Eagle Eye Networks shared the trends that will have the biggest impact on video surveillance, security, and the use of analytics to drive business intelligence and improvement in 2021.

Customers are asking for cloud

The benefits of the shift to cloud in the video surveillance space are powerful and undeniable, including major cost savings, heightened data security, remote access and maintenance, flexible storage and retention, scalability, increased stability, and disaster recovery. Analytics and AI turn security …
The biggest security concerns facing businesses are data leaking through endpoints (27%), loss of visibility of user activity (25%) and maintaining compliance with regulatory requirements (24%), DTEX Systems reveals. These concerns are followed by access from outside the perimeter (23%) and remote access to core business apps (18%) such as email and collaboration.

Few companies prepared to secure and support a shift to remote work

The report also found that only 30% of companies surveyed …
The post Only 30% prepared to secure a complete shift to remote work appeared first on Help Net Security.
More than 45 million medical images – including X-rays and CT scans – are left exposed on unprotected servers, a CybelAngel report reveals.
The analysts discovered millions of sensitive images, including personal healthcare information (PHI), were available unencrypted and without password protection.
No need for a username or password
The analysts found that openly available medical images, including up to 200 lines of metadata per record containing PII (personally identifiable information; name, birth date, address, etc.) and PHI (height, weight, diagnosis, etc.), could be accessed without the need for a username or password. In some instances, login portals accepted blank usernames and passwords.
“The fact that we did not use any hacking tools throughout our research highlights the ease with which we were able to discover and access these files,” says David Sygula, Senior Cybersecurity Analyst at CybelAngel.
“This is a concerning discovery and proves that more stringent security processes must be put in place to protect how sensitive medical data is shared and stored by healthcare professionals. A balance between security and accessibility is imperative to prevent leaks from becoming a major data breach.”
Todd Carroll, CybelAngel CISO further commented, “Medical centers work with a vast, interconnected web of third-party providers and the cloud is an essential platform for sharing and storing data. However, gaps in security, such as this, present a huge risk, both for the individuals whose data is compromised and the healthcare institutions that are governed by regulations to protect patients’ data.
“The health sector has faced unprecedented challenges this year, however the security and privacy of their patients’ most personal records must be protected, to prevent highly confidential data falling into the wrong hands.”
Security risks of publicly accessible images
The report highlights the security risks of publicly accessible images containing highly personal information, including ransomware and blackmail. Fraud is a particular risk, as this type of imagery fetches a premium on the dark web.
Simple steps that healthcare facilities can take to safeguard the way they share and store data include:
- Determine if pandemic response exceeds your security policies: Ad hoc NAS devices, file-sharing apps and contractors may take data beyond your ability to enforce access controls.
- Ensure proper network segmentation of connected medical imaging equipment: Minimize any exposure critical diagnostic equipment and supporting systems have to wider business or public networks.
- Conduct a real-world audit of third-party partners: Assess which parties may be unmanaged or not in compliance with required policies and protocols.
Two weeks ago, the Supreme Court heard oral arguments in Van Buren vs. United States, the landmark case over the Computer Fraud and Abuse Act (CFAA). Nathan Van Buren, the petitioner in the case, is a former police officer in Georgia who used his lawful access to a police license plate database to look someone up in exchange for money. Van Buren was indicted and convicted of violating the CFAA for using his legal access to the database in a way it was not intended.
The fundamental question presented to the Supreme Court is whether someone who has authorized access to a computer violates federal law if he or she accesses the same information in an unauthorized way. While the question may seem trivial, this is a welcome and long overdue court case that could have a major impact on security researchers, consumers, and corporations alike.
Intended as the United States’ first anti-hacking law, the CFAA was enacted almost thirty-five years ago, long before lawyers and technologists had any sense of how the Internet would proliferate and evolve. In fact, the Act is outdated enough that it specifically excludes typewriters and portable hand-held calculators as a type of computer.
Since its inception, it has been applied to everything from basic terms-of-service breaches, like the infamous case of Aaron Swartz downloading articles from the digital library JSTOR, to indicting nation-state hackers and extraditing Julian Assange.
The core of the problem lies in the vague, perhaps even draconian, description of “unauthorized” computer use. While the law has been amended several times, including to clarify the definition of a protected computer, the ambiguity of unauthorized access puts the average consumer at risk of breaking federal law. According to the Ninth Circuit, you could potentially be committing a felony by sharing subscription passwords.
The stakes are particularly high for security researchers who identify vulnerabilities for companies without safe harbor or bug bounty programs. White-hat hackers, who act in good faith to report vulnerabilities to a company before it is breached, face the same legal risks as cybercriminals who actively exploit and profit from those vulnerabilities. Say, for example, that a security researcher has identified a significant vulnerability in the pacemaker that a healthcare company produces. If the healthcare company hasn’t published a safe harbor agreement, that security researcher could face up to ten years in prison for reporting a vulnerability that could potentially save someone’s life.
On the less drastic side, security researchers who work with companies to protect their systems face legal risk in their day-to-day activities. During a penetration test, for example, a client will list assets that are “in scope” for testing, as well as state what tests are prohibited (e.g., any action that causes a denial of service and crashes a server). A penetration tester could face legal liability and prison time for inadvertently testing the wrong asset that is “out of scope”—or accidentally executing a test that breaches authorized use. Arguably, engineers could face the same legal liability if they access the wrong database or push the wrong code.
On one hand, the broad and ambiguous language of the CFAA provides robust legal protection for companies and facilitates federal resources, like the FBI, if a significant breach occurs. Some companies have argued that narrowing the scope of the CFAA would not be damaging to security programs if companies are already contracting security services, including crowdsourced programs like bug bounty. One company received pushback from the information security community when it accused MIT security researchers of acting in “bad faith” by identifying vulnerabilities in its mobile app. Some companies have argued that the difficulty of attribution, meaning the ability to accurately identify a threat actor, makes it difficult to distinguish good actors from cybercriminals.
Yet the CFAA is a reactive measure that would be enforced following an incident. Companies should ideally be focused on preventative measures to protect against a breach before it occurs. It is arguably to the detriment of companies like Voatz, which serves the public through its voting app, that the CFAA is so broad, since security researchers may choose not to investigate or report vulnerabilities due to the possibility that they could be reported to the FBI. While attribution can be incredibly difficult, good faith security researchers will always identify themselves when they report a vulnerability. Unlike malicious actors, who will exploit vulnerabilities for their own gain, security researchers act to increase the security posture of a company and protect citizens from harm.
All companies should use security services, like penetration testing, bug bounty programs, and safe harbor, to quickly identify and triage vulnerabilities. However, security researchers all have different methods for testing and may not be able to cover all of the assets that a company owns. For example, while an ethical hacker is focused on exploiting a SQL injection in a database, he or she may miss exposed credentials on the Internet that allow access into a protected server. With the rapid pace of DevSecOps, engineers could be pushing changes a dozen times—or more—in a single day.
Revolutionary changes in the structure and pace of the Internet and the software that fuels it mean that ad-hoc or occasional security testing is not enough to protect against vulnerabilities. We need the full force of security researchers, and all companies should encourage and protect their work.
Should the Supreme Court affirm Van Buren’s conviction, the legal landscape will remain largely the same. Security researchers and consumers alike will face liability despite acting in good faith, and the federal government will continue to exercise broad power over trivial and ambiguous breaches of authorized computer use.
Yet the Supreme Court now has the opportunity to limit the scope of the CFAA and restrict what the federal government can prosecute. Doing so will enhance the security of the Internet, protect security researchers, and limit the legal liability of daily Internet users who clicked through terms of services without reading them.
A lot has changed since the CFAA was first enacted in 1984. While the Supreme Court’s decision could drastically change the information security landscape, it is still not enough. As we’ve seen with the Internet of Things bill that was recently passed through the House, the United States needs modern legislation to secure the rapidly changing technology of the twenty-first century.
In short, security researchers who act in good faith are exposing themselves to huge legal risk because of the broad interpretation of CFAA. This is to the detriment of anyone who values the protection of their information. We are in dire need of reform in the United States, but in the meantime, there is hope that the Supreme Court will narrow the scope of the CFAA to protect consumers and security researchers alike.
Third-party SaaS apps (and extensions) can significantly extend the functionality and capabilities of an organization’s public cloud environment, but they can also introduce security concerns. Many have permission to read, write, and delete sensitive data, which can have a tremendous impact on security, business, and compliance risk.
Assessing the risk of these applications is the key to maintaining a balance between safety and productivity. How can organizations take advantage of these apps’ convenience while also maintaining a secure environment?
Understanding the risk
In an ideal world, each potential application or extension would be thoroughly evaluated before it is introduced into the environment. However, with most employees still working remotely and administrators having limited control over their online activity, reducing the risk of potential data loss is just as important after the fact. In most cases, the threats from third-party applications come from two different directions:
- The third-party application may try to leak your data or contain malicious code
- The application may be legitimate but be poorly written, leading to security gaps – poorly coded applications can introduce vulnerabilities that lead to data compromise
Google takes no responsibility for the safety of the applications on Marketplace, so any third-party app or extension downloaded by your employees becomes your organization’s express responsibility.
Application security best practices
While Google has a screening process for developers, users are solely responsible for compromised or lost data. Businesses must take hard and fast ownership of screening third-party apps for security best practices. What are the best practices that Google outlines for third-party application security?
- Properly evaluate the vendor or application
- Screen gadgets and contextual gadgets carefully
Google notes that you should evaluate all vendors and applications before using them in your Google Workspace environment. To analyze whether or not a vendor or application is acceptable to use from a Google Workspace security perspective before you install the application:
- Look at reviews left by customers who have downloaded and installed the third-party application. Reviews are listed for all Google Workspace Marketplace apps
- Contact the third-party application vendor directly regarding grey areas that may be questionable
The process of analyzing hundreds of applications across a large environment can create a situation that’s nearly impossible to manage. Administrators need a solution that allows them to see all the apps in their environment in one place and assess the riskiness of each, so they can easily take action on those with the most vulnerabilities.
Employee risk factors
Beyond the typical concern of unsanctioned app downloads, other security issues can occur in conjunction with employee actions.
- Sensitive data transfer – an employee installs an app that connects to the Google Workspace environment and starts migrating sensitive data from a corporate account to their personal private cloud storage account. This commonly happens when an employee decides to leave a company.
- Employee termination – When a company fires an employee, IT admins usually suspend the user account. When you suspend a Google Workspace account, all the apps still have access to sensitive data accessible by the user. This can potentially lead to a data breach.
- Compromised third-party apps – An app can be hacked by cybercriminals. Developers may not be able to quickly identify the breach before the attackers start downloading or migrating an abnormal amount of data or change the scope of permissions, which constitutes strange behavior.
As you can see, the risk of downloading external apps extends even beyond an employee’s tenure at the organization.
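The three employee-driven risks above can be triaged from an inventory of app grants. The script below is an added example, not code from the article or from any vendor product: it runs over constructed grant records (a real inventory would come from an admin export of OAuth token grants and the user directory) and flags grants that survive a suspended account, unvetted apps holding write/delete scopes, and apps moving far more data than a constructed per-app baseline.

```python
"""Risk triage for third-party app grants in a Google Workspace tenant.

Added example, not part of the original article or any vendor product.
All records below are constructed; a real inventory would be exported
from the admin console (OAuth token grants plus the user directory).
"""
from collections import defaultdict

# Scopes this tenant treats as high-risk because they allow writing or
# deleting data (assumption: the set a given tenant chooses will differ).
WRITE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/admin.directory.user",
}
BASELINE_MB_PER_DAY = 200  # constructed per-app daily transfer baseline

# Constructed user directory: address -> account status
USERS = {
    "alice@example.com": "active",
    "bob@example.com": "suspended",   # terminated; account suspended, not deleted
    "carol@example.com": "active",
}

# Constructed grant records: (user, app, scopes, vetted_by_it, mb_moved_today)
GRANTS = [
    ("alice@example.com", "Calendar Helper",
     {"https://www.googleapis.com/auth/calendar.readonly"}, True, 1),
    ("bob@example.com", "Drive Sync Pro",
     {"https://www.googleapis.com/auth/drive"}, True, 0),
    ("carol@example.com", "PDF Toolkit",
     {"https://www.googleapis.com/auth/drive"}, False, 4800),
]

SUSPENDED = "grant survives suspended account"
UNVETTED_WRITE = "unvetted app with write/delete scope"


def triage(users, grants, baseline=BASELINE_MB_PER_DAY):
    """Return (app, user, reason) findings, highest-priority reason first."""
    findings = []
    for user, app, scopes, vetted, mb in grants:
        status = users.get(user, "unknown")
        if status == "suspended":
            # Suspending the account does not revoke tokens the user granted.
            findings.append((app, user, SUSPENDED))
        if scopes & WRITE_SCOPES and not vetted:
            findings.append((app, user, UNVETTED_WRITE))
        if mb > baseline:
            # Bulk transfer relative to baseline: possible data migration
            # by a departing employee or a compromised app.
            findings.append((app, user, f"bulk transfer {mb} MB > {baseline} MB"))
    priority = {SUSPENDED: 0, UNVETTED_WRITE: 1}
    findings.sort(key=lambda f: priority.get(f[2], 2))
    return findings


def apps_to_revoke(findings):
    """Group flagged apps by user so an admin can revoke their tokens."""
    out = defaultdict(set)
    for app, user, _ in findings:
        out[user].add(app)
    return dict(out)


if __name__ == "__main__":
    for app, user, reason in triage(USERS, GRANTS):
        print(f"{user:20} {app:16} {reason}")
    print("revoke:", apps_to_revoke(triage(USERS, GRANTS)))
```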
Automated security vs. manual analysis
The number of threats, variants, complexities, hybrid networks, BYOD, and many other factors make it nearly impossible for organizations to rely on manual efforts for adequate security. Computers are simply more effective and efficient at parsing logs and correlating activities.
Humans tend to be much less detail-oriented when it comes to repetitive, monotonous tasks such as crunching numbers and examining data. Additionally, computers don’t get fatigued and can work on an ongoing basis.
Machine learning takes advantage of technology and leverages complex mathematical algorithms to learn about an environment and linked applications and recognize deviations from “normal.”
Finding a security solution powered by machine learning that includes an application assessment component is the best way for administrators to protect their cloud environments from third-party threats effectively.
A proactive technology refresh strategy and a well-integrated tech stack are, according to a recent Cisco report, two security practices that are more likely than many others to help organizations achieve goals such as keeping up with business, creating security culture, managing top risks, avoiding major incidents, and so on.
A well-integrated IT and security tech stack is the practice most conducive to retaining security talent, creating a security culture, and running cost-effectively, while a proactive tech refresh strategy will (most prominently) help achieve business goals, meet compliance regulations, avoid major incidents, and streamline IR processes.
Cisco’s report is based on a double-blind study that polled over 4,800 active IT, security, and privacy professionals from 25 countries around the world.
The analysis of the results revealed many expected and unexpected things:
- Identifying top cyber risks and having someone in the company who “owns” the compliance function (i.e., has “compliance” in the job title) does not correlate with any of the wanted outcomes.
- A well-integrated tech stack improves recruitment and retention of security talent.
- A strong security culture embraced by all employees depends on good equipment, a clearly communicated and sound security strategy, and timely fixes when things break.
- Major incidents and losses can be avoided by proactively refreshing the technology used and by learning from prior incidents, through prompt disaster recovery, sufficient security tech, timely incident response and accurate threat detection.
- The effective use of automation helps companies keep up with business, run cost-effectively, minimize unplanned work, retain security talent and streamline IR processes, but does not correlate with meeting compliance regulation or avoiding major incidents.
- Organizations that successfully minimized the impact of COVID-19 on operations maintained a modern IT and security infrastructure, had adequate security staffing levels and invested in role-based training, and kept top executives informed.
- Meeting and maintaining compliance is the goal that’s easiest to achieve, while minimizing unplanned work is the hardest.
The most important success factors
In general, proactive tech refresh, well-integrated tech, timely incident response and prompt disaster recovery significantly contribute to nearly every security outcome. Other practices may correlate to one or two specific outcomes or to all, but to a lesser extent.
“Beyond adherence to specific practices, we also asked respondents about where their security programs place the greatest priority in terms of investment, resources, and effort. We used the high-level security functions defined in the NIST Cybersecurity Framework (CSF) for this,” the company noted.
“While the CSF’s Protect function isn’t at the bottom for every outcome, it ranks next to last for contributing to the overall success of the security program (Identify ranks #1). That’s certainly counterintuitive, but we don’t see this as suggesting protection isn’t important. Rather, it indicates that the best programs invest in a well-rounded set of defenses to identify, protect, detect, respond, and recover from cyber threats. The field has long been protection-heavy; this says that protection alone is not the most effective strategy.”
The company has also published individual reports that cover various regions and the healthcare and financial services sectors.
Designed to ensure that all companies that transmit, store or process payment card data do so securely, compliance with the Payment Card Industry Data Security Standard (PCI DSS) serves a critical purpose.
Failure to comply increases the risk of a data breach, which can lead to potential losses of revenue, customers, brand reputation and customer trust. Despite this risk, the 2020 Verizon Payment Security Report found that only 27.9% of global organizations maintained full PCI DSS compliance in 2019, marking the third straight year that PCI DSS compliance has declined.
In addition to the continued decline in compliance, the current iteration of PCI DSS (3.2.1) is expected to be replaced by PCI DSS 4.0 in mid-2021, with an extended transition period.
But as we enter the busiest shopping season of the year, in the midst of a global pandemic that has upended business practices, organizations cannot risk ignoring compliance to the existing PCI DSS 3.2.1 standard. Failure to achieve and maintain compliance creates gaps in securing sensitive cardholder data, making easy targets for cyber criminals. And with the holiday season historically known for rises in cyber-attacks, organizations that fail to stay focused on compliance will represent the highest risk amongst any organization that handles card data.
So, what do organizations need to know about PCI DSS 4.0 and how can they proactively prepare for this update?
Rising risks and what’s new
The financial services industry has always been a prime target for hackers and malicious actors. Last year alone, the Federal Trade Commission received over 271,000 reports of credit card fraud in the United States. As consumers continue to prefer online payments and debit and credit card transactions, the prevalence of card fraud will continue to rise.
The core principle of the PCI DSS is to protect cardholder data, and with PCI DSS 4.0, it will continue to serve as the critical foundation for securing payment card data. As the industry leader in payment card security, the Payment Card Industry Security Standards Council (PCI SSC) will continue evaluating how to evolve the standard to accommodate changes in technology, risk mitigation techniques, and the threat landscape.
Additionally, the PCI SSC is looking at ways to introduce greater flexibility to payment card security and compliance, in order to support organizations using a broad range of controls and methods to meet security objectives.
Overall, PCI DSS 4.0 will set out to:
- Ensure PCI DSS continues to meet the security needs of the payments industry
- Add flexibility and support of additional methodologies to achieve security
- Promote security as a continuous process
- Enhance validation methods and procedures
As consumers and organizations continue to interact and conduct more business online, the need for enforcement of the PCI DSS regulations will continue to become apparent.
Consumers are sharing Personally Identifiable Information (PII) with every transaction, and as that information is shared across networks, consumers require organizations to provide assurance that they are handling such data in a secure manner.
Once implemented, PCI DSS 4.0 will place a greater emphasis on security as a continuous process with the goal of promoting fluid data management practices that integrate with an organization’s overall security and compliance posture.
While PCI DSS 4.0 continues to undergo industry consultation prior to its final release, potential changes for organizations to keep in mind include:
- Authentication, specific consideration for the NIST MFA/password guidance
- Broader applicability for encrypting cardholder data on trusted networks
- Monitoring requirements to consider technology advancement
- Greater frequency of testing of critical controls – for example, incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS requirements
While the second request for comment (RFC) period is still ongoing, it is expected that PCI DSS 4.0 will become available in mid-2021. To accommodate the budgetary and organizational changes necessary to achieve compliance, an extended transition period of 18 months and an enforcement date will be set by the PCI SSC after PCI DSS 4.0 has been published.
Making good use of this time will be critical, so organizations should develop a thorough implementation plan that updates reporting templates and forms, and any ongoing monitoring and recurring compliance validation to meet the updated requirements.
Tips for achieving PCI DSS compliance
The best piece of advice is to first ensure full compliance with the current version of the standard. This will ensure a solid baseline to work from when planning for future updates to PCI DSS. When the regulation takes effect in 2021, organizations can begin internal assessment and preparation of their network for any new requirements.
PCI DSS is already known as being one of the most detailed and prescriptive data security standards to date, and version 4.0 is expected to be even more comprehensive than its predecessor.
With millions of transactions occurring each day, organizations are already collecting, sharing and storing massive amounts of consumer data that they must protect. Even for organizations currently in compliance with PCI DSS 3.2.1, it is critical to establish a holistic view of their data management strategies to assess potential lapses, gaps and threats. To achieve this holistic view and ensure readiness for version 4.0, organizations should take the following steps:
- Conduct a data discovery sweep – By conducting a thorough data discovery sweep of all data storage across the entire network, organizations can eliminate assumptions from their data management practices. Data discovery gives organizations greater visibility into the strengths and vulnerabilities of the network, as well as a better sense of how PII flows through all repositories, including structured data, unstructured data, on-premises storage and cloud storage, so that proper data management techniques can be applied.
- Enact strategies that promote smart data decisions – Once an organization understands how data flows through its environment and where it’s located, it can use these fact-based insights to enact policies and strategies that prioritize data privacy. Data privacy depends on employees, so organizations must take the time to educate employees on the role they play in organizational security. This includes training and continued network data audits to ensure no customer data slips through the cracks or is forgotten.
- Appoint a leader to drive compliance – With the average organization already adhering to 13 different compliance regulations, compliance can be overwhelming. Organizations should look to appoint a security compliance officer or internal lead to oversee ongoing compliance initiatives. This person should seek to become an expert in PCI DSS generally, including progress towards 4.0, and in all other forms of compliance. Furthermore, they can become the go-to person on ensuring proper data management practices.
It’s been nearly 15 years since PCI DSS was first released, and since then, consumers and businesses have substantially increased the amount of transactions and business activities conducted online using payment cards. For this reason, the importance of the PCI DSS remains just as critical for securing data as it ever was.
The organizations that leverage the PCI DSS as a baseline to achieve ongoing awareness on the security of their data and look for proactive ways to secure their networks will be the most successful moving forward, gaining consumer and employee trust through their compliance actions.
To stay connected with patients, healthcare providers are turning to telehealth services. In fact, 34.5 million telehealth services were delivered from March through June, according to the Centers for Medicare and Medicaid Services. The shift to remote healthcare has also affected the rollout of new regulations that would give patients secure and free access to their health data.
The shift to online services shines a light on a major cybersecurity issue within all industries (but especially healthcare where people have zero control over their data): consent.
Hand over data control
Data transparency allows people to know what personal data has been collected, what data an organization wants to collect and how it will be used. Data control provides the end-user with choice and authority over what is collected and even where it is shared. Together the two lead to a competitive edge, as 85% of consumers say they will take their business elsewhere if they do not trust how a company is handling their data.
Regulations such as the GDPR and the CCPA have been enacted to hold companies accountable unlike ever before – providing greater protection, transparency and control to consumers over their personal data.
The U.S. Department of Health and Human Services’ (HHS) regulation, which is set to go into effect in early 2021, would provide interoperability, allowing patients to access, share and manage their healthcare data as they do their financial data. Healthcare organizations must provide people with control over their data and where it goes, which in turn strengthens trust.
How to earn patients’ trust
Organizations must improve their ability to earn patients’ confidence and trust by putting comprehensive identity and access management (IAM) systems in place. Such systems need to offer the ability to manage privacy settings, account for data download and deletion, and enable data sharing with not just third-party apps but also other people, such as additional care providers and family members.
The right digital identity solution should empower the orchestration of user identity journeys, such as registration and authentication, in a convenient way that unifies configuring security and user experience choices.
It should also enable the healthcare organization to protect patients’ personal data while offering their end-users a unified means of control of their data consents and permissions. Below are the four key steps companies should take to earn trust when users hand over data control:
- Identify where digital transformation opportunities and user trust risks intersect. Since users are becoming more skeptical, organizations must analyze “trust gaps” while they are discovering clever new ways to leverage personal data.
- Consider personal data as a joint asset. It’s easy for a company to say consumers own their own personal data, but business leaders have incentives to leverage that data for the value it brings to their business. This changes the equation. All the stakeholders within an organization need to come together and view data as a joint asset in which all parties, including end-users, have a stake.
- Lean into consent. Given the realities of regulations, a business often has a choice to offer consent to end-users rather than just collecting and using data. Seek to offer the option – it provides benefits when building trust with skeptical consumers, as well as when proving your right to use that data.
- Take advantage of consumer identity and access management (CIAM) for building trust. Identity management platforms automate and provide visibility into the entire customer journey across many different applications and channels. They also allow end-users to retain the controls to manage their own profiles, passwords, privacy settings and personal data.
Providing data transparency and data control to the end-user enhances the relationship between business and consumer. Organizations can achieve this trust with consumers in a comprehensive fashion by applying consumer identity and access management that scales across all of their applications. To see these benefits before regulations like the HHS regulations go into effect, organizations need to act now.
It is a mathematical certainty that data is more protected by communication products that provide end-to-end encryption (E2EE).
Yet, many CISOs are required to prioritize regulatory requirements before data protection when considering the corporate use of E2EE communications. Most Fortune 1000 compliance and security teams have the ability to access employee accounts on their enterprise communications platform to monitor activity and investigate bad actors. This access is often required in highly regulated industries and E2EE is perceived as blocking that critical corporate access.
Unfortunately for enterprise security and compliance teams in most companies, unsanctioned communications platforms like WhatsApp are being used, outside of sanctioned channels, to conduct sensitive business in contravention of corporate policies. Just recently, Morgan Stanley executives were removed from the firm for using WhatsApp.
Employees have come to understand that their IT, compliance and security teams are not the only ones who have special access to their communications. They know that Slack, Microsoft, Google, etc., can also access their data and communications. As such, many have turned to consumer E2EE products because they are not comfortable conducting sensitive business on systems where the service provider is both listening and responsible for security.
Why consumer apps running rampant is bad for business
Taking sensitive business to consumer products is risky. These consumer-grade platforms are not purpose-built for secure and compliant communications. They prioritize engagement and entertainment resulting in an ongoing pattern of security flaws, like person-in-the-middle attacks and remote code execution vulnerabilities. WhatsApp users have borne the brunt of these security vulnerabilities for years.
CISOs have been left to choose between turning a blind eye to employees using consumer E2EE products like WhatsApp or, worse yet, relenting and creating policy exceptions that they hope will placate regulators. Yet this approach is an endorsement of long-term use of non-compliant and insecure consumer products.
End-to-end encryption is more flexible than you think
Corporate security teams have operated under the misconception that E2EE is rigid: that not having a backdoor implies there is only a one-size-fits-all implementation of the world’s most reliable cryptography. In reality, E2EE is flexible and can be deployed in concert with corporate policies and industry regulations.
CISOs don’t need to choose between compliance and strong encryption. Organizations, regardless of industry, can use E2EE that adheres to regulations, internal policies and integrates with IT workflows. This means that the corporate decision to use E2EE can be focused on protecting data from adversaries, competitors and service providers, instead of a fear of breaking the rules.
Choosing an E2EE-enabled communications platform
When it comes to choosing an E2EE-enabled communications platform, security professionals need to assess vendors’ claims, capabilities and motivations. While some mainstream platforms advertise E2EE, they only encrypt the traffic from endpoint to server. This is called Client-to-Server encryption (C2S). This happened most notably with Zoom earlier this year when they sold their product as E2EE.
Most reasonable security professionals agree this was not a malicious attempt to trick end users, but rather a genuine lack of cryptographic understanding and sophistication. The company decided that a green lock symbol would make end users feel good – despite a C2S architecture that was prone to person-in-the-middle attacks.
Providers who are not in the business of securing critical user information will almost certainly make claims they do not understand and ship solutions that “don’t suck” rather than serious security technology.
CISOs who embrace E2EE will benefit from the certainty of math. It’s important to ensure that the service provider is capable of, and committed to, providing true E2EE.
There are three important pillars to a strong E2EE solution:
- Both the cryptographic protocols and the results of third-party security reviews are public;
- Their servers do not store data; and
- The service provider’s business model isn’t reliant upon access to customer data.
This is to say that the CISO’s zero trust security policy should be extended to the service provider. If your Unified Communications service provider can access, mine and analyze your data, then they are an attack surface. We know that such provider access can turn into unauthorized access. Strong E2EE eliminates the service provider risk with mathematical certainty.
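To make that trust boundary concrete, here is an added, constructed Python model (not code from the article or from any vendor) of the two architectures: a provider that terminates encryption (C2S) can log the plaintext it relays, while an E2EE relay only ever sees ciphertext, and any alteration it makes is caught by the recipient’s tag check. The cipher is a simplified stand-in, and the key shared between the two endpoints is assumed to have been agreed out of band.

```python
# Constructed illustration (not the article's code): C2S and E2EE differ in who
# holds the keys. The cipher is an HMAC-SHA256 keystream plus an HMAC tag so the
# script runs on the standard library; it is a teaching construction, not a
# production protocol.
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32

def _keystream(key, nonce, length):
    """Expand key and nonce into `length` bytes: HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key):
    """Derive separate encryption and MAC keys from one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def decrypt(key, blob):
    """Check the tag first, then strip the keystream. Raises ValueError if altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or wrong key")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))

class Provider:
    """The communications provider's relay. `observed` is everything it could
    log, mine, analyse or hand over."""

    def __init__(self):
        self.observed = []

    def relay_c2s(self, blob, sender_key, recipient_key):
        # C2S: the provider terminates the sender's session, so it holds the keys
        # and handles plaintext before re-encrypting towards the recipient.
        plaintext = decrypt(sender_key, blob)
        self.observed.append(plaintext)
        return encrypt(recipient_key, plaintext)

    def relay_e2ee(self, blob):
        # E2EE: the provider only ever forwards ciphertext it cannot open.
        self.observed.append(blob)
        return blob

def send_c2s(message):
    """Sender and recipient each share a key with the provider, not with each other."""
    sender_key, recipient_key = os.urandom(32), os.urandom(32)
    provider = Provider()
    delivered = provider.relay_c2s(encrypt(sender_key, message), sender_key, recipient_key)
    return decrypt(recipient_key, delivered), provider

def send_e2ee(message):
    """The endpoints share a key the provider never receives (assumed here to have
    been agreed between them out of band or by an authenticated key exchange)."""
    endpoint_key = os.urandom(32)
    provider = Provider()
    delivered = provider.relay_e2ee(encrypt(endpoint_key, message))
    return decrypt(endpoint_key, delivered), provider

def provider_can_read(provider, message):
    """Did anything the provider logged equal the original message?"""
    return message in provider.observed

def tampering_detected(key, blob):
    """A relay that flips one ciphertext byte is caught by the recipient's tag check."""
    altered = bytearray(blob)
    altered[NONCE_LEN] ^= 0x01
    try:
        decrypt(key, bytes(altered))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    msg = b"Q3 forecast attached; do not forward"  # constructed sample message
    for name, fn in (("C2S", send_c2s), ("E2EE", send_e2ee)):
        received, prov = fn(msg)
        print(name, "delivered:", received == msg,
              "provider sees plaintext:", provider_can_read(prov, msg))
```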
Compliance-ready E2EE is a relatively new phenomenon. But it is more important than ever for CISOs to weigh the risk of giving service providers access to all of their company’s data and the unparalleled benefits of taking control of their data while adhering to corporate compliance requirements.
When it comes to providing no-compromise security for enterprise communications, E2EE is a must-have for organizations, and now implementing it can be done without breaking the rules. Further, when organizations deploy enterprise E2EE with forethought they can pull end users off dangerous products like WhatsApp, WeChat and Telegram by giving their employees the security and privacy they need and deserve.
A recent survey revealed that, on average, organizations must comply with 13 different IT security and/or privacy regulations and spend $3.5 million annually on compliance activities, with compliance audits consuming 58 working days each quarter.
As more regulations come into existence and more organizations migrate their critical systems, applications and infrastructure to the cloud, the risk of non-compliance and associated impact increases.
To select a suitable compliance solution for your business, you need to think about a variety of factors. We’ve talked to several cybersecurity professionals to get their insight on the topic.
Rupert Brown, CTO, Evidology Systems
There are no easy answers to selecting a compliance solution, and complexity is likely to increase due to both technology and political factors.
It’s probably best to tackle the problem along these lines while keeping in mind a few essential questions:
- What are you having to show compliance with – legal, process, behaviour, standard, policy, etc.?
- When do you need to show compliance? Is it a single date, a regular cycle or continuous assessment?
- How do you need to show compliance – is it a fixed formal calculation (position/balance sheet, etc.) or some sort of proof of effective surveillance/record keeping, or something else?
- Where is the compliance assessed – remotely by a regulatory authority or “on-premise” by an inspection/audit, or a technical “test”?
- Who is responsible for demonstrating compliance in the organization – designated officers/board members or just general operational roles?
- Why do you need to show compliance – is it due to a legal statute or is it for a business need, to gain access to a particular market or accreditation?
Once you have worked through these dimensions of the problem it will probably become apparent that “one size” doesn’t fit all and a portfolio of solutions will be required, as well as a significant adoption/”culture change” effort.
John Lee, President, CSS
Financial firms need a trusted partner that understands their top compliance challenges – from regulatory change to data management, TCO, risk and scalability. As the regulatory landscape evolves, keeping pace with change means having an effective and automated enterprise compliance management program.
Complementary technology, data analytics, regulatory expertise and managed services are also critical. Vendor risk can create a single point of failure in a compliance strategy. Multiple single vendors can add complexity and costs. When you’re integrating multiple data sources, you also need a reliable vendor to keep that data secure.
With the complexities of global compliance, do you have the right in-house technical capabilities and policies to future-proof your organization? Conduct a gap analysis and map out an end-to-end, integrated compliance solution instead of operating with disparate point solutions or large in-house teams that rely on manual processes.
To mitigate both operational and regulatory risk, look for an agile partner of size and depth that is credible and understands global regulation to respond quickly to changing requirements. Compliance rules should be managed in a dynamic way, and you need a higher quality of intelligence, global support and coverage.
Look to a managed service provider with the regulatory expertise to take preemptive measures and optimize your compliance vision – delivering tactical solutions to regulatory requirements while supporting your strategic growth expectations.
Haywood Marsh, General Manager, NAVEX Global
Risk and compliance professionals must constantly assess the unique and ever-changing factors that impact their ability to remain compliant, like regional and national regulatory requirements, security and IT risks, and risks from third parties.
They should look for an integrated risk and compliance solution that seamlessly supports this ongoing effort by aggregating the various external and internal compliance-related and operational risk information into a single, SaaS source that can remain flexible with changing variables and helps them build a more resilient and higher performing business.
Flexible, SaaS solutions can, for example, be configured to adhere to new data privacy laws and international mandates that are constantly being updated. This functionality is key for global companies operating in multiple locations, so they can ensure compliance with regional regulations.
Integrated solutions with a unified view of information are vital because they help all departments – from risk and compliance to legal and HR professionals – work together to better understand the challenges inherent in their business, and streamline risk and compliance management and reporting.
Risk and compliance solutions are arguably the most important part of managing and maintaining a high performing business. Given each program is unique to the organization that it belongs to, the solution should be configurable and equipped to encompass each compliance and risk management need.
SafeGuard Cyber announced the results of a survey of 600 senior enterprise IT and security professionals, conducted to understand how businesses rate their own security and compliance risks in the new digital reality of the workplace brought by the COVID-19 pandemic.
Rate security risks
Respondents were asked to effectively grade their adaptations to date, articulate what gaps still exist, and explain how they’re planning for the future. One-third of respondents reported their entire business process has changed and is still evolving, while 26% said they’ve rushed certain projects that were scheduled for later.
The study revealed the need to harden unconventional attack vectors in cloud, mobile, and social media technologies.
“Everyone in business understands the pandemic has had a seismic impact, but we were still surprised to learn how vulnerable organizations feel about the digital technologies they’ve adopted,” said Jim Zuffoletti, CEO, SafeGuard Cyber.
“Bad actors typically migrate to where the action is, so it makes sense digital communication channels are more likely to be targets. Surprisingly, marketing technologies moved up on the list, and we’re seeing more and more concern for executive leaders.”
- A significant disconnect and tension between the perceived security and compliance needs and the level of organizational planning. Despite perceived digital risk around unsanctioned apps, ransomware attacks, and varying tech stacks, only 18% of respondents reported cybersecurity as being a board-level concern.
- 57% of those surveyed cited internal collaboration platforms – like Microsoft Teams and Slack – as the tech stack representing the most risk, followed closely by marketing technologies at 41%.
- 1 in 4 respondents reported executives’ personal social media as being an area of risk.
- The biggest security and compliance challenge is the use of unsanctioned apps (52%), followed by trying to monitor business communications in multi-regional environments (43%), suggesting global enterprises are seeing more friction in scaling technologies for the digital workspace.
- When it comes to purchasing new technology, 59% cite budget as the top concern, followed very closely by “impact on business outcomes” like revenue growth and agility (56%).
Davis Hake, Co-Founder of Resilience and Arceo.ai, concurred, “Incidents of business email compromise skyrocketed last year according to the FBI, with losses doubling from 2018 to reach $1.3B, but we know that with a move to remote work during the pandemic, cyber criminals aren’t just targeting email, they are increasingly targeting the digital collaboration platforms that are keeping our economy afloat.”
Enterprises are juggling the twin demands of budget constraints and the need to drive business outcomes.
“Simply saying ‘no’ to channels like WhatsApp or Slack is no longer an option. It’s the way business gets done today. As business leaders look to 2021, they will need security controls that enable rather than block new communication channels in order to sustain growth.”
Like most American businesses, middle market companies have been forced to rapidly implement a variety of work-from-home strategies to sustain productivity and keep employees safe during the COVID-19 pandemic. This shift, in most cases, was conducted with little chance for appropriate planning and due diligence.
This is especially true in regard to the security and compliance of remote work solutions, such as new cloud platforms, remote access products and outsourced third parties. Many middle market companies lacked the resources of their larger counterparts to diagnose and address potential gaps in a timely manner, and the pressure to make these changes to continue operations meant that many of these shortcomings were not even considered at the time.
Perhaps more important than the potential security risks that could come with these hastily deployed solutions is the risk that an organization could realize later that the mechanisms they deployed turned out to lack controls required by a variety of regulatory and industry standards.
Take medical and financial records as an example. In a normal scenario, an organization typically walls off systems that touch such sensitive data, creating a segmented environment where few systems or people can interact with that data, and even then, only under tightly controlled conditions. However, when many companies set up work-from-home solutions, they quickly realized that their new environment did not work with the legacy architecture protecting the data. Employees could not effectively do their jobs, so snap decisions were made to allow the business to operate.
In this situation, many companies took actions, such as removing segmentation to allow the data and systems to be accessible by remote workers, which unfortunately exposed sensitive information directly to the main corporate environment. Many companies also shifted data and processes into cloud platforms without determining if they were approved for sensitive data. In the end, these workarounds may have violated any number of regulatory, industry or contractual obligations.
In the vast majority of these circumstances, there is no evidence of any type of security event or a data breach, and the control issues have been identified and addressed. However, companies are now in a position where they know that, for a period of time (as short as a few days or months in some cases), they were technically non-compliant.
Many middle market companies now face a critical dilemma: as the time comes to perform audits or self-attestation reports, do they report these potential lapses to regulatory or industry entities, such as the SEC, PCI Council, HHS, DoD or FINRA, knowing that could ultimately result in significant reputational and financial damages and, if so, to what extent?
A temporary regulatory grace period is needed, and soon
The decision is a pivotal one for a significant number of middle market companies. To date, regulators have not been showing much sympathy during the pandemic, and a large segment of the middle market finds itself in a no man’s land. If they had not made these decisions to continue business operations as best they could, they would have gone out of business. But now, if they do report these violations, the related fines and penalties will likely result in the same fate.
A solution for this crucial predicament is a potential temporary regulatory grace period. Regulatory bodies or lawmakers could establish a window of opportunity for organizations to self-identify the type and duration of their non-compliance, what investigations were done to determine that no harm came to pass, and what steps were, or will be, taken to address the issue.
Currently, the concept of a regulatory grace period is slowly gaining traction in Washington, but time is of the essence. Middle market companies are quickly approaching the time when they will have to determine just what to disclose during these upcoming attestation periods.
Companies understand that mistakes were made, but those issues would not have arisen under normal circumstances. The COVID-19 pandemic is an unprecedented event that companies could have never planned for. Business operations and personal safety initially consumed management’s thought processes as companies scrambled to keep the lights on.
Ultimately, many companies made the right decisions from a business perspective to keep people working and avoid suffering a data breach, even in a heightened environment of data security risks. Any grace period would not absolve the organization of responsibility for any regulatory exposures. For example, if a weakness has not already been identified and addressed, the company could still be subject to fines and other penalties at the conclusion of the amnesty window.
Even a proposed grace period would not mean that middle market companies would be completely out of the woods. Companies often must comply with a host of non-regulatory obligations, and while a grace period may provide some relief from government regulatory agencies, it would not solve similar challenges that may arise related to industry regulations, such as PCI or lapses in third-party agreements.
But a grace period from legislators could be a significant positive first step and potentially represent a blueprint for other bodies. Without some kind of lifeline, many middle market companies that disclose their temporary compliance gaps would likely be unable to continue operations and a significant amount of jobs subsequently may be lost.
2020 presented us with many surprises, but the world of data privacy somewhat bucked the trend. Many industry verticals suffered losses, uncertainty and closures, but the protection of individuals and their information continued to truck on.
After many websites simply blocked access unless you accepted their cookies (now deemed unlawful), we received clarity on cookies from the European Data Protection Board (EDPB). With the ending of Privacy Shield, we witnessed the cessation of a legal basis for cross border data transfers.
Severe fines levied for General Data Protection Regulation (GDPR) non-compliance showed organizations that the regulation is far from toothless and that data protection authorities are not easing up just because there is an ongoing global pandemic.
What can we expect in 2021? Undoubtedly, the number of data privacy cases brought before the courts will continue to rise. That’s not necessarily a bad thing: with each case comes additional clarity and precedent on many different areas of the regulation that, to date, is open to interpretation and conjecture.
Last time I spoke to the UK Information Commissioner’s Office regarding a technicality surrounding data subject access requests (DSARs) submitted by a representative, I was told that I was far from the only person enquiring about it, and this only illustrates some of the ambiguities faced by those responsible for implementing and maintaining compliance.
Of course, this is just the GDPR. There are many other data privacy legislative frameworks to consider. We fully expect 2021 to bring full and complete alignment of the ePrivacy Regulations with GDPR, and eradicate the conflict that exists today, particularly around consent, soft opt-in, etc., where the GDPR is very clear but the current Privacy and Electronic Communication Regulation (PECR) not quite so much.
These are just inside Europe but across the globe we’re seeing continued development of data localization laws, which organizations are mandated to adhere to. In the US, the California Consumer Privacy Act (CCPA) has kickstarted a swathe of data privacy reforms within many states, with many calls for something similar at the federal level.
The following year(s) will see that build and, much like with the GDPR, precedent-setting cases are needed to provide more clarity regarding the rules. Will Americans look to replace the shattered Privacy Shield framework, or will they adopt Standard Contractual Clauses (SCCs) more widely? SCCs are a very strong legal basis, providing the clauses are updated to align with the GDPR (something else we’d expect to see in 2021), and I suspect the US will take this road as the realization of the importance of trade with the EU grows.
Other noteworthy movements in data protection laws are happening in Russia with amendments to the Federal Law on Personal Data, which is taking a closer look at TLS as a protective measure, and in the Philippines, where the Personal Data Protection Act 2021 (PDPA) is being replaced by a new bill (currently a work in progress, but it’s coming).
One of the biggest events of 2021 will be the UK leaving the EU. The British implementation of the GDPR comes in the form of the UK Data Protection Bill 2018. Aside from a few deregulations, it’s the GDPR and that’s great… as far as it goes. Having strong local data privacy laws is good, but after enjoying 47 years (at the time of writing) of free movement within the Union, how will being outside of the EU impact British business?
It is thought and hoped that the UK will be granted an adequacy decision fairly swiftly, given that historically local UK laws aligned with those inside the Union, but there is no guarantee. The uncertainty around how data transfers will look in future might result in the British industry using more SCCs. The currently low priority plans to make Binding Corporate Rules (BCR) easier and more affordable will come sharply to the fore as the demand for them goes up.
One thing is certain: it’s going to be a fascinating year for data privacy and we are excited to see clearer definitions, increased certification, precedent-setting case law and whatever else unfolds as we continue to navigate a journey of governance, compliance and security.
Organizations are struggling to keep up with IT security and privacy compliance regulations, according to a Telos survey.
Annual compliance cost
The survey, which polled 300 IT security professionals in July and August 2020, revealed that, on average, organizations must comply with 13 different IT security and/or privacy regulations and spend $3.5 million annually on compliance activities, with compliance audits consuming 58 working days each quarter.
As more regulations come into existence and more organizations migrate their critical systems, applications and infrastructure to the cloud, the risk of non-compliance and associated impact increases.
Key research findings
- IT security professionals report receiving an average of over 17 audit evidence requests each quarter and spend an average of three working days responding to a single request
- Over the last 24 months, organizations have been found non-compliant an average of six times by both internal and third party auditors resulting in an average of eight fines, costing an average of $460,000
- 86 percent of organizations believe compliance would be an issue when moving systems, applications and infrastructure to the cloud
- 94 percent of organizations report they would face challenges when it comes to IT security compliance and/or privacy regulations in the cloud
Compliance teams are overwhelmed
“Compliance teams spend 232 working days each year responding to audit evidence requests, in addition to the millions of dollars spent on compliance activities and fines,” said Dr. Ed Amoroso, CEO of TAG Cyber. “The bottom line is this level of financial and time commitment is unsustainable in the long run.”
“As hammer, chisel and stone gave way to clipboard, paper and pencil, it’s time for organizations to realize the days of spreadsheets for ‘checkbox compliance’ are woefully outdated,” said Steve Horvath, VP of strategy and cloud at Telos.
“Automation can solve numerous compliance challenges, as the data shows. It’s the only real way to get in front of the curve, rather than continuing to try and keep up.”
99 percent of survey respondents indicated their organization would benefit from automating IT security and/or privacy compliance activities, citing expected benefits such as increased accuracy of evidence (54 percent), reduced time spent being audited (51 percent) and the ability to respond to audit evidence requests more quickly (50 percent).
Increasingly demanded by consumers, data privacy laws can create onerous burdens on even the most well-meaning businesses. California presents plenty of evidence to back up this statement, as more than half of organizations that do business in California still aren’t compliant with the California Consumer Privacy Act (CCPA), which went into effect earlier this year.
As companies struggle with their existing compliance requirements, many fear that a new privacy ballot initiative – the California Privacy Rights Act (CPRA) – could complicate matters further. While it’s true that if passed this November, the CPRA would fundamentally change the way businesses in California handle both customer and employee data, companies shouldn’t panic. In fact, this law presents an opportunity for organizations to change their relationship with employee data to their benefit.
CPRA, the Californian GDPR?
Set to appear on the November 2020 ballot, the CPRA, also known as CCPA 2.0 or Prop 24 (its name on the ballot), builds on what is already the most comprehensive data protection law in the US. In essence, the CPRA will bring data protection in California nearer to the current European legal standard, the General Data Protection Regulation (GDPR).
In the process of “getting closer to GDPR,” the CCPA would gain substantial new components. Besides enhancing consumer rights, the CPRA also creates new provisions for employee data as it relates to their employers, as well as data that businesses collect from B2B business partners.
Although controversial, the CPRA is likely to pass. August polling shows that more than 80% of voters support the measure. However, many businesses do not. This is because, at first glance, the CPRA appears to create all kinds of legal complexities in how employers can and cannot collect information from workers.
Fearful of having to meet the same demanding requirements as their European counterparts, many organizations’ natural reaction towards the prospect of CPRA becoming law is fear. However, this is unfounded. In reality, if the CPRA passes, it might not be as scary as some businesses think.
CPRA and employment data
The CPRA is actually a lot more lenient than the GDPR in regard to how it polices the relationship between employers and employees’ data. Unlike for its EU equivalent, there are already lots of exceptions written into the proposed Californian law acknowledging that worker-employer relations are not like consumer-vendor relations.
Moreover, the CPRA extends the CCPA exemption for employers, set to end on January 1, 2021. This means that if the CPRA passes into law, employers would be released from both their existing and potential new employee data protection obligations for two more years, until January 1, 2023. This exemption would apply to most provisions under the CPRA, including the personal information collected from individuals acting as job applicants, staff members, employees, contractors, officers, directors, and owners.
However, employers would still need to provide notice of data collection and maintain safeguards for personal information. It’s highly likely that during this two-year window, additional reforms would be passed that might further ease employer-employee data privacy requirements.
Nonetheless, employers should act now
While the CPRA won’t change much overnight, impacted organizations shouldn’t wait to take action, but should take this time to consider what employee data they collect, why they do so, and how they store this information.
This is especially pertinent now that businesses are collecting more data than ever on their employees. With companies like the workplace monitoring company Prodoscore reporting that interest from prospective customers rose by 600% since the pandemic began, we are seeing rapid growth in companies looking to monitor how, where, and when their employees work.
This trend emphasizes the fact that the information flow between companies and their employees is mostly one-sided (i.e., from the worker to the employer). Currently, businesses have no legal requirement to be transparent about this information exchange. That will change for California-based companies if the CPRA comes into effect and they will have no choice but to disclose the type of data they’re collecting about their staff.
The only sustainable solution for impacted businesses is to be transparent about their data collection with employees and work towards creating a “culture of privacy” within their organization.
Creating a culture of privacy
Rather than viewing employee data privacy as some perfunctory obligation where the bare minimum is done for the sake of appeasing regulators, companies need to start thinking about worker privacy as a benefit. Presented as part of a benefits package, comprehensive privacy protection is a perk that companies can offer prospective and existing employees.
Privacy benefits can include access to privacy protection services that give employees privacy benefits beyond the workplace. Packaged alongside privacy awareness training and education, these can create privacy plus benefits that can be offered to employees alongside standard perks like health or retirement plans. Doing so will build a culture of privacy which can help companies ensure they’re in regulatory compliance, while also making it easier to attract qualified talent and retain workers.
It’s also worth bearing in mind that creating a culture of privacy doesn’t necessarily mean that companies have to stop monitoring employee activity. In fact, employees are less worried about being watched than they are by the possibility of their employers misusing their data. Their fears are well-founded. Although over 60% of businesses today use workforce data, only 3 in 10 business leaders are confident that this data is treated responsibly.
For this reason, companies that want to keep employee trust and avoid bad PR need to prioritize transparency. This could mean drawing up a “bill of rights” that lets employees know what data is being collected and how it will be used.
Research into employee satisfaction backs up the value of transparency. Studies show that while only 30% of workers are comfortable with their employer monitoring their email, the number of employees open to the use of workforce data goes up to 50% when the employer explains the reasons for doing so. This number further jumps to 92% if employees believe that data collection will improve their performance or well-being or come with other personal benefits, like fairer pay.
On the other hand, most employees would leave an organization if its leaders did not use workplace data responsibly. Moreover, 55% of candidates would not even apply for a job with such an organization in the first place.
With many exceptions for workplace data management already built-in and more likely to come down the line, most employers should be able to easily navigate the stipulations CPRA entails.
That being said, if it becomes law this November, employers shouldn’t misuse the two-year window they have to prepare for new compliance requirements. Rather than seeing this time as breathing space before a regulatory crackdown, organizations should instead use it to be proactive in their approach to how they manage their employees’ data. As well as just ensuring they comply with the law, businesses should look at how they can turn employee privacy into an asset.
As data privacy stays at the forefront of employees’ minds, businesses that can show they have a genuine privacy culture will be able to gain an edge when it comes to attracting and retaining talent and, ultimately, coming out on top.
COVID-19 has accelerated the push toward digital business transformation for most businesses, and legal and compliance leaders are under pressure to anticipate both the potential improvements and possible risks that come with new legal technology innovations, according to Gartner.
Legal technology innovations
To address this challenge, Gartner lists 31 must-watch legal technologies to help legal and compliance leaders identify the innovations that will allow them to act faster. They can use this information for internal planning and for prioritizing emerging innovations.
“Legal and compliance leaders must collaborate with other stakeholders to garner support for organization-wide and function-wide investments in technology,” said Zack Hutto, director in the Gartner Legal and Compliance practice.
“They must address complex business demand by investing in technologies and practices to better anticipate, identify and manage risks, while seeking out opportunities to contribute to growth.”
Analysts said enterprise legal management (ELM), subject rights requests, predictive analytics, and robotic process automation (RPA) are likely to be most beneficial for the majority of legal and compliance organizations within a few years. They are also likely to help with the increased need for cost optimization and unplanned legal work arising from the pandemic.
Enterprise legal management
This is a multifaceted market where several vendors are trying to consolidate many of the technologies on this year’s Hype Cycle into unified platforms and suites to streamline the many aspects of corporate governance.
“Just as enterprise resource planning (ERP) overhauled finance, there is promise for a foundational system of record to improve in-house legal operations and workflows,” said Mr. Hutto. “Legal leaders should take a lesson from ERP’s evolution: ‘monolithic’ IT systems tend to lack flexibility and can quickly become an anchor not a sail.”
Legal application leaders and general counsel must begin with their desired business outcomes, and only then find a technology that can help deliver those outcomes.
Subject rights requests
The demand for subject rights requests (SRRs) is growing along with the number of regulations that enshrine a data subject’s right to access their data and request amendment or deletion. Current regulations include the CCPA in the U.S., the EU’s GDPR and Brazil’s Lei Geral de Proteção de Dados.
Many organizations are funneling their subject access requests (SARs) through internal legal counsel to limit the potential exposure to liability. This is costing, on average, $1,406 per SAR.
“In the face of rising request volumes and significant costs, there is great potential for legal and compliance leaders to make substantial savings and free up time by using technology to automate part, if not most, of the SRR workflow,” said Mr. Hutto.
Predictive analytics
This is a well-established technology and the market is mature, so it can be relatively simple to use “out-of-the-box” or via a cloud service. Typically, the technology can examine data or content to answer the question, “What is likely to happen if…?”
“Adoption of this technology in legal and compliance is typically less mature than other business functions,” said Mr. Hutto. “This likely means untapped use cases where existing solutions could be used in the legal and compliance context to offer some real benefits.
“While analytics platforms may make data analysis more ‘turnkey,’ extracting real insights may be more elusive. Legal and compliance leaders still should consider and improve the usefulness of their data, the capabilities of their teams, and the attainability of data in various existing systems.”
Robotic process automation (RPA)
RPA’s potential to streamline workflows for repetitive, rule-based tasks is already well established in other business functions. Typically, RPA is best suited to systems with standardized, often legacy, user interfaces for which scripts can be written.
“Where legal departments already use these types of systems it is likely that RPA can drive higher efficiency,” said Mr. Hutto. “However, not all legal departments use such systems. If not, it could make sense to take a longer view and consider investing in systems that have automation functionality built in.”
Gartner’s advice to consider these four technologies is not based solely on their position on the Hype Cycle. Legal and compliance leaders should focus on the technologies with the most potential to drive the greatest transformation within their own organizations in the near to medium term; the position on the Hype Cycle is part of that picture but not the whole story.
For example, Mr. Hutto said blockchain is a technology that has the potential to make a successful journey to the Plateau of Productivity within five years. But for now, its application will likely be limited to quite a narrow set of use cases, and it is unlikely to be transformational for corporate legal and compliance leaders.
Information security policies (ISP) that are not grounded in the realities of an employee’s work responsibilities and priorities expose organizations to a higher risk of data breaches, according to research from Binghamton University, State University of New York.
The study’s findings, that subcultures within an organization influence whether employees violate ISP or not, have led researchers to recommend an overhaul of the design and implementation of ISP, and to work with employees to find ways to seamlessly fit ISP compliance into their day-to-day tasks.
“The frequency, scope and cost of data breaches have been increasing dramatically in recent years, and the majority of these cases happen because humans are the weakest link in the security chain. Non-compliance to ISP by employees is one of the important factors,” said Sumantra Sarkar, associate professor of management information systems in Binghamton University’s School of Management.
“We wanted to understand why certain employees were more likely to comply with information security policies than others in an organization.”
How subcultures influence compliance within healthcare orgs
Sarkar, with a research team, sought to determine how subcultures influence compliance, specifically within healthcare organizations.
“Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups in the organization,” said Sarkar. “Each of these groups are trained in a different way and are responsible for different tasks.”
Sarkar and his fellow researchers focused on ISP compliance within three subcultures found in a hospital setting – physicians, nurses and support staff.
The expansive study took years to complete, with one researcher embedding in a hospital for over two years to observe and analyze activities, as well as to conduct interviews and surveys with multiple employees.
Because patient data in a hospital is highly confidential, one area researchers focused on was the requirement for hospital employees to lock their electronic health record (EHR) workstation when not present.
“Physicians, who are dealing with emergency situations constantly, were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach,” said Sarkar.
“On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur.”
Researchers concluded that each subculture within an organization will respond differently to the organization-wide ISP, leaving organizations open to a higher possibility of data breaches.
Their recommendation – consult with each subculture while developing ISP.
“Information security professionals should have a better understanding of the day-to-day tasks of each professional group, and then find ways to seamlessly integrate ISP compliance within those job tasks,” said Sarkar. “It is critical that we find ways to redesign ISP systems and processes in order to create less friction.”
In the context of a hospital setting, Sarkar recommends touchless, proximity-based authentication mechanisms that could lock or unlock workstations when an employee approaches or leaves a workstation.
Researchers also found that most employees understand the value of ISP compliance, and realize the potential cost of a data breach. However, Sarkar believes that outdated information security policies’ compliance measures have the potential to put employees in a conflict of priorities.
“There shouldn’t be situations where physicians are putting the entire hospital at risk for a data breach because they are dealing with a patient who needs emergency care,” he said. “We need to find ways to accommodate the responsibilities of different employees within an organization.”
Global organizations continue to put their customers’ cardholder data at risk due to a lack of long-term payment security strategy and execution, the Verizon report flags.
With many companies struggling to retain qualified CISOs or security managers, the lack of long-term security thinking is severely impacting sustained compliance within the Payment Card Industry Data Security Standard (PCI DSS).
Cybercriminals still mostly targeting payment data
Payment data remains one of the most sought-after and lucrative targets for cybercriminals, with 9 out of 10 data breaches being financially motivated, as highlighted by the report. Within the retail sector alone, 99 percent of security incidents were focused on acquiring payment data for criminal use.
On average only 27.9 percent of global organizations maintained full compliance with the PCI DSS, which was developed to help businesses that offer card payment facilities protect their payment systems from breaches and theft of cardholder data.
More concerning, this is the third successive year that a decline in compliance has occurred with a 27.5 percentage point drop since compliance peaked in 2016.
“Unfortunately we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” said Sampath Sowmyanarayan, President, Global Enterprise, Verizon Business.
“The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information.
“Payment security has to be seen as an on-going business priority by all companies that handle any payment data, they have a fundamental responsibility to their customers, suppliers and consumers.”
Few organizations successfully test security systems
Additional findings shine a spotlight on security testing and on unmonitored system access: only 51.9 percent of organizations successfully test their security systems and processes, and only approximately two-thirds of all businesses adequately track and monitor access to business-critical systems.
In addition, only 70.6 percent of financial institutions maintain essential perimeter security controls.
“This report is a welcome wake-up call to organizations that strong leadership is required to address failures to adequately manage payment security. The Verizon Business report aligns well with Omdia’s view that the alignment of security strategy with organizational strategy is essential for organizations to maintain compliance, in this case with PCI DSS 3.2.1 to provide appropriate levels of payment security.
“It makes clear that long-term data security and compliance combines the responsibilities of a number of roles, including the Chief Information Security Officer, the Chief Risk Officer, and Chief Compliance Officer, which Omdia concurs with,” comments Maxine Holt, senior research director at Omdia.
Difficulty maintaining PCI DSS compliance impacts all businesses
SMBs were flagged as having their own unique struggles with securing payment data. While smaller businesses generally have less card data to process and store than larger businesses, they have fewer resources and smaller budgets for security, impacting the resources available to maintain compliance with PCI DSS.
Often the measures needed to protect sensitive payment card data are perceived as too time-consuming and costly by these smaller organizations, but as the likelihood of a data breach for SMBs remains high it is imperative that PCI DSS compliance is maintained.
The ongoing CISO challenge: Security strategy and compliance
The report also explores the challenges CISOs face in designing, implementing and maintaining an effective and sustainable security strategy, and how these can ultimately contribute to the breakdown of compliance and data security management.
These problems were found not to be technological in nature, but to stem from organizational weaknesses that could be resolved by more mature management skills, including creating formalized processes, building a business model for security, and defining a sound security strategy with operating models and frameworks.
There is overwhelming support for mainstreaming the mainframe, new strategic priorities, and a resurgence of next-generation mainframe talent, according to a BMC survey.
The study queried over 1,000 executives and practitioners on their priorities, challenges, and growth opportunities for the platform. High-level insights include:
- 90% of respondents see the mainframe as a platform for growth and long-term applications.
- 68% expect MIPS, the mainframe’s measure of computing performance, to grow.
- 63% of respondents say security and compliance were their top mainframe priorities.
- More than half of survey respondents increased mainframe platform data and transaction volume by 25% or more, signaling its ongoing importance in the digital business environment.
“The Mainframe Survey validates that businesses see the mainframe as a critical component of the modern digital enterprise and an emerging hub for innovation,” says Stephen Elliot, Program VP, Management Software and DevOps, IDC.
“They’re putting it to work more and more to support digital business demands as they strive to achieve greater agility and success across the enterprise.”
Top mainframe priorities
With mainframe enterprises competing to bring new, digital experiences to market to delight customers, the survey’s themes are resoundingly strong: adapt, automate, and secure.
Adapt – responses indicated that enterprises’ need to adapt spanned several areas:
- New processes to keep up with digital demand.
- Technology demands such as application development/DevOps across the mainframe; 78% of respondents want to be able to update mainframe applications more frequently than currently possible.
- Changing workforce, as the number of next generation mainframe talent increases along with the number of women working on the platform.
Automate – mainframe modernization continues to play a key role in priorities among respondents with the need to implement AI and machine learning strategies jumping by 8% year over year.
Secure – while the mainframe has a reputation of being a naturally secure platform, respondents are seeing the growing need to fortify its “walls.” Security trumped cost optimization as the leading mainframe priority among respondents for the first time in the 15-year history of the survey.
“Early results were shared with leading industry analysts and key customers from our Mainframe Executive Council in order to validate findings with market sentiment,” states John McKenny, SVP of Mainframe Innovation and Strategy at BMC.
“These conversations further solidified the study’s findings that the platform’s positive outlook and growth is largely due to the need to create intuitive, customer-centric digital experiences. The mainframe continues to shine as innovative, agile, and secure and is a vital component to digital success.”
Workforce demographic shifts
The survey revealed demographic shifts in mainframe operations: younger, less experienced staff are replacing departing senior staff, and a higher proportion of respondents are women than last year.
Organizations are building confidence that their cybersecurity practices are headed in the right direction, aided by advanced technologies, more detailed processes, comprehensive education and specialized skills, research from CompTIA finds.
Eight in 10 organizations surveyed said their cybersecurity practices are improving.
At the same time, many companies acknowledge that there is still more to do to make their security posture even more robust. Growing concerns about the number, scale and variety of cyberattacks, privacy considerations, a greater reliance on data and regulatory compliance are among the issues that have the attention of business and IT leaders.
Two factors – one anticipated, the other unexpected – have contributed to the heightened awareness about the need for strong cybersecurity measures.
“The COVID-19 pandemic has been the primary trigger for revisiting security,” said Seth Robinson, senior director for technology analysis at CompTIA. “The massive shift to remote work exposed vulnerabilities in workforce knowledge and connectivity, while phishing emails preyed on new health concerns.”
Robinson noted that the pandemic accelerated changes that were underway in many organizations that were undergoing the digital transformation of their business operations.
“This transformation elevated cybersecurity from an element within IT operations to an overarching business concern that demands executive-level attention,” he said. “It has become a critical business function, on par with a company’s financial procedures.”
As a result, companies have a better understanding of what to do about cybersecurity. Nine in 10 organizations said their cybersecurity processes have become more formal and more critical.
Two examples are risk management, where companies assess their data and their systems to determine the level of security that each requires; and monitoring and measurement, where security efforts are continually tracked and new metrics are established to tie security activity to business objectives.
IT teams’ foundational skills
The report also highlights how the “cybersecurity chain” has expanded to include upper management, boards of directors, business units and outside firms in addition to IT personnel in conversations and decisions.
Within IT teams, foundational skills such as network and endpoint security have been paired with new skills, including identity management and application security, that have become more important as cloud and mobility have taken hold.
On the horizon, expect to see skills related to security monitoring and other proactive tactics gain a bigger foothold. Examples include data analysis, threat knowledge and understanding the regulatory landscape.
Cybersecurity insurance is another emerging area. The report reveals that 45% of large companies, 41% of mid-sized firms and 37% of small businesses currently have a cyber insurance policy.
Common coverage areas include the cost of restoring data (56% of policy holders), the cost of finding the root cause of a breach (47%), coverage for third-party incidents (43%) and response to ransomware (42%).
After several months of working from home, with no clear end in sight, financial risk and regulatory compliance professionals are struggling when it comes to collaborating with their teams – particularly as they manage increasingly complex global risk and regulatory reporting requirements.
According to a survey of major financial institutions conducted by AxiomSL, 41% of respondents said collaborating with teams remains a challenge while working remotely.
“Indeed, businesses might never return to the ‘old normal’, and that has made building data- and technology-driven resilience much more pressing than before the crisis. Our clients have been experiencing heightened regulatory pressures,” he continued.
“Throughout the crisis, we enabled them to respond rapidly to changes in reporting criteria, the onset of daily liquidity reporting, and the Federal Reserve’s emerging risk data collection (ERDC) initiative – that required FR Y–14 data on a weekly/monthly basis instead of quarterly.”
These data-intensive, high-frequency regulatory reporting requirements will continue in the ‘new normal.’ “To future-proof, organizations should continue to establish sustainable data architectures and analytics that enable connection and transparency between critical datasets,” Tsigutkin commented.
“And, as a priority, they should transition to our secure RegCloud to handle regulatory intensity efficiently, bolster business continuity, and strengthen their ability to collaborate remotely,” he concluded.
Key research findings
Remote collaboration is a top operational challenge for financial risk and regulatory pros: For all the talk of work-from-anywhere policies becoming the future of financial services, 41% of the risk and compliance professionals surveyed said collaborating with colleagues while working remotely has been their biggest challenge during the COVID-19 crisis.
This was the most frequently cited challenge, followed by accessing data from dispersed systems (18%), reliance on offshore resources (15%), and reliance on locally installed technology (15%).
Liquidity reporting expected to get harder: New capital and liquidity stress testing requirements are expected to present a much heavier burden on financial firms, with 18% of respondents citing increased capital and liquidity risk reporting as a major challenge they will face over the next two years.
Cloud adoption gets its catalyst: After years of resisting cloud adoption, many North American financial institutions are finally gearing up to make the move. When it comes to regulatory technology spending over the next two years, enhanced data analytics is the top area of focus among 29% of survey respondents. But cloud deployment rose to second place (23%) followed by data lakes (22%) and artificial intelligence and machine learning (20%).
Reduction of manual processes is an operational focus for the next two years: The top risk and regulatory compliance challenge firms see on the road ahead is continuing to eliminate manual processes (29%), followed by improving the transparency of data and processes (21%), and fully transitioning to a secure cloud (13%).
RegTech budgets largely intact heading into 2021: A total of 83% indicated their near-term projects as virtually unimpacted or mostly going forward. And similarly, 81% said their budgets for 2021 remain intact (70%) or will increase (11%).