Category Archives: Risk Management

The State of Ransomware: Attacks Up, Payments Down as Firms Fight Back

Ransomware isn’t going away. As noted by Infosecurity Magazine, European small and midsize businesses (SMBs) paid out almost $100 million last year to recover encrypted files. Meanwhile, Malwarebytes tracked a 90 percent increase in the number of detected ransomware attacks.

But it’s not all bad news. According to a new report from Datto, the state of ransomware is shifting. More companies are reporting attacks and fewer are paying ransoms. It’s a standoff: Ransomware-makers are doubling down on new attacks even as enterprises push back on payment.

The Current State of Ransomware

The Datto report pointed out that 4.5 percent of European SMBs fell victim to malware between 2016 and 2017. More telling, 78 percent said they experienced “business-threatening downtime” because of these attacks. Meanwhile, 97 percent of respondents said that ransomware attacks were on the rise, with 22 percent reporting multiple attacks in a single day.

What’s more, attackers are both persistent and pernicious. Eleven percent of SMBs said the same ransomware was used to attack their systems more than once, while 31 percent reported that ransomware also infected their backups, making the road to remediation much more difficult: once the backups are encrypted as well, there is nothing clean to restore from unless at least one copy is kept offline or otherwise immutable. Given these startling numbers, it’s easy to see why the current state of ransomware has companies concerned.

Breaking the Feedback Loop of Fear

The ramp up of ransomware threats has created a kind of feedback-loop culture. Companies know that they shouldn’t pay the ransom and should report the attack, but standard operating procedure has become the opposite: Pay quickly to decrypt files and keep the breach under wraps.

As noted by the Datto report, however, attitudes are changing. More businesses are now reporting attacks to authorities and supplying them with relevant data, while just 21 percent of SMBs opted to pay the ransom in 2017. That’s a solid choice, since 18 percent of firms that came up with the cash didn’t get their data back.

So what’s the best way to push back and put enterprises ahead of malware-makers? It starts with recognizing origin points. According to Tech Republic, the root causes of most successful ransomware infections are user error and phishing attacks. Basic security hygiene, solid antivirus solutions and robust security training go a long way toward taking the bite out of ransomware threats.

Meanwhile, security firms are actively researching ransomware decryption tools, ZDNet reported. The Belgian National Police and Kaspersky Lab recently released a free solution for the prolific Cryakl ransomware strain.

The biggest shift, however, comes at a corporate level. Given the ability of ransomware threats to infect any operating system and any platform at any time, organizations often take on the mantle of helpless victim inevitably compromised by bad actors.

As a result, the threat of ransomware becomes just as terrifying as the infection itself, forcing employees and IT professionals into an infinite loop of fear and frustration. With the rise of reporting, proven effectiveness of basic security training and ongoing work by security experts, however, the state of ransomware becomes a driving force for security adaptation rather than harbinger of IT apocalypse.

The post The State of Ransomware: Attacks Up, Payments Down as Firms Fight Back appeared first on Security Intelligence.

The Inconvenient Reality of Law Firm Security Challenges

When it comes to IT security-related risks, law firms are a prime target. Unfortunately, law firm security is not where it needs to be. Think about it: There’s a ton of juicy information on any given law firm network, and it’s all stored on mobile devices, email systems, web portals and more, both locally and in the cloud.

These organizations are concentrated sources of intellectual property and other sensitive business information, including:

  • Client trade secrets;
  • Attorney-client privileged information involving past, current and future cases;
  • Strategies and tactics involving approaches to litigation;
  • Details on mergers and acquisitions; and
  • Personally identifiable information (PII) as part of security incident investigations.

Not only do law firm network environments serve as an entry point to all this sensitive information, but many organizations are behind the times in terms of allocating reasonable funds to bolster security and minimize risks. This creates the perfect scenario for cybercriminals.

The Risks of an IT-Centric Approach to Law Firm Security

It’s easy for legal professionals to assume that they don’t have anything of value to cybercriminals and that their firm is not a target, but the threat is real. It might even come from inside the network in the form of a negligent or conniving employee exposing sensitive records. External threats could include competitors or foreign governments looking to disrupt legal operations or steal information.

In my experience working in the legal field, IT employees have had to lead the charge for security. Larger firms have begun hiring chief information security officers (CISOs), but many still take an IT-centric approach to security tasks, including:

  • Policy development;
  • Policy enforcement;
  • Ongoing information risk oversight; and
  • Security assessment and audit.

Whether in-house or outsourced, IT management of security functions can lead to a false sense of security among law firm partners and other stakeholders. Perhaps even more dangerous, I have seen situations in which firm partners with little to no IT or security background were in charge of security and risk management. This cost-saving shortcut to security can create more liabilities than it mitigates.

Assuring Clients and Preparing for a Breach

It’s one thing to have a dysfunctional security program, but when it becomes known, bigger issues arise. For example, when law firm clients start questioning security initiatives via those dreaded security questionnaires or, worse, a breach occurs, the core of the law firm’s business, integrity and livelihood are impacted. To nip these issues in the bud, law firms must:

  • Manage oversight of security initiatives.
  • Document security policies along with disaster recovery and incident response plans.
  • Implement reasonable security technologies, and hire the right personnel to help enforce policies and oversee sensitive information.
  • Establish a cyber liability insurance policy.
  • Conduct periodic vulnerability and penetration testing.

Preventing security breaches is a worthy goal, but security leaders must also prepare to respond to exploits and outages that will inevitably get through the organization’s defenses. Otherwise, the firm will develop a reputation for negligence and recklessness.

To demonstrate that they are integrating security into the firm’s business practices, security teams should take the following steps.

  1. Know what you’ve got, including intellectual property and PII, along with critical systems and the vendors involved.
  2. Understand how it’s all at risk, including both technical and operational risks that are placing these assets in harm’s way.
  3. Reconfigure business processes, technical controls and organizational culture to protect the data identified in the first step and mitigate the risks outlined in the second step.

Collectively, this approach to information security involves a deep understanding of how both the business and the technology operates in the course of client representation. The key is to understand that you cannot secure the things you don’t acknowledge. Overlooking both technical and nontechnical areas of the practice that deal with sensitive information will lead to a misunderstanding of how security needs to be addressed, and that’s when security breaches happen.

Laying Down the Law on Security Practices

These best practices go beyond security. The American Bar Association’s Center for Professional Responsibility documented its own industry-specific guidance for protecting client information in its “Model Rules of Professional Conduct.” These rules involve not only understanding the technologies you’re using in your law firm, but also demonstrating reasonable efforts to properly handle and secure sensitive information.

Security is not that complicated until it is. That’s why law firms should heed Stein’s Law and address security gaps now before a data breach occurs.

The post The Inconvenient Reality of Law Firm Security Challenges appeared first on Security Intelligence.

Dispel Launches Election Security Platform

Dispel, a U.S.-based company that specializes in secure communication and collaboration systems, on Thursday announced the launch of a new product designed to help protect elections against malicious cyber actors.


7 steps security leaders can take to deal with Spectre and Meltdown

Security and risk management leaders must take a pragmatic and risk-based approach to the ongoing threats posed by an entirely new class of vulnerabilities, according to Gartner. Spectre and Meltdown are the code names given to different strains of a new class of attacks that target an underlying exploitable design implementation inside the majority of computer chips manufactured over the last 20 years. Security researchers revealed three major variants of attacks in January 2018. The …

Data Risk Management, Part 3: Assessing Risk Levels of Structured Versus Unstructured Data

This is the third installment in a three-part series about data risk management. For the full story, be sure to read part 1 and part 2.

As security practitioners look to secure their organization’s crown jewels against data theft, they should consider whether there is a difference in the risk levels for securing structured versus unstructured data. This process starts with defining what exactly the organization’s crown jewels are. Once that is determined, most organizations find that they need to prioritize both structured and unstructured data based on the value they represent.

Structured data, such as data kept in a relational database, is easy to search and analyze. This includes fixed-length fields, such as Social Security numbers, and variable-length text strings, such as customer names. Examples of applications that rely on structured data contained in a relational database management system (RDBMS) include sales tracking, airline reservation, customer relationship management (CRM), electronic medical record (EMR) and inventory control systems. Structured data within an RDBMS can be easily searched using structured query language (SQL).

Unstructured data is just the opposite. It represents the lion’s share of data within any organization, has no predefined schema and uses a variety of formats. Think of emails, audio and video files, social media, mobile data, text files and so on. Unstructured data grows exponentially and constantly streams through your on-premises infrastructure, big data environments and the cloud. It can be stored in diverse repositories, whether they are NoSQL databases, data lakes or applications.

Determining Risk Levels of Structured and Unstructured Data

One thing both types of data have in common is that humans and machines can generate them. They also both represent varying risk levels to the organization. When classifying data, it’s important to consider the value that data represents to the organization and the potential implications of data loss.

For example, intellectual property, which is largely unstructured, is of great value to the organization. The theft of this data by a rival or cyberthieves could eliminate the organization’s competitive advantage and threaten its survival. On the other hand, the compromise of an email exchange about setting up a lunch date represents little threat to the organization, unless it’s between the CEO and another CEO to discuss a potential merger or acquisition. The breach of Colin Powell’s personal email account, for example, exposed a mergers and acquisitions strategy and acquisition targets, thanks to an attachment containing unstructured data in one of many stolen emails.

Structured data, such as transaction, financial and customer data, also holds great value to the organization. Because organizations have long recognized the value of this information, and because regulatory mandates require certain controls to be put in place to protect it, they have done a better job of securing structured data. The bigger issue arises when structured data is taken out of a well-fortified RDBMS and exported into a spreadsheet, cloud or partner system to be manipulated and shared with others. Once outside the existing security controls for the RDBMS, it is much harder to monitor and secure this data.

Unstructured Data Is an Easy Target

Cybercriminals are aware that critical unstructured data is a much easier target for theft than structured data that is protected by corporate firewalls, identity and access controls, encryption, database activity monitoring and more. Because organizations struggle to understand where that critical unstructured data is, how it is used and who has access to it, it can represent a bigger risk to the enterprise.

In addition, since there is so much more unstructured data than structured data, it’s harder to separate the critical from the not-so-critical to bolster protections around it. At the end of the day, it is essential to secure and control access to mission-critical structured and unstructured data. The process of identifying the data that is most critical to the success of the business will raise awareness of the potential impact of a breach.
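The discovery step described above, as an added example that is not part of the original post: a small Python scanner that looks for database-style identifiers (Social Security numbers and payment card numbers) that have escaped into unstructured files such as exported spreadsheets or saved emails. The directory walk, the file suffix list and the sample export are assumptions constructed for this example; the SSN plausibility rules and the Luhn check are the public structural rules for those identifiers, and they are what keeps a bare regular expression from flooding the report with false positives.

```python
"""Find structured identifiers that have leaked into unstructured files.

Added example for this post, not code from the original article. The
directory walk, file suffixes and sample export below are constructed
assumptions; the SSN and Luhn rules are the public structural rules.
"""
import re
from pathlib import Path
from typing import Dict, List

# SSN shape AAA-GG-SSSS. The regex matches the shape only; ssn_is_plausible()
# applies the Social Security Administration's structural rules afterwards.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Payment card shape: 13-19 digits, optionally separated by single spaces or
# dashes. Adjacent digit runs on one line can merge into one candidate, which
# is why the Luhn check below is applied before reporting a hit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """SSA rules: area is not 000, 666 or 900-999; group is not 00; serial is not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (rightmost digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return plausible SSNs and Luhn-valid card numbers found in a text blob."""
    hits: Dict[str, List[str]] = {"ssn": [], "card": []}
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            hits["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits["card"].append(digits)
    return hits


def scan_documents(docs: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Scan {name: content} and keep only the documents that contain findings."""
    report = {}
    for name, content in docs.items():
        hits = scan_text(content)
        if hits["ssn"] or hits["card"]:
            report[name] = hits
    return report


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".eml", ".md")) -> Dict[str, Dict[str, List[str]]]:
    """Read text-like files under root (assumed suffix list) and scan them."""
    docs = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                docs[str(path.relative_to(root))] = path.read_text(errors="replace")
            except OSError:
                continue        # unreadable file: skip rather than abort the whole scan
    return scan_documents(docs)


# Constructed sample: a CRM export that has left the database as a CSV.
SAMPLE_DOCS = {
    "exports/customers.csv": (
        "customer,ssn,notes\n"
        "Jane Roe,123-45-6789,renewal pending\n"
        "John Doe,000-12-3456,invalid area number\n"
        "Card on file: 4111 1111 1111 1111\n"
        "Order ref 1234567890123 is not a card\n"
    ),
    "notes/lunch.txt": "Lunch Thursday at noon?\n",
}

if __name__ == "__main__":
    for name, hits in scan_documents(SAMPLE_DOCS).items():
        print(name, hits)
```

Running it on the constructed sample reports only the CSV, with one plausible SSN and one card number; the malformed SSN and the 13-digit order reference are discarded by the structural checks rather than by the pattern. Against a real file share, point scan_tree at the root and treat each reported path as a candidate for the "crown jewels" inventory the post describes.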

Achieving the highest possible level of data security requires continuous monitoring for potential vulnerabilities and threats, combined with advanced protection and deep visibility into potential risks that may affect sensitive business data and processes. The key is to enable conversations between IT, security and line-of-business leaders to improve processes, mitigate risks, and convey meaning and value to executives.


The post Data Risk Management, Part 3: Assessing Risk Levels of Structured Versus Unstructured Data appeared first on Security Intelligence.

Data Governance: How prepared are enterprises for the impending GDPR?

Report reveals only 6% of enterprises are prepared for GDPR, with less than four months until the data privacy and security regulation goes into effect.

The post Data Governance: How prepared are enterprises for the impending GDPR? appeared first on The Cyber Security Place.

SecurityWeek RSS Feed: New Details Surface on Equifax Breach

Documents provided recently by Equifax to senators revealed that the breach suffered by the company last year may have involved types of data not mentioned in the initial disclosure of the incident.


Three Characteristics of a Successful Agile Security and Risk Management Implementation

The cost of cybercrime damage is skyrocketing. In fact, Cybersecurity Ventures’ “2017 Cybercrime Report” estimated that the total cost will reach $6 trillion annually by 2021. In addition, Verizon’s “2017 Data Breach Investigations Report” found that 81 percent of hacking-related breaches leveraged weak or stolen passwords, and 14 percent of breaches involved privilege misuse.

For these reasons, as organizations embrace cloud, automation and orchestration to support digital transformation, security is coming into sharper focus as a priority during app development. In fact, according to F5 Networks, security services account for four of the top five application services currently deployed.

The question now is, how can we create development platforms capable of addressing more frequent, complex, pervasive, disruptive and potentially disastrous security challenges? More specifically, as regulatory requirements mount and C-level leaders are increasingly held personally liable for data breaches, how can we empower organizations to successfully deploy cutting-edge technologies such as artificial intelligence (AI), quantum computing, the Internet of Things (IoT) and blockchain microsegmentation?

Fight Fire With Fire

Although many organizations are making good progress toward improving their security posture, business leaders need to change their approach and embrace new ways of implementing security natively as increasingly complex threats emerge and multiply in 2018.

This requires security teams to move beyond doing the bare minimum to meet compliance and implement proactive measures to protect enterprise data from today’s sophisticated fraudsters. A Bitglass report revealed that 87 percent of organizations had experienced at least one cyberattack during the previous year, suggesting that manual, compliance-centric approaches to data protection are no longer sufficient to address the latest cybercriminal developments, such as the use of weaponized AI in automated spear phishing attacks.

Large enterprises today already face billions of cyberthreats daily — so how can they possibly prepare for the trillions more that will surely result from the increasing use of cognitive technology in cybercriminal campaigns? Agile security and risk management (ASRM) is the only way to address these emerging challenges and empower business leaders throughout the organization to make better, more informed decisions about cyber risks.

By leveraging the power of AI and quantum computing, organizations can fight fire with fire to thwart even the savviest of threat actors. The ASRM approach enables security leaders to reduce their threat and vulnerability exposure via microsegmentation and minimize the cost of cybercrime damage through preventative measures, advanced assessments and contextualization.

What Is Agile Security and Risk Management?

In general, security management involves identifying the company’s assets and implementing policies to protect them. By extension, Agile security management is a continuous, pervasive and proactive method of protecting assets at a microsegmented level. This process involves all team members during all phases of the development life cycle.

ISO 31000 defines risk as “the effect of uncertainty on objectives.” Correspondingly, Agile risk management is an approach that continuously identifies, assesses, treats, verifies, reports and monitors vulnerabilities through all stages of the life cycle.

Three Key Principles of ASRM

These definitions may be relatively simple, but transitioning from a traditional risk management approach to an Agile framework requires a substantial transformation and a concerted effort from multiple departments and stakeholders. Security professionals should embrace the following principles of ASRM to successfully implement these strategies throughout the enterprise.

1. ASRM Is Everyone’s Job

Although security and risk experts will remain in high demand for the foreseeable future, ASRM must be continuously taught, practiced and verified by all available corporate resources, including humans and AI-powered computing devices. Companies should provide training, nonretaliatory reporting outlets and comprehensive processes to prepare all resources to deal with the upcoming wave of AI-powered cybercrime.

From full-time corporate executives to contractors, suppliers, partners, customers and computing devices, all resources must be engaged in the proactive protection of corporate assets. The IBM X-Force Command Center is a great way to help your team refine its incident response and cyberdefense skills.

2. Continuous, Iterative and Incremental ASRM Delivery

Most current review practices call for hiring a group of security, risk, compliance, governance, business assurance and legal experts to assess the compliance status of various deployments against common regulations, standards and principles. These reviews often involve a pre-established list of questions that are already widely known among business units, causing auditors to miss crucial security gaps.

Organizations are best served by engaging all their resources to implement security and risk practices throughout the entire life cycle. Just as a builder would wire a house for electricity during the early stages of construction, security and risk activities should be conducted from the initial planning and inception through to decommissioning, end-of-life or destruction.

Organizations should also conduct continuous Agile training to implement security and risk in an iterative and incremental manner. Consistent and pervasive delivery are crucial to the success of the ASRM approach. Tools such as IBM Security AppScan are tailored to assist security teams with ASRM detection, protection and prevention.

3. Top-Down and Bottom-Up ASRM Decision-Making

Hierarchical organizations and societies can grow and maintain order, yet they aren’t able to adapt to today’s decentralized, pervasive and multiplying new world of increasingly destructive cyberattacks — they just aren’t Agile enough.

In fact, for fear of being reprimanded, employees often fail to report potential threats and risks. Companies should develop bug bounty programs to promote and celebrate Agile security and risk discussions. As part of Agile daily stand-ups, security teams should test their code and review their architecture and patching posture in the context of ASRM. By generating continuous feedback regarding all Agile activities, teams can release higher-quality and higher-value features at a faster pace.

The Race Is On to Embrace ASRM Modernization

If you are still unsure about Agile security, consider that it only takes nanoseconds to steal trillions of dollars from an infiltrated environment. How many assets and future gains (e.g., intellectual property) can you afford to lose? How much damage could a professional cybercriminal inflict over the standard cyberbreach remediation period of 18 months?

To embrace better corporate agility, organizations must increase communications, create room for small, rapid failures and empower their people and AI-empowered solutions to render and own ASRM decisions. Until ASRM adoption becomes ubiquitous, enterprises of all sizes will continue to suffer data breaches, experience significant staff turnover and be targeted by corporate investment activists.

As shareholders, investors and employees, we are all entitled to true management transparency, visibility and understanding of corporate security and risk posture. In addition to the summaries that are currently published as part of annual reports for publicly traded companies, shareholders should demand evidence of ASRM modernization. Otherwise, how can they justify investing sweat equity into an organization that can be wiped out overnight like a house of cards?

ASRM requires substantial, strategic transformation. Many large organizations have already completed the first phase of transitioning their development practices from waterfall to Agile. Fully embracing ASRM is the next step along the Agile adoption journey.

The post Three Characteristics of a Successful Agile Security and Risk Management Implementation appeared first on Security Intelligence.

January’s Top Cybersecurity News Stories: Jackpotting, Cryptocurrency Mining and Other Emerging Trends

Below is a roundup of the biggest cybersecurity news stories from the past month.

January is over, and it’s time for security professionals around the world to sweep up the confetti and start digging in on their New Year’s resolutions. During the first month of 2018, we saw everything from a CPU vulnerability to advanced Internet of Things (IoT) exploits, physical ATM attacks and new cybercriminal trends driven by the cryptocurrency gold rush.

Let’s take a closer look at how these stories are shaping the cybersecurity landscape as the industry gears up for another year of escalating threats.

Taking Stock of the Top Cybersecurity News Stories From January

On Jan. 9, a Ponemon Institute report titled “What CISOs Worry About in 2018” revealed that chief information security officers (CISOs) are more worried than ever about their exposure to cyber risks. According to the study, two-thirds of security leaders believe their organizations will suffer a cyberattack or data breach this year, and many fear that third-party partners will be the vulnerability point. In addition, 70 percent of CISOs cited lack of competent staff as their top challenge. Their concerns are understandable considering that cybercriminals stole $172 billion from 978 million consumers in 20 countries last year, according to Symantec.

January also saw an explosion of cryptocurrency-related attacks. In recent weeks, threat actors made off with $400 million worth of a digital currency by penetrating Japanese cryptocurrency exchange Coincheck. That news came just days after Ernst & Young estimated that nearly $400 million worth of funds raised in initial coin offerings had been lost or stolen. That’s more than 10 percent of the proceeds.

Cryptocurrency has become a playground for attackers, who have recognized that they can score bigger payoffs by turning users’ computers into nodes on a massive coin-mining network than they can by attacking users individually. In fact, SiliconANGLE reported that ransomware attacks are on the decline as criminals seek safer and more lucrative returns in mining.

One such attack has been ongoing for more than four months, affecting an estimated 30 million users around the globe. In most cases, victims don’t even know they’ve been compromised: mining JavaScript delivered through a web page or an ad runs inside an open browser window and consumes the visitor’s CPU without installing anything on the system. Some attackers even buy their ads legitimately before replacing the contents with malicious code.

Top Exploits of 2018 So Far

In cybersecurity, there’s always something new to worry about. This month’s headache is jackpotting, a physical compromise scheme in which thieves hijack ATMs and force them to spit out cash. Brian Krebs first exposed the phenomenon, which encompasses a variety of techniques, such as using an endoscope — a device used by doctors to look inside the human body — to locate ports inside the machine where a crook can attach a cable that syncs with his or her laptop.

Voice-activated assistants have also found themselves squarely in cybercriminals’ crosshairs. According to Communications of the ACM, sound waves can be used to manipulate the sensors inside IoT devices so that they deliver incorrect readings, cause control systems to malfunction or even execute commands using voice instructions hidden in music. Because these threats arrive through analog media, they aren’t easily combated with digital protections.

Emerging Malware Trends

One thing that defines every January is predictions for the year ahead. What trends will define the security landscape in 2018? The IBM X-Force team has a few ideas.

  • Botnet attacks will become more frequent as cybercriminals exploit vulnerabilities in IoT devices. Last summer, a consortium of technology firms took down a botnet that compromised tens of thousands of Android devices using exploits in seemingly legitimate apps from the Google Play store. Any device can now potentially become a participant in a distributed denial-of-service attack (DDoS).
  • Failure to patch known vulnerabilities continues to be the primary culprit in large-scale attacks. Less than 1 percent of vulnerabilities in 2016 were considered zero-day, according to the IBM X-Force vulnerability database. Applying patches has never been more important.
  • Cloud services are presenting new attack vectors as misconfigured permissions or simple oversight leaves data exposed. Cloud databases leaked over 2 billion records in 2017, and the X-Force team asserted that server misconfigurations were responsible for 70 percent of them.
  • Thieves are increasingly extorting large ransoms for stolen high-value data. Victims in 2017 included a popular video streaming service from which preproduction versions of popular shows were stolen and several plastic surgery clinics whose photos of celebrity clients were held for ransom. With ransomware becoming a hit-or-miss proposition, attackers are focusing more on big money opportunities.
  • Phishing attacks will become more sophisticated as perpetrators use spear phishing to target individual victims, often spoofing their email accounts and writing style with personalized messages.
  • As noted above, cryptocurrency theft will soar with the growing value of blockchain-based digital money.

Risk Management Resolutions

Failure to patch is only one of the five epic security fails we outlined this month that put organizations at increased risk. Another is the tendency to become complacent once compliance is achieved on paper and neglect to update certifications and skills. A third major blunder is failure to centralize data security, which can impede efforts to keep up with the constantly shifting threat landscape.

Organizations that do not assign responsibility for data put themselves at even further risk. After all, if no one owns the data, no one is likely to protect it. Finally, failure to monitor data access enables cybercriminals to simply walk in through the front door, so to speak. It’s important to shut down access privileges immediately once an employee is terminated or otherwise leaves the company.
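The last two failures above, unowned data and unrevoked access, are checkable. As an added example that is not part of the original post, the Python below reconciles an HR roster against the accounts still enabled in an identity provider and then runs over authentication log lines to find activity dated after a leaver's termination date. The roster, the account snapshot, the log lines and the log format are all constructed assumptions for this example.

```python
"""Flag access that should have been revoked when someone left.

Added example for this post, not code from the original article. The HR
roster, the identity-provider account snapshot and the log lines are
constructed here, and the log line format is an assumption.
"""
from datetime import date, datetime
from typing import Dict, List, Optional, Set

# Constructed HR roster: username -> termination date (ISO), None if still employed.
HR_ROSTER: Dict[str, Optional[str]] = {
    "alice": None,
    "bob": "2018-01-12",
    "carol": "2018-01-20",
    "dave": None,
}

# Constructed snapshot of accounts that are still enabled in the identity provider.
ENABLED_ACCOUNTS: Set[str] = {"alice", "bob", "carol", "dave", "svc-backup"}

# Constructed authentication log. Assumed format: <ISO time> <event> user=<name> src=<ip>
AUTH_LOG = """\
2018-01-11T09:02:11Z LOGIN_OK user=bob src=10.1.4.22
2018-01-15T22:47:03Z LOGIN_OK user=bob src=203.0.113.9
2018-01-19T08:15:40Z LOGIN_OK user=carol src=10.1.4.31
2018-01-21T03:10:55Z LOGIN_FAIL user=carol src=198.51.100.4
2018-01-22T07:30:12Z LOGIN_OK user=alice src=10.1.4.10
"""


def orphaned_accounts(roster: Dict[str, Optional[str]], enabled: Set[str]) -> Dict[str, str]:
    """Enabled accounts with no current owner: terminated staff, or nobody in HR at all.

    An account HR does not know about (service or shared account) is reported too,
    because an account nobody owns is an account nobody will disable.
    """
    findings = {}
    for user in sorted(enabled):
        if user not in roster:
            findings[user] = "no HR owner"
        elif roster[user] is not None:
            findings[user] = f"owner terminated {roster[user]}"
    return findings


def parse_auth_line(line: str):
    """Split one log line into (timestamp, event, user, source)."""
    ts, event, user_kv, src_kv = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        event,
        user_kv.split("=", 1)[1],
        src_kv.split("=", 1)[1],
    )


def activity_after_termination(roster: Dict[str, Optional[str]], log_text: str) -> List[Dict[str, str]]:
    """Return log events for users whose activity is dated after their termination date.

    Failed logins count as well: an attempt against a leaver's account after the
    leaving date is a signal whether or not it succeeded.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_auth_line(line)
        term = roster.get(user)
        if term is None:
            continue            # current employee, or a user HR does not know
        if ts.date() > date.fromisoformat(term):
            hits.append({"user": user, "event": event, "time": ts.isoformat(),
                         "src": src, "terminated": term})
    return hits


if __name__ == "__main__":
    for user, why in orphaned_accounts(HR_ROSTER, ENABLED_ACCOUNTS).items():
        print(f"disable {user}: {why}")
    for hit in activity_after_termination(HR_ROSTER, AUTH_LOG):
        print(f"investigate {hit['user']}: {hit['event']} at {hit['time']} from {hit['src']}")
```

On the constructed data this flags bob and carol as enabled accounts whose owners have left, svc-backup as an account with no owner on record, bob's successful login three days after termination and the failed attempt against carol's account the day after hers. The reconciliation is only as good as the roster feed: if HR data reaches the identity team by e-mail once a month, the window this closes is a month wide.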

Consumers Warm Up to Security

IBM Security’s new “Future of Identity Study,” which surveyed nearly 4,000 adults from around the globe, revealed that consumers are beginning to prioritize security above convenience. Respondents ranked security as their top priority, over both convenience and privacy, when logging in to the majority of applications, especially apps dealing with money and financial transactions. The survey also found that biometrics are becoming mainstream, with 87 percent of consumers saying they’ll be comfortable with the technology in the future.

In addition, the study noted that although millennials have grown up with information technology, they aren’t as careful as their elders about passwords. Young people are less likely than other groups to use complex passwords and more likely to use the same password many times. However, they are also more inclined to use password managers and biometrics, which can help provide additional security layers without adding extra passwords to memorize.


Gearing Up for Six More Weeks of Winter

With the new year in full swing, the start of February is an excellent time to take stock of the past month’s cybersecurity news headlines and trends, and gear up for whatever threats will emerge in the coming weeks. It’s a lot to take in at once, but awareness of the latest shifts in the threat landscape can go a long way toward helping enterprises and individual users steer clear of the cybercriminal flavor of the month.

The post January’s Top Cybersecurity News Stories: Jackpotting, Cryptocurrency Mining and Other Emerging Trends appeared first on Security Intelligence.

What Can We Learn From the World Economic Forum’s Cyber Resilience Playbook?

When the World Economic Forum (WEF) released its “Global Risks Report 2018” in January, it also issued a new report titled “Cyber Resilience: Playbook for Public-Private Collaboration,” which aims to improve the way governments and policymakers around the world make decisions about cybersecurity. Since, as the report noted, the first line of defense is rarely the government, this framework is designed to promote collaboration both within our own borders and across the globe.

To create the framework, the WEF, in collaboration with the Boston Consulting Group, asked its experts to create an initial list of values that policymakers would need to weigh when choosing between various cyber policies. The 30 options were eventually distilled down to five key values that are central to any choice regarding cybersecurity policy: security, privacy, economic value, fairness and accountability. The remaining 25 options can be mapped to one of these five key values.

Understanding the Trade-Offs of Cyber Resilience

“While leaders are accustomed to debating cybersecurity policy topics in isolation, there is seldom reflection on whether the sum of the parts of cybersecurity policy crafted on a day-to-day basis amounts to a coherent whole.” — The World Economic Forum’s “Cyber Resilience: Playbook for Public-Private Collaboration”

The report laid out the risks and trade-offs associated with each policy choice and noted that, by now, all of the easy choices have already been exhausted. What’s left is a series of challenging decisions at the organizational, national and international levels, and the effects of these decisions are both far-reaching and long-lasting.

So how can security experts help decision-makers understand the risks and trade-offs of their policies when our world today is so polarized? The report addresses that aspect specifically, warning policymakers to avoid rhetorical simplicity, false choices and absolute positions. Instead, they should embrace nuanced reflection and discussion to connect various policy choices to the five key values.

However, policymakers in several countries have started requiring organizations to implement very specific cybersecurity processes and technologies. This drastic approach, reminiscent of the disastrous days of security by compliance, can often lead to a false sense of security — and an even worse resilience posture. A better approach is to design regulations that evolve with the conditions instead of the usual post-crisis panic. As the report put it, “Efforts should also be framed in the context of an ongoing iterative process rather than ad hoc and crisis-driven, resulting in patchwork legislation.”

The 14 Key Policy Topics

The playbook outlined 14 policy topics that lawmakers, policymakers, government officials and business leaders should consider to improve global cyber resilience. These key topics are:

  1. Research, threat sharing and the government’s role in facilitating the exchange of information;

  2. Zero-day vulnerabilities — whether governments develop or purchase them and how they should warn the private sector of their use;

  3. The liability for vulnerabilities, especially after a product is no longer supported;

  4. The attribution issue — the extent to which we can point to a particular actor as the source of an attack;

  5. How to prevent or disrupt botnets;

  6. Balancing the interests of the state with those of its own citizens;

  7. National information security roles, including which agency should be responsible for what in each country and the need for cross-border collaboration;

  8. The benefits and the drawbacks of encryption, especially as law enforcement agencies seek to implement workarounds and backdoors;

  9. Cross-border data flows and the responsibilities of each jurisdiction;

  10. Notification requirements and the level of sanctions that policymakers should mandate for breached organizations;

  11. Duty of assistance and the best ways to leverage public resources in case of cyber emergencies;

  12. Active defense and the issue of organizations taking matters into their own hands;

  13. Liability thresholds and the duty of care that organizations should be able to implement and demonstrate; and

  14. Cyber insurance and the effectiveness of incentives.

Overall Value for Multiple Stakeholders

While it may be tempting to dismiss this document as a directive aimed solely at politicians and policymakers, the playbook lays out very real risks that organizations around the world must face when dealing with their own cyber resilience capabilities. How can we talk about and decide on the best approach to keeping businesses running?

Ultimately, the WEF playbook provides a mature, approachable framework to help governments and other organizations think about the tough choices chief information security officers (CISOs) must make. These challenges are presented in clear language and supported by visuals to illustrate the interconnected nature of each choice.

In the words of the report, the framework aims to “shape a digital future that is sustainable, inclusive and trustworthy.” By promoting a standard by which governments and organizations take care to connect policies to values, the WEF is one step closer to improving cyber resilience around the globe.

The post What Can We Learn From the World Economic Forum’s Cyber Resilience Playbook appeared first on Security Intelligence.

Groundhog Day: Third-party cyber risk edition

Over the past four years, I’ve had countless conversations with hundreds of companies around third-party cyber risk issues. It’s been my personal Groundhog Day, so to speak. Regardless of sector or size of company, the conversations are almost identical as most everyone faces a similar challenge: “How can I truly manage risk from third parties where I have little or no control over their information security practices?” “I know I have massive risk from third …

Who Needs a College Degree? Filling the Skills Gap With Qualified New Collar Professionals

A college degree was once thought to guarantee a successful career. For some professions, structured coursework and vetted certification is the only way to ensure that a student is prepared to take on a challenging job. Other industries, however, don’t necessarily equate the lack of a college education to a lack of qualification. These roles are ideal for new collar professionals — that is, candidates who lack college degrees but possess relevant experience that can’t always be taught in a classroom.

New collar jobs have become gateways for people who are either changing careers or entering the private sector workforce without an academic degree. Technology jobs are plentiful and generally offer strong pathways for growth, and hiring managers are finding qualified talent coming from nontraditional sources. People who emerge from technical schools, online courses and apprentice programs may have less formal training, but make up for it with real-world experience and a fresh perspective.

Opening Technology Careers to New Collar Candidates

Many organizations are adopting this approach to talent acquisition in response to the ongoing cybersecurity skills shortage. Let’s take a look at some of the top technology jobs available to new collar professionals.

Cybersecurity Analyst

According to Cisco, there are currently 1 million unfilled cybersecurity positions around the world, making it one of the most attractive categories for job seekers. Since technology evolves on a daily basis, current experience can be as valuable as years of dedicated study. In fact, because security is so interwoven with IT, almost any experience with IT can be viewed as a qualification for a security position.

However, it’s important for job seekers to have an interest in highly detailed analysis of technical issues. These low entry-level requirements allow hiring managers to cast a wider net to find suitable applicants in a competitive market.

App Developer

Mobile applications are more than just the main entry point for businesses. Job seekers can learn much of what they need to know by using training tools available through their mobile devices and develop sample apps to showcase their abilities. Individuals can access some basic education at no charge, and they can access deeper, more detailed training via online courses as well.

Data Analyst

With so much data being generated and collected every minute, there are always new issues to resolve and insights to discover. Although machine learning is automating some of these tasks, there is still plenty of day-to-day work to be done.

Entry-level jobs such as junior data analyst generally require familiarity with database concepts, spreadsheet experience, and some sense of how businesses use and present findings from their data. Job seekers should hone their skills to include data acquisition and advanced functions. Employers should look for candidates with experience in numbers and reporting, such as those with bookkeeping backgrounds.

Network Support Specialist

Networks connect the computing world, and keeping those connections viable is critical to business. But while the requisite skills are specific and the jobs often require some kind of certification, training is available through a multitude of providers.

Technical schools are good sources to find candidates with an associate’s degree in network engineering, but a certificate issued by a network technology provider may be an even better indication that an applicant possesses the right skills. Many certification courses are offered online to help aspiring network support specialists study at their own convenience.

Multimedia Graphic Professional

Candidates with artistic skills, good design instincts and an interest in technology are well-suited for multimedia graphics positions, which involve creating visuals for websites. Applicants who have a strong social media presence may already possess these abilities. Prospective multimedia graphic designers can hone their skills by developing and posting a wide variety of graphic types. Employers can find great prospects by visiting online galleries and browsing social media platforms.

A Different Path to Success

New collar jobs offer a different path to well-paying work for those who elect to forgo a college degree. Job seekers can develop specialized training and experience in less time and at lower cost than a college degree requires. As a result, employers can tap new pools of qualified candidates who are highly motivated and loyal to their companies.

Read the complete IBM report: Addressing the Skills Gap with a New Collar Approach

The post Who Needs a College Degree? Filling the Skills Gap With Qualified New Collar Professionals appeared first on Security Intelligence.

Tenable, Cylance Disclose Revenue Metrics

Cybersecurity solutions providers Tenable and Cylance this week shared financial metrics for 2017, with both privately-held companies showing strong revenue growth.

Cylance reported revenue of more than $100 million last year, which the company says represents a year-over-year growth of 177 percent.


Highlights From the World Economic Forum’s ‘Global Risks Report 2018’

“In a world of complex and interconnected systems, feedback loops, threshold effects and cascading disruptions can lead to sudden and dramatic breakdowns.” — The World Economic Forum’s “Global Risks Report 2018”

The post Highlights From the World Economic Forum’s ‘Global Risks Report 2018’ appeared first on The Cyber Security Place.

The Rewards & Cyber Risks of Internet of Things Devices

If credit unions use Internet of Things technology to better understand and serve their accountholders they must also understand the associated cybersecurity risks and new vulnerabilities – and protect member

The post The Rewards & Cyber Risks of Internet of Things Devices appeared first on The Cyber Security Place.

Highlights From the World Economic Forum’s ‘Global Risks Report 2018’

“In a world of complex and interconnected systems, feedback loops, threshold effects and cascading disruptions can lead to sudden and dramatic breakdowns.” — The World Economic Forum’s “Global Risks Report 2018”

First came the New Year’s Eve parties, followed by New Year’s resolutions and, finally, the annual meeting of global elites at the World Economic Forum (WEF) in Davos, Switzerland, on January 23–26. Just ahead of the event, the WEF released its “Global Risks Report 2018,” a compendium of data points and analysis about the state of economic health around the world.

The report, partly based on a survey of about 1,000 of its members conducted during the second half of 2017, covers all major categories of risk, including economic, environmental, geopolitical, societal and technological. The top four concerns include recurring themes, such as inequality and unfairness, political tensions within and between countries, the environment, and cyber vulnerabilities. It is across this spectrum of global risks that the report warns of “the increased dangers of systemic breakdown,” due in part to our increasing dependence on technology.

A Sharpened Focus on Cyber Risks

For the first time in the history of the “Global Risks Report,” two technological threats — cyberattacks and data fraud or theft — ranked in the top five risks by likelihood. Cyberattacks also figured high on the impact side, coming in sixth place. The report warned of the dangers that await if global leaders don’t take stock of the issues and become more engaged in improving policies, communication, coordination and risk decisions.

As many organizations have found out the hard way in 2017, cybercriminals have access to a target space that is growing at an exponential pace. The report noted that attacks against businesses have doubled in the span of five years and are now considered part of the cost of doing business. Not surprisingly, the report mentioned the prevalence of ransomware in 2017, including mentions of WannaCry and NotPetya, and the significant costs and disruptions created by those events.

The Internet of Things (IoT) is also spotlighted in the report, but not for the technological advancements it provides. Instead, WEF noted that there are now already more IoT devices than people on the planet, and these devices, with their lack of out-of-the-box security, have already been used to launch distributed denial-of-service (DDoS) attacks at 100 gigabits per second. These events are part of a growing tally of cybercrime costs that could reach $8 trillion by 2022. The report also pointed to increasing evidence of disruptions to systems and services “that keep societies functioning,” including critical infrastructure, government agencies, banks, telecommunications and transportation.

How Cyberthreats Fit Into the Larger Picture

Cyber risks are just one of the many categories of threats that society faces today. However, the 2018 report dedicated more attention to this increasingly important issue, warning of the fragility and instability of technological systems and highlighting the uncertainty that could result from their widespread failure. WEF called out the possibility of “asymmetric economic warfare” as our modern economies increasingly rely on new technologies to drive everything from manufacturing systems to remote healthcare, and the financial infrastructure that powers our online banking and investment transactions.

Addressing the Need for Better Risk Assessment and Management

As a global barometer of economic health and a repository of top concerns, the WEF report also recommended solutions that can help us avoid the cliff. While it noted that global risks are growing in complexity and becoming pervasive with a strong potential for cascading failures, it also emphasized the need for reactions and responses to be determined and coordinated from both a local and global perspective. As 2017 has shown, knowing how best to respond to a cyber crisis is as important as all the work done prior to a breach.

While global economies have improved their ability to measure and mitigate conventional risks, they struggle to understand and address the complex risks that are found at the intersection of the various systems that make our modern world possible. The report section titled “Future Shocks” features stories that illustrate the potential impact of widespread complacency and demonstrate how rapidly risks can propagate between systems and geographic regions.

Toward the end of the “Global Risks Report,” two short essays discussed the need for resilience in complex organizations and the dangers of cognitive bias in risk management. The first essay urged businesses to consider supplementing traditional risk assessments with a “resilience lens” that considers how to improve the organization’s ability to respond to risks.

The second argued that our current understanding of why people react strongly to certain risks but not others is incomplete. It also illustrated the dangers of anchoring and confirmation bias, highlighting top leadership’s tendency to “approach risk analysis as a standalone activity to be ticked off a list, but then fall short on mitigating the risks that their analysis has identified.”

Starting the Conversation With the ‘Global Risks Report’

The “Global Risks Report,” with its focus on world-scale economic opportunities and risks, is written for enterprise leaders in plain, business-friendly language. This year, cyberthreats figure prominently among the various global risks found in our increasingly complex and interconnected world. That makes it a perfect New Year’s gift for chief information security officers (CISOs) to share with their business leaders as a way to examine common concerns and build trust through stronger communication and engagement on a topic that is critical to the survival of organizations around the world.

Listen to the podcast series: Take Back Control of Your Cybersecurity Now

The post Highlights From the World Economic Forum’s ‘Global Risks Report 2018’ appeared first on Security Intelligence.

Creating an Incident Response Checklist to Prepare for a Data Breach

When faced with an external attack or data breach, an organization is helpless unless it has an incident response plan firmly in place. The goal of such a plan is to minimize the damage of an attack, meaning that the recovery effort should take as little time as possible and avoid unnecessary costs, which include more than just money. In fact, sometimes the greatest cost of a data breach is reputational damage and the erosion of customer trust.

An incident response plan typically includes a list of processes that must be completed when a breach occurs and defines what activity actually constitutes a security incident. It also determines who is responsible for carrying out these processes. This team, usually called a cyber incident response team (CIRT), consists of security and IT professionals as well as members of the human resources, public relations and legal departments. Such a wide range of talent is necessary because, in addition to securing the technology environment, the incident response team must advise executives and communicate effectively with the public.

Listen to the podcast: Get Smarter About Disaster Response — Five Resolutions for 2018

Six Steps to Continuously Improve Your Incident Response Strategy

The SANS Institute developed a six-step framework to help organizations respond to security incidents, from the initial discovery of a breach to post-incident investigations.

  1. The first step is Preparation, which covers establishing and applying security policies, defining a detailed response strategy, determining who serves on the CIRT and developing the necessary tools.
  2. Next is Identification and Scoping, which is where incidents are detected. Prompt discovery makes it easier to control the damage and costs that result from a breach. This is usually performed by IT employees, who use log files, error messages and monitoring tools to determine how, where and when the incident occurred. Dwell time — the time between an incident’s discovery and its remediation — may vary across organizations in different locations. Since prompt identification is vital to a positive outcome, companies located in disparate global regions may need to factor this in when designing their incident response plans.
  3. The Containment/Intelligence Gathering phase focuses on stopping the threat to prevent future damage and preserving any evidence that may prove useful in a potential legal prosecution. This step also includes system backup and the short- and long-term containment measures outlined during the Preparation phase.
  4. The bulk of the Eradication/Remediation step centers on removing the actual threat from the network and restoring the system to its pre-incident state. This can be particularly challenging since data may have been lost during the incident. Any compromised credentials need to be reset at this point. Care must be taken to make sure the reset is effective and well-communicated to affected parties. After the eradication step, the system should be clear of the threat as well as any newly created files or code modifications.
  5. Recovery comes next. During this stage, the systems are put back into production and then monitored to make sure they are working properly. This phase also addresses dependencies across the system and verifies output using validation tools.
  6. The last step, Follow Up/Lessons Learned, may be the most important. The CIRT should double-check all the previous steps to confirm that they were executed correctly and itemize tasks for the next incident. Insights gleaned from a thorough review of what occurred during the incident response process can serve as CIRT training materials and comparison benchmarks for the future.

The Big Picture

While considering these individual incident response steps, it is crucial to examine how they function together as a whole. Each step has its own quirks and challenges, but the overall process should be flexible enough to influence a positive outcome.

Preparation before an incident occurs is critical to the security of any organization, but no amount of preparation can address every possible type of breach. CIRTs must be able to adapt to numerous variables during and after an attack. In addition, it may be necessary to repeat some of the steps described above once the process is complete to remove all traces of the threat.

How the entire cycle functions after all the phases are executed makes the difference between success and failure in an incident response plan. There will always be room for improvement, but this process can help organizations minimize the damage of a security breach and return to normal operations as quickly as possible.

Listen to the podcast: Get Smarter About Disaster Response — Five Resolutions for 2018

The post Creating an Incident Response Checklist to Prepare for a Data Breach appeared first on Security Intelligence.

IBM Study: Consumers Weigh in on Biometrics, Authentication and the Future of Identity

The technology and security headlines of 2017 foreshadow big changes on the horizon in the world of identity and access.

Rumors of the death of the password may have been exaggerated in the past, but major data breaches have removed any doubt that our email addresses, passwords and personal information, including Social Security numbers, are no longer sufficient to protect our identities online. At the same time, options for using more unique data, such as biometrics, for authentication are gaining popularity, with fingerprint scans already pervasive on personal devices and facial recognition moving into the mainstream with the latest smartphone models.

But while these new authentication methods are certainly picking up steam, the path to a completely passwordless world will be a long journey and, ultimately, users will lead the way.

Preparing for a New Era of Authentication

As we reach this crucial turning point in the authentication landscape, IBM commissioned a broad consumer study to better understand global and generational consumer preferences around biometrics, passwords and multifactor authentication.

IBM Security’s new “Future of Identity Study,” released today, surveyed nearly 4,000 adults around the globe. Below are some of the top findings.

  • Security is beginning to outweigh convenience. People ranked security as the highest priority, over convenience and privacy, for logging in to the majority of applications, particularly when it comes to money-related apps.
  • Biometrics are becoming mainstream. Sixty-seven percent of respondents are comfortable using biometric authentication today, while 87 percent say they’ll be comfortable with these technologies in the near future.
  • Millennials are moving beyond passwords. While 75 percent of millennials (respondents between the ages of 20 and 36) are comfortable using biometrics today, less than half are using complex passwords and 41 percent reuse passwords to access numerous accounts. Older generations showed more care with password creation, but were less inclined to adopt biometrics and multifactor authentication.

Taking a closer look at these trends, the future of identity may be closer than we think.

Read the complete IBM Study: The Future of Identity

Millennials Accelerating the End of the Password Era

Generational differences that emerged from the survey results showed that younger adults are putting less care into traditional password hygiene but are more likely to layer access with multifactor authentication, use biometrics for speed and convenience, and use password managers to secure their accounts. This could be an indication that younger generations have less confidence in passwords to begin with, thus looking to alternative methods to secure their accounts.

With millennials quickly becoming the largest generation in today’s workforce, according to a study by ManpowerGroup, these trends may impact how employers, service providers and technology companies provide access to devices and applications in the near future. Below are some additional findings on generational authentication trends.

  • Only 42 percent of millennials use complex passwords that combine special characters, numbers and letters (versus 49 percent of respondents who are 55 and older), and 41 percent reuse the same password multiple times (versus 31 percent of those aged 55+).
  • On average, people 55+ use 12 passwords, while Generation Z (ages 18 to 20) averages only five passwords. This could indicate a heavier reuse rate across a growing number of accounts.
  • Millennials are two times more likely to use a password manager (34 percent) than people over the age of 55 (17 percent).
  • Millennials are more likely to enable two-factor authentication in the wake of a breach (32 percent versus 28 percent of the general population). They are also more likely to delete an account held by a breached service provider and move to a competing one.
  • Seventy-five percent of millennials were comfortable using biometrics today, compared to 58 percent of those over age 55.

Security Trumps Convenience, Especially for Money-Related Apps

While conventional wisdom may hold that consumers value speed over all else, the survey found that consumers ranked security as a higher preference than privacy or convenience for the majority of applications, particularly for money-related applications.

The one exception to this was social media apps, where convenience took a slight edge over security, revealing a potential blind spot when it comes to protecting personal data stored on those apps.

Figure 1: Users’ top priorities when logging into various applications

Preparing for the Future of Identity

How can organizations adapt to shifting user preferences? Companies should adapt by taking advantage of flexible identity platforms that provide users with choices between multiple authentication options — for example, letting users toggle between a mobile push notification that invokes fingerprint readers on their phone and a one-time passcode.

Organizations can also balance demands for security and convenience by incorporating risk-based approaches into their access schemes. When risk levels rise, additional authentication checkpoints can be triggered — for example, when behavioral cues or connection attributes, such as device, location or IP address, signal potentially abnormal activity.
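To make the risk-based step-up described above concrete, here is an added illustration (not code from IBM or from the study) that scores a login attempt from device, country, source IP, time of day and recent failures, and maps the score to the checkpoints the user must clear; the weights, thresholds, trusted networks and sample profile are all constructed for the example.

```python
"""Risk-based step-up authentication, as an added illustration.

A login attempt is scored from connection attributes (device, country, source
IP) and behavioural cues (time of day, recent failures). Low-risk logins pass
on the password alone; higher scores trigger additional authentication
checkpoints. Weights, thresholds and networks are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed: address ranges treated as trusted (office / VPN egress).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class UserProfile:
    known_devices: frozenset
    usual_countries: frozenset
    usual_hours: range            # local hours in which logins are normal
    money_related: bool = False   # money-related apps step up sooner


@dataclass(frozen=True)
class LoginAttempt:
    device_id: str
    country: str
    source_ip: str
    hour: int                     # 0-23, local time of the attempt
    recent_failures: int          # failed password attempts in the last hour


# Constructed weights: each signal that deviates from the profile adds risk.
WEIGHTS = {
    "unknown_device": 30,
    "unusual_country": 30,
    "untrusted_network": 10,
    "unusual_hour": 10,
    "recent_failures": 20,
}


def risk_score(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one attempt; higher means more suspicious."""
    reasons = []
    if attempt.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("unusual_country")
    addr = ip_address(attempt.source_ip)
    if not any(addr in net for net in TRUSTED_NETS):
        reasons.append("untrusted_network")
    if attempt.hour not in profile.usual_hours:
        reasons.append("unusual_hour")
    if attempt.recent_failures >= 3:
        reasons.append("recent_failures")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile: UserProfile, attempt: LoginAttempt) -> Dict[str, object]:
    """Map the score to the checkpoints the user must clear.

    password only     -> score below the step-up threshold
    one extra factor  -> user chooses push + fingerprint or a one-time code
    two extra factors -> high risk; the attempt is also flagged for review
    """
    score, reasons = risk_score(profile, attempt)
    # Money-related apps step up at a lower score, matching the survey's
    # security-first preference for those applications.
    step_up_at = 20 if profile.money_related else 30
    if score < step_up_at:
        factors, review = ["password"], False
    elif score < 60:
        factors, review = ["password", "push_biometric_or_otp"], False
    else:
        factors, review = ["password", "push_biometric", "otp"], True
    return {"score": score, "reasons": reasons, "factors": factors, "review": review}


# Constructed sample profile and attempts.
ALICE = UserProfile(
    known_devices=frozenset({"laptop-a1", "phone-a2"}),
    usual_countries=frozenset({"DE"}),
    usual_hours=range(7, 20),
    money_related=True,
)
USUAL = LoginAttempt("laptop-a1", "DE", "10.20.30.40", hour=9, recent_failures=0)
NEW_PHONE = LoginAttempt("phone-x9", "DE", "198.51.100.7", hour=12, recent_failures=0)
SUSPICIOUS = LoginAttempt("phone-x9", "BR", "198.51.100.7", hour=3, recent_failures=4)

if __name__ == "__main__":
    for name, attempt in [("usual", USUAL), ("new phone", NEW_PHONE), ("suspicious", SUSPICIOUS)]:
        print(name, decide(ALICE, attempt))
```

The same evening login from an untrusted network scores 20, which steps up a money-related app but not a non-money one, so the threshold per application class is where the security/convenience balance is actually set.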

Leveraging data from the survey can also help reshape security processes for an evolving workforce. As millennial and Generation Z employees begin to dominate the workforce, organizations and businesses can adapt to younger generations’ proclivity for new technology by allowing for increased use of mobile devices as the primary authentication factor and integrating approaches that favor biometric methods or tokens in place of passwords. As always, users should follow best practices for securing their digital identities.

For additional details on the study and advice to help companies prepare for the future of authentication, download the full report.

Read the complete IBM Study on The Future of Identity

In an era where personal information is no longer private and passwords are far from unbreakable, the future of identity is now everyone’s personal business.

The post IBM Study: Consumers Weigh in on Biometrics, Authentication and the Future of Identity appeared first on Security Intelligence.

Choosing the Right Security Framework to Fit Your Business

The many challenges related to building and running an information security program can be overwhelming. The chief information security officer (CISO) is responsible for running identity and access management (IAM), data loss prevention (DLP) and many other security programs. On top of those daunting considerations are the complex areas of governance, risk and regulatory compliance.

One of the most effective ways to build and maintain these programs is to use a hybrid security framework that is customized to meet business objectives, and to define policies and procedures for implementing and managing controls in the organization. It should be tailored to outline specific security controls and regulatory requirements that impact the business.

Common Security Frameworks

To better understand security frameworks, let’s take a look at some of the most common and how they are constructed.

NIST SP 800-53

First published in 1990, National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) provides guidance to help U.S. federal government agencies comply with Federal Information Processing Standards (FIPS). Although the framework establishes security standards and guidelines for government agencies and federal information systems, it is also widely followed in the private sector. It is considered to generally represent industry best practices.

COBIT

The Information Security Audit and Control Association (ISACA) produced the Control Objectives for Information Related Technology (COBIT) framework in 1996 to focus on risk reduction in financial organizations. It is also commonly used to comply with the Sarbanes-Oxley Act (SOX). With the latest revision, COBIT has evolved to address best practices for aligning information technology functions and processes, and linking them to business strategy.

ISO 27000 Series

International Standards Organization (ISO) 27000 is a set of broad standards covering an array of privacy, confidentiality and IT security best practices published jointly with the International Electrotechnical Commission (IEC). These standards are designed to help organizations address their risks with appropriate controls.

The series includes several subset frameworks specific to various industry types. For example, ISO 27799 defines standards and best practices for the healthcare industry.

CISQ

The Consortium for IT Software Quality (CISQ) developed standards for automating the measurement of software size and structural quality. These standards, which are based on exploits identified by the SANS Institute, the Open Web Application Security Project (OWASP) and Common Weakness Enumeration (CWE), are commonly used to manage risks such as application security.

Building a Hybrid Security Framework

Organizations can also leverage a hybrid framework by choosing specific controls from other frameworks to meet their compliance requirements and business needs. Typically, hybrid models consist of cherry-picked controls from other standards that are driven by industry compliance requirements. For example, the Health Information Trust Alliance (HITRUST) framework and ISO 27799 are both used in the healthcare sector. The Cloud Security Alliance’s Cloud Control Matrix (CCM) is another hybrid framework commonly used in cloud computing.

Many frameworks have redundant characteristics, enabling security teams to map certain controls to satisfy compliance with an array of regulatory standards. An organization could, for instance, use a combination of ISO 27001, NIST 800-53 and COBIT, selecting the controls that best help it meet its business objectives.

Other hybrid examples include:

  • The Federal Risk and Authorization Management Program (FedRAMP);
  • The Health Insurance Portability and Accountability Act (HIPAA);
  • The North American Electric Reliability Corporation (NERC) critical infrastructure protection (CIP) plan;
  • The Payment Card Industry Data Security Standard (PCI DSS);
  • The American Institute of Certified Public Accountants (AICPA) Service Organization Control (SOC);
  • The Center for Internet Security (CIS) Top 20 Critical Security Controls; and
  • The FBI’s Criminal Justice Information Services Division (CJIS).

The Road Ahead

There is no such thing as a one-size-fits-all approach to security, and each framework has its pros and cons. Organizations vary in their complexity and maturity, from small, niche industries to global conglomerates and governments. For this reason, it’s important to research the available security frameworks and balance the benefits and drawbacks of each approach.

A hybrid framework can help organizations meet their unique business objectives and compliance requirements. This approach enables flexibility and ensures continued functionality as the technology and threat landscapes shift. Organizations with more basic needs might opt to become certified in an individual standard such as ISO 27000 or PCI DSS.

Whichever framework or combination of frameworks your organization selects, a comprehensive strategy to defend against potential threats while keeping data secure is more crucial than ever.

The post Choosing the Right Security Framework to Fit Your Business appeared first on Security Intelligence.

FINRA: Cyber Security Still a Major Threat to Broker-Dealers

Latest FINRA Examination Findings Reveal That Firms Have Made Progress with Cyber Security, but Problems Remain Cyber security remains “one of the principal operational risks facing broker-dealers,” according to the FINRA 2017 Examination Findings Report, and while progress has been made, many broker-dealer firms still have work to do to protect themselves against hackers. Firms… Read More

The post FINRA: Cyber Security Still a Major Threat to Broker-Dealers appeared first on .

Data Risk Management, Part 2: Who Is Ultimately Accountable When a Big Breach Happens?

This is the second installment in a three-part series about data risk management. For the full story, be sure to read part 1.

High-profile cyberattacks and data breaches shine a spotlight on an infrequently discussed organizational issue: Who is ultimately responsible for the security of mission-critical data within the enterprise?

All too often, this question is examined in the heat of post-incident response to determine who should be taken to task. Who loses his or her job for failing to protect sensitive information in the event of a massive breach? Is it the chief data officer (CDO), chief information officer (CIO), chief security officer (CSO), chief risk officer (CRO) or chief executive officer (CEO)?

Who Is Responsible for Data Risk Management?

By taking a more proactive approach to determining who should actually hold most of the responsibility and how that responsibility is divided before a data breach occurs, the C-suite can help avoid catastrophic breaches in the first place. Any such examination requires participants to agree on and understand the following:

  • Who owns the organization’s critical data/crown jewels?
  • Who knows where that critical data resides?
  • Who manages the security of that critical data?
  • Who decides what data is considered critical versus what data is deemed noncritical?
  • Who is accountable if the data is exposed?

By clearly defining lines of responsibility, it’s possible to enhance organizational processes and procedures that reinforce critical data protection. Although it’s not easy to discover all the different players who handle or are otherwise responsible for critical data, organizations can bring a greater level of accountability to those involved by identifying the players who have custodianship or a hand in accessing and processing that data. A holistic picture that provides answers to the above questions can help C-level executives cut through the complexity to better focus on managing critical data risk.

Why Is Critical Data so Hard to Defend?

For many organizations, targeted risk management will require a significant change in their current processes. It’s not uncommon for executives to assign line-of-business (LOB) managers the task of determining the acceptable risk level. Without a big-picture view of critical data risk, however, the risk is equated with not meeting financial or other business objectives rather than avoiding data threats. Spreading the task of managing data risk across multiple units, departments and stakeholders means there is no clear line of accountability.

The diffusion of responsibility for managing data risk also makes it impossible for the chief information security officer (CISO) and his or her team to prioritize securing the organization’s crown jewels. Few cross-organizational security teams actually know where the most critical data is located, and they often lack a complete understanding of what data would do the most damage if it were compromised. Without that insight, security teams have to treat all digital assets equally, essentially taking a boil-the-ocean approach to data protection.

Data Risk Management Is a Team Effort

By answering the questions listed above, organizations can determine who owns the most critical data. They can then team those data owners with IT security practitioners to prioritize protection. Data owners can take responsibility for creating the policies for what the data risk level should be and to what extent data should be protected. The CISO’s team can then take responsibility for the technical implementation and communication of these data security and privacy policies. Sharing that context allows the security team to understand what it is protecting and begin the process of prioritizing discovery, classification, hardening and monitoring mission-critical data.

Finally, the entire C-suite must be able to track the status of data risk via analytics that explain it in the context of the organization’s business objectives. Data risk management should be a proactive engagement for all members of the C-suite. But at the end of the day, it’s the CEO who should take ultimate responsibility.

Watch the on-demand webinar: Do You Speak Risk? Bring Data Security to the C-Suite

The post Data Risk Management, Part 2: Who Is Ultimately Accountable When a Big Breach Happens? appeared first on Security Intelligence.

Building the Best Incident Response Team

Incident response is one of the final frontiers of security that the majority of businesses have yet to explore. Although most have the written policies and the proper technologies, many enterprises are ill-prepared for that unexpected and often undetected security incident. This general lack of preparedness has created a “wing it” attitude over the years. Even worse, IT and security teams frequently lack clear goals, and executive management and board members are too disconnected from the security function to bridge this gap.

Management often assumes that IT and security have everything under control. After all, good money was spent on security, so things should be locked down and incidents shouldn’t occur, right? On the other hand, many IT and security professionals believe they can handle an incident and everything that comes with it. That may be true from a technical perspective, but dealing with the people and business side of a security incident is an entirely different matter that requires different people and various skill sets within the organization.

Listen to the podcast: Get Smarter About Disaster Response — Five Resolutions for 2018

Who Is Involved?

So, who needs to be on your incident response team? The answer is straightforward in many ways. Computer security-related incidents are like other business crises: You have the right people in the right roles to execute a predeveloped plan that will minimize the impact on the business.

Still, it is security, so there’s going to be politics, resistance and downright ignorance among those involved. Here are the roles that I’ve seen taking part in the response process in fully functioning security programs:

  • Legal counsel to provide oversight and guidance on steps to take or not take;
  • Executive management for decision-making at the executive/board level;
  • IT and security teams for technical guidance and execution of the initial incident response phases;
  • Compliance for assistance with incident oversight and follow up, including any breach notification or reporting that may be required;
  • Business operations for guidance and communications across departments and teams;
  • Human resources for facilitating internal communications and assisting with user-centric security policies that may have been violated;
  • Public relations expertise from someone who has experience in this area and a prepared message;
  • Outside consultants who can provide incident response, forensics and security testing expertise;
  • Vendors such as internet service providers (ISPs), cloud service providers and managed security service providers (MSSPs); and
  • Business partners that have close technical ties to your environment.

Leading With Prevention

Incident response planning should focus on prevention. It requires proactively monitoring for incidents. After an incident occurs, it involves proper containment and cleanup. The incident may affect sensitive information and thus require a formal investigation. The process and findings need to be communicated to all the parties involved — potentially including the general public. It has to have follow-up, adjustment and ongoing oversight. Every single role in the list above is required to make these things happen.

When you look at some of the biggest breaches, it seems that incident response was a fleeting thought up until the moment of detection. In many cases, it is then, and only then, that response procedures are ever considered. There’s irony in the fact that executive management and legal suddenly take an interest in security if the news media gets involved and shareholders come calling. That’s certainly not the time for security buy-in to finally happen.

Along the lines of the Chinese proverb, the best time to start developing, testing and fleshing out your incident response plan was 20 years ago. The second best time is now. The former applies to organizations that have already suffered breaches. The latter applies to everyone else.

Start Now

Get started on incident response today. The time’s going to pass anyway, so why not start now to make things right? Round up the necessary people, come up with a plan or update your existing one and run tabletop exercises with the team to see how it will all come together. Your main goal should be to maximize the chances of the plan working once it’s executed in a real-world scenario. If it does, you will come across as a true professional with a bit of security wisdom. If it doesn’t, you will come across as a harried beginner who doesn’t take security as seriously as others assumed.

In the end, your incident response team should be made up of people who are the best fit for your organization’s needs. Just make sure it includes people from outside of IT and security. As Einstein said, “We cannot solve our problems with the same thinking we used when we created them.” Change before you’re forced to. Getting all the right people involved with incident response will make a tremendous difference in your efforts not if, but when, the big incident occurs.

Learn More About IBM’s Incident Response and Intelligence Services

The post Building the Best Incident Response Team appeared first on Security Intelligence.

SecurityWeek RSS Feed: Gemalto Licensing Tool Exposes ICS, Corporate Systems to Attacks

A significant number of industrial and corporate systems may be exposed to remote attacks due to the existence of more than a dozen vulnerabilities in a protection and licensing product from Gemalto.


How to engage with the C-Suite on cyber risk management, part 4

Creating metrics to indicate risk. In part 3 of our metrics series, we discussed how KRIs help identify risks while KPIs help us measure them. In this, our final article

The post How to engage with the C-Suite on cyber risk management, part 4 appeared first on The Cyber Security Place.

Misconfigured Jenkins Servers Leak Sensitive Data

A researcher has conducted an analysis of Jenkins servers and found that many of them leak sensitive information, including ones belonging to high-profile companies.

London-based researcher Mikail Tunç used the Shodan search engine to find Jenkins servers accessible from the Internet and discovered roughly 25,000 instances.


All Cybersecurity Investments Are Not Created Equal

Cybersecurity risks are growing, with companies experiencing more security incidents and suffering greater losses per incident. In response, organizations are investing heavily in security tools. But are they investing wisely?

Recent research suggests that security spending is not as effective as it could be. Many organizations are spending heavily on traditional security tools, such as endpoint defenses, at a rate that exceeds the value of these expenditures. Meanwhile, other cybersecurity investments, such as intelligence and analytics solutions, offer more bang for the buck but do not draw the investment levels they merit.

This imbalance reflects a widespread tendency to protect against hazards that are familiar and visible, but not necessarily the most serious threats. More fundamentally, it reflects a common tendency toward tool fragmentation. In other words, security tool investments are often made in isolation to protect against particular, individual threats, rather than being integrated into a broad-based, holistic security immune system.

Getting the Most Out of Cybersecurity Investments

Accenture’s “2017 Cost of Cyber Crime Study” revealed a 62 percent increase in cyberattacks over the past five years and an average cost per attack of $11.7 million. That this pace shows no sign of slowing down is familiar news, but how effective are organizations at targeting their security spending to meet this growing and evolving threat? According to the study, not as effective as they could be.

The study assessed nine widely used security technologies: advanced perimeter controls; extensive use of data loss prevention; deployment of governance, risk and compliance; extensive deployment of encryption; automated policy management; advanced identity and access governance; automation, orchestration and machine learning; use of user behavior analytics (UBA); and security intelligence systems.

Of these, the study found that only the last three — automation, analytics and security intelligence investments — produced net cost savings. That is, they saved more in loss reduction than the security investment cost. Advanced identity and access governance broke even, while the remaining five technologies all cost more to implement than they ended up saving. The worst performers were advanced perimeter controls and extensive use of data loss prevention, which both had a relative value performance of negative 4.

Building Resilience From the Inside Out

To clarify, the study is not saying that these cybersecurity investments hinder defense efforts, only that isolated, individual investments do not always improve security functions enough to justify the cost of implementing them. The results call for a security strategy that “builds resilience from the inside out — versus only focusing on the perimeter — with an industry-specific approach.”

At one time, defending the perimeter was the top — and, virtually, the only — priority for network protection. The perimeter is still important, but threats have evolved and many organizations still retain the fortress mentality of an earlier time.

More surprising, though, is the negative return on governance, risk and compliance tools. Isn’t compliance a good thing? It is, but this is more a call for awareness than for investing too heavily in compliance-centric tools in the hopes that they will magically make regulatory challenges disappear. An audit is a good way to assess your security posture, but the goal should be to ensure that you are secure, not merely compliant.

Investing in a Security Immune System

The fundamental lesson of this study is not about which particular security tools to invest in, because every solution plays an important role in the integrated security picture. Rather, the report supports the notion that every company and every industry is different, and their needs will naturally vary.

Security needs to be integral and built in from the outset. It cannot be bolted on as an afterthought. Each security tool should be thoughtfully selected and integrated into a comprehensive security immune system that is greater than the sum of its parts and able to thwart the increasing variety of threats that come its way.

Read the interactive white paper: Why a security immune system makes sense now

The post All Cybersecurity Investments Are Not Created Equal appeared first on Security Intelligence.

Triton Malware Exploited Zero-Day in Schneider Electric Devices

The recently discovered malware known as Triton and Trisis exploited a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers in an attack aimed at a critical infrastructure organization.


The Risk Modeling Gotcha: Roles Are Like Hammers to Screws

Why do organizations continue to struggle with entitlement risk modeling? It boils down to risk being aligned to roles and role-based access. The irony is that roles were never intended to be risk models. They were once low-hanging fruit, a logical way to provide an early means of grouping users to entitlements and later associating risk to such groupings.

The Problem With Role-Based Risk Modeling

Let’s briefly step back and distinguish between groups and roles. Groups are typically bundles of individuals or entitlements that can be managed together within a single system, application or common system framework. Roles extend such groupings and can span both common and dissimilar enterprise systems and applications. The purpose of roles and groups was once to boost efficiency in managing entitlements and improve oversight of common members. Somewhere along the line, they became common tools for risk modeling.

Ultimately, security teams must determine whether each entitlement is in conflict (toxic) or not (nontoxic) with every other entitlement. That is a tall order. The unfortunate problem with using roles for risk modeling is that each time an entitlement is added to or removed from a role, the enterprise is forced to evaluate whether a new risk has been introduced.

To further complicate things, roles frequently contain multiple entitlements and even subroles with many contents. The role contents must constantly be evaluated for direct or indirect conflicts with business rules, policies and regulations that determine requirements for segregation of duties (SOD). Roles will, of course, be modified and consolidated as a common practice, and role contents will be added and removed.

The maintenance required to constantly evaluate and mitigate potential SOD risks each time a role is modified with a new or removed entitlement is impossible to effectively manage. It’s no wonder that organizations rarely achieve maturity in their risk models when they are based upon roles. The constant nature of role maintenance totally contradicts any risk maturity when specifically aligned to roles.

A Smarter Approach to Risk Modeling

A more effective approach is to separate risk models from roles — in other words, just let roles be roles. By aligning risk to static business activities, the roles can remain dynamic without disrupting risk models and resume their intended purpose of driving efficiencies in provisioning, user management and recertifications/attestations.

Business activities that largely remain unchanged are best defined by the lines of business (LOBs) or auditors, and they are easily modeled from common business process management frameworks. In fact, there is an open standard model of industry-specific business processes, and even a generic cross-industry model, available from an open community led by the American Productivity and Quality Center (APQC). The APQC community refers to these standard models as process classification frameworks (PCFs). Most business process management solutions leverage the open standard APQC PCFs, and LOBs are usually very familiar with industry-specific PCF models. LOBs and auditors commonly use these frameworks in business process management, benchmarking operations and auditing.
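To make the contrast between the two sections above concrete, here is an added example (not code from the original post or from any vendor product) of a toy segregation-of-duties (SOD) check. In the role-based model, the conflict rules are written against raw entitlements, so every edit to a role's contents (including nested subroles) forces the role to be re-evaluated. In the activity-based model, each entitlement is mapped once to a stable business activity and the conflict rules are written against those activities, so the role catalogue can change freely while the risk model stays put. All entitlement, role and activity names are constructed for the example; the activity names only loosely imitate the APQC PCF style and are not taken from it.

```python
"""Added example: role-based vs. business-activity-based SOD risk modeling.
Every name below (entitlements, roles, activities, rules) is constructed."""
import copy

# --- Role-based model: conflict rules reference raw entitlements -----------
ENTITLEMENT_CONFLICTS = {
    frozenset({"AP.create_vendor", "AP.approve_payment"}),
    frozenset({"HR.create_employee", "PAYROLL.run_payroll"}),
}

# Constructed role catalogue; a role may nest other roles as subroles.
ROLES = {
    "ap_clerk":   {"entitlements": {"AP.create_vendor", "AP.enter_invoice"}, "subroles": set()},
    "ap_manager": {"entitlements": {"AP.approve_payment"}, "subroles": {"ap_clerk"}},
    "hr_admin":   {"entitlements": {"HR.create_employee"}, "subroles": set()},
}


def effective_entitlements(role, roles=ROLES, _seen=None):
    """Flatten a role and all nested subroles into the set of entitlements it grants.
    Cyclic subrole definitions are tolerated rather than recursed into forever."""
    if _seen is None:
        _seen = set()
    if role in _seen:
        return set()
    _seen.add(role)
    ents = set(roles[role]["entitlements"])
    for sub in roles[role]["subroles"]:
        ents |= effective_entitlements(sub, roles, _seen)
    return ents


def role_sod_violations(role, roles=ROLES, conflicts=ENTITLEMENT_CONFLICTS):
    """Conflicting entitlement pairs that a single role grants by itself.
    This is the check that has to be re-run on every change to any role."""
    ents = effective_entitlements(role, roles)
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= ents)


# --- Activity-based model: conflict rules reference business activities ----
ENTITLEMENT_TO_ACTIVITY = {
    "AP.create_vendor":    "Manage vendor master data",
    "AP.enter_invoice":    "Process accounts payable",
    "AP.approve_payment":  "Approve payments",
    "HR.create_employee":  "Manage employee records",
    "PAYROLL.run_payroll": "Process payroll",
}
ACTIVITY_CONFLICTS = {
    frozenset({"Manage vendor master data", "Approve payments"}),
    frozenset({"Manage employee records", "Process payroll"}),
}


def user_activities(assigned_roles, roles=ROLES, mapping=ENTITLEMENT_TO_ACTIVITY):
    """Business activities a user can perform through all assigned roles."""
    ents = set()
    for role in assigned_roles:
        ents |= effective_entitlements(role, roles)
    return {mapping[e] for e in ents if e in mapping}


def user_sod_violations(assigned_roles, roles=ROLES, conflicts=ACTIVITY_CONFLICTS):
    """Toxic activity combinations for a user, independent of how roles are cut."""
    acts = user_activities(assigned_roles, roles)
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= acts)


def catalogue_with_entitlement(roles, role, entitlement):
    """Return a modified copy of the role catalogue (simulates routine role maintenance)."""
    new_roles = copy.deepcopy(roles)
    new_roles[role]["entitlements"].add(entitlement)
    return new_roles


if __name__ == "__main__":
    # ap_manager nests ap_clerk, so it silently grants both halves of a toxic pair.
    print("role-based, ap_manager:", role_sod_violations("ap_manager"))
    # Routine maintenance: an entitlement is added to hr_admin. The role rule
    # set and the activity rule set are both untouched, but only the activity
    # model keeps its risk definitions decoupled from the role's contents.
    changed = catalogue_with_entitlement(ROLES, "hr_admin", "PAYROLL.run_payroll")
    print("role-based, hr_admin after change:", role_sod_violations("hr_admin", changed))
    print("activity-based, user with hr_admin:", user_sod_violations(["hr_admin"], changed))
```

The user-level check in the activity model also catches a toxic combination that is split across two otherwise clean roles, which a per-role check never sees; that is the practical reason to attach risk to what a person can do rather than to how the role catalogue happens to be cut.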

At this point in time, only IBM Security Identity and Access Governance can successfully separate risk modeling from past role management, embrace the APQC PCF model and accommodate an organization’s own business activities. The solution was designed from the ground up to leverage this more effective business activity risk modeling approach. This allows security professionals to use roles the way they were originally intended instead of introducing inefficiencies into the risk management and modeling strategies.

Read the white paper: How Identity Governance became a key compliance and risk control

The post The Risk Modeling Gotcha: Roles Are Like Hammers to Screws appeared first on Security Intelligence.

What is the impact and likelihood of global risks?

The World Economic Forum, a not-for-profit foundation that each year gathers participants from around the world to discuss a wide range of global issues, has published its yearly Global Risks Report. Based on the opinions of almost 1,000 global experts and decision-makers, the top 5 global risks in 2018 in terms of likelihood are extreme weather events, natural disasters, cyber attacks, data fraud or theft, and failure of climate-change mitigation and adaptation. Cyber attacks and … More

PureSec Emerges From Stealth With Security Product for Serverless Apps

Tel Aviv, Israel-based startup PureSec emerged from stealth mode on Wednesday with a security platform designed for serverless architectures and a guide that describes the top 10 risks for serverless applications.


Shared Accounts Increasingly Problematic for Critical Infrastructure: ICS-CERT

Assessments conducted last year by the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) showed that boundary protection remains the biggest problem in critical infrastructure organizations, but identification and authentication issues have become increasingly common.


Companies Around the World are Ramping Up for GDPR — Is Yours?

General Data Protection Regulation (GDPR) is coming. It’s a wide-ranging regulation that requires both heightened protection for personal data and thorough notification to any European Union (EU) data subject whose personal data is breached. This applies to living individuals on EU soil, both citizens and noncitizens alike.

The Clock Is Ticking for GDPR Compliance

A surprising number of organization leaders seem to be taking a wait-and-see approach to GDPR. They want to see just how the law’s provisions will be carried out in practice. That’s understandable, but it might not be wise. GDPR isn’t just a toothless suggestion. It’s a serious directive, and avoiding its penalties, which can range as high as 4 percent of an enterprise’s worldwide financial turnover, is going to be an important objective for any business that does business in the EU or with EU residents.

Read the Interactive Solution Brief: Ready, Set, GDPR

As of May 25, 2018, any enterprise that handles the personal data of EU residents will face stiff penalties for data handling practices that violate the new law. The wide scope of the regulation may come as a surprise to business leaders and IT professionals outside the EU, even ones accustomed to dealing with local or national regulations of their own. Of note is that where the data resides is irrelevant — what’s important is that it belongs to an EU data subject, even if the data itself is stored elsewhere. This seems understandable enough, though some businesses worldwide are either unaware or only dimly aware of the upcoming regulation.

Until the new regulation takes full effect in May 2018, organizations are expected to make the preparations they need to meet the demands it sets forth. During this period, you should pay special attention to the preparations companies similar to yours are making for GDPR compliance. This can help you avoid being blindsided by enforcement actions.

Name, Rank and Serial Number? Not By a Long Shot

Under GDPR, personal information that your company might routinely collect, such as customer demographics, requires intense care if it can personally identify an individual. Preparation for GDPR compliance means, first of all, an enterprisewide assessment of the kind of data your organization collects or holds. You’ll need to identify personal data or — perhaps the most efficient course — treat all personal data with the same heightened level of protection. The simplest course may well be to delete nonessential personal records entirely. Remember, the high price of noncompliance can turn unprotected personal records into toxic assets.

Under GDPR, enterprises will need to carefully steward any information that could be used to identify a covered individual, including information such as:

  • Name;
  • Unique identifiers, such as social insurance account numbers;
  • Location data that can be used to pinpoint an individual;
  • Email address and other contact information; and
  • Characteristics specific to the individual, such as political opinions, religion, physical details, and special categories of data such as genetic and biometric information.

Organizations will also be expected to comply with requests to erase data belonging to individuals who do not wish for it to be held. This provision is officially known as the right to erasure (sometimes more colloquially called the right to be forgotten).

Why GDPR Preparation Isn’t Just a Day at the Park

Preparing for GDPR compliance will take time, because GDPR calls for accountability as well as compliance.

In fact, one of the most challenging elements of meeting GDPR’s requirements is one of record keeping. Companies will not only have to appropriately classify and protect personal information, but they will also have to document their compliance with the regulation. They’ll need careful record keeping so they can meet the requirement to notify affected data subjects in the event of a breach. GDPR also requires that you maintain and enforce internal data policies — time frames for data retention, for example — and these should be articulated for all stakeholders.

Equally challenging for many organizations will be the adjustments they will need to make to their internal structure to meet GDPR mandates. Both personnel and practices will be affected. GDPR compliance, for example, may call for enterprises to designate a data protection officer to represent the interest of data holders in certain circumstances, such as where required by member state law or when processing special categories of data on a large scale.

What Should You Be Doing?

Best practices can be hard to describe in depth when they concern a regulation that’s not yet in full effect. But GDPR is concrete enough that some steps are easier to identify, for example:

  • Work together. Make sure every part of your organization — from legal to accounting to sales to customer service — is aware of the implications of GDPR and operates with the common goal of meeting its requirements.
  • Assess the impact. Survey all data you hold (from customers, employees or other individuals) for all the kinds of identifiers the law affects, and make protecting them a priority. This also includes business contacts, not just consumers.
  • Plan judicious data use and collection. Identify, as closely as you can, what data will be necessary for new and ongoing projects, and use the least amount of personal data possible. At the same time, test your procedures for meeting individuals’ requests for data access or erasure. Frugal use of data will help you avoid challenges to your data practices and help reduce the risk of a breach.
  • Create a notification plan. In the event of a breach, the ability to contact the supervisory authority within 72 hours and notify affected data subjects is critical. If you don’t report the breach or can’t reach the data subjects, you may face fines and other penalties, even when the breach is no fault of your own.

As wide-sweeping as it is, GDPR is ultimately a regulation that can be tackled like any other. We think the single best thing you can be doing about GDPR compliance is setting yourself and your team in motion rather than sitting on the sidelines.

Read the Interactive Solution Brief: Ready, Set, GDPR

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. IBM does not provide legal, accounting or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.

The post Companies Around the World are Ramping Up for GDPR — Is Yours? appeared first on Security Intelligence.

The role of trust in security: Building relationships with management and employees

Massive data breaches have become the new reality, and they confirm one of the biggest challenges companies face when it comes to security: a company’s biggest shortcomings are often

The post The role of trust in security: Building relationships with management and employees appeared first on The Cyber Security Place.

Four Key Lessons From NACD’s ‘2018 Governance Outlook’ About Managing Cyber Risks

In mid-December 2017, the National Association of Corporate Directors (NACD) published its “2018 Governance Outlook: Projections on Emerging Board Matters” report, designed to highlight key areas of focus for board directors in 2018. It also offered recommendations for improving enterprise risks, including a section dedicated to cyber risks.

Four Key Takeaways From the NACD’s ‘2018 Governance Outlook’

The report — and the underlying NACD Public Company Governance Survey — found that only 49 percent of board directors are confident about management’s ability to effectively handle cyber risks. In the same vein, since there are increasing calls for cyber risks to be integrated within the enterprise risk management (ERM) system, 58 percent said it was important or very important for their boards to improve oversight of risk management in the coming year.

When it comes to cyber risks, there is a lot of room for improvement: Only 12 percent of respondents in the public governance survey said their boards had a “high level of knowledge” of cyber risks. With those numbers in mind, below are four takeaways for board directors from the report:

1. Get Engaged With Strategy and Risk Oversight

Boards should focus on what matters, and that includes organizational strategy and execution, the way risks are managed and keeping a close eye on cyber risks. Since board meetings are often filled with discussions about board composition, compensation, succession and disclosure-related issues, it can be extremely challenging to make time for anything else. However, businesses today are facing heavy turbulence, often resulting in management going from crisis to crisis. In such an environment, directors, with their varied experiences and backgrounds, are best positioned and prepared to spot trends and ensure that management’s actions not only help the company survive today, but also continue to thrive in the future.

Directors know that the buck stops with them, so it should come as no surprise that 71 percent believe their boards must improve their understanding of the risks and opportunities, as well as their impact on performance in the coming year. However, directors also understand that they need to get involved with the development of strategy (67 percent) and improve the way they monitor management’s ability to execute those strategies successfully (also 67 percent). Instead of “reviewing and concurring” with management’s approach, directors are cautioned to be more engaged with both strategy and risk oversight.

Part of that engagement is to “hold executives accountable for providing better intelligence on cyber risk and delivering better results.” It is reckless and unacceptable for a CISO or CIO to report on cyber risks in ways that are not relevant to the CEO and the board.

Listen to the podcast: If you can’t measure it, you can’t manage it

2. Pay Close Attention to Cyberthreats

One of the key lessons for boards to take away from this report is the need for directors to “implement defense strategies to combat cyberthreats.” Directors are cautioned against continuing a largely passive and disconnected approach to their oversight duties when it comes to cyber risks.

The message appears to have been received: When asked about the top five trends that have the greatest potential impact on their company over the coming year, directors ranked cyberthreats fourth (at 38 percent), below industry changes (58 percent), business model disruptions (46 percent) and global economic changes (46 percent). In fact, cyberthreats ranked well above political uncertainty, technology disruptions, U.S. tax reform and investor activism.

The report noted that cyber risks are likely to remain on board agendas permanently, but also reminded directors of their duty to press for “complete, relevant and timely” assurances on how effective the organization is in identifying, managing and responding to cyber risks. But the days of paying lip service to cyberthreats by reviewing, communicating and doing the bare minimum to avoid fines or pass a yearly compliance audit are long gone. The survival of the organization as a whole is at stake with the current level of threats. If the board isn’t confident in its own ability to fully understand cyber risks, the report urged directors to “add a cyber risk specialist on the board” or employ “outside cybersecurity consultants as board advisors.”

3. Work to Improve Organizational Culture

Directors need to get a clear, unbiased picture of the company’s culture and help shape it appropriately. Since culture is often a key driver of performance, it affects the way the organization interacts with its staff, clients and business partners. As such, it can have a direct impact on the company’s success and the kinds of risks it faces.

Organizational culture is most often characterized as either risk-seeking or risk-averse. However, the nature of the organization’s security culture should also be part of the board’s overall dashboard metrics on corporate culture. Without a strong culture of security, the organization’s next breach may well come from one of its own employees instead of an external attacker.

4. Ask the Tough Questions

Board directors have a fiduciary duty to oversee cyber risks. They should be able to clearly document the steps and actions they’ve taken to become engaged. When asked about which practices board directors themselves had used, the top four responses were:

  • Looking at the company’s current strategy for protecting its most critical cyber assets (82 percent);

  • Looking at the company’s IT infrastructure to safeguard data (74 percent);

  • Reviewing management’s reporting of cyber risk information and improving the quality of information used to make cyber risk decisions (69 percent); and

  • Looking at the company’s data breach response plan (61 percent).

Because cyberthreats are constantly evolving, board directors need to help management identify and implement a more effective strategic plan for dealing with cyber risks. The report provided six key questions to assist with this endeavor, three of which are listed below:

  • What people, processes and technologies are we currently using to defend our network?

  • What additional resources are needed in people, processes and technologies to limit risk?

  • Are representatives from the security team included in every business planning meeting?

Improving Executive Engagement

As the report noted, “Being ‘secure’ is not a static end state that lends itself to inflexible compliance checklists; it requires a constant evaluation of risk relative to a rapidly evolving cyberthreat landscape.” NACD’s “2018 Governance Outlook” provides good, actionable advice for boards to improve their engagement around strategic risk management and oversight of cyber risks.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

The post Four Key Lessons From NACD’s ‘2018 Governance Outlook’ About Managing Cyber Risks appeared first on Security Intelligence.

Update: Two Years After Discovery Dangerous Security Hole Lingers in GPS Services

Security researchers warned that a serious vulnerability in a GPS service from the China-based firm ThinkRace exposes sensitive data in scores of GPS services, more than two years after the hole was discovered and reported to the firm. (Update: added comment from John van den Oever, the CEO of one2track B.V. – PFR 1/3/2018) Data including a GPS...

Science of CyberSecurity: Thoughts on the current state of Cyber Security

As part of a profile interview for Science of Cybersecurity I was asked five questions on cyber security last week, here's question 1 of 5.

Q. What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?
Thanks to regular sensational media hacking headlines, most organisational leaders are worried about their organisation’s cyber security posture, but they often lack the appropriate expert support to help them properly understand their organisation’s cyber risk. To address the cyber security concern, an ‘off the peg’ industry best practice check-box approach is often resorted to. However, this one-size-fits-all strategy is far from cost effective and only provides limited assurance in protecting against modern cyber attacks, given that every organisation is unique and cyber threat adversaries continually evolve their tactics and methodologies. In these difficult financial times of limiting cyber security budgets, it is important for the cyber security effort to be prioritised and targeted. To achieve this, the cyber security strategy should be born out of threat intelligence, threat assessment and a cyber risk assessment. This provides organisational leaders with the information to take effective cyber security strategy decisions, and to allocate funding and resources based on a subject matter they do understand well: business risk. Nothing can ever be 100% safeguarded; cyber security is, and always should be, a continual risk-based undertaking, and requires an organisation-risk-tailored cyber security strategy, which is properly understood and led from the very top of the organisation. This is what it takes to stay ahead in the cyber security game.

Security is Not, and Should not be Treated as, a Special Flower

My normal Wednesday lunch yesterday was rudely interrupted by my adequate friend and reasonable security advocate Javvad calling me to ask my opinion on something. This in itself was surprising enough, but the fact that I immediately gave a strong and impassioned response told me this might be something I needed to explore further… The UK […]

Making the world angrier, one process at a time

I have recently set up Family Sharing on my iOS devices, so that I can monitor and control what apps go on my kids’ devices without having to be in the room with them. Previously they would ask for an app, and I would type in my Apple ID password and that was that. Unfortunately with […]

Are you the most thrilling ride at the theme park?

I recently spent the day in Thorpe Park (a bit like a downmarket Disneyland for anyone not from the UK), and we were all looking forward to a day of roller coasters, silly ride photographs, bad overpriced food and generally some good fun. We had never been before, and my kids are now old […]