprise data from snoopers, hackers, breaches and end-user error. Strong encryption algorithms that use mathematical calculations to encode and protect data are at the core of our solutions are in use by tens of thousands of organizations each day. We are consistently reviewing and certifying all cryptographic libraries that are in use by all PKWARE products and we immediately inform customers if we discover any issues.
We have issued a technical advisory reinforcing the strength of our security solutions, a PDF of which you can find here. We’re open to discussions with businesses who are evaluating the best fit for their data security in light of the security warnings from RSA.

More firms buying insurance for data breaches

Companies seek added protection
Rick Wilking/Reuters
Target disclosed recently that hackers stole the debit and credit cards of 40 million customers and the PIN numbers, e-mails, and addresses of 70 million people.

The threat of cyber hacking, underscored by the credit card breach at Target, is now so great that US businesses are rushing to buy insurance coverage against the expense of being hacked, or losing sensitive customer information.
One in three companies now has insurance to specifically protect against such losses. Last year, cyber insurance polices sold to retailers, hospitals, banks, and other businesses jumped 20 percent, according to Marsh LLC, a New York insurance brokerage firm that tracks the market.
Ultimately, the costs of these policies are picked up by consumers.
A decade since it was first introduced, cyber insurance has graduated from a splurge to a necessity propelled by a series of high-profile data breaches that have cost companies many millions of dollars.
South Shore Hospital purchased its first cyber insurance policy shortly after a data breach put the names, Social Security numbers, and health histories of its 800,000 patients at risk in 2010. The policy didn’t cover South Shore’s costs in that incident — including a $750,000 state settlement for privacy violations — but the Weymouth hospital’s executives decided they needed to be better prepared for the next one.
‘Cyber risk and cyber insurance has really got the attention of the board room these days. It’s become less a discretionary purchase.’
Quote Icon
“Who would have thought about cyber insurance?” said Sarah Darcy, a spokeswoman for the hospital. “It’s such a new coverage to have to have.”
Target’s disclosure recently that hackers had stolen the debit and credit cards of 40 million customers and the PIN numbers, e-mails, and addresses of 70 million people has prompted even greater interest in cyber insurance, industry specialists said. These policies cover the costs of a data loss, from hiring investigators to find the source of the breach to providing credit monitoring for customers to enlisting public relations experts to help salvage the company’s reputation.
The Boston insurer Liberty Mutual, which has been selling primary policies for data breaches since 2011, said the Target data theft prompted executives who were debating whether to buy coverage to make the commitment and sign policies, said Oliver Brew, vice president of privacy and technology underwriting.
Liberty Mutual’s sales of these policies have jumped 30 percent from last year.
“It’s a huge growth potential,” Brew said of the cyber insurance market. “It’s an emerging risk.”
Several years ago, business executives were more focused on buying insurance to cover losses if a fire destroyed their manufacturing plant or thieves broke into an office and stole computer equipment. But increasingly, companies find that the information they have on those computers, from customer health records to credit card data, is just as valuable and could be just as costly to the bottom line if lost.
When hackers broke into TJX Cos., the owner of TJ Maxx and Marshalls, and stole about 46 million customer credit and debit card numbers, the Framingham company estimated the breach would cost it at least $180 million. The breach of Sony Corp.’s video game online network in 2011 led to the theft of names, addresses, and credit card data belonging to about 100 million users. The hit to Sony: an estimated $171 million.
The average cost of a data theft in 2012 was $188 per customer account, according to a recent study by the Ponemon Institute, a Michigan-based independent research center focused on privacy and information security. While the mega-breaches tend to grab headlines, more common data losses involve fewer than 100,000 customer records. But even these smaller breaches can be costly, averaging $5.4 million in 2012.
“Cyber risk and cyber insurance has really got the attention of the board room these days,” said Bob Parisi, a managing director for Marsh LLC. “It’s become less a discretionary purchase.”
At the same time, insurance companies are starting to specifically exclude electronic data losses from traditional corporate policies, forcing businesses to buy additional coverage.
Since October, the Chubb Group of New Jerseyhas excluded privacy and data breaches from its standard insurance for directors and officers of health care companies.
For Partners HealthCare, which operates the state’s largest hospital and physician network and handles vast amounts of sensitive information, it made sense to buy separate cyber insurance coverage, instead of relying on an umbrella policy, said Tim Murray, the company’s director of risk management. Along with health care records, Partners accepts $130 million a year in credit card payments.
Partners bought the policy in 2007 and made a claim two years after an employee left the records of 192 Massachusetts General Hospital patients on an MBTA train. The hospital paid a $1 million fine to the US Department of Health and Human Services, which was covered by the cyber insurance.
“It was effective,” Murray said.
Still, businesses should be aware of the type and extent of the coverage of the cyber insurance they’re buying, said Doug Meal, a partner with Ropes & Gray LLP who represented TJX and is working with Target. Many policies may not cover all the risks a company faces.
For example, companies such as Visa and Mastercard, which have to reissue compromised credit cards, usually sue the business victimized by the breach for their card replacement costs. Some insurance policies won’t cover that expense, Meal said.
“This is a very, very new area,” Meal said. “The liability in the area and the risks in the area are a bit of a moving target.”
Deirdre Fernandes
can be reached at Follow her on Twitter @fernandesglobe.

Sunday, February 16, 2014

Target's cybersecurity team raised concerns months before hack

By Chris Welch on
Target shopping carts
Target's security staff may have been aware of vulnerabilities in the retailer's systems months before a massive breach compromised data on millions of shoppers. The Wall Street Journal reports that at least one internal analyst had called for a thorough review of the defenses around Target's payment terminals, which were later infiltrated during the sophisticated attack. That request was initially "brushed off" according to the Journal. It's unclear if a review was eventually granted before hackers made off with 40 million debit and credit card numbers — and a wealth of other customer information. The specific nature of those concerns are also unknown, the Journal says, so any vulnerabilities exploited by the hackers may have still been in place even after the requested review.
Target maintains an "extensive" cybersecurity intelligence team, according to a former employee who spoke with the Journal. US retailers reportedly deal with many threats each week, and their security teams face the difficult task of prioritizing some of those threats over others. Earlier this month, it was revealed that the Target hackers managed to sneak their way into the company's systems by stealing credentials from a contractor. From there, they planted malicious code targeting the retailer's payment terminals. In the wake of the attack, some Target customers have been hit with fraudulent charges, forcing banks to replace millions of credit and debit cards. An investigation to find those responsible remains ongoing. Be sure to keep up with our StoryStream to get all the latest on the Target situation.

Wednesday, February 12, 2014

About the Critical Infrastructure Cyber Community C³ Voluntary Program

The United States depends on critical infrastructure every day to provide energy, water, transportation, financial services, and other capabilities that support our needs and way of life. Over the years, improvements in technology have allowed these capabilities to evolve and run more efficiently.

With this increased reliance on cyber-dependent systems, come increased threats and vulnerabilities. Protecting the cybersecurity of our critical infrastructure is a top priority for the nation, and in February 2013 the President signed Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity and released Presidential Policy Directive (PPD)-21: Critical Infrastructure Security and Resilience, which aims to increase the overall resilience of U.S. critical infrastructure. One of the major components of the EO is the development of the Cybersecurity Framework (the Framework) by the National Institute of Standards and Technology (NIST) to help critical infrastructure sectors and organizations reduce and manage their cyber risk.
Because cybersecurity and physical security are increasingly interconnected, the Department of Homeland Security (DHS) is partnering with the critical infrastructure community to establish a voluntary program to encourage use of the Framework to strengthen critical infrastructure cybersecurity. The Critical Infrastructure Cyber Community C³ (pronounced “C Cubed”) Voluntary Program is the coordination point within the Federal Government for critical infrastructure owners and operators interested in improving their cyber risk management processes. The C³ Voluntary Program aims to: 1) support industry in increasing its cyber resilience; 2) increase awareness and use of the Framework; and 3) encourage organizations to manage cybersecurity as part of an all hazards approach to enterprise risk management.
The C³ Voluntary Program’s launch in February 2014 coincides with the release of the final Framework. The C³ Voluntary Program’s focus during the first year will be engagement with Sector-Specific Agencies (SSAs) and organizations using the Framework to develop guidance on how to implement the Framework. Later phases of the C³ Voluntary Program will broaden the program’s reach to all critical infrastructure and businesses of all sizes that are interested in using the Framework.

C³ Voluntary Program Activities

The C³ Voluntary Program focuses on three major activities:
Supporting Use
The C³ Voluntary Program will assist stakeholders with understanding use of the Framework and other cyber risk management efforts, and support development of general and sector-specific guidance for Framework implementation. The C³ Voluntary Program will also work with the 16 critical infrastructure sectors to develop sector-specific guidance, as needed, for using the Framework.
Outreach and Communications
The C³ Voluntary Program will serve as a point of contact and customer relationship manager to assist organizations with Framework use, and guide interested organizations and sectors to DHS and other public and private sector resources to support use of the Cybersecurity Framework.
The C³ Voluntary Program encourages feedback from stakeholder organizations about their experience using C³ Voluntary Program resources to implement the Framework. The C³ Voluntary Program works with organizations to understand how they are using the Framework, and to receive feedback on how the Framework and the C³ Voluntary Program can be improved to better serve organizations. Feedback about the Framework will also be shared with NIST, to help guide the development of the next version of the Framework and similar efforts..

C³ Voluntary Program Engagement Channels

The C³ Voluntary Program and organizations can interact through the following engagement channels:
  • Regionally located DHS personnel from the Cyber Security Advisor (CSA) and Protective Security Advisor (PSA) programs. These personnel interact directly with organizations in their regions about cybersecurity and critical infrastructure protection.
  • The Critical Infrastructure Partnership Advisory Council (CIPAC) Framework, a partnership between government and critical infrastructure sector owners and operators that enables a broad spectrum of activities to support and coordinate on critical infrastructure protection.
  • Direct engagement between the C³ Voluntary Program and interested organizations. Organizations may access the C³ Voluntary Program website or contact the C³ Voluntary Program at  
  • Requests for Information (RFI), which create opportunities for the general public to provide input on cybersecurity solutions and policies. 
Access program resources at the C3 Voluntary Program US-CERT Gateway.

Saturday, February 1, 2014

To Succeed, Growth Hacking Has To Focus More On Product Development Than Marketing

Editor’s note: Justin Caldbeck is a partner at Lightspeed Venture Partners and invests primarily in the Internet and mobile sectors with a focus on social media, e-commerce and enterprise software. Follow him on Twitter @caldbeckj.
I can’t think of a buzzier phrase in the tech industry these days than “growth hacking,” and in some ways I also can’t think of a more dangerous trend to glom onto. Sure, growth is good. But only if it’s real growth.
If it’s a marketing campaign that goes viral and wins you a bunch of one-time “users,” it can actually do more harm than good. If it’s a product that is growing through spammy unsolicited social “sharing,” the growth numbers will massively misrepresent the health of the business. The really great growth hackers out there — people like Andy Johns, who helped Facebook, Twitter, LinkedIn and Quora all reach record user numbers — understand that it’s not just about getting as many users as possible, but about helping to get the product experience right and ultimately amassing as large a user base as possible. Those are two very different things.
Take what happened with Formspring as an example. In 2010, the Q&A site experienced the fastest growth of any site ever (as its top brass were quick to point out on Twitter when TechCrunch awarded that honor to Pinterest last year). But within a year that growth had trailed off and eventually the site traffic/usage began to decline. Why? Because of its integration with social media sites, Formspring was able to generate rapid growth, but once visitors had taken a look at the site once or twice, they realized that there was very little value in the underlying product and, as a result, the vast majority of “users” that touched the site didn’t ever come back or engage in a meaningful way.
I am starting to fear that Zynga is destined to be another such example: They did well early on by leveraging very aggressive viral marketing techniques and combining them with what was, at the time, cutting edge in-game monetization. However, it appears to me that the company has lacked something that I always look for as an investor: Product Soul. By that I mean a founder’s vision for the products he or she wants the company to create, a strong belief in the product’s ability to change the lives of its users for the better, and an unrelenting focus on making those products great and easy to use.
For Zynga, this has never been the case. The focus on growth and lack of true product innovation (the company has largely been one that has created knock-offs of other games) has resulted in a company that appears to lack real direction and whose relevance has largely faded over the past year.
Social video app Viddy is an even better examples. It was jockeying with Socialcam and others to be “the Instagram of video” in early 2012 and its growth appeared to be exceptional. From May 2011 to March 2012, the company registered 10 million users, and by May 2012 it had 30 million. By December 2012, it had 40 million registered, but only 675,000 monthly users.
In a six-month span the company’s growth plummeted 95 percent, not just because Facebook cracked down on spammy apps that required users to install them in order to view content, but because the underlying product didn’t resonate with consumers from an ongoing usage standpoint. As a result, tens of millions of users had “tried” Viddy and were left with an underwhelming experience. As any good entrepreneur will tell you, it’s much harder to acquire a user a second time after a bad product experience than it is to acquire them the first time.
There’s no inherent problem with growth hacking, of course. Growth is great and ultimately can be a big driver of enterprise value. The problem is that right now, far too many entrepreneurs are focused more on that than they are on what I believe to be the most important thing of all and, ultimately a more successful driver of sustained growth: When a user touches a product, do they love it? Do they come back and use it again? And, overall, do they have a good experience with it?
I recently had an entrepreneur that I really respect talk to me about the fact that he was considering hiring a growth hacker. They have a strong team, a great company mission and are the early leaders in a large addressable market with a product that is attempting to solve a major pain point for a set of users. But they have a growth problem. Why? First, their early growth has been driven by marketing spend as opposed to organic growth. And second, the vast majority of users who have tried the product aren’t engaging with it on an ongoing basis (even though the product is designed for repeat usage).
Those are two key issues for me, and ones I don’t think a growth hacker can fix. When evaluating the “quality of growth” early on in a company, I look for companies that are growing largely through organic channels (in other words, 85 to 90 percent or more of growth is being driven by free channels). That sort of growth tends to mean that users are choosing to tell others about how great a product is. I also look at a company’s engagement metrics over time to see if users are trying a product or service out once and leaving, or if they’re choosing to engage with the product over and over again.
Given what I heard from this entrepreneur, I strongly suggested that he improve both word-of-mouth endorsements and user engagement before trying to accelerate growth. Once the product is growing organically, and users are voluntarily engaging with it on an ongoing basis, then, sure, by all means hire a growth hacker to help ramp things up.
The problem right now is that many companies seem to be operating under the total misconception that growth fixes all. That leads them to bring on self-proclaimed “growth hackers” who rapidly acquire more customers through spammy viral techniques, but when those customers don’t engage, or — worse — have bad experiences and tell their friends about it, that growth curve crashes. By that point your growth hacker is on to his or her next gig, and you’re left with what you had to begin with: a product that either hasn’t found its audience yet or hasn’t yet given people a reason to engage with it.
So if you’re thinking about hiring a growth hacker, find someone who’s a great product person and who really knows user experience and understands user value, not just someone who knows all the tricks to ratcheting up your growth curve.

Data-Centric Security: Reducing Risk at the Endpoints of the Organization

January 28, 2014
By Jim Wyne, CIPP/US
What’s the risk?
Data is king. We enter, collect, scan, process, analyze, store, print and transmit data all day, every day. It’s the heart and soul of most organizations, and they rely on it to achieve their goals and accomplish their missions. But how safe is this most precious asset of the business? How is it being protected? Is enough being done to ensure it is safeguarded?  What else can be done?
In this time of increased attacks on IT networks, the king’s men are in overdrive attempting to stay ahead of these threats targeted at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and re-evaluating processes and solutions that secure the perimeter and safeguard the networks and the devices within the organization.
Chief privacy officers (CPOs) and privacy administrators work closely with CIOs and CISOs.  They are the watchdogs of the data who understand the personal identifiable information (PII), nonpublic information (NPI) and sensitive corporate information collected and housed within the organization. Privacy administrators provide education to the stakeholders to recognize sensitive data and define procedures aimed at protecting that data and the processes to be followed when a breach occurs. They are also passive participants in understanding and evaluating applications that use and manipulate sensitive data.
Isn’t What’s Being Done Enough?
Recently, at a cybersecurity summit sponsored by The Washington Post, Craig Mundie, senior advisor to Microsoft, said, “People need to understand, in the last 12 months there’s been a qualitative change where the attacks are moving to destructive types of attacks.”
Gen. Michael Hayden, former director of the Central Intelligence Agency and National Security Agency, said at the summit, “The problem is getting worse. There are other actors out there now who are coming to your networks, not just to steal your stuff or maybe not even to steal your stuff. They want to hurt your network.”
Gone are the days when endpoints of the organization were confined to desktops and laptops connected to the LAN and somewhat easy to secure and manage by central IT administrators. Endpoints now included virtual users, smartphones, tablets, external consultants and even partner organizations with a need to exchange information. These additional complexities require information to be pushed and pulled to devices internally and externally, thereby increasing the risk of exposure and the likelihood of data theft.
A recent survey conducted by the Norse Corporation and published by the Ponemon Institute reported that 60 percent of respondents said they were unable to stop a security exploit due to a lack of outdated intelligence. Only 10 percent said they would know with certainty if such an incident occurred.
Beyond Network Security, What Else Is Being Done To Protect Data?
One solution organizations have migrated toward to address risk of data theft is data-at-rest (DaR) encryption for endpoint devices. A DaR solution encrypts all data stored or at rest on hard drives of laptops, desktops and even server drives. DaR encryption, however, employs a device protection philosophy that serves to protect data on the hard drive in the event the device, such as a laptop, is stolen or lost. DaR encryption does very little, if anything, to prevent data theft during a network intrusion. When the laptop is connected to the network and online, all the data is live and accessible. When the data is in flight inside or outside of the network, the data is “in the clear” and susceptible to theft from an intruder or man-in-the-middle attack. If implemented, device protection utilizing a DaR solution is a good start to data protection but should not be the only safeguard adapted.
In a recent Global Information Security Study conducted by Frost and Sullivan, 62 percent of CISOs rank data theft as a top-five concern, followed by hackers at 50 percent. Mobile devices scored the second highest concern at 70 percent; they are all related to protecting the organization’s data at rest and in flight. Be it employee theft; man-in-the-middle attacks or hackers trying to break into a network and steal data, or sensitive data pushed to a tablet or smartphone and then lost or stolen, all the top concerns of this study are related to the organization’s data being stolen.
What is Data-Centric Security and How Can it Protect Data?
To address this risk, a data-centric security solution targeted at directly protecting the data, versus the devices at the endpoints of the organization, will add additional fortification to security measures currently in place. Such a solution should focus on protecting data, files, documents and folders stored and used by the user community throughout its lifecycle. It should also protect the data when it is in motion and distributed to employees internally, externally and to partner organizations.
Additionally, the solution should be minimally disruptive to the end users’ workflow and include the ability for IT, security or privacy administrators to access the protected data as needed for auditing or mischievous employee behavior purposes.
Data-centric security is the only way to ensure the most important asset of the business—the data—is protected.
Not all data-centric security truly minimizes risk, however. Some organizations have chosen to invest in privacy training for their employees along with a few manual intensive tools to use when they believe data should be protected. They then trust that the good habits and sensible decisions of the users will serve to protect the organization’s most critical data as they store and move it internally or externally. Unfortunately, this still leaves data open to access by network intrusion and increases the risk of data theft and exposure of data in flight in the event employees forget to protect the data manually or do not believe it’s sensitive data they are handling. It may be a cost-effective solution, but it leaves uncertainty and doubt. In this scenario, risk has not been fully minimized and the cost to the organization can well exceed the cost of an automated data-centric security solution if a data breech occurs. The damage caused to the reputation of the organization may never be restored.
What Is the Best Approach To Implementing Data-Centric Security?
Best practices that fully minimize risk should revolve around automated data-centric security solution that features strong encryption and administrative controls through policy management. Policy management is an important ingredient that enables the organization to enforce standards and protection on data stored on the devices at the endpoints or the organization. Equally important is the ability to include a contingency key for access to encrypted data by security administrators for auditing purposes or in the event an employee leaves the organization.
In the federal government environment, the Federal Information Security Management Act and the Federal Information Processing Standards (FIPS) provide a framework, guidance and requirements for securing sensitive data. FIPS 140-2 mandate the use of strong AES 256 encryption, the use of digital certificates and digital signing to secure all sensitive data. Most, if not all, federal employees are assigned a digital certificate that is stored on their PIV or CAC card making deployment of a data-centric security solution supporting digital certificates a fairly easy and quick process.
A checklist of features and functions in a robust data-centric security solution include:
  • Protect enterprise data by securing files, file names, e-mail messages and attachments regardless of security format or computing platform using strong encryption. For federal agencies, the solution should meet FIPS 197 and FIPS 140-2 requirements.
  • Reduce complexity by enabling a seamless user workflow and integration into desktop and office computing applications such as Word, Excel, Outlook, etc.
  • Reduce sensitive data exposure by securing files using PKI encryption (digital certificates) and/or complex passwords.
  • Prevent the recovery of sensitive temporary files that have been deleted by shredding.
  • Enforce the use of data protection using a centrally managed security policy in the enterprise.
  • Provide contingency key support to ensure access to all encrypted files by IT security for emergencies, protection against malicious employee behavior and audit purposes.
  • Provide for easy adaption into in-stream applications and job streams via a command line interface or API.
  • Ensure access to encrypted data on mobile devices.
Jim Wyne, CIPP/US, is a senior systems engineer with PKWARE, Inc., with over 35 years of experience in IT. He has worked in both the public and private sectors. For the past 12 years, his focus has been on data privacy and data security solutions.