data Archives - Page 3 of 3 - Security IT Summit | Forum Events Ltd
Posts Tagged :


Biometrics and behaviour-based authentication on the rise

960 640 Stuart O'Brien

A new survey suggests our relationship with passwords to identify ourselves online is shifting.

For some of us, it’s shocking to consider single-factor authentication is even in use today, given that poor password habits and stronger computing power has led to an increase in hacking-related breaches involving either stolen or weak passwords.

But a Callsign survey has revealed that a knowledge-based approach, such as passwords, for accessing online accounts is now favoured by less than half of UK and US respondents (45% on both sides of the Atlantic).

Over the last few years, increased availability of biometric tools on laptops, tablets and smartphones has given consumers a taste for biometric identification, and in the survey 30% noted a preference for sharing and storing biometric information (32% in the UK and 27% in the US) for identification when accessing an online account or making a purchase.

Bit it’s clear there’s still a long way to go in shifting consumer attitudes away from solely relying on passwords. Callsign says biometric information as well as behavioural biometric data – such as the way a user swipes their screen or their unique keystroke pattern when entering their password – need to become the norm, so companies can more intelligently identify anomalies and apply additional layers of security.

With employees frequently cited as the weakest link in corporate cybersecurity enforcement, it is no surprise that traditional passwords are preferred at work, where people’s reluctance to embrace more innovative methods of identification over a presumed ease of access is commonplace.

Knowledge-based identification was the most favoured by 56% of workers (58% in the UK and 51% in the US), while biometric methods were preferred by a mere 15% of workers.

Other insights from this survey include:

  • Despite the high preference for knowledge-based identifiers at work (58% in the UK and 51% in the US), they are less favourable for personal use, where 46% noted they were preferred when logging in to check an account balance and 44% chose it for making a purchase or a balance transfer
  • The UK tends to be more receptive to biometrics compared to the US, with 32% to 27%, respectively, noting they’d prefer it overall
  • In the US, age is a significant factor as Baby Boomers (55+) are more receptive to passwords (46%) and biometric identifiers (31%) than younger respondents (aged 18-24), with 39% preferring passwords and 26% preferring biometric identifiers. Younger respondents (those 18 to 24) were more receptive to behavioural identifiers (12%) compared to those aged 55+ (4%)

“The study suggests we’re at a tipping point where our reliance on simple passwords is on a steady downward turn,” said Callsign CEO Zia Hayat. “Although two-factor and multi-factor authentication, along with biometrics, are an improvement, they are still flawed. Ultimately, we understand the privacy of users is paramount. Companies need to offer choice and control when it comes to the data that is collected and the identification methods used – another reason multi-factor identification is so limited.”

“However, there is a new realm of behavioural identification that is truly revolutionising and streamlining identification and improving customer experiences, all whilst minimising fraud. Here at Callsign, we’re creating a much more positive experience with greater protection and better privacy for the consumer or worker.”

Callsign commissioned YouGov Plc to conduct the survey. Total sample size was 2,131 adults in the UK and 1,160 adults in the US. Fieldwork was undertaken in August 2018.

UK cybersecurity skills concerns highlighted

960 640 Stuart O'Brien

Only 56 per cent of UK firms believe they have sufficient cybersecurity skills in-house to deal with the numerous threats they are facing, according to new research.

Databarracks questioned over 400 IT decision makers in the UK as part of its 10th annual, survey in order to understand their views on a series of issues relating to IT security and business continuity.

Certainly, it seems cybersecurity investment has grown – in 2016, 59 per cent of respondents said that they had invested in safeguards to help fight against cyber threats, with the figure rising to 67 per cent in 2018.

Likewise, in 2016 only 12 per cent of firms surveyed said that they had updated their cybersecurity policy in the past 12 months, while in 2018 26 per cent of those surveyed said they had done so.

Meanwhile, threat monitoring software is now used by 28 per cent of businesses, compared to just 13 per cent of businesses in 2016.

Plus, the number of organisations that employed a Chief Security Information Officer has increased massively from one per cent in 2016 to 14 per cent in 2018.

Peter Groucutt, Managing Director at Databarracks, said: “Investment in cyber security safeguards, should translate to improved confidence but the findings show it is yet to make a significant difference. We are in the midst of a rapidly accelerating arms race. Organisations are desperately trying to match criminals, by working hard to improve knowledge, training and investment in security defences, but are clearly concerned about keeping pace. Importantly, organisations shouldn’t become disheartened. While confidence levels are not where we hoped, businesses are making positive strides and acting on the front-foot to fight back, which makes us optimistic for the future.”

UK firms ‘overconfident’ on cybersecurity

960 640 Stuart O'Brien

Business are displaying a false sense of security when it comes to their IT security, flying in the face of evidence showing rising incidents of cyber attacks.

That’s the conclusion of a study conducted by Ovum on behalf of US-based analytics firm FICO, which found that three quarters of UK execs felt their firm was getter prepped than competitors for  a cyber attack.

What’s more, and 43 per cent said their firm was a top performer – second highest only to Canada out of the eight countries surveyed.

By comparison, 68 per cent of executives from US firms said their firm was better prepared than their competitors, and 37 per cent said their firm was a top performer.

Ovum conducted telephone surveys for FICO of security executives at 500 companies in the US and 10 other countries in order to compile its report.

Power and utilities providers respondents in the US were the most confident, or least realistic, with 86 per cent rating their firms above average or top performers.

Financial services respondents were the least confident, or most realistic, with 60 per cent rating their firms above average or top performers.

In the UK, financial services respondents were least realistic, with 96 per cent rating their firms above average or top performers, while retail and e-commerce respondents were most realistic, with 57 per cent rating their firms above average or top performers.

Only 36 per cent of organisations are carrying out more than a point-in-time assessment of what their cybersecurity risk is.

MPs concerned over hacking threat to critical national infrastructure

960 640 Stuart O'Brien

Two thirds of MPs consider the compromise of critical national infrastructure to be the biggest cyber security threat facing the UK.

A year on from the cyber attack on parliamentary emails, a YouGov survey commissioned by NCC Group has gauged the opinions of MPs in the House of Commons with regards to their personal cyber security, the cyber risks associated with national security and societal wellbeing, and the consequences of a successful attack on parliament.

The results revealed that 62% of MPs across all regions, including 70% of Conservatives and 57% of Labour MPs, consider a compromise of critical national infrastructure to be the biggest risk.

Despite this common ground between MPs across parties on the threat to critical national infrastructure, the survey indicated divides with regards to the severity of other cyber threats. 42% of Conservatives said that they consider a compromise of nuclear capabilities to be one of the top two threats, compared to just 14% of Labour MPs, while 44% of Labour MPs considered democratic interference to be a significant threat, compared to 16% of Conservative MPs.

Alongside this, the survey highlighted that 75% of all MPs are concerned that a breach of their personal email could negatively affect the cyber security of the House of Commons, highlighting that most MPs understand the crucial role they personally play in enhancing the UK Parliament’s security posture.

It was also revealed that, in the event of a successful cyber attack, 73% of all MPs considered the breach of constituents’ privacy to be their biggest concern, alongside a leak of sensitive information relating to parliamentary business (46%).

These results have been released ahead of a meeting at the House of Commons, which addressed the cyber threats challenging the UK political landscape and outlined how MPs can best contribute towards tackling this growing threat.

Ollie Whitehouse, global chief technical officer at NCC Group: “It’s very positive to see that a majority of MPs are aware of the different threats we face and realise the gravitas of a successful attack, particularly with regards to our resilience as a nation.

“In recent years, the government has been proactive in implementing initiatives to strengthen the UK’s stance against evolving technical and geopolitical threats which attempt to compromise the integrity of our nations. MPs play a significant role in these initiatives, so it’s important to maintain continued education around modern threats and informed dialogue amongst all stakeholders. This will ensure that parliamentary staff at all levels understand the steps they need to take, in both their professional and personal lives, in order to address cyber risk head on.”

Just a third of UK firms will be GDPR compliant by May 25

960 640 Stuart O'Brien

UK companies are hugely ill-prepared for this week’s General Data Protection Regulation (GDPR) enforcement deadline, according to new research.

Less than a third (29%) of organisations surveyed by USB drive specialist Apricorn felt confident they would comply, and when questioned further and asked whether there were any areas they might be likely to fail, 81% could think of some area of the new requirements that might cause them to fail when it comes to GDPR compliance.

Fifty per cent of organisations who know that GDPR will apply to them admit that a lack of understanding of the data they collect and process is their number one concern relating to non-compliance.

On top of this, almost four in ten (37%) believe they are most likely to fail because of gaps in employee training, and almost a quarter (23%) say their employees don’t understand the new responsibilities that come with the GDPR.

While one in ten still regard the GDPR as a mere tick box exercise, a substantial proportion do view it as being of some benefit to their organisation – for example 44% agree that the new regulation is a welcome opportunity to overhaul their organisation’s data handling and security processes.

The most commonly taken step so far, for those who say they will be at least somewhat prepared for the GDPR, is to review and update their security policies for mobile working (67%). However, 30% still worry they could fail to comply due to mobile working, and almost a quarter (22%) of respondents are concerned they may fail due to a lack of encryption.

“Data or personally identifiable information (PII) is at the heart of GDPR and mapping and securing it should be every organisation’s number one priority. By now, all employees, from the top down, should have an understanding of the importance of GDPR and the role they play in keeping this data safe,” said Jon Fielding, Managing Director, EMEA Apricorn. “While we know that many organisations have provided some form of employee training, clearly in some cases this hasn’t been effective and organisations should address these gaps urgently.”

NEW REPORT: 58% of organizations have more than 100,000 folders open to all employees

960 640 Stuart O'Brien

By Varonis

Like a wardrobe malfunction during a live broadcast, no one wants to be overexposed – especially when it comes to your data.

The surprising truth: most companies go about their business blithely unaware that some of their most sensitive data is wide open. And by “some” we mean a lot. In fact, our latest research shows that 41% of organizations had at least 1,000 sensitive files open to all employees.

As we know, it only takes one leaked file to cause a headline-making data breach. We’ve seen how one unpatched server can lead to a disaster; a single “unpatched” folder filled with sensitive files can be just as disastrous — and it doesn’t take an expert or sophisticated code to exploit it.

That’s where Varonis Data Risk Assessments come in. Every year, Varonis conducts thousands of risk assessments for companies around the globe. Using the Varonis Data Security Platform (DSP), we identify where sensitive and regulated data resides, show what’s overexposed and vulnerable, and provide actionable recommendations to increase your data security posture.

Think of a Data Risk Assessment as a reality check on your data – that friend who tells you you’ve got a button undone. And they’re free (but more on that later).

Click here to continue reading…

Varonis Data Apocalypse

8 tips to surviving the data security apocalypse

960 640 Stuart O'Brien

By Varonis

These days, working in data security can feel like surviving a zombie apocalypse – mindless hordes of bots and keyloggers are endlessly attempting to find something to consume. Just like in “The Walking Dead,” these zombies are an ancillary threat to other humans. The bots and keyloggers are pretty easy to defeat: it’s the human hackers that are the real threat.

How prepared are you to deal with the real threats out there?

Get Global Access Groups Under Control

Are you still using global access groups? That’s the dystopian equivalent of leaving your walls unmanned!  Giving the default “everyone” group access to anything is a hacker’s dream scenario.  They get a free pass to move from share to share, looking for anything and everything, and you’ll never know they were there.

Removing all permissions from the default global access groups is an easy way to improve data security. Varonis DatAdvantage highlights folders with Global Access Groups so that you can see who’s got access to what at-a-glance – and then you can use the Automation Engine to quickly remove those global permissions from your shares.  All you need to do is set the Automation Engine to remove Global Access Groups and it will move users out of those generic groups and into a new group that you can then modify.  The important thing is to stop using Global Access Groups, and keep your walls manned at all times!

Identify (and Lock Down) Your Sensitive Data

Effective survivors hide their resources and food stores from the prying eyes of outsiders. The most organized groups stash backup caches and keep records of their stores. Do you do the same with your PII and intellectual property data?  Can you, right now, tell me where every social security number or credit card string is stored on your file shares? If you can’t, then who knows what kind of treasures potential thieves will find as they poke around?

Knowing where your sensitive data is stored is vital to surviving the data security apocalypse – our Data Classification Framework quickly and easily identifies PII and intellectual property data in your unstructured files, so you know where your sensitive data is – and where you can lock it down.

Track Your Dangerous Data

Imagine that the guard on the North wall got eaten – and now the map with the weapons caches for the entire region is MIA.  Can another group of survivors find that map and steal your stuff? You might be leaving the same breadcrumbs on your network by leaving behind old files that have valuable information a hacker could use for profit.

Identifying and deleting or archiving this data is just as important as moving that cache of weapons to the safety of your base camp. DatAdvantage can report on stale data and give you visibility into what might be leaving you vulnerable to hackers. Managing stale data is an excellent strategy to limit exposure, and keeps you one step ahead.

Practice Good Password and Account Policy

Say you use a certain whistle to communicate with your group – and you’ve used that same whistle for the past 8 months. What are the chances that a rival group will ambush you by using that whistle?

It’s the same if you have passwords that never change, or accounts that are no longer active, which should have been removed or deactivated.  Hackers can use those accounts to try to access resources over and over again without setting off any alarms.

It’s always best to change the “whistle,” or password, on a consistent basis – and have a policy in place to revoke access privileges when people leave the group. Perhaps something less drastic than chopping their head off before they go full zombie.  With DatAdvantage, you can report on these kinds of accounts in your Active Directory so that you can take action and remove this threat without using an axe.

Fix Inconsistent Permissions

Once you have redundancies and processes to keep everything running smoothly, what happens when that one guy in your survivor group just can’t follow simple instructions?  What if they’re an important part of the plan, but can never quite complete their part?  You might say that part of the plan is broken, like when you have a share that is set to inherit permissions from the parent – but for some reason isn’t. In data security terms, you have inconsistent permissions, which can cause confusion as to exactly how the permissions on these folders are set.

Fixing all of these broken links in the fence will help keep the outsiders from getting into your data stores. You can automate the process of repairing inconsistent permissions with the Automation Engine – so that you’re maintaining a least privilege model and only the right people can access that data. Or get through that fence.

Identify Data Owners

If your survival group is going to be a self-sustaining society, you’ll need leaders to support your growth.  You wouldn’t want the horticulturist in charge of weapons, and you probably wouldn’t want the weapons master in charge of your vegetables.  The same holds true for your data and the data owners.

You need to be able to identify the owners of your data so that you know who’s responsible for managing permissions and access to those shares. When there’s one person in the Legal department who can grant access to the legal shares, you’re in a much better situation than if the IT department handles that for every department.

The first step is to identify data owners – and DatAdvantage provides reports and statistics to help you do just that. You can automate the process with DataPrivilege, and enable those data owners to approve and revoke permissions from their shares and audit permissions on their shares on a regular basis. Now that the data owners are in charge of who gets access to their data, things are starting to make a lot more sense – not to mention run much more smoothly.

Monitor File Activity and User Behavior

As your society of survivors grows into a full-fledged community, you want to make sure that everyone is contributing and utilizing the resources of the community correctly.  So you put in some monitoring systems.  Assign chain of commands and reporting structures and even make some rules.

And so, you need to do the same thing by monitoring your file and email servers. DatAdvantage gives you visibility on the file and email servers – even user behavior – which is paramount to data security: outsiders can sometimes get in, and once they get in they might look like they belong.  But when they start stealing extra bread or copying gigs of data to an external drive, we need to know.

Set Up Alerts and Defend Your Data

Alerts can warn you about a herd tripping a bell on the perimeter or that Jeff from marketing has started encrypting the file server with ransomware.  The faster and more that you know about potential threats, the better you can respond.  Conversely, the longer the outsiders have to do bad things, the worse it will be for us every time.

You can set those tripwires to automatically respond to specific types of threats with DatAlert, so that your security team can lessen the impact and get straight to the investigation phase. DatAlert establishes behavioral baselines for every user – so that you know when somebody’s acting out of the ordinary, or if their account has been hijacked. With DatAlert, you can monitor your sensitive data for unusual activity and flag suspicious user behavior so that you know when you’re under attack.

Want to check your own preparedness level for the data security apocalypse? Get a risk assessment to see how you measure up.  We’ll  check your environment for all of these potential threats and provide a plan of action to get you up to true survivor status.

Managed detection and response market worth $1.6bn by 2022

960 640 Stuart O'Brien

The major forces driving the growth of the Managed Detection and Response Market include the increase in the enterprise targeted cyber-attacks, shortage of cybersecurity practitioners, and need for compliance to various government regulations.

That’s according to a new report from MarketsAndMarkets, which predicts the market size is expected will grow from $419.7 million in 2017 to $1,658 million by 2022, equivalent to a Compound Annual Growth Rate (CAGR) of 31.6% during the forecast period.

Moreover, the report says technological advancement and increasing adoption of technologies such as Internet of Things (IoT) across various end-use applications are some of the other factors that are driving the market growth.

The endpoint security type segment is expected to hold the largest market share in the Managed Detection and Response Market during the forecast period.

Endpoints are usually network devices, such as servers, desktops, laptops, smartphones, tablets, and Point of Sale (POS) connected remotely to an enterprise server, making them vulnerable and creating an entry point for potential cyber threats.

Endpoint security type MDR services provide real-time control, visibility, and analytics of endpoints deployed across an organisation. Vendors are offering advanced endpoint MDR services that leverage technologies such as Artificial Intelligence (AI) and machine learning, to proactively detect attacks, malicious activities, and respond to them before they undesirably affect the enterprises’ business operations.

The cloud security type segment is expected to gain traction and grow at the highest CAGR, owing to the rising adoption of cloud computing across enterprises of different sizes and the increasing security vulnerabilities arising out of it.

Uber conceal massive data hack

960 640 Stuart O'Brien

Global transportation tech company Uber concealed a massive breach of personal information of over 57 million customers and drivers in October 2016, with the company acknowledging that it failed to notify individuals and regulators it has been revealed.

The company covered up the breach, and instead paid the hackers responsible $100,000 to delete data and keep the breach quiet.

Addressing the situation, new CEO Dara Khosrowshahi admitted that, while there was no excuse for the incident, he had “obtained assurances that the downloaded data had been destroyed”.

“None of this should have happened, and I will not make excuses for it,” Uber’s chief executive, Dara Khosrowshahi, said in a statement to The Guardian: “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.

“We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

It is thought the hackers managed to download data including names, email addresses and phone numbers, including driver license numbers of over 600,000 Uber drivers around the US.

Uber claims that other information, including credit card numbers, bank account details and birth dates were not compromised.

Khosrowshahi admitted that the breach had prompted him to take several measures, with the departure of two senior members of staff responsible fro the company’s 2016 response.




Employees are companies’ biggest data security risk

960 649 Stuart O'Brien

A consensus study commissioned by data security specialist HANDD Business Solutions (HANDD) has revealed that nearly a quarter of IT professionals believe that the behaviour of employees and their reactions to social engineering attacks – which can trick them into sharing user credentials and sensitive data – poses a big challenge to data security.

The survey of 304 IT professionals in the UK shows that 21 per cent of respondents say regulations, legislation and compliance will be one of the two greatest business challenges to impact data security. The General Data Protection Regulation (GDPR) is causing real concern among professionals in their bid to be compliant by the deadline, which is less than 12 months away. GDPR will not only raise the privacy bar for companies across the EU, but will also impose extra data protection burdens on them.

HANDD CEO and co-founder Ian Davin commented: “Companies must change their mindset and look at data, not as a fungible commodity, but as a valuable asset. Data is more valuable than a pot of gold, which puts companies in a challenging position as the stewards of that data. C-suite executives must understand the data protection challenges they face and implement a considered plan and methodical approach to protecting sensitive data.”

41 per cent of those surveyed assign the same level of security resources and spend for all company data, regardless of its importance. Analysing and documenting the characteristics of each data item is a vital part of its journey through an organisation. A robust data classification system will see all data tagged with markers defining useful attributes, such as sensitivity level or a retention requirement and ensuring that an organisation understands completely which data requires greater levels of protection.

“Employees are probably your biggest asset, yet they are also your weakest link, and so raising user awareness and improving security consciousness are hugely important for companies that want to drive a culture of security throughout their organisation,” commented Danny Maher, CTO at HANDD.