Category: All

Compliance: It’s necessary but it doesn’t mean you are secure

Any organization that functions under the guidelines and requirements of an industry that requires ‘compliance’, is aware of the challenges that must be met and the ‘hoops’ that must be jumped through for accommodation. Beyond just the intense proof that your system and data is being stored in the required secure method, there are often intense processes that must be met for continual auditing. But even with all of these protocols in place and the vast amount of experienced professionals required to reinforce the process, circumstances still exist that can wreak havoc and demonstrate that you are not as secure as you might think.

For example: Whenever there is human intervention, there is a possibility for error. In the world of compliance, whether FERC, NERC, HIPAA or other government regulated scenarios, people are usually the main reason for lowered system security. You might ask how such well-planned and executed systems could possibly allow something as simple as human intervention to cause such problems. The answer goes beyond just the lack of keeping security software updated and enters into the realm of negligence.

A BakerHoestler Privacy and Data Protection Team study was released on the number of data security incidents in 2014. The report showed that 36% of the situations were a direct result of negligence by employees and identifying the situations took an average time lapse of 134 days from the occurrence. These situations resulted in the leak of proprietary information regarding patient medical data and resulted in a variety of scenarios from notification to litigation.

While cloud storage remains the most secure method of storing information, much of this data is shared with API situations and not all ‘partner vendors’ may be secure. From email malware to human error input by selecting the wrong ‘field’ to upload, the methods of exposing both the security of a system as well as the data itself crosses a broad spectrum of opportunities.

The complicated world of compliance requires a focus on trying to ensure that the data and information itself is maintained in a strict environment, but often forgoes the small ways that a breach can actually occur. Such situations as employee training to avoid methods of intrusion, as well as recognition and actions when a system breach occurs, can not only allow a break in the security but create a situation where lack of discovery creates a bigger situation.

Remote access to information, even on those systems that have focused on their security has opened the doors to potential security hazards. It’s not enough to simply have a high-level password and encryption, but also requires the validation of the technology devices themselves. Cybercriminals are aware of these tactics and take every advantage with sophisticated viruses and programs designed to infiltrate.

Strict compliance standards have typically not included the focus on potential breaches due to human error. They have been established to concentrate on the methodology of storage and transmission, but not in the small ways that people can affect those processes. All organizations that are involved in a line of business that has serious compliance requirements must add this element into their security practices.

The times they are changing: ‘How cybercrime is hitting the smaller company’

You can’t help but notice all the recent news events on hacked identities and financial information stolen by cybercriminals; News about some major company being breached and millions of customer credit card details stolen. These breaches seem to be more regular and it’s true, they are. The latest research by Price Waterhouse Cooper (PWC) in their Global State of Information Security Survey shows that there were 42.8 million cybersecurity incidents in 2014, an increase of 48% from the previous year.

As a smaller business, it’s easy to brush cyber threats off as being a problem for the ‘big boys’. That was certainly the case, 10 years ago, but not now. Now cybercriminals are turning their bready eyes on you – the small business.

Analysis of the situation has borne this out. A number of analysts and companies have quantified the threat to smaller organizations from cybercrime. A report by Verizon found that almost 62% of breaches were against SMB’s. And according to IBM and the Ponemon Institute, smaller companies feel the pain of a breach more too, with a higher per capita cost than an enterprise. 

It seems that cybercriminals want to expand their portfolio and they are doing it at the cost of the smaller organization. In the security report by PWC mentioned above they describe the situation like this:

“Small firms often consider themselves too insignificant to attract threat actors—a dangerous misperception.”

Why are Smaller Companies a Target?

There are three main reasons why cybercriminals are targeting the SMB:

1.     You seem like easy prey. Smaller organizations don’t have the time, money or internal knowledge base to cope with cyber threats

2.     You are often part of a bigger chain. Cybercriminals are targeting smaller organizations as a way of getting at the ‘big boys’ through the supply chain

3.     It is becoming easier to hack. Malware can be bought, sometimes for a few dollars from the dark web. Legitimate devices used by penetration testers can be bought for less than $100 and can be used to intercept internet traffic and steal login credentials.

Types of SMB Focused Cyber Threats

Let’s look at some of the ways that smaller companies are being targeted.

Phishing emails: Phishing and its partner in crime, spear phishing, is the weapon of choice for infecting a small company with malware. Phishing emails are emails that look like they’ve come in from a legitimate company like PayPal or Amazon and they ask you to click on a link. The link takes you to a site that looks just like the real one. There, you are asked to log in. If you do, the phisher takes your login credentials and hey presto can now access your real account.

Phishing is quite widely understood, but its counterpart, spear phishing is more sinister and is on the rise as a means of attack against the smaller business. It originally was the preserve of large enterprises such as Microsoft who suffered at the hands of spear phishers. But a 2015 report by Symantec on the levels of spear-phishing experienced by different size companies has shown that firms with 1-250 employees suffer spear-phishing attacks almost as much as those with 2500+ employees, seeing 31.5% and 37.6% of spear-phishing attacks respectively.

A spear-phishing email is targeted. They find a company, pick a high-level employee, typically a business owner, director, or IT administrator and send out a phishing email to that person. The email will be highly personalized; it will use their name and often masquerade as an internal email, perhaps from a superior, asking the user to login to the network. The type of person they target will invariably have privileged access to their company resources. Again, the link in the email will be to a spoof site. Once login credentials are entered the cybercriminal has your login details and can access whatever business resources you can.

Spear phishing emails have been behind some of the largest cyber-breaches in recent years. In many cases the email is sent to a supply chain member – a small vendor who services a much larger company. Often supply chain members are given privileged access to network resources. This was the case in the Target breach, which saw the loss of 70 million personal records. In this breach, a spear phishing email was sent to an HVAC company in the supply chain. Once phished, the login credentials were used to hack Target – I doubt that Target employ that company now.

Business email compromise: Hackers are going after small business bank accounts big time. The FBI began tracking these types of attacks in 2013 and has seen losses of $740 million in the U.S. alone. This type of scam uses social engineering, or computer intrusion techniques, to gain access to the email accounts of senior executives or spoof emails. There are several variants of this attack but all involve some sort of reconnaissance on their targets, which can be small or large companies across all sectors. Sometimes email accounts of executives are hacked, sometimes, it is a phishing email, but the results are a wire transfer to a ‘trusted supplier’ or ‘law firm’ into a hackers account.

Ransomware: one of the most scary and nasty pieces of malware is the infamous ransomware. A variant of this is Cryptowall. Ransomware is a type of malware. If you become infected it will encrypt data on your local machine, network drives and even cloud storage. Once encrypted it then opens a screen on your computer which says if you pay up (usually $500-$1000, but sometimes as much as $10,000) in 7 days, your data will be decrypted. Of course we’re dealing with cybercriminals here so there’s no guarantee decryption will happen. The FBI has said that Cryptowall is the largest ransomware threat to small business. In the 2nd quarter of 2015 Cryptowall extorted $18 million from U.S. businesses.

Data losses: IBM x-Force in conjunction with Ponemon Institute has shown that 2014 was the year of the leaked record. 2014 saw more than 1 billion pieces of Personally Identifiable Information (PII) stolen, up 25% on 2013, which in itself was a record year. Cyber thieves are after data. If you hold customer records, have intellectual property or proprietary information, cybercriminals are after it. There are a number of ways that data can be stolen – phishing emails that grab login credentials, malware that sits and slowly steals data, and insiders, simply stealing information they have access to.

What Can a Small Business Do To Thwart Cybercrime?

There are some basic actions you can take to help mitigate the threats of cybercrime against you, your business and your customer.

1.     Keep software patched. Malware is usually successfully installed because it finds a hole in your software. Make sure you have the latest versions of software such as, operating systems, browsers and Adobe Flash installed. Also check with your web hosting company that web servers and third party plug-ins are secure and patched.

2.     Have robust sign in credentials. If you only have the choice of a username/password, then make sure they are both not easily guessed and are strong. If you have a choice to use second factor, such as a text message pin number, do so, this is especially important for server and website administration access.

3.     Backup critical data. Make sure you have redundancy in your backups too.

4.     Train your employees. About phishing and especially spear phishing; be guarded.

5.     Think about security. Put a strategy in place to handle security threats, incidents and breaches.

6.     Cyber insurance. Look into putting some sort of insurance plan in place.

Small businesses are as much of a target as a large enterprise, but often don’t have the resources to manage cyber threat levels. Being aware of the methods that cybercriminals use to target your company and knowing what you can do to lower those risks, may start to waken the world of cybercrime up and show them that small doesn’t mean an easy target.

Every size business needs to be alert to cybersecurity

Almost every week we hear about one of the large giant corporations that have suffered from a cyberattack. These are the companies that have invested large dollar volume in security and IT staff and a lot of time and effort in trying to keep themselves protected. The main question that always occurs is: “If it can happen to them, what about the small or medium business that doesn’t have their budget?” Cybercriminals are becoming increasingly aware of the fact that proprietary information may be easier to access in the small to medium-sized business arena. If this fits your company profile, it’s time that you sit up, pay attention and take action.

From malware to viruses, criminals are becoming much more sophisticated in the methods for their madness. While the government is on a continual hunt in the ‘dark net’ to find and prosecute those involved in cybercrime, the culprits are working around the globe and locating them takes time.  Their ability to anonymous and elusive while targeting companies to access critical data has been the mainstay of the cybercrime world. Any business that does not have a security strategy in place, combined with staff education on recognizing and emergency actions for a breach, is literally a ‘sitting duck’ for an attack.

The Symantec 2015 ISTR20 Internet Security Threat Report stated, “Almost no company, whether large or small, is immune. Five out of every six large companies (2,500+ employees) were targeted with spear-phishing attacks in 2014, a 40 percent increase over the previous year. Small- and medium-sized businesses also saw an uptick, with attacks increasing 26 percent and 30 percent, respectively.”

There is also an evolution in cybercrime. The number of email attacks seems to be reducing, but attacks on an unprotected or barely protected company system are fair game for these criminals. Their ability to send more sophisticated inquiries to test and try out the security levels are also combined as multiple attacks on the mobile and website fronts. Any access point that they can locate is an entrance for a virus, malware of full-on system takeover.

In the same Symantec report, they included: Attackers Are Streamlining and Upgrading Their Techniques, While Companies Struggle to Fight Old Tactics

In 2014, attackers continued to breach networks with highly targeted spear-phishing attacks, which increased eight percent overall. They notably used less effort than the previous year, deploying 14 percent less email towards 20 percent fewer targets. Attackers also perfected watering hole attacks, making each attack more selective by infecting legitimate websites, monitoring site visitors and targeting only the companies they wanted to attack.

Further complicating companies’ ability to defend themselves was the appearance of “Trojanized” software updates. Attackers identified common software programs used by target organizations, hid their malware inside software updates for those programs, and then waited patiently for their targets to download and install that software—in effect, leading companies to infect themselves. Last year, 60 percent of all targeted attacks struck small- and medium-sized organizations. These organizations often have fewer resources to invest in security, and many are still not adopting basic best practices like blocking executable files and screensaver email attachments. This puts not only the businesses but also their business partners, at higher risk.

The picture that is painted isn’t all doom and gloom. There are strategies that can be put in place to assist in protecting your proprietary company information as well as that of your customers. Many small to medium-sized businesses find themselves in the position where they have either not sufficiently prepared for an attack, have allowed software updates to lapse, or lack the trained staff or personnel to take emergency action. In these situations, a cyberattack could occur and not be discovered for many months.

Protection of your business reputation and data is the key element. Coordinating efforts with a professional company that can work with your company for an overall strategy is the best method to combat against a breach. Educating staff as well as having a set of emergency actions in place can help to maintain your system integrity. 

Breaches happen and they could come from you friends…

You take pride in your company and have spent years building up your products, services, and reputation. However, one of the weak spots that occur in many small to medium businesses is the “it won’t happen to us” syndrome. When it comes to security breaches and cyberattacks, many smaller companies assume that the criminals are looking for the ‘big fish’ and that they won’t come after you. This assumption is incorrect, as the attacks on smaller businesses are on the increase and these wily and crafty people look to any access method, including and unknowingly through your own partner vendors.

In a 2014 Sans Whitepaper, sponsored by the security company, Symantec, they pointed out the importance of Know What You Have:

Being prepared to detect and respond to attacks and attempted attacks starts with knowing your environment, no matter how complex, as described in the first two Critical Security Controls. Getting full visibility into your environment is not as easy as it sounds. Automated tools such as Nmap provide some visibility into devices, systems and users on the network, but they may fail to recognize other entry points such as: Wi-Fi networks, virtual server instances, rogue web applications with access to the data center, printers or other devices with network access.”

While this may sound a bit like paranoia, in today’s business world, the top security companies advise you and your company to be paranoid, suspect everything and be diligent in having the right security in place. One of the critical elements that small and medium-sized organizations take for granted is the trust that they place in their partner vendors. Even when both of your IT staff members have talked things out and may be convinced that you are both safe in sharing or transmitting data, there is always a possibility for error.

A typical data exchange through an API may seem like it is safe enough. After all, there is a level of encryption in place and the proprietary or even customer data should be secure. However, if a cyber hacker has inserted malware and your partner is infected, the malware can be hidden and then transmitted to your company and potentially into your server. The ‘infection’ can happen so quickly and with very few symptoms that even trained IT professionals don’t discover the damage for long periods of time.

The more recent types of attacks in the last few years have been ‘ransomware’ that appears as though it is arriving from a valid email address and could be emulating one of your business partners. Once opened, there is an attachment that immediately takes over the computer, seeks out access to the network and encrypts all of the important files. The user then sees a display on their screen that alerts them to the fact that they cannot have access or the de-encryption ‘key’ until a specified amount of money is paid. (Usually Bitcoin, but some are now choosing PayPal cards).

Small to medium companies don’t have the budget to devote to the high-end requirements of top IT staff or to the type of monitoring and protection that is crucial in protecting your information as well as your reputation. But in this changing world of cybercrime, the answer is in aligning yourself with a professional company that can come in, work with your existing staff, accomplish a system analysis, makes recommendations to assist in the protection that you need and educates everyone on what to look out for. This is a company that stays on top of the constantly evolving requirements that are needed to keep your business safe. Choosing a professional security organization will allow you to focus on your success without the need for hiring additional IT employees. 

SecurIT receives highest partner level in CyberArk’s new Partner Program

CyberArk has introduced a new Partner Program focused on a competency-based model that enables increased opportunities to grow. The new program is comprised of three tiers (Advanced, certified, and Authorized), and SecurIT is proud to receive the highest partner level “Advanced“. SecurIT is one of the few companies in The Netherlands with “advanced” status.

The demand for Privileged Access Security and Privileged Account Management solutions are driving the need for a more knowledgeable and skilled partner community to help CyberArk address customers’ most critical security business challenges. To address this demand, they have shifted their program to a competency-based model so that both CyberArk and their partners are in a better position to ensure customer success through increased certification and training.

Moreover, the CyberArk Partner Network recognizes partners that have invested time and resources in developing significant expertise in CyberArk security products and solutions by providing preferred benefits and increased revenue opportunities for those advanced partners.

Certifications for Partners

Partner tiers within the CyberArk Partner Network (Authorized, Certified, and Advanced) are determined by the number of certifications obtained by an organization. CyberArk maintains dedicated learning paths for sales, pre-sales, and delivery engineers to align with the competency requirements of the CyberArk Partner Network.

CyberArk certification enables SecurIT to:
– Build our knowledge and skillset with the industry’s leading privileged account security solution
– Validate our proficiency to secure against harmful and costly cyber-attacks
– Demonstrate our security expertise and position ourselves as a valuable asset to today’s security-challenged organizations
– Establish our team as professionals on the leading edge of one of today’s greatest business challenges – securing and protecting high-value information assets, infrastructure, and applications
– Affirm our ability to implement innovative cyber threat solutions to global organizations deploying CyberArk Privileged Access Security technology

The CyberArk Partner Network allows for global consistency, program scalability, and continued partner profitability with increased focus and emphasis on competency-based requirements and associated benefits. In return, partners gain access to an escalating array of resources and support to build their business with CyberArk:
• Technical and Sales Training
• Business Development Tools
• Technical Support
• Sales and Marketing Resouce

Compliance across industry cybersecurity compliance requirements by industry – Series

Each sector has its own cybersecurity pain points, and there is, of course, much overlap as well. Phishing is especially an issue across all industry sectors, likely because it taps into our behavior, and because of that it is very successful as an attack vector. To attempt to counter the onslaught of cyber threats against our nation’s industries, each sector has in place measures of compliance and regulations, with elements of security and privacy requirements specifically dealt with. In this final, round-up article, we’ll be looking at the compliance expectations of each sector, and how those guidelines should fit in with any industry sector security strategy.

Healthcare Compliance and Regulations

Healthcare is a data-rich industry sector and as such has some extensive security regulations to adhere to. The main body of regulations used within this sector is the Health Insurance Portability and Accountability Act (HIPPA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).

HIPPA was introduced in 1996 and the HIPPA Privacy Rule covers the security of Personal Health Information (PHI). PHI is has a very wide scope. It includes all personal information, such as name address and so on, but it also includes medical records and even DNA. HIPPA specifically regulates how PHI is handled, i.e. used and disclosed. It is meant, however, to get the balance between security and usability of PHI right; it is important to keep health data flowing and available for improved health care. The Privacy Rule covers health plans, healthcare providers, and health care clearinghouses. Importantly, it also covers ‘business associates’. This means that the extended ecosystem of third-party vendors used by health care also needs to be HIPPA compliant. Essentially any healthcare CIO is responsible for ensuring that third-party vendors take due care of any PHI that comes under their remit.

HITECH was introduced in 2009 as a way of encouraging the use of Electronic Health Records (EHR). HITECH is a separate law to HIPPA but they work in symbiosis. HITECH, for example, has set fines for non-compliance of HIPPA security regulations.

The HIPPA Omnibus rule, introduced in 2013, strengthens the main security requirements of HIPPA and sets the expectations of the breach notification rule to cover any breach of over 500 individuals. The breach must be reported to the U.S. Department of Health and Social Services, and the details made publically accessible.

Financial Services Compliance and Regulations

The financial services industry has a focus on the protection of financial data, including payment card information. Compliance requirements across the industry are complex and can be country-specific. The Payment Card Industry Data Security Standards (PCI-DSS) specifically covers the handling and management of payment card data. This act covers all aspects of payment card data handling, from acquiring, transmitting, storing and processing these data. PCI-DSS is based on a process of, “access, report, remediate. It is about understanding your IT assets and processes around payment card handling, sorting out any vulnerabilities, and keeping records, as well as submitting compliance reports to the banks and card brands a company is associated with. Financial services companies need to ensure that their services can be PCI-DSS compliant.

The Sarbanes Oxley Act was brought in to protect the public from fraudulent financial transactions by corporations in general. However, it also impacts the financial sector. Its main thrust is around what records to store and for how long. The act specifies security measures that need to be undertaken to protect the stored records.

Payment protection is one area of compliance, but this doesn’t mean there isn’t a requirement to also protect Personally-Identifying Information (PII) – see ISO27001 below.

Manufacturing Compliance and Regulations

There are a plethora of regulations covering the manufacturing industry, some being specific to the industry type, e.g. toy manufacture. However, in terms of security, the industry has to cover areas as diverse as data protection, IT safety and security, to health, safety, and environmental impact. One of the most prevalent security-based regulatory standards in this industry sector is the ISO27001 series. ISO/IEC 27001:2013 is a generic version of the regulation applied across all industry sectors. It is a regulation designed to establish an information security management system within an organization. The regulation looks at risks across the IT systems of a company, including how IT security is managed, access controls, operations security, and even human resource security. Meeting ISO/IEC 27001:2013 is an intensive process where the company must meet all of the requirements.

Automotive Compliance and Regulations

The automotive industry as a sub-sector of the manufacturing industry has to meet the compliance requirements of that industry. However, areas of automotive also offer financial packages for car purchases, and as such also need to meet various financial regulations, like PCI-DSS.

Transportation has to look to ISO27001 to ensure that customer and supplier information is kept safe, and to make sure their vendor ecosystem is also conforming to the remit of the standard.

The automotive industry has a specific requirement in terms of car safety too. As the automotive industry embraces the IoT and driverless cars, regulations covering those specifics will likely be covered by extensions to existing regulations.

Energy Compliance and Regulations

The North American Electric Reliability Council (NERC) controls the compliance requirements of the utility companies under the banner of energy. NERC specifically looks after the cybersecurity expectations of the sector, and more recently the impact of cybersecurity on the Smart Grid.

This sector is also covered by the Critical Infrastructure Protection (CIP) standard. Versions run from CIP-002 to CIP-009. A BES Cyber System is the term used in the sector to describe cyber assets that require protection. This includes control units such as SCADA and ICS.

Retail Compliance and Regulations

One of the main regulations overseeing security in the retail sector is PCI-DSS in controlling the handling and management of payment cards. PCI-DSS also covers Point of Sale (POS) transactions. This sector, as a major target for data theft, so is also under pressure to protect PII. Retail outlets build online stores requiring accounts to be created that store Personally-Identifying Information, such as your name, address and email address. These data need to be protected using standards such as ISO27001.

Many of the standards and regulations have cross-industry application. This makes sense in light of the cross-industry attack vectors, many of which we have explored in each of the six industry sector articles looking at cybersecurity. Although some of the sectors have specific needs, such as the healthcare industry, all require a strategic approach to ensuring that the often complex compliance requirements can be met. It can take many months to get through the onerous requirements of compliance standards such as ISO27001, but the protection that a well thought through and regulated cybersecurity strategy can offer, is worth it in the long run, especially in light of the enormous efforts made by today’s cybercriminals.

All The PXI’s (PCI/PII/PHI): Putting the P Back In Protection of the Enterprise

You may have noticed in the technology world that we use acronyms a lot. It’s a bit of a running joke in the industry in fact. However, the acronyms we are going to discuss today are no joke and are some of the most important ones in the world of cybersecurity. The acronyms up for discussion today, I am calling ‘all the PXI’s”, and they cover a wide gamut of security issues that cut across compliance and the supply chain. You will notice that across the PXI’s there is a real feeling that protection of data, in whatever form, needs to be carried out across the entire ecosystem of business partners and suppliers.

The Financial Sector and PCI

PCI stands for Payment Card Industry, and it is the acronym half of the well-known compliance standard PCI-DSS or Payment Card Industry Data Security Standard. The standard is a framework or a set of guidelines that define the types of security required to ensure that payments are secured. Any organization, from a small local shop, to a multinational bank, has to conform to the measures set out in PCI-DSS when protecting payment card information. This means taking responsibility to ensure that financial data is protected when it is accepted, transferred, stored and processed.

The major payment card vendors oversee PCI-DSS. It is broken down into six main goals that need to be achieved at varying levels to conform to PCI-DSS requirements. Which level you need to achieve depends on the volume and type of transactions you perform. Just to make it even more complicated, each card vendor has its own variation on a level. WorldPay has a set of guidelines for merchants that helps them to establish which level they need to reach. The six requirement goals cover the following:

1.     Don’t store any authentication data from a customer (such as a PIN number).

2.     Control system and network access and protect cardholder information.

3.     Any payment card applications need to be secured.

4.     Monitor system access.

5.     If you do have to store payment card information, protect it.

6.     Pull all compliance efforts together and make sure security policies are in place.

In April of this year, PCI-DSS released a new version, 3.2.  This version was released to bring PCI-DSS up to date in terms of the new threats from mobile and Cloud computing. Version 3.2 also has a number of supply chain-related requirements, such as:

 “12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use”

The action above is likely to have come as a direct result of breaches like Target Corp where a third party vendor was phished with the result of Target’s core network being accessible by cybercriminals.

Following on from the ethos inherent in V3.2 of PCI-DSS, there is a strong push towards the ‘shared responsibility’ in protecting the payment card data of customers across the supply chain, and with business associates.

Healthcare and PHI

PHI stands for Protected Health Information and it is one of the most sought after blobs of data that a cybercriminal has in their sights. PHI comprises a multitude of information. PHI is defined by the Health Insurance Portability and Accountability Act(HIPPA) and is made up of any data that can be used to associate a person’s identity with their health care. A full list of the 18 identifiers that make up PHI, can be seen here. PHI is a valuable asset and sold on the dark web for more money than any other data set, according to Ponemon Institute. In terms of the protection of PHI, HIPPA and the related Health Information Technology for Economic and Clinical Health Act (HITECH) – brought in to enable electronic medical records (EMR), offer the guidelines for the protection of PHI. Within HIPPA is the ‘privacy rule’ and the subsets, ‘security rule’, ‘enforcement rule’ and ‘breach notification rule’ all of which deal with various aspects of the protection of PHI. This section of HIPPA gives general guidance as to what steps to take to implement a protection policy for PHI and in particular electronic PHI (ePHI). The security section is made up of three main parts:

1.     Technical safeguards: The security rule goes through all of the likely areas that need to be addressed to ensure PHI protection. This includes authentication and access control, the integrity of data, and transmission security (encryption)

2.     Physical safeguards: Such as workstation security, removable media protection, and facility access control.

3.     Administrative safeguards: Having a policy in place to cover processes and procedures. This section also looks at security awareness training.

The protection of PHI has become a serious matter. Recent years have seen major PHI breaches, with 112 million records being stolen in 2015, and 2016 looks likely to exceed that. U.S. Department of Health and Human Services Office for Civil Rights (OCR) has suggested that as many as 40% of these breaches have been associated with third-party vendors. To counter this, recent changes to the twin acts HITECH and HIPPA have been implemented to extend the reach of the acts to associated businesses. The HIPAA Omnibus rule has come into play to ensure that any company that touches, at any time, a PHI record must comply with the same regulations as the main organization.

Every Industry and PII

PII stands for Personally-Identifying Information, and it ultimately impacts all organizations, of all sizes and types. Both PHI and PCI can be seen as special cases of PII. As far as cyber criminals are concerned, PII is the golden chalice. PII is any information that can be used to identify a person; For example, your name, address, date of birth, social security number and so on. Once you have a set of PII, not only can you sell it on the dark web, but you can also use it to carry out other attacks. This was exemplified perfectly in the attacks on the Office of Personnel Management, and the Anthem breach of 2015. Here multiple millions of PII data was stolen and then used to perpetrate further attacks on organizations such as the IRS.

The protection of PII is something that every industry must address and have security policies and strategies in place to mitigate the risk to PII. The National Institute of Standards and Technology (NIST) has a series of guidelines, which help to steer your security policy on PII protection. The NIST “Guide to CyberThreat Information Sharing“ focuses in on the benefits of using a shared intelligence approach to information security. The guide states that:

“Through the exchange of cyber threat information with other sharing community participants, organizations can leverage the collective knowledge, experience, and capabilities of a sharing community to gain a more complete understanding of the threats they may face.”

This is an important consideration in light of findings from a Ponemon Institute report “Data Risk in the Third-Party Ecosystem” which points out that 49% of respondents had a breach of sensitive data caused by one of their vendors.  If you don’t extend your security policies across your supply chain, then you are at a major risk from the extended ecosystem.

All the PXI’s are at risk from cyber threats. They are each valuable in their own right and in the wrong hands can be used to perpetrate crimes, over and over. We as organizations are compelled by law and ethics to protect the information of our customers. It is a mutually beneficial action. In protecting our customers’ data, we, in turn, protect our reputation and our bottom line. But we cannot do this alone. The extended supply chain needs to be brought under the umbrella of compliance and information protection, not only because the laws themselves are mandating it, but because working together will give the type of holistic, far-reaching protection that we need, to fight the ever-present danger of cybercrime.

Digital identity: The final frontier?

Identity and access management (IAM) has come a long way in the last ten years. Where once it was confined to the internal network of the enterprise, now it has broken free of those chains, and is out in the wild. The reasons for this are many, including changes in working habits, like BYOD, and the extension of the enterprise network outwards into the Cloud so that it effectively no longer exists. Also, closer working relationships with third parties, such as contractors and vendors have had an effect. All these changes have contributed to the evolution of IAM from an enterprise-only luxury, to a system that is used by everyone, across consumer and company boundaries.

Digital identity and it’s cousin, IAM are also changing the face of cyber security and how we deal with security threats. Online identity is a fuzzy concept, but more often than not, it’s being used as the method of identifying a person and assigning privileged access rights. The initial touch point of a breach is often via a social engineering attack that steals login credentials associated with a user’s digital identity login. The two concepts, online identity, and IAM are becoming more and more intrinsically linked as our online lives outside of work, and our access rights inside work, merge.

Digital identity: The Future is Now

Gartner is predicting that by 2019, third party provided identity services (IDaaS) will account for 40% of enterprise ID systems, replacing traditional IAM. What this means is that dedicated identity providers (IdP’s or identity platforms) will offer hosting and identity management services that will allow on boarding of employees. These systems offer a wider scope of identification services than traditional IAM, and can handle a wider set of use cases than internal identity systems, whilst still utilizing existing directory structures, like LDAP or Active Directory. IDaaS has the potential to create ‘hybrid identities’ where a mix of a consumer identity, verified by services such as credit file agencies or even social network participation, are combined with business identifiers. This idea of a hybrid identity, straddling all aspects of our personal and work life is a powerful concept and one driving changes in the IAM and general digital identity industry.

Identity and Security: Co-dependent Species

We’ve seen in the past few years a number of cyber attacks that have presented as a credential management issue. For example, the infamous Target Corp breach of 2013/2014, originated from a phishing exposure of third-party administrator credentials; the hackers using these to access customer accounts. Issues such as these will escalate as IAM and IDaaS systems are used in a more distributed manner, across companies, services, and systems. Ensuring that the right level of security is applied, at the right juncture, whilst retaining the usability needed for mass usage of identity and associated login, is a fine balancing act. One area that is being mixed into identity management is adaptive authentication, whereby user credentials are linked to a risk based policy or rule set. Here, a user can utilize the same identity as a consumer and as a business user, but the use of that identity and their associated login is controlled by rules. For example, if the user is accessing a company resource from outside the company geography or IP address, then they will need to enter a second factor such as a mobile app based code to gain access. Single Sign On (SSO) is used effectively with adaptive settings to ‘up the ante’ in login expectations based on a variety of rules, whilst retaining the usability afforded by SSO. This type of adaptive setting is now being expanded to IDaaS platforms where you want to create a hybrid identity, made up from a consumer profile, coupled with a business profile. This is being exemplified in the verification of the individual. Verification within an enterprise is often done using the company’s rules of on boarding of an employee. Verification outside of a company is much less controlled, but there are systems that can add levels of assurance that the individual is, who they say they are, and these types of verification services are starting to become de rigueur in modern IDaaS platforms.

Government Driving Identity Innovation

A number of governments, including the USA and UK are working on making online citizen identity a reality. In the UK, the government Verify initiative is taking the ideas of identity verification, fraud handling, and second factor authentication, and wrapping them up into the concept of a ‘level of assurance’ or LOA. The Verify system uses commercial IdP’s from the likes of Barclays Bank, Royal Mail, and Experian, to issue and manage the user identities to a LOA 2 level. This effectively means the user has gone through an identity checking experience that incorporates a third party external ID check, coupled with document ID checks, and something known as Knowledge Based Authentication (KBA) whereby they must answer a series of questions personal to themselves. The Verify system went into full production earlier this year and is being used for a number of online government services.

In the USA, a much larger and more dispersed population than the UK, the idea of citizen identity is more of a challenge. However, there is a lot of work going on in this area, and movement is happening. The National Strategy for Trusted Identities in Cyberspace (NSTIC) which is part of the National Institute of Standards and Technology (NIST) is developing the framework for an online, secure, and privacy enhanced identity system for online service access across a consumer and business environment. Working groups like of which NIST has input, are working out the technology implications of such a framework for government – citizen use.

The type of mass adoption afforded by government based identity systems has to drive innovation, as the demography is large and complex. These innovations are bound to trickle down to the use within a commercial context.

IAM to IDaas to More Secure Working

One of the best outcomes from the transition to Cloud based identity systems is to have a more holistic view of what working securely really is. Our online identity is becoming intrinsically linked with our access to our work resources. As government drivers cross into the commercial world, and as our personal identity and work identity become ever more blurred, we will see IDaaS become the frontline of secure working. We are already seeing strides forward in making identity access and credential management a better proposition. Just this last month, NIST set out a directive around the use of SMS text message as a second factor – NIST deprecating the use of SMS as a 2FA because of inherent security issues. Work is continuing to make online identity across disparate systems and resources even more of a way of life for all of us. New protocols like OpenID Connect will likely replace SAML 2.0 in the longer term, purely because they have been specifically designed for large scale Internet use. Movements in the space that make identity both a usable and secure proposition, but one that connects back to existing company directories, will only continue to strengthen the use of a fully verified identity as a front door into our IT networks and resources.

Learn more, and download one of our whitepapers today!

Cost of a Data Breach Report 2019

This year’s Cost of a Data Breach Report explores several new avenues for understanding the causes and consequences of data reaches. For the first time, this year’s report details the “long tail” of a data breach, demonstrating that the costs of a data breach will be felt for years after the incident. The report also examines new organizational and security characteristics that impact the cost of a data breach, including: the complexity of security environments; operational technology (OT) environments; extensive testing of incident response plans; and the process of closely coordinating development, security, and IT operations functions (DevSecOps). Continuing to build on previous research, the 2019 report examines trends in the root causes of data breaches and the length of time to identify and contain breaches (the breach lifecycle), plus the relationship of those factors to the overall cost of a data breach. Following the 2018 report’s initial examination of “mega breaches” of greater than 1 million lost or stolen records, we continue this research with comparative data for 2019. And for the second year, we examined the cost impacts of security automation, and the state of security automation within different industries and regions.

Lost business is the biggest contributor to data breach costs*

The loss of customer trust has serious financial consequences, and lost business is the largest of four major cost categories contributing to the total cost of a data breach. The average cost of lost business for organizations in the 2019 study was $1.42 million, which represents 36 percent of the total average cost of $3.92 million.** The study found that breaches caused abnormal customer turnover of 3.9 percent in 2019. Whereas organizations that lost less than one percent of their customers due to a data breach experienced an average total cost of $2.8 million, organizations with customer turnover of 4 percent or more averaged a total cost of $5.7 million – 45 percent greater than the average total cost of a data breach.

Data breach costs impact organization for years

About one-third of data breach costs occured more than one year after a data breach incident in the 86 companies we were able to study over multiple years. While an average of 67 percent of breach costs come in the first year, 22 percent accrue in the second year after a breach, and 11 percent of costs occur more than two years after a breach. The long-tail costs of a breach were higher in the second and third years for organizations in highly regulated environments, such as the healthcare and finance industries. Organizations in a high data protection regulatory environment saw 53 percent of breach costs in the first year, 32 percent in the second year and 16 percent more than two years after a breach.

* The research in the Cost of a Data Breach Report is based on a non-scientific sample of 507 companies. The key findings are based on IBM and Ponemon analysis of the data and do not necessarily apply to organizations outside of the group that was studied.

** Local currencies were converted to U.S. dollars.

Learn more?


How can you raise cybersecurity awareness within your organization? The cybercrime wave that has been the hot topic continues to rumble on. We are in fact in a bizarre situation where we, as well as commercial competitors, have cybercriminals competing with us. The competition, in this case, is for data, an item that straddles all industry sectors.

Cybercriminals make a lot of money from the data they compromise. It is estimated that currently, cybercrime is costing the global economy around $450 billion annually. Some, like Juniper Research, are predicting those costs will spiral to around $2 trillion by 2019. Once you start describing losses in the trillions, rather than billions, you know you really do need to take stock. Analysts, HPS, have shown that cybercrime is truly a globally competitive business, comparing it to the likes of Apple and Microsoft in terms of revenue generation. Cybercrime is a formidable and successful competitor in today’s data stakes.

Source: HPS

With a business model this effective, cybercrime is set to continue as a major threat to normal business operations. Changes in the threat landscape, such as models enabling cybercrime, like ‘Malware as a Service (MaaS)’, make this onslaught of attacks even more likely. We are left with no option but to take this all very seriously. It’s too bad though that the old methods of defense, like anti-virus software, are showing cracks in their armor. With anti-virus vendors like Symantec stating that anti-virus software is only effective against 45% of viruses. We need to move to a new paradigm in our approach to mitigation of cyber threats – the war against cybercrime is now about a simple concept…awareness.

The Biggest Threat is You

Any type of crime, be it real world or digital, has an element of human behavior about it. One of the world’s most famous scams, the Ponzi Scheme, carried out back in 1920 was based on the basic human behavior to accumulate resources – in this case, lots of money. Today, cybercriminal scams also focus on human behavior to elicit knee-jerk reactions. Phishing, a technique based on social engineering, which encourages its target to perform an action that benefits the cybercriminal, is the most successful vector for cybercrime according to a report by Phishlabs. And in 2016 this continues to be the case with the first quarter of 2016 seeing an increase of 250% in phishing attacks.

Phishing is a perfect example of the use of human behavior to exact an outcome. Phishing comes in a myriad of forms, morphing into new ones as older ones become recognizable and less effective. The reason why this method is so successful, with SANS Institute, estimating that phishing is behind 95% of all security breaches, is because the successful cybercriminal uses their knowledge of how we tick as much as they use software code. What this means for us, as business owners, IT staff and company employees, is that we need to be much more aware when it comes to security, especially cyber. With the type of cyber-threat climate we face today, we cannot rely solely on technology to get us out of sticky cyber-situations.

Cybersecurity Awareness

Being security aware is about creating a culture of security within an organization. In practice this will require everyone, from the board to the IT department, to the sales team, out into your extended third party vendor system, to understand the implications of the modern cybersecurity threat.

Security awareness includes understanding the security requirements and impact of common standards and compliance, such as HIPPA and PCI-DSS. However, security awareness is much more than just complying with laws. Security awareness is about knowledge and understanding of what the threat landscape has in store for us, and the techniques used against our organization and ourselves. To be security-aware you need to:

1.     Know the types of attacks being targeted at your specific industry area (check out our industry series covering six industry sectors, and the types and levels of cybercrime they experience)

2.     Use this knowledge to set up the best type of security awareness program to put in place in your company

3.     Use special programs, like phishing awareness to train your staff and extended vendor ecosystem in what a phishing campaign will look like. This can include creating mock phishing attacks. Metrics from these mock attacks can also help you to understand where in the organization to concentrate security awareness training on.

4.     Recognize that security awareness is an ongoing activity. Cybercrime is not a static practice; it morphs and changes to optimize better outcomes. The fact that cybercrime revenue is up there with the most successful companies in the world is a testament to the cyber criminal’s continuous improvement of their business models.

Being mindful of the benefits of security awareness is a modern way of tackling cybercrime. It allows us to form a concentrated defense system, utilizing the very thing that cybercriminals rely on to bring about a breach – ourselves.

Learn more, and download one of our whitepapers today!