In order to understand the ever-changing regulatory landscape, we spoke to eight cybersecurity experts about the latest developments and how businesses should navigate their way through.
Read more...
“Your security is important to us,” is a common phrase on corporate websites and emails, usually after some data breach that affects customers. To prove that statement, corporations invest billions of dollars in the cybersecurity industry. Most market projections say the industry is worth about $180 billion. About 15 percent of that market goes to data security. But all the indications are that we are losing the war in personal identity security That leaves is with the question: Do corporations really care about customer security?
Probably not
US Department of Health and Human Services reported recently that. in the US, there have been 2,213 breaches since 2020, with 152.1M affected individuals. That is almost half of the American population. But that is just breaches involving medical data.
The FBI reports, in the same period, more than 350 million stolen personal information records, exceeding the known population of the country. Worldwide, the number of personal identity information (PII) records exceeds one billion people.
So how bad is it? “I always tell people assume your social security number has been breached. Just assume that,” said John Meyer, senior director for Cornerstone Advisors, an organization providing security consultation to financial organizations.
So we are spending tens of billions of dollars to protect data from exfiltratation on almost a weekly basis from attacks bypassing current defenses. Is it worth the investment? Does protecting that data even matter?
Well, yes… sort of
Data security professionals say it is and it does. Communications, industry intellectual property, state secrets, and control of crucial systems must still be protected. Most professionals we talked to cite ransomware attacks as the primary reason for investing in security precuts and services.
Becoming an expert cybersecurity solution using AI requires processing and analyzing massive amounts of data over time to understand the nuances of how it’s being used for malicious purposes. Data, how it is collected, stored, and analyzed, and the insights gained are essential to successfully protecting, detecting, and responding to cybersecurity threats.
Read more...
Today businesses face increasingly sophisticated cyber threats that necessitate robust security measures. One such innovative approach gaining traction is the Security Operations Center as a Service (SOCaaS). This model offers organizations the opportunity to enhance their security operations efficiently and effectively by leveraging external expertise and advanced technologies.
Read more...
As legislatures around the world try to get a handle on the growth of ransomware, another category of cybercrime is festering out of control: Elder fraud.
The FBI’s Internet Crime Complaint Center (IC3) reported more than 100,000 people in the US, 60 years and older, lost $3.4 billion total to digital scams. The IC3 pointed out that the elderly are half as likely to report a loss. So the actual crimes and losses are probably much higher.
In contrast, the total ransomware payouts last year from reporting companies was $1.1 billion according to Chainanalysis. While the total number of fraud reports to the IC3 appears to have leveled off after years of growth, elder fraud increased by 14 percent year on year.
“Combatting the financial exploitation of those over 60 years of age continues to be a priority of the FBI,” wrote FBI Assistant Director Michael D. Nordwall, who leads the Bureau’s Criminal Investigative Division, in the report. “Along with our partners, we continually work to aid victims and to identify and investigate the individuals and criminal organizations that perpetrate these schemes and target the elderly.”
Who is vulnerable?
Richard Starnes, CISO at Six Degrees, discusses the increasingly pivotal role of today’s CISOs and why, in the face of growing danger from an ever-expanding variety of cyber-attacks, every modern enterprise needs one in place.
The cybersecurity industry seems addicted to research but isn’t all that good at it. Mining the massive amount of data produced is daunting but crucial to everyone.
Surveys and studies are an important part of marketing form the cybersecurity industry. Cyber Protection magazine receives a lot of them. We read them all. In the two months before the RSA Conference, more than one a day came into our inbox. However, they are not a great source of independent data and insight.
Ignoring the cherry-picked data highlighting a particular company’s product or service, there are a few nuggets that, taken together, produce some interesting insights. Out of 60+ reports, we took a pass on any that were repetitive, were suspect methodologically, or effectively plagiarized from another source. We chose to look at seven with a solid methodology, representation of industry-wide concerns, and originality. The reports came from Dynatrace, Black Kite, SlashNext, Metomic, Originality AI, Logicgate, and Sophos. We found three common themes: The impact of AI on security, government regulation compliance, and understanding of security concerns on the C-suites and board levels.
Understanding security issues.
Almost every study has a common complaint. CISOs say application security is a blind spot at the CEO and board levels. They say increasing the visibility of their CEO and board into application security risk is urgently needed to enable more informed decisions to strengthen defenses.
However, Dynatrace’s study said CISOs fail to provide the C-suite and board members with clear insight into their organization’s application security risk posture. “This leaves executives blind to the potential effect of vulnerabilities and makes it difficult to make informed decisions to protect the organization from operational, financial, and reputational damage.”
Recent news shows the study may have a point. Marriott Hotels admitted that a 2018 breach was the result of inadequate encryption of customer data. In 2018 the company claimed their data was protected by 128-bit AES encryption when customer identity was only protected by an outdated hashing protocol. One can imagine the discussion between the CEO and the IT department:
CEO: is our data encrypted?
IT manager: Yeah, sort of.
CEO: OK, good enough
If the CEO doesn’t understand the difference between a hash and AES encryption, that’s a problem.
And there many be evidence that ignorance is widespread. Apricorn reported that the number of encrypted devices in surveyed companies had dropped from 80 percent to 20 percent between 2022 and 2023. Some of that could be attributed to work-from-home (WFH) growth in companies. It is also likely that companies over-reported what was encrypted simply because they did not understand what “encryption” meant. Once they learned the meaning, adjustments were made.
That lack of a foundational security technology could be a reason for the devastating growth in ransomware in the past two years.
We are at an inflection point in the US Congress. For decades technology companies have been given free rein to advance and innovate without concern for the negative impact of what they produce. That honeymoon seems to be over, but their lobbying power has kept the weight of regulation relatively far from them.
Last week, the House Financial Services Committee advanced the Financial Innovation and Technology for the 21st Century Act, also known as the FIT Act, to the House floor for debate and approval.
You must be a Free member to access this content.
The IT skills shortage has become one of the biggest challenges for companies in recent years.…… Membership Required You mustmore...
The digital age has ushered in a golden era for small businesses (SMBs).…… Purchase RequiredThis content requires that you purchasemore...
This content requires that you purchase additional access. The price is $1.00 or free for our Premium members.