What should CISOs be prioritising in 2019?

There is no doubt that 2018 has been a memorable year for cybersecurity professionals and the industry as a whole. From overseeing the implementation of the General Data Protection Regulation (GDPR), to the record-breaking number of data breaches, CISOs have had increasing pressures on their shoulders. And, as technologies like Artificial Intelligence (AI) gain more prominence and emerging technologies such as quantum computing are pursued even further, 2019 looks like it could be another hard year for the industry.

With all this in mind, what might the next 12 months bring the security industry?

Quantum Computing Puts Pressure on Crypto-Agility

Next year will see the emergence of the future of security: crypto-agility. As computing power increases, so does the threat to current security protocols, and encryption is the notable example, because a static algorithm that cannot be swapped out could be broken by that increased power. Crypto-agility will enable businesses to employ flexible algorithms that can be changed, without significantly changing the system infrastructure, should the original encryption fail. It means businesses can protect their data from future threats including quantum computing, which is still years away, without having to tear up their systems each year as computing power grows.
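The paragraph above describes crypto-agility as the ability to swap an algorithm without rebuilding the surrounding system. The following Python script is an added example, not code from the original post or from any vendor it mentions, showing the mechanism in one concrete place: stored credential hashes are tagged with the algorithm and parameters that produced them, verification reads the tag instead of hard-coding an algorithm, and records made with an older algorithm are migrated to the current one on their next successful use. The algorithm tags, the `$`-separated record format and the iteration counts are this example's own assumptions, not a standard; only Python's standard library is used.

```python
"""Crypto-agility in practice: algorithm-tagged credential hashes.

Added example (not from the original post). Each stored record carries the
identifier of the algorithm and parameters that produced it, so the code that
verifies it never hard-codes an algorithm. Introducing a stronger algorithm is
a one-line registry change plus a change to CURRENT_ALGORITHM; nothing else in
the application moves, and old records keep verifying until they are migrated.
The tag names, record layout and iteration counts are assumptions of this
example, not a standard.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# Registry of supported algorithms: tag -> function(password, salt) -> digest.
# Adding a new entry is the only change needed to support a new algorithm.
ALGORITHMS: Dict[str, Callable[[bytes, bytes], bytes]] = {
    "pbkdf2-sha256-100k": lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000),
    "pbkdf2-sha512-210k": lambda pw, salt: hashlib.pbkdf2_hmac("sha512", pw, salt, 210_000),
}

# The algorithm new records are written with. Changing this single constant
# moves the system forward; verification of older records still works.
CURRENT_ALGORITHM = "pbkdf2-sha512-210k"


def hash_password(password: str, algorithm: str = CURRENT_ALGORITHM) -> str:
    """Produce a self-describing record: <tag>$<salt hex>$<digest hex>."""
    salt = os.urandom(16)
    digest = ALGORITHMS[algorithm](password.encode("utf-8"), salt)
    return f"{algorithm}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> Tuple[str, bytes, bytes]:
    """Split a stored record into (tag, salt, digest); reject unknown tags."""
    algorithm, salt_hex, digest_hex = record.split("$")
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm tag: {algorithm!r}")
    return algorithm, bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(record: str, password: str) -> bool:
    """Verify using whichever algorithm the record itself names."""
    algorithm, salt, expected = parse_record(record)
    actual = ALGORITHMS[algorithm](password.encode("utf-8"), salt)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_upgrade(record: str) -> bool:
    """True when the record was produced by an algorithm other than the current one."""
    return parse_record(record)[0] != CURRENT_ALGORITHM


def verify_and_upgrade(record: str, password: str) -> Tuple[bool, Optional[str]]:
    """Verify, and on success return a replacement record if the stored one is
    outdated. Re-hashing is only possible here, at login, because the plaintext
    password is available; the caller persists the replacement in place of the
    old record."""
    if not verify_password(record, password):
        return False, None
    if not needs_upgrade(record):
        return True, None
    return True, hash_password(password)


if __name__ == "__main__":
    # Constructed sample: a record written before the algorithm change.
    legacy = hash_password("correct horse battery staple", "pbkdf2-sha256-100k")
    ok, replacement = verify_and_upgrade(legacy, "correct horse battery staple")
    print("verified:", ok)
    print("legacy record needed upgrade:", needs_upgrade(legacy))
    print("replacement is current:", replacement is not None and not needs_upgrade(replacement))
```

The same pattern applies to encrypted data at rest: a ciphertext header naming the cipher, mode and key version lets a decrypt routine dispatch on the header, and a background job can re-encrypt old records under the new algorithm while the application code stays unchanged. What the pattern cannot do is migrate records it never touches, so an inventory of which tags are still present in storage is part of any real deployment.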

Hackers will launch the most sophisticated cyber-attack ever using AI in 2019

Up until now, the use of AI has been limited, but as computing power grows, so too do the capabilities of AI itself. In turn this means that next year will see the first AI-orchestrated attack take down a FTSE 100 company. Creating a new breed of AI-powered malware, hackers will infect an organisation's systems with it and sit undetected, gathering information about users' behaviour and the organisation's systems. Adapting to its surroundings, the malware will then unleash a series of bespoke attacks designed to take down the company from the inside out. The sophistication of this attack will be like none seen before, and organisations must prepare themselves by embracing the technology itself as a method of hitting back and fighting fire with fire.

Growing importance of digital transformation will see the rise of Cloud Migration Security Specialists in 2019

As organisations embrace digital transformation, the process of migrating to the cloud has never been under more scrutiny: from business leaders looking to minimise any downtime and gain a positive impact on the bottom line, to hackers looking to breach systems and wreak havoc. As such, 2019 will see the rise of a new role, the Cloud Migration Security Specialist, to help the CISO securely manage the transition. Whether the role is internal or external, a vital part of supporting the CISO is to ensure that as workloads transition to the cloud they are secure from any potential hackers.

Security Boulevard – Gemalto Launches the New Data Security Directions Council

Our industry is undergoing a period of rapid evolution at the moment on many different levels, so at times like this it becomes vital that we pool our knowledge and insight to help inform the strategic decisions that each organization will have to make. To play our part in that, Gemalto has created the Data Security Directions Council (DSDC).

The mission of the DSDC is to bring together information security leaders from across the globe and from different industry sectors so that they can share their strategic insights on future issues and challenges associated with data protection. In fact, the first Data Security Directions Council report has just been released. In Information Security 2025: Insights into the future of data security, data threats, regulations and technology members of the DSDC shared their thoughts on what different aspects of information security might look like in the year 2025. Their predictions covered a large variety of security-related topics and offered a diverse set of opinions and insight.

For example, Rick Robinson, Offering Manager for Encryption and Key Management for the Data Security Group at IBM Security, forecasted in the report that organizations will in time become more comfortable with encryption. He also explained how he anticipates that attackers and law enforcement will continue their cat-and-mouse game around the theft of account credentials.

Meanwhile, Western Union’s information security director Roman Gruber emphasized that he believes that basic security practices will still be as relevant in the future:

Root concepts still need to be applied even if the end-points change. You still have to protect the data and OS. Root principles and attacks will change but the principles remain the same.

The council members also provided some real insight into other aspects likely to impact the shape of information security in this timeframe. They tackled topics like how the cloud will have changed the security paradigm, and how the regulatory landscape and law enforcement efforts will need to evolve. These experts also weighed in on how IoT and mobile employees will shape information security practices going forward and what data breach prevention might look like in the coming years.

For me, it was interesting to see how current “hot” topics such as Blockchain and Quantum Computing weighed in on their thinking. I think the resulting commentary may surprise you.

I, for one, am really looking forward to future reports, insight, debates and conversations with the council and its members. It’s all too easy for us all to get bogged down in the weeds of our day-to-day work life and the DSDC offers us a rare opportunity to step back for a moment and consider the bigger picture. These reports are set to become “must read” documents for any security leader.

Interested in Becoming a Council Member?

Council members are drawn from individuals, organizations and disciplines leading the way in information security across the globe. Members provide insight on topical information security developments based upon their own experience and understanding, with the sole aim of advancing security practice. Outside of input to the reports, the council also provides opportunities for members to represent the council's work publicly and offers them an opportunity to address broader issues than is potentially possible in their current roles.

Those interested in learning more about the Data Security Directions Council should reach out to Anina Steele, Senior Public Relations Manager at Gemalto, by emailing Anina.steele@gemalto.com or calling +44 1276 608 055.

4 Important trends in cloud security

Significant security challenges confront organizations as they migrate their IT needs and processing resources to the cloud. They must first select a cloud service provider that can hopefully ensure security of the cloud and thereby fulfill its half of the Shared Responsibility Model. Next, they must implement appropriate security controls such as encryption, access management and multi-factor authentication in their effort to secure corporate and customer data.

This process is becoming more and more complicated as time goes on. On the one hand, IT personnel no longer have the control over data in the cloud and IT spending they once had, which is shaping the types of security processes in which organizations are investing. On the other hand, external forces like new data protection regulations such as the European Union's General Data Protection Regulation (GDPR) will likely affect cloud storage practices, yet it's unclear how organizations' efforts to comply with the regulation could change cloud governance.

These are some of the realities in Gemalto’s 2018 Global Cloud Data Security Study.

cloud security infographic

For the report, Gemalto commissioned the Ponemon Institute to survey 3,621 IT and information security practitioners in the United States, the United Kingdom, Australia, Germany, France, Japan, India, and Brazil about their organizations’ use of the cloud and the security challenges they are facing as a result. The survey yielded several key trends. Here are four that are particularly relevant for organizations and their cloud data security strategies:

  1. Organizations Are Not Fulfilling Their Commitment to Cloud Data Security

For Gemalto’s 2018 study, Ponemon Institute found that 67% of respondents say their organizations are committed to protecting confidential and sensitive information in the cloud. That pledge notwithstanding, fifty-three percent of respondents do not agree their companies have a proactive approach to compliance. Even more than that (57%) do not believe their organizations are careful enough when sharing sensitive information with third parties.

As a result, many respondents are concerned about the security of the data their employers store in the cloud. Organizations primarily store customer information (59%), email (49%), consumer data (47%), employee records (38%), and payment information (39%) in the cloud. Approximately half of participants in Gemalto's study worry most about payment information and customer information, at 54% and 49%, respectively. Eighty-eight percent of respondents are also concerned the European Union's GDPR will play some role in demanding more from organizations and their commitment to cloud data security.

  2. The IT Department Is Losing Control of Cloud Security Practices and Budget

Gemalto’s report reveals that IT is losing control of both its budget and corporate data stored in the cloud. Indeed, the average percent of IT spending controlled by the IT department was fifty-three percent in 2016. That proportion declined to under half (40%) of spending in 2017.

At the same time, functions outside of information technology are deploying an average of fifty-eight percent of cloud services. This figure represents a significant increase over 2016. So too does the fact that the average percent of corporate data stored in cloud environments and not managed by IT has grown from 44 percent to 53 percent.

  3. Challenges and a Lack of Focused Practices Abound in Cloud Security

Survey respondents report the difficulty in protecting confidential information when using cloud services has decreased in several key areas. 54% of IT and infosec professionals say it’s more difficult to defend cloud data in Gemalto’s 2018 study. That figure is down from sixty percent the previous year. At the same time, the difficulties in restricting end-user access decreased from 53% of respondents in 2016 to 51% of participants in 2017.

Even so, challenges still abound in cloud security. Seventy-one percent of survey respondents say it’s difficult to apply conventional information security principles in a cloud environment, with close to that same percentage of participants (62%) saying their organization’s use of cloud resources increases compliance risk. Meanwhile, sixty-seven percent of IT professionals cite their companies’ inability to directly inspect cloud providers for security compliance as a source of difficulty, though 61% of respondents say their organizations now evaluate the security capabilities of a cloud provider prior to engaging their services and deploying their technology.

  4. Encryption and Access Management Solutions Are Growing in Use and Importance

Seventy-seven percent of those who participated in Gemalto’s 2018 study think the ability to encrypt or tokenize sensitive or confidential data stored in the cloud is important, with more than nine in ten (91%) saying it will become more important in the next two years. At this time, 47 percent of respondents say they use encryption or similar tools to secure data at rest in the cloud; 58% report that encryption is used for data sent and received by the cloud provider. Encryption or tokenization of data within cloud applications has also increased by eight percentage points (from 28% to 36%) over the last two years.

In addition, strong user access controls and access management for data stored in the cloud have increased in importance according to the study. The ability to control strong authentication prior to accessing data and applications in the cloud has increased from 73 percent of respondents to 81 percent of respondents over the past few studies. In addition, 53 percent of respondents say their organization uses multi-factor authentication to secure access to data in the cloud environment. Just under that percentage of respondents (47 percent) say their organizations use multi-factor authentication for employees' access to the cloud. When asked the percent of cloud applications that have user-enabled access controls, the average is only 19 percent.

The Tip of the Iceberg

The findings presented above are just a snapshot of Gemalto and Ponemon Institute’s study on the ever-evolving cloud data security landscape. The report also investigates what organizations look for when choosing a cloud service provider (CSP) and what IT professionals consider to be the most important identity and access management features for the cloud. It also delves into organizations’ engagement with the cloud differentiated by respondents’ country of origin.

For insight into these and many other issues, download Gemalto’s Cloud Governance and Security Research.

This blog post also appears on the Gemalto Security blog here.

Four Data Security Trends that Defined 2017

With 2018 upon us, it’s important we take stock of the data security trends and threats that defined 2017. Several notable trends emerged over the course of the year, after all, and these will no doubt continue to shape the data security landscape into 2018 and beyond.

Here are four such remarkable data security trends that helped mould the past year:

1. International Malware Outbreaks

One of the most notable data security trends of 2017 was that three strains of malware made headlines for attack campaigns that swept across national boundaries. On 12 May, WannaCry ransomware got things going with an outbreak that claimed the United Kingdom's National Health Service (NHS), Spanish telecommunications giant Telefonica, and at least 200,000 other organizations worldwide as victims. NotPetya followed less than two months later when the Petya impersonator/wiper malware struck a Ukrainian power supplier, France's Saint-Gobain, and close to 17,000 other targets primarily in North America and Europe. Both attacks leveraged EternalBlue, an exploit which abuses a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol, for distribution.

It wasn't until October 2017 that Bad Rabbit, a strain of Diskcoder, reared its head. This malware used drive-by attacks as its primary means of infecting users. As a result, it infected only a few hundred computers, mainly located in Russia, Ukraine, Germany, Turkey, South Korea, the United States, and a few other countries.

2. Mega-Breaches (and Curious Responses)

In light of the hacking attack disclosures involving LinkedIn, Dropbox, Yahoo (which only got worse), and others, history will no doubt remember 2016 as the "Year of the Mega Breach." 2017 didn't produce as many mega-breaches as 2016, but it nevertheless yielded some notable data security incidents, with some equally extraordinary responses. You can find a database of data breaches going back to 2013 in Gemalto's Breach Level Index.

For instance, Equifax acknowledged in the beginning of September that hackers had breached its systems and thereby compromised the personal information of 143 million American citizens. Consumers’ personal data was simply left unencrypted. Things went awry on the day of disclosure when the credit bureau directed concerned users to visit a resource to verify if they were victims of the breach. That resource was located at a separate site riddled with bugs. Additionally, a slow disclosure time and subsequent gaffes on Twitter led Brian Krebs to call the response a “dumpster fire.”

Two months later, the world learned of the data breach at Uber that compromised 57 million driver and rider accounts in 2016. The ride-sharing company ultimately met the hackers' ransom of $100,000 to ensure the attackers deleted their copy of the stolen data. It then went further by insisting the hackers sign an NDA, camouflaging the ransom payment as a bug bounty program payout, and remaining silent about the breach for more than a year.

3. CIA Hacking Tools

In the spring of 2017, WikiLeaks published a series of documents pertaining to the Central Intelligence Agency's hacking operations. Detailed in those leaked sources are various tools used by CIA agents to infiltrate their targets, including malware for smart TVs and iOS exploits. The documents even include borrowed code from public malware samples.

Symantec subsequently analyzed those hacking tools in April and linked them to 40 attacks in 16 countries conducted by a group called Longhorn. It’s unclear how many additional attacks those tools have since facilitated.

4. Attacks against Cryptocurrency Exchanges

One Bitcoin was worth just $979 on 1 January 2017. Since then, its value has multiplied more than 13 times, with its rate peaking at $19,843. Investors no doubt celebrated that price explosion. But they weren't the only ones tracking the digital money's increase. Malefactors also saw the rise of Bitcoin; they took it upon themselves to try to hack various exchanges for the cryptocurrency. Indeed, at least eight marketplaces have suffered data breaches as of 23 December, with Parity Technologies losing $32 million in Ethereum and hackers stealing $70 million in Bitcoin from NiceHash. One can expect this data security trend to continue into 2018.

What Made 2017 Stand Out for You?

Which of these data security trends and threats concerns you most? Did another data security trend grab your attention in 2017? If so, let me know in the comments!

This post also appeared on the Gemalto Security blog here.

6 steps to prepare for post Brexit GDPR compliance

Ever since the vote to leave the EU last year, it's been unclear how much, if any, of the incoming GDPR legislation would be applied in the UK. Thankfully, the government has taken this on board, and today revealed plans to improve our current data protection legislation.

This updated law aims to:

  1. Transfer the European Union’s current General Data Protection Regulation into UK law
  2. Grant the UK’s data protection watchdog new powers to levy bigger fines on firms that break laws
  3. Give UK citizens more control over what happens to their personal information, such as asking for personal data posted when they were children to be deleted

This overhaul of UK data protection law is a big step towards updating the country’s approach to cybersecurity. By putting control of their personal data back in the hands of consumers, the pressure is on for businesses to ensure they are adhering to data protection laws. Those that don’t risk losing consumer trust.

Incorporating the incoming GDPR legislation into UK law is an important step, as it will dispel any uncertainty businesses had around its fate post-Brexit. With the deadline for compliance fast approaching, there is now no reason for UK businesses not to be moving towards meeting these data protection laws.

Six steps every business should undertake ahead of GDPR
While it’s all well and good talking about compliance, it’s another thing entirely to understand the steps a business must take to work towards it. So, what does a business need to do, to ensure it’s protecting the data it holds? Below are six steps every business should undertake on its journey towards GDPR compliance.

Step one – Get to grips with GDPR’s legal framework
The first step that any business needs to take is to understand how each aspect of the legislation applies to it. By conducting a full audit against the GDPR legal framework, a business will come to understand what it needs to do and what the consequences of failing to do so are. As part of this compliance audit, a business should hire a Data Protection Officer (DPO), who will be responsible for ensuring the company adheres to the regulations. Ideally, a DPO would have a background in both law and technology, so they're able to understand both the technical specifications and the regulatory framework they need to meet. Every organisation is different, and so no GDPR journey will look the same; correct guidance from business leaders to employees is needed to ensure the whole company understands how to be compliant.

Step two – Create a Data Register
Once a business understands the steps they need to take, it’s important that they keep a record of the process. This is best done with a Data Register – essentially a GDPR diary. The Data Protection Association (DPA) of each country will enforce GDPR, and be responsible for judging if a business is compliant when determining any penalties for being breached. In this event, the Data Register will be a crucial tool for demonstrating the progress the affected business has made in becoming compliant. If they have no proof, the DPA would be able to fine between 2% and 4% of the company’s turnover. The amount and speed of the DPA’s decision would depend on the sensitivity of the data.

Step three – Classify data
While understanding what protections, if any, are already in place is important, this step focuses on helping businesses understand what data they need to protect and how that is being done. First, a business must locate any Personally Identifiable Information of EU citizens, that is, information that can directly or indirectly identify someone. It's crucial to know where this is stored, who can access it, who it has been shared with, and so on. It can then determine which data is most vital to protect. In addition to this, it's important to know who is responsible for controlling and processing the data, and to make sure all the correct contracts are in place.

Step four – Identify the top priorities
Next, a business needs to evaluate how that classified data is being produced and protected. Regardless of how data is collected, the first priority should always be to protect the user’s privacy. Businesses should ask themselves if they need the sensitive data they have collected – this data is worth a lot to a hacker, and has the greatest risk of being stolen. Businesses should complete a Privacy Impact Assessment and Data Protection Impact Assessment of all security policies. When doing this, it’s important to keep the rights of EU citizens in mind, including restrictions of processing and data portability. In particular, any data third parties use to identify someone must be deleted if requested by that individual and approved by the EU. It’s crucial that all this data is correctly and promptly destroyed and can’t be accessed. This process is known as the “right to be forgotten”.

Evaluating how the business protects this data comes next (for example, with encryption, tokenisation or pseudonymisation). The evaluation must explore any historical data, the data being produced and any data that is backed up, either on-site or in the cloud. This data must be anonymised to protect the privacy and identities of the citizens it relates to. All data needs to be protected from the day it is generated to the day it is no longer needed.

Step five – Document and assess any additional risks and processes
Of course, there’s more to compliance than just protecting the most sensitive data – the next stage of the process is to assess and document any other risks, to discover any other processes or areas that might be vulnerable. While doing this, the business should update its Data Register, to show the DPA how they are addressing any existing risks. Only by doing this can a business demonstrate to the DPA that it is treating compliance and data protection seriously and with respect.

Step six – Revisit and repeat
Finally, the last step on the compliance journey focuses on revisiting the outcome of the previous steps and remediating any potential consequences, tweaking and updating where necessary. Once this is complete, businesses should evaluate their next priorities and repeat the process from step four.

The basis of this new data protection bill and GDPR is to push businesses into action and start putting security at the top of the agenda. When next May comes around, businesses won't be able to hide anymore. It's vital to start making the preparations for compliance now, before it's too late. It's not a case of if, but when, a breach occurs, and that revelation could cause serious damage to a business's reputation. Not only this, but businesses will also face severe fines. With just a year to go, there are no longer any excuses for businesses when it comes to protecting their customers' data.

What can you do to prepare for the emerging GDPR requirements? Read Preparing for the General Data Protection Regulation.

Game of Threats: It’s Time for a New Data Security Script

This data breach comes just as HBO has released the seventh series of Game of Thrones. For the first six seasons, it’s been somewhat easy to predict what might happen because readers of George R. R. Martin’s books knew the general storyline. Season seven is different. There’s no book to provide a script. This time around, viewers are all flying blind – with the exception of a few clues that may foreshadow the events of this new season. (Of course, this could now change because of the breach, but .)

This is kind of how IT and security teams find themselves today when it comes to protecting their data and networks from hackers and other threats. It's a new Game of Threats and there's no script to follow. There's so much data to defend, the attack surfaces have increased and the threat vectors are too large to stay on top of. Security teams can no longer rely on what traditional strategies have told them in order to predict how best to defend their networks and what is most critical – their data. The script they have followed – breach prevention – is a thing of the past, just like medieval history and the dodo bird.

Much like the castles of Dragonstone, Riverrun and Winterfell that were built to protect the great houses in the Game of Thrones, today’s security teams continue to rely on defending the perimeter as the foundation of their strategy. Build walls and moats, set up sentries to keep guard and monitor who gets in (or not) with the right password or credentials. Even as the threats and technology landscape has changed dramatically, this is the essence of security practiced today. But just like the first (and second) Siege of Riverrun, castles and perimeter defenses can easily be compromised and taken control of by outsiders.

Breach prevention (as a foundational strategy) is dead. Relying on perimeter security as the principal means of protecting sensitive information is a fool's errand. Instead, companies should stop pretending they can prevent a perimeter breach. They should accept this reality and build their security strategies accordingly. They need to learn how to best secure the breach and adopt cybersecurity situational awareness. It is impossible to protect everything by building bigger walls and adding more guards to detect attacks. They should instead deploy layered defensive strategies that enable them to protect what matters most, where it matters.

In 2017, companies will spend $90 billion on information security worldwide, up nearly eight percent from last year. Most of this is being spent on prevention, detection and response products and services. Now let’s weigh that against how effective this has been. According to the Breach Level Index, in 2016 there were more than 1.4 billion data records stolen which was up 86% versus 2015. So, one might say companies are not making very good investments with their IT budgets. You know the saying made famous by Albert Einstein that the definition of insanity is doing the same thing over and over again and expecting different results? It applies very well with how data security is done today.

It’s time for a new data security mindset. One that shifts from breach prevention to breach acceptance and is focused on securing the breach. This Secure the Breach manifesto is something we have been saying for five years. Companies need to move their security controls as close as possible to the data and users accessing that data because perimeter security controls do not protect data. By embedding protection on the assets themselves you ensure that even after the perimeter is breached, the information remains secure. By implementing a three step approach – encrypting all sensitive data at rest and in motion, securely managing and storing all of your encryption keys, and controlling access to apps and authentication of users – you can effectively prepare for a breach. That way, you can Secure the Breach and more effectively defend your company in the Game of Threats.

Protect what matters, where it matters – Discover how at Secure the Breach.

This post also appears on the Gemalto Enterprise Security Blog here.

What challenges enterprise cyber security executives?

Here's an understatement for you: this is an interesting time to be a cyber security or risk management executive at an enterprise.

In reality, this is the most challenging period ever for organizations when it comes to safeguarding data and systems. There is a rising number of data breaches—nearly 1.4 billion data records were lost or stolen in 2016, according to Gemalto’s Breach Level Index—and serious threats such as ransomware are making worldwide headlines on a regular basis.

On top of that, companies are having to deal with a growing number of data protection regulations. This includes the General Data Protection Regulation (GDPR), a set of rules created by the European Parliament, European Council and European Commission to strengthen data protection for individuals within the European Union (EU).

Despite these and other developing challenges swirling around the cyber security landscape, many organizations are relying on the same old security solutions they’ve had in place for years. For example, a majority of IT professionals still think perimeter security products are effective at keeping unauthorized users out of their networks, according to a new Gemalto report conducted by independent research firm Vanson Bourne.

The report, Gemalto’s fourth-annual Data Security Confidence Index, also shows that companies are under investing in technology that adequately protects their business.

To gather data for the study, Vanson Bourne surveyed 1,050 IT decision makers across the U.S., U.K., France, Germany, India, Japan, Australia, Brazil, Benelux, the Middle East and South Africa on behalf of Gemalto. The sample was split between manufacturing, healthcare, financial services, government, telecommunications, retail, utilities, consultation and real estate, insurance and legal, IT and other sectors, from organizations with 250 to more than 5,000 employees.

A huge majority of those surveyed (94%) think perimeter security tools are quite effective at keeping unauthorized users out of their networks. But at the same time, about two thirds (65%) are not extremely confident that their data would be protected should their perimeter be breached. This represents a slight decrease from the survey conducted last year (69%). And despite the broad lack of confidence, nearly six in 10 of the organizations report that they think all their sensitive data is secure.

This shows that at many organizations, perimeter security is the focus but a good understanding of technology and data security is still lacking. Many of these businesses are continuing to prioritize perimeter security without realizing it has been largely ineffective against sophisticated cyber attacks.

The latest Gemalto research findings show that 76% of the decision makers said their organization had increased investment in perimeter security technologies such as firewalls, intrusion detection and prevention systems (IDPS), antivirus software, content filtering tools and anomaly detection systems to protect against external attackers.

Despite this investment, however, two thirds of the survey respondents (68%) think unauthorized users could access their networks, rendering their perimeter security ineffective.

These findings suggest a lack of confidence in the solutions being used today, especially when you consider that more than one quarter of the organizations (28%) have suffered perimeter security breaches over the past 12 months.

The reality of the situation gets even worse when you take into account the fact that, on average, only 8% of the data breached was encrypted. That means the vast majority of the stolen data was completely exposed to attackers—an unacceptable situation for organizations that should be doing all they can to protect sensitive information.

Furthermore, according to the report, more than half of the respondents said they do not know where their sensitive data is stored, and more than one third of businesses do not encrypt valuable information such as payment or customer data. In other words, if this data is stolen, a cyber criminal would have full access to the information and could use it for crimes such as identity theft, financial fraud or ransomware.

It is clear that there is a divide between organizations’ perceptions of the effectiveness of perimeter security and the reality. By believing that their data is already secure, businesses are failing to prioritize the measures necessary to protect their data.

Businesses need to be aware that hackers and other bad actors are going after companies’ most valuable assets: their data. It’s important that they focus on protecting these resources; otherwise reality will inevitably bite those that fail to do so.

Inadequate security not only exposes organizations’ data to attackers, it leaves enterprises open to the risk of non-compliance with regulations such as GDPR. There seems to be a global trend toward reforming and enhancing data protection laws, and many companies are not sure how to approach these new requirements.

That’s especially true of data privacy, which has traditionally been an afterthought, rather than included in products “by design.” This necessitates a longer-term change in approach and mindset.

With GDPR, which becomes enforceable in May 2018, organizations need to understand how to comply by properly securing personal data to avoid the risk of administrative fines and reputational damage. However, more than half of the survey respondents said they do not think they will be fully compliant with GDPR by May next year.

With less than a year to go, companies need to begin introducing the correct security protocols in their efforts to reach GDPR compliance, including encryption, two-factor authentication and key management strategies.

Investing in cyber security solutions has clearly become more of a focus for businesses in the last 12 months. However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold, or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don’t improve their cyber security will face severe legal, financial and reputational consequences.

That’s not all. Organizations that don’t bring their security infrastructure up to date might also face the wrath of their customers, employees, business partners and other stakeholders. Fortunately, they can take steps to bolster security before it’s too late.

Discover more and download the Data Security Confidence Report.

Also posted on the Gemalto Enterprise Security blog here.

My Situational Awareness – It is going to get Worse


In a nutshell

Forget everything that you know about information security: what you are doing is not working, and you need to completely change your mindset. Data breaches are going to get worse, they are going to cause more damage, and most of us simply are not aware of how little we are doing about it. Data is the new oil, because it’s just as valuable. The challenges in security we face are enormous.

Why is data the new oil?

Because it can be monetized!

A hacker can infiltrate data, extract it, refine it, redistribute it and use it for financial and/or political gain. Data integrity attacks have the power to bring down an entire company.
And the problem is only going to get worse as the Internet of Things (IoT) – the process whereby all products and processes are linked via the internet – proliferates.

IoT is not your traditional tech. It has multiple personas: the manufacturer of the device, the consumer, the cloud provider, the third parties, the APIs. There are five different environments and processes, and thus many security risks and attack points for the bad guys. While you may think that we are already in the age of data, we have barely crossed the start line. The explosion in data is yet to come, driven mostly by the Internet of Things.

We create more sensitive data than you can imagine. Every time you click on your phone you’re creating data. Since 2013, over 5 billion pieces of individual information have been compromised, but that’s only what has been reported. Breaches occur on a daily basis and they are never published. This means more data for criminals to get their hands on. Passwords can easily be mined from the web, as can encryption keys unless they are protected correctly; these are two of the major controls in use to prevent people accessing data. The days when, 15 years ago as an ethical hacker, I spent weeks gaining access to an organisation (something at which, by the way, I was 100% successful) are gone. It now takes minutes, if not seconds.

A simple Google search allows you to gain full access to many businesses. However, there is a solution, and it lies in your own hands.


Situational Awareness

We all need to be a bit more like Jason Bourne.
Bourne, for the uninitiated, is the lead character in the eponymous series of films, who is forever eluding the authorities. He does this by always knowing and assessing what is going on around him; I call this “situational awareness”. We all need to be more like Bourne. The problem is that few understand the critical importance of knowing the impact of people, data and processes, and this is the weakness that cyber criminals are exploiting. There are those that are simply ignorant, who just aren’t looking at or considering the impact of people, data and processes. And there are those that are arrogant and think they know it all, believing that massive investment in the latest security products will stop a breach. But it is that very arrogance that makes them vulnerable. In both cases, there is a serious lack of situational awareness.

A new mindset

These problems can all be solved overnight, but we need to think differently: we have to know what the risks are that we are trying to mitigate. We need a new mindset, because we are still in the world of breach prevention. You are never going to prevent a breach; there are too many elements, and data in too many places. We need to change our attitude to one of breach acceptance. The key is knowing what it is that you are trying to protect. Think like a bad guy: what do they want? They want data. Accept that a breach is going to happen, but understand what types of data you have, where it is and what the processes are, and you’ll get a head start. It all comes back to the same thing: situational awareness.


I see organisations around the world writing huge cheques for technology to solve the problem, but they don’t know what it is they are trying to protect. Where is that data? What type of data is it? Personal? Credit card? Trade secrets? You have to know where it is, what the process is, how people get to it. You have to understand what the risk is. Is it a confidentiality risk? Or an integrity risk? Depending on which, you can apply the appropriate action.

It’s really that simple. The world is all about data. Unless we face up to the problem and solve it, it’s only going to get worse.

Do the basics


Cyber Investigator Chronicles – a guide to the villains


If you’ve been following the news recently, you’ll know that cybersecurity is becoming increasingly important. It’s crucial that company executives take the threat of a cyber-attack seriously, as a data breach has the potential to inflict long-lasting, perhaps irreversible, damage on an organization. Fortunately, as you’ll see in our brand new comic story, Gemalto’s Cyber Investigator Chronicles, enterprises can protect themselves if they take the threat seriously. To defeat your enemy, you must understand their motives and techniques.

Here’s a guide to the villains of our Cyber Investigators comic. While they may be fictional, there are many, many people exactly like them across the world, ready to attack your organization. That’s why you must be prepared.

And don’t worry, before you ask, there aren’t any spoilers.

The hacktivists

As you’ll find out in our comic, not all hackers are driven by money. Some seek to destabilize governments and organizations in pursuit of political ambitions. A recent example was the cyber-attack on the Democratic National Committee, which was probably politically motivated. Often these hackers seek to acquire emails or documents that could cause embarrassment for an organization or state institution. Alternatively, they might try to shut down a company’s networks, preventing the enterprise from functioning and inflicting long-term damage.

The mercenaries

A lot of hackers are just in it for the money. As our comic villain says, “we’re going to make a fortune”. Cyber-attackers who fall into this description use lots of devious techniques. Some use malware to exploit a vulnerability in security systems, accessing customer data, which they then sell on the dark web (if you’re unsure what we mean by ‘dark web’, check out our JustAskGemalto website). Others might block access to data on individual machines or servers, using malicious software called ransomware, and demand large sums of money to restore access. This type of attack has become increasingly common, affecting several hospitals in the United States.

The malicious insider

Sometimes hackers act in conjunction with a malicious insider at an organization or government body. These people can have different motivations – as we promised no spoilers, we won’t reveal anything here about our comic book villain’s intentions. These insiders might provide their username and password to a devious cyber-attacker, or deliberately leak confidential information to embarrass their employers, or give privileged access to an attacker through some other means.

There are other players in the cyber attacker landscape: anarchists after chaos and disorder, opportunists, egotists trying to demonstrate their cleverness, and nation states or corporations engaging in (corporate) espionage.

As you can see, hackers can have a variety of motives, and can be extremely devious in achieving them. You may not think yourself a target, but if your customer is one, or you’re a supplier to another, you may fall into the crosshairs. By securing the breach, taking steps to deploy effective authentication, encryption and key management systems, it’s possible to reduce the impact of any cyber-attack.

To find out more about the different types of hackers – and, crucially, how to stop them – make sure you read our comic and follow the Cyber Investigators as they fight some dangerous enemies. Plus, you can join our CrowdChat, where I will be taking part in a discussion on issues raised in our story.

Network World: 2017 breach predictions

In 2017, we’ll see more intricate, complex and undetected data integrity attacks and for two main reasons: financial gain and/or political manipulation

We’ve reached that time of year where everyone in the security industry is pulling together predictions for what we expect to see over the next year, and/or slowly backing away from any imperfect predictions we might have put forth the year before.

Last year, I offered up a number of predictions, but the one continuing to make huge waves in 2017 is around data integrity attacks. Quite simply, I expect that we’ll see more intricate, complex and undetected data integrity attacks and for two main reasons: financial gain and/or political manipulation.

Data integrity attacks are, of course, not entirely new. Data integrity is a promise or assurance that information can be accessed or modified only by authorised users. Data integrity attacks compromise that promise with the aim of gaining unauthorised access to modify data for a number of ulterior motives. It is the ultimate weaponisation of data.
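As an added illustration of the promise defined above (example code written for this page, not from the original post or from Gemalto), the records below are stored together with a keyed integrity tag, so a modification that bypasses the authorised writer is detected the next time the tag is rechecked. The key, the record store and the quota values are constructed placeholders, and in a real deployment the key would come from a key management system rather than from source code.

```python
"""Keyed integrity tags for stored records: detecting silent modification.

Added example (not from the original post). It assumes a symmetric key
held only by the authorised writer and the verifying service; the key and
records below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed demo key. In production this comes from a key management
# system, as the post recommends, and never appears in source code.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def canonical_bytes(record: dict) -> bytes:
    """Serialise a record deterministically so the tag does not depend on
    key ordering or whitespace; any change to any field changes the bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(key: bytes, record: dict) -> str:
    """Compute an HMAC-SHA256 tag over the canonical form of the record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    """Recompute the tag and compare it in constant time."""
    return hmac.compare_digest(tag_record(key, record), tag)


def find_tampered(key: bytes, store: list) -> list:
    """Return the ids of records whose content no longer matches their tag."""
    return [entry["record"]["id"] for entry in store
            if not verify_record(key, entry["record"], entry["tag"])]


# Constructed sample data: quota records written by the authorised process.
ORIGINAL_RECORDS = [
    {"id": "Q-001", "company": "Example Timber Ltd", "quota_m3": 1200},
    {"id": "Q-002", "company": "Sample Forestry Co", "quota_m3": 850},
    {"id": "Q-003", "company": "Placeholder Logging", "quota_m3": 430},
]

# The store keeps each record alongside the tag issued when it was written.
STORE = [{"record": r, "tag": tag_record(DEMO_KEY, r)} for r in ORIGINAL_RECORDS]


def simulate_silent_edit(store: list, record_id: str, new_quota: int) -> list:
    """Model the failure the post describes: a field is changed in place
    without going through the authorised writer, so no new tag is issued.
    Returns a modified copy; the original store is left untouched."""
    edited = [{"record": dict(e["record"]), "tag": e["tag"]} for e in store]
    for entry in edited:
        if entry["record"]["id"] == record_id:
            entry["record"]["quota_m3"] = new_quota
    return edited


if __name__ == "__main__":
    print("Untouched store:", find_tampered(DEMO_KEY, STORE))        # []
    altered = simulate_silent_edit(STORE, "Q-002", 8500)
    print("After silent edit:", find_tampered(DEMO_KEY, altered))    # ['Q-002']
```

The tag only helps if the key is kept away from whoever can write to the store, which is why the post ties integrity to key management: an attacker who holds the key can simply re-tag the altered record.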

A few classic examples include the 2008 case of Brazilian logging companies that accessed government systems to inflate logging quotas and the famous 2010 story on how the Stuxnet worm used very minor changes to attempt to destroy Iran’s nuclear program. In 2013, a Syrian group hacked into the Associated Press’ Twitter account and tweeted that President Obama had been injured in explosions at the White House. (That single tweet caused a 147-point drop in the Dow.)

Fast forward to 2015 when Anonymous began releasing financial reports exposing firms in the U.S. and China trying to cheat the stock market, in one case, damaging the brand reputation of REXLot Holdings, a games developer that had inflated its revenues. The same year, there was the JP Morgan Chase breach and subsequent attempt at market manipulation. Which leads us, of course, to 2016, with the World Anti-Doping Agency and Democratic National Committee breaches, both examples of how hackers are using data integrity attacks to embarrass organisations.

How will cyber attacks get worse?

What’s different now from last year’s prediction? Why will these attacks get worse? The first generation of cyber attacks were about cutting access to data, and then we moved on to data theft. Now, we’re starting to see evidence of that stolen data being altered before it moves from one machine to another, affecting all elements of operations.

The proliferation of the Internet of Things (IoT) means hackers have a seemingly infinite number of different attack surfaces and personas that they can manipulate. Use your Fitbit as an example, and look at the number of people who touch it—the user, the manufacturer, the cloud provider hosting the IT infrastructure, the third parties accessing it via an API, etc. This creates a cross-pollination of risk that the security industry has not seen before, and that’s just one person’s “thing.”

Today’s connected world constantly generates mounds of data that businesses, industry pros and analysts use to drive decisions, make projections, issue forecasts and more.

Data integrity attacks have the power to bring down an entire company and beyond. Entire stock markets could be poisoned and collapsed by faulty data. The power grid and other IoT systems from traffic lights to the water supply could be severely disrupted if the data they run on were to be altered. And perhaps the greatest danger is that many of these could go undetected for years before the true damage reveals itself. What’s at stake is trust. Decision-making by senior government officials, corporate executives, investors and average consumers will be impacted if they cannot trust the information they receive.

What you can do to protect data

At this point, you’re probably terrified—or morbidly depressed. Is there anything we can do? And the answer to that is yes. When I talk to the businesses we work with, one of the first questions I ask is, “What are you trying to protect?” If you don’t know what data you’re trying to protect, there is no point in spending money to protect it. It’s a straightforward enough question perhaps, but it isn’t very easy to answer. Despite this, working out an answer is one of the most fundamental things an organisation can do towards making itself secure. Last month’s blog, Securing the breach trumps breach prevention, detailed some additional tangible steps you can take.

Breaches will continue to happen—to expect otherwise would be unrealistic. But as their scale and complexity grows, focusing on them first would take up all of an organisation’s IT security bandwidth. A better starting point is to know what you are trying to protect.

This blog post also appears here in my regular blog for Network World.