[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* Size Doesn’t Matter: Cyber Security and the SME
* Cybersecurity Due Diligence Critical Amid Rise In Data Breaches
* Mobile Security Research Uncovers Gap Between Perception and Reality of Vulnerabilities
* Four ways S’pore is stepping up its fight against cybercrime
* Major cyber security threat underscored by congressional Homeland Security chairman
* Browser study aims to stop hackers in their tracks
* Why the U.S. is behind the curve on cyberwarfare
* 9 Critical Responsibilities Of The Cybersecurity Manager
* SEC Prepares for More Cybersecurity Oversight
* Firefox sets kill-Flash schedule
* How exposed is trucking data to theft?
* Call for Australia to appoint cyber ambassador
* The changing face of data breaches
* Automotive Cybersecurity Best Practices
* Regulators’ IM Crackdown May Increase Cyber Risk
* Cyber Security Quarterly Round-Up – July 2016
* MS-ISAC official: Ransomware is top malware of concern for states, counties
* CISOs need teamwork and a framework, says Chief Cybersecurity Officer at Trend Micro
* RSA Research Shows 74% of APJ Organizations Face Significant Risk of Cyber Incidents
* DHS looking for industry expertise in protecting ‘mobile ecosystem’
Size Doesn’t Matter: Cyber Security and the SME
The research, which forms part of NJR’s cyber security report: how real is the threat and how can you reduce your risk, shows that 23 per cent of employees use the same password for different work applications and 17 per cent write down their passwords, 16 per cent work while connected to public wifi networks and 15 per cent access social media sites on their work PCs.
Such bad habits and a lack of awareness about security mean that employees are inadvertently leaving companies’ cyber doors wide open to attack.
Tarun Samtani considers the areas that SMEs are weakest when it comes to maturing in cyber security:
a) Information governance
Once the crown jewels have been identified, the next step is to understand and map the different paths an adversary could take to get to them.
This is called Attack Path mapping.
b) Enterprise Risk Management
Cyber and information security risk management needs to be part of the enterprise risk management framework as a separate entity not under IT risk.
c) Cyber security Awareness
To reduce the risk of cyber threats, the human OS needs to be patched in such a way that staff not only understand their responsibility for security but also take an active role in improving the cyber security of the organisation by using best safe practices.
d) Enterprise Architecture
It is crucial for a business to have a single entity/function that sits across the business to oversee all the different projects in the organisation and align them with the business strategy.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=55b666fe4e&e=20056c7556
Cybersecurity Due Diligence Critical Amid Rise In Data Breaches
In response to the growing cybersecurity challenges facing corporate mergers and acquisitions (M&A), West Monroe Partners, a Chicago based management and technology consulting firm, recently released a report providing insight into the complexities and challenges of cybersecurity due diligence in the acquisition process.
The 28 page report, “Testing the Defenses: Cybersecurity Due Diligence in M&A,” revealed that the potential costs of cybersecurity problems are enormous.
In 2015, the Identity Theft Resource Center reported 781 data breaches at companies in the United States, with the average cost of a data breach being $3.79 million, according to a survey commissioned by the International Business Machines Corporation (IBM).
The report also found that in the majority of cases, cybersecurity issues alone are not enough to cause a buyer to abandon an acquisition with 77 percent of respondents saying that they have never walked away from a deal for that reason.
The study produced five main findings:
– Cybersecurity diligence is no longer optional.
– Knowledgeable personnel are key.
– Good governance trumps bells and whistles.
– Be practical when assessing risks.
– Remember to implement deal protections.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=206c82f8a3&e=20056c7556
Mobile Security Research Uncovers Gap Between Perception and Reality of Vulnerabilities
/EINPresswire.com/ — NEW YORK, NEW YORK — (Marketwired) — 07/19/16 — BLACKBERRY SECURITY SUMMIT – A new global research initiative conducted by BlackBerry Limited (NASDAQ: BBRY)(TSX: BB), a global leader in secure mobile communications, finds that despite extensive resources dedicated to mobile security, many IT decision-makers remain concerned about the level of vulnerabilities that persist.
The study surveyed 1,000 executives from seven countries across a wide range of vertical industries, including financial services, government and healthcare.
The survey reveals that 73 percent of organizations have a mobile security strategy in place, but only three percent say they have implemented the highest levels of security possible.
This is in part because of user attitudes – 82 percent of the executives admit mobile security precautions cause at least some frustration among employees, and potentially hinder productivity.
Overall, 44 percent fear that too much mobile security will prevent employees from doing their job.
This fear of implementing a stronger mobile environment leaves a startling majority of executives, 86 percent, worried about the level of protection for their organization, with half saying they will experience more security breaches through mobile devices.
A critical element to a successful BYOD or COPE (corporate owned, personally enabled) mobile environment is ensuring the isolation and separation of personal and business mobile data, also known as containerization.
However, nearly 45 percent have no containerization technology in place.
The research also uncovered that nearly half of organizations do not have a Security Incident Response Team (SIRT) in place, despite the fact that SIRT is an industry best practice to reduce the cost of data breaches.
IT decision-makers also seek outside help when it comes to securing their mobile environments.
Of those surveyed, 59 percent report that external expertise is the best option for reviewing mobile practices.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7e9123fec1&e=20056c7556
Four ways S’pore is stepping up its fight against cybercrime
SINGAPORE — Law and Home Affairs Minister K Shanmugam on Wednesday (July 20) unveiled the National Cybercrime Action Plan, which sets out the Government’s future and ongoing efforts against cybercriminal activity.
Here are the four key priorities in the plan.
1) EDUCATING THE PUBLIC
Among efforts to help the public to stay safe online, there will be a special focus on vulnerable groups, such as students and senior citizens.
2) ENHANCING GOVT’S CAPABILITY TO FIGHT CYBERCRIME
The Cybercrime Command, set up in December last year to improve coordination in the police’s response to cybercrime, will analyse new methods used by cybercriminals.
3) STRENGTHENING LEGISLATION AND CRIMINAL JUSTICE FRAMEWORK
The Computer Misuse and Cybersecurity Act will be amended so it is effective in responding to the transnational nature of cybercrimes and the evolving tactics of cybercriminals.
4) PARTNERSHIPS
The Government will build partnerships with industry and academia, locally and overseas, so as to share knowledge and build capabilities in areas such as cyber-forensics and cyber-investigations.
The MHA has also set up a new Institute of Safety and Security Studies that will promote thought leadership and build expertise in different areas, including cybercrime.
The institute’s training courses will be offered to Home Team officers and partners from Asean member states.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a8ddcab1a0&e=20056c7556
Major cyber security threat underscored by congressional Homeland Security chairman
CLEVELAND – The Chairman of the House Committee on Homeland Security says the nation is “not ready” for serious cyber security threats.
Texas Congressman Michael T. McCaul, whose committee oversees the U.S. Department of Homeland Security, made the remarks during an RNC Cyber Security Forum meeting in Cleveland on Tuesday to draw attention to the nation’s vulnerabilities regarding cyber attacks.
The forum presented views by ten of the nation’s leading experts on internet technology and was sponsored by the Center for CyberSecurity and Privacy Protection at Cleveland Marshall College of Law.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=57bcdf5571&e=20056c7556
Browser study aims to stop hackers in their tracks
Developing an anti-tracking computer program to protect users against hackers is at the heart of a new study into browsing habits.
Browser fingerprinting is an increasingly common tracking technique that collects contextual data from a person’s computer without their knowledge.
Researchers at the University of Adelaide in South Australia are conducting a study to discover the weaknesses in contemporary “browserprinting” methods to build an adequate defence program.
University of Adelaide PhD student Lachlan Kang said browser fingerprinting could affect anyone, even those who used the anonymous aspects of VPNs to protect their privacy.
In an Oxford and MIT joint study earlier this year, it was discovered that the social media site Twitter used location tags to determine real-world addresses, hobbies, and medical histories.
To join the study, visit: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8aec1e1df9&e=20056c7556.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=42e586ebfb&e=20056c7556
Why the U.S. is behind the curve on cyberwarfare
There are three reasons for this, and they are easy to understand.
First, we populate our cyberwarfare capability with officers whose training and experience are in kinetic, not digital, warfare.
We would be better off with a group of hackers or by elevating civilians, who would stay in place over a long enough period of time to acquire the requisite skills.
Second, we do not have people in key positions or in sufficient numbers who are fluent in either Arabic or Pashto or in grasping cultural nuances.
If you can’t understand the language or culture, it is pretty hard to figure out what is going on and respond to it on either a technical or psychological level.
And third, the complex web of organizational relationships in U.S. cyberwarfare precludes quick and dynamic decision-making when time is of the essence.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e1c41e182f&e=20056c7556
9 Critical Responsibilities Of The Cybersecurity Manager
The larger the organization, the narrower the focus becomes.
For instance, if you were the only one running the show in the cybersecurity department for your organization, you would be tasked with everything from the technical aspects of security to security policy (and everything in between).
In a larger organization, cybersecurity managers often play one of two roles:
– A technical security manager
– A program security manager
9 Critical Responsibilities Of The Cybersecurity Manager
* Monitor all operations and infrastructure.
* Maintain all security tools and technology.
* Monitor internal and external policy compliance.
* Monitor regulation compliance.
* Work with different departments in the organization to reduce risk.
* Implement new technology.
* Audit policies and controls continuously.
* Ensure cybersecurity stays on the organizational radar.
* Detail out the security incident response program.
In many large organizations, the chief information security officer is involved in briefing the board members on cybersecurity—but depending on the size and maturity of the security program in your organization, this may fall on the cybersecurity manager.
If this falls within your scope of work, you should focus on communicating the state of your information security program, including your successes and failures.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=195eb0cad5&e=20056c7556
SEC Prepares for More Cybersecurity Oversight
Leading U.S. banks, and other publicly traded companies, should expect increased cybersecurity scrutiny from the Securities and Exchange Commission.
This week, during a meeting of the Treasury Department’s Financial and Banking Information Infrastructure Committee, leaders of the SEC and the Commodity Futures Trading Commission, which aims to protect consumers from fraud, shared updates about their agencies’ approaches to cybersecurity, as well as an overview of their examination processes, rules and other actions.
The Treasury committee focuses on improving information sharing among financial regulators, promoting public-private partnerships and enhancing the resiliency of the financial sector.
And its membership reads like a who’s who of regulatory authority, including Sarah Bloom Raskin, deputy secretary at the Treasury Department; Mark Gruenberg, chairman of the Federal Deposit Insurance Corp.; and Thomas J. Curry, comptroller of the Office of the Comptroller of the Currency.
The FBI also played a role at the meeting, noting the need for more information sharing with the financial sector.
We can expect in coming weeks to see more from the SEC and the CFTC about their plans to be more proactive about cybersecurity oversight, risk assessment and cyber examination.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c6ff92ea9d&e=20056c7556
Firefox sets kill-Flash schedule
Mozilla yesterday said it will follow other browser makers by curtailing use of Flash in Firefox next month.
The open-source developer added that in 2017 it will dramatically expand the anti-Flash restrictions: Firefox will require users to explicitly approve the use of Flash for any reason by any website.
Firefox is late to the dump-Flash party.
Other browser developers — Apple, Google and Microsoft — have been more active in limiting Flash.
Safari has frozen some Flash content since 2013, while Chrome did the same in September 2015.
Edge will follow suit with the release of the Aug. 2 upgrade, Windows 10 Anniversary Update.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=013350d98d&e=20056c7556
How exposed is trucking data to theft?
Sean Kilcarr: There’s this new term being bandied about in corporate circles these days called “knowledge assets,” which means “confidential information” critical to a company’s core business operations other than personal information.
Such “knowledge assets” include things like: trade secrets; information regarding product design, development or pricing; non-public information about company internal structure, plans or relationships; and “crucial” customer information, which in trucking’s case can mean everything from billing numbers to data regarding specific cargoes.
“Companies face a serious challenge in the protection of their knowledge assets. The good news is there are steps to take to reduce the risk,” noted Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
“First of all, understand the knowledge assets critical to your company and ensure they are secured,” he said. “Make sure the protection of knowledge assets, especially when sharing with third parties, is an integral part of your security strategy, including incident response plans.
To address the employee negligence problem, ensure training programs specifically address employee negligence when handling sensitive and high value data.”
That’s especially true for many areas in trucking, where cargo theft remains a major problem – while data breaches only amplify the issue.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8a4069c3fd&e=20056c7556
Call for Australia to appoint cyber ambassador
A senior official from the security services company Forcepoint has welcomed the appointment of Dan Tehan as the minister assisting Prime Minister Malcolm Turnbull for cyber security, but says that, given Tehan’s numerous roles, the appointment of a “cyber ambassador” will be key to co-ordinating Australia’s efforts in this direction.
But at the same time, he added that, given Tehan was appointed to deliver the cyber strategy, it raised the question of whether he would be able to critically evaluate and amend the programme as cyber security threats grow.
Tehan wears a number of hats in Turnbull’s ministry: he is minister for defence personnel, minister assisting the prime minister for the centenary of ANZAC, minister for veterans’ affairs and minister assisting the prime minister for cyber security.
Eilon said right now, Australian government agencies were operating with small budgets and could be hesitant to take steps needed to protect citizens, networks and sensitive data. “However, given the cost of fraud and cyber-attacks will reach $70 billion by 2020, as forecast by the Australian Computer Society, security across government should be more of a focus.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=00cc605fbc&e=20056c7556
The changing face of data breaches
HOW THE CLOUD COMPLICATES THE BREACH BUSINESS — Benjamin Powell, an attorney at WilmerHale who has handled some of the biggest data breach cases you can think of, says he’s noticing a distinct trend: As companies move to the cloud and increasingly rely on cloud service providers, they’re encountering different sets of problems when there’s a breach.
“It is interesting: If you have an incident, now you have a third party involved,” Powell, the former longtime general counsel for the Office of the Director of National Intelligence, told MC in a recent interview. “Everything before was your own world.
You now have multiple parties and players.
It’s just been something that as the cloud moves, it’s a different kind of world as opposed to, ‘Our servers are over there.’ And you see this in the government with what they’re doing in the cloud and even the intelligence community.”
The motive for moving to the cloud for most businesses, in Powell’s anecdotal experience, is “immense computing power at a very good price point.” But that raises a natural question. “Is that bad for security? The answer is, it’s not a ‘good’ or ‘bad,’” according to Powell. “There are a lot of advantages to using providers who have security expertise you won’t have as a company unless you’re a really high-end company.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cb9afc48c9&e=20056c7556
Automotive Cybersecurity Best Practices
EXECUTIVE SUMMARY – JULY 2016
As vehicles become increasingly connected and autonomous, the security and integrity of automotive systems is a top priority for the automotive industry.
The Proactive Safety Principles released in January 2016 demonstrate the automotive industry’s commitment to collaboratively enhance the safety of the traveling public.
The objective of the fourth Principle, “Enhance Automotive Cybersecurity,” is to explore and employ ways to collectively address cyber threats that could present unreasonable safety or security risks.
This includes the development of best practices to secure the motor vehicle ecosystem.
To further this objective, the Automotive Information Sharing and Analysis Center (“Auto-ISAC”) has undertaken the task of creating and maintaining a series of Automotive Cybersecurity Best Practices (“Best Practices”).
The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties.
The Best Practices expand on the Framework for Automotive Cybersecurity Best Practices (“Framework”) published in January 2016 by the Alliance of Automobile Manufacturers (“Auto Alliance”) and the Association of Global Automakers (“Global Automakers”).
The Auto-ISAC closely collaborated with the two industry associations throughout Best Practices development.
These Best Practices follow a precedent set by other ISACs and similar organizations that have developed best practices for their respective industries.
The Best Practices provide guidance on how individual companies can implement the “Enhance Automotive Cybersecurity” Principle within their respective organizations.
This document is an Executive Summary of the Best Practices content.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0a83d8f018&e=20056c7556
Regulators’ IM Crackdown May Increase Cyber Risk
In April, the Office of the Comptroller of the Currency issued a bulletin specifically aimed at banks’ use of internal messaging software.
The bulletin was issued to “remind” banks of their obligations related to the maintenance of records, records retention and examiner access to records.
In the bulletin, the OCC said it is entitled to complete access to records of bank’s internal correspondence.
The agency warned that data deletion and encryption features in IM software should not be “used to prevent or impede OCC access to a bank’s books and records” and “may result in enforcement action.”
But given the heavy reliance by bank personnel on IM as a communication tool for everything from back office operations to trading, the OCC’s recent guidance could impose significant hardships.
Moreover, the guidance runs contrary to prevailing guidance on cybersecurity, which counsels against retention of data that could be accessible to hackers but that serves no current business purpose or need.
While it is rather obvious that IMs relevant to any current litigation and regulatory action or review should be retained, banks and their counsel are pretty much left scratching their heads for the time being concerning retention of IM data that would be deemed appropriate by the OCC.
Until more specific guidance comes from the OCC, bankers and their counsel should exercise informed discretion through dialogue with their OCC representative before deleting en masse IM data.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8d10682d56&e=20056c7556
Cyber Security Quarterly Round-Up – July 2016
* The EU General Data Protection Regulation has finally been approved and published in the Official Journal. The countdown to its application date of 25 May 2018 has therefore begun.
* The EU Network and Information Security Directive (otherwise known as the Cyber Security Directive) has finally been published in the Official Journal. Member States will now have until 9 May 2018 to adopt appropriate national legislation to comply with the Directive, with such legislation to apply from 10 May 2018.
* The “in-out” Referendum on the question of the UK’s membership of the EU has resulted in a majority of voters (on a turnout of approximately 72%) preferring the UK to leave the EU. The vote was 51.9% in favour of leaving, with 48.1% voting to remain. Under the terms of Article 50 of the Treaty on European Union, which governs the process, the UK must first inform the European Council of its intention to leave the EU. This notification triggers the two-year period specified by the Treaty for the negotiation of the terms of a Member State’s withdrawal.
* The European Commission adopted an adequacy decision on 12 July 2016 allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the “Privacy Shield”).
* The Culture, Media and Sport Committee (the “Committee”) of the House of Commons has published a report in the wake of the TalkTalk cyber attack of 21 October 2015, recommending, amongst other things, that a part of CEO compensation be linked to effective cyber security.
* The UK government has recently confirmed that its National Cyber Security Centre (“NCSC”) will begin operations in October 2016. This newest body to be established as part of the UK’s continuing fight against Cybercrime will be headquartered in London and is to be “the authoritative voice on information security in the UK”.
* The European Banking Federation (“EBF”), the Global Financial Markets Association (“GFMA”) and the International Swaps and Derivatives Association (“ISDA”) have announced their intention to begin negotiations on common global cyber security, data and technology policies through a new set of common principles (the “Principles”).
* On 11 April 2016, the High Court of England and Wales issued its judgment in the case of Axon v Ministry of Defence [2016] EWHC 787 (QB), finding that an employer could be held vicariously liable for data protection breaches by its employees.
* One of the big challenges for the cyber insurance industry is assessing systemic aggregation risks. But the market is not standing still.
* Decentralised Autonomous Organisation (“DAO”) is an investment fund based on the Ethereum blockchain technology. DAO enables people to buy in to the fund by exchanging paper currency for virtual currency, known as Ether.
* The Hong Kong Monetary Authority (“HKMA”) issued a press release on 18 May 2016 on the launch of a “Cyber Security Fortification Initiative” (“CFI”), which is aimed at raising the level of cyber security of banks in Hong Kong. The HKMA also released a formal circular on 24 May 2016 setting out that it is a supervisory requirement for banks to implement the CFI.
* The Singapore government is expected to table legislation in Parliament in 2017 for a new, standalone Cyber Security Act.
* On 21 April 2016, Australia’s federal government released its Cyber Security Strategy (“CSS”).
* In July 2015 we reported that the Australian Companies and Securities Commission (“ASIC”) had released “Report 429: Cyber Resilience: Health Check” which recommended that businesses manage their cyber security by ensuring they are able to adapt to change, reduce exposure to risks and learn from incidents when they occur.
* A US federal appeals court handed a major win to Microsoft when it ruled that US authorities cannot compel US tech companies to disclose email content they store on servers located outside the United States.
* In a case that potentially could alter the way US law enforcement seeks to obtain stored electronic data, Microsoft has challenged the constitutionality of a provision of US federal law that authorises US courts to issue gag orders forbidding it, and similar companies, from advising their customers about search warrants, court orders or subpoenas that the government employs to obtain the stored electronic communications of those customers.
* Proposed legislation that would have required tech companies and cloud providers to provide stored electronic data to US government investigators in an unencrypted form appears unlikely to receive formal legislative consideration this year.
* Herbert Smith Freehills has published the first edition of its global cross-border M&A report, carried out in association with FT Remark, the research division of the FT. The report showed that anxieties over data protection and cyber security rules are rising up the agenda.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4a9d875f71&e=20056c7556
MS-ISAC official: Ransomware is top malware of concern for states, counties
Speaking during a Chief Information Officer Forum at the National Association of Counties’ annual conference, Gina Chapman, the senior director of operations for MS-ISAC, said ransomware attacks on the networks they monitor were on a “continuous incline” from October 2015 through May 2016.
During the October through May period, MS-ISAC observed 450 infections per month at its highest point.
Ransomware attacks on governments declined slightly in June, Chapman said, but governments should not let their guard down — cyberattacks traditionally decrease during the summer months.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=41814afc34&e=20056c7556
CISOs need teamwork and a framework, says Chief Cybersecurity Officer at Trend Micro
Companies may not fully understand the nature of modern threats, and simply placing a higher priority on security may not lead to improved measures, according to a CompTIA survey.
When it comes to the essential steps for strengthening and refining cybersecurity strategy in a large organization, Cabrera believes that a framework really comes first.
Unsurprisingly, he’s a big fan of the NIST Cybersecurity Framework, which consists of standards, guidelines and practices that help organizations address cyber risks by aligning policy, business and technological approaches.
It was created by the National Institute of Standards and Technology (NIST) in partnership with the US Department of Homeland Security and the private sector.
While 63% of companies have IoT devices already deployed, only 34% have security measures in place, indicating that the IoT is opening up new threat vectors but too few organizations are focused on preventing connected devices from being compromised.
“A layered connected threat defense using Big Data analytics and machine learning will be required to bring together often disparate and overlapping security stacks where visibility and control are the biggest challenges.
It is needed today but will be essential in the coming years for CISOs and their teams,” explains Cabrera.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=e88f82d71c&e=20056c7556
RSA Research Shows 74% of APJ Organizations Face Significant Risk of Cyber Incidents
SINGAPORE, July 20, 2016 /PRNewswire/ — RSA CONFERENCE — RSA, The Security Division of EMC (NYSE: EMC), has announced the results of research that demonstrates organizations in Asia Pacific & Japan (APJ) investing in detection and response technologies are better poised to defend against today’s advanced threats, in comparison to those primarily utilizing perimeter-based solutions.
The results of the second annual RSA Cybersecurity Poverty Index found that 74% of survey respondents in the APJ region face a significant risk of cyber incidents – closely aligned to the global average of 75%.
More than 200 respondents from the APJ region participated in the 2016 RSA Cybersecurity Poverty Index.
The survey gave participants the chance to self-assess the maturity of their cybersecurity programs by leveraging the NIST Cybersecurity Framework (CSF) as the measuring stick.
The findings showed that organizations continue to struggle with their ability to take proactive steps to improve their cybersecurity and risk posture.
In fact, 70% of APJ-based respondents had experienced cyber incidents that negatively impacted their business operations in the past year.
Not surprisingly, only 23% of those organizations considered their cybersecurity strategy mature.
The results also showed that organizations often delay investing in cybersecurity until they’ve undergone a major incident – typically one that impacts critical business assets.
The inability of organizations to quantify their Cyber Risk Appetite (the risks they face and the potential impacts on their organizations) makes it difficult to prioritize mitigation and investment, a foundational activity for any organization looking to improve their security and risk posture.
The strongest reported maturity levels were in the area of Protection.
However, perimeter-based defense solutions are proving to be increasingly ineffective over time as cyber threats become more advanced.
The categories of Response and Detection were ranked least mature in the region.
Organizations must focus on executing preventative strategies and improving capabilities that offer complete visibility to detect and respond to advanced threats before they can impact the business.
Link: http://paulgdavis.us3.lis