cybersecurity

‘Cyber is the New #Black’: #Cyber Expert Points to #Diplomacy to #Solve Global #Cybersecurity Issues

Source: National Cyber Security – Produced By Gregory Evans

With growing threats not only in the physical world but also in today’s nebular cyber world, Christopher Painter ’80 argued that “cyber is the new black,” meaning that “everyone cares about cyber” now.

Painter, who has been at the forefront of cyber issues for the last 25 years, addressed growing security concerns and the role of modern cyber-diplomacy at the 2017 Bartels World Affairs Fellowship Lecture this Wednesday.

Painter, the “weary warrior” of cyber warfare for his entire career, started his career as a prosecutor dealing with cyber cases and served as the U.S. State Department’s first coordinator for cyber issues from 2011 until July this year.

While studying at Cornell in 1979, Painter used punched cards for computer programming and played hundreds of sessions of BakéGyamon, an anime computer game, for his work study. Back then, Painter reflected, “the internet … existed in very basic form. The world wide web certainly didn’t exist.”

But technology has come far since; today, “we are all dependent [on the internet] for financial transactions, social transactions and to communicate really for everything,” Painter said.

However, though this rapid technological innovation has largely “been a tremendous force for good,” it does not come without its dangers.

“[The internet] has been the target of criminals, malicious state actors, terrorists and others,” Painter said.

Therefore, it is essential to find the balance, so that we are “not trading security for openness … but having all these things together,” Painter said.

“Back then, people looked at computer hackers as Robin Hoods,” Painter said, because the common citizen’s information was not stolen, nor were they personally threatened.

This is no longer the case for the common citizen today.

In 2000, Painter was involved in a case that seemed to be a sophisticated, dangerous attack because it was on a global scale, but in reality, it was a fourteen-year-old Canadian boy, called the “MafiaBoy,” hacking computers.

His acts, Painter said, “had really a disproportionate effect and demonstrates the asymmetric nature of the technical threat.”

On a more serious note, Painter discussed the time North Korea hacked into Sony to pull back the distribution of an image, in which the country was “not only hacking into a system but was meant to curtail freedom of expression rights,” he said.

Taking this a step further, Painter highlighted a major concern regarding cybersecurity: “the fear of a debilitating attack against our infrastructure,” he said, pointing to possible examples of taking down the water system and the power system.

Painter said plainly, “It would have long-term, terrible consequences” as “not just a cyber but as a physical event.”

Therefore, “we have to be cognisant of these threats going forward,” he said.

These threats transcend individual hackers to entire nations, with different states having different visions for the future of technology.

Whereas much of the Western world is open about sharing information, Russia and China are among the countries that “want absolute sovereignty in cyberspace,” Painter said.

“The internet is not run by states — not run by government,” Painter said.

Although governments have influence over the internet to some extent, the private sector is involved, too, as Painter explained, so it is an international issue that different groups of people have to confront together.

Painter believes international law should apply to cyberspace as it does to the physical world. There is a set of norms many countries agree to, such as the idea that a nation should not attack infrastructure meant for the public good.

“You have to get countries around the world to embrace this to really make these norms stick,” he said.

So, how do we deal with the issue of cybersecurity?

Painter said, “It all comes down to the role of diplomacy — in all of this, the role of building alliances and shaping the environment and showing international cooperation is really paramount.”

The post ‘Cyber is the New #Black’: #Cyber Expert Points to #Diplomacy to #Solve Global #Cybersecurity Issues appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Far-reaching #cyber-security #Bill not uncommon in other #countries, say #Singapore experts, #industry players

Singapore is not alone in proposing a far-reaching Bill to beef up cyber security, said experts, even as it wins the support of stakeholders following a recently concluded public consultation on the issue.

Concerns about the Cyber Security Agency (CSA) of Singapore’s far-reaching powers had surfaced during the consultation. Firms must surrender any information requested when CSA investigates a suspected cyber attack, as its proposed Bill would take precedence over bank and privacy rules that prohibit data sharing.

Convinced that Singapore should not have it any other way, lawyer Gilbert Leong, senior partner at Dentons Rodyk & Davidson, said: “The far-reaching Bill is justifiable in the light of the potential damage from state-sponsored cyber espionage.”

CSA’s powers, like those of the police, are calibrated and are strictly meant to keep the lights on for essential services, Mr Leong said.

In announcing on Monday (Nov 13) its decision to keep most of its proposed ideas in the Bill, CSA responded to public feedback received during the consultation, and said the designation of a computer as critical information infrastructure would no longer be an official secret under the Official Secrets Act.

The proposed Bill, to be tabled for debate in Parliament next year, also mandates that owners of critical information infrastructure, such as those in banking, telecom and energy sectors, report security breaches and attacks “within hours”.

Similar mandatory data breach reporting requirements have been in place in the US, Europe, Japan, Australia and South Korea for years.

Mr Shlomo Kramer, founder and chief executive officer of Israeli cyber-security start-up Cato Networks, said Singapore is, in fact, playing “catch-up” with these nations in this respect.

“Such regulation will move the needle in a positive way and make organisations feel accountable,” said Mr Kramer, who also co-founded Check Point, the first firewall solutions provider, in 1993.

He spoke to The Straits Times three weeks ago when he was in Singapore to meet local cyber-services resellers ViewQwest and Quann.

Checks and balances – which are included in the proposed Bill – prevent the abuse of disclosed information, Mr Kramer noted. For instance, CSA officers may be held criminally liable if they are found to have misused the information.

Mr Bryce Boland, chief technology officer for Asia-Pacific at cyber-security firm FireEye, said laws are generally stronger in countries with a high dependence on technology. Thus, the far-reaching aspects of Singapore’s cyber-security Bill could be compared to similar laws in the United States and Britain, said Mr Boland.

Said lawyer Koh Chia Ling from law firm OC Queen Street: “The general global trend is that countries are enacting such laws and Singapore is essentially doing the same.”

Mr Jack Ow, technology partner at law firm RHTLaw Taylor Wessing, said Germany, the Czech Republic and China have similar cyber-security regimes. “The loss or compromise of such computers and computer systems could adversely affect national security or public health, safety and order,” said Mr Ow.

Technology lawyer Bryan Tan of Pinsent Masons MPillay said that debates are ongoing in the United States just like they have taken place in Singapore, arising from an ever-growing tension between security and privacy.

Referring to preserving privacy in the US, he added: “All bets are off when it comes to fighting terror or a national security issue – no one will compromise.”

Owners of critical information infrastructure said the Bill is necessary. They are waiting to work out implementation details with CSA and their sectors’ regulators.

A spokesman for telco Singtel said: “The risk of cyber-security breaches is growing, especially now as Singapore pursues its ambition to become a Smart Nation.”

An M1 spokesman said: “It is important that the powers under the Bill are exercised reasonably.”

Meanwhile, such stringent reporting requirements are not new to the banking sector.

Mr Patrick Chew, OCBC Bank’s head of operational risk management, said: “Under the Technology Risk Management Guidelines introduced in 2013, financial institutions in Singapore are already required to notify our regulator as soon as possible of any critical system failures arising from (technology) and cyber security incidents.”


Cybersecurity: #Barely perceptible #threat has potential to #derail #Canada’s #economy

What is nearly imperceptible, leaks important secrets and can keep Canada’s top bankers up at night?

A cyberattack.

It’s not a punch line but a seriously haunting prospect for those in the upper echelons of Canadian governments and corporations.

When Victor Dodig checks his phone in the morning, the chief executive of CIBC dreads reading that any government or corporation, anywhere in the world, has been hacked, he told an Ontario Securities Commission panel last month.

“Obviously, it would be more of a concern if our institution was, but we’re so interconnected that one weak link creates an issue for all of us.”

Of all the nightmare scenarios that run through Bank of Canada governor Stephen Poloz’s head, the threat of a cyberattack is “more worrisome than all the other stuff,” he told The Canadian Press in an October interview.

Cybersecurity experts fear government and corporate defensive capabilities are not keeping pace with growing ranks of sophisticated hackers, a sentiment underscored by recent events.

This week, The New York Times reported that the National Security Agency — America’s largest intelligence organization known for its own clandestine hacking operations — had been infiltrated by a hack, an insider’s leak, or both. The cyberweapons it developed to spy on other countries are now being used against it, and a 15-month investigation has not produced a clear source of the leak.

The latest revelations come two months after Equifax Inc. disclosed that nearly half the U.S. population had sensitive personal information stolen by hackers who exploited a weakness in its system.

The data breach was announced in September, almost five months after hackers first broke in. They downloaded sensitive information undetected for almost two months before Equifax discovered the breach.

While U.S. politicians lambasted the company for its slow response, the political reaction in Canada was decidedly less strident, despite the fact that the company declined for weeks to identify just how many Canadians had been affected.

Equifax Canada’s silence was enabled by the lack of federal laws to force companies to disclose breaches and theft of information or money.

But that could change if a mandatory data breach reporting requirement amendment to the Personal Information Protection and Electronic Documents Act is passed. It must undergo several more stages after a consultation period for a draft closed last month, more than two years after it was first proposed.

In the meantime, cyberattacks have become increasingly routine.

Almost 60 per cent of Canadian businesses that responded to an Ipsos poll in February said they either suspect or know for certain that they were hacked last year, while more than one-third of Canadian individuals said in an Accenture survey that they have been the target of a cyberattack.

Hacks involving extortion were up 50 per cent last year, according to a report by Verizon Communications. And that company knows all too well the fallout from a hack: it recently acquired Yahoo Inc., the victim of the largest data breach in history, in which three billion user accounts were compromised.

Estimates suggest cybercrime costs the Canadian economy between $3 billion and $5 billion a year. The average per company cost of a data breach has risen as high as $6 million, according to the Canadian Chamber of Commerce.

The Bank of Canada has warned that Canadian banks are vulnerable to a cascading series of attacks that could not only undermine confidence in the financial system, but spill over into other sectors, such as energy or water systems.

Hacking has already been deployed as a weapon of war.

The first known attack to take out an electrical grid using malicious software occurred two years ago, in the middle of Russia’s siege of Ukraine. Russian hackers have undermined almost every sector in Ukraine, including the Ukrainian tax filing system, pharmacies’ prescription tracking system and the radiation monitoring system at Chernobyl.

The hacks of Ashley Madison, Yahoo and now Equifax have sparked alarming headlines, federal investigations and passing political ire, but have amounted to little real change, leaving our institutions vulnerable to Poloz’s nightmare cyberattack that could grind the gears of modern civilization to a halt — a scenario that suddenly doesn’t seem so far-fetched.


Smart #behaviors that can #improve your #cybersecurity

Some of the cybersecurity best practices for advisors are smart moves for consumers, too.

“Don’t make the mistake of thinking of [cybersecurity] as a technology thing. It’s not,” Adam Moseley, managing director of Schwab Business Consulting and Education at Charles Schwab, told advisors Tuesday at Schwab IMPACT 2017 in Chicago.

Much of protecting yourself is about behavior and education, he said. (See infographic below for tips.)

Advisors are right to be worried about cybersecurity. The broader financial services sector has been attacked more than any other industry, according to the 2017 IBM X-Force Intelligence Index.

The number of attacks on financial services companies rose 29 percent in 2016, to a total 1,684, according to IBM. Over the same period, the number of records breached jumped 937 percent, to 200 million from roughly 20 million — ranking the financial services industry third in number of records compromised.

“It is no longer a matter of if, but when, you’re going to be compromised,” Moseley said.

Advisors and consumers can both benefit from improvement in these areas:

Email habits

“I don’t think there’s a single greater threat to your organizations outside of email,” Moseley said. “We don’t hesitate to click a link, to open an attachment.”

Ransomware, malicious links, social engineering and other common scams all come in via email, he explained.

One smart thing a financial advisor can do is hire an outside firm to send employees test spam, to see what they are opening or clicking when they shouldn’t, he said. It helps firms see how to focus their efforts educating employees.

Be suspicious of any links or attachments in an email, Moseley said. If the email seems to be from a legit source, call the sender to make sure it’s legit before clicking.

It also helps to rethink that information you’re sending in emails, he said. Try to keep personal and sensitive data out of email altogether; if you must send it, look for a more secure method. For example, if you’re reaching out to your financial advisor, many have secure client-access portals where you could submit that tax return or account statement.

Passwords

Pick a password that’s long. Hackers will have an easier time brute-force cracking an eight-character password than one that has 12 or 15 characters, he said. (That length may mean you think about your password as a phrase rather than a word.)

Unique is key, too. Thieves often try login details captured in one breach at other sites, to see where they might gain access if you’ve reused that combo. Schwab has tracked nearly 1 billion of those so-called credential replay attempts, Moseley said.

Consumers and advisors should both look at implementing additional protections such as two-factor authentication where it is available.

“If you’re not using multi-factor or two-factor authentication and it’s available to you … you’re behaving recklessly online,” Moseley said.


White House increases #transparency around #cybersecurity flaw #disclosure

Dive Brief: The White House released the charter for the Vulnerabilities Equities Process (VEP), an interagency operation assessing whether the federal government should disclose cyber vulnerabilities it finds to vendors of a technology or whether it should “restrict” the finding in light of national security or law […]

IBM’s #Schneier: It’s #Time to Regulate #IoT to Improve #Cyber-Security

The time has come for the U.S. government and other governments around the world to start regulating internet of things (IoT) security, according to Bruce Schneier, CTO of IBM’s Resilient Systems.

Schneier delivered his message during a keynote address at the SecTor security conference here Nov. 15. Today everything is basically a computer, whether it’s a car, a watch, a phone or a television, he said. IoT has several parts, including sensors that collect data, computing power to figure out what to do with the collected data and actuators that affect the real world.

“Sensors are the eyes and ears of the internet, actuators are the hands and feet of the internet, and the stuff in the middle is the brain,” Schneier said. “We’re creating an internet that senses, thinks and acts—that’s the classical definition of a robot.

“We’re building a robot the size of the world, and most people don’t even realize it,” he said.

What that means is that internet security is now becoming “everything” security, according to Schneier. As such, he noted that computer security expertise is now needed in the auto industry because cars are now computers and all the lessons of the cyber-world are applicable everywhere.

“Availability and integrity threats are important as real risks to life and property now,” he said. “So now vulnerabilities have very different consequences. There is a difference between when a hacker crashes a computer and you lose your data and when a hacker hacks your car and then you lose your life.”

In Schneier’s view, many of the existing security paradigms fail in the new world of IoT. Whereas traditional software firms and big mobile vendors like Apple and Google have dedicated security teams, the same is not always true for IoT vendors. As such, Schneier said that IoT devices are often not patched quickly, if at all.

“A home DVR could have been part of the Mirai botnet, and likely most people just don’t care so long as the device works,” Schneier said. “Defending against Mirai is hard because it’s not just dropping a patch on Windows and making it go away.”

Time for Regulation

The challenge of cyber-security cannot be effectively solved by industry alone, according to Schneier. Instead, he advocated for government involvement to help regulate technology security. As internet connected devices move into regulated industries, Schneier expects that computer software that has largely been regulation-free will need to change. There are also historical precedents for new technology usage leading to new government agencies and regulations. For example, the emergence of cars, airplanes, radio and television have all led to government agencies and regulation.

“In the 20th century, new technology led to the formation of new agencies all the time,” he said.

There are a lot of problems that markets cannot solve on their own, since markets are typically short-term profit motivated and can’t solve collective action problems, he said. Additionally, Schneier said there is a need to have a counter-balancing force for corporate power.

“Government is how we solve problems like this,” he said.

Schneier expects that many issues about connected-technology regulation will need to be debated and resolved, but in his view there really isn’t a better alternative for ensuring cyber-security safety than government regulation. That said, he said the reason he was speaking at SecTor was to help raise awareness and get cyber-security professionals engaged in government policy conversations.

“As technologists, we need to get involved in policy, since IoT brings enormous potential and enormous risks,” Schneier said. “As internet security becomes everything security, all security has strong technological components.

“We’ll never get policy right if policy makers get technology wrong,” he said.


GDPR #Raising #Cybersecurity #Awareness Among #EU Business #Leaders

As if the daily beating of data breach news wasn’t enough reason to bring the stark reality of cyber risks to the attention of corporate leaders, here comes the European Union’s General Data Protection Regulation (GDPR). Taking effect in May 2018, GDPR is managing to elevate cyber risks to the top of the corporate agenda for organizations that store data on citizens of the European Union.

According to a survey of more than 1,300 senior executives, conducted by insurance and risk management firm Marsh, 65 percent of respondents from organizations that operate in the EU say that they consider “cyber” to be a top risk. That’s a doubling from a similar survey conducted last year that found 32 percent citing “cyber” as a top five risk. Further, the survey finds that 23 percent of those organizations that fall under GDPR have endured a successful cyber attack in the past year.

The heightened cybersecurity concerns and looming GDPR deadline have EU organizations upping their security and risk management spending. “Of those respondents whose organizations have plans for GDPR implementation, 78% said they would increase spending on addressing cyber risk over the next 12 months, including spending on cyber insurance. Notably, 52% of those who do not have a plan for GDPR indicated that their investment in cyber risk management would increase,” Marsh writes in this news release.

Surprisingly, with about seven months left, only 8 percent of survey respondents claim that their organizations are currently GDPR compliant and a startling 57 percent say that their enterprises are currently developing compliance plans. And another 11 percent of respondents are in for a very rude awakening, as they’ve reported that they have no compliance plans at all. “Smaller organizations were more likely not to have a plan for GDPR with 19% of respondents from businesses with less than $50m annual revenue replying that no plan was in place,” Marsh wrote.

For those not familiar, GDPR mandates:

  • EU citizens’ personally identifiable information (PII) must be adequately protected, managed, and controlled.
  • Data breaches must be reported within 72 hours.
  • Non-compliant organizations risk significant fines, of up to 4 percent of annual revenue or €20 million.

Forty-nine percent have fully developed a data breach incident response plan. Another 10 percent, however, have no plans to do so. It’s shocking that any organization today doesn’t have an incident response plan should sensitive data be exposed.

It is not pragmatic for an organization to assume it will never have to disclose a breach as required by GDPR – that’s just hope. It’s much more sensible to expect to be breached at some point and consider how to make a public disclosure. Because when it comes down to it, the difference between the winners and losers here is how well the breach is mitigated and managed, and the effectiveness of the public response.


Cybersecurity #101 for #Manufacturers: Why Should You #Care?

Anyone living through today’s news cycle who does not recognize cybersecurity as an issue is simply not paying attention. But, until recently, most manufacturing companies have considered it someone else’s issue. Most reported cyber incidents have been aimed at acquiring large caches of consumer data (think breaches at Target affecting 70 million consumers, and Verizon affecting 40 million consumers.) Hackers were historically intent on identity theft, and the acquisition of consumers’ personally identifiable information (PII) is a first step toward that goal. Most manufacturers do not deal directly with consumers or collect their data, so many put cybersecurity on the back burner. However, a recent study found that the manufacturing sector is now the second most frequently hacked industry, after healthcare. (2016 Cyber Security Intelligence Index, IBM X-Force Research.)

Recent cyber breaches have gone far beyond collecting consumer PII. Cyber criminals (and some foreign countries) are after trade secret technology and IP — yours, your vendors’, and your customers’. Losses from these breaches can include direct payments in the form of “ransom” for shutting down your computerized systems and holding your data hostage (ransomware); business email compromises (BECs), where inside information about upcoming transactions or wire transfers is mistakenly directed to a cybercriminal by your own employees under the misapprehension that they are acting on the instructions of a senior executive (phishing); or loss of employee PII or a whole host of other information you may not realize is accessible to a sophisticated cybercriminal.

All Modern Manufacturing Systems are Susceptible to Exploitation. Think about your company’s reliance on computerized industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, employees’ use of multiple data storage devices (servers, laptops, smartphones, social media), your vendors’ and customers’ everyday access to your systems to streamline communications or production, cloud computing, vindictive or disgruntled employees with access to sensitive information, or innocent employees opening an email link or attachment without verifying the source. Any and all of these may provide points of entry for a determined hacker or data phisher. Target’s massive data breach in late 2015, for instance, was engineered through access unwittingly provided by a company HVAC vendor that did not have a secure system, despite Target’s own otherwise sophisticated and thorough security and breach prevention program.

Ransomware/BEC attacks have not distinguished manufacturing companies from other targets. A hacker may gain access to a company’s computerized systems by means of an insider/employee opening an official-seeming link or attachment in an innocent-seeming email, and implant a virus into the system that holds critical data hostage or shuts down critical functions. Even payment of the demanded “ransom” to unfreeze the system may not guarantee a return of data or normal functionality.

Data and System Breaches are Expensive. Costs can include business disruption, product discounts, forensic and investigative activities, loss of customers, litigation and regulatory, and reporting costs. According to the 2017 Cost of Data Breach Study recently released by the Ponemon Institute, the total organizational cost per data breach incident for the U.S. was $7.35 million last year, the highest of the 13 countries studied. The study did not address loss of competitive advantage when trade secret technology and IP are stolen, which could be substantially more costly; the U.S. Federal Bureau of Investigation (FBI) estimated that $400 billion of intellectual property leaves the U.S. every year as a result of cyberattacks targeted at manufacturing companies.

BECs increased 2,370% between January 1, 2015 and December 31, 2016, with victims reporting losses of $346 million. The FBI estimated in a May 2017 alert that such crimes have caused losses of $1.6 billion in the U.S. since 2013 and $5.3 billion globally. For instance, in 2015 paint manufacturer Sherwin-Williams reportedly sent $6.5 million to overseas bank accounts of Russian criminals due to BECs.

How Can You Fight Back? There are a number of protections available to manufacturing companies, many of which are relatively inexpensive.

  • Train your employees. People are the weakest link in cybersecurity, since hackers can access your systems through a single point of contact. If employees are alert to potential email threats, confine their work to your secure network, and limit postings on social media, many potential attacks can be blocked.
  • Use two-step authentication to mitigate threats from BECs. Companies that require confirmation of funds transfer requests by secure telephone or a secondary sign-off by company personnel can virtually eliminate unauthorized transfers.
  • Segment your network on a “need to access” basis. This practice limits accidental transfer of critical data and prevents a hacker from using one point of entry to move a virus or malware through your entire system.
  • Encrypt critical data and back up your systems regularly.
  • Audit your vendors’ and contractors’ cybersecurity systems. Contractual provisions can create cybersecurity duties for your business partners and give you the right to examine their systems for weaknesses that might otherwise compromise your network.
  • Use penetration testing or public domain audits regularly to ensure that your sensitive information is not accessible online.
  • Apply software patches and update your systems on a timely basis. Operators of ICS/SCADA tend not to update or apply software patches because these require system downtime or gaps in service, but most of the systems hacked in recent ransomware attacks were running out-of-date software, and the attacks could have been foiled if the victims had simply applied manufacturer-supplied patches regularly.
  • Check the NIST Guide to Industrial Control Systems (ICS) Security for additional cybersecurity guidance.
  • Have a response plan in place in case of a breach.
  • Look into cyber insurance to mitigate the cost of a cyber incident. The current insurance market is competitive and well-priced, so you should be able to negotiate for the appropriate protection.

While it is impossible to create impenetrable systems, be aware that hackers tend to go after low-hanging fruit. The more protections you implement, the less likely you are to experience a debilitating cyber-attack.

The post Cybersecurity #101 for #Manufacturers: Why Should You #Care? appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Here is #why you need to take #Cybersecurity #seriously

Source: National Cyber Security – Produced By Gregory Evans

There is no doubt that organisations worldwide face numerous threats, and that managing that risk adequately can seem increasingly difficult. Where many years ago a cyber-attack was a rare warning sign, attacks have now grown in both severity and frequency.

It seems that every day you can encounter another article on the topic, and this has managed to create a real and significant concern for both small and large organisations. More and more people are turning to reliable services such as those provided by Prosyn, a London IT services company dedicated to implementing safe and stress-reducing IT solutions.

Although some have taken precautions against these attacks, many organisations have consistently underfunded their defences. Here is why you need to take cybersecurity seriously:

Cybersecurity Threats are everywhere

As a rule of thumb we view technology as something that will improve our lifespan and quality of life. It is essential to understand, however, that while some people focus on innovative ways to help others, there will always be those looking for an easy way to make money.

Professional ethical hackers are paid to find security problems in a company's technology so that it can be made safer and more reliable. Nonetheless, a recurring theme can be spotted: we are not getting better, and the underlying security problems are not changing. As we depend more and more on technology, we open ourselves more and more to the possibility of an attack.

Hackers will tell you that most technology is vulnerable to these attacks. There are many examples in everyday life: smartphones, home alarm systems, cars, aircraft systems and even medical pacemakers. The goal is not to instil fear, but to make you aware that even critical infrastructure such as dams or power grids can be hacked, and has been in the past. So the question is: how confident are you in your cybersecurity measures?

Loss of revenue

According to industry estimates, some 60% of smaller businesses suffer a data breach each year, and bigger names you might not expect are hit too. Yahoo and UPS are two clear examples, and so is JP Morgan, which lost the details of 76 million households in a single 2014 attack. A breach like this exposes your customers' sensitive information, endangers their financial health, and causes significant revenue losses for your company.

According to a 2015 report published by the World Economic Forum (WEF), 90% of companies worldwide acknowledge that they are ill prepared for a cyber-attack or a breach of confidential data. The problem is estimated to cost the global economy over US$400 billion per year, based on an estimate by the Centre for Strategic and International Studies (CSIS).

The consequences of cyber crime

Organisations should distinguish two kinds of cyber-attack: a data breach and a deliberate act of sabotage. A data breach targets intellectual property or company secrets, anything from information about bids to personal data. Sabotage, by contrast, is an attempt to disrupt: flooding a web service with fake requests until it cannot serve real ones, or disabling infrastructure systems that millions of people use every day.

The direct result is not only commercial loss but also reputational damage, and attackers may use either the stolen data or the disruption to extort an individual, a company, or an entire supply chain. There are also modern-day vigilantes, or hacktivists, who work to expose negligence, fraud, and other issues that an organisation may try to sweep under the rug.

Whatever the motive, it should be noted that many of these incidents go unreported, and the loss of information is rarely if ever disclosed. This goes hand in hand with companies not wanting to damage their reputation or be seen as unsafe by their customers. Besides, it is hard to take legal action against the culprits: many of them have never been identified.

Why do some companies underestimate the threat?

One of the main reasons experts highlight is the difficulty of predicting the likelihood of a cyber-attack on your own company. It is also very hard to estimate the potential losses, so the question on many minds is: "should I invest this much to protect against something that might never happen to me?"

An article published in the Harvard Business Review revealed that many decision makers are faced with making the judgement of how much they are willing to invest in cybersecurity, and most of them don’t fully understand the dangers of it. Here are the three main reasons highlighted in the article:

 An assumption that adopting a security framework such as FISMA or the NIST Cybersecurity Framework is, by itself, sufficient security

 A security breach has never been an issue in the past, so there is no need to fix what isn’t broken

 Companies have previously dealt with a small cyber-attack which was quickly resolved

It is easy to see why people follow this mindset. The problem with these mental models is that they treat cybersecurity as a problem that can be solved once, rather than an ongoing process that requires a robust prevention strategy. Cybersecurity should be approached as continuous risk management, reducing both the likelihood and the impact of future attacks, rather than as a one-off fix after an incident. As previously discussed, some attacks could cost millions or even put you out of business.

Conclusion

The reality is that cyber-attacks are not tied to any one geographical area: criminals operate across borders, and very few of them are motivated by principle, such as uncovering corruption or fraud; most are simply after money. There is therefore a need to respond to cyber-attacks with a global vision and strategy, while understanding how law enforcement agencies work and how IT services can help you.

The post Here is #why you need to take #Cybersecurity #seriously appeared first on National Cyber Security Ventures.


US #rules on #reporting #cybersecurity #flaws set to change #according to #source

Source: National Cyber Security – Produced By Gregory Evans

The Trump administration is set to release its rules for determining whether to disclose the cybersecurity flaws that federal agencies find, according to a US national security official.

Speaking to the Reuters news agency, the anonymous source stated that the revised rules would be published on whitehouse.gov on Wednesday. The changes are expected to make the process that federal agencies go through when they find cybersecurity flaws more transparent.

The move is seen as an attempt by the US government to fend off criticism that it routinely weakens internet security by keeping cybersecurity flaws and vulnerabilities secret.

According to the report on Reuters.com, the proposed rule change will name the agencies involved in the process, such as the Departments of Commerce, Treasury and State.

Currently the US government uses an inter-agency review, created under former President Barack Obama and known as the Vulnerabilities Equities Process (VEP), to decide what happens to cybersecurity flaws discovered by the National Security Agency (NSA): whether they are disclosed to the vendor so they can be fixed, or retained for the agency's own use.

This approach has been criticised by experts who argue that withholding flaws leaves the wider industry exposed; Reuters summarised the concern:

“The criticism grew earlier this year when a global ransomware attack known as WannaCry infected computers in at least 150 countries, knocking hospitals offline and disrupting services at factories.

The attack was made possible because of a flaw in Microsoft’s Windows software that the NSA had used to build a hacking tool for its own use.”

Named WannaCryptor, but also referred to as WannaCry, it spread rapidly by using the EternalBlue SMB exploit, part of a large collection of files leaked from the NSA. Microsoft had already fixed the flaw in its March 2017 security update (MS17-010), two months before the outbreak, so the machines WannaCry took over were those that had not yet been patched.
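WannaCry spread by having each infected host probe its neighbours on TCP port 445 and exploit any that answered, which is why the segmentation and patching advice earlier on this page matters so much. The Python below is an added example, not code from the article or from Reuters: it replays constructed connection records and flags any source that reaches an unusual number of distinct SMB targets inside a short window, the worm-like fan-out that a segmented network would also contain. The log format, the addresses, the 60-second window and the threshold of ten targets are all assumptions chosen for illustration.

```python
"""Detect worm-like SMB scanning from connection logs (added example, not the
article's or Reuters' code). Log format, addresses, window and threshold are
assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)   # assumed: how long a burst is measured over
THRESHOLD = 10                   # assumed: distinct SMB targets per window that is abnormal


def parse(log: str):
    """Parse 'ISO-timestamp src dst dport' lines (assumed format) into time-sorted tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(events)


def detect_smb_scanners(log: str, window: timedelta = WINDOW, threshold: int = THRESHOLD) -> dict:
    """Return {src: peak distinct 445/tcp targets within any `window`} for sources
    whose peak reaches `threshold`. A workstation normally talks SMB to a handful
    of file servers; fanning out to many peers in seconds is what a worm does."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        best, start = 0, 0
        for end in range(len(hits)):            # sliding window over time-sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts


def constructed_log() -> str:
    """Constructed sample traffic; none of these hosts or events are real."""
    lines = []
    for i in range(12):           # 10.0.5.23: twelve distinct SMB targets in twelve seconds
        lines.append(f"2017-05-12T10:00:{i:02d} 10.0.5.23 10.0.5.{i + 2} 445")
    for s in (2, 5, 9, 14, 20):   # 10.0.5.40: repeated SMB to one file server, benign
        lines.append(f"2017-05-12T10:00:{s:02d} 10.0.5.40 10.0.5.1 445")
    for m in range(11):           # 10.0.5.77: eleven targets but one per minute, below threshold
        lines.append(f"2017-05-12T10:{m:02d}:30 10.0.5.77 10.0.6.{m + 1} 445")
    lines.append("2017-05-12T10:00:03 10.0.5.41 10.0.5.50 443")   # non-SMB, ignored
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect_smb_scanners(constructed_log()))   # {'10.0.5.23': 12}
```

The slow host in the sample shows why the window matters: a machine that touches many peers over an hour may be an administrator's inventory job, while the same count inside a minute is almost never legitimate. In a real deployment the records would come from firewall or NetFlow exports, and the alert would be paired with a block on port 445 between workstation segments, since a patched, segmented network gives the worm nothing to reach.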

The post US #rules on #reporting #cybersecurity #flaws set to change #according to #source appeared first on National Cyber Security Ventures.
