Brian Pennington

A blog about Cyber Security & Compliance


Computer security

Small firms lose up to £800 million to cyber crime a year

New research from the Federation of Small Businesses (FSB) shows that cyber crime costs its members around £785 million per year as they fall victim to fraud and online crime.

The report shows:

  • 41% of FSB members have been a victim of cyber crime in the last 12 months, putting the average cost at around £4,000 per business.
  • Around 30% have been a victim of fraud, typically by a customer or client (13%) or through ‘card not present’ fraud (10%).

For the first time, the FSB has looked at the impact that online crime has on a business. The most common threat to businesses is virus infection, which 20% of respondents said they have fallen victim to; 8% have been a victim of hacking and 5% have suffered security breaches.

The FSB is concerned that the cost to the wider economy could be even greater as small firms refuse to trade online believing the security framework does not give them adequate protection. Indeed, previous FSB research shows that only a third of businesses with their own website use it for sales.

The report also finds:

  • almost 20% of members have not taken any steps to protect themselves from cyber crime
  • 36% of respondents say they regularly install security patches to protect themselves from fraud
  • almost 60% regularly update their virus scanning software to minimise their exposure to online crime

In response to this, the FSB has developed 10 top tips for small firms to make sure they stay safe online:

  1. Implement a combination of security protection solutions (anti-virus, anti-spam, firewall(s))
  2. Carry out regular security updates on all software and devices
  3. Implement a resilient password policy (min eight characters, change regularly)
  4. Secure your wireless network
  5. Implement clear and concise procedures for email, internet and mobile devices
  6. Train staff in good security practices and consider employee background checks
  7. Implement and test backup plans, information disposal and disaster recovery procedures
  8. Carry out regular security risk assessments to identify important information and systems
  9. Carry out regular security testing on the business website
  10. Check provider credentials and contracts when using cloud services

Launching the report at an event in London today, Mike Cherry, National Policy Chairman, Federation of Small Businesses, said:

“Cyber crime poses a real and growing threat for small firms and it isn’t something that should be ignored. Many businesses will be taking steps to protect themselves but the cost of crime can act as a barrier to growth. For example, many businesses will not embrace new technology as they fear the repercussions and do not believe they will get adequate protection from crime. While we want to see clear action from the Government and the wider public sector, there are clear actions that businesses can take to help themselves.

“I encourage small firms to look at the 10 top tips we have developed to make sure they are doing all they can. We want to see the Government look at how it can simplify and streamline its guidance targeted specifically at small firms and make sure there is the capacity for businesses to report when they have been a victim of fraud or online crime.”

James Brokenshire, MP Parliamentary Under Secretary for Security, Home Office, said:

“Having personally been involved in the cyber security debate for several years now, I am pleased that the Home Office is working with the FSB to highlight the current experiences of small businesses.

“Cyber security is a crucial part of the Government’s National Cyber Security Strategy and we need to make sure that all businesses, large and small, are engaged in implementing appropriate prevention measures in their business. This report will help give a greater understanding of how online security and fraud issues affect small businesses, giving guidance as well as valuable top tips to protect their business.”

David Willetts, MP, Minister for Universities and Science, Department for Business, Innovation and Skills, said:

“The Department for Business, Innovation and Skills (BIS) published guidance in April 2013, ‘Small businesses: what you need to know about cyber security’, based on our comprehensive ‘10 Steps to Cyber Security’ guidance. This guidance sets out the current risks, how to manage these, and plan implementation of appropriate security measures.

“We know only too well of the importance of securing buy-in from both big and small business in implementing appropriate protection against cyber risks – business success can depend on it. Increasing security drives growth.

“I support all efforts, like the FSB’s, to provide clarity on the issues small businesses are facing, and more importantly, what they can do about them. I urge all small businesses to follow the FSB’s advice.”


What happens after a data breach?

A report by Solera Networks and Ponemon reveals a rise in security breaches, with organisations taking months to detect and contain them.

The Ponemon report “The Post Breach Boom”, commissioned by Solera Networks, polled 3,529 IT and IT security professionals in eight countries to understand the steps they are taking in the aftermath of malicious and non-malicious data breaches over the past 24 months.

Highlights of the research include:

Data breaches are on the rise and organizations are unprepared to detect or resolve them:

  • 54% of respondents said data breaches have increased in severity
  • 52% said the frequency had increased


  • 63% say that knowing the root causes of breaches strengthens their organization’s security posture
  • 40% say they have the tools, personnel and funding to pinpoint the root causes
  • Breaches remain undiscovered and unresolved for months. On average, it takes companies nearly three months (80 days) to discover a malicious breach and then more than four months (123 days) to resolve it.
  • Security defences are not preventing a large portion of breaches. One third of malicious breaches are not caught by any of the companies’ defences; instead they are discovered when the company is notified by a third party (law enforcement, a partner, a customer or another party) or by accident.
  • 34% of non-malicious breaches are discovered accidentally
  • Malicious breaches are targeting key information assets within the organization: 42% of malicious breaches targeted applications and 36% targeted user accounts

Details of Impact and the cost of breaches from the report

  • On average, malicious breaches cost $840,000, significantly more than non-malicious data breaches at $470,000.
  • The average cost of a data breach per compromised record is $194
  • However, if the root cause is a malicious insider or attack, the average per-record cost climbs to $222
  • Breaches attributed to a negligent insider average far less, at $174 per compromised record

For non-malicious breaches, lost reputation, brand value and image were reported as the most serious consequences by participants. For malicious breaches, organizations suffered lost time and productivity followed by loss of reputation.

Following a malicious breach, organizations more often invested in enabling security technologies (65% vs. 42% of respondents). They also more often made changes to their operations and compliance processes to better prevent and detect future breaches (63% vs. 54%).

Endpoint security and encryption tools were the most popular following a non-malicious breach and SIEM and encryption tools were most frequently purchased following a malicious breach. Breaches drive increased spending on data security, according to 61% of respondents. The average increase is 20%.

52% of respondents say the breach resulted in an increase in spending on forensic capabilities. Among those organizations that spent more the increase was an average of 33%. This represents 13% more than the increase in data security funding.

“Security breaches continue to occupy the headlines on a daily basis, making it clear that there is still much work to be done before companies are prepared for the inevitability of today’s advanced targeted attacks,” said John Vecchi, vice president of marketing, Solera Networks. “In a post-prevention world, organizations must shift their focus toward attaining the real-time visibility, context and big data security analytics needed to see, detect, eradicate and respond to advanced malware and zero-day attacks.”

“Our study confirms that organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Meanwhile, months are passing as their key information assets are left exposed. The results demonstrate a clear need for greater and faster visibility as well as a need to know the root cause of the breaches themselves in order to close this persistent window of exposure.”


Security is still the biggest technology challenge for retailers

In a communications survey of 60 retailers conducted by Iconnyx, the number one challenge to retailers is security, with 47% identifying it as their biggest issue.

The full list of technology challenges for retailers is:

Challenge %
Security 47%
Data storage 20%
Mobile 17%
Ecommerce 10%
Cloud 7%

57% of respondents ranked PCI compliance as a very important business issue.

Other reported business issues were:

  • answering customer calls
  • synchronisation between Point of Sale and card payment machines
  • reducing the overall cost of connectivity to stores

Tim Walker, Iconnyx Managing Director explains:

 “It’s surprising to see that cloud is low on the list of retailer concerns, given that security and PCI compliance is top of the list.

This signals that for retailers, cloud-based technologies are seen as neither a solution nor an issue. In either instance, use of the cloud can resolve security concerns and could be explored as a reliable means of addressing retailers’ issues.”

The full press release can be found here.


7 experts predict the IT security and compliance issues and trends of 2012

Here we are on the edge of another year and it is the time of year when the predictions start.

Everyone has an opinion on what could be around the corner, some are based on extensive research and market trends, and some are based on customer expectations and experience.

Rather than bore you with my predictions I thought I would extract the predictions of several leading vendors and consultants and put them into one single post.

The plan is to use a range of industry specialisations, for example Anti-Virus and Authentication, and run them side by side for an easy comparison and to see if there is a trend in the predicted trends.

The 7 specialist predictors are from the organisations listed below:

  1. Confident Technologies
  2. Cryptzone
  3. Deloitte
  4. Lancope
  5. Trend Micro
  6. Varonis
  7. WatchGuard

Other opinions and predictions are available, and the full predictions of each organisation are within the links at the end of each prediction.

Top 5 Authentication Predictions for 2012 from Confident Technologies

  1. BYOMD (bring your own mobile device) will spell big trouble for businesses in terms of data loss in 2012.
  2. There will be a large data breach (reminiscent of the Sony online gaming breach of 2011) which will finally cause organizations across many industries to realize they cannot rely solely on passwords to protect user accounts.
  3. Targeted Variations of Zeus-in-the-Mobile style attacks will grow
  4. Smart devices enable smart authentication: image-based authentication, biometrics and more.
  5. Retailers and mobile payment providers will lead the adoption of new mobile authentication techniques in 2012

Find the Confident Technologies predictions here.

Cryptzone predicts Trends for 2012

Cryptzone, the IT Threat mitigation experts, announced its 8 key predictions for the top security trends for the coming year.

  1. Targeted Attacks
  2. Bring Your Own Device (BYOD)
  3. Greater Security for Production Systems
  4. Intranets on the iPad
  5. Incident Response Management
  6. Context Awareness for Access Rights
  7. Content Security versus Hardware Security
  8. Shortened Product Development Lifecycles

Peter Davin, CEO of Cryptzone, comments “Employees are now demanding to use their own devices for work with security as a prerequisite. On the other side, hackers have become more sophisticated in whom they target, opting away from indiscriminate strikes. 2012 will see these trends develop even further.”

Find Cryptzone’s predictions here.

Deloitte’s Top five security threats in 2012

  1. Mobile devices (34%)
  2. Security breaches involving third parties (25%)
  3. Employee errors and omissions (20%)
  4. Faster adoption of emerging technologies (18%)
  5. Employee abuse of IT systems and information (17%)

Find Deloitte’s predictions here.

Trend Micro 2012 Threat Predictions:

Attacks Take on More Sophistication in the Post-PC, BYOD Era

Trend Micro’s “12 Threat Predictions for 2012” include:

  1. The real challenge for data center owners will be the increasing complexities of securing physical, virtual, and cloud-based systems
  2. Security and data breach incidents in 2012 will force companies worldwide to face BYOD (Bring-Your-Own-Device) related challenges
  3. Security vulnerabilities will be found in legitimate mobile apps, making data extraction easier for cybercriminals
  4. More hacker groups will pose a bigger threat to organizations that protect highly sensitive data
  5. The new social networking generation will redefine “privacy.”

Find Trend Micro’s predictions here.

Lancope Announces Top Five Security Predictions for 2012

Lancope, Inc., a leader in flow-based security, network and application performance monitoring, unveiled its top five security predictions for 2012.

  1. Advanced persistent threats (APTs) will become more predominant
  2. Insider threats will grow
  3. Industrialized attacks will remain stable
  4. Employee misuse and abuse will create steady risk
  5. Fully automated attacks will trend down

“If 2011 taught us anything, it’s that the targeted, highly motivated attacker is real. Tomorrow’s threat landscape requires a new level of preparation when it comes to security,” said Adam Powers, chief technology officer at Lancope.

Find Lancope’s predictions here.

Varonis gives its top predictions for Data Governance in 2012

Varonis Systems Inc., the leading provider of comprehensive data governance software, announced its top-level predictions for the Data Governance field in 2012.

  1. Secure Collaboration Goes Viral in 2012. It will be the year data owners take back access control decisions from IT, and demand automation to analyze data, make better decisions, and eliminate costly, ineffective manual processes
  2. Big data analytics will expand its focus to the biggest data of all: unstructured information sitting on file servers, NAS devices, and in email systems
  3. We will see some IT departments taking drastic measures, such as shutting down “at risk” servers or access to e-mail if the proper audit trails are not in place
  4. Internal threats will still be a major worry for corporates in 2012 despite the demise of WikiLeaks

David Gibson, Director of Technical Marketing and Strategic Sales at Varonis said: “When it comes to data loss, threats from inside the organization have become as worrisome, if not more so, than those from outside. In many of the security breaches in 2011, employees or contractors were able to delete or download thousands of files without raising concerns because often no one was able to determine what sensitive data they had access to and secure it before information could be stolen, view an audit trail of what they actually did access after the fact, and certainly not hear any alarms go off while the breach was in progress, when access activity was unusual. Corporates will have to address this issue properly in 2012.”

Find Varonis’s predictions here.

WatchGuard Unveils Top 10 Security Predictions for 2012

WatchGuard Technologies’ security analysts provide their 2012 security predictions:

  1. A major cloud provider will suffer a significant security breach. Cloud Computing brings chance of malware-storms
  2. Organized criminals will leverage Advanced Malware techniques in targeted attacks against businesses
  3. The barrage of noteworthy data breaches continues through 2012
  4. Increased reliance on virtualization reawakens need for virtual security. Unprotected virtual machines make bad neighbors
  5. Smartphone app stores and marketplaces help proliferate mobile malware in the real world
  6. Adoption of BYOD and IT self-service results in more data loss. Bring your own device means clean your own infections
  7. As the top vector for social engineering and malware, Facebook is forced to increase its security. In 2012 WatchGuard forecasts Facebook-based attacks will increase and Facebook will be forced to sit up and take notice. Specifically, Facebook will implement new security solutions on their site to avoid losing fed-up users
  8. Attackers launch a digital attack that affects physical infrastructure or equipment. My power plant got a virus infection. Expect at least one digital attack in 2012 to cause a significant repercussion to a physical infrastructure system
  9. Location aware malware customizes its attacks. Spyware knows where you live
  10. HTML5 offers five times the ways to hijack your website. New web technologies like HTML5 fuel the growth for next year’s web application attacks

“2012 stands to be a dynamic year for network security as criminals and hackers take threats to new levels,” said Eric Aarrestad, Vice President at WatchGuard Technologies. “Given how new threats are constantly evolving, WatchGuard remains ever vigilant in staying one step ahead of these threats, which gives our customers unparalleled protection for their networks, applications and data.”

Find WatchGuard predictions here.

It appears the common theme is “mobile” as the biggest threat, whether the device is employee owned or not. Similarly, they agree that the bad guys will continue to focus on targeted attacks.

Let’s just hope that 2012 is a more secure year than 2011.


The Ten Early Warning Signs Of Fraud In Organisations

After completing a survey, the National Fraud Authority (NFA) has offered advice on how to minimise the impact of fraud.

Ten Early Warning Signs Of Fraud In Organisations
1. Erratic reporting
Erratic, incomplete, late or excuse-laden management reporting is often a classic sign that something is wrong. One of the possibilities is the existence of fraud. Further investigation often reveals that the common excuses are frequent IT failures or technology compatibility issues between different company systems or international systems. Act: Insist on up-to-date reporting. Wherever appropriate, adopt an enterprise-wide approach to technology to help with systems issues.

2. Apparent Process Laziness
A weakening of anti-fraud and data security systems can happen naturally over time, and is normal, especially when things get busy. However, with the seemingly right processes in place, top-level management are often lulled into a false sense of security that the processes are actually being used, whilst the fraudster is busy at work getting around them. Act: Make sure you implement the suggestions of your internal compliance managers. Where systems/processes come under pressure when used in practice, introduce a review process, and then adapt them promptly.

3. Organisational change and the desire to dump data
A major indicator can be the act of deletion or pressure on staff to delete, remove or otherwise dump past records following a restructure. An excuse of, “oh I’m sorry those files were destroyed.” should be cause for alarm. Act: Take care to establish and log where paper documents are and when they should and should not be stored. Identify who is in control of the system processes and who is responsible for and has ownership of the records.

4. Data Inconsistencies
Whether it is archive data or cross-reference checks that are missing or wrong, factual inconsistencies will also occur naturally. The cheats who seek to defraud an organisation will use that possibility to explain away such inconsistencies and hide their fraud. Act: Make sure that all files are electronically stored, with appropriate back-ups as part of your compliance systems, and that no-one has access to any files with a DELETE capability.

5. Audit-Time Delays
Excuses, confusion or wild goose chases when disclosing to auditors, be they internal or external, can be a telltale sign too. We need to remember though that the audit team is not there to find fraud, rather to ensure that the correct processes are in place that will deliver appropriate protection. Act: Ensure that everyone treats audits as important and make sure that they are completed on time and properly, and with appropriate audit skills. Make sure that the business critical and financial exposure areas take a priority and act upon all failings both quickly and completely; with follow-up audits if necessary.

6. Behaviour Abnormalities
These can range from acute defensiveness and resistance to attending review meetings, through to blaming strategies or even aggression when specific questions are asked about processes or figures. Research shows that internal fraudsters are most likely to be either ‘youngsters who cut across the processes and systems’ or ‘middle aged executives with the authority and a gripe’. Act: Get HR more closely involved. Then if you still have concerns about such people upon closer inspection, all the relevant files need to be pulled and checked.

7. Gossip Mongers in overdrive
Staff whispers and rumours “that all is not right” should always be taken seriously. These are, however, so often overlooked by senior management. Act: Listen, take all such rumours seriously and investigate the reality.

8. Twitchy Non-Execs
Good non-execs provide a considered, independent and external perspective. Often they bring in specific expertise from outside the board’s immediate experience and their skills can vary from financial knowledge through to IT. When their comfort factor ‘goes south’ or when they have a ‘bee in the bonnet’ about something that does not add up or make sense, they often have good reason to worry. So must you. Act: It is always good for the business to maintain a fresh supply of new thinking, new approaches and new concerns. Thus if non-execs have concerns about particular issues, one should allow them to bring in the appropriate specialist experts that can investigate matters more deeply.

9. Unofficial IT Work
Technical staff working around the enterprise conducting unsupervised IT activity, often outside normal hours, can also be a worrying sign, both from a risk and a cost perspective. Not every company is large enough to have a full IT department that might spot such issues through system audit trails. Act: Do the IT security staff look and think further than just password expiry issues? Make sure that someone is on the lookout for data theft, IPR theft, time theft (people spending all day on Facebook etc.), or simple theft of IT assets. Make sure you have a proper asset register and IT audit system in place.

10. Scapegoating
Where people are given a title but without actual responsibility, it can effectively cover up what is going on with those who do have responsibility or power in a situation. The fraudster’s hope is that should the balloon go up the scapegoat takes the blame, at least long enough for records to be destroyed and evidence removed. Act: Make sure that you have strong and cascaded accountabilities. Ensure that people know what they should be doing, and that they are doing what is required of them. Make sure that everyone is contributing to the business objectives. Make sure HR is involved in creating or reviewing job specifications.


Merchants are more concerned about their brand than PCI fines


A joint CyberSource and Trustwave survey has shown that nearly 70% of merchants cited the need to “protect the brand” as the primary driver for tightening controls against hackers and other payment security risks.

Only 26 percent said avoiding fines resulting from non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) was the key motivator.

A few highlights from the report include:

  • Brand Protection is Key Driver of Investment: The need to protect the organization’s brand and its revenues was given as the primary driver for investment in payment security.
  • Threat from External and Internal Sources Perceived as Equal: While the successes of external hackers often make headlines, employees can be an equally damaging source of risk. The survey found that organizations perceive the threats from internal and external sources as being nearly equal.
  • Trend Towards Remote Data Storage: With the need to secure payment data and efficiently comply with PCI DSS, organizations are planning to shift their payment data security approach from an on-site strategy to a remote one. Those organizations that had already made the shift reported shorter time-to-compliance and fewer full-time equivalent employees managing payment security.
  • Payment Security Cost and Complexity Expected to Increase: Most survey respondents expect that the technological complexity, cost, and resources required to manage payment security will increase over the next 24 months.

“A breach has serious consequences for nearly every division of an eCommerce merchant’s organization,” said Dayna Ford, Senior Director, Product Management at CyberSource. “But by far the most damaging impact is to the company’s brand, affecting revenue, customer loyalty, and even stock valuation. Knowledge of this phenomenon is now widespread, so we’re not surprised at the survey finding that puts brand integrity as the most important rationale for payment security investment.”

“In the face of increasing numbers of security breaches and data theft, there’s a real urgency for organizations to deploy powerful and effective security strategies,” said James Paul, Senior Vice President of Global Compliance Services at Trustwave. “Studies like ‘The Payment Security Practices and Trends Report,’ published today, should help organizations learn best practices and likely costs to attain appropriate levels of security.”

Selected survey findings

  • Data moving out:  Over the next 24 months, an increasing proportion of organizations expect to remove payment data from their environment as a way of reducing security risks.
  • Efficiency improving: Organizations that do not capture, transmit, or store data inside their own network tend to employ fewer personnel, validate PCI DSS compliance more quickly, and operate at a lower overall cost of payment security management.
  • “Data out” merchants spend less on infrastructure: 75 percent of PCI DSS Level 1 merchants that have removed payment data from their environments spend less than $500,000 on their payment security infrastructure. Only 60 percent of those that keep data in-house can make that claim.
  • Risk not confined to outsiders:  In one counter-intuitive finding, respondents said they felt the threat of payment data theft from inside employees was about equal to the threat from external hackers.

Read the full report here; registration is required.

Learn more about the Payment Card Industry Data Security Standard (PCI DSS) by visiting my PCI DSS Resources page here.


90 Percent of Businesses Fell Victim to a Cyber Security Breach

The Ponemon Institute has released the results of a study conducted to determine what IT and IT security practitioners in the US, UK, France and Germany think about how well their organizations are responding to threats against network security. Sponsored by Juniper Networks, they believe the research is important because “it can provide insights from those who are dealing daily with the prevention and detection of these attacks. Specifically, what do they think about the current threat landscape and what are the most effective strategies to keep networks secure”.

Some of the topics addressed include:

  • Are threats to network security increasing in frequency and sophistication?
  • Is their organization’s IT infrastructure secure enough to prevent successful attacks?
  • What is the nature of the attacks and are the attackers and attack vectors known?
  • Do organizations see complexity as a barrier to effective enterprise-wide network security?

They surveyed 583 IT and IT security practitioners in the US with an average of 9.57 years of experience. More than half (51 percent) are employed by organizations with more than 5,000 employees.

The study found the number of successful network security breaches over the past 12 months were:

None 10%
1 time 21%
2 to 3 Times 32%
4 to 5 Times 18%
More than 5 times 9%
Cannot determine 10%

Some of the most salient findings are as follows:

The financial impact of a security breach can be severe. According to 41% of respondents, the financial impact of these breaches was $500,000 or more. However, 16% cannot determine the amount. Respondents were asked to consider cash outlays, internal labor, overhead, business disruption, revenue losses and other expenses.

Security breaches most often occur at off-site locations but the origin is not often known. Mobile devices and outsourcing to third parties or business partners seem to be putting organizations at the most risk for a security breach. 28% say the breaches occurred remotely and 27% say it was at a third party or business partner location.

Attacks are coming from external agents but insider abuse is prevalent. External agents and insiders (employees) are most commonly behind the security breaches according to 55% and 49% of respondents, respectively. Respondents also report that multiple sources can be blamed for the breaches.

Employee mobile devices and laptops are seen as the most likely endpoint from which serious cyber attacks are unleashed against a company. 34% of respondents say attacks occurred from infected laptops or remotely due to an employee’s insecure mobile device. Further, the top two endpoints from which these breaches occurred are employees’ laptop computers (34%) and employees’ mobile devices (29%). 28% say it is employees’ desktop computers.

Complexity and availability of resources are the most serious challenges to combating cyber attacks. 48% cite complexity as one of their biggest challenges to implementing network security solutions, and the same percentage (48%) say it is resource constraints. These challenges are followed by lack of employee awareness, which contributes to the insider risk. In addition to simplifying their security operations and increasing available resources, organizations should consider the importance of training and awareness.

Attacks are becoming more frequent and severe. IT practitioners in the study are worried about continuing and more serious attacks. 78% of respondents say there has been a significant increase in the frequency of cyber attacks during the past 12 months, and 77% say these attacks have become more severe or more difficult to detect or contain.

Given the current threat landscape, organizations should make prevention and detection of security breaches a primary focus. Only 32% of respondents say their primary focus or approach to network security is on preventing attacks. 16% say it is on fast detection and containment and 15% say it is on network intelligence. 23% say their network security strategy is to baseline their approach against best practices and 14% say it is IT governance.

Ponemon’s Conclusions

They believe their research provides evidence that many organizations are lacking the right strategy to prevent cyber attacks against networks and enterprise systems. Their study suggests conventional network security methods need to improve in order to curtail internal and external threats.

They believe organizations should consider incorporating the following recommendations in their network security strategy:

  • Understand the risk employees’ mobile devices create in the workplace. In addition to problems created when inappropriately being connected to the network, breaches involving lost or stolen laptop computers or other mobile data-bearing devices remain a consistent and expensive threat. According to Ponemon Institute’s 2010 Annual Cost of a Data Breach Study, 35 percent of organizations report that a lost or stolen mobile device caused the data breach they experienced.
  • Create a comprehensive policy (including detailed guidelines) for all employees and contractors who use mobile devices in the workplace. The policy should address the risks associated with each device and the security procedures that should be followed. Guidelines can range from such topics as to what types of data should not be stored on these devices, how to determine if an application can be safely downloaded and how to report a lost or stolen device.
  • Improve ability through expertise and enabling technologies to detect and prevent breaches. Understanding the source of the breaches can help organizations strengthen their cyber security strategy.
  • Address the insider threat through the creation of an enterprise wide security policy that includes the responsibilities of employees to help protect network security. The policy should be easily accessible. In addition, there should be a training and awareness program to ensure employees understand the various risks to the network and how they can contribute to preventing security breaches.
  • Complexity is recognized as a barrier to effective network security strategy. Organizations should assess their current procedures and technologies to understand how best to streamline their approach and have an end-to-end (holistic) approach to network security. The studies consistently show that the cost of cyber attacks is increasing. Reducing an organization’s vulnerability to such attacks through the combination of proper staffing, enabling technologies and training programs can help prevent the pattern of multiple breaches experienced by so many in our study.

The full study can be downloaded here


Network Barometer Report 2011 – Dimension Data’s annual report

Dimension Data announced the results of its Network Barometer Report for 2011. The findings of the report have been taken from 270 “Technology Lifecycle Management” (TLM) assessments of enterprise organizations.

The annual Dimension Data report gauges the readiness of organizations’ networks to support business by evaluating adherence to best practices, potential security vulnerabilities and the end-of-life status of network devices.

Key findings from the 2011 report are:

  • More than 73% of corporate network devices had at least one known security vulnerability, nearly double the 38% recorded in last year’s report.
  • A single, higher-risk vulnerability identified by Cisco’s PSIRT (Product Security Incident Response Team) in September 2009 – PSIRT 109444 – was found in a staggering 66% of all devices, and was responsible for this jump.
  • With PSIRT 109444 removed from the equation, the next four vulnerabilities were found in less than 20% of all devices, indicating that organizations are stepping up remediation efforts.
  • 47% of devices were in late stage obsolescence – characterized as “beyond end-of-contract renewal” – which is the highest risk phase of the product lifecycle. At this point, organizations can no longer purchase additional support and are less likely to have access to the latest vendor-supplied security patches, leaving them vulnerable to security breaches and compliance violations.
  • The average number of configuration violations per device has decreased by 30%; however, AAA (authentication, authorization and accounting) errors continue to dominate.
  • A fall in the total number of configuration issues per device indicates that there has been progress in organisations’ response to configuration errors.
  • Despite some improvement, potential security violations still represent the single largest block of configuration errors.
  • Technology obsolescence is running at 38% of organisations’ installed asset base – little change in the past 3 years.
  • The percentage of devices in late stage end-of-life dropped from 58% last year to 47% this year, and those beyond LDoS (last day of support) dropped from 31% last year to 9%. This suggests that organisations are managing their network assets in a much more effective manner and refreshing those devices where the risk is greatest.
  • An increase in technology obsolescence in the cases of repeat assessments also suggests that organisations are using an overall understanding of their technology estate to ‘sweat assets’ intelligently.

“The Network Barometer Report 2011 raises the question of whether organizations have the necessary visibility into their overall technology environment to adequately protect customer data, privacy and sensitive business information, and to intelligently manage and ‘sweat’ IT assets,” said Wesley Johnston, chief operating officer, Dimension Data Americas.

“Previous research that we’ve conducted – unrelated to the Network Barometer Report – supports this concern, revealing that companies are unaware of as much as 25% of their networking devices. Organizations need a full view of every device on the network – including where it is, what it does and what the implications are when it breaks or becomes unsupportable – in order to protect themselves and their customers and ensure business productivity and efficiency,” stated Johnston.

The Dimension Data Network Barometer Report can be downloaded here


Study: Consumers’ Reaction to Online Fraud


ThreatMetrix, a cloud-based fraud prevention company, and the Ponemon Institute have released the findings of their joint study on consumers and their awareness and appreciation of online fraud.

The study has revealed:

  • 85% of respondents reported being worried and dissatisfied with the level of protection online businesses are providing to stop fraudsters. This figure is up 5% on the Ponemon study of 2009.
  • 42% of respondents said they have been the victim of online fraud.
  • 80% of victims said they did not report the crime.
  • 19% of those who said they had reported the fraud reported it only to the online business.

“A lot of fraudulent activity goes unreported today, making it difficult for online businesses to fully understand the prominence and seriousness of the problem,” said Reed Taussig, president and CEO, ThreatMetrix. “With a rise in online transactions and activities across devices, more needs to be done to educate online merchants, banks, social outlets and other businesses on how to decrease fraudulent activity.”

Those respondents that expressed concern over online fraud said they felt online merchants, banks and social networks need to take additional steps to prevent fraudsters from stealing consumer information.

  • 68% would allow a trusted online business to place a cookie on their computer to automatically authenticate them
  • 82% indicated that they would expect an online business to offer alternative authentication methods if they were unable to match the consumer’s digital fingerprint to their security system.

“Our survey results help validate the need and consumer preference for technology, such as device identification, to authenticate identity as opposed to using personally identifiable information,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Consumers expressed much more willingness to share data like ISP, computer serial number, type and make, rather than information like date of birth and telephone number.”

Information Consumers are Willing to Allow a Trusted Online Business to Check to Verify Their Identity, or Digitally Fingerprint Their Computer:

1. Serial number of computer 88%
2. Type and make of your computer 83%
3. Internet service provider 76%
4. Browser settings 71%
5. Type of browser 65%
6. IP address 59%
7. Types of software applications residing on your device 54%
8. Email address 46%
9. Purchase history 39%
10. Planned future purchases 35%
11. Date of birth 34%
12. Telephone number 17%
13. Home address 16%
14. Name 14%
15. Zip code 9%
16. Social Security number 4%
17. Driver’s license number 2%
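To show what the survey responses above amount to in practice (authenticating by device attributes rather than PII, with an alternative method when the fingerprint does not match), here is an added illustration that is not part of the study or of any ThreatMetrix product. The weights, threshold, server key and sample devices are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed key for the example; a real deployment keeps this in a secrets store.
SERVER_KEY = b"example-only-server-key"

# Attributes from the survey's "willing to share" list, weighted by stability:
# hardware/software identity counts more than network location, which changes legitimately.
WEIGHTS = {
    "serial_number": 4,
    "make_model": 2,
    "browser_settings": 1,
    "browser_type": 1,
    "isp": 1,
    "ip_address": 1,
}
MATCH_THRESHOLD = 7  # out of 10: tolerate a changed network, not a changed machine

def _field_hash(name: str, value: str) -> str:
    """Keyed hash of one attribute so the stored profile never holds the raw value."""
    msg = json.dumps([name, value]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def enroll(device: dict) -> dict:
    """Build the stored profile from the attributes the consumer agreed to share."""
    return {name: _field_hash(name, device.get(name, "")) for name in WEIGHTS}

def authenticate(profile: dict, presented: dict) -> dict:
    """Score the presented device against the profile; below threshold, require step-up."""
    score = 0
    for name, weight in WEIGHTS.items():
        candidate = _field_hash(name, presented.get(name, ""))
        if hmac.compare_digest(profile.get(name, ""), candidate):
            score += weight
    if score >= MATCH_THRESHOLD:
        return {"decision": "allow", "score": score}
    # Respondents expected an alternative method when the fingerprint cannot be matched.
    return {"decision": "step_up", "score": score,
            "methods": ["one_time_code_to_registered_email", "security_questions"]}

# Constructed sample devices
ENROLLED = {"serial_number": "SN-0001", "make_model": "Acme Laptop 13",
            "browser_settings": "en-GB;tz=0;dnt=1", "browser_type": "Firefox",
            "isp": "ISP-A", "ip_address": "203.0.113.7"}
SAME_DEVICE_NEW_NETWORK = dict(ENROLLED, isp="ISP-B", ip_address="198.51.100.9")
OTHER_DEVICE = dict(ENROLLED, serial_number="SN-9999", make_model="Acme Desktop")

if __name__ == "__main__":
    profile = enroll(ENROLLED)
    print(authenticate(profile, SAME_DEVICE_NEW_NETWORK)["decision"])  # allow
    print(authenticate(profile, OTHER_DEVICE)["decision"])  # step_up
```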

Study findings indicate that consumers have a “positive perception about companies that use authentication and fraud detection tools to prevent online fraud”.

  • 56% of consumers indicated they are ‘more willing’ to shop or browse an online business if they know that company is taking specific measures toward combating fraud.
  • 88% of respondents stated a preference for companies to share information about their device for authentication purposes — as opposed to sharing personal information to verify their identity.

Read the whole study here.

PCI DSS Compliance Trends Study, 2011


Imperva and the Ponemon Institute have published the 2011 PCI DSS Compliance Trends Study, a survey of IT and IT security practitioners in the U.S.

The Payment Card Industry Data Security Standard (PCI DSS) continues to be one of the most important regulations for all organizations that hold, process or exchange cardholder information.

In 2009, Ponemon Institute, with sponsorship from Imperva, conducted the first study to determine if IT and IT security practitioners believe PCI compliance improves organizational security and how it affects the ability to respond to security threats affecting payment account data.

In this study, the 2011 PCI DSS Compliance Trends Study, we (Imperva and Ponemon) continue to examine how efforts to comply with PCI affect the organization’s strategy, tactics and approach to achieving enterprise data protection and security, and how the state of PCI compliance has changed since the first study. We also consider the reactions that IT and IT security practitioners in different-sized organizations have to compliance with PCI.

A total of 670 US and multinational IT and IT security practitioners who are involved in their companies’ PCI compliance efforts were surveyed on the following topics:

  • What is the state of PCI DSS compliance in the organization?
  • Who is most responsible in an organization for ensuring compliance with PCI DSS requirements?
  • What technologies are preferred to achieve compliance with PCI DSS requirements?
  • Does PCI DSS contribute to a decline in data breaches?
  • Where are the greatest threats to the security of cardholder data located?
  • What is the value PCI DSS compliance provides to the organization?

This year’s report shows that:

  • 55% of respondents say their organization’s data breach incident did not concern the loss or theft of cardholder data 
  • 39% say one of the data breach incidents involved cardholder data and 6% report two to five incidents involving cardholder data 
  • The percentage of respondents reporting that their organization had a data breach in the past 24 months increased from 79% in 2009 to 85% in 2011 
  • Although the majority of PCI compliant organizations suffer fewer or no breaches, most practitioners still do not perceive the mandate to have a positive impact on data security
  • About 64% of PCI-DSS compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of non-compliant organizations reported suffering no breaches involving credit card data over the same period 
  • Certain technologies are adopted more quickly than others to comply with PCI. For example, code review saw the biggest decline in adoption 
  • The percentage of non-compliant companies decreased from 25% to 16%. Correspondingly, the percentage of fully compliant companies increased from 22% to 33% 
  • 38% of the compliant organizations say their organizations had two or more breaches in the past 24 months versus 78% of respondents in the non-compliant group 
  • 66% of respondents say their organizations retain and store primary account numbers for various reasons 
  • 33% of respondents see PCI DSS compliance costs as adding more value than other IT security expenditures. Another 35% say these expenditures are at about the same level of value. Finally, 32% see PCI DSS compliance costs as adding less value than other IT security expenditures made
  • 58% of respondents say that their organization has conducted or is in the process of conducting an audit or assessment by a bona fide QSA professional. Of those who have completed such an audit or assessment, 68% say that it helped the organization achieve its PCI DSS compliance requirements

Download the Imperva and Ponemon Report here


Low security awareness found across IT

Extract from the Computerworld article:

  • The survey polled 430 members of the Oracle Application Users Group (OAUG); it was conducted by Unisphere Research and sponsored by Application Security Inc.
  • About 22% of respondents claimed to be extensively involved in security functions.
  • 60% claimed a limited or supporting role, and the rest said they were not involved with security at all.
  • About 100 respondents belonged to companies with more than 10,000 employees.
  • Just 4% admitted to being fully informed about security breaches within their organizations.
  • About 80% of those who said their organizations had suffered a data breach in the past year were unable to tell which IT components might have been impacted by the breach.

Low security awareness found across IT – Computerworld.
