[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
* Best practices in cyber vulnerability assessment
* Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? An Expert Probes Some of the Issues
* Will Faster Payments Mean Faster Fraud?
* Accenture : Data theft, malware infection big threat to digital businesses
* Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks
* 2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals
* Twitter Hacking and Social Media’s Risk to Executive Security
* Beyond Data: Why CISOs Must Pay Attention To Physical Security
* $2.7 Million HIPAA Penalty for Two Smaller Breaches
* Using compliance as a tool for change
* In the Breach War, File Protection Is Just as Important as Data
* Data security and breach notification in Finland
* ISO compliance in the cloud: Why should you care, and what do you need to know?
* Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations
* Breach notification reporting can be complicated without proper skills, tools
* Banks must do better on cyber security: KPMG
* Australia gets one-quarter of a minister for national infosec
* The Case for Continuous Security Monitoring
* Arbor Networks Releases Global DDoS Attack Data for 1H 2016
* 5 Best Practices for Outsourcing Cybersecurity
* Most CISOs and CIOs need better resources to mitigate threats
Best practices in cyber vulnerability assessment
Here are the best practices for cyber vulnerability assessment.
First and foremost you should have a very clear understanding of why you need a cyber vulnerability assessment.
Research other companies in your industry.
To know exactly which parts of your business structure need an assessment, you need to research your company’s processes with a focus on the systems that are critical to keeping your business running.
Once you’ve identified the systems that need an assessment, you should rank them according to both their importance to your overall business model and to the sensitivity of the information they contain.
Now that you know exactly which systems and software need an assessment and how they rank in terms of priority, you should make sure you’re aware of the security systems you already have in place.
If you’ve completely mapped out both your vulnerabilities and your already-in-place security, and your inter-departmental security task force is in agreement on what’s needed, you’re ready to perform your vulnerability scans.
If you did your homework on what you needed to assess and also on the vulnerability assessment tool you chose, then you should fully trust the results of your cyber vulnerability assessment and act on them.
Don’t wait.
Don’t second guess.
The assessment will produce recommendations for remediation that you should act on right now.
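The ranking and control-mapping steps above can be carried out in a small, repeatable script. The following is an added example, not code from the newsletter or from any source it cites; the asset names, data classes, baseline control list, score thresholds and scan cadences are constructed assumptions that an organisation would replace with its own inventory and risk appetite.

```python
"""Asset prioritisation for a vulnerability assessment programme.

Added example, not from the newsletter or any cited report. Asset names,
data classes, the baseline control list and the weighting are all
constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Weight per data class; higher means more sensitive (constructed values).
DATA_CLASS_WEIGHT = {
    "public": 1,
    "internal": 2,
    "pii": 4,
    "pci": 5,
    "phi": 5,
}

# Baseline controls every in-scope system is expected to have (constructed).
BASELINE_CONTROLS = {"patch-management", "endpoint-protection", "mfa", "disk-encryption"}


@dataclass
class Asset:
    name: str
    business_impact: int                       # 1 (nice to have) .. 5 (business stops)
    data_classes: set[str] = field(default_factory=set)
    controls: set[str] = field(default_factory=set)

    def sensitivity(self) -> int:
        """Sensitivity is the weight of the most sensitive data class held."""
        return max((DATA_CLASS_WEIGHT[c] for c in self.data_classes), default=1)

    def score(self) -> int:
        """Priority grows with both business importance and data sensitivity."""
        return self.business_impact * self.sensitivity()

    def control_gaps(self) -> list[str]:
        """Baseline controls the asset is missing; these raise urgency."""
        return sorted(BASELINE_CONTROLS - self.controls)


def tier(asset: Asset) -> str:
    """Bucket the score into tiers that decide scan depth and cadence (constructed thresholds)."""
    s = asset.score()
    if s >= 15:
        return "tier-1"
    if s >= 6:
        return "tier-2"
    return "tier-3"


# Constructed cadence; adjust to the organisation's risk appetite.
SCAN_PROFILE = {
    "tier-1": {"authenticated": True, "cadence_days": 7},
    "tier-2": {"authenticated": True, "cadence_days": 30},
    "tier-3": {"authenticated": False, "cadence_days": 90},
}


def plan_assessment(assets: list[Asset]) -> list[dict]:
    """Order assets for scanning: highest score first, more control gaps first
    among equal scores, then by name so the plan is deterministic."""
    ordered = sorted(assets, key=lambda a: (-a.score(), -len(a.control_gaps()), a.name))
    return [
        {
            "asset": a.name,
            "score": a.score(),
            "tier": tier(a),
            "gaps": a.control_gaps(),
            **SCAN_PROFILE[tier(a)],
        }
        for a in ordered
    ]


# Constructed inventory, the kind of list an inter-departmental task force agrees on.
INVENTORY = [
    Asset("payments-db", 5, {"pci", "pii"}, {"patch-management", "disk-encryption"}),
    Asset("hr-portal", 3, {"pii"}, {"patch-management", "mfa", "endpoint-protection", "disk-encryption"}),
    Asset("marketing-site", 2, {"public"}, {"patch-management"}),
    Asset("file-server", 4, {"internal", "pii"}, {"patch-management", "endpoint-protection"}),
]

if __name__ == "__main__":
    for row in plan_assessment(INVENTORY):
        print(row)
```

Running the script prints the scan plan with the payments database first (highest business impact, regulated data, two missing baseline controls) and the public marketing site last. The control-gap list is what turns a scan schedule into the "act on it now" remediation list the article ends with: a tier-1 asset missing MFA or endpoint protection is a finding before any scanner runs.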
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=f75296b2b0&e=20056c7556
Are Healthcare CISOs Suffering from Cybersecurity Solution Fatigue? An Expert Probes Some of the Issues
A recent Institute for Critical Infrastructure Technology report provided some intriguing thoughts about the pressure facing chief information security officers (CISOs) to keep their organizations secure and how they are combating information and vendor solution overload.
In a recent report, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT), a Washington, D.C.-based cybersecurity think tank, points out that a well-informed CISO can improve the engagement of the C-suite and improve the cyber posture of the organization.
“Due to the plague of APTs, malware, ransomware and other malicious initiatives by invisible adversaries, few C-level executive positions are as critical as the CISO,” Scott writes.
While the report offers a cross-industry perspective of the CISO role and the challenge of vendor solution overload, the report author does spend moments focusing on healthcare organizations, specifically in a section detailing how CISOs can assess the return on investment of cybersecurity solutions.
The report provides an interesting perspective about the need for CISOs to ignore the hype surrounding “silver bullet” solutions in order to find the most effective cybersecurity solutions and strategies for their particular organizations, but at the same time, the report author also highlights the part that the vendor community plays in this problem.
“In many cases, CISOs operate under the unrealistic expectation that they should be able to prevent every breach with a finite budget.
They are expected to have enough technical expertise to develop a strategy to protect the business and enough business acumen to convince the board to adopt that strategy because it aligns with the goals of the organization,” he writes.
And, he asserts that modern CISOs tend to function more as Chief Information Risk Officers, managing the risk to data and technology.
According to the ICIT report, there is rapid burnout among CISOs, as the average turnover rate is 17 months.
“Vendor attempts to offer silver bullet solutions undermine the community at large and poisons the vendor-customer relationship.
The culture promoting these inadequate solutions distracts CISOs, technical personnel and solution developers from the risks and threats in the threat landscape and it distracts them from designing the right solutions to address the market needs.”
In the report, the author offers strategic recommendations for calculating a cybersecurity solution’s ROI and uses a healthcare organization as an example.
The ROI of security solutions can be equated to the fiscal component of the impact that the organization would assume if an adversary exploited the vulnerability that the solution addresses, the author writes.
The report concludes with statistics sourced from the Economist Intelligence Unit that indicates proactive CISO-led strategies can cut the success rate of cyber-breaches by more than 50 percent, hacking successes by 60 percent and ransomware infections by 47 percent.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3891b71e92&e=20056c7556
Will Faster Payments Mean Faster Fraud?
Crowe contends that to ensure global payments interoperability, faster payments are a necessity.
The U.S. will soon be at a competitive disadvantage if it does not enable faster payments, she argues.
Parry says the most fundamental risk to payments is poor identity management.
And it’s a legitimate concern.
After all, poor identity management apparently enabled hackers to steal $81 million from the central bank of Bangladesh in February, as part of a fraudulent transaction that was approved by the Federal Reserve Bank of New York.
And in a real-time or near-real-time environment, once the money is gone, it’s gone.
Unlike in the United Kingdom, Australia and other economically advanced parts of the world, faster payments are not the norm in the U.S.
Crowe declined to touch the interchange issue. “Cost is not the No. 1 worry for the Fed when it comes to faster payments,” she noted during the summit.
The top concern, she says, is “a faster process that is still secure for business.”
The Secure Payments Task Force’s goals differ from the goals of the Faster Payments Task Force.
And the Secure Payments Task Force has identified four areas that must be addressed to ensure the ongoing security of the payments system in the U.S. going forward.
“Faster payments will be part of that, but not all.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c3227da9d2&e=20056c7556
Accenture : Data theft, malware infection big threat to digital businesses
The new report from Accenture and HfS Research says that 69 percent of respondents experienced an attempted or successful theft or corruption of data by insiders during the prior 12 months, with media and technology organizations reporting the highest rate (77 percent).
This insider risk will continue to be an issue, with security professionals’ concerns over insider theft of corporate information alone rising by nearly two-thirds over the coming 12 to 18 months.
The survey, “The State of Cyber security and Digital Trust 2016”, was conducted by HfS Research on behalf of Accenture.
More than 200 C-level security executives and other IT professionals were polled across a range of geographies and vertical industry sectors.
The survey examined the current and future state of cyber security within the enterprise and the recommended steps to enable digital trust throughout the extended ecosystem.
The findings indicate that there are significant gaps between talent supply and demand, a disconnect between security teams and management expectations, and considerable disparity between budget needs and actual budget realities.
Despite having advanced technology solutions, nearly half of all respondents (48 percent) indicate they are either strongly or critically concerned about insider data theft and malware infections (42 percent) in the next 12 to 18 months.
When asked about current funding and staffing levels, some 42 percent of respondents said they need more budget for hiring cyber security professionals and for training.
More than half (54 percent) of respondents also indicated that their current employees are underprepared to prevent security breaches and the numbers are only slightly better when it comes to detecting (47 percent) and responding (45 percent) to incidents.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2433514c57&e=20056c7556
Ponemon Institute: External Cyber Attacks Cost Enterprises $3.5M/year, 79% of Businesses Lack Comprehensive Strategies to Manage these Risks
TORONTO–(BUSINESS WIRE)–Despite acute awareness of the millions of dollars in annual costs, and the business risks posed by external internet threats, security leaders highlight the lack of staff expertise and technology as a key reason that these attacks are unchecked, according to results from a new Ponemon Institute study sponsored by BrandProtect.
Seventy-nine percent of the IT and IT security practitioners polled indicated their defensive infrastructure to identify and mitigate those threats is either non-existent, ad hoc or inconsistently applied throughout the enterprise.
The findings reveal that the companies represented in this research averaged more than one cyber attack per month and incurred annual costs of approximately $3.5 million because of these attacks.
The report “Security Beyond the Traditional Perimeter,” sponsored by internet risk detection and mitigation expert BrandProtect, examined the threats, costs and responses of companies to external internet cyber attacks.
These threats include executive impersonations, social engineering exploits, and branded attacks arising outside a company’s traditional security perimeter.
Security professionals cited an acute need for expertise, technology, and external services to address their growing concerns about these external threats.
Some of the key findings include:
– Fifty-nine percent of respondents say the protection of intellectual property from external threats is essential or very important to the sustainability of their companies.
– External internet attacks are frequent and the financial costs of these attacks are significant.
Respondents in this study report they experienced an average of 32 material cyber attacks or slightly more than one per month, costing their companies an average $3.5 million annually.
– Seventy-nine percent of respondents described their security processes for internet and social media monitoring as non-existent (38 percent), ad hoc (23 percent) or inconsistently applied throughout the enterprise (18 percent).
– Sixty-four percent of security leaders (directors or higher) feel that they lack the tools and resources they need to monitor, sixty-two percent lack the tools and resources they need to analyze and understand, and sixty-eight percent lack the tools and resources they need to mitigate external threats.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2a6b4c203b&e=20056c7556
2016 Malware Levels Now Stand at Nearly Four Times 2015 Totals
GULF BREEZE, Fla., July 19, 2016 (GLOBE NEWSWIRE) — via PRWEB – Necurs is back with a vengeance, according to the security research team at AppRiver.
In its Q2 Global Security Report, the company notes that the infamous botnet’s return was one of the major reasons behind the escalation in malware activity–which clocked in at 4.2 billion malicious emails and 3.35 billion spam emails between April 1, 2016, and June 30, 2016.
For the first time, the report also includes metrics from Web-borne threats, reporting an average of 43 million unique threats daily throughout the second quarter.
AppRiver’s security analyst team quarantined 4.2 billion emails containing malware in Q2, pointing to a continued increase in malware traffic this year and resulting in a total of 6.6 billion emails quarantined during the first half of 2016.
For comparison, analysts observed 1.7 billion emails containing malware during all of 2015.
Ransomware levels, as predicted in the Q1 Global Security Report, have increased this quarter–and arguably pose the greatest threat to netizens.
AppRiver’s security researchers predict that the massive volume of malware isn’t likely to subside anytime soon.
With the likes of Locky and Zepto kidnapping users’ files until they pay a ransom, malware–especially ransomware–has become a business of its own.
The popular channels that malware, like ransomware, travels through include obfuscated JavaScript, malicious macros, and OLEs (Object Linking and Embedding).
Fifty-five percent of spam and malware traffic originated in North America, with Europe coming in second place.
Additionally, AppRiver’s SecureSurf™ Web filtering detected a spike in phishing attempts in June.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c444c2318b&e=20056c7556
Twitter Hacking and Social Media’s Risk to Executive Security
The use of social media as a means for targeting victims – whether through phishing or social engineering scams – is nothing new.
However, in the past month or so we’ve seen a new trend in threat actors’ tactics: hacking high-profile executives’ social media accounts with the purpose of publishing embarrassing and controversial posts.
This was recently seen in the Twitter hacks of Twitter co-founder Jack Dorsey, Yahoo CEO Marissa Mayer, Google CEO Sundar Pichai, and Oculus CEO Brendan Iribe.
Executives can do a number of things to help minimize the risk of exploitation, including:
– Invest in a Monitoring Service
– Use Multi-Factor Authentication
– Remove Geo-Location Data
– Limit Personal Information Disclosure
– Verify Online Content
– Do Not Reuse Passwords
– Create Official and Verified Accounts
– Use Separate Accounts
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a4cf76b6f5&e=20056c7556
Beyond Data: Why CISOs Must Pay Attention To Physical Security
IT and InfoSec tend to think in terms of networks, endpoints and outside attacks, but they risk missing the big picture if they think of vulnerabilities and threats only in terms of wider internet threats.
IT departments often consider the security of a physical building as a separate domain, but it is becoming increasingly difficult to delineate physical security from data security.
Technology professionals need to get back to basics.
While it’s important to focus on vulnerability mitigation, the Open Systems Interconnection (OSI) model begins with the physical layer.
Security must be considered at every step, even when no networked communication is taking place.
Despite a rapidly evolving cybersecurity landscape, malicious actors possess only a limited number of physical entry points, and IT departments must ensure reasonable precautions are taken to deny unauthorized access.
Organizations should establish multiple lines of physical defense (mirroring best practices for data security), placing several obstacles in the path of an intruder.
By unifying both physical and data security, IT departments are better equipped to defend against the multi-front attacks that threaten organizations today.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=67bc503971&e=20056c7556
$2.7 Million HIPAA Penalty for Two Smaller Breaches
In the wake of two 2013 breaches that affected a total of 7,066 individuals, Oregon Health & Science University says it will pay $2.7 million in a HIPAA settlement with federal regulators that includes a three-year corrective action plan.
The first incident, which impacted 4,022 individuals, involved an unencrypted laptop that was stolen from a surgeon’s vacation rental home in Hawaii in February 2013 (see Stolen Laptops Lead Breach Roundup).
The second 2013 breach, which affected 3,044 individuals, involved OHSU’s use of a cloud-based storage service without a business associate agreement, OHSU says.
So far in 2016, two other HIPAA settlements also focused on the absence of business associate agreements.
Those include a $1.55 million settlement in March with North Memorial Health Care and a $750,000 settlement in April with Raleigh Orthopaedic Clinic, P.A. of North Carolina.
Also, since 2008, OCR has issued several resolution agreements with covered entities related to breach investigations stemming from the theft or loss of unencrypted mobile computing devices and storage media.
One of the largest such settlements was a $1.7 million OCR resolution agreement with Alaska Department of Health and Human Services in 2012 over a 2009 breach involving a stolen USB drive containing protected health information of only 501 people.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=eff832956a&e=20056c7556
Using compliance as a tool for change
One of my guiding principles is that compliance does not equal security.
Compliance isn’t a true representation of how well companies use security to protect themselves.
It can be little more than checking all the boxes and telling the auditors what they want to hear.
After all, many compromised banks were PCI-compliant, and several breached healthcare organizations were compliant with HIPAA.
Using compliance shortfalls to upgrade our security practices isn’t unusual.
Last year, I was able to use compliance to justify several initiatives, including signing up for a service and buying associated tools that will allow us to establish baseline security configurations for technology assets such as Linux, Windows, Apache, Oracle and firewalls.
And relying on findings from our PCI audit related to encryption, I was able to deploy Bitlocker for Windows PCs and File Vault for Apple Macs.
PCI regulations state that all credit card information that is stored must be encrypted, and such information can show up anywhere in our company, since many of our employees assist customers, who often provide credit card and other sensitive data even though we advise against it.
So now we’re enforcing encryption for 100% of our company-owned PCs.
Such widespread use of encryption has a beneficial side effect, since many states now provide a “safe harbor,” meaning that a company that has been breached might not have to notify customers and provide breach remediation services if all the data involved was encrypted.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b7cb8b4f37&e=20056c7556
In the Breach War, File Protection Is Just as Important as Data
Earlier this year, the Federal Deposit Insurance Corp. (FDIC) narrowly avoided disaster when sensitive information for 44,000 agency customers was stored without proper security measures…on a personal storage device.
In what was coined an ‘inadvertent data breach,’ a former staffer left the agency with the device, and lucky for the FDIC, returned it without incident three days later.
Not all financial services organizations or payment companies would fare so well.
According to the 2015 State of File Collaboration Security report by Enterprise Management Associates, 75% of IT and infosec professionals at mid-tier enterprises expressed a high or very high level of concern about sensitive, regulated or confidential data leakage due to inappropriate file sharing or unauthorized access.
Fully half said there were frequent instances of inappropriately shared documents or unauthorized access to files containing sensitive, confidential, or regulated information.
A whopping 84% had a moderate or total lack of confidence in their organization’s file security monitoring, reporting and policy enforcement capabilities.
Emerging file security solutions aimed at reducing file mishandling and collaboration data leakage risks address this gap with strong file encryption and usage controls that, once applied, persist for the life of the file, including after it traverses to various networks, recipients and devices.
Past information rights management (IRM) solutions were costly, often tied to specific applications or required specific infrastructure to function, and were cumbersome for IT and departmental users alike to use and manage.
While these IRMs worked internally, they were especially challenging to enforce for users outside the organization.
New technology solutions enable very granular controls over who can access files, under what conditions and what they can do with them.
Users can easily apply required controls on file viewing, editing, saving, printing, and watermarking that persist for the life of the file.
More so, the file owner can change the file security policy dynamically and even remotely delete files after they have been shared.
These security policy controls are enforced wherever the file goes and every time the sensitive file is opened.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a40089ef82&e=20056c7556
Data security and breach notification in Finland
Finland has no general data security law and no specific security obligations.
The Personal Data Act includes a general obligation requiring the controller to carry out technical and organisational measures which are necessary to secure personal data against:
In general, the data security obligations set out by Finnish law are technology neutral (ie, they do not define technical or organisational measures specifically).
No general obligation to notify individuals of data breaches exists.
Sector-specific obligations to notify individuals apply to telecoms operators, as set out in the Information Society Code.
No general obligation to notify the regulator of data breaches exists.
Sector-specific obligations to notify the Finnish Communications Regulatory Authority of data breaches apply to telecoms operators, as set out in the Information Society Code.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=65dc280e7a&e=20056c7556
ISO compliance in the cloud: Why should you care, and what do you need to know?
ISO 27001 is a widely adopted global security standard and framework that sets out requirements and best practices for a comprehensive approach to managing company and customer information.
Proving IT security practices is an important element of achieving ISO 27001.
The business benefits of ISO 27001 certification are many.
ISO 27001 is an effective way to reduce the risk of your organisation suffering a data breach, satisfies audit requirements and establishes trust both internally and externally that security controls are properly managed, providing customers with greater confidence in doing business with you.
When working with third party cloud providers it’s your responsibility to ensure that all parties involved are compliant.
Don’t just take a certificate at face value, you must validate an organisation’s claims when reviewing their ISO certifications, otherwise you are putting your organisation at risk.
Questions to ask include:
– What does the certification actually cover in terms of services and geo-locations?
– Is the certification for the entire company or only a segment of their operation?
– Who issued the certification, and do they have an online database for validation?
– Is the issuer accredited to issue an ISO certification?
– Is the vendor willing to show you the auditor report behind the certification?
In conclusion, organisations should care a great deal about ISO compliance in the cloud and ensure their partners and providers care as well.
ISO compliance in the cloud doesn’t have to be a nightmare, but you do need to approach the process with the level of rigour that the standard demands.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=26656c0625&e=20056c7556
Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations
On June 18, 2015, the Digital Privacy Act (also known as Bill S-4) received Royal Assent in Canada’s Parliament.
The Digital Privacy Act amended PIPEDA.
Among other important changes, the Digital Privacy Act amended PIPEDA to require mandatory notification of both the OPC and affected individuals, and introduced a record-keeping requirement (and fines for organizations which fail to meet either of these new requirements).
These new data breach requirements in PIPEDA will come into force once the Government passes regulations, and to that end, the Government has circulated a Discussion Paper and solicited comments.
A challenge organizations face when dealing with a breach affecting personal information is whether to report the breach to the OPC.
Currently voluntary, this dilemma will not go away when it becomes mandatory – rather, the question will simply become one of how to determine whether the trigger (“real risk of significant harm”) has been met.
The OPC is of the view that the current set of factors enumerated in subsection 10.1(8) of PIPEDA are sufficient and any other further guidance on conducting a risk assessment could be provided by the OPC in due course. [1]
The Discussion Paper had also asked if encryption should provide a kind of “get out of jail free” card insofar as encrypted information that is lost or accessed would be presumed to present no or a low “real risk of significant harm”.
The OPC was against equating encryption with a diminished risk of significant harm.
This raises the question of why the OPC has regarded the use of encryption as an adequate security safeguard to be considered under Principle 4.7.3.
The OPC clearly sees itself as playing an instrumental role in the future privacy landscape, and has indicated that once the Government passes final regulations it is prepared to develop guidelines that will complement the content of regulations and provide additional compliance assistance for organizations.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0f4b973c78&e=20056c7556
Breach notification reporting can be complicated without proper skills, tools
There is still a huge gap in many organizations, both from a technical and skills perspective, in terms of how to evaluate the impact and scope of a breach, said Arasteh. “The nature of security issues and breaches means it’s sometimes very difficult to decide when to notify third parties or not.” Organizations need to determine whether personal information was accessed and disclosed, and what harm that breach may cause.
He said that’s a tough call to make, as there are a number of factors that determine the impact of a breach and its scope.
But if the hacker wasn’t detected until five months after the initial access, they have probably gained access to everything.
Most hackers are able to crack an enterprise’s Active Directory within three days, said Arasteh. “If an attacker has been around a couple of weeks, you can assume they accessed all critical information.”
It’s hard to find out what damage has been done, as it takes a great deal of time and resources, while a company’s board of directors wants to know the impact and scope immediately, he said. “Answering these questions takes time.” And unless you put in the effort, you don’t know what data has been accessed, and there is a chance you might not be able to figure it out if there’s no evidence left. “That adds to the complexity.”
It goes without saying that organizations need to work at earlier detection of breaches. “The potential impact will be lower,” said Arasteh. “The earlier we can find the attacker in the lifecycle, the easier it will be to scope the incident.” Many enterprises make significant investments in controlling the perimeter, but once an attacker gets past, the organization has no visibility or detection capabilities, he said.
This lack of visibility means they can’t go back to look at traffic to understand what was happening a month ago or know what data was leaving the perimeter that shouldn’t have.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9395969083&e=20056c7556
Banks must do better on cyber security: KPMG
Speaking to InvestorDaily ahead of his appearance at the 16th annual Wraps, Platforms and Masterfunds Conference on 14-16 September, KPMG Australia cyber partner Gordon Archibald said banks and financial institutions are “still being compromised”.
KPMG’s forensics team has been involved in several internal bank cyber security investigations, but the company is under non-disclosure agreements, he said.
“Every audit that we do, every penetration assessment, every vulnerability assessment … we’re still finding critical systems missing critical patches.”
Financial institutions are making attacks too easy, with cyber security hygiene “pathetic” in many instances, Mr Archibald said, adding that applications are still being installed with default passwords and security policies are not being enforced.
“We really want to see cyber as an enabler – and that’s through having the confidence in your controls to make bold decisions.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c3bd6a5cc1&e=20056c7556
Australia gets one-quarter of a minister for national infosec
If you were hoping tech would get some kind of boost in the Turnbull government’s third ministry, prepare for disappointment.
Mitch Fifield retains communications, and Fiona Nash remains minister for regional communications – which at least means the telcos don’t have to spend the time and energy getting to know capturing brand-new ministers.
The other ministerial names that will matter to tech are Greg Hunt, moved from environment to Minister For Agreeing With StartupLand (industry and innovation), and Dan Tehan.
Tehan is now – deep breath – the minister for defence personnel, minister assisting the prime minister for the centenary of ANZAC, minister for veterans’ affairs and minister assisting the prime minister for cyber security.
The creation of the cyber security portfolio and its location close to the prime minister are, we suppose, symbolic that the government is taking it seriously.
Perhaps there’s a role beyond the symbolic, but it’s hard to imagine what that role might be.
Government systems are secured by the Australian Signals Directorate, which exists in the defence portfolio, rather than Tehan’s; and perhaps thankfully, the government has not had any significant role in private sector computer security.
It has not even managed to create a mandatory data breach notification regime, and it’s pared back the Office of the Australian Information Commissioner (OAIC).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=22f5c873aa&e=20056c7556
The Case for Continuous Security Monitoring
The only way for IT to adapt their networks to the twin forces of change in technology is to ensure that security evolves just as quickly as the infrastructure requirements and the global threats.
I would argue that one of the best ways for this kind of dynamic security to work is through a structured program of continuous security monitoring.
Networked business-technology assets need to be inventoried, configured, and maintained; their vulnerabilities