OptimumSecurity has created an infographic that is a great representation of many significant data breaches.
According to BDO’s analysis of risk factors listed in the most recent 10-K filings of the 100 largest U.S. retailers, risk associated with a possible security breach was cited unanimously by retailers, claiming the top spot, up from the 18th spot in 2007.
Since major retail security breaches began making national headlines in 2013, retailers have become acutely aware of the growing cyber threat and cyber-related risks. Between new point-of-sale systems and evolving digital channels, the industry faces unique vulnerabilities: Retailers are responsible for safeguarding consumer data as well as their own, in addition to protecting against potential gaps in security related to third-party suppliers and vendors.
“2016 marks the 10th anniversary of our retail risk factor analysis, and throughout the decade, we’ve seen the retail landscape undergo a dramatic evolution in response to the recession, new and maturing e-commerce channels and evolving consumer preferences,” said Doug Hart, partner in BDO’s Consumer Business practice. “Retailers over the years have proven to be in tune with the industry-wide issues and trends that could pose risks to their businesses, and they are clearly not tone deaf when it comes to reacting to the urgency of cybersecurity.”
The following chart ranks the top risk factors cited by the 100 largest U.S. retailers (rank and percentage of retailers citing each factor, with 2015 and 2014 for comparison; a “t” marks a tie):

| Top 20 Risks for Retailers | 2016 rank | 2016 | 2015 rank | 2015 | 2014 rank | 2014 |
|---|---|---|---|---|---|---|
| General Economic Conditions | #1 | 100% | #1 | 100% | #1 | 100% |
| Privacy Concerns Related to Security Breach | #1t | 100% | #4t | 99% | #8 | 91% |
| Competition and Consolidation in Retail Sector | #3 | 98% | #1t | 100% | #3 | 98% |
| Federal, State and/or Local Regulations | #4 | 96% | #1t | 100% | #2 | 99% |
| Natural Disasters, Terrorism and Geo-Political Events | #5 | 94% | #7 | 96% | #13 | 87% |
| Implementation and Maintenance of IT Systems | #6 | 93% | #4 | 99% | #7 | 92% |
| U.S. and Foreign Supplier/Vendor Concerns | #6t | 93% | #6 | 98% | #4 | 96% |
| Labor (health coverage, union concerns, staffing) | #9 | 91% | #7t | 96% | #5 | 94% |
| Impediments to Further U.S. Expansion and Growth | #10 | 90% | #12t | 92% | #17 | 78% |
| Dependency on Consumer Trends | #11 | 88% | #9 | 95% | #6 | 93% |
| Consumer Confidence and Spending | #12 | 87% | #15 | 89% | #8t | 91% |
| Credit Markets/Availability of Financing and Company Indebtedness | #13 | 85% | #11 | 94% | #11 | 89% |
| Failure to Properly Execute Business Strategy | #14 | 82% | #12 | 92% | #11t | 89% |
| Changes to Accounting Standards and Regulations | #15 | 76% | #14 | 90% | #13t | 87% |
| Loss of Key Management/New Management | #16t | 73% | #19 | 80% | #16 | 79% |
| Marketing, Advertising, Promotions and Public Relations | #18 | 66% | #25 | 68% | #24 | 64% |
| Consumer Credit and/or Debt Levels | #19 | 62% | #27 | 65% | #23 | 65% |
Additional findings from the 2016 BDO Retail Risk Factor Report:
Cyber Risks Include Compliance Measures
As the cyber threat looms larger, retailers are bracing for new and emerging cybersecurity and data privacy legislation. Risks associated with cyber and privacy regulations were cited by 76 percent of retailers this year. This is in line with the findings from the 2016 BDO Retail Compass Survey of CFOs, in which nearly 7 in 10 retail CFOs said they expected cyber regulation to grow in 2016. These concerns have been highlighted by President Obama’s recently unveiled Commission on Enhancing National Cybersecurity and continued debate in Congress over information sharing between the government and private industry.
Retailers have not escaped regulatory scrutiny. The industry is also subject to the Europay, Mastercard and Visa (EMV) standards, a payment-industry requirement that strengthens card authentication and authorization. Industry analysts estimate that just 40 percent of retailers are compliant with EMV standards despite the Oct. 1, 2015 liability-shift deadline.
“Mandating EMV chip-compliant payment systems is an important first step in shoring up the industry’s cyber defenses, but it’s just the tip of the iceberg,” said Shahryar Shaghaghi, National Leader of the Technology Advisory Services practice group and Head of International BDO Cybersecurity. “Online and mobile transactions remain vulnerable to credit card fraud and identity theft, and POS systems can still be hacked and provide an access point to retailers’ networks. New forms of malware can also compromise retailers’ IT infrastructure and disrupt business operations. Every retailer will experience a data breach at some juncture; the real question is what mechanisms have been put in place to mitigate the impact.”
E-Commerce Ubiquity Drives Brick & Mortar Concerns
Impediments to e-commerce initiatives also increased in ranking, noted by 57 percent of retailers in 2016, a significant contrast from 12 percent in 2007. In 2015, e-commerce accounted for 7.3 percent of total retail sales and is continuing to gain market share.
As e-commerce grows and businesses strive to meet consumers’ demand for seamless online and mobile experiences, retailers are feeling the effects in their physical locations. The recent wave of Chapter 11 bankruptcies and mass store closings among high-visibility retailers has raised concerns across the industry. Ninety percent of retailers are worried about impediments to growth and U.S. expansion this year. Meanwhile, risks associated with owning and leasing real estate jumped 14 percentage points to 54 percent this year.
Heightened worries over the impact of e-commerce on physical locations are far reaching, driving concerns over market competition for prime real estate and mall traffic to rise 19 percentage points to 46 percent. Meanwhile, consumer demand for fast shipping fueled an uptick in risks around the increased cost of mail, paper and printing, rising 10 percentage points from seven percent in 2015 to 17 percent this year.
General Economic Conditions Hold Weight
General economic risks have been consistently top of mind for retailers throughout all ten years of this survey. Even at its lowest percentage in 2008, this risk was still the second most cited, noted by 83 percent of companies.
Although general economic conditions have remained tied for the top risk since 2013, concerns about specific market indicators have receded.
For more information on the 2016 BDO Retail Risk Factor Report, view the full report here.
About the Consumer Business Practice at BDO USA, LLP
BDO has been a valued business advisor to consumer business companies for over 100 years. The firm works with a wide variety of retail and consumer business clients, ranging from multinational Fortune 500 corporations to more entrepreneurial businesses, on myriad accounting, tax and other financial issues.
For any organization connected to the internet, it is not a question of if but when its business will be under attack, according to a recent cybersecurity report from Symantec, which found Canada ranked No. 4 worldwide in terms of ransomware and social media attacks last year. These increasing attacks put customer information, and especially payment data, at risk of compromise.
When breaches do occur, response time continues to be a challenge. In more than one quarter of all breaches investigated worldwide in 2014 by Verizon, it took victim organizations weeks, or even months, to contain the breach. It is against this backdrop that global cybersecurity, payment technology and data forensics experts are gathering in Vancouver for the annual PCI North America Community Meeting to address the ongoing challenge of protecting consumer payment information from criminals, and new best practices on how organizations can best prepare for responding to a data breach.
A data breach now costs organizations an average total of $3.8 million. However, research shows that having an incident response team in place can create significant savings. Developed in collaboration with the Payment Card Industry (PCI) Forensic Investigators (PFI) community, Responding to a Data Breach: A How-to Guide for Incident Management provides merchants and service providers with key recommendations for being prepared to react quickly if a breach is suspected, and specifically what to do to contain damage and facilitate an effective investigation.
“The silver lining to high profile breaches that have occurred is that there is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business-as-usual,” said PCI SSC General Manager Stephen W. Orfei. “Prevention, detection and response are always going to be the three legs of data protection. Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it.”
“This guidance is especially important given that in over 95% of breaches it is an external party that informs the compromised organization of the breach,” added PCI SSC International Director Jeremy King. “Knowing what to do, who to contact and how to manage the early stages of the breach is critical.”
At its annual North America Community Meeting in Vancouver this week, the PCI Security Standards Council will discuss these best practices in the context of today’s threat and breach landscape, along with other standards and resources the industry is developing to help businesses protect their customer payment data. Keynote speaker cybersecurity blogger Brian Krebs will provide insights into the latest attacks and breaches, while PCI Forensic Investigators and authors of the Verizon Data Breach Investigation Report and PCI Compliance Report, will present key findings from their work with breached entities globally. Canadian organizations including City of Calgary, Interac and Rogers will share regional perspectives on implementing payment security technologies and best practices.
Download a copy of Responding to a Data Breach: A How-to Guide for Incident Management here.
The original PCI SSC press release can be found here.
Bloomberg Intelligence August 24, 2015
This analysis is by Bloomberg Intelligence analysts Charles Graham and Edmond Christou. It originally appeared on the Bloomberg Professional Service.
Personal data theft, cyber-attacks whet appetite for insurers
The value of personal data stored on corporate databases is rapidly increasing. For EU citizens it is set to reach 1 trillion euros ($1.4 trillion) by 2020, according to Boston Consulting Group. This is raising the need for greater protection. The increased incidence of data breaches and misuses as hackers become more sophisticated has also imposed greater regulatory requirements on businesses. Companies are seeking new products from insurers to limit the cost of interruption, reputational damage and penalties.
Companies Impacted: While cyber risk potentially affects many classes of business, there are a number of providers including AIG, Allianz, Munich Re, Swiss Re and Zurich Insurance Group, as well as specialist insurers like Beazley and Hiscox, which have developed specific cyber products.
Insurers view industry as ill-prepared for risk of cyber theft
Cyber theft is top of the list of risks for which businesses are least prepared, according to Allianz’s 2015 Risk Barometer Survey. Companies need to understand the potential effect of a cyber-attack on their supply chain, the liability they could face if they can’t deliver products on time and the legal penalties if they lose customer data. While computer systems can be improved, it is impossible to make them entirely secure. This is creating opportunities for insurers.
Companies Impacted: Allianz’s 4th Risk Barometer Survey was conducted among global businesses and risk consultants, underwriters, senior managers and claims experts within Allianz in October and November 2014. Insurers offering cyber-risk cover include AIG, Allianz, Zurich, Beazley and Hiscox.
Swelling cyber-attack costs are driving wider insurance coverage
The average cost of a data breach has increased to $3.79 million, according to a study by the Ponemon Institute based on a survey of 350 companies in 11 countries. This cost has increased by 23% since 2013. The average cost for each lost or stolen record containing sensitive information rose to $154 this year from $145 in 2014. Concerns about data breaches and privacy have led to legal reforms in the U.S. and Europe, which may help drive demand for cyber-insurance.
Companies Impacted: Increasing cyber-attacks have driven insurers such as AIG, Allianz, Beazley, Hiscox and Zurich Insurance, to expand their product offerings to include first- and third-party coverage for cyber-risk.
Retailers face biggest threat from cyber theft, data breaches
Retailers face the biggest threat from data breaches, according to figures compiled by Zurich Insurance. The food and beverage industry is second in line for hackers, followed by hospitality, finance and professional services. Carphone Warehouse discovered on Aug. 5 that personal data of 2.4 million of its customers and encrypted credit card details for 90,000 clients may have been accessed in a data breach. Insurers are tailoring products to meet different industries’ cyber risks.
Companies Impacted: Insurers work with companies to identify best practices in data privacy and security to help to minimize the financial cost should a breach occur. AIG, Allianz, Beazley, Hiscox, Zurich Insurance are among the companies to have developed cyber-insurance coverage.
Die Hard 4.0 cyber scenario could cost more than $1 trillion
A cyber-attack on the U.S. power grid could cost $243 billion rising to more than $1 trillion in the most extreme scenario, according to a study by Lloyd’s of London and the University of Cambridge. The report examines the insurance implications of a major cyber-attack. It depicts a scenario where hackers shut parts of the grid, plunging 15 U.S. states and Washington DC into darkness, leaving 93 million people without power. Insurers are just starting to wake up to the scale of potential losses.
Companies Impacted: Cyber-insurance risks are widely underwritten at Lloyd’s with 47 managing agents offering cover, including quoted groups Beazley, Hiscox and Novae. Lloyd’s introduced new risk codes for data and privacy breaches and cyber-related property damage in 2015.
Swiss Re joins forces with IBM to fight cyber threat
Munich Re has partnered with Hewlett-Packard and Swiss Re with IBM to develop solutions that offer clients cyber protection and provide support in the event of a security breach. IBM will assess clients’ external and internal vulnerability to cyber-attacks and offer options for mitigating these risks. IBM’s security platform provides intelligence to help organizations protect their clients’ data, applications and infrastructure.
Peer Comparison: Swiss Re’s Corporate Solutions business is one of a number of insurers offering cyber coverage. Other companies include AIG, Allianz and Zurich Insurance.
Vectra Networks announced the results of the second edition of its “Post-Intrusion Report”, a real-world study about threats that evade perimeter defenses and what attackers do once they get inside your network.
Report data was collected over six months from 40 customer and prospect networks with more than 250,000 hosts, and is compared to results in last year’s report. The new report includes detections of all phases of a cyber attack and exposes trends in malware behavior, attacker communication techniques, internal reconnaissance, lateral movement, and data exfiltration.
According to the report, there was non-linear growth in lateral movement (580%) and reconnaissance (270%) detections that outpaced the 97% increase in overall detections compared to last year. These behaviors are significant as they show signs of targeted attacks that have penetrated the security perimeter.
While command-and-control communication showed the least amount of growth (6%), high-risk Tor and external remote access detections grew significantly. In the new report, Tor detections jumped by more than 1,000% compared to last year and accounted for 14% of all command-and-control traffic, while external remote access shot up by 183% over last year.
According to Vectra, the report is the first to study hidden tunnels in encrypted traffic without decrypting the SSL sessions, by applying data science to the observable properties of the network traffic itself.
A comparison of hidden tunnels in encrypted traffic vs. clear traffic shows that HTTPS is favored over HTTP for hidden tunnels, indicating an attacker’s preference for encryption to hide their communications.
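The report describes detecting hidden tunnels in HTTPS from traffic properties alone. The following is an added example, not Vectra’s method or data, of the simplest version of that idea: scoring connection metadata (timestamps, byte counts, endpoints) for beacon-like regularity without touching the encrypted payload. The sample flow records, the documentation-range IP addresses and the thresholds (eight connections minimum, a 0.2 coefficient of variation) are constructed assumptions for the demonstration.

```python
"""Heuristic detection of beacon-like hidden tunnels from connection metadata.

Added example; this is not Vectra's method or data. It relies only on
timestamps, byte counts and endpoints, so it applies to HTTPS flows without
decrypting anything. The idea: a hidden tunnel or command-and-control beacon
produces many connections to one destination at near-constant intervals with
near-constant request sizes, while interactive browsing is bursty and variable.
"""
from collections import defaultdict
from statistics import mean, pstdev


def _cv(values):
    """Coefficient of variation (population stdev / mean); 0.0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def score_flows(records, min_connections=8, cv_threshold=0.2):
    """Group connection records by (src, dst, port) and score each group.

    records: iterable of (ts_seconds, src_ip, dst_ip, dst_port, bytes_out, bytes_in)
    Returns {(src, dst, port): {metrics..., "suspicious": bool}} for every group
    with at least min_connections connections.
    """
    groups = defaultdict(list)
    for ts, src, dst, port, b_out, b_in in records:
        groups[(src, dst, port)].append((ts, b_out, b_in))

    results = {}
    for key, conns in groups.items():
        if len(conns) < min_connections:
            continue                      # too few samples to judge regularity
        conns.sort()
        intervals = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        sizes_out = [c[1] for c in conns]
        total_out = sum(sizes_out)
        total_in = sum(c[2] for c in conns)
        total = total_out + total_in
        interval_cv = _cv(intervals)
        size_cv = _cv(sizes_out)
        results[key] = {
            "connections": len(conns),
            "interval_cv": round(interval_cv, 3),   # low = clock-like timing
            "size_cv": round(size_cv, 3),           # low = identical-looking requests
            "upload_ratio": round(total_out / total, 3) if total else 0.0,
            "suspicious": interval_cv < cv_threshold and size_cv < cv_threshold,
        }
    return results


def suspicious_keys(records, **kwargs):
    """Sorted list of the (src, dst, port) groups flagged as beacon-like."""
    return sorted(k for k, v in score_flows(records, **kwargs).items() if v["suspicious"])


# Constructed sample metadata (not real traffic), using documentation-range IPs.
# BEACON: one internal host calling one external host roughly every 60 s with
# ~512-byte requests. BROWSING: bursty, variable-size, download-heavy sessions.
# RARE: too few connections to score.
BEACON = [(t, "10.0.0.5", "203.0.113.10", 443, size, 200)
          for t, size in zip([0, 60, 121, 180, 240, 299, 360, 421, 480, 540],
                             [512, 512, 520, 512, 512, 512, 520, 512, 512, 512])]
BROWSING = [(t, "10.0.0.7", "198.51.100.20", 443, size, down)
            for t, size, down in zip([0, 3, 4, 40, 41, 42, 300, 305, 900, 902],
                                     [300, 1200, 450, 800, 2600, 150, 700, 3100, 90, 520],
                                     [15000, 48000, 9000, 2200, 120000, 800, 30000, 64000, 400, 7000])]
RARE = [(0, "10.0.0.9", "192.0.2.30", 443, 512, 200),
        (60, "10.0.0.9", "192.0.2.30", 443, 512, 200)]
SAMPLE_FLOWS = BEACON + BROWSING + RARE

if __name__ == "__main__":
    for key, metrics in score_flows(SAMPLE_FLOWS).items():
        print(key, metrics)
    print("flagged:", suspicious_keys(SAMPLE_FLOWS))
```

On real data the records would come from flow logs (NetFlow, Zeek conn.log, proxy logs) and the thresholds need tuning against a baseline, since legitimate software updaters and monitoring agents also beacon regularly; the upload ratio is included because a tunnel carrying exfiltrated data tends to send far more than it receives, the opposite of normal web browsing.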
“The increase in lateral movement and reconnaissance detections shows that attempts at pulling off targeted attacks continue to be on the rise,” said Oliver Tavakoli, Vectra Networks CTO. “The attackers’ batting average hasn’t changed much, but more at-bats invariably have translated into more hits.”
Key findings of the study include:
The data in the Post-Intrusion Report is based on metadata from Vectra customers and prospects who opted to share detection metrics from their production networks. Vectra identifies active threats by monitoring network traffic on the wire in these environments. Internal host-to-host traffic and traffic to and from the Internet are monitored to ensure visibility and context of all phases of an attack.
The latest report offers a first-hand analysis of active “in situ” network threats that bypass next-generation firewalls, intrusion prevention systems, malware sandboxes, host-based security solutions, and other enterprise defenses. The study includes data from 40 organizations in education, energy, engineering, financial services, government, healthcare, legal, media, retail, services, and technology.
The full report can be found here.
There are significant gaps in cybersecurity knowledge, shared visibility and mutual trust between those who serve on organizations’ board of directors and IT security professionals. These gaps between those responsible for corporate and cyber governance and those responsible for the day-to-day defense against threats could have damaging impacts on organizations’ cybersecurity posture, leaving them more vulnerable to attack and breaches.
This data comes from a new survey, Defining the Gap: The Cybersecurity Governance Survey, conducted by the Ponemon Institute and commissioned by Fidelis Cybersecurity.
Cybersecurity is a critical issue for boards, but many members lack the necessary knowledge to properly address the challenges and are even unaware when breaches occur. Further widening the gap, IT security professionals lack confidence in the board’s understanding of the cyber risks their organizations face, leading to a breakdown of trust and communication between the two groups.
The survey asked more than 650 board members and IT security professionals (mainly CIOs, CTOs and CISOs) for their perspectives regarding board member knowledge and involvement in cybersecurity governance.
Key findings include:
Lack of Critical Cybersecurity Knowledge at the Top
76% of boards review or approve security strategy and incident response plans, but 41% of board members admitted they lacked expertise in cybersecurity. An additional 26% said they had minimal or no knowledge of cybersecurity, making it difficult, if not impossible, for them to understand whether the practices being discussed adequately address the unique risks faced by their organization. This renders their review of strategy and plans largely ineffective.
Limited Visibility into Breach Activity
59% of board members believe their organizations’ cybersecurity governance practices are very effective, while only 18% of IT security professionals believe the same. This large gap is likely the result of the board’s lack of information about threat activity. Although cybersecurity governance is on 65% of boards’ agendas, most members are remarkably unaware if their organizations had been breached in the recent past. Specifically, 54% of IT security professionals reported a breach involving the theft of high-value information such as intellectual property within the last two years, but only 23% of board members reported the same, with 18% unsure if their organizations were breached at all.
“As the breadth and severity of breaches continues to escalate, cybersecurity has increasingly become a board level issue,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “The data shows that board members are very aware of cybersecurity, but there is still a lot of uncertainty and confusion. Many lack knowledge not only about security issues and risks, but even about what has transpired within their own companies, which is shocking to me. Without an understanding of the issues, it’s impossible to reasonably evaluate if strategies and response plans are effectively addressing the problem.”
Absence of Trust Between Boards and IT Security Professionals
The board’s lack of knowledge has created a further divide. Nearly 60% of IT security professionals believe that the board does not understand the cybersecurity risks of the organization, compared to 70% of board members who believe that they do understand the risks.
“The gap in knowledge and limited visibility into breach activity means board members don’t have the information they need to make smart cybersecurity governance decisions, and IT security professionals don’t have the support, monetary or otherwise, to maintain a strong security posture,” said retired Brig. Gen. Jim Jaeger, chief cyber services strategist at Fidelis. “Board members don’t need to be cyber experts, but they should have a thorough knowledge of the risks their organization faces and be able to provide the support needed for the security teams to protect against those risks.”
Additional Key Findings Include:
Tripwire have announced the results of a study on the cyber literacy challenges faced by organisations.
The study evaluated the attitudes of executives as they relate to cybersecurity risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from both private and public U.K. organisations.
Despite the increasing number of successful cyberattacks against U.K. organisations, the study revealed that 54% of C-level executives at organisations within the Financial Times Stock Exchange (FTSE) 100 index believe their board is both cybersecurity literate and actively engaged in routine security. IT professionals from the same organisations are less confident in their boards’ cybersecurity knowledge, with 26% stating their board only steps in when there is a serious incident.
While the results of the study point to executive confidence, they reveal the uncertainty of IT professionals. When asked if their board was “cyber literate,” 29% of IT professionals either answered “no” or “not sure.” However, when C-level executives were asked the same question, 84% answered “yes.”
“There’s a big difference between cybersecurity awareness and cybersecurity literacy,” said Dwayne Melancon, chief technology officer for Tripwire. “If the vast majority of executives and boards were really literate about cybersecurity risks, then spear phishing wouldn’t work. I think these results are indicative of the growing awareness that the risks connected with cybersecurity are business critical, but it would appear the executives either don’t understand how much they have to learn about cybersecurity, or they don’t want to admit that they don’t fully understand the business impact of these risks.”
Other key findings include:
“Most organisations are not struggling with communication tools,” said Melancon. “They are instead struggling with finding the right vocabulary and information to accurately portray cybersecurity risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk.”
2014 was another busy year for the Information Commissioner’s Office (ICO), with yet more breaches of the Data Protection Act.
There are normally three types of punishment administered by the ICO.
Below is a summary of the ICO’s activity in 2014 across all three “punishment” areas.
Monetary penalty notices
A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size and the financial and other resources of the organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury, not retained by the ICO.
Undertakings
Undertakings are formal agreements between an organisation and the ICO to carry out certain actions to avoid future breaches of the Data Protection Act; typically this involves encryption, training and management procedures.
Who has breached the Data Protection Act in 2012? Find the complete list here.
Who breached the Data Protection Act in 2013? Find the complete list here.
The UK Information Commissioner’s Office (ICO) has warned shoe retailer Office after the personal data of over one million customers was accessed by a hacker.
The hacker accessed customers’ details and website passwords via an unencrypted database.
Sally-Anne Poole, Group Manager at the Information Commissioner’s Office said:
“The breach has highlighted two hugely important areas of data protection: the unnecessary storage of older personal data and the lack of security to protect data.
“All data is vulnerable even when in the process of being deleted, and Office should have had stringent measures in place regardless of the server or system used. The need and purpose for retaining personal data should also be assessed regularly, to ensure the information is not being kept for longer than required.”
“Fortunately, in this case there is no evidence to suggest that the information has been used any further and the company did not store any bank details.”
The data breach also highlights the risk of customers reusing the same password across their online accounts: a password read out of one retailer’s database can be replayed against every other account where the customer used it.
Sally-Anne Poole added:
“This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question. It’s important to use a unique, strong password for each separate account; preferably a combination of numbers and letters – not a name or dictionary word.”
Office has agreed to an “undertaking under the Data Protection Act 1998”, the details are here.
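The ICO’s two points above, a database from which passwords could be read, and reuse of those passwords elsewhere, come down to how credentials are stored. The following is an added example, not code from Office or the ICO, contrasting a table that holds the password itself with one that holds only a per-user salted, stretched hash (PBKDF2-HMAC-SHA256 from the Python standard library). The table names, e-mail addresses, the sample password and the iteration count are assumptions made for the demonstration.

```python
"""Storing customer passwords so that a leaked database does not leak the passwords.

Added example; not code from Office or the ICO. Contrasts the pattern behind the
Office breach (a database from which passwords could be read and reused) with a
per-user salted, stretched hash using PBKDF2-HMAC-SHA256 from the standard library.
"""
import hashlib
import hmac
import os
import sqlite3

# Assumption: iteration count chosen so one verification costs roughly 100 ms on
# the production servers; raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing string: algo$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)   # fresh 16 random bytes per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Computed once so that a login attempt for an unknown e-mail address costs the
# same as a real one (response timing then does not reveal which accounts exist).
_DUMMY_HASH = hash_password("dummy-password-never-used")


def setup_db():
    """In-memory stand-in for the customer database (assumed table names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_weak (email TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT)")
    return conn


def register_weak(conn, email, password):
    """The pattern the ICO criticised: the password itself sits in the table, so a
    copy of the database hands an attacker credentials to replay on other sites."""
    conn.execute("INSERT INTO users_weak VALUES (?, ?)", (email, password))


def register(conn, email, password):
    """Hardened: only a salted, stretched hash is stored."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (email, hash_password(password)))


def login(conn, email, password):
    """True only if the e-mail exists and the password verifies against its hash."""
    row = conn.execute("SELECT password_hash FROM users WHERE email = ?", (email,)).fetchone()
    stored = row[0] if row else _DUMMY_HASH
    ok = verify_password(password, stored)
    return ok and row is not None


def what_a_leak_reveals(conn):
    """Contents of the password columns as an attacker holding a copy of the tables sees them."""
    weak = [r[0] for r in conn.execute("SELECT password FROM users_weak")]
    hardened = [r[0] for r in conn.execute("SELECT password_hash FROM users")]
    return {"users_weak": weak, "users": hardened}


if __name__ == "__main__":
    conn = setup_db()
    register_weak(conn, "alice@example.com", "Summer2014!")
    register(conn, "alice@example.com", "Summer2014!")
    for table, values in what_a_leak_reveals(conn).items():
        print(table, "leaks:", values)
    print("login ok:", login(conn, "alice@example.com", "Summer2014!"))
```

With the hardened table, an attacker who copies the database still has to brute-force each user’s hash separately (the salt defeats precomputed tables and the iteration count slows every guess), and the self-describing format lets the iteration count be raised later without invalidating existing accounts. This protects the password itself; it does nothing for the customer details that were also exposed, which is why the ICO’s first point, not keeping old personal data at all, still applies.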
A summary of the “Data Breach: The Cloud Multiplier Effect” survey from Ponemon sponsored by Netskope is below.
The survey reveals how the risk of a data breach in the cloud is multiplying. This can be attributed to the proliferation of mobile and other devices with access to cloud resources and more dependency on cloud services without the support of a strengthened cloud security posture and visibility of end user practices.
Ponemon surveyed 613 IT and IT security practitioners in the United States who are familiar with their company’s usage of cloud services.
A lack of knowledge about the number of computing devices connected to the network and enterprise systems, software applications in the cloud and business critical applications used in the cloud workplace could be creating a cloud multiplier effect. Other uncertainties identified in this research include how much sensitive or confidential information is stored in the cloud.
For the first time, Ponemon attempts to quantify the potential scope of a data breach based on typical use of cloud services in the workplace, what can be described as the cloud multiplier effect. The report describes nine scenarios involving the loss or theft of more than 100,000 customer records and a material breach involving the loss or theft of high value IP or business confidential information.
When asked to rate their organizations’ effectiveness in securing data and applications used in the cloud.
Key takeaways from this research include the following:
Cloud security is an oxymoron for many companies.
Certain activities increase the cost of a breach when customer data is lost or stolen.
An increase in the backup and storage of sensitive and/or confidential customer information in the cloud can cause the most costly breaches. The second most costly occurs when one of the organization’s primary cloud services provider expands operations too quickly and experiences financial difficulties. The least costly is when the use of IaaS or cloud infrastructure services increases.
Certain activities increase the cost of a breach when high value IP and business confidential information is lost or stolen
Bring Your Own Cloud (BYOC) results in the most costly data breaches involving high value IP. The second most costly occurs when the backup and storage of sensitive or confidential information in the cloud increases. The least costly occurs when one of the organization’s primary cloud providers fails an audit concerning its inability to securely manage identity and authentication processes.
Why is the likelihood of a data breach in the cloud increasing?
Ideally, the right security procedures and technologies need to be in place to ensure sensitive and confidential information is protected when using cloud resources. The majority of companies are circumventing important practices such as vetting the security practices of cloud service providers and conducting audits and assessment of the information stored in the cloud.
The findings also reveal that 55% do not believe that the IT security leader is responsible for ensuring the organization’s safe use of cloud computing resources. In other words, respondents believe their organizations are relying on functions outside security to protect data in the cloud.
There is a lack of confidence in the security practices of cloud providers
Respondents are critical of their cloud providers’ security practices. First, they do not believe they would be notified that the cloud provider lost their data in a timely manner. Second, they do not think the cloud provider has the necessary security technologies in place.
Lack of visibility of what’s in the cloud puts confidential and sensitive information at risk
The number of computing devices in the typical workplace is making it more difficult than ever to determine the extent of cloud use. According to estimates provided by respondents, an average of 25,180 computing devices such as desktops, laptops, tablets and smartphones are connected to their organization’s networks and/or enterprise systems.
Ponemon asked respondents to estimate the percentage of their organizations’ applications and information that is stored in the cloud. They were also asked to estimate the percentage of these applications and information that are not known, officially recognized or approved by the IT function (a.k.a. shadow IT).
Respondents estimate that 30% of business information is stored in the cloud and that 35% of that is not visible to IT. This suggests that many organizations are at risk because they do not know what sensitive or confidential information, such as IP, is in the cloud.
What employees do in the cloud?
Do certain changes in an organization’s use of cloud services affect the likelihood of a data breach?
Calculating the economic impact of a data breach in the cloud.
Ponemon calculates what it might cost an organization to deal with a data breach in the cloud involving customer records. These calculations are based on Ponemon Institute’s recent cost of data breach research and the estimated likelihood or probability of a data breach based on cloud use. The calculation involves the following four steps:
Ponemon calculates what it might cost an organization to deal with a data breach in the cloud involving high value IP. Once again, these calculations are based on Ponemon Institute’s recent cost of data breach research and the estimated likelihood or probability of a data breach based on cloud use. The calculation involves the following steps:
What can cost an organization the most when it has a data breach involving the loss or theft of IP? The most costly scenarios involve the growth in the number of employees using their own cloud apps in the workplace for sharing sensitive or confidential information (a.k.a. BYOC) and an increase in the backup and storage of IP or business confidential information in the cloud.
The average costs to deal with these two types of data breaches are $5.38 million and $4.93 million, respectively.
The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector’s information security.
According to FBI Director James Comey:
“There are two kinds of big companies in the United States. There are those who’ve been hacked… and those who don’t know they’ve been hacked.”
A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.
This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data.
This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves.
The data breaches below are listed chronologically by month of public notice.
As cyber attacks on retail, technology, and industrial companies increase so does the importance of cybersecurity. From brute-force attacks on networks to malware compromising credit card information to disgruntled employees sabotaging their companies’ networks from the inside, companies and their customers need to secure their data. To improve the private sector’s ability to defend itself, Congress should:
The recent increases in the rate and the severity of cyber attacks on U.S. companies indicate a clear threat to businesses and customers. As businesses come to terms with the increasing threat of hackers, instituting the right policies is critical to harnessing the power of the private sector. In a cyber environment with ever-changing risks and threats, the government needs to do more to support the private sector in establishing sound cybersecurity while not creating regulations that hinder businesses more than help them.
— Riley Walters is a Research Assistant in the Asian Studies Center, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.
The original research article can be found here.
Guest Blogger Barry Schrager.
I recently read a posting “Where’s the Compliance Experience on Corporate Boards?” [i] which showed some disturbing results describing the backgrounds of the Fortune 500 Board Members in terms of Compliance. Here are the results:
|Background||No. of Board Members||No. of Companies|
Add to this the recent speech given by Securities and Exchange Commissioner Luis Aguilar at the New York Stock Exchange conference “Cyber Risks and the Boardroom”,[ii] in which he emphasized the importance of cybersecurity and how fast the need for it has grown in such a short time period, pointing out that U.S. companies experienced a 42% increase between 2011 and 2012 in the number of successful cyber-attacks they incurred per week. He cautioned:
“Boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
Mr. Aguilar recommends that Boards institute structural changes to focus on appropriate Cyber-Risk Management.
“Companies must have someone on the board that is able to adequately understand and implement cybersecurity procedures. Many boards lack the necessary technical expertise to be able to evaluate whether management is taking appropriate steps to address cybersecurity issues. This responsibility often falls to the audit committee, but they may not have the expertise or skills to add cyber-risk oversight to their long list of duties. Commissioner Aguilar recommends that boards create a separate enterprise risk committee that can provide improved risk reporting and monitoring, as well as push necessary resources and overall support to company executives responsible for risk management.”
Navy Admiral Michael S. Rogers, director of the National Security Agency and head of U.S. Cyber Command, stated:
“Military commanders must ‘own’ cyber. Networks and cyber [should be] the commanders’ business.” Commanders operate under the “flawed” notion that they can turn over network responsibilities to the unit’s information technology experts, said Rogers. “Commanders have to own this mission and integrate it into operations.” Senior officers ought to be as knowledgeable about a unit’s network capabilities and potential vulnerabilities as they would be about its fuel and ammunition supplies, he added. “The challenge to that is as much cultural as it is technical.” [iii]
There is a definite pattern here. It is clear from the survey results and statements presented above that the proper disciplines and backgrounds are present neither on the Boards nor in the military leadership. This lack of knowledge and background represents a risk for these companies and their investors that should not exist and can be addressed. Additionally, these organizations have an obligation to protect the information gathered from their customers, partners and the individuals who interact with them.
If someone on the Board were knowledgeable and asked the senior executives questions about cybersecurity and compliance, then senior management would be sure to have someone in their group who was capable of seriously addressing these issues. This would cascade down the organization: employees would be more focused on security, would feel free to raise their perceived security issues up the management chain and receive appreciation for their input, and, more importantly, the organization would obtain more effective cyber and compliance controls.
This is not just an IT problem, and executives cannot simply assume that it will be handled by the IT people, because it usually involves budget, procedural changes that affect other departments, and so on. If the executives do not listen to and understand what the IT Security and Compliance people are asking for, they will not fund the requested programs and projects until there is a data breach, at which point they will finally provide whatever funding is requested. This is not the way to operate. Organizations and people will be hurt.
Barry Schrager is credited as one of the people who started the concept of data security when he founded and was the first Manager of the SHARE Security Project in 1972. The project delivered a series of requirements to IBM in 1974 including data protection by default and algorithmic grouping of users and resources. When IBM delivered its security product, RACF, in 1976, it did not meet the requirements and IBM told him they were not achievable. So, Barry developed his own security product, ACF2, which met the requirements and was used by customers such as General Motors, the Central Intelligence Agency, the National Security Agency, Britain’s MI-5, the Federal Reserve System and the Executive Office of the President of the United States. When Barry sold the company, SKK, Inc., it had a 60 percent market share against IBM’s RACF and CA’s Top Secret. Under Barry’s leadership, SKK developed the first VM operating system security product, ACF2-VM, and the first automated Operating System auditing product, Examine-MVS, now known as CA-Auditor.
In addition to that, Barry has a variety of experiences in mainframe software development, including the Neon Systems Shadow (now Rocket Software’s Shadow z/Direct), the EKC E-SRF Access Analysis product, JME Software’s Deadbolt product, the Vanguard Integrity Professionals line of RACF security products and Xbridge Systems’ DataSniff product. Additionally, Barry has done security reviews at institutions such as the FDIC and Morgan Stanley.
Barry’s experience covers everything from software designer/developer to executive management to consulting services.
Barry is honored to be selected as a member of the Enterprise Executive Magazine’s Mainframe Hall of Fame.
Barry’s contact information is: BarrySchrager@cs.com / (970) 479-9377
The U.S. Secret Service has issued an advisory to the hospitality industry to be on alert for keyloggers on the computers in the business center. Whether your hotel received this advice or not, this is something that will undoubtedly affect your business in the near future. We’ve put together this brief guide on reacting to the advisory.
“The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to banks, retirement, and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers.”
What is a keylogger?
How to check if a business center has been compromised
What to do if you have a compromised business center?
What should you tell your compromised customers?
How can you protect your business center?
Overall, the impact of this issue can be devastating to a business. Performing some or all of the proactive actions listed here can be critical to identifying these issues in your environment. In a perfect world, these proactive checks will find no evidence of intrusion or compromise. In that case, your business would be able to prove ‘due diligence’ in the face of this advisory, and could quell any customer concerns before they arose.
Written by Dan Fritsche, Practice Director, Coalfire Labs. The original post is here.
Sony has reached a class action settlement for its PSN data breach (a good article on it: Preliminary $15M Settlement Reached in Sony PSN Data Breach Class Action).
The data breach happened in 2011, and since then Sony has been hit by all manner of data protection agencies; now they appear to have settled a class action in the USA.
However, the final hearing on whether the settlement is fair is in May 2015, which means the sorry Sony story will have been kicked around for over four years.
Every time the story appears, Sony users and the security industry do a double take to make sure that it isn’t “another data breach”, which further damages the organisation’s reputation.
Data breaches have a habit of lingering like bad odours, and organisations should think about that when planning their approach to cyber security.
According to IDG research in a CSG Invotas white paper, “Security Automation: Time to Take a Fresh Look”, most organisations struggle to resolve the effects of a breach.
“There’s no doubt that improving intrusion response and resolution times reduces the window of exposure from a breach,” said Jen McKean, research director at IDG Research. “More companies seek security automation tools that will enable them to resolve breaches in mere seconds and help maintain business-as-usual during the remediation period.”
Researchers polled decision makers of information security, strategy, and solution implementations at companies with 500 or more employees. They explored the security challenges commercial organizations face when confronted with security breaches across their networks. Key findings include:
Business process automation solutions offer a new approach to the most difficult step in security operations: taking immediate and coordinated action to stop security attacks from proliferating. Building digital workflows that can be synchronized across an enterprise allows a rapid counter-response to cyber-attacks. Speed, accuracy, and efficiency are accomplished by applying carrier-grade technology, replicating repetitive actions with automated workflows, and reducing the need for multiple screens.
“It is no longer a surprise to hear that a breach has compromised data related to customers, employees, or partners,” said Paul Nguyen, president of global security solutions at CSG Invotas. “CIOs recognize that they need faster, smarter ways to identify security breaches across their enterprises. More importantly, they need faster, smarter ways to respond with decisive and coordinated action to help protect threats against company reputation, customer confidence, and revenue growth.”
A quarter of respondents say they are comfortable with the idea of automating some security workflows and processes and that they deploy automation tools where they can. 57% of respondents say they are somewhat comfortable with automation for some low-level and a few high-level processes, but they still want security teams involved. On average, respondents report that 30% of their security workflows are automated today; but nearly two-thirds of respondents expect they will automate more security workflows in the coming year.
The full survey and key findings are available here.
The 2014 Debit Issuer Study, commissioned by PULSE, found sustained growth in both consumer and business debit in 2013. Financial institutions weathered the Target data breach and are looking for solutions to enhance security, with many issuers now planning to implement EMV debit, the study shows. Debit program performance continues to improve, as active cardholders increase their usage of debit.
Key findings include:
“In the wake of several high-profile data breaches, the industry has come together to look for solutions to increase security and advance EMV implementation,” said Steve Sievert, executive vice president of marketing and communications for PULSE. “While PIN debit remains the most secure payment method in the market, this year’s study confirms the industry is reaching a tipping point toward EMV. The majority of financial institutions plan to issue EMV debit cards starting in 2015.”
Target breach was watershed event
The Target breach impacted every financial institution that participated in the study, causing fraud loss rates to increase in 2013 and compelling issuers to re-evaluate their strategies for improving card security in 2014, the study found.
Overall, 14% of all debit cards were exposed in data breaches in 2013, compared to 5% in 2012. The resulting 2013 fraud losses to financial institutions amounted to 5.7 basis points for signature debit and 0.7 basis points for PIN debit. Compared with the prior year, PIN debit fraud loss rates remained constant at 0.3 cents per transaction, on average, while signature debit loss rates increased to 2.2 cents per transaction, up from 2.0 cents.
Issuers also reported on fraud loss rates by payment usage point. International transactions caused loss rates of 51 basis points, compared to 8 basis points for domestic card-not-present transactions and 2 basis points for domestic card-present transactions.
Data breaches heightened attention to issues of debit card security. Prior to the Target incident, many financial institutions were hesitant to commit to EMV because of uncertainty around retailer adoption of chip card point-of-sale terminals, questions about the viability of the business case for migrating from magnetic stripe cards to chip cards, as well as unresolved issues related to regulation and support for merchant routing choice. In many ways, the Target breach served as a catalyst for the resolution of these issues.
The most common strategy among financial institutions is to provide account holders with an EMV debit card as part of their regular card reissuance cycle. Migration to EMV debit cards will begin in earnest in early 2015 and will span approximately three years, with many issuers attempting to provide chip cards to their international travellers and heavy debit users in advance of the liability shift in October 2015.
“We were quite surprised by the across-the-board embrace of EMV by debit issuers,” said Tony Hayes, a partner at Oliver Wyman who co-led the study. “There has been a dramatic shift from issuers’ tepid interest last year to their active plans to implement EMV beginning in 2015.”
Debit continues to grow, as issuers focus on growth strategies
Outside of the challenges caused by data breaches, debit continued its growth trajectory in 2013. On the consumer side, the primary performance improvement was in transactions per active card per month, which rose to 20.1 in 2013 from 19.4 in 2012. Other metrics, such as penetration, active rate and ticket size, remained consistent year-over-year. There was an uptick in usage of business debit cards: transactions per active card per month grew to 14.5 from 13.5.
Continuing historical trends, signature debit declined in share of total transactions between 2012 and 2013, falling to 62% from 64% for consumer cards, and to 70% from 72% for business cards. As regulated issuers (those with more than $10 billion in global assets) receive equivalent interchange for signature and PIN transactions but incur lower costs on PIN transactions, large debit issuers now tend to prefer PIN transactions.
As issuers continue to promote the migration of cash payments to cards, PULSE expects overall ATM use to naturally decline. In 2013, ATM withdrawals reached a study-wide low of 2.3 per active card per month. Large banks expect ATM transactions to continue to decline, but community banks and credit unions project increased ATM transaction volume as they seek to drive traffic from the branch to the ATM.
The original press release can be found here.
I thought I had published this months ago but found it still in my drafts.
2013 was a very busy year for the UK’s Information Commissioner’s Office (ICO), as the Commissioner issued record numbers of fines and enforcement notices.
There are normally three types of punishments administered by the ICO:-
The complete list of those who fell foul of the Data Protection Act in 2013 is below:-
Monetary penalty notices
A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors such as the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are paid to HM Treasury. The size of the fines might change with the pending revision to the Data Protection Act.
The list has the most recent first.
Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act; typically this involves encryption, training and management procedures.
The list has the most recent first.
The list has the most recent first.
Find the 2012 list here.