{"id":2503,"date":"2016-09-11T00:00:00","date_gmt":"2016-09-11T00:00:00","guid":{"rendered":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail55-atl161-mcsv-net\/"},"modified":"2021-12-30T11:41:28","modified_gmt":"2021-12-30T11:41:28","slug":"fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail55-atl161-mcsv-net","status":"publish","type":"post","link":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/2016\/09\/11\/fromreply-totodatemessage-idlist-idlist-unsubscribesendercontent-typemime-version-imail3dpaulgdavis-commail55-atl161-mcsv-net\/","title":{"rendered":"From:Reply-To:To:Date:Message-ID:List-ID:List-Unsubscribe:Sender:Content-Type:MIME-Version; i=mail=3Dpaulgdavis.com@mail55.atl161.mcsv.net;"},"content":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.]<br \/>\nAnd so, now the news<\/p>\n<p>* France and Germany urge reform to access encrypted messages<br \/>\n* The 3 Biggest Mistakes In Cybersecurity<br \/>\n* What IT Pros Need To Know About Hiring Cyber-Security Hunt Teams<br \/>\n* Best Practices For Data Center&#8217;s Physical Security<br \/>\n* 19% of shoppers would abandon a retailer that\u2019s been hacked<br \/>\n* Lost and stolen devices account for 1 in 4 breaches in the financial services sector<br \/>\n* Cybercrime in India up 300% in 3 years: Study<br \/>\n* Onapsis : Releases SAP Security In-Depth Publication for SAP HANA<br \/>\n* BeyondTrust Survey Uncovers Growing Disparity Managing Privileged Access<br \/>\n* How do you measure success when it comes to stopping Phishing attacks?<br \/>\n* How to secure your remote workers<br \/>\n* New approach needed to IT, says NIST&#8217;s top cyber scientist<br \/>\n* Security Leadership &#038; The Art Of Decision 
Making<br \/>\n* FCC proposes 5G cybersecurity requirements, asks for industry advice<br \/>\n* Traffic, jammed: New report says DDoS attacks are up 211 percent<br \/>\n* New breed of IT professional<br \/>\n* \u200bAPAC unprepared for security breaches: FireEye&#8217;s Mandiant<br \/>\n* SA\u2019s new cybercrimes law explained<br \/>\n* Get the Security Budget You Need and Spend It Wisely<br \/>\n* Data breaches: Different regions, very different impacts<\/p>\n<p>France and Germany urge reform to access encrypted messages<br \/>\nFrench Interior Minister Bernard Cazeneuve met with his German counterpart, Thomas de Maiziere, on 23 August to discuss anti-terrorism proposals.<br \/>\nFollowing the meeting, Cazeneuve told the press in Paris that France and Germany will put forward a European initiative to tackle the problem of messaging encryption used by Islamist extremists, to be discussed at the EU summit taking place on 16 September.<br \/>\nIn particular, Cazeneuve said that messaging service operators such as Telegram, which has so far been reluctant to cooperate with the authorities, should be compelled to provide access to encrypted content to terrorism investigations.<br \/>\nThe French minister urged the European Commission to pass new legislation targeting encrypted messaging services provided by both EU and non-EU companies, creating the right legal framework to strengthen national security.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=103f4ffac2&#038;e=20056c7556<\/p>\n<p>The 3 Biggest Mistakes In Cybersecurity<br \/>\nEveryone, from the small business owner, to senior executives in businesses of every shape and size are confronting a seemingly insurmountable problem: Constant and rising cyber security breaches.<br \/>\nIt seems no matter what we do, there is always someone that was hacked, a new vulnerability exploited, and millions of dollars lost.<br \/>\n1) They think cyber security is a 
technology problem.<br \/>\n2) They follow a cyber security checklist once-and-done.<br \/>\n3) They don&#8217;t have a cyber security awareness training program in place.<br \/>\nNeither structure nor strategy will help if you ignore the most important element in cyber security: People.<br \/>\nIn 2016 ISACA published the top three cybersecurity threats facing organizations in that year.<br \/>\nThey were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=50a2ab9578&#038;e=20056c7556<\/p>\n<p>What IT Pros Need To Know About Hiring Cyber-Security Hunt Teams<br \/>\nIf your organization doesn&#8217;t run its own threat analysis center, it may be worth hiring a hunt team to watch your back.<br \/>\nHere&#8217;s what you need to know.<br \/>\nAt the RSA Conference in 2015, Joshua Stevens, enterprise security architect for HP Security, gave a presentation on hunt team skill sets and on the ways analytics and visualization tools can be used to help identify cyber threats.<br \/>\nThe qualifications cited in the presentation suggest hunt team members should have advanced intrusion detection and malware analysis skills, data science and programming skills, and a creative, analytical mindset.<br \/>\nIf you try to assemble an in-house hunt team, your own personnel may have to work harder to benefit from external incidents.<br \/>\nA vendor handling many clients, however, can apply what it learned from one client to protect its other customers.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=f94435798d&#038;e=20056c7556<\/p>\n<p>Best Practices For Data Center&#8217;s Physical Security<br \/>\nThere are several criteria that you need to look into, and what we&#8217;ll be discussing here is expensive, time-consuming and resource-intensive.<br \/>\n&#8211; Constructed 
for ensuring physical protection<br \/>\nConstruct the exterior (walls, windows, and doors) of materials that provide ballistic protection.<br \/>\nIn addition, it must also provide protection on physical grounds, which means that it should have all the physical equipment in place, such as barriers, to keep intruders from sneaking inside.<br \/>\n&#8211; 24&#215;7 backup power<br \/>\n&#8211; Cages, cabinets and vaults<br \/>\nshould be strong and rigid, ensuring the safety of the equipment residing inside.<br \/>\n&#8211; Electronic access-control systems (ACSs)<br \/>\n&#8211; Provisioning process<br \/>\nAnother practice for granting entry to the facility is a structured and documented provisioning process that the individual requesting access to the data center must go through.<br \/>\n&#8211; Fire detection and fire suppression systems<br \/>\nThe structures must be hard-wired with alarms backed by fire suppression systems, assuring fire safety.<br \/>\n&#8211; Educate the entire team: Your staff must be educated about security.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=bedc189fed&#038;e=20056c7556<\/p>\n<p>19% of shoppers would abandon a retailer that\u2019s been hacked<br \/>\nThe 2016 KPMG Consumer Loss Barometer report surveyed 448 consumers in the U.S. 
and found that 19% would abandon a retailer entirely over a hack.<br \/>\nAnother 33% said that fears their personal information would be exposed would keep them from shopping at the breached retailer for more than three months.<br \/>\nThe study also looked at 100 cybersecurity executives and found that 55% said they haven&#8217;t spent money on cybersecurity in the past year and 42% said their company didn&#8217;t have a leader in charge of information security.<br \/>\nThe survey results, posted Tuesday online, found that retail and automotive industries were laggards in appointing leaders to assess cyberthreats and opportunities.<br \/>\nThe financial services and tech industries were leaders.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=4d0206c0fd&#038;e=20056c7556<\/p>\n<p>Lost and stolen devices account for 1 in 4 breaches in the financial services sector<br \/>\nBitglass is a vendor in the cloud access security broker (CASB) space.<br \/>\nWhat that means is that Bitglass is focused on ensuring organizations utilize strong security tools and processes to keep their data safe.<br \/>\nIt&#8217;s a busy space and one in which being seen as a thought leader is important; hence, Bitglass and its competitors invest lots of effort in creating content that is broadly useful to the industry.<br \/>\nThe report found that leaks within the financial services industry almost doubled between 2014 and 2015, with that increase looking set to continue through 2016.<br \/>\nAll of the U.S.&#8217;s largest banks have suffered recent leaks, and in the first half of this year alone, five of the top 20 banks in the U.S. 
disclosed breaches.<br \/>\nKey findings from the report include:<br \/>\n&#8211; 1 in 4 breaches in the financial services sector over the last several years were due to lost or stolen devices; 1 in 5 were the result of hacking.<br \/>\n&#8211; 14% of leaks can be attributed to unintended disclosures and 13% to malicious insiders.<br \/>\n&#8211; Five of the nation&#8217;s 20 largest banks have already suffered data breaches in the first half of 2016.<br \/>\n&#8211; In 2015, 87 breaches were reported in the financial services sector, up from 45 in 2014.<br \/>\n&#8211; In the first half of 2016, 37 banks have already disclosed breaches.<br \/>\n&#8211; Over 60 organizations suffered recurring breaches in the last decade, including most major banks.<br \/>\n&#8211; JP Morgan Chase, the nation&#8217;s largest bank, has suffered recurring breaches since 2007.<br \/>\nThe largest breach event, the result of a cyberattack, was widely publicized in 2014 and affected an estimated 76 million U.S. 
households.<br \/>\n&#8211; Of the three major credit bureaus, the 2015 Experian leak was the largest, affecting 15 million individuals.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=958db15de6&#038;e=20056c7556<\/p>\n<p>Cybercrime in India up 300% in 3 years: Study<br \/>\nThe study revealed that in the past, the attacks have been mostly initiated from countries like the US, Turkey, China, Brazil, Pakistan, Algeria, Europe, and the UAE, adding that with the growing adoption of the internet and smartphones, India has emerged as one of the primary targets among cyber criminals.<br \/>\nAttackers can gain control of vital systems such as nuclear plants, railways, transportation or hospitals that can subsequently lead to dire consequences such as power failures, water pollution or floods, disruption of transportation systems and loss of life, noted the study.<br \/>\nIn the US alone, there has been an increase of nearly 50 per cent in reported cyber incidents against its critical infrastructure from 2012 to 2015, it said.<br \/>\nThe Indian Computer Emergency Response Team has also reported a surge in the number of incidents handled by it, with close to 50,000 security incidents in 2015, noted the study titled &#8216;Protecting interconnected systems in the cyber era&#8217;.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=9247435b60&#038;e=20056c7556<\/p>\n<p>Onapsis : Releases SAP Security In-Depth Publication for SAP HANA<br \/>\nOnapsis, the global experts in business-critical application security, today released SAP HANA System Security Review Part 2.<br \/>\nThis publication analyzes SAP HANA Internal Communication Channels, details associated risk, and identifies how to properly audit an SAP HANA system.<br \/>\nAs the 13th edition in the SAP Security In-Depth series, SAP HANA System Security Review Part 2 describes how to update the SAP HANA platform, 
noting new improvements in each Support Package.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=8a473baa6e&#038;e=20056c7556<\/p>\n<p>BeyondTrust Survey Uncovers Growing Disparity Managing Privileged Access<br \/>\nPHOENIX&#8211;(BUSINESS WIRE)&#8211;BeyondTrust, the leading cyber security company dedicated to preventing privilege misuse and stopping unauthorized access, today unveiled the results of its definitive Privilege Benchmarking Study based on a worldwide survey of IT professionals.<br \/>\nThe study demonstrates a widening gulf between organizations that adhere to best practices for privileged access management.<br \/>\n* Top-tier companies were much more likely to have a centralized password management policy \u2013 92 percent of them do, in contrast with just 25 percent of bottom-tier organizations.<br \/>\n* Password cycling is also much more common among top-tier businesses; 76 percent of top-tiers frequently have passwords changed, whereas only 14 percent of bottom-tiers do.<br \/>\n* Credential management formed another point of distinction, with nearly three-quarters (73 percent) identifying themselves as efficient in this area, compared to 36 percent of the bottom-tier companies.<br \/>\n* More than two-thirds of top-tier companies (71 percent) can monitor privileged user sessions, and 88 percent can restrict access with a measure of granularity.<br \/>\n* Among bottom-tiers, fewer than half (49 percent) can monitor sessions, and only 37 percent have granular capabilities to restrict access.<br \/>\n* Among top-tier organizations, fully 9 out of 10 grant privileges to apps rather than users.<br \/>\n* Among bottom-tier companies, this falls to 46 percent.<\/p>\n<p>While it\u2019s vital to evaluate the risks posed by individual apps and systems, only 6 percent of bottom-tier companies have tools that provide this capability \u2013 and, shockingly, 52 percent \u201cjust know\u201d what the 
risks are.<br \/>\nMeanwhile, more than half of top-tier companies (57 percent) can make these assessments.<\/p>\n<p>Top-tier companies are also more likely to actually conduct vulnerability assessments; 91 percent do, compared to just 20 percent of bottom-tier organizations.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c31430cc64&#038;e=20056c7556<\/p>\n<p>How do you measure success when it comes to stopping Phishing attacks?<br \/>\nSome measured success based on clicks.<br \/>\nAs such, if the employees avoid 80-percent of the Phishing emails delivered during an assessment, they see that as a win.<br \/>\nFrom there, the assessment moves to focusing on the 20-percent that did click links.<br \/>\nNo two Phishing attacks (simulated or real) are alike.<br \/>\nIf an employee avoids an obvious scam based on delivery notifications, but later falls for a scam related to financial documents, that&#8217;s a problem.<br \/>\nYet, some organizations stop testing those who are successful during a given round of assessment.<br \/>\nThis has the potential to create defensive gridlock.<br \/>\nThe general feeling among defenders was that an anti-Phishing &#8220;win&#8221; was a 10 to 20-percent click rate, meaning that 80 to 90-percent of the Phishing emails that went to the organization (testing or otherwise) were unsuccessful attempts.<br \/>\nIn this case, clicks were inclusive of both links and attachments.<br \/>\nMany also agreed that a layered defensive posture, as well as continuous assessment and training will help lower the impact of Phishing, but it wouldn&#8217;t prevent it entirely.<br \/>\nInstead, better compromise detection, and improved response times should be part of any anti-Phishing program.<br \/>\n&#8220;The average failure rate (of the client) of a Phishing\/spear-Phishing campaign is usually between 60 to 80-percent &#8211; a pretty astronomical number.<br \/>\nHowever, if we carry those 
metrics through six months down the road after further security awareness training and tuning of technologies (spam filters, etc.); I&#8217;ve seen this number drop by as much as 30-percent,&#8221; Blow said.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=814c8e88d6&#038;e=20056c7556<\/p>\n<p>How to secure your remote workers<br \/>\nPublic wifi is insecure by nature\u2014it requires no authentication to connect to the network, allowing cybercriminals to easily intercept the connection and distribute malware.<br \/>\nHackers can also spoof public wifis by creating fake access points and mimicking the names of legitimate connections.<br \/>\nIf you\u2019re in a coffee shop and the shop\u2019s wifi name is COFFEE_SHOP-WIFI, they might call theirs COFFEE_SHOP_FREE_WIFI.<br \/>\nUsers would have no idea they had connected to the wrong one, since they\u2019d be able to browse the Internet with no apparent interference.<br \/>\nThose connecting to rogue access points can have all of their traffic harvested in plain text, including passwords and other sensitive company data.<br \/>\nWith the onus on remote workers to keep their machines updated, there\u2019s a lot of room for error.<br \/>\nOut-of-date software, plugins, and browsers, plus unpatched and unprotected systems leave remote employees even more vulnerable to attack.<br \/>\nRemote workers with unpatched systems are especially vulnerable to malvertising campaigns and their associated exploit kits, an estimated 70 percent of which drop ransomware payloads these days.<br \/>\nAccording to a recent survey by Osterman Research, nearly 40 percent of businesses have been victims of a ransomware attack in the last year\u2014and unprotected endpoints are part of the problem. 
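The rogue-access-point scenario described above can be caught from the client side with a few checks on a Wi-Fi scan. The script below is an added example, not code from the article or from any vendor it cites. It parses constructed rows shaped like the terse output of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi` (fields separated by ':', with the colons inside a BSSID escaped as '\:', which is how nmcli's terse mode prints them), then flags three patterns: the same SSID advertised both with WPA2 and open, a trusted SSID served by a BSSID that is not on a hypothetical allow-list, and near-duplicate names such as COFFEE_SHOP-WIFI versus COFFEE_SHOP_FREE_WIFI. The allow-list, the scan rows and the similarity threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample, shaped like `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi`
# output: ':' separates fields and ':' inside a value (the BSSID) is escaped as '\:'.
# An empty SECURITY field means an open network. None of this is a real capture.
SCAN_LINES = r"""
COFFEE_SHOP-WIFI:AA\:BB\:CC\:11\:22\:33:WPA2:72
COFFEE_SHOP-WIFI:AA\:BB\:CC\:11\:22\:34:WPA2:65
COFFEE_SHOP_FREE_WIFI:DE\:AD\:BE\:EF\:00\:01::80
COFFEE_SHOP-WIFI:DE\:AD\:BE\:EF\:00\:02::90
Neighbours5G:12\:34\:56\:78\:9A\:BC:WPA2:40
""".strip().splitlines()

# Hypothetical allow-list: SSIDs the organisation vouches for and the BSSIDs known to serve them.
TRUSTED_BSSIDS = {"COFFEE_SHOP-WIFI": {"AA:BB:CC:11:22:33", "AA:BB:CC:11:22:34"}}

_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def parse_scan(lines):
    """Turn terse nmcli rows into (ssid, bssid, security, signal) tuples."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        fields = [f.replace("\\:", ":") for f in _UNESCAPED_COLON.split(line, maxsplit=3)]
        ssid, bssid, security, signal = fields
        rows.append((ssid, bssid.upper(), security.strip(), int(signal)))
    return rows


def is_open(security):
    # nmcli prints nothing (terse mode) or "--" (table mode) for networks without encryption.
    return security in ("", "--")


def tokens(ssid):
    """Words of an SSID, lower-cased and split on punctuation: 'COFFEE_SHOP-WIFI' -> {coffee, shop, wifi}."""
    return {t for t in re.split(r"[^a-z0-9]+", ssid.lower()) if t}


def lookalike(a, b, threshold=0.6):
    """True when two different SSIDs share most of their words, or one is the other plus filler."""
    if a == b:
        return False
    ta, tb = tokens(a), tokens(b)
    if not ta or not tb:
        return False
    if ta == tb or ta <= tb or tb <= ta:
        return True
    return len(ta & tb) / len(ta | tb) >= threshold


def analyse(rows, trusted=TRUSTED_BSSIDS):
    """Return (kind, ssid, detail) findings for the three evil-twin patterns."""
    findings = []
    by_ssid = defaultdict(list)
    for ssid, bssid, security, signal in rows:
        by_ssid[ssid].append((bssid, security, signal))

    # 1. Same name broadcast both encrypted and open: the open one is the suspect twin
    #    (a twin that is also the strongest signal in the room is the classic giveaway).
    for ssid, aps in by_ssid.items():
        if len({is_open(sec) for _, sec, _ in aps}) == 2:
            for bssid, sec, _ in aps:
                if is_open(sec):
                    findings.append(("open_twin", ssid, bssid))

    # 2. A trusted name served from hardware that is not on the allow-list.
    for ssid, known in trusted.items():
        for bssid, _, _ in by_ssid.get(ssid, []):
            if bssid not in known:
                findings.append(("unknown_bssid", ssid, bssid))

    # 3. Names that differ only by punctuation or filler words such as FREE or GUEST.
    for a, b in combinations(sorted(by_ssid), 2):
        if lookalike(a, b):
            findings.append(("lookalike", a, b))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_scan(SCAN_LINES)):
        print(*finding)
```

On a real machine, feed the output of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi` to `parse_scan`. An open twin that is stronger than the legitimate network is the classic sign, but the lookalike check is only a heuristic: it will also match an innocent "CoffeeShop" against "CoffeeShop-5G", so treat its output as a prompt to ask the venue, not as proof.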
\u201cPart of the reason [that there are so many attacks] is that we have people that are using their own devices, they\u2019re using corporate devices, and also privacy regulations in the U.S. aren\u2019t as strict as in other countries,\u201d says Mike Osterman, President of Osterman Research. \u201cSo there\u2019s a lot of information that\u2019s not as protected as it needs to be, a lot of endpoints that aren\u2019t as protected.\u201d<br \/>\nHere are eight ways that businesses can better secure their remote workers.<br \/>\n&#8211; Switch to cloud-based storage.<br \/>\n&#8211; Encrypt devices, when possible.<br \/>\n&#8211; Create secure connections to the company network.<br \/>\n&#8211; Roll out automatic updates.<br \/>\n&#8211; Use an encrypted email program.<br \/>\n&#8211; Implement good password hygiene.<br \/>\n&#8211; Increase user awareness.<br \/>\n&#8211; Deploy an endpoint security program.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=66fa9428d1&#038;e=20056c7556<\/p>\n<p>New approach needed to IT, says NIST&#8217;s top cyber scientist<br \/>\nNo amount of security software, firewalls or anomaly detection systems can protect an IT infrastructure that&#8217;s fundamentally insecure and a new approach to computer architecture is required to deal with the looming cybersecurity crisis, the National Institute of Standards and Technology&#8217;s top computer security scientist told the president&#8217;s commission on long-term cybersecurity.<br \/>\nThe &#8220;only way&#8221; to address the looming cybersecurity crisis is &#8220;to build more trustworthy secure components and systems,&#8221; Ron Ross told the Commission on Enhancing National Cybersecurity during a Tuesday meeting in Minneapolis.<br \/>\nSecurity, he observed, &#8220;does not happen by accident.&#8221; Things like safety and reliability needs to be engineered in from the beginning, he argued, comparing the process to the 
&#8220;disciplined and structured approach&#8221; used to design structurally sound bridges and safe aircraft.<br \/>\nThis new approach &#8220;will require a significant investment of resources and the involvement of essential partnership including government, industry, and the academic community,&#8221; said Ross, comparing it to the moonshot of the 1960&#8217;s.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=814b6763a7&#038;e=20056c7556<\/p>\n<p>Security Leadership &#038; The Art Of Decision Making<br \/>\nWhat a classically-trained guitarist with a Master&#8217;s Degree in counseling brings to the table as head of cybersecurity and privacy at one of the world&#8217;s major healthcare organizations.<br \/>\nBishop Fox\u2019s Vincent Liu sat down recently with GE Healthcare Cybersecurity and Privacy General Manager Richard Seiersen in a wide-ranging chat about security decision making, how useful threat intelligence is, critical infrastructure, the Internet of Things, and his new book on measuring cybersecurity risk.<br \/>\nWe excerpt highlights below.<br \/>\nYou can read the full text here.<br \/>\nVincent Liu: How has decision making played a part in your role as a security leader?<br \/>\nRichard Seiersen: Most prominently, it\u2019s led me to the realization that we have more data than we think and need less than we think when managing risk.<br \/>\nIn fact, you can manage risk with nearly zero empirical data.<br \/>\nIn my new book \u201cHow to Measure Anything in Cybersecurity Risk,\u201d we call this \u201csparse data analytics.\u201d I also like to refer to it as \u201csmall data.\u201d Sparse analytics are the foundation of our security analytics maturity model.<br \/>\nVL: If you\u2019re starting out as a leader, and you want to be more \u201cdecision\u201d or \u201cmeasurement\u201d oriented, what would be a few first steps down this road?<br \/>\nRS: Remove the junk that prevents you from 
answering key questions.<br \/>\nI prefer to circumvent highs, mediums, or lows of any sort, what we call in the book \u201cuseless decompositions.\u201d Instead, I try to keep decisions to on-and-off choices.<br \/>\nWhen you have too much variation, risk can be amplified.<br \/>\nMost readers have probably heard of threat actor capability.<br \/>\nThis can be decomposed into things like nation-state, organized crime, etc.<br \/>\nWe label these \u201cuseless decomposition\u201d when used out of context.<br \/>\nVL: How useful is threat intelligence, then?<br \/>\nRS: We have to ask\u2014and not to be mystical here\u2014what threat intelligence means.<br \/>\nIf you\u2019re telling me it is an early warning system that lets me know a bad guy is trying to steal my shorts, that\u2019s fine.<br \/>\nIt allows me to prepare myself and fortify my defenses (e.g., wear a belt) at a relatively sustainable cost.<br \/>\nWhat I fear is that most threat intelligence data is probably very expensive, and oftentimes redundant noise.<br \/>\nVL: Where would you focus your energy then?<br \/>\nRS: For my money, I would focus on how I design, develop, and deploy products that persist and transmit or manage treasure.<br \/>\nConcentrate on the treasure; the bad guys have their eyes on it, and you should have your eyes directed there, too.<br \/>\nThis starts in design, and not enough of us who make products focus enough on design.<br \/>\nOf course, if you are dealing with the integration of legacy \u201ccritical infrastructure\u201d-based technology, you don\u2019t always have the tabula rasa of design from scratch.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=c816ec88ca&#038;e=20056c7556<\/p>\n<p>FCC proposes 5G cybersecurity requirements, asks for industry advice<br \/>\nThe FCC published a request Wednesday for comment on a new set of proposed 5G rules to the Federal Register focused on adding specific \u201cperformance 
requirements\u201d for developers of internet-connected devices, for example.<br \/>\n\u201cCybersecurity issues must be addressed during the design phase for the entire 5G ecosystem, including devices.<br \/>\nThis will place a premium on collaboration among all stakeholders,&#8221; said FCC Chairman Tom Wheeler during a National Press Club event on June 20. &#8220;We continue to prefer an approach that emphasizes that industry develop cybersecurity standards just as we have done in wired networks.&#8221;<br \/>\nIn addition to a structured security strategy, the FCC\u2019s 5G application process will require organizations to share their ongoing participation in threat intelligence and other data sharing programs \u2014 such initiatives include the likes of the Cyber Threat Alliance.<br \/>\nA quick review of the FCC\u2019s proposed 5G cybersecurity plan shows a six-category split, organized by a company&#8217;s security approach, coordination efforts, standards and best practices, participation with standards bodies, other security approaches and plans with information sharing organizations.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=5e9734d81b&#038;e=20056c7556<\/p>\n<p>Traffic, jammed: New report says DDoS attacks are up 211 percent<br \/>\nDistributed denial of service attacks are on the rise across the globe, as opportunistic Dark Web dealers increasingly sell hacking-as-a-service products, according to a new threat intelligence report compiled by Imperva, a California-based cybersecurity firm.<br \/>\nThe company measured threats faced by its customers during a roughly one-year time period, seeing a 211 percent year-over-year increase in attacks.<br \/>\nThe firm largely attributed this apparent growth to the establishment of several botnet operations \u2014 which serve as a platform to automate and increase attack volume \u2014 and malicious actors\u2019 ability to access greater bandwidth to help 
generate and use such weapons.<br \/>\nDark Web dealers are using these botnets, according to Imperva, to offer more effective cyber tools to would-be customers.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=e6c3a8efd4&#038;e=20056c7556<\/p>\n<p>New breed of IT professional<br \/>\nIT professionals are now integral to business decisions and have a much more visible role in protecting sensitive data.<br \/>\nThey\u2019re also increasingly expected to manage information privacy when key privacy positions aren\u2019t filled or simply don\u2019t exist.<br \/>\nIT professionals today must translate what they\u2019re seeing in their threat-intelligence and risk-management efforts into business impact.<br \/>\nIT professionals who think they can fight security and privacy battles alone have already lost the war.<br \/>\nAn open mind and flexible approach can go a long way in helping keep IT professionals relevant in today\u2019s organization.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=0b125470c2&#038;e=20056c7556<\/p>\n<p>APAC unprepared for security breaches: FireEye&#8217;s Mandiant<br \/>\nIn its latest report, Mandiant M-Trends Asia Pacific, the cyberforensics firm found that organisations across APAC allowed attackers to dwell in their environments for a median period of 520 days before discovering them &#8212; more than three times the global median of 146 days.<br \/>\nMandiant said APAC organisations cannot defend their networks from attackers because they frequently lack basic response processes and plans, threat intelligence, technology, and expertise.<br \/>\nThe report found that APAC was almost exclusively targeted by some attacker tools, with one suspected Chinese threat group, APT30, targeting highly sensitive 
political, economic, and military information for at least a decade.<br \/>\nMandiant said that during its investigations, it found that most organisations depended only on antivirus software to detect malicious persistence mechanisms.<br \/>\n&#8220;Antivirus software is a signature-based technology that cannot detect every malicious event across an entire estate,&#8221; the company said.<br \/>\n&#8220;To significantly improve, organisations must bring together the technology, threat intelligence, and expertise necessary to quickly detect and respond to cyber attacks.&#8221;<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=07fd455137&#038;e=20056c7556<\/p>\n<p>SA\u2019s new cybercrimes law explained<br \/>\nA new Cybersecurity Bill is coming into effect later this year which aims to stop cybercrime and improve security for South Africans.<br \/>\nSEAN DUFFY, Security Executive at Dimension Data Middle East &#038; Africa, explains the basics of the bill.<br \/>\nThe Cybercrimes Bill affects everyone using a computer or the Internet, or anyone who owns an information infrastructure that could be declared critical.<br \/>\nAmong others, the following individuals and organisations should take note: ordinary South African citizens or employees using the Internet, network service providers, providers of software and hardware tools, financial services providers (the Bill includes prohibited financial transactions), representatives from government departments, those involved with IT regulatory compliance, as well as information security experts.<br \/>\nThe Cybercrimes Bill consolidates South Africa\u2019s cybercrime laws, which makes successful prosecution of criminals more likely.<br \/>\nUp until now, cyber offences were charged under various acts, among others the Prevention of Organised Crime Act, and the Electronic Communications and Transactions (ECT) Act of 2002.<br \/>\nThe ECT Act seemed to govern most 
online crime, but only included three cybercrime offences.<br \/>\nPenalties on conviction are quite severe.<br \/>\nPenalties include fines of R1 million to R10 million and imprisonment of one to ten years, depending on the severity of the offence.<br \/>\nThe nature of the crime determines the penalty.<br \/>\nIncidents will happen, but it\u2019s how an organisation responds that matters.<br \/>\nGovernment is working on establishing a legal mechanism for anyone to defend themselves against cybercrime.<br \/>\nHowever, organisations need to be more proactive in their security through the use of services such as incident response plans, real-time threat management, vulnerability management and managed security services.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage2.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=09999adb35&#038;e=20056c7556<\/p>\n<p>Get the Security Budget You Need and Spend It Wisely<br \/>\nIt\u2019s challenging for a CISO to get budget for cybersecurity.<br \/>\nYour board of directors really wants to spend that IT money on projects and solutions that will expand the business and bring in more revenue.<br \/>\nThat\u2019s what your shareholders value.<br \/>\nAs breaches become more commonplace, your colleagues and customers become desensitized to the potential impact of a breach, which can downgrade their sense of urgency to protect assets in advance.<br \/>\nNew CISOs sometimes report being given no security budget at all.<br \/>\nSo how do you show that there is value in investing in cybersecurity and justify a proper security budget?<br \/>\nThere isn\u2019t an ROI in the way that most company accountants understand it.<br \/>\nMuch of the time you have to rely on your experience and judgment, as well as the competing claims of security vendors \u2014 none of which helps you build a compelling case when you are being asked to assess the return on the investment and tell the board members why they should spend their money on your 
security budget.<br \/>\nA team of researchers at the Robert H. Smith School of Business at the University of Maryland developed and refined an economics-based model to help businesses with this exact problem.<br \/>\nThe researchers produced an informative video to show the basics of the model and their research findings.<br \/>\nThe video distills years of research into a four-step process to help you determine where your security budget is best spent.<br \/>\nThe basic principles are similar to those proposed by many experienced security consultants \u2014 with some key refinements.<br \/>\nFirst, classify your assets by value in terms of cost of a potential breach as well as vulnerability to a breach.<br \/>\nThen, estimate the degree to which the solution in question will reduce the likelihood of a breach.<br \/>\nSome simple statistics then show you how to maximize the return on your cybersecurity investment.<br \/>\nSurprisingly, it\u2019s not always best to set out to protect your most obvious assets.<br \/>\nSometimes the costs of fully protecting the most vulnerable assets are impractically high.<br \/>\nFrom a business return standpoint, you may be better off protecting a larger number of less vulnerable assets.<br \/>\nThe researchers used their model against real-life scenarios and found that, for most use cases, your cybersecurity budget should not exceed 37 percent (1\/e) of the expected losses due to a security breach.<br \/>\nThis is the point at which the costs usually (but not always) start to outweigh the expected benefits.<br \/>\nThe beauty of the Gordon-Loeb model is that it gives you a framework to derive costs versus benefits for different levels of investment.<br \/>\nThey are clear that there are use cases where it does not apply, however: For example, in a case where the breach of an asset would lead to catastrophic loss.<br \/>\nNo model should be relied upon prescriptively, but going through the modeling exercise when you assess your 
security risk should at least help you review and refine your thinking.<br \/>\nLink: http:\/\/paulgdavis.us3.list-manage1.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=daa6f3cfd4&#038;e=20056c7556<\/p>\n<p>Data breaches: Different regions, very different impacts<br \/>\nA Deloitte report on the business impact of a cyber attack recently showed that 89% of the impact of a breach comes from three factors:<\/p>\n<p>Value of lost contract revenue;<br \/>\nDevaluation of trade name; and<br \/>\nLost value of customer relationships.<br \/>\nIt is important to note that these factors look quite different from an EU perspective.<br \/>\nMost EU companies are not currently required to notify regulators or customers after a data breach, as opposed to the US, where 47 out of 50 states have mandatory notification laws.<br \/>\nAs a result, several main impacts (which are felt heavily in the US) are either non-existent or less visible in the EU, including:<br \/>\n&#8211; Cost<br \/>\n&#8211; Scrutiny<br \/>\n&#8211; Pressure<br \/>\nAs a result of these differences, EU companies are less incentivised to improve cyber security.<br \/>\nThe EU market for cyber insurance is consequently less mature than in the US \u2013 where products have been developed to transfer the costs of business disruption, customer notification, and identity theft protection.<br \/>\nHowever, this situation will change over the next two years, as the EU General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive come into force in mid-2018.<br \/>\nBoth pieces of legislation will increase the number of companies and sectors that will have to report breaches to their national regulator \u2013 and possibly to customers \u2013 within 72 hours (GDPR) or without \u201cundue delay\u201d (NIS Directive) depending on the severity of the breach.<br \/>\nLink: 
http:\/\/paulgdavis.us3.list-manage.com\/track\/click?u=45bf3caf699abf9904ddc00e3&#038;id=fa8c9d7ba0&#038;e=20056c7556<br \/>\nFeedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)<\/p>\n<p>If you know someone else who would be interested in this Newsalert, please forward this email.<br \/>\nIf you want to be added to the distribution list, please click this: Subscribe to this list (http:\/\/paulgdavis.us3.list-manage2.com\/subscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a)<\/p>\n<p>Unsubscribe from this list (http:\/\/paulgdavis.us3.list-manage.com\/unsubscribe?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556&#038;c=f1a3c807cc)<br \/>\nUpdate subscription preferences (http:\/\/paulgdavis.us3.list-manage.com\/profile?u=45bf3caf699abf9904ddc00e3&#038;id=e09452545a&#038;e=20056c7556)<br \/>\n============================================================<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[From the desk of Paul G Davis &#8211; his opinion and no-one else&#8217;s, apart from those of the authors of the articles.] 
And so, now the news * France and Germany urge reform to access encrypted messages * The 3 Biggest Mistakes In Cybersecurity * What IT Pros Need To&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-2503","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2503","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=2503"}],"version-history":[{"count":1,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2503\/revisions"}],"predecessor-version":[{"id":4990,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/posts\/2503\/revisions\/4990"}],"wp:attachment":[{"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=2503"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=2503"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cybersecurityinstitute.com\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=2503"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}