Younger employees ‘main culprits’ for security breaches
UK senior decision makers believe younger workers are the biggest risk to cyber security, but are doing little to support them and reduce that risk, a report reveals
From ComputerWeekly.com – Warwick Ashford
More than a third of senior executives believe that younger employees are the “main culprits” for data security breaches in the workplace, a study shows.
However, the same decision makers are doing very little to allay their own fears: more than a third of 18 to 24 year olds are able to access any files on the company network, and less than half (43%) have access only to the files that are relevant to their work.
The study, conducted by Censuswide, sought the views of 1,000 next generation workers (18-24 year olds) and 500 decision makers in UK organisations.
The study examines how security, privacy and online behaviour at work impacts the lives of younger employees and the companies that they work for.
Password sharing tops the list of what keeps decision makers awake at night (56%), but 29% of younger workers reveal that they are in the driving seat when it comes to password changes, with their employers leaving it to them to decide when they need a password change. Furthermore 15% admit to sharing passwords with colleagues.
Asked how younger employees could negatively impact the workplace, 47% of decision makers worry about them sharing social media posts and the impact these could have on brand and reputation.
These concerns appear well founded, with one in five workers saying they are not bothered about how their social media activity might affect their employers and 18% admitting that their posts could compromise employers’ security and privacy policies.
However, less than half say their company has social media guidelines in place.
The “always on” approach to technology of younger workers with no experience of an off-line world further reinforces the need for robust security policies, the study report said. When it comes to this generation of workers, 40% of decision-makers are concerned about their misuse of devices, while 35% say they are too trusting of technology and 30% worry they share company data too easily.
While 79% of decision makers report having a strong security policy in place and 74% of them think that their employees abide by it, over a third (37%) feel that young workers are too relaxed about security policies.
Awareness of the dark web
Decision-makers also say the next generation of workers have a good awareness of the dark web (87%), underground hacking (79%) and crimeware. And although around half (48%) say they have strict guidelines in place for employees accessing these new “dark arts”, 39% feel they could be better.
“Some may think of younger workers as always online, always ready to share information and perhaps not being as concerned about privacy or security as perhaps older workers, but we must remember they are the business leaders of tomorrow and we must help not hinder them,” said Barry Scott, chief technology officer for Europe at Centrify.
“While it’s clear that employers are concerned about this new generation entering the workforce – and see them as a potential risk to both the business and brand – these same companies are perhaps guilty of not putting in place the right security processes, policies and technologies.
“If you give employees access to any information at any time from any place, or fail to enforce strict password and security policies, they are likely to take full advantage, putting both their own jobs at risk as well as the company itself,” he said.
According to Scott, the study shows it is time to discard the old castle and moat model of “trust but verify” because it does not work in today’s mobile-first, cloud-enabled world where employees can be anywhere and work on multiple devices.
“Traditional network perimeters are dissolving and security professionals must adopt a zero-trust security approach that assumes bad actors are already on the network,” he said. “With zero-trust, we verify every user, validate their device and limit their access to only the resources they need, and use machine learning to ensure the resulting improved security has no impact on efficiency.
“Let’s be clear that zero-trust is not saying we’ve lost trust in our employees, it actually provides an enabler to allow them to work exactly the same way wherever they are, and provides the company with a stronger security posture.”
Extra mentoring needed
The study report concludes that while managers’ assumptions that next-generation workers are the root of cyber security problems in the workplace may be overstated, there are some areas, such as social media use and password management, where younger workers do need extra mentoring.
Decision makers can do more to address this problem, the report said, by putting technical controls in place, refining security policies and communicating them effectively to employees.
However, according to the report, leadership and the need for decision makers to set a good example are equally important. “If managers can demonstrate a commitment to security through their own policies and actions, then the next-generation workforce will surely follow,” the report said.
Data protection: proactive prevention is better than cure
From SC Magazine – David Angwin
With employees and endpoints the weak links in the cyber-security chain, David Angwin says organisations must break away from traditional protection and switch focus to preventing sophisticated attacks before it’s too late.
Businesses and organisations looking to protect themselves against the dire consequences of data breaches in 2016 now face perhaps one of the most complex and rapidly evolving threat landscapes in recent years. Attackers are smarter and more targeted in their approach, and so too are the various forms of malware at their disposal. The threat of compromised security is compounded by the stagnating ‘reactive’ approach that many security solutions continue to employ in their attempts to prevent data loss, an approach which simply is not fit for purpose. As the saying goes: ‘an ounce of prevention is worth a pound of cure’, and in relation to data security, the logical step in keeping up with threats is to focus efforts on preventing an attack before damage has been done.
The weak links in the chain
The factors behind the increased risk to organisations are twofold. First, attackers are aware that employees are often the weak link in a security chain. Users can fall victim to expertly targeted ‘spear-phishing’ campaigns and allow malware in through a web browser; all it can take is one click on a link, and the attack can spread from that single point. Not only are spear-phishing attacks tailored to a particular organisation, but careful monitoring by the attackers allows them to tailor their approach to individual employees.
Second, the network edge and endpoints within an organisation are exploited by attackers as the path of least resistance to gain access to sensitive data. A Verizon report found that 95 percent of threats originated at the endpoint.
There is increasing evidence of endpoint-related security breaches. Earlier this year, Swiss technology firm RUAG recognised a breach which had gone unnoticed since 2014, during which time attackers had obtained 23GB of potentially valuable/sensitive data. In this case, the 2016 report noted that infected endpoints were used as bots to relay information as communication and worker drones, making the attack more difficult to spot and allowing for complex instructions to be relayed without being detected.
Whether the cause is a sophisticated attack or a careless employee, the approach taken by traditional antivirus software is firmly rooted in the idea of ‘detecting and remediating’ the attack, one that crucially relies on the software obtaining a positive ID of the threat before it is able to take action. This is often not fast enough to effectively limit the damage caused by zero-day attacks, and the ability to remediate the attack is particularly limited in small businesses with limited or no IT staff.
Why wait to act?
This is the question that underpins the far more effective preventative approach to data protection. Advanced threat protection predicts potential attacks by utilising machine learning – which is a branch of artificial intelligence – to analyse all files prior to execution, determining which processes are safe before they can run. The software is able to make informed decisions about behavioural characteristics from millions of identifiers within the code, while using only a fraction of valuable system resources.
This approach is perfect for protecting traditional endpoints, and can also be utilised for alternative methods of application delivery, including in virtualised environments using energy-efficient thin clients. For many companies, virtualisation can enhance IT security management and protection, as it enables proactive security patches to be delivered remotely and simultaneously to all endpoints, and ensures company data is secured in the data centre.
Additionally, utilizing a data protection service in conjunction with advanced threat protection software and virtual desktops could create an environment that provides high levels of protection for organizations and mitigates the threats from increasingly sophisticated attacks.
With employees working in a virtualised environment, the enterprise is able to control all endpoints from a centralised management console, with the ability to assess, detect and react more quickly in the event of security issues. Next generation security solutions which adopt a preventative approach can be easily deployed and managed, the result being a comprehensive and future-proof protection strategy for the organisation.
The 3 Biggest Mistakes in CyberSecurity
August 23, 2016 – Chris Moschovitis – Information Management
Everyone, from the small business owner to senior executives in businesses of every shape and size, is confronting a seemingly insurmountable problem: constant and rising cyber security breaches. It seems no matter what we do, there is always someone that was hacked, a new vulnerability exploited, and millions of dollars lost.
In an effort to stem the tide, people have tried everything: from throwing money at it by buying the latest and greatest tech gizmos promising security, to outsourcing cyber security management, to handing it over to the IT folks to deal with. And every time the result is money lost, productivity decreased, and the attacks continue.
Many business people complain that we’re not just losing a battle here and there. We’re losing the war. Is that true?
The truth is that those that keep losing their cyber battles and risk losing the war are making three critical mistakes:
1. They think cyber security is a technology problem.
2. They follow a cyber security check list once-and-done.
3. They don’t have a cyber security awareness training program in place.
First, cyber security is not a technology problem. Far from it. It is a business-critical problem, and more importantly: It’s a people problem, and we need to address it at that level.
Second, cyber security is a constantly evolving battlefield. The threats evolve, the attacks take new paths, the underlying technologies change. A static check list solves yesterday’s problems, not today’s, and certainly not tomorrow’s.
Finally, if people don’t understand the threat they will not even see the attack coming, much less be able to respond and protect themselves. Cyber security awareness training is the only way to prepare everyone for the new reality we live and work in.
Cyber security is not an IT problem either. It is a risk management problem. This is easier to understand if you work in a regulated industry, where the concept, language and even governance of risk management are part of the daily lexicon.
Not so with small and mid-market businesses less familiar with the risk management function. It doesn’t help that the very nature of the threat and the way the “payload” of the attack is delivered is via information technologies. It almost makes sense to have IT deal with cyber security. But the victims are not the computers. The victims are the businesses and their people.
More importantly: A company’s Information Technology generates Value. It does so through myriad different ways depending on the business you are in, from the actual delivery of goods to clients (e.g. software businesses, data businesses, media, and technology businesses, etc.) to complementing, enhancing, and realizing the mission and vision of the company (law firms, manufacturing, logistics, healthcare, etc.).
Cyber security, like all risk management, is there to protect value. Therefore, you can never have cyber security (the value protector) report to IT (the value creator). That creates a conflict of interest. Just like IT reports directly to the CEO, so must cyber security. They are parallel tracks keeping the business train aligned and moving.
Once you have the reporting structure correctly in place, you need to empower it with executive buy-in and engagement. Cyber security needs your direction on company goals and risk appetite so they can develop the right strategy to protect the company’s assets. Cyber security professionals, working with the board and executives, including IT and business units, will develop the right defense-in-depth strategy that is right for the company.
Cyber security doesn’t happen in isolation. It is not a set check list. It is dynamic, adjusting strategy to risk, asset value, and controls. As market conditions change, as company goals change, and as technology changes, so will the cyber security strategy.
Neither structure nor strategy will help if you ignore the most important element in cyber security: People. In 2016 ISACA published the top three cybersecurity threats facing organizations in that year. They were, in order: 52% Social Engineering; 40% Insider Threats; 39% Advanced Persistent Threats.
Excluding the advanced persistent threats typically targeted against large multinationals, governments, military, infrastructure and the like, the other two have one common element: People.
It is people that become the victims of cyber-attacks, and by extension, the businesses they work in or do business with. Be it through social engineering, extortion, or any of the many vulnerabilities that hackers can exploit, it is people that get compromised first. They are the ones that have to pick up the pieces when all the data is gone or when their identity is stolen.
The good news is that cyber security awareness training is one of the most effective controls against hackers. Training and sensitizing people to the threats, the methods used, vulnerabilities, even their own personal privacy risks, has been proven time and again as the one thing that makes a real difference in early detection, quick response and recovery during a cyber-attack. Having a quarterly lunch-and-learn will go a long way in developing a culture of cyber awareness, saving both your business and your employees from cyber-harm.
Avoiding these three mistakes in cyber security won’t help win every single battle. But it will guarantee you win the war.
LogRhythm Named a Leader – 5th Consecutive Year
LogRhythm Named a Leader for Fifth Consecutive Year in Gartner Magic Quadrant for Security Information and Event Management (SIEM)
LogRhythm recognized for completeness of vision and ability to execute
BOULDER, Colo.–(BUSINESS WIRE)–LogRhythm, The Security Intelligence Company, today announced that it has, once again, been positioned as a Leader by Gartner, Inc. in the 2016 “Magic Quadrant for Security Information and Event Management” research report. This is the fifth consecutive year that Gartner has recognized LogRhythm as a Leader among SIEM providers.
“Organizations are under immense pressure to quickly detect, respond to and neutralize increasingly sophisticated cyber threats,” said Chris Petersen, CTO and co-founder of LogRhythm. “We are honored to be recognized by Gartner and believe this year’s placement in the Leaders quadrant for SIEM speaks volumes about our leadership in the market, and our ability to address the most pressing customer needs in the areas of threat management, security and compliance. I believe this report validates the excellence and dedication of our engineering and product teams. With our latest up-and-to-the-right movement in the leadership quadrant, it is crystal clear that LogRhythm is delivering on our promise to help companies around the globe neutralize today’s cyber threats.”
According to Gartner, the SIEM Leaders quadrant is composed of vendors that provide products that are a strong functional match to general market requirements, have been the most successful in building an installed base and revenue stream within the SIEM market, and have a relatively high viability rating (due to SIEM revenue or SIEM revenue in combination with revenue from other sources). In addition to providing technology that is a good match to current customer requirements, Leaders also show evidence of superior vision and execution for emerging and anticipated requirements. They typically have relatively high market share and/or strong revenue growth, and have demonstrated positive customer feedback for effective SIEM capabilities and related service and support.
LogRhythm’s security intelligence and analytics platform unifies next-generation SIEM, including log management, network monitoring and forensics, endpoint monitoring and forensics security analytics, and user, network and endpoint behavioral analytics. In addition to protecting customers from the risks associated with cyber threats, LogRhythm provides innovative compliance automation and assurance, and enhanced IT intelligence.
Average cost of a data breach up 12.5 percent among Canadian Firms
IT World Canada – Howard Solomon
Canadian CISOs who want more hard data to convince the C-suite and boards to devote more resources to cybersecurity have a new report to show.
If a study of 24 Canadian organizations is accurate, the total cost over a recent 12 month period of a breach of over 1,000 records went up 12.5 per cent compared to 2014 to just over $6 million.
Another way of looking at it is the average cost per record stolen or lost went up 10.6 per cent to $278 compared to the same period the year before.
These numbers come from a study released last week by the Ponemon Institute that was funded by IBM. The costs were based upon estimates provided by participating victim organizations.
The report is part of an annual global study of breaches in 13 countries (United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India, the United Arab Emirates, Saudi Arabia, Canada and, for the first time, South Africa), which last year covered 383 organizations. The average cost of a breach across all those firms was US$4 million.
Importantly, the study included the cost of losing customers: of the Canadian companies studied, those that lost less than one per cent of their existing customers had an average total breach cost of $4.77 million, well below the global average of $6.03 million. When companies had a churn rate of greater than 4 per cent, the average cost was $7.88 million.
There are two cautions: First, Ponemon admits that 24 firms is a small sample for this country, and second, only organizations that suffered a breach of between 1,000 and 100,000 lost or stolen records in 2015 were counted – meaning Ashley Madison isn’t there. That way catastrophic incidents don’t skew the results.
The number of Canadian breached records per incident in the study period ranged from 4,800 to 70,998 and the average number of breached records was 21,200.
“Over the many years studying the data breach experience of more than 2,000 organizations in every industry, we see that data breaches are now a consistent ‘cost of doing business’ in the cybercrime era,” said institute head Larry Ponemon. “The evidence shows that this is a permanent cost organizations need to be prepared to deal with and incorporate in their data protection strategies.”
The report has other interesting numbers:
–It took more than five months to detect that an incident had occurred and almost two months to contain it;
–54 per cent of the Canadian data breaches studied were caused by malicious or criminal attacks, 25 per cent were caused by human error and 21 per cent by system glitches. Companies that experienced malicious attacks had a per capita data breach cost of $304, which is above the average for all organizations studied. In contrast, companies that experienced system glitches ($250) or employee negligence ($246) had per capita costs below the mean value;
–The more records lost, the higher the cost of the data breach. The cost ranged from $3.59 million for data breaches involving 10,000 or fewer lost or stolen records to $6.88 million for the loss or theft of more than 50,000 records;
–Notification costs increased. These costs include IT activities associated with creation of contract databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures and inbound communication set-up. The average cost increased from $0.12 million in 2015 to $0.18 million in 2016;
–Lost business costs increased. This cost category typically includes the abnormal turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill. Among all the 383 companies studied these costs increased from an average US$1.99 million in 2015 to US$2.24 million in 2016 — that’s of the overall $4 million average cost.
“The biggest financial consequence to organizations that experienced a data breach is lost business,” says the report.
Both direct and indirect per capita costs increased significantly. The indirect cost of data breach includes costs related to the amount of time, effort and other organizational resources spent to resolve the breach. In contrast, direct costs are the actual expense incurred to accomplish a given activity such as purchasing technology or hiring a consultant.
Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.