The cybersecurity landscape is constantly changing. While it might seem like throwing more money into the IT fund or paying to hire cybersecurity professionals are good ideas, they might not pay off in the long run.

Related: Security no longer just a ‘cost center’

Do large cybersecurity budgets always guarantee a company is safe from ongoing cybersecurity threats?

According to research from Kiplinger, businesses are spending less money on capital equipment, especially as rumors of a mild recession in the future loom. However, organizations in 2023 know one crucial area to spend money on is cybersecurity.

Cyberattacks are becoming more frequent, intense and sophisticated than ever. In response, many businesses of all shapes and sizes will allocate funds to their IT departments or cybersecurity teams to make sure they’re well-defended against potential threats. They may incorporate tools such as firewalls or antivirus software, which are helpful, but not the only tactics that can keep a network secure.

Unfortunately, having a large cybersecurity budget does not necessarily mean a company has a solid, comprehensive security plan. Organizations can spend all they have on cybersecurity and still have pain points within their cybersecurity program. Threat actors will still use social engineering tactics like phishing or ransomware to target businesses, steal data and earn a significant payday.


One of the best ways to utilize a large cybersecurity budget is to take an intelligent threat approach. This approach involves companies using all their resources and information to determine which cybersecurity threats will most likely impact them. However, using this approach does not require vast amounts of spending.

An intelligent threat approach should leverage four key principles: accuracy, relevance, actionability and cost-effectiveness.

The information used to guide a cybersecurity program should always be accurate and relevant to existing and emerging threats. Additionally, identifying threats enables organizations to take action without spending too much of their resources. These four principles are fundamental if businesses want to build a cost-effective cybersecurity program.

Here are some do’s and don’ts that will help companies save on their cybersecurity budgets and still maintain good cybersecurity posture in an increasingly threatening environment.

Do:

• Research cybersecurity solutions before spending to find the most cost-effective options.

• Partner with a third-party cybersecurity firm to lean on for guidance.

• Focus on creating a mitigation and remediation plan to be proactive.

• Move toward a converged IT solution to bring together data analytics and cybersecurity.

• Eliminate tools that are not delivering valuable insights or solutions to the organization.

• Only adopt the necessary cybersecurity solutions based on the organization’s needs.

Don’t:

• Hire unnecessary personnel to handle cybersecurity tasks.

• Implement too many solutions, as it can lead to confusion and complexity.

• Overspend just for the sake of saying the cybersecurity team is well-funded.

Although a good cybersecurity strategy does require businesses to spend a considerable amount of money, not every strategy requires hundreds of thousands or millions of dollars to be strong, nor is every strategy complete just because it’s received an influx of funds.

Depending on the organization, it’s crucial to find the right cybersecurity solutions to ensure IT pros can perform their duties and protect the organization. Ultimately, companies should strike a balance between overspending and spending the right amount of money on valuable solutions and tools to ensure their defenses are as impenetrable as possible.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

A new report from the Bipartisan Policy Center (BPC) lays out, in stark terms, the prominent cybersecurity risks of the moment.

Related: Pres. Biden’s impact on cybersecurity.

The BPC’s Top Risks in Cybersecurity 2023 analysis calls out eight “top macro risks” that frame what’s wrong and what’s at stake in the cyber realm. BPC is a Washington, DC-based think tank that aims to revitalize bipartisanship in national politics.

This report has a dark tone, as well it should. It systematically catalogues the drivers behind cybersecurity risks that have steadily expanded in scope and scale each year for the past 20-plus years – with no end yet in sight.

Two things jumped out at me from these findings: there remain opportunities and motivators aplenty for threat actors to intensify their plundering; meanwhile, industry and political leaders seem at a loss to buy into what’s needed: a self-sacrificing, collaborative approach to systematically mitigating a profoundly dynamic, potentially catastrophic threat.

Last Watchdog queried Tom Romanoff, BPC’s technology project director, about this analysis. Here’s the exchange, edited for clarity and length:

LW: Should we be more concerned about cyber exposures than classic military threats?

Romanoff: Classic military threats will always merit significant concern due to their direct impact on life. But for most Americans, cyberattacks are a lot more likely to happen. They can cause severe economic or social disruptions and impact a broad crosscut of our society.

Incidents of nations using cyberattacks as an extension of military operations to disrupt or destabilize targets are on the rise. As part of criminal enterprises or economic warfare, nation-states using cyber-attacks can inflict damage without firing a shot and extend power beyond their borders.

Our report connects the threats from particular nation-states and showcases how this can accelerate risks for non-military organizations.

LW: Regulation hasn’t seemed to help much; data security rules have been highly fragmented, i.e., Europe vs. the U.S. and even state-by-state in the U.S.

Romanoff: Concerns about data privacy and cybercrime are fast-tracking the push for regulations. In the U.S., tech has enjoyed “permissionless innovation” for much of its industrial existence.

As Congress continues to debate the role of Big Tech, increased state-level regulations, and worldwide regulations, policymakers are increasingly pressured to do something to increase data protections.


California is leading the effort at the state level and has passed the California Consumer Privacy Act (CCPA). Similar bills, including many data privacy bills, follow California’s lead. For example, Colorado, Connecticut, Utah and Virginia have all signed privacy laws in the last few years, and fifteen other states are considering privacy laws.

The push for a national data privacy law would have an immediate and quantifiable impact, but sadly progress is stalled. Without a national data privacy law or laws, we are left with a fragmented regulatory landscape.

The EU is moving much faster to regulate digital security. Between the General Data Protection Regulation (GDPR), Digital Services Act (DSA), the Digital Markets Act (DMA), and the emerging ePrivacy Regulation, the EU is framing the data security debate worldwide.

The overall impact of regulations has been on how businesses collect, process, and protect personal data. There will continue to be a push to increase transparency and accountability around data handling practices. For example, the recent FTC complaint regarding GoodRX and the Illinois case against White Castle for violations of the Biometric Information Privacy Act (BIPA) show that the norm is trending toward increased oversight.

LW: So what difference can regulation actually make in the next few years?

Romanoff: We should expect the government to break from the self-governance/marketplace regime that has been in place and move away from incentive-based cyber compliance. I expect to see more penalties for data leaks or non-compliance.

DMA and other EU regulations will come online, creating compliance hurdles for American companies.

We can also expect the U.S. government to work toward more oversight mechanisms by finding authorities that can be interpreted through a data-security lens.

LW: It’s certainly not a surprise that nightmare breaches keep happening; your report calls out lagging corporate governance as a major variable.

Romanoff: Cybersecurity in many organizations is considered a cost, not an investment. Too often, cyber leaders are not included in board discussions or c-suites, and thus cybersecurity isn’t integrated into business decisions. This will continue to be a challenge until security is built into the business model or product from the beginning.

For example, one of our working group members talked about the need to create software development teams that knew cybersecurity just as well as UX/UI. Traditionally these are different teams: one team builds the software product, and another one tests it for vulnerabilities.

When you have a team that builds a product with cybersecurity as part of its functionality, that’s when you have full integration. It’s the same for corporate governance: when cyber is built into a product, we know this risk is being meaningfully addressed.

LW: Will infrastructure threats and/or disruptions be a catalyst?

Romanoff: Infrastructure and utility disruptions pull cybersecurity from the abstract into reality for most Americans. These sectors continue to be targeted, and events like the Colonial Pipeline shutdown pushed government agencies and companies to prepare for attacks.

No system, no matter how well protected, is 100 percent safe from attack. What is important to highlight is the resilience and contingency planning that organizations should build into their strategy before being the disruption case study.

I commend the work that CISA and DHS are doing to help organizations build out that resiliency. By partnering with cyber leaders in these sectors, CISA is working to mitigate risks before they become disruption events.

LW: What is an optimistic scenario for shrinking the trajectory of cybersecurity risks, as laid out in this report?

Romanoff: Hopefully, some of these risks will be addressed and become part of standard resilience and contingency planning. However, eight of the risks we identified are not new. They have been a concern for some time.

We hope that the framing of this report will spur action, especially at the policy level, to allocate the necessary time and resources. Our report is a baseline for 2023, and we hope to update it as new risks emerge or as risks are addressed meaningfully, mitigating their impact.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

This year has kicked off with a string of high-profile layoffs — particularly in high tech — prompting organizations across all sectors to both consider costs and plan for yet another uncertain 12 or more months.

Related: Attack surface management takes center stage.

So how will this affect chief information security officers (CISOs) and security programs? Given the perennial skills and staffing shortage in security, it’s unlikely that CISOs will be asked to make deep budget or staffing cuts, yet they may not come out of this period unscathed.

Whether the long anticipated economic downturn of 2023 is a temporary dip lasting a couple quarters or a prolonged period of austerity, CISOs need to demonstrate that they’re operating as cautious financial stewards of capital, a role they use to inform their choices regardless of the reality — or theater — of a recession.

This is also a time for CISOs to strengthen influence, generate goodwill, and dispel the perception of security as a cost center by relieving downturn-induced burdens placed on customers, partners, peers, and affected teams.

For CISOs to achieve these goals, here are five recommended actions:

• Tie security to the cost of doing business. CISOs should not allow their board or executive team to continue believing that cybersecurity exists solely as a cost center. In other words, they shouldn’t detail how cybersecurity spending drives revenue and that cuts to the security program directly affect relationships and requirements with three key constituencies: customers, insurers, and regulators.

Instead, they should defend their security budget by quantifying investments in required security controls — and how much revenue is generated from the systems those controls protect. Ultimately, cybersecurity can become a profit center when customers, insurers, and regulators require it.

• Demonstrate secure practices to customers. Your customers’ security teams are navigating the same downturn pressures. They still need to collect audit and security information from vendors, and they may have fewer employees to complete the work. CISOs should prioritize security initiatives that drive the top line and increase customer stickiness, such as bot management solutions that improve customer experience, and then inform customers of the steps taken to thwart costly application attacks.

These include such initiatives as monitoring for denial of wallet attacks in serverless functions, minimizing bot fraud, and keeping an eye on bug bounty program costs. Lastly, CISOs should automate processes such as security questionnaire responses and software bill of materials generation to give customers what they need before they ask for it.

• Support (as you influence) peers in other functions. Now is the time for CISOs to focus on key corporate objectives and ensure that their security initiatives demonstrate traceable alignment. If you didn’t start this practice in your early days as a security leader, take the time now to schedule regular meetings with peers across functions to stay current on their challenges, security needs, and points of friction.

From there, develop joint initiatives that further corporate objectives and provide services, resources, or assistance in the form of partial funding or staffing and friction-remediation efforts. This ethical politicking will make funding or resource allocation discussions more amicable. It will also extend goodwill toward the security organization in the future, when CISOs may need allies and evangelists to push through policy or process changes.

• Stop backfilling open positions (for now). No security leader wants to ask an already overwhelmed team to do more with less. Not backfilling certain roles, however, reduces costs voluntarily and minimizes the need for future involuntary cuts. For CISOs, this requires excellent communication and management skills when explaining to their teams why these roles will stay vacant.

This should include succession planning, associated upskilling, and job shadowing efforts for those who stick around. Provide an expected duration for the hiring freeze and work with regional nonprofits to bring on cost-effective cybersecurity apprentices — relieving some of the pressure while creating a pipeline of experienced talent at the ready when the freeze lifts.

• Resist the temptation to consolidate your partner ecosystem. Although cutbacks in this area may appear to be a practical cost-saving strategy, overcorrection in key areas such as cybersecurity, risk, and compliance could increase concentration risk, expose firms to disruption, and severely affect your operations. Given economists’ estimates that modern recessions last 10 months, CISOs should consider in their decision-making the time it takes to fully onboard a strategic supplier — typically six months or more — so they can ensure that they don’t miss out on opportunities when the economic pendulum swings in the opposite direction.

The outlined actions must be executed deftly at a time when instilling and maintaining trust with customers, employees, and partners is a business imperative. They also become crucial when factoring in how current geopolitical events and technology innovations continue to fuel a highly sophisticated and evolving threat landscape.

About the essayist: Jess Burn is a Forrester senior analyst who covers CISO leadership & security staffing/talent management, IR & crisis management, and email security.

Of the numerous security frameworks available to help companies protect against cyber-threats, many consider ISO 27001 to be the gold standard.

Related: The demand for ‘digital trust’

Organizations rely on ISO 27001 to guide risk management and customer data protection efforts against growing cyber threats that are inflicting record damage, with the average cyber incident now costing $266,000 and as much as $52 million for the top 5% of incidents.

Maintained by the International Organization for Standardization (ISO), a global non-governmental group devoted to developing common technical standards, ISO 27001 is periodically updated to meet the latest critical threats. The most recent updates came in October 2022, when ISO 27001 was amended with enhanced focus on the software development lifecycle (SDLC).

These updates address the growing risk to application security (AppSec), and so they’re critically important for organizations to understand and implement in their IT systems ASAP.

Updated guidance 

Let’s examine how to put the latest ISO guidance into practice for better AppSec protection in enterprise systems. Doing so requires organizations to digest what the ISO 27001 revisions mean for their specific IT operations, and then figure out how best to implement the enhanced SDLC security protocols.

The new guidance is actually spelled out in both ISO 27001 and ISO 27002 – companion documents that together provide the security framework to protect all elements of the IT operation. The focus on securing the SDLC is driven by the rise in exploits that target security gaps in websites, online portals, APIs, and other parts of the app ecosystem to exfiltrate data, install ransomware, inflict reputational damage, or otherwise degrade enterprise security and the bottom line.

The revised ISO standard now stipulates more-robust cybersecurity management systems that reach all the way back into the SDLC to ensure that applications are inherently more secure as developers build them. In fact, for the first time, security testing within the SDLC is specifically required. And ISO 27001 specifies this testing should go beyond traditional vulnerability scanning toward a more multi-level and multi-methodology approach.

Achieving compliance

In seeking to secure the SDLC for ISO compliance, organizations will likely need to rely on a spectrum of testing tools working together to identify and prioritize the most critical threats. Here are three strategic priorities to help guide these efforts:

• Take a comprehensive, multi-level and multi-methodology approach – This includes employing multiple types of security testing in a single scan; setting up secure version control with formal rules for managing changes to existing systems; and applying security requirements to any outsourced development.

• Promote secure and agile coding practices – This includes subjecting deployed code to regression testing, code scanning, penetration, and other system testing; defining secure coding guidelines for each programming language; and creating secure repositories with restricted access to source code.

• Infuse security into application specifications and development workflow – This includes defining security requirements in the specification and design phase; scanning for vulnerable open-source software components; and employing tools that detect vulnerabilities in code that is deployed but not activated.

Comprehensive scanning

At the CTO and CIO level, these principles help guide the enterprise-wide strategy for ISO compliance. At the developer level, they will fundamentally reshape how programmers do their work day in and day out – including employing more project management tools and secure system architecture frameworks to track and mitigate risks at any stage in the SDLC.


The key throughout is to adopt a more holistic and comprehensive testing approach that aligns with the ISO 27001 requirements, since traditional vulnerability scanning is not powerful or proactive enough to secure the SDLC. The easiest way for organizations to mature their capabilities along these lines is to integrate a range of advanced AppSec testing protocols.

For example, the right AppSec partner can empower security teams with a blend of dynamic application security testing (DAST), interactive application security testing (IAST), and software composition analysis (SCA) together in a single scan. These combined testing approaches help secure all stages of development, as well as production environments, without negatively impacting delivery times.

Recent updates to the ISO 27001 standard bring a much-needed focus to securing the entire SDLC. In working to comply with the revised standard, security and development teams are realizing that a blend of multiple, complementary testing protocols is needed to catch and even prevent issues far earlier in the development process.

These efforts will help elevate security right alongside achieving the designed functionality as the ultimate goals in every DevOps project.

About the essayist: Matthew Sciberras is CISO and VP of Information Security at Invicti Security, which supplies advanced DAST+IAST (dynamic+interactive application security testing) solutions that help organizations of all sizes meet ISO 27001 compliance.

The United States will soon get some long-awaited cybersecurity updates.

Related: Spies use Tik Tok, balloons

That’s because the Biden administration will issue the National Cyber Strategy within days. Despite lacking an official published document, some industry professionals have already seen a draft copy of the strategic plan and weighed in with their thoughts. Here’s a look at some broad themes to expect and how they will impact businesses:

• New vendor responsibilities. Increased federal regulation puts more responsibility on hardware and software vendors compared to the customers who ultimately use their products.

Until now, people have primarily relied on market forces rather than regulatory authority. However, that approach often leads to bug-filled software because makers prioritize new product releases over ensuring they’re sufficiently secure.

These changes mean business representatives may see more marketing materials angled toward what hardware and software producers do to align with the new regulations. Product labeling may also become easier to understand, acting somewhat like food nutrition labels, except centered on security principles.

Coverage of the strategic security program from people with firsthand knowledge of the draft document suggests congressional action or executive authority will regulate how all critical sectors handle cybersecurity. It’s still unclear what that looks like in practice, but it certainly signifies a major change.

• Expanded cybersecurity budgets. Statistics suggest almost 50 percent of employees have never received cybersecurity training. It’s also easy to find research elsewhere highlighting how workers frequently make errors that might seem meaningless but ultimately expose files or corporate networks to cyberattacks and other risks.

Heightened public awareness of the Biden administration’s plan helped spur elevated stock market activity for several cybersecurity companies, likely because people at more companies recognized the need for such products. After all, cybersecurity awareness training for employees is vital, but it can only go so far. Businesses must also invest in specialized tools for network monitoring and security.

However, those familiar with the content of the strategic cybersecurity program say not to expect uniform standards to apply across industries. Previous U.S. presidents have tried that without getting the desired effects. That means it’s best to wait and see Biden’s intentions before increasing cyber investments.

• Critical infrastructure revisions. Analysts also believe part of Biden’s strategy for cybersecurity will rewrite a policy from President Obama’s era that provides stipulations for keeping essential infrastructure secure. It may also include details about which types of companies fall into that category. If so, entities like cloud providers might need to take additional steps to maintain security. The same would likely be true for utility, telecommunications and transportation businesses.


However, it’ll take a while to implement even once the Biden administration’s plan is officially published. That gives all affected companies time to make any necessary adjustments, regardless of whether they’re categorized as critical infrastructure providers.

People working at businesses highly likely to need stronger cybersecurity under the new strategy should consider consulting with cybersecurity experts. Those parties can advise them about where gaps remain and how the business is already doing well by following best practices for security.

Big changes lie ahead for U.S. cybersecurity policies and practices. The previewed content of cybersecurity plans from the Biden administration indicates people should expect significant shifts from what past leaders have tried. However, even once the details of this cybersecurity strategic plan are publicized, it’ll take a while before whatever’s different is widely adopted. Business leaders should be ready to act but refrain from making any relevant decisions before getting the details straight from the source.

About the essayist: Shannon Flynn is managing editor of ReHack Magazine. She writes about IoT, biztech, cybersecurity, cryptocurrency & blockchain, and trending news.

When a company announces layoffs, one of the last things most employees or even company owners worry about is data loss.

Related: The importance of preserving trust in 2023

Valuable or sensitive information on a computer is exposed to theft or compromise. This can happen due to intentional theft, human error, malware, or even physical destruction of servers. But it’s a real and growing risk to be aware of.

In 2020, Forbes reported that pandemic layoffs and remote work served to increase the risk of company data loss. Tesla, for example, suffered two cybersecurity events after layoffs back in 2018.

Data loss isn’t necessarily spiteful. Imagine an employee creates a spreadsheet showing all your clients and the main points of contact for each. She updates this sheet, but forgets to share it internally.

She gets laid off, and she takes the spreadsheet with her because she believes that the work she created at her job belongs to her. This may sound like an edge case, but a survey by Biscom found that 87 percent of employees took data that they themselves had created from their last job.

Data theft can also be deliberate and malicious. That same employee might use that spreadsheet as a bargaining chip in securing a new job with your competitor.

Data theft can also happen as a result of hackers. In the infamous 2014 Sony hack, an employee moving from Deloitte to Sony allegedly took sensitive data with him when he left. It is believed that the employee was storing employee information from both Sony and Deloitte in his computer, leading to the salaries of 30,000 Deloitte employees being leaked.

Data loss prevention is a concept that’s been around since the ‘90s, but in the age of AI, machine learning, natural language processing, and all those other fun new buzzwords, it’s taken on new relevance and significance.

With relaxed security measures due to remote work, disgruntled employees due to sudden mass layoffs, and logistical oversights due to reorganization, company data can fall through the cracks. To keep up, companies need to use technology to ensure their most important asset, their information, is safe.

Consolidated visibility


The first step is to know what you have. Then you can work on protecting it.

That’s why the first step in any layoff-proof data loss prevention strategy has to be the collection and categorization of all the company data that exists. This is both easier and harder thanks to a distributed system of information.

Data might be in spreadsheets, on Slack, on OneDrive, in custom databases, or any other number of off-premises cloud systems.

The best way to consolidate all that info is to use machine learning and artificial intelligence. First, identify all potential sources of data. You might also want to ensure you’re scanning all emails going in and out of the company.

Then, companies need to set up rules that tell the AI which kind of data each item is. For example, one priority is identifying personally identifiable information of your customers. You don’t want that leaving your data warehouses.

Another example is any kind of proprietary algorithm or system. For instance, if you’re Equifax, you don’t want any employee able to leave with your credit score algorithm.

Using a combination of AI and ML, you should be able to put together a comprehensive catalog of all company data.
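As an added illustration of the rule-setting step above (this is not Cognni’s product code and not code from the essay), here is a small rule-based classifier: it scans constructed sample documents for customer PII and proprietary-material markers, applies a Luhn check so that ordinary 16-digit order numbers are not mislabelled as card numbers, and assigns each file a sensitivity label for the inventory. The regexes, label names, thresholds and sample files are all assumptions made for this example; a production system would layer ML models on top of rules like these.

```python
"""Rule-based data classifier: an added illustration, not Cognni's product code.

Scans documents for the kinds of content the essay wants catalogued (customer
PII, proprietary material) and assigns a sensitivity label so the inventory
exists before any layoff-related access changes. Patterns, labels and sample
documents are constructed for this example.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # US SSN shape
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")        # 13-16 digits, optional separators
MARKER_RE = re.compile(r"\b(?:proprietary|trade secret)\b", re.IGNORECASE)


class Finding(NamedTuple):
    kind: str    # "email" | "ssn" | "card" | "marker"
    value: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other digit runs that merely
    look like card numbers, which keeps false positives out of the inventory."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Tuple[str, List[Finding]]:
    """Return (sensitivity label, findings) for one document."""
    findings = [Finding("email", m.group()) for m in EMAIL_RE.finditer(text)]
    findings += [Finding("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                  # only checksum-valid numbers count as cards
            findings.append(Finding("card", digits))
    findings += [Finding("marker", m.group()) for m in MARKER_RE.finditer(text)]

    kinds = {f.kind for f in findings}
    if kinds & {"ssn", "card"}:
        label = "restricted"                 # regulated identifiers: must not leave the warehouse
    elif kinds & {"email", "marker"}:
        label = "confidential"               # customer contacts or marked intellectual property
    else:
        label = "internal"
    return label, findings


SAMPLE_DOCS: Dict[str, str] = {   # constructed sample files
    "clients.csv": "Acme Corp,jane.doe@acme.example,555-0100\nGlobex,ops@globex.example,555-0199\n",
    "payroll_export.txt": "Employee 1042 SSN 123-45-6789 card 4111 1111 1111 1111",
    "model_notes.txt": "PROPRIETARY scoring model, weights v3, do not distribute",
    "order_notes.txt": "Order ref 1234 5678 9012 3456 shipped Monday",
    "lunch_menu.txt": "Tacos on Tuesday",
}


def inventory(docs: Dict[str, str]) -> Dict[str, str]:
    """Map each document name to its sensitivity label."""
    return {name: classify(text)[0] for name, text in docs.items()}


if __name__ == "__main__":
    for name, label in inventory(SAMPLE_DOCS).items():
        print(f"{label:<12} {name}")
```

The order-notes file is the instructive case: its 16-digit reference matches the card pattern but fails the Luhn check, so it stays "internal" rather than polluting the restricted set with a false positive.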

Spotting anomalies

The next step is to train the AI to spot suspicious-looking behavior. For example, you might set it up so that when an employee starts downloading massive amounts of data, that gets flagged as suspicious.

You might also need to use technology that can use optical character recognition (OCR). For example, imagine instead of sharing that customer spreadsheet, our laid-off employee just takes a screenshot of it and emails it to herself.

Unless your data loss prevention strategy has OCR to read what screenshots contain, you’d never be able to know that she walked off with that spreadsheet unless you manually went through every single one of her emails.

You also have to take steps to stop data loss from happening. For example, your system should include a rule to automatically log out any users downloading a high number of files. It should also limit access for any soon-to-be laid off employees to sensitive material.

And finally, in the case of non-malicious theft, you should be able to quickly scan any employee-generated data to ensure files like comprehensive customer databases don’t get lost just because nobody knows they exist.

One major component of data loss prevention is to map the organization’s critical information. With a map of who has access to what, the knowledge is less likely to get lost when employees move on. This enables companies to classify the information and prevent data loss, or at least educate employees not to take data with them to their next job.

You should also have set up your system to flag suspicious events, such as the mass downloading of files, laid-off employees sending lots of emails, or people logging in from unusual locations.
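The flagging rules just listed, written out as an added Python example (not Cognni’s code and not from the essay). It assumes a constructed audit-log line format of `timestamp,user,event,detail,country`, a per-user baseline of usual login countries, a list of departing users, and threshold values chosen for the illustration; each alert carries the containment action the essay suggests, such as ending the session of a user who is bulk-downloading files and blocking a departing user’s access to restricted material.

```python
"""Detection rules over constructed access-audit lines (added example; not Cognni's code).

Each line is "timestamp,user,event,detail,country", a format constructed for this
illustration. The detector flags the events the essay names: bulk downloads,
out-of-pattern login locations, and departing employees bursting outbound mail or
touching restricted files, and pairs each alert with a containment action.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    kind: str     # "login" | "download" | "email_out"
    detail: str   # file path, recipient address, or "-"
    country: str


class Alert(NamedTuple):
    ts: datetime
    user: str
    rule: str
    action: str


WINDOW = timedelta(minutes=10)   # sliding window for rate rules (assumed tuning values)
DOWNLOAD_LIMIT = 20              # files per window before the session is cut
EMAIL_LIMIT = 15                 # outbound mails per window for a departing user
RESTRICTED_PREFIX = "/restricted/"


def parse_line(line: str) -> Event:
    ts, user, kind, detail, country = line.strip().split(",")
    return Event(datetime.fromisoformat(ts), user, kind, detail, country)


class Detector:
    def __init__(self, baseline_countries: Dict[str, Set[str]], departing: Set[str]):
        self.baseline = baseline_countries      # usual login countries per user
        self.departing = departing              # users on the layoff list
        self.windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self.raised: Set[Tuple[str, str]] = set()  # (user, rule) already alerted

    def _rate(self, user: str, kind: str, ts: datetime) -> int:
        """Count this user's events of one kind inside the trailing window."""
        q = self.windows[(user, kind)]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def _alert(self, ev: Event, rule: str, action: str, out: List[Alert]) -> None:
        if (ev.user, rule) not in self.raised:   # one alert per user and rule
            self.raised.add((ev.user, rule))
            out.append(Alert(ev.ts, ev.user, rule, action))

    def process(self, ev: Event) -> List[Alert]:
        out: List[Alert] = []
        if ev.kind == "login" and ev.country not in self.baseline.get(ev.user, set()):
            self._alert(ev, "unusual_location", "step_up_auth_and_review", out)
        if ev.kind == "download":
            if ev.user in self.departing and ev.detail.startswith(RESTRICTED_PREFIX):
                self._alert(ev, "departing_user_restricted_access", "block_and_notify", out)
            if self._rate(ev.user, "download", ev.ts) > DOWNLOAD_LIMIT:
                self._alert(ev, "mass_download", "terminate_session", out)
        if ev.kind == "email_out":
            if ev.user in self.departing and self._rate(ev.user, "email_out", ev.ts) > EMAIL_LIMIT:
                self._alert(ev, "departing_user_email_burst", "hold_for_review", out)
        return out


def run(lines: List[str], detector: Detector) -> List[Alert]:
    alerts: List[Alert] = []
    for line in lines:
        alerts.extend(detector.process(parse_line(line)))
    return alerts


def build_sample_log() -> List[str]:
    """Constructed audit lines: a normal login, a login from an unusual country,
    then a departing user pulling 25 restricted files and mailing 20 messages out."""
    base = datetime(2023, 3, 1, 9, 0)
    lines = ["2023-03-01T08:55:00,alice,login,-,US",
             "2023-03-01T08:58:00,carol,login,-,BR"]
    for i in range(25):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts},bob,download,{RESTRICTED_PREFIX}customers_{i}.xlsx,US")
    for i in range(20):
        ts = (base + timedelta(minutes=6, seconds=15 * i)).isoformat()
        lines.append(f"{ts},bob,email_out,bob.home@mail.example,US")
    return lines


BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}   # assumed per-user baseline
DEPARTING = {"bob"}                                            # assumed layoff list


if __name__ == "__main__":
    for a in run(build_sample_log(), Detector(BASELINE, DEPARTING)):
        print(a.ts.isoformat(), a.user, a.rule, "->", a.action)
```

The deduplication set matters in practice: without it, a 25-file pull would raise five separate mass-download alerts and a departing user would trip the restricted-access rule on every file, burying the analyst who has to act on them.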

Your final step is to patch those holes. With AI on the case, it will auto-recognize suspicious events and take care of them. You can also be assured that important or sensitive information won’t fall through the cracks of mass layoffs.

Data loss is a real threat. Make sure your company is up to the job of handling it.

About the essayist: Guy Eisdorfer is the co-founder and CEO of Cognni, a supplier of AI-powered data classification systems and other security products to enterprises and SMBs.


Consolidated visibility

Rittman

The first step is to know what you have. Then you can work on protecting it.

That’s why the first step in any layoff-proof data loss prevention strategy has to be the collection and categorization of all the company data that exists. This is both easier and harder thanks to a distributed system of information.

Data might be in spreadsheets, on Slack, on OneDrive, in custom databases, or any other number of off-premises cloud systems.

The best way to consolidate all that info is to use machine learning and artificial intelligence. First, identify all potential sources of data. You might also want to ensure you’re scanning all emails going in and out of the company.

Then, companies need to set up rules to determine what the AI identifies as what kind of data. For example, one priority is identifying personally identifiable information of your customers. You don’t want that leaving your data warehouses.

Another example is any kind of proprietary algorithm or system. For instance, if you’re Equifax, you don’t want any employee able to leave with your credit score algorithm.

Using a combination of AI and ML, you should be able to put together a comprehensive catalog of all company data.
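As an added illustration of the rule-setting and cataloguing steps above (example code written for this page, not Cognni's or GBT Technologies' tooling), the Python below labels documents by the sensitive content it finds and produces a catalog entry per source. The regex patterns, the category names, the "proprietary" marking words and the three sensitivity tiers are assumptions; a real deployment would tune them against its own data and the regulations it is subject to.

```python
"""Rule-based data classification for a DLP catalog (added example).

Scans text extracted from documents (spreadsheet exports, chat logs, mailbox
or database dumps) and labels each one by the kinds of sensitive content it
contains. The detector patterns and sensitivity tiers are illustrative
assumptions, not any vendor's rule set.
"""
import re
from dataclasses import dataclass, field

# Detector patterns. Each is deliberately conservative; tune against real data.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
US_SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # candidate card numbers, verified by Luhn
# Assumed internal markings for trade-secret material (e.g. a scoring algorithm).
PROPRIETARY_RE = re.compile(r"\b(?:CONFIDENTIAL|TRADE SECRET|INTERNAL ONLY)\b", re.I)


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class CatalogEntry:
    source: str
    categories: set = field(default_factory=set)
    sensitivity: str = "public"


def classify(source: str, text: str) -> CatalogEntry:
    """Apply every detector to one document and derive its sensitivity tier."""
    entry = CatalogEntry(source=source)
    if EMAIL_RE.search(text):
        entry.categories.add("pii:email")
    if US_SSN_RE.search(text):
        entry.categories.add("pii:ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            entry.categories.add("pci:card")
            break
    if PROPRIETARY_RE.search(text):
        entry.categories.add("proprietary")
    # Assumed policy: SSNs, card numbers or trade-secret markings make a
    # document "restricted"; any other PII makes it "confidential".
    if entry.categories & {"pii:ssn", "pci:card", "proprietary"}:
        entry.sensitivity = "restricted"
    elif entry.categories:
        entry.sensitivity = "confidential"
    return entry


def build_catalog(documents: dict) -> dict:
    """Map each source path to its classified catalog entry."""
    return {src: classify(src, text) for src, text in documents.items()}


# Constructed sample documents standing in for a OneDrive export, a Slack log
# and two database dumps. None of this is real data.
SAMPLE_DOCUMENTS = {
    "onedrive/clients.csv": "Acme Corp,jane.doe@example.com,555-0100\nGlobex,pat@example.org,555-0199",
    "slack/general.txt": "lunch at noon? the demo went well",
    "db/payroll.sql": "INSERT INTO staff VALUES ('R. Roe', '123-45-6789', 'CONFIDENTIAL');",
    "db/orders.sql": "INSERT INTO cards VALUES ('4111 1111 1111 1111');",
}

if __name__ == "__main__":
    for e in build_catalog(SAMPLE_DOCUMENTS).values():
        print(f"{e.source:22} {e.sensitivity:12} {sorted(e.categories)}")
```

The Luhn check matters: a bare 16-digit regex flags order numbers and ticket ids as card data, which buries real findings in noise. Catalog entries keyed by source are what later steps (access mapping, leaver checks) consume.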

Spotting anomalies

The next step is to train the AI to spot suspicious-looking behavior. For example, you might set it up so that when an employee starts downloading massive amounts of data, that gets flagged as suspicious.

You might also need to use technology that can use optical character recognition (OCR). For example, imagine instead of sharing that customer spreadsheet, our laid-off employee just takes a screenshot of it and emails it to herself.

Unless your data loss prevention strategy has OCR to read what screenshots are, you’d never be able to know that she walked off with that spreadsheet unless you manually went through every single one of her emails.

You also have to take steps to stop data loss from happening. For example, your system should include a rule to automatically log out any users downloading a high number of files. It should also limit access to sensitive material for any soon-to-be laid-off employees.

And finally, in the case of non-malicious theft, you should be able to quickly scan any employee-generated data to ensure files like comprehensive customer databases don’t get lost just because nobody knows they exist.

One major component of data loss prevention is to map the organization’s critical information. With a map of who has access to what, the knowledge is less likely to get lost when employees move on. This enables companies to classify the information and prevent data loss, or at least educate employees not to take data with them to their next job.

You should also have set up your system to flag suspicious events, such as the mass downloading of files, laid-off employees sending lots of emails, or people logging in from unusual locations.

Your final step is to patch those holes. With AI on the case, it will auto-recognize suspicious events and take care of them. You can also be assured that important or sensitive information won’t fall through the cracks of mass layoffs.
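To make the flagging and response steps concrete, here is an added Python example (not code from the essay or from any vendor) that runs three detectors over constructed audit-log records: a sliding-window mass-download rule, an unusual-login-location rule, and an outbound-mail rule scoped to users on a departing-employee list. Each alert carries a response action of the kind the essay describes (logging the user out, restricting access). The log format, thresholds, corporate domain and action names are all assumptions made for this example.

```python
"""Flagging suspicious activity in an audit log (added example).

Detectors run over constructed log records of the form
    <ISO timestamp> <user> <event> key=value ...
  * mass_download    - more than DOWNLOAD_LIMIT downloads by one user inside a
                       sliding DOWNLOAD_WINDOW
  * unusual_location - a login from a country missing from that user's baseline
  * departing_exfil  - a user on the departing list mailing attachments to an
                       external domain OUTBOUND_MAIL_LIMIT times
Thresholds, the log format, the corporate domain and the response action
names are assumptions for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

DOWNLOAD_LIMIT = 20
DOWNLOAD_WINDOW = timedelta(minutes=10)
OUTBOUND_MAIL_LIMIT = 5
CORP_DOMAIN = "corp.example"          # assumed internal mail domain


@dataclass
class Alert:
    when: datetime
    user: str
    rule: str
    detail: str
    action: str


def parse(line: str):
    """Split one record into timestamp, user, event and a key=value dict."""
    ts, user, event, *rest = line.split()
    details = dict(kv.split("=", 1) for kv in rest)
    return datetime.fromisoformat(ts), user, event, details


def run_detectors(lines, baseline_countries, departing):
    alerts = []
    downloads = defaultdict(deque)       # user -> download timestamps inside the window
    outbound = defaultdict(int)          # user -> external mails carrying attachments
    already_flagged = set()              # (user, rule) pairs, so a burst alerts once
    for line in lines:
        ts, user, event, d = parse(line)
        if event == "download":
            window = downloads[user]
            window.append(ts)
            while ts - window[0] > DOWNLOAD_WINDOW:   # drop timestamps older than the window
                window.popleft()
            if len(window) > DOWNLOAD_LIMIT and (user, "mass_download") not in already_flagged:
                already_flagged.add((user, "mass_download"))
                alerts.append(Alert(ts, user, "mass_download",
                                    f"{len(window)} downloads within {DOWNLOAD_WINDOW}",
                                    "revoke_session"))
        elif event == "login":
            if d.get("country") not in baseline_countries.get(user, set()):
                alerts.append(Alert(ts, user, "unusual_location",
                                    f"login from {d.get('country')}", "require_mfa"))
        elif event == "mail_out" and user in departing:
            domain = d.get("to", "").rpartition("@")[2]
            if "attachment" in d and domain != CORP_DOMAIN:
                outbound[user] += 1
                if outbound[user] == OUTBOUND_MAIL_LIMIT:
                    alerts.append(Alert(ts, user, "departing_exfil",
                                        f"{outbound[user]} attachments mailed to {domain}",
                                        "hold_outbound_mail"))
    return alerts


def constructed_log() -> list:
    """Sample records for one morning. No real users, files or addresses."""
    base = datetime(2023, 3, 1, 9, 0, 0)
    lines = [
        "2023-03-01T09:00:00 alice login country=US",
        "2023-03-01T09:01:00 bob login country=RO",
        "2023-03-01T09:02:00 carol login country=US",
    ]
    # alice pulls 25 files in about eight minutes, a burst a normal workday never shows
    for i in range(25):
        t = base + timedelta(minutes=5, seconds=20 * i)
        lines.append(f"{t.isoformat()} alice download file=report-{i}.xlsx")
    # carol, who is on the layoff list, mails six attachments to a personal address
    for i in range(6):
        t = base + timedelta(minutes=30 + i)
        lines.append(f"{t.isoformat()} carol mail_out to=carol.home@example.net attachment=clients-{i}.csv")
    lines.append("2023-03-01T09:40:00 bob download file=handbook.pdf")
    return lines


SAMPLE_LOG = constructed_log()
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}   # per-user login baseline
DEPARTING = {"carol"}                                           # assumed layoff list

if __name__ == "__main__":
    for a in run_detectors(SAMPLE_LOG, BASELINE, DEPARTING):
        print(f"{a.when.isoformat()} {a.user:6} {a.rule:17} {a.detail} -> {a.action}")
```

The departing list is the piece most teams forget to wire in: the same outbound mail from a long-tenured employee is routine, from someone with a termination date next week it is the case the essay describes.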

Data loss is a real threat. Make sure your company is up to the job of handling it.

About the essayist: Dr. Danny Rittman is the CTO of GBT Technologies, a solution crafted to enable the rollout of IoT (Internet of Things), global mesh networks, artificial intelligence and applications relating to integrated circuit design.

Massively interconnected digital services could someday soon save the planet and improve the lives of one and all.

Related: Focusing on security leading indicators

But first, enterprises and small businesses, alike, must come to grips with software vulnerabilities that are cropping up – and being exploited – at a blistering pace.

Innovative vulnerability management solutions are taking shape to meet this challenge. One of the newest and most promising spins out of the emerging discipline of machine learning operations, or MLOps.

One supplier in the thick of this development is a Seattle-based start-up, Protect AI.

Guest expert: D Dehghanpisheh, co-founder and CRO, Protect AI

I had the chance recently to visit with Daryan Dehghanpisheh, whose professional experience prior to co-founding Protect AI includes four years as the Global Leader of AI/ML Solution Architects at Amazon Web Services.

Protect AI launched in December 2022 with a $13.5 million seed round stake, co-led by Acrew Capital and boldstart ventures, on the basis of developing advanced tools to protect AI systems and machine learning models.

We discussed how the fledgling field of MLSecOps parallels the arrival and maturation of DevSecOps. “DevSecOps is putting security at the heart of everything you do from a DevOps perspective,” Dehghanpisheh told me. “We want to do the same thing with MLOps . . . treat security as an integral part of development, not just as an afterthought.”

For a full drill down on how Protect AI hopes to mainstream MLSecOps – and how that could accelerate the arrival of massively interconnected digital systems — please give the accompanying podcast a listen.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)


To get network protection where it needs to be, legacy cybersecurity vendors have begun reconstituting traditional security toolsets.

The overarching goal is to try to derive a superset of very dynamic, much more tightly integrated security platforms that we’ll very much need, going forward.

Related: The rise of security platforms

This development has gained quite a bit of steam over the past couple of years with established vendors of vulnerability management (VM), endpoint detection and response (EDR) and identity and access management (IAM) solutions in the vanguard.

And this trend is accelerating as 2023 gets underway. DigiCert’s launch today of Trust Lifecycle Manager is a case in point. I had the chance to get briefed about this all-new platform, which provides a means for companies to comprehensively manage their Public Key Infrastructure (PKI) implementations along with the associated digital certificates.

I visited with Brian Trzupek, DigiCert’s senior vice president of product. As a leader of digital trust, DigiCert is best known as a Certificate Authority (CA) and a supplier of services to manage PKI. We drilled down on why getting a much better handle on PKI has become vital in a massively interconnected operating environment. DigiCert’s new solution is designed to “unify PKI services, public trust issuance and CA-agnostic certificate lifecycle management,” he told me.

Here are the main takeaways from our discussion:

PKI sprawl

Where would we be without PKI, the framework used to issue and manage digital certificates? We’ve come to rely on PKI to validate and authenticate all connections on websites and mobile apps – as well as all of the internal IT activity, company-to-company, that supports the digital services we now take for granted.

PKI is robust and ubiquitous; and it’s destined to serve that same essential role — as a linchpin validation and authentication mechanism – the further we progress into massively interconnected, highly interoperable digital services.

First, however, PKI sprawl must be mitigated, Trzupek argues. The problem looks something like this, he says: In today’s operating environment, PKI payloads arrive moment-to-moment from myriad sources: to and from web portals and mobile apps; in between cloud vs. on-premises IT infrastructure; up and down the software development supply chain. What’s more, digital certificates can get issued by different CAs, or by components manufacturers, or even internally by the enterprise itself.

Trzupek

“You’ve got this big, dynamic spaghetti of stuff coming into the network and interacting, using PKI to authenticate and there is very little the enterprise actually controls,” Trzupek observes. “Often times, the company doesn’t even realize all of these PKI interactions are taking place until something breaks and there’s an outage.”

Outages and attacks

DigiCert’s newest service, Trust Lifecycle Manager, tackles this connections chaos head on, by establishing a hub into which all PKI validation routines can get inventoried and continually managed.

The reduced risk of a major outage caused by an expiring digital certificate alone should grab attention. Just ask Epic Games. An expired certificate triggered an outage that caused Fortnite, its cash-cow video game, to go dark for several hours.

And then there’s the risk of ransomware purveyors or a nation state-backed spy flushing out and exploiting a weak seam in an obscure PKI connection, instigating a nightmare scenario. Just ask SolarWinds.

The SolarWinds attackers, believed to be Russian-backed, had to have subverted PKI at multiple levels. They were able to gain control of the build process that SolarWinds used to create and automatically issue software updates to its bread-and-butter Orion network management tool. This enabled the attackers to subsequently breach the networks of 18,000 Orion users.

PKI outages and attacks happen much more often than gets publicly disclosed, Trzupek says. The fundamental reason, he says, is the non-existence, at this point in time, of a practical way to compile a comprehensive PKI inventory across a typical enterprise.

“The guy who’s running identity access management is different than the guy in charge of encryption or the guy running DevOps,” he says. “And they’re not talking to each other . . . the encryption guys might be well-versed in PKI management policy, but the DevOps guys probably aren’t – and even if they were, they’re focused on getting code out and moving workloads as fast as possible.”

Taking a platform approach

With Trust Lifecycle Manager, DigiCert is making a lane change from a product company to a platform company. This new offering is something truly unique – a comprehensive service designed to foster centralized monitoring and management of all digital certificates throughout an enterprise. To start, DigiCert is partnering with Microsoft Azure, Amazon Web Services and Google Cloud to integrate PKI telemetry generated by those top-tier cloud infrastructure providers.

On the horizon, Trust Lifecycle Manager will be able to receive and process PKI-related telemetry originating from just about any private or public source, Trzupek told me.

“We already have about 100 integrations and later this year we’ll be opening up publicly so that anybody can come in and ride on top of the system,” Trzupek says.

By leveraging APIs, DigiCert intends to make it possible to “glue in without any help from us,” he says. “The idea is to create a centralized hub where you can see all those digital trust assets across the environment, regardless of where they are.”
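The inventory hub Trzupek describes boils down to normalising certificate records from many sources into one schema and alerting on a handful of conditions. As an added example (not DigiCert code, and not a model of Trust Lifecycle Manager's internals), the Python below merges three constructed feeds with different field names and date formats, deduplicates them by certificate fingerprint, and reports certificates that are expired, expiring inside a warning window, issued by a CA not on the approved list, or present in more than one source. The feed formats, the approved-CA list, the 30-day window and the "today" date are assumptions made for the example.

```python
"""Consolidating a certificate inventory from several feeds (added example).

Three adapters turn records exported by different systems into one CertRecord
schema keyed by SHA-256 fingerprint; findings() then applies the checks a
lifecycle manager alerts on. Feed formats, approved issuers, the warning
window and the fingerprints are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed policy: CAs the enterprise has sanctioned, and the expiry warning window.
APPROVED_ISSUERS = {"CN=Example Public CA G1", "CN=Corp Internal Issuing CA 2"}
WARN_DAYS = 30
NOW = datetime(2023, 3, 1, tzinfo=timezone.utc)   # assumed "today" for the report


@dataclass
class CertRecord:
    fingerprint: str          # SHA-256, lowercase hex, no separators
    subject: str
    issuer: str
    not_after: datetime       # timezone-aware UTC
    seen_in: set = field(default_factory=set)


def _fp(raw: str) -> str:
    """Normalise fingerprints that arrive as 'AA:BB:...' or as plain hex."""
    return raw.replace(":", "").lower()


# One adapter per feed format. The field names mimic the kind of export each
# system produces but are invented for this example.
def from_cloud_lb(rec: dict) -> CertRecord:
    when = datetime.fromisoformat(rec["expires"].replace("Z", "+00:00"))
    return CertRecord(_fp(rec["sha256"]), rec["domain"], rec["issuer"], when)


def from_ca_export(rec: dict) -> CertRecord:
    when = datetime.strptime(rec["notAfter"], "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return CertRecord(_fp(rec["thumbprint"]), rec["subject"], rec["issuer_dn"], when)


def from_network_scan(rec: dict) -> CertRecord:
    when = datetime.fromtimestamp(rec["expiry_epoch"], tz=timezone.utc)
    return CertRecord(_fp(rec["fp"]), rec["cn"], rec["issuer"], when)


# Constructed feeds: (source name, adapter, records). Fingerprints are placeholders.
FEEDS = [
    ("aws-elb", from_cloud_lb, [
        {"domain": "www.example.com", "issuer": "CN=Example Public CA G1",
         "expires": "2023-03-20T00:00:00Z", "sha256": "a1" * 32},
    ]),
    ("internal-ca", from_ca_export, [
        {"subject": "CN=vpn.corp.example", "issuer_dn": "CN=Corp Internal Issuing CA 2",
         "notAfter": "Jan 01 00:00:00 2024 GMT", "thumbprint": ":".join(["B2"] * 32)},
        {"subject": "CN=build.corp.example", "issuer_dn": "CN=Corp Internal Issuing CA 2",
         "notAfter": "Feb 15 00:00:00 2023 GMT", "thumbprint": ":".join(["D4"] * 32)},
    ]),
    ("network-scan", from_network_scan, [
        {"host": "10.0.0.5", "fp": "a1" * 32, "cn": "www.example.com",
         "issuer": "CN=Example Public CA G1", "expiry_epoch": 1679270400},   # 2023-03-20
        {"host": "10.0.0.9", "fp": "c3" * 32, "cn": "dev-api.corp.example",
         "issuer": "CN=Dev Team Self-Signed", "expiry_epoch": 1685577600},   # 2023-06-01
    ]),
]


def consolidate(feeds) -> dict:
    """Merge every feed into one inventory keyed by fingerprint, tracking sources."""
    inventory = {}
    for source, adapter, records in feeds:
        for raw in records:
            rec = adapter(raw)
            inventory.setdefault(rec.fingerprint, rec).seen_in.add(source)
    return inventory


def findings(inventory: dict, now: datetime) -> list:
    """Return (fingerprint, condition) pairs a lifecycle manager would raise."""
    out = []
    for fp, rec in sorted(inventory.items()):
        days_left = (rec.not_after - now).days
        if days_left < 0:
            out.append((fp, "expired"))
        elif days_left <= WARN_DAYS:
            out.append((fp, "expiring"))
        if rec.issuer not in APPROVED_ISSUERS:
            out.append((fp, "unapproved_issuer"))
        if len(rec.seen_in) > 1:
            out.append((fp, "multi_source"))
    return out


if __name__ == "__main__":
    inv = consolidate(FEEDS)
    for fp, condition in findings(inv, NOW):
        print(f"{fp[:16]}... {inv[fp].subject:24} {condition}")
```

Keying on the fingerprint rather than the subject name is what makes the "multi_source" finding possible: the same certificate deployed on a load balancer and found again by a network scan is one asset with two locations, not two assets, and that is exactly the visibility the interview says enterprises lack today.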

The Internet of Everything lies ahead — and brims with promise. A radical new approach, supported by bold new security platforms, coming at it from several angles, must take hold. That’s how we’ll be able to protect company networks, and preserve individual privacy, in a massively interconnected, highly interoperable digital world.

I’ll keep watch and keep reporting.


As the world becomes more digital and connected, it is no surprise that data privacy and security are a growing concern for small to medium-sized businesses — SMBs.

Related: GDPR sets new course for data privacy

Large corporations tend to have the resources to deal with compliance issues. However, SMBs can struggle with the expense and execution of complying with data security laws in many countries.

Organizations with 500 or fewer employees have many positive attributes, such as their ability to make fast decisions and avoid bureaucracy that can slow down larger enterprises. But this same characteristic can also be a disadvantage, as SMBs often lack the resources and expertise to keep up with complex regulations.

Let’s look at some of the challenges faced by SMBs in today’s data privacy landscape.

Scarce resources

It’s often difficult for small businesses to invest significantly in data privacy compliance or security measures because they don’t have large budgets. In fact, many SMBs have to choose between investing in new technology and making payroll. This can make it difficult for them to keep up with the latest security measures and technologies that could protect their data or prevent a breach.

Damodaran

An SMB may not have the time or resources to properly implement the robust security policies and procedures needed to comply with numerous regulations. That means there will likely be gaps in their data protection measures that could leave them vulnerable to cyberattacks.

It should be no surprise that data security regulations are on the rise. There is increasing regulatory pressure on SMBs to protect their employees’ and customers’ sensitive data. For instance, any direct contact with European suppliers, partners or customers requires taking steps towards complying with GDPR regulations.

DPIA starting point

A Data Privacy Impact Assessment, or DPIA, is a formal assessment of the privacy risks of your data processing activities. The purpose of conducting a DPIA is to identify and assess the potential impact of these risks on individuals’ rights and freedoms from your proposed processing operations.

A DPIA requires a thorough review of any personal data collected and stored, including who specifically controls the data and who has access at any given time. It also takes into consideration the reasons why the data was collected in the first place, and examines the reasons why personal data is stored; in short, it examines numerous parameters related to collecting and holding personal data.

Paths to compliance

By performing this type of assessment, businesses can better understand their responsibilities for protecting personal information, as well as assess their ability to do so. This should naturally lead to an SMB putting plans in motion to achieve compliance — by embracing robust cyber hygiene policies and procedures.

There are many kinds of tools and services that can help any SMB down this path. The core idea is to help the company continually improve how it monitors data flow and trains staff to be alert to cyber threats in order to identify suspicious network activity — before it becomes a problem.

Data protection is an ongoing process. DPIAs can get an SMB off to a good start. But maintaining a security posture that not just meets compliance but effectively protects the organization over the long run is a never ending task. It’s important to continually assess security posture and take corrective action when necessary.

Neumetric helps organizations perform DPIAs as well as numerous other types of cybersecurity and cyber risk assessments, in addition to security awareness training for employees. Our services revolve around helping organizations achieve security compliance and certifications such as EU GDPR compliance.

About the essayist: Bipin Damodaran is a Certified Ethical Hacker and a member of the security team at Neumetric, a cybersecurity vendor that helps organisations bolster their information security by creating a secure operating environment.