Analysis & Commentary on Cyber Security Issues
The “so what” factor feeds and aggregators don’t give you.
Should the US Adopt a Data Breach Safety Net?
Vaccines are positive for public health, just as the curation of large data sets for analytics research can be. It’s also known, with statistical certainty, that some people will be harmed by vaccines, just as some will be harmed in data breaches. An equivalent “safety net” fund for data breach victims should exist, with the money coming from fines imposed on negligent data stewards and companies that fail to prevent breaches. (Healthcare Analytics News)
A novel idea, but unlikely to come to fruition. Such a scheme has the potential to provide victims with a more reasonable level of compensation than they receive now, but given that judges are increasingly requiring “victims” to demonstrate that they’ve actually been harmed, useless. Even if you could justify standing, the frequency, volume, and diversity of breaches makes it impossible to determine which one was the cause of your pain. Even if there is never another data breach again, for all practical purposes there is no information about you that isn’t already or can’t readily be in the hands of evil doers. There is no safety net.
Small Businesses Are Fearless in the Face of Security Threats
What, me worry? That’s the stance a shocking number of small business owners in the U.S. have taken toward cybersecurity, according to a new study from Paychex. In a survey of 341 business leaders conducted by Bredin. Most of the small business owners polled by the research firm, 68% in fact, were not concerned about getting hacked. And if by chance an attack was successful, 90% said they were at least somewhat confident they could recover. (Small Business Computing)
It is unclear what is more disturbing: the over-confidence or the ignorance. Even if a business doesn’t depend on IT to survive, there are still the issues of reputation impact, liability, the loss of trust, etc. Some of these factors are short-lived, but in a competitive environment, how long before partners and primes stop doing business with you because you leak like a sieve? The nature of your business, the type of data you process and posses, are irrelevant: that you have computers is enough of a reason to hack you. If you can’t be secure at least be compliant; its the least you can and should do to avoid the label “negligent.”
Health-Care Industry Increasingly Faces Cybersecurity Breaches
The scenarios are chilling: A busy hospital suddenly cannot use any of its electronic medical records or other computerized systems. The victim of a ransomware attack, the hospital will not regain access without paying those who locked down the records — if at all. At another hospital, hackers find a way to connect to the software that controls IV pumps, changing their settings so they no longer deliver the correct doses of medication. (GovTech)
We are never more vulnerable than when we interface with medical technology. Predicting which industry will have the first catastrophe triggered by the exploitation of an embedded or IoT device is hard. It is worth noting however, that one of the earliest cases of such a device causing harm is in the medical space. An unintentional error, not a malicious attack, but an indication nevertheless of the importance of getting things right given the stakes should things go wrong.
How information sharing in security and intelligence can benefit your organization
Information sharing is, in many ways, like activities like exercise or flossing. We all know we should be doing it—regularly, properly, and with expert guidance, that is—but many of us don’t. Concerns over trust, privacy, and sometimes even value continue to limit or prevent many organizations from sharing information, yet these concerns—although legitimate—are not insurmountable. (CSO)
You cannot effectively defend yourself alone. Participating in a good sharing scheme is a force multiplier. It extends your view across the threat landscape and provides you with insights and forewarning that can help you avoid serious threats. But sharing is expensive, either in a financial context or a human one, and often times both. Anyone who sells “intelligence” as a commodity isn’t selling intelligence. Good intelligence is subject to a rigorous process, and is priced accordingly. Intelligence is no good unless you have the means – people and processes – to make it actionable for your enterprise. Just adding more data to an already overworked security team is throwing a drowning man a brick.
Most consumers don’t trust ‘internet of things’ security
Despite previous claims that many consumers aren’t aware of the risks presented by “internet of things” devices, a new survey has found the opposite, with 90% of consumers saying they don’t trust the security offered by now near omnipresent devices. Of consumers polled, two-thirds said they were concerned about hackers taking control of their device, with 60% expressing concern about data breaches and 54% concerned about hackers taking control of their personal information. (Silicon Angle)
As well they should not. While it is refreshing to see a substantial percentage of the populace aware that with great convenience comes great risk, the rate of adoption of smart devices worldwide would suggest that – best case scenario – people have assessed that the value of the former trumps concerns over the latter. The most likely course of action will of course be regulation, which will come after a sufficiently large catastrophe, or rapid string of smaller ones. But since legacy devices will still control so much infrastructure – critical or otherwise – actual improvements will still take years to be realized.
Biggest 2017 Data Breaches and What We Can Learn From Them
As bad as 2016 was for cybersecurity, 2017 data breaches might just set a record for online crime. This year on the list of victims we already have quite a few famous names including Gmail, Verizon, Three, Hipchat, and Wonga. And of course there was the almost unfathomable Equifax disaster, arguably the worst breach ever. (Tech Genix)
So many lessons learned; so little put into action. It takes very little for organizations that collect and store personal data to reduce both the likelihood as well as the impact of a data breach. Two factor authentication makes it significantly more difficult for an attacker to exploit legitimate credentials. Minimize the amount of ‘real’ data you use in active processing; assigning an arbitrary designator in place of a SSN or other exploitable data point allows you to still extract value without exposing customers to risk. Store off-line or in encrypted, long-term storage, anything you don’t need on a regular basis. Better yet delete everything you don’t absolutely need. They can’t steal what you don’t have.
How to sell cybersecurity to your executive team
Despite the headlines, growth-oriented executives tend to prioritize other expenses. Despite repeated major, high-profile breaches, most cybersecurity teams still struggle to get sufficient funding. “After this hack, cybersecurity budgets are bound to increase.” We’ve all thought it. But, curiously, it may not always happen. It’s a constant battle between profitable business investments and “unprofitable” security investments to protect the current bottom-line. (CSO)
Only security companies are in the security business; everyone else is just in business. The sooner we as practitioners or subject matter experts recognize this, the more likely we’re going to see meaningful change from decision-makers. The C-suite is always going to prioritize the things that positively impact top- or bottom-line growth. Security thinking and requests for funds need to be put into that context. Yes, this means we can’t always get what we want, but if we explain things in a way that makes business sense (vice security sense), we can get what is needed.
Quarter of UK Employees Have ‘Purposefully Leaked Business Data’
Your regular reminder that your biggest security issue isn’t hardware or software, its wetware.