[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions]
* US House of Representatives bans Yahoo Mail and Google App Engine over malware concerns
* Symantec’s Cheri McGuire named CISO of Standard Chartered bank
* The cyber-security buck should stop with executives, finds survey
* A key security takeaway from Walmart’s chip-and-PIN suit against Visa
* Vulnerability management trends in Asia Pacific
* Five Useful Tips to Build a Successful and Mature Security Operations Center
* Why incident response plans fail
* Are You Prepared for Your Vendor’s Data Breach?
* New FireEye Research Reveals the Impact of High-Profile Security Breaches on U.S. Consumers’ Trust of Brands
* 6 privacy landmines and how to avoid stepping on them
* Health Care Breaches Common, but Budgets Stay Mostly Flat: Survey
* FDIC Calls ‘Major’ Data Breaches Accidental
US House of Representatives bans Yahoo Mail and Google App Engine over malware concerns
On April 30, the House’s Technology Service Desk informed users about an increase in ransomware-related emails on third-party email services such as Yahoo Mail and Gmail.
The ban on Yahoo Mail access suggests that some House of Representatives workers accessed Yahoo mailboxes from their work computers.
This raises the questions: are House workers using Yahoo Mail for official business, and, if they’re not, are they allowed to check their private email accounts on work devices?
The Google App Engine ban appears to be unrelated to the ransomware attacks; it is a response to indicators that attackers have been using Google’s platform to host a remote access trojan named BLT since June 2015, unnamed congressional sources told Reuters.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=dc40542b38&e=20056c7556
Symantec’s Cheri McGuire named CISO of Standard Chartered bank
In her new role, McGuire’s responsibilities will include cyber security governance, strategy, regulatory engagement, policy development, training and awareness, as well as industry stakeholder partnerships.
She will also be accountable for the Bank’s information security monitoring, third party risk management and vulnerability assessments.
She will also become a member of the Bank’s information technology and Operations Management Team.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8ff1a31213&e=20056c7556
The cyber-security buck should stop with executives, finds survey
VMWare presented new research today on the historically distant relationship between the issue of cyber-security, employees and the board.
29 percent of both office workers and decision-makers believe that the CEO should be responsible for a significant data breach, and 38 percent of office workers and 22 percent of decision-makers believe that the buck should stop with the board following a breach.
However, research published in conjunction with the Economist Intelligence Unit earlier this year showed that only five percent of corporate leaders put cyber-security at the top of their priorities.
This is not so much a technology problem as perhaps a psychological or sociological one.
It’s a question of “how much can people take”.
Simply, it’s about making security as easy as possible for employees.
In the report itself, Joe Baguley, CTO of VMware, mentions that, “Security is not just about technology.
As the research shows, the decisions and behaviours of people will impact the integrity of a business”.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2c81962459&e=20056c7556
A key security takeaway from Walmart’s chip-and-PIN suit against Visa
Walmart on Tuesday filed suit against Visa and charged the payment card provider with making it too easy for consumers to avoid some of the security features built into chip-and-PIN cards.
Walmart’s suit relates specifically to Visa debit cards and does not involve chip-and-PIN credit cards, which are making a much slower transition into the U.S. market.
Despite the implication of the name, chip-and-PIN cards can be configured to work without PINs.
Although the embedded chips make the cards more secure than those with magnetic stripes, they’re even more secure when used along with PINs.
That’s the crux of Walmart’s lawsuit.
The company says Visa forces it to give customers who use Visa-branded debit cards a choice between verifying purchases with PINs, or with signatures.
The signature option invites fraud, according to Walmart.
And because Visa debit cards are common, many other retailers are also likely forced to let consumers choose to use lesser payment security measures, Sirota says.
The moral of this story:
If you have a choice between using a PIN or signature to verify your identity when making a purchase, do yourself a favor and choose the former option.
Sure, it’s yet another number to memorize, but the extra security will be more than worth the trouble if it helps you avoid a migraine associated with payment card fraud.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0e48d9ae27&e=20056c7556
Vulnerability management trends in Asia Pacific
A new study conducted by Forrester Consulting evaluated perceived challenges, drivers and benefits of various vulnerability management strategies and investments based on responses from information security professionals in Australia, China, Japan, New Zealand and Singapore.
According to survey results, one of the top security priorities of companies is protecting customer data, with a focus on application security, data security and protection of customers’ personal information.
Despite their customer focus, only 22 percent of security decision makers performed continuous vulnerability assessments to monitor their environments for new threats.
The largest group of respondents (44 percent) conducted scans periodically, while 28 percent performed scans monthly.
Forty-six percent of survey respondents cited reducing risk and improving security posture as the highest ranking security priority of all strategic IT objectives for companies in the Asia Pacific region.
The potential vulnerabilities of companies are compounded as new technologies and devices are introduced by employees, customers and partners.
Attacks exploiting such vulnerabilities significantly affect the business, ranging from internal consequences such as decreased productivity (53 percent of respondents said that the impact of this was ‘severe’ or ‘very severe’) and increased operational expenses (60 percent) to external harms such as brand damage (51 percent), resulting in lost customer trust (57 percent) and lost revenue (51 percent).
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0f817f5b39&e=20056c7556
Five Useful Tips to Build a Successful and Mature Security Operations Center
1) Know and Set Monitoring Goals
2) Find the Right Technical Configurations
3) Build the Right Security Operations Team
4) Have a Robust Incident Response Process
5) Lobby for Help From IT and Other Departments
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9b0ccb69f8&e=20056c7556
Why incident response plans fail
Rather than identifying, analyzing and eradicating the threat, organizations can easily become entangled in processes hindering response time and further endangering operations.
While many industrial organizations have an IR plan in place, very few run through a routine simulation exercise of this plan.
Simulated exercises reveal various incorrect assumptions made throughout the IR process and identify gaping holes where there are missing contacts or protocols that are critical for a successful IR program.
When an incident occurs, key stakeholders want to be aware of what’s happening and how the situation is being addressed.
Keeping executives in the know and managing expectations around the line of communication is an important part of an IR plan.
There should be an assigned “incident captain” who can quickly alert the necessary parties and inform them of immediate next steps.
When it comes to managing suppliers in an IR plan, there are a number of questions or assumptions that should be verified during a simulated exercise.
What role do your suppliers play in the event of an attack?
Do they have a contractual agreement that outlines their role in IR and disclosure around cyber incidents?
Do they install software that was purchased from another vendor?
Do suppliers know what software you have in operation?
Do they run simulated testing of software updates on machines prior to actual implementation?
Attacks are part of today’s connected environment, so IR is not as much about the attack but rather resiliency.
Cybersecurity practices need to be collaborative and open, not only within an organization but across industries.
Executives should be thinking about how they inventory assets and what type of services they would require from manufacturers to deal with a cyber incident.
They must communicate a clear picture to the board of what is required and how this plan will be executed efficiently.
Running through an IR exercise helps raise awareness about cybersecurity within an organization and creates a resilient business culture that is prepared for anything.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5d576b1348&e=20056c7556
Are You Prepared for Your Vendor’s Data Breach?
Ever since the Target and Home Depot breaches were traced to intrusions at their vendors, the management of cybersecurity at third-party vendors has been a focus of companies and regulators.
The FTC has flagged the issue, as has the SEC.
The DoD has imposed strict cybersecurity requirements for contractors that “flow down” to sub-contractors.
Revisiting third-party risk management in view of recent cyber attacks presents some important takeaways for companies and vendors to consider:
– Collaborate on data security
– Be prepared for a breach
– Review your contractual terms
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=0300348919&e=20056c7556
New FireEye Research Reveals the Impact of High-Profile Security Breaches on U.S. Consumers’ Trust of Brands
MILPITAS, CA–(Marketwired – May 12, 2016) – FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today’s advanced cyber attacks, today released the results of new research that finds high-profile data breaches are negatively impacting consumer trust in major brands.
The FireEye commissioned research — conducted by independent technology market research specialist Vanson Bourne with a survey of 2,000 adults within the U.S. in April 2016 — confirms the rising public concerns of data privacy.
Findings revealed that 76 percent of respondents would likely take their business elsewhere due to negligent data handling practices.
Additionally, 75 percent of consumers stated they were likely to stop purchasing from a company if a data breach was found to be linked to the board failing to prioritize cyber security.
The survey findings also highlight the potential long-term financial impact of data breaches on major brands, with 59 percent of consumers warning they would take legal action against companies if a data breach resulted in their personal details being used for criminal purposes. 72 percent of consumers also reported that they will now share fewer personal details with companies, which could hit the revenues of organizations — from social media platforms to search engines — that rely on collecting detailed consumer data for advertisers.
Other key findings included the following:
– 52 percent of consumers would consider paying more for the same products or services from a provider with better data security
– 54 percent of consumers feel more negatively toward organizations that have been breached
– 78 percent of consumers are wary of organizations’ ability to keep data safe
– 52 percent of consumers said security is an important or main consideration when buying products and services
– 90 percent of consumers expect to be informed within 24 hours if their service provider has suffered a data breach that could have compromised their data
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d166125d11&e=20056c7556
6 privacy landmines and how to avoid stepping on them
Erin Whaley, a partner at the law firm Troutman Sanders, outlined what those are and shared half-a-dozen tips for avoiding them.
1) As long as I have cybersecurity insurance I’ll be covered in the event of a breach.
It’s not that simple.
2) Our team can handle any incident internally.
Even providers who really have the best professionals in the country should seek outside help.
3) Social media isn’t a big concern for us. “Do not think social media is not a problem for you,” Whaley contended.
4) Business associate agreements are just a form agreement.
Our lawyers don’t need to review them.
Whaley explained that while more BAs fall into this trap than healthcare providers, some hospitals do as well, for a variety of reasons, most notably that they think BA agreements are all similar and they don’t want things held up in legal review.
5) As long as I’m HIPAA compliant, I don’t have to worry about other privacy laws. “That is not true,” Whaley said. “There are other privacy laws.”
6) We do a fine job responding to requests from individuals for their records.
Updating this process is not a priority. “You should go ahead and look at the process for responding to individual requests for records,” Whaley said.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8cbd2413aa&e=20056c7556
Health Care Breaches Common, but Budgets Stay Mostly Flat: Survey
Almost 90 percent of hospitals and insurers have had a breach in the past two years, but budgets have risen for less than a third of health care organizations.
Based on multiple interviews with 91 health insurers and hospitals and 84 business associates, the survey found that 89 percent of health care organizations had a data breach in the past two years, with nearly half having more than five data breaches.
While most of the breaches were small, encompassing less than 500 records, the average cost of a breach was $2.2 million over two years for health care providers and insurers and more than $1 million for business associates, according to the survey.
As a result of breaches, more than half of all companies have become better at vetting third-party partners, spent more on security technology and focused on employee training.
However, the demand for security personnel has prevented nearly three-quarters of health care firms from hiring more skilled IT security personnel, the survey found.
In addition, half of respondents did not see any change in budgets, while about 30 percent saw an increase over the past two years.
To a large extent, both health care organizations and their business associates seem to lack preparedness.
Only 8 percent of health care organizations conduct vulnerability assessments quarterly, and 25 percent of business associates do so, the survey found.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b783b6877b&e=20056c7556
FDIC Calls ‘Major’ Data Breaches Accidental
There is a difference of opinion within the federal government about what counts as a “major” data breach.
The debate over the breadth and depth of the adjective is more than semantic.
The failure of an agency to classify a cyberincident as a “major” one could stall reporting of the incident.
For example, since October 2015, seven Federal Deposit Insurance Corporation employees who retired or moved on to other jobs each took with them 10,000 or more sensitive records inadvertently, according to FDIC Chief Information Officer Lawrence Gross.
He did not categorize any of the losses as a major cyberincident at the time.
But under 2014 cyber reforms, the rules say if agency data remains outside the government’s control for at least eight hours or if the situation involves more than 10,000 records, that agency is dealing with a “major” incident that requires notifying Congress within seven days.
Gross testified before a House Science Committee panel that he did not believe the breaches merited the “major” label, as defined last October by White House rules, because each worker had been authorized to see the data at issue.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2d6748e545&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forward this email.