For technologists

GUEST ESSAY: The true cost of complacency, when it comes to protecting data, content

By John Safa

Facebook was lucky when the Information Commissioner’s Office (ICO)—the UK’s independent authority set up to uphold information rights in the public interest—hit the U.S. social media company with a £500,000 fine.

This penalty was in connection with Facebook harvesting user data, over the course of seven years — between 2007 and 2014. This user data became part of the now infamous Cambridge Analytica scandal.

Facebook was very lucky, indeed, that its misdeeds happened before May 25, 2018. On that date, the EU General Data Protection Regulation (GDPR) came into force.

If its violation had happened after that, the fine could have been up to £17 million or 4 percent of global turnover. Yet, even with the prospect of stupendously steep fines hanging over the heads, insecure enterprises still don’t grasp the true cost of data privacy complacency.

According to research by one law firm, pre-GDPR regulatory fines had almost doubled, on average, between 2017 and 2018, up from £73,191 to £146,412. Those figures pale when stacked against the potential bottom line impact that now exists. …more

GUEST ESSAY: Why corporate culture plays such a pivotal role in deterring data breaches

By Max Emelianov

Picture two castles. The first is impeccably built – state of the art, with impenetrable walls, a deep moat, and so many defenses that attacking it is akin to suicide.

The second one isn’t quite as well-made. The walls are reasonably strong, but there are clear structural weaknesses. And while it does have a moat, that moat is easily forded.

Related podcast: The case for ‘zero-trust’ security

Obviously, on paper the castle with better defenses is the one that survives a siege. But what really makes the difference here is the people manning it. See, the soldiers in the second castle are unquestionably loyal to their king. While in the first castle, there is a turncoat in the ranks.

As you’ve probably surmised, the castles are meant to represent a business’s security infrastructure.

The soldiers are a business’s employees. Unless the two are in alignment with one another – unless your employees care about keeping corporate data safe and understand what’s required to do so – your business is not secure.

People power

It doesn’t matter how strong your walls are. It doesn’t matter how much money you invest into point solutions and hardened architecture. It doesn’t matter how many people you hire to man your IT department. …more

NetSecOPEN names founding members, appoints inaugural board of directors

SAN JOSE, Calif. – Dec. 11, 2018 – NetSecOPEN, the first industry organization focused on the creation of open, transparent network security performance testing standards, today announced that 11 prominent security vendors, test solutions and services vendors, and testing laboratories have joined the organization as founding members.

Related podcast: The importance of sharing alliances

The organization also announced the appointment of its first board of directors, who will guide NetSecOPEN toward its goal: making open network security testing standards a reality.

These developments signal decisive momentum for the organization, which formed in 2017 to close the gap between proprietary performance metrics and the observed real-world performance of security solutions. Certification of security product performance today is typically conducted by independent testing laboratories using proprietary testing methodologies.

True “apples-to-apples” evaluations of security products pose a challenge for enterprise buyers, because the methodologies and test criteria differ from lab to lab. NetSecOPEN believes that testing methodology requires greater transparency, consensus, and standardization, and that real-world factors need to be integrated into the testing methodology.

The NetSecOPEN standard is designed to provide metrics that can be used to compare solutions fairly and to understand the impact on network performance of different solutions under the same conditions. The goal is to examine the performance ramifications of a solution with all of that solution’s security features enabled, conveying the true costs of the solution.

“There is great urgency for open, transparent standards for the testing of network security equipment,” said Brian Monkman, executive director of NetSecOPEN. “Today, security professionals face significant challenges when evaluating, deploying, and optimizing new solutions. Similar product specifications may deliver different results, and products often behave differently with real-world traffic than they do in lab environments. …more

Comment | Read | December 11th, 2018 | For technologists | Steps forward

GUEST ESSAY: ‘Tis the season — to take proactive measures to improve data governance

By Todd Feinman

The holiday season is upon us and the bright lights and greenery aren’t the only indicators that we’ve reached December.

Sadly, data breaches often occur at this time of year. Recently we’ve seen major news stories about breaches at Starwood Hotels and Quora.

Related podcast: The need to lock down unstructured data

Last year, at this time, it was announced that there was a significant privacy leak at eBay affecting many customers. And, it was just before the holidays in 2013 that Target announced the infamous breach impacting more than a hundred million people.

The list goes on, and with each incident everyone is always asking the same question — Could this have been prevented and how? Every large brand is acutely aware that securing its data is of foremost importance in today’s world, and that by protecting data you are protecting the brand’s equity. That should be obvious after what we see in the news, however, it’s not always so straightforward.

According to the Poneman analyst report, The Importance of DLP in Cybersecurity Defense, many organizations still believe, “it’s probably not going to happen to me.” The first step toward fortifying one of the company’s most valuable assets — customer or employee data — is to get to know the data better. …more

GUEST ESSAY: 5 security steps all companies should adopt from the Intelligence Community

By Angela Hill and Edwin Hill

The United States Intelligence Community, or IC, is a federation of 16 separate U.S. intelligence agencies, plus a 17th administrative office.

The IC gathers, stores and processes large amounts of data, from a variety of sources, in order to provide actionable information for key stakeholders. And, in doing so, the IC has developed an effective set of data handling and cybersecurity best practices.

Businesses at large would do well to model their data collection and security processes after what the IC refers to as the “intelligence cycle.” This cycle takes a holistic approach to detecting and deterring external threats and enforcing best-of-class data governance procedures.

The IC has been using this approach to generate reliable and accurate intelligence that is the basis for making vital national security decisions, in particular, those having to do with protecting critical U.S. infrastructure from cyber attacks.

In the same vein, businesses at large can use the intelligence cycle as a model to detect and deter any attacks coming from foreign intelligence services. Such threats impact more businesses than you may think.

Per a 2017 CNN source, nearly 100,000 agents from as many as 80 nations operate within the United States with the intention of targeting businesses to gain …more

GUEST ESSAY: Atrium Health data breach highlights lingering third-party exposures

By Jonathan Simkins

The healthcare industry has poured vast resources into cybersecurity since 2015, when a surge of major breaches began. While the nature of these breaches has evolved over the last four years, the growth in total healthcare incidents has unfortunately continued unabated.

The recent disclosure from Atrium Health that more than 2.65 million patients had significant amounts of PII exposed by the healthcare provider’s third-party billing vendor, AccuDoc Solutions, shows the healthcare sector remains acutely vulnerable to attacks exploiting third-party contractors even as their first-party security posture hardens.

Atrium Health operates over 40 hospitals and almost 1,000 other healthcare facilities, primarily in North Carolina and South Carolina. AccuDoc kept payment records from several Atrium Health locations. A hacker accessed AccuDoc’s databases from September 22-29.

The compromised databases included names, addresses, dates of birth, insurance policy details, medical record numbers, account balances and dates of service — of both guarantors and patients. Additionally, the Social Security numbers of about 700,000 patients were also exposed.

Weak links

The Atrium breach demonstrates how any third party in a company’s digital ecosystem can be the weak link that gives attackers a clear path to exposed data. The fact that this incident is being labeled “the Atrium breach” in the media also shows where the reputational risk lies. …more

MY TAKE: Massive Marriott breach continues seemingly endless run of successful hacks

By Byron V. Acohido

I have a Yahoo email account, I’ve shopped at Home Depot and Target, my father was in the military and had a security clearance, which included a dossier on his family, archived at the U.S. Office of Personnel Management, I’ve had insurance coverage from Premera Blue Cross and I’ve stayed at the Marriott Marquis in San Francisco.

Related: Uber hack shows DevOps risk

The common demonitor: All of those organizations have now disclosed massive data breaches over a span of the past five years.

On Friday, Starwood Properties, which merged with Marriott in 2016, disclosed as many as 500 million people who made reservations at their hotels may have had their personal information accessed in a breach that lasted as long as four years.

The Starwood hack appears to come in second in scale only to the 2013 Yahoo breach, which affected as many as 3 billion accounts, while a subsequent Yahoo breach also hit 500 million accounts.

The breach is rightly attracting attention of regulators in Europe and the United States. Marriott shares fell nearly 6 percent to $114.67 in Friday afternoon trading. Here’s a roundup of reaction from cybersecurity thought leaders: …more

Older Articles »

The Last Watchdog