{"id":2494,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail25-atl71-mcdlv-net\/"},"modified":"2021-12-30T11:41:27","modified_gmt":"2021-12-30T11:41:27","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail25-atl71-mcdlv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail25-atl71-mcdlv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail25.atl71.mcdlv.net;"},"content":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.]<br \/>\nAnd so, now the news<\/p>\n<p>* Size Doesn\u2019t Matter: Cyber Security and the SME<br \/>\n* Cybersecurity Due Diligence Critical Amid Rise In Data Breaches<br \/>\n* Mobile Security Research Uncovers Gap Between Perception and Reality of Vulnerabilities<br \/>\n* Four ways S\u2019pore is stepping up its fight against cybercrime<br \/>\n* Major cyber security threat underscored by congressional Homeland Security chairman<br \/>\n* Browser study aims to stop hackers in their tracks<br \/>\n* Why the U.S. 
is behind the curve on cyberwarfare<br \/>\n* 9 Critical Responsibilities Of The Cybersecurity Manager<br \/>\n* SEC Prepares for More Cybersecurity Oversight<br \/>\n* Firefox sets kill-Flash schedule<br \/>\n* How exposed is trucking data to theft?<br \/>\n* Call for Australia to appoint cyber ambassador<br \/>\n* The changing face of data breaches<br \/>\n* Automotive Cybersecurity Best Practices<br \/>\n* Regulators&#8217; IM Crackdown May Increase Cyber Risk<br \/>\n* Cyber Security Quarterly Round-Up &#8211; July 2016<br \/>\n* MS-ISAC official: Ransomware is top malware of concern for states, counties<br \/>\n* CISOs need teamwork and a framework, says Chief Cybersecurity Officer at Trend Micro<br \/>\n* RSA Research Shows 74% of APJ Organizations Face Significant Risk of Cyber Incidents<br \/>\n* DHS looking for industry expertise in protecting \u2018mobile ecosystem\u2019<\/p>\n<p>Size Doesn\u2019t Matter: Cyber Security and the SME<br \/>\nThe research, which forms part of NJR\u2019s cyber security report: how real is the threat and how can you reduce your risk, shows that 23 per cent of employees use the same password for different work applications and 17 per cent write down their passwords, 16 per cent work while connected to public wifi networks and 15 per cent access social media sites on their work PCs.<br \/>\nSuch bad habits and a lack of awareness about security mean that employees are inadvertently leaving companies\u2019 cyber doors wide open to attack.<br \/>\nTarun Samtani considers the areas that SMEs are weakest when it comes to maturing in cyber security:<br \/>\na) Information governance<br \/>\nOnce the crown jewels have been identified, the next step is to understand and map the different paths an adversary could take to get to them.<br \/>\nThis is called Attack Path mapping.<br \/>\nb) Enterprise Risk Management<br \/>\nCyber and information security risk management needs to be part of the enterprise risk management framework as a 
separate entity not under IT risk.<br \/>\nc) Cyber security Awareness<br \/>\nTo reduce the risk of cyber threats, the human OS needs to be patched in such a way that staff not only understand their responsibility for security but also take an active role in improving the cyber security of the organisation by using best safe practices.<br \/>\nd) Enterprise Architecture<br \/>\nIt is crucial for a business to have a single entity\/function that sits across the business to oversee all the different projects in the organisation and aligns them to the business strategy.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=55b666fe4e&#038;e=20056c7556<\/p>\n<p>Cybersecurity Due Diligence Critical Amid Rise In Data Breaches<br \/>\nIn response to the growing cybersecurity challenges facing corporate mergers and acquisitions (M&#038;A), West Monroe Partners, a Chicago-based management and technology consulting firm, recently released a report providing insight into the complexities and challenges of cybersecurity due diligence in the acquisition process.<br \/>\nThe 28-page report, \u201cTesting the Defenses: Cybersecurity Due Diligence in M&#038;A,\u201d revealed that the potential costs of cybersecurity problems are enormous.<br \/>\nIn 2015, the Identity Theft Resource Center reported 781 data breaches at companies in the United States, with the average cost of a data breach being $3.79 million, according to a survey commissioned by the International Business Machines Corporation (IBM).<br \/>\nThe report also found that in the majority of cases, cybersecurity issues alone are not enough to cause a buyer to abandon an acquisition, with 77 percent of respondents saying that they have never walked away from a deal for that reason.<br \/>\nThe study produced five main findings:<br \/>\n&#8211; Cybersecurity diligence is no longer optional.<br \/>\n&#8211; Knowledgeable personnel are key.<br \/>\n&#8211; Good 
governance trumps bells and whistles.<br \/>\n&#8211; Be practical when assessing risks.<br \/>\n&#8211; Remember to implement deal protections.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=206c82f8a3&#038;e=20056c7556<\/p>\n<p>Mobile Security Research Uncovers Gap Between Perception and Reality of Vulnerabilities<br \/>\n\/EINPresswire.com\/ &#8212; NEW YORK, NEW YORK &#8212; (Marketwired) &#8212; 07\/19\/16 &#8212; BLACKBERRY SECURITY SUMMIT &#8211; A new global research initiative conducted by BlackBerry Limited (NASDAQ: BBRY)(TSX: BB), a global leader in secure mobile communications, finds that despite extensive resources dedicated to mobile security, many IT decision-makers remain concerned about the level of vulnerabilities that persist.<br \/>\nThe study surveyed 1,000 executives from seven countries across a wide range of vertical industries, including financial services, government and healthcare.<br \/>\nThe survey reveals that 73 percent of organizations have a mobile security strategy in place, but only three percent say they have implemented the highest levels of security possible.<br \/>\nThis is in part because of user attitudes &#8211; 82 percent of the executives admit mobile security precautions cause at least some frustration among employees, and potentially hinder productivity.<br \/>\nOverall, 44 percent fear that too much mobile security will prevent employees from doing their job.<br \/>\nThis fear of implementing a stronger mobile environment led to a startling majority, 86 percent, of executives who said they are worried about the level of protection for their organization with half saying they will experience more security breaches through mobile devices.<br \/>\nA critical element to a successful BYOD or COPE (corporate owned, personally enabled) mobile environment is ensuring the isolation and separation of personal and business mobile data, also known as containerization.<br 
\/>\nHowever, nearly 45 percent have no containerization technology in place.<br \/>\nThe research also uncovered that nearly half of organizations do not have a Security Incident Response Team (SIRT) in place, despite the fact that SIRT is an industry best practice to reduce the cost of data breaches.<br \/>\nIT decision-makers also want and seek outside help when it comes to securing their mobile environments.<br \/>\nOf those surveyed, 59 percent report that external expertise is the best option for reviewing mobile practices.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=7e9123fec1&#038;e=20056c7556<\/p>\n<p>Four ways S\u2019pore is stepping up its fight against cybercrime<br \/>\nSINGAPORE \u2014 Law and Home Affairs Minister K Shanmugam on Wednesday (July 20) unveiled the National Cybercrime Action Plan, which sets out the Government\u2019s future and ongoing efforts against cybercriminal activity.<br \/>\nHere are the four key priorities in the plan.<br \/>\n1) EDUCATING THE PUBLIC<br \/>\nAmong efforts to help the public to stay safe online, there will be a special focus on vulnerable groups, such as students and senior citizens.<br \/>\n2) ENHANCING GOVT\u2019S CAPABILITY TO FIGHT CYBERCRIME<br \/>\nThe Cybercrime Command, set up in December last year to improve coordination in the police\u2019s response to cybercrime, will analyse new methods used by cybercriminals.<br \/>\n3) STRENGTHENING LEGISLATION AND CRIMINAL JUSTICE FRAMEWORK<br \/>\nThe Computer Misuse and Cybersecurity Act will be amended so it is effective in responding to the transnational nature of cybercrimes and the evolving tactics of cybercriminals.<br \/>\n4) PARTNERSHIPS<br \/>\nThe Government will build partnerships with industry and academia, locally and overseas, so as to share knowledge and build capabilities in areas such as cyber-forensics and cyber-investigations.<br \/>\nThe MHA has also set up a new Institute of Safety 
and Security Studies that will promote thought leadership and build expertise in different areas, including cybercrime.<br \/>\nThe institute\u2019s training courses will be offered to Home Team officers and partners from Asean member states.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=a8ddcab1a0&#038;e=20056c7556<\/p>\n<p>Major cyber security threat underscored by congressional Homeland Security chairman<br \/>\nCLEVELAND &#8211; The Chairman of the House Committee on Homeland Security says the nation is &#8220;not ready&#8221; for serious cyber security threats.<br \/>\nTexas Congressman Michael T. McCaul, whose committee oversees the U.S. Department of Homeland Security, made the remarks during an RNC Cyber security Forum meeting in Cleveland Tuesday to draw attention to the nation&#8217;s vulnerabilities regarding cyber attacks.<br \/>\nThe forum presented views by ten of the nation&#8217;s leading experts on internet technology and was sponsored by the Center for CyberSecurity and Privacy Protection at Cleveland Marshall College of Law.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=57bcdf5571&#038;e=20056c7556<\/p>\n<p>Browser study aims to stop hackers in their tracks<br \/>\nDeveloping an anti-tracking computer program to protect users against hackers is at the heart of a new study into browsing habits.<br \/>\nBrowser fingerprinting is an increasingly common tracking technique that collects contextual data from a person\u2019s computer without their knowledge.<br \/>\nResearchers at the University of Adelaide in South Australia are conducting a study to discover the weaknesses in contemporary \u201cbrowserprinting\u201d methods to build an adequate defence program.<br \/>\nUniversity of Adelaide PhD student Lachlan Kang said browser fingerprinting could affect anyone, even those who used the anonymous aspects of VPNs to 
protect their privacy.<br \/>\nIn an Oxford and MIT joint study earlier this year, it was discovered that the social media site Twitter used location tags to determine real-world addresses, hobbies, and medical histories.<br \/>\nTo join the study, visit: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8aec1e1df9&#038;e=20056c7556.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=42e586ebfb&#038;e=20056c7556<\/p>\n<p>Why the U.S. is behind the curve on cyberwarfare<br \/>\nThere are three reasons for this, and they are easy to understand.<br \/>\nFirst, we populate our cyberwarfare capability with officers whose training and experience are in kinetic, not digital, warfare.<br \/>\nWe would be better off with a group of hackers or by elevating civilians, who would stay in place over a long enough period of time to acquire the requisite skills.<br \/>\nSecond, we do not have people in key positions or in sufficient numbers who are fluent in either Arabic or Pashto or in grasping cultural nuances.<br \/>\nIf you can\u2019t understand the language or culture, it is pretty hard to figure out what is going on and respond to it on either a technical or psychological level.<br \/>\nAnd third, the complex web of organizational relationships in U.S. 
cyberwarfare precludes quick and dynamic decision-making when time is of the essence.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=e1c41e182f&#038;e=20056c7556<\/p>\n<p>9 Critical Responsibilities Of The Cybersecurity Manager<br \/>\nThe larger the organization, the narrower the focus becomes.<br \/>\nFor instance, if you were the only one running the show in the cybersecurity department for your organization, you would be tasked with everything from the technical aspects of security to security policy (and everything in between).<br \/>\nIn a larger organization, cybersecurity managers often play one of two roles:<br \/>\n&#8211; A technical security manager<br \/>\n&#8211; A program security manager<br \/>\n9 Critical Responsibilities Of The Cybersecurity Manager<br \/>\n* Monitor all operations and infrastructure.<br \/>\n* Maintain all security tools and technology.<br \/>\n* Monitor internal and external policy compliance.<br \/>\n* Monitor regulation compliance.<br \/>\n* Work with different departments in the organization to reduce risk.<br \/>\n* Implement new technology.<br \/>\n* Audit policies and controls continuously.<br \/>\n* Ensure cybersecurity stays on the organizational radar.<br \/>\n* Detail out the security incident response program.<\/p>\n<p>In many large organizations, the chief information security officer is involved in briefing the board members on cybersecurity\u2014but depending on the size and maturity of the security program in your organization, this may fall on the cybersecurity manager.<br \/>\nIf this falls within your scope of work, you should focus on communicating the state of your information security program, including your successes and failures.<br \/>\nThe free ebook below gives you a deeper look at how to do so effectively.<br \/>\nLink: 
http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=195eb0cad5&#038;e=20056c7556<\/p>\n<p>SEC Prepares for More Cybersecurity Oversight<br \/>\nLeading U.S. banks, and other publicly traded companies, should expect increased cybersecurity scrutiny from the Securities and Exchange Commission.<br \/>\nThis week, during a meeting of the Treasury Department&#8217;s Financial and Banking Information Infrastructure Committee, leaders of the SEC and the Commodity Futures Trading Commission, which aims to protect consumers from fraud, shared updates about their agencies&#8217; approaches to cybersecurity, as well as an overview of their examination processes, rules and other actions.<br \/>\nThe Treasury committee focuses on improving information sharing among financial regulators, promoting public-private partnerships and enhancing the resiliency of the financial sector.<br \/>\nAnd its membership reads like a who&#8217;s who of regulatory authority, including Sarah Bloom Raskin, deputy secretary at the Treasury Department; Mark Gruenberg, chairman of the Federal Deposit Insurance Corp.; and Thomas J. Curry, comptroller of the Office of the Comptroller of the Currency.<br \/>\nThe FBI also played a role at the meeting, noting the need for more information sharing with the financial sector.<br \/>\nWe can expect in coming weeks to see more from the SEC and the CFTC about their plans to be more proactive about cybersecurity oversight, risk assessment and cyber examination.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c6ff92ea9d&#038;e=20056c7556<\/p>\n<p>Firefox sets kill-Flash schedule<br \/>\nMozilla yesterday said it will follow other browser makers by curtailing use of Flash in Firefox next month.<br \/>\nThe open-source developer added that in 2017 it will dramatically expand the anti-Flash restrictions: Firefox will require users to explicitly approve the use 
of Flash for any reason by any website.<br \/>\nFirefox is late to the dump-Flash party.<br \/>\nOther browser developers &#8212; Apple, Google and Microsoft &#8212; have been more active in limiting Flash.<br \/>\nSafari has frozen some Flash content since 2013, while Chrome did the same in September 2015.<br \/>\nEdge will follow suit with the release of the Aug. 2 upgrade, Windows 10 Anniversary Update.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=013350d98d&#038;e=20056c7556<\/p>\n<p>How exposed is trucking data to theft?<br \/>\nSean Kilcarr<br \/>\nThere\u2019s this new term being bandied about in corporate circles these days called \u201cknowledge assets,\u201d which means \u201cconfidential information\u201d critical to a company&#8217;s core business operations other than personal information.<br \/>\nSuch \u201cknowledge assets\u201d include things like: trade secrets; information regarding product design, development or pricing; non-public information about company internal structure, plans or relationships; and \u201ccrucial\u201d customer information, which in trucking\u2019s case can mean everything from billing numbers to data regarding specific cargoes.<br \/>\n&#8220;Companies face a serious challenge in the protection of their knowledge assets.<br \/>\nThe good news is there are steps to take to reduce the risk,&#8221; noted Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.<br \/>\n&#8220;First of all, understand the knowledge assets critical to your company and ensure they are secured,\u201d he said. 
\u201cMake sure the protection of knowledge assets, especially when sharing with third parties, is an integral part of your security strategy, including incident response plans.<br \/>\nTo address the employee negligence problem, ensure training programs specifically address employee negligence when handling sensitive and high-value data.&#8221;<br \/>\nThat\u2019s especially true for many areas in trucking, where cargo theft remains a major problem \u2013 while data breaches only amplify the issue.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8a4069c3fd&#038;e=20056c7556<\/p>\n<p>Call for Australia to appoint cyber ambassador<br \/>\nA senior official from the security services company Forcepoint has welcomed the appointment of Dan Tehan as the minister assisting Prime Minister Malcolm Turnbull for cyber security, but says that, given Tehan&#8217;s numerous roles, the appointment of a &#8220;cyber ambassador&#8221; will be key to co-ordinating Australia&#8217;s efforts in this direction.<br \/>\nBut, at the same time, he added that, given Tehan was appointed to fulfil the cyber strategy, it raised questions of whether he would be able to critically evaluate and amend the programme as cyber security threats grow.<br \/>\nTehan wears a number of hats in Turnbull&#8217;s ministry: he is minister for defence personnel, minister assisting the prime minister for the centenary of ANZAC, minister for veterans&#8217; affairs and minister assisting the prime minister for cyber security.<br \/>\nEilon said right now, Australian government agencies were operating with small budgets and could be hesitant to take steps needed to protect citizens, networks and sensitive data. 
&#8220;However, given the cost of fraud and cyber-attacks will reach $70 billion by 2020, as forecast by the Australian Computer Society, security across government should be more of a focus.&#8221;<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=00cc605fbc&#038;e=20056c7556<\/p>\n<p>The changing face of data breaches<br \/>\nHOW THE CLOUD COMPLICATES THE BREACH BUSINESS \u2014 Benjamin Powell, an attorney at WilmerHale who has handled some of the biggest data breach cases you can think of, says he\u2019s noticing a distinct trend: As companies move to the cloud and increasingly rely on cloud service providers, they\u2019re encountering different sets of problems when there\u2019s a breach.<br \/>\n\u201cIt is interesting: If you have an incident, now you have a third party involved,\u201d Powell, the former longtime general counsel for the Office of the Director of National Intelligence, told MC in a recent interview. \u201cEverything before was your own world.<br \/>\nYou now have multiple parties and players.<br \/>\nIt\u2019s just been something that as the cloud moves, it\u2019s a different kind of world as opposed to, \u2018Our servers are over there.\u2019 And you see this in the government with what they\u2019re doing in the cloud and even the intelligence community.\u201d<br \/>\nThe motive for moving to the cloud for most businesses, in Powell\u2019s anecdotal experience, is \u201cimmense computing power at a very good price point.\u201d But that raises a natural question. \u201cIs that bad for security?<br \/>\nThe answer is, it\u2019s not a \u2018good\u2019 or \u2018bad,\u2019\u201d according to Powell. 
\u201cThere are a lot of advantages to using providers who have security expertise you won\u2019t have as a company unless you\u2019re a really high-end company.\u201d<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=cb9afc48c9&#038;e=20056c7556<\/p>\n<p>Automotive Cybersecurity Best Practices<br \/>\nEXECUTIVE SUMMARY \u2013 JULY 2016<br \/>\nAs vehicles become increasingly connected and autonomous, the security and integrity of automotive systems is a top priority for the automotive industry.<br \/>\nThe Proactive Safety Principles released in January 2016 demonstrate the automotive industry\u2019s commitment to collaboratively enhance the safety of the traveling public.<br \/>\nThe objective of the fourth Principle, \u201cEnhance Automotive Cybersecurity,\u201d is to explore and employ ways to collectively address cyber threats that could present unreasonable safety or security risks.<br \/>\nThis includes the development of best practices to secure the motor vehicle ecosystem.<br \/>\nTo further this objective, the Automotive Information Sharing and Analysis Center (\u201cAuto-ISAC\u201d) has undertaken the task of creating and maintaining a series of Automotive Cybersecurity Best Practices (\u201cBest Practices\u201d).<br \/>\nThe Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties.<br \/>\nThe Best Practices expand on the Framework for Automotive Cybersecurity Best Practices (\u201cFramework\u201d) published in January 2016 by the Alliance of Automobile Manufacturers (\u201cAuto Alliance\u201d) and the Association of Global Automakers (\u201cGlobal Automakers\u201d).<br \/>\nThe Auto-ISAC closely collaborated with the two industry associations throughout Best Practices development.<br \/>\nThese Best Practices follow a 
precedent set by other ISACs and similar organizations that have developed best practices for their respective industries.<br \/>\nThe Best Practices provide guidance on how individual companies can implement the \u201cEnhance Automotive Cybersecurity\u201d Principle within their respective organizations.<br \/>\nThis document is an Executive Summary of the Best Practices content.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=0a83d8f018&#038;e=20056c7556<\/p>\n<p>Regulators&#8217; IM Crackdown May Increase Cyber Risk<br \/>\nIn April, the Office of the Comptroller of the Currency issued a bulletin specifically aimed at banks&#8217; use of internal messaging software.<br \/>\nThe bulletin was issued to &#8220;remind&#8221; banks of their obligations related to the maintenance of records, records retention and examiner access to records.<br \/>\nIn the bulletin, the OCC said it is entitled to complete access to records of bank&#8217;s internal correspondence.<br \/>\nThe agency warned that data deletion and encryption features in IM software should not be &#8220;used to prevent or impede OCC access to a bank&#8217;s books and records&#8221; and &#8220;may result in enforcement action.&#8221;<br \/>\nBut given the heavy reliance by bank personnel on IM as a communication tool for everything from back office operations to trading, the OCC&#8217;s recent guidance could impose significant hardships.<br \/>\nMoreover, the guidance runs contrary to prevailing guidance on cybersecurity, which counsels against retention of data that could be accessible to hackers but that serves no current business purpose or need.<br \/>\nWhile it is rather obvious that IMs relevant to any current litigation and regulatory action or review should be retained, banks and their counsel are pretty much left scratching their heads for the time being concerning retention of IM data that would be deemed appropriate by the OCC.<br \/>\nUntil 
more specific guidance comes from the OCC, bankers and their counsel should exercise informed discretion through dialogue with their OCC representative before deleting en masse IM data.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8d10682d56&#038;e=20056c7556<\/p>\n<p>Cyber Security Quarterly Round-Up &#8211; July 2016<br \/>\n* The EU General Data Protection Regulation has finally been approved and published in the Official Journal. The countdown to its application date of 25 May 2018 has therefore begun.<br \/>\n* The EU Network and Information Security Directive (otherwise known as the Cyber Security Directive) has finally been published in the Official Journal. Member States will now have until 9 May 2018 to adopt appropriate national legislation to comply with the Directive, with such legislation to apply from 10 May 2018.<br \/>\n* The &#8220;in-out&#8221; Referendum on the question of the UK&#8217;s membership of the EU has resulted in a majority of voters (on a turnout of approximately 72%) preferring the UK to leave the EU. The vote was 51.9% in favour of leaving, with 48.1% voting to remain. Under the terms of Article 50 of the Treaty on European Union, which governs the process, the UK must first inform the European Council of its intention to leave the EU. 
This notification triggers the two-year period specified by the Treaty for the negotiation of the terms of a Member State&#8217;s withdrawal.<br \/>\n* The European Commission adopted an adequacy decision on 12 July 2016 allowing for the transatlantic transfer of personal data from the EU to the US in accordance with the framework and principles of the EU-US Privacy Shield (the &#8220;Privacy Shield&#8221;).<br \/>\n* The Culture, Media and Sport Committee (the &#8220;Committee&#8221;) of the House of Commons has published a report in the wake of the TalkTalk cyber attack of 21 October 2015, recommending, amongst other things, that a part of CEO compensation be linked to effective cyber security.<br \/>\n* The UK government has recently confirmed that its National Cyber Security Centre (&#8220;NCSC&#8221;) will begin operations in October 2016. This newest body to be established as part of the UK&#8217;s continuing fight against Cybercrime will be headquartered in London and is to be &#8220;the authoritative voice on information security in the UK&#8221;.<br \/>\n* The European Banking Federation (&#8220;EBF&#8221;), the Global Financial Markets Association (&#8220;GFMA&#8221;) and the International Swaps and Derivatives Association (&#8220;ISDA&#8221;) have announced their intention to begin negotiations on common global cyber security, data and technology policies through a new set of common principles (the &#8220;Principles&#8221;).<br \/>\n* On 11 April 2016, the High Court of England and Wales issued its judgment in the case of Axon v Ministry of Defence [2016] EWHC 787 (QB), finding that an employer could be held vicariously liable for data protection breaches by its employees.<br \/>\n* One of the big challenges for the cyber insurance industry is assessing systemic aggregation risks. But the market is not standing still.<br \/>\n* Decentralised Autonomous Organisation (&#8220;DAO&#8221;) is an investment fund based on the Ethereum blockchain technology. 
DAO enables people to buy in to the fund by exchanging paper currency for virtual currency, known as Ether.<br \/>\n* The Hong Kong Monetary Authority (&#8220;HKMA&#8221;) issued a press release on 18 May 2016 on the launch of a &#8220;Cyber Security Fortification Initiative&#8221; (&#8220;CFI&#8221;), which is aimed at raising the level of cyber security of banks in Hong Kong. The HKMA also released a formal circular on 24 May 2016 setting out that it is a supervisory requirement for banks to implement the CFI.<br \/>\n* The Singapore government is expected to table legislation in Parliament in 2017 for a new, standalone Cyber Security Act.<br \/>\n* On 21 April 2016, Australia\u2019s federal government released its Cyber Security Strategy (&#8220;CSS&#8221;).<br \/>\n* In July 2015 we reported that the Australian Companies and Securities Commission (&#8220;ASIC&#8221;) had released \u201cReport 429: Cyber Resilience: Health Check\u201d which recommended that businesses manage their cyber security by ensuring they are able to adapt to change, reduce exposure to risks and learn from incidents when they occur.<br \/>\n* A US federal appeals court handed a major win to Microsoft when it ruled that US authorities cannot compel US tech companies to disclose email content they store on servers located outside the United States.<br \/>\n* In a case that potentially could alter the way US law enforcement seeks to obtain stored electronic data, Microsoft has challenged the constitutionality of a provision of US federal law that authorises US courts to issue gag orders forbidding it, and similar companies, from advising their customers about search warrants, court orders or subpoenas that the government employs to obtain the stored electronic communications of those customers.<br \/>\n* Proposed legislation that would have required tech companies and cloud providers to provide stored electronic data to US government investigators in an unencrypted form appears unlikely to 
receive formal legislative consideration this year.<br \/>\n* Herbert Smith Freehills has published the first edition of its global cross-border M&#038;A report, carried out in association with FT Remark, the research division of the FT. The report showed that anxieties over data protection and cyber security rules are rising up the agenda.<\/p>\n<p>Link: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=4a9d875f71&#038;e=20056c7556<\/p>\n<p>MS-ISAC official: Ransomware is top malware of concern for states, counties<br \/>\nSpeaking during a Chief Information Officer Forum at the National Association of Counties\u2019 annual conference, Gina Chapman, the senior director of operations for MS-ISAC, said ransomware attacks on the networks they monitor were on a \u201ccontinuous incline\u201d from October 2015 through May 2016.<br \/>\nDuring the October through May period, MS-ISAC observed 450 infections per month at its highest point.<br \/>\nRansomware attacks on governments declined slightly in June, Chapman said, but governments should not let their guard down \u2014 cyberattacks traditionally decrease during the summer months.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=41814afc34&#038;e=20056c7556<\/p>\n<p>CISOs need teamwork and a framework, says Chief Cybersecurity Officer at Trend Micro<br \/>\nCompanies may not fully understand the nature of modern threats, and simply placing a higher priority on security may not lead to improved measures, according to a CompTIA survey.<br \/>\nWhen it comes to the essential steps for strengthening and refining cybersecurity strategy in a large organization, Cabrera believes that a framework really comes first.<br \/>\nUnsurprisingly, he\u2019s a big fan of the NIST Cybersecurity Framework, which consists of standards, guidelines and practices that help organizations address cyber risks by aligning policy, business and 
technological approaches.<br \/>\nIt was created by the National Institute of Standards and Technology (NIST) in partnership with the US Department of Homeland Security and the private sector.<br \/>\nWhile 63% of companies have IoT devices already deployed, only 34% have security measures in place, indicating that the IoT is opening up new threat vectors but too few organizations are focused on preventing connected devices from being compromised.<br \/>\n\u201cA layered connected threat defense using Big Data analytics and machine learning will be required to bring together often disparate and overlapping security stacks where visibility and control are the biggest challenges.<br \/>\nIt is needed today but will be essential in the coming years for CISOs and their teams,\u201d explains Cabrera.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=e88f82d71c&#038;e=20056c7556<\/p>\n<p>RSA Research Shows 74% of APJ Organizations Face Significant Risk of Cyber Incidents<br \/>\nSINGAPORE, July 20, 2016 \/PRNewswire\/ &#8212; RSA CONFERENCE &#8212; RSA, The Security Division of EMC (NYSE: EMC), has announced the results of research that demonstrates organizations in Asia Pacific &#038; Japan (APJ) investing in detection and response technologies are better poised to defend against today&#8217;s advanced threats, in comparison to those primarily utilizing perimeter-based solutions.<br \/>\nThe results of the second annual RSA Cybersecurity Poverty Index found that 74% of survey respondents in the APJ region face a significant risk of cyber incidents \u2013 closely aligned to the global average of 75%.<br \/>\nMore than 200 respondents from the APJ region participated in the 2016 RSA Cybersecurity Poverty Index.<br \/>\nThe survey gave participants the chance to self-assess the maturity of their cybersecurity programs by leveraging the NIST Cybersecurity Framework (CSF) as the measuring stick.<br \/>\nThe findings 
showed that organizations continue to struggle with their ability to take proactive steps to improve their cybersecurity and risk posture.<br \/>\nIn fact, 70% of APJ-based respondents had experienced cyber incidents that negatively impacted their business operations in the past year.<br \/>\nNot surprisingly, only 23% of those organizations considered their cybersecurity strategy mature.<br \/>\nThe results also showed that organizations often delay investing in cybersecurity until they&#8217;ve undergone a major incident \u2013 typically one that impacts critical business assets.<br \/>\nThe inability of organizations to quantify their Cyber Risk Appetite (the risks they face and the potential impacts on their organizations) makes it difficult to prioritize mitigation and investment, a foundational activity for any organization looking to improve their security and risk posture.<br \/>\nThe strongest reported maturity levels were in the area of Protection.<br \/>\nHowever, perimeter-based defense solutions are proving to be increasingly ineffective over time as cyber threats become more advanced.<br \/>\nThe categories of Response and Detection were ranked least mature in the region.<br \/>\nOrganizations must focus on executing preventative strategies and improving capabilities that offer complete visibility to detect and respond to advanced threats before they can impact the business.<br \/>\nLink: http:\/\/paulgdavis.us3.lis<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.] 
And so, now the news * Size Doesn\u2019t Matter: Cyber Security and the SME * Cybersecurity Due Diligence Critical Amid Rise In Data Breaches * Mobile Security Research&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-2494","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2494","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=2494"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2494\/revisions"}],"predecessor-version":[{"id":4981,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2494\/revisions\/4981"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=2494"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=2494"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=2494"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}