Browsing category

Data Privacy

Artificial intelligence, Artificial Intelligence (AI), Chief Information Security Officer (CISO), Cognitive Security, Data Management, Data Privacy, Governance, Internet of Things (IoT), Security Strategy, Security Technology,

How CISOs Can Facilitate the Advent of the Cognitive Enterprise

Just as organizations are getting more comfortable with leveraging the cloud, another wave of digital disruption is on the horizon: artificial intelligence (AI), and its ability to drive the cognitive enterprise.

In early 2019, the IBM Institute for Business Value (IBV) released a new report titled, “The Cognitive Enterprise: Reinventing your company with AI.” The report highlights key benefits and provides a roadmap to becoming a cognitively empowered enterprise, a term used to indicate an advanced digital enterprise that fully leverages data to drive operations and push its competitiveness to new heights.

Such a transformation is only possible with the extensive use of AI in business and technology platforms to continuously learn and adapt to market conditions and customer demand.

CISOs Are Key to Enabling the Cognitive Enterprise

The cognitive enterprise is an organization with an unprecedented level of convergence between technology, business processes and human capabilities, designed to achieve competitive advantage and differentiation.

To enable such a change, the organization will need to leverage more advanced technology platforms and must no longer be limited to dealing only with structured data. New, more powerful business platforms will enable a competitive advantage by combining data, unique workflows and expertise. Internal-facing platforms will drive more efficient operations while external-facing platforms will allow for increased cooperation and collaboration with business partners.

Yet these changes will also bring along new types of risks. In the case of the cognitive enterprise, many of the risks stem from the increased reliance on technology to power more advanced platforms — including AI and the internet of things (IoT) — and the need to work with a lot more data, whether it’s structured, unstructured, in large volume or shared with partners.

As the trusted adviser of the organization, the chief information security officer (CISO) has a strong role to play in enabling and securing the organization’s transformation toward:

  • Operational agility, powered in part by the use of new and advanced technologies, such as AI, 5G, blockchain, 3D printing and the IoT.

  • Data-driven decisions, supported by systems able to recognize and provide actionable insights based on both structured and unstructured data.

  • Fluid boundaries with multiple data flows going to a larger ecosystem of suppliers, customers and business partners. Data is expected to be shared and accessible to all relevant parties.

Shows relationship between data, processes, people, outside forces, and internal drivers (automation, blockchain, AI)Source: IBM Institute for Business Value (IBV) analysis.

Selection and Implementation of Business Platforms

Among the major tasks facing organizations embarking on this transformation is the need to choose and deploy new mega-systems, equivalent to the monumental task of switching enterprise resource planning (ERP) systems — or, in some cases, actually making the switch.

The choice of a new platform will impact many areas across the enterprise, including HR and capital allocation processes, in addition to the obvious impact on how the business delivers value via its product or service. Yet, as the IBM IBV report points out, the benefits can be significant. Leading organizations have been able to deliver higher revenues — as high as eight times the average — by adopting new business and technology platforms and fully leveraging all their data, both structured and unstructured.

That said, having large amounts of data doesn’t automatically translate into an empowered organization. As the report cautions, organizations can no longer simply “pour all their data into a data lake and expect everyone to go fishing.” The right digital platform choice can empower the organization to deliver enhanced profits or squeeze additional efficiency, but only if the data is accurate and can be readily accessed.

Once again, the CISO has an important role to play in ensuring the organization has considered all the implications of implementing a new system, so governance will be key.

Data Governance — When Security and Privacy Converge

For the organization to achieve the level of trust needed to power cognitive operations, the CISO will need to drive conversations and choices about the security and privacy of sensitive data flowing across the organization. Beyond the basic tenets of confidentiality, integrity and availability, the CISO will need to be fully engaged on data governance, ensuring data is accurate and trustworthy. For data to be trusted, the CISO will need to review and guarantee the data’s provenance and lineage. Yet the report mentions that, for now, fewer than half of organization had developed “a systemized approach to data curation,” so there is much progress to be made.

Organizations will need to balance larger amounts of data — several orders of magnitude larger — with greater access to this data by both humans and machines. They will also need to balance security with seamless customer and employee experiences. To handle this data governance challenge, CISOs must ensure the data flows with external partners are frictionless yet also provide security and privacy.

AI Can Enable Improved Cybersecurity

The benefits of AI aren’t limited to the business side of the organization. In 2016, IBM quickly recognized the benefits cognitive security could bring to organizations that leverage artificial intelligence in the cybersecurity domain. As attackers explore more advanced and more automated attacks, organizations simply cannot afford to rely on slow, manual processes to detect and respond to security incidents. Cognitive security will enable organizations to improve their ability to prevent and detect threats, as well as accelerate and automate responses.

Leveraging AI as part of a larger security automation and orchestration effort has clear benefits. The “2018 Cost of a Data Breach Study,” conducted by Ponemon Institute, found that security automation decreases the average total cost of a data breach by around $1.55 million. By leveraging AI, businesses can find threats up to 60 times faster than via manual investigations and reduce the amount of time spent analyzing each incident from one hour to less than one minute.

Successful Digital Transformation Starts at the Top

Whether your organization is ready to embark on the journey to becoming a cognitive enterprise or simply navigating through current digital disruption, the CISO is emerging as a central powerhouse of advice and strategy regarding data and technology, helping choose an approach that enables security and speed.

With the stakes so high — and rising — CISOs should get a head start on crafting their digital transformation roadmaps, and the IBM IBV report is a great place to begin.

The post How CISOs Can Facilitate the Advent of the Cognitive Enterprise appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Christophe Veltsos

Chief Information Security Officer (CISO), CISO, Data Breaches, Data Privacy, Internet of Things (IoT), Personally Identifiable Information (PII), Risk Management, Security Framework, Security Intelligence & Analytics, Security Strategy, Security Testing, Vulnerabilities,

An Apple a Day Won’t Improve Your Security Hygiene, But a Cyber Doctor Might

You might’ve begun to notice a natural convergence of cybersecurity and privacy. It makes sense that these two issues go hand-in-hand, especially since 2018 was littered with breaches that resulted in massive amounts of personally identifiable information (PII) making its way into the wild. These incidents alone demonstrate why an ongoing assessment of security hygiene is so important.

You may also see another convergence: techno-fusion. To put it simply, you can expect to see technology further integrating itself into our lives, whether it is how we conduct business, deliver health care or augment our reality.

Forget Big Data, Welcome to Huge Data

Underlying in these convergences is the amount of data we produce, which poses an assessment challenge. According to IBM estimates, we produce 2.5 quintillion bytes of data every day. If you’re having problems conceptualizing that number — and you’re not alone — try rewriting it like this: 2.5 million terabytes of data every day.

Did that help? Perhaps not, especially since we are already in the Zettabyte era and the difficulty of conceptualizing how much data we produce is, in part, why we face such a huge data management problem. People are just not used to dealing with these numbers.

With the deployment of 5G on the way — which will spark an explosion of internet of things (IoT) devices everywhere — today’s Big Data era may end up as a molehill in terms of data production and consumption. This is why how you manage your data going forward could be the difference between surviving and succumbing to a breach.

Furthermore, just as important as how you will manage your data is who will manage and help you manage it.

Expect More Auditors

It’s not uncommon for larger organizations to use internal auditors to see what impact IT has on their business performance and financial reporting. With more organizations adopting some sort of cybersecurity framework (e.g., the Payment Card Industry Data Security Standard or NIST’s Framework for Improving Critical Infrastructure Cybersecurity), you can expect to hear more compliance and audit talk in the near future.

There is utility in having these internal controls. It’s a good way to maintain and monitor your organization’s security hygiene. It’s also one way to get internal departments to talk to each other. Just as IT professionals are not necessarily auditors, neither are auditors some sort of IT professionals. But when they’re talking, they can learn from each other, which is always a good thing.

Yet internal-only assessments and controls come with their own set of challenges. To begin, the nature of the work is generally reactive. You can’t audit something you haven’t done yet. Sure, your audit could find that you need to do something, but the process itself may be very laborious, and by the time you figure out what you need to do, you may very well have an avalanche of new problems.

There are also territorial battles. Who is responsible for what? Who reports to whom? And my personal favorite: Who has authority? It’s a mess when you have all the responsibility and none of the authority.

Another, perhaps bigger problem is that internal controls may have blind spots. That’s why there is value in having a regular, external vulnerability assessment.

When it Comes to Your Security Hygiene, Don’t Self-Diagnose

Those in the legal and medical fields have undoubtedly been cautioned not to act as their own counsel or doctor. Perhaps we should consider similar advice for security professionals too. It’s not bad advice, considering a recent Ponemon Institute report found that organizations are “suffering from investments in disjointed, non-integrated security products that increase cost and complexity.”

Think about it like this: You, personally, have ultimate responsibility to take care of your own health. Your cybersecurity concerns are no different. Even at the personal level, if you take care of the basics, you’re doing yourself a huge favor. So do what you can to keep yourself in the best possible health.

Part of healthy maintenance normally includes a checkup with a doctor, even when you feel everything is perfectly fine. Assuming you’re happy with your doctor and have a trusting relationship, after an assessment and perhaps some tests, your doctor will explain to you, in a way that you are certain to understand, what is going on. If something needs a closer look or something requires immediate attention, you can take care of it. That’s the advantage of going to the doctor, even when you think you’re all right. They have the assessment tools and expertise you generally do not.

‘I Don’t Need a Doctor, I Feel Fine’

Undoubtedly, this is a phrase you have heard before, or have even invoked on your own. But cybersecurity concerns continue to grow and internal resources remain overwhelmed by responding to so many alerts and financial constraints or understaffing. Therefore, the need for some outside assistance may not only be necessary, but welcomed, as that feeling of security fatigue has been around for some time now.

There is an added wildcard factor too: I’m confident many of us in the field have heard IT professionals say, “We’ve got this” with a straight face. My general rule of thumb is this: If attackers can get into the U.S. Department of Defense, they can get to you, so the “I feel fine” comment could very well include a dose of denial.

When considering external assistance — really just a vulnerability assessment — it’s worth thinking through the nuance of this question: Is your IT department there to provide IT services, or is it there to secure IT systems? I suggest the answer is not transparently obvious, and much of it will depend on your business mission.

Your IT team may be great at innovating and deploying services, but that does not necessarily mean its strengths also include cybersecurity audits/assessments, penetration testing, remediation or even operating intelligence-led analytics platforms. Likewise, your security team may be great at securing your networks, but that does not necessarily mean it understands your business limitations and continuity needs. And surely, the last thing you want to do is get trapped in some large capital investment that just turns into shelfware.

Strengthen Your Defenses by Seeing a Cyber Doctor

Decision-makers — particularly at the C-suite and board level, in tandem with the chief information security officer (CISO) and general counsels — should consider the benefits of a regular external assessment by trusted professionals that not only understand the cybersecurity landscape in real time, but also the business needs of the organization.

It’s simple: Get a checkup from a cyber doctor who will explain what’s up in simple language, fix it with help if necessary and then do what you can on your own. Or, get additional external help if needed. That’s it. That semiannual or even quarterly assessment could very well be that little bit of outside help that inoculates you from the nastiest of cyber bugs.

The post An Apple a Day Won’t Improve Your Security Hygiene, But a Cyber Doctor Might appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: George Platsis

Blockchain, CISO, Collaboration, Cryptography, Cybersecurity Jobs, Cybersecurity Legislation, Data Privacy, Government, RSA, RSA Conference,

At RSAC 2019, It’s Clear the World Needs More Public Interest Technologists

Cybersecurity experts are no longer the only ones involved in the dialogue around data privacy. At RSA Conference 2019, it’s clear how far security and privacy have evolved since RSAC was founded in 1991. The 28th annual RSAC has a theme of “better,” a concept that speaks to the influence of technology on culture and people.

“Today, technology makes de facto policy that’s far more influential than any law,” said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School, in his RSAC 2019 session titled “How Public Interest Technologists are Changing the World.”

“Law is forever trying to catch up with technology. And it’s no longer sustainable for technology and policy to be in different worlds,” Schneier said. “Policymakers and civil society need the expertise of technologists badly, especially cybersecurity experts.”

Public policy and personal privacy don’t always coexist peacefully. This tension is clear among experts from cryptography, government and private industry backgrounds at RSAC 2019. In the past year, consumer awareness and privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), has created an intensely public dialogue about data security for perhaps the first time in history.

The Cryptographer’s Panel, which opened the conference on Tuesday, delved into issues of policy, spurred in part by the fact that Adi Shamir — the “S” in RSA — was denied a visa to attend the conference. Bailey Whitfield Diffie, who founded public-key cryptography, directly addressed the tension between the legislature, personal privacy and autonomy. Other keynote speakers called for collaboration.

“We are not seeking to destroy encryption, but we are duty-bound to protect the people,” stated FBI Director Christopher Wray. “We need to come together to figure out a way to do this.”

Moving forward to create effective policy will require technical expertise and the advent of a new type of cybersecurity expert: the public interest technologist.

Why Policymakers Need Public Interest Technologists

“The problem is that almost no policymakers are discussing [policy] from a technologically informed perspective, and very few technologists truly understand the policy contours of the debate,” wrote Schneier in a blog post this week. “The result is … policy proposals — ­that occasionally become law­ — that are technological disasters.”

“We also need cybersecurity technologists who understand­ — and are involved in — ­policy. We need public-interest technologists,” Schneier wrote. This profession can be defined as a skilled individual who collaborates on tech policy or projects with a public benefit, or who works in a traditional technology career at an organization with a public focus.

The idea of the public interest technologist isn’t new. It has been formally defined by the Ford Foundation, and it’s the focus of a class taught by Schneier at the Harvard Kennedy School. However, it’s clear from the discussions at RSAC and the tension that exists between privacy, policy and technology in cybersecurity dialogue that public interest technologists are more critically needed than ever before.

Today, Schneier said, “approximately zero percent” of computer science graduates directly enter the field of public interest work. What can cybersecurity leaders and educators do to increase this number and the impact of their talent on the public interest?

Technology and Policy Have to Work Together

Schneier wants public interest technology to become a viable career path for computer science students and individuals currently working in the field of cybersecurity. To that end, he worked with the Ford Foundation and RSAC 2019 to set up an all-day mini-track at the conference on Thursday. Throughout the event, there was a focus on dedicated individuals who are already working to change the world.

Schneier isn’t the only expert pushing for more collaboration and public interest work. A Tuesday panel discussion focused on how female leaders in government are breaking down barriers, creating groundbreaking policy and helping the next generation of talent flourish. Public interest track speaker and former data journalist Matt Mitchell was inspired by the 2013 George Zimmerman trial to create the nonprofit organization CryptoHarlem and start a new career as a public interest cybersecurity expert, according to Dark Reading.

On Thursday, IBM Security General Manager Mary O’Brien issued a clear call for organizations to change their approach to cybersecurity, including focusing on diversity of thought in her keynote speech. “Cross-disciplinary teams provide the ideas and insights that help us get better,” O’Brien said. “We face complex challenges and diverse attackers. Security simply will not be better or best if we rely on technologists alone.”

It’s Time for Organizations to Take Action

When it comes to creating an incentive for talented individuals to enter public interest work, a significant piece of responsibility falls on private industry. Schneier challenged organizations to work to establish public interest technology as a viable career path and become more involved in creating informed policy. He pointed to the legal sector’s offering of pro bono work as a possible financial model for organizations in private industry.

“In a major law firm, you are expected to do some percentage of pro bono work,” said Schneier. “I’d love to have the same thing happen in technology. We are really trying to jump start this movement … [however, many] security vendors have not taken this seriously yet.”

There are already some examples of private organizations that are creating new models of collaboration to create public change, including the Columbia-IBM Center for Blockchain and Data Transparency, a recent initiative to create teams of academics, scientists, business leaders and government officials to work through issues of “policy, trust, sharing and consumption” by using blockchain technology.

It’s possible to achieve the idea of “better” for everyone when organizations become actively involved in public interest work. There is an opportunity to become a better company, strengthen public policy and attract more diverse talent at the same time.

“We need a cultural change,” said Schneier.

In a world where technology and culture are one and the same, public interest technologists are critical to a better future.

The post At RSAC 2019, It’s Clear the World Needs More Public Interest Technologists appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Jasmine Henry

Application Security, Blockchain, Data Privacy, Data Protection, Data Security, Encryption, Encryption Keys, IBM Security, Identity & Access, Identity and Access Management (IAM), Identity Governance, Penetration Testing, Security Services, X-Force,

Blockchain: Making the Reward Much Greater Than the Risk

What is the first thought that comes to mind when someone mentions blockchain? Many of you may say bitcoin, which is what’s to be expected considering bitcoin was the first major cryptocurrency that made blockchain a household name. However, bitcoin is only one among a large variety of cryptocurrencies, and while it was the first large-scale implementation of blockchain technology, it is merely one application of many uses by which blockchain can aid society and commerce.

Blockchain technology provides a means to store data in a distributed ledger. The data is stored within a block, where it is digitally recorded and linked together with other blocks, forming a chain. The chain provides the entire history of all recorded data. Data is committed to the chain in the form of transactions. The transactions are only added after they have been validated by the blockchain network’s consensus protocol, so that there is only one version of the truth. Any data stored on the blockchain is “immutable,” meaning it cannot be changed. Also, all network participants have a copy of the data, meaning everything is transparent and everyone has the same version of truth.

The first major implementation of blockchain technology was introduced in 2008 with the release of bitcoin, but it’s only during the past few years that enterprises have come to grasp the technology’s potential. This is happening because the past decade has seen a tremendous reduction in the costs of secure storage, computation power and communications. As a result, more innovation makes its way into mainstream markets, served to average consumers.

The same applies to the business realm. Nowadays, we are starting to see more blockchain adoption across many industries, including financial, food services, healthcare, aviation, automotive and logistics. In 2017, the blockchain market was valued at $708 million. Two separate reports have estimated that by 2024–2025, the market could be valued between $20 to $60 billion. This significant growth represents up to an 8,300 percent increase in the span of less than 10 years.

We are still in the early stages of exploring this technology, and it will take time to fully realize its applications and potential. For example, it took almost 10 years for computers to reach an adoption rate of 80 percent. For enterprises, blockchain technology at scale has only been around since late 2015. So what does this mean, exactly? As we watch a new technology emerge and steadily grow, people who love to be on the cutting edge of technology are excited about the endless possibilities blockchain affords. That said, with new technology also comes new challenges, especially regarding security.

Big Implementations, Limited Experts

The people who deeply understand blockchain infrastructure are typically blockchain developers and architects, whose numbers are increasing, but are still few and far between. If you layer on blockchain security expertise, you will find that number to be even smaller. Hardly any published information or guidance exists about blockchain security.

So what are the implications of developing these full-fledged solutions with little knowledge about the potential attack vectors and risks that could bring the entire system crashing down? Inherently, the decentralized nature of blockchain, coupled with consensus protocols, helps to address some security needs, but the consequences can be dire if security isn’t fully explored.

Blockchain Is Code, and Code Can Be Flawed

As previously mentioned, at its core, the blockchain concept is simple: It is a distributed, immutable, cryptographically assured ledger that can have applications, often called “smart contracts,” interface with it.

A smart contract is made up of numerous lines of code, which are stored within the blockchain. These contracts automatically execute when predetermined terms and conditions are met. They are small programs that replicate processes or business logic and can be used to enforce an agreement between multiple parties in such a way that they can be certain of the outcome without any need for an intermediary.

For example, smart contracts may be used in the healthcare industry. Users’ data, such as blood pressure and other metrics, could be published to a chain, and once a metric rises above a specified threshold, the smart contract could execute actions such as notifying the user and/or processes such as further consultations with specialists to resolve their health problems. A flaw capable of compromising smart contracts could allow an attacker to modify critical details in the code. In the above example, what happens if an attacker is able to affect the business logic or introduce additional code to perform unintended actions?

But as with many powerful technologies, while blockchain is straightforward in concept, if improperly implemented, flaws and vulnerabilities can result in risk and security consequences. Think about what would happen if one could change the smart contract’s data before it is stored on the chain? Data on the chain is supposed to be trusted, right? What about a smart contract flaw that results in business logic not behaving as expected?

In the past few years, X-Force Red has seen a plethora of risks introduced into blockchain ecosystems where it was possible to abuse access controls at the user and administrative levels. For example, some vulnerabilities may enable attackers to inject malicious code into the network, effectively compromising all nodes.

Putting the technology aside, your standard everyday applications (i.e., web/mobile applications) still need to interface with the chain on some level. It has been possible for our penetration testers to compromise these components and pivot to backend systems where there is little to no security, giving an attacker the ability to insert data on the chain or execute any function that is exposed. Functions may include higher-privileged administrative access or accessing data that a user should not have access to. If that happens, how does an environment protect itself against malicious actions?

Raising the Bar on Blockchain Security

Security is about raising the bar high enough that attackers would be extremely hard-pressed to exploit any vulnerability. If they were to attack, they would make enough noise on the network to be detected and incident response procedures would hopefully slam the door shut. So, monitoring from both an application and network level is key to protecting blockchain implementations. Should an internal host be scanning your internal network? I think not!

Another precaution is to take a page out of the renowned television show, “The X-Files,” and trust no one:

  • Build a layered defense where each layer of the solution provides some level of distrust of all the layers above it.
  • Enforce strict access controls both at the application and blockchain layers to prevent overly permissive access and abuse.
  • Ensure there are strong governance controls and processes around the handling of all sensitive information, including key material. Should your certificate authority be disclosed to an unauthorized third party, then it’s game over; they would have full control of your blockchain environment.
  • Implement strong change control and a secure code review process to ensure all configuration settings and source code (i.e., smart contracts) are as secure as possible and do not contain any weaknesses that can be abused.

These are only a handful of basic actions that you can take to help protect the integrity, availability and confidentiality of your blockchain-enabled environment.

At X-Force Red, we have many experienced hackers with blockchain-specific skill sets to perform security assessments and penetration tests on anything within the blockchain technology and connected infrastructure.

IBM is an industry leader in blockchain technology and, as such, our X-Force Red hackers are exposed to numerous areas of the technology while working with leading experts in the field.

This all culminates into possessing a deep technical understanding and the ability to assess any blockchain-enabled solution from an end-to-end perspective. X-Force Red can review the environment from a design/architectural perspective and manually review smart contracts, access controls, configuration of critical components and more. We can also test all applications and technologies that interface with the blockchain, work with key stakeholders and developers to fully realize the potential risks they may face, and assist in reducing the risk of a compromise.

Learn more about X-Force Red’s blockchain testing services

The post Blockchain: Making the Reward Much Greater Than the Risk appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Christopher Thomas

Artificial Intelligence (AI), CISO, Cloud, Cloud Security, Connected Devices, Cyberattacks, Data Privacy, Data Protection, Healthcare, healthcare security, himss, Incident Response (IR), Information Sharing, Quantum Computing, Risk Management, Security Conferences, Threat Response, Watson, X-Force,

Recapping IBM Think 2019 and HIMSS19: The Shared Landscape of Global Security

With IBM Think 2019 and HIMSS19 in the books, it’s worth making time for a quick debrief. Which topics resonated the most with attendees? Where did conference themes and discussions overlap? And what’s on the horizon for global cybersecurity this year and beyond?

Key Takeaways From Think 2019 and HIMSS19

According to IBM CEO, President and Chairman Ginni Rometty in her Think opening address, “chapter two” of digital transformation has arrived. For Rometty, this next chapter is scalable, driven by artificial intelligence (AI) and embedded across the enterprise. But without information architecture, she noted, “there is no AI.”

Trust underpins every aspect of effective digital transformation. This ties into IBM’s biggest push during the conference: Watson Anywhere. Built on the open-source orchestration engine Kubernetes, the microservices-based Watson Anywhere empowers organizations to run AI across the cloud environment of their choice, in effect democratizing AI technology to meet consumers along the path of their digital transformation journey — wherever they may be.

HIMSS19, meanwhile, had a clear focus on patient data, specifically the development of interoperability rules that prevent data blocking and empower effective information sharing. But there was also significant overlap with IBM’s initiatives; as Healthcare Dive reported, cloud and AI innovations were on full display at the Orlando event. Even more telling was the conference’s tag line, “Champions of Health Unite,” which speaks to the democratization and rapid uptake of healthcare technology, in turn allowing patients to manage their own healthcare experiences.

Hot Topics in San Francisco and Orlando

In San Francisco, IBM thought leaders, innovators and industry front-runners provided hundreds of great sessions for attendees, covering topics from AI acceleration to quantum computing and innovative security. Highlights included:

  • Accelerating the Journey to AIWhile 80 percent of organizations recognize the strategic potential of AI, just 19 percent understand what’s required to convert potential into profitability. State of New Jersey Judiciary CIO Jack McCarthy was joined by IBM Cloud and Cognitive Software Senior Vice President Arvind Krishna and other experts to help attendees develop a prescriptive approach to AI development across any cloud.
  • Innovation Doesn’t Happen Without Security. And Security Needs InnovationGlobal security challenges demand innovative technologies capable of doing more than responding to threats as they occur. But the innovation required to stay ahead of your competition isn’t possible without a solid security foundation. In this session, IBM Security General Manager Mary O’Brien, Westfield Insurance CISO Kevin Baker and former professional racecar driver Danica Patrick tackled the cyclical challenge of security, innovation and IT evolution.
  • The Journey to Cloud Community CrowdChat — In a more free-form session, the #Think2019 conference community CrowdChat tackled the challenge of cloud transition. According to Silicon Angle, chat participants highlighted both emerging needs for cloud-native tools capable of delivering “unprecedented flexibility” and commensurate security practices that drive both effective application development and DevOps processes.
  • Access the Future Today: Quantum ComputingWhile quantum computing has largely been confined to high-level enterprise use, this IBM session — led by Dr. Dario Gil, director of IBM Research — spoke to the development of road maps for mainstream adoption of cloud computing and how businesses could benefit from quantum solutions in the near term.

At HIMSS, meanwhile, hot conference topics included:

  • Patient-Centric Health Information ExchangeDisparate health information management systems are causing problems for physicians and patients alike. In this session, IBM Blockchain Solutions Architect Shahryar Sedghi and AT&T Director of Healthcare Solutions Thyge Knuhtsen helped define the requirements for patient-centric healthcare interoperability resources that leverage tools such as blockchain to “liberate” personal healthcare data.
  • Combating Cyberattacks with a Security ResidencyJennifer Kady, director of IBM Security solutions for the U.S. public sector, tackled the increasing risk of cybersecurity incidents with a new solution: security “residencies” that help train healthcare IT teams to effectively respond in the event of an attack.
  • Mitigating the Next Generation of Risk: Connected Medical DevicesThe use of connected medical devices is on the rise, but just 51 percent of device manufacturers follow FDA guidance to mitigate risks. This session focused on the development of programmatic, end-to-end security approaches to secure both IT assets and medical devices.
  • Reactions from the Field: AIThree industry leaders came together for a discussion of healthcare AI in the field. What’s working, what isn’t and what needs to change? From streamlining workflows and eliminating repetitive tasks, cloud-based AI has real potential for healthcare if companies can leverage clean, normalized “good data” to make accurate predictions and take critical action.

The Future of Global Security

Cybersecurity is now a serious global concern. For healthcare organizations, this is reflected in the $1.4 million it costs to recover from “average” cyberattacks, according to HealthITSecurity, and worrisome data from Proofpoint that shows health-focused email attacks are up 473 percent over the last two years. For IBM, AI-driven digital transformations aren’t possible without the solid foundation of innovative security and consumer trust.

Taken together, the topics and keynotes from both conferences suggest three emerging trends for cybersecurity in 2019:

  • Intelligence-driven response — Innovation drives success, and security is no exception. The rise of any-cloud AI makes innovative, intelligence-led incident response (IR) an attainable goal, and one that will quickly become necessary as threat actors leverage their own versions of AI to compromise global targets.
  • Personalized accountability — Patient healthcare data is an incredibly valuable resource. While the shift to “unblocked” data offers more granular control for patients and caregivers alike, it also speaks to the need for increased accountability; from connected devices to security readiness, enterprises must be prepared to defend data both at scale and in-situ.
  • Open data defense — Interoperability is critical for healthcare data, and data sharing is paramount for advanced AI systems. As data becomes more “open,” organizations must leverage advanced solutions such as quantum computing and IBM X-Force residencies to help defend this critical resource.

We’re only a few months into the year, but HIMSS19 and Think 2019 have already helped shape this year’s focus on enterprise transformation, innovation and global cybersecurity.

The post Recapping IBM Think 2019 and HIMSS19: The Shared Landscape of Global Security appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Douglas Bonderud

Bring-Your-Own-Device (BYOD), Business Email Compromise (BEC), Data Privacy, Data Protection, Endpoint, Endpoint Security, Network, Network Security, Phishing, Security Testing, Security Training, Social Engineering, social media,

When Combating Emerging Social Media Attacks, Don’t Try to Swim Against the Current

The greatest threats to the enterprise are often those that use social engineering to extract information or data from employees. For threat actors, this tactic rarely requires any technical know-how, so the barrier to entry is low.

To make matters worse, the rapid rise in social media use lowers this barrier even further. Regardless of whether your enterprise has rules in place to limit social media use, you can’t stop employees from using social media 24/7. As threat actors continue to leverage social media attacks as a launchpad to infiltrate enterprise networks, what are some defensive tactics organizations should be aware of?

Before we get into specifics, it’s critical for the enterprise to recognize that as social media use increases, the threat of attacks carried out via social media escalates as well.

Understanding Attackers’ Social Media Tactics

The first thing organizations should be concerned about is the ease with which a bad actor can target employees through social media.

“It’s not that difficult with a little bit of information going in,” said Paul Bischoff, privacy advocate at Comparitech.com. According to Bischoff, a threat actor only needs to know the name of one person who lists a target employer in his or her profile.

If it’s a big company, the attacker may not even need to know a specific person’s name — they can simply take a guess at common names. Now that the threat actor has their target, they have several options. One is to try hacking the account, possibly by using passwords leaked in data breaches at other companies. Or, they can attempt to establish contact with the target and use a phishing attack to get the information they need, such as getting access to a business email account. They could even try to add the mark as a friend or hack an existing friend’s account to impersonate them and communicate with the original target.

Using social media can help threat actors evaluate their targets both inside and outside of the workplace. People share a lot of personal information on social media, which often includes valuable nuggets of data about their work life. While the ubiquity of social media is relatively new on the technology timeline, social engineering is a scheme as old as time.

In our hypothetical hacking situation, if access to the employee’s accounts is compromised, the next step for the attacker can be to infiltrate the target’s corporate network. Depending on the network, the starting point is often getting access to business email, according to Bischoff.

“If a hacker manages to break into someone’s email, they can wreak havoc,” Bischoff added. “Not only are they privy to existing emails, but they can write new ones. Furthermore, an email account is often where two-factor authentication PINs, password reset links and other sensitive account information is sent for all sorts of online accounts.”

Once the threat actor logs in to a victim’s email account, they can buy themselves time by taking steps to lock the target out by changing the password and/or recovery email address. Because these problems can take a while to resolve, attackers typically have some leeway to work their way up the food chain, impersonating victims and sending convincing phishing emails to others in the company.

Exploring Some Simple Prevention Techniques

One prolific method that threat actors use as a stepping stone to access sensitive corporate data is profile cloning, in which fake Facebook (or Instagram or another social network) profiles are created by using duplicate photos and relevant data stolen from a targeted user’s real social media profile.

“Facebook cloning can be used to establish contact with the target by impersonating an acquaintance,” said Bischoff. “The hacker might even clone an existing friend’s profile — would you notice if someone who didn’t post much on Facebook added you as a friend a second time? Facebook mitigates this by showing how many mutual friends you have with anyone who sends you a friend request, but not everyone pays attention or cares.”

To thwart these types of attacks, Bischoff advised employees to not post an employer on their social media profiles. If they must, instead of selecting from the drop-down list of existing employers that appears when you start typing, they can “create” a new employer. This prevents the employee from showing up on the threat actor’s list when they target that specific company.

Additionally, as security experts have mentioned repeatedly, it’s critical to educate employees on common phishing tactics and even consider testing this in real-time with practice phishing emails. With 27 percent of users failing a phishing test, according to a 2018 study, we must continue educating and testing teams across the organization and providing role-based education and awareness sessions. Finally, Bischoff suggested establishing rules that require a second form of identity verification to share certain information.

“For example, if someone requests a password to use the office VPN, that person should also verify the request in person or by phone, and be sure not to use a phone number listed in the email,” Bischoff said.

Stand United to Fend Off Emerging Social Media Attacks

I’m not suggesting that you dictate how and when your employees use social media — a fool’s errand if there ever was one. Especially in this bring-your-own-device (BYOD) era, social media use, even at work, is only going to keep rising. I distinctly recall the arduous task of trying to monitor social media use in the early days of Facebook, and can’t imagine how difficult it would be for IT decision-makers today.

The lure of social media is too much to fight against. Instead of pushing back, we need to work with what we’ve got and do our best to educate employees about potential social media attacks. Make employees part of the process instead of restricting their online behaviors, and arm them with knowledge that can help them become a layer in the organization’s security shield.

“A chain is only as strong as its weakest link,” said Bischoff. It’s all about strengthening the links.

The post When Combating Emerging Social Media Attacks, Don’t Try to Swim Against the Current appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Mark Stone

CISO, Compliance, Cost of a Data Breach, customer experience, Data Breach, Data Privacy, Data Protection, Data Security, regulatory compliance, Security Awareness, Shadow IT,

Why You Need a Security-First Culture to Deliver on Your Customer-First Goals

I’ve been working in the security industry for mumble mumble years, and one recurring problem I’ve noticed is that security is often considered an add-on to business initiatives. This is neither new, nor surprising. And while the “customer-first” approach is not really a new talking point for most companies, “customer-obsessed” became a major business initiative for many in 2018. This is due to a number of factors — increased brand visibility via social media, changing buyer behaviors and evolving data privacy legislation, to name a few — and doesn’t show any signs of changing in 2019.

What Does It Mean to Be Customer-First?

Contrary to what many businesses seem to believe, customer obsession doesn’t mean sending six emails in two weeks to make sure your customer is happy with his or her purchase and requesting a good review or rating. Being customer-first simply means listening to your customers’ needs. It requires you to quickly adjust and react to meet those needs — or, ideally, anticipate them and proactively offer solutions to your customers’ issues.

Most of all, customer obsession requires trust. To build trust among your end users, security must be the foundation of every customer-first initiative. In fact, I’d argue that organizations must be security-obsessed to effectively deliver on their customer-first plans.

Prioritize Security to Build Customer Trust

The benefits of a customer-first business approach are clear: increased loyalty to your brand, revenue gains, etc. It is also apparent why security is so important: No organization wants to suffer the consequences of a data breach. However, by looking deeper into what a security-first to customer-first culture looks like, you’ll quickly uncover the complexity of this issue.

First, there is a distinct difference between checking the boxes of your security requirements (i.e., compliance) and truly making your customers’ welfare a top priority. Of course, adherence to security and privacy regulations is essential. Without these standardized compliance policies, companies could measure success in a variety of ways, which would look different to everyone. And if we’re being honest, meeting compliance regulations is often more about avoiding penalties than improving your business.

Second, your brand is more than just your product or service; it encompasses the way your company looks, feels, talks and spends money and is representative of its culture and beliefs. In other words, your brand is about the way people feel when they interact with your company. According to Forrester Research, today’s buyers are increasingly looking at these other characteristics when they make decisions about the products or services they use.

This is where security becomes essential. If you want to instill trust among your end users, you need to go beyond standard compliance measures. Security must become a foundation of your company culture and your customer-first initiatives. It must be threaded into every business initiative, corporate policy, department and individual. This means technology purchases should be made with your end users’ security in mind, as well as your employee data and corporate assets.

It also means evaluating your business partners and the policies they have in place to ensure they fall within your standards. For example, are you considering moving critical business technology to the cloud as part of your digital transformation initiatives? If so, what do you know about your cloud provider’s security precautions? Are you working with advertisers or marketing organizations that interact with your end users? If so, do you know how they handle your customers’ and prospects’ personal data?

How to Develop a Strong Security Culture

Operating a business that is customer-first is ambitious. It’s also really, really hard. By making security a cultural tenet throughout your organization, you communicate to your customers that your brand is trustworthy, your business has integrity and that they matter to you. So how do you do it?

Collaborate

Design collaboration into your security strategy with open solutions. The threat-solution cycle is a familiar one: A new security event occurs, the news covers it, a new company emerges to solve the problem, your company deploys the solution and then a new security event occurs. The entire industry is stuck in a vicious cycle that we, as vendors, have created. To break this cycle we need to take a page from our adversaries. Share intelligence with our peers and our competitors. Learn from other industries. Use open technology that integrates multiple sources of data. Only then are we equipped to uncover risks to our customers that hide among the chaos.

Build Security Muscle Memory

Many organizations are spending a lot of money on security awareness training, which is great. However, the best training is useless if employees are bypassing security measures for convenience. Make security processes required, enforceable and, above all, easily incorporated into the daily life of your users.

Shift Your Perspective

Security strategy is often an afterthought to business initiatives that cut costs, increase revenue and improve efficiency. Security is, after all, a cost. But a good security culture can set your company apart. It can be the champion or the killer for your brand, particularly in an era where customers’ buying motivations have shifted.

Right now, brand loyalty is an asset. A recent Harris Poll survey found that 75 percent of respondents will not buy from a company, no matter how great the products are, if they don’t trust it to protect their data. Stability, integrity and corporate responsibility are key factors in purchasing decisions. Making security a strategic pillar of your company’s brand is a tremendous responsibility, but one that will go a long way toward establishing trust among your users.

The Best Way to Grow Your Business

A customer-first approach is, arguably, the business initiative that can impact your bottom line the most. Understanding and proactively addressing your customers’ security and privacy concerns shows that you’re not just trying to sell a product or service, but that you are responsible with their data and operate with integrity. In an era where brand integrity matters, security-first is the best way to grow your business.

The post Why You Need a Security-First Culture to Deliver on Your Customer-First Goals appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Jennifer Glenn

Compliance, Data Breach, Data Privacy, Data Protection, General Data Protection Regulation (GDPR), Risk Assessment, Risk Management,

What Have We Learned About Data Protection After Another Year of Breaches?

There was no shortage of talking points on data protection in 2018, from concerns over data risk and compliance requirements to the challenges of operational complexities. When we surveyed some of the most prominent trends and themes from the last year, three topics stood out among the many facets of these core cybersecurity challenges: regulatory compliance, data breach protection and risk management.

As we settle into 2019, let’s take a closer look at what we learned in the past year and explore how organizations around the world can improve their data security posture in the long term.

Navigating Your GDPR Compliance Journey

When the General Data Protection Regulation (GDPR) took effect last May, companies were seeking guidance and best practices to address their compliance challenges. Although this sense of urgency is beginning to diminish, the demand for data privacy controls will only increase as organizations across industries and geographies adjust to the post-GDPR world.

In January 2020, the California Consumer Privacy Act (CCPA) will go into effect, and Brazil’s data protection law, Lei Geral de Proteção de Dados Pessoais (LGPDP), will kick in the following month. Many of the processes and requirements — not to mention the benefits — associated with GDPR compliance will be highly relevant to organizations’ preparations for these new regulations. In the year ahead, security teams should continue to focus on:

  • GDPR readiness: Complying with GDPR can require changes across nearly every aspect of your business, from customer communications to social media interactions and data protection processes for handling and storing personal and financial information. Analyze your GDPR readiness and kick-start compliance with this five-phase GDPR action plan.
  • How to report a breach: The GDPR requires companies to report a breach within 72 hours of their becoming aware of it, where feasible — an unprecedented timeline. Be sure to understand the requirements for reporting a breach, from the root cause to the assessment of the scope and the mitigation action plan.
  • GDPR and business success: Beyond the challenges and demands of compliance, the GDPR can be good for your business. When managed appropriately, compliance can help drive the organization to a more robust and future-proof security posture.

Data Protection Is a Hot Topic as Breaches Soar

Given that 27 percent of organizations will experience a recurring material breach in the next two years — coupled with the rapid proliferation of attack vectors such as the internet of things (IoT) — it’s no surprise that data security was top of mind for security professionals in 2018. Below are some of the salient themes:

  • Avoiding breaches: Data breaches are on the rise, due in part to an increase in the number of attack vectors created by complex IT environments. Yet many of these breaches are preventable. While every organization’s challenges are different, some of the most common data security mistakes can put enterprise and customer data at serious risk.
  • Responsibility: Who is responsible for data risk management? Blamestorming — the unpleasant, often futile process of pointing fingers — often follows a breach. By determining who is ultimately accountable before a breach, the C-suite can help prevent a breach in the first place and avoid the blamestorming.
  • Maintaining control over data: With the increasing number of ransomware variants, it’s critical to augment ongoing user education with technical controls and processes for optimal protection. Yet these measures can only do so much; technologies and processes that deliver preventive protection and instant remediation can help you maintain control of your data in the face of an attack.

Gain the Upper Hand Through Risk Management

Hand in hand with concerns about breaches, organizations are proactively seeking ways to understand, reduce and mitigate the risks that lead to these breaches. The third most popular topic covered a variety of risk mitigation and management themes that can help organizations on their journey toward smarter data protection, including:

  • Formalizing processes: Proactively finding and protecting the crown jewels is the only pre-emptive advantage organizations have in the battle of the breach. Creating and deploying formal risk management processes can help organizations evaluate information assets and the vulnerabilities that threaten to compromise them.
  • Structured versus unstructured data: Both structured and unstructured data are core business assets. That’s why it’s important to understand the differences between them and key considerations for assessing the risk levels for both structured and unstructured data when building a data protection strategy.

As you grapple with today’s data privacy, protection and risk management challenges — and prepare for tomorrow’s — these lessons, best practices and expert opinions from 2018 can help guide your security strategy and improve your data protection posture in 2019 and beyond.

Learn more about data protection

The post What Have We Learned About Data Protection After Another Year of Breaches? appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Joanne Godfrey