Calculating the Costs of a Cyber Breach: Becoming the “Antifragile” Cyber Organization

What is worrying us is the intangible like human interaction with and dependence on machines, human decision-making…In this space, we actually feel we are doing the opposite of getting better; instead, we are getting worse. We are becoming even more fragile.

The 2017 Ponemon Institute Cost of a Data Breach Study found that the cost of a data breach is going down, but the size of a data breach is going up.” Additional key findings included the following:

  • The average total cost of a data breach decreased from $4.00 to $3.62 million.
  • The average cost for each lost or stolen record containing sensitive and confidential information also decreased from $158 in 2016 to $141. (The strong USD played a role in reducing the costs.)
  • The average size of the data breaches investigated in the research increased 1.8 percent.

Okay, so what does all that mean? Good news? Bad news? Mixed news?

Continue reading “Calculating the Costs of a Cyber Breach: Becoming the “Antifragile” Cyber Organization”

Local LinkedIn pick as cybersecurity guru talks trends

I think government is traditionally been way behind on procurement issues and recently, enactment of legislation for modernization has taken place. They’re trying to replace a lot of legacy systems.

Our guest today was recently named by LinkedIn as one of the top five people to follow in cybersecurity issues among their 500 million members. He was also just selected as LinkedIn to be an advisor on cybersecurity and emerging technology issues, and we’re lucky enough to have him here in the studio– Chuck Brooks of Chuck Brooks Consulting. Chuck, thanks for joining us. Continue reading “Local LinkedIn pick as cybersecurity guru talks trends”

Four Key Lessons From NACD’s ‘2018 Governance Outlook’ About Managing Cyber Risks

“Being ‘secure’ is not a static end state that lends itself to inflexible compliance checklists; it requires a constant evaluation of risk relative to a rapidly evolving cyberthreat landscape.”

In mid-December 2017, the National Association of Corporate Directors (NACD) published its “2018 Governance Outlook: Projections on Emerging Board Matters” report, designed to highlight key areas of focus for board directors in 2018. It also offered recommendations for improving enterprise risks, including a section dedicated to cyber risks.

Four Key Takeaways From the NACD ‘s ‘2018 Governance Outlook’

The report — and the underlying NACD Public Company Governance Survey — found that only 49 percent of board directors are confident about management’s ability to effectively handle cyber risks. In the same vein, since there are increasing calls for cyber risks to be integrated within the enterprise risk management (ERM) system, 58 percent said it was important or very important for their boards to improve oversight of risk management in the coming year. Continue reading at SecurityIntelligence.com

Treat Your Data Like Cash

Information is just another form of currency (arguably, the most valuable), which is why if you believe in the old saying “cash is king” then we should really start thinking “data is king” also.

How annoyed are you when you find out you lost some cash?  Whether it is a few bucks in your jeans pocket or that “emergency stash” under the mattress, losing that “cold hard cash” is a feeling that always twists your stomach.  Sometimes you blame yourself.  Sometimes you blame others.  Depending on the amount lost, your emotions could range from the standard “how could I be so stupid?” to a profanity-laced tirade that is not suitable for print here.

Question: do you feel the same way when you experience credit card fraud?  My instinct is that while you would feel some sort of violation and negative feelings, it’s just not “the same” as losing cash. Continue reading “Treat Your Data Like Cash”

Where the CISO Should Sit on the Security Org Chart and Why It Matters

To ensure that the CISO is so empowered, top leadership must view and treat security as a strategic element of the business. In other words, they must view cyber risks as strategic risks. Internal collaboration with the security function should be supported and strongly encouraged at all levels of the organization.

In early 2016, boards were starting to take cybersecurity more seriously and, in the process, increasing their interactions with chief information security officers (CISOs). How much has changed in the past two years? To whom do CISOs report today, and why does it matter?

The State of the Security Org Chart in 2018

In the latest edition of its “Global State of Information Security Survey,” PricewaterhouseCoopers (PwC) found that 40 percent of CISOs, chief security officers (CSOs) or other equivalent information security executives report to CEOs, while 27 percent report to board directors, 24 percent report to a chief information officers (CIO), 17 percent report to a CSO and 15 percent report to a chief privacy officer (CPO). Since PwC’s numbers add up to more than 100 percent and the actual survey questions aren’t provided, these numbers likely include dotted lines of reporting in addition to direct reports. Continue reading at SecurityIntelligence.com

Five New Year’s Resolutions to Help CISOs Improve Enterprise Security in 2018

As we turn the page to 2018, organizations and their CISOs should commit to improving the way they consider, manage, communicate and respond to cybersecurity issues. That means introducing cognitive technology into the security environment, educating top leadership about cyber risks, promoting a culture of security awareness throughout all levels of the organization, conducting data breach simulations and tabletop exercises to hone incident response capabilities, and measuring the progress and maturity of security activities.

If you survived 2017 — a year full of data breaches, ransomware, distributed denial-of-service (DDoS) attacks and a multitude of other high-profile security incidents — you deserve a pat on the back. Some of us weathered the storm thanks to our careful preparations, the security controls we deployed, the incident response strategies we practiced and the recovery mechanisms we put in place. The rest of us can thank our lucky stars that things didn’t turn out for the worse.

Five Enterprise Security Resolutions for 2018

No matter how you navigated the treacherous threat landscape during the past year, it’s time for all of us in information security to make our New Year’s resolutions. If you’d rather not leave the fate of your organization to luck in 2018, here are five resolutions for chief information security officers (CISOs) to apply in the new year. Continue reading at SecurityIntelligence.com

Long Road Ahead or Unbridgeable Chasm? Lessons From the EY ‘Global Information Security Survey’

In many organizations, the executives need to increase the frequency and quality of interactions with the CISO and adopt a more hands-on approach to improving the way cyber risks are managed and governed. In companies where the cybersecurity function still reports to IT, dotted lines of reporting should be created to ensure direct access to top leadership.

If it appears to you that 2017 was a dismal year for cybersecurity, join the club: According to the latest edition of EY’s “Global Information Security Survey,” most security leaders feel they are more at risk today than they were 12 months ago.

The report surveyed chief information officers (CIOs), chief information security officers (CISOs) and other executives from 1,200 organizations around the world. More than 50 percent of survey responses came from small and midsized organizations with fewer than 2,000 employees. Although the top five sectors by respondents were banking and capital markets, consumer products and retail, government, insurance, and technology, other sectors, such as health, power and utilities, and real estate, were also included.

The report shed light on the state of cybersecurity and resilience, which is especially relevant since the global cost of cybersecurity breaches is estimated to reach $6 trillion by 2021. Cyberattacks are becoming more sophisticated, and new and disruptive technologies such as the Internet of Things (IoT) are rapidly increasing the level of connectedness across organizations, thus increasing the attack surface. Continue reading at SecurityIntelligence.com

Attacks to Critical Infrastructure Are Real, & They Can be Incredibly Easy

If you’re unsure an email is legitimate, take the 30 seconds to call your colleague, friend, or family member and say, “did you really send me this?” That call could save you millions of dollars, your job, and avoid an avalanche of bad PR.

In our previous article, we started to lay out some important social engineering terms, such as phishing, spear-phishing and pretexting. We even introduced to you what we call “Potentially Unwanted Leaks” (PUL) as tidbits of information that, when out in the wild, become valuable nuggets to be used against you in a social engineering attack.

This last installment in our ICS/SCADA series shows how social engineering was used to cause a blackout, the first known case of a cyberattack being directly responsible for a power outage.

On December 23, 2015, at 3:35 pm local time, in Ivano-Frankivsk Oblast (a southwestern region of the Ukraine that borders Romania and is in close proximity to the borders of Hungary, Slovakia, and Poland), seven 110 kV and twenty-three 35kV substations were disconnected for three hours.

The power outage, which took out 30 substations, could have impacted up to three different energy distribution companies, causing 225,000 customers to lose power. Shortly thereafter, Ukraine’s SBU state security service responded by blaming Russia, not an unreasonable assertion given that plenty of lead time was required to conduct this operation.

How was this allowed to happen? Continue reading “Attacks to Critical Infrastructure Are Real, & They Can be Incredibly Easy”

Understanding the COSO 2017 Enterprise Risk Management Framework, Part 2: Combining Apples With Oranges

There has never been a better time to understand the linkage between cyber risks, business strategy and performance, and to ensure that at all levels of the organizations are making the best decisions possible — for both today’s world and tomorrow’s cyber earthquakes.

This past September, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission issued an updated enterprise risk management (ERM) framework, titled “Enterprise Risk Management — Integrating with Strategy and Performance,” to help business leaders understand the risks their organizations face and evaluate their impact on business performance.

While the COSO ERM guidance is designed to simplify risk management at an enterprise level, organizations can derive even more value from the framework by coupling it with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which is geared more toward day-to-day, ground-level risk management. Continue reading at SecurityIntelligence.com

Emerging Technologies and the Cyber Threat Landscape

Nothing is completely un-hackable, but there is a myriad of emerging technologies that can help us navigate the increasingly malicious cyber threat landscape.

Cybersecurity is at a tipping point, the sheer volume of breaches, attacks, and threats has become overwhelming.  Juniper Research, suggests that the rapid digitization of consumers’ lives and enterprise records will increase the cost of data breaches to $2.1 trillion globally by 2019. About 1.9 billion data records got exposed in the 918 data breaches that occurred in the first half of 2017—up 164 percent from the last half of 2016. According to a recent AT&T Cybersecurity Insights report, some 80 percent of the IT and security executives surveyed said their organizations came under attack during the previous 12 months.

This rising threat trend, coupled with the rapid growth of sophistication in malware, ransomware, DDoS, and social engineering attacks has created a conundrum. How do we protect ourselves in an increasingly connected world? Continue reading “Emerging Technologies and the Cyber Threat Landscape”