[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ]
\nSorry for delay, Cisco Live was all consuming.<\/p>\n
* How to spot insider security threats using this one weird trick …
\n* Market expansion adds to cybersecurity talent shortage
\n* How to pick a mobile-focused fraud management vendor
\n* FDIC found hiding multiple APT attack and more from investigators
\n* Asean urged to unite vs cybercrime spooking banks
\n* ICO advises organisations to establish internal breach reporting procedures to prepare for GDPR
\n* Retailers Fight Back to Push for Chip-And-PIN Transactions
\n* HHS Issues New Ransomware Guidelines For Healthcare Sector
\n* How to Use Marketing to Regain Public Trust After a Data Breach
\n* To truly understand security, the business should consider a new CEO or CTO
\n* BAE Systems partners with SWIFT to bolster hacker intel<\/p>\n
How to spot insider security threats using this one weird trick …
\n“You can tell a disgruntled employee because they’ll refer to the company as ‘they’, not ‘we’.
\nThey’ll say ‘they do this’, not ‘we do this’,” he said.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=3376fe727c&e=20056c7556<\/p>\n
Market expansion adds to cybersecurity talent shortage
\n\u201cThe landscape of cyber risks is so widespread and evolving that forward-thinking (public) companies are seeking a new leader \u2013 a chief risk officer (CRO) \u2013 who will oversee all areas of risk exposure: IT risk, physical security, personnel security and protection of assets \u2013 including intellectual and reputational capital, stated Jeremy King, founder at Benchmark Executive Search.
\nThe chief risk officer will be the most in-demand position over the next five years \u2013 a single leader who can create a culture of security, map organizational structures and set budgets.\u201d
\nLooking at the market expansion and job figures, what’s the takeaway.
\nSimply put, the cybersecurity labor shortage is going to get worse before it gets better, and employers need to prepare.
\nManaged security providers and IT security outsourcing firms are challenged around recruiting as their businesses scale, and many regulated corporations can not hand off their security management so easily.
\nWait, we forgot about college grads — cyber’s new market entrants.
\nSurely they will help make a big dent in the labor shortfall – no.
\nNot so fast.
\nStudents are graduating from the top 10 U.S. computer science programs without taking a single course on cybersecurity.
\nThere’s a large influx of tech grads, but they are not necessarily cyber grads.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=03a8744283&e=20056c7556<\/p>\n
How to pick a mobile-focused fraud management vendor
\nRetailers need to collect mobile-specific data in order to accurately identify mobile fraud, a Forrester Research report says.
\nForrester recommends vendors use a risk scoring module on their management software that collects data on user behavior, sensor and location, and weighs that information to make a decision.
\nFor example, an account accessed via a desktop and a smartphone from different locations may or may not be fraudulent, and a transaction should not be rejected automatically for that difference.
\nA consumer could be accessing the account on a work computer and then at home on her smartphone, or a consumer\u2019s child could be using her account while the student is at college.
\nAnd a consumer who typically logs in from an Android device and then suddenly logs in from an iPhone may or may not be fraudulent.
\nIt\u2019s important for a vendor to accurately weigh how likely each scenario is to be fraudulent before denying account access or a sale, Cser says.
\nForrester also recommends fraud detection vendors use an SDK, or a software development kit, that it can embed into mobile apps.
\nThis will help the vendor collect mobile device data from consumers and improve risk scoring, Cser says in the report.
\nBecause of all these different fraud methods, Forrester recommends retailers and vendors track and report fraud patterns that do occur in order to quickly identify fraudulent behavior in the future.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=4da563feb1&e=20056c7556<\/p>\n
FDIC found hiding multiple APT attack and more from investigators
\nA new congressional investigative report found that the FDIC covered up approximately 11 cybersecurity incidents, including multiple APT attacks by hackers believed to be linked to the Chinese government.
\nAccording to the committee report, the FDIC suffered approximately eight major breaches — defined as the loss of more than 10,000 records — by former employees who stole portable drives containing personal data on more than 300,000 individuals or entities.
\nAt least one of these breaches was referenced in the FISMA report but the FDIC did not notify Congress on any of them, and at least one of the stolen drives was never recovered.
\nThe committee also found a 2013 memo from then-FDIC Inspector General Jon Rymer to FDIC Chairman Martin Gruenberg informing him of a cybersecurity incident in October 2010 in which an FDIC employee’s desktop computer was compromised by an advanced persistent threat (APT).
\nThe committee report also suggested that “inconsistency in leadership” may have hurt the FDIC’s security posture because the agency had a number of acting CIOs and only one permanent CIO in the time before current CIO Lawrence Gross took over in November 2015.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d8a834ee00&e=20056c7556<\/p>\n
Asean urged to unite vs cybercrime spooking banks
\nIn a speech last Thursday, Tetangco noted of the closer regional economic integration\u2019s advantages to the banking industry.
\nFor one, \u201ctransforming 10 Asean jurisdictions into a single market consolidates the strength of a growing region that saves more than the rest of the world and has the vast potential of a young population,\u201d the BSP chief said.
\nTetangco said, however, there were possible downside risks to this integration.
\nHe said information held by banks have become hot commodities.
\nAs such, the industry should address challenges to keep them safe, he added.
\nHe said banks should embrace the advantages provided by fintech, but \u201cwe still have to be wary of the cyber-security issues that arise, such as the increasing trend of phishing and identity theft cases.\u201d
\nUnder the Asean integration, qualified Asian banks (QABs) under the Asean Banking Integration Framework will \u201ceffectively extend the reach of one jurisdiction by having \u2018outposts\u2019 outside its national borders but still within Asean,\u201d Tetangco said.
\nQABs are Asean-headquartered banks and majority owned by Asean nationals that may operate in another Asean country.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=5768265921&e=20056c7556<\/p>\n
ICO advises organisations to establish internal breach reporting procedures to prepare for GDPR
\nThe Information Commissioner’s Office (ICO) has advised organisations to set up internal security breach reporting procedures, supported by comprehensive training, as part of preparations for the General Data Protection Directive (GDPR) due to come into effect in 2018.
\nThe recommendation is made in an ICO Breach notification advisory, which has been updated to take account of the new rules.
\nOrganisations will need to start preparing now to be compliant from day one, and many organisations, particularly larger ones, are expected to appoint data protection officers.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=00d5af160c&e=20056c7556<\/p>\n
Retailers Fight Back to Push for Chip-And-PIN Transactions
\nHome Depot, the Atlanta-based home improvement retailer, filed a federal lawsuit this month accusing Visa and MasterCard, two credit card issuers, of hindering the retailer’s efforts to boost the security of the new chip cards.
\nIn their lawsuit, the company claims that the card issuers are not giving retailers the option to offer more secure transactions where consumers have to use their PIN, a four digit code instead of a basic signature.
\nAllowing the use of a PIN increases security and would lower the transaction fee being charged to the retailers by the issuers.
\nIn the lawsuit, Home Depot alleges that “while chip-and-PIN authentication is proven to be more secure, it is less profitable for Visa, MasterCard, and their member banks and it provides a greater threat to their market dominance.”
\nThese lawsuits have occurred, because retailers are “incredibly frustrated because they’re spending a ton of money and still not getting the safest, best solution,” said Matt Schulz, senior industry analyst at CreditCards.com, an Austin, Texas-based credit card comparison website.
\nThe likelihood that more retailers will file lawsuits is high.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=367df91ff0&e=20056c7556<\/p>\n
HHS Issues New Ransomware Guidelines For Healthcare Sector
\nThis new guideline by the US Health and Human Services Office for Civil Rights should provide additional information on how this malware works.
\nMore importantly, it will also help institutions understand how they can spot a threat, and ensure no [significant] damage is done.
\nTraining hospital staffers to spot a malware threat sounds great on paper, but it\u2019s hard to achieve in real life.
\nMost of the people working at a hospital are already overworked, and the last thing they need is more things on their plate.
\nLimiting user access to account records is another option worth exploring, but it might create friction.
\nIf not everyone can access the document correctly, waiting for someone to come by with file access will only slow operations down.
\n\u201cImplementing a data backup plan is a Security Rule requirement for HIPAA covered entities and business associates as part of maintaining an overall contingency plan.
\nAdditional activities that must be included as part of an entity\u2019s contingency plan include: disaster recovery planning, emergency operations planning, analyzing the criticality of applications and data to ensure all necessary applications and data are accounted for, and periodic testing of contingency plans to ensure organizational readiness to execute such plans and provide confidence they will be effective.\u201d
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=6deb2f7f68&e=20056c7556<\/p>\n
How to Use Marketing to Regain Public Trust After a Data Breach
\nThe biggest lesson to learn from LinkedIn\u2019s approach to this breach is that, despite this not being a new issue, they have continued to show their dedication to both the security and trust of their users, as well as a commitment to treating this breach seriously, and with great transparency.
\nIn their blog post originally published the day after the recent release of user information, LinkedIn detailed what they knew about the situation, what they were doing to fix the issue, and provided links to more information about making sure your data and accounts are safe.
\nThough this would have been enough, they went a step beyond and continued to update this post as they worked through their process, and eventually addressed the Zuckerberg situation as well.
\nThe largest hurdle you have to face after a large data breach is also the most important regaining public trust.
\nProbably the biggest example of this comes from Target, and the massive data breach it found itself on the receiving end of in late 2013.
\nThis breach affected anyone who shopped at Target between November 27 and December 15, 2013, up to 70 million people, and potentially compromised a wide range of personal information including credit and debit card information, as well as names, mailing and email addresses, and phone numbers.
\nFollowing this attack, Target definitely took steps to restore its credibility, including offering a year of free credit monitoring to customers affected, a more aggressive rollout of chip-enabled card technology in stores, and a one-day 10 percent storewide discount.
\nHowever, in comparison to other companies that have undergone similar breaches, their response was still lacking in one major aspect a personal, human touch.
\nOutside of trust, you also need to find ways to earn the business of your customers back, as well.
\nWith the wealth of options available to consumers because of the internet, being trustworthy is not always enough, you also need to be competitive.
\nThis can\u2019t simply be a one-time sale, or coupon, either.
\nThis may bring in customers in the short term, but they are also likely to see it as a weak distraction, which reflects even more poorly on you.
\nInstead, consider implementing something like a rewards or loyalty program that will have more lasting benefits.
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=528a7993ed&e=20056c7556<\/p>\n
To truly understand security, the business should consider a new CEO or CTO
\nCISOs may be seeing mixed results when trying to teach company executives about the nuances of information security, but one business expert believes outcomes can be significantly improved by appointing a C-level executive focused specifically on issues of trust.
\nThe appointment of a chief trust officer (CTO) or chief ethics officer (CEO), Accenture Security APAC managing director Jean-Marie Abe-Ghanem told CSO Australia, is emerging in some companies as a way of removing the perceptions of security as a technological solution.
\n\u201cBusinesses need to get that trust feedback from customers, and to succeed they must take at least one product and evaluate it at every step to see how they are dealing with trust or ethics around the data,\u201d she explained.
\nA chief trust or ethics officer would be tasked with building principle-based codes of conduct to reinforce those perceptions, with involvement from security specialists to ensure those controls are implemented as enforceable policies.
\nHer voice is one of a growing chorus of security experts pushing for new approaches to solving a risk equation that has gained numerous additional variables in recent years.
\nApproaching the problem with fresh eyes, from new angles, is seen as a key part of an effort that must also include a bottom-up reconciliation of business and technology activities to identify and isolate ongoing security issues.
\nThese must then be rephrased using business concepts that isolate executives from the confusing language of information-security enforcement.
\nAccenture is already conducting early proofs-of-concept with clients in Australia to see whether a more context-based approach to security can improve both internal compliance and the external perceptions of products and services designed to handle consumer data.
\nThis approach also benefits CISOs, who can work with trust and ethics officers to build out a jointly adopted, broader story to sell to the business executive \u2013 which will be particularly helpful as mooted new breach-notification laws push those executives to consider their security exposures. \u201cThe C-suite understands more and more of the subject,\u201d Abe-Ghanem said, \u201cand when you talk about digital trust to a C-suite, they get it.
\nIt steers the conversation away from technologies and pen testing and technie talk, and provides an easier conversation than security on its own.
\nThey key is to always, at every step of the customer journey, to consider whether trust is being enhanced or eroded.\u201d
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=5ac5fc049d&e=20056c7556<\/p>\n
BAE Systems partners with SWIFT to bolster hacker intel
\nBAE Systems has been recruited to help SWIFT’s newly formed Customer Service Intelligence team in a bid to get ahead of cyber-criminals targeting banks connected to the global financial messaging service.
\nThe announcement follows the analysis and identification of malware that BAE Systems\u2019 threat intelligence team was able to link to an attack on Bangladesh Bank in February 2016.
\nHackers stole $81m from an account held in New York by Bangladesh’s central bank after lifting the financial institutions authorisation codes.
\nMalware analysis by both BAE Systems and Symantec linked the crooks behind the Bangladesh account raid to the hackers who ransacked Sony Pictures Entertainment’s systems back in 2014.
\nSWIFT (Society for Worldwide Interbank Financial Telecom) recently announced it would consider suspending banks with weaker cyber defences until they improve their security.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=471d81040c&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage1.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=4847e8837e)<\/p>\n
Update subscription preferences (http:\/\/paulgdavis.us3.list-manage1.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul Davis – his opinions and no-one else’s, apart from the reporter’s opinions ] Sorry for delay, Cisco Live was all consuming. * How to spot insider security threats using this one weird trick … * Market expansion adds to cybersecurity talent shortage * How to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1249","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1249","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1249"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1249\/revisions"}],"predecessor-version":[{"id":3736,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1249\/revisions\/3736"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1249"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1249"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1249"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}