[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
* EMV: Not Ready for Prime Time?
* Take it to the boardroom: Elevating the cybersecurity discussion
* Trust As Product Strategy
* We Must Stop The Race to Attribution After Each Cyberattack
* Don’t let embarrassment about a data breach cost you even more
* EU cyber security agency urges action to avoid crisis
* Homeland Security Issues Ransomware Alert for Networked Systems
* Whaling Attacks Jump Again in Q1
* 93 per cent of us have our location tracked every day[UK]
* Research Spotlight: Enabling Evil for Pocket Change
* Calculate the cost and probability of a DDoS attack
* Fragmented nature of cyber insurance cover makes it hard to assess insurers’ risk exposure, says expert
EMV: Not Ready for Prime Time?
Dave Matthews, executive vice president and general counsel of the National Restaurant Association, which represents more than 500,000 restaurants throughout the country, says the group questions whether EMV is really ready for “prime time.”
Small and independent restaurants have seen significant upticks in chargebacks for alleged fraudulent transactions since the EMV fraud liability shift took effect in October 2015.
And Matthews alleges that’s unfair, given the current state of EMV and the questions about whether all the transactions cited for chargebacks are actually fraudulent.
Smaller restaurants have been put at an EMV-migration disadvantage, Matthews argues.
While larger merchants with higher transaction volumes have been able to demand more immediate EMV certification for their point-of-sale systems and devices, smaller merchants have had little say in when their terminals are certified as EMV compliant, he contends.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=daada0d4df&e=20056c7556
Take it to the boardroom: Elevating the cybersecurity discussion
Though important, these can be in opposition to the needs of a CISO, who aims to improve enterprise-wide security measures and risk management across all silos.
When considering governance, placing the CISO within the purview of an executive with broader responsibilities, such as a CEO, is advisable.
Due to the myriad of overarching implications, today’s enterprise leaders should be held accountable for cybersecurity, regardless of their role.
A prime example is the chief marketing officers.
The executives are typically more focused on how the Web is used, with email campaigns, mobile app development and website updates, but these promotional endeavors can leave the door open for malware or other attacks to be released on unsuspecting customers.
At each operating level, the influence of technology demands an awareness of where security fits into everyday functionality.
For the last 20 years, corporate focus has consistently been on cutting costs, improving access and increasing efficiencies.
That level of commitment should now be given to customer, partner and investor information, and to making it secure as possible in the digital world.
Physical safety is an expected convenience of in-store shopping, and online environments should offer information security.
Therefore, enterprises should invest between 10 to 20 percent of their IT budget in cybersecurity as a function of brand protection.
Elevating cybersecurity to an operational and risk management priority will take effort and focus but can yield many dividends.
For this practice to become a reality, boards of directors must educate themselves to improve governance and oversight.
To stay ahead of the bad guys, a shift in investment strategy, as well as strong improvements to employee training and reporting structure are paramount.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=6caac8ab83&e=20056c7556
Trust As Product Strategy
Whether business owners already recognize it or not, trust has become one of the key parts of the product strategy and the product itself.
For cloud, financial services, IoT-related, and even retail industries, trust is a way to gain and retain customers.
The “formula” for trust, in our view, consists of core components, such as security, privacy, convenience, and speed to market.
Without trust of customers, employees, shareholders, and stakeholders, many industries will have a harder time maintaining competitive positions in the market.
Security, privacy, convenience, speed to market must be part of the end to end vision for the product, as more and more companies deliver their products and services online.
Trust in institutions is highly dependent on privacy practices.
Just 45% of people are confident that their data held by businesses is secure.
Of the 55% who lack confidence, these individuals could be swayed to invest in a more secure product if they could be persuaded that their data would be safer.
Even among the 45% who believe their data is safe, just one data breach could be enough to erode that confidence and cause them to start looking for alternatives.
The level of trust a business establishes and maintains is key for retaining users.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ebae414748&e=20056c7556
We Must Stop The Race to Attribution After Each Cyberattack
Summary: Cybersecurity expert Emilio Iasiello discusses one of the key issues in cybersecurity — how do we determine who attacked us.
Each attack brings forth rapid declarations by the government that the attacker is one of their favorite foes.
Should we believe them?
While attribution is important in assigning responsibility for an attack, it may detract from the most important next step for a breached organization – mitigating the damage caused, patching up security “holes,” and ensuring that business operations continue promptly and securely.
There will be time later to determine who was behind the attack, or at least, as good as can be expected given the tools and information on hand.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a21534be45&e=20056c7556
Don’t let embarrassment about a data breach cost you even more
When a company’s executives decide to hide a breach, their action can morph from unsavory to illegal.
But that decision can leave them vulnerable to the attackers behind the breach in the first place, who know that the company has not done what the law requires and can now threaten it with disclosure.
The risks that such decisions give rise to were made dramatically clear on Thursday (March 31) when Reuters noted a new global crime trend of cyberthieves partnering with traditional organized crime syndicates to attack banks across the world.
If the banks are hesitant to reveal that they were successfully attacked.
Without disclosure, law enforcement is not informed.
My point is that data breaches and breach-disclosure laws are realities that affect each other and that companies need to think about carefully.
They must work out precise and explicit guidelines long before they are in the thick of a real incident.
To decide things on the fly, based on the particulars of each situation, is a recipe for inconsistency.
You are letting the people who are in charge of preventing attacks decide when they have to tell the world about an attack — and the potential for embarrassment will influence their decisions, because they will be sure that the world is going to decide that they failed to do their job.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=09f85a544f&e=20056c7556
EU cyber security agency urges action to avoid crisis
The call comes as Enisa publishes a report recommending more efficient cyber crisis co-operation and management based on an analysis of current crisis management frameworks.
According to Enisa, the promulgation of a legal framework for EU-level crisis management has drastically increased the efficiency of European’s response to crises in all sectors analysed.
The report makes five main recommendations about EU-level priorities to raise the maturity in cyber crisis management and reduce the impact of potential cyber crises.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=edaaf904a9&e=20056c7556
Homeland Security Issues Ransomware Alert for Networked Systems
The US Department of Homeland Security issued a ransomware alert through the US Computer Emergency Readiness Team (US-CERT) to organizations that use networked systems, warning them of the potential dangers stemming from this type of malware.
In conjunction with the Canadian Cyber Incident Response Centre (CCIRC), DHS explained that the alert is designed “to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.”
A final key takeaway in the alert is that organizations are discouraged from paying the ransom.
As previously mentioned, this does not guarantee that the files will be released, according to US-CERT.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cc75711a07&e=20056c7556
Whaling Attacks Jump Again in Q1
Three-quarters of UK IT professionals have seen an increase in whaling attacks this year designed to trick staff into transferring funds outside the organization, according to new research from email security firm Mimecast.
In the UK, the number of respondents who saw an increase in such incidents rose from 55% in December 2015 to 75% in March this year.
When it comes to global figures, 67% of respondents said they saw a jump in the number of whaling incidents designed to defraud them of revenue, while 43% saw an increase in attacks looking for sensitive corporate information.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=74e6f8f431&e=20056c7556
93 per cent of us have our location tracked every day[UK]
The ‘Opt me out of Location’ campaign aims to highlight the fact that nearly every single mobile phone owner in the UK (93 per cent) has unwittingly signed up for a contract that permits their location to be tracked.
More than this, the data collected allows providers to build up highly detailed customer profiles which Krowdthink warns leaves millions of users just one serious data breach away from having private data exposed to and abused by criminals.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=ac7946f52c&e=20056c7556
Research Spotlight: Enabling Evil for Pocket Change
At the end of February, one of the researchers on the team received a solicitation email from a domain reseller, which she reviewed the first week of March.
The email was from Namecheap offering deeply discounted domains for .88 cents.
The timing of the email couldn’t have been more ironic as it overlapped with some current research into determining if there is a relationship between domain pricing and an aggregation of domains related to malware/phishing/spamming.
This article will discuss the relationship between deeply discounting domains and nefarious activities.
For the purpose of discussion in this article, the word malicious will include malware, phishing, and spam activities.
After taking all things into consideration, the overarching theme is, there is an undeniable association between deeply discounted (or cheap) services on the Internet and criminal/malicious activity.
The extent and severity of that activity can range from a unwanted spam to full compromise of critical data.
Nonetheless when something is cheap or free on the Internet it will undoubtedly be exploited for nefarious activities.
Additionally, when domains go on sale, especially less than $1, there is a significant increase in domain registrations and “bad stuff”.
We encourage our customers and all users to take measured precautions to protect their assets. Business users especially, should perform an adequate risk assessment and determine whether or not there is a legitimate business need to access ‘non-standard’ TLDs, when there is not, implement configurations in a layered security model filtering emails, web traffic, and implementing host-level protections, and above all else BACK UP YOUR ASSETS!!
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=297d43b2b4&e=20056c7556
Calculate the cost and probability of a DDoS attack
Incapsula’s DDoS Downtime Calculator is designed to help you assess the risks associated with an attack, offering case-specific information adjusted to the realities of your organization.
The algorithm inside the calculator is based on real-world information from a DDoS Impact Survey conducted among 270 organizations representing various sizes and industries.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=069bcd9621&e=20056c7556
Fragmented nature of cyber insurance cover makes it hard to assess insurers’ risk exposure, says expert
Insurance and cyber liability specialist Manoj Vaghela of Pinsent Masons, the law firm behind Out-Law.com, was commenting after the Times reported that insurers have faced difficulties in providing accurate estimates of the cost of underwriting cyber risks.
The newspaper reported that management at the Lloyd’s of London market have asked insurers to provide such estimates but that some were struggling to meet the deadline to do so because of challenges in valuing the risk.
“The insurance industry does not yet have a single product that sets the gold standard for cyber attacks,” Vaghela said. “Instead, there are many different types of policies which may respond ranging from stand-alone cyber policies to fidelity policies.
This fragmentation of risk makes it very difficult to assess the market’s exposure.”
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0698cc84a3&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forwarded this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage1.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=a517aec6e0)
Update subscription preferences (http://paulgdavis.us3.list-manage.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)