Trial Before the Fire: How to Test Your Incident Response Plan to Ensure Consistency and Repeatability

While many organizations go to great lengths to set up effective security operations incident response plans, few proactively test their processes to ascertain how they will work when faced with a real threat.

Fifty-nine percent of incident response (IR) professionals admit that their organizations follow a reactive approach, according to a report from Carbon Black. Essentially, teams assume their processes work reasonably well to address the incident at hand … until they don’t. While organizations must have IR plans in place, it’s even more important that they a) work consistently and b) are updated and improved over time.

Testing incident response processes within the security operations center (SOC) should yield two important results: a clear understanding of whether your plan is likely to work and a list of gaps that should be addressed. There is no point testing them if the findings will play no role in optimizing your processes.

Lessons learned from your tests must be properly documented for them to have real, lasting value for your security operations team. Plus, you don’t want to find out your emergency plans don’t work when disaster strikes. What makes sense on paper or the whiteboard often doesn’t work as planned when put into practice.

Schools run fire drills, so everyone knows what to do when the bells go off. So, why aren’t we applying this logic more broadly in cybersecurity?

What is incident response?

IR refers to the systematic response to and management of events following a cyberattack or data breach. It involves a series of actions and activities aimed at reducing the impact of such an event.

A typical IR plan includes six phases that help the affected organization recover from an incident, or at least contain it, once it occurs: preparation, identification, containment, eradication, recovery and lessons learned.

When building an effective IR plan, security teams should determine the following:

  • The purpose of the plan.
  • Details on how to use the plan.
  • Your ability to respond to different incident types – including unauthorized access, malicious code, denial of service and inappropriate usage – and whether your information assets would be affected by such events.
  • Event handling protocols for each incident type and how to respond. This should include a checklist of which playbook needs to be triggered in the event of a cyberattack or breach. (A playbook, also known as a runbook, is common to the SOC and defines the flow of activities associated with a specific security issue and subsequent investigation and response. The goal is to build a consistent set of activities followed in every case, no matter the analyst assigned to it.)
  • Your ability to set up a “war room” for critical decision makers to receive and share information across the organization.

Testing the waters

Once you have a clear, documented plan in place, you should periodically test it through simulations to assess effectiveness and make continuous improvements. So, how can you put your processes to the test? Most security operations teams today use three methods:

1) Paper tests

Paper tests are the most theoretical method and likely the first step for security operations teams that don’t have well-documented processes. However, they leave too much room for error and should only be used to look for small process changes.

2) Tabletop exercises

These scenarios consist of company stakeholders sitting around a, you guessed it, table and running through a mock security event. While these exercises may appear informal, you should prepare well in advance, make sure the right individuals participate from across the organization and that the scenario is as real as possible. Allow for up to half a day to put key processes through their paces and troubleshoot as you go.

3) Simulated attacks

The most effective way to pressure test your processes is to simulate a real-world attack to see how your organization will respond.[…]

How Cybersecurity Leaders Can Best Navigate the C-Suite

Recent data breaches at companies like British Airways and Capital One have made it more evident than ever before that cybersecurity leaders must prepare for a staggering amount of potential threats. Credential stuffing, account takeovers, and insider threats are all vectors of attack that could potentially devastate a business. But without the C-suite’s support, it’s impossible for cybersecurity leaders to effectively plan for and defend against these threats.

If the C-suite doesn’t fully understand a security risk, they likely won’t prioritize investing to defend against the potential threat. This, of course, can lead to disastrous consequences, like losing loyal customers, hurting brand reputation, or incurring major fines. The British Airways breach led to a fine of almost $230 million, and that doesn’t include intangible losses like a damaged reputation. As a result, it’s up to the security leaders to effectively communicate and position security risks to company leaders and decision-makers.

Here are five tips to help cybersecurity leaders navigate the C-suite:

Make cybersecurity a priority—for everyone

While leaders acknowledge security is a vital part of their organization, they often prioritize other initiatives that provide a more direct return on investment. According to a recent study from Nominet, 90 percent of C-suite members think their organization lacks the proper resources to defend against a cyberattack, and 76 percent of them think a security breach is inevitable. This highlights a disconnect: While C-suite executives acknowledge security is an issue, they’re not doing all they can to protect their organizations.

In another report from Wipro, 72 percent of organizations cited employee negligence and lack of awareness as a top cyber risk. Because of this, cybersecurity leaders need to find ways to relate cybersecurity to all departments of a business. Pushing everyone in the organization—not just the C-suite and IT teams—to think about security through awareness programs and other initiatives is necessary for any organization. When everyone actively thinks about cybersecurity and how it affects the overall well-being of the company, preventative measures will be more effective. Whenever presenting a specific threat, take a minute to explain why all employees across the business, including the C-suite, should care about it. For instance, the CMO will likely be interested to know how a hacked third-party tag on the website could steal customers’ personal information, thus violating user privacy regulations and affecting brand reputation. By working with the C-suite to make the business security efforts a top priority across the company, nobody will be caught off guard in the case of a new threat or a security incident.

Attach cybersecurity needs to business requirements

Cybersecurity leaders often have difficulty quantifying risk into impact, or cash cost, and presenting it in a way that aligns with business goals. For example, a member of the security team might need to explain to the C-suite why an organization should purchase a new encryption service. Instead of only speaking to the importance of encryption and broadly mentioning that it could save the organization money down the road, point out some industry statistics to back it up. A recent IBM study suggests that encryption reduces the cost of a data breach by $360,000 on average—a number that should persuade anyone to consider better encryption. A simple cost-benefit analysis is all that’s needed.

Overall, security leaders should communicate threats in an easily digestible way, but also show how the small initial cost to close a security hole can prevent a more significant cost down the road. According to the same IBM study, the average data breach costs an organization $3.92 million—a crippling setback for any organization. If possible, spell out what a cyber threat could cost the organization, including costs around incident response, potential fines, and lost customers.

Get to the point

The C-suite has a lot of responsibilities. If security teams present them with too much information at once, C-suite executives might overlook critical details. It rests on the cybersecurity leader’s shoulders to provide just enough information to show impact, but not too much to lose their audience. Explain essential details, like the immediacy of an attack or how many people it could affect. Diving into the technical specifics of credential stuffing or email phishing attacks, however, might not be the best strategy to get a CEO’s attention. Leave out extremely technical jargon along with the non-essential graphs and charts […]


What Do You Need to Know About the California Consumer Privacy Act?

When the General Data Protection Regulation (GDPR) was enacted more than a year ago, it was far-reaching, and many organizations were caught off guard because they thought it didn’t apply to them. But in fact, it did. Now the California Consumer Privacy Act (CCPA) is about to go into effect (Jan. 1, 2020), and any enterprise that does business in the state of California will need to change the way it manages personal information.

California has the fifth largest economy in the world. In fact, it’s actually bigger than that of the United Kingdom. Why is this relevant? Well, given the size of California’s economy, this legislation will clearly have a considerable global impact. It will tip the scales on privacy around the world. To prepare for the CCPA and other future data security legislation, organizations must focus on identifying the types of personal information they have and evaluating the flow of that data coming in and going out of the organization. Getting a handle on the flow of your sensitive data is also a great early step toward avoiding a breach, regardless of the regulations you need to follow. More importantly, it is the foundation of a solid data privacy strategy, which should be the end goal for global enterprises.

CCPA is only one in a myriad of data security regulations that will come to pass in the next few years. No organization can afford to develop an entirely new strategy for each regulation, so now is the time to develop a comprehensive data privacy policy that ensures the safe handling of all data, and particularly sensitive data. A few baseline practices can set your organization up for safe data handling and help you avoid starting from scratch every time a regulation changes or a new one comes out.

The objective of these guidelines is to provide you with some pragmatic thoughts around preparing for CCPA. They are based on conversations we had with security and data executives at enterprises worldwide regarding what’s worked best for them to address CCPA and other pending data privacy regulations.

1. Break Down Data Silos

As organizations mature, departmental silos naturally emerge as the business evolves and expands into different areas. As part of this evolution, each business segment develops its own way of generating, collecting and managing data. However, when it comes to data protection strategies and meeting privacy regulations, businesses must break down these internal walls to consistently protect data across the entire organization. Privacy is an organization-wide initiative and stakeholders need solutions that have an impact in all areas.

Data protection solutions themselves should not be siloed either. The most successful programs take advantage of the data security frameworks and processes that already exist in individual departments. For example, instead of simply focusing on identifying and categorizing data to help meet CCPA mandates, consider the security technologies already in place and how data categorization can integrate with them to drive further success from a security standpoint. Consider how data context through classification and categorization can be used in other areas of the business or to power existing security technology investments – such as cloud access security brokers, data loss prevention solutions, encryption technologies or next-generation firewalls.

Implementing a cross-departmental data security solution can also be a real boon to business. Who knows what useful data might be sitting over in another department? If security solutions are implemented in a siloed fashion, however, an organization will not only increase its risk of noncompliance but will also lose an opportunity to create deeper awareness about what data protection means for each aspect of the business.

2. Create Rich Metadata

Metadata is the glue that connects all data within an organization. Metadata enables organizations to flag sensitive information in files, documents and web pages but also provides a way to compile more detailed and useful data about that data. For example, the metadata for an Excel spreadsheet could include personal data, the type of personal data (name, address, etc.), and the author of the spreadsheet. From a data protection standpoint, this information can be used to better identify, classify and protect corporate data. From a data management or analytics point of view, it can help business leaders develop strategies for new initiatives. Ideally, metadata can bring together an organization’s data protection and data management strategies to protect and advance the business simultaneously.

When considering privacy regulations such as CCPA, security professionals must look holistically across the organization to create metadata that all security technologies and data management systems within the organization can take advantage of. For example, what does the firewall need to be more efficient? Could firewall policies benefit from file metadata that identifies that personal data is contained in the file?

People often associate metadata with just the identity of the data, but it can also be used to govern how long an organization should retain this data. We know a key aspect of data protection is identifying retention for the possible deletion of data and this can all be defined in metadata. After identifying how long the data should be held, organizations can action programs to ensure information is deleted or archived in a way that is in line with data privacy regulations. Do you really need to keep a document listing employee names and dietary restrictions captured ahead of the corporate holiday party or can that be deleted once the party has taken place?
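As an added example (not from the article), the following Python sketch models the metadata idea of the preceding paragraphs: a per-file classification record carrying author, personal-data types and a purpose, a retention rule keyed by that purpose (so the holiday-party list expires once the event has passed), and an egress check that a downstream control such as DLP or a firewall could apply from the same record. The asset names, retention periods and sensitivity categories are constructed assumptions, not a standard.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class DataAsset:
    """A file plus the metadata the article describes: author, which
    personal-data types it holds, and the purpose that bounds its retention."""
    path: str
    author: str
    personal_data_types: List[str] = field(default_factory=list)
    purpose: str = "general"            # selects the retention rule
    created: date = date(2019, 1, 1)
    purpose_end: Optional[date] = None  # event-bound data: when the purpose ended


# Hypothetical retention rules keyed by purpose (illustrative numbers only).
RETENTION_RULES: Dict[str, Dict[str, int]] = {
    "event-logistics": {"after_purpose_end_days": 7},
    "hr-records": {"after_created_days": 7 * 365},
    "general": {"after_created_days": 2 * 365},
}

# Personal-data types this example treats as especially sensitive.
SENSITIVE_TYPES = {"health", "dietary-restrictions", "ssn", "financial"}


def sensitivity_label(asset: DataAsset) -> str:
    """Classification label derived from the personal-data types present."""
    types = set(asset.personal_data_types)
    if types & SENSITIVE_TYPES:
        return "restricted"
    if types:
        return "confidential"
    return "internal"


def retention_expiry(asset: DataAsset) -> Optional[date]:
    """Date after which the asset should be deleted, or None when it cannot be
    computed yet (event-bound data whose event has not happened)."""
    rule = RETENTION_RULES.get(asset.purpose, RETENTION_RULES["general"])
    if "after_purpose_end_days" in rule:
        if asset.purpose_end is None:
            return None
        return asset.purpose_end + timedelta(days=rule["after_purpose_end_days"])
    return asset.created + timedelta(days=rule["after_created_days"])


def handling_decision(asset: DataAsset, today: date) -> str:
    """'delete' once retention has lapsed; otherwise retain (protected if PII)."""
    expiry = retention_expiry(asset)
    if expiry is not None and today > expiry:
        return "delete"
    return "retain-protected" if asset.personal_data_types else "retain"


def build_metadata(asset: DataAsset, today: date) -> Dict[str, object]:
    """The record other controls (DLP, firewall, archiving jobs) can consume."""
    expiry = retention_expiry(asset)
    return {
        "path": asset.path,
        "author": asset.author,
        "contains_personal_data": bool(asset.personal_data_types),
        "personal_data_types": sorted(asset.personal_data_types),
        "sensitivity": sensitivity_label(asset),
        "retention_expiry": expiry.isoformat() if expiry else None,
        "decision": handling_decision(asset, today),
    }


def egress_allowed(metadata: Dict[str, object], external_destination: bool) -> bool:
    """A policy a DLP or firewall could derive from the metadata:
    only data labelled 'internal' may leave the organization."""
    if not external_destination:
        return True
    return metadata["sensitivity"] == "internal"


# Constructed sample assets (not real files or people) and a fixed "today".
TODAY = date(2020, 1, 6)
PARTY_LIST = DataAsset(
    path="shared/hr/holiday-party-dietary.xlsx", author="alice",
    personal_data_types=["name", "dietary-restrictions"],
    purpose="event-logistics", created=date(2019, 11, 1),
    purpose_end=date(2019, 12, 13),  # the party took place on this date
)
CUSTOMER_SHEET = DataAsset(
    path="shared/sales/customers.xlsx", author="bob",
    personal_data_types=["name", "address"], created=date(2019, 6, 1),
)
PRESS_RELEASE = DataAsset(path="shared/marketing/release.docx", author="carol")

if __name__ == "__main__":
    for asset in (PARTY_LIST, CUSTOMER_SHEET, PRESS_RELEASE):
        meta = build_metadata(asset, TODAY)
        print(meta["path"], meta["sensitivity"], meta["decision"],
              "external egress:", egress_allowed(meta, True))
```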

3. Use Machine Learning to Understand Context

Numerous machine learning models in the market today have already been tuned for personally identifiable information (PII). Solutions designed to help with CCPA and GDPR compliance should leverage those models when it comes to data detection. Data categorization tools with machine learning built in make it easier to understand the context around data, which in turn helps determine how to handle different types of data. Rather than simply flagging social security numbers or bank account numbers, tools that employ machine learning can help users identify personal information contained within the narrative of documents and emails, such as health history or employee review details.

What’s more, machine learning enables organizations to automate their PII strategy. Data categorization tools with built-in machine learning capabilities allow organizations to focus on getting their arms around privacy. As confidence in the system grows, data handling policies can be applied automatically.

Because most organizations have ever-increasing, complex environments, leveraging technologies that offer machine learning capabilities is critical for implementing efficient and intelligent data identification solutions that help achieve CCPA and GDPR compliance goals.

4. Know Where Data Goes and Why

Identifying data is one thing, but keeping track of that data and managing it to ensure compliance as it moves throughout the organization is quite another. Most data protection solutions will come with some sort of out-of-the-box dashboard, but a more efficient and customized way of approaching this is to think about the broader organizational analytics strategy.

Security professionals must understand what types of data their organization collects and where it goes once collected. It’s also critical to understand how people interact with personal data. Is personal data leaving the organization? Understanding how data is created, collected and shared will help security executives develop information handling policies that work with business strategies while also protecting sensitive data. They may discover they need to change security policies to be more efficient relative to how people are using data.

Once information handling policies have been refined, security executives can find ways to leverage their company’s data analytics approach to put good monitoring practices in place. As mentioned earlier, the lines between data management (or analytics) and data protection are beginning to blur as data becomes central to business strategies and privacy becomes a top concern for consumers.

5. Evaluate Who Has Access to Personal Data

A central aspect of any data protection strategy is understanding who has access to personal information within the organization […]

Talent Acquisition, Retention Leading Diversity Initiatives in Cybersecurity Jobs

Talent acquisition and retention is the leading operational reason that companies have been ramping up their diversity initiatives, according to 32 percent of respondents in the (ISC)² study.

Nearly one in three (29 percent) added that diversity is important to their organization because the workforce should represent the demographics in society:

  • Nearly three quarters of organizations surveyed (74 percent) instituted a stated diversity value or program in the last 2-5 years. On top of this, a further 16 percent have followed suit in the last 12 months.
  • Overall, 40 percent of survey respondents stated that the HR department is the primary driver of diversity and inclusivity efforts, including measuring employee diversity goals. This compares to just under one quarter (23 percent) who said it was the senior management team and just 10 percent that said it was the C-suite driving diversity initiatives.
  • 60 percent said that up to 20 percent of the current vacancies in their organizations are IT and/or cybersecurity-based. A further quarter (26 percent) said these roles constituted between 21 and 50 percent of their workforce.

Hiring Cyber Roles:

  • 77 percent of respondents said that cybersecurity roles were recruited for in their organizations in the last 12 months. The number of roles filled ranged from 1 to 31 across the responses, although nearly 55 percent of the respondents said that up to 10 cybersecurity personnel were hired by their organization over the last 12 months. 18 percent said that between 11 and 30 roles were hired in the last year.
  • 37 percent say just 6-20 percent of their IT department employees are aged 18-21, while 35 percent say none of their IT department employees are aged 18-21. This indicates a struggle to bring enough new talent into the department that can learn from their experienced peers […]

The 2019 Riskiest States Report — Where Does Your State Rank?

Mississippi, Louisiana, California, Alaska, and Connecticut are the riskiest states in the U.S.A. based on consumer preparedness for cyberattacks, according to a new report from Webroot. The report examines the cyber hygiene habits of 10,000 Americans, 200 in each state, to determine what behaviors and practices they have in place to protect their information or identity from cybercriminals. While the five previously mentioned states scored the lowest on the cyber hygiene test, the average respondent’s grade wasn’t good either: 60% (or a “D”).

Despite the low scores on general cybersecurity knowledge and best practices, consumers reported a high (and false) sense of confidence about their cybersecurity behaviors. The majority (88%) of survey participants believe they are taking the appropriate steps to protect themselves from cybercriminals; however, the high fail rate suggests a major opportunity for improvement.

The 5 Riskiest States:

  1. Mississippi
  2. Louisiana
  3. California
  4. Alaska
  5. Connecticut

The 5 Least Risky (Safest) States:

  1. Kentucky
  2. Idaho
  3. Ohio
  4. North Dakota
  5. New Hampshire

Notable Findings:

Americans in every state are overconfident

  • 88% feel they take the right steps to protect themselves from cyberattacks.
  • Only 10% are A students in cyber hygiene, scoring 90% or higher.
  • The highest scoring state, New Hampshire, only scored a 65%.

Americans have a surface level understanding of common cyber threats

  • 79% of Americans have heard of malware, but only 28% could explain what it is.
  • 70% of Americans have heard of phishing, but only 33% could explain what it is.
  • 49% of Americans have heard of ransomware, but only 21% could explain what it is.

Less than half of Americans adopt cyber hygiene best practices

  • 64% of participants don’t keep their social media accounts private.
  • 63% of participants reuse passwords across multiple accounts.
  • 62% of participants rely on a free antivirus software […]

The role, the challenges and the responsibilities of a CIO with Milos Topic.

Apex sat down with Milos Topic, Vice President & Chief Information Officer of Saint Peter’s University. With 20 years of experience in leadership, innovation strategies, technology implementation and business development, Milos shares his views on the role of a CIO and what it means to be an IT leader today.


Q: What is IT doing to support innovation?

A: IT is meant to drive innovation and enable others to do the same and take part. IT is a critical partner and a “golden thread” if you will across everything modern businesses and organizations do. As such, it is uniquely positioned to provide value to all. Furthermore, innovation comes in many forms, but it always requires action. Thinking, planning, strategizing are all wonderful and valuable, but without action, not much will get accomplished.

Q: What is the single most important thing CIOs should be focusing on today?

A: CIOs as well as all executives should be focused on people and business growth. Modern CIOs are more customer facing and are spending time on strategy, vision and innovations across and beyond the enterprise.

Q: Should IT be a business enabler?

A: IT is business in a sense, or it is at the very least an essential part of every modern and competitive organization. As such, it should provide options to challenge old (and at times outdated) business models before others (from the outside) do it for them.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I have invested years (and continue to do so) in building and nurturing relationships across various industries, sectors and markets. These relationships paired with various events (such as those hosted by Apex) are of critical significance in staying current and learning from those who may be further along.

Q: What is the biggest challenge for a CIO today?

A: It varies across industries and different maturity models of organizations, but I do believe that attracting and retaining top talent is one of the largest priorities; it certainly is for me. In today’s world and in major markets such as the greater New York City area, people have options, which is great for them, yet challenging to many organizations.

Q: What is the difference between a CIO and a CTO?

A: Titles vary, but in general, a CIO should be focused on customers, innovation, strategy, growth and providing value to other major areas (Finance, Marketing, Operations, Security, Legal…) while a CTO is leading the existing services and ensures smooth operations of teams.

Q: How has the role of the CIO changed over your career?

A: Visibility has increased, and so have the responsibilities. CIOs have now earned seats on top management teams among their executive leadership peers. They are also more involved in the overall business vision, strategy and direction than ever before. All of these changes have taken place across organizations that are current and future proofed, while others are still behind and are struggling across some of these areas.

Q: What advice would you give an early stage CIO joining an organization?

A: Get as close to the business as you possibly can and learn everything about it. Build relationships, provide value to others and always give more than you take, in every exchange. Spend time and resources on developing leadership, strategy and negotiation skills as they matter in all that we do, professionally and personally.

Q: How important is the relationship between a CIO and a CISO?

A: While the reporting structure is debated by some, the relationship is very important. CIO relationships with everyone they work with are of importance, from CISO, to CFO, CMO, COO…all the way to the CEO. The entire C-suite needs to be unified and transparent with each other in order for all of them to move forward and make progress.

Q: What is the largest obstacle a CIO faces when it comes to security?

A: People. Training and organizational requirements to how data is stored, used and shared. Furthermore, many organizations are not funding information security adequately and proactively.

Q: What falls under the CIO’s responsibilities when it comes to security?

A: I’m of the belief that there should be one top technology leader and that is a CIO. Everyone else should report to them with varying degrees of authority. When it comes to finance, marketing, legal…they are all ultimately under one leader while IT seems to be fragmented in some organizations. The only potential exception is an area responsible for the overall risk, liability and governance for the entire business…they could be outside IT with strong collaborative partnership with the CIO and their leadership team.

Q: How do you see the security landscape changing over the next 12 – 18 months and how are you preparing?

A: Robots are taking over. From machine learning to artificial intelligence, people can’t keep up with the volume and complexity of threats so continuous investments in tools and technologies is expected. We are experimenting with robotic process automation (RPA), machine learning and will continue to stay current with what is available.

Q: How worried are you about the “human element” when it comes to security?

A: It is the weakest link in this chain. People make mistakes in opening emails, sharing data, configuring technology (both software and hardware)…the list goes on. Cyber security awareness training should be mandatory across all organizations and should be part of one’s employment record at some point in time.


Milos Topic

Vice President & Chief Information Officer

SAINT PETER’S UNIVERSITY

I believe that everything begins and ends with leadership. Leaders have the greatest responsibility for the impact and influence over the people they lead and the outcomes of their organizations as a whole. Furthermore, I am passionate about IT being a trusted strategic partner and an advisor (a service broker) to the entire organization as technology must drive innovation across organizations and provide both strategic and operational business solutions.

I have 20 years of experience in leadership, innovation strategies, technology implementation & business development while my formal education is a blend of science, technology and business. My journey in the Information Technology (IT) profession started in 1997 and over the past 20+ years I have worked on nearly all aspects of IT. I got underway with networking/cabling installs; tech support to programming in C++, C#, Java; web development; system/network security/administration to my most recent positions of leading teams of amazing people providing technology solutions and services while supporting a multitude of organizational needs. Finally, it is essential to always focus on people first, as they matter the most in everything we do.

Philadelphia University’s Cybersecurity Program Receives “Top Curriculum” in the US

OnlineMasters.com, an industry-leading educational research organization, has named La Salle University’s Master of Science in Cybersecurity a top 25 internet security program for 2019, and also awarded the program “best curriculum.”

OnlineMasters.com analyzed every online master’s program in internet security in the nation with a team of 43 industry experts, hiring managers, current students and alumni.

According to OnlineMasters.com, the study leveraged “an exclusive data set comprised of interviews and surveys from current students and alumni in addition to insights gained from human resources professionals.” Their methodology weighted academic quality (academic metrics, online programming, and faculty training and credentials) at 40 percent, student success (graduate reputation, student engagement, and student services and technology) at 40 percent, and affordability (average net cost, percent of students with loans, and default rate) at 20 percent. The study incorporated current data from the Integrated Postsecondary Education Data System (IPEDS) and statistical data from the National Center for Education Statistics. Only programs from accredited nonprofit institutions were eligible.

“We are honored to be recognized as a top 25 internet security master’s program, with a special nod to our curriculum,” says Peggy McCoey, assistant professor and graduate director for La Salle’s M.S. in Cybersecurity. “We have developed a flexible, rigorous, and highly relevant program to ensure today’s students develop competencies in cybersecurity management as well as breach detection, mitigation and prevention. The Program balances both theoretical and practical aspects and draws key learnings from industry practitioners to ensure attention to ethical principles and changes related to cybersecurity.”

La Salle’s M.S. in Cybersecurity is a 100 percent online asynchronous program with three start dates and eight-week courses so students can complete two courses per semester. OnlineMasters.com noted its “engaging courses in cyberwarfare, cybercrime and digital forensics” in support of its “best curriculum” designation […]


Is Your Data Breach Response Plan Ready?

Fifty-six percent of organizations experienced a data breach involving more than 1,000 records over the past two years, and of those, 37 percent occurred two to three times and 39 percent were global in scope, according to Experian. In 2017 in particular, there were more than 5,000 reported data breaches worldwide, and there were more than 1,500 in the U.S. alone.

In an effort to help businesses prepare for data breach response and recovery, Experian launched its new Data Breach Response Guide last month to provide in-depth strategy and tactics on how to prepare and manage incidents.

Security asked Michael Bruemmer, Vice President of Data Breach Resolution & Consumer Protection at Experian, how cybersecurity has changed recently and how enterprises can revamp their security strategies to be resilient and ready.

Security: How have typical responses to data breaches changed over the past five years?

Bruemmer: Fortunately, responses to data breaches are immensely better. There has been great progress in preparation, as 88 percent of companies say they have a response plan in place compared to just 61 percent five years ago, according to our 2018 annual preparedness study with the Ponemon Institute.

One of the biggest changes in data breach responses over the last few years is that organizations now have a breach-ready mindset and know it’s not about whether a breach will happen but rather when it will occur. Thus, many organizations now have a data breach response team in place, which is key to implementing a quick and adept response.

Businesses have also started to include public relations personnel on their data breach response teams, which has helped companies maintain more positive relationships with their stakeholders post-breach. There is still room for improvement: while companies have a plan in place, a large majority don’t practice their plans in a real-life drill setting, and the C-suite and boards are still not engaged enough in the process.

Security: What still needs to occur to improve enterprises’ data breach response protocols and practices?

Bruemmer: A few areas for improvement include actually practicing the data breach response plan and therefore, feeling confident the company can handle an incident successfully. In our 2018 annual preparedness study, only 49% of companies said their ability to respond to data breaches is/would be effective. One of the reasons may be that most boards of directors and C-suite executives are not actively involved in the data breach prep process, nor are they informed about how they should respond to an incident.

Another dynamic that requires attention, and is relatively new, is the passing of the General Data Protection Regulation (GDPR) overseas. Companies that operate internationally must understand the legislation and make sure they are equipped to handle a data breach that involves individuals globally. They should hire legal counsel who have knowledge and experience in this area and enlist partners that have multilingual capabilities and a presence in key countries. That way, operations such as notifying affected parties and setting up call centers can be executed quickly. Organizations are still catching up here.

Security: When auditing their data breach response plan, what in particular should security leaders be looking for?

Bruemmer: Businesses should conduct an audit of every component of a response plan. Security leaders should also assess whether external partners are meeting the company’s data protection standards and are up-to-date on new legislation. For example, healthcare entities should guarantee that business associate agreements (BAAs) are in place to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements. Additionally, vendors should maintain a written security program that covers their company’s data. Realistically, an organization could have up to 10 different external vendors involved in a data breach response, so keeping this circle secure is important.

Security: What are the top three issues business security leaders should plan for next year?

Bruemmer: Businesses should keep an eye on artificial intelligence (AI), machine learning (ML) and cryptomining malware next year. In a continuously evolving digital landscape, advanced authentication, or added layers of security, have become increasingly important for businesses to adopt when it comes to safeguarding against potential data breaches. However, while AI and ML are helpful in predicting and identifying potential threats, hackers can also leverage these as tools to create more sophisticated attacks than traditional phishing scams or malware attacks. Criminals can use AI and ML, for example, to make fake emails look more authentic and deploy them faster than ever before. Cryptomining has also become more popular with the recent rise of Bitcoin and more than 1,500 different cryptocurrencies in existence today. Cybercriminals are taking every opportunity, from CPU cycles of computers, to web browsers, mobile devices and smart devices, to exploit vulnerabilities to mine for cryptocurrencies.

Security: Are there any key tools or strategies security leaders can use to better engage with the C-Suite?

Bruemmer: Unfortunately, the lack of engagement by the C-suite and boards seems to be an ongoing issue. In today’s climate, companies should employ a security leader in the C-suite such as a Chief Information Security Officer to ensure protection is a priority and administered throughout the organization.

There should be ongoing and frequent communication about security threats by this officer to leaders and the board. In this instance, it’s better to over-communicate rather than hold back vital information that could help mitigate potential reputation damage and revenue loss […]

Nearly Half of Americans Willing to Give Brands a Pass for a Data Breach

New data shows that the U.S. public is surprisingly forgiving despite data breaches and controversies as long as companies demonstrate good faith.

The Consumer Attitudes Toward Data Privacy and Security Survey by Janrain also found that 42 percent of U.S. consumers surveyed report at least being open to forgiving the brand, while 7% refuse to forgive brands for allowing bad actors access to their personal data. Fourteen percent have lost all faith in an organization’s ability to protect their data.

Nevertheless, consumers are increasingly taking control of their data into their own hands, the survey found. For example, 71% report downloading software that protects their data privacy or otherwise helps control their web experience. But Janrain’s survey brings good news to brands that are evaluating their consent-based marketing processes and capabilities in response to regulatory requirements or to strengthen customer relations.

If given the option, most people (55%) would let companies they trust use some of their personal data for specific purposes that benefit them in clear ways, the survey found. Only 36% wouldn’t let any company use their personal data. Sixty-six percent like the idea of being able to alert companies when they’re interested in something as long as they could “switch it off” when they’re no longer interested. Only 16% aren’t interested in this even if it came with preferences control.

When Janrain probed to gain more understanding about how effective digital brands have been in using consumer data to personalize their online ads, only 18% said ads “often” seemed to understand their needs, presenting brands with an important area for improvement. The largest bulk of respondents (47%) reported that these ads do seem to understand their needs at least “sometimes” while 26% said ads “hardly ever” understand them. Nine percent said online ads “never” do.

When asked whether they’d walk away from a business that requires personal information up front (like a phone number or email address) in order to conduct business, 15% of those surveyed said “yes” while 24% said “probably.” Fifty-four percent said it depends on whether the business is trusted or the only option.

Sixty-six percent of those surveyed renewed their call for GDPR-like rules in the United States that force brands to provide consumers with greater privacy, security and control of their personal data. Janrain asked a similar question in May of 2018, to which 69% responded favorably to more regulation in the States. This time, Janrain’s findings show consumers not only want more regulation, they believe it will actually help in the wake of high-profile breaches and controversies affecting well-known organizations such as Yahoo!, Equifax and Facebook. Only 9% believe such laws would be ineffective, while only 6% believe more regulation would be too hard on businesses and the economy […]

8 Events That Changed Cybersecurity Forever

Cyber attacks happen daily and have evolved to become a pandemic. From the first computer virus to billion-dollar data breaches at large-scale companies, we can learn a lot from cybersecurity history. And while threats continue to develop, so does the defense against them. Hackers are getting smarter, and it is our job to educate ourselves on past incidents so we can better prepare for the future. Take a look at these top 8 events that changed cybersecurity and made it what it is today.

“Those who cannot remember the past are condemned to repeat it.” – George Santayana

The first computer virus was created in the early 1970s and was detected on ARPANET, the predecessor to the internet. In 1988 the first computer worm was distributed, gaining mass mainstream media attention. A quarter of a century later and viruses have evolved to become a pandemic. Viruses have proliferated quickly and malware has become more complex.

Cyber attacks happen daily and are constantly evolving. From computer worms to large data breaches, attacks come in all shapes and sizes. In the past quarter century alone, cyber attacks have evolved from tiny hacks created by high-school students to state-sponsored attacks compromising presidential elections.

While threats continue to develop, so does the defense against them. It’s important to remember these past events in order to combat impending attacks. Milestone incidents are what made cybersecurity what it is today – take a look at the top 8 events that changed cybersecurity, and why they (still) matter.

Though new cyber attacks appear each day, these top 8 watershed moments had a major impact on security and have led to where we are today. Here are just a few lessons we can learn from cybersecurity history.

  1. Never assume it won’t happen to you: Anyone and everyone is susceptible when it comes to data – whether it’s stored in the cloud or on premises.
  2. Hackers come from all over: Attacks no longer come exclusively from hackers in their parents’ basements. They have evolved geographically, advanced in sophistication, and the number of attacks from overseas has increased drastically.
  3. Insiders are just as dangerous: Vulnerabilities now come from the inside as well. All it takes is one click on a phishing email. Educate your employees on basic cybersecurity terms so that they are able to protect themselves and the company.
  4. Hackers are not going away: With change in technology comes change in crime — and cybercriminals are working harder than ever. It’s important to always be alert and keep up with important trends in order to keep you and your organization as safe as possible.

Unfortunately, the number of cyber attacks is only going to continue to increase, and the impact of those attacks is becoming more significant than ever. It’s important to arm ourselves with what we can: learn from the past and protect your data first, not last.

Uncover your biggest security risks with a data risk assessment – and see how Varonis helps protect your data from the next generation of cyber attacks.

Infographic Sources: Infosecurity, CSO, Verizon Data Breach Report, Wikipedia, The Guardian

Rob Sobers is a Sr. Director at cybersecurity firm Varonis. He has been writing and designing software for over 20 years and is co-author of the book Learn Ruby the Hard Way, which has been used by millions of students to learn the Ruby programming language. Prior to joining Varonis in 2011, Rob held a variety of roles in engineering, design, and professional services.