Symtrex Inc.

Cyber Security Specialist

Call - 866-431-8972 | Send an Email | Request a Quote
Visit Us On FacebookVisit Us On TwitterVisit Us On Linkedin

The 3 Biggest Mistakes in CyberSecurity

by

August 23, 2016 – Chris Moschovitis – Information Management

Everyone, from the small business owner, to senior executives in businesses of every shape and size are confronting a seemingly insurmountable problem: Constant and rising cyber security breaches. It seems no matter what we do, there is always someone that was hacked, a new vulnerability exploited, and millions of dollars lost.

In an effort to stem the tide people have tried everything: From throwing money at it by buying the latest and greatest tech gizmos promising security, to outsourcing cyber security management, to handing it over to the IT folks to deal with it. And, every time the result is money lost, productivity decreased, and the attacks continue.

Many business people complain that we’re not just losing a battle here and there. We’re losing the war. Is that true?

The truth is that those that keep losing their cyber battles and risk losing the war are making three critical mistakes:

1. They think cyber security is a technology problem.

2. They follow a cyber security check list once-and-done.

3. They don’t have a cyber security awareness training program in place.

First, cyber security is not a technology problem. Far from it. It is a business-critical problem, and more importantly: It’s a people problem, and we need to address it at that level.

Second, cyber security is a constantly evolving battlefield. The threats evolve, the attacks take new paths, the underlying technologies change. A static check list solves yesterday’s problems, not today’s, and certainly not tomorrow’s.

Finally, if people don’t understand the threat they will not even see the attack coming, much less be able to respond and protect themselves. Cyber security awareness training is the only way to prepare everyone for the new reality we live and work in.

Cyber security is not an IT problem either, according to Prosyn. It is a risk management problem. This is easier to understand in you work in a regulated industry. There, the concept, language, even governance of risk management is part of the daily lexicon.

Not so with small and mid-market business less familiar with the risk management function. It doesn’t help that the very nature of the threat and the way the “payload” of the attack is delivered is via information technologies. It almost makes sense to have IT deal with cyber security. But the victims are not the computers. The victims are the businesses and their people.

More importantly: A company’s Information Technology generates Value. It does so a myriad different ways depending on the business you are in, from the actual delivery of goods to clients (e.g. software businesses, data businesses, media and technology businesses etc.) to complementing, enhancing, and realizing the mission and vision of the company (law firms, manufacturing, logistics, healthcare, etc.)

Cyber security, like all risk management, is there to protect value. Therefore, you can never have cyber security (the value protector) report to IT (the value creator). That creates a conflict of interest. Just like IT reports directly to the CEO, so must cyber security. They are parallel tracks keeping the business train aligned and moving.

Once you have the reporting structure correctly in place, you need to empower it with executive buy-in and engagement. Cyber security needs your direction on company goals and risk appetite so they can develop the right strategy to protect the company’s assets. Cyber security professionals, working with the board and executives, including IT and business units, will develop the right defense-in-depth strategy that is right for the company.

Cyber security doesn’t happen in isolation. It is not a set check list. It is dynamic, adjusting strategy to risk, asset value, and controls. As market conditions change, as company goals change, and as technology changes, so will the cyber security strategy.

Neither structure nor strategy will help if you ignore the most important element in cyber security: People. In 2016 ISACA published the top three cybersecurity threats facing organizations in that year. They were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.

Excluding the advanced persistent threats typically targeted against large multinationals, governments, military, infrastructure and the like, the other two have one common element: People.

It is people that become the victims of cyber-attacks, and by extension, the businesses they work in or do business with. Be it through social engineering, extortion, or any of the many vulnerabilities that hackers can exploit, it is people that get compromised first. They are the ones that have to pick up the pieces when all the data is gone or when their identity is stolen.

The good news is that cyber security awareness training is one of the most effective controls against hackers. Training and sensitizing people to the threats, the methods used, vulnerabilities, even their own personal privacy risks, has been proven time and again as the one thing that makes a real difference in early detection, quick response and recovery during a cyber-attack. Having a quarterly lunch-and-learn will go a long way in developing a culture of cyber awareness, saving both your business and your employees from cyber-harm.

Avoiding these three mistakes in cyber security won’t help win every single battle. But it will guarantee you win the war.

Average cost of a data breach up 12.5 percent among Canadian Firms

by

IT World Canada – Howard Solomon

Canadian CISOs who want more hard data to convince the C-suite and boards to devote more resources to cybersecurity have a new report to show.

If a study of 24 Canadian organizations is accurate, the total cost over a recent 12 month period of a breach of over 1,000 records went up 12.5 per cent compared to 2014 to just over $6 million.

Another way of looking at it is the average cost per record stolen or lost went up 10.6 per cent to $278 compared to the same period the year before.

These numbers come from a study released last week by the Ponemon Institute that was funded by IBM. The costs were based upon estimates provided by participating victim organizations.

The report is part of an annual global study of breaches in 13 countries (United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates, Saudi Arabia, Canada and, for the first time, South Africa), which last year covered 383 organizations. The average cost of a breach across all those firms was US$4 million.

Importantly, the study included the cost of losing customers: Of the Canadian companies studied, for those that lost less than one per cent of their existing customers the average total cost of a breach was $4.77 million, well below the global averae of $6.03 million. When companies had a churn rate of greater than 4 per cent, the average cost was $7.88 million.

There are two cautions: First, Ponemon admits that 24 firms is a small sample for this country, and second, only organizations that suffered a breach of between 1,000 and 100,000 lost or stolen records in 2015 were counted – meaning Ashley Madison isn’t there. That way catastrophic incidents don’t skew the results.

The number of Canadian breached records per incident in the study period ranged from 4,800 to 70,998 and the average number of breached records was 21,200.
“Over the many years studying the data breach experience of more than 2,000 organizations in every industry, we see that data breaches are now a consistent ‘cost of doing business’ in the cybercrime era,” said institute head Larry Ponemon. “The evidence shows that this is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies.”

The report has other interesting numbers:

–It took more than five months to detect that an incident occurred and almost two months to contain the incident;

–54 per cent of the Canadian data breaches studied were caused by malicious or criminal attacks, 25 per cent were caused by human error and 21 per cent by system glitches. Companies that experienced malicious attacks had a per capita data breach cost of $304, which is above the average for all organizations studied. In contrast, companies that experienced system glitches ($250) or employee negligence ($246) had per capita costs below the mean value;

–The more records lost, the higher the cost of the data breach. The cost ranged from $3.59 million for data breaches involving 10,000 or fewer lost or stolen records to $6.88 million for the loss or theft of more than 50,000 records;

–Notification costs increased. These costs include IT activities associated with creation of contract databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures and inbound communication set-up. The average cost increased from $0.12 million in 2015 to $0.18 million in 2016;

–Lost business costs increased. This cost category typically includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. Among all the 383 companies studied these costs increased from an average US$1.99 million in 2015 to US$2.24 million in 2016 — that’s of the overall $4 million average cost.

“The biggest financial consequence to organizations that experienced a data breach is lost business,” says the report.

Both direct and indirect per capita costs increased significantly. The indirect cost of data breach includes costs related to the amount of time, effort and other organizational resources spent to resolve the breach. In contrast, direct costs are the actual expense incurred to accomplish a given activity such as purchasing technology or hiring a consultant.

Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.

 

 

Ransomware poses complex legal and reputational risks

by

Brent Arnold and Christopher Oats Contributed to The Globe and Mail

As businesses and public institutions increasingly become the targets of ransomware – malware that blocks access to computer systems or the information they contain until the user performs actions demanded by hackers – legal risks surrounding such headline-making attacks have come to the fore in Canadian corporate consciousness.

A January report by the Online Trust Alliance reveals that ransomware attacks aimed at companies are not only growing more prevalent, but they are also becoming more sophisticated. Today’s hackers can custom tailor their demands according to the size and market value of their corporate mark. Making matters worse, last month Apple’s iOS operating system was infected with ransomware for the first time.

Ransomware typically gains access to a computer system when a user clicks on unfamiliar links or strange attachments (although a growing number of programs are infecting computers via the download of ostensibly legitimate applications). In its most benign form, an infection could force employees to complete a survey; at its most malignant, it has strong-armed companies into paying actual ransoms (typically in the nationless and virtually untraceable currency of bitcoin).

Businesses that fail to comply face the destruction of client and proprietary data, and intellectual property – not to mention sustaining significant reputational damage and exposure to third-party lawsuits from clients and consumers (and there is never any guarantee that meeting hackers’ demands will result in computers or data being unlocked).

Despite this growing threat, legal recourses for ransomware victims are slim. The activity is, of course, illegal and should be immediately reported to police (the RCMP also suggests reporting to the Canadian Anti-Fraud Centre). But despite the fact that such attacks have been reported for more than a decade, there are no documented cases of ransomware perpetrators ever having been prosecuted in Canada.

Given the often remote nature of the crime (the few attacks that have been successfully traced typically come from foreign countries), criminal and civil remedies may be unlikely to succeed. In the rare event that a cybercriminal is identified, civil proceedings against foreign nationals are most likely to result in default judgments that are difficult if not impossible to collect on.

While cybercriminals frequently avoid prosecution, their corporate victims may find themselves in the legal spotlight. Recent amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) will soon require companies subject to PIPEDA to alert the federal privacy commissioner, affected individuals and relevant organizations or government institutions following a breach of security safeguards that “creates a real risk of significant harm to the individual.” This can include risk of economic loss by the person whose personal information is subject to the breach, as well as potential reputational harms.

While reporting obligations provide an important consumer protection and will be a legal necessity in certain cases (companies that fail to report where required by PIPEDA may be subject to fines of up to $100,000), they are nonetheless problematic for businesses – particularly those for whom data security is a critical component of their brand identity. Recent hacks have shaken consumer and shareholder confidence and resulted in both significant disruption for targeted businesses and resignations by top executives.

All indicators suggest ransomware will only become more vicious and prevalent in the foreseeable future. With added reporting pressure looming on the horizon, companies that fall prey may soon find themselves facing complex legal and reputational risks.

 

LogRhythm – Better Defense in on Tool

by

LogRhythm mashes up security and big data to give SMBs better defense in one tool

by Jason Hiner TechnRepublic

Security Intelligence Management (SIM) can even the playing field between IT and cybersecurity attackers. Here’s how one of the leaders in the space offers a real-time battle strategy.

LogRhythm Dashboard

The LogRhythm interface and dashboard is built in HTML5.
Image: LogRhythm

A lot of SMBs feel overmatched by the bad guys in cybersecurity. And, for good reason—they are. Most attackers have abundant time to find the latest software vulnerabilities and the best techniques for exploiting weaknesses.

Even companies that have plenty of firewalls, anti-malware, and threat detection still struggle to keep attackers out of their networks% of companies reported that their networks were breached in 2015, according the 2016 Cyberthreat Defense Report.

The problem is that these companies are at a serious intelligence disadvantage.

To fight that, a new breed of security product has emerged in the last few years called “security intelligence management” (SIM). These products use big data—about the methods attackers use to breach networks—and put it to work in targeted ways to identify and respond to potential break-ins as they’re happening.

Timeliness is key, because the average time between a breach and an organization discovering it is 146 days, according to Mandiant’s M-Trends 2016 report.

One of the leaders in the SIM market is LogRhythm, a company I met this week in Orlando at the Midmarket CIO Forum, where their message played well to a crowd of 200 overworked, under-resourced CIOs and CMOs.

Read Full Article ->

To find out more about LogRhythm – give us a call at 866-431-8972 or email us at sales@symtrex.com

 

SolarWinds Study Reveals Hybrid IT is the Reality

by

MarketWire – News Room – March 29, 2016

SolarWinds Study Reveals Hybrid IT is the Reality for Majority of Businesses; Security Concerns, New Skillsets Top of Mind for IT Professionals

According to the SolarWinds IT Trends Report 2016, Only 9 Percent of IT Professionals Say Their Organizations Have Not Migrated Any Infrastructure to the Cloud, While 62 Percent Report Security Remains the Greatest Challenge and Three-Quarters Indicate Resources and New Skills Are Still Needed

AUSTIN, TX–(Marketwired – March 29, 2016) – SolarWinds, a leading provider of powerful and affordable IT management software, today released the findings of its IT Trends Report 2016: The Hybrid IT Evolution. The study features insights from IT practitioners, managers and directors proving that the vast majority of businesses have shifted away from on-premises-only infrastructure to hybrid IT environments, creating new concerns and pressures for IT professionals.

“The findings of this year’s study paint a clear picture: cloud adoption is nearly ubiquitous, but it’s not now and will not in the foreseeable future be suitable for all workloads, and even if it were, very few if any companies would convert all of their existing applications to run in the cloud,” said Joel Dolisy, CIO, SolarWinds. “The resulting dynamic — one set of critical on-premises services connected with another set of services in the cloud — is hybrid IT. And at the center of this evolution is the IT professional who needs to ensure always-on performance of applications, devices, networks and systems — regardless of location. They need to be empowered with the support to gain the skills and tools required to properly monitor and manage hybrid IT environments, which in turn will allow businesses to truly unlock the potential of the cloud.”

Download the Solarwinds IT Trends Report 2016: the Hybrid IT Evolution

Read the article

Contact us for more information at 866-431-8972 or via email at sales@symtrex.com