BYOD Stalled? Three Tips to Get It Going

Despite some surveys that say Bring Your Own Device (BYOD) is growing, the CyberEdge Group’s recently released 2016 Cyberthreat Defense Report found that enterprise BYOD programs have stalled. Only one-third of respondents this year had implemented a BYOD policy—the same as two years ago. And 20 percent still have no plans to add one.

The delay in leveraging BYOD programs may be because organizations find them harder to establish, manage and secure than first thought. But the lack of an official policy doesn’t mean employees aren’t plugging their unapproved devices into the network. A Gartner survey found that 45 percent of workers use a personal device for work without their employer’s knowledge.

So here are answers to three key BYOD sticking points, to help organizations get unstuck and leverage the increased productivity gains BYOD can bring:

Q: How do we separate corporate and personal data on a device?
A: Containerization.

Most mobile device management (MDM) programs today allow you to separate the corporate workspace from the personal workspace on mobile devices. Containerization, also known as sandboxing, helps reduce the number of policies required to effectively manage mobile risks. It can also assuage employee fears that if they’re terminated or report a device missing, you’ll wipe away the entire contents of their device—including personal data like photographs and emails.

Q: How do we keep tabs on all that roaming mobile data?
A: With a comprehensive cloud endpoint backup system.

Modern cloud endpoint backup solutions serve as the new data guardian, continuously and automatically moving data from a device to the cloud and back again to a new machine whenever it’s needed. They protect enterprise data by continuously backing up every change and deletion. The best endpoint backup systems also give IT a comprehensive, single point of aggregation and control. You can see what’s on your network, how each device is configured, how it interacts with your environment, as well as where and when data was created, whether it has been altered, and who changed it. This happens whenever the machine is connected to the Internet, without prompting the user to engage with it, all while running seamlessly and silently in the background.

Q: Who pays and how?
A: You, the enterprise, by automating reimbursement.

With California leading the way, BYOD reimbursement won’t just be the ethical thing to do, it will be legally required under fair labor laws. But manually managing reimbursement via expense reports is archaic and expensive. It can cost $15 to $20 per expense report in internal labor, because so many different departments have to touch the report, from accounts payable to finance to IT. Instead, follow Intel’s example and automate reimbursement by setting up corporate-funded plans with mobile providers. That way, your company takes care of the bill and can negotiate corporate discounts with providers.

To get started developing a BYOD strategy, download this BYOD checklist.

Susan Richardson, Manager/Content Strategy, Code42

[Cloud Security Alliance Blog]

Growing Awareness of Cyber Framework Bodes Well for Global Risk Management

By Danielle Kriz, Sr Director, Global Policy, Palo Alto Networks and Sean Morgan, Advisor, Cybersecurity Policy, Palo Alto Networks

Earlier this month, Palo Alto Networks joined approximately 1,000 stakeholders at the Cybersecurity Framework Workshop 2016, organized and hosted by the National Institute of Standards and Technology (NIST) on its campus in Gaithersburg, Maryland. The workshop represented just the latest example of an ongoing, inclusive dialogue that started during the initial development of the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) in 2013 and has continued since its official launch in February 2014.

The workshop highlighted the many ways that governments around the world, and businesses large and small, have uniquely applied the Framework to help manage and reduce their cybersecurity risks. NIST should be commended for its continued efforts to bring together key stakeholders from industry, academia and government to discuss uses and best practices and ensure the Framework remains the flexible, voluntary guidance document it was intended to be. Although the Framework has gathered extensive support across, and promotion by, multiple industry sectors since its launch – as evidenced by the broad spectrum of entities engaged in the workshop dialogue – NIST’s leadership and guidance remain essential.

From our perspective, a few key themes emerged at the workshop. One was the growing global dimension of the conversation – not simply about the Framework itself, but about the broader importance of developing a common cyber risk management lexicon as the world becomes increasingly interconnected. The central tenets of the Framework’s Core – Identify, Protect, Detect, Respond and Recover – provide precisely this type of shared baseline necessary to facilitate strategic cyber risk management conversations across organizational levels and borders.

One panel, in particular, on international alignment of the Framework, featuring speakers from Japan and Italy, was a testament to this conversation’s expanding reach. Increased international engagement in and acceptance of this type of inclusive, public-private partnership approach to cybersecurity policy development is essential. More granularly, a reaffirmation of the value of using globally accepted, industry-led, voluntary consensus standards for cybersecurity risk management will help drive greater competition and innovation in the global marketplace.

Another important discussion at the workshop was how U.S. federal agencies are using the Framework. In fiscal year 2016, the CIO FISMA Metrics – a critical tool for measuring department and agency cybersecurity – are organized around the Framework’s five functions. U.S. federal agencies and contractors in the workshop session reported various degrees of activity; some were already mapping various activities to the Framework, while others reported that more awareness about the Framework was needed. We strongly support the efforts to drive alignment of cybersecurity requirements for federal information systems with the Framework. It is good for federal cybersecurity, exemplifies a best practice to industry, and indicates to other governments around the world the United States’ sincerity about utilizing the Framework.

Finally, the workshop featured a series of conversations about the future of the Framework. One question was about the value of updating it. We agree with many in industry that it is too soon to make major changes and move to “version 2.0.” The Framework needs to gain traction with a broader diversity of stakeholders to more fully realize its potential as a risk management tool. Any updates should focus on Framework refinement rather than expansion. To this end, like others in industry, we believe that the list of voluntary standards (the “informative references”) should be updated if new standards have gained widespread, voluntary global adoption since the Framework was first published. We also believe NIST’s efforts to raise awareness about the Framework should reflect global security trends toward threat prevention as an integral part of the “Protect” function.

On these and other issues, NIST used the workshop as an opportunity to solicit stakeholder input, and we encourage that all future decisions continue to be made in the same inclusive and thoughtful manner as that which produced the Framework itself. Since that original inception and throughout its development and implementation, Palo Alto Networks has been a strong advocate for the Framework’s importance both individually and as part of broader technology coalitions. As a company, we believe strongly in the principles the Framework espouses: public-private partnership, the importance of sound cyber risk management policies, and a recognition that cybersecurity policies and standards must be considered on a global scale. We look forward to continuing to be a constructive part of this important dialogue.


[Palo Alto Networks Research Center]

Navigating the Breach Regulatory Maze: Proper Incident Risk Assessment and Response

Cyber attacks. Lost paper files. Third-party snafus. Misdirected emails. Endless are the ways in which sensitive personal information is accidentally or deliberately exposed. Despite best efforts, it is impossible to stop sensitive data from falling into the wrong hands.

According to a new report, Risk Based Security identified 3,930 data breaches reported during 2015, exposing more than 736 million records. Poorly managed, these data security and privacy breaches put organizations at high risk for regulatory fines, lawsuits, lost business and reputational harm. In addition, customers, patients and employees affected by the exposure of their sensitive information fall prey to identity theft and other forms of fraud.

The Challenges of Incident Risk Assessment
No incident is alike. The types and sensitivity of data exposed, the root cause of the incident, the nature and intent of the recipient of the exposed data—these and other variables make consistency of incident risk assessment a difficult challenge for privacy, compliance and risk professionals.

For example, the Risk Based Security report found that:

  • Hacking accounted for 64.6 percent of breaches and 58.7 percent of exposed records.
  • Nearly half of breaches involved passwords and more than 45 percent exposed email addresses.
  • The breaches reported covered more than a dozen industry sectors, from technology to government to retail to healthcare.

In addition to incident variability, data breach laws are a maze of growing complexity and ambiguity. There are 51 state and territory breach notification laws that have different definitions of personal information, allow varying exceptions and have different requirements regarding notification thresholds, content and timing. And these laws are rapidly changing and getting stricter: in 2015 and the first part of 2016, 10 states enacted new addendums or breach laws. Adding to the complexity is a plethora of federal regulations and standards—HIPAA, GLBA and PCI to name a few—as well as international laws and the long-awaited European Union General Data Protection Regulation (GDPR).

The primary struggle for privacy and compliance professionals is lack of consistency, given the manual and highly subjective methods of conducting the required multifactor risk assessments. This is understandable, given the challenge of assessing the unique nature of each incident against this backdrop of complex breach notification regulations and the lack of purpose-built, automated incident risk assessment tools. And when a homegrown tool is developed, many organizations find it doesn’t scale, can’t keep up with changing regulations and is difficult to use.

Four Steps to Successful Incident Risk Assessment and Response
In order to reduce the risks from unavoidable privacy or security incidents, organizations need an automated and highly consistent process for incident risk assessment. This process must allow each unique incident to be assessed with the latest updates to breach notification laws. To help you accomplish this, consider these four tips:

  1. Understand the difference between an event, an incident and a breach. These terms are often used synonymously or incorrectly, but important distinctions exist. For example, an incident is an event that violates an organization’s security or privacy policies involving sensitive information. A breach, on the other hand, is an incident that meets the legal definition of a breach and requires notification to affected individuals.
  2. Develop a scalable process for reporting incidents. Timely and efficient reporting of suspected incidents by employees, customers and third-party entities is critical for implementing a successful incident response process. Use web forms to efficiently and securely capture incident information and to automatically route the information to the appropriate professionals for investigation and incident risk assessment.
  3. Automate data breach risk assessment. Given the short time line for notifications based on a multifactor incident risk assessment, you need a system that is agile and provides a multifactor risk assessment based on the latest in breach notification laws across all jurisdictions where you have regulatory obligation.
  4. Track trends in incident categories and root causes. Learn from your incidents. Accurately identifying weaknesses in your systems, departments or processes can reduce the number of incidents and your organizational risk. Automation is key to ensuring proper analysis and risk mitigation.
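
The four steps above describe a consistent, automated pipeline: classify each report as an event, an incident or a breach; decide per jurisdiction whether notification is required; and tally incident categories and root causes for trend analysis. The following Python module is an added illustration of that pipeline; it is not ID Experts’ RADAR product or any real assessment tool. The jurisdiction rule table (`JURISDICTION_RULES`, with names like `STATE_A`), the data-element names and the sample reports are all constructed placeholders and do not represent any actual statute. Unknown jurisdictions are never silently skipped; they are routed to manual review, which is the failure mode an automated assessment most needs to handle.

```python
"""Incident triage pipeline: event -> incident -> breach, with trend tallies.

Added example; not the code of ID Experts, RADAR or any real product.
All rules and sample reports below are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass

# CONSTRUCTED jurisdiction rules (hypothetical; not actual breach-notification law).
# pii: data elements that count as "personal information" in that jurisdiction
# min_individuals: notification threshold on affected-individual count
# encryption_safe_harbor: whether encrypted data is exempt from notification
JURISDICTION_RULES = {
    "STATE_A": {"pii": {"ssn", "financial_account", "driver_license"},
                "min_individuals": 1, "encryption_safe_harbor": True},
    "STATE_B": {"pii": {"ssn", "financial_account", "email+password", "medical"},
                "min_individuals": 500, "encryption_safe_harbor": True},
    "STATE_C": {"pii": {"ssn", "medical"},
                "min_individuals": 1, "encryption_safe_harbor": False},
}


@dataclass
class Report:
    """One report captured from an intake web form (fields are constructed)."""
    report_id: str
    category: str            # e.g. "hacking", "misdirected_email", "lost_paper"
    root_cause: str          # e.g. "unpatched_server", "human_error"
    data_elements: set       # data types exposed
    encrypted: bool          # was the exposed data encrypted at rest/in transit?
    affected: dict           # jurisdiction -> number of affected individuals
    policy_violation: bool   # did the event violate a security/privacy policy?


def is_incident(rep: Report) -> bool:
    """Step 1: an incident is an event that violates policy and involves sensitive data."""
    return rep.policy_violation and bool(rep.data_elements)


def assess(rep: Report) -> dict:
    """Step 3: multifactor assessment against every jurisdiction in the report.

    Returns the classification plus the jurisdictions that require notice and
    those that need manual review because no rule is loaded for them.
    """
    notify, review = [], []
    if is_incident(rep):
        for juris, count in rep.affected.items():
            rule = JURISDICTION_RULES.get(juris)
            if rule is None:
                review.append(juris)          # never silently skip an unknown law
                continue
            if not (rep.data_elements & rule["pii"]):
                continue                      # nothing this jurisdiction calls PII
            if rep.encrypted and rule["encryption_safe_harbor"]:
                continue                      # safe-harbour exemption applies
            if count < rule["min_individuals"]:
                continue                      # below the notification threshold
            notify.append(juris)
        classification = "breach" if notify else "incident"
    else:
        classification = "event"
    return {"classification": classification,
            "notify": sorted(notify), "review": sorted(review)}


def trend_report(reports) -> dict:
    """Step 4: tally categories and root causes across incidents and breaches."""
    hits = [r for r in reports if is_incident(r)]
    return {"by_category": Counter(r.category for r in hits),
            "by_root_cause": Counter(r.root_cause for r in hits)}


# Constructed sample reports (not real incidents).
SAMPLE_REPORTS = [
    Report("R-1", "hacking", "unpatched_server", {"ssn", "email+password"}, False,
           {"STATE_A": 1200, "STATE_B": 300}, True),   # STATE_B below its threshold
    Report("R-2", "misdirected_email", "human_error", {"medical"}, True,
           {"STATE_B": 5, "STATE_C": 2}, True),        # STATE_C has no safe harbour
    Report("R-3", "phishing_attempt", "user_reported", set(), False, {}, False),
    Report("R-4", "lost_paper", "unlocked_cabinet", {"name", "email"}, False,
           {"STATE_A": 40}, True),                     # no PII under STATE_A's rule
    Report("R-5", "hacking", "stolen_credentials", {"financial_account"}, False,
           {"STATE_Z": 10}, True),                     # no rule loaded -> review
]

if __name__ == "__main__":
    for rep in SAMPLE_REPORTS:
        print(rep.report_id, assess(rep))
    print(trend_report(SAMPLE_REPORTS))
```

Running the module shows R-1 and R-2 classified as breaches (notice owed in STATE_A and STATE_C respectively), R-3 as a mere event, R-4 as an incident with no notice owed, and R-5 as an incident flagged for review because STATE_Z has no rule loaded; the trend report counts two hacking incidents. In practice the rule table would be maintained from a curated legal feed rather than hard-coded, so that rule updates do not require code changes.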

Organizations can ill afford to underestimate the importance of consistent incident risk assessment and response. Done right, this process provides a road map for successfully responding to potential breaches, meeting regulatory requirements and protecting the people who trust us with their most confidential information.

Join Mahmood Sher-Jan at ISACA’s North America CACS in New Orleans 2-4 May. Sher-Jan will present Navigating the Data Breach Regulatory Maze (session 234/Privacy Track) in depth on Tuesday, May 3.

Mahmood Sher-Jan, CEO, RADAR® business unit, ID Experts

[ISACA Now Blog]

New on Security Roundtable: Cyber Insurance is a Misnomer

Security Roundtable is a community designed to share best practices, use cases, and expert advice to guide executives on managing cybersecurity risks. In this article, excerpted below, Scott Kannry, CEO of Axio Global, dives into why attention to detail is key when evaluating cyber insurance.

“My title is not meant to suggest that cyber insurance is flawed. To the contrary; it’s a valuable risk transfer instrument that has performed as advertised in the vast majority of loss situations and often provides policyholders with a gateway to a host of response and mitigation providers that otherwise might be too costly or unavailable when most needed. Most articles questioning the viability of the product are usually centered on denied claims from types of insurance policies that were not designed to cover emerging cyber risks, or written by folks whose knowledge of actual policy language harkens back to earlier generation policies that sometimes contained strict stipulations about maintaining consistent levels of security.

Rather, my title intends to raise awareness that ‘cyber insurance,’ as is commonly offered by the insurance industry, is not an “all-risk” type of policy that covers anything and everything resulting from a cyber event…”

Read the full article at Security Roundtable.

[Palo Alto Networks Research Center]

Is Cybersecurity Everyone’s Concern?

Is your business connected to the Internet for any services? Do you shop online or purchase any products or services online? Are you on Facebook, Twitter, LinkedIn or any other social networking websites? Do you have a high-end mobile phone and use chat applications such as WhatsApp? If so, cybersecurity is an issue about which you should be concerned.

If you think that you could never be a victim of an attack originating on any of these platforms, you should think twice, because cybercriminals are keenly tracking your identities and researching your shopping behavior, watching what you do online and, ultimately, profiling the very devices through which you are connected to cyberspace. Since you are part of the bigger, interconnected network, you are a potential target of a cyberattack.

If you are thinking to yourself, “What do I possess that will interest a cybercriminal?”, think of it this way: you are targeted not to steal anything specific, but possibly to build in-roads to a bigger trusted network to which you belong. Once your systems and networks are compromised, it may appear that the cyberattack originated from your organization when it was actually performed by an invisible cyberattacker using your IP addresses and your system signatures.

Even if your interconnected networks are protected through a firewall or other security measures, a persistent hacker could still closely footprint your activities, e.g., when you have scheduled your next maintenance of systems and networks, the security behavior of your users, or the tools and technologies deployed in your organization. In many cases, cybercriminals operate in stealth mode for a period of time before attacking. Once they are inside a network, they quickly adapt to its normal behavior, making it difficult for the existing intrusion detection system to flag them. People are the weakest link targeted by a cyberattacker.

Essentially, every organization in cyberspace has to rethink with whom and how they are connected in cyberspace and prepare for any threats that can appear because of these interconnections. It is possible that something is already in place; it may just need strengthening through anti-hacking measures such as user awareness, firewalls, patch management, incident response, authentication, authorization and other controls.

Read Sanjiv Agarwala’s recent Journal article:
“Quick Fixes for Improving Cyberdefenses,” ISACA Journal, volume 2, 2016.

Sanjiv Agarwala, CISA, CISM, CGEIT, BS25999/ISO 22301 LA, CISSP, ISO 27001:2013 LA, MBCI

[ISACA Journal Author Blog]
