Is Your Data Breach Response Plan Ready?

Fifty-six percent of organizations experienced a data breach involving more than 1,000 records over the past two years, and of those, 37 percent occurred two to three times and 39 percent were global in scope, according to Experian. In 2017 in particular, there were more than 5,000 reported data breaches worldwide, and there were more than 1,500 in the U.S. alone.

In an effort to help businesses prepare for data breach response and recovery, Experian launched its new Data Breach Response Guide last month to provide in-depth strategy and tactics on how to prepare and manage incidents.

Security asked Michael Bruemmer, Vice President of Data Breach Resolution & Consumer Protection at Experian, how cybersecurity has changed recently and how enterprises can revamp their security strategies to be resilient and ready.

Security: How have typical responses to data breaches changed over the past five years?

Bruemmer: Fortunately, responses to data breaches are immensely better. There has been great progress in preparation, as 88 percent of companies say they have a response plan in place compared to just 61 percent five years ago, according to our 2018 annual preparedness study with the Ponemon Institute.

One of the biggest changes in data breach responses over the last few years is that organizations now have a breach-ready mindset and know it’s not about whether a breach will happen but rather when it will occur. Thus, many organizations now have a data breach response team in place, which is key to implementing a quick and adept response.

Businesses have also started to include public relations personnel on their data breach response teams, which has helped companies maintain more positive relationships with their stakeholders post-breach. There is still room for improvement: while companies have a plan in place, a large majority don’t practice their plans in a real-life drill setting, and the C-suite and boards are still not engaged enough in the process.

Security: What still needs to occur to improve enterprises’ data breach response protocols and practices?

Bruemmer: A few areas for improvement include actually practicing the data breach response plan and therefore, feeling confident the company can handle an incident successfully. In our 2018 annual preparedness study, only 49% of companies said their ability to respond to data breaches is/would be effective. One of the reasons may be that most boards of directors and C-suite executives are not actively involved in the data breach prep process, nor are they informed about how they should respond to an incident.

Another dynamic that requires attention, and is relatively new, is the passing of the General Data Protection Regulation (GDPR) overseas. Companies that operate internationally must understand the legislation and make sure they are equipped to handle a data breach that involves individuals globally. They should hire legal counsel who have knowledge and experience in this area and enlist partners that have multilingual capabilities and a presence in key countries. That way, operations such as notifying affected parties and setting up call centers can be executed quickly. Organizations are still catching up here.

Security: When auditing their data breach response plan, what in particular should security leaders be looking for?

Bruemmer: Businesses should conduct an audit of every component of a response plan. Security leaders should also assess whether external partners are meeting the company’s data protection standards and are up-to-date on new legislation. For example, healthcare entities should guarantee that business associate agreements (BAAs) are in place to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements. Additionally, vendors should maintain a written security program that covers their company’s data. Realistically, an organization could have up to 10 different external vendors involved in a data breach response, so keeping this circle secure is important.

Security: What are the top three issues business security leaders should plan for next year?

Bruemmer: Businesses should keep an eye on artificial intelligence (AI), machine learning (ML) and cryptomining malware next year. In a continuously evolving digital landscape, advanced authentication, or added layers of security, have become increasingly important for businesses to adopt when it comes to safeguarding against potential data breaches. However, while AI and ML are helpful in predicting and identifying potential threats, hackers can also leverage these as tools to create more sophisticated attacks than traditional phishing scams or malware attacks. Criminals can use AI and ML, for example, to make fake emails look more authentic and deploy them faster than ever before. Cryptomining has also become more popular with the recent rise of Bitcoin and more than 1,500 different cryptocurrencies in existence today. Cybercriminals are taking every opportunity, from CPU cycles of computers, to web browsers, mobile devices and smart devices, to exploit vulnerabilities to mine for cryptocurrencies.

Security: Are there any key tools or strategies security leaders can use to better engage with the C-Suite?

Bruemmer: Unfortunately, the lack of engagement by the C-suite and boards seems to be an ongoing issue. In today’s climate, companies should employ a security leader in the C-suite such as a Chief Information Security Officer to ensure protection is a priority and administered throughout the organization.

There should be ongoing and frequent communication about security threats by this officer to leaders and the board. In this instance, it’s better to over-communicate rather than hold back vital information that could help mitigate potential reputation damage and revenue loss […]

Nearly Half of Americans Willing to Give Brands a Pass for a Data Breach

New data shows that the U.S. public is surprisingly forgiving despite data breaches and controversies as long as companies demonstrate good faith.

The Consumer Attitudes Toward Data Privacy and Security Survey by Janrain also found that 42 percent of U.S. consumers surveyed report at least being open to forgiving the brand, while 7% refuse to forgive brands for allowing bad actors access to their personal data. Fourteen percent have lost all faith in an organization’s ability to protect their data.

Nevertheless, consumers are increasingly taking control of their data into their own hands, the survey found. For example, 71% report downloading software that protects their data privacy or otherwise helps control their web experience. But Janrain’s survey brings good news to brands that are evaluating their consent-based marketing processes and capabilities in response to regulatory requirements or to strengthen customer relations.

If given the option, most people (55%) would let companies they trust use some of their personal data for specific purposes that benefit them in clear ways, the survey found. Only 36% wouldn’t let any company use their personal data. Sixty-six percent like the idea of being able to alert companies when they’re interested in something as long as they could “switch it off” when they’re no longer interested. Only 16% aren’t interested in this even if it came with preferences control.

When Janrain probed to gain more understanding about how effective digital brands have been in using consumer data to personalize their online ads, only 18% said ads “often” seemed to understand their needs, presenting brands with an important area for improvement. The largest bulk of respondents (47%) reported that these ads do seem to understand their needs at least “sometimes” while 26% said ads “hardly ever” understand them. Nine percent said online ads “never” do.

When asked whether they’d walk away from a business that requires personal information up front (like a phone number or email address) in order to conduct business, 15% of those surveyed said “yes” while 24% said “probably.” Fifty-four percent said it depends on whether the business is trusted or the only option.

Sixty-six percent of those surveyed renewed their call for GDPR-like rules in the United States that force brands to provide consumers with greater privacy, security and control of their personal data. Janrain asked a similar question in May of 2018 to which 69% responded favorably to more regulation in the States. This time, Janrain’s findings show consumers not only want more regulation, they believe it will actually help in the wake of high-profile breaches and controversies affecting well-known organizations such as Yahoo!, Equifax and Facebook. Only 9% believe such laws would be ineffective while only 6% believe more regulation would be too hard on businesses and the economy […]

Attention CEOs: The Great CISO Renaissance is Coming

In 2015, the Boston-based security advisory firm K-logix predicted an increase of Chief Information Security Officers (CISOs) reporting to CEOs, and in 2017 the NACD provided guidance to boards on basic cyber security principles. However, CISOs continue to struggle for widespread recognition as an executive officer. Although the CISO is responsible for integrating privacy requirements into security program controls, the EU’s General Data Privacy Regulation (GDPR) introduced and catapulted a new role into the executive ranks in 2018. The regulation creates a new “Data Protection Officer (DPO)” role serving as a quasi-regulator for EU Data Privacy compliance enforcement who must report to the highest levels of management. Data Protection Officers usually fall under a Compliance leadership function closely associated with the General Counsel or legal department, and are integral to the company’s data privacy program oversight. In contrast, the CISO, who is responsible for technology risk management, may report through a number of executive functions depending on the industry and company. The General Counsel is no stranger to the executive table, so it should be no surprise that the new DPO role leapfrogged the CISO in the corporate hierarchy.

Although CISOs have been improving their business and risk management acumen by focusing on non-technology-based topics such as GDPR compliance, Third-Party Oversight and Enterprise Risk Management at recent security conferences, the majority of job descriptions for CISOs continue to describe both tactical and strategic duties and continue to list the role under a CIO or CTO.  In response, an increasing number of seasoned CISOs are opting for independent consulting work in the growing Gig Economy rather than struggling for budget and resources within a company only to be sacrificed when the inevitable data breach occurs. If the unique challenges with rank and responsibility continue, the role of the CISO could become a standard appendage to a company like an independent CPA firm or external counsel providing advisory guidance.  

If you are a CEO considering whether you want a CISO on your leadership team, I offer the following reminders regarding the CISO:  

  • The role of the CISO is strategic, not tactical

Some organizations proudly announce they have passed their SOC 2 independent audit report without any findings to communicate the maturity of their security program.  If those organizations were expecting a “clean” SOC 2 audit report to eliminate the need for a customer assurance program, an experienced CISO knows that a SOC 2 report can be crafted to scope out the “dust and cobwebs under the carpet” and only focus on the shiny production service or solution offered to customers.   Rarely are SOC 2 reports accepted on their face as adequate governance of an enterprise risk management program. Additional audits and evidence will likely be necessary to satisfy partner and customer inquiries.

In another example, security solution providers usually begin their sales pitch by describing a legitimate business problem.  However, they quickly shift to focusing on the product features rather than recognize the business problem in context of other risks an organization may face as the company’s executive team would do at a risk review.

The fallacy in both of these examples is the assumption that successful execution of a tactical project will translate into a strategic solution.  The truth is that the problem being solved may or may not be significant in the organization’s big picture, and the CISO should not waste time and resources on low priority problems.  By elevating the role to the strategic level, the CISO will have the appropriate context to consider operational risk challenges within the organization. For example, a survey by Soha Systems reported that 63% of data breaches – nearly two-thirds – are attributed directly or indirectly to Third-Parties according to IAPP.  If the CISO is focused exclusively on the technology used to secure products or services, the company could be missing the larger threat from the access granted to merchants, vendors and subcontractors.  The operational risk has little to do with technology and more to do with processes and permission management.

  • The role of the CISO touches the whole organization just like the Privacy Program

The privacy program and security program are complementary teams – like a right hand and left hand.  Although they serve similar functions within the organization, they are not the same. The privacy office defines the privacy requirements for the business and the security program creates and implements the controls needed to achieve those requirements.  Security and privacy programs are often combined under an Enterprise Risk Program. Much the same way a privacy program includes human resources, training, sales & marketing, corporate communications, legal & compliance, finance, and information technology stakeholders, so does the information security program.  However, the privacy program is dependent on the security team to implement the necessary controls. If the DPO reports to the CEO and/or Board of Directors, but the CISO is not at an equivalent level or is external to the organization, maintaining a current status of the security program may be more challenging than necessary due to office politics and hierarchy.  The right hand and the left hand should communicate equally with the brain to successfully perform a complex job requiring both hands, or the right hand may not know what the left hand is doing.

Similarly, if the CISO’s budget is nested within a CTO or CIO’s budget, re-allocating funds to other departments with deficient security controls is an uphill battle for the CISO.  Assume that the CISO has determined that risk associated with third-parties is the biggest risk for the company, but the procurement and/or human resources department need additional resources to screen contractors and other partners adequately.  If the CISO relies on a cost center such as the CTO or CIO to present the case to the executive team for additional funding, the message may diminish in translation, and the CIO or CTO may perceive higher priorities within the department. Providing the CISO with a seat at the table in executive team meetings will not only optimize spending decisions but will also improve collaboration and improve security and risk awareness among the executive team.

  • The role of the CISO is becoming a Regulatory Requirement

The Ponemon Institute has listed “Appointment of a CISO” as one of the factors to mitigate the cost of a data breach for several years. Not surprisingly, regulators are beginning to require the appointment of a CISO as a compliance requirement. For example, the New York Department of Financial Services mandates that “a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, ‘Chief Information Security Officer’ or ‘CISO’)” be appointed for each entity covered by the regulation. Furthermore, the CISO is required to provide an annual written report to the board of directors or equivalent governing body on the cybersecurity program and material cybersecurity risks. Although the New York regulation requires an annual report to the board, the CEO should receive regular and recurring status on the cybersecurity risks for the company. In light of the additional focus on security and data privacy generated by public outcry, similar requirements may permeate to other jurisdictions in the form of similar regulations.

  • The role of the CISO includes some Individual Professional Liability

As referenced above, audits of corporate security and data privacy programs require that the individual responsible for the governance of the program be qualified for the role and maintain his or her skills through continuing education. This control is often addressed by requiring, in the job descriptions for these roles, industry-recognized certifications that carry continuing professional education (CPE) mandates, a code of ethics and a duty to the profession as a condition of certification. Loss of a professional accreditation such as a CISSP, CISM, CISA, CRISC or C|CISO in the case of a CISO, or a CIPP or CIPM in the case of a DPO, is a potential risk to be weighed when considering a role within an organization. Both CISOs and DPOs are likely to request Director’s and Officer’s (“D&O”) Insurance / Professional Liability Coverage under the corporate policy as a condition of employment.

Under GDPR, regulatory fines for a company can reach 4% of annual turnover or 20 million EUR for a privacy breach.  Some privacy professionals view the regulation as a “stacked deck” mechanism for funneling revenues to the EU from US companies.  Impacted companies are presumed guilty under the regulation’s “Accountability Principle” and requirement to demonstrate compliance with “Security by Design” and “Security by Default.”

If that assessment is accurate, lawsuits against both companies and the officers responsible for the security and privacy program issues are likely. Companies need to be wary of potential criminal prosecution risk associated with mishandling of protected information. CISOs who have their professional credentials provided to regulators, government agencies and customers as evidence of their qualifications will be reluctant to have their communications filtered through another corporate officer, especially if recommendations are not implemented because of other risks. If an independent or fractional CISO is required to carry professional liability insurance to cover regulatory fines on that scale, the premiums for that level of coverage make the costs for their services exorbitant, and the company will still need to cover their own liability insurance premiums. In-house CISOs covered under the company’s liability policy make more fiscal sense for regulated industries to avoid paying twice for the same coverage. Previously unregulated companies are finding themselves within the material and territorial scope of GDPR and are being introduced to compliance requirements and fines, and they are only beginning to understand the impact to their organizations.

Summary

Experienced CISOs with an appreciation for the concept of enterprise risk are venturing out to form their own advisory practices in the booming “Gig Economy” where they can choose their own clients, travel schedule, industry and risk tolerance. If nothing changes, the trend towards “freelancing” is expected to continue. With full control over pricing and insurance for “gigs,” these freelancers are able to set their own rates commensurate with the risk associated with the opportunity. According to NASDAQ.com, 34% of the total workforce, nearly 53 million Americans, were freelancers, and this number is expected to increase to 43% by 2020. The irony is that the growth of the Gig Economy is only increasing the challenges for the CISOs who remain in corporate America. Managing risks associated with contractors increases in complexity as the number of third parties engaged by an organization increases, so a critical mass is building.

The problem with the independent consulting option is that many CISOs really do WANT to be a part of a leadership team and would choose that option if offered to them.  These executives rely on teamwork to make the program successful and being an outsider who may or may not be able to use the name of their client as a reference diminishes the personal fulfillment and recognition in a job well done.  Creating a direct reporting relationship between the CEO and the CISO is one of the best ways to demonstrate management’s commitment to the security program, save insurance costs and increase efficiency of the security and data privacy programs.  With improved visibility to enterprise risks, CEOs can be assured their teams are working on the right problems and the security prowess of their leadership team expands through increased exposure to and collaboration with the CISO.

Donna Gallaher, CISSP, C|CISO, CIPP/E

Ms. Gallaher served as a C-Level Strategic Advisor in IT and Cyber Strategy for multiple global companies for over 15 years drawing from her previous successes in engineering, solution selling, IT operations and leadership.  She provides value to clients by thoroughly understanding business and regulatory requirements, assessing obstacles and translating technical challenges into business risks allowing technology to function as a business enabler.

Ms. Gallaher serves on the Board of Directors of the Technology Association of Georgia Information Security Society, Evanta CISO Southeast Governing Body and is active in the local ISSA and Cloud Security Alliance chapters.  She is active in the lobby efforts to shape cyber security legislation and her recent articles have been published on the National Technology Security Coalition website.

Ms. Gallaher holds CISSP, CCISO, CIPP/E and ITIL certifications and is a graduate of Auburn University with a Bachelor of Science in Electrical Engineering.

Magecart: The Largest Payment Card Attack in History. Here’s what you can do …

The previously disclosed Ticketmaster attack was not a one-off event, but instead part of the largest payment card theft in history impacting over 800 ecommerce sites around the world. If we consider the true impact of this event it is absolutely astonishing. The Target supply-chain-enabled attack from a few years ago was frightening, and that was only one merchant under attack, on in-store point-of-sale systems, for a mere 9 days. The Magecart website supply chain attack leveraged digital website payment card skimming that victimized over 800 global merchants for over 3 years – multiple orders of magnitude larger and significantly more chilling in scope.

The Magecart hacker group successfully attacked some of the most sophisticated ecommerce players and operated largely undetected since 2015 by taking advantage of a client-side vulnerability that exists in every commercial website today.  In the case of Ticketmaster, Magecart actors were able to compromise a 3rd party chatbot service called Inbenta that had been embedded on the Ticketmaster site. By manipulating the Inbenta JavaScript code on Ticketmaster’s webpages, Magecart could exfiltrate payment information from every single Ticketmaster customer who was served the Inbenta code.

The client-side browser is the primary environment wherein websites display and capture critical customer and payment data. It is the front door for interaction with customers and their data. 3rd party JavaScript executes on the client-side browser and is granted unmanaged and unlimited access to the entire webpage including the ability to exfiltrate data (keylogging, web injection, form field manipulation, phishing, etc.) and deface/alter webpage content. Simply put, by integrating 3rd party JavaScript, website owners are handing out skeleton keys to the front door while they focus extensively on securing the server-side back door. Security pros must think twice about being so cavalier with the skeleton keys to their front door and diligently secure both the server side and the client side of web sessions.

Given that many 3rd party vendors have comparatively weaker security protocols than the corporate websites that run them, it makes them attractive and susceptible attack targets.  3rd party JavaScript has unlimited access to the webpage DOM. This means that every 3rd party JavaScript vendor, and the hackers that seek to exploit them, have the same level of access to all webpage elements as the website owner’s development team.

Once that vendor is compromised, their code can be modified or replaced representing a major vulnerability for website owners. Magnifying the potential damage, once a hacker compromises a single 3rd party vendor, they have access to every single website that runs the tool.

3rd party JavaScript is served from external remote servers and executes on the client. This makes current security approaches such as pentesting, periodic code review, and dynamic application security testing entirely incapable of preventing these attacks. Since client-side connections with external servers are completely unmanaged and largely unmonitored, the company has no visibility into what these 3rd parties are doing and no way to prevent hackers from maliciously exploiting this access. Nearly every corporate website is currently unavoidably vulnerable to this attack vector.
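The exposure described above can be measured per page. The following is an added example, not code from the article or from any vendor: a small Node.js audit that lists every externally hosted script a page loads and whether the tag is pinned with a Subresource Integrity (`integrity`) hash. The page URL, HTML and host names are constructed sample data, and the function names are hypothetical.

```javascript
'use strict';

// Constructed sample: a checkout page that loads first- and third-party scripts.
const SAMPLE_PAGE_URL = 'https://shop.example/checkout';
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.vendor-a.example/lib.min.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERHASH" crossorigin="anonymous"></script>
<script async src="//chat.vendor-b.example/widget.js"></script>
<script>window.inlineConfig = { page: "checkout" };</script>
</head><body>
<form id="payment"><input name="card-number"></form>
<script src="https://tags.vendor-c.example/t.js?id=123"></script>
</body></html>`;

// Parse the attribute text of one opening tag into a lower-cased name -> value map.
function parseAttributes(attrText) {
  const attrs = Object.create(null);
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = attrRe.exec(attrText)) !== null) {
    // Boolean attributes such as "async" have no value and map to ''.
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// List every <script src=...> on the page with its resolved URL, whether it is
// served from another origin, and whether it carries an integrity pin.
// Regex-based on purpose so it runs without a DOM; attribute values that
// contain '>' are not handled.
function inventoryScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  const scriptRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (attrs.src === undefined) continue; // inline script, served with the page itself
    let url;
    try {
      url = new URL(attrs.src, pageUrl); // resolves relative and protocol-relative URLs
    } catch {
      continue; // unparseable src, nothing to classify
    }
    findings.push({
      src: url.href,
      host: url.host,
      thirdParty: url.origin !== pageOrigin,
      pinned: Boolean(attrs.integrity),
    });
  }
  return findings;
}

// Hosts whose code runs on the page and can change without the site owner's review.
function unpinnedThirdPartyHosts(html, pageUrl) {
  const hosts = inventoryScripts(html, pageUrl)
    .filter((s) => s.thirdParty && !s.pinned)
    .map((s) => s.host);
  return [...new Set(hosts)].sort();
}

console.log(unpinnedThirdPartyHosts(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

A pin makes the browser refuse a file whose content no longer matches the hash, so it breaks whenever the vendor updates that file. It also covers only the file named in the tag, not scripts that file loads afterwards.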

Here’s what you can do …

Luckily, there are steps that security teams can take to mitigate or even eliminate the risks of 3rd party vendors. From stringent prevention-level controls that still enable the beneficial usage of 3rd parties all the way to usage limitations that are restrictive and counterproductive, there are practical things that security pros can implement today to protect their companies from the next website supply chain attack.

Prevention is the best option

The best thing security pros can do to prevent an attack like Magecart is to implement technology that controls the access and permissions of every 3rd party running on the page. This insulates websites, their corporate owners, their visitors and private customer data from the inappropriate behaviors of overzealous 3rd parties and the more malicious activities of hackers that seek to exploit them.

Prevention-level approaches for addressing client-side connections not only secure the organization but are required for adequate data control defined by regulatory compliance (e.g. GDPR and California’s newly passed Digital Privacy Law). Without the ability to control private customer data and prevent unauthorized access by 3rd party website vendors or hackers, an organization is in a state of non-compliance.  

Additionally, a major benefit of prevention is that with security and privacy concerns satisfied, the business is free to deploy beneficial 3rd party website tools to achieve the shared goal of the business – revenue generation. By using 3rd parties on otherwise sensitive pages (e.g. payment, registration, login) the business is able to optimize their conversion rates at critical junctions of the customer journey. By using new and innovative tools, the business can be dynamic and differentiate from their peers who are forced to move slower and in a more restricted fashion. The end result is a secure and compliant site that delivers a superior customer experience and produces better analytics.

Monitoring and detection

While prevention is obviously the best method, monitoring provides a less secure and reactive option. Magecart’s multi-year activities are evidence that detection, although helpful, is woefully inadequate. The major inadequacy of detection approaches is that they are incapable of detecting these attacks in real time. Even with a multitude of global sensors, detection schemes may miss highly targeted and hyper-segmented attacks altogether.

Although they may detect an attack, they assuredly will never detect the attack in time for the website owner to avoid some damage. After all, even if the majority of the damage is avoided after detection, any leakage of customer data constitutes a compliance violation that will require full public disclosure. The resulting fines, PR crises and operational fire drills are typically crippling. We have not even begun to discuss that detection approaches have no remediation capability, so the only response is to completely remove the tool and suffer the operational and capital costs associated with losing and/or replacing its functionality. Ultimately, even this removal does not address the root cause leaving the site entirely and continuously exposed to future attacks via another compromised 3rd party tool operating on the site.

Fundamentally, these approaches are not scalable. 3rd party JavaScript changes routinely and sites are frequently changing and rotating the vendors they use. The alert fatigue coupled with the reactive nature of detection and the persistence of the underlying vulnerability renders these approaches severely limited.

Vendor due diligence assessments

Many organizations, and especially those under strict compliance mandates, perform routine, comprehensive vendor security assessments. Although well intended and highly recommended, such exercises only provide a point-in-time assessment – and even then, only produce a comfort-level rating of a vendor’s security program. Any vendor can be breached at any time. In practice we see some of the most seemingly mature and trusted 3rd party website tools be breached and exploited to victimize hundreds of websites. Although these assessments provide a semblance of comfort and satisfy some compliance requirements, they do not provide prevention or even continuous detection. These assessments should be part of a comprehensive security program but are in no way adequate as a stand-alone approach to mitigating or preventing 3rd party risk.

Restricting the usage of 3rd party tools

The last resort would be to exercise a debilitating level of caution. The result is limiting the usage of beneficial 3rd party tools and is entirely counterproductive to the overall goals of the business. Limiting the number of tools used limits the organization’s ability to provide an engaging user experience and extract meaningful analytics. Relying only on “mature” or “trusted” 3rd party vendors and missing out on new and innovative tools makes delivering a compelling, differentiated, and dynamic web presence difficult. Restricting 3rd party tool usage in sensitive areas of the website cripples conversion rates if customer experience and analytics are not optimized at critical points in the customer journey – like account registration, transactions, and check out.

The Time to Act is Now

It’s likely that the more than 800 compromised sites in this attack are just the tip of the iceberg given the amount of time that this attack was running undetected. Similar attacks on major global airlines, online electronics merchants, online mass merchants and credit rating agencies have recently been reported as exploited by this same attack vector.  3rd party vendors have shifted blame to site owners to incorporate the necessary security measures themselves.  It is therefore critical that site owners proactively employ preventative technology to prevent website supply chain attacks and continue to benefit from the differentiating utility they provide.

Next Steps

Quickly access an assessment of your current risk level.

If the industry wide susceptibility to this attack vector does not have you concerned about your own current vulnerability:

Request a customized expert walk-through of data exfiltration on your site at www.sourcedefense.com

From a bird’s-eye view of a CSO with Ian Amit

Apex sat down with Ian Amit, Chief Security Officer of Cimpress, to discuss his views on what it means to be an innovative CSO today while remaining a business enabler. With over a decade of experience in diverse security fields, he shares his experience and advice.

Q: What is IT security doing to support innovation in the enterprise?

A: First and foremost, ensuring that security understands the business needs as far as direction (technologically) and strategy. Then security complements said strategy and not only ensures it is taken through secure means, but also further enables it to take additional risks.

Q: What is the single most important thing CISOs should be focusing on today?

A: Understanding and prioritizing the risks for the business. It’s not a question of a technological vulnerability “du jour” to be addressed (especially if it does not affect the organization’s threat model) and more about being able to correctly utilize the resources at hand to most effectively address the actual relevant risks.

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

A: Independent. The CIO and CISO have potential conflicting views when it comes to technology, and hence should be independent of each other.

Q: Should IT security be a business enabler?

A: Absolutely. IT Security should never come from a “NO” approach, and by definition should enable the business to pursue whatever course of action it deems the most beneficial.

Q: How do you stay abreast of the trends and what your peers are doing?

A: Beyond the continued technological education, working and engaging with peer CSOs and CISOs has been the most beneficial for me as far as keeping up with the news, and mostly around how other executives are meeting their challenges. Forums where there are curated discussions where the members drive the conversations have been the most effective in doing that.

Q: How have you searched for and found the best vendors for your organization?

A: It is a constant cycle of looking for the right vendors for the organization, and in my view the value of VARs has diminished significantly over the years and they are only used to secure the best price point for a product. For me the focus on products is shifting, and I’m spending more on training my internal resources, while augmenting them with the right products. That means continuously challenging our operating model, and also the products we use.

Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?

A: There is definitely a lot of overlap from my perspective, and I feel like a CRO is only applicable in organizations where the majority of the risk contains not only non-information elements, but is highly biased to financial or legal elements. In more “traditional” organizations, I believe that a CSO (who has all security in scope, not just information security) is the executive role responsible for risk overall, and can be coupled with a strong internal audit function to provide full risk management coverage for the organization.

Q: How has the role of the CISO changed over your career?

A: At the beginning of my career, CISOs were mostly IT-Security managers. The scope and focus of those roles have been mostly limited to technology risk and managing the security of the infrastructure and the technology stack. Modern CISOs, and especially CSOs, are tasked with a broader scope which includes the social as well as physical elements of security of the organization.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: Communication is key. Being able to have discussions with your peers in the executive management is critical, and this includes learning to formulate risk in business terms. Only then the application of “our” domain knowledge becomes applicable. One of the most common mistakes I’m seeing with CISOs in general is gravitating back to the engineering-heavy comfort zone where a lot of them came from, while losing focus on the actual mission, which is to secure the organization and enable it to advance.

Why Employees are Your Greatest Cyber Risk

A new study has found that nearly two in five workers admitted to clicking on a link or opening an attachment from a sender they did not recognize.

This security slip-up is significant because it can lead to the installation of malware on their devices and the harvesting of sensitive corporate data.

As a result of the societal BYOD (bring your own device) trend, the Finn Partners Research study shows, more than half of employees (55 percent) are using their personal devices for work, which directly increases vulnerability to hackers, malware and data breaches. In addition, only 26 percent of employees change their login credentials and/or passwords for personal and work applications at least once a month.

“The fastest and easiest way for bad actors to gain access to sensitive organizational data is for employees to click on nefarious links – we know that around 40 percent of our workforce is engaging in such behavior,” said Jeff Seedman, senior partner at Finn Partners who leads the firm’s U.S. cybersecurity specialty group. “Employees often assume their personal devices are secure, but then neglect to update their software regularly or put any protection policies in place. This is a serious problem, especially if a device loaded with company data gets lost, stolen or hacked.”

Only 25 percent of employees said they receive “cyber hygiene” training on a monthly basis from their IT team. Cyber hygiene refers to the updating of operating systems on devices, checking for security patches, and changing passwords […]

50% of Retailers Experienced a Data Breach Last Year

Three-quarters of U.S. retailers have experienced a data breach, half in the last year, says the Thales 2018 Data Threat Report.

According to U.S. retail respondents, 75% of retailers have experienced a breach in the past compared to 52% last year, exceeding the global average. U.S. retail is also more inclined to store sensitive data in the cloud as widespread digital transformation is underway, yet only 26% report implementing encryption, trailing the global average.

Year-over-year breach rate takes a turn for the worse

While last year’s report showed an encouraging decrease in breaches, this year U.S. retail data breaches more than doubled from 19% in the 2017 survey to 50%. This massive increase drove U.S. retail to be the second highest vertical polled to experience a data breach in the last year, ahead of healthcare and financial services and only slightly behind the U.S. federal government.

Digital transformation brings increased risks to data

According to the report, 95% of U.S. retail organizations will use sensitive data in an advanced technology environment (such as cloud, big data, IoT and containers) this year. More than half believe that sensitive data use is happening now in these environments without proper security in place. Each of these technology environments comes with unique security challenges. As the attack surface increases, unique data security challenges need to be addressed.

The increase in attacks against the retail sector calls into question why spending on data security isn’t more significant. Ironically, in the U.S., the traditional concerns about data security related to perceived complexity and business performance impact are now outpaced by a perceived lack of need, which was cited by 52% of respondents. Although not exactly the same globally, a lack of organizational buy-in was tied to 41% not perceiving a need for data security. The message here is that management needs a sense of urgency, and security professionals must do a better job of selling the importance of data security.

Security spending is up but not aligning with risk

The good news is that U.S. retail organizations are responding to the ever-increasing threat with 84% citing plans to increase IT security spending and 28% noting the increase would be significant. The bad news is that spending is not going to what respondents believe are the most effective defenses.

The retail sector recognizes the need for encryption to protect sensitive data. Forty-nine percent require encryption to increase cloud usage and 44% need system level encryption and access controls to expand the use of big data. More than half (52%) believe encryption (along with anti-malware tools) is needed to drive IoT adoption. This is in addition to encryption being the number one choice to satisfy compliance and data security laws such as GDPR, Korea’s PIPA and APPI in Japan.

Seemingly contradicting themselves, both U.S. and global retail ranked endpoint and mobile defenses as those that will get the largest spending increase (72% U.S.; 52% global) even though they rank them the least effective. A bright spot is that more organizations are recognizing the threat to cloud data, and with that, 49% of respondents have ranked cloud at the top of their IT security spending priorities […]

Discussions with Malik Bernard on the pathway to cyber success

Apex sat down with Malik Bernard, Executive Head, Cyber Governance (Cyber Security and GRC) at the City of New York to discuss the cyber journey. With over 20 years overall in the space of Cybersecurity, Enterprise IT Strategy and Design, Vendor Management coupled with IAM and DLP program implementation, he shares his experience on the pathway to cyber success.

Q: What is IT security doing to support innovation in the enterprise?

A: This is an interesting question. On its face, it is a simple question, but if you give it some thought, there has to be a distinction between IT Security and how it supports Cyber. Within IT Security, one may look at Data, Hardware/Software and Artificial Intelligence. I know from performing hands-on labs and working with industry leaders and analysts that the trend is towards:

  • Hardware Authentication
  • Machine Learning coupled with Behavior Analytics
  • Cloud Security or should I say, better cloud security, beyond Firewalls, Storage etc. In this space, virtualization still rules and the implementation of Virtual IPS/IDS is paramount as part of an overall Cloud security strategy.

Q: Should IT security be a business enabler?

A: Everyone and every department should support the business through smart hiring, defined, well-documented processes and procedures and with appropriate technologies.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I listen to smarter people than myself. I have, within my circle of those whom I trust, non-biased individuals who aren’t afraid to tell me no and to share with me what they really think, and I attend a few workshop forums yearly to challenge and stretch my knowledge.

Q: How have you searched for and found the best vendors for your organization?

A: It helps to be the SME or subject matter expert or know a few on a variety of business and tech needs. This way, you can cut through the ‘pitch’ and get to the ‘how will this help solve the challenge(s) we’re currently facing’ and how will it scale.

Q: What is the biggest challenge for a CISO today?

A: This one depends on many factors: the size of the organization; the amount of power and control trusted and given to the CISO. I would say, keeping up with the ever-changing attack surface of the enterprise and ensuring that one’s defensive posture is the ‘right size’ for their environment.

Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?

A: CISOs are more focused on tech, cyber, etc. CROs are more focused on Risk, Threats etc. They both should work closely together to ensure a full 360 view of Risk and Threats across the landscape.

Q: How has the role of the CISO changed over your career?

A: I’ve actually changed and defined in my prior role, what a next generation CISO should be focused on and how to get quick wins, towards a sustainable strategy of measured success. This role simply validated what I’ve been doing in prior, non exec, C-Suite positions.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: Discern what’s real, what’s perceived and what’s noise. Find a way to cut through the ‘pitch’ and understand how x may occur and have in place, 2, 3 options at the ready to defend the organization. Finally, listen more, speak less and be curious.

Mr. Bernard is the Senior Executive Head of the City of New York, where he heads up the City’s Cyber Governance Tower. He was also in charge of leading the following domain areas: Software Security Assurance akin to SDLC, Cybersecurity and Awareness Training and IT Risk.

Prior to joining the City of New York, Mr. Bernard held the role of Chief Information Security Officer (CISO) for a global technology company, where his and his team’s focus was on Cybersecurity (Identity Access Management, Data Leakage Prevention, Threat Management, GRC and Privacy Management).

Gartner: Top Six Security and Risk Management Trends

As business leaders become increasingly conscious of the impact cybersecurity can have on business outcomes, they should harness increased support and take advantage of six emerging trends (listed below) to improve their enterprise’s resilience and elevate their own standing, according to Gartner, Inc.

  1. Senior business executives are finally becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation. “Business leaders and senior stakeholders at last appreciate security as much more than just tactical, technical stuff done by overly serious, unsmiling types in the company basement,” says Peter Firstbrook, research vice president at Gartner. “Security organizations must capitalize on this trend by working closer with business leadership and clearly linking security issues with business initiatives that could be affected.”
  2. Legal and regulatory mandates on data protection practices are impacting digital business plans and demanding increased emphasis on data liabilities. “It’s no surprise that, as the value of data has increased, the number of breaches has risen too,” says Firstbrook. “In this new reality, full data management programs — not just compliance — are essential, as is fully understanding the potential liabilities involved in handling data.”
  3. Security products are rapidly exploiting cloud delivery to provide more agile solutions. “Avoid making outdated investment decisions,” advises Firstbrook. “Seek out providers that propose cloud-first services, that have solid data management and machine learning (ML) competency, and that can protect your data at least as well as you can.”
  4. Machine learning is providing value in simple tasks and elevating suspicious events for human analysis. Gartner predicts that by 2025, machine learning will be a normal part of security solutions and will offset ever-increasing skills and staffing shortages. But buyer beware, says Firstbrook: “Look at how ML can address narrow and well-defined problem sets, such as classifying executable files, and be careful not to be suckered by hype. Unless a vendor can explain in clear terms how its ML implementation enables its product to outperform competitors or previous approaches, it’s very difficult to unpack marketing from good ML.”
  5. Security buying decisions are increasingly based on geopolitical factors along with traditional buying considerations. Increasing levels of cyber warfare, cyber political interference and government demands for backdoor access to software and services have resulted in new geopolitical risks in software and infrastructure buying decisions, Gartner says. “It’s vital to account for the geopolitical considerations of partners, suppliers and jurisdictions that are vital to your organization,” says Firstbrook. “Include supply chain source questions in RFIs, RFPs and contracts” […]

65 Percent of Organizations Believe IoT Increases OT Security Risks

According to Kaspersky Labs State of Industrial Cybersecurity 2018 survey, 65% of organizations globally believe that operational technology (OT) or Industrial Control Systems (ICS) risks are more likely with the Internet of Things (IoT). Over the next year, 53% say that realizing IoT use cases and managing connected devices is a major priority.

As OT and IT converge, organizations can use IoT devices to boost the efficiency of industrial processes, but these devices and processes also present new risks and points of vulnerability. Industrial organizations surveyed feel unsafe, with 77% of respondents saying their organization is likely to become the target of a cybersecurity incident involving their industrial control networks.

Of the concerns related to IoT, 54% of respondents claim that the increased risks associated with connectivity and IoT integration are a major cybersecurity challenge, as well as new types of IoT security measures that need to be implemented (50%) and implementation of IoT use cases (45%).

According to Kaspersky Labs, companies relying on ICS are falling victim to conventional threats, including malware and ransomware. Almost two-thirds of companies experienced at least one conventional malware or virus attack on their ICS in the last year, 30% suffered a ransomware attack, and 27% had their ICS breached due to the errors and actions of employees.

Targeted attacks affecting the industrial sector accounted for only 16% in 2018 (down from 36% in 2017) […]