Security breach – it’ll never happen! Part 2

This time we continue our look at IBM Security’s latest Cost of a Data Breach Report.

I thought that it would be useful to see what recommendations the report had for busy IT security teams.

37% of ransomware victims opted not to involve law enforcement to help contain a ransomware breach, but those that did experienced a less costly ransomware breach overall. The average cost of a ransomware breach was US$5.11 million when law enforcement wasn’t involved and US$4.64 million when law enforcement was involved – a 9.6% difference.

The total amount of time to identify and contain a ransomware breach was 33 days shorter with law enforcement involvement, at 273 days in total compared to 306 days (a saving of 11.4%). The mean time to contain a ransomware breach was 63 days or 23.8% shorter with law enforcement involvement compared to 80 days without.

For organizations that experienced a ransomware attack, those that used automated response playbooks or workflows designed specifically for ransomware attacks were able to contain them in 68 days compared to the average of 80 days for organizations without automated response playbooks or workflows (16% less).

Does paying the ransom actually save your organization any money? The report suggests that the savings are minimal. Their findings were that the cost of a ransomware attack for an organization that paid the ransom was US$5.06 million. If the organization didn’t pay the ransom, the cost was US$5.17 million – a difference of 2.2%. However, the figures don’t include the cost of the ransom itself. The report suggests that paying the ransom is probably not a cost-effective strategy overall.

The report strongly makes the case for the use of security AI, saying that organizations with extensive use of security AI and automation identified and contained a data breach 108 days faster than organizations that didn’t use AI or automation. What falls into that category includes the use of AI, machine learning, automation, and orchestration to augment or replace human intervention in detection and investigation of threats as well as the response and containment process. On the opposite end of the spectrum are processes driven by manual inputs, often across dozens of tools and complex, non-integrated systems, without data shared between them.

In addition, there were cost savings with AI and automation. The report found a US$1.76 million lower data breach costs compared to organizations that didn’t use security AI and automation capabilities.

Perhaps not surprisingly, the report found that 51% of organizations are planning to increase their security investments as a result of a breach – although one must worry about the other 49%. For those who are planning to invest, the top areas identified included incident response (IR) planning and testing, employee training, and threat detection and response technologies.

The report recommends that organizations take a DevSecOps approach tin order to build security into any tools or platforms an organization depends on to engage its workforce or its customers. Organizations of all types, the report says, should look to ensure that security is at the forefront of the software they’re developing as well as commercial off-the-shelf software that they’re deploying. Application developers must continue to accelerate the adoption of the principles of secure by design and secure by default to ensure that security is a core requirement that’s considered during the initial design phase of digital transformation projects and not simply addressed after the fact. The same principles must be applied to cloud environments to support cloud-native app development in order to makes a serious effort to protect user privacy and minimize attack surfaces.

The report recommends application testing or penetration testing from the perspective of an attacker in order to give organizations the opportunity to identify and patch vulnerabilities before they turn into breaches. No technology or application will ever be fully secure, and adding more features introduces new risks. Ongoing application testing can help organizations identify new vulnerabilities.

The report suggests that organizations should strengthen their resiliency by knowing their attack surface and practicing their Incident Response (IR). Various tools can help organizations gain an attacker-informed perspective into their unique risk profile and vulnerabilities, including which vulnerabilities are readily exploitable.

Secondly, having a team in place that’s versed in the right protocols and tools to respond to an incident has been shown to significantly reduce costs and the time to identify and contain a breach. Organizations with high levels of these countermeasures in place incurred US$1.49 million lower data breach costs compared to organizations with low levels or none.

Another recommendation is for organizations to implement network segmentation practices to limit the spread of attacks and the extent of damage they can cause, strengthening overall resiliency and reducing recovery efforts.

The report also recommends that organizations modernize data protection across hybrid cloud. 82% of data breaches in the report involved data stored in cloud environments, and 39% of breaches included data that spanned multiple types of environments. The report recommends gaining visibility and control of data spread across hybrid cloud as a top priority for organizations, and should include a focus on strong encryption, data security, and data access policies.

Newer technologies such as data security posture management can help find unknown and sensitive data across the cloud, including structured and unstructured assets within cloud service providers, software as a service (SaaS) properties, and data lakes. This can help identify and mitigate vulnerabilities in underlying data store configurations, entitlements, and data flows.

Organizations also need to deploy strong identity and access management (IAM) strategies that include technologies such as multifactor authentication (MFA), with particular focus on managing privileged user accounts that have an elevated access level.

There are plenty of evidence-based suggestions in the Cost of a Data Breach Report that most sites would be wise to implement before a data breach happens to them (again) because they need to realize that a breach can definitely happen to them.

Security breach – it’ll never happen! Part 1

We all know from the press that security breaches have been causing serious problems to computing infrastructure for a number of years now. And yet, there are still too many mainframe sites that are hoping it won’t happen to them. I thought, by way of a wake-up call, it would be useful to take a look at the findings of the latest Cost of a Data Breach Report from IBM Security.

The first thing your CFO will want to know is how much a data breach is likely to cost. The report found that it is US$4.45 million, which is 2.3% higher than the 2022 report’s findings. Worryingly, only 1 in 3 sites that experienced a breach had the breach identified by their own security teams or tools. The remaining 67% of breaches were reported by a benign third party or by the attackers themselves. When the attackers disclosed a breach, it cost organizations nearly US$1 million more compared to internal detection.

The cost of a ransomware attack increased by 13% from 2022, now costing on average US$ 5.13 million. Ransomware attacks made up 24% of all data breaches recorded in the survey. Destructive attacks that left systems inoperable accounted for 25% of attacks. Business partner and software supply chain attacks accounted for 15% and 12% of attacks, respectively.

There’s always a big debate about whether an organization should disclose that it has been hacked and call in law enforcement. After all, the hackers are often based abroad, and a prosecution is unlikely. In addition, the news of the breach may reach the press and the company is very likely will lose customer confidence and is likely to lose money over the next couple of years. The report found that organizations that didn’t inform law enforcement faced an additional cost of US$ 470,000. 63% of sites in the survey had involved law enforcement, the 37% that didn’t also paid 9.6% more and experienced a 33-day longer breach lifecycle.

If you work in healthcare, the report found that since 2020, healthcare data breach costs have increased by 53.3%. For the 13th year in a row, the healthcare industry reported the most expensive data breaches, at an average cost of US$10.93 million.

The big question worrying many sites is are they currently being hacked, and they haven’t realized yet? The survey found that the length of time it takes to identify a breach is 204 days, which, although it might be cold comfort, is better than last year’s figure of 207 days. Once a breach has been identified, how long does it take to recover? The survey found that on average it takes organizations 73 days. That’s three days longer than the 2022 results.

One small comfort for traditional mainframers is that 82% of breaches involved data stored in the cloud – public, private, or multiple environments Mainframe sites that have projects that embrace cloud computing may well wish to review their security policy for the cloud. The report goes on to say that attackers often gained access to multiple environments, with 39% of breaches spanning multiple environments and incurring a higher-than average cost of US$4.75 million.

The location of an organization has big impact on the cost of a data breach. The most expensive place for a data breach is the USA, costing US$9.48 million. The Middle East is the second most expensive at US$8.07 million. Next is Canada, costing US$5.13 million. Fourth is Germany, costing US$4.67 million. And fifth is Japan costing US$4.52 million. The United Kingdom has dropped out of the top five this year.

We said Healthcare was the most expensive. The rest of the top five industries are: Financial costing US$5.90 million; Pharmaceuticals costing US$4.82 million; Energy costing US$4.78 million; and Industrial costing US$4.73 million. Technology has dropped out of this top five list.

Detection and escalation costs are still very expensive. This year the figure rose by 9.7% to US$1.58 million. These costs include activities that enable a company to reasonably detect a breach and can include forensic and investigative activities, assessment and audit services, crisis management, and communications to executives and boards.

When it comes to lost business costs, the figure dropped 8.5% to US$1.30 million. This figure includes activities such as business disruptions and revenue losses from system downtime, the cost of lost customers and acquiring new customers, and reputation losses and diminished goodwill.

This year’s report is its 18^th consecutive edition. The research is conducted independently by Ponemon Institute, and sponsored, analysed, and published by IBM Security. Responses were from 553 organizations impacted by data breaches that occurred between March 2022 and March 2023.

Next time will look at more from the report.

Apple – the evil empire?

There’s a moment in one of those films about the early days of Apple where Steve Wozniak comes up to Steve Jobs and says that he has built a new computer with umpteen holes in the back so that you can plug in just about every device that was then available. It would have made those early Apple devices the dream machine for most people. However, Steve Jobs, without any thought about the feelings of his company’s co-founder, says ‘no’. And so started the locked in, world of its own, Apple empire.

Let’s be clear, I’ve used Apple devices since the days of the Apple IIGS, through those wonderful luggable Macs, right up until a few years ago. Apple was first with a commercially-viable WIMPS (Windows, Icons, Menus, and Pointers) interface, and they created the look and feel of a modern phone. I also love the idea of a magnetic connector, so that if you trip over the wire, it simply disconnects and doesn’t pull your laptop onto the floor.

But if Apple are so good, what percentage of the worldwide PC marketplace does it have? According to IDC data in April, Apple has 7.2 percent of the worldwide PC market. According to Statista, it has 14.2% of the US PC marketplace. What about Apple phones? Firstly, I’m told, you’re not allowed to hold them like a normal phone, you have to hold them sideways, just in case not everyone in the world realizes that you’re using an Apple device. Statcounter tells us that worldwide, Apple phones have 31.5% market share, with Android phones having 67.56%. (The tiny percentage left must be people using two tin cans and a piece of string!) However, if we look at the US marketplace, 62.13% of phones sold are from Apple, with Android having just 37.47%. A huge discontinuity between the USA and the rest of the world.

Medium published an interesting story about the psychology tricks (cognitive biases) Apple use to keep punters hooked on its products. Here are the tricks listed in the article:

Using gamification to improve user engagement – this is the process of turning something dull and mundane into a game – you might do it with your three-year-old to tidy up their toys. For example, the Apple Card in your digital wallet changes colour as you spend more money. This encourages people to spend more. Apple Arcade offers games that aren’t available on any other platform, which creates a sense of exclusivity (or social isolation!). Apple rings on the Apple watch motivates people to be healthier and offers rewards as people hit milestones.

Integrating behavioural economics with product design – an example is bringing out new products with updates (often minimal). This appears to make older models obsolete. The sunk cost fallacy is where a person has spent time and money not only buying a product, but also learning how to use it. So, changing to a different product doesn’t seem worth the effort. So, once an Apple user, always an Apple user. Habits or defaults use less brain power and seem easier at the time. So, if you chose Apple last time, you’re very likely to choose an Apple product for your next purchase.

The psychology of notifications – alerts help us feel that we’re keeping up to date with what’s going on. A red number next to your email icon makes it seem urgent that you check your emails. Allowing users to tailor their notifications gives them the illusion of control.

The mere exposure effect – as anyone finding themselves humming the tune of an advert knows, familiarity makes us choose a product (or tune). So, product placement means that only the good guys in films and TV wear or use Apple products. And we’re the good guys in our life story, aren’t we?

Dopamine-driven feedback loops – this neurotransmitter motivates and rewards us. When you check your email (or anything else) and find a new email, you get a small dopamine reward. So, you repeat the activity to get another reward.

Peak-end rule – mums looking after toddlers don’t remember every dirty nappy or the floods of tears, they remember the best bits – that quite cuddle reading a book together – and the end – the child finally fast asleep. Apparently, Apple product launches have high-intensity peak moments, when a new product or feature gets announced.

Paradox of choice – it’s very hard for people to choose what jam they want if there are more than six choices available. There are too many variables to weigh up. So, Apple restricts the number of product choices it makes available.

Reduction of cognitive dissonance – if you hold contradictory views about something, you are meant to feel cognitive dissonance, which is unpleasant. So, Apple turns off comments on all its social media platforms. There’s nothing negative for customers and potential customers to see. So, there are no potentially conflicting views.

Is Apple deliberately using psychological techniques to suck in people and keep them as customers? Are all big organizations doing the same only not so well? You decide. But on the plus side, Apple has pushed forward computing on PCs, tablets, and phones. On the downside, they may well be exploiting their customers in ways that Microsoft, Google, and PC and phone manufacturers can only dream of!

 

Guide Share Europe Annual Conference 2023

If you work on mainframes and you live in the UK or western Europe, you won’t want to miss out on the UK’s premier mainframe conference and exhibition. It is, of course, The Guide Share Europe (GSE) UK Annual Conference. And it is taking place from Monday 30 October until Thursday 2 November at its regular home in Whittlebury Hall, Whittlebury, Near Towcester, Northamptonshire NN12 8QH, UK. After last year’s successful face-to-face conference, this one should be even better. And this year’s strapline is “Where Technology and Talent meet Tomorrow”.

In-person meetings like this not only provide excellent education for attendees, but also the opportunity to speak to the exhibitors about where they are focusing their attention and to catch up – and argue – with other mainframers during the day and in the bar in the evening!

And, importantly, the GSE conference has just opened up registration this month. So, if you were hoping to get a room in the hotel where the conference is taking place, I would advise that you book straight away.

This year, the Diamond sponsor is Broadcom. The Platinum Sponsors are BMC, Vanguard Integrity Professionals, Rocket Software, and IBM. The Gold Sponsors are Opentext, and Vertali. The Silver Sponsors are MainTegrity, Ensono, DataKinetics, Beta Systems, Veracode, and SEA Software Engineering of America.

This year’s exhibitors are Enterprise Performance Strategies, Velocity Software, Trident Services, Macro4, Planet Mainframe, SCC, Fitz Software, TSG, </mooody cow>, Interskill, Red Hat, Dell Technologies, Action Software, and Verhoef Training.

Although there are now a number of sessions on the Monday afternoon. The conference proper kicks off on Tuesday morning with a brief keynote from Mark Wilson, followed by HSBC Bank’s Paul Hopson.

That is followed by three days of excellent presentations from various experts. There are typically 16 streams running covering all aspects of mainframe life, from 101 sessions for people who are new to the mainframe world. To sessions on CICS, IMS, Db2, security, application development, women in IT, new technologies, storage, system management, and much more. And there are keynote presentations on the other days. That gives nearly 200 sessions across the three and a half days of the conference.

And if you’re still debating whether to go, let me recommend it to you. The quality of presentations is always excellent. And the networking opportunities are brilliant. There’s usually 500 or more people there. It would be a shame for you to miss it.

See you there.

Why do mainframers feel the way they do? Part 2

This week, we continue our look at what can affect the mental health of mainframers. Having discussed genetics, a person’s history, and the effects of adrenalin, we start looking at how a person’s GI tract affects their mind, and vice versa.

Intestinal permeability (ie leaky gut) occurs with chronic low-grade inflammation, which happens more often in disorders such as anxiety or depression.

It is estimated that 90 percent of the body’s serotonin is made in the digestive tract. In fact, altered levels of gut serotonin have been linked to diseases such as irritable bowel syndrome, cardiovascular disease, and osteoporosis.

Stress can affect the composition of, and the total amount of, biome (bacteria etc) in a person’s gut. The biome can be directly affected by neurons, immune cells, and enterochromaffin cells (neuroendocrine cells found in the gastric glands, that aid in the production of gastric acid through the release of histamine).

The brain also modulates gut functions such as: motility; the secretion of acid, bicarbonates, and mucus; intestinal fluid handling; and mucosal immune response. These maintain the mucus layer and biofilm where individual groups of bacteria grow.

Plus, the brain may affect the biome composition and function by changing intestinal permeability, allowing bacterial antigens to penetrate the epithelium and stimulate an immune response in the mucosa (mucous membrane). So, through the autonomic nervous system, the brain modulates immune function, which can increase epithelial permeability to bacteria, which facilitates their access to immune cells.

Changes in the composition of the gut flora due to diet, drugs, or disease correlate with changes in levels of circulating cytokines, some of which can affect brain function. Cytokines are small proteins that affect the behaviour of cells around them. They are especially important in the immune system.

The brain and the gut are connected by the vagus nerve, which wanders (its name comes from the same source as the word vagabond) round the body and contains nerves sending messages from the brain, and nerves sending messages to the brain. It affects how the gut behaves (trying to keep everything well – a homeostatic role), but it’s also part of the Gut-Brain Axis, sending messages from the gut to the brain, which then impact on mood.

The gut is also closely linked to the body’s immune system. Most of the body’s immune system works on the gut! When our immune system identifies an invader, it releases cytokines, and the body is protected by inflammation as white cells attack the invading organisms. However, some people have low levels of inflammation all the time.

It’s worth noting that the brain and the immune system have two-way links.

Stress can cause inflammation. Stressful events include bereavement, poverty, debt, social isolation, and maltreatment as a child. Being overweight causes inflammation. Even public speaking can increase inflammation!

Most inflammation occurs on the inside of the body, which people can’t see. One of the ways that the body naturally keeps the levels of inflammation down is through the vagus nerve. It controls the inflammatory reflex.

The inflammatory reflex is a neural circuit that regulates the immune response to injury and invasion. If cytokine levels in the body rise, the vagus nerve will detect the change and send a message to the brain. A signal is then sent down the vagus nerve to the spleen, acting on macrophages (white blood cells) to reduce the cytokine level. Cytokines can cause collateral damage to the body’s cells near them. Interestingly, vagal nerve stimulation can reduce inflammation. Increased vagal signalling inhibits inflammation and prevents organ damage.

The health and fitness of the vagus nerve is called vagal tone. A high vagal tone equates to a better capacity to keep inflammation down.

Other factors associated with increased inflammation include: obesity; sedentary lifestyle; disordered sleep; emotional and physical trauma; medical illnesses such as cardiovascular disease, diabetes, cancer, and autoimmune; infections (including exposure to unsanitary living conditions and poor hygiene); medical treatment such as surgery, chemotherapy, or radiation; and antidepressant treatment resistance.

The body’s natural immune response can trigger oxidative stress temporarily. This type of oxidative stress causes mild inflammation that goes away after the immune system fights off an infection or repairs an injury. Oxidative stress refers to an imbalance of free radicals and antioxidants in the body, which can lead to cell and tissue damage. Free radicals are molecules with one or more unpaired electron that are very reactive. Antioxidants are substances that neutralize or remove free radicals by donating an electron. The neutralizing effect of antioxidants helps protect the body from oxidative stress. Examples of antioxidants include vitamins A, C, and E.

The blood-brain barrier protects the brain. We used to think it was impenetrable.

The neuroimmune system is composed primarily of glial cells and mast cells (a type of white blood cell). During a neuroimmune response, cytokines send inflammatory signals across the blood-brain barrier, which activates microglial cells in the brain, which then release more cytokines. As a consequence, this can kill neurons or shrink them, reduce the number of synaptic connections, and the synaptic supply of neurotransmitters can be disrupted. And it can block the regenerative process that would create new cells. Tryptophan is a serotonin precursor. Microglial cells can instruct nerve cells to make other end products such as kynurenine. This makes less serotonin available in the brain and kynurenine (and other alternative end products) are toxic. So, inflammation in the body can have a negative impact on the brain – perhaps, leading to depression.

There’s lots of research evidence linking inflammation in the body with depression.

What I’m suggesting here is that the mental health of mainframers and others can’t be taken in isolation and needs to be looked at along with the physical health of their body.

But even that isn’t enough. The mental health of a person depends on a much bigger picture. George Engel in 1977 first came up with the idea of a biopsychosocial model. He suggested that in order to understand a person's medical condition more than just biological factors had to be considered. It’s also important to look at psychological and social factors. And these three types of factors are interlinked. In 2017, Wade and Halligan said, it is generally accepted that “illness and health are the result of an interaction between biological, psychological, and social factors”.

Psychological factors include: stress management; positive thought; resilience; mental discipline; and giving and receiving love. Social factors include: support from social groups; and access to medical and health education. Lastly, biological factors include: healthy diet; exercise; freedom from addiction; time to relax; and no genetic predisposition to disease.

And, maybe, we can take that a stage further. How a person feels depends very much on their employer’s attitude towards their staff, and politics – how keen national and local government are to ensure a person feels safe and has somewhere to live; whether they have access to education and health services; whether there are shops and places of entertainment nearby; and whether there are affordable and green transport links for business. And so much more.

 

Why do mainframers feel the way they do? Part 1

Working with mainframes is a bit like being a spy in a foreign country sometimes. You know that you have the most secure and powerful platform available, and yet you seem to be working abroad – by that I mean your organization – where no-one seems to be aware of the mainframe’s existence and only talk about server racks and the cloud. That’s going to affect your mental health, isn’t it? Let’s look at what else can affect the mental health of mainframers – by that, I mean you and your colleagues.

Let’s start at the beginning. People start off the way they are because of their genes – a random mixture from both parents. In addition to how the genes are expressed, there are also the effects of epigenetics. This is where the expression of a gene or genes is altered, but the basic genetic code doesn’t change. As scientists discover more about genes, we find some that definitely have a specific impact on a person – eg genes for particular diseases – and there are suggested associations between genes and certain things, eg addiction or depression. However, in May 2021, a genome-wide association study (GWAS) of genetic and health records of 1.2 million people from four separate data banks identified 178 gene variants linked to major depression.

Do genes totally control how happy any mainframer will be? Sonja Lyubomirsky, author of The How of Happiness suggests that 50 percent of happiness is genetically predetermined, while 10% is due to life circumstances, and 40 percent is the result of your own personal outlook. These values might apply to more than just happiness.

Picking up on that 40% figure, it’s not so much the events that happen in your life that affect you, it’s very much how you think about them that impacts you.

The second big thing that affects a person is their environment. This is the surroundings or conditions in which a person lives or operates. The effects of genes and environment led to the nature-nurture debate that went on for many years. And this fits Lyubomirsky’s ideas about happiness percentages.

We also know that a person’s childhood can affect how they think and behave as an adult, and also affects their health as an adult and their life expectancy. It’s also during childhood that many people’s core values and beliefs are created (or indoctrinated – depending on your beliefs).

Let’s suppose you go for an interview for a new job somewhere, or a promotion at your present company, how do you feel? Most people will probably feel a little nervous, perhaps go to the toilet a couple of times, have butterflies in their stomach. This is your body’s flight-or-flight response. The problem is that it’s exactly the same response whether you are feeling excited – like a child who is going to meet Father Christmas – or terrified – those few moments before the charity skydive starts that you foolishly agreed to! Adrenalin is pumping round your body causing blood to move away from your gastrointestinal (GI) tract and sending it to your muscles. That’s why you feel butterflies in your stomach, it’s the lack of blood. How you interpret that – excitement or terror – depends on you and where you find yourself.

That just illustrates the link between your body and your mind. They are not two distinct domains, they are intimately linked. How much pain you feel from an injury can depend on how relaxed you are. Clenching their fists and tightening their muscles can increase a person’s perceived level of pain. So can the expectation machine that is your brain. If you expect the vaccination or dental work will hurt you very much, then guess what, it will. If you don’t expect very much pain, then the sensation of pain will pass more quickly.

Let’s take a closer look at a mainframer’s GI tract and how it can affect them.

Firstly, a person’s GI tract has millions of bacteria etc that live in it – our gut microbiome. The gut has its own nervous system – called the enteric nervous system. And there’s a two-way link between the brain and gut – the Gut-Brain Axis (GBA).

Our gut has to digest food (ie make and secrete enzymes). It has to absorb food. It has to squeeze food through itself (peristalsis). And it has to defeat invading bacteria. It has to ensure the cells in the gut lining keep the bad stuff out and let the good stuff through. It has to not have too thin a layer or too many gaps between cells. And it has to produce a layer of mucous over the top of this lining. And your microbiome helps – it does use some of your food for itself, but it does create useful products. If you don’t have a microbiome, eg through taking too many antibiotics, you’ll not be very healthy.

What you eat can affects your biome. Studies have shown that gut microbes can affect behaviour and even emotions (like depression). A Belgian study found two kinds of microbe (Coprococcus and Dialister) were missing from the microbiomes of their depressed subjects, but not from those with a high quality of life.

Compounds made by the gut microbiome, eg Short-Chain Fatty Acids (SCFAs), such as butyric acid, propionic acid, and acetic acid, are able to stimulate sympathetic nerves, mucosal serotonin release, and to influence memory and the learning process.

Faecal microbiota transplants can be used to influence mental health. The gut microbiome plays a facilitating role between the stress response, inflammation, and depression and anxiety.

 

Find out more about what affects mainframers, when the second part of this article is published next time.