Cybersecurity is failing due to ineffective technology

A failing cybersecurity market is contributing to the ineffective performance of cybersecurity technology, research from Debate Security reveals.


Based on over 100 comprehensive interviews with business and cybersecurity leaders from large enterprises, together with vendors, assessment organizations, government agencies, industry associations and regulators, the research shines a light on why technology vendors are not incentivized to deliver products that are more effective at reducing cyber risk.

The report supports the view that efficacy problems in the cybersecurity market are primarily due to economic issues, not technological ones. The research addresses three key themes and ultimately arrives at a consensus for how to approach a new model.

Cybersecurity technology is not as effective as it should be

90% of participants reported that cybersecurity technology is not as effective as it should be when it comes to protecting organizations from cyber risk. Trust in technology to deliver on its promises is low, and yet when asked how organizations evaluate cybersecurity technology efficacy and performance, there was not a single common definition.

Pressure has been placed on improving people- and process-related issues, but ineffective technology has come to be accepted as normal and, shamefully, inevitable.

The underlying problem is one of economics, not technology

92% of participants reported that there is a breakdown in the market relationship between buyers and vendors, with many seeing deep-seated information asymmetries.

Outside government, few buyers today use detailed, independent cybersecurity efficacy assessment as part of their cybersecurity procurement process, and not even the largest organizations reported having the resources to conduct all the assessments themselves.

As a result, vendors are incentivized to focus on other product features, and on marketing, deprioritizing cybersecurity technology efficacy – one of several classic signs of a “market for lemons”.

Coordinated action between stakeholders only achieved through regulation

Unless buyers demand greater efficacy, regulation may be the only way to address the issue. Overcoming first-mover disadvantages will be critical to fixing the broken cybersecurity technology market.

Many research participants believe that coordinated action between all stakeholders can only be achieved through regulation – though some hold out hope that coordination could be achieved through sectoral associations.

In either case, 70% of respondents feel that independent, transparent assessment of technology would help solve the market breakdown. Setting standards on technology assessment rather than on technology itself could prevent stifling innovation.

Defining cybersecurity technology efficacy

Participants in this research broadly agree that four characteristics are required to comprehensively define cybersecurity technology efficacy.

To be effective, cybersecurity solutions need:

  • the capability to deliver the stated security mission (be fit-for-purpose)
  • the practicality that enterprises need to implement, integrate, operate and maintain them (be fit-for-use)
  • the quality in design and build to avoid vulnerabilities and negative impact
  • the provenance in the vendor company, its people and its supply chain such that these do not introduce additional security risk

“In cybersecurity right now, trust doesn’t always sell, and good security doesn’t always sell and isn’t always easy to buy. That’s a real problem,” said Ciaran Martin, advisory board member, Garrison Technology.

“Why we’re in this position is a bit of a mystery. This report helps us understand it. Fixing the problem is harder. But our species has fixed harder problems and we badly need the debate this report calls for, and industry-led action to follow it up.”

“Company boards are well aware that cybersecurity poses potentially existential risk, but are generally not well equipped to provide oversight on matters of technical detail,” said John Cryan, Chairman of Man Group.

“Boards are much better equipped when it comes to the issues of incentives and market dynamics revealed by this research. Even if government regulation proves inevitable, I would encourage business leaders to consider these findings and to determine how, as buyers, corporates can best ensure that cybersecurity solutions offered by the market are fit for purpose.”

“As a technologist and developer of cybersecurity products, I really feel for cybersecurity professionals who are faced with significant challenges when trying to select effective technologies,” said Henry Harrison, CSO of Garrison Technology.

“We see two noticeable differences when selling to our two classes of prospects. For security-sensitive government customers, technology efficacy assessment is central to buying behavior – but we rarely see anything similar when dealing with even the most security-sensitive commercial customers. We take from this study that in many cases this has less to do with differing risk appetites and more to do with structural market issues.”

How tech trends and risks shape organizations’ data protection strategy

Trustwave released a report which depicts how technology trends, compromise risks and regulations are shaping how organizations’ data is stored and protected.


The report is based on a recent survey of 966 full-time IT professionals who are cybersecurity decision makers or security influencers within their organizations.

Over 75% of respondents work in organizations with over 500 employees in key geographic regions including the U.S., U.K., Australia and Singapore.

“Data drives the global economy yet protecting databases, where the most critical data resides, remains one of the least focused-on areas in cybersecurity,” said Arthur Wong, CEO at Trustwave.

“Our findings illustrate organizations are under enormous pressure to secure data as workloads migrate off-premises, attacks on cloud services increase and ransomware evolves. Gaining complete visibility of data either at rest or in motion and eliminating threats as they occur are top cybersecurity challenges all industries are facing.”

More sensitive data moving to the cloud

The types of data organizations are moving into the cloud have become increasingly sensitive, so a solid data protection strategy is crucial. Ninety-six percent of respondents said they plan to move sensitive data to the cloud over the next two years, and 52% plan to include highly sensitive data; Australia leads the regions surveyed at 57%.

Not surprisingly, when asked to rate the importance of securing data regarding digital transformation initiatives, an average score of 4.6 out of a possible high of five was tallied.

Hybrid cloud model driving digital transformation and data storage

Of those surveyed, most (55%) use both on-premises and public cloud to store data, with 17% using public cloud only. Singapore organizations use the hybrid cloud model most frequently at 73%, 18 percentage points above the average, while U.S. organizations employ it the least at 45%.

Government respondents are the most likely to store data on-premises only, at 39%, 11 percentage points above the average. Additionally, 48% of respondents stored data using the hybrid cloud model during a recent digital transformation project, with only 29% relying solely on their own databases.

Most organizations use multiple cloud services

Seventy percent of organizations surveyed were found to use between two and four public cloud services and 12% use five or more. At 14%, the U.S. had the most instances of using five or more public cloud services followed by the U.K. at 13%, Australia at 9% and Singapore at 9%. Only 18% of organizations queried use zero or just one public cloud service.

Perceived threats do not match actual incidents

Thirty-eight percent of organizations are most concerned with malware and ransomware, followed by phishing and social engineering at 18%, application threats at 14%, insider threats at 9%, privilege escalation at 7% and misconfiguration attacks at 6%.

Interestingly, when asked about threats actually experienced, phishing and social engineering came in first at 27%, followed by malware and ransomware at 25%. The U.K. and Singapore experienced the most phishing and social engineering incidents, at 32% and 31%, while the U.S. and Australia experienced the most malware and ransomware attacks, at 30% and 25%.

Respondents in the government sector had the highest incidence of insider threats at 13%, 5 percentage points above the average.

Patching practices show room for improvement

A resounding 96% of respondents have patching policies in place; of those, 71% rely on automated patching and 29% patch manually. Overall, 61% of organizations patched within 24 hours and 28% patched between 24 and 48 hours.

The highest percentages patching within a 24-hour window came from Australia at 66% and the U.K. at 61%. Unfortunately, 4% of organizations took anywhere from a week to more than a month to patch.

Reliance on automation driving key security processes

In addition to the high percentage of organizations using automated patching processes, the findings show 89% of respondents employ automation to check for overprivileged users or to lock down access credentials once an individual has left their job or changed roles.

This finding correlates with the survey's low level of concern about insider threats and about data compromise through privilege escalation. Organizations should not assume that removing a user's access to applications also removes their access to the underlying databases; often it does not.
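The gap described above, where application access is revoked but the database login survives, is easy to catch with a reconciliation job. The following is an added example, not code from the Trustwave report: it compares a constructed identity-provider export (`IDP_USERS`, hypothetical logins and job roles) against constructed rows of the kind a DBA would pull from PostgreSQL's `pg_roles` catalog (`DB_ROLES`), flags logins that belong to departed people or carry superuser without a matching job role, and emits the `ALTER ROLE` statements for review. Role names, the service-account allowlist and the job-role mapping are all assumptions.

```python
"""Reconcile database principals against identity-provider state.

Added example, not from the Trustwave report. IDP_USERS stands in for an
export from the identity provider; DB_ROLES stands in for
SELECT rolname, rolsuper, rolcanlogin FROM pg_roles. All names are constructed.
"""
from dataclasses import dataclass

# Constructed IdP export: login -> (account status, current job role)
IDP_USERS = {
    "alice": ("active", "dba"),
    "bob": ("active", "analyst"),
    "carol": ("terminated", "developer"),   # left the company last month
    "dave": ("active", "support"),          # moved from developer to support
}

# Constructed catalog rows: (rolname, rolsuper, rolcanlogin)
DB_ROLES = [
    ("alice", True, True),
    ("bob", False, True),
    ("carol", False, True),       # app access removed, DB login was not
    ("dave", True, True),         # superuser left over from a previous role
    ("app_service", False, True), # application account, not a person
    ("postgres", True, True),     # built-in bootstrap superuser
]

# Hypothetical policy: accounts not tied to a person, and which job roles may be superuser
SERVICE_ACCOUNTS = {"app_service", "postgres"}
SUPERUSER_JOB_ROLES = {"dba"}


@dataclass(frozen=True)
class Finding:
    role: str
    issue: str


def audit_db_roles(idp_users, db_roles, service_accounts=SERVICE_ACCOUNTS):
    """Return one Finding per login role that the IdP says should not be able
    to log in, or should not be superuser. Roles that cannot log in are skipped."""
    findings = []
    for rolname, is_super, can_login in db_roles:
        if not can_login or rolname in service_accounts:
            continue
        entry = idp_users.get(rolname)
        if entry is None:
            findings.append(Finding(rolname, "no matching identity in IdP"))
            continue
        status, job = entry
        if status != "active":
            findings.append(Finding(rolname, f"identity is {status} but DB login still enabled"))
            continue
        if is_super and job not in SUPERUSER_JOB_ROLES:
            findings.append(Finding(rolname, f"superuser but job role is '{job}'"))
    return findings


def remediation_sql(findings):
    """PostgreSQL statements a DBA would review before running: drop superuser
    where the role is over-privileged, otherwise disable login entirely."""
    stmts = []
    for f in findings:
        if f.issue.startswith("superuser"):
            stmts.append(f'ALTER ROLE "{f.role}" NOSUPERUSER;')
        else:
            stmts.append(f'ALTER ROLE "{f.role}" NOLOGIN;')
    return stmts


if __name__ == "__main__":
    found = audit_db_roles(IDP_USERS, DB_ROLES)
    for f in found:
        print(f"{f.role}: {f.issue}")
    print("\n".join(remediation_sql(found)))
```

Run this from the offboarding pipeline rather than ad hoc: the IdP export is the source of truth, and anything that can log in to the database without a live, correctly-scoped identity behind it is a finding. Disabling login (`NOLOGIN`) rather than dropping the role keeps object ownership intact while the account is reviewed.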

Data regulations having minor impact on database security strategies

When asked if data regulations such as GDPR and CCPA impacted database security strategies, a surprising 60% of respondents said no.

These findings may suggest a lack of alignment between information technology and other departments, such as legal, responsible for helping ensure stipulations like ‘the right to be forgotten’ are properly enforced to avoid severe penalties.

Small teams with big responsibilities

Of those surveyed, 47% had a security team of only six to 15 members. Respondents from Singapore had the smallest teams, with 47% reporting between one and ten members, and the U.S. had the largest, with 22% reporting a team size of 21 or more, 2 percentage points above the average.

Thirty-two percent of government respondents surprisingly run security operations with teams between just six and ten members.

Is poor cyber hygiene crippling your security program?

Cybercriminals are targeting vulnerabilities created by the pandemic-driven worldwide transition to remote work, according to Secureworks.


The report is based on hundreds of incidents the company’s IR team has responded to since the start of the pandemic.

Threat level is unchanged

While initial news reports predicted a sharp uptick in cyber threats after the pandemic took hold, data on confirmed security incidents and genuine threats to customers show the threat level is largely unchanged. Instead, major changes in organizational and IT infrastructure to support remote work created new vulnerabilities for threat actors to exploit.

The sudden switch to remote work and increased use of cloud services and personal devices significantly expanded the attack surface for many organizations. Facing an urgent need for business continuity, many companies did not have time to put all the necessary protocols, processes and controls in place, making it difficult for security teams to respond to incidents.

Threat actors—including nation-states and financially motivated cyber criminals—are exploiting these vulnerabilities with malware, phishing, and other social engineering tactics to take advantage of victims for their own gain. One in four attacks is now ransomware related—up from one in ten in 2018—and new COVID-19 phishing attacks include stimulus check fraud.

Additionally, healthcare, pharmaceutical and government organizations and information related to vaccines and pandemic response are attack targets.

The issue with dispersed workforces

Barry Hensley, Chief Threat Intelligence Officer, Secureworks said: “Against a continuing threat of enterprise-wide disruption from ransomware, business email compromise and nation-state intrusions, security teams have faced growing challenges including increasingly dispersed workforces, issues arising from the rapid implementation of remote working with insufficient consideration to security implications, and the inevitable reduced focus on security from businesses adjusting to a changing world.”

Most US states show signs of a vulnerable election-related infrastructure

75% of all 56 U.S. states and territories showed signs of a vulnerable IT infrastructure in the lead-up to the presidential election, a SecurityScorecard report reveals.


Since most state websites offer access to voter and election information, these findings may indicate unforeseen issues leading up to, and following, the US election.

Election infrastructure: High-level findings

Seventy-five percent of U.S. states and territories have an overall cyberhealth rating of ‘C’ or below; 35% are rated ‘D’ or below. Based on a three-year SecurityScorecard study of historical data, states with a grade of ‘C’ are 3x more likely to experience a breach (or an incident such as ransomware) than those with an ‘A’, and those with a ‘D’ are nearly 5x more likely.

  • States with the highest scores: Kentucky (95) Kansas (92) Michigan (92)
  • States with the lowest scores: North Dakota (59) Illinois (60) Oklahoma (60)
  • Among states and territories, there are as many ‘F’ scores as there are ‘A’s
  • The Pandemic Effect: Many states’ scores have dropped significantly since January. For example, North Dakota scored a 72 in January and now has a 59. Why? Remote work mandates gave state networks a larger attack surface (e.g., thousands of state workers on home Wi-Fi), making it more difficult to ensure employees are using up-to-date software.

Significant security concerns were observed with two critically important “battleground” states, Iowa and Ohio, both of which scored a 68, or a ‘D’ rating.

The battleground states

According to political experts, the following states are considered “battleground” states and will help determine the result of the election. Half of them are rated ‘C’ or below:

  • Michigan: 92 (A)
  • North Carolina: 81 (B)
  • Wisconsin: 88 (B)
  • Arizona: 81 (B)
  • Texas: 85 (B)
  • New Hampshire: 77 (C)
  • Pennsylvania: 85 (B)
  • Georgia: 77 (C)
  • Nevada: 74 (C)
  • Iowa: 68 (D)
  • Florida: 73 (C)
  • Ohio: 68 (D)

“The IT infrastructure of state governments should be of critical importance to securing election integrity,” said Alex Heid, Chief Research & Development Officer at SecurityScorecard.

“This is especially true in ‘battleground states’ where the Department of Homeland Security, political parties, campaigns, and state government officials should enforce vigilance through continuously monitoring state voter registration networks and web applications for the purpose of mitigating incoming attacks from malicious actors.

“The digital storage and transmission of voter registration and voter tally data needs to remain flawlessly intact. Some states have been doing well regarding their overall cybersecurity posture, but the vast majority have major improvements to make.”

Potential consequences of lower scores

  • Targeted phishing/malware delivery via e-mail and other mediums, potentially as a means to both infect networks and spread misinformation. Malicious actors often sell access to organizations they have successfully infected.
  • Attacks via third-party vendors – many states use the same vendors, so access into one could mean access to all. This is the top cybersecurity concern for political campaigns.
  • Voter registration databases could be impacted. In the worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on Election Day through ransomware.

“These poor scores have consequences that go beyond elections; the findings show chronic underinvestment in IT by state governments,” said Rob Knake, the former director for cybersecurity policy at the White House in the Obama Administration.

“For instance, combatting COVID-19 requires the federal government to rely on the apparatus of the states. It suggests the need for a massive influx of funds as part of any future stimulus to refresh state IT systems to not only ensure safe and secure elections, but save more lives.”

A set of best practices for states

  • Create dedicated voter and election-specific websites under the domains of the official state domain, rather than using alternative domain names which can be subjected to typosquatting
  • Have an IT team specifically tasked and accountable for bolstering voter and election website cybersecurity: defined as confidentiality, integrity, and availability of all processed information
  • States should establish clear lines of authority for updating the information on these sites that includes the ‘two-person’ rule — no single individual should be able to update information without a second person authorizing it
  • States and counties should continuously monitor the cybersecurity exposure of all assets associated with election systems, and ensure that vendors supplying equipment and services to the election process undergo stringent processes

New research shows risk in healthcare supply chain

Exposures and cybersecurity challenges can turn out to be costly: according to statistics from the US Department of Health and Human Services (HHS), 861 breaches of protected health information have been reported over the last 24 months.


New research from RiskRecon and the Cyentia Institute pinpointed risk in the third-party healthcare supply chain and showed that healthcare’s high exposure rate indicates that managing a comparatively small Internet footprint is a big challenge for many organizations in that sector.

But there is a silver lining: gaining the visibility needed to pinpoint and rectify exposures in the healthcare risk surface is feasible.

Key findings

The research and report are based on RiskRecon’s assessment of more than five million internet-facing systems across approximately 20,000 organizations, focusing exclusively on the healthcare sector.

Highest rate

Healthcare has one of the highest average rates of severe security findings relative to other industries. Furthermore, those rates vary hugely across institutions, meaning the worst exposure rates in healthcare are worse than the worst exposure rates in other sectors.

Size matters

Severe security findings decrease as employee count increases. For example, the rate of severe security findings in the smallest healthcare providers is 3x higher than that of the largest providers.

Sub sectors vary

Sub-sectors within healthcare reveal different risk trends. The research shows that hospitals have a much larger Internet surface area (hosts, providers, countries) but maintain relatively low rates of security findings. By contrast, the nursing and residential care sub-sector has the smallest Internet footprint yet the highest levels of exposure. Outpatient (ambulatory) and social services mostly fall in between hospitals and nursing facilities.

Cloud deployment impacts

As digital transformation ushers in a plethora of changes, critical areas of risk exposure are also changing and expanding. While most healthcare firms host a majority of their Internet-facing systems on-prem, they do also leverage the cloud. We found that healthcare’s severe finding rate for high-value assets in the cloud is 10 times that of on-prem. This is the largest on-prem versus cloud exposure imbalance of any sector.

It must also be noted that not all cloud environments are the same. A previous RiskRecon report on the cloud risk surface found, on average, a 12-fold difference between the cloud providers with the highest and lowest exposure rates. This says more about the users and use cases of the various cloud platforms than about intrinsic security inequalities. As healthcare organizations look to migrate to the cloud, they should assess their own capabilities for handling cloud security.

The healthcare supply chain is at risk

It’s important to realize that the broader healthcare ecosystem spans numerous industries, and these entities often have deep connections into a healthcare provider’s facilities, operations, and information systems. That means those organizations can have significant ramifications for third-party risk management.

When you dig into it, even though big pharma has the biggest footprint (hosts, third-party service providers, and countries of operation), they keep it relatively hygienic. Manufacturers of various types of healthcare apparatus and instruments show a similar profile of extensive assets yet fewer findings. Unfortunately, the information-heavy industries of medical insurance, EHR systems providers, and collection agencies occupy three of the top four slots for the highest rate of security findings.

“In 2020, Health Information Sharing and Analysis Center (H-ISAC) members across healthcare delivery, big pharma, payers and medical device manufacturers saw increased cyber risks across their evolving and sometimes unfamiliar supply chains,” said Errol Weiss, CSO at H-ISAC.

“Adjusting to the new operating environment presented by COVID-19 forced healthcare companies to rapidly innovate and adopt solutions like cloud technology that also added risk with an expanded digital footprint to new suppliers and partners with access to sensitive patient data.”

Major gaps in virtual appliance security plague organizations

As evolution to the cloud is accelerated by digital transformation across industries, virtual appliance security has fallen behind, Orca Security reveals.


The report illuminated major gaps in virtual appliance security, finding many are being distributed with known, exploitable and fixable vulnerabilities and on outdated or unsupported operating systems.

To help move the cloud security industry towards a safer future and reduce risks for customers, 2,218 virtual appliance images from 540 software vendors were analyzed for known vulnerabilities and other risks to provide an objective assessment score and ranking.

Virtual appliances are an inexpensive and relatively easy way for software vendors to distribute their wares for customers to deploy in public and private cloud environments.

“Customers assume virtual appliances are free from security risks, but we found a troubling combination of rampant vulnerabilities and unmaintained operating systems,” said Avi Shua, CEO, Orca Security.

“The Orca Security 2020 State of Virtual Appliance Security Report shows how organizations must be vigilant to test and close any vulnerability gaps, and that the software industry still has a long way to go in protecting its customers.”

Known vulnerabilities run rampant

Most software vendors are distributing virtual appliances with known vulnerabilities and exploitable and fixable security flaws.

  • The research found that less than 8 percent of virtual appliances (177) were free of known vulnerabilities. In total, 401,571 vulnerabilities were discovered across the 2,218 virtual appliances from 540 software vendors.
  • For this research, 17 critical vulnerabilities were identified, deemed to have serious implications if left unaddressed in a virtual appliance. Some of these well-known and easily exploitable vulnerabilities included EternalBlue, DejaBlue, BlueKeep, DirtyCOW, and Heartbleed.
  • Meanwhile, 15 percent of virtual appliances received an F rating, deemed to have failed the research test.
  • More than half of the tested virtual appliances were below an average grade, with 56 percent obtaining a C rating or below (15.1 percent F; 16.1 percent D; 25 percent C).
  • However, after rescanning the 287 virtual appliances that vendors updated in response to the findings, the average grade of those appliances rose from a B to an A.

Outdated appliances increase risk

Multiple virtual appliances were at security risk from age and lack of updates. The research found that most vendors are not updating or discontinuing their outdated or end-of-life (EOL) products.

  • The research found that only 14 percent (312) of the virtual appliance images had been updated within the last three months.
  • Meanwhile, 47 percent (1,049) had not been updated within the last year; 5 percent (110) had been neglected for at least three years; and 11 percent (243) were running on out-of-date or EOL operating systems.
  • However, some outdated virtual appliances were updated after initial testing. For example, Redis Labs had a product that scored an F due to an out-of-date operating system and many vulnerabilities, but scored an A+ after updates.

The silver lining

Under the principle of Coordinated Vulnerability Disclosure, researchers emailed each vendor directly, giving them the opportunity to fix their security issues. Fortunately, the tests have started to move the cloud security industry forward.

As a direct result of this research, vendors reported that 36,259 out of 401,571 vulnerabilities have been removed by patching or discontinuing their virtual appliances from distribution. Some of these key corrections or updates included:

  • Dell EMC issued a critical security advisory for its CloudBoost Virtual Edition
  • Cisco published fixes to 15 security issues found in one of its virtual appliances scanned in the research
  • IBM updated or removed three of its virtual appliances within a week
  • Symantec removed three poorly scoring products
  • Splunk, Oracle, IBM, Kaspersky Labs and Cloudflare also removed products
  • Zoho updated half of its most vulnerable products
  • Qualys updated a 26-month-old virtual appliance that included a user enumeration vulnerability that Qualys itself had discovered and reported in 2018

Maintaining virtual appliances

For customers and software vendors concerned about the issues illuminated in the report, there are corrective and preventive actions that can be taken. Software suppliers should ensure their virtual appliances are well maintained and that new patches are provided as vulnerabilities are identified.

When vulnerabilities are discovered, the product should be patched or discontinued. Vulnerability management tools can also discover virtual appliances and scan them for known issues. Finally, customers should use these tools to scan every virtual appliance for vulnerabilities before deploying it, whichever software vendor supplied it.
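The three failure modes the report grades on, an end-of-life operating system, an image that has not been rebuilt in months, and packages sitting below a known fixed version, can be turned into a pre-deployment gate. The following is an added example, not code from Orca Security or from the report. Everything it consumes is constructed: `APPLIANCE_STALE` and `APPLIANCE_FRESH` are hypothetical manifests of the shape a scanner or `dpkg -l` would yield, `ADVISORIES` is a two-entry stand-in for a vulnerability feed (the Heartbleed range for OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g, is the real one; `libfoo` is invented), and `OS_EOL` holds illustrative end-of-support dates that should be checked against each distribution's own lifecycle page before use.

```python
"""Pre-deployment gate for a virtual appliance image.

Added example, not from the Orca Security report. Manifests, the advisory
feed and the EOL table are constructed stand-ins for scanner output, a CVE
feed and vendor lifecycle data.
"""
import re
from datetime import date

# Illustrative end-of-standard-support dates; verify against vendor lifecycle pages.
OS_EOL = {
    "ubuntu:14.04": date(2019, 4, 30),
    "ubuntu:20.04": date(2025, 5, 31),
    "centos:6": date(2020, 11, 30),
}

# Constructed feed: (package, first fixed upstream version, identifier)
ADVISORIES = [
    ("openssl", "1.0.1g", "CVE-2014-0160 (Heartbleed)"),
    ("libfoo", "2.4.1", "HYPO-2020-0001 (constructed)"),
]

# Constructed manifests: what a scanner or `dpkg -l` would report for each image
APPLIANCE_STALE = {
    "name": "vendor-gateway-2.1",
    "os": "ubuntu:14.04",
    "last_updated": date(2017, 6, 1),
    "packages": {"openssl": "1.0.1f-1ubuntu2", "libfoo": "2.3.9-3"},
}
APPLIANCE_FRESH = {
    "name": "vendor-gateway-3.0",
    "os": "ubuntu:20.04",
    "last_updated": date(2020, 9, 15),
    "packages": {"openssl": "1:1.1.1f-1ubuntu2.7", "libfoo": "2.4.1-1"},
}


def version_key(v):
    """Turn '1:1.0.1f-1ubuntu2' into [(1,''),(0,''),(1,'f')] so that
    letter suffixes (1.0.1f < 1.0.1g) and numeric parts compare correctly."""
    v = re.sub(r"^\d+:", "", v)   # drop Debian epoch
    v = v.split("-", 1)[0]        # drop distro revision
    return [(int(n), s) for n, s in re.findall(r"(\d+)([A-Za-z]*)", v)]


def is_vulnerable(installed, first_fixed):
    return version_key(installed) < version_key(first_fixed)


def check_appliance(appliance, advisories=ADVISORIES, os_eol=OS_EOL,
                    today=date(2020, 10, 1), max_age_days=90):
    """Return the list of reasons the image should not be deployed; empty means pass."""
    reasons = []
    eol = os_eol.get(appliance["os"])
    if eol is None:
        reasons.append(f"unknown support status for {appliance['os']}")
    elif today > eol:
        reasons.append(f"OS {appliance['os']} reached end of life on {eol}")
    age = (today - appliance["last_updated"]).days
    if age > max_age_days:
        reasons.append(f"image not rebuilt for {age} days")
    for pkg, fixed, ident in advisories:
        installed = appliance["packages"].get(pkg)
        if installed and is_vulnerable(installed, fixed):
            reasons.append(f"{pkg} {installed} is below {fixed}: {ident}")
    return reasons


if __name__ == "__main__":
    for app in (APPLIANCE_STALE, APPLIANCE_FRESH):
        problems = check_appliance(app)
        print(f"{app['name']}: {'PASS' if not problems else 'BLOCK'}")
        for r in problems:
            print("  -", r)
```

One caveat a practitioner must keep in mind: distributions backport fixes without bumping the upstream version string (a patched `1.0.1f-1ubuntu2.27` still starts with `1.0.1f`), so comparing against the upstream fixed version over-reports. A production gate should use the distribution's own fixed-version data, which is what the commercial scanners the report mentions do.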

SaaS adoption prompting concerns over operational complexity and risk

A rise in SaaS adoption is prompting concerns over operational complexity and risk, a BetterCloud report reveals.


Since 2015, the number of IT-sanctioned SaaS apps has increased tenfold, and it’s expected that by 2025, 85 percent of business apps will be SaaS-based. With SaaS on the rise, 49 percent of respondents are confident in their ability to identify and monitor unsanctioned SaaS usage on company networks—yet 76 percent see unsanctioned apps as a security risk.

And when asked what SaaS applications are likely to hold the most sensitive data across an organization, respondents believe it’s all apps including cloud storage, email, devices, chat apps, password managers, etc.

Concerns when managing SaaS environments

Respondents also highlighted slow, manual management tasks as a prime concern when managing SaaS environments. IT organizations spend over 7 hours offboarding a single employee from a company’s SaaS apps, which takes time and energy from more strategic projects.

“In the earlier part of the year, organizations around the world were faced with powering their entire workforces from home and turned to SaaS to make the shift with as little disruption to productivity as possible,” said David Politis, CEO, BetterCloud.

“Up until this point, most companies were adopting a cloud-first approach for their IT infrastructure — that strategy has now shifted to cloud only. But SaaS growth at this scale has also brought about challenges as our 2020 State of SaaSOps report clearly outlines.

“The findings also show increased confidence and reliance on SaaSOps as the path forward to reining in SaaS management and security.”

SaaS adoption risk: Key findings

  • On average, organizations use 80 SaaS apps today. This is a 5x increase in just three years and a 10x increase since 2015.
  • The top two motivators for using more SaaS apps are increasing productivity and reducing costs.
  • Only 49 percent of IT professionals are confident in their ability to identify and monitor unsanctioned SaaS usage on company networks—yet more than three-quarters (76 percent) see unsanctioned apps as a security risk.
  • The top five places where sensitive data lives are: 1. files stored in cloud storage, 2. email, 3. devices, 4. chat apps, and 5. password managers. But because SaaS apps have become the system of record, sensitive data inevitably lives everywhere in your SaaS environment.
  • The top two security concerns are sensitive files shared publicly and former employees retaining data access.
  • IT teams spend an average of 7.12 hours offboarding a single employee from a company’s SaaS apps.
  • Thirty percent of respondents already use the term SaaSOps in their job title or plan to include it soon.

The report surveyed nearly 700 IT leaders and security professionals from the world’s leading enterprise organizations. These individuals ranged in seniority from C-level executives to front-line practitioners and included both IT and security department roles.

Technologies that enable legal and compliance leaders to spot innovations

COVID-19 has accelerated the push toward digital business transformation for most businesses, and legal and compliance leaders are under pressure to anticipate both the potential improvements and possible risks that come with new legal technology innovations, according to Gartner.


To address this challenge, Gartner lists the 31 must-watch legal technologies that allow legal and compliance leaders to identify innovations that will help them act faster. They can use this information for internal planning and for prioritizing emerging innovations.

“Legal and compliance leaders must collaborate with other stakeholders to garner support for organization wide and function wide investments in technology,” said Zack Hutto, director in the Gartner Legal and Compliance practice.

“They must address complex business demand by investing in technologies and practices to better anticipate, identify and manage risks, while seeking out opportunities to contribute to growth.”

Analysts said enterprise legal management (ELM), subject rights requests, predictive analytics, and robotic process automation (RPA) are likely to be most beneficial for the majority of legal and compliance organizations within a few years. They are also likely to help with the increased need for cost optimization and unplanned legal work arising from the pandemic.

Enterprise legal management

This is a multifaceted market where several vendors are trying to consolidate many of the technologies on this year’s Hype Cycle into unified platforms and suites to streamline the many aspects of corporate governance.

“Just as enterprise resource planning (ERP) overhauled finance, there is promise for a foundational system of record to improve in-house legal operations and workflows,” said Mr. Hutto. “Legal leaders should take a lesson from ERP’s evolution: ‘monolithic’ IT systems tend to lack flexibility and can quickly become an anchor not a sail.”

Legal application leaders and general counsel must begin with their desired business outcomes, and only then find a technology that can help deliver those outcomes.

Subject rights requests

The demand for subject rights requests (SRRs) is growing along with the number of regulations that enshrine a data subject’s right to access their data and request amendment or deletion. Current regulations include the CCPA in the U.S., the EU’s GDPR and Brazil’s Lei Geral de Proteção de Dados.

Many organizations are funneling their subject access requests (SARs) through internal legal counsel to limit the potential exposure to liability. This is costing, on average, $1,406 per SAR.

“In the face of rising request volumes and significant costs, there is great potential for legal and compliance leaders to make substantial savings and free up time by using technology to automate part, if not most, of the SRR workflow,” said Mr. Hutto.

Predictive analytics

This is a well-established technology and the market is mature, so it can be relatively simple to use “out-of-the-box” or via a cloud service. Typically, the technology examines data or content to answer the question “What is likely to happen if…?”

“Adoption of this technology in legal and compliance is typically less mature than other business functions,” said Mr. Hutto. “This likely means untapped use cases where existing solutions could be used in the legal and compliance context to offer some real benefits.

“While analytics platforms may make data analysis more ‘turnkey’, extracting real insights may be more elusive. Legal and compliance leaders still should consider and improve the usefulness of their data, the capabilities of their teams, and the attainability of data in various existing systems.”

Robotic process automation (RPA)

RPA’s potential to streamline workflows for repetitive, rule-based tasks is already well-established in other business functions. Typically, RPA is best suited to systems with standardized (often legacy) user interfaces for which scripts can be written.

“Where legal departments already use these types of systems it is likely that RPA can drive higher efficiency,” said Mr. Hutto. “However, not all legal departments use such systems. If not, it could make sense to take a longer view and consider investing in systems that have automation functionality built in.”

Gartner’s advice to consider these four technologies is not based solely on their position on the Hype Cycle. Legal and compliance leaders should focus on the technologies that have the most potential for driving the greatest transformation within their own organizations in the near to medium term; the position on the Hype Cycle is part of that but not the whole story.

For example, Mr. Hutto said blockchain is a technology that has the potential to make a successful journey to the Plateau of Productivity within five years. But for now, its application will likely be limited to quite a narrow set of use cases, and it is unlikely to be transformational for corporate legal and compliance leaders.

Most enterprises struggle with IoT security incidents

The ongoing global pandemic that has led to massive levels of remote work and an increased use of hybrid IT systems is leading to greater insecurity and risk exposure for enterprises.


According to new data released by Cybersecurity Insiders, 72% of organizations experienced an increase in endpoint and IoT security incidents in the last year, while 56% anticipate that their organization will likely be compromised by an endpoint- or IoT-originated attack within the next 12 months.

The comprehensive survey of 325 IT and cybersecurity decision makers in the US, conducted in September 2020, represented a balanced cross-section of organizations from financial services, healthcare and technology to government and energy.


Alongside headline data that the majority experienced an endpoint and IoT security incident over the last 12 months, the top 3 issues were related to malware (78%), insecure network and remote access (61%), and compromised credentials (58%).

Perhaps more concerning was that 43% of respondents expressed “moderate to unlikely means to discover, identify, and respond to unknown, unmanaged, or insecure devices accessing network and cloud resources.”

“It is clear from this new research that the challenge of securing IoT and endpoints has escalated considerably as employees have been forced to work remotely while organizations try to rapidly adapt to the situation,” said Scott Gordon, CMO at Pulse Secure.

“The threat is real and growing. Yet, on a positive note, the survey shows that organizations are investing in key initiatives and adopting zero trust elements such as remote access device posture checking and Network Access Control (NAC) to address some of these issues.”

The negative impact of an endpoint or IoT security issue

The research found that 41% will implement or advance on-premise device security enforcement, 35% will advance their remote access device posture checking, and 22% will advance their IoT device identification and monitoring capabilities.

For those that have been victim of an endpoint or IoT security issue, the most significant negative impact was a reported loss of user (55%) and IT (45%) productivity, followed by system downtime (42%).

Holger Schulze, CEO at Cybersecurity Insiders added, “The diversity of users, devices, networks, and threats continue to grow as enterprises take advantage of greater workforce mobility, workplace flexibility, and cloud computing opportunities.

“Not only do organizations need to ensure endpoints are secure and adhering to usage policy, but they must also manage appropriate IoT device access. New zero trust security controls can fortify dynamic device discovery, verification, tracking, remediation, and access enforcement.”


Additional key findings

  • Respondents rated the biggest endpoint and IoT security challenges as #1 insufficient protection against the latest threats (49%), #2 high complexity of deployment and operations (47%), and #3 inability to enforce endpoint and IoT device access/usage policy (40%).
  • Respondents rated the most critical capabilities required to mitigate endpoint and IoT security as #1 monitoring endpoint or IoT devices for malicious or anomalous activity (54%), #2 blocking or isolating unknown or at-risk endpoint and IoT devices’ network access (51%), and #3 blocking at-risk devices’ access to network or cloud resources (46%).
  • When asked about anticipated investments to secure remote worker access and endpoint security technology, most organizations (61%) anticipate an increase, or significant increase, while few expect a decrease (6%).
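The capabilities ranked above (discover devices, verify their posture, isolate unknown or at-risk devices, and enforce access) are what a NAC or zero-trust policy engine decides on every connection. The following is an added example, not code from Pulse Secure, Cybersecurity Insiders or the survey: a minimal access decision over a constructed device inventory and constructed posture reports. The VLAN names, MAC addresses, the 30-day patch threshold and the posture attributes are all assumptions chosen for illustration.

```python
"""Added example: a minimal NAC / zero-trust access decision.
Inventory, posture reports, MAC addresses and thresholds are constructed."""
from datetime import datetime, timedelta, timezone

# Assumed enforcement targets (named VLANs); a real NAC would push these as
# RADIUS attributes or switch ACLs.
CORP, IOT, REMEDIATE, QUARANTINE = "corp-vlan", "iot-vlan", "remediation-vlan", "quarantine-vlan"
MAX_PATCH_AGE = timedelta(days=30)          # assumed policy threshold
SCAN_TIME = datetime(2020, 11, 1, tzinfo=timezone.utc)

# Constructed device inventory: what the organization already knows about a MAC.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"class": "managed-laptop", "owner": "alice"},
    "aa:bb:cc:00:00:02": {"class": "iot-camera", "owner": "facilities"},
    "aa:bb:cc:00:00:03": {"class": "managed-laptop", "owner": "bob"},
}

# Constructed posture reports from an endpoint agent (IoT devices cannot run one).
POSTURE = {
    "aa:bb:cc:00:00:01": {"edr_running": True, "disk_encrypted": True,
                          "last_patch": datetime(2020, 10, 25, tzinfo=timezone.utc)},
    "aa:bb:cc:00:00:03": {"edr_running": False, "disk_encrypted": True,
                          "last_patch": datetime(2020, 8, 1, tzinfo=timezone.utc)},
}

# Constructed list of MACs seen on the access layer; the last one is unknown.
OBSERVED = ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02",
            "aa:bb:cc:00:00:03", "de:ad:be:ef:00:01"]


def decide(mac, now, inventory=INVENTORY, posture=POSTURE):
    """Return (segment, reasons) for one device.

    Unknown devices and managed devices without a posture report are
    quarantined; IoT devices are confined to their own segment because no
    agent-based verification is possible; managed devices that fail a
    posture check go to remediation instead of the corporate segment."""
    dev = inventory.get(mac)
    if dev is None:
        return QUARANTINE, ["unknown device: not in inventory"]
    if dev["class"].startswith("iot-"):
        return IOT, ["iot device: segment-only access, no posture agent expected"]
    report = posture.get(mac)
    if report is None:
        return QUARANTINE, ["managed device without posture report"]
    problems = []
    if not report["edr_running"]:
        problems.append("EDR not running")
    if now - report["last_patch"] > MAX_PATCH_AGE:
        problems.append("patches older than 30 days")
    if not report["disk_encrypted"]:
        problems.append("disk not encrypted")
    return (REMEDIATE, problems) if problems else (CORP, [])


def enforce_all(now, observed=OBSERVED):
    """Re-evaluate every observed device; run this on connect and periodically,
    since posture can change after the initial admission decision."""
    return {mac: decide(mac, now) for mac in observed}


if __name__ == "__main__":
    for mac, (segment, reasons) in enforce_all(SCAN_TIME).items():
        print(f"{mac} -> {segment} {reasons}")
```

The point of the IoT branch is the practical caveat behind the survey's numbers: agent-based posture checks only cover managed endpoints, so IoT devices have to be identified by inventory and confined by segmentation rather than verified.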

Why are certain employees more likely to comply with information security policies than others?

Information security policies (ISP) that are not grounded in the realities of an employee’s work responsibilities and priorities expose organizations to a higher risk of data breaches, according to research from Binghamton University, State University of New York.


The study’s findings, that subcultures within an organization influence whether employees violate ISP or not, have led researchers to recommend an overhaul of the design and implementation of ISP, and to work with employees to find ways to seamlessly fit ISP compliance into their day-to-day tasks.

“The frequency, scope and cost of data breaches have been increasing dramatically in recent years, and the majority of these cases happen because humans are the weakest link in the security chain. Non-compliance with ISP by employees is one of the important factors,” said Sumantra Sarkar, associate professor of management information systems in Binghamton University’s School of Management.

“We wanted to understand why certain employees were more likely to comply with information security policies than others in an organization.”

How subcultures influence compliance within healthcare orgs

Sarkar, with a research team, sought to determine how subcultures influence compliance, specifically within healthcare organizations.

“Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups in the organization,” said Sarkar. “Each of these groups is trained in a different way and is responsible for different tasks.”

Sarkar and his fellow researchers focused on ISP compliance within three subcultures found in a hospital setting – physicians, nurses and support staff.

The expansive study took years to complete, with one researcher embedding in a hospital for over two years to observe and analyze activities, as well as to conduct interviews and surveys with multiple employees.

Because patient data in a hospital is highly confidential, one area researchers focused on was the requirement for hospital employees to lock their electronic health record (EHR) workstation when not present.

“Physicians, who are dealing with emergency situations constantly were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach,” said Sarkar.

“On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur.”

The conclusion

Researchers concluded that each subculture within an organization will respond differently to the organization-wide ISP, leaving organizations open to a higher possibility of data breaches.

Their recommendation – consult with each subculture while developing ISP.

“Information security professionals should have a better understanding of the day-to-day tasks of each professional group, and then find ways to seamlessly integrate ISP compliance within those job tasks,” said Sarkar. “It is critical that we find ways to redesign ISP systems and processes in order to create less friction.”

In the context of a hospital setting, Sarkar recommends touchless, proximity-based authentication mechanisms that could lock or unlock workstations when an employee approaches or leaves a workstation.

Researchers also found that most employees understand the value of ISP compliance, and realize the potential cost of a data breach. However, Sarkar believes that outdated information security policies’ compliance measures have the potential to put employees in a conflict of priorities.

“There shouldn’t be situations where physicians are putting the entire hospital at risk for a data breach because they are dealing with a patient who needs emergency care,” he said. “We need to find ways to accommodate the responsibilities of different employees within an organization.”

Cyber teams are getting more involved in M&A

Despite ongoing economic uncertainty amidst a global pandemic, many dealmakers remain optimistic about the outlook for the year ahead as they increasingly pursue alternative merger and acquisition (M&A) methods to navigate the crisis and pursue new disruptive business growth strategies.


According to a Deloitte survey of 1,000 U.S. corporate M&A executives and private equity firm professionals, 61% of survey respondents expect U.S. M&A activity to return to pre-COVID-19 levels within the next 12 months.

Soon after the WHO declared COVID-19 a pandemic on March 11, deal activity in the U.S. plunged — most notably during April and May.

Responding M&A executives say they tentatively paused (92%) or abandoned (78%) at least one transaction as a result of the pandemic outbreak. However, since March 2020, possibly aiming to take advantage of pandemic-driven business disruptions, 60% say their organizations have been more focused on pursuing new deals.

“M&A executives have moved quickly to adapt and uncover value in new and innovative ways as systemic change driven by the pandemic has resulted in alternative approaches to transactions,” said Russell Thomson, partner, Deloitte & Touche LLP, and Deloitte’s U.S. merger and acquisition services practice leader.

“We expect both traditional and alternative M&A to be an important lever for dealmakers as businesses recover and thrive in a post-COVID economy.”

Alternative dealmaking on the rise

For many, alternative deals are quickly outpacing traditional M&A activity as the search for value intensifies in a low-growth environment.

When asked which type of deals their organizations are most interested in pursuing, responding corporate M&A executives’ top choice was alternatives to traditional M&A, including alliances, joint ventures, and Special Purpose Acquisition Companies (45%) — ranking higher than acquisitions (35%).

Private equity investors plan to remain more focused on traditional acquisitions (53%), while simultaneously pushing pursuit of M&A alternatives — including private investment in public equity deals, minority stakes, club deals and alliances (32%).

“As businesses prepare for a post-COVID world, including fundamentally reshaped economies and societies, the dealmaking environment will also materially change,” said Mark Purowitz, principal, Deloitte Consulting LLP, with Deloitte’s mergers and acquisitions consulting practice, and leader of the firm’s Future of M&A initiative.

“Companies were starting to expand their definition of M&A to include partnerships, alliances, joint ventures and other alternative investments that create intrinsic and long-lasting value, but COVID-19 has accelerated dealmakers’ needs to create more optionality for their organizations’ internal and external ecosystems.”

Virtual dealmaking to continue playing large role post-pandemic

87% of M&A professionals surveyed report that their organizations were able to effectively manage a deal in a purely virtual environment, so much so that 55% anticipate that virtual dealmaking will be the preferred platform even after the pandemic is over.

However, virtual dealmaking does not remain without its own challenges. Fifty-one percent noted that cybersecurity threats are their organizations’ biggest concern around executing deals virtually.

“When it comes to cyber in an M&A world — it’s important to develop cyber threat profiles of prospective targets and portfolio companies to determine the risks each present,” said Deborah Golden, Deloitte Risk & Financial Advisory, cyber and strategic risk leader, Deloitte & Touche LLP.

“CISOs understand how a data breach can negatively impact the valuation and the underlying deal structure itself. Leaving cyber out of that risk picture may lead to not only brand and reputational risk, but also significant and unaccounted remediation costs.”

Other virtual dealmaking concerns included the ability to forge relationships with management teams (40%) and extended regulatory approvals (39%). When it comes to effectively managing the integration phase in a virtual environment, technology integration (16%) and legal entity alignment or simplification (16%) are surveyed M&A executives’ largest and most prevalent hurdles.

“It may be too early to assess the long-term implications of virtual dealmaking as many of the deals currently in progress now are resulting from management relationships that were formed pre-COVID. We also expect integration in a virtual setting will become much more complex a few months from now,” said Thomson.


“Culture and compatibility issues should be given greater attention on the diligence side, as they pose major downstream integration implications.”

International dealmaking declines, focus on domestic-only deals

Interest in foreign M&A targets declined in 2020 as corporate executives reported a significant shift in their approach to international dealmaking, with 17% reporting no plans to execute cross-border deals in the current economic environment, an 8 percentage point increase from 2019.

In addition, 57% of M&A executives say less than half of their current transactions involve acquiring targets operating primarily in foreign markets.

Notably, the number of survey respondents interested in pursuing deals with U.K. targets dropped by 8 percentage points, while Chinese targets declined by 7 percentage points. Interest in Canadian (32%) and Central American (19%) targets remained highest.

Review: Practical Vulnerability Management: A Strategic Approach to Managing Cyber Risk


Andrew Magnusson started his information security career 20 years ago, and in this book he shares the knowledge he has accumulated to help the reader eliminate security weaknesses and threats within their systems.

As he points out in the introduction, bugs are everywhere, but there are actions and processes the reader can apply to eliminate or at least mitigate the associated risks.

The author starts off by explaining vulnerability management basics, the importance of knowing your network and the process of collecting and analyzing data.

He explains the importance of a vulnerability scanner and why it is essential to configure and deploy it correctly, since it provides the information needed to successfully complete a vulnerability management process.

The next step is to automate the processes, which prioritizes vulnerabilities and gives time to work on more severe issues, consequently boosting an organization’s security posture.

Finally, it is time to decide what to do with the vulnerabilities you have detected, which means choosing the appropriate security measures, whether it’s patching, mitigation or systemic measures. When the risk has a low impact, there’s also the option of accepting it, but this still needs to be documented and agreed upon.

The important part of this process, and perhaps also the hardest, is building relationships within the organization. The reader needs to respect office politics and make sure all the decisions and changes they make are approved by the superiors.

The second part of the book is practical, with the author guiding the reader through the process of building their own vulnerability management system with a detailed analysis of the open source tools they need to use such as Nmap, OpenVAS, and cve-search, everything supported by coding examples.

The reader will learn how to build an asset and vulnerability database and how to keep it accurate and up to date. This is especially important when generating reports, as those need to be based on recent vulnerability findings.
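The workflow the two preceding paragraphs describe (inventory from scan output, a database that stays current, findings ranked and dispositioned with the decision written down) can be shown end to end in a few functions. The following is an added example written for this review, not code from the book or its author: it parses Nmap XML into assets, merges them into an existing record set, expires hosts not seen within a window, drops findings that no longer apply, ranks the rest by CVSS weighted with an assumed per-asset criticality, and requires a justification before risk can be accepted. The scan output, finding IDs, hosts, criticality weights and the 30-day staleness window are all constructed for illustration.

```python
"""Added example (not code from the book): asset inventory from Nmap XML,
merge with existing records, staleness expiry, ranking, and documented
disposition of findings.  All sample data is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed scan output in the layout Nmap writes with -oX.
NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.internal"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.18.0"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed scanner findings; ids and titles are placeholders, not real CVEs.
FINDINGS = [
    {"id": "F-001", "host": "10.0.0.5", "port": 22, "cvss": 7.5, "title": "outdated SSH build"},
    {"id": "F-002", "host": "10.0.0.9", "port": 3306, "cvss": 9.8, "title": "database reachable without auth"},
    {"id": "F-003", "host": "10.0.0.9", "port": 8080, "cvss": 5.3, "title": "proxy information leak"},
    {"id": "F-004", "host": "10.0.0.77", "port": 80, "cvss": 6.1, "title": "finding on a retired host"},
]

# Assumed business-impact weights; an asset database would carry these as tags.
ASSET_CRITICALITY = {"10.0.0.5": 1.0, "10.0.0.9": 1.5}
SCAN_TIME = datetime(2020, 11, 1, tzinfo=timezone.utc)


def parse_nmap(xml_text):
    """Return {ip: {"hostname": ..., "open_ports": {port: service}}} for hosts that are up."""
    assets = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        open_ports = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                      # closed/filtered ports are not exposure
            svc = port.find("service")
            open_ports[int(port.get("portid"))] = {
                "proto": port.get("protocol"),
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            }
        hn = host.find("hostnames/hostname")
        assets[addr.get("addr")] = {"hostname": hn.get("name") if hn is not None else None,
                                    "open_ports": open_ports}
    return assets


def merge_assets(db, scanned, now, stale_after=timedelta(days=30)):
    """Refresh records for hosts seen in this scan; flag hosts unseen for stale_after."""
    for ip, data in scanned.items():
        rec = db.setdefault(ip, {"first_seen": now})
        rec.update(data)
        rec["last_seen"] = now
    for rec in db.values():
        rec["stale"] = now - rec["last_seen"] > stale_after
    return db


def prioritize(db, findings):
    """Rank findings that still apply to the current inventory; return dropped ones with reasons."""
    ranked, dropped = [], []
    for f in findings:
        rec = db.get(f["host"])
        if rec is None or rec["stale"]:
            dropped.append((f["id"], "host not in current inventory"))
        elif f["port"] not in rec["open_ports"]:
            dropped.append((f["id"], "port no longer open"))
        else:
            score = f["cvss"] * ASSET_CRITICALITY.get(f["host"], 1.0)
            ranked.append({**f, "score": round(score, 1)})
    ranked.sort(key=lambda f: f["score"], reverse=True)
    return ranked, dropped


def record_decision(finding, action, owner, justification=""):
    """Every disposition is recorded; accepting risk additionally requires a justification."""
    if action not in {"patch", "mitigate", "systemic", "accept"}:
        raise ValueError("unknown action")
    if action == "accept" and not justification:
        raise ValueError("risk acceptance must be justified and approved")
    return {"id": finding["id"], "action": action, "owner": owner, "justification": justification}


def run():
    """Existing database holds one host last seen 60 days ago; merge today's scan and rank."""
    db = {"10.0.0.77": {"first_seen": SCAN_TIME - timedelta(days=90),
                        "last_seen": SCAN_TIME - timedelta(days=60),
                        "hostname": None, "open_ports": {80: {"proto": "tcp", "name": "http",
                                                              "product": None, "version": None}}}}
    merge_assets(db, parse_nmap(NMAP_XML), SCAN_TIME)
    return prioritize(db, FINDINGS)


if __name__ == "__main__":
    ranked, dropped = run()
    for f in ranked:
        print(f"{f['score']:5.1f} {f['id']} {f['host']}:{f['port']} {f['title']}")
    for fid, why in dropped:
        print(f"dropped {fid}: {why}")
```

Two findings are dropped here for reasons the book's emphasis on a current database explains: one targets a port that the latest scan shows closed, and one targets a host that has not been seen in 60 days. Reporting either as open risk would waste remediation time and undermine the trust the text says the process depends on.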

Who is it for?

Practical Vulnerability Management is aimed at security practitioners who are responsible for protecting their organization and tasked with boosting its security posture. It is assumed they are familiar with Linux and Python.

Despite the technical content, the book is an easy read and offers comprehensive solutions to keeping an organization secure and always prepared for possible attacks.

Securing mobile devices, apps, and users should be every CIO’s top priority

More than 80% of global employees do not want to return to the office full-time, despite 30% of employees saying that being isolated from their team was the biggest hindrance to productivity during lockdown, a MobileIron study reveals.


The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees are increasingly using their own personal devices to access corporate data and services.

Adding to the challenges posed by the new “everywhere enterprise” – in which employees, IT infrastructures, and customers are everywhere – is the fact that employees are not prioritizing security. The study found that 33% of workers consider IT security to be a low priority.

Mobile devices and a new threat landscape

The current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks. These attacks range from basic to sophisticated and are likely to succeed, with many employees unaware of how to identify and avoid a phishing attack. The study revealed that 43% of global employees are not sure what a phishing attack is.

“Mobile devices are everywhere and have access to practically everything, yet most employees have inadequate mobile security measures in place, enabling hackers to have a heyday,” said Brian Foster, SVP Product Management, MobileIron.

“Hackers know that people are using their loosely secured mobile devices more than ever before to access corporate data, and increasingly targeting them with phishing attacks. Every company needs to implement a mobile-centric security strategy that prioritizes user experience and enables employees to maintain maximum productivity on any device, anywhere, without compromising personal privacy.”

The study found that four distinct employee personas have emerged in the everywhere enterprise as a result of lockdown, and mobile devices play a more critical role than ever before in ensuring productivity.

Hybrid Henry

  • Typically works in financial services, professional services or the public sector.
  • Ideally splits time equally between working at home and going into the office for face-to-face meetings; although this employee likes working from home, being isolated from teammates is the biggest hindrance to productivity.
  • Depends on a laptop and mobile device, along with secure access to email, CRM applications and video collaboration tools, to stay productive.
  • Believes that IT security ensures productivity and enhances the usability of devices. At the same time, this employee is only somewhat aware of phishing attacks.

Mobile Molly

  • Works constantly on the go using a range of mobile devices, such as tablets and phones, and often relies on public WiFi networks for work.
  • Relies on remote collaboration tools and cloud suites to get work done.
  • Views unreliable technology as the biggest hindrance to productivity as this individual is always on-the-go and heavily relies on mobile devices.
  • Views IT security as a hindrance to productivity as it slows down the ability to get tasks done. This employee also believes IT security compromises personal privacy.
  • This is the most likely persona to click on a malicious link due to a heavy reliance on mobile devices.

Desktop Dora

  • Finds being away from teammates and working from home a hindrance to productivity and can’t wait to get back to the office.
  • Prefers to work on a desktop computer from a fixed location than on mobile devices.
  • Relies heavily on productivity suites to communicate with colleagues in and out of the office.
  • Views IT security as a low priority and leaves it to the IT department to deal with. This employee is also only somewhat aware of phishing attacks.

Frontline Fred

  • Works on the frontlines in industries like healthcare, logistics or retail.
  • Works from fixed and specific locations, such as hospitals or retail shops; This employee can’t work remotely.
  • Relies on purpose-built devices and applications, such as medical or courier devices and applications, to work. This employee is not as dependent on personal mobile devices for productivity as other personas.
  • Realizes that IT security is essential to enabling productivity. This employee can’t afford to have any device or application down time, given the specialist nature of their work.

“With more employees leveraging mobile devices to stay productive and work from anywhere than ever before, organizations need to adopt a zero trust security approach to ensure that only trusted devices, apps, and users can access enterprise resources,” continued Foster.

“Organizations also need to bolster their mobile threat defenses, as cybercriminals are increasingly targeting text and SMS messages, social media, productivity, and messaging apps that enable link sharing with phishing attacks.

“To prevent unauthorized access to corporate data, organizations need to provide seamless anti-phishing technical controls that go beyond corporate email, to keep users secure wherever they work, on all of the devices they use to access those resources.”

37% of remote employees have no security restrictions on corporate devices

ManageEngine unveiled findings from a report that analyzes behaviors related to personal and professional online usage patterns.


Security restrictions on corporate devices

The report combines a series of surveys conducted among nearly 1,500 employees amid the pandemic as many people were accelerating online usage due to remote work and stay-at-home orders. The findings evaluate users’ web browsing habits, opinions about AI-based recommendations, and experiences with chatbot-based customer service.

“This research illuminates the challenges of unsupervised employee behaviors, and the need for behavioral analytics tools to help ensure business security and productivity,” said Rajesh Ganesan, vice president at ManageEngine.

“While IT teams have played a crucial role in supporting remote work and business continuity during the pandemic, now is an important time to evaluate the long-term effectiveness of current strategies and augment data analytics to IT operations that will help sustain seamless, secure operations.”

Risky online behaviors could compromise corporate data and devices

63% of respondents report that their organization has provided them with a corporate device to utilize while working remotely.

Interestingly, 37% of those respondents also say that there are no security restrictions on these corporate devices. Therefore, risky online activities such as visiting unsecured websites, sharing personal information, and downloading third-party software could pose potential threats.

For example, 54% said they would still visit a website after receiving a warning that it might be insecure. Among younger respondents the figures were 42% of those aged 18-24 and 40% of those aged 25-34.

Remote work has its hiccups, but IT teams have been responsive

79% of respondents say they experience at least one technology issue weekly while working from home. The most common issues include slowed functionality and download speeds (40%) and unreliable connectivity (25%).

However, IT teams have been committed to solving these challenges. For example, 75% of respondents say it’s been easy to communicate with their IT teams to resolve these issues. Chatbots, AI, and automation are becoming increasingly more effective and trusted.

76% said their experience with chatbot-based support has been “excellent” or “satisfactory,” and 55% said their issue was resolved in a timely manner. As it relates to artificial intelligence, 67% say they trust these solutions to make recommendations for them.

The increasing comfort with automation technologies can help IT teams support both front and back-end business functions, especially during times of increased online activities due to the pandemic.

Is passwordless authentication actually the future?

While passwords may not be going away completely, 92 percent of respondents believe passwordless authentication is the future of their organization, according to a LastPass survey.


Passwordless authentication reduces password-related risks by enabling users to log in to devices and applications without typing a password.

Technologies such as biometric authentication, single sign-on (SSO) and federated identity streamline the user experience for employees within an organization, while still maintaining a high level of security and full control for IT and security teams.
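One concrete shape a passwordless login takes is a signed, time-limited, single-use token delivered out of band (the "magic link" or one-time-code pattern): the user proves possession of a channel rather than knowledge of a password. The block below is an added example, not code from LastPass, LogMeIn or the survey, and it shows the three checks such a token needs to survive in practice: constant-time signature verification, expiry, and replay rejection. The server key, the token lifetime and the in-memory set of consumed nonces are assumptions; a deployment would load the key from a secret store and keep the consumed set in shared storage.

```python
"""Added example: HMAC-signed, time-limited, single-use login token.
The key, TTL and in-memory nonce store are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = b"constructed-demo-key-load-from-secret-store"   # assumption
TOKEN_TTL = 600                                                # seconds; assumption
_consumed = set()   # nonces already redeemed; assumption: a shared store in production


def _sign(body: bytes) -> bytes:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()


def issue_token(user: str, now=None) -> str:
    """Mint a token to be sent to the user over a verified channel (e.g. their mailbox)."""
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": int(now) + TOKEN_TTL, "nonce": secrets.token_hex(16)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(_sign(body)).decode())


def verify_token(token: str, now=None):
    """Return the user name for a valid token, or None.

    Order matters: the signature is checked before the body is parsed so
    unauthenticated input never reaches the JSON parser, and the nonce is
    marked consumed only after every other check passes."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:                       # wrong shape or bad base64
        return None
    if not hmac.compare_digest(sig, _sign(body)):   # constant-time comparison
        return None
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if claims.get("exp", 0) < now:           # expired
        return None
    if claims["nonce"] in _consumed:         # replayed
        return None
    _consumed.add(claims["nonce"])           # single use
    return claims["sub"]


def demo():
    """Exercise the happy path and each failure mode with fixed timestamps."""
    t0 = 1_600_000_000
    tok = issue_token("alice", now=t0)
    valid = verify_token(tok, now=t0 + 60)
    replay = verify_token(tok, now=t0 + 61)
    expired = verify_token(issue_token("bob", now=t0), now=t0 + TOKEN_TTL + 1)
    _, sig_b64 = issue_token("carol", now=t0).split(".")
    forged_body = base64.urlsafe_b64encode(
        b'{"sub":"admin","exp":9999999999,"nonce":"0"}').decode()
    tampered = verify_token(forged_body + "." + sig_b64, now=t0 + 60)
    malformed = verify_token("not-a-token", now=t0)
    return {"valid": valid, "replay": replay, "expired": expired,
            "tampered": tampered, "malformed": malformed}


if __name__ == "__main__":
    print(demo())
```

The token removes the password from the login, but the security of the scheme now rests on the delivery channel and on the three checks above; a deployment that skips the consumed-nonce check turns every intercepted link into a reusable credential.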

Organizations still have a password problem

Problems with passwords are still an ongoing struggle for organizations. The amount of time that IT teams spend managing users’ password and login information has increased year over year.

In fact, those surveyed suggest that weekly time spent managing users’ passwords has increased 25 percent since 2019. Given this, 85 percent of IT and security professionals agree that their organization should look to reduce the number of passwords that individuals use on a daily basis.

Additionally, 95 percent of respondents surveyed say there are risks to using passwords which could contribute to threats in their organization, notably human behaviors like password reuse or weak passwords.

Security priorities are at odds with user experience

When it comes to managing an organization, security is a core challenge for IT teams. However, it is the lack of convenience and ease of use that employees care about. Security is the main source of frustration for the IT department, particularly when issues are often derived from user behavior when managing passwords.

The top three frustrations for IT teams include users using the same password across applications (54 percent), users forgetting passwords (49 percent) and time spent on password management (45 percent).

For employees, the issues lie in convenience. Their top three frustrations are changing passwords regularly (56 percent), remembering multiple passwords (54 percent) and typing long, complex passwords (49 percent).

Primary benefits of passwordless authentication

Better security (69 percent) and eliminating password related risk (58 percent) are believed by respondents to be the top benefits of deploying a passwordless authentication model for their organization’s IT infrastructure. Time (54 percent) and cost (48 percent) savings are also noted benefits of going passwordless.

Meanwhile, for employees a passwordless authentication model would help to address efficiency concerns. 53 percent of respondents report that passwordless authentication offers the potential to provide convenient access from anywhere, which is key given the shift towards remote work that is likely here to stay.

Top challenges of passwordless deployment

While going passwordless can provide a more secure authentication method, there are challenges in the deployment of a passwordless model.

Respondents report the initial financial investment required to migrate to such solutions (43 percent), the regulations around the storage of the data required (41 percent) and the initial time required to migrate to new types of methods (40 percent) as the biggest challenges for their organization to overcome.

There are also some concerns around resistance to change. Nearly three-quarters of IT and security professionals (72 percent) think that end users in their organization would prefer to continue using passwords, as it is what they are used to.


Passwords are not going away completely

When it comes to identity and access management, 85 percent do not think passwords are going away completely. Yet, 92 percent of respondents believe that delivering a passwordless experience for end-users is the future for their organization.

There is a clear need to find a solution that combines passwordless authentication and password management in today’s organizations.

“As many organizations transition to a long-term remote work culture, giving your employees the tools and resources to be secure online in their personal lives as well as in the home office is more important now than ever,” said Gerald Beuchelt, CISO at LogMeIn.

“This report shows the continued challenge that organizations face with password security and the need for a passwordless authentication solution to enable both IT teams and employees to operate more efficiently and securely in this changing environment.”

60% of IT pros list improving security as a top priority today

Kaseya announced the results of its sixth annual IT operations benchmark report, consisting of two distinct survey audiences: IT practitioners (the IT managers and technicians working daily with technology) and IT leaders (IT directors and above).


The study surveyed 878 SMB respondents, 543 of whom were IT practitioners and 335 were IT leaders. The differences in priorities and concerns between the two audiences understandably center around aspects of their roles impacted most by COVID-19: IT leaders are currently more focused on maintaining operations while keeping IT budgets in check, whereas one of IT practitioners’ greatest struggles is maintaining productivity using limited resources.

However, many similarities also emerged for both groups, including an emphasis on IT security, data protection and the interplay between automation and productivity in 2020.

Improving security is a top priority

Although 63% of IT practitioners said they had not experienced a security breach or ransomware attack in the past three years, the increase in cyberattacks during the pandemic has cemented cybersecurity and data protection as a top priority for both groups.

More than half of IT practitioners and 60% of IT leaders listed “improving IT security” as their top priority in 2020, and more than half of respondents from both groups named “cybersecurity and data protection” as their top challenge.

But managing and working with limited budgets makes securing their company during this time difficult for IT teams. Although 73% of IT leaders are optimistic that their IT budgets will remain the same or increase in 2021, nearly one-third are still concerned about having inadequate IT budgets or resources to meet demands — a similar consideration for 32% of practitioners.

As a result of limited budgets, less than a third of practitioners are actually able to patch remote, off-network devices. This potentially exposes the entire company’s networks to higher security risks given the increase in remote workforces using personal devices or connecting to unsecured Wi-Fi connections during the pandemic.

Investing in IT automation improves productivity and reduces costs

In addition to potentially making companies vulnerable to security risks, slashed budgets can also impact an IT team’s productivity. Luckily, both IT practitioners and leaders are on the same page about the solution to this problem in 2020: automation.

IT practitioners who listed “increasing IT productivity through automation” and IT leaders who named “reducing IT costs” are simply pursuing the same goal, since higher productivity ultimately reduces operating costs.

When asked about the technologies IT leaders are planning to invest in for 2021, 60% said “IT automation.” Likewise, 38% of practitioners named “automation of IT processes” as a top use case for their endpoint management solution.

How vital is cybersecurity awareness for a company’s overall IT security?

The benefits of cybersecurity awareness programs are currently the subject of broad discussion, particularly when it comes to phishing simulations. Nowadays, companies not only invest in IT security solutions, but also in the training of their employees with the goal of making them more conscious of security issues.


Already 96 percent of companies conduct security awareness trainings. This is one of the results of a study among qualified, international security experts, conducted by Lucy Security.

Security awareness covers various training measures which sensitize a company’s employees to IT security issues. The goal of these measures is to minimize the risks to IT security caused by employees.

Companies do not exploit employees’ potential

81 percent of the companies surveyed carry out phishing simulations. It is noteworthy, however, that only slightly more than half of the companies already include their employees in their security arrangements. For example, only 51 percent of the companies use a phishing alarm button.

49 percent do not use this function and thus do not exploit the full potential of their staff. The so-called “human firewall” is not activated. “The lack of use of a phishing incident button wastes a lot of protection potential and user motivation,” comments Palo Stacho, Head of Operations at Lucy Security.

In 92 percent of the companies, cybersecurity awareness has increased in recent months. 96 percent also agree that cybersecurity awareness has led to a higher level of security in their company. 98 percent are also convinced that security awareness measures make attacks by cyber criminals more difficult.

Phishing simulations strengthen trust in superiors

The measures also strengthen confidence in management. Almost 89 percent of the survey participants “fully”, “largely” or “rather agree” that trust in management is not called into question by phishing campaigns.

73 percent also confirm that the security awareness measures do not cause any fear among employees. In fact, the measures have the opposite effect: 95 percent of the respondents say that the phishing simulations have a positive effect on the working atmosphere. 100 percent also claim that the measures have a positive effect on their company’s error culture.

Security awareness makes companies more secure

Finally, 92 percent of the survey participants denied that the same level of IT security could be maintained in the company if the existing funds and resources were invested exclusively in technical security measures, such as firewalls and virus scanners.

“At Lucy Security, internal analyses have shown that correctly implemented awareness programs make a company up to ten times more secure,” says Palo Stacho. “But the benefits of cybersecurity awareness go far beyond fewer security incidents and better trained employees. The trainings and increased attention to IT security also have a positive effect on the corporate culture.”

Rising reports of fraud signal that some COVID-related schemes may just be getting started

As the economic fallout of the COVID-19 crisis continues to unfold, research from Next Caller reveals the pervasive impact that COVID-related fraud has had on Americans, as well as emerging trends that threaten the security of contact centers, as we head towards what may be another wave of call activity.


The company’s latest report found that 55% of Americans believe they’ve been a victim of COVID-related fraud, up more than 20% from when the company conducted a similar study in April.

Perhaps even more worrisome is the fact that 59% of Americans claim they haven’t taken any additional precautions to protect themselves from these attacks.

“Even with massive amounts of PII circulating the dark web and so many new opportunities for criminals to exploit because of the pandemic, it’s still alarming that over half of the country thinks they’ve been targeted by COVID-related fraud,” said Ian Roncoroni, CEO, Next Caller.

“Compounding the problem is COVID’s unique ability to distract and disengage people from carefully monitoring their accounts. Criminals who are already well-equipped to bypass security can now operate longer without detection, worsening the impact exponentially.”

Data has shown the clear correlation between the economic fallout of the crisis – specifically stimulus related events – and the meteoric spikes in overall call volumes and the number of high-risk calls taking place inside contact centers across today’s biggest brands.

Fraudsters eager to replicate their initial success

A pending second stimulus package, combined with a clear urgency from Americans around receiving it, indicates that another wave of activity from customers and criminals is on the horizon.

In regards to the latest findings, Roncoroni said, “We have to prepare for a more sophisticated criminal strategy this time around. Rising reports of fraud activity signal not only that fraudsters are eager to replicate their initial success, but that some of those early schemes may just be getting started.

“The phony mailing address unceremoniously added to a bank account in April is likely just the trojan horse for a scheme ready to be set in motion under the cover of the next stimulus package.”


Key findings

  • 55% of Americans believe they’ve been targeted by COVID-related fraud
  • Despite that, 59% of Americans claim that they have not taken any additional precautions to protect themselves from attacks
  • Almost 1-in-3 Americans are more worried about becoming a victim of fraud than they are about contracting the virus
  • 56% believe brands are equally responsible for providing flexible and accommodating customer service and protecting personal information
  • When asked about their view of the next stimulus checks, 41% of Americans said “I really need another check”
  • 53% of Americans say that they have already sought out information related to the next round of checks

Financial risk and regulatory compliance pros struggling with collaboration

After several months of working from home, with no clear end in sight, financial risk and regulatory compliance professionals are struggling when it comes to collaborating with their teams – particularly as they manage increasingly complex global risk and regulatory reporting requirements.


According to a survey of major financial institutions conducted by AxiomSL, 41% of respondents said collaborating with teams remains a challenge while working remotely.

“During the pandemic, financial firms quickly adapted to major changes, although not without some operational and technology weaknesses emerging,” said Alex Tsigutkin, CEO AxiomSL.

“Indeed, businesses might never return to the ‘old normal’, and that has made building data- and technology-driven resilience much more pressing than before the crisis. Our clients have been experiencing heightened regulatory pressures,” he continued.

“Throughout the crisis, we enabled them to respond rapidly to changes in reporting criteria, the onset of daily liquidity reporting, and the Federal Reserve’s emerging risk data collection (ERDC) initiative – that required FR Y-14 data on a weekly/monthly basis instead of quarterly.”

These data-intensive, high-frequency regulatory reporting requirements will continue in the ‘new normal.’ “To future-proof, organizations should continue to establish sustainable data architectures and analytics that enable connection and transparency between critical datasets,” Tsigutkin commented.

“And, as a priority, they should transition to our secure RegCloud to handle regulatory intensity efficiently, bolster business continuity, and strengthen their ability to collaborate remotely,” he concluded.

Key research findings

Remote collaboration is a top operational challenge for financial risk and regulatory pros: For all the talk of work-from-anywhere policies becoming the future of financial services, 41% of the risk and compliance professionals surveyed said collaborating with colleagues while working remotely has been their biggest challenge during the COVID-19 crisis.

This was the most frequently cited challenge, followed by accessing data from dispersed systems (18%), reliance on offshore resources (15%), and reliance on locally installed technology (15%).

Liquidity reporting expected to get harder: New capital and liquidity stress testing requirements are expected to present a much heavier burden on financial firms, with 18% of respondents citing increased capital and liquidity risk reporting as a major challenge they will face over the next two years.

Cloud adoption gets its catalyst: After years of resisting cloud adoption, many North American financial institutions are finally gearing up to make the move. When it comes to regulatory technology spending over the next two years, enhanced data analytics is the top area of focus among 29% of survey respondents. But cloud deployment rose to second place (23%) followed by data lakes (22%) and artificial intelligence and machine learning (20%).

Reduction of manual processes is an operational focus for the next two years: The top risk and regulatory compliance challenge firms see on the road ahead is continuing to eliminate manual processes (29%), followed by improving the transparency of data and processes (21%), and fully transitioning to a secure cloud (13%).

RegTech budgets largely intact heading into 2021: A total of 83% indicated their near-term projects as virtually unimpacted or mostly going forward. And similarly, 81% said their budgets for 2021 remain intact (70%) or will increase (11%).

GRC teams have a number of challenges meeting regulatory demands

Senior risk and compliance professionals within financial services companies lack confidence in the security data they are providing to regulators, according to Panaseer.


Results from a global external survey of over 200 GRC leaders reveal concerns about data accuracy, request overload, resource-heavy processes and a lack of end-to-end automation.

The results indicate a wider issue with cyber risk management. If GRC leaders don’t have confidence in the accuracy and timeliness of security data provided to regulators, then the same holds true for the confidence in their own ability to understand and combat cyber risks.

41% of risk leaders feel ‘very confident’ that they can fulfill the security-related requests of a regulator in a timely manner. 27.5% are ‘very satisfied’ that their organization’s security reports align to regulatory compliance needs.

GRC leaders cited their top challenges in fulfilling regulator requests, as:

  • Getting access to accurate data (35%)
  • The number of report requests (29%)
  • The length of time it takes to get information from the security team (26%)

The limitations of traditional GRC tools

The issue has been perpetuated by the limitations of traditional GRC tools, which rely on qualitative questionnaires to provide evidence of compliance. This does not reflect the current challenges from cyber.

92% of senior risk and compliance professionals believe it would be valuable to have quantitative security controls assurance reporting (vs qualitative) and 93.5% believe it’s important to automate security risk and compliance reporting. However, only 11% state that their risk and compliance reporting is currently automated end to end.

96% said it is important to prioritize security risk remediation based on its impact to the business, but most cannot isolate risk to critical business processes, which are composed of people, applications and devices. Only 33.5% of respondents are ‘very confident’ in their ability to understand all of their asset inventories.


Charaka Goonatilake, CTO, Panaseer: “Faced with increasing requests from regulators, GRC leaders have resorted to throwing a lot of people at time-sensitive requests. These manual processes combined with lack of GRC tool scalability necessitates data sampling, which means they cannot have complete visibility or full confidence in the data they are providing.

“The challenge is being exacerbated by new risks introduced by IoT sensors and endpoints, which rarely consider security a core requirement and therefore introduce greater risk and increase the importance of controls and mitigations to address them.”

Andreas Wuchner, Panaseer Advisory Board member: “To face the new reality of cyberthreats and regulatory pressures requires that many organizations fundamentally rethink traditional tools and defences.

“GRC leaders can enhance their confidence to accurately and quickly meet stakeholder needs by implementing Continuous Controls Monitoring, an emerging category of security and risk, which has just been recognised in the 2020 Gartner Risk Management Hype Cycle.”