Why Employees are Your Greatest Cyber Risk

A new study has found that nearly two in five workers admitted to clicking on a link or opening an attachment from a sender they did not recognize.

This security slip-up is significant due to the installation of malware on their devices and the harvesting of sensitive corporate data.

Resulting from the societal BYOD (bring your own devices) trend, the Finn Partners Research study shows that more than half of employees (55 percent) are using their personal devices for work, which directly impacts increased vulnerability to hackers, malware and data breaches. In addition, only 26 percent of employees change their login credentials and/or passwords for personal and work applications at least once a month.

“The fastest and easiest way for bad actors to gain access to sensitive organizational data is for employees to click on nefarious links – we know that around 40 percent of our workforce is engaging in such behavior,” said Jeff Seedman, senior partner at Finn Partners who leads the firm’s U.S. cybersecurity specialty group. “Employees often assume their personal devices are secure, but then neglect to update their software regularly or put any protection policies in place. This is a serious problem, especially if a device loaded with company data gets lost, stolen or hacked.”

Only 25 percent of employees said they receive “cyber hygiene” training on a monthly basis from their IT team. Cyber hygiene refers to the updating of operating systems on devices, checking for security patches, and changing passwords […] Read more »

 

 

50% of Retailers Experienced a Data Breach Last Year

Three-quarters of U.S. retailers have experienced a data breach, half in the last year, says the Thales 2018 Data Threat Report.

According to U.S. retail respondents, 75% of retailers have experienced a breach in the past compared to 52% last year, exceeding the global average. U.S retail is also more inclined to store sensitive data in the cloud as widespread digital transformation is underway, yet only 26% report implementing encryption – trailing the global average.

Year-over-year breach rate takes a turn for the worse

While last year’s report showed an encouraging decrease in breaches, this year U.S. retail data breaches more than doubled from 19% in the 2017 survey to 50%. This massive increase drove U.S. retail to be the second highest vertical polled to experience a data breach in the last year, ahead of healthcare and financial services and only slightly behind the U.S. federal government.

Digital transformation brings increased risks to data
According to the report, 95% of U.S. retail organizations will use sensitive data in an advanced technology environment (such as cloud, big data, IoT and containers) this year. More than half believe that sensitive data use is happening now in these environments without proper security in place. Each of these technology environments comes with unique security challenges. As the attack surface increases, unique data security challenges need to be addressed.

The increase in attacks against the retail sector calls into question why spending on data security isn’t more significant. Ironically, in the U.S., the traditional concerns about data security related to perceived complexity and business performance impact are now outpaced by a perceived lack of need, which was cited by 52% of respondents. Although not exactly the same globally, a lack of organizational buy-in was tied to 41% not perceiving a need for data security. The message here is that management needs a sense of urgency, and security professionals must do a better job of selling the importance of data security.

Security spending is up but not aligning with risk

The good news is that U.S. retail organizations are responding to the ever-increasing threat with 84% citing plans to increase IT security spending and 28% noting the increase would be significant. The bad news is that spending is not going to what respondents believe are the most effective defenses.

The retail sector recognizes the need for encryption to protect sensitive data. Forty-nine percent require encryption to increase cloud usage and 44% need system level encryption and access controls to expand the use of big data. More than half (52%) believe encryption (along with anti-malware tools) is needed to drive IoT adoption. This is in addition to encryption being the number one choice to satisfy compliance and data security laws such as GDPR, Korea’s PIPA and APPI in Japan.

Seemingly contradicting themselves, both U.S. and global retail ranked endpoint and mobile defenses as those that will get the largest spending increase (72% U.S.; 52% global)) even though they rank them the least effective.  A bright spot is that more organizations are recognizing the threat to cloud data and with that 49% of respondents have ranked cloud at the top of their IT security spending priorities […] Read more »

 

 

Discussions with Malik Bernard on the pathway to cyber success

 

Apex sat down with Malik Bernard, Executive Head, Cyber Governance (Cyber Security and GRC) at the City of New York to discuss the cyber journey. With over 20 years overall in the space of Cybersecurity, Enterprise IT Strategy and Design, Vendor Management coupled with IAM and DLP program implementation, he shares his experience on the pathway to cyber success.

Q: What is IT security doing to support innovation in the enterprise?

A: This is an interesting question; On its face, a simple question; but if you give it some thought, there has to be a distinction between IT Security and  how it supports Cyber. Within IT Security, one may look at Data, Hardware/Software and Artificial Intelligence. I know from performing hands on labs, working with industry leaders, and analysts, the trend is towards

  • Hardware Authentication
  • Machine Learning coupled with Behavior Analytics
  • Cloud Security or should I say, better cloud security, beyond Firewalls, Storage etc. In this space, virtualization still rules and the implementation of Virtual IPS/IDS is paramount as part of an overall Cloud security strategy.

Q: Should IT security be a business enabler?

A: Everyone and every department, should support the business through smart hiring, defined, well documented processes and procedures and with appropriate technologies.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I listen to smarter people than myself. I have within my circle of whom I trust, those that are non-bias individuals who aren’t afraid to tell me no, share with me what they really think and I attend a few workshop forums yearly to challenge and stretch my knowledge.

Q: How have you searched for and found the best vendors for your organization?

A: It helps to be the SME or subject matter expert or know a few on a variety of business and tech needs. This way, you can cut through the ‘pitch’ and get to the ‘how will this help solve the challenge(s) we’re currently facing’ and how will it scale.

Q: What is the biggest challenge for a CISO today?

A: This one depends on many factors; The size of the organization; The amount of power and control trusted and given to the CISO. I would say, keeping up with the ever changing attack surface of the enterprise and ensuring that one’s defensive posture, is the ‘right size’ for their environment.

Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?

A: CISOs are more focused on tech, cyber, etc. CROs are more focused on Risk, Threats etc. They both should work closely together to ensure a full 360 view of Risk and Threats across the landscape.

Q: How has the role of the CISO changed over your career?

A: I’ve actually changed and defined in my prior role, what a next generation CISO should be focused on and how to get quick wins, towards a sustainable strategy of measured success. This role simply validated what I’ve been doing in prior, non exec, C-Suite positions.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: Discern what’s real, what’s perceived and what’s noise. Find a way to cut through the ‘pitch’ and understand how x may occur and have in place, 2, 3 options at the ready to defend the organization. Finally, listen more, speak less and be curious.

 

Mr. Bernard is the Senior Executive Head of the City of New York, where he heads up the City’s Cyber Governance Tower. He was also in charge of leading the following domain areas: Software Security Assurance akin to SDLC, Cybersecurity and Awareness Training and IT Risk.

Prior to joining the City of New York, Mr. Bernard held the role of Chief Information Security Officer (CISO), for a global technology company, where his and his team’s focus was on Cybersecurity (Identity Access Management, Data Leakage Prevention, Threat Management, GRC and Privacy Management.)

 

Gartner: Top Six Security and Risk Management Trends

As business leaders become increasingly conscious of the impact cybersecurity can have on business outcomes, they should harness increased support and take advantage of six emerging trends (listed below) to improve their enterprise’s resilience and elevate their own standing, according to Gartner, Inc.

  1. Senior business executives are finally becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation. “Business leaders and senior stakeholders at last appreciate security as much more than just tactical, technical stuff done by overly serious, unsmiling types in the company basement,” says Peter Firstbrook, research vice president at Gartner. “Security organizations must capitalize on this trend by working closer with business leadership and clearly linking security issues with business initiatives that could be affected.”
  2. Legal and regulatory mandates on data protection practices are impacting digital business plans and demanding increased emphasis on data liabilities. “It’s no surprise that, as the value of data has increased, the number of breaches has risen too,” says Firstbrook. “In this new reality, full data management programs — not just compliance — are essential, as is fully understanding the potential liabilities involved in handling data.”
  3. Security products are rapidly exploiting cloud delivery to provide more agile solutions.“Avoid making outdated investment decisions,” advises Firstbrook. “Seek out providers that propose cloud-first services, that have solid data management and machine learning (ML) competency, and that can protect your data at least as well as you can.”
  4. Machine learning is providing value in simple tasks and elevating suspicious events for human analysis. Gartner predicts that by 2025, machine learning will be a normal part of security solutions and w3ill offset ever-increasing skills and staffing shortages. But buyer beware, says Firstbrook: “Look at how ML can address narrow and well-defined problem sets, such as classifying executable files, and be careful not to be suckered by hype. Unless a vendor can explain in clear terms how its ML implementation enables its product to outperform competitors or previous approaches, it’s very difficult to unpack marketing from good ML.”
  5. Security buying decisions are increasingly based on geopolitical factors along with traditional buying considerations. Increasing levels of cyber warfare, cyber political interference and government demands for backdoor access to software and services have resulted in new geopolitical risks in software and infrastructure buying decisions, Gartner says. “It’s vital to account for the geopolitical considerations of partners, suppliers and jurisdictions that are vital to your organization,” says Firstbrook. “Include supply chain source questions in RFIs, RFPs and contracts”  […] Read more »

 

 

65 Percent of Organizations Believe IoT Increases OT Security Risks

According to Kaspersky Labs State of Industrial Cybersecurity 2018 survey, 65% of organizations globally believe that operational technology (OT) or Industrial Control Systems (ICS) risks are more likely with the Internet of Things (IoT). Over the next year, 53% say that realizing IoT use cases and managing connected devices is a major priority.

As OT and IT converge, organizations can use IoT devices to boost the efficiency of industrial processes, but these devices and processes also present new risks and points of vulnerabilities. Industrial organizations surveyed feel unsafe, with 77% of respondents saying their organization is likely to become the target of a cybersecurity incident involving their industrial control networks.

Of the concerns related to IoT, 54% of respondents claim that the increased risks associated with connectivity and IoT integration are a major cybersecurity challenge, as well as new types of IoT security measures that need to be implemented (50%) and implementation of IoT use cases (45%).

According to Kaspersky Labs, companies relying on ICS are falling victim to conventional threats, including malware and ransomware. Almost two-thirds of companies experienced at least one conventional malware or virus attack on their ICS in the last year, 30% suffered a ransomware attack, and 27% had their ICS breached due to the errors and actions of employees.

Targeted attacks affecting the industrial sector accounted for only 16% in 2018 (down from 36% in 2017)  […] Read more »

 

 

Las Vegas Most Insecure Cyber City in US

A new study, Cybersecurity in the City: Ranking America’s Most Insecure Metros, has identified Las Vegas, Memphis and Charlotte as America’s most cyber insecure cities.

America’s Most Insecure Metros

10. Tampa – St. Petersburg
9. Orlando – Daytona Beach
8. West Palm Beach – Ft. Pierce
7. Jacksonville
6. Birmingham
5. Providence
4. Houston
3. Charlotte
2. Memphis
1. Las Vegas

America’s Least Vulnerable Metros

5. St. Louis
4. Seattle – Tacoma
3. Norfolk-Portsmouth-Newport News
2. Greensboro – Winston Salem
1. Richmond

“The Cybersecurity in the City: Ranking America’s Most Insecure Metros report emphasizes just how expansive both the vulnerability and threat landscapes have gotten in the U.S.,” said Guy Moskowitz, founder & CEO, Coronet. “While big companies may have the budgets, personnel and resources to protect their assets reasonably well, mid-market and small businesses are mostly left to fend for themselves. This is both unfortunate and a recipe for disaster” […] Read more »

 

Why People are ‘Password Walking’

A recent study of 61 million leaked passwords from Virginia Tech and Dashlane uncovered troubling password patterns.

Dashlane researchers examined the data for patterns, illuminating simple mistakes that continue to be made by people who use passwords in daily life, which is to say—virtually everyone. The Dashlane researchers found patterns across the keyboard, from not-so-randomly chosen letters and numbers to, popular brands and bands, and even passwords created out of apparent frustration.

Dashlane researchers discovered a high frequency of passwords containing combinations of letters, numbers, and symbols that are adjacent to one another on the keyboard. This practice, known as “Password Walking,” highlights the apathetic attitude most users have towards password creation, preferring convenience over security.

When users “Password Walk” they are creating passwords that are far from secure. Most hackers are keenly aware of the human tendency to rely on convenience and can easily exploit these common passwords.

Most are familiar with versions of “Password Walking,” such as “qwerty” and “123456”, but Dashlane’s researchers uncovered several other combinations that are frequently used:

These passwords are all comprised of keys on the left-hand side of standard keyboards. This means users can simply use the pinky or ring finger on their left hand to type their entire password. However convenient this may be, saving a few seconds is not worth the loss of one’s critical financial and/or personal data due to an account hack.

TThe study said, “The prevalence of “Password Walking” is troubling and should make anyone using such passwords take another look at their password practices. Genuinely random and unique passwords are essential to password security; punching a bunch of adjacent characters will not cut it.”

Vices like Coca Cola and Skittles seep into all corners of life, even passwords, the study said. The ten most frequent brand-related passwords:

  1. myspace *experienced a major breach in 2016
  2. mustang
  3. linkedin *experienced a major breach in 2016
  4. ferrari
  5. playboy
  6. mercedes
  7. cocacola
  8. snickers
  9. corvette
  10. skittles

Unsurprisingly, said the study, pop culture references were also prevalent. It would be wise to remember that using passwords that use names or common phrases is not a safe practice.

The ten most frequent pop culture passwords:

  1. superman
  2. pokemon
  3. slipknot
  4. starwars
  5. metallica
  6. nirvana
  7. blink182
  8. spiderman
  9. greenday
  10. rockstar

Last, as the world prepares for the Champions League Final this weekend, the study suggested that fans of the game should refrain from showing love for their favorite club in their passwords […] Read more »

 

 

GDPR: Will Your Company Be Fine or Fined?

Mayday, mayday” is a standard international distress signal. With the European Union’s General Data Protection Regulation (GDPR) going live on May 25, 2018, the phrase seems particularly apt.

What is the GDPR? Weighing in at over 50,000 words, the GDPR revises a decades-old EU privacy directive that harkens back to 1995, a time when there was more postal mail than email. The GDPR restricts how organizations can collect, use and retain personal data, and provides Europeans with certain rights to halt collection, and to obtain copies, correction and, at times, destruction of their data.

How does it impact U.S. businesses? The EU seeks to apply the GDPR to all companies regardless of location if they collect personal data from individuals in the EU, such as through websites targeting EU consumers with goods or services (whether paid or unpaid), or by monitoring the behavior of people in the EU. The GDPR also applies to vendors (and corporate partners and affiliates) who end up storing, transferring, processing or using EU personal data even though another company initially collected it.

What are the Cybersecurity Requirements? Companies must implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”  Doing so requires an organization to evaluate “the state of the art” of security; the costs of implementation; the nature, scope, context and purposes of processing the personal data; and the risks to individual rights and freedoms. Data protection must be implemented “by design and by default.”

Are there breach notification requirements? Yes. If a data breach is likely to result in “a risk” to an individual’s rights and freedoms, the company must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. When the breach is likely to result in a “high risk” to rights and freedoms, notifications also must be made without undue delay to the affected individuals.

Can we get ready in a few weeks? It is unlikely. The EU gave companies two years. Still, achieving compliance may be more straightforward for organizations that do not collect sensitive categories of personal data (race, ethnicity, health, sex life, sexual orientation, criminal history, trade union membership, political/religious/philosophical beliefs, genetics or biometrics) and whose activities are unlikely to result in high risks to individual rights and freedoms (such as through large-scale data processing, new technologies or systematic monitoring, profiling and automated decision-making) […] Read more »

 

 

Security Budgets Increasing, But Qualified Cybertalent Remains Hard to Find

The worldwide cybersecurity skills gap continues to present a significant challenge, with 59 percent of information security professionals reporting unfilled cyber/information security positions within their organization, according to ISACA’s cybersecurity workforce research.

According to the report,

  • High likelihood of cyberattack continues. Four in five security professionals (81 percent) surveyed indicated that their enterprise is likely or very likely to experience a cyberattack this year, while 50 percent of respondents indicate that their organization has already experienced an increase in attacks over the previous 12 months.;
  • Nearly 1 in 3 organizations (31 percent) say their board has not adequately prioritized enterprise security.
  • Men tend to think women have equal career advancement in security, while women say that’s not the case. A 31-point perception gap exists between male and female respondents, with 82 percent of male respondents saying men and women are offered the same opportunities for career advancement in cybersecurity, compared to just 51 percent of female respondents. Of those surveyed, about half (51 percent) of respondents report having diversity programs in place to support women cybersecurity professionals.
  • Individual contributors with strong technical skills continue to be in high demand and short supply. More than 7 in 10 respondents say their organizations are seeking this kind of candidate.

Yet, there are several positive and promising insights in the ISACA data:

  • Time to fill open cybersecurity positions has decreased slightly. This year, 54 percent of respondents say filling open positions takes at least three months, compared to last year’s 62 percent.
  • Gender disparity exists but can be mitigated through effective diversity programs.Diversity programs clearly have an impact. In organizations that have one, men and women are much more likely to agree that men and women have the same career advancement opportunities. Eighty-seven percent of men say they have the same opportunities, as compared to 77 percent of women. While a perception gap remains, it is significantly smaller than the 37-point gap among men and women in organizations without diversity programs (73 percent of men in organizations without diversity programs say advancement opportunities are equal, compared to 36 percent of women).
  • Security managers are seeing a slight improvement in number of qualified candidates.Last year, 37 percent of security professionals said fewer than 25 percent of candidates for security positions were sufficiently qualified. This year, that number dropped to 30 percent.
  • Budgets are increasing. Sixty-four percent of respondents indicate that security budgets will increase this year, compared to 50 percent last year […] Read more »

 

 

The Quantum Computing Revolution

“Only six electronic digital computers would be required to satisfy the computing needs of the entire United States.” A prediction made by Howard Aiken in 1947 which on hindsight, we can all agree on has not turned out to be very prophetic. The need for processing power has continuously been on the rise and for the most part, the need has been catered through an unparalleled evolution of chip technology as forecasted by Moore’s Law. Moore’s Law states that the number of components that can fit on a computer chip will double roughly every two years, which in turn will improve the processing capabilities of computer chips. The law which is more of an observation rather than a physical law has held true over the decades and has seen digital computers which originally took up entire rooms reduced to being carried around in our very own pockets. But with components reaching atomic scales, and more and more money being fueled in to make chips smaller and faster, it has now come to a point where we cannot count on chip technology to advance as predicted by Moore’s Law. Hence, alternatives are being pursued and developments are being made which has given rise to the idea of quantum computing.

The traditional computer at its very core performs simple arithmetic operations on numbers stored in its memory. The key is the speed at which this is done, which allows computers to string these operations together to perform more complex things. But as the complexity of the problem increases, so does the number of operations that is required to reach a solution; And in this present day and age, some specific problems that we need to solve, far surpasses the computing capabilities of the modern computer. This, however, has also been used to our advantage, as modern cryptography which is at the core of cyber-security, relies on the fact that brute forcing complex mathematical problems is a practical impossibility.

Quantum computers, in theory, do things differently. Information is represented in physical states that are so small that they obey the laws of Quantum Mechanics. This information is stored in quantum bits known as qubits rather than the traditional binary bits used in conventional computers. Quantum Mechanics allows a qubit to store a probability of its value as either a 0 or 1 with the exact value of the qubit unknown until it is measured. Without getting too technical, this allows a quantum computer to contain several states at the same time, giving it the potential to be millions of times faster at solving certain problems than classical computers. This staggering computational power, in theory, could be used to render modern cryptography obsolete.

Modern cryptography relies on complex mathematical problems that would take computers hundreds, thousands or even millions of years to solve. This practical limitation is what keeps our cryptography based security systems secure. But with quantum computers, it is theoretically possible that these solutions could be reached in days or even hours, posing a massive vulnerability threat to our current encryption. If cryptography collapses, so will all our security.

But a quantum world is not all doom and gloom. Active research is already being done on quantum safe algorithms that can replace current algorithms that are under threat from the capabilities of a quantum computer. Theoretically, these quantum safe algorithms could prove to be more secure than anything we currently know of. Another area where quantum computing is likely to shine is in Big Data. With cross industry adoption of new technologies, the world is transforming itself into a digital age. This is sure to pose new problems well beyond the capabilities of modern computers as the complexity and the size of data keeps increasing. The challenge lies in converting real-world problems into a quantum language, but if that is accomplished, in quantum computing we will have a whole new computational system to tackle these problems.

It is important to realize that quantum computing is still in its infancy and almost all of the hype surrounding it is theoretical. But it is clear that the technology promises a revolution in computing, unlike anything we have seen before. It is also important to understand that quantum computers are not a replacement to the classical computer; Rather, it is specialized at solving a particular set of problems that are beyond the powers of a modern computer. This opens up a vast avenue of possibilities for quantum computing. The traditional computer will still have its place but with the world moving more and more towards a data-driven future, expect quantum computers to play a vital role in the future of technology.