[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
\nAnd so, now the news<\/p>\n
* Security: Financial Cost of Data Breaches Continues to Soar
\n* New Cybersecurity Program Targets Small Healthcare Practices
\n* New Gmail Alerts Warn of Unauthenticated Senders
\n* Experience with preventing malicious attacks offers unique perspective on POPI for three6five
\n* Cyber security: Australian spy agency runs high school hacker recruitment drive
\n* Businessworld Connects With Security Leaders, Launches 1st CISO Strategy Summit [India]
\n* Should cloud vendors cooperate with the government?
\n* SADA Systems: Enterprises remain split on cloud data security
\n* A Risk-Driven Approach to Security, From Check Boxes to Risk Management Frameworks
\n* Mid-year Cybersecurity Trends Review: What You Need to Know to Mitigate Risk
\n* DoD CIO moving over to OPM
\n* Battle over who regulates data privacy rages on
\n* 62 Percent of Employees Have Access to Data They Shouldn’t Be Able to See
\n* Singapore\u2019s enforcement of data protection law on the rise
\n* Vodafone teams with Unitec to boost cyber security
\n* Security is more than User Education \u2013 it\u2019s About Cultural Change<\/p>\n
Security: Financial Cost of Data Breaches Continues to Soar
\nOn average it takes 201 days to identify a breach and another 70 days to eliminate it.
\nBreaches identified in less than 100 days have an average cost of $3.23 million, while breaches that take longer to find average $4.38 million in cost.
\nThe biggest cost of a data breach is lost business due to a loss of trust.
\nThe more regulation in the industry, the higher the costs.
\nHealthcare and financial services have breaches that are the most expensive.
\nBreaches due to criminal and malicious intent generally are the most difficult to identify.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=3501bcf10d&e=20056c7556<\/p>\n
New Cybersecurity Program Targets Small Healthcare Practices
\nHITRUST, a consortium of stakeholders collaborating to better secure protected health information, has launched a new cybersecurity service for small physician practices.
\nCalled CyberAid, the package includes a Trend Micro cloud-hybrid network security application, Trend Micro endpoint security software covering Windows and Mac OSX operating systems for mobile devices using Android and IOS, installation assistance, monitoring services and recovery support after an incident.
\nHITRUST is seeking additional services from other security vendors.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=b8ba6a5df5&e=20056c7556<\/p>\n
New Gmail Alerts Warn of Unauthenticated Senders
\nGoogle is expected soon to begin a gradual rollout of new security features in Gmail that warn users if the system could not authenticate the sender of an email message.
\nStarting this week for browser-based users of Gmail and Android users, Google will display a question mark over a sender\u2019s profile photo or user logo if the message cannot be authenticated with Sender Policy Framework or DKIM.
\nA new set of warnings will also be displayed for messages containing potentially dangerous links.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=24ff9da0e5&e=20056c7556<\/p>\n
Experience with preventing malicious attacks offers unique perspective on POPI for three6five
\nLessons learned from helping customers deal with malicious ransomware has given networking company three6five an advantage in handling security issues that will arise when the South African Protection of Personal Information (POPI) Act comes into force later this year.
\n“The POPI Act is going to force companies to completely change the way they do business,” says Eric Holmes, Security Engineer at three6five. “For example, no unsolicited telephone calls will be allowed under the act.
\nChanging processes and even strategy to fit in with the new law could be very difficult, and in some cases applications connected to databases may have to be rewritten to ensure compliance.
\nIt is important that action is taken to minimise the risk of non-compliance.
\nThe main focus of activities to become more compliant with the act will be to remove as much personal data as possible.
\nThis will often require a 180-degree turn in policy and procedures.
\nIn future, prudent companies will store personal data required for business use for as short a period as possible and as securely as possible.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=3ea8957b39&e=20056c7556<\/p>\n
Cyber security: Australian spy agency runs high school hacker recruitment drive
\nAustralia’s top cyber security agency is targeting high school students as young as 14 as part of a recruitment plan to build an army of “white hat” hackers to shield the country from internet attacks like those that crippled the census.
\nMore than 100 high school students have been given placements over the last three years and a number have subsequently joined ASD as cadets or later as graduates.
\nUsing video game slang and Hollywood movie references, the directorate is imploring teenagers to use their computer skills for the common good and help defend the nation rather than going over to the nefarious “dark side”.
\nThe brochure asks students to join ASD to “play the game no one else can”.
\nIt calls the fight between “white hat” and “black hat” hackers as the “classic story of the good guys versus the bad guys \u2013 and we need to win”.
\nThe directorate has in recent months also begun bankrolling the Girls Programming Network community group in Canberra, designed to get female students from years 4 to 12 interested in computers.
\nThe directorate is not the first of the agencies from the “five eyes” countries to look towards high schools for recruitment.
\nThe US National Security Agency and the UK’s Government Communications Headquarters do the same.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=b8c5eb7626&e=20056c7556<\/p>\n
Businessworld Connects With Security Leaders, Launches 1st CISO Strategy Summit [India]
\nBusinessworld organized the 1st CISO Strategy Summit on 11 August, 2016, in Delhi NCR (Gurgaon).
\nThe day-long event saw more than 80 top information security practitioners participating in it and discussing top-of-the-mind issues confronting them.
\nThe day started with one of the most discussed topics in the realm of enterprise security these days \u2013 the Internet of Things (IoT).
\nThe panelists talked about how security leaders can skirt challenges associated with IoT to create new business models, enhance productivity, and generate new revenue stream for their companies.
\nWith the banking and financial industry continuously confronting modern threats originating from opaque sources, cyber sabotage and espionage that are destabilizing the critical infrastructure, it was only apt to discuss information security in the BFSI vertical.
\nThe panel discussion on \u2018BFSI in a Fluid Threat Landscape\u2019 was moderated by Sivarama Krishnan, Partner & Leader \u2013 Cyber Security Services, PwC India.
\nThe panelists Puneet Kaur Kohli, Group CIO, Bajaj Capital, and Sumit Gupta, VP-IT, Bank of America, deliberated upon how CISOs in the banking vertical stayed ahead of hackers and breaches.
\nThey also provided insights into the new approaches that could be adopted to secure the two big trends of mobility and cloud permeating corporates.
\nThe session was moderated by Damanjit Uberoi, Executive Director, EY.
\nThe last session of the event \u2014 What\u2019s next for Information Security? \u2013 moderated by Jayant Saran, Partner \u2013 Forensic, Financial Advisory, Deloitte India, provided a peek into the future.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=36834fa810&e=20056c7556<\/p>\n
Should cloud vendors cooperate with the government?
\n35 percent believe cloud app vendors should be forced to provide government access to encrypted data while 55 percent are opposed. 64 percent of US-based infosec professionals are opposed to government cooperation, compared to only 42 percent of EMEA respondents.
\nMore than one in three IT pros believe cloud providers should turn over encrypted data to the government when asked, according to Bitglass and the Cloud Security Alliance (CSA).
\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d6c3d5a39e&e=20056c7556<\/p>\n
SADA Systems: Enterprises remain split on cloud data security
\nA bit more than half of IT managers said the cloud offers better security than their own data centers, according to a SADA Systems study.
\nSADA Systems, a managed services provider (MSP) and cloud consultant based in Los Angeles, surveyed more than 200 enterprise IT professionals regarding their use of cloud services.
\nFifty-one percent of the respondents said data security is better in the cloud, while 58% cited the cloud as “the most secure, flexible and cost-effective solution for their organizations,” according to SADA Systems.
\nIn other SADA Systems findings, 50% of survey respondents said they are likely to increase public cloud use by at least 25% over the next two to three years; 25% of the IT professionals polled said they would increase their public cloud use by 50% during the same time span.
\nIn addition, 84% of respondents said they are using public cloud infrastructure today, and 45% of the companies surveyed said their cloud migrations took three to six months.
\nTwenty-three percent said the migration took less than three months.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=3986022748&e=20056c7556<\/p>\n
A Risk-Driven Approach to Security, From Check Boxes to Risk Management Frameworks
\nMost industries are under regulatory pressure, so they take a compliance-driven approach to security to meet minimum requirements.
\nBut compliance requirements are often static and prescriptive, according to security executives.
\nCompliance gives organizations a false sense of security that can be misleading, and it provides only a one-time snapshot.
\nStudies indicated that despite serious business investment in modern security equipment, there was still a 58 percent year-over-year increase in malware incidents.
\nAccording to the recent \u201c2016 Cost of Data Breach Study\u201d from the Ponemon Institute, the average total cost of a data breach increased from $3.79 million in 2015 to $4 million in 2016, based on responses from the 383 companies in 12 countries that participated in the study.
\nManaging risk can help to mitigate this cost.
\nBelow are some more key takeaways on risk programs:
\nCompliance Is Just One Factor
\nRisk Tolerance Evolves Over Time
\nRisk management breaks down into three distinct areas: strategic, tactical and operational.
\nAs organizations move to a risk-based approach, they can explore assessment platforms, work to create risk profiles and partner with third-party providers to perform risk assessments.
\nSecurity teams are adopting various governance and control frameworks, and it is clear that members are using a mix of controls and frameworks instead of relying on just one.
\nFrameworks in use range from widely adopted National Institute of Standards and Technology (NIST), ISO 2700 and COBIT to hybrid approaches customized for the organization\u2019s needs.
\nIt\u2019s clear that risk management programs provide organizations with a lot of flexibility, but implementation still requires a tremendous amount of effort.
\nA risk-based approach doesn\u2019t eliminate compliance requirements, and C-level executives, security managers and division heads have to learn to communicate their objectives so that everyone can collectively agree upon the right balance.
\nRisk management requires buy-in from the top-down so that there is support for new initiatives and processes.
\nAligning IT security with a business-driven approach can also put organization in a position to have its unique business objectives drive its compliance rather than having compliance drive its business.
\nToo many organizations invest significant time and money to comply with industry and government regulations only to find out too late that their key business processes were still vulnerable to attacks.
\nLeveraging security management from a business-driven perspective enables an organization to successfully secure those business processes in a manner that inherently provides the necessary evidence to demonstrate compliance.
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=9a40ad7ffb&e=20056c7556<\/p>\n
Mid-year Cybersecurity Trends Review: What You Need to Know to Mitigate Risk
\nHalfway through 2016, it is safe to say the cyber phrase of the year is likely to be \u201cregulatory compliance.\u201d It is interesting the focus is on liability (corporate and personal) as the sheer volume, diversity and complexity of cyberthreats accelerate.
\nUntil recently, only large, geographically dispersed enterprises needed to create security plans that capture distributed systems, mobile workforce and endpoints.
\nHowever, with the accelerated adoption of public and private clouds, even small and mid-sized businesses need to plan for their security strategy as if they were distributed enterprises.
\nMany commercial entities, including government contractors and suppliers, need to closely monitor newly released and upcoming National Institute of Standards and Technology cybersecurity standards to ensure they comply with the latest security requirements.
\nIn addition to established compliance requirements like the Federal Information Security Management Act and the Federal Risk and Authorization Management Program, new requirements include compliance with NIST SP 800-171 to meet controlled, unclassified information and controlled technical information requirements.
\nYour company\u2019s cybersecurity strategy should not be predicated solely on the IT department\u2019s technology decisions.
\nNeedless to say, the IT organization needs to be able to respond to new threats and adopt best practices however cybersecurity connected to your business and go-to-market message need to be reviewed to determine liabilities in case of a breach, potential areas of data ownership concerns, etc.
\nFor many organizations, the use of outsourced chief information security officer-as-a-service and other capabilities is becoming the risk mitigation strategy of choice\u2013 providing validation as well as a fresh perspective to meeting the due diligence requirements demanded by boards and customers.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=981a8e7a03&e=20056c7556<\/p>\n
DoD CIO moving over to OPM
\nFormer Department of Defense (DoD) CIO David DeVries, whose career spans some 35 years, will move over in the coming weeks to the civilian side as the CIO of the U.S.
\nOffice of Personnel Management (OPM).
\nHe replaces Donna Seymour, who resigned as OPM’s CIO in February just before congressional hearings into the OPM breach.
\nDeVries brings some synergies that should help OPM, which is partnering with the DOD to build a National Background Investigations Bureau.
\nThe bureau will be housed at OPM but run on systems built by DoD.
\nDeVries will move right into the fire.
\nIn late May, the OPM inspector general issued a report saying OPM has yet to carry out federally mandated planning practices as part of a project to overhaul its IT infrastructure.
\nThe project has been active for two years and is part of OPM’s efforts to revamp its IT security following a data breach that dates back to early 2014.
\nThe project, now called Infrastructure as a Service, has a base cost estimate of $93 million.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=96896c69e9&e=20056c7556<\/p>\n
Battle over who regulates data privacy rages on
\nIn recent years, the FTC\u2019s authority to go after companies who\u2019ve allowed personal information to be hacked has been challenged \u2013 most notably by the Wyndham Hotel chain \u2013 but so far, it looks like the FTC can continue its efforts.
\nIn a case involving Wyndham, a federal appellate court noted it is up to the FTC, on a case by case basis, to determine what is \u201cunfair.\u201d That court concluded Congress \u201cdesigned the term [\u201cunfair\u201d] as a \u2018flexible concept with evolving content.\u2019\u201d
\nAnd in a recent decision involving a clinical laboratory called LabMD, the FTC demonstrated how that flexibility works.
\nLabMd was accused of allowing a massive data breach which compromised personal, medical information of 9300 consumers.
\nThe FTC filed a complaint alleging LabMD\u2019s data handling practices were so sloppy that it not only allowed the hack to occur, it constituted an \u201cunfair practice\u201d under Section 5.
\nThere are several lessons from the LabMD proceeding.
\nFirst, the FTC isn\u2019t going anywhere.
\nIts regulatory heels are dug in.
\nSecond, don\u2019t count on a \u201cno harm no foul\u201d standard in a data breach case.
\nThe FTC has made it clear that in the case of a substantial breach of sensitive information, the foul is the harm.
\nAnd finally, employers cannot put their head in the sand when it comes to employees and computer data.
\nA failure to train and monitor is an unfair practice.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=d698546b55&e=20056c7556<\/p>\n
62 Percent of Employees Have Access to Data They Shouldn’t Be Able to See
\nAccording to the results of a recent survey of 3,027 employees in the U.S., U.K., France and Germany (1,371 end users and 1,656 IT professionals), fully 62 percent of end users acknowledged that they have access to company data they probably shouldn’t be able to see.
\nThe study, conducted by the Ponemon Institute and sponsored by Varonis Systems, also found that 76 percent of IT pros said their organization had experienced the loss or theft of company data over the past two years, a significant increase from 67 percent who gave the same response in a 2014 study.
\nEighty-eight percent of end users said their jobs require them to access and use proprietary information such as customer data, contact lists, employee records, confidential business documents, or other sensitive data.
\nJust 29 percent of IT professionals said their organizations enforce a least-privilege model to ensure that insiders only have access to company data on a need-to-know basis.
\nThe survey also found that 78 percent of IT professionals are very concerned about ransomware.
\nFifteen percent of organizations have been hit by ransomware, and fewer than half of those detected the attack within the first 24 hours.
\nOnly 25 percent of organizations monitor all employee and third-party email and file activity — 38 percent don’t monitor any file or email activity at all, and 35 percent of organizations have no searchable records of file system activity, leaving them unable to determine which files may have been encrypted by ransomware.
\nA separate Bluelock survey of 228 C-level executives and IT professionals recently found that no executives surveyed rated the protection of their business against technology-related disruptions as extremely important, while 60 percent of IT pros did.
\nAmong all respondents, the most common reason for not investing in disaster recovery was because of “more pressing priorities.”
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=01624b1396&e=20056c7556<\/p>\n
Singapore\u2019s enforcement of data protection law on the rise
\nSingapore’s Personal Data Protection Commission (PDPC) is stepping up its efforts to enforce the Personal Data Protection Act 2012 (PDPA).
\nFollowing the release of its first nine enforcement decisions in April this year, the PDPC has published a further enforcement decision in June and two decisions in July, and is currently investigating a recent data disposal incident with the Monetary Authority of Singapore (MAS) concerning a multinational bank.
\nThe PDPC has also recently announced the need for organisations to improve their data security and data protection measures and has issued new guides primarily focusing on data protection measures, which organisations should consider carefully.
\nTo accompany its recent media release urging organisations to improve their data security measures and in light of recent enforcement decisions, the PDPC has published new guides on data protection clauses for agreements relating to data processing, securing personal data in electronic medium and building websites for small to medium enterprises.
\nThe PDPC has also updated the guide on disposal of personal data on physical medium to include chapters on cloud computing, IT outsourcing and security patching and has updated its advisory guidelines on key concepts in the PDPA regarding content on withdrawal of consent and access requests.
\nOrganisations are encouraged to carefully consider the contents of the guides and updated guidelines when reviewing its data handling practices.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=65c28cd3ab&e=20056c7556<\/p>\n
Vodafone teams with Unitec to boost cyber security
\nUnitec\u2019s chief executive, Rick Ede, said the partnership would help raise New Zealand\u2019s next generation of cyber security professionals.
\nUnder the agreement, Vodafone and Unitec will jointly commercialise any security product and service innovations that result during the partnership.
\nAt its launch Unitec said Unitec researchers would do the work using funding and equipment provided by NICT.
\nAt its launch, Hossein Sarrafzadeh, computing head of department at Unitec, said: \u201cNICT is very keen on the research capability we have in our department.
\nThat was one of the reasons they wanted to work with us.
\nWe already have researchers with the necessary expertise related to cyber security.\u201d
\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=2ae38563c1&e=20056c7556<\/p>\n
Security is more than User Education \u2013 it\u2019s About Cultural Change
\nIt is often said that users are the weakest link in the security chain.
\nBut every obstacle presents an opportunity and so does this one.
\nIf we can change user behaviour through a cultural shift, they can become an organisation\u2019s first line of defence against cyber-attacks as opposed to the weak link in the chain.
\nHaving discussed the way users are exploited by attackers, let\u2019s now discuss the most effective ways to bring about the cultural change required to change user behaviour so that they are more security savvy.
\nThis can be achieved in a methodical way as described below:
\n– Executive Cybersecurity Awareness Training
\n– General Cybersecurity Awareness Training
\n– Staff Induction Presentation
\n– Email Phishing Testing
\n– Cybersecurity Awareness Campaign
\nThis requires more than just user awareness training and indeed needs a culturally shift driven from top down.
\nAny organisation that can achieve this, will be driving a cyber security aware culture that represents an opportunity to reduce cyber security incidents at the start of the attack chain in a cost effective manner.
\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&id=20a68cb095&e=20056c7556<\/p>\n
============================================================
\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n
If you know someone else who would be interested in this Newsalert, please forwarded this email.
\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage.com\/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)<\/p>\n
Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage1.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=7bc1958e9c)<\/p>\n
Update subscription preferences (http:\/\/paulgdavis.us3.list-manage2.com\/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)<\/p>\n","protected":false},"excerpt":{"rendered":"
[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.] And so, now the news * Security: Financial Cost of Data Breaches Continues to Soar * New Cybersecurity Program Targets Small Healthcare Practices * New Gmail Alerts Warn…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-1251","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1251"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1251\/revisions"}],"predecessor-version":[{"id":3738,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1251\/revisions\/3738"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}