[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions 😉
So onto the news:
CSO salaries expected to skyrocket
According to the 2016 Technology Salary Survey released this month by Robert Half Technology, top CSOs can now expect to earn just under a quarter million dollars in base pay.
To be more specific, salaries for CSOs will range from $140,250 to $222,500 next year.
This represents an average pay increase of 7.0 percent, the fourth highest in the entire salary study.
Only wireless network engineers (at 9.7 percent), big data engineers (at 7.5 percent) and data security analysts (at 7.1 percent) will see larger pay hikes.
CSO pay increases will also be significantly higher than other IT executives in 2016.
According to the Robert Half study, the percent of salary increase in the top ranks of IT will be 4.9 percent for CIOs; 5.2 percent for CTOs; 5.1 percent for vice presidents of IT; 5.1 percent for technology directors; and 4.9 percent for IT managers.
“Ideal CISOs have touched all points of security, not just application or infrastructure security,” Borre adds. “Opportunities to bring in best practices, build teams, and recover from major security problems are attractive to new candidates.”
But the good news doesn’t stop at the CSO level.
There is plenty of bounty to go around in the IT security ranks.
Taken as a whole, IT security jobs have the highest pay increase percentage heading into 2016 of any IT job group.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c210024ef2&e=20056c7556
Apple Reiterates Inability to Unlock iOS Devices Running iOS 8 or Higher in New Court Filing
Apple this week informed a federal magistrate judge in Brooklyn, New York that it “would be impossible” for the company to access data on a locked iPhone running iOS 8 or later, reports Reuters.
Apple was responding to a request from the judge, James Orenstein, to help him decide whether to fulfill a U.S.
Justice Department request that would have forced Apple to help authorities gain access to a seized iPhone.
In a brief filed with the court, Apple said 90 percent of its devices are running iOS 8 or higher and are thus inaccessible.
Apple is able to access the 10 percent of devices that continue to use iOS 7 or below, but the company told the judge that being forced to comply with the Justice Department’s request could tarnish its brand.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8af0b84db5&e=20056c7556
45% of Middle East companies encountered malware in Q3 of 2015
About 45% of users in the Middle East encountered malwares in the local networks, and through USBs and storage drives in the third quarter (Q3) of 2015, a report by Kaspersky Security Network revealed.
In the same context, the report said 18% of users faced electronic threats through the Internet.
Adware, a malware that provides automatic pop-up ads to make profits for their owners, was still the most widespread malware in the region during July and September.
According to the report, Trojan attacks doubled in comparison to the same period in 2014, and the attacks’ severity increased, targeting the commerce and banking service sectors through the Internet.
Kaspersky Lab’s 2014 Global Corporate IT Security Risks survey, conducted with B2B International, showed that 51% of the organisations in GCC countries were attacked by viruses, spyware and other malicious programmes from the end of 2014 to date.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=87b5347068&e=20056c7556
California Updates Data Breach Notification Statute
Three bills that will update California’s data breach notification requirements have been signed into law by Governor Jerry Brown.
The bills impose specific requirements on providing breach notification to consumers, add a definition of “encryption,” and amend the definition of “personal information.” These updates take effect on January 1, 2016.
Perhaps the most important of the three bills, S.B. 570, changes how companies must notify consumers of a security breach.
A second bill, A.B. 964, clarifies California’s existing data breach notification law by providing a definition of encryption as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” Under California law, notifications with respect to an information security incident are generally not required for information that is encrypted.
The added definition attempts to provide additional clarity to the term by excluding custom and proprietary encryption solutions.
The third bill, S.B. 34, amends the definition of personal information to include information or data collected through the use or operation of automated license plate recognition (ALPR).
ALPR is a mass surveillance method that uses optical character recognition on images to read license plates.
Existing closed-circuit television or road-rule enforcement cameras can be used, or ones specifically designed for the task.
They are used by various police forces and as a method of electronic toll collection on pay-per-use roads and cataloging the movements of traffic or individuals.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=4abb85f800&e=20056c7556
Cybersecurity risks: directors and officers should stop, collaborate and listen
The risks associated with cyber-attacks and data breaches are growing in Canada and internationally and the costs associated with an organization preventing, detecting, responding to and recovering from such an incident can be considerable.
Directors and officers must also consider the potential for further related legal implications for the organization and personally.
In particular, there are growing trends of shareholder litigation against directors and officers and the termination or resignation of senior management in the wake of data breaches as senior management and directors are being held accountable for perceived failures to oversee corporate cybersecurity.
In the aftermath of several recent data breaches, shareholders have taken action against individual board members and senior management claiming that they knew or should have known that the company’s customer information was vulnerable to attack and yet failed to implement appropriate security measures including, in the United States, actions involving T.J.
Maxx, Heartland Payment Systems, Target, Wyndham Hotels and Resorts and Home Depot.
The Canada Business Corporations Act (CBCA) and comparable corporate law statutes require that every director and officer of a corporation — in exercising their powers and discharging their duties — exercise the care, diligence and skill that a reasonably prudent person would exercise in comparable circumstances.
In interpreting compliance with this standard, courts recognize that business decisions will usually involve some degree of risk and that it would be inappropriate to subsequently apply 20/20 hindsight to past decisions.
In the absence of Canadian case law on director liability in the context of a data breach, it is instructive to review the existing U.S. judicial and regulatory guidance on the duties of boards with respect to cybersecurity.
Palkon v.
Holmes et al. is a federal New Jersey court decision dismissing, with prejudice, a shareholder derivative action arising out of data breaches at the Wyndham hotel chain.
Between April 2008 and January 2010, cybercriminals hacked into the corporate computer network of Wyndham Hotels and Resorts and the networks of the hotels themselves, stealing personal and financial data of hotel customers.
The plaintiff alleged that the defendants failed to implement adequate data security controls, failed to disclose the data breaches in a timely manner and thus had wrongfully refused his previous demand to investigate the conduct of the Wyndham board.
Senior management and directors need to be aware of the importance of monitoring corporate cybersecurity issues.
This is acutely highlighted by the shareholder derivative complaint in Bennek v.
Ackerman et al. against Home Depot and its board filed in August 2015 in the United States wherein the plaintiffs alleged that “cyber attacks on major retailers, including Target and Neiman Marcus, alerted the individual defendants to the heightened probability that Home Depot would also be attacked.” The court has not yet issued any decisions on the merits in the Home Depot shareholder derivative litigation.
However, the shareholder complaint itself is a clear signal that, despite the plaintiffs not succeeding in the Palkon shareholder derivative claim, boards can expect to face scrutiny and be subject to shareholder litigation following data breaches.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d9a4092c31&e=20056c7556
Enterprises using more security controls in traditional data centres than in the cloud
A SANS Dynamic Data Center Survey, completed by 430 IT professionals working in security-related disciplines, found that most enterprises rely on a variety of time-tested, best-practice information security practices and policies to secure their computing environments.
According to the survey, IT professionals are less clear about whether these traditional approaches can work in a much more dynamic computing environment with a heterogeneous mix of bare metal and virtual servers and data centres and clouds.
Security teams are decidedly still concerned about attacks and security issues.
In this survey, 68 percent of respondents cited access and privilege management events, and 64 percent highlighted application vulnerabilities, both issues that could easily affect internal data centre infrastructures and applications as much as cloud deployments.
In fact, one respondent stated that assigning too many permissions and privileges in one major cloud provider’s portal was a big concern, emphasizing both of these issues.
Advanced multistage attacks and malware infections continue to be key concerns in enterprises of all sizes, at 62 percent and 61 percent, respectively.
Time to containment and recovery from attacks is crucial to limiting loss of data and the costs of a breach.
With regard to containment, 37 percent of respondents were able to get their incidents under control within 8 hours, which reflects the nature of application-centric or malware-based infections.
Usually systems can be quarantined, and the malware can also be cleaned or quarantined in some cases.
In application attacks, development and security teams can remove attacker data or take applications offline temporarily.
Another 21 percent of respondents contained the issue(s) within 8 to 24 hours, and an additional 19 percent contained the problem in less than a week.
Unfortunately, 17 percent took more than a week to contain the attack.
Currently most respondents are using more security controls in traditional data centres than in the cloud.
Within the data centre, the vast majority are employing network firewalls, network IDS and IPS, and server/application monitoring, selected by 96 percent, 83 percent and 77 percent, respectively.
In addition, 75 percent use web content filtering, 75 percent use identity and access management tools, and 74 percent use host-based security and anti-malware tools.
Roughly two-thirds are using network encryption (66 percent) and SIEM (63 percent).
However, the numbers drop sharply within the cloud.
Just 34 percent make use of network firewalls, 29 percent rely on network IDS and IPS, and only 28 percent monitor servers and applications.
Web content filtering fell off considerably, with only 25 percent taking this approach.
Only 31 percent use identity and access management tools, while 24 percent deploy host-based security and anti-malware tools, 28 percent incorporate network encryption and 25 percent use SIEM.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=78a117a1aa&e=20056c7556
Cyber Attacks On Physical Systems Call For A Blended Security Approach
Security experts of various disciplines agree that physical systems are increasingly being leveraged in attacks on organizational networks and supply chains.
Many manufacturers maintain that security (including that of security systems) is the responsibility of the end user, which would be fine if they were only expected to maintain security and not create the security in the first place.
Regular testing and patching needs to be brought within oversight of IT security so it forms part of other corporate network securing cycles.
Risk needs to encompass the security functions including information security and how resulting data from physical systems, such as CCTV or entry systems, needs to be securely managed through its lifecycle.
Supply chains also need to be considered as a potential security vulnerability.
If you need an example of why, then take a look at the Target mega breach.
This was enabled by a phishing attack on their air conditioning contractor.
Summing up, I would say we need to change our approach to securing our organizations to protect all of the assets in a joined-up, blended approach.
Everything we do should be informed by this, and that means opening lines of communication, understanding and training between disciplines.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f49bab172a&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: ** dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forwarded this email.
If you want to be added to the distribution list, please click this: ** Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
** Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=6bc542a912)
** Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)