Gartner: Top Six Security and Risk Management Trends

As business leaders become increasingly conscious of the impact cybersecurity can have on business outcomes, they should harness increased support and take advantage of six emerging trends (listed below) to improve their enterprise’s resilience and elevate their own standing, according to Gartner, Inc.

  1. Senior business executives are finally becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation. “Business leaders and senior stakeholders at last appreciate security as much more than just tactical, technical stuff done by overly serious, unsmiling types in the company basement,” says Peter Firstbrook, research vice president at Gartner. “Security organizations must capitalize on this trend by working closer with business leadership and clearly linking security issues with business initiatives that could be affected.”
  2. Legal and regulatory mandates on data protection practices are impacting digital business plans and demanding increased emphasis on data liabilities. “It’s no surprise that, as the value of data has increased, the number of breaches has risen too,” says Firstbrook. “In this new reality, full data management programs — not just compliance — are essential, as is fully understanding the potential liabilities involved in handling data.”
  3. Security products are rapidly exploiting cloud delivery to provide more agile solutions. “Avoid making outdated investment decisions,” advises Firstbrook. “Seek out providers that propose cloud-first services, that have solid data management and machine learning (ML) competency, and that can protect your data at least as well as you can.”
  4. Machine learning is providing value in simple tasks and elevating suspicious events for human analysis. Gartner predicts that by 2025, machine learning will be a normal part of security solutions and will offset ever-increasing skills and staffing shortages. But buyer beware, says Firstbrook: “Look at how ML can address narrow and well-defined problem sets, such as classifying executable files, and be careful not to be suckered by hype. Unless a vendor can explain in clear terms how its ML implementation enables its product to outperform competitors or previous approaches, it’s very difficult to unpack marketing from good ML.”
  5. Security buying decisions are increasingly based on geopolitical factors along with traditional buying considerations. Increasing levels of cyber warfare, cyber political interference and government demands for backdoor access to software and services have resulted in new geopolitical risks in software and infrastructure buying decisions, Gartner says. “It’s vital to account for the geopolitical considerations of partners, suppliers and jurisdictions that are vital to your organization,” says Firstbrook. “Include supply chain source questions in RFIs, RFPs and contracts”  […] Read more »

 

 

Las Vegas Most Insecure Cyber City in US

A new study, Cybersecurity in the City: Ranking America’s Most Insecure Metros, has identified Las Vegas, Memphis and Charlotte as America’s most cyber insecure cities.

America’s Most Insecure Metros

10. Tampa – St. Petersburg
9. Orlando – Daytona Beach
8. West Palm Beach – Ft. Pierce
7. Jacksonville
6. Birmingham
5. Providence
4. Houston
3. Charlotte
2. Memphis
1. Las Vegas

America’s Least Vulnerable Metros

5. St. Louis
4. Seattle – Tacoma
3. Norfolk-Portsmouth-Newport News
2. Greensboro – Winston Salem
1. Richmond

“The Cybersecurity in the City: Ranking America’s Most Insecure Metros report emphasizes just how expansive both the vulnerability and threat landscapes have gotten in the U.S.,” said Guy Moskowitz, founder & CEO, Coronet. “While big companies may have the budgets, personnel and resources to protect their assets reasonably well, mid-market and small businesses are mostly left to fend for themselves. This is both unfortunate and a recipe for disaster” […] Read more »

 

Why People are ‘Password Walking’

A recent study of 61 million leaked passwords from Virginia Tech and Dashlane uncovered troubling password patterns.

Dashlane researchers examined the data for patterns, illuminating simple mistakes that continue to be made by people who use passwords in daily life, which is to say—virtually everyone. The Dashlane researchers found patterns across the keyboard, from not-so-randomly chosen letters and numbers to popular brands and bands, and even passwords created out of apparent frustration.

Dashlane researchers discovered a high frequency of passwords containing combinations of letters, numbers, and symbols that are adjacent to one another on the keyboard. This practice, known as “Password Walking,” highlights the apathetic attitude most users have towards password creation, preferring convenience over security.

When users “Password Walk” they are creating passwords that are far from secure. Most hackers are keenly aware of the human tendency to rely on convenience and can easily exploit these common passwords.

Most are familiar with versions of “Password Walking,” such as “qwerty” and “123456”, but Dashlane’s researchers uncovered several other combinations that are frequently used:

  • 1q2w3e4r
  • 1qaz2wsx
  • 1qazxsw2
  • zaq12wsx
  • !qaz2wsx
  • 1qaz@wsx

These passwords consist entirely of keys on the left-hand side of a standard keyboard, which means a user can type the whole password with just the pinky or ring finger of the left hand. However convenient this may be, saving a few seconds is not worth the loss of one’s critical financial and/or personal data due to an account hack.
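The adjacency described above can be checked mechanically, which is useful in a password-policy hook that rejects walks before they reach a credential store. The following is an added example written for this page, not code from the Dashlane study or the article: it places each key of a US QWERTY layout at an approximate physical coordinate, folds shifted symbols back onto their base key (so “!qaz2wsx” scores the same as “1qaz2wsx”), and reports what fraction of consecutive keystrokes are physical neighbours. The row offsets, the 0.75 rejection threshold and the control password “Tr0ub4dor&3” are assumptions chosen for the illustration.

```python
"""Keyboard-walk detector for password policy checks (US QWERTY layout).

Added example; the layout coordinates and the 0.75 threshold are assumptions
made for this illustration, not figures from the Dashlane study.
"""

from typing import Dict, List, Tuple

# Unshifted key rows of a US QWERTY keyboard, left to right.
_ROWS: List[str] = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]

# Approximate horizontal offset (in key widths) of each row's first key, so
# that "1", "q" and "2" all count as neighbours the way they do physically.
_ROW_OFFSET: List[float] = [0.0, 1.5, 1.75, 2.25]

# Shifted symbols map back to the key that produces them, so "!qaz2wsx"
# is treated as the same walk as "1qaz2wsx".
_SHIFTED: Dict[str, str] = dict(
    zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./")
)

# Each key -> (row number, horizontal position in key widths).
_POS: Dict[str, Tuple[int, float]] = {
    key: (r, _ROW_OFFSET[r] + c)
    for r, row in enumerate(_ROWS)
    for c, key in enumerate(row)
}


def _normalize(ch: str) -> str:
    """Lower-case a character and fold shifted symbols onto their base key."""
    ch = ch.lower()
    return _SHIFTED.get(ch, ch)


def _adjacent(a: str, b: str) -> bool:
    """True when two distinct keys touch on the keyboard (same or neighbouring row)."""
    if a == b or a not in _POS or b not in _POS:
        return False
    (ra, xa), (rb, xb) = _POS[a], _POS[b]
    return abs(ra - rb) <= 1 and abs(xa - xb) <= 1.0


def walk_ratio(password: str) -> float:
    """Fraction of consecutive key pairs that are physically adjacent.

    1.0 means every keystroke is next to the previous one (a pure walk);
    repeated keys and characters not on the layout never count as adjacent.
    """
    keys = [_normalize(ch) for ch in password]
    if len(keys) < 2:
        return 0.0
    pairs = list(zip(keys, keys[1:]))
    hits = sum(1 for a, b in pairs if _adjacent(a, b))
    return hits / len(pairs)


def is_keyboard_walk(password: str, threshold: float = 0.75) -> bool:
    """Policy hook: reject passwords that are mostly keyboard walks.

    The 0.75 threshold is an assumption chosen so that two stitched walks
    such as "1qaz2wsx" (6 of 7 pairs adjacent) are still caught.
    """
    return walk_ratio(password) >= threshold


# Patterns reported in the article, plus one constructed non-walk for contrast.
ARTICLE_PATTERNS = ["1q2w3e4r", "1qaz2wsx", "1qazxsw2", "zaq12wsx", "!qaz2wsx", "1qaz@wsx"]
CONSTRUCTED_CONTROL = "Tr0ub4dor&3"  # constructed sample, not from the article


if __name__ == "__main__":
    for pw in ARTICLE_PATTERNS + [CONSTRUCTED_CONTROL]:
        print(f"{pw:12s} walk_ratio={walk_ratio(pw):.2f} reject={is_keyboard_walk(pw)}")
```

Every pattern in the article’s list scores at least 6/7, while the constructed control scores 1/10 because only its first two letters (“t” and “r”) are neighbours. Repeated keys are deliberately not counted as adjacent, so a check for runs such as “111111” belongs in a separate rule; a full policy would also run the common-word and brand-name checks the study describes next.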

The study said, “The prevalence of ‘Password Walking’ is troubling and should make anyone using such passwords take another look at their password practices. Genuinely random and unique passwords are essential to password security; punching a bunch of adjacent characters will not cut it.”

Vices like Coca Cola and Skittles seep into all corners of life, even passwords, the study said. The ten most frequent brand-related passwords:

  1. myspace (experienced a major breach in 2016)
  2. mustang
  3. linkedin (experienced a major breach in 2016)
  4. ferrari
  5. playboy
  6. mercedes
  7. cocacola
  8. snickers
  9. corvette
  10. skittles

Unsurprisingly, said the study, pop culture references were also prevalent. It would be wise to remember that using passwords that use names or common phrases is not a safe practice.

The ten most frequent pop culture passwords:

  1. superman
  2. pokemon
  3. slipknot
  4. starwars
  5. metallica
  6. nirvana
  7. blink182
  8. spiderman
  9. greenday
  10. rockstar

Last, as the world prepares for the Champions League Final this weekend, the study suggested that fans of the game should refrain from showing love for their favorite club in their passwords […] Read more »

 

 

GDPR: Will Your Company Be Fine or Fined?

“Mayday, mayday” is a standard international distress signal. With the European Union’s General Data Protection Regulation (GDPR) going live on May 25, 2018, the phrase seems particularly apt.

What is the GDPR? Weighing in at over 50,000 words, the GDPR revises a decades-old EU privacy directive that harkens back to 1995, a time when there was more postal mail than email. The GDPR restricts how organizations can collect, use and retain personal data, and provides Europeans with certain rights to halt collection, and to obtain copies, correction and, at times, destruction of their data.

How does it impact U.S. businesses? The EU seeks to apply the GDPR to all companies regardless of location if they collect personal data from individuals in the EU, such as through websites targeting EU consumers with goods or services (whether paid or unpaid), or by monitoring the behavior of people in the EU. The GDPR also applies to vendors (and corporate partners and affiliates) who end up storing, transferring, processing or using EU personal data even though another company initially collected it.

What are the Cybersecurity Requirements? Companies must implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”  Doing so requires an organization to evaluate “the state of the art” of security; the costs of implementation; the nature, scope, context and purposes of processing the personal data; and the risks to individual rights and freedoms. Data protection must be implemented “by design and by default.”

Are there breach notification requirements? Yes. If a data breach is likely to result in “a risk” to an individual’s rights and freedoms, the company must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. When the breach is likely to result in a “high risk” to rights and freedoms, notifications also must be made without undue delay to the affected individuals.

Can we get ready in a few weeks? It is unlikely. The EU gave companies two years. Still, achieving compliance may be more straightforward for organizations that do not collect sensitive categories of personal data (race, ethnicity, health, sex life, sexual orientation, criminal history, trade union membership, political/religious/philosophical beliefs, genetics or biometrics) and whose activities are unlikely to result in high risks to individual rights and freedoms (such as through large-scale data processing, new technologies or systematic monitoring, profiling and automated decision-making) […] Read more »

 

 

Rethinking Identity Management in the Gig Economy

For years, the “consumerization” of IT has referred to the practice of employees conducting workplace activities on their personal smartphones and tablets, or using consumer services like Gmail or social media for work purposes. However, the “gig economy” is about to consumerize the workplace to new levels, bringing changes that will significantly impact how CSOs and CISOs protect their businesses.

When large parts of the workforce or even entire staffs are made up of independent contractors, it’s not just devices or services that are being brought onto the corporate network from outside of IT’s purview. These “permalancers” will be operating as complete outsiders to the corporate infrastructure, so to speak, which will test the boundaries of current IT-department protocols. IT will have to think beyond established bring-your-own-device (BYOD) practices; companies relying so heavily on freelancers now need to construct new “bring-your-own-identity” policies that will enable these workers to move freely and safely about the network, while keeping company infrastructure protected.

Traditional IAM Falls Short in Managing Non-Traditional Workforces

Traditional identity and access management (IAM) systems were not architected to manage a large number of workers of this type. IT is used to managing, at most, tens of thousands of employees who are known to the company – users with corporate accounts that the department can assume are trustworthy because they’re operating on closed corporate networks and behind the company firewall.

Now, these freelancers and independent contractors more often than not use their own personal accounts to access company resources, potentially from unsecure locations, such as a coffee shop’s open public WiFi connection. There is a good chance they also work for other companies – maybe even competitors – and their gig might just last a few weeks or the duration of one project.

Workers Are Starting to Look Like Customers

In other words, workers are starting to look more like consumers, in part due to this increased reliance on contracted workers. As such, CSOs and CISOs need to start addressing the security needs of these workers accordingly. Consider marketing writers using their own accounts to upload or edit documents onto shared drives, or freelance programmers checking code into the company’s source code repository. They have created their own accounts, and their identities could be established by a variety of single sign-on providers. Plus, they are authenticated against public services like OpenID and social media. Managing worker access in this environment is much more complex than it is behind the VPN and firewall where HR or IT is simply charged with filling in key profile data for company-created identities, and authenticating users against internal directory services […] Read more »

 

 

The Quantum Computing Revolution

“Only six electronic digital computers would be required to satisfy the computing needs of the entire United States.” This prediction, made by Howard Aiken in 1947, has in hindsight turned out to be anything but prophetic. The need for processing power has risen continuously, and for the most part it has been met through an unparalleled evolution of chip technology, as forecast by Moore’s Law. Moore’s Law states that the number of components that can fit on a computer chip will double roughly every two years, which in turn improves the processing capabilities of computer chips. The law, which is more of an observation than a physical law, has held true over the decades and has seen digital computers that originally took up entire rooms shrink to something we carry in our pockets. But with components reaching atomic scales, and more and more money being funnelled into making chips smaller and faster, we have reached a point where we cannot count on chip technology to advance as predicted by Moore’s Law. Hence alternatives are being pursued, and the developments made along the way have given rise to the idea of quantum computing.

The traditional computer at its very core performs simple arithmetic operations on numbers stored in its memory. The key is the speed at which this is done, which allows computers to string these operations together to perform more complex tasks. But as the complexity of the problem increases, so does the number of operations required to reach a solution, and in this day and age some of the specific problems we need to solve far surpass the computing capabilities of the modern computer. This limitation has also been turned to our advantage: modern cryptography, which is at the core of cyber-security, relies on the fact that brute-forcing complex mathematical problems is a practical impossibility.

Quantum computers, in theory, do things differently. Information is represented in physical states that are so small that they obey the laws of Quantum Mechanics. This information is stored in quantum bits known as qubits rather than the traditional binary bits used in conventional computers. Quantum Mechanics allows a qubit to store a probability of its value as either a 0 or 1 with the exact value of the qubit unknown until it is measured. Without getting too technical, this allows a quantum computer to contain several states at the same time, giving it the potential to be millions of times faster at solving certain problems than classical computers. This staggering computational power, in theory, could be used to render modern cryptography obsolete.

Modern cryptography relies on complex mathematical problems that would take computers hundreds, thousands or even millions of years to solve. This practical limitation is what keeps our cryptography based security systems secure. But with quantum computers, it is theoretically possible that these solutions could be reached in days or even hours, posing a massive vulnerability threat to our current encryption. If cryptography collapses, so will all our security.

But a quantum world is not all doom and gloom. Active research is already being done on quantum safe algorithms that can replace current algorithms that are under threat from the capabilities of a quantum computer. Theoretically, these quantum safe algorithms could prove to be more secure than anything we currently know of. Another area where quantum computing is likely to shine is in Big Data. With cross industry adoption of new technologies, the world is transforming itself into a digital age. This is sure to pose new problems well beyond the capabilities of modern computers as the complexity and the size of data keeps increasing. The challenge lies in converting real-world problems into a quantum language, but if that is accomplished, in quantum computing we will have a whole new computational system to tackle these problems.

It is important to realize that quantum computing is still in its infancy and that almost all of the hype surrounding it is theoretical. But it is clear that the technology promises a revolution in computing unlike anything we have seen before. It is also important to understand that quantum computers are not a replacement for the classical computer; rather, they are specialized at solving a particular set of problems that are beyond the powers of a modern computer. This opens up a vast avenue of possibilities for quantum computing. The traditional computer will still have its place, but with the world moving more and more towards a data-driven future, expect quantum computers to play a vital role in the future of technology.

 

Is Your Vendor Risk Management Program Working?

As the saying goes, you can outsource most anything, but you can’t outsource responsibility. Companies remain on the hook for ensuring their vendors are up to the task when it comes to cybersecurity, privacy compliance and continuity of operations. This checklist can help determine the maturity of your vendor risk management program.

✔ We understand the vendor’s role relative to our business risk.

Knowing if a vendor is reliable requires knowing how they are being relied upon. It is worth considering how a particular vendor’s security failure might impact the confidentiality, integrity or availability of your employee records, customer data and business secrets, and whether their failure could put a halt to your operations altogether.

✔ We understand the vendor’s security relative to our requirements.

Just because a vendor is well known, does not mean their standard offering meets your company’s legal, regulatory, contractual and business security needs. Companies often take advantage of a cross-functional team of information security, legal, compliance, procurement, privacy and risk experts when making important vendor decisions.

✔ We ask the right questions and understand the response.

Vendor questionnaires are all the rage, but they are resource intensive for both parties. If your company uses them, do it right by assigning appropriate personnel to assess the answers, recognize gaps and potential remediation measures, follow your organization’s risk acceptance procedures and document decisions. Alternatively, consider accepting independent third-party audits and certifications, supplemented only as necessary for unique requirements.

✔ Our contracts are rock solid.

The Federal Trade Commission put it succinctly: “Insist that appropriate security standards are part of your contracts.” But, what are appropriate standards? Among other things, strong contracts take into account a company’s legal and regulatory environment, and often have provisions relating to specific security controls, compliance with industry standards, third-party certifications, data rights and privacy requirements, audit rights, insurance coverage, incident notification (and cooperation and information sharing if there is an incident), responses to legally compelled disclosure, data localization requirements, choice of law, restrictions on subcontracting, data destruction, SLAs and indemnification […] Read more »

 

 

Women in Information Technology

The turn of the millennium has seen an exponential rise in the field of technology, which has shown no signs of decline 18 years on. Opportunities are abundant and innovation is plentiful, making IT a preferred career choice for many. This brings us to an interesting question, one that is not often asked: what role do women play in technology today?

The field of IT has always been male-dominated. From iconic figures like Steve Jobs and Bill Gates to billionaire entrepreneurs like Mark Zuckerberg, the biggest contributions to technology have come from men. However, women are starting to play a bigger role in tech, with many entering both regular and high-level positions in global firms. Ursula Burns, for example, rose through the ranks to become the first African-American woman to serve as CEO of Xerox, a Fortune 500 company. Ginni Rometty, another inspiration to women across the globe, was named president and CEO of IBM in 2011. Adding to the tale of success there is Marissa Mayer, an exemplary coder role model who was formerly president and CEO of Yahoo!.

While this shows that women can definitely leave their mark in the field, there is also a stark reality hidden behind these success stories. A study carried out by Evia, a virtual event solutions company, shows that even though women make up more than half the US workforce, they hold only 20 percent of US tech jobs. Making matters even worse, studies also show that women tend to leave technology-related positions at twice the rate of men, clearly pointing to an underlying problem that is giving rise to a gender gap within the sphere of Information Technology.

The problem of under-representation of women in IT is a complicated one. On one side there is the argument that the whole debate is moot: gender is irrelevant as long as a person is capable of doing the job and aligning themselves with a company’s business. It is not that companies discriminate based on gender, but rather that the number of women with the required technical background is simply not enough to close the gender gap. This may very well be true, as statistics show that the number of women taking up computer science in higher education has decreased over time. But a shortage in the talent pool alone does not explain why women who are already in tech roles leave their jobs at a rate much faster than men. Surveys point to possible reasons ranging from company environment to a lack of work-life balance, which is especially true for women in development. Working long hours might not be an option for a woman, while a man would be more tolerant of the same. What is overlooked in such a scenario is the need for a work environment that is equally conducive for both genders. Also, while discrimination or sexism is not something most women experience in a work environment, there could still be an underlying condescension that leads to a sense of isolation.

The need for gender diversity within technology is undisputed. The issue can be talked about, argued over or even fixed to an extent, with many great initiatives happening now. Significant strides are being made by different movements placing an emphasis on how a balanced workforce could have a positive impact on a company. There is also a call to fill the pipeline with more talented women. The argument here is to stop shouting at companies to hire more women and focus instead on encouraging women to pursue careers in Information Technology. Some of this may bring about changes in the short term, while some has the opportunity to make the greatest impact in the long run. But the gender gap we see in technology could, in fact, be a much more deep-rooted problem that lies within the very society we are brought up in. If this is the case, then there needs to be a shift in the social norms and concepts that steer young girls away from technology while encouraging the same in boys. Only then will we be capable of breaking down gender roles and reaching true gender parity in the field of Information Technology.

 

Investors Put Cybersecurity Top of the Business Threat List

Cyber attacks are now the biggest threat to business in the eyes of investors, mirroring growing global concern from business leaders, according to a new study by PwC.

In the PwC Global Investor Survey 2018 the views of investors and analysts are compared with those of business leaders. The study found that 41% of investors and analysts are now extremely concerned about cyber threats, seeing them as the largest threat to business, rising to first from fifth place in 2017. A similar proportion (40%) of business leaders see it as a top three threat, but business leaders rank over-regulation and terrorism higher in the global study.

To improve trust with consumers, investors believe businesses should prioritize investment in cyber security protection (64% investors; 47% CEOs).

Investors rank geopolitical uncertainty (39% extremely concerned), speed of technological change (37%), populism (33%) and protectionism (32%) in the top five threats to growth.

Hilary Eastman, head of global investor engagement at PwC, said: “The top concerns of investors and CEOs emphasise the different internal and external perspectives on, and day to day experiences of, businesses. While on-the-ground challenges such as finding the right skills are high on business leaders’ agendas, investors are preoccupied with the impact that wider societal trends, such as geopolitical uncertainty, populism and protectionism, have on businesses generally.”

Overall, PwC finds that both investors and CEOs are more confident about the global growth outlook than they were last year. 54% of investors (+9%) believe global economic growth will improve and 57% of CEOs (+19%) […] Read more »

 

Beyond Talking the Talk: Building Cybersecurity into a Company’s DNA

Security is constant. It’s fast-paced with a high burnout rate, and many companies continue to struggle with implementing basic security controls. Given the overwhelming reality of resources and time that are already being dedicated to a company’s security strategy, how can organizations begin to build security into a company’s DNA in a realistic way?

While it may seem onerous or unrealistic to some, it is possible to create more than a cyber-aware culture. Changing the fabric of a company’s DNA is more than just a Pollyanna goal, it’s a necessary reality. But it will take time and leadership buy-in. The very basic building blocks require a shift in the way companies think about accountability. It starts with making everyone in the organization responsible for cybersecurity.

Let’s be clear that there is a difference between corporate culture and a company’s DNA. The DNA encompasses everything that relates to the very fibers of the organization, all those aspects of the company that we don’t think about. When we talk about building cyber into the company DNA, we want it to be part of the normal day-to-day operations. Security needs to be part of what we are investing in the organization and its people throughout the year. So that limited resources of time and money never diminish the way the company values security, it must be part of the corporate development life cycle.

When security is a part of the profit and loss statement, it inherently becomes a priority of the company’s goals. These are the ideas and behaviors we need to be going after in order to make security a priority for the organization.

So, what are some realistic steps you can take today? Here are a few ways to rebuild a company’s DNA and make a real difference in the way employees, the C-Suite, and the board value security[…] Read more »