data loss

Cyber Security Developments

Cyber Security Is The Backbone Of Any Online Business – Here Are Some Quick Tips To Keep Yourself Informed About The Latest Threats Surrounding Your Business.

Within a standard nine to five working day, it’s said that there are almost two million data records lost or stolen. Cybercrime has become something of an epidemic in recent years – and it’s no exaggeration to say that everyone is at risk.

Hackers operate in an increasingly complex way and are happy to target small businesses and individuals, who are most likely to be vulnerable to attack. The nature of the threat changes as technology advances and so the only way to stay safe is to stay up to date.

But that’s easier said than done, right? How do you keep up to date with the latest cybersecurity developments?

Follow The News

When it comes to cyber security, ignorance is not bliss – it’s a recipe for disaster. It’s imperative that you identify and follow a news feed that you can trust. By doing so, you can keep on top of any fresh threats that have emerged, learn lessons from other cyber attacks and pick up the latest tips and advice from influencers and experts in this field.

News from this sector really shouldn’t be seen as the preserve of IT specialists – the scale and nature of the threat suggest that this should be of interest to everyone. There’s a burgeoning band of podcasts available on the subject for people who prefer to digest content in this way too.

Bring Up The ‘Security Question’

If you think that installing an anti-virus program is enough, then you’re mistaken. Don’t presume that you’re safe just because you have one; anti-virus is merely the first line of defense against attacks. By adopting a safety-first mindset you can ensure that the way you handle your data is less risky.

Whether it’s securing your Wi-Fi network at home, managing and updating your passwords on a regular basis or the way you collect, collate and analyze data through the point of sale software at work, continually ask yourself ‘is this safe?’ Just as ignorance isn’t bliss, complacency could prove your undoing. Place ‘security’ high on the list of credentials to consider when buying new software or hardware; don’t just go for the cheapest option.

Training

Even the experts are constantly having to refresh their understanding of the threat posed by cyber attacks. It pays to search out training opportunities, especially if you’re a business. You are, after all, only as safe as the people operating your software and systems and you don’t want to put the security of your business in the hands of someone who is unsure about what they are doing. Individuals and businesses alike can find free learning materials on Cybrary to help plug any knowledge gaps they have.

It’s Good To Talk

Cyber attacks are incredibly common – but people don’t talk about their experiences often enough. Perhaps you’re afraid or embarrassed to have been caught out? There’s no need to be. In fact, talking with friends and colleagues could really help you to stay safe. Pass on tips about new apps, good software, tricks you have found useful and any new cyber attack tactics you have come across, and you can do your own bit to combat the criminals.

By keeping up to speed with security news, refreshing your training, sharing tips and tricks and adopting a safety-first attitude you’ll give yourself the best possible chance of staying on top of cyber security developments and, best of all, safe.

New York State Reminds New Yorkers to Protect Themselves from Cyber Crime in Recognition of Data Privacy Day


Data Privacy Day on January 28 Promotes Privacy and Data Protection

New Yorkers Should Take an Active Role in Protecting Their Digital Information

The New York State Office of Information and Technology Services and the Division of Consumer Protection today reminded consumers and businesses to protect their online privacy and information from unscrupulous scammers. New Yorkers should follow several key privacy and data security tips shared as part of an effort to raise awareness in recognition of National Data Privacy Day on Sunday, January 28.

“Data Privacy Day serves as an important reminder about how we can keep our data safe from cyber criminals with tips we can follow all year long,” said New York State Chief Information Officer Robert H. Samson. “While New York State is a leader in keeping New York’s critical infrastructure secure, thanks in large part to Governor Cuomo’s leadership, taking appropriate steps to safeguard personal information to minimize risk and avoid becoming a victim is the responsibility of all New Yorkers.”

“It is incumbent upon all New Yorkers to conduct online security checks for all their accounts,” said New York State Secretary of State Rossana Rosado. “Data Privacy Day is a great opportunity to remind consumers of critical steps to safeguard their information. Consumers must be vigilant in their daily interactions both on and offline to best prevent breaches that can wreak havoc on people’s lives.”

New York ranked fourth highest in the nation for the number of internet crimes reported with more than $106 million in losses to consumers, according to the FBI’s 2016 Internet Crime Report. The Division of Consumer Protection received 1,260 breach notifications, affecting almost 2 million New Yorkers.

Last year, the credit reporting agency Equifax experienced a cyberattack that led to the release of personal private data of nearly 150 million consumers nationwide. In the wake of the unprecedented breach, Governor Cuomo announced significant actions to protect impacted consumers.

To keep personal information and data safe, the following tips are recommended:

  • Be Wary of Unsolicited Emails and Calls Asking for Personal Information -- Never share personal information, such as your Social Security number, in response to an unsolicited email or telephone call. If the email or call claims to be from a company you do business with, call them first to confirm the contact is legitimate.
  • Secure your Mobile Devices -- Apply software updates that patch known vulnerabilities as soon as they become available. Use security features built into your device such as a passcode, and programs that encrypt data and remotely wipe contents if the device gets lost or stolen.
  • Be Careful with Wi-Fi Hotspots -- Public wireless hotspots are not secure, which means that anyone could potentially see what you are doing on your mobile device while you are connected. Limit what you do on public Wi-Fi, and avoid logging into sensitive accounts.
  • Know your Apps -- Be sure to thoroughly review the details and specifications of an app before you download it. Review and understand the privacy policy of each mobile app. Be aware that the app may request access to your location and personal information.
  • Be Cautious about the Information you Share on Social Media -- Avoid posting your birthdate, telephone number, home address, or images that identify your job or hobbies. This information may often reveal answers to security questions used to reset passwords, making you a possible target of scammers looking to access your accounts and secured information.
  • Use Strong Passwords -- Create unique passwords for all your accounts. Use 10-12 characters in a combination of letters (upper and lower case), numbers and symbols. Individuals should regularly change their passwords as well.
  • Change your security questions -- Don't use the same security questions on multiple accounts. Be careful to select security questions for which only you know the answer. Make sure the answers cannot be guessed or found by searching social media or the internet.
  • Turn on Two-Step Verification to access accounts -- To enhance the security of your account, require your password and an extra security code to verify your identity whenever you sign in to your accounts, where available.
  • Beware of phishing -- Do not click on links, download files or open attachments in emails from unknown senders. It is best to open attachments only when you are expecting them and know what they contain, even if you know the sender. And be wary of calls or texts asking for your personal information.
  • Use Automatic updates and back-up data -- Make sure automatic updates are turned on for your software and that you back up all information.
  • Monitor your financial accounts -- Review your bank, credit card, and billing statements carefully to check for suspicious activity. Report any suspicious charges immediately to the responsible financial institution.
  • Check your credit report and consider placing a Security Freeze -- If you identify inaccurate, suspicious or unusual activity on your consumer credit report, notify the consumer credit reporting agency and the respective financial entity immediately. New Yorkers may also want to consider placing a Security Freeze on their credit reports.
    • Experian: 1-888-397-3742
    • TransUnion: 1-800-680-7289
    • Equifax: 1-800-525-6285
  • Keep records -- Keep all notes and records about the security breach in the event fraudulent activity arises later.

Acting Commissioner of Taxation and Finance Nonie Manion said, “Unscrupulous people are using stolen information to file tax returns claiming refunds they’re not entitled to. They’re trying to steal this money from honest citizens. All New Yorkers should remain vigilant and secure their private information to help prevent it from falling into the wrong hands. The Tax Department offers a number of secure resources to manage your taxes online at www.tax.ny.gov and to report tax fraud, scams, and identity theft.”

Financial Services Superintendent Maria T. Vullo said, “As our landmark cybersecurity regulation demonstrates, New York leads the nation in protecting the sensitive data of consumers and the stability of the financial services industry. And we are continuing our nation-leading efforts in ensuring that credit reporting agencies protect consumer data as well. Today we take the opportunity to remind consumers how critically important it is to take all necessary precautions to defend against cyber criminals.”

Division of Homeland Security and Emergency Services Commissioner Roger L. Parrino, Sr. said, “By following some simple, common-sense steps you can help protect yourself and family from cybercrimes. If you have been the victim of a cybercrime, alert law enforcement, no matter how minor.”

New York State Chief Information Security Officer Deborah Snyder said, “The Internet makes it easier than ever to share data and files. However, many people don’t recognize the potential privacy risks of their online activities. National Data Privacy Day brings awareness to the importance of protecting personal information.”

For more helpful cyber tips, and additional online safety resources, including real-time advisories, visit the New York State Office of Information Technology Services website at https://its.ny.gov/eiso.

For more information on security breaches and avoiding identity theft visit the Division of Consumer Protection website at http://www.dos.ny.gov/consumerprotection/security_breach/. Consumers may also contact the Division’s Consumer Assistance Helpline at (800) 697-1220. You can also follow the Division of Consumer Protection on social media on Twitter (@NYSConsumer) and Facebook (www.facebook.com/nysconsumer).

Congress cyber security accountability and transparency

Less than two months after Intel and other technology companies disclosed the Spectre and Meltdown speculative execution vulnerabilities, the Securities and Exchange Commission (SEC) published updated guidelines instructing public companies on how and when to disclose cybersecurity vulnerabilities and incidents that could potentially cause risk to the public. These significant security lapses have once again brought data security to the attention of the U.S. government, businesses and consumers around the world, but far too little has been done to hold companies accountable for when and how security concerns are disclosed to the shareholders and the public.

More concerning, there has been a troubling pattern recently of company executives apparently dumping shares before publicly disclosing a known cybersecurity incident. For example, the Equifax breach, which exposed the personal data of almost 145.5 million Americans, made news when three company executives were alleged to have sold shares worth a collective $2 million just days after the breach was discovered, but over a month before it was disclosed.

Within one week of the breach, the company lost nearly $4 billion in market value. That scandal reportedly has resulted in a Department of Justice investigation. Similarly, it has been reported that Intel CEO Brian Krzanich sold millions of dollars’ worth of company stock after his company became aware of the Spectre and Meltdown security vulnerabilities, but before they were publicly disclosed.

We take our roles in the fight against cybercrime seriously. We understand that investigating a data breach or other cyber security incidents properly and thoroughly can take weeks or even months. We further understand that it’s imprudent to release information about a suspected data breach without first conducting a proper investigation. But it is reckless and inappropriate for executives to delay revealing cyber security incidents to shareholders and the public, and remedying them, while they continue to trade securities — even if those trades are made on an automated plan.

Enterprises’ insufficient and dilatory responses following high-profile cyber incidents not only jeopardize corporations, but also increase public distrust and anxiety regarding the security of their personal data.

In the new guidelines issued on Feb. 21, the SEC warned that security breaches and vulnerabilities could constitute “material” information, noting that it’s illegal under U.S. securities laws for insiders to trade stocks based on such information before it becomes public. Such sales may also violate companies’ ethics and insider-trading policies.

The SEC’s action, even if it is primarily responding to the concerns of shareholders, is a positive early step towards creating accountability and transparency in the wake of headlining breaches that have become so familiar. Cyber risk affects virtually every kind of enterprise. It is not a matter of if, but when. Companies should start with the presumption that they will be attacked and have a comprehensive incident response plan in place. An incident response plan should include a consumer notification process, especially when sensitive data such as Social Security numbers and financial information is corrupted. Regulation or industry standards should be put in place to protect consumers and relevant stakeholders from experiencing material damage and to ensure transparency from company officers.

Another step in the right direction is proposed legislation such as the Data Security and Breach Notification Act, which would create the first federal standard for penalizing companies that do not disclose a breach. The Data Security and Breach Notification Act would require companies to notify consumers that they have had a security breach within 30 days, institute a maximum five-year prison sentence for intentionally hiding such a breach, and create financial incentives for companies or organizations utilizing technologies that make consumer information unreadable in the event of a breach. Regulation such as this would be a strong deterrent to companies acting intentionally in bad faith against consumers and shareholders.

There’s more to be done by the SEC and Congress with respect to cyber guidelines on disclosure and insider trading rules, but this move represents necessary progress on a critical issue. The guidelines issued last week are neither perfect nor a comprehensive solution, but the SEC’s latest effort represents a needed push to ensure corporate transparency and a well-regulated response to cyber incidents.

Michael Chertoff was secretary of the Department of Homeland Security from 2005 to 2009. He is executive chairman of The Chertoff Group, a security and risk-management advisory firm, and author of the forthcoming book, “Exploding Data: Reclaiming Our Cyber Security in the Digital Age.”

Bill Conner is the president and CEO of SonicWall, an internet security firm in San Jose, California, and chairman of the board of Comodo CA, an internet security firm in Clifton, New Jersey. He has more than 30 years of experience in high-tech industries, is a corporate turnaround expert, and a global leader in security, data and infrastructure.

Social Security numbers of California state workers exposed in data breach

Social Security numbers for thousands of state employees and contractors were exposed in a recent data breach at the Department of Fish and Wildlife, according to a memo that the department sent to its workers this week.

The department discovered the data breach on Dec. 22, but did not disclose the breach to employees until this week. The California Highway Patrol has been investigating the incident for the past two months.

According to the memo, a former state employee downloaded the data to a personal device and took the records outside of the state’s network. The memo does not say when or why the former employee downloaded the information to an unsecured network.

The data included names and Social Security numbers of people who worked at the department and the state’s wildlife conservation board in 2007. The data also included personal information for vendors who worked with the department and with the conservation board between 2007 and 2010.

About 2,300 people worked for the department in 2007, according to the state budget from that year. The memo encouraged employees to obtain more information about monitoring identity theft from the Attorney General’s Office, or to contact one of the three credit bureaus: Equifax, Experian and TransUnion.

The department has not yet seen evidence that cyber criminals are trying to profit from the data, department spokeswoman Jordan Traverso said. She said the department discovered the improper download when supervisors discussed other work-related issues with the employee. The memo said the former employee did not appear to have had malicious intent in downloading the data to a personal device.

The department did not say when the former employee downloaded the data.

A 2015 report by the state auditor encouraged California government agencies to tighten up their cyber security precautions. Last year, one department drove home the message with a fake phishing message that played on its employees’ anticipation for bonuses they received in a new contract.

CEOs and Tech Execs (CISOs, CIOs, and CTOs) Divided on Security

Survey shows 60% of CEOs plan to invest the most resources in malware prevention, but CISOs, CIOs, and CTOs are on a different page.

More than 60% of CEOs believe malware is the biggest threat to their organization, but just one-third of CISOs, CIOs, and CTOs agree.

It's just one data point in a new study by identity management company Centrify that shows a major disconnect on this and many other security issues between CEOs and their technical officers (TOs), which include CIOs, CTOs and CISOs.

CEOs and TOs also diverged on whether they knew if their organization had experienced a breach. Only 55% of CEOs say their organization experienced a breach, while 79% of TOs say so. On the technology front, 62% of CEOs say two-factor authentication technologies are difficult to manage, while only 41% of TOs concur with that statement.

"Part of the problem is that the technical people tend to try to keep the breach quiet," says Tom Kemp, CEO at Centrify. "I think overall, the TOs need to do a better job managing up, because with SEC regulations and various state breach notification regulations, organizations really do have to report if they have been breached today."

Kemp points out that 42% of TOs point to identity breaches as one of the primary threats to their organizations. And 68% of executives whose companies experienced significant breaches indicate it would most likely have been prevented by either privileged user identity and access management or user identity assurance. Only 8% of all executives whose companies experienced a significant breach say that anti-malware technology would have prevented the more significant breaches with serious consequences.

Frank Dickson, an IDC analyst who focuses on identity and access management, points out that the 2017 Verizon Data Breach Investigations Report found that 81% of hacking-related breaches leveraged stolen and/or weak passwords.

"Our goal is not to eliminate malware, our goal is to eliminate breaches," Dickson says. "By strengthening authentication, it lets us build security into the network," and potentially eliminate the vast majority of breaches.

Lawrence Orans, a research vice president at Gartner who focuses on network security, says he doesn't think it's helpful to set security up as a choice between identity management versus malware detection.

"For example, malware could be used to steal credentials and execute an even broader attack," he says. "And it actually makes sense that there would be a disconnect between the CEO's understanding of new security technologies versus the TO's: that's what the CEO has the technical people for in the first place."

Centrify's Kemp maintains that TOs need to educate their CEOs on identity management issues, citing the three main tenets of so-called zero trust security:

  • Verify users. Companies can do this with single sign-on software that's layered in with two-factor authentication.
  • Validate devices. Have a procedure for determining if the devices are enrolled with the IT department with the right OS versions, patch levels, and antivirus software. IT must also check past usage, including a user's geography. (A user can't be in New York one minute, then San Jose five minutes later).
  • Limit access and privileges. Companies should move to a least-privilege model in which users only gain access to a system if they need it for their jobs, and only for a defined time period.
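To make the device-validation tenet above concrete, here is an added example (not code from Centrify or the Dark Reading article) of the "impossible travel" check it mentions: each user's consecutive sign-ins are compared by great-circle distance and elapsed time, and any pair that implies a speed no traveller could reach is flagged for review. The sign-in events, their coordinates, the 900 km/h speed ceiling and the 50 km "same place" tolerance are all constructed assumptions for this example, not values from the article.

```python
"""Impossible-travel check over sign-in events.

Added example, not code from Centrify or the article; every event,
coordinate and threshold below is a constructed assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Assumed ceiling on plausible travel speed (roughly airliner cruise speed).
MAX_SPEED_KMH = 900.0
# Below this distance two sign-ins count as the same place, so geolocation
# jitter within one city never trips the rule (assumed tolerance).
SAME_PLACE_KM = 50.0


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime          # timezone-aware timestamp of the successful sign-in
    lat: float
    lon: float
    label: str            # human-readable location (constructed for the sample)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(
    events: List[SignIn], max_speed_kmh: float = MAX_SPEED_KMH
) -> List[Tuple[str, str, str, float]]:
    """Compare each user's chronologically consecutive sign-ins and return
    (user, previous_location, new_location, implied_speed_kmh) for every
    pair whose implied speed exceeds max_speed_kmh."""
    alerts: List[Tuple[str, str, str, float]] = []
    last_seen: Dict[str, SignIn] = {}
    # Sort by user then time so "consecutive" means chronological per user,
    # regardless of the order in which the log delivered the events.
    for ev in sorted(events, key=lambda e: (e.user, e.ts)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            distance = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.ts - prev.ts).total_seconds() / 3600.0
            if distance > SAME_PLACE_KM:
                # Zero elapsed time over a real distance is infinitely fast;
                # guard the division instead of raising ZeroDivisionError.
                speed = float("inf") if hours <= 0 else distance / hours
                if speed > max_speed_kmh:
                    alerts.append((ev.user, prev.label, ev.label, round(speed, 1)))
        last_seen[ev.user] = ev
    return alerts


def _at(hour: int, minute: int) -> datetime:
    """Helper: a UTC timestamp on a fixed sample day."""
    return datetime(2018, 1, 28, hour, minute, tzinfo=timezone.utc)


# Constructed sample log: alice shows the New York -> San Jose pattern the
# article describes; bob's London -> Paris hop is ordinary travel.
SAMPLE_EVENTS = [
    SignIn("alice", _at(9, 0), 40.7128, -74.0060, "New York"),
    SignIn("alice", _at(9, 5), 37.3382, -121.8863, "San Jose"),
    SignIn("alice", _at(10, 0), 37.3382, -121.8863, "San Jose"),
    SignIn("bob", _at(12, 0), 48.8566, 2.3522, "Paris"),      # delivered out of order
    SignIn("bob", _at(8, 0), 51.5074, -0.1278, "London"),
]

if __name__ == "__main__":
    for user, src, dst, speed in find_impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {user}: {src} -> {dst} implies {speed} km/h")
```

Run as-is and only alice's New York to San Jose pair is reported (about 4,100 km in five minutes, tens of thousands of km/h), while bob's four-hour London to Paris trip passes. In production the same comparison would be fed from the identity provider's sign-in log, and the two thresholds tuned to the organisation's own travel patterns; the rule is a trigger for step-up authentication or analyst review, not an automatic lockout, since VPN egress points and mobile carrier geolocation can both produce legitimate-looking jumps.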

The study was based on a survey of 800 senior executives conducted in November 2017 by Dow Jones Customer Intelligence, a unit of the Wall Street Journal/Dow Jones Advertising Department. More than 75% of the executives surveyed are CEOs or technical officers such as CIOs, CTOs and CISOs; the rest are their direct reports.

Source: darkreading.com

Fresenius had five separate data breaches and agreed to pay $3.5 million

Medical supplies giant Fresenius Medical Care North America (FMCNA) agreed to pay $3.5 million to U.S. federal regulators after five separate data breaches in 2012.

The U.S. Department of Health and Human Services Office for Civil Rights levied the fine along with a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. A federal investigation found the company failed to conduct an accurate risk analysis of vulnerabilities to its protected information.

FMCNA filed five breach reports in January 2013 covering incidents from February-July 2012 impacting the electronic protected health information for five FMCNA-owned branches across the United States.

The list of violations is long. One branch didn’t encrypt sensitive information, another had no policies around removing hardware from facilities, two businesses had no safeguards against unauthorized access or theft while yet another had no procedure to address security incidents, according to the federal investigation.

“The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity,” OCR Director Roger Severino said in a statement. “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Fresenius Medical Care is a German-based international conglomerate that sells medical supplies around the world, with a concentration on kidney health. The company makes about $18 billion per year in revenue as of FY 2016.

FMCNA did not respond to a request for comment.