[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* Security: Financial Cost of Data Breaches Continues to Soar
* New Cybersecurity Program Targets Small Healthcare Practices
* New Gmail Alerts Warn of Unauthenticated Senders
* Experience with preventing malicious attacks offers unique perspective on POPI for three6five
* Cyber security: Australian spy agency runs high school hacker recruitment drive
* Businessworld Connects With Security Leaders, Launches 1st CISO Strategy Summit [India]
* Should cloud vendors cooperate with the government?
* SADA Systems: Enterprises remain split on cloud data security
* A Risk-Driven Approach to Security, From Check Boxes to Risk Management Frameworks
* Mid-year Cybersecurity Trends Review: What You Need to Know to Mitigate Risk
* DoD CIO moving over to OPM
* Battle over who regulates data privacy rages on
* 62 Percent of Employees Have Access to Data They Shouldn’t Be Able to See
* Singapore’s enforcement of data protection law on the rise
* Vodafone teams with Unitec to boost cyber security
* Security is more than User Education – it’s About Cultural Change
Security: Financial Cost of Data Breaches Continues to Soar
On average it takes 201 days to identify a breach and another 70 days to eliminate it.
Breaches identified in less than 100 days have an average cost of $3.23 million, while breaches that take longer to find average $4.38 million in cost.
The biggest cost of a data breach is lost business due to a loss of trust.
The more regulation in the industry, the higher the costs.
Healthcare and financial services have breaches that are the most expensive.
Breaches due to criminal and malicious intent generally are the most difficult to identify.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3501bcf10d&e=20056c7556
New Cybersecurity Program Targets Small Healthcare Practices
HITRUST, a consortium of stakeholders collaborating to better secure protected health information, has launched a new cybersecurity service for small physician practices.
Called CyberAid, the package includes a Trend Micro cloud-hybrid network security application, Trend Micro endpoint security software covering Windows and Mac OS X, and mobile devices running Android and iOS, installation assistance, monitoring services and recovery support after an incident.
HITRUST is seeking additional services from other security vendors.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b8ba6a5df5&e=20056c7556
New Gmail Alerts Warn of Unauthenticated Senders
Google is expected soon to begin a gradual rollout of new security features in Gmail that warn users if the system could not authenticate the sender of an email message.
Starting this week for browser-based users of Gmail and Android users, Google will display a question mark over a sender’s profile photo or user logo if the message cannot be authenticated with Sender Policy Framework (SPF) or DKIM.
A new set of warnings will also be displayed for messages containing potentially dangerous links.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=24ff9da0e5&e=20056c7556
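The rule the article describes (a sender counts as authenticated only if SPF or DKIM passed) can be mirrored on the receiving side by reading the Authentication-Results header the MTA stamps on each message. The following is an added example, not Google's code or anything from the article; the sample headers are constructed, and the trusted authserv-id "mx.example.com" is an assumed name for your own mail server.

```python
import re

# Constructed sample Authentication-Results header values (RFC 7601 style),
# as an MTA with authserv-id "mx.example.com" (assumed) would add them.
SAMPLES = {
    "both_pass": 'mx.example.com; spf=pass smtp.mailfrom=alice@example.org; '
                 'dkim=pass header.d=example.org',
    "spf_only":  'mx.example.com; spf=pass smtp.mailfrom=news@example.org; dkim=none',
    "dkim_only": 'mx.example.com; spf=softfail smtp.mailfrom=bob@example.org; '
                 'dkim=pass header.d=example.org',
    "neither":   'mx.example.com; spf=fail smtp.mailfrom=x@example.org; '
                 'dkim=fail reason="signature verification failed; bad key" '
                 'header.d=example.org',
    "no_checks": 'mx.example.com 1; none',
}

# method=result at the start of a clause, e.g. "spf=pass", "dkim=fail"
CLAUSE = re.compile(r'^([A-Za-z0-9-]+)\s*=\s*([A-Za-z0-9-]+)')


def _split_clauses(header):
    """Split on ';' but not inside double-quoted property values."""
    clauses, buf, quoted = [], [], False
    for ch in header:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            clauses.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    clauses.append(''.join(buf))
    return [c.strip() for c in clauses if c.strip()]


def parse_auth_results(header):
    """Return (authserv_id, {method: result}) for one header value."""
    clauses = _split_clauses(header)
    # First clause is the authserv-id, optionally followed by a version number.
    authserv = clauses[0].split()[0].lower() if clauses else ""
    results = {}
    for clause in clauses[1:]:
        m = CLAUSE.match(clause)
        if m:  # clauses like "none" carry no method=result and are skipped
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv, results


def is_authenticated(header, trusted_authserv="mx.example.com"):
    """True if SPF or DKIM passed, as judged by our own MTA.

    A header whose authserv-id is not ours is ignored: any upstream sender
    can insert an Authentication-Results header, so only the copy written
    by the trusted receiving MTA may be used for this decision.
    """
    authserv, results = parse_auth_results(header)
    if authserv != trusted_authserv:
        return False
    return results.get("spf") == "pass" or results.get("dkim") == "pass"


def classify(header):
    """Label a message the way the article says Gmail will."""
    if is_authenticated(header):
        return "authenticated"
    return "unauthenticated: question mark shown instead of sender photo"


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10s} -> {classify(value)}")
```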
Experience with preventing malicious attacks offers unique perspective on POPI for three6five
Lessons learned from helping customers deal with malicious ransomware have given networking company three6five an advantage in handling security issues that will arise when the South African Protection of Personal Information (POPI) Act comes into force later this year.
“The POPI Act is going to force companies to completely change the way they do business,” says Eric Holmes, Security Engineer at three6five. “For example, no unsolicited telephone calls will be allowed under the act.
Changing processes and even strategy to fit in with the new law could be very difficult, and in some cases applications connected to databases may have to be rewritten to ensure compliance.
It is important that action is taken to minimise the risk of non-compliance.
The main focus of activities to become more compliant with the act will be to remove as much personal data as possible.
This will often require a 180-degree turn in policy and procedures.
In future, prudent companies will store personal data required for business use for as short a period as possible and as securely as possible.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3ea8957b39&e=20056c7556
Cyber security: Australian spy agency runs high school hacker recruitment drive
Australia’s top cyber security agency is targeting high school students as young as 14 as part of a recruitment plan to build an army of “white hat” hackers to shield the country from internet attacks like those that crippled the census.
More than 100 high school students have been given placements over the last three years and a number have subsequently joined ASD as cadets or later as graduates.
Using video game slang and Hollywood movie references, the directorate is imploring teenagers to use their computer skills for the common good and help defend the nation rather than going over to the nefarious “dark side”.
The brochure asks students to join ASD to “play the game no one else can”.
It describes the fight between “white hat” and “black hat” hackers as the “classic story of the good guys versus the bad guys – and we need to win”.
The directorate has in recent months also begun bankrolling the Girls Programming Network community group in Canberra, designed to get female students from years 4 to 12 interested in computers.
The directorate is not the first of the agencies from the “five eyes” countries to look towards high schools for recruitment.
The US National Security Agency and the UK’s Government Communications Headquarters do the same.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b8c5eb7626&e=20056c7556
Businessworld Connects With Security Leaders, Launches 1st CISO Strategy Summit [India]
Businessworld organized the 1st CISO Strategy Summit on 11 August, 2016, in Delhi NCR (Gurgaon).
The day-long event saw more than 80 top information security practitioners participating in it and discussing top-of-the-mind issues confronting them.
The day started with one of the most discussed topics in the realm of enterprise security these days – the Internet of Things (IoT).
The panelists talked about how security leaders can skirt challenges associated with IoT to create new business models, enhance productivity, and generate new revenue stream for their companies.
With the banking and financial industry continuously confronting modern threats originating from opaque sources, cyber sabotage and espionage that are destabilizing the critical infrastructure, it was only apt to discuss information security in the BFSI vertical.
The panel discussion on ‘BFSI in a Fluid Threat Landscape’ was moderated by Sivarama Krishnan, Partner & Leader – Cyber Security Services, PwC India.
The panelists Puneet Kaur Kohli, Group CIO, Bajaj Capital, and Sumit Gupta, VP-IT, Bank of America, deliberated upon how CISOs in the banking vertical stayed ahead of hackers and breaches.
They also provided insights into the new approaches that could be adopted to secure the two big trends of mobility and cloud permeating corporates.
The session was moderated by Damanjit Uberoi, Executive Director, EY.
The last session of the event — What’s next for Information Security? – moderated by Jayant Saran, Partner – Forensic, Financial Advisory, Deloitte India, provided a peek into the future.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=36834fa810&e=20056c7556
Should cloud vendors cooperate with the government?
35 percent believe cloud app vendors should be forced to provide government access to encrypted data while 55 percent are opposed. 64 percent of US-based infosec professionals are opposed to government cooperation, compared to only 42 percent of EMEA respondents.
More than one in three IT pros believe cloud providers should turn over encrypted data to the government when asked, according to Bitglass and the Cloud Security Alliance (CSA).
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d6c3d5a39e&e=20056c7556
SADA Systems: Enterprises remain split on cloud data security
A bit more than half of IT managers said the cloud offers better security than their own data centers, according to a SADA Systems study.
SADA Systems, a managed services provider (MSP) and cloud consultant based in Los Angeles, surveyed more than 200 enterprise IT professionals regarding their use of cloud services.
Fifty-one percent of the respondents said data security is better in the cloud, while 58% cited the cloud as “the most secure, flexible and cost-effective solution for their organizations,” according to SADA Systems.
In other SADA Systems findings, 50% of survey respondents said they are likely to increase public cloud use by at least 25% over the next two to three years; 25% of the IT professionals polled said they would increase their public cloud use by 50% during the same time span.
In addition, 84% of respondents said they are using public cloud infrastructure today, and 45% of the companies surveyed said their cloud migrations took three to six months.
Twenty-three percent said the migration took less than three months.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3986022748&e=20056c7556
A Risk-Driven Approach to Security, From Check Boxes to Risk Management Frameworks
Most industries are under regulatory pressure, so they take a compliance-driven approach to security to meet minimum requirements.
But compliance requirements are often static and prescriptive, according to security executives.
Compliance gives organizations a false sense of security that can be misleading, and it provides only a one-time snapshot.
Studies indicated that despite serious business investment in modern security equipment, there was still a 58 percent year-over-year increase in malware incidents.
According to the recent “2016 Cost of Data Breach Study” from the Ponemon Institute, the average total cost of a data breach increased from $3.79 million in 2015 to $4 million in 2016, based on responses from the 383 companies in 12 countries that participated in the study.
Managing risk can help to mitigate this cost.
Below are some more key takeaways on risk programs:
Compliance Is Just One Factor
Risk Tolerance Evolves Over Time
Risk management breaks down into three distinct areas: strategic, tactical and operational.
As organizations move to a risk-based approach, they can explore assessment platforms, work to create risk profiles and partner with third-party providers to perform risk assessments.
Security teams are adopting various governance and control frameworks, and it is clear that members are using a mix of controls and frameworks instead of relying on just one.
Frameworks in use range from widely adopted National Institute of Standards and Technology (NIST), ISO 2700 and COBIT to hybrid approaches customized for the organization’s needs.
It’s clear that risk management programs provide organizations with a lot of flexibility, but implementation still requires a tremendous amount of effort.
A risk-based approach doesn’t eliminate compliance requirements, and C-level executives, security managers and division heads have to learn to communicate their objectives so that everyone can collectively agree upon the right balance.
Risk management requires buy-in from the top-down so that there is support for new initiatives and processes.
Aligning IT security with a business-driven approach can also put an organization in a position to have its unique business objectives drive its compliance rather than having compliance drive its business.
Too many organizations invest significant time and money to comply with industry and government regulations only to find out too late that their key business processes were still vulnerable to attacks.
Leveraging security management from a business-driven perspective enables an organization to successfully secure those business processes in a manner that inherently provides the necessary evidence to demonstrate compliance.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9a40ad7ffb&e=20056c7556
Mid-year Cybersecurity Trends Review: What You Need to Know to Mitigate Risk
Halfway through 2016, it is safe to say the cyber phrase of the year is likely to be “regulatory compliance.” It is interesting the focus is on liability (corporate and personal) as the sheer volume, diversity and complexity of cyberthreats accelerate.
Until recently, only large, geographically dispersed enterprises needed to create security plans that capture distributed systems, mobile workforce and endpoints.
However, with the accelerated adoption of public and private clouds, even small and mid-sized businesses need to plan for their security strategy as if they were distributed enterprises.
Many commercial entities, including government contractors and suppliers, need to closely monitor newly released and upcoming National Institute of Standards and Technology cybersecurity standards to ensure they comply with the latest security requirements.
In addition to established compliance requirements like the Federal Information Security Management Act and the Federal Risk and Authorization Management Program, new requirements include compliance with NIST SP 800-171 to meet controlled, unclassified information and controlled technical information requirements.
Your company’s cybersecurity strategy should not be predicated solely on the IT department’s technology decisions.
Needless to say, the IT organization needs to be able to respond to new threats and adopt best practices; however, cybersecurity as it connects to your business and go-to-market message also needs to be reviewed to determine liabilities in case of a breach, potential areas of data ownership concern, etc.
For many organizations, the use of outsourced chief information security officer-as-a-service and other capabilities is becoming the risk mitigation strategy of choice, providing validation as well as a fresh perspective on meeting the due diligence requirements demanded by boards and customers.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=981a8e7a03&e=20056c7556
DoD CIO moving over to OPM
Former Department of Defense (DoD) CIO David DeVries, whose career spans some 35 years, will move over in the coming weeks to the civilian side as the CIO of the U.S. Office of Personnel Management (OPM).
He replaces Donna Seymour, who resigned as OPM’s CIO in February just before congressional hearings into the OPM breach.
DeVries brings some synergies that should help OPM, which is partnering with the DoD to build a National Background Investigations Bureau.
The bureau will be housed at OPM but run on systems built by DoD.
DeVries will move right into the fire.
In late May, the OPM inspector general issued a report saying OPM has yet to carry out federally mandated planning practices as part of a project to overhaul its IT infrastructure.
The project has been active for two years and is part of OPM’s efforts to revamp its IT security following a data breach that dates back to early 2014.
The project, now called Infrastructure as a Service, has a base cost estimate of $93 million.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=96896c69e9&e=20056c7556
Battle over who regulates data privacy rages on
In recent years, the FTC’s authority to go after companies who’ve allowed personal information to be hacked has been challenged – most notably by the Wyndham Hotel chain – but so far, it looks like the FTC can continue its efforts.
In a case involving Wyndham, a federal appellate court noted it is up to the FTC, on a case by case basis, to determine what is “unfair.” That court concluded Congress “designed the term [“unfair”] as a ‘flexible concept with evolving content.’”
And in a recent decision involving a clinical laboratory called LabMD, the FTC demonstrated how that flexibility works.
LabMD was accused of allowing a massive data breach which compromised personal medical information of 9300 consumers.
The FTC filed a complaint alleging LabMD’s data handling practices were so sloppy that it not only allowed the hack to occur, it constituted an “unfair practice” under Section 5.
There are several lessons from the LabMD proceeding.
First, the FTC isn’t going anywhere.
Its regulatory heels are dug in.
Second, don’t count on a “no harm no foul” standard in a data breach case.
The FTC has made it clear that in the case of a substantial breach of sensitive information, the foul is the harm.
And finally, employers cannot put their head in the sand when it comes to employees and computer data.
A failure to train and monitor is an unfair practice.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d698546b55&e=20056c7556
62 Percent of Employees Have Access to Data They Shouldn’t Be Able to See
According to the results of a recent survey of 3,027 employees in the U.S., U.K., France and Germany (1,371 end users and 1,656 IT professionals), fully 62 percent of end users acknowledged that they have access to company data they probably shouldn’t be able to see.
The study, conducted by the Ponemon Institute and sponsored by Varonis Systems, also found that 76 percent of IT pros said their organization had experienced the loss or theft of company data over the past two years, a significant increase from 67 percent who gave the same response in a 2014 study.
Eighty-eight percent of end users said their jobs require them to access and use proprietary information such as customer data, contact lists, employee records, confidential business documents, or other sensitive data.
Just 29 percent of IT professionals said their organizations enforce a least-privilege model to ensure that insiders only have access to company data on a need-to-know basis.
The survey also found that 78 percent of IT professionals are very concerned about ransomware.
Fifteen percent of organizations have been hit by ransomware, and fewer than half of those detected the attack within the first 24 hours.
Only 25 percent of organizations monitor all employee and third-party email and file activity — 38 percent don’t monitor any file or email activity at all, and 35 percent of organizations have no searchable records of file system activity, leaving them unable to determine which files may have been encrypted by ransomware.
A separate Bluelock survey of 228 C-level executives and IT professionals recently found that no executives surveyed rated the protection of their business against technology-related disruptions as extremely important, while 60 percent of IT pros did.
Among all respondents, the most common reason for not investing in disaster recovery was because of “more pressing priorities.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=01624b1396&e=20056c7556
Singapore’s enforcement of data protection law on the rise
Singapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA).
Following the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank.
The PDPC has also recently announced the need for organisations to improve their data security and data protection measures and has issued new guides primarily focusing on data protection measures, which organisations should consider carefully.
To accompany its recent media release urging organisations to improve their data security measures and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium and building websites for small to medium enterprises.
The PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests.
Organisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing their data handling practices.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=65c28cd3ab&e=20056c7556
Vodafone teams with Unitec to boost cyber security
Unitec’s chief executive, Rick Ede, said the partnership would help raise New Zealand’s next generation of cyber security professionals.
Under the agreement, Vodafone and Unitec will jointly commercialise any security product and service innovations that result during the partnership.
At its launch Unitec said Unitec researchers would do the work using funding and equipment provided by NICT.
At its launch, Hossein Sarrafzadeh, computing head of department at Unitec, said: “NICT is very keen on the research capability we have in our department.
That was one of the reasons they wanted to work with us.
We already have researchers with the necessary expertise related to cyber security.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2ae38563c1&e=20056c7556
Security is more than User Education – it’s About Cultural Change
It is often said that users are the weakest link in the security chain.
But every obstacle presents an opportunity and so does this one.
If we can change user behaviour through a cultural shift, they can become an organisation’s first line of defence against cyber-attacks as opposed to the weak link in the chain.
Having discussed the way users are exploited by attackers, let’s now discuss the most effective ways to bring about the cultural change required to change user behaviour so that they are more security savvy.
This can be achieved in a methodical way as described below:
– Executive Cybersecurity Awareness Training
– General Cybersecurity Awareness Training
– Staff Induction Presentation
– Email Phishing Testing
– Cybersecurity Awareness Campaign
This requires more than just user awareness training and indeed needs a cultural shift driven from the top down.
Any organisation that can achieve this will be driving a cyber security aware culture that represents an opportunity to reduce cyber security incidents at the start of the attack chain in a cost-effective manner.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=20a68cb095&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)