5 identity priorities for 2020 according to Microsoft Azure—preparing for what’s next

As we reflect over the past decade, it’s remarkable how the digital transformation has reshaped the way people work and how companies do business. Let’s take one example—your users. At one time, “users” meant employees. Users now include partners, customers, even software bots and devices. What started as identity for the workforce is now identity for everyone and everything. The corporate network perimeter has disappeared, making identity the control plane for security that now provides effective access control across all users and digital resources.


This makes identity absolutely critical to the business success of our customers. It’s not only central to security, but also to business transformation. For that reason, we want to share five areas to prioritize in 2020, and one technology to watch as you’re getting ready for what’s next. These priorities are based on many conversations we’ve had while working closely with our customers to re-architect their environments as they digitally transform.

5 identity priorities for 2020

1. Connect all applications and cloud resources to improve access controls and the user experience.

Digital natives are joining the workforce in ever-increasing numbers. They expect to collaborate on any project from anywhere using any app—and they only want to sign in once. Connecting all applications—from popular SaaS applications to on-premises applications and cloud resources—to a single cloud identity service will not only give your users single sign-on (SSO) for a better experience but also improve security.

With Azure Active Directory (Azure AD) as the single control plane for all your apps, you get visibility and adaptive granular access controls across your entire digital estate. You also benefit from the 171 terabytes of data our cloud-scale machine learning algorithms process each day to learn behavioral patterns for each user and application, flag potential attacks and remediate them. For example, to protect users who may be at risk, you can apply simple policies like forced password reset that prevent identity compromise with minimal user disruption.

2. Empower developers to integrate identity into their apps and improve security.

Most organizations are dealing with an explosion of applications, which introduce increasingly complex security and privacy requirements. Integrating with Azure AD improves application security and privacy. But keeping up with the flood of new applications while continuing to manage an already overwhelming portfolio is a big job for Identity admins. They need help.

To be successful, Identity admins need to delegate more to their application development teams. So, we’re making it easy for developers to integrate authentication into their apps with Microsoft Identity Platform and to build data-driven applications and automation with Microsoft Graph. As an added benefit, developers can set up granular permissions that specify minimum necessary privileges for each application, so that it can only access the Microsoft Graph data necessary to complete its tasks.

3. Go passwordless to make security effortless for users.

We all know that passwords are insecure, expensive to manage, and frustrating for users. That’s why over the past two years we’ve been on a mission to eliminate passwords, partnering with the FIDO alliance and leading the charge with our own employees. The time to get ready for a world without passwords is now.

There are so many benefits to passwordless authentication. One of them, as we’ve seen from Microsoft’s own journey, is an 87 percent reduction in hard and soft costs. To help every organization get ready to go passwordless, we offer a variety of methods—from Windows Hello to the Microsoft Authenticator and FIDO2 security keys—which will work across cloud and hybrid environments. And to make it easier to get started, we’ve identified four steps to start planning your rollout based on the experience of our customers and our own IT team.

4. Enable boundaryless collaboration and automated access lifecycle for all users.

Digital collaboration, both inside and outside of organizational boundaries, has increased exponentially. Today, identity supports all your digital relationships, for example, with customers and partners or over two billion Firstline Workers who were previously excluded from the benefits of digital transformation. In the future, it will also power collaboration between people and software bots, microservices, and smart devices.

Effective collaboration requires more than simply connecting all users. It requires giving the right users the right access to the right resources at the right time. With the growth in numbers of users and applications, it’s not possible for IT to know everyone’s access needs. This is where identity governance can help. Cloud-based identity governance automates the access lifecycle through integration with HR systems like SAP Success Factors or Workday and simplifies access decisions for reviewers through the power of machine learning and analytics. It also empowers business users to manage access through access requests and workflows or delegated user management for Firstline Managers.

5. Start your Zero Trust journey to protect your organization as you digitally transform.

The customers we speak with are absolutely clear on one point: with no network perimeter, no boundaries around collaboration, and an explosion of devices and applications, the old security paradigm no longer applies. In this world, Zero Trust is both a worldview and a security strategy. It replaces the assumption that everything behind the corporate firewall is safe with three simple principles: verify explicitly, use least privileged access, and assume breach.

As Microsoft has learned from our own experience, every Zero Trust journey will be unique based on your business priorities, the technologies you already own, and the assets you want to protect. As you build on your existing investments, you can assess your Zero Trust maturity and take practical steps toward an even stronger security posture.


The identity landscape beyond 2020

Looking beyond 2020, many exciting technologies are poised to change the identity landscape. I’d like to highlight one in particular—decentralized identity.

Greater verifiability and privacy with decentralized identity and verifiable claims.

As more transactions and information exchanges take place digitally, it’s essential to verify that people are who they are and that the information they present is accurate. This puts enormous pressure on organizations to validate the data that they collect while keeping it private and secure. It also requires people to put enormous trust in the organizations that steward their identities and collect personal information around them.

Decentralized identity will transform our digital interactions, making every online claim easily verifiable while giving people back control over their data. And it’s not just a concept—it’s real. Through a community effort with the Decentralized Identity Foundation (DIF), we are on the path to a new W3C web standard for verifiable credentials. And we are piloting decentralized identity in partnership with the UK National Health Service, Blackpool Teaching Hospitals, and Truu. Through this pilot, we were able to reduce the time it takes for doctors to validate their credentials from five months to five minutes, helping them spend more time with their patients.

Our commitment for the next decade

In this new decade, as in the last, the business priorities our customers share with us will guide our engineering investments in identity. Our team’s top priority is the reliability and security of the service. Our core innovation principles remain the same:

  • Start with industry-leading security.
  • Build a simple, integrated, and complete identity solution.
  • Support an open and interoperable ecosystem.

Even though each of your identity priorities for 2020 will be unique to your organization’s goals, identity will be a critical part of your business transformation journey. My team is committed to working closely with you to innovate our products, help you design an optimal identity architecture, and quickly roll it out to your organizations. Our plans always start with your feedback, so let us know what you need to stay ahead of what’s next.

About the author

Joy Chik is a Corporate Vice President, Identity Division at Microsoft. She leads engineering for Microsoft’s multi-billion-dollar Identity business that is building greater security and mobility into consumer and enterprise technologies that billions of people rely on every day. Her team is responsible for building all of Microsoft’s identity technologies and services, including Active Directory, Azure Active Directory, which provides end to end identity and access management solutions to secure organizations of all sizes and Microsoft Account (MSA) that secures identities for almost 1 billion consumers around the world. Joy serves on the Board of Trustees for the Anita Borg Institute and on the Board of Directors of Sierra Wireless. She’s active in charities that encourage women and girls to pursue technology careers.

How to Prevent Fraud in your company – Mitigate your risks

Technical malfunctions in the payment chain have a major impact on both consumers and business owners. Fraud occurs in a variety of forms, such as phishing, skimming, shouldering and theft, cash trapping, etc. Many parties are involved in fraud prevention: banks, transaction processors, POS terminal suppliers, brand owners, and also business owners and consumers.  But how can you prevent fraud and reduce your risks?

In 2002 the movie “Catch Me If You Can” came out. It put the story of one of the most notorious conmen, Frank Abagnale, on film, with Leonardo DiCaprio in his shoes. What this movie shows is that social engineering isn’t something new. In one example, Abagnale went to the bank in a pilot suit, with a boost of confidence, and asked the bank cashier if they could cash the check for him. They would often oblige because they only saw the pilot, and Abagnale stated: “The difference today is that when I used to pass cheques, 90% was the presentation, 10% was the cheque. Today, it’s the other way round”.

The three (security) lessons from Catch Me If You Can

Catch Me If You Can is an incredible story to see/read. Not only because we see a charming Leonardo DiCaprio, but it also gave us some insights into a real conman. These are three (security) lessons we can learn from Catch Me If You Can:

1. Social engineering isn’t new. It’s about confidence, targeting the right people in the chain to get what you want, and looking legit. Abagnale knew he could pull it off if he looked like he had the authority to cash money he didn’t have. – Luckily, social engineering is beatable. If they had looked at the details, they would have known something wasn’t right. It’s the same with scammers. If you think something isn’t right, it usually isn’t.

2. Information is key

Frank Abagnale Jr. impersonated some of the most educated careers in America without a fragment of background education. But he had an innate ability to learn quickly and think on his feet, allowing him to mesh well with his highly educated colleagues. It only took him so far, because at the end of each of his scams he chose to flee when those around him became suspicious about his real background and education. – For scammers nowadays, it’s just the same. They don’t know a lot, but what they do know about you and about your company lets them learn more, until they can outwit the key person in your company. Moreover, it is really important to educate your colleagues about the risks, because once they are aware, they know which kinds of questions they should/could ask to prevent a successful scam.

3. Technology (and policies) can prevent human error.
Last, but not least, technology could’ve prevented a lot of the problems that Abagnale caused. It wasn’t as sophisticated as it is now, but you could still see through the lies of Abagnale. The same goes for policies, or rather, the lack thereof. The only reason Abagnale was able to fly all over the world was a policy between airlines (where pilots could fly for free). If they had checked Abagnale properly (according to policy), he couldn’t even have got his hands on a pilot costume. – Again, it’s the same principle for most companies. With the right systems, technology and policies in place, it should be a lot harder to hack or social engineer into your company.

Privileged user accounts are magnets for hackers, fraudsters and auditors!

Earlier, it was mentioned that fraud comes in different sizes. Most of those cybercrimes target privileged user accounts, and in 2019 they resulted in a dazzling estimated US$3.5 billion in losses. Why, you ask? Because a privileged user is someone who has administrative-type access to critical systems. As ‘trusted’ users, they have the most powerful access of anyone within the organization. Often, they are able to carry out a wide range of system administration tasks, such as amending system configurations, installing and/or upgrading software and changing access for other users. They may even be able to override existing security policies, make unauthorized system changes and access confidential data.

Typical job functions include:
– System / Database Administrators
– Human Resources Staff
– Support Staff

It’s worth mentioning that privileged access rights can also be granted to Service Accounts, such as those which are set up to manage integrations.  Although these accounts are not intended for use by humans, they could be abused by anyone who knows the credentials.

Privileged access increases the risk of fraud

PWC’s 2018 Global Economic Crime and Fraud Survey found that “52% of all frauds are perpetrated by people inside the organization.” That brings us back to lesson number 3. It is therefore vitally important that you implement rigorous risk management policies to protect your organization from the dangers associated with privileged access.

Of course, the natural thing to do is to mitigate these users or exclude them from regular audit reporting requirements by stating they are known or trusted – but that should not be acceptable to your organization and would likely result in a deficiency in your next audit.

As with any mitigation, the objective is to reduce the probability or possibility of an event to an acceptable threshold. So you need to consider your options for mitigating privileged access, the cost vs benefit of each option, and the impacts. Risk mitigation can be costly and time-consuming, but not if you do it right (with a suitable roadmap, the right information, and compatible tooling).

Mitigating risk for privileged users: the 3 main areas to consider

There are three main areas to consider if you’d like to mitigate risk for privileged users. The keywords are Manage, Monitor, and Review. Perhaps, you already have a few of these solutions or even an alternative, but it’s still good to check if it’s in place, or if it’s necessary to put it in place. Let’s take a look:

1. Manage the risk:

Implement a User Management policy that tracks specifics about privileged user accounts, e.g. effective date, usage type (system admin or integration), vendor company name, the expiry date of the contract, or the date when access should cease pending contract renewal. It’s about documenting the “who, what, when and where” for privileged accounts.

Access Management – people often focus on controlling access to roles, but it’s more important to restrict the privileges within the roles. The roles should be created using a model of least privilege, where users only obtain access to the applications, modules, and data that they need to do their job.

For example, a System Administrator may not require access to business transactional applications in the production environment, provided sufficient support resources are available.

Password Management – passwords for these users should expire more frequently, on a set schedule. They should never be set NOT to expire.

It is also recommended to implement a joiners/leavers procedure for granting and removing network access. When someone leaves, passwords for service accounts should be changed when possible.

For shared passwords, such as those required for service accounts, passwords should be stored in a third-party password tool or kept in a secure, password-protected location/vault.

2. Monitor activity:

Maintain an audit trail of changes to critical or master data, such as the address book, vendor / supplier master data and human resources data. Monitoring should consist of capturing before and after results, then reviewing them for unusual activity.

Set up alerts for events such as a high number of password change attempts (for example, more than 5), or a significant period since last sign-on date (for example, over 30 days). This ensures that you can keep an eye on unusual activity.

Segregation of Duties – when access is granted either by a change in a role or the addition of roles to a user, it is critical to check whether this new access causes an SoD conflict.

3. Review:

User Access Review – conduct a review of privileged users on a more frequent basis than business users. It is recommended to do this monthly.

Vendor Review – in conjunction with your User Access Review, you should also check the status of ERP access granted to any vendor employees who work with your organization.

Ask your vendors to regularly supply a list of their employees who are assigned to your account.  Check for the spelling of names/name changes, job titles/position changes, and employment status, so that you can remove any redundant access for people who no longer work for them.

Service Accounts – ask for updates/status reports on the usage of these accounts. Ensure that usage is documented and updated regularly.

Passwords – review and set a schedule for when service account passwords should be changed (note that this may require system downtime). Require evidence of execution.

Terminate redundant access – revoke access when it’s no longer required. Institute an immediate termination policy and require evidence of execution.
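The alert thresholds and password rules listed above can be checked automatically. The following is an added example, not part of the original article: a Python check over a constructed inventory of privileged accounts. The field names, the sample accounts and the SoD role pairs are assumptions made for illustration.

```python
from datetime import date

# Thresholds taken from the article's own examples.
MAX_PASSWORD_CHANGE_ATTEMPTS = 5   # alert on more than 5 attempts
MAX_DAYS_SINCE_SIGN_ON = 30        # alert on over 30 days without sign-on

# Hypothetical SoD rule set: role pairs one user must not hold together.
SOD_CONFLICTS = [
    frozenset({"vendor_master_maintenance", "payment_approval"}),
    frozenset({"user_administration", "payroll_processing"}),
]

# Constructed sample inventory (the "who, what, when and where" record
# the User Management policy asks for). Not real data.
ACCOUNTS = [
    {"user": "dba_anna", "usage": "system admin",
     "password_never_expires": False, "password_change_attempts": 5,
     "last_sign_on": date(2020, 2, 25), "contract_expiry": None,
     "roles": {"database_admin"}},
    {"user": "svc_hr_integration", "usage": "integration",
     "password_never_expires": True, "password_change_attempts": 0,
     "last_sign_on": date(2020, 2, 29), "contract_expiry": None,
     "roles": {"hr_integration"}},
    {"user": "vendor_bob", "usage": "system admin",
     "password_never_expires": False, "password_change_attempts": 7,
     "last_sign_on": date(2020, 1, 15), "contract_expiry": date(2020, 1, 31),
     "roles": {"vendor_master_maintenance", "payment_approval"}},
]


def review_account(account, today):
    """Return the list of findings for one privileged account."""
    findings = []
    if account["password_never_expires"]:
        findings.append("password set never to expire")
    attempts = account["password_change_attempts"]
    if attempts > MAX_PASSWORD_CHANGE_ATTEMPTS:
        findings.append(f"{attempts} password change attempts")
    idle_days = (today - account["last_sign_on"]).days
    if idle_days > MAX_DAYS_SINCE_SIGN_ON:
        findings.append(f"no sign-on for {idle_days} days")
    expiry = account["contract_expiry"]
    if expiry is not None and expiry < today:
        findings.append("access still active after contract expiry")
    for pair in SOD_CONFLICTS:
        # A conflict exists when the account holds both roles of a pair.
        if pair <= account["roles"]:
            findings.append("SoD conflict: " + " + ".join(sorted(pair)))
    return findings


def review_all(accounts, today):
    """Map each account with at least one finding to its findings."""
    return {a["user"]: f for a in accounts if (f := review_account(a, today))}


if __name__ == "__main__":
    for user, findings in review_all(ACCOUNTS, date(2020, 3, 1)).items():
        for finding in findings:
            print(f"{user}: {finding}")
```

Running the same check after every role change, and again as part of the monthly User Access Review, gives the reviewer a short exception list instead of the full account inventory.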

Hopefully, this article gave you some useful insights and encouraged you to clamp down on privileged access to your ERP system. Keep in mind, some of the largest data breaches were carried out by insiders with administrative access, such as Edward Snowden.

FBI: Cybercrime losses tripled over the last 5 years

On the upside, the Bureau recovered more than US$300 million in funds lost to online scams last year

In 2019, the United States’ Federal Bureau of Investigation (FBI) received more than 467,000 cybercrime complaints that caused an estimated US$3.5 billion in losses, according to the Bureau’s annual 2019 Internet Crime Report (IC3). Last year saw both the highest number of complaints and the highest dollar losses on record; in 2015, for example, annual losses totaled ‘only’ US$1.1 billion.

Business Email Compromise (BEC) fraud remains the costliest type of fraud on the list, accounting for more than half of the total losses and costing businesses almost US$1.8 billion. These schemes are constantly evolving, too. Back in 2013, scammers would typically hack or spoof the email account of a CEO or CFO to request a fraudulent transfer of funds to accounts under their control. Over the years the tactics have evolved to also include compromising personal or vendor emails as well as spoofing lawyers’ email accounts.

Payroll diversion emerged as a popular form of BEC fraud last year. Scammers target HR and payroll departments by acting as employees who want to update their direct deposit information for the current payment period. The updated information then usually directs the funds to a pre-paid card account.

Elder fraud is also an increasingly pressing issue. With 68,013 victims, this type of fraud had the highest number of victims; under-twenties claimed “just” 10,724 victims. The number of victims may not reflect the true extent of the problem since providing the age range is voluntary.

Seniors are often the targets of romance, tech support, government impersonation, and lottery scams. Victims of these schemes were defrauded out of over US$835 million. Romance and confidence fraud alone accounts for almost half a billion dollars in losses, with the FBI estimating that up to 30% of romance fraud victims had been used as money mules.

Tech support fraud remains a growing problem as scammers attempt to defraud their victims by contacting them under the pretense of resolving a non-existing technical issue with their software licenses or bank accounts.

Recently, however, scammers have started impersonating representatives of well-known travel companies, financial institutions or virtual currency exchanges. Tech support fraud has claimed approximately US$54 million in losses in 2019, a 40% increase compared to the previous year, with most victims falling into the over-60 age category.

Meanwhile, losses emanating from ransomware reached around US$9 billion, almost triple the losses incurred in 2018. The number of reported victims also rose to about 2,000 compared to 1,500 from 2018. While phishing was still the most widespread problem, claiming 114,072 victims last year, non-payment and non-delivery scams came in second with about half that number of victims, 61,832.

Not to end on a bleak note, the FBI’s Recovery Asset Team (RAT) helped retrieve almost US$305 million lost in scams, giving it a 79% return rate of reported losses.

This article originates from welivesecurity.com

Cyberthreats are hard to defend against, but defending against them isn’t impossible. One of the solutions you could work with is privileged access management, where you’ll be able to protect your organization and your employees.

Cybersecurity: Awareness is Only the First Step

European Cyber Security Month (ECSM) is an annual campaign designed to raise awareness of the myriad of threats individuals and organisations face in today’s ever more connected world.

Whether it be malicious hacking, malware, espionage or data loss, we are more at risk of becoming victims of cybercrime than ever before. This trend is only set to increase exponentially into the future. 

The end goal of ECSM is not only to raise awareness of cybersecurity issues, but to also promote best practice, provide access to the resources required to fight cybercrime and, of course, to educate users and decision-makers about the risks they face.

While bringing awareness to an issue is important, one month of highlighting cyber security issues just isn’t enough. Hackers operate 24 hours a day, 365 days a year and it would be foolhardy not to ensure your cybersecurity protocols operate to the same timeframe.

The ever-growing threat

When national security, personal safety and business continuity are at stake, everyone should not only be aware of the threat, they should be taking action. Society believes in this when it comes to environmental and physical threats, so why are we so disengaged when it comes to cyber security?

Cyber security doesn’t just affect a person, but everyone around them. And in the globally connected world we live in, that literally is everyone. Infected devices have a way of infecting other devices, and compromised systems can make everyone vulnerable. So cyber security isn’t just about protecting you – it’s about protecting all of us.

The National Cyber Security Centre recently revealed that it has handled 658 attacks on 900 organisations, including schools, airports and emergency services, and said the attacks pose ‘strategic national security threats to the UK’. The spread of cyber-attacks should come as no surprise. The number of internet-enabled devices is skyrocketing. Already, there are seven billion internet-connected devices globally, and that number will more than triple to over 21 billion by 2025, IoT Analytics predicts. Thanks to the Internet of Things there is now web-enabled software in everything from planes to fridge-freezers. In an era where espresso machines have IP addresses and speakers are connected to the internet, a lot of effort is required to keep safe.

The threat is very real, and very immediate. And where the attacks are coming from is a cause for serious concern.

Increased sophistication

Gone are the days where the only concern was the lone attacker wearing a hoodie in his bedroom. While that stereotype might have been true over 20 years ago, organised criminal gangs quickly got in on the action, stealing credit card details and testing the IT structures of retail banks to their very limits. More recently, ‘hacktivists’ like Wikileaks have tried to expose the malpractices and secrets of big businesses and powerful governments. And in the last few years, state-sponsored attacks have been ever increasing, with accusations of foreign meddling in domestic elections (US, France, Brexit) a massive concern. The transition from the teenager’s bedroom to the upper echelons of power has been frighteningly quick.

It is imperative that we move from a state of apathy to a state of national readiness when it comes to cyber threats. Cyber-attacks are getting more sophisticated, and are having real life consequences for nations, organisations and citizens. The fightback must begin.

The steps we must all take

Businesses need to own their IT. “Owning” your digital profile means taking stock of the apps, appliances and other IoT devices that hold and use personal and corporate data on a daily basis. Solutions which use things like data encryption provide visibility into and security for complex, interconnected IoT systems. They also help ensure devices are authenticated and data/control information is free from tampering.

Only after building a complete picture of your personal and organisational cyber landscape can you begin securing it.  95 per cent of successful attacks on enterprise networks result from spear phishing scams. Identifying a phishing attempt is the first step: always check the actual email and web addresses when you receive an email of which you are unsure. On a technological level, the use of multi-factor authentication and dynamic security policies can mitigate even successful phishing attacks.

The most important thing to remember about cybercriminals is that more often than not they rely on human error to gain access to systems. Continued employee awareness training can help strengthen cybersecurity defences by lowering the risks associated with human error.

Businesses can also make sure strong security processes are in place, including ensuring employees use strong passwords, and that they are changed regularly. Yes, Password123456 – I’m looking at you. 

Keep your software updated to the latest version available because updates often include fixes for disclosed vulnerabilities. Also be wary of public WiFi, especially when connecting in new locations – hotels and other public spaces are common targets for cybercriminals due to their unsecured networks.

And this isn’t only for the grown ups’ table. Just as we teach our kids to lock up their bikes, parents and teachers need to remind children to protect their phones and other devices with passwords. And children need to know that some things in life need to be kept secret!

Stop. Think. Connect.

The organisations behind National Cyber Security Month remind people to Stop. Think. Connect:

STOP: Before you use the Internet, take time to understand the risks and learn how to spot potential problems.

THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, or your family’s.

CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself and your computer (and other devices). 

In a world where cybercrime is to be expected, it is high time we ensure security at all times, not just when awareness is at a peak.

Campbell Murray is Global Head at BlackBerry. Today’s BlackBerry is a software company with a standard of security for managing the network of mobile and wearable devices, desktops and laptops, and other endpoints within enterprises. In addition to developing and providing applications, our BlackBerry Secure platform enables enterprises and independent developers to create applications for smartphones, medical devices, connected cars, consumer appliances and industrial machinery, and much more.

Original post is from Technative


In the previous six articles, we’ve looked at how cyber security is impacting different industry sectors. The sectors analyzed have been healthcare, financial services, manufacturing, automotive, energy, and retail. Each sector has its own cyber security pain points, and there is, of course, much overlap as well. Phishing is especially an issue across all industry sectors, likely because it taps into our behavior, and because of that it is very successful as an attack vector. To attempt to counter the onslaught of cyber threats against our nation’s industries, each sector has in place measures of compliance and regulations, with elements of security and privacy requirements specifically dealt with. In this final, round-up article, we’ll be looking at the compliance expectations of each sector, and how those guidelines should fit in with any industry sector security strategy.

Healthcare Compliance and Regulations

Healthcare is a data-rich industry sector and as such has some extensive security regulations to adhere to. The main body of regulations used within this sector are the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

HIPAA was introduced in 1996 and the HIPAA Privacy Rule covers the security of Personal Health Information (PHI). PHI has a very wide scope. It includes all personal information, such as name, address and so on, but it also includes medical records and even DNA. HIPAA specifically regulates how PHI is handled, i.e. used and disclosed. It is meant, however, to get the balance between security and usability of PHI right; it is important to keep health data flowing and available for improved health care. The Privacy Rule covers health plans, healthcare providers, and health care clearing houses. Importantly, it also covers ‘business associates’. This means that the extended ecosystem of third-party vendors used by health care also needs to be HIPAA compliant. Essentially any healthcare CIO is responsible for ensuring that third-party vendors take due care of any PHI that comes under their remit.

HITECH was introduced in 2009 as a way of encouraging the use of Electronic Health Records (EHR). HITECH is a separate law to HIPAA but they work in symbiosis. HITECH, for example, has set fines for non-compliance with HIPAA security regulations.

The HIPAA Omnibus rule, introduced in 2013, strengthens the main security requirements of HIPAA and sets the expectations of the breach notification rule to cover any breach of over 500 individuals. The breach must be reported to the U.S. Department of Health and Social Services, and the details made publicly accessible.

Financial Services Compliance and Regulations

The financial services industry has a focus on the protection of financial data, including payment card information. Compliance requirements across the industry are complex and can be country specific. The Payment Card Industry Data Security Standards (PCI-DSS) specifically covers the handling and management of payment card data. This act covers all aspects of payment card data handling, from acquiring and transmitting to storing and processing these data. PCI-DSS is based on a process of “access, report, remediate”. It is about understanding your IT assets and processes around payment card handling, sorting out any vulnerabilities, and keeping records, as well as submitting compliance reports to the banks and card brands a company is associated with. Financial services companies need to ensure that their services can be PCI-DSS compliant.

The Sarbanes Oxley Act was brought in to protect the public from fraudulent financial transactions by corporations in general. However, it also impacts the financial sector. Its main thrust is around what records to store and for how long. The act specifies security measures that need to be undertaken to protect the stored records.

Payment protection is one area of compliance, but this doesn’t mean there isn’t a requirement to also protect Personally Identifying Information (PII) – see ISO27001 below.

Manufacturing Compliance and Regulations

There are a plethora of regulations covering the manufacturing industry, some being specific to the industry type, e.g. toy manufacture. However, in terms of security, the industry has to cover areas as diverse as data protection, IT safety and security, and health, safety and environmental impact. One of the most prevalent security-based regulatory standards in this industry sector is the ISO27001 series. ISO/IEC 27001:2013 is a generic version of the regulation applied across all industry sectors. It is a regulation designed to establish an information security management system within an organization. The regulation looks at risks across the IT systems of a company, including how IT security is managed, access controls, operations security, and even human resource security. Meeting ISO/IEC 27001:2013 is an intensive process where the company must meet all of the requirements.

Automotive Compliance and Regulations

The automotive industry as a sub-sector of the manufacturing industry has to meet the compliance requirements of that industry. However, areas of automotive also offer financial packages for car purchases, and as such also need to meet various financial regulations, like PCI-DSS.

Transportation has to look to ISO27001 to ensure that customer and supplier information is kept safe, and to make sure their vendor ecosystem is also conforming to the remit of the standard.

The automotive industry has a specific requirement in terms of car safety too. As the automotive industry embraces the IoT and driverless cars, regulations covering those specifics will likely be covered by extensions to existing regulations.

Energy Compliance and Regulations

The North American Electric Reliability Council (NERC) controls the compliance requirements of the utility companies under the banner of energy. NERC specifically looks after the cyber security expectations of the sector, and more recently the impact of cybersecurity on the Smart Grid.

This sector is also covered by the Critical Infrastructure Protection (CIP) standard. Versions run from CIP-002 to CIP-009. A BES Cyber System is the term used in the sector to describe cyber assets that require protection. This includes control units such as SCADA and ICS.

Retail Compliance and Regulations

One of the main regulations overseeing security in the retail sector is PCI-DSS, which controls the handling and management of payment cards. PCI-DSS also covers Point of Sale (POS) transactions. This sector, as a major target for data theft, is also under pressure to protect PII. Retail outlets build online stores requiring accounts to be created that store Personally Identifying Information, such as your name, address and email address. These data need to be protected using standards such as ISO27001.

Many of the standards and regulations have cross-industry application. This makes sense in light of the cross-industry attack vectors, many of which we have explored in each of the six industry sector articles looking at cyber security. Although some of the sectors have specific needs, such as the healthcare industry, all require a strategic approach to ensuring that the often complex compliance requirements can be met. It can take many months to get through the onerous requirements of compliance standards such as ISO27001, but the protection that a well thought through and regulated cyber security strategy can offer is worth it in the long run, especially in light of the enormous efforts made by today’s cyber criminals.

When Digital Identity and Access Management Meets Physical Security

Where does digital security end and tangible, or physical, security begin? In today’s cybersecurity ecosystem, I’d argue that it’s all just security. In fact, if you are handling these domains in discrete silos, your cyber resilience is already taking a hit.

If your identity and access management (IAM) and physical security initiatives are not working as one, your organization may be suffering from unnecessary grief — and increasing risk.

When Physical and Digital Security Became One

Pinpointing exactly when these two previously discrete functions became one is up for discussion, and some may not even agree that they have become one at all. Regardless, it will be hard to envision them as discrete issues for much longer, particularly as the industry pushes the digital transformation envelope.

At the most basic level, IAM is a username/password credentialing system that gives one layer of authentication. Best practices say to have some second or multifactor authentication (MFA) procedure as part of the process. But this is a more basic question: Even if you’re using MFA, ask yourself, with today’s deceptions, has an identity truly been authenticated?

Not exactly, because in the scenario described, we are only authenticating credentials, not identity. Similar to physical identity and access management (PIAM), which unifies your physical and IT security systems, there is something called dynamic identity management, a next-gen solution gaining some support from major industry players that makes an effort to address the identity issue.

To best explain dynamic identity management, think of a mishmash of facial recognition, internet of things (IoT) sensors and monitors, and risk profiling. You walk into your workplace, a facial recognition system verifies your identity and, based on the risk profile assigned to you, you are allowed access to certain areas, both physical and digital, of the enterprise’s assets.

This certainly sounds like a combined solution that addresses both IAM issues and physical security challenges. From a security perspective, this approach looks fantastic.

But it’s also a brewing privacy nightmare.

Where Security Meets Privacy at the Workplace

Employers and employees generally expect some oversight and monitoring of behavior to occur in the workplace. But when the combination of identity and access management and physical security turns into a form of continuous monitoring that captures what time you get up from your desk and which bathroom in the office you’re using, it’s only a matter of time before privacy is violated.

Furthermore, if the security restrictions become too strict, you end up impacting workflow. Can you imagine what hospital operations would look like in the ER if a doctor or nurse were slowed down due to some IoT sensor failing?

With all the new technological innovations happening right now, it’s a short hop, skip and jump from robust security to behavior control in the workplace — something that, paradoxically, can kill the innovation of organizations. Building out your combined solution will always go back to your risk tolerance. The IBM Institute for Business Value (IBV)’s executive report, “Digital Transformation: Creating New Business Models Where Digital Meets Physical,” captures the essence of this security challenge: “The challenge for business is how fast and how far to go on the path to digital transformation.”

Put differently, before an enterprise makes a decision about which digital transformation path it will take, it should have a relatively good sense of what its security posture should look like post-transformation. Not defining the expected end state can create a huge blind spot that will not only impact security posture, but will also impact business operations as a whole. What’s more, you need to ensure your transformation is trusted by your users, otherwise you’re increasing the likelihood of legal challenges and ethical dilemmas coming toward your enterprise.

Don’t Be Afraid of Low Tech

For the reasons outlined above, there’s a case to be made for some more “archaic” solutions. These include sound human intelligence, situational awareness, and good old-fashioned holistic assessments and education campaigns. For all the gadgetry you integrate into your enterprise, at least in 2019, there is no replacing the gut instinct and human innovation. After all, it is human innovation — albeit sometimes with technical assistance — that circumvents security measures.

The “human touch” needs to be a critical part of identity and access management and physical security systems. The human is where these two issues meet, and trying to move all human security interaction to something more passive will ultimately raise your risk profile, not lower it.

Which is better positioned to see if something is amiss: an IoT sensor, or an employee who knows Johnny shouldn’t be in that part of the building? These are the small vulnerabilities we need to be sensitive to, because for all the wonder and benefit that things like artificial intelligence bring to cybersecurity, we still want to ensure that we are using this great technology as a tool and not a crutch.

Looking further into the future, as you consider which digital transformation strategy will best meet your security needs, remember that there is a technological wildcard waiting to play in the big leagues: quantum computing. Quantum computing has the capability to obliterate credentialing systems as we know them today. We’re not dealing with apples-to-oranges comparisons here — it’s more like apples to locomotives. When quantum computing takes hold, we will not be talking about digital transformation anymore, but instead, quantum transformation.

Key Digital Transformation Takeaways

Because there is so much going on in this space today, it’s worth summarizing some key takeaways.

First, identity and access management and physical security tasks need to be dealt with as one joint task, not two separate ones. Treating them as separate may be a sign that your teams are not aligned internally.

Second, next-gen identity and access management systems, such as those that integrate biometrics and IoT sensors, have incredible potential, but also come with intangible concerns, such as privacy issues. These issues need to be addressed concurrently as part of any digital transformation effort.

Third, before any digital transformation undertaking, make sure you know what the end state is supposed to look like. Not only might you be building more risk and fragility into your system than you bargained for, but new technologies on the horizon may completely alter the expected return on your investment.

Lastly, don’t overlook the human component when facing the digital/physical security challenge. Humans are the glue that connect these two realms — and a critical part of successful digital transformation.

Original post is from Security Intelligence

Businesses have never been more at risk of data breaches

A recent report by DLA Piper found that European companies suffered 60,000 data breaches in the 8 months following the GDPR laws coming into force, equating to one every 5 minutes. Ransomware attacks are also growing by more than 350% annually, while 70% of businesses felt that their security risk increased significantly as recently as 2017.

The reports certainly seem to be reflected in the media, with Microsoft, Facebook and even home improvement retailer B&Q reporting data breaches in recent months. Both Microsoft and Facebook suffered sophisticated hacks, yet B&Q’s records of store thieves were made public simply because the information was stored on open source search engine technology that had not been set up to require user-ID authentication.

This reflects an often overlooked truth about data breaches; although cyber attacks receive more attention in the press, it is more often human error or simple negligence that results in data breaches.

The Information Commissioner’s Office revealed in their yearly financial report for 2017/18 that 4 of the 5 leading causes of data breaches could be attributed to human error.

  1. Data sent by email to incorrect recipient
  2. Data posted/faxed to incorrect recipient
  3. Loss/theft of paperwork
  4. Failure to redact data

Human beings are inherently flawed, and the mistakes of an individual can jeopardise the entire business. Indeed, the notorious Equifax breach of 2017, which leaked the personal data of nearly 146 million Americans, was reportedly due to one employee repeatedly failing to implement software updates that would have prevented the breach.

Given the fact that a company’s employees can often be the weak link in its data security strategy, it is imperative that company directors understand which areas of the business are the most liable to cause a data breach.

1.    Remote Workers

One type of employee that risks putting the wider business at risk is the remote worker. Telecommuting is an increasingly common working arrangement whereby employees are occasionally permitted to work from home, which has led to around 70% of people globally working remotely at least one day a week.

However, remote work carries additional security risks. An employee working with a company laptop in a coffee shop might be using a Wifi network that is not secure, allowing even basic hackers to gain access to private company data. Additionally, few employees can avoid using paper files and these confidential documents can quickly become lost or stolen in public places.

Employers should therefore clearly outline their remote employees’ responsibilities regarding confidentiality and data protection. They must also establish device security policies that remove the scope for costly mistakes, such as by specifying that all file downloads should be work-related. Other advisable policies include implementing device monitoring, rigorous password protection and asking that devices and files are only used in specific locations with secure Wifi networks.

2.    Administration department

Another vulnerable area of any business is the administration department. Responsible for a business’ financial planning, record keeping and logistics, an administrator is often the backbone of an organisation. An administrator’s role is therefore crucial for avoiding a data breach: if any of their responsibilities are performed incorrectly, sensitive data could quickly be obtained by malicious third parties.

With so many documents moving through the admin department every day, sensitive information found on meeting notes, tax forms and financial reports can become lost or stolen if an effective process is not in place. A prerequisite should therefore be establishing a clean desk policy in the office, whereby all employees are required to declutter their workspaces at the end of each day.

By implementing this rule, administrators will find it far easier to store and destroy sensitive documents. Any data that is still used and found in hard copy should be locked in storage cabinets overnight, with the most important files being stored off-site at a secure information management facility. Furthermore, documents that are no longer needed should be shredded immediately rather than thrown in waste bins, where they can be found and potentially used as blackmail or for fraudulent purposes.

3.    Complacent managers

Complacency is perhaps the most common reason for a data breach, and higher-level managers who fail to promote data security best practices pose the greatest risk. Managers are responsible for setting the standard in cybersecurity, but if they become complacent in implementing security awareness programmes their employees may begin to also forget their training.

Poor password management, opening suspect emails and leaving computers unlocked are all practices that creep into a business’ culture if an example is not set at the top. Not only should managers regularly encourage their staff to change their passwords and lock their devices, but they should also arrange for external training to be made available for all staff.

For example, managers should invest in up-to-date e-learning training sessions for both online and offline security, as well as invite IT experts to teach employees about common hacking risks and how they should respond to a successful data breach.

Key Takeaways

The rising threat of cyber attacks is undeniable, and companies of all shapes and sizes should ensure preparations are made to deal with direct attacks. However, businesses cannot afford to neglect the cost of mistakes made by staff and any budget set aside for cybersecurity should include resources for comprehensive training and secure document storage and disposal. Only then can the risk of human error be minimised.

This post originates from technative.io.

Top Privileged Access Management Use Cases

Privileged Access is everywhere. Privileged accounts can be found in every networked device, database, application, and server on-premises and in the cloud. Privileged users have the “keys to the kingdom” and, in the case of a cyberattack or data breach, privileged credentials can be used to cause catastrophic damage to a business. Begin by securing these 6 critical areas with a Privileged Access Management solution. View this infographic to discover where to start.



It is an arguable point, but the retail sector has probably changed more than any other industry area in the last 20 years. This is mostly down to the globalization of retail through online sales, but it is also because of innovation in the area of marketing and consumer loyalty. For example, in 2016 so far, $300 million has been invested into retail technology start-ups. And we love to shop. In 2016, the expected online spend in retail will be $1.67 trillion and this figure is just going to grow and grow through 2020 at least.

The issue that retail has as it expands its business by embracing the Internet as a sales platform is the same as in other industry sectors: it is opening itself to cyber criminals as well as shoppers.

Retail, like many other sectors, is feeling the pinch in terms of costs of cyber attacks. 

Some of the largest breaches to date have occurred in the retail sector including 145 million customer passwords stolen from eBay, 40 million payment cards and 70 million personal account details stolen from Target Corp, and a breach at Home Depot affecting 56 million customer payment cards.

What sorts of cyber crimes affect the retail sector?

According to the Verizon Data Breach Investigations Report 2016, retail saw the greatest cyber threats in the following three main areas:

●      Web app attacks: This is where a web application is targeted. Usually the vectors used are phishing of administration credentials, or exploiting software vulnerabilities then installing backdoor malware to slowly exfiltrate data. DDOS is also included in web app attacks.

●      Point of Sale (POS) attacks: These are remote attacks on POS services. Key logging malware seems to be the main vector of this attack. This type of cyber threat is being targeted against retailers of all sizes because of the Internet enablement of POS assets.

●      Payment card skimmers: In this type of attack, the POS device has to be physically compromised. Often, organized gangs carry out this type of crime. It mainly affects bank ATMs, but merchants are still at risk from this.

A particularly interesting finding by Verizon was that “97% of breaches featuring stolen credentials leveraged legitimate partner access”. This implies that retail has a major issue with securing the supply chain and managing the risk of third parties.

What are the specific pain points of retail?

The Retail Cyber Intelligence Sharing Center (R-CISC) has identified a number of areas that make retail stand out in the cyber security risk mitigation stakes. These areas make retail a particular type of target for cybercriminals and include:

●      High turnover of staff. This means that insider threats are more likely.

●      Holding of payment card data which needs to be PCI compliant. This presents issues in dealing with third parties in the supply chain, who also have to be PCI compliant if they in any way manage financial data.

●      Customers are also potential threats. This may be unique in the retail industry where the customer has the potential to commit fraud.

●      Having a widely dispersed attack surface. Many retail outlets have a wide geographic reach in terms of outlets as well as having an online presence.

Retailers have other pressures too that, although not unique to this sector, are a focus of attention. For example, retailers have a number of peak seasons, such as Black Friday, Cyber Monday and Christmas, which are known to be extremely busy times and so a target for fraud and sabotage. Cyber Monday 2015 saw the highest ever sales with $3.19 billion being spent in a single day. Cybercriminals have been targeting websites specifically to cause chaos on very busy days like Cyber Monday, using Distributed Denial of Service (DDoS) attacks which make websites and apps fall over. In 2014 the WordPress shopping cart, Cart66, used by large numbers of retailers to add shopping cart functionality to their site, suffered a massive DDoS attack. Akamai has found that DDoS attacks increased by around 22.5% between 2014 and 2015, with retail being the most popular attack focus for DDoS.

Can retail stop the tidal wave of cybercrime?

Retail analysts eMarketer have predicted that by 2017, over 51% of Americans will make at least one online purchase using a smartphone, accounting for over $75 billion in sales. As retail embraces online purchases, and mobile buying starts to become the normal purchase medium, we can expect to see more mobile-based threats emerge. But mobile threats are now becoming a well-known vector, and e-commerce has an opportunity to nip this one in the bud.

One of the key areas that needs to be dealt with to mitigate web-based and ultimately app-based security threats is hardening the software behind the scenes. This means ensuring that mobile and web app development is done as a secure coding exercise, following the advice of the Open Web Application Security Project (OWASP). Many smaller retailers use third-party apps such as WordPress and associated plug-ins to build their retail sites. Using third parties to build your retail site means that you have to be ultra vigilant, choosing security-aware plugins and apps, and maintaining updates.

One of the weak points of web and mobile app security is authentication. As mentioned earlier, 97% of breaches are from stolen passwords. It’s important that retail makes the hardening of authentication a priority, especially for administrator and privileged access via supply chain vendors. Putting security measures in place for known threats, using security intelligence from the likes of the National Institute of Standards and Technology (NIST) and R-CISC, will change the future retail threat landscape from one of major breaches to a much more controlled environment, making it safe for all of us to shop online.

BYOD Adoption and Mobile Threats Increases, Can Enterprise Data Security Keep Up?

By Sue Poremba | Original post from Securityintelligence.com

While most security professionals have come to embrace — or, at least, accept — bring-your-own-device (BYOD) policies, leadership still often lacks confidence in the data security of employees’ personal phones, tablets, and laptops.

In a recent study from Bitglass, 30 percent of the 400 IT experts surveyed were hesitant to adopt BYOD due to security concerns such as data leakage, shadow IT and unauthorized data access. As the General Data Protection Regulation (GDPR) and other data privacy mandates go into full swing, it’s more important than ever for organizations to monitor and protect enterprise data on mobile devices. However, BYOD may still be the Wild West of network access, especially given the rapid proliferation of new endpoints.

All these moving parts beg the question: Is BYOD security any better today than it was when personal devices first entered the workforce?

Growing Acceptance of Personal Devices in the Enterprise

It wasn’t long ago that corporate leadership balked at the idea of their employees using personal devices for work. While workers had been using their personal computers and laptops to access company networks, it wasn’t until smartphones and digital tablets were introduced that the concept of BYOD caught on. Security for these devices wasn’t very mature back then, and IT and security decision-makers had well-founded concerns.

Over the past decade, of course, phones have evolved into personal hand-held computers. According to Comscore, only 17 percent of consumers were using smartphones in 2009, compared to 81 percent in 2016. That irreversible trend, along with the rise of the internet of things (IoT) and wearable devices, linked personal technology inextricably with enterprise networks.

Employees believe they are more productive and efficient when using not only their device of choice but also their preferred software and apps. Apparently, leadership agrees: The same Bitglass study found that 85 percent of companies now allow not only employees, but even contractors, customers and suppliers to access enterprise data from their personal devices. Despite this shift, more than half of those surveyed believe mobile threats have gotten worse.

Mobile Threats Are Rising, but Security Hasn’t Changed Much

Given the ubiquity and relative insecurity of mobile devices in the workplace, it’s no surprise that criminals are targeting them. Threat actors can gain access to both corporate data and personal data from one easy-to-breach device. Basic mobile security protections, such as remote wiping and mobile device management tools, are deployed in just over half of the organizations surveyed by Bitglass. In addition, many security teams lack visibility into apps used on personal devices.

Most threat actors who attack mobile devices are after passwords, according to mobile security expert Karen Scarfone, as quoted by Wired.

“A lot of email passwords still go back and forth in the clear,” she said. “That’s a big problem.”

Passwords remain the keys to the data castle, and they are largely unencrypted and unprotected on mobile devices. This, coupled with the password reuse epidemic, means that threat actors can gain virtually unlimited access to corporate networks through personal devices.

Clearly, there’s plenty of room for improvement when it comes to mobile security. A U.S. Department of Homeland Security (DHS) study mandated by the Cybersecurity Act of 2015 found that while the federal government’s use of mobile technology is improving, “many communication paths remain unprotected and leave the overall ecosystem vulnerable to attacks.”

Similar security holes exist in the private sector. According to SyncDog, mobile devices are the most dangerous point of intrusion to corporate networks. In large enterprises in particular, “mobile devices are looked at as toys with games on them, and protecting them comes last in line to application management, network security, mainframes and other larger IT concerns.”

BYOD Security Starts With Smart Policies

How can chief information security officers (CISOs) and IT leaders ensure that employees use their personal devices in a smart, secure way? First, determine whether the employee needs to use personal devices for work at all. If there are jobs within the organization that don’t require regular access to networks, or if employees are working remotely, these users should not be allowed to participate in a BYOD program because their devices are neither authorized nor consistently monitored.

Second, employees should be required — or, at least, highly encouraged — to update their device software, especially operating systems and any security software. Consider requiring all employees who use personal devices to install corporate security software and use the company’s security protocols if they are connecting to enterprise networks.

Third, communicate BYOD policies to employees and implement effective measures to enforce them. Policies should include the most basic data security best practices, such as implementing multifactor authentication (MFA), creating strong and unique passwords, using virtual private networks (VPNs) over public WiFi, and locking devices with biometric controls. In addition to protecting enterprise networks, these steps will help secure employees’ personal data on devices. But remember, a policy is useless if you don’t enforce it. People will break the rules if they know there are no consequences to pay.

When it comes to worker productivity, the embrace of BYOD has been a good thing for businesses. But in a world where cyberthreats loom large and data loss could result in huge fines and reputational damage, enterprises need to prioritize the security of their critical assets — and that of the thousands of endpoints that access them.

To learn more, read the IBM white paper, “The Ten Rules of Bring Your Own Device (BYOD).”
