Ask the Expert: The Data Breach Effects We Never Hear About

We’re constantly hearing about data breaches in the context of financial losses – this company lost $40m, this one’s market value dropped by 3% – but what about the softer losses? What about the people who lose their privacy and have their most intimate details exposed?

In this blog post, we guest interview Dana Turjeman, Ph.D. Candidate in Quantitative Marketing at the University of Michigan, and look at the implications for individuals who have suffered the consequences of a data breach.

About Dana Turjeman

Dana Turjeman is a Ph.D. Candidate at the Ross School of Business, University of Michigan, and her research focuses on privacy and impression management.

After working with an online match-making website (specifically for those seeking an extramarital affair) that suffered a severe data breach, Dana and her team wanted to learn more about the short term changes in the behavior of users following the announcement of a breach.

When she started to investigate the consequences of the data breach, she realized there was a lack of research on how such breaches affect users. Almost all work in this field was on financial damages suffered by public companies – simply because financial data on public companies is more readily available.

BitDam (BD): What’s the impact of data breaches on individuals?

Dana Turjeman (DT): Data breaches differ based on the level of sensitivity of the data, the number of records, where the data ends up (public or not), and whether people can be protected from damage or not. On many occasions, data breaches cause financial harm to individuals; in many countries, these effects can be minimized by using financial identity and fraud detection services.

In other cases, sensitive information about habits, sexual preferences, and illegal behavior has been revealed. In the case of one of the affair-seeking websites that was breached, individual users got divorced, had their reputation severely harmed, and in extreme cases – committed suicide. This example of a breach is one of the most extreme in terms of the sensitivity of the data.

Usually, even though data breaches receive a lot of media attention, individual users do not have many ways to protect their identity, and even if they do have a way to protect it, they neglect to do so; this is often referred to as the “privacy paradox”. This might be for several reasons: optimism bias, laziness, uncertainty as to what can be done, and habituation to data breaches (getting used to them). Measuring changes in users’ engagement with companies following a data breach is hard to achieve, and my research aims to solve this problem.

BD: Can you tell us more about your research?

DT: I have several projects on privacy; one of them focuses on the consequences of the data breach on the affair-seeking website, as I mentioned. Another relevant one is on the positive and negative sides of data collection, specifically in marketing practices.

In a different stream of my research, I look at impression management. In one relevant project, I observe changes people make on online dating websites (not only those seeking an affair) and investigate the “optimization” they make to their appearance on the website. Some users change details such as date of birth, height, and ethnicity – which can clearly never change. It doesn’t mean they lie in order to deceive. Rather, there are several reasons that have been discovered – personal security, ability to hide personal information and “hold the cards”, and yes, also – desire to attract more.

BD: It seems like the main focus when it comes to data breaches is on financial losses rather than customer behavior. Can you comment on that?

DT: Most research on the consequences of a data breach focuses on the stock market valuation of companies that suffered a breach, and customer surveys. It is hard to measure actual changes in customer behavior, for two main reasons:

(1) Companies don’t easily provide data following such instances (very naturally so – they want to share less, and not more, data, after a data breach), and (2) it is hard to measure users’ reactions, especially when there’s no “control group” (i.e., usually, in a data breach, all users/customers of the company are affected, and there is no clear group that can be used for comparison).

BD: How do you deal with these constraints?

DT: We solve both of these problems by having a rich data set that we received directly from the company (under a Non-Disclosure Agreement, and only for academic purposes), and by using advanced quantitative and causal inference methods.

BD: Why are the “softer” effects being overlooked in your opinion?

DT: Some of the consequences of data breaches that I mentioned above – loss of privacy, reputation, etc., are hard to measure. Usually, it is easier to look at stock market valuation and assess what the damage is from there.

BD: Any idea on how to avoid such privacy violations?

DT: The easiest thing is to collect only the data that is really needed and hold it for the least amount of time necessary. But even with data that is collected, companies should:

  – Update their security practices all the time
  – Encrypt every piece of the data, and obviously the sensitive parts of it
  – Grant access to only those who must access the data
  – If using third-party code:
      – Be sure to use it only if it is from a reputable source
      – If it is open source, use open source that is well maintained and validated
  – Data protection should be discussed from the very first step of product development
  – Apply advanced cybersecurity solutions and keep up-to-date with new solutions and technologies


The Key: Stay Protected

Data breaches can take a massive financial toll on businesses. What’s less known is the tremendous negative impact these breaches have on individuals. Thanks to researchers like Dana Turjeman, we’re starting to find out more about the effects these breaches have.

A key takeaway is how imperative it is to ensure that all content and applications are secure. Organizations and individuals should make sure they are protected and deploy sophisticated solutions to deal with these advanced threats before it’s too late.

City and County of San Francisco’s Nathan Sinclair Shares His Experience of BitDam’s PenTest

Nathan Sinclair heads the Cybersecurity Defense team of the City and County of San Francisco, providing IT security services to about 30,000 employees. He has recently engaged with BitDam, used its PenTest in several ways and reached some conclusions. In this interview, he shares his experience with BitDam’s PenTest, including some specific insights about the process, how it helped him assess different email security solutions and even do more in less time.

Nathan, can you please give us some background about yourself and your job?

Nathan: I manage the cybersecurity defense team for the city and county of San Francisco. We are a central service for cybersecurity monitoring and alerting which serves the entire organization.

One of the newest additions is that now we are also focused on email protection. Our biggest challenge was phishing because we knew it’s a growing problem but didn’t have much visibility on what was going on, so that was the main trigger for our email security solution search.

How did you hear about BitDam?

Nathan: Our CISO, Mike Makstman, brought it to my notice. I had heard about BitDam before but didn’t have any direct touch with them. Then Mike told me about them and that they use an interesting approach. So I did some research and found out that it is indeed a different approach to how all others do email security, and it sparked my curiosity. That was when we started to kick off, saw a demo and understood what it does. Understanding the technology underlying it, I realized how valuable it could be. That’s one of the reasons we went forward with procuring it.

Ok, so what was the next step?

Nathan: To start testing we used the BitDam online PenTest and forwarded some malicious emails to the BitDam portal to see how it works, just like we did with other email protection solutions. I know that this wasn’t the perfect test, but that was the best we could do as an initial step.

Alright, can you tell me a bit more about the PenTest itself? What was done there?

Nathan: Well, the Pentest – that was interesting!

I started with the free online PenTest – very simple. You just put your email address there. The first time we did that was actually very helpful because we tested multiple solutions using the same PenTest – sent the same emails to mailboxes equipped with different solutions so we got a true comparison.

Then we rolled into the advanced part of the BitDam PenTest, working with the company’s team. That was really good because the number of emails that were sent to all solutions was high, and it gave us a representation of what emails the products could see, which ones saw what, whether they were able to detect malicious files and so on. This helped us narrow down the solutions very, very fast. This is the fastest POC that I’ve ever done for so many solutions at the same time in my whole career.

How many solutions did you test?

Nathan: We’ve examined about 5 solutions in total. We had licensing set up from different solutions to some internal mailboxes so each mailbox used a different solution. It was interesting to see in real-time how different solutions handle different malicious emails, which alerts they send etc.

What kind of products did you check in this PenTest?

Nathan: All products we’ve compared to were email security solutions. Some of them had additional functions like sandboxing and advanced analysis of the messages, so it was kind of a mix.

How would you evaluate these solutions without the BitDam PenTest?

Nathan: It would have been a similar process but a lot slower… We would have had to wait for certain malicious or phishing messages to come to us for real in order to send them to each of the solutions.

How long did the process of comparing these 5 solutions take?

Nathan: Honestly, once BitDam started to send all those messages the test was very quick. This PenTest was way more efficient than how we’ve been testing other solutions before. The PenTest analysis took about a month in total, and that was only so I could pull data and make sure I’d tested all the features and covered all bases.

How easy was it to operate? Analyze?

Nathan: The initial one on the website was super easy. Literally, put your email address in, click a button, and click submit. The advanced PenTest was also easy. We just had to let the team know which email addresses to send the messages to. I had alerts set up so I knew when it was coming in, what time. It wasn’t anything that was complicated.

Anything worth sharing with others who may do this PenTest?

Nathan: We had to figure out a way to count the messages that did pass and came in, and there were hundreds of such messages. To deal with that, one of our guys set up a rule so he could tell me every morning how many messages actually made it to his mailbox. He just created a folder in order to track it and it was very interesting to see how many did make it through.

Also, for us, the PenTest helped us assess how we will operate on those systems when we get a false negative. A good representation of what’s going on is a pretty big deal to us since we serve different departments.

Were you surprised by the results?

Nathan: You know what, no, I wasn’t. We asked our peers what other solutions and services they have, and the actual experience they had with these solutions. So when we tested one of the first ones I wasn’t surprised, it was typical.

I was surprised by the speed of this PenTest which gave us the amount of time to be able to do everything that we wanted and even more.

And what was your impression of BitDam?

Nathan: I can definitely tell that it’s a company that doesn’t just sell a product but really builds a partnership which really fits how we operate with vendors. I think it’s really cool how the product looks at email very differently. The BitDam approach – creating the baseline of how something is supposed to work – was a key driver to make the decision to have it as a security blanket, especially for mailboxes that are more targeted than others.

Are there any cyber trends that you notice at the City and County of San Francisco?

Nathan: Our biggest target is our end users. That trend is going to continue. Malicious emails are looking more and more real every day. There have been a lot of messages that were targeted at us, that looked very genuine as to where they come from, and they are not. They send you to websites or places that look just like the website that could potentially have sent it. Once the user has clicked on it, the damage has been done. I think we have to combine education of end-users and technology such as more intelligence and dynamic analysis of those messages.

Lead Data’s President in an interview on BitDam

With Lead Data as a trusted partner, we wanted to hear from Ron Redmond, Lead Data’s President, about their activities, how they tried BitDam using the company’s PenTest and why they decided to offer the solution to their customers.

Ron, please give me some background about Lead Data.

Ron: We started Lead Data 18 years ago, and back then focused on CheckPoint’s products and services, bringing them to organizations in the tri-state area. Since then, we’ve evolved and work with other partners including Microsoft, Cisco, RSA, f5, Terranova, Barracuda, and more recently, also BitDam. We were always focused on security. Today, we serve more than 700 organizations in our geographical area, with most of them having multiple locations and a thin IT staff. They look at Lead Data’s team as trusted members of their own IT team.

How did you come across BitDam in the first place and what caught your attention?

Ron: I was introduced to BitDam by a friend almost a year ago. It sounded interesting, especially since the founders know closely how attackers tend to work. So I spent some time with the founders and got an understanding of the uniqueness of the technology. I loved the fact that BitDam brings a whole new approach to a known problem that has existed for many years, and which no one has really solved so far. That drew me to start working with BitDam.

I was intrigued by this different approach and wanted to check if I would see a difference, if it would catch things that normal Anti-Virus couldn’t catch. And here I’m talking mainly about zero-day malware. I wanted to see what impact this new approach would have on the bottom line, the actual results.

So I guess you wanted to test it before you decided to offer it to your customers.

Ron: Absolutely. We did a POC test with BitDam against our existing security controls – a combination of a leading sandbox solution and a leading email security product, both from well recognized players in this market.

Ok, and what did the results look like?

Ron: What were the results? The email solution didn’t get a single piece of the malicious files that were introduced and which BitDam caught. The sandboxing solution detected only 40% of them.

We’ve done two tests – the automated test provided online by BitDam, and a very extensive test with the BitDam team. We’ve done both tests multiple times with many different customers. BitDam always detected much more than the other solutions.

Any additional tools that you used as part of your assessment of the BitDam solution?

Ron: Well, we also used BitDam Total to scan files for malware, leveraging the BitDam engine. One of Lead Data’s cybersecurity experts used this free service and found the portal very helpful. He actually used it to test files in many cases. The interesting thing about it is that it caught zero-day malware in many of these checks. And these were malicious files that our existing security suite missed. That was really impressive!

Ok. So you were impressed by the technology and the capabilities. Why do you think that others should use it?

Ron: For the obvious reason that it catches zero-day malware that most other products, including leading ones, do not catch. This is organizations’ main concern when it comes to email security. You see, there are many security solutions out there, and they catch malware. But the real risk is in zero-day attacks which can lead to massive losses. Everyone is looking for this ‘magic’ that would protect from zero-day malware, and here it is. This is not in theory, I saw it in my environment scanning Lead Data email traffic as well as with our customers. Within a few weeks of operations BitDam detected zero-day attacks that other solutions (again, leading ones) didn’t.

Which organization do you think should adopt this?

Ron: I think that BitDam’s technology could help companies of all sizes. The larger the organization the more value BitDam would add.

Do you have any tips or suggestions for your customers?

Ron: As a first step, I strongly suggest trying the BitDam PenTest, which is available on their web site. It is a very simple, straightforward way to test your current mail security solution. Based on the results, my team and I are happy to set up a full BitDam PenTest, which is more comprehensive. The results of the full PenTest will show you the value that BitDam will bring on top of your existing mail security solution. And last but not least, I’d like to invite you to our BitDam webinar taking place on 29 January, 2019.

Anything else that you would like to share from your experience with BitDam?

Ron: We used it ourselves. It has caught many pieces of malware for us, although we are much smaller than other companies we work with. We actually caught several pieces of zero-day attacks that were sent to us by our customers.

Also, I must share that my experience working with BitDam has been wonderful. As a partner, their team is always available for me to help work with customers and prospects.
