Breaches and Leaks Soared 424% in 2018

Nearly 15 billion identity records circulated in underground communities in 2018, a 71% increase over the year as hackers targeted smaller organizations more widely, according to a new report (…).

breaches and Leaks, breaches, leaks, hackers, cybercrime, cybersecurity, cyber-criminals

Remote working may boost productivity, but also leave you vulnerable to attack

New flexible working practices could pose a security risk to small businesses: one in five employees (21%) say they are most productive when working in public spaces like a cafe or library, but only 18% are concerned about the security implications this could have. SMBs therefore face the challenge of keeping the business secure while meeting the needs and expectations of the modern workforce (…)

vulnerable to attack, boost productivity, Remote working

CISO challenges and the path to cutting edge security

Zane Lackey (…) serves on multiple Advisory Boards including the National Technology Security Coalition, the Internet Bug Bounty Program, and the US State Department-backed Open Technology Fund. (…) In this interview (…) he discusses CISO challenges, cloud security strategies, next-gen security, and much more.

CISO challenges, focus on bringing security capabilities

It’s time for a new cyber risk management model

An overwhelming attack surface, voluminous vulnerabilities, sophisticated threats, and new business requirements demand a new cyber risk management model.

cyber risk management model, risk management, attack surface, voluminous vulnerabilities, sophisticated threats

Why you should take an operational approach to risk management

Combining two seemingly unrelated entities to make a better, more useful creation is a keystone of innovation. Think of products like the clock radio and the wheeled suitcase, or putting meat between two slices of bread to make a sandwich, and you can see how effective it can be to combine two outwardly disparate things.

operational approach to risk management

75% of Employees Could Cost a Business $7.91 Million

Seventy-five percent of professionals pose a moderate or severe risk to their company’s data, says (…) third-annual State of Privacy and Security Awareness Report, which also found that workers in the financial sector are more likely to be a risk, with 85 percent of survey respondents falling into one of the two risk categories.

Employees Could Cost a Business, phishing emails

How to Protect Against Human Vulnerabilities in Your Security Program

When it comes to cybersecurity, humans are without doubt the weakest link. No matter how many layers are added to your security stack, or how much phishing education and awareness training you do, threat actors continue to develop more sophisticated ways to exploit human vulnerabilities with socially engineered attacks. In fact, as security defenses keep improving, hackers are compelled to develop more clever and convincing ways to exploit the human attack surface to gain access to sensitive assets.

Protect Against Human Vulnerabilities, Security Program, secure email and web gateways, human vulnerabilities security program

Has your security evolved to counter Ocean’s Eleven of threat scenarios?

In assessing how the cyber threat and mitigation landscape has evolved over time, I often think of the ways that “cops and robbers” movies have changed: In the old days, a typical scene would feature a bad guy walking into a bank with a note indicating that he had a gun, and that he wanted what was in the safe. He’d hand over the note to a teller, and then walk out with bundles of cash.

threat scenarios, cops and robbers, risk-based strategy, attack surfaces, stick-up men

Avoid scoring a cyber security own goal this summer

Cyber security is now an important part of our lives so, if you are travelling to the FIFA™ World Cup in Russia this summer, it’s understandable that you may be thinking about how best to secure your devices and key accounts.

cyber security, world cup, personal devices, security

Internet of Things: Who is watching you?

Internet of Things, mobile transactions

An overwhelming number of IT security professionals (85%) see a cyberattack on critical infrastructure happening in the next five years. (…) CEO Todd DeSisto says that figure is perhaps the scariest number the company has seen in the four years they have been conducting the Internet of Evil Things research.

There are many reasons why a certification can be a valuable career asset

career asset, certification

Many people who have experience with computers and information technology (IT), or even just have an interest in the field, have probably found themselves asking a simple question: Should I get certified or not?

There’s essentially no option to enter some professions without obtaining some form of certification or licensure. Most people intending to become a nurse, for example, or a tax accountant, would simply take for granted the requirement to clear certain hurdles that verify knowledge and skills before getting a job.

Risky business: Are mobile employees compromising business info?

mobile employees, Risky business

Americans logged 457.4 million trips for business in 2016, and there is no sign of business travel slowing down, with global business travel spend expected to rise 5.8 percent to $1.6 trillion in 2020.

With the rise of business travel comes an increased threat to businesses’ information security. From business plans, to budget scopes, to employee contact information and more, employees travel with a range of confidential information that, if not handled properly, could significantly impact a company’s reputation – not to mention compromise the information of clients and other employees.

How to Use Security to Drive Sales

Security to Drive Sales

Making information security a priority within an organization isn’t easy. Security is usually seen as a specialized technical function within the organization and often isn’t aligned with organizational strategy or even day-to-day business tactics. Instead, information security teams are often siloed from the effects of their decisions and hyper-focused on detection, defense and mitigation. This is why companies’ security strategies often conflict with business operations. Does that new two-factor authentication system leave your sales team hanging out in the cold when they get locked out of your system in the middle of a demo? Too bad. The “S” in “IS” is for security, not sales.

Study Finds IT Professionals Lack Confidence in Their Ability to Detect and Contain Cyberbreaches

Detect and Contain Cyberbreaches, IT Professionals Lack Confidence

A new research study, Cybersecurity: Perceptions & Practices, found that less than half of all organizations were able to detect a major cybersecurity incident within one hour. Even more concerning, less than one-third said that, even if they detected a major incident, they would be able to contain it within an hour.

A Casino Was Hacked Thanks To The Internet Of Broken Things & A Fish Tank Thermometer

Casino Was Hacked, information security

For years we’ve documented how the internet of broken things industry and evangelists have contributed to a global privacy and security shitshow. The rush to connect everything from tea kettles to Barbie dolls to the internet without including even basic privacy or security standards has resulted in a massive security problem few seem interested in actually fixing. As a result we’re not only less secure and more at risk for privacy violations, but these devices are now routinely contributing to some of the most devastating DDoS attacks history has ever seen.

6 Ways for SMBs to Improve Security, with Little Security Expertise

Improve Security, Little Security Expertise

There is a children’s book, “Inside, Outside, Upside Down” featuring The Berenstain Bears, that teaches young children about spatial concepts. When it comes to securing your organization’s data, it may feel like you need to cover all of the spaces: inside, outside, and even upside down. It’s no wonder, since security risks exist everywhere: inside the network and outside the firewall, from employees accidentally leaking information via their mobile devices to outside phishing and malware threats trying to get in. With these increased cyber risks, companies of all sizes are constantly challenged with how to spatially navigate the security landscape.

How the human factor puts your company at risk

human factor puts your company at risk

human factor, human factor risks, human factor puts your company at risk

[A new report was released] with statistics on the success rates of social engineering attacks, based on the 10 largest and most illustrative pentesting projects performed for clients in 2016 and 2017.

The ins and outs of risk management

Risk Management

With technological advancements rapidly increasing over the past couple of years, it’s unsurprising that data breaches have slowly crept up the list of small business owners’ biggest fears. For an SME (small-to-medium enterprise) that may not have even considered the possibility of this issue, the consequences of a breach could, in some cases, be fatal to the business. So you can see why the thought of not having protection in place is a scary one. So with an ever-increasing need for better risk management, what do you really need to know?

Criminals can build Web dossiers with data collected by browsers

data collected by browsers, Criminals can build Web dossiers

Everybody knows by now that websites collect information about users’ location, visited pages, and other data that can help them improve or monetize the experience.

But just a small minority of Internet users realizes that browsers also collect/store information that can help attackers compile a “Web dossier” to be used for future attacks.

2017 Was a Record Year for Cybersecurity Breaches

Cybersecurity Breaches

More than 14.5 billion malware-laced emails were sent in 2017, and there was a 1,000-percent increase in phishing efforts, according to AppRiver’s annual Global Security Report. The report also notes that 1.9 billion data records were lost or stolen as a result of cyberattacks in the first half of 2017 alone.

How to improve your security infrastructure when you’re on a budget

security infrastructure, improve security

When you’re on a tight budget for cybersecurity, it can seem almost impossible to secure every part of your businesses’ network without going over budget with the latest technologies in place.

You may not be able to solve all your security needs immediately with a small budget, but the important thing is that you are working towards your security goals and taking steps to move the needle forward.

Which phishing messages have a near 100% click rate?

phishing messages, cybersecurity

Training employees to spot phishing emails, messages and phone calls can’t be done just once or once a year if the organization wants to see click rates decrease.

For one thing, employees come and go (and change roles) with regularity. Secondly, threats change over time. Thirdly, knowledge and practices that aren’t regularly reinforced will be lost. And, finally, awareness isn’t the same as knowledge.

The new ISO 31000 keeps risk management simple

ISO 31000, risk management simple

Damage to reputation or brand, cyber crime, political risk and terrorism are some of the risks that private and public organizations of all types and sizes around the world must face with increasing frequency. The latest version of ISO 31000 has just been unveiled to help manage the uncertainty.

Why do we need a risk-based approach to authentication?

authentication

20 years ago, everyone worked at a desktop workstation hardwired into an office building. This made network security simple and organizations felt they could depend on the time-tested method of the trusted perimeter. Firewalls were relied on to keep out external threats, and anything within the network was considered secure and safe.

The Worst Passwords of 2017 Revealed

The Worst Passwords

For the second year in a row, “123456” remained the worst password.

SplashData, a company that provides password management utilities, compiled the list by analyzing more than five million user records leaked online in 2017.

In the 2017 Worst Passwords of the Year list, “starwars” joins at #16.

5 Steps to Turn the NIST Cybersecurity Framework into Reality

NIST Cybersecurity Framework into Reality

The first version of the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) was published in 2014 to provide guidance for organizations looking to bolster their cybersecurity defenses. It was created by cybersecurity professionals from government, academia and various industries at the behest of President Obama and later made into federal government policy by the Trump administration.

Five mental shifts we must make to achieve security beyond perimeters

achieve security

Data centers aren’t exactly going extinct, but given the massive shift to public clouds, you need to make some significant adjustments if your mindset doesn’t already include or understand the cloud. The problem is that not every organization knows how to prepare for and embrace the cloud-driven future. It can take some major mental adjustments to shift mindset from on-prem environments based on the data center, which has a clear and definable perimeter, to the nebulous world of the cloud.

Uber Security Breach: User Accounts Taken For a Ride?

Uber Security Breach

Looking for a nearly free ride? According to The Hacker News, thanks to an alleged Uber security breach, two separate users on the Dark Web marketplace AlphaBay are offering stolen Uber accounts for less than $5. The users, Courvoisier and ThinkingForward, say they have thousands of legitimate, active accounts for sale, while the company itself denies any breach took place. So what’s the real story?

How CSOs Can Adapt to the Changing World of Digital Risk

World of Digital Risk

Picture this: a large organization has been hacked, compromising the financial information of millions of people. News headlines detailing similar stories are now frequent, causing the job description of CSO to rapidly expand. In the past, the main responsibility of this role has been managing the physical security of an enterprise. But in today’s dominantly digital world, CSOs must expand their reach to not only monitor tangible risks, but also address the uninsured risks that live in the digital world.

Six data security questions that every board needs to ask

data security questions

As data breaches become a constant headline, data security should be a major concern for company boards everywhere. Unless a board member has been hired specifically to provide oversight for cybersecurity programs, many boards may find themselves unprepared to perform the necessary level of due diligence.

Uber data breach from 2016 affected 57 million riders and drivers

Uber data breach

Uber faced a data breach in 2016 that affected some 57 million customers, including both riders and drivers, revealing their names, email addresses and phone numbers. That affected group included 50 million riders and 7 million drivers; around 600,000 driver license numbers for U.S. drivers were also included in the breach, according to a new report from Bloomberg.

Poor security habits are the ideal recipe for a breach

Poor security habits

A Preempt survey of more than 200 employees (management level or above) from enterprise companies of 1000 or more people, found that businesses are left exposed by employees who have more access to sensitive resources than they should and who follow poor security habits.

6 Best Practices that Reduce Third-Party Cybersecurity Risk

Reduce Third-Party Cybersecurity Risk

Reduce Third-Party Cybersecurity Risk, cybersecurity risk

Cybersecurity threats are increasingly sophisticated and targeted. Hackers who want your information or want to disrupt your operations are looking for any way into your network. In an interconnected world, these hackers are increasingly looking to an organization’s supply chain partners, especially those with network access but without effective cybersecurity protection.

Why wait to be breached? Three reasons to secure your data now

secure your data

secure your data, iso 27001 training, information security training

“I’m working on it.”
“We don’t have room in this year’s budget.”
“Something else more important came up.”
“Well, we’ve not been breached before…”
“The risk of it happening is so small and it’s hard to quantify…”

These are some of the most common excuses companies give for delaying their security and compliance efforts. But, given the severe repercussions of just one breach – spiraling costs of damage-limitation, the brand-eroding reputational impact, falling share prices and lost jobs at the very highest level – putting off these initiatives is corporate insanity.

5 Basic Rules to Build an Effective Security Awareness Program

Security Awareness Program

The Battle of Thermopylae, also known as “The Hot Gates,” fought in 480 B.C., is often put in the context that 300 Spartans held off a huge Persian army. In reality, the 300 Spartans were not alone during the battle. Alongside them fought Athenians, Thebans, Thespians, and a variety of other united Greek forces. All told, until the last day or so, the Greeks had a force of between 7,000 and 10,000 soldiers at Thermopylae. The key difference is that the Spartan warriors were bred as warriors – they were professional soldiers. The Athenians, Thebans and Thespians were soldiers, but most of them had other, full-time jobs, and fought in the army when they were called upon.

7 in 10 Employees Lack Awareness Needed to Prevent Cyber Incidents

Prevent Cyber Incidents

Seven in 10 employees lack the awareness to stop preventable cybersecurity incidents, according to the second-annual State of Privacy and Security Awareness Report.

For the second year in a row, the average survey respondent achieved a “Novice” score, showing the average survey respondent is dangerously close to one wrong decision or mistake leading to a security or privacy incident.

5 Cybersecurity Vulnerabilities That People Still Forget About

Cybersecurity Vulnerabilities

People are cautious of physical theft, but the security of digital assets is often ignored. The simplest actions can have devastating consequences for your data security. Outdated software, weak credentials, and malware all create opportunities for data exfiltration.

Studies show that many users believe they won’t be targeted by hackers and aren’t aware of the sheer number of risks posed by cloud and mobile data access. With cybercrime on the rise, it’s important that we all take a proactive approach to data security.

Here is just a handful of common attack vectors that hackers have taken advantage of in recent years:

The global impact of huge cyber security events

cyber security events

The past 12 months have seen a number of unprecedented cyber-attacks in terms of their global scale, impact and rate of spread. Already causing widespread public concern, these attacks only represent a small sample of the wide array of cyber threats we now face.

Europol’s Executive Director Rob Wainwright: “The global impact of huge cyber security events such as the WannaCry ransomware epidemic has taken the threat from cybercrime to another level. Banks and other major businesses are now targeted on a scale not seen before and, while Europol and its partners in policing and Industry have enjoyed success in disrupting major criminal syndicates operating online, the collective response is still not good enough. In particular people and companies everywhere must do more to better protect themselves.”

Salary Survey Extra: Deep Focus on ISACA CRISC

isaca crisc, crisc, crisc training, crisc certification, Certified in Risk and Information Systems Control Professional training, Certified in Risk and Information Systems Control Professional certification

Risky business used to be a Tom Cruise movie from the ’80s, but in 2017 it’s a pretty fair description of just about any commercial endeavor. This is particularly true in the IT industry, where even the companies that consult about IT security sometimes get hacked. Anyone feeling great about Deloitte’s data protection consulting services this week?

When it comes to IT risk management, one certification stands out above the rest. The Certified in Risk and Information Systems Control (CRISC) credential offered by ISACA is your must-have qualification, and it’s also a perennial staple of our Salary Survey 75 list, checking in this year at No. 17.

The 5 cyber attacks you’re most likely to face

The 5 cyber attacks

Don’t be distracted by the exploit of the week. Invest your time and money defending against the threats you’re apt to confront.

As a consultant, one of the biggest security problems I see is perception: The threats companies think they face are often vastly different than the threats that pose the greatest risk. For example, they hire me to deploy state-of-the-art public key infrastructure (PKI) or an enterprise-wide intrusion detection system when really what they need is better patching.

The fact is most companies face the same threats — and should be doing their utmost to counteract those risks. Here are the five most common successful cyber attacks.

TOP 5 advantages of achieving a professional certification

professional certification

Advantage # 1:

It’s an accelerator to maximise your career potential and to reach your professional objectives.

An international professional certification is an accelerator that helps you maximise your career potential and reach your professional objectives. For example, for a professional certified as an Auditor or Assessor, it may provide the qualifications needed to conduct audits and specific assessments in an organisation, or even audits for a certification body; for a professional certified at the Foundation level, it provides the qualifications related to the foundation concepts of a specific subject; and for an Officer, Implementer or Manager, it may provide the qualifications needed to advise on and participate in the implementation, management and/or maintenance of a specific framework adapted to the requirements of an organisation on a specific subject (for example, a Privacy and Data Protection Framework to comply with the requirements of the GDPR).

Understanding Cyber Insurance

Cyber Insurance

Data breaches have led enterprises to invest more in cybersecurity programs. But what about consumers, who often feel the effects of a security breach?

Keith Moore, CEO (…), believes that consumers increasingly will take cybersecurity into their own hands and purchase cyber insurance policies.

The evolving nature of the CISO role

CISO role

As IT security increasingly becomes a priority, CISOs’ influence within companies is growing. However, security strategy in many organizations is still largely reactive and not yet aligned with business functions.

6 Tips for CISOs Selling to the Board

CISOs, information security

There’s a shift taking place in the boardroom: With the recent high-profile cyberattacks like WannaCry and NotPetya, cybersecurity has been placed in the spotlight, making it a much more prominent topic than it was five years ago. Boardrooms are abuzz with questions about these breaches including “how did they happen?” or “what can we do to prevent them from happening to us?”

Most Countries without Cybersecurity Strategy

Cybersecurity Strategy

Only about half of all countries have a cybersecurity strategy or are in the process of developing one, the International Telecommunication Union reported in its second Global Cybersecurity Index.

The Union, part of the United Nations, said about 38 percent of countries have a published cybersecurity strategy and an additional 12 percent of governments are in the process of developing one.

Monitoring logons the most effective way to detect a data breach

Monitoring logons, detect a data breach, Cyberattack, cybersecurity

Monitoring corporate logins is the most effective way to detect a data breach within an organisation, according to a new report on the ‘key indicators of compromise’ by IS Decisions.

Mismatched port and application traffic, increases in data reads or outbound traffic, geographical irregularities regarding the perimeter of the organisation, and data access at irregular times and locations are other key indicators identified. But the one common activity across nearly all attack patterns, necessary to perform basic hacks on network perimeters and endpoint devices, and move laterally across devices to access data unlawfully, is use of corporate logins.
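The indicators listed above are the same signals a risk-based authentication policy (the question raised in the “Why do we need a risk-based approach to authentication?” entry above) uses to decide whether a logon should be allowed, challenged or refused. The following Python is an added example and is not taken from the IS Decisions report or any product: it scores constructed logon events against per-user baselines (known countries, known devices, usual working hours, plausible travel speed), maps the score to an allow / step-up / block decision, and separately flags the failures-then-success burst that a per-event score does not catch. The baselines, weights, thresholds and sample events are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple


@dataclass
class Logon:
    user: str
    ts: datetime        # UTC timestamp of the logon attempt
    country: str
    lat: float
    lon: float
    device_id: str
    success: bool


# Per-user baselines a real deployment would learn from weeks of history.
# Constructed for this example; hours are UTC.
BASELINES: Dict[str, dict] = {
    "alice": {"countries": {"GB"}, "devices": {"alice-laptop"}, "hours": range(7, 20)},
    "bob":   {"countries": {"US"}, "devices": {"bob-laptop", "bob-phone"}, "hours": range(6, 19)},
}

# Illustrative weights and thresholds, not values from the report.
WEIGHTS = {"new country": 40, "unknown device": 30, "off-hours": 15, "impossible travel": 50}
STEP_UP_AT, BLOCK_AT = 30, 70
MAX_PLAUSIBLE_KMH = 900.0            # faster than an airliner: two people, one account
SPRAY_FAILURES, SPRAY_WINDOW = 3, timedelta(minutes=10)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_logon(ev: Logon, prev: Optional[Logon], base: dict) -> Tuple[int, List[str]]:
    """Return (risk score, reasons) for one logon, judged against the user's
    baseline and the previous logon seen for that user."""
    reasons = []
    if ev.country not in base["countries"]:
        reasons.append("new country")
    if ev.device_id not in base["devices"]:
        reasons.append("unknown device")
    if ev.ts.hour not in base["hours"]:
        reasons.append("off-hours")
    if prev is not None:
        hours = (ev.ts - prev.ts).total_seconds() / 3600.0
        km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        # Far apart in space, close in time: not the same person.
        if km > 50 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            reasons.append("impossible travel")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    """Map a score to the action a risk-based authentication policy takes."""
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


def analyse(events: List[Logon]):
    """Run the scorer over an audit trail (sorted by time here).

    Returns (decisions, alerts): one decision per event, plus alerts for a
    pattern no single-event score sees: several failures then a success,
    the shape of password spraying or credential stuffing."""
    last_seen: Dict[str, Logon] = {}
    recent_failures: Dict[str, List[datetime]] = {}
    decisions, alerts = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        base = BASELINES.get(ev.user, {"countries": set(), "devices": set(), "hours": range(0)})
        score, reasons = score_logon(ev, last_seen.get(ev.user), base)
        decisions.append({"user": ev.user, "ts": ev.ts.isoformat(), "score": score,
                          "decision": decide(score), "reasons": reasons, "success": ev.success})
        fails = [t for t in recent_failures.get(ev.user, []) if ev.ts - t <= SPRAY_WINDOW]
        if ev.success:
            if len(fails) >= SPRAY_FAILURES:
                alerts.append(f"{ev.user}: success after {len(fails)} failures within {SPRAY_WINDOW}")
            fails = []
        else:
            fails.append(ev.ts)
        recent_failures[ev.user] = fails
        last_seen[ev.user] = ev
    return decisions, alerts


def _t(h: int, m: int) -> datetime:  # one constructed sample day
    return datetime(2018, 6, 4, h, m, tzinfo=timezone.utc)


# Constructed sample trail: alice logs on from London, then 90 minutes later
# "she" appears in Beijing on an unknown device; bob's phone fails three
# times at 02:00 UTC and then gets in.
SAMPLE_EVENTS = [
    Logon("alice", _t(9, 0), "GB", 51.51, -0.13, "alice-laptop", True),
    Logon("alice", _t(10, 30), "CN", 39.91, 116.39, "unknown-dev", True),
    Logon("bob", _t(2, 0), "US", 40.71, -74.01, "bob-phone", False),
    Logon("bob", _t(2, 1), "US", 40.71, -74.01, "bob-phone", False),
    Logon("bob", _t(2, 2), "US", 40.71, -74.01, "bob-phone", False),
    Logon("bob", _t(2, 3), "US", 40.71, -74.01, "bob-phone", True),
]

if __name__ == "__main__":
    decisions, alerts = analyse(SAMPLE_EVENTS)
    for d in decisions:
        print(d)
    for a in alerts:
        print("ALERT", a)
```

Alice’s second logon scores 120 (new country, unknown device, impossible travel) and is blocked; bob’s off-hours logons each score only 15 and would be allowed, which is exactly why the failure burst needs its own detector rather than a higher weight. In production the baselines would be learned, the events would come from a directory or SIEM rather than a list, and the geolocation would come from an IP database.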

Cyber Security Regulation. The Move Towards Board Involvement

Cyber Security Regulation

Cyber Security Regulation, cybersecurity Regulation

Regulators are the catalyst for stronger measures in cyber security, and new regulation from the EU is going to have a serious impact on organizations that process EU citizens’ data. After four years of diligence and debate, the EU Parliament approved the General Data Protection Regulation (GDPR) on April 14, 2016. It enters into effect on May 25, 2018, at which time organizations in non-compliance will face heavy fines.

SIEM challenges: Why your security team isn’t receiving valuable insights

SIEM challenges

SIEM challenges, information security, cybersecurity

Today, many enterprises use security information and event management (SIEM) software to help detect suspicious activity on their networks. However, to be effective, organizations need to surround a SIEM with security experts, advanced use cases, threat intelligence, and proven processes to investigate and respond to threats.

Integrating GDPR into your day to day IT practices

Integrating GDPR, General Data Protection Regulation requirements, Data Protection, privacy management

GDPR: four letters that, when combined, strike fear into the heart of any sysadmin. Luckily, there is quite some time before it comes into force, which means getting into the habit of complying should be natural by 25th May 2018. My default position on these types of regulations is to consider them from a consumer’s point of view, and think about how I would feel with someone holding personal data of mine for longer than necessary.

4 Best Practices for Backing Up Endpoints in Your Business

Backing Up Endpoints, risk management, information security

Follow these critical steps to minimize threats to data in highly mobile environments.

The risk of data loss can keep any IT manager up at night. Disappearing data can cause major expense and even serious damage to the credibility of a business and significantly affect the productivity of individual employees and workgroups.

Here we go again: DDoS attacks on the rise!

DDoS attacks

DDoS attacks, Cyberattack, cybersecurity

Newly released data shows that DDoS and web application attacks are on the rise once again, according to Akamai’s Second Quarter, 2017 State of the Internet / Security Report. Contributing to this rise was the PBot DDoS malware which re-emerged as the foundation for the strongest DDoS attacks seen by Akamai this quarter.

The 3 Main Ways Ransomware Spreads in 2017

Ransomware, Cyberattack, cybersecurity, information security, cyber risk, cyber security

Email is still the primary distribution mechanism for ransomware attacks, but “malvertising” is also a growing threat.

Ransomware is now on everyone’s mind, thanks to the recent “Petya” or “Nyetya” global malware attack and the earlier WannaCry attack. Ransomware — malware designed to encrypt files and only decrypt them if the victim pays a ransom, usually in the digital currency bitcoin — is being spread in numerous ways, some of which are hard to defend against.

Risk Management: How to Prevent Costly Supply Chain Incidents

risk management, iso 27005 risk manager, iso 31000 risk manager, supply chain security

Preventable corporate scandals, as seen by headline events related to Pepsi, Wells Fargo, Volkswagen, Chipotle and Wendy’s, result from a variety of risk management failures across a variety of industries. Notable scandals include cybersecurity failures at retail organizations and restaurants, quality control issues at manufacturers, and ineffective asset management and access rights at financial institutions.

How to Change Behavior for Stronger Security System Cybersecurity

Security System Cybersecurity, Cyberattack, cybersecurity, information security, cyber risk, cyber security

How Healthy Are Your Cybersecurity Habits?

There is a world of difference between knowing the right thing to do and actually following through and doing it. Think about doctors who repeatedly remind their patients to quit smoking, or to be careful with their cholesterol, to get regular exercise and adopt healthier eating habits instead of eating bacon with every meal. We know what we should do. Quite often, though, that knowledge is not enough to actually change our behavior.

You were probably aware of some fundamental cybersecurity best practices before you started to read this article. But let’s focus on two: passwords and firmware.

Global Cyberattack Could Cost $121 Billion

Cyberattack, cybersecurity, information security, cyber risk, cyber security
Lloyd’s of London has warned that a serious cyberattack could cost the global economy more than $120 billion – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy.

The report from Lloyd’s said the threat posed by such global attacks has spiraled and poses a huge risk to business and governments over the next decade.

Largest Cryptocurrency Exchange Hacked! Over $1 Million Worth Bitcoin and Ether Stolen

Cryptocurrency Exchange Hacked

Cryptocurrency Exchange Hacked, Cyberattack, cybersecurity, information security, NIST cyber security framework
One of the world’s largest Bitcoin and Ether cryptocurrency exchanges, Bithumb, has recently been hacked, resulting in the loss of more than $1 Million in cryptocurrencies after a number of its user accounts were compromised.

Bithumb is South Korea’s largest cryptocurrency exchange with 20% of global ether trades, and roughly 10% of the global bitcoin trade is exchanged for South Korea’s currency, the Won.

Bithumb is currently the fourth largest Bitcoin exchange and the biggest Ethereum exchange in the world.

Last week, a cyber attack on the cryptocurrency exchange giant resulted in a number of user accounts being compromised, and billions of South Korean Won were stolen from customers accounts.

3 Questions to Improve Cyber Incident Recovery

Cyber Incident Recovery

Cyber Incident Recovery, Cyberattacks, cybersecurity, information security, NIST cyber security framework
The NIST Cybersecurity Framework focuses twice on the concept of improvement, doing so within both the Respond and the Recover functions. For improved response, NIST recommends that organizations incorporate lessons learned into their response plans and update their response strategies. When it comes to improved recovery, NIST echoes that guidance: Companies should incorporate lessons learned into their recovery plans and update their recovery strategies. Because of these similarities, it is helpful to consider this article in the context of our May 2017 Cyber Tactics column, “Been Hacked? Let That Be a Lesson to You.”

Emergency Preparedness Essentials: 5 Things CSOs Should Know

Emergency Preparedness, business continuity, disaster recovery
In order to ensure the safety and security of an organization’s personnel, a Chief Security Officer (CSO) must be able to identify, assess and develop appropriate responses to a wide range of potential and actual threats as they evolve in real time. This presents a Herculean challenge since security, while recognized as critical, is also preferred to be invisible in day-to-day operations. Substantial guidance in these efforts is available from the communities of law enforcement, the private sector and emergency planners. In particular, it is worth summarizing five central insights that can assist CSOs as they work to protect their organizations.

Building a strong cybersecurity program for the long haul

cybersecurity program, security awareness
Patch Tuesday is approaching and there is a chance it might be a boring one. Hopefully, I didn’t jinx things by saying that, but I think most of what we’ll see is a bit of volume on the third-party side. Before we get into the forecast, though, let’s talk about the recent roller coaster we’ve all been on.

Rising volume of attacks overpowers security teams

attacks overpowers security

attacks overpowers security, cybersecurity best practices, security awareness, cyber attack
New research from IDC shows that organizations are constantly under attack and struggling to keep up. The research finds most organizations run time-consuming security investigations and often fail to effectively protect themselves.

4 Cybersecurity Best Practices for Your Organization

Cybersecurity Best Practices

cybersecurity best practices, security awareness, cyber attack
A data breach can happen to any organization, and it’s a growing concern among companies both large and small. According to this cyberattack infographic, an IBM study revealed that the average consolidated cost of a data breach is approximately $3.8 million, a 23 percent increase from 2013. According to that same graphic, the Identity Theft Resource Center found that approximately 22 percent of breaches are due to insider theft, and 12 percent are simply a matter of accidental exposure.

You can keep your company and your employees safe from these dangerous data breaches by ensuring that employees are aware of a few tried-and-true data security best practices. Here are some of the most important ones:

As GDPR deadline looms, time for compliance is running out

GDPR Deadline

GDPR deadline, privacy management, data regulation, DPO, Data Protection Officer
GDPR is a game-changing piece of data protection legislation that goes into effect on May 25, 2018.

While the legislation includes various components related to how organizations collect, store, manage and protect customer data, the ‘right to be forgotten’ gives individuals the right to have personal data erased. If most organizations cannot locate where their customer data is stored, it will be difficult to fulfill ‘right to be forgotten’ requests (…).

How to Land the Best Jobs in Cyber Security

Best Jobs in Cyber Security

best jobs in cyber security, ransomware, malware, security awareness, cyber attack
For job seekers looking for high pay, job security and the option to work in any sector and in any state, the cyber security field is the place to be.

Cyber crime costs the global economy over $400 billion each year. [Since] 2014 some of the largest companies in the world were victims of cyber crime, including J.P. Morgan, Target and The Home Depot among others. As cyber attacks continue to increase in volume and tenacity, with ever changing tactics, the government and the private sector are raising the alarm. In response, there has been a sharp uptick in the demand for cyber security professionals across almost every sector.

Due to this shortage in a critical area of national security and following the law of supply and demand, those who work in cyber security can expect to earn top dollar. For instance, on average, chief security officers will make over $220,000 annually.

So while it is clear that a job in cyber security has many benefits, what cyber security positions are the best and how do you land them?

The wannacry ransomware is a reminder to get serious about security

Get serious about security

get serious about security, ransomware, malware, security awareness, cyber attack

Wannacry Ransomware Attack

Ransomware is the word on everyone’s lips this week, following the massive WannaCry ransomware attack which spread quickly all over the world. Security experts estimate that over 200 000 systems across 150 countries were affected by the attack, in which hackers took advantage of a weakness in Microsoft’s Windows operating system to block any access to a computer system until a ‘ransom’ is paid in order to unlock the system again.

Investigations into the massive hack are still unfolding, but current thinking is that the attack originated in North Korea and made use of a set of top secret National Security Agency tools that were stolen and sold last year.

WannaCry: Smaller businesses are at great risk

Risk Management

Smaller businesses are at great risk, ransomware, malware, security awareness

Last week saw a widespread attack with more than 10,000 organisations across 150 countries – including 48 NHS trusts in the UK – almost simultaneously hit by the ransomware strain WannaCry. With data encrypted, the impacted businesses and other institutions experienced significant downtime as they were unable to continue with normal operations. The hospitals, for example, were forced to postpone non-urgent procedures and people were asked not to visit Accident & Emergency.

3 in 5 companies expect to be breached in 2017

Companies Breached

companies expect to be breached, ransomware, malware, security awareness

New research found that of the 50 percent who reported being breached in 2016, the average material impact to the business was $4 million.

Vanson Bourne interviewed 600 senior IT decision-makers at organisations with at least 1,000 employees across Australia, France, Germany, Italy, the United Kingdom and the United States.

How to make cyber security a priority for your managers

cyber security as a priority

cyber security, ransomware, malware, security awareness, cyber attack
Both the business and technology industry are growing and making new advancements. These new improvements, such as converged systems and cloud storage systems, while strikingly beneficial, also bring with them new risks. One of the rising risks is cyber security. With many companies taking advantage of new technology and running their business online, they have become larger targets for cyber hackers.

A guide on how to prevent ransomware

prevent ransomware, malware, security awareness

Ransomware is fast becoming a major threat to computer systems in many organisations. It is an aggressive form of attack which criminals use to infect computers and block the victim from accessing their own data unless they pay a ransom. Ransomware is not a new threat but has become more widely used among criminals simply because it is highly profitable.

At its heart, ransomware is simply another form of a computer virus, albeit a very potent one. The methods it uses to infect a computer are the same ones other computer viruses employ.

Hackers claim to have looted Pirates of the Caribbean 5

Hackers claim to have looted some treasure from Disney’s Magic Kingdom: Pirates of the Caribbean 5

Hackers, hacking, ransomware, Pirates of the Caribbean 5

At a town hall meeting in New York earlier today, Disney chief executive Bob Iger said hackers are claiming to have stolen an undisclosed new film from Disney’s upcoming slate, according to a report in The Hollywood Reporter. Needless to say, the king of Disney’s castle is refusing to pay the demanded ransom.

Instead, the company is working with federal investigators and holding their breath to see if the online pirates will release their booty into the wild, according to the report.

Citing multiple sources, The Hollywood Reporter wrote that the hackers were demanding a huge ransom in bitcoin be paid out or they’d release the film into the wild. Specifically, the hackers threatened to release the first five minutes of the film and then the rest of the film in 20-minute sections. Iger’s response? Basically… “Come at me.”

How CIOs are shaping the future of work

CIOs are shaping the future, CXO, CIO, Chief information officer

IT leaders are poised to make radical changes in the workplace, but boardrooms are holding back progress by continuing to place too much emphasis on reducing costs and keeping the lights on.

IT job profile: So you want to be a CISO

Want to be a CISO, CISO, CISSP, CCISO, CISM, CISA, ISO 27001, Information security, Risk Management

Want to be a CISO? Chief Information Security Officer (CISO) is a coveted position in many IT organizations. The high demand for qualified CISOs leads to tremendous competition for capable candidates and correspondingly high salaries. But what’s the real deal behind the scenes? Do you have what it takes to serve in a CISO role? If not, what qualifications do you need before you can join the information security big leagues?

Sitting in an organization’s senior-most security chair requires a unique mixture of professional experience and educational background. The CISO position is a career capstone for some and a way station to the CIO chair for others. Either way, arriving at this destination requires careful career planning. Most CISOs don’t get there by accident.

Consumer Reports to Include Cybersecurity and Privacy in Product Reviews

Include Cybersecurity and Privacy in Product Reviews, cybersecurity, privacy, cybersecurity standards, data security, password

Consumer publication Consumer Reports will soon begin considering cybersecurity and privacy safeguards when scoring products.

The group, which issues scores that rank products it reviews, said it had collaborated with several outside organizations to develop methodologies for studying how easily a product can be hacked and how well customer data is secured.

Why the Security of Confidential Documents is a Problem for Enterprises

Confidential documents, Cybersecurity, security education, Security of Confidential Documents

There is a widespread and growing need to improve security practices surrounding confidential documents in most organizations today, according to a new study by the Business Performance Innovation (BPI) Network. In a global survey of managers and information workers, 6 out of every 10 respondents said they or someone they know have accidentally sent out a document they shouldn’t have.

It’s Time to Change Your Perception of the Cybersecurity Professional

Cybersecurity professional, cybersecurity careers, security education, security leadership, security talent gap, threat mitigation

To borrow from the Nobel Prize winning songwriter, the (security) times, they are a-changin’. When the commercial Internet was young – say in 1995 – IT structure was relatively simple. It consisted of just three layers: server, network and client. Each had its own security component.

Ah, the good old days. Growing complexity is one of today’s biggest IT security challenges. The more complex the system, the greater the attack surface (in general). It is much easier now to hide multi-pronged attacks in different layers and parts of the IT infrastructure.

NIST CRIED: The Four Steps of Incident Mitigation

cyber security education, cybersecurity response, incident mitigation, NIST cyber security framework, risk mitigation

Mike Tyson notably said, “Everyone has a plan ‘till they get punched in the mouth.” So, how do you ensure the same doesn’t hold true for your company’s incident response plan when a real breach occurs? Enter the NIST Framework category titled Mitigation.

Faced with an actual intrusion, companies would do well to focus on executing four immediate incident response steps. Taken together, their initials form the acronym CRIED:

Cybersecurity Protection Begins with the User

cybersecurity Protection, cyber security education, cybersecurity awareness, intellectual property security, workstation security
The internet is a dangerous place, right? Not only is the internet full of hackers trying to steal your corporate information, but they’re also targeting your website and company database to steal credit cards, private health information and other sensitive data to resell on the Dark Web.

This is partially true. But do people really appreciate what the attack surface looks like right now? Internet threats are not just SQL injection attacks or attackers targeting Joomla or WordPress. We tend to hear things about phishing and social engineering, but do people really appreciate the impact these things have on their world?

Measuring the Impact of Cyberattacks: Lost Revenue, Reputation & Customers

CISOs are feeling the pressure when it comes to cybersecurity management, but new data from Cisco’s annual report may help in getting them the buy-in they need.
impact of cyberattacks, cyber attacks, cybersecurity costs, cybersecurity leadership, data breach costs, data breach response, phishing scams
The Cisco 2017 Annual Cybersecurity Report, released 1/31/17, outlines some of the major trends and risks facing enterprises, compiling data from surveys of approximately 3,000 CISOs.

According to Cisco CISO Steve Martino, enterprises are realizing that losses from data breaches and cybersecurity vulnerabilities have tangible repercussions for the business. As a result of public breaches, 29 percent of security professionals surveyed say their organizations experienced a loss of revenue, and 38 percent of that group said revenue loss was 20 percent or higher. Security professionals also cite rising losses of opportunity and customers after cyberattacks.

Cybersecurity Skills Gap Leaves 1 in 4 Organizations Exposed for Six Months or Longer

Sophisticated cybersecurity defenses are increasingly in high demand as a cybersecurity attack is now viewed as an inevitability. However, a majority of surveyed organizational leaders fear they are ill-equipped to address these threats head-on.
cyber security, Cybersecurity Skills, cybersecurity, security training, security gap

According to a new cybersecurity workforce study by ISACA’s Cybersecurity Nexus (CSX), only 59 percent of surveyed organizations say they receive at least five applications for each cybersecurity opening, and only 13 percent receive 20 or more. In contrast, studies show most corporate job openings result in 60 to 250 applicants. Compounding the problem, ISACA’s State of Cyber Security 2017 found that 37 percent of respondents say fewer than 1 in 4 candidates have the qualifications employers need to keep companies secure.

Can You Measure Your Building’s Penetration Risk?

How can you measure your risk of unauthorized entry? Until now, it’s been virtually impossible. When it comes to security entrances, new analytics technologies (e.g. PSIM, IoT, etc.) are emerging, and it’s becoming possible to use technology, combined with people, to tap into security entrance metrics as part of an overall physical security strategy.
Risk, risk management, access management, security management

Measuring penetration risk is about prediction, and to accurately predict requires a reliable tailgating prevention strategy, otherwise any PSIM or other available analytical tool will fall short. In this article, we’ll talk about the challenges security professionals face related to penetration risk measurement; later, in a second article, we’ll demonstrate how a tailgating prevention strategy actually works and the metrics that can help predict your risk of penetration.

43% of Organizations Grade Their Cybersecurity “C” or Worse

More than one in four organizations have been breached in the past 12 months, while 23 percent aren’t sure if they have been breached or not.
cyber security, cybersecurity, IT security, security training

When asked to grade their organization’s cybersecurity program, 43 percent of survey respondents gave themselves a “C”, “D”, “F”, or “non-existent”, and only 15 percent gave themselves an “A”. While there isn’t a one-size-fits-all solution to network security, the “A” grade companies have several attributes in common, including a high level of automation, a threat intelligence framework, and a robust training program for security staff.

That’s according to the 2017 Cybersecurity Report Card by DomainTools, which also found that one-third of security pros are savvy enough to detect daily attacks, but the looming majority (66 percent) are unaware of the daily onslaught of malicious activity. While malware (76 percent) and spearphishing (56 percent) are the most common types of threat vectors, business email compromise (25 percent) and DDoS attacks (24 percent) are on the rise. Finally, nearly one-third of respondents were the recipients of attempted cyberextortion, also known as ransomware, which cost businesses more than $1 billion in 2016.

After a terrible year for cybersecurity, will 2017 be any better?

By Help Net Security on 9 January 2017
cyber security, cybersecurity

From a cybersecurity perspective, 2016 was a very devastating year for companies, schools, government agencies, organizations and even presidential campaigns. What we’ve learned from a record year for breaches, hacks, phishing, malware, and ransomware is what we’ve known all along: cyber criminals are clever and they are not bound by any rules or real strategy.

We also learned that no company, government agency, or organization is safe if they are in the bullseye of those determined to breach their networks. Hackers really have a single goal: to steal data or financial assets, crippling organizations in the process. Stolen data, such as passwords, social security numbers, personal information and possibly bank account credentials, is generally sold on the black market. This was the case in the first big U.S. hack of 2016.

CSOs and CISO are under pressure

By Security Magazine on 7 January 2017
CISO, CSO, cyber security, cybersecurity

Under pressure! No, not the 1982 hit song by Queen that was used in the 1997 American comedy crime film Grosse Pointe Blank. I am describing the likely 2017 work environment for CSOs and CISOs. If CSOs and CISOs thought they were under pressure in 2016, it is about to increase and go beyond the usual. Traditional increases in pressure were due to the growing rate of data breaches and the number, complexity and success rates of cyberattacks. All of those pressures will increase from 2016 to 2017, but wait, there’s more! There will be multiple new reasons for the increase, and the impact they will have will be different. The pressure will come from as high as you can go within your organizations as well as being driven by business management. Here are just a few drivers of the increased pressure.

Cybersecurity Tips for the Break Room and Boardroom

By Security Magazine on 5 January 2017
c-suite security metrics, cyber security education, cybersecurity awareness, cybersecurity leadership, security training, cybersecurity

Every day we are updated about the latest cybersecurity breaches – whether it’s Yahoo, Dropbox or LinkedIn, how many records have been stolen, or how much companies have paid in result from ransomware or financial fraud.

However, are employees and executives aligned with cybersecurity awareness? Are the risks and top discussions that happen in the break room similar to those that happen in the boardroom? The topics and concerns are farther apart than you could ever imagine.

Vermont Electric Company Finds Russian Malware on Computer

By Security Magazine on 2 January 2017
cybersecurity, grid security, malware, utility security
Burlington Electric, which serves 19,600 customers in Vermont, said it found malicious software on a company laptop, and it’s blaming the Russians.

Burlington Electric noted that the malicious software on a computer was not connected to its grid control systems.

Both the Department of Homeland Security and the utility said there are no indications that the electric grid was breached, reported CNN.

Burlington Electric General Manager Neale Lunderville told CNN that the utility found an Internet address that was associated with recent malicious cyber activity, and that IP address was communicating with a company computer.

What is next in cloud and data security for 2017?

By Cloud Buzz on 29 December 2016
Big Data, Cloud Computing, Contributors, Digital Transformation, Security, data security
It has been a tumultuous year in data privacy to say the least – we’ve had a huge increase in data breaches, including some of the largest in history; an uncertain future when it comes to cybersecurity policies; new European regulations that have major implications for U.S. companies; and yet, business carries on. Despite all the challenges and risks, businesses will continue to move forward on digital transformation, cloud adoption and mobile adoption, all with an eye on cybersecurity.

These are the biggest trends that I see carrying us into 2017:

Infographic: IoT Internet of Things Cyber Security Concerns

By Cloud Buzz on 29 December 2016
Cloud Computing, Infographic, Internet of Things, Security
Technology is moving forward at a rate we have never seen before. While the internet was something we once needed a computer to access, it can now be accessed on an endless number of remote devices thanks to Cloud technology and a relatively new term called the “Internet of Things”. However, there are also concerns about a world that connects technology in such a way, as seen with the recent attacks. More devices connected via the cloud mean more opportunities for hackers to access and/or steal your data.

4 Components of an Effective IoT Security Strategy

By BizTech on 19 December 2016

IoT Security, information security, threat prevention
Recent breaches have shown the vulnerability of the Internet of Things, but IT departments can defend against hackers with a multifaceted approach to security.

While driving a Jeep Cherokee through downtown St. Louis in July 2015, Andy Greenberg felt a sudden blast of air from the vents. The radio mysteriously changed stations, music began blaring and the windshield wipers started. The situation went from perplexing to frightening when Greenberg stepped on the gas pedal but couldn’t accelerate as he watched an 18-wheeler approach in his rearview mirror.

Mitigating internal risk: Three steps to educate employees

By Help Net Security on 20 December 2016

cyber risk, risk management, security awareness
IT security is usually focused on how to prevent outsiders with malicious intent from causing harm to your IT systems and data. While this is a valid concern, people within organizations who simply do not understand the consequences of their everyday habits and behavior on company computers pose an equivalent if not greater risk.

Every person within a company that has access to information is a gateway for data exfiltration. This is why education for ALL employees that encourages following best practices for IT security safety is extremely important to implement within organizations. So where should you start? Take 3 easy steps.

5 Tips for improving enterprise cloud success in 2017

By Cloud Tweaks on 19 December 2016

cloud computing, cloud security

There has been an increase in the adoption rate of cloud technology to help businesses keep capital investment and maintenance costs down while benefiting from flexibility and rapid up and down-scaling as needs dictate. However, to maximize the benefits of cloud, companies have to overcome a number of challenges and mitigate various risks. As plans are drawn up for 2017, it is worth considering these tips for improving cloud success in the enterprise.

Is Big Data becoming an important and possibly expensive form of currency?

By Cloud Tweaks on 19 December 2016

Big Data, Cloud Computing
When we think about currency in the world, we often go to the pieces of paper money we all keep in our wallets or the numbers on the screen when we look at our bank accounts online. While this is the case for most people, anything that can hold value can be seen as a form of currency.

And in the “ever-evolving” world of technology, data is quickly becoming the next important and expensive currency in the world. Data is critical for almost anything from marketing a new product, helping a business run smoothly and much more.

The difficult path to cyber resilience

By Help Net Security on 19 December 2016

cyber resilience

Global organizations are more confident than ever that they can predict and resist a sophisticated cyber attack, but are falling short of investments and plans to recover from a breach in today’s expanding threat landscape.

The High Cost of Not Doing Enough to Prevent Cyber Attacks

By Security Magazine on 13 December 2016

cyber attacks, cyber security, cybersecurity

Organizations are in a difficult place when it comes to protecting themselves against the current cybersecurity threat environment. Many companies believe that they’re too small to be a hacker’s target. However, given the wide range of businesses and organizations being hit on a daily basis, this couldn’t be farther from the truth. If your organization has data, and every business does, you are a worthy and potentially lucrative target for cyber criminals.

Organizational Resilience – the big concept these days
By António Relvas on October 27, 2016

What is Resilience in an organization? The definition that is widely accepted is that “organizational resilience” is the “ability of an organization to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper.”

Ok, the above definition is a great one, but how do you achieve resilience in an organization? This is the tricky part, and there are two ways (that can work).

Good Risk Management Practices. Are you at risk?

Risk Management

Risk management is about managing threats and opportunities. When it is effective it is often unnoticed, but when it fails, the consequences can be dramatic, and this applies to everyone.

You are a risk manager and you may not know it, but we all make decisions, and risks arise as a consequence of the decisions we make. So, if you think about it for a moment, it becomes clear that when you make a decision, you anticipate and visualize the possible consequences of that decision in the (near) future, and then you rethink the decision and decide.

The Goal of the Risk Manager

Risk management is the understanding, assessment (including prioritization) and treatment of risks, from highest to lowest, taking into account factors such as: the impact a risk event may have; the likelihood of this risk event happening; and, of course, the means involved in dealing with these risks.

The prioritization of risk management activities is essential: it immediately identifies the risks with higher or lower impact, together with the likelihood of their happening and of their having an impact on the business.

Often, a decision on risk management involves making choices between what we thought that may happen, based on past events (if possible), and what we