Researchers break Intel SGX by creating $30 device to control CPU voltage

Researchers at the University of Birmingham have managed to break Intel SGX, a set of security functions used by Intel processors, by creating a $30 device to control CPU voltage.

The work follows a 2019 project, in which an international team of researchers demonstrated how to break Intel’s security guarantees using software undervolting. This attack, called Plundervolt, used undervolting to induce faults and recover secrets from Intel’s secure enclaves.

Intel fixed this vulnerability in late 2019 by removing the ability to undervolt from software with microcode and BIOS updates.

Taking advantage of a separate voltage regulator chip

But now, a team in the University’s School of Computer Science has created a $30 device, called VoltPillager, to control the CPU’s voltage – thus side-stepping Intel’s fix. The attack requires physical access to the computer hardware – which is a relevant threat for SGX enclaves that are often assumed to protect against a malicious cloud operator.

The bill of materials for building VoltPillager is:

  • Teensy 4.0 Development Board: $22
  • Bus Driver/ Buffer * 2: $1
  • SOT IC Adapter * 2: $13 for 6

How to build Voltpillager Board

This research takes advantage of the fact that there is a separate voltage regulator chip to control the CPU voltage. VoltPillager connects to this unprotected interface and precisely controls the voltage. The research shows that this hardware undervolting can achieve the same as Plundervolt (and more).

Zitai Chen, a PhD student in Computer Security at the University of Birmingham, says: “This weakness allows an attacker, if they have control of the hardware, to breach SGX security. Perhaps it might now be time to rethink the threat model of SGX. Can it really protect against malicious insiders or cloud providers?”

Guide: Security measures for IoT product development

The European Union Agency for Cybersecurity (ENISA) released its Guidelines for Securing the IoT, which covers the entire IoT supply chain – hardware, software and services.

Supply chains are currently facing a broad range of threats, from physical threats to cybersecurity threats. Organisations are becoming more dependent than ever before on third parties.

As organisations cannot always control the security measures of their supply chain partners, IoT supply chains have become a weak link for cybersecurity. Today, organisations have less visibility and understanding of how the technology they acquire is developed, integrated and deployed than ever before.

“Securing the supply chain of ICT products and services should be a prerequisite for their further adoption particularly for critical infrastructure and services. Only then can we reap the benefits associated with their widespread deployment, as it happens with IoT,” said Juhan Lepassaar, Executive Director, ENISA.

In the context of the development of the guidelines, ENISA has conducted a survey that identifies the existence of untrusted third-party components and vendors, and the vulnerability management of third-party components as the two main threats to the IoT supply chain. The publication analyses the different stages of the development process, explores the most important security considerations, identifies good practices to be taken into account at each stage, and offers readers additional resources from other initiatives, standards and guidelines.

As in most cases pre-prepared products are used to build up an IoT solution, introducing the concept of security by design and security by default is a fundamental building block to protect this emerging technology. The agency has worked with IoT experts to create specific security guidelines for the whole lifespan of IoT devices.

These guidelines to help tackle the complexity of IoT focus on bringing together the key actors in the supply chain to adopt a comprehensive approach to security, leverage existing standards and implement security by design principles.

Most UK businesses using Oracle E-Business Suite are running old systems

The majority of UK businesses using Oracle E-Business Suite (EBS) are running on old versions of the business critical ERP system, according to a Claremont study.

Of the 154 IT professionals polled, 64% revealed they are running on an earlier version than the current R12.2. With Oracle cutting off premier support to EBS 12.1 in December 2021, this leaves these businesses facing potential legislative and security issues if they fail to upgrade prior to the deadline.

58% of the businesses polled claimed they did intend on making the upgrade to R12.2.

“Businesses intent on upgrading to EBS R12.2 face a race against the clock in order to get it done in time. There is now just 14 months until the deadline, and while that may seem like a long time, given that the survey indicates almost two-thirds of businesses are currently looking to upgrade, there is likely to be resource scarcity in the marketplace. With upgrades taking 6-12 months to complete, vendor selections to be made and business cases to be raised, now is the time to act,” said Mark Vivian, CEO at Claremont.

The study also revealed that the majority of EBS users are currently hosting EBS on physical servers. 69% said they were still using physical servers, compared to just 31% hosting EBS on a cloud platform. 60% of businesses claimed they had no intention of migrating to the cloud, while 26% said they were planning a migration, and just 14% said their migration was underway.

The survey also revealed the reasons why those businesses using cloud platforms to host EBS had chosen their cloud provider. 53% of businesses cited price as the main reason they had chosen their cloud provider, while 40% cited greater agility and flexibility, and just 36% cited better support from the cloud vendor.

Mark Vivian added: “It’s surprising to see that so many businesses are still running Oracle E-Business on physical servers. Moving to cloud infrastructure means a shift towards greater agility, crucial for organisations to survive and thrive in response to the accelerating pace of change in today’s marketplace.”

Data protection predictions for 2021

2020 presented us with many surprises, but the world of data privacy somewhat bucked the trend. Many industry verticals suffered losses, uncertainty and closures, but the protection of individuals and their information continued to truck on.

After many websites simply blocked access unless you accepted their cookies (now deemed unlawful), we received clarity on cookies from the European Data Protection Board (EDPB). With the ending of Privacy Shield, we witnessed the cessation of a legal basis for cross border data transfers.

Severe fines levied for General Data Protection Regulation (GDPR) non-compliance showed organizations that the regulation is far from toothless and that data protection authorities are not easing up just because there is an ongoing global pandemic.

What can we expect in 2021? Undoubtedly, the number of data privacy cases brought before the courts will continue to rise. That’s not necessarily a bad thing: with each case comes additional clarity and precedent on many different areas of the regulation that, to date, is open to interpretation and conjecture.

Last time I spoke to the UK Information Commissioner’s Office regarding a technicality surrounding data subject access requests (DSARs) submitted by a representative, I was told that I was far from the only person enquiring about it, and this only illustrates some of the ambiguities faced by those responsible for implementing and maintaining compliance.

Of course, this is just the GDPR. There are many other data privacy legislative frameworks to consider. We fully expect 2021 to bring full and complete alignment of the ePrivacy Regulations with GDPR, and eradicate the conflict that exists today, particularly around consent, soft opt-in, etc., where the GDPR is very clear but the current Privacy and Electronic Communication Regulation (PECR) not quite so much.

These are just inside Europe but across the globe we’re seeing continued development of data localization laws, which organizations are mandated to adhere to. In the US, the California Consumer Privacy Act (CCPA) has kickstarted a swathe of data privacy reforms within many states, with many calls for something similar at the federal level.

The following year(s) will see that build and, much like with the GDPR, precedent-setting cases are needed to provide more clarity regarding the rules. Will Americans look to replace the shattered Privacy Shield framework, or will they adopt Standard Contractual Clauses (SCCs) more widely? SCCs are a very strong legal basis, providing the clauses are updated to align with the GDPR (something else we’d expect to see in 2021), and I suspect the US will take this road as the realization of the importance of trade with the EU grows.

Other noteworthy movements in data protection laws are happening in Russia with amendments to the Federal Law on Personal Data, which is taking a closer look at TLS as a protective measure, and in the Philippines, where the Personal Data Protection Act 2021 (PDPA) is being replaced by a new bill (currently a work in progress, but it’s coming).

One of the biggest events of 2021 will be the UK leaving the EU. The British implementation of the GDPR comes in the form of the UK Data Protection Bill 2018. Aside from a few deregulations, it’s the GDPR and that’s great… as far as it goes. Having strong local data privacy laws is good, but after enjoying 47 years (at the time of writing) of free movement within the Union, how will being outside of the EU impact British business?

It is thought and hoped that the UK will be granted an adequacy decision fairly swiftly, given that historically local UK laws aligned with those inside the Union, but there is no guarantee. The uncertainty around how data transfers will look in future might result in the British industry using more SCCs. The currently low priority plans to make Binding Corporate Rules (BCR) easier and more affordable will come sharply to the fore as the demand for them goes up.

One thing is certain, it’s going to be a fascinating year for data privacy and we are excited to see clearer definitions, increased certification, precedent-setting case law and whatever else unfolds as we continue to navigate a journey of governance, compliance and security.

Why developing cybersecurity education is key for a more secure future

Cybersecurity threats are growing every day, be they aimed at consumers, businesses or governments. The pandemic has shown us just how critical cybersecurity is to the successful operation of our respective economies and our individual lifestyles.

The rapid digital transformation it has forced upon us has seen us rely almost totally on the internet, ecommerce and digital communications to do everything from shopping to working and learning. It has brought into stark focus the threats we all face and the importance of cybersecurity skills at every level of society.

European Cybersecurity Month is a timely reminder that we must not become complacent and must redouble our efforts to stay safe online and bolster the cybersecurity skills base in society. This is imperative not only to manage the challenges we face today, but to ensure we can rise to the next wave of unknown, sophisticated cybersecurity threats that await us tomorrow.

Developing cybersecurity education at all levels, encouraging more of our students to embrace STEM subjects at an early age, educating consumers and the elderly on how to spot and avoid scams are critical to managing the challenge we face. The urgency and need to build our professional cybersecurity workforce is paramount to a safe and secure cyber world.

With a global skills gap of over four million, the cybersecurity professional base must grow substantially now in the UK and across mainland Europe to meet the challenge facing organisations, at the same time as we lay the groundwork to welcome the next generation into cybersecurity careers. That means a stronger focus on adult education, professional workplace training and industry-recognised certification.

At this key moment in the evolution of digital business and the changes in the way society functions day-to-day, certification plays an essential role in providing trust and confidence on knowledge and skills. Employers, government, law enforcement – whatever the function, these organisations need assurance that cybersecurity professionals have the skills, expertise and situational fluency needed to deal with current and future needs.

Certifications provide cybersecurity professionals with this important verification and validation of their training and education, ensuring organisations can be confident that current and future employees holding a given certification have an assured and consistent skillset wherever in the world they are.

The digital skills focus of European Cybersecurity Month is a reminder that there is a myriad of evolving issues that cybersecurity professionals need to be proficient in including data protection, privacy and cyber hygiene to name just a few.

However, certifications are much more than a recognised and trusted mark of achievement. They are a gateway to ensuring continuous learning and development. Maintaining a cybersecurity certification, combined with professional membership is evidence that professionals are constantly improving and developing new skills to add value to the profession and taking ownership for their careers. This new knowledge and understanding can be shared throughout an organisation to support security best practice, as well as ensuring cyber safety in our homes and communities.

Ultimately, we must remember that cybersecurity skills, education and best practice is not just a European issue, and neither is it a political issue. Rather, it is a global challenge that impacts every corner of society. Cybersecurity mindfulness needs to be woven into the DNA of everything we do, and it starts with everything we learn.

GAIA-X to strengthen European digital infrastructure sovereignty

The GAIA-X Initiative announced that it is one step closer to its goal of a trustworthy, sovereign digital infrastructure for Europe, with the official signing of incorporation papers for GAIA-X AISBL, a non-profit association that will take the project to the next level.

GAIA-X: A vision for Europe

The initiative’s twenty-two founding members signed the documents in Brussels to create an association for securing funding and commitment from members to fulfill the initiative’s vision for Europe.

“We are deeply motivated to meet the challenges of the European digital economy,” said Servane Augier, COO at 3DS OUTSCALE.

“Through GAIA-X, we are building, all together, a sovereign and reliable digital infrastructure and an ecosystem for innovation in Europe. In this way, we will strengthen the digital sovereignty of businesses, research and education, governments and society as a whole.”

Seeking active participation and membership

While final incorporation is pending, the founding members of GAIA-X AISBL are seeking active participation and membership from national and multi-national, European and non-European companies, as well as partners in the worlds of science and politics, who share European standards and values.

The association views its members as the primary drivers of progress and innovation, working closely together to define standards and prototype implementations from both provider and user perspectives.

“The BMW Group sees the future of automotive software in the cloud, whether it is about pioneering IT solutions for the development and production of premium vehicles, new digital services for our customers or innovative features in the car,” said Marco Görgmaier, Head of DevOps Platform and Cloud Technologies, The BMW Group.

“Participation in the GAIA-X project is a logical step in our intention to further expand our innovative strength. The goals of the GAIA-X project – striving for data sovereignty, reducing dependencies, establishing cloud services on a broad scale and creating an open ecosystem for innovation – are fully in line with our own efforts.”

Setting up head office in Brussels

As the incorporation process is moving forward, the association will continue to set up its head office in Brussels and establish key organizational structures.

Overall, the GAIA-X founders aim to establish a culture of trust, knowledge exchange and transparency. They anticipate that as the membership of GAIA-X grows, it will be able to have an increasing impact on innovation and collaboration in the development of technical solutions and standards for business, science and society across Europe.

Security analysis of legacy programming environments reveals critical flaws

New research from Trend Micro highlights design flaws in legacy languages, and the company has released new secure coding guidelines. These are designed to help Industry 4.0 developers greatly reduce the software attack surface, and therefore decrease business disruption in OT environments.

Figure: The layers of the software stack (including automation task programs) and what their respective vulnerabilities could affect

Conducted jointly with Politecnico di Milano, the research details how design flaws in legacy programming languages could lead to …

The post Security analysis of legacy programming environments reveals critical flaws appeared first on Help Net Security.

4 in 10 organizations punish staff for cybersecurity errors

New research has found that 42% of organizations are taking disciplinary action against staff who make cybersecurity errors. To examine the prevalence of punishment in businesses and the impact of this on staff, a team of researchers led by Dr John Blythe, Head of Behavioral Science at CybSafe, conducted a survey of cybersecurity awareness professionals as well as an experimental lab study, designed to mimic real-world outcomes when employees click simulated phishing emails. The survey …

The post 4 in 10 organizations punish staff for cybersecurity errors appeared first on Help Net Security.

Employees often overlooked when companies adopt new technology

Companies are placing business and shareholder goals above employee needs when they adopt new technology, according to Lenovo.

The research, conducted among 1,000 IT managers across EMEA, found that just 6% of IT managers consider users as their top priority when making technology investments. This approach to IT adoption is ultimately leading to productivity being stifled.

When businesses implement new technologies without considering the human impact, many employees become overwhelmed due to the complexity and pace of change, with 47% of IT managers reporting that users struggle to embrace new software.

With all industries having to adapt to the ‘next normal’ and take stock of their responsibility – to employees, to the environment and to the wider world – businesses are encouraged to place the needs of their people at the heart of IT decisions.

Untapped potential

There is an understandable desire for businesses to embrace transformational technologies, such as Artificial Intelligence, and the Internet of Things, as soon as possible.

The benefits these promise – innovation, improved productivity, reducing cost and greater customer experience most importantly – are tantalizing for any organization, but their true potential is completely untapped if adoption is purely led by business goals.

While successfully implemented technology should act as an enabler for employees and businesses to achieve greater things, a poor strategy can see technology become an inhibitor – hampering users whose needs have not been carefully considered and catered for.

48% of respondents reported a negative outcome where technology implementations have actively inhibited their teams’ ability to operate.

Businesses need to focus on people, offering everything from comprehensive training, to change management, while ensuring leadership KPIs, robust policy and strategy and thorough rollout analyses are aligned with a people-first ethos.

Businesses should also ask people-centric questions during any adoption process – is this technology intuitive, will it solve rather than create challenges for employees, will users get a good experience.

By taking these steps, businesses can realize the benefits new tools promise, seeing greater productivity and driving innovation. In fact, 52% of IT managers are optimistic about emerging tech’s ability to deliver improved productivity.

However, with 21% of users reporting new technology has actually slowed down processes, it is imperative for businesses to embrace the right technology at the right time. It’s also vitally important businesses consider everyone in the organization – from those who use it every day, to the IT teams implementing it, to the boardroom decision makers.

The goal should be to adopt smarter technology that is always connected, seamless, agile, flexible, easy to collaborate, adaptive to needs, reliable, high performance and with enhanced security and privacy. Not only that, but it should be suited to the needs of everyone in an organization.

Responsible business in the ‘next normal’

Organizations are currently re-evaluating how they operate in order to thrive in the next normal. Being a responsible business must now be a priority – placing human impact on the same level as achieving business goals. With 62% of IT managers reporting their investment decisions are entirely business-centric, it will require a fundamental mindset shift for many businesses.

However, as flexible working policies are embraced in order to provide more support to employees during the COVID-19 outbreak, a people-first approach is beginning to emerge, with 70% of respondents seeing more emphasis within their organization on responsible business.

Giovanni Di Filippo, President of Lenovo’s Data Center Group, EMEA, says: “Times are changing rapidly, not only for businesses, but the technology industry as a whole. Stripped of office walls, we are seeing organizations place greater emphasis on the wellbeing of their employees, and it’s heartening to see this shift in priorities from being all about the bottom line. But the study shows that this is only the beginning.”

“If there is a change of heart and mind within the industry, taking a people-first approach to IT adoption, we will see positive change for both organizations and wider society. Happier employees, greater productivity and a faster pace of innovation – these are the benefits of placing people at the centre of IT decisions.”

Companies adopt new technology: Time to think human

IT vendors whose portfolio can empower businesses to think human will help employees embrace change and enable them to be more productive. Such vendors do this by having an open mindset in working with other organizations, thinking about customer outcomes, not just adoption, reducing the burden on customers as well as the IT department, and by helping put usability and experience first.

Giovanni Di Filippo says, “For too long IT decisions have placed pure cost above a business’s most valuable asset: people. It’s people that change the world, and we know that data and technology cannot be transformative without humans bringing it to life and giving it purpose.”

“We want businesses to think human by investing in ‘Smarter Technology for All’. As for vendors – it’s time to think beyond what they make and consider who they make it for. If people are put first, we know the benefits and desired company outcomes will be great.”

Organizations are creating the perfect storm by not implementing security basics

European organizations have a false sense of security when it comes to protecting themselves, with only 68% seeing themselves as vulnerable, down from 86% in 2018, according to Thales.

Problems with implementing security basics

This confidence flies in the face of the findings of the survey of 509 European executives which reveals 52% of organizations were breached or failed a compliance audit in 2019, raising concerns as to why 20% intend to reduce data security spend in the next year.

The findings come as workers across Europe are working from home due to COVID-19, often using personal devices which don’t have the built-in security office systems do, significantly increasing risk to sensitive data.

Across the board, companies are racing to digitally transform and move more applications and data to the cloud; 37% of European countries stated they are aggressively disrupting the markets they participate in or embedding digital capabilities to enable greater enterprise agility.

A key aspect of this transformation is in the cloud becoming the leading data environment. 46% of all data stored by European organizations is now stored in the cloud, and with 43% of that data in the cloud being described as sensitive, it is essential that it is kept safe.

As more sensitive data is stored in cloud environments, however, data security risks increase. This is of particular concern given that 100% of businesses surveyed report that at least some of the sensitive data they are storing in the cloud is not encrypted.

Only 54% of sensitive data in the cloud is protected by encryption and even less (44%) is protected by tokenisation, highlighting the disconnect between the level of investment companies are making into cybersecurity and the increasing threats they face.

Multi-cloud adoption complicates data security

Despite the multitude of threats, businesses feel that the complexity (40%) of their environments is holding their data security capabilities back.

Multi-cloud adoption is the main driver of this complexity; 80% of businesses are using more than one IaaS (Infrastructure as a Service) vendor, whilst 29% have more than 50 SaaS (Software as a Service) applications to manage.

Businesses also identified a lack of budget (30%), staff to manage (28%) and organization buy-in/low priority (25%) as other top blockers.

“Businesses are continuing to race towards digital transformation and many are increasingly reliant on complex cloud environments, without taking a zero-trust approach. Data is more at risk than ever, whilst organizations are unwittingly creating the perfect storm for hackers by not implementing the security basics,” commented Rob Elliss, EMEA Vice President for Data Security solutions at Thales.

“Unfortunately, this will result in increasing problems, particularly in a world where working remotely will be part of the new-normal, unless companies can step up to the plate when it comes to keeping data safe.”

Quantum(fying) the problem

Whilst organizations continue to look at the threats of today, many are starting to turn their attention to the peril that the acceleration of computing power, quantum, could bring to them. In fact, 93% of respondents are concerned quantum computing will lead to exploits being created that could expose the sensitive data they hold.

What’s more, 69% of European organizations expect quantum to affect their cryptographic operations in the next five years.

As a result, most organizations are reacting, with 31% planning to offset quantum computing threats by switching away from static encryption or symmetric cryptography. Furthermore, a similar amount (30%) plans to implement key management that supports a quantum-safe random number generator.

“It is clear that businesses are aware of evolving threats they face and it’s reassuring to see them acknowledging some of the key steps they need to take – including moving away from static encryption and implementing quantum-proof key management.

“It’s critical, though, that organizations don’t just look at threats years away, but invest in their cybersecurity processes now and see it as an integral part of their digital transformation,” Elliss concluded.

GDPR enforcement over the past two years

Two years after the GDPR went into effect, official data show that Data Protection Authorities (DPAs), crippled by a lack of resources, tight budgets, and administrative hurdles, have not yet been able to create adequate GDPR enforcement.

Worse, some public authorities have grossly misused the GDPR to undermine other fundamental rights such as the right to free expression and freedom of the press, Access Now reveals.

The GDPR’s first two years have been marked by crisis, whether internal, external, political, geopolitical, or administrative. Beyond enforcement challenges, the report explores how these crises have impacted the protection of personal data in the EU, taking a close look at both Brexit and the COVID-19 outbreak.

“Through this report, we raise the alarm to the EU institutions and Data Protection Authorities that it’s high time to act to enforce the GDPR and condemn its misuses,” said Estelle Massé, Senior Policy Analyst and Global Data Protection Lead at Access Now.

“The European Union may have the best law in the world for the protection of personal data, but if it is not enforced, it risks being as useful as a chocolate teapot.”

The GDPR remains a strong framework, and if authorities take urgent action, it can go a long way in defending people’s fundamental rights.

GDPR around the world

From May 2018 to March 2020, authorities levied 231 fines and sanctions while as many as 144,376 complaints were filed between May 2018 and May 2019.

Out of 30 DPAs from all 27 EU countries, the United Kingdom, Norway, and Iceland, only nine said they were happy with their level of resourcing. The inadequate budget provided to DPAs means that our rights may not be effectively protected. In fact, it may create a negative incentive for DPAs investigating large tech companies to agree on settlements that may be more favorable to the companies. This is reinforced by the huge disparity of resources between data protection authorities and companies they oversee.

In Poland, Romania, Hungary, and Slovakia, courts and authorities have been abusing the GDPR to curtail investigative journalism or target civic tech NGOs by trying to force outlets to reveal their sources.

The GDPR is a robust tool to guide officials and public health authorities in the response to the COVID-19 crisis. Access Now condemns Hungary’s disproportionate decision to limit the application of GDPR rights during the COVID-19 crisis as it gravely endangers people’s right to data protection at a time when our personal information, including our health data, is being collected perhaps more than ever.

Enforcement challenges and the UK’s insistence on lowering current standards through the Brexit talks have implications for any future negotiations of a so-called adequacy decision between the EU and the UK that would authorize the transfer of data between the two jurisdictions.

Key recommendations

Governments across the EU must increase the financial and human resources allocated to Data Protection Authorities, including technical staff, so that they can function properly and be able to address the large number of complaints.

The European Commission should launch infringement procedures against EU states:

  • When they do not provide sufficient resources to Data Protection Authorities, or
  • When they do not guarantee the Data Protection Authority independence in status and in practices, or
  • Where Data Protection Authorities or courts misuse the GDPR to restrict freedom of the press or stifle civil society’s work.

Data Protection Authorities must not misuse the GDPR, as they hold much of the responsibility for the GDPR’s success or failure. It is absolutely unacceptable that DPAs misuse the GDPR to undermine civil society, restrict freedom of the press, or otherwise violate human rights.

Is the future of information security and tech conferences virtual?

The COVID-19 pandemic has brought about many changes to our personal and work lives. Among the latter are the forced work from home shift and the inability to travel far and attend in-person meetings, industry-specific workshops, events and conventions.

And while RSA Conference USA – the largest information security conference in the world – managed to take place mere weeks before the World Health Organization declared COVID-19 a pandemic, European countries started closing borders and airlines started suspending routes and grounding planes, most infosec and tech events scheduled to take place after it were doomed.

One by one, they were postponed, canceled or went virtual. While it’s still impossible to tell whether the conferences postponed until the already-crowded (northern hemisphere) fall season will actually take place, we’ve asked some people who are involved in organizing them to give their opinion on the future of large information security and tech gatherings.

Smaller, more local in-person events

Jack Daniel, one of the co-founders of Security BSides, thinks that, long term, a lot of events will not resume and others will be scaled back.

“The economic fallout from the pandemic will limit funding for events large and small, and caution over transmission of illness will continue for a while,” he told Help Net Security.

When it comes to events that are organized under the BSides banner by different organizers in various corners of the world, he expects their number to diminish and those that do take place to be smaller.

“I think this will be true for events in general, but for BSides my hope is that it will drive focus to local events, local communities, and local opportunities – places where BSides have the most profound impact,” he added.

Michael Hiskey, Chief Strategy Officer at Data Connectors, a company that has been conducting cybersecurity conferences in cities across the US and Canada for the last 20 years or so, says they believe that, post-pandemic, conferences and trade shows will be far more “down to business.”

“Regional relationship teams, meeting directly with accounts in their area, is where the action will increasingly be,” he opined.

“For the purposes of educating cybersecurity professionals and connecting them with solutions with a presence in their region, smaller conferences will grow in their importance. They cost less, which will appeal to the bottom-line professionals, they will connect regional account executives with prospects (ask any account executive who’s had to hand off a prospect at a big trade show to the appropriate regional connection, and you’ll see the frustration), and will enable the 20% of job seekers who attend any conference to focus on the next opportunity in their area.”

The pros and cons of virtual events

While virtual events are – currently and generally – the most effective way of gathering people who are otherwise restricted from traveling, they will not become the only (or even predominant) method of conferencing, Hiskey says.

“Replacing an all-day conference with an hours-long webinar will not meet the needs of conference-goers,” he noted.

“We have found that immersive, live virtual event platforms, offer the opportunity for interacting with exhibitors, solution providers and peer-to-peer networking. Surprisingly, with respect to otherwise introverted attendees, we’ve found they’re more likely to reach out for networking than at a physical event. While the ‘happy hour’ might not be quite the same, virtual event platforms have thought through almost every facet of the physical event experience.”

Twitter discussions on what kind of virtual conferences eager attendees would prefer have brought to light disparate needs, wants and limitations.

Many say that, while working from home, attending a whole-day virtual event is nearly impossible due to more immediate and pressing obligations – both work-related and personal.

And while those who would otherwise be prevented from attending a specific conference – whether due to the lack of a visa, funds, free time, physical mobility or psychological/social capacity – have mostly welcomed the diversity of virtual event offerings, most say that the networking aspect of in-person conferences is difficult to recreate.

For one, it is difficult to replicate the serendipitous aspect of real-life introductions that happen just because someone is sitting/standing physically beside you at an after-conference party or while waiting for a talk to start.

Secondly, even if there is a virtual space (“hallway”) that simulates an informal gathering, chit-chatting and discussing things there – whether over Zoom, Twitch, Slack or chat rooms – is far more taxing than in-person.

All in all, most agree that virtual “conferences” are a good enough option when there is no other option, but that they prefer the offline versions.

As Daniel noted, people attend and participate in events for a lot of reasons, and virtual events satisfy some, but come up short for many things.

“Virtual events will never have the same impact as far as connecting people, whether for community building, or for sales and support. Virtual events also don’t have the social bonds that in-person events have,” he opined.

Things to keep in mind when switching to a virtual venue

While some organizers keep hoping the situation will return to normal soon and they will be able to reboot their events, others have decided to cut their losses here and now.

O’Reilly Media is one of the latter. In late March 2020, after having previously postponed or cancelled some of their Strata conferences, the company announced they would be closing down the live conferences portion of their business.

“Without understanding when this global health emergency may come to an end, we can’t plan for or execute on a business that will be forever changed as a result of this crisis,” Laura Baldwin, President at O’Reilly Media, explained at the time, and said that they will concentrate their efforts on delivering quality on-line events.

“We believe that global tech events are going to be permanently changed because of COVID-19. We were already seeing a trend towards larger user events for specific tools or platforms, instead of conferences that represented the full ecosystem within a technology practice area,” she told Help Net Security.

“At our own events, the fastest-growing, most popular portion of our conferences had been the two training days ahead of the events themselves. Additionally, O’Reilly started delivering on-line training events in 2016, and has worked hard to perfect the delivery and efficacy of our live-trainers. The attendance at these events has proven that this type of focused learning can be delivered online and made even better with easy access to our interactive learning platform. This has been bolstered by the accelerated rate of technology over the past few years, which means attendees find it more difficult to be out the office for a week to attend an event. People who had traditionally attended our in-person events started showing up more at our live trainings and other interactive learning events on our platform.”

Organizers of online events must not make the mistake of switching the “venue” but not the form.

As open source developer and community manager Michael Hall recently explained, there are a number of problems that have to be solved for a newly virtual event to be successful in the long run. His opinions, based on his experiences while helping Canonical turn the Ubuntu Developer Summit into an online affair, should be required reading for organizers looking to make the switch.

Baldwin also agrees that virtual events are going to be different – and that’s ok.

“While networking may be made more difficult, there are so many aspects of in-person events that can be improved upon and we’re already starting to see that,” she noted.

“Within 10 days of cancelling our Strata Data & AI conference, we had recreated it as a two-day virtual event through our learning platform and had 4,600 registered attendees. That in itself is a huge benefit because rather than planning an event a year out to secure venue space and give speakers time to travel, we can produce more nimble, timely and relevant events. The audience can register with little lead time because there’s no need to clear their calendars for a week, organize time away from the office and families, and book travel.”

She also says that they were ultimately impressed with the audience engagement: in just the first hour of the virtual conference, they had more than 160 questions asked of the initial presenter. “There’s no opportunity for that level of engagement during an in-person session,” she added.

Lastly, she says, shorter, more focused online events should also be taken into consideration.

“We’ve been doing live events that we call ‘Meet the Experts’ through our platform long before COVID-19 was ever an issue and had great results. It’s about 15 minutes of presentation and then 45 minutes of Q&A. While not necessarily networking, it does connect technology practitioners with innovators to get a better understanding of timely topics,” she concluded.

Most IT leaders believe remote workers are a security risk

57 percent of UK IT decision makers still believe that remote workers are a security risk, and that they will expose their organization to the threat of a data breach, according to a survey by Apricorn.

This figure has risen steadily from 44 percent in 2018 and 50 percent in 2019. The rise could reflect a corresponding increase in the number of remote workers, or an enhanced awareness of the risks of remote working as the UK’s workforce began to follow government guidelines to work from home.

In 2019, 47 percent admitted that their remote workers had already knowingly put corporate data at risk of a breach in the last year; this has now dropped slightly to 44 percent.

Remote workers security risk: Apathy still a major problem

Apathy continues to be a major problem, with 34 percent of IT leaders saying their remote workers simply don’t care about security – exactly the same percentage as last year – which suggests organizations are struggling to get employees to buy into the security strategy.

“This year, the need for organizations to facilitate effective and secure remote working has been cast into the spotlight to an extent no-one could have anticipated,” said Jon Fielding, Managing Director EMEA, Apricorn.

“Our survey shows that while progress has been made in some key areas since 2019, some of the same risks – such as employee apathy or error – remain a problem. In these currently challenging times, when UK workers are being urged to work from home, it’s all the more important that security is a priority for everyone.”

The importance of endpoint control

Organizations have increasingly recognized the importance of endpoint control as remote working has become more prevalent. Nearly all (96 percent) mitigate the risks of BYOD (bring your own device) with a security strategy that covers employees’ use of their own IT equipment out of the office. Of those, 42 percent only allow the use of devices that have been provisioned or approved by IT, and enforce this with strict security measures. This is a significant rise on 2019, when just over 1 in 10 (11 percent) did so.

“Strengthening endpoint controls allows organizations to trust in the integrity of their data and systems wherever the employee is accessing them, and whatever device they’re using. The fact that businesses are recognizing and enforcing this is a positive step,” comments Fielding.

This change is crucial given that lost or misplaced devices are now the second biggest cause of a data breach – cited by almost a quarter of respondents (24 percent), up from 17 percent a year ago. Employees unintentionally putting data at risk remains the leading cause (33 percent), with third parties mishandling corporate information cited as one of the main causes by 23 percent.

Mobile working and GDPR compliance

Despite this, 87 percent of UK IT decision makers agree that their organizations’ remote workers are aware of cybersecurity risks and practices, and follow required policies at all times.

“Remote working is not a new concept, but with so many employees now having had a taste for home working, it might be hard for businesses to put that particular lid back on – so they need to figure out where their vulnerabilities lie now, and address them,” adds Fielding.

When it comes to the challenges of implementing a cybersecurity plan for remote working, almost a fifth of IT decision makers (19 percent) say managing all the technology employees need is the biggest problem, a drop from 30 percent in 2019, which suggests that organizations are getting a handle on the complexity involved in the technology aspect.

In addition, fewer IT leaders believe that difficulties with GDPR compliance are the biggest problem with mobile working: 16 percent agreed, compared with 20 percent in 2019, suggesting that this aspect may have been less of a challenge than they originally anticipated.

Handbook: Cyber-Risk Oversight 2020

The Internet Security Alliance (ISA) and the European Confederation of Directors’ Associations (ecoDa) released Cyber-Risk Oversight 2020, a handbook on cyber-risk management for corporate boards of directors in Europe.

Improving cybersecurity and risk management

“A cyberattack is not what a Board of Directors wants to face in the midst of the Corona crisis. Our handbook will help prevent such a scenario,” said Béatrice Richez-Baum, Director General at ecoDa.

“The COVID-19 virus is a catalyst for expanded digital transformation. We are already seeing substantial adaptation by organizations who are being forced to operate in an increasingly on-line fashion,” said ISA President Larry Clinton.

“As enterprises move ever more quickly to adopt online mechanisms, it is easy to forget that these needed innovations also can create increased cyber risk. This handbook provides a roadmap for organization’s leaders to follow and increase the resiliency of their systems in this new environment.”

Cyber-Risk Oversight 2020: The features

The new handbook, co-branded by ISA, AIG and ecoDa, is based on the Cyber Risk Handbooks ISA has previously developed for the US National Association of Corporate Directors.

“The increased risks of cyber-attacks are a reality that companies have to cope with. Business resilience depends on the capacity of board members to embed cybersecurity in all aspects of their strategy,” said Béatrice Richez-Baum.

The process to develop the version of the Cyber Risk Handbook for Europe included multiple workshops and webinars with European corporate directors which led to making several adaptations to the unique cultural, legal, and business differences in Europe.

“The prescriptions found in these handbooks have been tested in global surveys and found to significantly improve cybersecurity budgeting and enhance cyber risk management by better connecting business goals with cyber security and creating a culture of security,” said Clinton.

“Working with the ecoDa community and AIG has enabled us to adapt the principles and toolkit in these handbooks to the unique European cultures and perspectives. While this handbook is uniquely European, it is also consistent with the global trend toward understanding cybersecurity as more than just an IT issue but as an enterprise-wide risk management issue,” said Clinton.

The handbook is built around five core principles enlightened by a practical toolkit. The substance is summarized in a short and straight-forward version that helps the reader to navigate among the essential elements.

Researchers develop data exchange approach with blockchain-based security features

An IT startup has developed a novel blockchain-based approach for secure linking of databases, called ChainifyDB.

“Our software resembles keyhole surgery. With a barely noticeable procedure we enhance existing database infrastructures with blockchain-based security features. Our software is seamlessly compatible with the most common database management systems, which drastically reduces the barrier to entry for secure digital transactions,” explains Jens Dittrich, Professor of Computer Science at Saarland University at Saarbrücken, Germany.

How does ChainifyDB work?

The system offers various mechanisms for a trustworthy data exchange between several parties. The following example shows one of its use cases.

Assume some doctors are treating the same patient and want to maintain his or her patient file together. To do this, the doctors would have to install the Saarbrücken researchers’ software on their existing database management systems. Then, they could jointly create a data network.

In this network, the doctors set up a shared table in which they enter the patient file for the shared patient. “If a doctor changes something in his table, it affects all other tables in the network. Subsequent changes to older table states are only possible if all doctors in the network agree,” explains Jens Dittrich.

Another special feature: If something about the table is changed, the focus is not on the change itself, but on its result. If the result is identical in all tables in the network, the changes can be accepted. If not, the consensus process starts again.

“This makes the system tamper-proof and guarantees that all network participants’ tables always have the same status. Furthermore, only the shared data in the connected tables is visible to other network participants; all other contents of the home database remain private,” emphasizes Dr. Felix Martin Schuhknecht, Principal Investigator of the project.

Advantages for security-critical situations

The new software offers advantages especially for security-critical situations, such as hacker attacks or when business partners cannot completely trust each other. Malicious participants can be excluded from a network without impairing its functionality.

If a former participant is to be reinstated, the remaining network participants only have to agree on a “correct” table state. The previously suspended partner can then be set to this state. “As far as we know, this function is not yet offered by any comparable software,” adds Dittrich.
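A simplified sketch of the result-based agreement, exclusion and reinstatement described above, as an added example (not ChainifyDB's own code). The class and function names, the SHA-256 digest over canonical JSON, the majority rule used to name the deviating participant, and the sample patient rows are all assumptions made for illustration.

```python
import copy
import hashlib
import json
from collections import Counter


def state_digest(table):
    """SHA-256 over a canonical serialization of the shared table only."""
    canonical = json.dumps(table, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class Participant:
    def __init__(self, name, shared, private=None, tamper=None):
        self.name = name
        self.shared = copy.deepcopy(shared)  # table visible to the network
        self.private = private or {}         # home data: never hashed or sent
        self.tamper = tamper                 # hook simulating a faulty or malicious node

    def propose_result(self, change):
        """Apply the change to a copy and return (candidate_table, digest)."""
        row_id, column, value = change
        candidate = copy.deepcopy(self.shared)
        candidate.setdefault(row_id, {})[column] = value
        if self.tamper:
            self.tamper(candidate)
        return candidate, state_digest(candidate)


def consensus_round(participants, change):
    """Commit only if every participant reports the same *result* digest."""
    results = {p.name: p.propose_result(change) for p in participants}
    digests = {name: digest for name, (_, digest) in results.items()}
    accepted = len(set(digests.values())) == 1
    if accepted:
        for p in participants:
            p.shared = results[p.name][0]
    return accepted, digests  # on disagreement nothing is committed


def deviating(digests):
    """Names whose digest differs from the most common one (assumed rule)."""
    majority, _ = Counter(digests.values()).most_common(1)[0]
    return sorted(name for name, d in digests.items() if d != majority)


def reinstate(node, peers):
    """Set a previously excluded node to the state the remaining peers agree on."""
    if len({state_digest(p.shared) for p in peers}) != 1:
        raise ValueError("peers do not agree on a table state")
    node.shared = copy.deepcopy(peers[0].shared)
    return state_digest(node.shared)


def demo():
    # Constructed sample data: one shared patient file, three doctors.
    base = {"visit-1": {"diagnosis": "hypertension", "dose_mg": 5}}

    def corrupt(table):
        table["visit-1"]["dose_mg"] = 50  # silent edit of an older entry

    a = Participant("dr_a", base, private={"billing": "invoice-0001"})
    b = Participant("dr_b", base)
    c = Participant("dr_c", base, tamper=corrupt)
    change = ("visit-2", "diagnosis", "follow-up")

    ok_all, digests = consensus_round([a, b, c], change)  # results differ
    outliers = deviating(digests)
    ok_honest, _ = consensus_round([a, b], change)        # dr_c excluded
    c.tamper = None
    restored = reinstate(c, [a, b])
    return ok_all, outliers, ok_honest, restored == state_digest(a.shared)


if __name__ == "__main__":
    print(demo())
```

Because only the shared table is hashed, a participant's private data never influences the digest, and a participant whose result differs is detected without anyone having to inspect how it applied the change.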

In order to bring ChainifyDB to market, the German Federal Ministry of Education and Research is supporting the Saarbrücken researchers’ start-up, which is currently being founded, with 840,000 euros.

Europe’s Gaia-X cloud service faces a difficult future

In January, Microsoft reported its fiscal 2020 second quarter results. Among the company’s many impressive accomplishments is a 62% growth (year-over-year) of its Azure cloud service. This secures the company’s spot as a dominant player in the cloud space for yet another quarter.

The leaderboard in the cloud wars saga has remained stagnant, with a few powerhouses dominating market share: US-based companies AWS (47.8%), Azure (15.5%) and Google Cloud (4%), as well as China’s Alibaba (7.7%). In the absence of European cloud companies emerging as top contenders, concerns arise around the lack of data sovereignty and self-determination as European companies increasingly rely on foreign cloud services.

In response, the European Commission, France, Germany and hundreds of companies have announced their own cloud initiative – Gaia-X. Gaia-X will ostensibly help European providers not only compete with the US and Chinese tech giants, but also ensure they have more control over their own data.

The announcement of the Gaia-X project has already caused backlash throughout the cloud space, with some US companies warning that this move will impose unnecessary national restrictions on a global economy.

Regardless of any company’s perspective on the project, the creation of Gaia-X has broad implications for the cloud space on an international scale. But given the domination of these established tech giants, will Gaia-X succeed in its goals?

European companies want their data back

To answer that question, it’s critical to understand the primary motivation behind the project. Gaia-X is not necessarily aiming to birth the next hyperscale cloud provider — it’s looking to retain more European control over European data.

As of now, European companies using US cloud providers are subject to US legal restrictions. Under the conditions of the Cloud Act, which went into effect last year, local authorities can order US providers to turn over any company’s data stored on servers regardless of where that company is based. Similar compliance laws exist in China.

It’s easy to see why European companies are dissatisfied with this arrangement. Factors like growing geopolitical concerns, trade disputes, political uncertainties and broad suspicion of near-monopolies like Amazon Web Services contribute to the drive to bring European data back home. As the majority of enterprises shift to the cloud, European brands balk at the idea that an increasing volume of sensitive data (such as intellectual property, research findings, public health information and more) is subject to the whims of foreign authorities.

Not to mention, European companies are rightfully concerned about the competitive advantages they lose without control over this data. As AI-powered strategies like machine learning become key differentiators for companies across verticals, US legal restrictions could hamper brands’ ability to access and leverage the data at the core of these initiatives.

That said, an ambitious project like Gaia-X is not easy to execute.

Gaia-X aims to shake up a field of few players

There’s a reason US providers (especially Amazon, which boasts close to half the total cloud market share) excel — and why many aren’t worried about a threat from a project like Gaia-X. For one, big players make financial sense. Hyperscalers like AWS and Alibaba offer highly competitive prices that emerging competitors can’t easily match. As companies scale, these price differences become even more dramatic.

Price considerations play an even more important role given the nature of most contractual agreements between brands and cloud providers. With attractive benefits like discounts and rebates tied to long-term agreements, companies risk huge penalty costs if they try to migrate to a new cloud provider.

Additionally, hyperscalers offer a high level of personalization and customer-specific service that is difficult to match. These big players have the resources to create and iterate features based around their clients’ hyper-specific needs. Many companies don’t have much wiggle room to even consider smaller providers that can’t keep up with these functionalities.

On top of that, security concerns strengthen the case to use a big cloud provider for many companies. With the minimum technical requirements of Gaia-X’s infrastructure still undefined, it’s hard to say whether leaders behind the push can convince small- to medium-sized enterprises that it offers the same level of security as its industry-leading competitors.

The presence of Gaia-X illustrates a changing cloud future

The bottom line is that Gaia-X faces major challenges. For Gaia-X to become a viable player, it needs to compete on a practical scale. At this point, most European companies on the cloud can’t afford to switch from a hyperscaler if their options aren’t as functional or financially feasible. The success of Gaia-X requires cooperation from players across Europe, as well as both public and private funding.

On a broader note, the emergence of Gaia-X highlights the fact that, though only few names have powered the cloud computing boom, there’s still room for innovation. If Europe wants a greater share of the cloud market, leaders will need to invest in more cloud computing projects like Gaia-X, drive efforts to improve security and develop the right regulations to gain ground in a new cloud-powered future.

The current landscape for supporting innovation in cybersecurity in the EU

Innovation in cybersecurity is a key enabler to facilitate progress in the NIS industry, boost employment in the cybersecurity sector and growth of EU GDP. ENISA published a report that analyses the current landscape for supporting innovation in cybersecurity in the EU.

The study presents good practices and challenges from the Member States whilst trying to execute innovation as a strategic priority of their National Cyber Security Strategies (NCSS).

“The CSA, the NIS Directive and the GDPR incentivised innovation in relevant areas of cybersecurity and data protection. To encounter current and emerging cybersecurity risks and threats, EU Member States need to strengthen and adjust their national capabilities by developing innovative solutions and objectives under their NCSS,” said Juhan Lepassaar, Executive Director of ENISA.

Different approaches to innovation

Member States follow different approaches to support innovation in the context of National Cyber Security Strategies. In some cases, Member States promote the creation of new skills and capabilities around digital competences.

In other cases, they create networks of stakeholders giving them a mandate on innovation. These networks are either government driven, such as INCIBE, the National Cybersecurity Agency in Spain or industry driven, such as Cyber Ireland. Innovation activities are also driven by national institutions and research centres such as NASK Poland.

Governments should align with industry needs

Governments have difficulty understanding the needs of the industry, as well as developing expertise in dealing with Public Private Partnerships.

To align with industry needs and identify opportunities for adopting or commercialising research outcomes, Member States need to involve industry directly in research and innovation activities.

Sector specific innovation priorities are needed

Dedicated funding mechanisms and initiatives often focus on varied research and innovative objectives rather than being specific on cybersecurity. Supporting and developing sector specific innovation priorities is important for coordinating alternative funding mechanisms and developing a sectorial approach to innovation in cybersecurity.

It is necessary to take into account different cybersecurity needs across sectors and develop sector specific innovation priorities both at National and EU level.

Lengthy procurement processes

Lengthy procurement processes prevent SMEs and innovative companies such as start-ups from offering their services to the public sector. Supporting an adequate level of funding and providing economic incentives such as tax incentives may accelerate the adoption of new technologies, products and services.

The Swedish Innovation Agency allocates a large amount of funds for innovation in cybersecurity.

Geographical clusters support innovation

Geographical clusters are important mechanisms that support innovation. There are several initiatives that bring people together, such as the Brussels initiative on Cybersecurity Innovation.

How to enhance trust for users

Promoting EU level certification of services/products would enhance trust for users within the EU and provide a stamp of approval for international markets.

UN hacked: Attackers got in via SharePoint vulnerability

In summer 2019, hackers broke into over 40 (and possibly more) UN servers in offices in Geneva and Vienna and downloaded “sensitive data that could have far-reaching repercussions for staff, individuals, and organizations communicating with and doing business with the UN,” The New Humanitarian reported on Wednesday.

The UN, unfortunately, did not share that discovery with the authorities, the public, or even the potentially affected staff, and we now know about it only because TNH reporters got their hands on a confidential report by the UN.

How was the UN hacked?

According to the report, the attack started in July 2019, when the attackers managed to compromise a server located at the UN Office in Vienna through CVE-2019-0604, a security hole in Microsoft SharePoint patched by Microsoft in February 2019 and subsequently widely exploited by attackers to hit a variety of targets worldwide.

The hole should have been patched by the UN IT staff within a month of the release of the patch, but wasn’t.

The attackers then moved through UN’s networks and ultimately reached systems at the UN Office in Geneva and the UN Office of the High Commissioner for Human Rights (OHCHR), also in Geneva.

“The compromised servers included 33 in the UN Office at Geneva, three at OHCHR in Geneva, and at least four in the Vienna office,” TNH reported.

“According to the report, the breach also grabbed ‘active directories’, with each likely to list hundreds of users as well as human resources and health insurance systems, other databases, and network resources. The three affected offices have in total about 4,000 staff.”

The affected staff weren’t notified that their data might have been compromised, but were just instructed to change their passwords.

The breach might not have happened if the SharePoint security vulnerability had been patched, but it’s possible and likely that the attackers would have found another way in.

After all, UN officials are targeted by attackers daily and some attacks are bound to be successful – especially when past security audits of UN systems, websites, applications, policies, etc. found them full of holes.

Why hasn’t the UN notified anyone about this?

The UN has confirmed that it had decided not to publicly disclose the breach because “the exact nature and scope of the incident could not be determined.”

As a matter of fact, the UN – as an international organization that is above national laws – does not have to report data breaches to anyone.

It is still unknown who’s behind the attack.

“In a tense geo-political climate, nation-state attacks are on the rise, and this comes as no surprise,” commented Craig Hinkley, CEO of WhiteHat Security.

“While security teams investigate which country may have launched this attack, our job as security professionals is to recognize that the threats are bigger than just one country. This is a global problem that we’re contending with, and staying ahead of nation-state attacks is fundamentally a matter of proactively taking steps and using vigilance to limit the impact of an attack.”

Oz Alashe, CEO of CybSafe, says that the unintentional disclosure of this cyber attack on such an important institution last year is concerning.

“This delay, and the fact that the UN did not report this attack to any governing authority – or even their own staff – may have put victims at unnecessary risk. Not only were staff passwords stolen, system controls and security firewalls were compromised too which could have led to the critical confidential reports falling into criminal hands,” he pointed out.

This attack could end up undermining trust in the UN – trust that they are able to keep sensitive information safe and trust that they will notify affected individuals when they fail.

Top 10 policy trends to watch for globally in 2020

The 10 top trends that will drive the most significant technological upheavals this year have been identified by Access Partnership.

“Shifts in tech policy will disrupt life for everyone. While some governments try to leverage the benefits of 5G, artificial intelligence, and IoT, others find reasons simply to confront Big Tech ranging from protectionism to climate urgency.

“Techlash trends highlighted in our report lay bare the risks of regulatory overreach: stymied innovation and economic growth for some and an unfair advantage for others,” said Greg Francis, Managing Director at Access Partnership.

Report highlights: Top policy trends for 2020

  • AI regulation taking shape in the EU and the U.S.
  • EU-based Digital Services Act (DSA) as the newest power grab since the GDPR
  • New wave of tech protectionism in Europe
  • China as a supply chain liability; other Asian nations filling in
  • Spectrum sharing likely to become more mainstream with 5G
  • 5G security to take an important position with shift to control functions
  • U.S. privacy laws taking bipartisan note from California’s CCPA
  • Data sharing regs to heat up, as balance with innovation becomes more critical
  • IoTs, SIMs and eSIMs: who’s responsible for setting regulation?
  • Rise of ‘green’ technology policy: another balancing act with industry emissions vs. the industry’s potential ability to solve climate change

Francis continued: “In just one year, we’ve seen dramatic changes in the regulatory and policy landscape for technology companies, originating in Europe but deeply affecting U.S. and other major global players.

“The report notes that while divisive impeachment proceedings in America create a blockage in new legislation pipelines, there is surprising bipartisan agreement on tech policy — Republicans are moving to protect companies from growth-killing regulation, and Democrats are seeking to pre-empt state-level measures.

“We expect to see new regulatory models emerging in the U.S. and other nations in reaction to the EU’s push for digital sovereignty.”

Enterprise WLAN market revenue declines year over year

The combined enterprise and consumer wireless local area network (WLAN) market segments fell 3.6% year over year in the third quarter of 2019 (3Q19) with worldwide revenues of $3.8 billion.

According to IDC, the enterprise segment fell 1.1% year over year in 3Q19 to $1.62 billion. The market is in a state of transition as a new wireless standard comes to market, but the continued demand for wireless access technologies, combined with new advanced software management and automation capabilities, is expected to drive growth in this market moving forward.

The entrance of the 802.11ax wireless standard, also known as Wi-Fi 6, in the market took some share from shipments of previous generation 802.11ac products. 802.11ac products accounted for 84.8% of dependent access point shipments in the enterprise segment and 86.2% of dependent access point revenues. 802.11ax products made up 3.1% of dependent access point shipments and 6.1% of revenues.

Meanwhile, the consumer WLAN market fell 5.3% year over year to $2.18 billion. Shipments of 802.11ac products accounted for 57.0% of units shipped, and 78.1% of revenues. The previous-generation 802.11n standard accounted for 42.8% of shipments, but only 20.8% of revenues.

“The enterprise WLAN market is transitioning as vendors and customers begin to adopt the latest Wi-Fi standard. In the third quarter of 2019, IDC tracked the initial shipments of 802.11ax, also known as Wi-Fi 6, which includes numerous features for enterprises and Internet of Things use cases,” said Brandon Butler, senior research analyst, Enterprise Networks.

“IDC expects the continued adoption of Wi-Fi 6 to be a major driver of growth for the enterprise WLAN market in the fourth quarter of 2019 and throughout 2020.”

The WLAN market by region

Results in the enterprise WLAN market were mixed across the globe. The Asia/Pacific region, excluding Japan, was up 3.3% annually in 3Q19, with China growing 6.9% year over year while the Korean market fell 16.2%. Japan’s market dropped 19.8% compared to a year earlier.

Growth slowed across Europe in the third quarter. The Central and Eastern Europe region was off 1.7% compared to a year earlier, with Russia dropping 6.6%. Romania was a bright spot in the region with 11.9% growth.

The Western Europe region fell 4.5% year over year. Germany fell 3.5% while the United Kingdom was down 10.0%. The Middle East and Africa region grew 8.0% year over year with growth of 6.7% from the United Arab Emirates and 25.5% from Qatar.

The Latin America region fell 12.1% with Mexico off 17.3% year over year. The U.S. market rose 0.1% on an annualized basis and was up 0.5% sequentially from the second quarter of 2019.

“The enterprise WLAN market saw mixed results regionally, in part influenced by macro-economic conditions that continue to disrupt the broader information technology sector,” said Petr Jirovsky, research manager, Worldwide Networking Trackers.

“Most notable has been the continued trade standoffs between the United States and China, along with the unresolved Brexit situation and political unrest in Latin America. These macro-economic and political situations create uncertainty for global businesses, which can in turn lead to pausing or scaling back of investments.”

Enterprise WLAN company highlights

  • Cisco’s worldwide enterprise WLAN revenue fell 4.9% year over year, but grew 1.9% compared to the previous quarter. The company’s market share dropped slightly from 44.9% in 2Q19 to 44.2% in 3Q19.
  • HPE-Aruba’s revenues increased 1.3% year over year and rose 4.6% sequentially. The company’s market share grew to 14.1% in 3Q19 from 14.0% a quarter earlier.
  • Ubiquiti’s revenues rose 9.4% annually and 8.6% sequentially, with the company’s market share growing to 7.1%, from 6.8% a quarter earlier.
  • Huawei’s quarterly revenues rose 11.2% year over year and were up 3.7% sequentially, giving the company 5.4% market share.
  • CommScope (formerly ARRIS/Ruckus) was off 20.3% year over year and was down 6.7% compared to 2Q19. That caused the company’s market share to drop from 5.8% in the second quarter to 5.2% in 3Q19.

Exploring the proper use of pseudonymisation related to personal data

In the light of the General Data Protection Regulation (GDPR), the challenge of proper application of pseudonymisation to personal data is gradually becoming a highly debated topic in many different communities, ranging from research and academia to justice and law enforcement and to compliance management in several organizations across Europe.

Pseudonymisation and personal data challenges

The ENISA “Pseudonymisation techniques and best practices” report discusses, among other things, the parameters that may influence the choice of pseudonymisation techniques in practice, such as data protection, utility, scalability and recovery.

It also builds on specific use cases for the pseudonymisation of certain types of identifiers (IP address, email addresses, complex data sets).

There is no easy solution

One of the main outcomes of the report is that there is no single easy solution to pseudonymisation that works for all approaches in all possible scenarios.

On the contrary, it requires a high level of competence in order to apply a robust pseudonymisation process, possibly reducing the threat of discrimination or re-identification attacks, while maintaining the degree of utility necessary for the processing of pseudonymised data.
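To make the protection-versus-utility trade-off concrete, the following added example (not taken from the ENISA report or from this article) pseudonymises email and IPv4 identifiers with a keyed HMAC, keeps the domain or /24 prefix for utility, and checks whether a guessed identifier can be matched without the key. The choice of HMAC-SHA256, the key, the function names and the sample addresses are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo key (assumption): in practice it is generated randomly and
# stored separately from the pseudonymised data set.
SECRET = b"constructed-demo-key-keep-separately"

def plain_hash(value: str) -> str:
    """Unkeyed SHA-256: deterministic, but anyone can recompute it."""
    return hashlib.sha256(value.lower().encode()).hexdigest()[:16]

def keyed(value: str, key: bytes = SECRET) -> str:
    """HMAC-SHA256 pseudonym: recomputing it requires the key."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise_email(addr: str, keep_domain: bool = True) -> str:
    """Replace the address; optionally keep the domain for per-domain statistics."""
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    if keep_domain:
        return f"{keyed(addr)}@{domain.lower()}"
    return keyed(addr)

def pseudonymise_ipv4(addr: str, keep_prefix: int = 24) -> str:
    """Keep the network prefix (utility); replace the host part with a keyed tag."""
    ip = ipaddress.IPv4Address(addr)
    net = ipaddress.ip_network(f"{ip}/{keep_prefix}", strict=False)
    return f"{net.network_address}/{keep_prefix}#{keyed(str(ip))[:8]}"

def reidentify(pseudonym: str, candidates, fn) -> list:
    """Re-identification check: which guessed identifiers map to this pseudonym?"""
    return [c for c in candidates if fn(c) == pseudonym]

# Constructed sample data.
EMAILS = ["alice@example.org", "bob@example.org", "carol@example.net"]
GUESSES = ["alice@example.org", "dave@example.org"]

if __name__ == "__main__":
    for e in EMAILS:
        print(e, "->", pseudonymise_email(e))
    print(pseudonymise_ipv4("192.0.2.57"))
    # Without the key, only the unkeyed hash can be recomputed from guesses.
    print(reidentify(plain_hash("alice@example.org"), GUESSES, plain_hash))
```

Keeping the domain or prefix raises utility but also narrows the set of candidates for each record, which is the kind of balance the report says must be judged per scenario.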