Get Serious About SaaS Management in the Enterprise

While a software-as-a-service model leaves processing in the service provider’s hands, there’s plenty of work left for the IT group when it comes to administering the relationship and in supporting employee users.

For many business leaders, the advantages of software as a service (SaaS) are plentiful compared to on-premises or other cloud delivery architectures. These benefits include faster times to deployment, low administration overhead, infinite scalability, low CAPEX investment and flexible licensing/payment models. That said, SaaS comes with a host of administration tasks, which — if left unchecked — can severely limit the benefits that SaaS offers.

You should establish processes that not only foster communication and collaboration between the SaaS provider and the in-house IT department, but also internal processes that ensure application and data performance, usability and security. Let’s look at what tasks are required to maintain a healthy SaaS portfolio within your organization as well as some new tools that can help streamline administration efficiency.

SaaS administration tasks between business and service provider

Because of your reliance on a third-party SaaS provider to manage the underlying cloud infrastructure, data storage and application delivery methods, it’s critical to be in sync. One way to do this is to be sure that the service provider has multiple points of contact within your business. All too often, a single member of your IT staff will establish the lines of communication with a SaaS vendor. Then, once those employees move on from the company, remaining IT staff must scramble to reestablish those relationships. A better way to manage service provider communication is to assign administration tasks to a team rather than a team member. Missed communications can result in unplanned maintenance windows, missed details regarding new feature announcements or other important information.

Those tasked with managing SaaS contracts must fully understand how to handle licensing and service level agreements (SLA). Because every SaaS contract is different, the process of adding and removing licenses — as well as proper management of unused licenses — is critical to squeezing out the most value for your money. Understand the various license tiers and what differentiates them from a features perspective. Also, be sure to develop a strategy to reduce the number of idle or unused licenses that waste money.

DevPlans should be developed to ensure the proper balance between speed-to-delivery of a service and a reduction of idle-license spend. Finally, understand your leverage when it comes to missed SLAs. Make certain you’re getting what was agreed upon when services become unavailable according to SLA guidelines.

Lastly, be prepared for SaaS license renewals as well as the potential of a full service termination. Getting ahead of the this will lessen the risk of a disruption in service due to a misstep in the renewals or termination process. The weeks and months before a service renewal is also a great time to reassess the value of all services in the company’s application portfolio. That way, steps can be put in place to help with the renegotiation of contracts, re-training of employees on changed application usability or migration of data from one cloud provider to another.

Administration of SaaS tools within the business

The IT department must also look inwardly when getting serious about SaaS administration tasks. The initial setup and customization of the cloud-delivered application must be performed by a well-trained admin to be sure it’s done according to the provider’s best-practice standards. Additionally, administrators must stay informed of any feature adds/removals, maintenance windows and IT security-related information.

Onboarding and processes for SaaS services should be implemented to quickly bring on new employees. Even more importantly, when employees leave, administrators must be able to remove access for security purposes. SaaS platform integrations into existing user management tools or SaaS management platforms can help to automate and increase the speed/accuracy of these steps.

The SaaS applications and services that are approved and supported by the IT department must be well known to the business’s user base. An easy-to-access and understand portfolio of supported SaaS apps should be made available. This portfolio can not only be used to help eliminate shadow IT, but it’s also a great way to begin evaluating the portfolio to identify overlapping, underutilized and abnormally expensive tools within the organization…[…] Read more »
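
The offboarding and idle-licence points above are easiest to act on when the SaaS admin console's user export is reconciled against the HR roster on a schedule. The script below is an added example, not the article's or any vendor's code: it assumes two CSV exports in the constructed shape shown, a 60-day idle threshold, and that a seat with no HR record is worth a manual check.

```python
import csv
import io
from datetime import datetime

# Assumption (not from the article): a paid seat with no login in this many
# days is treated as idle and a candidate for reclaiming.
IDLE_DAYS = 60

# Constructed HR roster export: who is still employed.
HR_ROSTER_CSV = """email,status
alice@example.com,active
bob@example.com,terminated
carol@example.com,active
erin@example.com,active
"""

# Constructed SaaS admin-console user export: who holds a seat and when
# they last signed in (empty last_login = never signed in).
SAAS_EXPORT_CSV = """email,tier,last_login
alice@example.com,enterprise,2020-01-20
bob@example.com,enterprise,2019-12-01
carol@example.com,standard,2019-10-15
dave@example.com,standard,2020-01-18
erin@example.com,standard,
"""


def load_hr(text):
    """Index the HR roster by lower-cased e-mail address."""
    return {row["email"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(text))}


def load_saas(text):
    """Return the SaaS user export as a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    """Turn a YYYY-MM-DD string into a date, or None when the field is empty."""
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def reconcile(hr_rows, saas_rows, today):
    """Compare the SaaS seat list with HR and sort each seat into findings.

    departed: HR says the person has left, but the seat is still active.
    unknown:  the seat has no HR record at all (shadow or service account).
    idle:     the seat is paid for but unused for more than IDLE_DAYS.
    A seat can land in more than one bucket.
    """
    findings = {"departed": [], "unknown": [], "idle": []}
    for row in saas_rows:
        email = row["email"].strip().lower()
        hr = hr_rows.get(email)
        if hr is None:
            findings["unknown"].append(email)
        elif hr["status"].strip().lower() != "active":
            findings["departed"].append(email)
        last = parse_date(row["last_login"])
        if last is None or (today - last).days > IDLE_DAYS:
            findings["idle"].append(email)
    return findings


def actions(findings):
    """Map findings to the administrative action each one calls for."""
    plan = []
    for email in findings["departed"]:
        plan.append((email, "remove access immediately"))
    for email in findings["unknown"]:
        plan.append((email, "verify owner with HR; remove if unowned"))
    for email in findings["idle"]:
        if email not in findings["departed"]:
            plan.append((email, "reclaim or downgrade licence"))
    return plan


def run_sample(today="2020-01-28"):
    """Run the reconciliation over the constructed exports as of the given date."""
    findings = reconcile(load_hr(HR_ROSTER_CSV), load_saas(SAAS_EXPORT_CSV),
                         parse_date(today))
    return findings, actions(findings)


if __name__ == "__main__":
    found, todo = run_sample()
    for email, action in todo:
        print(f"{email}: {action}")
```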

5G Networks Present New Risks and Security Challenges

The talk of the town, the next big thing, a revolutionary breakthrough – the 5G technology lives up to all these clichés. It captures the imagination with potential use cases capitalizing on the impressively high speed, low latency, and mind-blowing network capacity.

Contributed by David Balaban

The state of 5G deployment currently ranges from large-scale field testing to commercial roll-outs in small portions around the world. Next-generation connectivity is already available in dozens of cities in the U.S., Europe, and East Asia. Moreover, these advanced telco systems are expected to become the backbone of digital economies soon.

Just like any new technology, 5G networks can be low-hanging fruit for threat actors who seek to expand their malicious reach. Therefore, it’s in the best interest of governments to assess and tackle the entirety of potential security issues prior to the ubiquitous implementation of the tech.

These concerns have recently incited some expert discussions in the EU. In October, EU member states released a report on “coordinated risk assessment of 5G networks security”. It came in response to a recommendation issued by the European Commission, the executive branch of the EU, in March 2019. Here are the key takeaways from the officials’ findings.

Supplier monopoly deemed as a major risk

The report emphasizes the possible pitfalls of using a single supplier of 5G equipment, namely the Chinese technology giant Huawei. Interestingly, the document contains no direct references to the company in question, although the collaboration is officially underway. Network infrastructure with the solo contractor at its core is susceptible to a number of issues, including a shortage of telecommunications gear, dependencies on the supplier’s commercial well-being, and primitive malware attacks.

Considering this paradigm, the researchers claim network operators will have to rely too heavily on the contractor that may undergo commercial pressure and therefore fail to carry through with its obligations. The adverse influence may stem from economic sanctions affecting the supplier, as well as from a merger or acquisition. Consequently, such cooperation has a single point of failure (SPOF) that might undermine the successful adoption of the technology and stability of the network down the road.

An extra factor is a strong link between the supplier and the government of the country it is based in. It means there is a chance of state-level interference with the equipment provider’s activities. Furthermore, a lack of democratic checks and balances and the absence of data protection agreements between the EU and the said country are serious roadblocks endangering the future partnership.

According to the officials, one more facet of the peril comes down to a tightening connection between the EU’s telco networks and third-party software systems. The elevated scope of access the supplier will have to the region’s 5G infrastructure and the transferred data is a lure for cybercriminals who may take significant efforts to exploit these systems.

Additional security challenges – the big picture

Aside from the obvious caveats arising from the increased role of hardware and software suppliers, the joint report provides a lowdown on other possible security effects of 5G network deployment across the EU. A summary of these challenges is as follows.

More entry points for attackers

The architecture of 5th generation wireless networks is largely based on software. This hallmark makes them particularly vulnerable to security imperfections resulting from vendors’ inappropriate software development processes. Critical flaws may allow malefactors to inject backdoors into the applications and thereby maintain long-lasting surreptitious access to different layers of the targeted 5G infrastructure.

5G network slicing issue

Given that 5G will enable numerous services and applications operating within different virtualized environments, such as enterprise and government networks, the importance of securing these logically segregated ecosystems is going to grow. Unless reliably isolated and protected, these network segments (dubbed “slices”) can be exposed to data leaks…[…] Read more »

This article first appeared in CISO MAG (www.cisomag.com).

Data Privacy Day 2020 Encourages Consumers to “Own Their Privacy”

The theme of Data Privacy Day 2020 is “Own Your Privacy.”

Data Privacy Day began in the United States and Canada in January 2008 as an extension of the Data Protection Day celebration in Europe and is officially led by NCSA in North America.

With the California Consumer Privacy Act taking effect this year and other states considering similar legislation, data privacy has become a growing concern for businesses and consumers alike, says StaySafeOnline. The organization cites a recent survey by Pew Research Center that found that a majority of Americans think their personal data is less secure now than five years ago and that data collection by businesses and government poses more risks than benefits. “Yet while these concerns increase, few people understand what is being done with the data that is collected and how it is used and shared by businesses, which can monitor, store and sell the data for profit. That is why the theme of Data Privacy Day 2020 is ‘Own Your Privacy,’” notes the organization.

To celebrate the 13th annual Data Privacy Day on January 28, NCSA and a range of privacy experts will be ‘Live from LinkedIn’ for the third consecutive year in San Francisco. This year’s event, titled “Data Privacy Day 2020: A Vision for the Future,” will bring together data privacy experts from industry, government, and non-profit for a morning of TED-style talks and panels on global and national data privacy regulations, says StaySafeOnline.

“With new privacy legislation going into effect this year, Data Privacy Day 2020 couldn’t be a more timely opportunity for helping businesses and consumers understand the importance of respecting and protecting personal information,” said Kelvin Coleman, executive director of NCSA. “With the amount of consumer data collected and stored online, Data Privacy Day encourages businesses to improve data privacy and security practices and educate consumers about the many ways they can make their personal information more private.”

Steve Durbin, managing director of the Information Security Forum, notes that, “The requirement for maintaining data privacy has increased as privacy regulations have been adopted by many more jurisdictions since they were first introduced. Fines for breaching data privacy regulations have multiplied, and penalties can be more severe than fines. Increased public awareness and media interest have led to potential commercial and reputational consequences for non-compliance. The risk of private data being compromised has increased as systems are increasingly accessible via connected devices and vulnerable to cyber-attacks.”

“With all of the focus on breaches and the loss of personal data, it is understandable that the main attention for organizations today seems to have shifted to data privacy – after all, we are seeing a growth in legislative requirements to protect personal information along with the associated fines and sanctions for non-compliance,” Durbin adds. “Most governments have created regulations that impose conditions on the protection and use of personally identifiable information (PII), with penalties for organizations who fail to sufficiently protect it. As a result, data privacy and the protection of PII, afforded protection under the General Data Protection Regulation (GDPR) in the European Union (EU), the California Consumer Privacy Act (CCPA) and the New York Privacy Act, appear to be here to stay.”

“What is clear is that privacy is becoming more of an issue in the United States,” he says. “And there is a very real need for a Federal law to avoid States introducing their own variations and interpretations on privacy which adds a further compliance burden to already overstretched businesses looking to understand and comply with their obligations across the various regions in which they are transacting business. The good news is that the formal enactment of the CCPA is going to add momentum to endeavors within the United States to formalize a sweeping federal law on data privacy.”

Joseph Carson, chief security scientist at Thycotic, says, “The reality today is that almost everyone is being tracked and monitored 24/7 with thousands of cameras recording your expressions, fashion, interactions and speech to determine what you need, what you might be thinking and who you are meeting. Algorithms can even determine what your next action might be.”

“Privacy should be universal,” Carson adds. “However, we tend to have different definitions of privacy in the digital world as opposed to physical world. EU GDPR has been a ground-breaking change that set new regulations around digital privacy, empowering citizens with clear cut rights around consent and transparency of their personal information online…[…] Read more »

The Enterprise Guide to Successful AI

In a survey of 1000 Canadians, 31% of people said that companies that use AI in their operations and customer communications are the future.

People recognize the potential of AI and companies can no longer afford to be ignorant. AI is now disrupting every industry and the question is whether established companies will take proactive steps to ensure that disruption doesn’t happen to them.

The long-term path to success with AI requires companies to approach the integration of AI through an “AI Triple Win” framework of utility, privacy/security, and trust.

The AI Triple Win Framework

To achieve business success, the framework incorporates three key, foundational components:

  1. Utility: AI must solve pain points, add value, and serve genuine needs.
  2. Privacy and Security: Companies must incorporate privacy as a fundamental principle in every aspect of their work as opposed to an afterthought, and data must be held safely.
  3. Trust: Companies must achieve AI for Good, not simply AI for profit.

Let’s consider each pillar in more detail.

Pillar #1: Utility

To have the goal of using AI simply because competitors are using it is misguided. Whether creating utility means answering customer questions within seconds, serving consumers with more relevant website ads, creating product delivery efficiencies, or entertaining people while they wait for a taxi, every AI tool must serve a genuine need. Companies must have clarity on the role that AI can play for them in growing their company, and that requires Utility.

Within companies that focus on retail and customer service, AI tools help people find clothes that fit properly (Levi’s), and answer questions about products and services (Sephora, Lowe’s). Alibaba, a leader in applying advanced technologies in the retail space, has even employed smart racks and mirrors to help people see themselves in new styles without ever trying the clothes on, a boon for accessibility.

Similarly, within the food and QSR category, both Campbell’s Soup and Knorr use AI to help customers customize recipes based on ingredients currently in their home. Taco Bell uses a Slack chatbot to take orders. In addition, Domino’s Pizza allows consumers to place orders by sending a message that contains only the word “Pizza.”

Consumers are ready for AI customer experiences

Our research has shown that Canadians feel positive about AI in the customer service space. Many people believe that AI has the potential to improve customer service (40%) and can provide the same or better customer service than a person (20%). Further, 59% of people would feel comfortable with AI providing recommendations on what to purchase.

Given that 36% of people say Canadian businesses should invest in using AI technologies to run their business, it is clear that consumers are ready for companies to use AI.

Pillar #2: Privacy and Security

Unfortunately, few companies have made the second pillar, privacy, a key differentiator. DuckDuckGo, an internet browser that purposefully does not track its users’ movements (unlike Google, Firefox, and others), is enjoying increased consumer interest. Snips is an up-and-coming voice assistant alternative to Alexa and Siri that focuses on privacy and security. And Purism builds digital technologies with security as the main feature.

What companies can do, however, is make privacy and security key components of their publicly displayed company policies. Plain language allows anyone to understand what data a company is collecting and for what purpose (Apple, Encircle), what changes have been made to privacy policies (Fitbit), and how to withdraw consent for the collection of data (Danske Bank).

Consumers are ready to bring AI into their personal lives

Our research shows that people are comfortable with the possibilities that AI facilitates. People are comfortable trusting AI to regulate the temperature inside their homes (72%), organize their schedules (64%), and provide companionship to people who need it (58%). At the same time, however, people don’t blindly trust brands to respect their privacy and always maintain security. More than 43% of people worry about the AI on their phone, and a whopping 78% believe that AI will increase the lack of privacy.

We’ve already seen that people understand and want the benefits of artificial intelligence in their personal and work lives. They simply want companies to implement those processes in a way that respects their privacy and maintains their security.

Pillar #3: Trust

The third pillar of successful applications of AI is trust, an overriding aim to achieve AI for Good. In today’s world of transparency and instant communication around the world, revenue grabs are simply not sustainable. Companies must act in ways that are genuinely good for their customers.

Fortunately, many companies build consumer trust by not only providing good quality products and services, but by also actively and intentionally striving to do the right thing. Nike and Under Armor are prime examples in that they have taken a higher level approach to implementing AI in their business. Rather than simply using AI to facilitate customer service and purchase decisions, Nike and Under Armor mapped AI tools against their mission statements to create apps and virtual assistants that go beyond their products and services and help people lead healthier lives.

Consumers don’t yet trust companies to do the right thing

Unfortunately, companies using AI still have a long way to go to achieve a broader level of trust from consumers. Our research found that:

  • 20% of people believe companies using AI don’t have any ethical standards for AI in place
  • 31% worry companies might misuse AI to their own advantage
  • 41% believe companies using AI are focused on reducing their costs at the expense of people
  • 28% say Canadian businesses will use AI in ways that harm customers financially

Even though technology has impacted our lives for centuries, making millions of jobs extinct (Where are the buggy builders and lamp lighters today?), and creating millions of new jobs (Hello, data miners and user experience designers), people still worry that companies using AI will treat people unfairly and cause job loss and personal financial problems. The fact that AI and robotics will create almost 60 million more jobs than they destroy by 2022 doesn’t always feel personally relevant. People need to trust that companies will treat their employees and their consumers fairly today…[…] Read more »

Cybersecurity Weekly: Colorado BEC scam, CyrusOne ransomware, new California privacy law

A town in Colorado loses over $1 million to BEC scammers. Data center provider CyrusOne suffers a ransomware attack. California adopts the strictest privacy law in the United States. All this, and more, in this week’s edition of Cybersecurity Weekly.

1. California adopts strictest privacy law in U.S.

A new privacy rights bill took effect on January 1, 2020 that governs the way businesses collect and store Californian consumer data. The California Consumer Privacy Act mandates strict requirements for companies to notify consumers about how their data will be used and monetized, along with offering them a hassle-free opt-out process.
Read more »

2. Starbucks API key exposed online

Developers at Starbucks recently left an API key exposed that could be used by an attacker to access the company’s internal systems. This issue could allow attackers to execute commands on systems, add/remove users and potentially take over the AWS instance. The security researcher who reported the incident to Starbucks was awarded a $4,000 bounty.
Read more »

3. Cybercriminals filling up on gas pump transaction scams

Gas stations will become liable for card-skimming at their pay-at-the-pump stations starting in October. In the meantime, cybercriminals are targeting these stations with a vengeance, according to security researchers. This is because pay-at-the-pump stations are one of the only PoS systems that don’t yet comply with PCI DSS regulations.
Read more »

4. Travelex currency exchange suspends services after malware attack

On New Year’s Eve, the U.K.-based currency exchange Travelex was forced to shut down its services as a “precautionary measure” in response to a malware attack. The company is manually processing customer requests while the network stays down during the incident response and recovery process.
Read more »

5. Xiaomi cameras connected to Google Nest expose video feeds from others

Google temporarily banned Xiaomi devices from its Nest Hub following a security incident with the Chinese camera manufacturer. Several posts on social media over the past week have showcased users gaining access to other random security cameras. Google warned users to unlink their cameras from their Nest Hub until a patch arrives.
Read more »

6. Colorado town wires over $1 million to BEC scammers

Colorado Town of Erie recently lost more than $1 million to a business email compromise attack after scammers used an electronic payment information form on the town’s own website. They requested a change to the payment information on the building contract for a nearby bridge construction project.
Read more »

7. Maze ransomware sued for publishing victim’s stolen data

The anonymous hackers behind the Maze ransomware are being sued for illegally accessing a victim’s network, stealing data, encrypting computers and publishing the stolen data after a ransom was not paid. Lawyers claim the lawsuit may be to reserve their spot for monetary damages if money is recovered by the government.
Read more »

8. Landry’s restaurant chain suffers payment card theft via PoS malware

A malware attack struck point of sale systems at Landry’s restaurant chain that allowed cybercriminals to steal customers’ credit card information. Due to end-to-end encryption technology used by the company, attackers were only able to steal payment data “in rare circumstances.”…[…] Read more »

Watch Out: 7 Digital Disruptions for IT Leaders

Here are seven digital disruptions that you may not see coming.

Be like Apple, not Kodak. Years ago, Kodak was the first to offer digital film. But instead of pursuing the market that would disrupt one it already commanded, Kodak opted to invest in its traditional business by buying a chemical company for its conventional film business. Other companies went on to market digital film. Then came digital cameras and mobile devices with cameras in them. Kodak chose the wrong path.

Apple went down the path of disrupting its own successful product, the iPod MP3 player, to develop and sell the iPhone. It turned out to be the right decision.

Gartner VP, analyst and chief fellow Daryl Plummer recounted these stories in the introduction to his keynote address, titled “7 Digital Disruptions You Might Not See Coming,” at the Gartner IT Symposium recently. So how do you be Apple instead of Kodak?

“It’s really about protecting yourself from what might happen to you,” Plummer said. “Futureproofing yourself means that you are ready for the things that are coming, and even if you don’t know what they are, you can adapt.”

What disruptions may be coming down the pike that you aren’t expecting? Plummer provided a peek into the following 7 digital disruptions that you may not see coming:

1. Emotional experiences

Inexpensive sensors can now track physical biometrics, and organizations are working on providing hyper-personalized digital experiences, according to Gartner. The firm is forecasting that by 2024, AI identification of emotions will influence more than half of the online ads that you see.

This trend will reach beyond marketing to consumers. It could also be used in HR applications and be applied to employee evaluations, for instance.

Gartner recommends that CIOs identify emotional trigger-based opportunities with employees and customers, add emotional states evaluation to 360 Review processes, and mitigate privacy concerns with opt-in for-pay emotion mining.

2. AI decency, trust, and ethics

How do we know that the decisions AI is making are fair when there are many examples of questionable results that exhibit bias? What about fake news and deep fakes? Plummer said that this trend will disrupt trust models, certification of developers, auditing rules, and societal norms for trust. Gartner is predicting that by 2023, a self-regulating association for oversight of AI and machine learning designers will be established in at least four of the G7 countries.

CIOs should prescribe principles that establish an AI trust framework for developers and users.

3. Distributed cloud

Plummer said that in its most basic form, this trend means that the responsibility for cloud will shift entirely to the provider. About 75% of private clouds won’t work out in the long run because the DIY effort won’t be as good as what is available in the public cloud. Openshift, Cloud Foundry, and Azure Stack are taking us along this path to distributed cloud.

The trend will disrupt private cloud, hybrid cloud, data location, and data residency.

CIOs should demand packaged hybrid services, identify latency-sensitive use cases, and request explanation of economics of cloud operations.

4. Democratization of space

While it cost 4% of the entire U.S. budget to put a man on the moon, putting a satellite into orbit now costs just $300,000, Plummer said. That has led to low Earth orbit getting mighty crowded with hundreds of satellites. It also raises a host of new questions. What rules apply to data residency in space? What laws apply? What about crime in space? Countries and companies will be competing in space, and the cheaper it gets to launch a satellite, the more crowded it will become.

This trend will disrupt the economics of space-based systems, connectivity, and legal issues.

Technology providers will need to explore LEO (low earth orbit) connectivity options as space-based compute options become real.

5. Augmented humans

People will have technology such as chips and storage embedded in their bodies, and it will drive disruptions such as PC thought control, brain computer interfaces, and mind-link technology.

To prepare, tech providers should enhance disabled access to compute technology using brain computer interfaces and begin the shift from lifestyle to lifeline technologies, according to Gartner…[…] Read more »

Trial Before the Fire: How to Test Your Incident Response Plan to Ensure Consistency and Repeatability

While many organizations go to great lengths to set up effective security operations incident response plans, few proactively test their processes to ascertain how they will work when faced with a real threat.

Fifty-nine percent of incident response (IR) professionals admit that their organizations follow a reactive approach, according to a report from Carbon Black. Essentially, teams assume their processes work reasonably well to address the incident at hand … until they don’t. While organizations must have IR plans in place, it’s even more important that they a) work consistently and b) are updated and improved over time.

Testing incident response processes within the security operations center (SOC) should yield two important results: a clear understanding of whether your plan is likely to work and a list of gaps that should be addressed. There is no point testing them if the findings will play no role in optimizing your processes.

Lessons learned from your tests must be properly documented for them to have real, lasting value for your security operations team. Plus, you don’t want to find out your emergency plans don’t work when disaster strikes. What makes sense on paper or the whiteboard often doesn’t work as planned when put into practice.

Schools run fire drills, so everyone knows what to do when the bells go off. So, why aren’t we applying this logic more broadly in cybersecurity?

What is incident response?

IR refers to the systematic response to and management of events following a cyberattack or data breach. It involves a series of actions and activities aimed at reducing the impact of such an event.

A typical IR plan includes six phases which help the affected organization recover from an incident or simply contain it once it occurs: preparation, identification, containment, eradication, recovery and lessons learned.

When building an effective IR plan, security teams should determine the following:

  • The purpose of the plan.
  • Details on how to use the plan.
  • Your ability to respond to different incident types – including unauthorized access, malicious code, denial of service and inappropriate usage – and whether your information assets would be affected by such events.
  • Event handling protocols for each incident type and how to respond. This should include a checklist of which playbook needs to be triggered in the event of a cyberattack or breach. (A playbook, also known as a runbook, is common to the SOC and defines the flow of activities associated with a specific security issue and subsequent investigation and response. The goal is to build a consistent set of activities followed in every case, no matter the analyst assigned to it.)
  • Your ability to set up a “war room” for critical decision makers to receive and share information across the organization.

Testing the waters

Once you have a clear, documented plan in place, you should periodically test it through simulations to assess effectiveness and make continuous improvements. So, how can you put your processes to the test? Most security operations teams today use three methods:

1) Paper tests

The most theoretical and likely the first step for security operations teams who don’t have well-documented processes. However, paper tests leave too much room for error and should only be used to look for small process changes.

2) Tabletop exercises

These scenarios consist of company stakeholders sitting around a, you guessed it, table and running through a mock security event. While these exercises may appear informal, you should prepare well in advance, make sure the right individuals participate from across the organization and that the scenario is as real as possible. Allow for up to half a day to put key processes through their paces and troubleshoot as you go.

3)     Simulated attacks

The most effective way to pressure test your processes is to simulate a real-world attack to see how your organization will respond.[…] Read more »

How Cybersecurity Leaders Can Best Navigate the C-Suite

Recent data breaches at companies like British Airways and Capital One have made it more evident than ever before that cybersecurity leaders must prepare for a staggering number of potential threats. Credential stuffing, account takeovers, and insider threats are all vectors of attack that could potentially devastate a business. But without the C-suite’s support, it’s impossible for cybersecurity leaders to effectively plan for and defend against these threats.

If the C-suite doesn’t fully understand a security risk, they likely won’t prioritize investing to defend against the potential threat. This, of course, can lead to disastrous consequences, like losing loyal customers, hurting brand reputation, or incurring major fines. The British Airways breach led to a fine of almost $230 million, and that doesn’t include intangible losses like a damaged reputation. As a result, it’s up to security leaders to effectively communicate and position security risks to company leaders and decision-makers.

Here are five tips to help cybersecurity leaders navigate the C-suite:

Make cybersecurity a priority—for everyone

While leaders acknowledge security is a vital part of their organization, they often prioritize other initiatives that provide a more direct return on investment. According to a recent study from Nominet, 90 percent of C-suite members think their organization lacks the proper resources to defend against a cyberattack, and 76 percent of them think a security breach is inevitable. This highlights a disconnect: While C-suite executives acknowledge security is an issue, they’re not doing all they can to protect their organizations.

In another report from Wipro, 72 percent of organizations cited employee negligence and lack of awareness as a top cyber risk. Because of this, cybersecurity leaders need to find ways to relate cybersecurity to all departments of a business. Pushing everyone in the organization—not just the C-suite and IT teams—to think about security through awareness programs and other initiatives is necessary for any organization. When everyone actively thinks about cybersecurity and how it affects the overall well-being of the company, preventative measures will be more effective. Whenever presenting a specific threat, take a minute to explain why all employees across the business, including the C-suite, should care about it. For instance, the CMO will likely be interested to know how a hacked third-party tag on the website could steal customers’ personal information, thus violating user privacy regulations and affecting brand reputation. By working with the C-suite to make the business security efforts a top priority across the company, nobody will be caught off guard in the case of a new threat or a security incident.

Attach cybersecurity needs to business requirements

Cybersecurity leaders often have difficulty quantifying risk into impact, or cash cost, and presenting it in a way that aligns with business goals. For example, a member of the security team might need to explain to the C-suite why an organization should purchase a new encryption service. Instead of only speaking to the importance of encryption and broadly mentioning that it could save the organization money down the road, point out some industry statistics to back it up. A recent IBM study suggests that encryption reduces the cost of a data breach by $360,000 on average—a number that should persuade anyone to consider better encryption. A simple cost-benefit analysis is all that’s needed.

Overall, security leaders should communicate threats in an easily digestible way, but also show how the small initial cost to close a security hole can prevent a more significant cost down the road. According to the same IBM study, the average data breach costs an organization $3.92 million—a crippling setback for any organization. If possible, spell out what a cyber threat could cost the organization, including costs around incident response, potential fines, and lost customers.

Get to the point

The C-suite has a lot of responsibilities. If security teams present them with too much information at once, C-suite executives might overlook critical details. It rests on the cybersecurity leader’s shoulders to provide just enough information to show impact, but not too much to lose their audience. Explain essential details, like the immediacy of an attack or how many people it could affect. Diving into the technical specifics of credential stuffing or email phishing attacks, however, might not be the best strategy to get a CEO’s attention. Leave out extremely technical jargon along with the non-essential graphs and charts […] Read more »

What Do You Need to Know About the California Consumer Privacy Act?

When the General Data Protection Regulation (GDPR) was enacted more than a year ago, it was far reaching, and many organizations were caught off guard because they thought it didn’t apply to them. But in fact, it did. Now the California Consumer Privacy Act (CCPA) is about to go into effect (Jan. 1, 2020), and any enterprise that does business in the state of California will need to change the way they manage personal information.

California has the fifth largest economy in the world. In fact, it’s actually bigger than that of the United Kingdom. Why is this relevant? Well, given the size of California’s economy, this legislation will clearly have a considerable global impact. It will tip the scales on privacy around the world. To prepare for the CCPA and other future data security legislation, organizations must focus on identifying the types of personal information they have and evaluating the flow of that data coming in and going out of the organization. Getting a handle on the flow of your sensitive data is also a great early step toward avoiding a breach, regardless of the regulations you need to follow. More importantly, it is the foundation of a solid data privacy strategy, which should be the end goal for global enterprises.

CCPA is only one of a myriad of data security regulations that will come to pass in the next few years. No organization can afford to develop an entirely new strategy for each regulation, so now is the time to develop a comprehensive data privacy policy that ensures the safe handling of all data, and particularly sensitive data. A few baseline practices can set your organization up for safe data handling and help you avoid starting from scratch every time a regulation changes or a new one comes out.

The objective of these guidelines is to provide you with some pragmatic thoughts around preparing for CCPA. They are based on conversations we had with security and data executives at enterprises worldwide regarding what’s worked best for them to address CCPA and other pending data privacy regulations.

1. Break Down Data Silos

As organizations mature, departmental silos naturally emerge as the business evolves and expands into different areas. As part of this evolution, each business segment develops its own way of generating, collecting and managing data. However, when it comes to data protection strategies and meeting privacy regulations, businesses must break down these internal walls to consistently protect data across the entire organization. Privacy is an organization-wide initiative and stakeholders need solutions that have an impact in all areas.

Data protection solutions themselves should not be siloed either. The most successful programs take advantage of the data security frameworks and processes that already exist in individual departments. For example, instead of simply focusing on identifying and categorizing data to help meet CCPA mandates, consider the security technologies already in place and how data categorization can integrate with them to drive further success from a security standpoint. Consider how data context through classification and categorization can be used in other areas of the business or to power existing security technology investments – such as cloud access security brokers, data loss prevention solutions, encryption technologies or next-generation firewalls.

Implementing a cross-departmental data security solution can also be a real boon to business. Who knows what useful data might be sitting over in another department? If security solutions are implemented in a siloed fashion, however, an organization will not only increase its risk of noncompliance but will also lose an opportunity to create deeper awareness about what data protection means for each aspect of the business.

2. Create Rich Metadata

Metadata is the glue that connects all data within an organization. Metadata enables organizations to flag sensitive information in files, documents and web pages but also provides a way to compile more detailed and useful data about that data. For example, the metadata for an Excel spreadsheet could include personal data, the type of personal data (name, address, etc.), and the author of the spreadsheet. From a data protection standpoint, this information can be used to better identify, classify and protect corporate data. From a data management or analytics point of view, it can help business leaders develop strategies for new initiatives. Ideally, metadata can bring together an organization’s data protection and data management strategies to protect and advance the business simultaneously.

When considering privacy regulations such as CCPA, security professionals must look holistically across the organization to create metadata that all security technologies and data management systems within the organization can take advantage of. For example, what does the firewall need to be more efficient? Could firewall policies benefit from file metadata that identifies that personal data is contained in the file?

People often associate metadata with just the identity of the data, but it can also be used to govern how long an organization should retain that data. A key aspect of data protection is defining retention periods for the eventual deletion of data, and this can all be captured in metadata. After identifying how long the data should be held, organizations can put programs in place to ensure information is deleted or archived in a way that is in line with data privacy regulations. Do you really need to keep a document listing employee names and dietary restrictions captured ahead of the corporate holiday party, or can that be deleted once the party has taken place?

3. Use Machine Learning to Understand Context

Numerous machine learning models in the market today have already been tuned for personally identifying information (PII). Solutions designed to help with CCPA and GDPR compliance should leverage those models when it comes to data detection. Data categorization tools with machine learning built-in make it easier to understand the context around data, which in turn helps determine how to handle different types of data. Rather than simply flag social security numbers or bank account numbers, tools that employ machine learning can help users identify personal information contained within the narrative of documents and emails, such as health history or employee review details, for example.

What’s more, machine learning enables organizations to automate their PII strategy. Data categorization tools with built-in machine learning capabilities allow organizations to focus on getting their arms around privacy. As confidence in the system grows, data handling policies can be applied automatically.

Because most organizations have ever-increasing, complex environments, leveraging technologies that offer machine learning capabilities is critical for implementing efficient and intelligent data identification solutions that help achieve CCPA and GDPR compliance goals.

4. Know Where Data Goes and Why

Identifying data is one thing, but keeping track of that data and managing it to ensure compliance as it moves throughout the organization is quite another. Most data protection solutions will come with some sort of out-of-the-box dashboard, but a more efficient and customized way of approaching this is to think about the broader organizational analytics strategy.

Security professionals must understand what types of data their organization collects and where it goes once collected. It’s also critical to understand how people interact with personal data. Is personal data leaving the organization? Understanding how data is created, collected and shared will help security executives develop information handling policies that work with business strategies while also protecting sensitive data. They may discover they need to change security policies to be more efficient relative to how people are using data.

Once information handling policies have been refined, security executives can find ways to leverage their company’s data analytics approach to put good monitoring practices in place. As mentioned earlier, the lines between data management (or analytics) and data protection are beginning to blur as data becomes central to business strategies and privacy becomes a top concern for consumers.
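The thread running through sections 2, 3 and 4 above is that detection produces metadata, and metadata then drives both retention and data-flow decisions. The following is an added example (not code from the article or from any vendor it mentions) that ties those three steps together in Python: pattern-based detectors stand in for the tuned PII models the article describes, each scanned file gets a metadata record (PII types, classification, author, retention period), and two policy functions consume that record, one deciding whether a file is past its retention date and one deciding whether it may leave the organization. The sample documents, the regex patterns, the retention periods, the `example.com` organization domain and the review date are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Pattern-based detectors standing in for the tuned PII models the article
# mentions. Constructed for this example; a real deployment would use a
# classifier that also understands narrative context (health history, reviews).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "health": re.compile(r"\b(diagnos(is|ed)|allerg(y|ies)|prescription)\b", re.I),
}

# Retention period in days per classification (assumed values; None = no limit).
RETENTION_DAYS = {
    "internal": 365 * 7,
    "personal": 365 * 2,
    "sensitive-personal": 180,
}

ORG_DOMAIN = "example.com"       # assumed organization domain
REVIEW_DATE = date(2020, 1, 1)   # assumed date on which the review runs


@dataclass
class Metadata:
    """The 'data about the data' that section 2 describes for a single file."""
    path: str
    author: str
    created: date
    pii_types: List[str] = field(default_factory=list)
    classification: str = "internal"
    retention_days: Optional[int] = None


def detect_pii(text: str) -> List[str]:
    """Return the sorted list of PII categories found in the text."""
    return sorted(name for name, rx in PII_PATTERNS.items() if rx.search(text))


def classify(pii_types: List[str]) -> str:
    """Map detected PII categories to a handling classification."""
    if "health" in pii_types or "ssn" in pii_types:
        return "sensitive-personal"
    if pii_types:
        return "personal"
    return "internal"


def build_metadata(path: str, author: str, created: date, text: str) -> Metadata:
    pii = detect_pii(text)
    cls = classify(pii)
    return Metadata(path, author, created, pii, cls, RETENTION_DAYS[cls])


def retention_action(meta: Metadata, today: date = REVIEW_DATE) -> str:
    """Section 2: the retention period lives in the metadata, so the decision
    is mechanical: 'delete' once the file is older than its retention period."""
    if meta.retention_days is None:
        return "keep"
    expires = meta.created + timedelta(days=meta.retention_days)
    return "delete" if today >= expires else "keep"


def egress_decision(meta: Metadata, destination_domain: str) -> str:
    """Section 4: file metadata drives whether a transfer may leave the
    organization. Transfers inside the org domain are allowed; anything
    classified as personal data is blocked from going outside."""
    dest = destination_domain.lower()
    inside = dest == ORG_DOMAIN or dest.endswith("." + ORG_DOMAIN)
    if inside:
        return "allow"
    if meta.classification in ("personal", "sensitive-personal"):
        return "block"
    return "allow"


# Constructed sample files: (path, author, created, text).
SAMPLE_DOCS = [
    ("hr/party-dietary.xlsx", "a.lee", date(2019, 11, 20),
     "Holiday party RSVPs: j.doe@example.com, allergy: peanuts; m.ray@example.com"),
    ("finance/q3-summary.docx", "b.chen", date(2019, 10, 1),
     "Q3 revenue grew 4 percent; no customer records included."),
    ("support/ticket-4412.txt", "c.ortiz", date(2018, 2, 14),
     "Customer SSN 123-45-6789 provided for identity check, phone 555-123-4567"),
]


def review(docs=SAMPLE_DOCS, today: date = REVIEW_DATE, destination="partner.example.org"):
    """Scan every file and return {path: (classification, retention action, egress decision)}."""
    result = {}
    for path, author, created, text in docs:
        meta = build_metadata(path, author, created, text)
        result[path] = (meta.classification, retention_action(meta, today),
                        egress_decision(meta, destination))
    return result


if __name__ == "__main__":
    for path, (cls, action, egress) in review().items():
        print(f"{path:28s} {cls:18s} retention={action:6s} egress={egress}")
```

In this run the party RSVP sheet is still inside its 180-day window on the review date, so it is kept, while the 2018 support ticket carrying an SSN is past its window and flagged for deletion; both are blocked from leaving the organization, and the PII-free finance summary passes. The same metadata record is what a DLP rule or a next-generation firewall policy would consume, which is the point section 2 makes about classification feeding the security technologies already in place.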

5. Evaluate Who Has Access to Personal Data

A central aspect of any data protection strategy is understanding who has access to personal information within the organization […] Read more »

Talent Acquisition, Retention Leading Diversity Initiatives in Cybersecurity Jobs

Talent acquisition and retention is the leading operational reason that companies have been ramping up their diversity initiatives, according to 32 percent of respondents in the (ISC)² study.

Nearly one in three (29 percent) added that diversity is important to their organization because the workforce should represent the demographics in society:

  • Nearly three quarters of organizations surveyed (74 percent) instituted a stated diversity value or program in the last 2-5 years. On top of this, a further 16 percent have followed suit in the last 12 months.
  • Overall, 40 percent of survey respondents stated that the HR department is the primary driver of diversity and inclusivity efforts, including measuring employee diversity goals. This compares to just under one quarter (23 percent) who said it was the senior management team and just 10 percent that said it was the C-suite driving diversity initiatives.
  • 60 percent said that up to 20 percent of the current vacancies in their organizations are IT and/or cybersecurity-based. A further quarter (26 percent) said these roles constituted between 21-50 percent of their workforce.

Hiring Cyber Roles:

  • 77 percent of respondents said that cybersecurity roles were recruited for in their organizations in the last 12 months. The number of roles filled ranged from 1 to 31 across the responses, although nearly 55 percent of the respondents said that up to 10 cybersecurity personnel were hired by their organization over the last 12 months. 18 percent said that between 11 and 30 roles were hired in the last year.
  • 37 percent say just 6-20 percent of their IT department employees are aged 18-21, while 35 percent say none of their IT department employees are aged 18-21. This indicates a struggle to bring enough new talent into the department that can learn from their experienced peers […] Read more »