Identity is the foundation of security, so a robust automated identity and access management (IAM) system is by far the best way to keep your company’s information safe. It’s also a great way to increase efficiency and save money. It’s no wonder so many businesses are adopting IAM systems. The global market value of identity and access management systems has grown from $4.5 billion in 2012 to $7.1 billion in 2018. By 2021, it is … More
Security professionals who adopted a more traditional or reactive approach to their data protection and security program did not believe they would reach their digital transformation goals, according to a TITUS report. The report, “The Vital Role of Security in Digital Transformation,” is based on a survey conducted by Market Strategies International of more than 600 IT decision makers at leading brands across a diverse set of industries in the United States, Canada and the … More
The post Traditional approach to data security hindering digital transformation initiatives appeared first on Help Net Security.
It’s tough being a cybersecurity analyst these days. Over the last few years we have been repeatedly reminded of the challenge they are now facing, primarily through the steady stream of high-profile data breaches that have hit the headlines. In the last month alone Microsoft has been in the news after suffering a breach that enabled hackers to access customer email accounts, while a breach at beleaguered social giant Facebook was believed to have left … More
The post How can we give cybersecurity analysts a helping hand? appeared first on Help Net Security.
Far too many individuals who have never been victims of identity theft and financial crimes don’t understand how devastating those are to victims. “There are many victim services organizations that assist violent crime victims and the understanding of the trauma and the victim experience is not questioned (which is very appropriate and as it should be),” Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC), told Help Net Security. After all, we … More
The post Identity theft victims could lead us to accept more security-improving friction appeared first on Help Net Security.
Just after the new year I was catching up with a CISO over lunch in Pike Place Market in Seattle. We were reminiscing about how tough it is to get a security program up and running in the beginning. Pausing to dip his taco in the excellent house salsa, he commented, “Y’know, if I had to do it all over again…” and he proceeded to tell me a story. My brain twitched with possibilities—here was … More
Networks need regular cleaning just like your home, car or garage. Why? The answer is simple – poor security hygiene can lead to major data breaches. If you don’t regularly review your network, potential weaknesses and vulnerabilities will stack up. As we enter into spring cleaning season, now is as good a time as any for IT administrators and security professionals to catch up on yearly security maintenance. Here are several tasks that should be … More
The post Security spring cleaning: 5 tips for tidying up network safeguards appeared first on Help Net Security.
- Have you documented security incidents? How did you remediate those incidents?
- Do you have the result of your last business continuity test? If yes, can you share it?
- What security controls exist for your users? Do they use multifactor authentication, etc.?
- How are you maturing your security program?
- Are you ISO, SOC 1/SOC 2 and NIST compliant, and is there documentation to support this?
If you’re unsatisfied with the answers from a potential partner regarding their security, it’s OK to walk away, especially if you make the determination that working with the vendor may not be critical to your business.
- Remediation: Can you work with the vendor to remediate the technical risk?
- Compensating controls: If you cannot remediate the risks entirely, can you establish technical compensating controls to minimise or deflect the risk?
These are the policies that users of the offering should follow, such as limits on the types and amounts of data that can be entered into it securely. Some typical policy scenarios include:
- Regulatory compliance: For example, a vendor’s non-compliance could mandate you walk away from a third-party relationship.
- Contractual obligations: Are there contractual obligations in place with your existing clients that prevent you from working with vendors who don’t meet certain security and privacy standards?
- Security best practices: Ensure your policies around risk are enforced and determine whether they may conflict with your vendors’ policies.
Cloud Security should not be an afterthought
It is essential for security to be baked into the design of a new cloud service, its requirements determination, and the procurement process. In particular, the areas of security responsibility should be defined and documented with the intended cloud service provider.
Cloud does not absolve the business of its security responsibilities
All cloud service models, whether the standard Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS) models or any other, always involve three areas of security responsibility to define and document:
- Cloud Service Provider Owned
- Business Owned
- Shared (Cloud Service Provider & Business)
Regardless of the cloud model, data is always the responsibility of the business.
- Cloud Security Alliance
- PCI SSC Cloud Computing Guidelines
- NCSC Cloud Security Guidance
- Microsoft O365 Security and Compliance Blueprint UK
February was a rather quiet month for hacks and data breaches in the UK: Mumsnet reported a minor data breach following a botched upgrade, and that was about it. The month was a busy one for security updates, with Microsoft, Adobe and Cisco all releasing high numbers of patches to fix various security vulnerabilities, including several released outside of their scheduled monthly patch release cycles.
A survey by PCI Pal concluded that the consequences of a data breach had a greater impact in the UK than in the United States, in that UK customers were more likely to abandon a company that had let them down with a data breach. The business reputational impact should always be taken into consideration when assessing security risk.
I will be speaking at the e-crime Cyber Security Congress in London on 6th March 2019, on cloud security, new business metrics, future risks and priorities for 2019 and beyond.
Finally, completely out of the blue, I was informed by 4D that this blog had been picked by a team of their technical engineers and Directors as one of the best Cyber Security Blogs in the UK (The 6 Best Cyber Security Blogs - A Data Centre's Perspective). Truly humbled and in great company to be on that list.
- What's the greater risk to UK 5G, Huawei backdoors or DDoS?
- The Business of Organised Cybercrime
- Is Huawei a Threat to UK National Security?
- Customers Blame Companies not Hackers for Data Breaches
- Automotive Technologies and Cyber Security
- The 6 Best Cyber Security Blogs - A Data Centre's Perspective
- Parenting Website Mumsnet hit by Data Breach
- UK Officials Concerned over Huawei’s Presence
- UK Consumers more likely to Abandon a Breached Company according to Research
- US Military Hackers took Russian troll factory offline during midterms, report claims
- GCHQ Chief: Cyber conflict could deteriorate into a Wild West if left unchecked
- Australia’s Major Political Parties Hacked by 'state actor' ahead of Elections
- High Stress Levels Impacting CISOs Physically, Mentally
- 60,000 EU Data Breaches filed under GDPR
- Dow Jones database holding 2.4 million records of politically exposed persons
- Palisades Park receives £151,000 advance after Cyberattack
- UK Bank Customers hit by Dozens of IT shutdowns due to operational and security incidents
- Musical.ly (TikTok App) fined a Record £4.3 Million under United States COPPA
- Microsoft Patches 76 Vulnerabilities, including 20 Critical for Windows, Edge, Hyper-V, Chakra and Adobe Flash
- Microsoft Fixes IIS Vulnerability that can cause CPU usage to Soar to 100% when processing HTTP/2 requests
- Adobe Releases Fixes for 70 Vulnerabilities in Acrobat and Acrobat Reader
- Adobe issues New Out-of-Band patch for Acrobat and Reader
- RDP Flaws could allow Hackers to take over control of Systems
- Cisco rolls out Multiple Security Updates across its Product Portfolio
- Apple Patches Two Flaws Exploited in Zero-Day Attacks; also fixes FaceTime Eavesdropping Bug
- Mozilla Foundation issues Firefox Updates
- Cisco Network Assurance Engine (NAE) contains Password Vulnerability
- Cisco Patches Two Code Execution Vulnerabilities
- Carbon Black Global Threat Research Project
- 2019 CrowdStrike Global Threat Report
- Netscout Threat Landscape Report: IoT Devices Attacked Faster than Ever, DDoS Attacks up dramatically
The study bears out a shift in executive perceptions: information security is now seen as important to the business, with the modern CISO evolving from a responder into a driver of change who helps build businesses that are secure by design. The survey found that CISOs are now involved in 90% of significant business decisions, and that 25% of business executives perceive CISOs as proactively enabling digital transformation, which is a key goal for 89% of organisations surveyed by IDC.
Key findings from the research include:
- Information security is a business differentiator – Business executives think the number one reason for information security is competitive advantage and differentiation, followed by business efficiency. Just 15% of business executives think information security is a blocker of innovation, indicating that information security is no longer the ‘department of no’.
- CISOs are now boardroom players – 80% of business executives and CISOs think their personal influence has improved in the last three years. CISOs are now involved in 90% of medium or high influence boardroom decisions.
- CISOs must lead digital transformation efforts – At present, less than 25% of business executives think CISOs proactively enable digital transformation. To stay relevant, CISOs must become business enablers. They need to adopt business mindsets and push digital transformation forward, not react to it. CISOs that fail to adopt a business mindset will be replaced by more forward-thinking players.
- Focused on making security operations effective and efficient
- Engaged with the rest of the business
- Seen as key SMEs to the board
- Responding to business requests and enabling change
- Need to be part of the business change ecosystem
- Must be seen as drivers rather than responders
- CISO as entrepreneur and innovator