The Telegraph Business – Are company boards of directors trivialising security?

UK CEOs worry more about cyber threats than their global peers, but how can they combat them effectively?

“At a time when businesses are facing a growing threat from data breaches, they must have a director responsible for cyber security. It’s no longer a question of if but when a data breach will occur,” says Jason Hart, CTO for data protection at digital-security firm Gemalto.

“Having an individual or team on the board responsible for this area is essential. They can help the company understand the threats it faces and communicate steps that need to be taken to senior management.”

To read the full article click here.

GDPR Report – GDPR Summit London: Should you be worried about a data breach?

Reports of business data breaches have unfortunately become commonplace. This week, the professional services giant Deloitte suffered a cyber-attack that compromised confidential data, including the private emails of some of its clients.

More than ever, businesses need to ensure their data is protected from outside threats. Jason Hart, CTO of Data Protection at Gemalto said about the news of the Deloitte breach:

“Today’s announcement that Deloitte was hacked is not a surprise. Breaches will continue – and are continuing – to happen; to expect otherwise would be unrealistic. As an industry, we need to truly know our surroundings, meaning knowing exactly where data resides, who has access to it, how it is transferred, when it is encrypted/decrypted – really the entire supply chain of digital users and the data. Of the 1.9 billion data records compromised worldwide in the first half of 2017, less than 1% used encryption to render the information useless.

“We need a data-centric view of threats, which means using better identity and access control techniques, multi-factor authentication, and encryption and key management to secure sensitive data. This is even more pressing with new and updated government mandates like the 2015 Digital Privacy Act in Canada, the GDPR in Europe, as well as U.S. state-based and APAC country-based breach disclosure laws.”

To read the full article click here. 

Information Week – The Cyber Risk of False Confidence

Companies are overly confident about their cybersecurity, and it’s leaving their data (and maybe yours too) open to some major security risks.

Gemalto CTO and VP for Data Protection Jason Hart says part of the reason for this “breach gap” – the idea that organizations think their data is more secure than it is – is that organizations don’t fully understand the motivations behind a breach.

“There’s still a lack of understanding from organizations that it’s the data [threat actors] are after,” says Hart. “We’ve mostly seen confidentiality breaches, when a threat actor gets the data they share it, sell it, etc. What people misunderstand, is that a confidentiality breach is just the start of the problem,” he says.

To read the full article click here. 

eSecurity Planet – Massive SEC Breach Highlights Need for Broader Use of Encryption

U.S. Securities and Exchange Commission (SEC) chairman Jay Clayton recently announced that a software vulnerability in its Electronic Data Gathering, Analysis and Retrieval (EDGAR) system “was exploited and resulted in access to nonpublic information” in 2016.

Jason Hart, vice president and CTO for data protection at Gemalto, said by email that stopping breaches like these is an unrealistic goal. “A better starting point is for organizations to truly know what they are trying to protect and then putting the right safeguards like encryption in place,” he said. “Of the 1.9 billion data records compromised worldwide in the first half of 2017, less than 1 percent used encryption to render the information useless.”

According to Gemalto’s Breach Level Index for the first half of 2017, the proportion of stolen, lost or compromised data that was protected by encryption dropped by 4 percent compared to the last six months of 2016.

The first half of 2017 also saw a 164 percent increase in stolen, lost or compromised records — over 10 million records were compromised or exposed every day, or 122 records every second.

To read the full article click here.

Help Net Security – Number of lost, stolen or compromised records increased by 164%

According to Gemalto’s Breach Level Index, 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017.

Compared to the last six months of 2016, the number of lost, stolen or compromised records increased by 164%. A large portion came from the 22 largest data breaches, each involving more than one million compromised records. Of the 918 data breaches, more than 500 (59% of all breaches) had an unknown or unaccounted-for number of compromised data records.

“IT consultant CGI and Oxford Economics recently issued a study, using data from the Breach Level Index and found that two-thirds of firms breached had their share price negatively impacted. Out of the 65 companies evaluated the breach cost shareholders over $52.40 billion,” said Jason Hart, Vice President and CTO for Data Protection at Gemalto. “We can expect that number to grow significantly, especially as government regulations in the U.S., Europe and elsewhere enact laws to protect the privacy and data of their constituents by associating a monetary value to improperly securing data. Security is no longer a reactive measure but an expectation from companies and consumers.”

To read the full article click here.

LondonLovesBusiness – Talk Talk fined again after customer data breach

TalkTalk has been fined £100,000 for failing to protect 21,000 of its customers’ data, and putting it at risk by allowing contractors to access it.

Jason Hart, CTO, Data Protection at Gemalto and former ethical hacker, said it is important to punish businesses that fail to protect their customers’ data. He said: “This fine should serve as a warning to all other companies that they need to ensure they are protecting their customers’ data.

“GDPR is just around the corner, so this is likely to be just the start of things and we’ll soon start to see what the real picture of cybersecurity is like throughout Europe. If businesses are not protecting data at its source they will no longer be able to hide any breaches that occur and ultimately deserve to be fined.”

To read the full article click here.

GDPR:Report – HBO suffers a “cyber incident” leaking a Game of Thrones episode

HBO was victim to a “cyber incident”, which has resulted in the theft of a Game of Thrones episode and other data.

On Tuesday anonymous hackers leaked HBO data to the website “winter-leaks.com”; however, it was inaccessible by Wednesday. The hackers claimed to have stolen 1.5 terabytes of data from the network’s servers.

Jason Hart, CTO, Data Protection at Gemalto and former ethical hacker said on the incident:

“Broadcasters face a unique threat. Due to the nature of the industry, hackers have the opportunity to access data as it is transmitted between multiple data centres, and so they require solutions to help encrypt their high-value TV transmissions – without interfering with the audience’s viewing experience. These specialised solutions, such as high-speed encryption, will help ensure that broadcasters are protecting their IP in an age of increased piracy and data theft.

“HBO now joins a list of other Hollywood victims of crime such as Netflix and Sony. This incident is another reminder that broadcasters must invest in fundamental security controls and practices – encryption, key management and two-factor authentication – to control access to highly sought-after content and protect it in the event that a breach takes place.”

To read the full article click here.

eSecurity Planet – HBO Hack Highlights Importance of Encryption, Data Governance

1.5 TB of data, including unreleased episodes of upcoming shows, was stolen and leaked online.

Gemalto CTO of data protection Jason Hart said by email that broadcasters in particular face a unique threat. “Due to the nature of the industry, hackers have the opportunity to access data as it is transmitted between multiple data centers, and so they require solutions to help encrypt their high value TV transmissions — without interfering with the audience’s viewing experience,” he said.

“HBO now joins a list of other Hollywood victims of crime such as Netflix and Sony,” Hart added. “This incident is another reminder that broadcasters must invest in fundamental security controls and practices — encryption, key management and two-factor authentication — to control access to highly sought-after content and protect it in the event that a breach takes place.”

To read the full article click here.

Game of Threats: It’s Time for a New Data Security Script

HBO now finds itself among a growing list of Hollywood data breach victims, joining Netflix and Sony in having some very serious intellectual property stolen by hackers: their programming content. One would think media companies would defend their most sensitive assets the way banks defend financial data. That does not seem to be the case here. There’s an explanation for that, which I will get to shortly. But let me start with some context.

This data breach comes just as HBO has released the seventh season of Game of Thrones. For the first six seasons, it’s been somewhat easy to predict what might happen because readers of George R. R. Martin’s books knew the general storyline. Season seven is different. There’s no book to provide a script. This time around, viewers are all flying blind – with the exception of a few clues that may foreshadow the events of this new season. (Of course, this could now change because of the breach.)

This is roughly where IT and security teams find themselves today when it comes to protecting their data and networks from hackers and other threats. It’s a new Game of Threats and there’s no script to follow. There is so much data to defend, the attack surface has grown, and the threat vectors are too numerous to stay on top of. Security teams can no longer rely on traditional strategies to predict how best to defend their networks and what is most critical – their data. The script they have followed – breach prevention – is a thing of the past, just like medieval history and the dodo bird.

Much like the castles of Dragonstone, Riverrun and Winterfell that were built to protect the great houses in the Game of Thrones, today’s security teams continue to rely on defending the perimeter as the foundation of their strategy. Build walls and moats, set up sentries to keep guard and monitor who gets in (or not) with the right password or credentials. Even as the threats and technology landscape has changed dramatically, this is the essence of security practiced today. But just like the first (and second) Siege of Riverrun, castles and perimeter defenses can easily be compromised and taken control of by outsiders.

Breach prevention (as a foundational strategy) is dead. Relying on perimeter security as the principal means of protecting sensitive information is a fool’s errand. Instead, companies should stop pretending they can prevent a perimeter breach. They should accept this reality and build their security strategies accordingly. They need to learn how to best secure the breach and adopt cybersecurity situational awareness. It is impossible to protect everything by building bigger walls and adding more guards to detect attacks. They should deploy layered defensive strategies that protect what matters most, where it matters.

In 2017, companies will spend $90 billion on information security worldwide, up nearly eight percent from last year. Most of this is being spent on prevention, detection and response products and services. Now let’s weigh that against how effective this has been. According to the Breach Level Index, more than 1.4 billion data records were stolen in 2016, up 86% from 2015. So, one might say companies are not making very good investments with their IT budgets. You know the saying often attributed to Albert Einstein, that the definition of insanity is doing the same thing over and over again and expecting different results? It applies very well to how data security is done today.

It’s time for a new data security mindset: one that shifts from breach prevention to breach acceptance and is focused on securing the breach. This Secure the Breach manifesto is something we have been saying for five years. Companies need to move their security controls as close as possible to the data and to the users accessing that data, because perimeter security controls do not protect data. By embedding protection on the assets themselves you ensure that even after the perimeter is breached, the information remains secure. By implementing a three-step approach – encrypting all sensitive data at rest and in motion, securely managing and storing all of your encryption keys, and controlling access to apps and authenticating users – you can effectively prepare for a breach. That way, you can Secure the Breach and more effectively defend your company in the Game of Threats.
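The first two steps of that approach, encryption at rest and key management kept apart from the data, are what turn a stolen database into noise. The following Go program is an added example written for this post, not Gemalto’s code or a description of any product: it implements envelope encryption with AES-256-GCM from the Go standard library, where each record gets its own data encryption key (DEK), the DEK is stored only in wrapped form under a key-encryption key (KEK), and the KEK is assumed to live in a separate key manager (here simply a byte slice handed to the functions). The record ID `cust-0001` and the customer row are constructed sample data, not real records.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a row as it sits in the database: ciphertext plus a wrapped
// per-record key. Neither the plaintext nor any key that unlocks it is stored.
type Record struct {
	ID         string
	WrappedDEK []byte // DEK sealed under the KEK, nonce prepended
	Ciphertext []byte // row data sealed under the DEK, nonce prepended
}

// aeadSeal encrypts plaintext with AES-256-GCM under key, binds aad to the
// result, and returns nonce || ciphertext || tag.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; a wrong key, altered data or wrong aad fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewKey returns a fresh 256-bit key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// EncryptRecord makes a fresh DEK for one row, encrypts the row under it, then
// wraps the DEK under the KEK. The row ID is associated data in both layers so
// a wrapped DEK or ciphertext cannot be silently moved onto another row.
func EncryptRecord(kek []byte, id string, plaintext []byte) (Record, error) {
	dek, err := NewKey()
	if err != nil {
		return Record{}, err
	}
	ct, err := aeadSeal(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := aeadSeal(kek, dek, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord needs the KEK from the key manager; the database alone is not
// enough, so whoever holds only a dump of the table stops at the first step.
func DecryptRecord(kek []byte, r Record) ([]byte, error) {
	dek, err := aeadOpen(kek, r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", r.ID, err)
	}
	return aeadOpen(dek, r.Ciphertext, []byte(r.ID))
}

// DumpLeaks models the attacker's first move with a stolen table: search the
// raw bytes for a known value. Reports true if the value is visible.
func DumpLeaks(records []Record, needle []byte) bool {
	for _, r := range records {
		if bytes.Contains(r.Ciphertext, needle) || bytes.Contains(r.WrappedDEK, needle) {
			return true
		}
	}
	return false
}

func main() {
	kek, _ := NewKey() // in practice fetched from an HSM/KMS, never stored beside the data
	rec, err := EncryptRecord(kek, "cust-0001", []byte("Arya Stark,IBAN GB00 0000 0000 0000 00")) // constructed sample row
	if err != nil {
		panic(err)
	}
	fmt.Println("dump reveals IBAN:", DumpLeaks([]Record{rec}, []byte("IBAN")))
	pt, err := DecryptRecord(kek, rec)
	fmt.Printf("with KEK: %q (err=%v)\n", pt, err)
	wrong, _ := NewKey()
	_, err = DecryptRecord(wrong, rec)
	fmt.Println("with wrong KEK:", err)
}
```

The point the code makes is the one the paragraph above makes: an attacker who walks off with the table has ciphertext and wrapped keys but not the KEK, so the exfiltrated records render nothing useful, while the application, which can reach the key manager, decrypts normally. Binding the row ID as associated data also stops a subtler attack on stolen-then-tampered data, re-attaching one customer’s ciphertext to another customer’s row. Encryption in motion (TLS between application, database and key manager) and the third step, access control and authentication of users, are not shown here.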

Protect what matters, where it matters – Discover how at Secure the Breach.

This post also appears on the Gemalto Enterprise Security Blog here.


eSecurity Planet – Massive Breach of Swedish Citizens’ Data Points to Desperate Need for Risk Management

Vehicle registration data for every Swedish citizen was exposed — including those under witness protection.

“It is clear that there is a divide between organizations’ perceptions of the effectiveness of perimeter security and the reality,” Gemalto vice president and chief technology officer for data protection Jason Hart said in a statement. “By believing that their data is already secure, businesses are failing to prioritize the measures necessary to protect their data.”

To read the full article click here.