[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]<\/p>\n
* EMV: Not Ready for Prime Time?
\n* Take it to the boardroom: Elevating the cybersecurity discussion
\n* Trust As Product Strategy
\n* We Must Stop The Race to Attribution After Each Cyberattack
\n* Don\u2019t let embarrassment about a data breach cost you even more
\n* EU cyber security agency urges action to avoid crisis
\n* Homeland Security Issues Ransomware Alert for Networked Systems
\n* Whaling Attacks Jump Again in Q1
\n* 93 per cent of us have our location tracked every day[UK]
\n* Research Spotlight: Enabling Evil for Pocket Change
\n* Calculate the cost and probability of a DDoS attack
\n* Fragmented nature of cyber insurance cover makes it hard to assess insurers’ risk exposure, says expert<\/p>\n
EMV: Not Ready for Prime Time?
\nDave Matthews, executive vice president and general counsel of the National Restaurant Association, which represents more than 500,000 restaurants throughout the country, says the group questions whether EMV is really ready for “prime time.”
\nSmall and independent restaurants have seen significant upticks in chargebacks for alleged fraudulent transactions since the EMV fraud liability shift took effect in October 2015.
\nAnd Matthews alleges that’s unfair, given the current state of EMV and the questions about whether all the transactions cited for chargebacks are actually fraudulent.
\nSmaller restaurants have been put at an EMV-migration disadvantage, Matthews argues.
\nWhile larger merchants with higher transaction volumes have been able to demand more immediate EMV certification for their point-of-sale systems and devices, smaller merchants have had little say in when their terminals are certified as EMV compliant, he contends.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=daada0d4df&e=20056c7556<\/p>\n
Take it to the boardroom: Elevating the cybersecurity discussion
\nThough important, these can be in opposition to the needs of a CISO, who aims to improve enterprise-wide security measures and risk management across all silos.
\nWhen considering governance, placing the CISO within the purview of an executive with broader responsibilities, such as a CEO, is advisable.
\nDue to the myriad of overarching implications, today\u2019s enterprise leaders should be held accountable for cybersecurity, regardless of their role.
\nA prime example is the chief marketing officers.
\nThe executives are typically more focused on how the Web is used, with email campaigns, mobile app development and website updates, but these promotional endeavors can leave the door open for malware or other attacks to be released on unsuspecting customers.
\nAt each operating level, the influence of technology demands an awareness of where security fits into everyday functionality.
\nFor the last 20 years, corporate focus has consistently been on cutting costs, improving access and increasing efficiencies.
\nThat level of commitment should now be given to customer, partner and investor information, and to making it secure as possible in the digital world.
\nPhysical safety is an expected convenience of in-store shopping, and online environments should offer information security.
\nTherefore, enterprises should invest between 10 to 20 percent of their IT budget in cybersecurity as a function of brand protection.
\nElevating cybersecurity to an operational and risk management priority will take effort and focus but can yield many dividends.
\nFor this practice to become a reality, boards of directors must educate themselves to improve governance and oversight.
\nTo stay ahead of the bad guys, a shift in investment strategy, as well as strong improvements to employee training and reporting structure are paramount.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6caac8ab83&e=20056c7556<\/p>\n
Trust As Product Strategy
\nWhether business owners already recognize it or not, trust has become one of the key parts of the product strategy and the product itself.
\nFor cloud, financial services, IoT-related, and even retail industries, trust is a way to gain and retain customers.
\nThe \u201cformula\u201d for trust, in our view, consists of core components, such as security, privacy, convenience, and speed to market.
\nWithout trust of customers, employees, shareholders, and stakeholders, many industries will have a harder time maintaining competitive positions in the market.
\nSecurity, privacy, convenience, speed to market must be part of the end to end vision for the product, as more and more companies deliver their products and services online.
\nTrust in institutions is highly dependent on privacy practices.
\nJust 45% of people are confident that their data held by businesses is secure.
\nOf the 55% who lack confidence, these individuals could be swayed to invest in a more secure product if they could be persuaded that their data would be safer.
\nEven among the 45% who believe their data is safe, just one data breach could be enough to erode that confidence and cause them to start looking for alternatives.
\nThe level of trust a business establishes and maintains is key for retaining users.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=ebae414748&e=20056c7556<\/p>\n
We Must Stop The Race to Attribution After Each Cyberattack
\nSummary: Cybersecurity expert Emilio Iasiello discusses one of the key issues in cybersecurity \u2014 how do we determine who attacked us.
\nEach attack brings forth rapid declarations by the government that the attacker is one of their favorite foes.
\nShould we believe them?
\nWhile attribution is important in assigning responsibility for an attack, it may detract from the most important next step for a breached organization \u2013 mitigating the damage caused, patching up security \u201choles,\u201d and ensuring that business operations continue promptly and securely.
\nThere will be time later to determine who was behind the attack, or at least, as good as can be expected given the tools and information on hand.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=a21534be45&e=20056c7556<\/p>\n
Don\u2019t let embarrassment about a data breach cost you even more
\nWhen a company\u2019s executives decide to hide a breach, their action can morph from unsavory to illegal.
\nBut that decision can leave them vulnerable to the attackers behind the breach in the first place, who know that the company has not done what the law requires and can now threaten it with disclosure.
\nThe risks that such decisions give rise to were made dramatically clear on Thursday (March 31) when Reuters noted a new global crime trend of cyberthieves partnering with traditional organized crime syndicates to attack banks across the world.
\nIf the banks are hesitant to reveal that they were successfully attacked.
\nWithout disclosure, law enforcement is not informed.
\nMy point is that data breaches and breach-disclosure laws are realities that affect each other and that companies need to think about carefully.
\nThey must work out precise and explicit guidelines long before they are in the thick of a real incident.
\nTo decide things on the fly, based on the particulars of each situation, is a recipe for inconsistency.
\nYou are letting the people who are in charge of preventing attacks decide when they have to tell the world about an attack \u2014 and the potential for embarrassment will influence their decisions, because they will be sure that the world is going to decide that they failed to do their job.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=09f85a544f&e=20056c7556<\/p>\n
EU cyber security agency urges action to avoid crisis
\nThe call comes as Enisa publishes a report recommending more efficient cyber crisis co-operation and management based on an analysis of current crisis management frameworks.
\nAccording to Enisa, the promulgation of a legal framework for EU-level crisis management has drastically increased the efficiency of European\u2019s response to crises in all sectors analysed.
\nThe report makes five main recommendations about EU-level priorities to raise the maturity in cyber crisis management and reduce the impact of potential cyber crises.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=edaaf904a9&e=20056c7556<\/p>\n
Homeland Security Issues Ransomware Alert for Networked Systems
\nThe US Department of Homeland Security issued a ransomware alert through the US Computer Emergency Readiness Team (US-CERT) to organizations that use networked systems, warning them of the potential dangers stemming from this type of malware.
\nIn conjunction with the Canadian Cyber Incident Response Centre (CCIRC), DHS explained that the alert is designed \u201cto provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.\u201d
\nA final key takeaway in the alert is that organizations are discouraged from paying the ransom.
\nAs previously mentioned, this does not guarantee that the files will be released, according to US-CERT.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=cc75711a07&e=20056c7556<\/p>\n
Whaling Attacks Jump Again in Q1
\nThree-quarters of UK IT professionals have seen an increase in whaling attacks this year designed to trick staff into transferring funds outside the organization, according to new research from email security firm Mimecast.
\nIn the UK, the number of respondents who saw an increase in such incidents rose from 55% in December 2015 to 75% in March this year.
\nWhen it comes to global figures, 67% of respondents said they saw a jump in the number of whaling incidents designed to defraud them of revenue, while 43% saw an increase in attacks looking for sensitive corporate information.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=74e6f8f431&e=20056c7556<\/p>\n
93 per cent of us have our location tracked every day[UK]
\nThe \u2018Opt me out of Location\u2019 campaign aims to highlight the fact that nearly every single mobile phone owner in the UK (93 per cent) has unwittingly signed up for a contract that permits their location to be tracked.
\nMore than this, the data collected allows providers to build up highly detailed customer profiles which Krowdthink warns leaves millions of users just one serious data breach away from having private data exposed to and abused by criminals.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=ac7946f52c&e=20056c7556<\/p>\n
Research Spotlight: Enabling Evil for Pocket Change
\nAt the end of February, one of the researchers on the team received a solicitation email from a domain reseller, which she reviewed the first week of March.
\nThe email was from Namecheap offering deeply discounted domains for .88 cents.
\nThe timing of the email couldn\u2019t have been more ironic as it overlapped with some current research into determining if there is a relationship between domain pricing and an aggregation of domains related to malware\/phishing\/spamming.
\nThis article will discuss the relationship between deeply discounting domains and nefarious activities.
\nFor the purpose of discussion in this article, the word malicious will include malware, phishing, and spam activities.
\nAfter taking all things into consideration, the overarching theme is, there is an undeniable association between deeply discounted (or cheap) services on the Internet and criminal\/malicious activity.
\nThe extent and severity of that activity can range from a unwanted spam to full compromise of critical data.
\nNonetheless when something is cheap or free on the Internet it will undoubtedly be exploited for nefarious activities.
\nAdditionally, when domains go on sale, especially less than $1, there is a significant increase in domain registrations and \u201cbad stuff\u201d.
\nWe encourage our customers and all users to take measured precautions to protect their assets. Business users especially, should perform an adequate risk assessment and determine whether or not there is a legitimate business need to access \u2018non-standard\u2019 TLDs, when there is not, implement configurations in a layered security model filtering emails, web traffic, and implementing host-level protections, and above all else BACK UP YOUR ASSETS!!
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=297d43b2b4&e=20056c7556<\/p>\n
Calculate the cost and probability of a DDoS attack
\nIncapsula\u2019s DDoS Downtime Calculator is designed to help you assess the risks associated with an attack, offering case-specific information adjusted to the realities of your organization.
\nThe algorithm inside the calculator is based on real-world information from a DDoS Impact Survey conducted among 270 organizations representing various sizes and industries.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=069bcd9621&e=20056c7556<\/p>\n
Fragmented nature of cyber insurance cover makes it hard to assess insurers’ risk exposure, says expert
\nInsurance and cyber liability specialist Manoj Vaghela of Pinsent Masons, the law firm behind Out-Law.com, was commenting after the Times reported that insurers have faced difficulties in providing accurate estimates of the cost of underwriting cyber risks.
\nThe newspaper reported that management at the Lloyd’s of London market have asked insurers to provide such estimates but that some were struggling to meet the deadline to do so because of challenges in valuing the risk.
\n“The insurance industry does not yet have a single product that sets the gold standard for cyber attacks,” Vaghela said. “Instead, there are many different types of policies which may respond ranging from stand-alone cyber policies to fidelity policies.
\nThis fragmentation of risk makes it very difficult to assess the market\u2019s exposure.”
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=0698cc84a3&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage1.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=a517aec6e0)<\/p>\n
Update subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ] * EMV: Not Ready for Prime Time? * Take it to the boardroom: Elevating the cybersecurity discussion * Trust As Product Strategy * We Must Stop The Race to Attribution After Each…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1215","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1215"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1215\/revisions"}],"predecessor-version":[{"id":3702,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1215\/revisions\/3702"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}