Posts

Cybersecurity tips at a glance: Managing IoT devices

As the realm of the internet of things grows, it is important to understand all aspects of the technology’s performance. Companies and industries that see only the benefits open themselves up to data breaches, public embarrassment and even legal action. IoT technology can boost productivity when done right but lead to costly and unnecessary expenses if utilized without proper foresight.

The possible downsides of exercise wearables
Employee wellness is a trend that is sweeping across industries. These initiatives have shown positive results, such as increasing worker morale and promoting healthy behaviors. One study from the Journal of Occupational and Environmental Medicine even found that employee wellness diet programs can reduce health risks.

To this end, exercise wearables, such as Fitbit, appear to make sense. These devices can track heart rate, body temperature, calorie consumption and sleep quality. Many come with a social aspect, as well, allowing co-workers to engage in friendly competition to see who is the most active within the office.

For many industries, these wearables have no real downside. However, employers should know that the location data gathered by many fitness wearables can be used to track where employees go, and where they go repeatedly. This exposure has been a particular problem for the U.S. armed forces. According to The Washington Post, the locations of several previously undisclosed military bases were revealed when fitness-tracking company Strava published a global heat map built from its users' GPS data.

U.S. service members had been using these fitness wearables for their benefits without fully understanding how the aggregated data could be exploited. Most commercial hardware is designed for ease of use and affordability rather than confidentiality, which is part of why IoT has famously run into cybersecurity concerns over the past several years.

For enterprises working with sensitive or classified material, IoT wearables therefore carry a real downside: outside parties, benign or malicious, can reconstruct employee movements and learn more about workers, and about the sites they work at, than may be deemed safe.
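To make the Strava point concrete, the following added example (not code from the original article or from Strava) shows how "anonymised" GPS fixes with no user identifiers still reveal a sensitive site once they are aggregated. The coordinates, the perimeter-loop activity and the scattered background fixes are all constructed for the example; the grid size and the 50-fix threshold are assumptions, not values from any published analysis.

```python
import math
import random
from collections import defaultdict

# Assumed, illustrative coordinates for a hypothetical remote site; not a real facility.
SITE_LAT, SITE_LON = 31.52, 65.85

def make_points(seed=7, laps=40, noise=200):
    """Constructed 'anonymised' activity data: GPS fixes with no user IDs.

    laps  -> how many times someone jogged a ~400 m perimeter loop at the site
    noise -> scattered fixes elsewhere in a ~100 km square, standing in for
             everyone else's workouts in the region
    """
    rng = random.Random(seed)
    pts = []
    for _ in range(laps):
        for step in range(20):
            ang = 2 * math.pi * step / 20
            pts.append((SITE_LAT + 0.0018 * math.sin(ang) + rng.gauss(0, 0.0001),
                        SITE_LON + 0.0018 * math.cos(ang) + rng.gauss(0, 0.0001)))
    for _ in range(noise):
        pts.append((SITE_LAT + rng.uniform(-0.5, 0.5),
                    SITE_LON + rng.uniform(-0.5, 0.5)))
    return pts

def grid_cell(lat, lon, cell_m, ref_lat):
    """Bin a fix into a cell roughly cell_m metres on a side (flat-earth approximation)."""
    lat_m = 111_320                                    # metres per degree of latitude
    lon_m = 111_320 * math.cos(math.radians(ref_lat))  # metres per degree of longitude
    return (int(lat * lat_m // cell_m), int(lon * lon_m // cell_m))

def hot_cells(points, cell_m=500, min_points=50):
    """Return cells holding at least min_points fixes, densest first, with their centroid.

    This is the whole 'attack': no identities are needed, only repetition in one place.
    """
    if not points:
        return []
    ref_lat = sum(p[0] for p in points) / len(points)
    by_cell = defaultdict(list)
    for lat, lon in points:
        by_cell[grid_cell(lat, lon, cell_m, ref_lat)].append((lat, lon))
    hot = []
    for cell, pts in by_cell.items():
        if len(pts) >= min_points:
            lat = sum(p[0] for p in pts) / len(pts)
            lon = sum(p[1] for p in pts) / len(pts)
            hot.append({"cell": cell, "points": len(pts),
                        "centre": (round(lat, 4), round(lon, 4))})
    hot.sort(key=lambda h: -h["points"])
    return hot

if __name__ == "__main__":
    for h in hot_cells(make_points()):
        print(f"{h['points']:4d} fixes near {h['centre']}")
```

The background fixes never reach the threshold, while the perimeter loop lights up one or two adjacent cells whose centroid sits within a few hundred metres of the site. Stripping names from the data does nothing to prevent this; the only effective controls are not uploading location data from sensitive sites at all, or the provider suppressing low-population areas from aggregate products.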

Augmented reality glasses can also potentially leak vital secrets, as they see and record all the employee does.

Know where backup data is stored
Many IoT devices provide extra “eyes” on the field. Drones have been performing various types of reconnaissance missions for decades, whether for government contractors or farmers wishing to understand more about their soil. These unmanned aerial vehicles, or UAVs, are built to capture, transmit and store data.

While useful, drones raise several serious cybersecurity concerns. A drone can be captured, and its telemetry or video link intercepted; if so, whatever it has stored or is transmitting becomes accessible. The risk is greatest for devices that keep a local copy of everything they capture. A report from Syracuse University notes concerns that data stored on Chinese-manufactured drones could be accessed by that country's government and would be out of U.S. control.

Using IoT devices has many advantages, but executives must always consider the full picture before implementation.

Exploring the true value of a CISO

As cybersecurity issues become more prevalent, one position within the corporate ladder is gaining new attention: the chief information security officer. The financial burden of data breaches continues to rise. One recent report from Accenture stated that the average annual cost of cybercrime, across the organizations it studied, reached $11.7 million in 2017, a 27.4 percent increase from $9.5 million in 2016.

Along with the rising expenses of cyberattacks, companies have been spending more on protection, and in particular on CISOs. Security Current data indicated that the overall average salary for a CISO was $273,033 by the end of 2016, a figure that is expected to have risen since. As organizations continue to pay more for CISO expertise, the question becomes: What value do CISOs truly bring to the organizations they serve?

Distilling decision-making to one person
Cybercriminals have certain inherent advantages over the companies they target. One is anonymity: attackers typically research an organization's staff beforehand, which aids spear phishing and other intrusion attempts, while the business often has no certainty it is even being targeted until it has been attacked.

Another crucial advantage for attackers is that many companies, especially small- and medium-sized businesses, don't have a CISO. All cybersecurity policies and initiatives must then go through the IT department or another group with other priorities. When a chief technology officer has to handle cybersecurity on top of other duties, initiatives slow down, in some cases by a month or more.

Cybercriminals are constantly adapting and adding new malicious software to their arsenals. To keep pace, one person within the organization must act as the attacker's counterpart, keeping the company's security policies fluid and responsive. As Help Net Security pointed out, CISOs must not only be leaders but also serve as the link between innovation and defense. A single, dedicated person can do this far more effectively than a distracted team.

Having a leader creates a clear, authoritative flow for decision-making.

Presenting a single, unified cybersecurity vision
Likewise, C-level executives are typically the only employees able to make decisions with real, organization-wide impact. Unfortunately, many executives and decision-makers remain uninformed about cybersecurity. A BAE Systems survey found only 42 percent of executives felt they were very or extremely knowledgeable about their company's cybersecurity policies.

In order to create comprehensive, overarching information security standards, businesses need a respected voice in the room who can articulate and educate other executives on the need for cybersecurity initiatives. CISOs have this presence and, unlike CTOs, they are not hindered by distractions that can occur in other business segments. 

"Think in terms of 'when' instead of 'if.'"

Creating and updating corporate response strategy
Experts agree that companies that develop cyberattack response strategies minimize losses and seal breach points more quickly. While it is nice to hope that your organization will never be affected, the far more prudent strategy is to think in terms of "when" instead of "if." When a cyberattack occurs, the organization must have a clear, itemized response plan.

According to Risk Management, the best plans are proactive, revised at least twice a year or even quarterly to adapt to new attack methods. A comprehensive plan includes steps such as workforce education, breach detection tools, customer notification and legal recourse.

Once a data incursion occurs, the CISO and his or her team must be able to detect it as quickly as possible: the longer an attack goes unnoticed, the more damage it does. Placing the CISO in charge of maintaining and updating the response plan ensures that the work gets done and that the plan carries clear authority.

When a data breach occurs, the last thing that decision-makers want or need is to be arguing about what to do and who should do it.

Allowing the IT team to focus
IT teams within companies are frequently overburdened. In addition to maintaining and updating company software, IT personnel regularly respond to the daily crises of other employees. Every hardware, email or other type of problem distracts IT groups from performing their primary duties.

While typical employees tend not to notice whether or not an operating system is updated, it is these performance checks that ultimately help keep company networks safe from unauthorized access.

Bringing in a CISO gives the IT group more time to focus on its core responsibilities. The CISO may work alongside regular IT staff at times, but it is best not to overlap duties too much. CISOs can own the handling of red flags, such as phishing emails and embedded malware, that might otherwise escape detection or consume IT capacity.

CISOs don't need to be paid a quarter of a million dollars a year to be valuable. Essentially, they act as the point person for cybersecurity: a clear head who can set direction and formulate strategy. Too often, companies take a relaxed approach to cybersecurity, which almost always ends in lost income and damaged reputation.

For organizations that cannot afford a full-time CISO, other options remain. Cloud providers typically bring far more security resources than a small in-office network can, and some managed IT providers offer comparable oversight and proactive planning. Regardless of who or what is in charge of information security, companies must treat compliance and protection as crucial issues.

How will the GDPR affect your business?

After two years of preparation, the European Union's General Data Protection Regulation is set to go into effect May 25, 2018. Designed to replace the Data Protection Directive of 1995, this legal framework provides substantial protection for the personal data of people in the EU by imposing heavy fines on any company found to be in violation.

While large companies within the EU have been bracing themselves for impact, many organizations feel unprepared. A report from information security provider Varonis found that 55 percent of businesses worldwide were worried about incurring fines for a GDPR violation. Given that these penalties can be severe – with a maximum fine of €20 million or 4 percent of annual worldwide turnover – organizations may have reason for alarm.

However, arguably the group most at risk are smaller businesses not based in the EU, or companies that don't primarily deal with data. After all, the GDPR is all about regulating data privacy. Yet these organizations may be in the crossfire. Any business that collects data, any amount of it, from an EU citizen or the EU market must fully comply with GDPR standards.

Who needs to comply with the GDPR?
According to the New York University School of Law, any U.S. organization with a presence of any kind in the EU (a person or an office) should ascertain whether it will be required to follow the GDPR. GDPR standards apply to all businesses that process any amount of "personal data" from individuals located in, or protected by, the EU.

The definition of personal data here is broad: under the regulation, personal data is any information, not just traditional personally identifying information, that relates to an identified or identifiable natural person. That covers log-in credentials, vehicle identification numbers and IP addresses.

"Any operation or set of operations which is performed on personal data or on sets of personal data" will be regulated by the new standard, according to the articles of the GDPR. These broad definitions and regulations have been purposely worded to incorporate not just companies within the EU but global organizations as well. While the GDPR is a Euro-centric law, its implications may create a new global standard of internet data security.

Businesses with remote employees who are citizens of the EU should investigate whether they will be bound to GDPR policy.

How prepared generally is the U.S.?
Unfortunately, many U.S. businesses are simply not well informed about the coming regulation. The Varonis report found U.S. awareness of the GDPR was only 65 percent, below the overall average of 79 percent. Only 30 percent of U.S. respondents reported being in full compliance with the upcoming rules, and over 10 percent of organizations still didn't know whether the regulation would affect them.

Looking at which compliance measures have been completed, the majority of U.S. companies affected by the GDPR have re-evaluated their data breach detection procedures, since the GDPR requires that a personal data breach be reported to the supervisory authority within 72 hours of the organization becoming aware of it, and that affected individuals be told without undue delay when the breach poses a high risk to them. A little less than 60 percent of U.S. organizations have also conducted a comprehensive assessment of the personal data stored within their organization.

This procedure is highly recommended for all companies that may even remotely store some sort of personal data from the EU. It is only after such an assessment has been performed that an organization can be sure whether or not it will be affected by the GDPR.

About 7 percent of U.S. businesses had completed no significant measures to comply with the GDPR.

What does the GDPR mean for data collection?
Personal data collection will become more transparent under GDPR guidelines. Everyone, personally and professionally, is familiar with user agreements on services like Facebook and Google. These documents have been full of dense legalese that obscures what the service actually does with the data and limits what consumers understand about it.

Under the GDPR, consent buried in such documents is no longer valid: requests for consent must be presented in clear, plain language that tells the "data subject" exactly what information is being collected and why, and the individual may withdraw that consent at any time, with no penalty allowed for doing so. In short, the naive early days are over, and the GDPR will arm at least EU consumers with the tools needed to decide what, if any, information they allow to be shared for commercial purposes.

Data protection by design will also be mandated. Companies will have to build information security into every stage of the systems that collect and process personal data, instead of relegating it to add-on software or hardware.

How the GDPR will impact overall data collection remains to be seen. However, what is clear now is that many organizations still have work to do before May 25. With such steep penalties for failure to comply, businesses cannot afford to be asleep on this issue, or even to drag their feet. The fundamental nature of information security could well change from this act. Hopefully, it will be for a better, more secure data privacy marketplace. 

Data Madness: Physical and digital, ensuring that critical data stays safe

With March winding down, it is important to remember the significance of confidential corporate information. Data has been called the new oil, however, as Business Insider pointed out, this is not a great comparison. Unlike oil, more data does not intrinsically mean greater value. The nature of this information greatly matters.

So really, data is more like sediment. Some bits are just pebbles – numerous beyond count and basically interchangeable. However, certain information – like say personal identification information and dedicated analytical data – is immensely valuable. These are the gemstones, the gold, and this data must be protected.

To avoid data madness, or the immense financial and irreparable damage done by lost confidential information, follow these tips to safeguard valuable data:

"Around 23 percent of IT thefts occur in office."

Securing physical data
While many organizations worry about theft from cars, airports or other public places, not enough attention is paid to a real danger: the office. According to a Kensington report, 23 percent of IT equipment thefts occur in the office, nearly 10 percentage points higher than hotels or airports.

The same report found that over a third of IT personnel have no physical protection in place to prevent hardware from being stolen, and only 20 percent use locks to secure hard drives.

While organizations worry about small devices like wearables and smartphones, basic security cannot be overlooked. Companies must take steps to ensure that only employees or approved guests have access to the premises. Even then, not every worker needs universal access. Server rooms and hardware storage should be kept behind additional locks.

IT teams should also be required to keep a thorough inventory of all network-enabled data devices. This will alert the organization quickly should a theft occur. While cybersecurity grabs headlines – the importance of a good, strong physical lock cannot be overstated.

Malicious third parties are not above using simple and primitive tactics.
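An inventory only helps if something compares it against what is actually on the network. The following added example (not code from the original article) reconciles a constructed asset list against constructed dnsmasq-style DHCP lease lines: any inventoried device that has not been seen for longer than an assumed grace period is reported, as is any unknown device that has appeared. The asset tags, MAC addresses, hostnames, log lines and the two-day threshold are all made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed inventory: asset tag -> (MAC address, description). Not real hardware.
INVENTORY = {
    "LT-0412": ("3c:52:82:aa:01:10", "laptop, finance"),
    "LT-0413": ("3c:52:82:aa:01:11", "laptop, finance"),
    "NAS-007": ("00:11:32:bb:7e:40", "backup NAS, server room"),
    "WS-0099": ("b4:2e:99:cc:00:5a", "workstation, front desk"),
}

# Constructed dnsmasq-style DHCP lease lines (syslog omits the year; assumed below).
LEASE_LOG = """\
Mar 21 08:14:02 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.4.21 3c:52:82:aa:01:10 fin-lt-0412
Mar 21 08:15:40 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.4.22 3c:52:82:aa:01:11 fin-lt-0413
Mar 21 08:16:11 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.4.5 00:11:32:bb:7e:40 nas-007
Mar 26 07:58:30 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.4.21 3c:52:82:aa:01:10 fin-lt-0412
Mar 26 08:02:17 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.4.5 00:11:32:bb:7e:40 nas-007
Mar 26 09:41:55 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 10.0.4.77 de:ad:be:ef:00:01 android-9f1c
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
    r"DHCPACK\(\S+\) (?P<ip>\S+) (?P<mac>[0-9a-f:]{17})(?: (?P<name>\S+))?$"
)

def last_seen(log_text, year):
    """Map each MAC address to the timestamp of its most recent DHCP acknowledgement."""
    seen = {}
    for line in log_text.splitlines():
        m = LEASE_RE.match(line)
        if not m:
            continue  # not a lease line; ignore rather than fail on unrelated syslog
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        mac = m["mac"].lower()
        if mac not in seen or ts > seen[mac]:
            seen[mac] = ts
    return seen

def inventory_report(inventory, log_text, now, max_silence=timedelta(days=2)):
    """Reconcile the inventory with the lease log as of 'now'.

    missing -> inventoried device never seen in the log window
    stale   -> inventoried device silent for longer than max_silence (tag, days)
    unknown -> MAC on the network that is not in the inventory
    """
    seen = last_seen(log_text, year=now.year)
    known = {mac.lower() for mac, _ in inventory.values()}
    missing, stale = [], []
    for tag, (mac, _desc) in inventory.items():
        ts = seen.get(mac.lower())
        if ts is None:
            missing.append(tag)
        elif now - ts > max_silence:
            stale.append((tag, (now - ts).days))
    unknown = sorted(mac for mac in seen if mac not in known)
    return {"missing": sorted(missing), "stale": sorted(stale), "unknown": unknown}

if __name__ == "__main__":
    report = inventory_report(INVENTORY, LEASE_LOG, now=datetime(2018, 3, 27, 9, 0, 0))
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

A device that has gone quiet is not proof of theft (it may be switched off or on leave with its owner), but it is the prompt to go and look, which is exactly what an inventory is for. The unknown-device list is the same check run the other way and catches hardware that walked in rather than out.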

Protecting digital data
While physical protection is essential, cybersecurity is rising in importance. Gemalto data states that, since 2013, more than 9 billion digital records have been stolen, misplaced or simply erased without authorization. More troubling is the recent increase in data loss: Gemalto also recorded a steady rise in the number of data breaches and a dramatic uptick in misplaced or stolen information.

Cybercriminals adapt quickly and their tools are constantly evolving. Deloitte released a report chronicling the increasing tenacity and sophistication of ransomware, an attack that encrypts an organization's data and demands payment to restore access. Infamous attacks like WannaCry made headlines last year, and unfortunately such incidents are expected to become more common.

When enhancing cybersecurity, take a company-wide approach. Every employee with network access needs to be educated on basic risks. Network administrators should also structure access on the principle of least privilege. As with the physical server room, not every employee needs access to every file. Permissions should be granted sparingly.

Lastly, businesses need a concrete plan for when a data breach does occur, so that they can respond swiftly and efficiently to contain the attack.

Finding the point of breach quickly can reduce the damage done by cybercriminals.

The Cloud Advantage
One of the reasons that cloud services are so popular is that they alleviate certain cybersecurity concerns. Many businesses, especially smaller organizations, have budget restrictions, whereas a cloud services provider like Microsoft annually invests $1 billion in cybersecurity, according to Reuters.

Handing off information security concerns to a trusted organization with more resources is one way to help safeguard your data, and keeping a backup there means that a single theft or hardware failure does not mean the data is gone for good.

Data Madness: Exploring the reliability of in-house data vs. cloud servers

Much is made today about choosing the right kind of data storage. When you’re running a team, the last thing you want is for some crucial information to go missing. Such a setback can be disastrous, especially if the data lost was from a survey or customer response. In addition, you have the added anxiety of only hoping the data was lost, not stolen.

As data madness continues, we're exploring the most secure methods to back up essential data. In today's article, we're putting the two most popular solutions under a microscope: in-house servers and cloud data storage. For many companies, success hinges on data security. Know the best method and keep your organization running.

How to keep in-house servers running effectively
The longer a server is in operation, the more likely it is to break down. A Statista report found that only 5 percent of servers failed within the first year. By the fourth year, that figure had more than doubled, and by year seven nearly 20 percent of servers had failed. While the likelihood of failure is still relatively low after seven years, organizations running such hardware are clearly taking a large risk: in effect, they are accepting a roughly one-in-five chance that any given seven-year-old server has already failed.

Servers should be continually replaced and upgraded to be effective at securely housing data. However, age is not the only factor that can cause a server to malfunction. RocketIT stressed the need to continuously upgrade server software to keep it protected and compatible with modern systems.

Since servers are gold mines of confidential data, they are prime targets for any attacker. Keeping servers up to date not only keeps them running smoothly, it also reduces the risk of malware being able to compromise them.

Lastly, if your business opts for servers then it needs a dedicated, maintained space in which to house them. According to Serverscheck, the ideal server room temperature is between 64-80 degrees Fahrenheit with no more than 60 percent humidity. Servers work best with constant conditions so any change could impact device functionality. In addition, if there is a flood or water leakage in the room, then the organization is at serious risk of data loss.

Servers need dedicated, environmentally-controlled space in order to function at peak levels.

Choosing the right professional cloud services provider
If your company instead opts for a cloud service provider, it must choose the right provider. There are currently numerous options in the field, with Amazon and Microsoft standing out as the dominant players.

Many cloud service providers run physical servers themselves; essentially, they take on the maintenance, storage and cybersecurity responsibilities and charge clients for the service. While some providers, like Cisco in a recent incident, have lost client data, such losses have so far been rare, according to The Register.

However, there is another side to cloud data: it can keep existing even after the order is given to delete it, as some celebrities learned in an unfortunate way, according to Wired. If an organization stores data with a cloud provider, it should be very careful about if and when additional backups are made. Data that survives its intended expiration is dangerous, especially if the company that owns it has no idea it still exists.

And the most secure data storage method is…
Oxford Dictionaries chronicled the phrase “you can’t have your cake and eat it too” as a way of summarizing that you need to choose only one option. With data storage – you can eat as much of your cake as you want, while still having an infinite supply left over. For companies serious about safeguarding data, the best option is simply both.

Backing up data to multiple sources is one of the best ways to ensure that it is never accidentally deleted. Just be sure that every copy is secure, to keep classified information out of malicious hands.
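Keeping several copies only helps if you can tell a good copy from a silently corrupted or tampered one. The following added example (not code from the original article) builds a SHA-256 manifest of a backup set, authenticates the manifest with an HMAC so that someone who alters a copy cannot simply rewrite the manifest to match, and checks each copy against it. The file contents and the manifest key are constructed for the example; in practice the key would be held by the data owner, separate from every copy.

```python
import hashlib
import hmac
import json

# Constructed sample data set standing in for the files in a backup.
PRIMARY = {
    "customers/2018-q1.csv": b"id,name,email\n1,Ada,ada@example.test\n2,Lin,lin@example.test\n",
    "survey/responses.json": b'[{"q1": 4, "q2": 5}, {"q1": 2, "q2": 3}]',
    "reports/march.txt": b"March summary: 412 responses, 96% completion.\n",
}

# Assumed: this key is kept by the owner, never stored alongside the copies.
MANIFEST_KEY = b"example-manifest-key-rotate-me"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _canonical(entries: dict) -> bytes:
    # Stable serialisation so the HMAC does not depend on dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()

def build_manifest(files: dict, key: bytes) -> dict:
    """Hash every file and sign the resulting table with HMAC-SHA256."""
    entries = {name: {"sha256": sha256_hex(data), "size": len(data)}
               for name, data in sorted(files.items())}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}

def verify_copy(copy: dict, manifest: dict, key: bytes) -> dict:
    """Check one backup copy (name -> bytes) against an authenticated manifest."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    problems = {
        "manifest_tampered": not hmac.compare_digest(expected, manifest["tag"]),
        "missing": [], "corrupted": [], "unexpected": [],
    }
    if problems["manifest_tampered"]:
        return problems  # an unauthenticated manifest proves nothing about the copy
    for name, meta in manifest["entries"].items():
        if name not in copy:
            problems["missing"].append(name)
        elif sha256_hex(copy[name]) != meta["sha256"]:
            problems["corrupted"].append(name)
    problems["unexpected"] = sorted(set(copy) - set(manifest["entries"]))
    return problems

def copy_is_good(problems: dict) -> bool:
    return not problems["manifest_tampered"] and not any(
        problems[k] for k in ("missing", "corrupted", "unexpected"))

if __name__ == "__main__":
    manifest = build_manifest(PRIMARY, MANIFEST_KEY)
    offsite = dict(PRIMARY)                       # a faithful second copy
    offsite["reports/march.txt"] = b"March summary: 412 responses, 69% completion.\n"
    print("primary ok:", copy_is_good(verify_copy(PRIMARY, manifest, MANIFEST_KEY)))
    print("offsite:", verify_copy(offsite, manifest, MANIFEST_KEY))
```

Run the check on every copy on a schedule, not only when a restore is needed: a bit flip on a disk or an attacker quietly swapping a file is found the week it happens rather than the day the data is needed. Whether the copies are also encrypted at rest is a separate control; this check only tells you they are intact and complete.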

Storing data in multiple sites ensures that it lasts longer.