Category Archives: compliance

Regulation readiness: Embracing the privacy legislation wave ahead

There are a few certainties in life. Your attempt to use the fifteen-item express checkout line with sixteen items will be denied by the seventeen-year-old cashier. The motorcycle cop will write you a $150 ticket instead of warning for going just three miles over the speed limit in your neighborhood. Your tactic of ignoring that federal privacy regulation just enacted will result in significant fines and penalties for your burgeoning business. Whatever the scenario, the … More

The post Regulation readiness: Embracing the privacy legislation wave ahead appeared first on Help Net Security.

One year of GDPR application: Europeans well aware of their digital rights

Europeans are relatively well aware of the new data protection rules, their rights and the existence of national data protection authorities, to whom they can turn for help when their rights are violated, according to the European Commission. “European citizens have become more aware of their digital rights and this is encouraging news. However, only three in ten Europeans have heard of all their new data rights. For companies, their customers’ trust is hard currency … More

The post One year of GDPR application: Europeans well aware of their digital rights appeared first on Help Net Security.

How employees and their organizations are prioritizing data privacy

Employees in the UK expressed greater understanding of privacy laws, and better training opportunities, than those in the U.S., the ObserveIT survey reveals. The survey polled 1,000 full-time employees in the United States and United Kingdom to determine their understanding of their organizations’ current privacy regulations. New policies and regulations dictating organizations’ handling of sensitive consumer information – such as the GDPR, the CCPA and Vermont’s data privacy law – have brought to light the … More

The post How employees and their organizations are prioritizing data privacy appeared first on Help Net Security.

GDPR implementation lessons can help with CCPA compliance

The ever increasing number of data breaches has made consumers more aware of how their data is being used and has emphasized the importance of keeping personal data private, says Sovan Bin, CEO and founder of cloud data management firm Odaseva. “In terms of the general public, the California Consumer Privacy Act (CCPA) is a wake-up call for consumers to know and understand their data privacy rights. They should feel free to exercise these rights … More

The post GDPR implementation lessons can help with CCPA compliance appeared first on Help Net Security.

Analytics and automation solutions to help contact center IT staff ensure compliance

91% of of contact center IT staff believe increasing contact center compliance software investment should be considered a priority in the next year. 83% of contact center professionals also said their organization’s efforts towards customer privacy and private data safety need to be improved, according to NICE. NICE’s survey, which focused on identifying the challenges of IT and compliance professionals, brought to light that 97% of those surveyed have at least one concern when it … More

The post Analytics and automation solutions to help contact center IT staff ensure compliance appeared first on Help Net Security.

Nevada Enacts New Privacy Law – Consumers Granted the Right to Opt-Out of the Sale of Personal Information

On May 29th, Nevada Governor signed into law Senate Bill 220, a new privacy law granting consumers the right to opt-out of the sale of their personal information. Nevada is the second state to grant this right, following California (CCPA). SB 220 does not provide for a specific effective date; therefore, following Nevada law, it will go into effect October 1, 2019. While similar to the “Do Not Sell” provisions of the CCPA, the SB 220 has notable differences: SB 220 defines “sale” more narrowly. SB 220 defines “sale” as the sale or licensing of personal information for monetary consideration. CCPA … Continue reading Nevada Enacts New Privacy Law – Consumers Granted the Right to Opt-Out of the Sale of Personal Information

The post Nevada Enacts New Privacy Law – Consumers Granted the Right to Opt-Out of the Sale of Personal Information appeared first on TrustArc Blog.

How organizations are managing vulnerability risks

Tripwire evaluated how organizations are managing vulnerability risks and found that more than one in four (27 percent) globally have been breached as a result of unpatched vulnerabilities, with an even higher rate in Europe (34 percent). Vulnerability management starts with visibility of the attack surface, and Tripwire’s report found that 59 percent of global organizations are able to detect new hardware and software on their networks within minutes or hours. However, this is a … More

The post How organizations are managing vulnerability risks appeared first on Help Net Security.

Why zero trust is crucial to compliance

The enterprise faces a brand new world when it comes to data privacy and security. New regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have joined PCI-DSS, HIPAA, and more than 25,000 other cybersecurity regulations passed since 2008. Together, these regulations have vastly increased the workload on security teams already stretched thin by the sheer scale and complexity of modern software business services. The challenge posed by these … More

The post Why zero trust is crucial to compliance appeared first on Help Net Security.

Handle personal data: What we forget is as important as what we remember

This spring, Facebook addressed the issue of permanence across its messaging platforms – from Instagram to Messenger to WhatsApp – with the aim to “set a new standard” for consumers’ private communication platforms. Shortly after, Telegram took it further, announcing new capabilities that enable users to delete any message in both ends of any private chat, at any time. While these announcements focus on the consumer audience, global businesses have been grappling with the same … More

The post Handle personal data: What we forget is as important as what we remember appeared first on Help Net Security.

Most global workers noticed stricter policies at work as a result of GDPR

When enforcement of the GDPR went into effect on May 25, 2018, it had worldwide implications on data protection and privacy legislation. One year later, there are conflicting sentiments from the global workforce about whether the regulation has been effective, according to Snow Software. A new survey, which polled 3,000 professionals in the United States, Europe and Asia Pacific region, found that only 39% of respondents feel their personal data is better protected since GDPR … More

The post Most global workers noticed stricter policies at work as a result of GDPR appeared first on Help Net Security.

How many adults trust companies with their personal data?

More than one third (36%) of adults aged 16–75 trust companies and organizations with their personal data more since GDPR came into effect one year ago, according to TrustArc. There are positive sentiments toward enforcement activity, and half (47%) of respondents have exercised some of their GDPR privacy rights. 57% of respondents are also more likely to use websites that have a certification mark or seal to demonstrate GDPR compliance. “The research tells a tale … More

The post How many adults trust companies with their personal data? appeared first on Help Net Security.

Data privacy: A hot-button issue for Americans one year after GDPR

The General Data Protection Regulation (GDPR) went into effect in the European Union a year ago this month. GDPR, which gives EU citizens more control over their personal data by mandating how businesses must handle that information, has attracted great interest around the world. In addition, it has inspired government officials elsewhere in the world to develop laws addressing consumer data privacy concerns. In recognition of GDPR’s first anniversary, nCipher Security conducted a survey to … More

The post Data privacy: A hot-button issue for Americans one year after GDPR appeared first on Help Net Security.

Half of companies missed GDPR deadline, 70% admit systems won’t scale

Even if given two years notice to achieve GDPR compliance, only half of companies self-reported as compliant by May 25, 2018, a DataGrail survey reveals. “The Age of Privacy: The Cost of Continuous Compliance” report benchmarks the operational impact of the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as well as sharing insights into lessons learned and attitudes toward privacy regulations. DataGrail surveyed more than 300 U.S. privacy management … More

The post Half of companies missed GDPR deadline, 70% admit systems won’t scale appeared first on Help Net Security.

Cyber Security + Compliance Controls: What Does It All Mean, Rick?

I’m sure you have all seen the Rickie Fowler commercial where the interviewer rants about all of the confusing financial terms involved with getting a mortgage. If not, you can find it below: Confusion in Cyber Security Throughout my career, I have worked with hundreds of organizations. Regardless of the vertical or size of the […]… Read More

The post Cyber Security + Compliance Controls: What Does It All Mean, Rick? appeared first on The State of Security.

Updates for Microsoft 365 help strengthen data privacy

As data continues to grow exponentially and travel across organizational boundaries, privacy and compliance professionals play an increasingly strategic role within organizations. Several updates—announced today—for Microsoft 365 provide organizations with more control and options to strengthen their data privacy practices, including:

  • New capabilities for Microsoft 365 E5 and E5 Compliance, such as the new Office 365 Advanced Message Encryption feature, data investigation capabilities, Microsoft Teams compliance features, and a new Advanced eDiscovery experience.
  • The ability to use Compliance Manager to get automated updates of security controls and create your own assessments—including on-premises and non-Microsoft applications—against any regulation or standard, so you can manage compliance across data assets in a unified way.

To learn more about these updates, read Grow and protect your business with more privacy controls from Microsoft 365.

The post Updates for Microsoft 365 help strengthen data privacy appeared first on Microsoft Security.

The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations

While many of us were focused on the European Union’s GDPR and California’s Consumer Privacy Act (CCPA), the giant on the other side of the world implemented China’s Cybersecurity Law (CSL) in June 2017. While CSL laid out broad data protection principles, there were noticeable gaps related to implementation and overall scope. To operationalize and further clarify CSL scope, the Chinese government instituted six systems: the Internet Information Content Management System; the Cybersecurity Multi-Level Protection System (MLPS); the Critical Information Infrastructure Security Protection System; the Network Products and Services Management System; the Cybersecurity Incident Management System; and the Personal Information … Continue reading The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations

The post The Giant Awakens – China’s Cybersecurity Law (CSL) and Data Protection Obligations appeared first on TrustArc Blog.

Security roundup: March 2019

We round up interesting research and reporting about security and privacy from around the web. This month: ransomware repercussions, reporting cybercrime, vulnerability volume, everyone’s noticing privacy, and feeling GDPR’s impact.

Ransom vs ruin

Hypothetical question: how long would your business hold out before paying to make a ransomware infection go away? For Apex Human Capital Management, a US payroll software company with hundreds of customers, it was less than three days. Apex confirmed the incident, but didn’t say how much it paid or reveal which strain of ransomware was involved.

Interestingly, the story suggests that the decision to pay was a consensus between the company and two external security firms. This could be because the ransomware also encrypted data at Apex’s newly minted external disaster recovery site. Most security experts strongly advise against paying extortionists to remove ransomware. With that in mind, here’s our guide to preventing ransomware. We also recommend visiting NoMoreRansom.org, which has information about infections and free decryption tools.

Bonus extra salutary security lesson: while we’re on the subject of backup failure, a “catastrophic” attack wiped the primary and backup systems of the secure email provider VFE Systems. Effectively, the lack of backup put the company out of business. As Brian Honan noted in the SANS newsletter, this case shows the impact of badly designed disaster recovery procedures.

Ready to report

If you’ve had a genuine security incident – neat segue alert! – you’ll probably need to report it to someone. That entity might be your local CERT (computer emergency response team), to a regulator, or even law enforcement. (It’s called cybercrime for a reason, after all). Security researcher Bart Blaze has developed a template for reporting a cybercrime incident which you might find useful. It’s free to download at Peerlyst (sign-in required).

By definition, a security incident will involve someone deliberately or accidentally taking advantage of a gap in an organisation’s defences. Help Net Security recently carried an op-ed arguing that it’s worth accepting that your network will be infiltrated or compromised. The key to recovering faster involves a shift in mindset and strategy from focusing on prevention to resilience. You can read the piece here. At BH Consulting, we’re big believers in the concept of resilience in security. We’ve blogged about it several times over the past year, including posts like this.

In incident response and in many aspects of security, communication will play a key role. So another helpful resource is this primer on communicating security subjects with non-experts, courtesy of SANS’ Lenny Zeltser. It takes a “plain English” approach to the subject and includes other links to help security professionals improve their messaging. Similarly, this post from Raconteur looks at language as the key to improving collaboration between a CISO and the board.

Old flaws in not-so-new bottles

More than 80 per cent of enterprise IT systems have at least one flaw listed on the Common Vulnerabilities and Exposures (CVE) list. One in five systems have more than ten such unpatched vulnerabilities. Those are some of the headline findings in the 2019 Vulnerability Statistics Report from Irish security company Edgescan.

Edgescan concluded that the average window of exposure for critical web application vulnerabilities is 69 days. Per the report, an average enterprise takes around 69 days to patch a critical vulnerability in its applications and 65 days to patch the same in its infrastructure layers. High-risk and medium-risk vulnerabilities in enterprise applications take up to 83 days and 74 days respectively to patch.

SC Magazine’s take was that many of the problems in the report come from companies lacking full visibility of all their IT assets. The full Edgescan report has even more data and conclusions and is free to download here.

From a shrug to a shun

Privacy practitioners take note: consumer attitudes to security breaches appear to be shifting at last. PCI Pal, a payment security company, found that 62 per cent of Americans and 44 per cent of Britons claim they will stop spending with a brand for several months following a hack or breach. The reputational hit from a security incident could be greater than the cost of repair. In a related story, security journalist Zack Whittaker has taken issue with the hollow promise of websites everywhere. You know the one: “We take your privacy seriously.”

If you notice this notice…

Notifications of data breaches have increased since GDPR came into force. The European Commission has revealed that companies made more than 41,000 data breach notifications in the six-month period since May 25. Individuals or organisations made more than 95,000 complaints, mostly relating to telemarketing, promotional emails and video surveillance. Help Net Security has a good writeup of the findings here.

It was a similar story in Ireland, where the Data Protection Commission saw a 70 per cent increase in reported valid data security breaches, and a 56 per cent increase in public complaints compared to 2017. The summary data is here and the full 104-page report is free to download.

Meanwhile, Brave, the privacy-focused browser developer, argues that GDPR doesn’t make doing business harder for a small company. “In fact, if purpose limitation is enforced, GDPR levels the playing field versus large digital players,” said chief policy officer Johnny Ryan.

Interesting footnote: a US insurance company, Coalition, has begun offering GDPR-specific coverage. Dark Reading’s quotes a lawyer who said insurance might be effective for risk transference but it’s untested. Much will depend on the policy’s wording, the lawyer said.

Things we liked

Lisa Forte’s excellent post draws parallels between online radicalisation and cybercrime. MORE

Want to do some malware analysis? Here’s how to set up a Windows VM for it. MORE

You give apps personal information. Then they tell Facebook (PAYWALL). MORE

Ever wondered how cybercriminals turn their digital gains into cold, hard cash? MORE

This 190-second video explains cybercrime to a layperson without using computers. MORE

Blaming the user for security failings is a dereliction of responsibility, argues Ira Winkler. MORE

Tips for improving cyber risk management. MORE

Here’s what happens when you set up an IoT camera as a honeypot. MORE

The post Security roundup: March 2019 appeared first on BH Consulting.

Why Your Data Security Strategy Should Include Data Masking

 

Data Masking/Tokenization/Anonymization replaces sensitive information with fictitious data while retaining the original data format. The data masking process lets you continue to work with your data as if it were not encrypted. Databases, business applications and collaboration software continue to work as if the data was real, but unauthorized personnel only have access to the fake data and can’t extract meaningful sensitive information.

ITAR compliance: ignorance is no excuse

The ITAR (International Traffic in Arms Regulations) legislation details what measures businesses and individuals must take to comply with ITAR requirements and specifies severe penalties, both civil and criminal, for non-compliance. The reach of the regulations is broad and suppliers of all kinds may be subject to requirements to keep sensitive information secure and restricted.

Does Data Residency Reduce Cloud Risks?

Countries are establishing data residency regulation to protect private and classified data generated from their citizen by mandating storing this information within that country (the country of origin). The theory is that the laws of the country in which the data is stored apply to that data. Large cloud providers such as Amazon, Microsoft, Salesforce are opening cloud data centers outside their home countries (Cloud Data Center Expansion Race) to satisfy these laws. The question is “Does Data Residency Reduce Cloud risks?