Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

BYOD

BYOD security market to reach over $337 million

Technavio’s market research analysts expect the global BYOD security market to reach over $337 million between 2016 and 2020 

The increased use of mobile devices, triggered by the growing need for employee mobility, is the fundamental driving force behind growth in this market.  

The increase in employee mobility and the rising adoption of the Bring-Your-Own-Device (BYOD) policy is leading to the increased use of mobile devices. Enterprises are increasingly adopting BYOD security solutions to secure their networks from growing security threats and to provide secure access to confidential information. 

North America accounts for more than 36% of the market share to dominate the global BYOD security market. The growing awareness among enterprises about the benefits of using BYOD security solutions on mobile devices coupled with the rise in the number of cyber-attacks and malware are some of the key factors contributing to the growth in the BYOD security market in the Americas during the forecast period.

The growing popularity of cloud-based BYOD security is the latest trend in the global BYOD security market. Cloud-based BYOD security does not require any hardware or software and can be controlled remotely, making it cost-effective for the end-users. Also, it has a faster response rate to the new security threats and unauthorized activities as well as allows companies to use software products on a pay-per-use basis and are cost effective. Limited hardware infrastructure, less dependency on internal IT personnel, faster implementation of IT solutions, no licensing costs, and low maintenance costs are some of the advantages of a cloud-based BYOD security system,” says Amrita Choudhury, Lead Analyst, ICT, Technavio Research.

Currently, the Mobile Content Management (MCM) segment occupies almost 52% of the market share to dominate the global BYOD security market. MCM is gaining prominence among large enterprises, government organizations, and small and medium-sized business (SMBs) because of the increased acceptance of the BYOD policy.  

Some vendors in the MCM market are even providing additional security features in the products that they are offering to gain consumer interest and market shares. For instance, AirWatch provides the Secure Content Locker that comprises of secure storage containers to safeguard data stored on mobile devices. 

The key vendors in the global BYOD security market include Citrix Systems, Good Technology, IBM, MobileIron, and VMware. The global BYOD security market highly fragmented owing to the presence of many international, regional, and local vendors. Established BYOD security solution vendors are likely to acquire small vendors to expand their product portfolio and increase their market share.  

During the forecast period, the level of vendor competition is likely to intensify with product and service extensions, technological innovations, and M&As.

 

Advertisements

Are British Businesses over confident about the threat of data breaches?

Ilex International have launched their Breach Confidence Index. The Index is a benchmark survey created to monitor the level of confidence that British businesses have when it comes to security breaches. The Index shows high confidence levels

  • 24% of IT decision makers surveyed very confident
  • 59% fairly confident that their business is protected against a data security breach

The Breach Confidence Index raises major concerns for British businesses. Businesses are not currently required to report security breaches and in many cases, may not even know that they have experienced one. The survey found that 49% said their business has not experienced a security breach. In comparison to actual statistics shared at the 2015 Cyber Symposium, there is a major gap between the perception and reality of security breaches among businesses.

According to the survey the most common weaknesses resulting in a Data Breach were
22% MALWARE VULNERABILITIES
21% EMAIL SECURITY
15% EMPLOYEE EDUCATION
12% CLOUD APPLICATIONS
12% INSIDER THREATS
8% ACCESS CONTROL
8% BYOD OR MOBILE ACCESS
6% NON-COMPLIANCE TO CURRENT REGULATIONS

Weaknesses relating to identity and access management considerably increase as organisations expand their workforce. Some of the most common issues highlighted by large businesses include:

  • 44% insider threats
  • 42% employee education
  • 26% access control
  • 24% BYOD or mobile access

All figures in the Ilex International Breach Confidence Index, unless otherwise stated, are from YouGov Plc. Total sample size was 530 IT Decision Makers. Fieldwork was undertaken between 6th – 12th August 2015. The survey was carried out online.

Policy problems with cloud Storage revealed by survey

UK companies are placing themselves at risk of cyberattacks and data breaches as a result of rampant use of cloud storage services and unclear or non-existent corporate policies according to research released today by WinMagic Inc. The survey, conducted by CensusWide, of 1,000 office workers in organisations of 50 or more employees revealed widespread, and often unilateral employee use of cloud storage services could be leaving businesses with poor visibility of where their data is stored, placing potentially confidential data at risk.

Key Findings

  • 65% of employees don’t have or don’t know the company policy on cloud storage
  • 1 in 10 employees who use cloud storage services at least once a week have no confidence in the security of their data saved and accessed from the cloud
  • Cloud storage use varies widely – 41% use cloud services at least once a week, whilst 42% never use these services at all
  • 1 in 20 employees who use cloud services at least once a week, do so despite these services being restricted by their company
  • 35% of employees used a company sanctioned service
  • 43% were unaware of their employer’s policy on the use of these services. In addition, of those that use cloud storage at least once a week
  • 50% of respondents use personal equipment to access work information and services at least one a week
  • 47% of employees use company-issued equipment at home at least once a week

Darin Welfare, EMEA VP at WinMagic, said: “This survey highlights the challenge businesses face when managing data security in the cloud. IT teams have had to cede a level of control as employees have greater access to services outside corporate control and this research indicates that IT must take additional steps to protect and control company data in this new technology landscape. The wide range of employee adoption of these services also means an additional layer of complexity when devising corporate policies and education programmes for the use of cloud storage services.”

Employees are increasingly accessing work documents and services outside the office, particularly among regular users of cloud storage. The survey revealed 70% of employees who use cloud storage at least once a week will also use work equipment at home at least once a week, significantly higher than the UK average of 47%.

The WinMagic survey highlights a clear disparity between employee use of cloud services and company IT policy, which suggests that businesses must increase focus on devising clearer security policies and better staff training programmes in order to minimise the risk for the business.

Darin Welfare added: “One of the key steps that any organisation can take to mitigate the risk from the widespread use of unsanctioned cloud services is to ensure that all company data is encrypted before employees have the opportunity to upload to the cloud. In the eventuality that the cloud vendor does not adequately put in place control mechanisms and procedures to ensure security across their infrastructure, sensitive and valuable corporate data is still encrypted and cannot be accessed and understood beyond those who have the right to. This approach provides the company with the assurance that the IT team is in control of the key and management of all company data before any employees turn to cloud storage services.”

“This survey should serve as a wake-up call for IT teams to focus resources on crafting the stringent security policies, and employee education programmes that will help the business stay secure. It also indicates that this is not something that is only down to employee behaviour. Businesses need better training for all staff on the potential dangers of cloud services. Businesses must catch up with the employee cloud revolution or risk potentially catastrophic data loss.”

The full press release can be found here.

UK-Avast-for-Business-INFOGRAPHIC

What’s Keeping Higher Education CIOs up at Night?

whats-keeping-higher-education-cios-up-at-night-1-638

Higher Education CIO survey conducted by Extreme Networks.

Enterprises have more than 2,000 unsafe mobile apps installed on employee devices

Veracode has released analytics from its cloud-based platform showing that, based on the mobile applications it assessed, the average global enterprise has approximately 2,400 unsafe applications installed in its mobile environment.

Based on an analysis of hundreds of thousands of mobile applications installed in actual corporate environments across various industries including financial services, media, manufacturing and telecommunications Veracode found 14,000 unsafe applications of which:

  • 85% expose sensitive device data, including SIM card information such as phone location, call history, phone contacts, SMS message logs, device IDs and carrier information.
  • 37% perform suspicious security actions, such as checking to see if the device is rooted or jailbroken (which allows applications to perform superuser actions such as recording conversations, disabling anti-malware, replacing firmware or viewing cached credentials such as banking passwords); installing or uninstalling applications; recording phone calls; or running other programs.
  • 35% retrieve or share personal information about the user such as browser history and calendars, often sending sensitive information to suspicious overseas locations and allowing attackers to develop a complete profile of users and their social connections.

According to Gartner,

Through 2015, more than 75% of mobile applications will fail basic security tests.”  At the same time, cybercriminals and nation-states are constantly looking to exploit insecure applications in order to steal corporate intellectual property, track high-profile individuals or insert aggressive adware for monetary gain.

This creates a challenge for enterprises that want to increase productivity and employee satisfaction by providing BYOD programs or corporate-owned devices.  Modern MDM and enterprise mobility management (EMM) systems are designed to enforce corporate policies on managed devices, but need an automated and scalable mechanism for maintaining up-to-date information about thousands of unsafe apps that are constantly being added to public app stores around the world.

Existing approaches for addressing unsafe mobile apps, such as manually-curated blacklists, are difficult to scale because of the sheer size and constantly-changing nature of the problem.  As a result, they either fail to keep up with mobile threats or frustrate employees by prohibiting apps for no reason.

Many mobile apps are unsafe because they unknowingly access insecure third-party libraries and frameworks in the software supply chain – while other apps have been specifically designed to perform malicious actions,” said Chris Wysopal, Veracode co-founder, CISO and CTO. “Veracode’s automated cloud-based reputation service and MDM/EMM integrations were purpose-built to address the speed and scale required to effectively secure employee devices in global enterprise environments

5 Cloud Mobility Trends

Mobile Insecurity as an Infographic

IBM Mobile Insecurity

The costs of a cloud data breach revealed.

A summary of the Data Breach: The Cloud Multiplier Effect” survey from Ponemon sponsored by Netskope is below.

The survey reveals how the risk of a data breach in the cloud is multiplying. This can be attributed to the proliferation of mobile and other devices with access to cloud resources and more dependency on cloud services without the support of a strengthened cloud security posture and visibility of end user practices.

Ponemon surveyed 613 IT and IT security practitioners in the United States who are familiar with their company’s usage of cloud services.

  • 51% say on-premise IT is equally or less secure than cloud-based services
  • 66% of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information
  • 64% believe it makes it difficult to secure business-critical applications

A lack of knowledge about the number of computing devices connected to the network and enterprise systems, software applications in the cloud and business critical applications used in the cloud workplace could be creating a cloud multiplier effect. Other uncertainties identified in this research include how much sensitive or confidential information is stored in the cloud.

For the first time, Ponemon attempt to quantify the potential scope of a data breach based on typical use of cloud services in the workplace or what can be described as the cloud multiplier effect. The report describes nine scenarios involving the loss or theft of more than 100,000 customer records and a material breach involving the loss or theft of high value1 IP or business confidential information.

When asked to rate their organizations’ effectiveness in securing data and applications used in the cloud.

  • 51% of respondents say it is low
  • 26% rate the effectiveness as high. Based on their lack of confidence
  • 51% say the likelihood of a data breach increases due to the cloud

Key takeaways from this research include the following:

Cloud security is an oxymoron for many companies.

  • 62% of respondents do not agree or are unsure that cloud services are thoroughly vetted before deployment
  • 69% believe there is a failure to be proactive in assessing information that is too sensitive to be stored in the cloud

Certain activities increase the cost of a breach when customer data is lost or stolen.

An increase in the backup and storage of sensitive and/or confidential customer information in the cloud can cause the most costly breaches. The second most costly occurs when one of the organization’s primary cloud services provider expands operations too quickly and experiences financial difficulties. The least costly is when the use of IaaS or cloud infrastructure services increases.

Certain activities increase the cost of a breach when high value IP and business confidential information is lost or stolen

Bring Your Own Cloud (BYOC) results in the most costly data breaches involving high value IP. The second most costly is the backup and storage of sensitive or confidential information in the cloud increases. The least costly occurs when one of the organization’s primary cloud providers fails an audit failure that concerns the its inability to securely manage identity and authentication processes.

Why is the likelihood of a data breach in the cloud increasing?

Ideally, the right security procedures and technologies need to be in place to ensure sensitive and confidential information is protected when using cloud resources. The majority of companies are circumventing important practices such as vetting the security practices of cloud service providers and conducting audits and assessment of the information stored in the cloud.

The findings also reveal that 55% do not believe that the IT security leader is responsible for ensuring the organization’s safe use of cloud computing resources. In other words, respondents believe their organizations are relying on functions outside security to protect data in the cloud.

  • 62% of respondents do not agree or are unsure that cloud services are thoroughly vetted for security before deployment
  • 63% believe there is a lack of vigilance in conducting audits or assessments of cloud-based services
  • 69% of respondents believe there is a failure to be proactive in assessing information that is too sensitive to be stored in the cloud

There is a lack of confidence in the security practices of cloud providers

Respondents are critical of their cloud providers’ security practices. First, they do not believe they would be notified that the cloud provider lost their data in a timely manner. Second, they do not think the cloud provider has the necessary security technologies in place.

  • 72% of respondents do not agree their cloud service provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information
  • 71% of respondents fear their cloud service provider would not notify their organization immediately if they had a data breach involving the loss or theft of customer data.
  • 69% of respondents do not agree that their organization’s cloud service use enabling security technologies to protect and secure sensitive and confidential information
  • 64% say these cloud service providers are not in full compliance with privacy and data protection regulations and laws

Lack of visibility of what’s in the cloud puts confidential and sensitive information at risk

The number of computing devices in the typical workplace is making it more difficult than ever to determine the extent of cloud use. According to estimates provided by respondents, an average of 25,180 computing devices such as desktops, laptops, tablets and smartphones are connected to their organization’s networks and/or enterprise systems.

Ponemon asked respondents to estimate the percentage of their organizations’ applications and information that is stored in the cloud. They were also asked to estimate the percentage of these applications and information that are not known, officially recognized or approved by the IT function (a.k.a. shadow IT).

30% of business information is stored in the cloud but of this, respondents estimate 35% is not visible to IT. This suggests that many organizations are at risk because they do not know what sensitive or confidential information such as IP is in the cloud.

What employees do in the cloud?

  • 44% of employees in organizations use cloud-based services or apps in the workplace
  • 53% use their personally owned mobile devices (BYOD) in the workplace
  • 50% of these employees use their own devices to connect to cloud-based services or apps.

Do certain changes in an organization’s use of cloud services affect the likelihood of a data breach?

  • 17% say the use of cloud-based services significantly increases
  • 34% say it increases the likelihood of a data breach. Ponemon define a material data breach as one that involves the loss or theft of more than 100,000 customer records or one that involves the theft of high value IP or business confidential information.

Calculating the economic impact of a data breach in the cloud.

Ponemon calculate what it might cost an organization to deal with a data breach in the cloud involving customer records. These calculations are based on Ponemon Institute’s recent cost of data breach research and the estimated likelihood or probability of a data breach based on cloud use. The calculation involves the following four steps:

  • First, drawing upon Ponemon Institute’s most recent cost of data breach study. Ponemon determine a cost of $201.18 dollars per compromised record.
  • Second, based on a data breach size of 100,000 or more compromised records in the survey and using the unit cost of $201.18 times 100,000 records. Ponemon calculate a total cost of $20,118,000
  • Third, from the survey results Ponemon extrapolate the average likelihood of a data breach involving 100,000 or more questions at approximately 11.8% over a two-year period.
  • Fourth, multiplying the estimated likelihood or probability of a data breach at 11.8% times the total cost of $20,118,000 Ponemon calculate a baseline expected value of $2.37 million as the average of what an organization would have to spend if it had a data breach involving customer records lost or stolen in the cloud.

Ponemon calculate what it might cost an organization to deal with a data breach in the cloud involving high value IP. Once again, these calculations are based on Ponemon Institute’s recent cost of data breach research and the estimated likelihood or probability of a data breach based on cloud use. The calculation involves the following steps:

  • First, drawing upon Ponemon Institute’s IT security benchmark database consisting of 1,281 companies compiled over a 10-year period, Ponemon estimate an expected value of $11,788,000.
  • Second, based upon the estimates provided by respondents Ponemon extrapolate the likelihood of a data breach involving the theft of high value information at 25.4%.
  • Third, multiplying the estimated likelihood or probability of a data breach at 25.4% times the total cost of $11.788 million Ponemon calculate a baseline expected value of $2.99 million as the average economic impact for organizations in our study.

What can cost an organization the most when it has a data breach involving the loss or theft of IP? The most costly scenarios involve the growth in the number of employees using their own cloud apps in the workplace for sharing sensitive or confidential information (a.k.a. BYOC) and an increase in the backup and storage of IP or business confidential information in the cloud.

The average costs to deal with these two types of data breaches are $5.38 million and $4.93 million, respectively.

Information Security and Cyber Liability Risk Management – a 2014 survey

Advisen Ltd and Zurich have partnered for a fourth consecutive year on a survey designed to gain insight into the current state and on going trends in information security and cyber liability risk management. Invitations to participate were distributed via email to risk managers, insurance buyers and other risk professionals. The survey was completed at least in part by 507 respondents.

The majority of respondents classified themselves as either

  • Member of Risk Management Department (not head) (38%)
  • Chief Risk Manager/Head of Risk Management Department (33%)

Respondents with more than 20 years of risk management and insurance experience represented the largest group at 39% of the total, followed by 25% with between 11 – 20 years, 18% with 5 years or less, and 17% with between 6 – 10 years.

A summary of the survey is below.

Perception of Cyber Risks

Respondents’ perception of cyber risk is largely unchanged from last year with 88% considering cyber and information security risks to be at least a moderate threat to their organization. Respondents do however believe that board members and executive management are viewing cyber risks more seriously.

“In your experience, are cyber risks viewed as a significant threat to your organization by:”

  • 64% said “yes” for Board of Directors (54% in 2013)
  • 72% said “yes” for C-Suite Executives (6% in 2013)

Perception of risk varies based on size of business. Although studies have suggested that small companies are targeted as frequently, if not more so, than larger companies, as a group they continue to view cyber risks less seriously. In response to the question

How would you rate the potential dangers posed to your organization by cyber and information security risks?”

  • 81% of the smallest companies (revenues less than $250 million) consider cyber risks to be at least a moderate danger
  • 93% of the largest companies (revenue greater than $10 billion) consider them to be so.

Consistent with last year’s study, on a scale of one to five, with 5 as very high risk and 1 as very low risk, “damage to your organization’s reputation resulting from a data breach” is the biggest concern of respondents with 64% rating it a 4 or 5. This was closely followed by “incurring costs and expenses from a cyberattack” with 62%, and “privacy violation/data breach of customer records” with 61%.

In contrast, the exposure perceived as the least risky was “theft or loss of customer intellectual property” with 43% rating it a 1 or 2. This was followed by “business interruption due to customer cyber disruptions” with 33%, and “employment practice risk due to use of social media” with 32%.

Data Breach Response

Over the past year, huge and highly recognizable U.S. businesses have fallen victim to some of the largest data breaches in history. These breaches are proof that even those with the most sophisticated information security practices and infrastructures are vulnerable to a cyber-attack. Some suggest that corporate data breaches are no longer an “if” or even a “when” proposition, but rather “how bad” will the inevitable breach be. When a breach does occur, research suggests that organizations that have data breach response plans in place prior to a breach, fare much better than those who do not.

“Does your organization have a data breach response plan in the event of a data breach?”

  • 62% said yes
  • 14% said no
  • 24% did not know

“In the event of a data breach, which department in your organization is PRIMARILY responsible for assuring compliance with all applicable federal, state, or local privacy laws including state breach notification laws?”

  • IT – 38%
  • General Counsel – 21% received the highest percentage of the responses.

Information Security and Cyber Risk Management Focus

Consistent with the 2013 survey, 80% claim that information security risks are a specific risk management focus within their organization. Larger companies are slightly more likely to make it a focus with 83% of companies with revenues in excess of $1billion doing so, compared with 77% with revenues under $1billion. However, the 6% point difference between small and large companies is significantly less the 17% difference from a year ago.

The difference is even more significant when comparing the largest companies (revenues of $10 billion or greater) and the smallest companies (revenues of $250 million or less), with 92 % of the largest companies making information security a risk management focus compared with only 72% of the smallest companies.

For a second consecutive year, the percentage of respondents with a multi-departmental information security risk management team or committee has declined, 52% have an information security risk management team or committee which is down from 56% in 2013, and 61% in 2012. Although statistically still within the margin of error, this is a potential trend worth following. As in previous years, however, this varies materially based on the size of company with 58% of larger companies ($1billion in revenue or greater) claiming to have this team or committee compared to 42% of smaller companies (under $1billion in revenue).

The departments most likely to have representation on the information security risk management team are:

  • IT – 90%
  • Risk Management/Insurance – 73%
  • General Counsel – 63%
  • Compliance – 55%
  • Internal Audit – 47%
  • Treasury or CFO’s Office – 40%
  • Chief Privacy Officer – 36%
  • Marketing – 10%
  • Investor Relations – 6%
  • Sales – 5%
  • 9% Didn’t Know
  • 15% said Other
  • The most common write-in responses under “Other” were Operations and Security

The IT department is still acknowledged as the front line defense against information losses and other cyber liability risks. In response to the question “Which department is PRIMARILY responsible for spearheading the information security risk management effort?”

  • 69% responded IT
  • 11% Risk Management/Insurance
  • 5% responded Other. The most common other being Information Security

Social Media

Social media provides businesses with an array of benefits such as increasing brand awareness, promoting products, and providing timely support. It also exposes organizations to a degree of risk, such as the potential for reputational damage, privacy issues, infringing other intellectual property, and data breaches.

“Does your organization have a written social media policy?”

  • 74% responded yes
  • 17% no

Cloud Services

For a third consecutive year respondents were asked questions on cloud services. Thanks to its cost effectiveness and increased storage capacity, cloud services have become a popular alternative to storing data in-house. Warehousing proprietary business information on a third-party server, however, makes some organizations uncomfortable due to the lack of control in securing the information. Nonetheless, security concerns continue to be outweighed by the benefits.

“Does your company use cloud services?

  • 66% responded yes, up from 55% last year, and 45% in 2012.

“Is the assessment of vulnerabilities from cloud services part of your data security risk management program?”

51% responded yes – consistent with last year

Mobile Devices

“Does your organization have a mobile device security policy?”

  • 74 % said yes
  • 15 % said no
  • 13 % did not know

Larger companies continue to be more likely to have such a policy with

  • 82 % of large companies ($1 billion or greater) responding yes
  • 62 % of smaller companies ($1 billion or less).

The use of personal handheld devices for business purposes is increasingly preferred by employees and allowed by employers. These non-company controlled devices, however, are accessing proprietary corporate information and frequently exposing organizations to a higher degree of risk.

“Does your organization have a bring your own device (BYOD) policy?”

  • 47% responded yes which is consistent with last year’s response.

The Role of Insurance in Information Security and Cyber Risk Management

The upward trend in the percentage of companies purchasing cyber liability insurance plateaued in 2014.

“Does your organization purchase cyber liability insurance?”

  • 52% responded yes
  • 35% said no
  • 13% did not know

Of the respondents who purchase coverage

  • 32% have purchased it for less than two years
  • 47% between three and five years
  • 22% for more than five years
  • The percentage of companies who buy coverage for loss of income due to a data breach dropped slightly from 54 % in 2013 to 48 % this year.

Finally, respondents that do not currently purchase cyber insurance were asked “Are you considering buying this coverage in the next year?” 54% said yes. This was only a one percentage point increase from 2013.

The full survey can be found here.

95% of enterprises allow BYOD

winning-with-mobile-infographic-700x2520

Courtesy of Symantec.

Private Cloud Security Keeps IT Up At Night

Catbird_Survey_Infographic

NQ-Mobile-Mobile-Malware

What IT Users and Business Users Think about Bring Your Own Identity (BYOID)

Ponemon Institute has released its CA Technologies sponsored study “The Identity Imperative for the Open Enterprise: What IT Users and Business Users Think about Bring Your Own Identity (BYOID)

They surveyed 1,589 IT and IT security practitioners and 1,526 business users with more than 1,000 employees in United States, Australia, Brazil, Canada, France, Germany, India, Italy and the United Kingdom to understand current trends in Bring your Own Identity or BYOID, which is defined as the use of trusted digital or social networking identities.

  • 74% of the IT users surveyed report to the CIO
  • 15% report to the CISO
  • 55% of the business users in this research report to the lines of business leader
  • 10% report to the marketing officer 

The majority of respondents in both groups have high levels of interest in BYOID, but IT users and business user groups have different views about the perceived potential value of BYOID. 

  • IT users view BYOID primarily for fraud reduction, risk mitigation and cost reduction
  • Business end users are more interested in how BYOID can streamline customer’s experience and assist in targeted marketing campaigns.

Some of these differences can be expected because of the different job responsibilities of each group. These differences do not necessarily portend conflict, but rather show the need for collaboration between IT and the business functions to yield maximum benefits for any organisation deploying a BYOID system. By developing a cross-functional BYOID strategy around several well-defined use cases, organisations can differentiate themselves from competitors and further grow their business.

Key finding of the study are:

The Application Economy Drives BYOID Interest

In today’s application economy, organisations need to securely deliver new apps to grow their business quickly. This can increase IT risks, which puts a premium on an organisation’s ability to simplify the user experience without sacrificing security. Using an existing digital or social identity issued by a trusted third party to access applications can help organisations meet the need for simplicity, security and a positive customer experience.

  • 67% of IT users say the primary value of BYOID is from strengthening the authentication process
  • 54% from reducing impersonation risk
  • 79% of Business users believe the BYOID value comes from delivering a better customer experience 76% believe it is from increasing the effectiveness of marketing campaigns

While IT sees value primarily in risk mitigation/cost reduction, business users see the value of BYOID in improving the consumer experience to increase customer loyalty and generating new revenue streams. This underscores the need for IT and business collaboration to address the challenge that today’s organisations face: how to secure the business while simultaneously empowering

Mobile and Web Users Drive BYOID

Today’s IT organisations must deliver secure access to a highly distributed and growing user population. These users expect to access information anywhere, anytime from multiple devices. This is changing how user identities should be managed and is affecting the demand for BYOID.

When IT practitioners and business users were polled on their level of interest in accepting identities for different user populations such as job prospects, employees, contractors, retirees, website customers or mobile customers, mobile and web customers received the most interest, far exceeding that of the other populations.

  • 50% of IT respondents and 79% of business respondents have very high or high interest in BYOID for website user populations
  • 48% of IT respondents and 82% of business respondents have very high or high interest in BYOID for mobile user populations

BYOID Requires Security Enhancements to Drive More Adoption

While the survey results indicate interest in BYOID from both IT users and business users, both groups identified features that could contribute to broader BYOID adoption.

When asked which features would most likely increase BYOID adoption within their organisation;

  • 73% of IT users’ top features are identity validation processes
  • 66% have multi-factor authentication as the top feature
  • 71% of Business users say both identity validation processes and simplified user registration are the most popular features for increasing adoption.

The study also indicates a high level of interest for some level of accreditation of the identity providers

  • 59% of IT saying it is essential or very important
  • 21% saying it is important
  • 27% of business respondents say accreditation is essential or very important with 48% believe it’s important

.

Why is there a Cloud Multiplier effect on the risk of a Data Breach?

Netskope-data-breach

65% have experienced an SQL injection attack

The second DB Networks sponsored Ponemon Institute report on the SQL injection threat has been released. 

The report explores what IT security professionals think about the likely attack chain of recent data breaches involving major retailers such as Target, Michaels and Neiman Marcus. The first report focused on how organizations respond to the SQL injection threat and their awareness about different approaches to managing this risk. 

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents are familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database. 

69% of respondents say their organization must comply with Payment Card Industry Data Security Standard (PCI DSS). As such, a majority of the respondents are very familiar with and required to comply with the security requirements for retailers who accept payment cards. 

SQL injections have been defined as being used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public facing websites but can be used to attack SQL databases in a variety of ways.

Background on retail breaches 

Details of the recent retailer network intrusion and data breach haven’t been readily forth coming from either the retailers who were breached or the U.S. Secret Service in charge of the breach investigations. As a result, security professionals are left to piece together the attack chain details based on the nascent amount of information that has been shared thus far. 

Target, for example, has revealed the credentials from an HVAC contractor were compromised. Those compromised credentials they claim initiated the attack chain that ultimately resulted in two major breaches. While certainly an interesting factoid, that information actually offers little insight into the events that ultimately resulted in the breach of 40 million credit cards and another 70 million database records containing personally identifiable information (PII). 

The HVAC vendor credentials only provided access to Target’s vendor billing and invoicing system. It’s a rather long leap from those systems into Target’s POS systems. How that feat was accomplished hasn’t been made public. Further, a report by BusinessWeek revealed that Target’s IT security systems were able to identify the hacker’s suspicious activity multiple times during the attack. But unfortunately those alerts were not agreed upon by Target’s IT security staff. 

Some of the key takeaways from this study include:

  • 50% of respondents believe cyber syndicates are to blame for the large retail data breaches. Only 16% believe an individual perpetrated the attack.
  • Many respondents believe notification of victims is better later than sooner. 36% of respondents would prefer to wait to notify victims until a thorough investigation was conducted.
  • SQL injection threat was one of the components of these retail breaches. 53% of respondents say SQL injections were used to steal sensitive and confidential information.
  • 65% of respondents say continuous monitoring of the database network followed by advanced database activity monitoring are the best approaches to avoiding a mega data breach
  • 33% of respondents say they either scan continuously or daily for active databases. However, 25% scan irregularly and 22% do not scan at all
  • SQL injection was considered by respondents to be one of the components of these attacks. 57% (36% + 21%) of respondents believe the likelihood that the attacks against the U.S. retailers involved SQL injection was 51% or greater
  • 65% of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
  • 49% say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals.
  • 46% are familiar with the term Web Application Firewalls (WAF) bypass
  • 39% of respondents are very familiar or familiar with the techniques cybercriminal use to get around WAF perimeter security devices
  • BYOD makes understanding the root causes of an SQL injection threat more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of employees’ use of personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is increasing stealth and/or sophistication of cyber attackers
  • Expertise and the right technologies are critical to preventing the SQL injection threat. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect SQL injection threats and 34% agree that they have the technologies or tools to quickly detect a SQL injection threat 

Find the report here

Top 10 Tips for Cyber Resilience in businesses

The dramatic increase in both the sophistication and frequency of cyber risks and attacks on businesses has profoundly changed the security threat landscape. Gone are the benign days of the Anna Kournikova virus or the “I Love You” bug. Today cyber risks and threats can lead to breaches of sensitive data, harming consumers, businesses and governments of all sizes. But there is a way to stay ahead of these risks by crafting an effective security strategy, and being cyber resilient.

Cyber resilience is not just about installing point products into your IT environment but rather it is about understanding a broader set of business and technical challenges. These include understanding the risks in an increasingly connected cyber world and in particular the risks facing an organisation with rapidly evolving technologies such as mobile, cloud, virtual, big data, and social; as well as increasing dependence on the Internet to conduct business.

Many businesses currently don’t have holistic IT security practices and technologies in place to deal with all of these new challenges. Breaches can and will happen. How businesses prepare for a breach is just as important as how they respond to one. Organisations should consider the following measures to mitigate the risk of an attack and become cyber resilient:

  1. Make security personal to your business – understand your business and how security can be built into your IT practices
  2. Baseline your security regularly – analyse your state of readiness, so that you can interpret the symptoms that can lead to a security incident
  3. Get executive and board engagement – cyber resilience starts at the top of the organisation
  4. Have a plan – security incidents happen every day. Develop a plan that addresses how businesses identify the important incidents and ensure they remain up and running no matter what
  5. Education – from board to new hire, it’s essential that everyone understands that they are responsible and accountable. All employees need to know what part they play in the bigger picture
  6. Do the basics well – leverage government and industry guidelines. This includes aspects such as patching and good user-level access management
  7. Plan for today and scale for the future – for example, BYOD is here to stay. Don’t just apply quick fixes; align your IT to a longer-term strategy
  8. Start small, but think big – Information protection is a long-term project, but organisations need to start where they will add the most business value and then expand where there is further, long-term value. For example, the supply chain and how an organisation interacts with its wider network of vendors and partners. The key is to think big but have a maturity plan, which must be linked to strategic business value and growth
  9. Be accountable – understand what the regulatory, legislative and peer-to-peer controls are that the business needs to adhere to. Make sure there is a clearly defined owner for each of these and an executive sponsor
  10. Don’t wait for it to happen – test your processes, procedures and people regularly. Make sure the business has clearly defined lifecycles that reflect changes in business strategy, technology use and culture. Make sure the strategy is current and effective for the business and the risks.

For an organisation to be cyber resilient there needs to be in place a strategy that adapts to the ever changing cyber security landscape. This strategy should not only make your organisation cyber resilient but it should be designed to make security your competitive advantage.

Written by Brenton Smith, Managing Director & VP Pacific at Symantec and original posted here.

Security Metrics to Manage Change: Which Matter, Which Can Be Measured? A Ponemon Study.

The Firemon sponsored study by Ponemen surveyed 597 individuals who work in IT, IT security, compliance, risk management and other related fields. All respondents are involved in IT security management activities in their organizations. They also are involved in assessing or managing the impact of change on their organization’s IT security operations. The following are the themes of this study:

  • Tale of two security departments
  • The importance of metrics to driving more informed decisions
  • Practices to achieve effective security change management
  • The right metrics for managing change

What is security change management?

Ponemon defines this in the study as “security change management as a formal approach to assessing, prioritizing and managing transitions in personnel, technologies, policies and organizational structures to achieve a desired state of IT security. The security risk landscape is defined as rapidly mutating threats at every point of entry from the perimeter to the desktop; from mobile to the cloud. The fast evolution of the threat landscape and changes in network and security architectures creates a challenging and complex security ecosystem.

The key findings of the study

The security posture perception gap puts organizations at risk. 13% of respondents would rate the security posture of their organization as very strong. Whereas, 33% of respondents say their CEO and Board believes the organization has a very strong security posture. Such a gap reveals the problems the security function acknowledges in accurately communicating the true state of security.

Why can’t communication be better? 71% of respondents say communication occurs at too low a level or only when a security incident has already occurred (63% of respondents). 51% admit to filtering negative facts before talking to senior executives.

Agility is key to managing change. However, when asked to rate their organization’s agility in managing the impact of change on IT security operations, only 16% of respondents say their organizations have a very high level of agility and 25% say it is very low.

Metrics that reveal the impact of change are most valuable. According to 74% of respondents, security metrics that measure the impact of disruptive technologies on security posture are important. 62% of respondents say metrics fail to provide this important information.

Real-time analysis for managing change is essential. When asked about the importance of real-time analysis for managing changes to the organization’s security landscape, 72% of respondents say it is essential or very important. 12% say it is not important.

Organizations are not using more advanced procedures to understand the impact of change on their organization’s security posture. 26% of respondents say they are using manual processes or no proactive processes to identify the impact of changes on the organization’s security posture. 15% are using automated risk impact assessments, 13% say they are using continuous compliance monitoring and 11% rely on internal or external audits.

Senior executives are believed to have a more positive outlook on the effectiveness of their IT security function. While respondents rate their organization’s security posture as just about average, they believe their CEOs and board members have a much more positive perception, and would rate their organization’s security posture as above average. 13% of respondents would rate the security posture as strong. Whereas, 33% of respondents say their CEO and Board believes their organization has a very strong security posture. This perception gap signals that security practitioners are not given an opportunity and/or cannot communicate effectively the true state of security in the organization. As a result it is difficult to convince senior management of the need to invest in the right people, processes and technologies to manage security threats. Likewise, respondents believe key stakeholders also consider the organization’s security posture as being above average. 26% of respondents say this group rates their organization’s security posture as very strong. These include business partners, vendors, regulators, and competitors.

Lack of communication seems to be at the root of the C-suite and IT security disconnect. Too little and too late characterizes communication to senior executives about the state of security risk. 29% of respondents say they do not communicate to senior executives about risks and 31% say such communication only occurs when a serious security risk is revealed. As a result, they admit the state of communication about security risks is not effective. 6% of respondents say they are highly effective in communicating all relevant facts to management.

Why can’t communication be better? The main complaints are that communication occurs at too low a level or when a security incident has already occurred. Other problems stem from the existence of silos that keep information from being communicated throughout the organization. Respondents also recognize that the technical nature of the information could be frustrating for senior executives. Very often, the whole story is not revealed because negative facts are filtered before being disclosed to senior executives and the CEO.

What are the implications of senior executives and IT security not having the same understanding of the organization’s security effectiveness? According to the findings, an important capability such as having the agility to manage the impact of change on IT security operations could be affected by not being able to convince management of the need for enough resources, budget and technologies. When asked to rate their organization’s overall agility in managing the impact of change on IT security operations, respondents say it is fairly low. 16% of respondents say their organizations have a very high level of agility and 25% say it is very low. This is also the case when asked to rate their organization’s effectiveness in managing the impact of change on IT security operations. 17% say their organizations are very effective and 30% say their organizations are very ineffective.

The top three barriers to achieving effective security change management activities are

  1. insufficient resources or budget
  2. lack of effective security technology solutions
  3. lack of skilled or expert personnel

When asked about the importance of real time-analysis for managing changes to the organization’s security landscape, 72% of respondents say it is essential or very important. 12% say it is not important.

  • 26% of respondents say they are using manual processes or no proactive processes to identify the impact of changes on the organization’s security posture
  • 15% are using automated risk impact assessments
  • 13% say they are using continuous compliance monitoring
  • 11% rely on internal or external audits

Those technologies most often fully deployed to facilitate the management of changes that impact an organization’s security risk profile are:

  • Incident detection and alerting (including SIEM)
  • Vulnerability risk management
  • Network traffic monitoring
  • Security configuration management follow
  • Technologies that are often only partially deployed are log monitoring (46% of respondents) and file integrity monitoring (35% of respondents).
  • Minimally or not deployed at all are: big data analytics (64% of respondents), automated policy management (45% of respondents), and sandboxing (44% of respondents).

Current metrics in use do not communicate the true state of security efforts. When asked if the metrics that are in use today adequately convey the true state of security efforts deployed by their organization, 43% of respondents say they do not and 11% are unsure. The biggest reasons for the failure to accurately measure the state of security are more pressing issues take precedence, communication with management only occurs when there is an actual incident, the information is too technical to be understood by nontechnical management, and a lack of resources to develop or refine metrics.

What are the strengths and weaknesses of the security function? Respondents were asked rate their organizations’ ability to accomplish seven specific factors that may impact the security posture. The findings reveal that most respondents say their organizations are best at managing security threats, hiring and retaining competent security staff and employees and discovering and containing compromises and breaches quickly. They are not as effective at achieving compliance with leading security standards and frameworks and minimizing third-party security risks.

What events are most likely to disrupt the organization’s infrastructure and ability to manage security threats? The expansion of mobile platforms and migration to the cloud are the most likely to affect the security posture. Use of employee-owned devices (BYOD) and the implementation of a next generation firewall have moderate impact. Events that are considered to have a low impact are the move or consolidation of data center resources, implementation of virtualized computing and storage, a security audit failure, and reorganizing and downsizing the enterprise and IT function. Who is accountable for managing the risk created by the introduction of such changes as mobile platforms and the clouds? According to respondents, most responsible for managing the impact of these changes is the CIO or CTO followed by no one has overall responsibility.

Metrics must be aligned with business goals. 83% of respondents say it is important to have security metrics fully aligned with business objectives. However, most organizations represented in this study do not seem to be achieving this goal. In fact, 69% say security metrics sometimes conflict with the organization’s business goals.

  • 74% agree that security metrics that show the impact of disruptive technologies on security posture are important
  • 62% of respondents say metrics fail to provide information about the impact of change
  • 54% agree that metrics do not help understand the vulnerabilities to criminal
  • 46% of respondents say they do not help assess or manage risks caused by the migration to the cloud
  • 56% agree that metrics can help justify investment in people, processes and technologies
  • 57% of respondents agree the CEO and board do care about the metrics used to measure security posture

What is the metrics that matter gap? Respondents were asked to rate the metrics most important in communicating relevant facts about the state of security risks to senior executives and IT management. The top metrics in terms of their importance are discovery and containment of compromises and breaches and management of resources and spending. However, the actual average use of metrics in these categories average only 43% and 37% of organizations represented in this research. The biggest gaps in importance vs. use are with metrics that track disruption to business & IT operations (36% gap), management of resources and spending (35% gap), and discovery and containment of compromises and breaches (31% gap). The smallest gaps between importance and use are with third-party risks (7%) and staff and employee competence (2%).

Tracking how fast a security incident is discovered and contained is the most important metric but not often used.

Practices to achieve effective security change management. In this section, we look at the different practices of organizations that were self-reported to have a high security posture and those that have a low security posture. The findings reveal that there is a difference in the technologies deployed, perceptions about barriers to managing the impact of change to the security infrastructure, effectiveness in communication with senior management, and frequency of communications.

Firemon’s report can be found here.

65% of organisations have been breached by a SQL Injection attack

Ponemon Institute have released their The SQL Injection Threat Study sponsored by DB Networks. The purpose of the research was to understand how organisations respond to the SQL injection threat and their awareness about different approaches to managing this risk.

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents were familiar with core IDS technologies that detect rogue SQL statements on the network that connect the web application to the database.

SQL injections are defined as:-

being used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public facing websites but can be used to attack SQL databases in a variety of ways

Key findings extracted from the report:-

  • The SQL threat is taken seriously because 65% of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
  • 49% of respondents say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals. 46% of respondents are familiar with the term Web Application Firewalls (WAF) bypass. Only 39% of respondents are very familiar or familiar with the techniques cyber criminal use to get around WAF perimeter security devices.
  • BYOD makes understanding the root causes of an SQL injection attack more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is increasing stealth and/or sophistication of cyber attackers.
  • Expertise and the right technologies are critical to preventing SQL injection attacks. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect a SQL injection attack and 34% agree that they have the technologies or tools to quickly detect a SQL injection attack.
  • Measures to prevent SQL injection attacks are also lacking. Despite concerns about the threat, 52% do not take such precautions as testing and validating third party software to ensure it is not vulnerable to SQL injection attack.
  • Organizations move to a behavioural analysis solution to combat the SQL injection threat. 88% of respondents view behavioural analysis either very favourably or favourably.
  • 44% of respondents say their organization uses professional penetration testers to identify vulnerabilities in their information systems but only 35% of these organizations include testing for SQL injection vulnerabilities.
  • 20% continuously scan active databases, 13% do it daily, 25% scan irregularly and 22% do not scan at all.

The full report can be found here.



Dell's New Unknown Threats Infographic

According to Dell organisations are overlooking powerful new unknown threats.

Read more here https://brianpennington.co.uk/2014/02/20/byod-cloud-and-the-internet-are-the-top-areas-of-concern-for-security-threats/

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: