The ever changing role of a CSO with David Levine

With a wide and diverse variety of positions during his 23-year tenure with Ricoh, Vice President of Corporate and Information Security and CSO David Levine shares his perspective on the role of the CISO, how he stays abreast of industry trends and, in the current COVID-19 era, what it means to lead a remote team.


Q: How has the role of the CISO changed over your career?

A: The CISO role has continued to grow in organizational and strategic importance within many businesses, including Ricoh. What was once a blended function in IT is now its own critical function with its leader (CISO/CSO) having a seat at the table and reporting, if applicable, to the board on a regular basis. That’s a significant transformation!

Q: What is the biggest challenge for a CISO today?

A: This ties into my answer above: the security budget and staffing have not necessarily kept pace with increasing demands and importance. As more and more of the organization, as well as customers and partners, realize they need to engage and include security, the team gets spread thinner. This can put a real strain on the organization and its effectiveness. Prioritization and risk assessment become critical to help determine what needs to be focused on. You also cannot ignore the fundamental challenge of just keeping pace with operational fundamentals like vulnerability remediation, patching, alert response and trying to stay ahead of highly skilled adversaries.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I use a variety of approaches to track what’s going on relative to trends and my peers. Daily security email feeds are a great source to get a quick recap of the last 24 hours, and leveraging one or more of the big research firms and being active in their councils is a great mix of access to analysts and peers. I am also active in the CISO community and participate in events run by great organizations like Apex.

Q: What advice would you give an early stage CIO or CISO joining an enterprise organization?

A: Although I have been with Ricoh for many years, if I was moving to a new organization, I would take the time to ensure I understand:


  • the company’s objectives and priorities; 
  • what’s in place today and why;
  • what security’s role in the organization has been;
  • what’s working and what isn’t.


I’d also commit to completing initial benchmarking and make sure I spent time, upfront, to start to build solid relationships with key stakeholders.

Q: Have you been putting cloud migration first in your organization’s transformation strategies?

A: We adopted a cloud first mentality a few years ago. The cloud isn’t perfect for everything but in many cases it’s a great solution with a lot of tangible advantages.

Q: What are your Cloud Security Challenges?

A: For us, one of the biggest challenges is keeping pace with the business from a security and governance standpoint. We are currently working on putting in comprehensive policies and requirements, along with tools like a checklist, which will make it clear what’s needed and also enable the various teams to do some of the upfront work without needing to engage my team. That’s a win-win for everyone and reduces the likelihood of a bottleneck.

Q: What are your top data priorities: business growth, data security/privacy, legal/regulatory concerns, expense reduction?

A: YES! In all seriousness, those are all relevant priorities my team and I need to focus on. This further adds to the prior points around more work than hours and resources. 

Q: Did you have specific projects or initiatives that have been shelved due to COVID-19 and current realities?

A: Like most of my peers that I have talked to, we have put on hold most “net new” spending for now. The expectation is we will get back to those efforts a bit down the road. We are also taking a look to see what opportunities we have to streamline expenses.

Q: Has security been more of a challenge to manage while your teams have shifted to a Work From Home structure?

A: I am proud of my teams and the ecosystem we put in place. All in all, it’s been a pretty smooth transition. My team is geographically dispersed and a few key resources were already remote. However, that is not to say there aren’t any challenges – not being able to put hands on devices has made some investigations and project work more difficult but we’ve found safe ways to complete the tasks. Ensuring the teams stay connected and communicate is also important. 

Q: What were/are the most significant areas of change due to COVID-19?

A: We certainly had to make some exceptions to allow access and connectivity that we would not have done under normal circumstances, but it was the right thing to do for our business and our customers. We also had to shift some users to work from home who typically would not and as such, didn’t have the right resources. Both of these highlighted areas to focus on in the next revisions of our Business Continuity Plans which contemplated the need to shift work and locations but not necessarily everyone working from home. There is also a need to reemphasize security, policies, training when working from home.

Data Privacy and Data Security: Outsourcing to Third Parties and the Effect on Consumers, Companies, and the Cybersecurity Industry as a Whole

With the recent increase of global data privacy regulations and their ramifications on multinational organizations, it is crucial to examine the differences between data privacy and data security, why these nuances matter, and the impact they have on cybersecurity trends for not only organizations, but consumers.

Twenty years ago, data protection and information security were largely viewed as complementary activities. In today’s environment, data protection is rarely articulated without its privacy counterpart, and information security has transformed into “cybersecurity” to acknowledge that data is exposed to multiple kinds of threat.

Typically, cybersecurity is described as an intersection of three principles: confidentiality, integrity, and availability (CIA). If one of these core components is to fail or otherwise be wrongly configured, the resulting vulnerability could be a breach of information, commonly by means of unauthorized access, leakage, or wrongful deletion due to poor policy, risk management, or immature security practice.

Data privacy is often defined as the protection of sensitive data, typically referencing personally identifiable information (PII), such as a social security number, race, ethnicity, and age. Depending on the sector, regulation, or jurisdiction, the definition of which data is considered “sensitive” will vary and can expand beyond personal types of information to assets like trade secrets, intellectual property, or financial and operational data. The problem with this definition of data privacy is that the protection of this information is viewed more as a security attribute, lending weight to the longstanding proverb that you cannot have privacy without security.

If you reflect on the information trends since the turn of the last millennium, we experienced a shift to the cloud in the early 2000s, where organizations moved servers and other hardware assets to centralized vendors that maintain data center environments at scale. With this migration, the world’s first Software-as-a-Service (SaaS) companies came online at the height of the dot-com bubble.

The “as a service” business model placed a new dependence on service organizations when their customers outsourced critical elements of their supply chain for operational efficiencies or for the ability to scale quickly without having to gain expertise in an industry not core to their product. This reliance on third parties created increased security risks since more companies would now have access to the same information that was previously received, managed, and maintained all under the same roof.

The effect on consumers

Beginning in the 2010s, data breaches that affected consumers due to stolen credit card data, like those disclosed by Adobe, Target, and Home Depot all occurring within the same year, made data security a hot topic for consumers for the first time, causing boards and regulators to inquire about the controls in place to mitigate these threats. However, it was not until recently that consumers shifted that mindset to include data privacy, after public breaches exposed health and personal information at Anthem, Uber, Adult Friend Finder, and Marriott. These data breaches made headlines, and consumers began to ask, ‘what data are you storing for me, how do you plan to use this data, and how long will it be retained?’.

Lawmakers and regulators took notice of this shift toward consumer protectionism and began to mandate public changes in normal business operations in the absence of federal privacy laws.

The effect on companies

With so many checkpoints to consider when engaging a new vendor, and the stakes for proper due diligence higher than ever, organizations began to turn to assessment firms for assurance around these security controls. Assistance is needed because companies are unable to audit every service provider that might interact with user or customer data. In the United States, an organization may request a System and Organization Controls (SOC) 2 report, an examination by a competent Certified Public Accountant (CPA) of their security controls based on set criteria. Or they may seek ISO 27001 certification, an accredited, point-in-time report on the conformity of their activities to requisite management processes and control objectives, establishing a baseline for what is considered a minimum state of security maturity.

Due to the shift in consumer focus on privacy considerations, globally recognized assurance programs have only recently been developed. In August 2019, the International Organization for Standardization (ISO) released the ISO 27701 standard – requirements and guidance for establishing a Privacy Information Management System (PIMS) for organizations that are controllers and/or processors of sensitive information like PII. While data privacy legislation had been around for several years through mechanisms like the EU-U.S. Privacy Shield and, more recently, the General Data Protection Regulation (GDPR), ISO 27701 is the first assurance program that organizations could certify demonstrating their commitment to privacy based on the legal context affecting their data subjects.

In the months following the release of ISO 27701, organizations such as Alibaba, Huawei, Microsoft, Accenture, Blackhawk Network, and OneTrust have certified to the new standard; however, these certified organizations plus a multitude of others looking to match the achievement have quickly realized that privacy hygiene requires different resources and in-house skill sets than were needed with their security program.

The challenges of incorporating data privacy

One of the top challenges security teams face when building a privacy program on top of their existing security management system is how to expand the enterprise risk assessment to include risks that threaten the protection of PII. They inherently gravitate towards thinking about this new taxonomy of risk in terms of the foundational CIA principles, but neglect to consider the rights of the data subject. As a result, they have been forced to merge security personnel with privacy personnel to complete this task, which now exposes a new problem – many organizations do not have privacy personnel.

Looking at some Fortune 500 organizations, job titles such as Chief Security Officer or Chief Information Security Officer (CISO) are far more commonplace than Chief Privacy Officer. Often, the privacy function of an organization is absorbed by General Counsel or outsourced to law firms kept on retainer. Early ISO 27701 certification plans at the largest processors of personal information in the world have been halted after discovering their security departments have little to no connection to their in-house privacy teams, if they exist at all. This results in a remediation only possible through a major shift in the organizational chart or hiring of competent personnel…


Cyber Work Podcast: Growing the number of women in cybersecurity with Olivia Rose

Introduction

Cybersecurity is a field on the cutting edge, yet when it comes to gender parity, there’s still much progress to be made. For women, breaking into a male-dominated field like cybersecurity comes with a unique set of challenges.

Data from the (ISC)² Cybersecurity Workforce Report reveals that the landscape of women in cybersecurity is complex and — at least in some ways — evolving:

  • Women make up 24% of the cybersecurity workforce — a major increase from 11% in 2017
  • Women earn more degrees and cybersecurity certifications on average
  • More women than men hold leadership roles like IT Director, CISO and CIO

Seeing these numbers on the rise is exciting and encouraging. However, not all of the statistics are positive:

  • Of women in cybersecurity, 56% will leave to pursue jobs in another field
  • 17% of women earn salaries between $50,000 and $99,999, compared to 29% of men
  • Women in security management roles earn an average of $5,000 less than men in the same roles

In Infosec’s podcast “Growing the Number of Women in Cybersecurity,” Olivia Rose, the director of global executive risk solutions at Kudelski Security, shares her experiences as a woman in the field and offers some valuable advice to women considering a career in the cybersecurity world.

What can companies do to encourage women and minorities to take cybersecurity jobs? And just as important, how can companies encourage them to stay?

Network to overcome isolation

For many women working in cybersecurity, it’s unfortunately easy to feel like a stranger in a strange land. It’s not uncommon to be the only woman on a team or in an entire department, and the feeling of being the “odd woman out” can be enough to drive women to look for jobs in fields with better minority representation.

This leads us to the million-dollar question: what can cybersecurity companies do to make women feel less isolated at work? In this case, the most obvious answer (hire more women) is only one part of the equation, since retention rates for women in cybersecurity are also quite low.

According to Rose, access to networking opportunities is vital. Encouraging women to participate in conferences and professional groups can help them meet other women in the field and foster the sense of community they’ve been missing at work. For women trying to get their foot in the door, Rose suggests volunteering at conferences because it waives the fee! RSA, SecureWorld and ISACA are just a few of the many conferences available to women in information security.

Close the confidence gap

Self-doubt and insecurity can loom over women’s cybersecurity careers like storm clouds on an otherwise sunny day. Many women experience Imposter Syndrome, which is the perception that they’re not as skilled or as smart as their colleagues or that they’re not good enough for the job.

Although men can also experience extreme self-doubt at work, women and minorities are much more susceptible to it. Why? It largely stems from feeling like an outsider. This feeling of being on the outside looking in has ramifications on women’s careers in cybersecurity.

Many women feel the need to prove their skills with certifications and degrees. On average, women in cybersecurity hold more certifications than their male colleagues. They’re also more likely to earn a postgraduate degree, according to the (ISC)² Cybersecurity Workforce Report. Rose has experienced this herself, saying, “You have to know your stuff. You may have to know your stuff more than the five other guys in the room.”

How can we help women feel more confident in cybersecurity jobs? Networking and mentorship are two powerful strategies. Since self-doubt is something that can’t be fought in isolation, connecting women with peers who understand what they’re going through can be immensely beneficial.

Recruit from non-traditional backgrounds

Despite the long-running debate on the value of a college degree in cybersecurity, many recruiters still prefer to hire people with degrees in STEM. That alone disqualifies a huge number of professionals, many of them women, who would make a big contribution to the field.

To hire more women in information security roles, recruiters will have to break the mold and look beyond traditional education requirements. Why? Because women don’t graduate from STEM programs at the same rate as men. In the 2015-2016 school year, women earned only 18.7% of bachelor’s degrees in computer and information sciences…


7 Ways to Improve Software Maintenance

Here are some approaches and steps organizations can take to perform software maintenance while creating as much time as possible for new software development.

In 2019, Tidelift, an open source support and maintenance organization, conducted a survey of software developers that revealed that developers spent less than one third of their time (32%) developing new code. In the same survey, developers said that 35% of their time was spent on software maintenance.

My own experience in consulting with companies is that the amount of time spent on software maintenance is closer to 50%.

In either case, the time spent on maintaining software prevents organizations from pursuing new projects and getting things done.

At the same time, maintaining the software that you have created or inherited is a fact of life.

Software maintenance is defined as “a part of Software Development Life Cycle. Its main purpose is to modify and update software application(s) after delivery to correct faults and to improve performance. Software is a model of the real world. When the real-world changes, the software requires alteration wherever possible.”

Given this, what steps can organizations take to perform software maintenance while creating as much time as possible for new software development?

1. Listen to your help desk

No function in IT has a better finger on the pulse of application performance than the help desk. The help desk gets all of the questions and problems from users. The people who work the help desk know from the calls they get which applications are most problematic, and why. If more IT organizations patched help desk insights into their application development brainstorming and performance evaluations, they would be more successful identifying areas of persistent application problems and failures so these areas could either be addressed fully by repairing them or retired and replaced with another solution. Just as importantly, the knowledge gained from application trouble “hot spots” at the help desk can be learned from so the same mistakes aren’t repeated in new software development.

2. Engage QA

In too many organizations, developers up against tight deadlines tend to throw their work “over the wall” to QA at the last minute. Then, only partial application testing gets done before the app gets deployed into production. When the app goes live, there can be weeks of problem reports and troubleshooting, with fixes and workarounds resulting. Conversely, by thoroughly testing applications upfront for technical correctness, integration and usability, post-production software maintenance can be drastically reduced. To facilitate this, project managers need to plug in and ensure adequate times for software QA.

3. Consider a move to the cloud

Organizations using broken on-premises legacy software can consider making a break from endless maintenance by moving to a cloud-based version of the software that is offered and supported by the vendor. In a scenario like this, software maintenance is moved out of the shop and into the hands of the vendor. One disadvantage is that you never can be sure when the fixes or enhancements you want are going to get done — but the move could well be worth it if you can live with the inconvenience.

4. Sunset the applications that aren’t returning value

Almost every organization has a legacy system that no longer delivers the value it once did. This is a time to consider sunsetting that system and potentially planning a “rip and replace” with a new system. Rip and replace works when there are few needs to integrate the system with other software that is running. In cases where rip and replace is viable, you can shift much of your system maintenance for the new system to the supporting vendor.

5. Always regression test

The impulse when you’re under the gun to finish a project is to meet the deadline and skip some of the quality tests. One critical test is the regression test, which places any application that is newly modified in a simulated production environment with other applications to test and ensure that integration with these other applications and called routines is working properly. When regression testing is skipped, the risk heightens that a newly modified app will break or cause other pieces of systems to break because of a coding error that was introduced. This brings down systems and causes service outages…
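The kind of breakage the passage describes, a small change to a shared called routine silently altering what a dependent application produces, is easiest to see with a concrete regression suite. The following Python is an added example written for this page, not code from the article or from Tidelift; the rounding routine, the invoice application that calls it, and the recorded "golden" cases are all constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP, ROUND_HALF_EVEN

# A "called routine" shared by several applications: rounds a price to cents.
# This is the version that was in production when the golden cases were recorded.
def round_cents_v1(amount: str) -> str:
    return str(Decimal(amount).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP))

# A later edit that looks harmless in isolation: switch to banker's rounding.
# Unit tests on the routine alone would pass; only the callers show the change.
def round_cents_v2(amount: str) -> str:
    return str(Decimal(amount).quantize(Decimal("0.01"), rounding=ROUND_HALF_EVEN))

# A dependent application that integrates with the routine.
def invoice_total(line_prices, round_cents) -> str:
    total = Decimal("0")
    for price in line_prices:
        total += Decimal(round_cents(price))
    return str(total)

# Golden cases: inputs and the outputs the production system produced before the
# change (constructed for this example). A real suite would load these from a
# recorded fixture rather than hard-code them.
GOLDEN_CASES = [
    (["1.005", "2.675"], "3.69"),   # 1.01 + 2.68 under half-up rounding
    (["10.00", "0.125"], "10.13"),  # 10.00 + 0.13
    (["0.345"], "0.35"),
]

def run_regression(round_cents, cases=GOLDEN_CASES):
    """Run the dependent application against every golden case.

    Returns a list of (inputs, expected, actual) tuples, one per regressed
    case; an empty list means the modified routine still integrates cleanly.
    """
    failures = []
    for prices, expected in cases:
        actual = invoice_total(prices, round_cents)
        if actual != expected:
            failures.append((prices, expected, actual))
    return failures

if __name__ == "__main__":
    for name, routine in (("v1", round_cents_v1), ("v2", round_cents_v2)):
        failures = run_regression(routine)
        status = "PASS" if not failures else f"FAIL ({len(failures)} regressions)"
        print(f"{name}: {status}")
        for prices, expected, actual in failures:
            print(f"  inputs={prices} expected={expected} actual={actual}")
```

The point of gating a release on `run_regression` rather than on the routine's own unit tests is that the rounding change is "correct" by itself; it is the integration with the invoice application, and with whatever downstream systems consume those totals, that regresses.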


Here Come 5G IoT Devices: What Is “Reasonable Security”?

After years of waiting for 5G technology to transform industry and consumer devices, developments at this year’s Consumer Electronics Show suggest that 2020 may finally be the year when US companies make the leap.  Early signs show the healthcare and manufacturing sectors will lead the way this year in incorporating 5G and connected devices into their operations.

If the prognosticators are correct, our smart watches will soon talk to our refrigerators and order healthy groceries online.  And our doctors may receive real-time health updates from our workout equipment, pharmacies, and implanted medical devices.

The combination of 5G and the projected explosion in the number of IoT devices has industry excited, and the government focused on data security.  5G will allow massive evolution of products and services, leading to autonomous vehicles, remote surgery, and greater connectivity, automation, and precision in industrial manufacturing.  This coming integration and reliance on connected devices—the Internet of Things (IoT)—raises myriad new privacy and security concerns, and lawmakers and regulators are ready to take action.

The New Year brought new state laws in California and Oregon focusing specifically on security requirements for connected devices.  The laws are the first in the nation, and portend a coming wave of laws, lawsuits, and regulatory actions focused specifically on data security.  Lawmakers are wrestling with how to keep consumers safe in the face of rapid technological advancement, and are falling back on the concept of “reasonable security” to bridge the gap.  But reasonable security may not be an easy standard for engineers to implement.

The California and Oregon laws require manufacturers of connected devices to integrate reasonable security measures that (1) are appropriate to the nature and function of the device; (2) appropriate to the information the device may collect, contain, or transmit; and (3) designed to protect the device and its information from unauthorized access, destruction, use, modification, or disclosure.

This may seem like a simple threshold, but these laws’ definition of “connected devices” is expansive, potentially expanding the scope to include security cameras, household assistants, vehicles, and in the case of California, industrial manufacturing equipment.  Each different category of device is going to have a different level of sophistication, different uses, different interaction with data, and different manufacturing requirements.  What may be reasonable for a wifi-enabled juicer is not going to be reasonable for a connected vehicle.

The increasing inability of laws and policies to keep pace with advancements in technology means that efforts to address these issues are going to be crafted in an overly broad and flexible manner.  The California and Oregon laws, as well as similar efforts at the federal level, reflect a struggle to empower the government to address problems, the exact contours of which are not completely known or understood.  Rather than be behind the curve of a particular problem, these laws impose broad requirements that will evolve over time.

At the same time, laws run the risk of codifying standards that may be inapt or quickly become obsolete.  The California and Oregon laws provide that “reasonable security” can be satisfied by equipping a device with a unique preprogrammed password or a requirement that the user generate a new means of authentication before gaining access to the device for the first time.  This may be reasonable for some devices, but the law also covers devices where a compromise in security could result in significant physical harm, and where more stringent security requirements would be appropriate.
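To make the two statutory paths concrete, a unique preprogrammed credential per device or a forced change of credential before first use, here is a small Python model of a device's first-boot credential policy that implements both. This is an added example written for this page, not code from the article, from either statute, or from any device vendor; the device identifier, the factory secret, the PBKDF2 iteration count and the class and method names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Path 1: a credential unique to each unit. In production this would be generated
# on the manufacturing line and printed on the unit's label, never reused across
# the production run. Constructed sample values:
FACTORY_DEVICE_ID = "cam-000123"        # hypothetical device identifier
FACTORY_SECRET = "k7Q2-9xLm-Pz4W"       # hypothetical per-unit factory secret

MIN_PASSWORD_LEN = 12
PBKDF2_ITERATIONS = 200_000             # assumed value, not from any standard


def generate_factory_secret(nbytes: int = 12) -> str:
    """Generate a fresh per-unit secret (what a manufacturing line would do)."""
    return secrets.token_urlsafe(nbytes)


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


class DeviceCredentialStore:
    """Path 2: the factory credential only unlocks setup; a user credential must
    replace it before the device grants normal access."""

    def __init__(self, factory_secret: str) -> None:
        self._salt = os.urandom(16)
        self._factory_hash = _hash(factory_secret, self._salt)
        self._user_salt = None
        self._user_hash = None

    @property
    def provisioned(self) -> bool:
        return self._user_hash is not None

    def _matches_factory(self, candidate: str) -> bool:
        return hmac.compare_digest(_hash(candidate, self._salt), self._factory_hash)

    def authenticate(self, password: str) -> str:
        """Return 'SETUP_REQUIRED', 'OK' or 'DENIED'."""
        if not self.provisioned:
            # Before setup, the factory credential reaches only the setup step.
            return "SETUP_REQUIRED" if self._matches_factory(password) else "DENIED"
        # After setup, the factory credential is no longer accepted at all.
        ok = hmac.compare_digest(_hash(password, self._user_salt), self._user_hash)
        return "OK" if ok else "DENIED"

    def set_user_password(self, factory_secret: str, new_password: str) -> bool:
        """One-time setup: requires the factory credential, refuses weak or
        unchanged passwords, and cannot be repeated once provisioned."""
        if self.provisioned or not self._matches_factory(factory_secret):
            return False
        if len(new_password) < MIN_PASSWORD_LEN or self._matches_factory(new_password):
            return False
        self._user_salt = os.urandom(16)
        self._user_hash = _hash(new_password, self._user_salt)
        return True


if __name__ == "__main__":
    store = DeviceCredentialStore(FACTORY_SECRET)
    print("first login with label secret:", store.authenticate(FACTORY_SECRET))
    print("setup with new password:", store.set_user_password(FACTORY_SECRET, "correct-horse-battery"))
    print("label secret after setup:", store.authenticate(FACTORY_SECRET))
    print("user password after setup:", store.authenticate("correct-horse-battery"))
```

Both paths are visible here: `generate_factory_secret` is the per-unit credential the label would carry, and `DeviceCredentialStore` refuses to grant normal access until that credential has been replaced. The point the article makes still stands: a device whose compromise could cause physical harm needs more than this (for example, an authenticated update channel), and a statute that names only the password step sets the floor, not the ceiling.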

As security and encryption approaches continue to advance, the password requirements codified in the laws may actually be disincentives to the adoption of more effective—and reasonable—security practices.  So this is leaving engineers asking the question, what is reasonable security?

Unfortunately, “it depends” is the answer right now. Until regulators offer guidance on how they are going to interpret the requirements, or develop those standards through various enforcement actions, it will be up to manufacturers to develop industry-wide standards for what constitutes “reasonable security.”  This may be particularly challenging in light of the expansive scope of these laws.  The California Attorney General, at least, has previously endorsed the Center for Internet Security’s Critical Security Controls as a baseline for reasonable security.  And some industries, like the automotive industry, already have good track records and mechanisms to establish industry standards.  Emerging industries and existing companies unfamiliar with IoT and 5G may not be in such an advantageous position…


Supercomputers Recruited to Work on COVID-19 Research

A consortium forms to crunch data that might help researchers get a better understanding of the virus faster.

A convergence of technology resources is being put to work to find answers in the fight against COVID-19. The White House Office of Science and Technology Policy and the U.S. Department of Energy reached out to the technology sector, bringing together IBM and other supercomputing powerhouses to support research into the virus.

The combination of private industry, academic resources, and government entities thus far has assembled 16 supercomputer systems that boast some 775,000 CPU cores and 34,000 GPUs. That computing power is tasked with running huge calculations for molecular modeling, epidemiology, and bioinformatics in order to hasten the research time spent on the virus.

Spearheaded by IBM, the key partners in the COVID-19 High Performance Computing Consortium include Amazon Web Services, Google Cloud, Microsoft, Massachusetts Institute of Technology, Rensselaer Polytechnic Institute, NASA, and others. The consortium is accepting research proposals online, then matching researchers with computing resources that might best accelerate their efforts.

John Kolb, vice president, information services and technology and chief information officer at Rensselaer Polytechnic Institute (RPI), says high-performance computing is an area of expertise for the university. “We’re on our third-generation supercomputer, an IBM DCS system, that we put in place in November,” he says. “It’s the most powerful supercomputer for a private university in the country.”

Kolb says the supercomputer’s architecture is meant to move data in and out of memory very quickly in large quantities. That lets users take on data-intensive problems. “It’s also very well-suited for some of the machine learning and AI things our researchers are involved with,” he says.

The effort to fight COVID-19, Kolb says, may include a lot of modeling of very large data sets once they become available. “You can start to look at issues around the spread of the virus and mitigation of the spread,” he says. “There could be some drug repurposing and perhaps development of new therapeutic candidates.”

There may be opportunities for new materials to filter out the virus, Kolb says, or to create items that are in short supply now.

RPI uses the Summit supercomputer architecture system, which is the same system as some of the Department of Energy labs, he says. “It will be interesting to see if we can have runs here that scale up on Summit or do we have runs on Summit that we could take over.” Kolb believes most of the problems the consortium will deal with may be multivariate. For example, that could mean taking into account the number of people, density, the effectiveness of social distancing, and the capacity of hospitals. “We’re clearly trying to explore some things that may have some great promise, but there’s some great computing and science that need to come into play here,” Kolb says.

The greater emphasis in recent years on technology and compute in the public, private, and academic sectors may mean there can be more hands on deck to support research into the virus. “COVID-19 is going to see a fair amount of data analytics and the use of AI and machine learning tools to think through what are the most promising possibilities going forward,” Kolb says. “Across the country and world, we’re developing much more expertise in this area.”

IBM got involved in this fight believing it could coalesce a team around bringing computational capability to bear on investigating the virus, says Dave Turek, vice president of technical computing at IBM Cognitive Systems. “It was prompted by experiences IBM’s had applying computational biology, molecular dynamics, and material science to a variety of scientific problems,” he says.

Bringing scientific perspective and computing expertise together, Turek says, could create a set of resources that can be used broadly. It also gives researchers access to supercomputing they might not otherwise have, he says. “It’s a massive, massive amount of computing,” he says.

The way the consortium is established, other interested organizations can make their resources available as well, Turek says. “This is really a clearinghouse,” he says. “We have scientists and computer scientists sitting on review committees on proposals that are coming in to ensure the science is dedicated to the most appropriate platform to the task at hand.”

The momentum and application of technology such as supercomputers that was already underway could help narrow the time research efforts may take. “Even inside IBM, we did modeling on the evolutionary pathways of H1N1,” Turek says. “Those skills and experiences have been scaled up and leveraged over time.”…


How Small Businesses Can Protect Themselves from Cyberattacks

When most people think of cyberattacks, major data breaches at humongous companies like Equifax and Yahoo! typically come to mind. This is perfectly understandable, as these are the attacks that impact the most people and always make headlines. But cybercriminals don’t limit their attacks to large companies–they also target countless small businesses every year. And in many cases, these attacks destroy businesses and livelihoods.

By Zack Schuler, Founder and CEO of NINJIO

There’s no reason to put it delicately: The state of cybersecurity in the world of small and medium-sized businesses (SMBs) is nothing short of alarming. Not only are SMBs relentlessly targeted by hackers, but they’re also woefully unprepared to defend themselves and unequipped to handle the aftermath. This is a status quo that has to change immediately–SMBs are the biggest engine of the U.S. economy and they’re at risk like never before.

The Scope of the Problem

Every year, cyberattacks cost small businesses an average of almost US$80,000, and losses can range up to US$1 million (according to a report by the Better Business Bureau). Meanwhile, a 2018 study by the Ponemon Institute found that more than two-thirds of SMBs reported that they had been targeted by a cyberattack within the preceding year. Substantial majorities of SMBs also agree that cyberattacks are becoming more targeted, severe, and sophisticated, but despite these facts, almost half of respondents say they have no understanding of how to protect against cyberattacks.


Key findings from the report
  • Every year cyberattacks cost small businesses an average of almost US$80,000, and losses can range up to US$1 million.
  • A survey reports 88 percent of small business owners felt their business was vulnerable to a cyberattack.
  • Almost two-thirds of small businesses fail to act following a cybersecurity incident.
  • 56 percent of SMBs say defending mobile devices from cyberattacks is extremely challenging.
  • The top three attack vectors cited by SMBs are mobile devices, laptops, and cloud systems.
  • Just 16 percent of SMBs are “very confident in their cybersecurity readiness.”
  • 60 percent of SMBs lack a “cyberattack prevention plan.”

A recent survey by the U.S. Small Business Administration found that 88 percent of small business owners felt their business was vulnerable to a cyberattack. However, due to resource constraints, a lack of technical expertise, and the rapid pace of change in the cybersecurity world, they often feel helpless or ill-prepared to defend themselves against the vast range of cyberthreats they face.

In fact, a survey of more than 4,100 SMB cybersecurity professionals recently conducted by Forrester found that almost two-thirds of small businesses fail to act following a cybersecurity incident. Even when the threat is right at their doorstep, many SMBs don’t know what to do.

The World is Changing for SMBs

There are many factors that contribute to the challenging cybersecurity situation for SMBs. First, digital operations are no longer optional for any company–even if your market is small and local, consumers are increasingly demanding the ability to do all their business online.

SMBs are changing the way they operate in the digital era. For example, a 2018 Cisco survey of SMBs found that the percentage of their networks that are on the cloud increased from 55 percent to 70 percent between 2014 and 2017. While almost 70 percent of SMBs say they’re making this transition for security reasons, an increased reliance on cloud-based services can also open up new vulnerabilities.

Meanwhile, other aspects of the digital transition have proved difficult for SMBs, 56 percent of which say defending mobile devices from cyberattacks is extremely challenging. Ponemon reports that the top three cyberattack vectors cited by SMBs are mobile devices, laptops, and cloud systems.

The Ponemon report also discovered that issues such as a lack of money, out-of-date cybersecurity technologies, and insufficient personnel are all major obstacles cited by SMBs. But the main threat cited in the report is employee negligence, as phishing/social engineering attacks were reported more than any other, while negligent employees or contractors were cited as the top root cause of the data breaches.

How SMBs can Protect Themselves

According to the Forrester survey cited above, just 16 percent of SMBs are very confident in their cybersecurity readiness. Despite the fact that SMBs are increasingly concerned about cybersecurity, Forrester also found that almost half of them don’t have a clearly defined strategy for protecting themselves. This is a common theme in surveys of SMBs. A 2019 Keeper survey found that 60 percent of respondents lack a cyberattack prevention plan. […]

This article first appeared in CISO MAG.

CISO MAG: www.cisomag.com

4 strategies for balancing cybersecurity and business continuity planning during the coronavirus outbreak

As cybersecurity conferences worldwide cancel events, the impact of the coronavirus (COVID-19) on the industry comes close to home. At least two people who attended the annual RSA cybersecurity conference were officially diagnosed with the virus, with one placed in a medically induced coma. Compounding this industry impact, many companies have started initiating new “work from home” requirements for nonessential employees, including Apple and Google.

While companies brace for the coming changes that COVID-19 seems to be bringing, cybersecurity and compliance professionals find themselves struggling to balance workforce, member and data security. With this in mind, organizations should consider the following business continuity planning and cybersecurity strategies as they create their coronavirus preparedness plans.


What are the current governmental directives regarding COVID-19?

In late February 2020, the Centers for Disease Control (CDC) released its “Interim Guidance for Businesses and Employers.” This reads in part:

Important Considerations for Creating an Infectious Disease Outbreak Response Plan

All employers should be ready to implement strategies to protect their workforce from COVID-19 while ensuring continuity of operations. During a COVID-19 outbreak, all sick employees should stay home and away from the workplace, respiratory etiquette and hand hygiene should be encouraged, and routine cleaning of commonly touched surfaces should be performed regularly.

Employers should:

  • Ensure the plan is flexible and involve your employees in developing and reviewing your plan.
  • Conduct a focused discussion or exercise using your plan, to find out ahead of time whether the plan has gaps or problems that need to be corrected.
  • Share your plan with employees and explain what human resources policies, workplace and leave flexibilities, and pay and benefits will be available to them.

The Occupational Safety and Health Administration (OSHA) and Health and Human Services (HHS) issued a joint guidance of their own which stated, in part:

  • Employers should explore whether they can establish policies and practices, such as flexible worksites (e.g., telecommuting) and flexible work hours (e.g., staggered shifts), to increase the physical distance among employees and between employees and others

Although many companies already allow employees to work remotely, many others require employees to remain on-site when handling sensitive information. Unfortunately, those employees and organizations may not be able to control the required quarantine of sick individuals or may need to work remotely as part of physical distancing requirements for preventing the spread of COVID-19.

This means that companies need to start preparing new business continuity and security models now in order to limit business disruption.

Review your business impact analysis for cybersecurity controls

When people think about business impact analysis (BIA) and cybersecurity, they normally consider the potential impact of an organization’s essential functions being taken down by a malicious actor. While this remains true in terms of business continuity during an outbreak, the risks also shift.

Some considerations to include might be:

  • Availability of critical IT staff
  • Workforce member home wireless security
  • Use of Virtual Private Networks (VPN)
  • Enforcement of encryption processes
  • Managing user access to applications with multi-factor authentication
  • Monitoring user and entity behavior analytics (UEBA)
  • Limiting user access according to the principle of least privilege. […]

 

 

A Radical Plan for Enterprise Transformation

If you want the big rewards of new technology implementations, you need the right approach and a full commitment.

Want your organization to be on track for the kind of growth that digital-native startups enjoy? It may sometimes seem like these organizations have a head start because they don’t already have infrastructure in place. There’s a certain freedom that comes with starting fresh. Every decision they make is a new choice, based on today’s technology market. But established organizations can learn a few lessons from how these startups have built their infrastructure.

The real leaders among established businesses are those organizations that will jump in and leverage today’s technology and revamp their tech infrastructure to be adaptive for multiple projects and purposes. They won’t be held back by their existing tech infrastructure.

That’s among the conclusions and best practices pulled out of a new report from Accenture, based on engagements with C-level execs at more than 8,300 companies, with half in IT roles and half in non-IT roles, including 885 CEOs.

But not many organizations fit into the “Leaders” category of companies that represent just 10% of the overall study group, according to Accenture. These Leaders companies will experience much greater success, growing revenues at more than twice the rate of those in the bottom 25%. That bottom 25% is known as the “Laggards.”

Does it really make that much of a difference? Accenture said that in 2018, for example, Laggards left 15% of their potential revenue behind. If both Leaders and Laggards continue on their current trajectories, Laggards will leave 46% of their potential annual revenue on the table in 2023, Accenture said.

Yet in this fast-moving tech environment, it can be tricky to be sure you are moving fast enough and also making the right decisions.

A new form of ‘silo’

“Why does it happen? Primarily due to fragmented decision-making,” said Accenture in the report, written by Accenture Chief Technology and Innovation Officer Paul Daugherty, Group Chief Executive of Accenture Technology Services Bhaskar Ghosh, and Global Managing Director for IT and Business Research James Wilson. “Compelled to move as rapidly as possible, C-level executives are putting business unit, product, or geography heads in charge of the tech investment decisions affecting their areas. It works well in the short run. But it results in several (or many) fully rooted highly customized systems operating in isolated pockets of the organization.”

These systems can’t work together, and interoperability is key to driving the innovation of modern cloud-based, data-driven systems. That means the innovation can’t be shared or scaled across the business, and it gets harder to update each system.

How do you make sure you are more like a Leader and not like a Laggard? Accenture said organizations face a set of decision points it calls PATHS, an acronym for progress, adaptation, timing of tech adoption, human + machine workforce, and strategy.

The study defines “progress” in this context as how extensively or broadly to apply new technologies to evolve business processes across the enterprise. Organizations have a few choices in how they pursue this. One option could be to transform the low-hanging business processes, such as the customer-facing ones. Another option would be to build innovation centers or hubs to transform multiple processes. Both of these options would result in progress.

However, the Leaders tend to choose the third option, which is reimagining business processes for the future and targeting multiple business processes with the same technology. That option is harder and probably more painful, but successfully executing it yields the most rewards.

Accenture offers similar options for the four other decision points. The first two options may look like progress, but the optimal option in each category is what leads to organizations becoming Leaders.

The cloud option

The firm defines “adaptation” as how we adapt our current IT investments to changing business needs. The first option is to patch legacy systems and the second option is to lift and shift to the cloud. But the optimal option, according to Accenture, is to decouple from legacy and transform with the cloud.

As for “timing of tech adoption,” Accenture says this is about how to properly sequence and map adoption of new technologies. The first option is to experiment with new technologies on the leading edge, and the second is to double down on industry-specific, customized technology. But the optimal option is to identify fundamental or general-purpose technologies and prioritize their adoption in terms of timing and processes targeted.

Accenture defines “human + machine workforce” as how to activate and enable the workforce to use and be augmented by technology. The first option is to rely on traditional, periodic training about new technology via standard classroom or online learning modules. The second option is to individualize training to allow employees to learn at their own pace. But the optimal option is to deliver tech-augmented, experiential and personalized training for working with technologies of the future such as AI and XR (augmented, virtual, and mixed reality technologies).

Finally, Accenture said “strategy” in this context refers to how to intentionally manage the intersection of business strategy and technology strategy. The first option is to let business units rapidly and independently address their pain points, and the second option is to devise a technology strategy to explore ambitious business goals like new business models and adjacent markets. But the optimal option is to “build boundaryless, adaptable, and radically human IT systems that explicitly enable scale and strategic agility,” according to Accenture.

By embracing this kind of strategy, leaders become increasingly agile and able to innovate at scale within the enterprise. […]

 

Connecting To Secure Wireless Networks In Windows 10

Introduction

Though they offer undeniable benefits of mobility, cost and convenience, wireless networks are less desirable from a security perspective. There is always a risk that signals can be intercepted as they travel through the open air.

Unsecured or “open” wireless networks, like those found in public cafes and airports, offer cybercriminals an easy launching pad for attacks. Sensitive data can be compromised in many different ways on unsecured wireless networks through the use of malware, snooping or man-in-the-middle tactics.

Given a choice, it is always preferable to restrict your connectivity on Windows 10 devices to fully secured wireless networks. Such networks use various wireless security protocols to encrypt the connections and, more importantly, restrict access to authorized individuals and their devices.


Different types of wireless security protocols

There are four main types of wireless security protocols currently in existence: WEP, WPA, WPA2 and WPA3. Their evolution was the result of incremental upgrades to wireless network security over the last 22 years pioneered by the Wi-Fi Alliance.

Though primitive implementations of wireless data technology date back to the 1970s, Wi-Fi as we know it (the 802.11 protocol) first came about in 1997. The earliest Wi-Fi security protocol was also unveiled the same year.

WEP — Wired Equivalent Privacy

As the first generation of wireless network security, WEP has been outdated for almost two decades. Due to the simplistic nature of the RC4 Encryption Algorithm used in WEP, hackers could easily crack its security encryption using basic network analysis tools like AirCrack, AirSnort and Kismet.

When it comes to WEP and Windows 10, the protocol is no longer supported by default due to its deprecated status. This has been the case since at least Windows 7. You can still use the protocol while creating a new network on Windows 10; it’s just not at all recommended.

WPA — Wi-Fi Protected Access

Due to the discovery of numerous security vulnerabilities within the Cyclic Redundancy Check (CRC) used in WEP authentication, WPA was developed as a new standard in 2003. Instead of CRC, the new system used Temporal Key Integrity Protocol (TKIP).

TKIP-based WPA was considered more robust, as it used unique encryption keys for each data packet sent across the network. This results in more complex codes that can take longer to decrypt and hack.

But the system was far from secure, as it still employed the RC4 encryption used by its predecessor. WPA served largely as a stopgap measure for the Wi-Fi Alliance as it was developing a stronger, more secure Wi-Fi security standard. WPA was quickly replaced by WPA2 in 2006.

WPA2 — AES

Until the announcement of WPA3 in 2018, WPA2 was the most advanced form of wireless security. Two major things set it apart from its predecessor: the mandatory usage of Advanced Encryption Standard (AES) algorithms and the replacement of TKIP with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).

While CCMP is a superior protocol with vastly improved security compared to other protocols, WPA2 is still vulnerable to brute-force attacks and rainbow table attacks, which use vast databases of precomputed hash strings (rainbow tables).

Both WPA and WPA2 provide two separate authentication variants: Personal for individual and home use and Enterprise for use in an office context. In the former, there is just one single authentication key. In Enterprise, the system administrator can set multiple authentication keys for different users.

Connecting to a WPA or WPA2 network is a fairly straightforward process in Windows 10. The system automatically detects all available wireless networks in the vicinity. The user simply has to select the network from the list and provide the security key (Wi-Fi password) when prompted.

To check your current security protocol, go to the Taskbar and click the Wi-Fi Connection icon. Go to the Wi-Fi details found in Properties. Security Type is displayed prominently there.

WPA3 — The future

The next generation of wireless security is yet to reach widespread implementation. It aims to reduce the reliance on user-set passwords for security, which WPA2 still depends on: a WPA2 network is only secure if you use a complex password of at least 16 characters.

In WPA3, this is no longer a necessity, as it uses a new protocol for key exchange called Simultaneous Authentication of Equals (SAE). Because SAE reduces the usefulness of precomputed hash string databases, attackers would have to interact directly with the router/access point for each password guess.

Even if the security key is compromised, the protocol does not allow access to historic data transmitted through the network. WPA3 is also expected to make public or open wireless networks even more secure.
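As an added example (not part of the original article), the following PowerShell script performs the “Security Type” check described above from the command line, for the current connection and for every saved Wi-Fi profile, and flags the deprecated protocols (open/WEP and original WPA with TKIP). It assumes the built-in `netsh wlan` tool with English-language output; the verdict categories are an assumption of this example, not Windows terminology.

```powershell
# Added example, not from the original article: audits the current Wi-Fi connection
# and every saved Wi-Fi profile on a Windows 10 machine and flags the deprecated
# security types described above (open/WEP, WPA with TKIP). Assumes the built-in
# "netsh wlan" tool with English output ("Authentication : ...", "Cipher : ...").

# Authentication and cipher values that "netsh wlan" reports for the outdated protocols.
$WeakAuth   = @('Open', 'Shared', 'WPA-Personal', 'WPA-Enterprise')  # open/WEP and original WPA
$WeakCipher = @('WEP', 'TKIP', 'None')

function Get-NetshField {
    # Return the value of the first "<Field> : <value>" line in netsh output, or 'Unknown'.
    param([string[]]$Lines, [string]$Field)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Field\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return 'Unknown'
}

function Test-WlanSecurity {
    # Classify an authentication/cipher pair the way the article ranks the protocols
    # (verdict labels are this example's own, not Windows terminology).
    param([string]$Authentication, [string]$Cipher)
    if ($Authentication -in $WeakAuth -or $Cipher -in $WeakCipher) { return 'WEAK' }
    if ($Authentication -like 'WPA3*')                               { return 'STRONG' }
    if ($Authentication -like 'WPA2*' -and $Cipher -eq 'CCMP')       { return 'OK' }
    return 'REVIEW'
}

function Get-SavedWlanProfileReport {
    # One row per saved profile: name, authentication, cipher and verdict.
    $names = netsh wlan show profiles |
        ForEach-Object { if ($_ -match '^\s*(All|Current) User Profile\s*:\s*(.+?)\s*$') { $Matches[2] } }
    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        $auth   = Get-NetshField -Lines $detail -Field 'Authentication'
        $cipher = Get-NetshField -Lines $detail -Field 'Cipher'
        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            Cipher         = $cipher
            Verdict        = Test-WlanSecurity -Authentication $auth -Cipher $cipher
        }
    }
}

function Get-CurrentWlanReport {
    # Same check for the network the adapter is connected to right now (the
    # command-line equivalent of reading "Security type" in the Wi-Fi properties page).
    $iface  = netsh wlan show interfaces
    $auth   = Get-NetshField -Lines $iface -Field 'Authentication'
    $cipher = Get-NetshField -Lines $iface -Field 'Cipher'
    [pscustomobject]@{
        SSID           = Get-NetshField -Lines $iface -Field 'SSID'
        Authentication = $auth
        Cipher         = $cipher
        Verdict        = Test-WlanSecurity -Authentication $auth -Cipher $cipher
    }
}

# Live audit of this machine. WEAK rows are the profiles worth removing
# ("netsh wlan delete profile name=<ssid>") or re-adding with WPA2/WPA3 settings.
Get-CurrentWlanReport | Format-Table -AutoSize
Get-SavedWlanProfileReport | Sort-Object Verdict | Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell prompt; a saved profile whose row reads WEAK is one Windows will still join automatically, which is exactly the exposure the article warns about.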

Different ways to connect to secure wireless networks

In Windows 10, users have multiple choices when it comes to connecting their PCs to a nearby secure Wi-Fi network. At least four options exist, with varying levels of convenience and complexity. They include:

Taskbar

The most straightforward option is using the taskbar. The wireless icon is usually located in the notification area at the right end of the taskbar. Clicking it displays a list of available connections. Select the appropriate network and provide the authentication key to connect.

Settings

Another option is to use the Network & Security page in the Settings menu. Head to the Wi-Fi section, select “Manage known networks” and opt for “Add a new network.” Provide the network name and select the appropriate security type. Input the security key (Wi-Fi password) and save the settings to connect. […]