A new study notes that despite record spending on cybersecurity, overconfidence may be hurting companies’ ability to protect against data breaches.

Tech publication Information Week reports that the survey of IT professionals, by security firm Gemalto, showed that while 94 percent of respondents said their perimeter security was effective, nearly a third reported breaches within the last 12 months. Surprisingly, 14 percent said they would not trust their own organization to safeguard their personal data.

Why the disconnect? Experts interviewed by Information Week chalked it up to a lack of understanding of cybercrooks’ motivations, and a general lack of knowledge about cybersecurity in corporate C-suites. Click here to read the full story.

For small and medium-sized businesses, the most dangerous cyberthreat may come from within.

IT industry publication TechRepublic reports that a newly released study by Keeper Security and the Ponemon Institute suggests careless employees are at fault for the majority of data breaches at small and mid-sized businesses. The study surveyed 1,000 information technology professionals in the United Kingdom and North America. Some 54 percent listed employee negligence as the root cause of cybersecurity incidents, followed by insufficient password policies.

A stunning 50 percent said they had suffered ransomware attacks in the past year. Of those, 79 percent said ransomware entered via a phishing or social engineering attack.

Click here for TechRepublic’s full coverage of the study.

It wasn’t a good week for credit reporting agency Equifax, which admitted to a major data breach affecting more than 143 million people.

Consumers’ data was exposed over three months via a vulnerability in a web application, the company said in a press release announcing the breach.

The breach was covered by every major news outlet, but Data Breach Today‘s Jeremy Kirk raises some interesting questions about Equifax’s notification strategy in this piece.

For the latest in breach response protocol in all 50 states, download Data Breach 411, a free app developed by Fox Rothschild’s Privacy & Data Security practice, available in the iTunes Store.

Elizabeth Litten (Fox Rothschild Partner and HIPAA Privacy & Security Officer) and Mark McCreary (Fox Rothschild Partner and Chief Privacy Officer) will be presenting at the New Jersey Chapter of the Healthcare Financial Management Association on August 30, 2017, from 12:00-1:00 pm eastern time.  The presentation is titled: “Can’t Touch That: Best Practices for Health Care Workforce Training on Data Security and Information Privacy.”

This webinar is a comprehensive review of information privacy and data security training, with an emphasis on imparting practical know-how and a fluency with the terminology involving phishing, ransomware, malware and other common threats. We will cover best practices for sensitizing health care industry workers to these threats as part of their ongoing HIPAA compliance efforts and, more generally, for training workers in any business on the proper handling of sensitive data. We will cover the adoption of policies and a training regimen for the entire workforce, as well as tailored training for those in positions responsible for implementing security policies.

More information and a registration link can be found here.

Cybercrooks’ preferred path to critical data is through privileged accounts, those held by users who have broad access and powers within the target’s network.

That’s according to a recent survey conducted by the cybersecurity firm Thycotic at the recent Black Hat conference in Las Vegas, reported Infosecurity Magazine.  About a third of respondents named privileged accounts the fastest and easiest path to critical data, while user email accounts were a close second at 27 percent.

Some 85 percent said human error, not inadequate security or unpatched software, was most to blame for security breaches.

Hackers’ biggest headaches? Multifactor authentication and encryption, according to the survey.

 

 

 

 

 

Shata Stucky writes:

Username and password login fields, online securityThe United States National Institute for Standards and Technology (NIST) has issued new guidelines for creating secure passwords.  NIST guidelines, which are directed to “federal government systems,” often become best practice recommendations across the security industry.

The new guidelines are a significant break from previous rules.  Security experts previously recommended frequent password changes and using a mixture of upper case letters, symbols, and numbers.  The NIST guidelines acknowledge that users often work around these types of restrictions in a way that is counterproductive.  The most effective passwords are those that are easy for the user to remember so that it is less likely they will be written down or stored electronically in an unsafe manner.

Accordingly, NIST recommends dropping complexity requirements and requirements for frequent password changes.  Instead organizations should emphasize password length:  Passwords should be at least 8 characters in length, and users should be allowed a maximum length of at least 64 characters.

Additional recommendations can be found in the NIST guidelines, accessible on the NIST’s website.


Shata L. Stucky is an associate in the firm’s Privacy & Data Security practice, resident in its Seattle office.

Data privacy and securityFox Rothschild partner and firm Chief Privacy Officer Mark G. McCreary sees a trend: Law firms are increasingly recognizing that naming a lawyer to lead data security and privacy efforts is “an essential ingredient in good risk management.”

In an article for Law360 entitled “Notes From A Law Firm Chief Privacy Officer: CPO vs. CISO,” McCreary writes:

“To understand the role of the CPO — and why that person ought to be a lawyer — it’s important to distinguish the role they fill from that of the chief information security officer or CISO, who is typically a nonlawyer and leads the firm’s information technology department.”

We invite you to read his full article.

 

A German cybersecurity firm reports that manufacturers have become a top target of cybercriminals.

The NTT Security Global Threat Intelligence Center (GTIC) Quarterly Threat Intelligence Report for the second quarter of 2017 notes that manufacturers were targeted in 34 percent of incidents, the highest of any industry segment. About a third of those incidents involved “reconnaissance” which suggests the industry is still in hackers’ sights. “If trends from the past few years continue, this probably indicates that attacks and malware are likely to increase in manufacturing organizations in the second half of 2017,” according to the report.

The report also noted a 24 percent increase in attacks on NTT clients in the second quarter and that cyber criminals go-to attack vector has been “phishing emails with malicious attachments containing PowerShell commands in VBA macros.”

Read the full report.

A bipartisan group of Senators wants to make it more difficult for hackers to enlist smart thermostats, wireless security cameras and other connected devices in future cyberattacks.

ZDNet reports that Sens. Mark Warner (D-VA) and Cory Gardner (R-CO) have introduced legislation that would require suppliers of devices to the federal government to ensure connected items such as wearables and smart sensors can be patched with security fixes. The bill would also prohibit the use of hard-coded usernames and passwords, which are considered one of the primary paths malware use to hijack smart devices. In addition, the legislation offers new legal protections to cyber security experts testing connected devices’ digital defenses.

The growing universe of poorly secured smart devices, often referred to as the Internet of Things (IoT), was blamed for last years’ distributed denial of service attack that temporarily took down services such as Twitter, Netflix and Spotify. Click here to read the legislation.

 

One way to measure the increasing importance of cybersecurity to American businesses is to track how often the issue arises as a risk factor in corporate filings with the Securities and Exchange Commission.

A recent analysis by Bloomberg BNA charted a dramatic rise over the past six years, with only a tiny fraction of businesses citing cybersecurity risks in 2011 SEC filings compared to a substantial percentage in the first six months of 2017.

The report notes that a likely reason for the increase was SEC guidance issued in 2011 that clarified when cyber incidents should be disclosed in financial filings, leading to cybersecurity’s being “elevated into the general counsel’s office [and onto] the board’s agenda.”

Read more at Bloomberg BNA’s article Corporate Cyber Risk Disclosures Jump Dramatically in 2017.