If the Ponemon study were a horror flick, it'd be titled "The Login Came from Inside the System." This week's episode dives into the alarming trend of organizations handing out privileged access like Halloween candy — only to forget who's still got it long after the party's over. With 59% of breaches linked to insiders or third parties, and executives confidently sailing past the iceberg of reality, we explore what happens when no one's really sure who can still get into the network. Spoiler alert: it's not good. So grab your flashlight and audit logs — we're heading into the haunted house of unrevoked access. More info at HelpMeWithHIPAA.com/507
I'm always asked the same question when talking to customers about the threats of quantum computing and the move to post-quantum cryptography. What are similar companies doing about it? It's only been half a year since the NIST standards were published, but we're starting to see some traction. Join host Konstantinos Karagiannis for a chat with Samantha Mabey from Entrust about an interesting study on migration, along with some tactical advice for getting your PQC journey underway. For more information on Entrust, visit www.entrust.com/. Read the PKI and PQ study here: www.entrust.com/cybersecurity-institute/reports/2024-pki-and-post-quantum-trends-study. Visit Protiviti at www.protiviti.com/US-en/technology-consulting/quantum-computing-services to learn more about how Protiviti is helping organizations get post-quantum ready. Follow host Konstantinos Karagiannis on all socials: @KonstantHacker and follow Protiviti Technology on LinkedIn and Twitter: @ProtivitiTech. Questions and comments are welcome! Theme song by David Schwartz, copyright 2021. The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by, Protiviti Inc., The Post-Quantum World, or their respective officers, directors, employees, agents, representatives, shareholders, or subsidiaries. None of the content should be considered investment advice, as an offer or solicitation of an offer to buy or sell, or as an endorsement of any company, security, fund, or other securities or non-securities offering. Thanks for listening to this podcast. Protiviti Inc. is an equal opportunity employer, including minorities, females, people with disabilities, and veterans.
It's the dirty little secret among healthcare cyber professionals: they don't know where all their ePHI is, not even close. And while those professionals are not to blame (healthcare workflows and, thus, data flows are messy business), they do have to get their arms around the problem. The first step? Understand it. In this unique webinar, we'll explore the results of a Ponemon study on the state of ePHI in healthcare to learn just how bad the problem is and where the data might be. Then, we'll explore ways to secure it and, in the process, hopefully give cyber professionals one less reason to be up at night. Source: Exploring the ePHI Cyber Crisis & How to Fix It on healthsystemcio.com. healthsystemCIO.com is the sole online-only publication dedicated to exclusively and comprehensively serving the information needs of healthcare CIOs.
When logging into devices and applications that hold the key to a user's identity, how can that user tell who is at the other end of the line? When it comes to internet safety and securing a user's identity online, Phil Dunkelberger, President and CEO of Nok Nok Labs, shares that the future of online security is cybersecurity that can be simplified through public/private key cryptography. On this episode, Phil explains what that means, plus the purpose of FIDO and how it can create frictionless security for users logging into their devices and applications.
Tune in to learn:
- What FIDO is designed to do for users (9:55)
- Why public/private keys used for authentication benefit the customer (14:00)
- How passkeys have evolved to render the need for two devices for personal and work purposes unnecessary (28:00)
- About Nok Nok's study on the IT support side of the problem with authentication (35:36)
Mentions:
- Vanguard Totem Tech
- Alli Bey, CEO of Totem Tech
- Dr. Larry Ponemon, Founder and Chairman of Ponemon Institute
- PYMNTS
- Karen Webster, CEO of PYMNTS
- Karen Webster's study
- “Shoe Dog: A Memoir by the Creator of Nike” by Phil Knight
- Xerox Phil Zimmermann
- Symantec
IT Visionaries is brought to you by Salesforce. With Salesforce's low-code app dev tools, you can be more efficient, more productive and save money by reducing development time by up to 90%. Get Salesforce's Low-Code Playbook and increase time to value for your team and your customers. Download the free playbook today. Mission.org is a media studio producing content for world-class clients. Learn more at mission.org.
More and more the healthcare industry is using connected medical devices that do cool things, like creating efficiencies in the delivery of patient care and automating tasks for healthcare providers and their staff. But, what about the security of these connected devices? Has anyone thought about that? Well, Ponemon and Cynerio did a study on just that topic and the results are very concerning. More info at HelpMeWithHIPAA.com/377
We follow a lot of the Ponemon studies. They help us see changes and trends and make better recommendations to our clients. We are going to cover their annual cost of an insider breach study. This global study covers insider incidents and provides five signs your organization is at risk. More info at HelpMeWithHIPAA.com/374
Guest post by Lee Bristow, Chief Technology Officer at Phinity Integrated Risk Management. As the value of personal data increases, so too does the consequence of data breaches. The responsibility of ensuring client and supplier data is kept safe has become tantamount to a bank securely holding our cash. This is an ethical Catch-22.
The business case for ethics and robotics
Most businesses, from global giants to SMEs, are increasingly reliant on third parties to provide core business services. This depends on the sharing of essential client data with these parties. Hence, as a user, when signing away your data, you could be handing it over to unknown entities. Who is responsible for this data? A client signs a deal with the contracting company, and it's up to them to take ethical and legal responsibility to protect their clients' information. It's also the contracting business that will shoulder the dire consequences of resulting bad press and reputational damage for compromised data.
It's no longer time that's money
Data leads to money, one way or another. The old chestnut that ‘data is the new oil' springs to mind. As data value increases, so too does its desirability. More people want it. And more people are willing to go to criminal lengths to get it. The convenience that the internet offers to us average users has also created leverage for scoundrels, who don't even need to organise a getaway car anymore. Bonnie and Clyde robbing banks have been replaced with scammers and hackers hidden deep within the internet.
Data is less secure than ever
April 2020 saw an unusually high increase in cyber-attacks as people worked remotely, thanks to Covid. In that year, there was a general upsurge in data security breaches in the EU and UK of 10% (Lexology). A survey in 2021 by the Ponemon Institute found that 51% of organisations experienced a data breach caused by third parties, resulting in the misuse of sensitive data.
There's no doubt that using third parties massively increases risk. And as more operations are outsourced, the complexity of relationships intensifies. So you've got a wobbly combination of greater relationship complexity and increased risk.
Third party risk management (TPRM)
Historically, the procurement department was responsible for third party contracts. Made sense. But as the convolutions of these relationships become ever more intricate, and the risks spread their tendrils across the organisation, does it still? An example of this was one of South Africa's largest banks, Nedbank. Using the services of SMS marketing provider Computer Facilities, it experienced a data breach affecting 1.7 million of Nedbank's clients. While the press pointed at Nedbank, it wasn't in fact the bank's own information security provision that was at fault. However, Nedbank had engaged the supplier. This begs the question: who was accountable? IT? Procurement? Marketing? Client services? The list goes on. It's no longer just one division's problem. From an information security issue, TPRM has become a privacy issue. Large organisations tend towards rigidity in managing third parties. Their size simply doesn't allow for flexibility in dealing with smaller start-ups. The only mitigation here, really, is a more ethical attitude towards TPRM, and the use of automation.
More than just the law
While legal contracts are essential to third party relationships, they won't repair the damage once the horse has bolted. There are a few considerations when looking at mitigation strategies for data breaches: organisation size, jurisdiction, and the types of service being supported. Organisations must do thorough due diligence on third party vendors, which it seems they're not doing. In the Ponemon survey, it was found that 51% of companies had not been assessing security and privacy practices and processes before granting access to sensitive and confidential data.
Deloitte ran some research on the current approaches to TPRM and the findings are grim. Fo...
A new Ponemon Institute study reveals that, as cloud adoption grows across diverse environments, 60% of IT and security leaders aren't confident that their organization can ensure secure access to cloud environments. Dr. Larry Ponemon, the institute's founder and chairman, illuminates key findings from the Global Study on Zero Trust Security for the Cloud, including factors that make cloud security complex and how Zero Trust security can mitigate distributed infrastructure risks and accelerate cloud transformation objectives.
Get a copy of the Global Study on Zero Trust Security for the Cloud here.
Guest: Larry Ponemon, Chairman and Founder of the Ponemon Institute
Moderator: George Wilkes, VP of Demand Generation, Appgate
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends, and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
- IBM's and Ponemon's annual Cost of a Data Breach Report summary, analysis, and implications for healthcare
- Updated NIST guidance on HIPAA compliance approaches and expected practices
- Facebook (Meta) and healthcare providers targeted with multiple lawsuits over health data privacy practices
- GAO report warns of catastrophic financial loss due to cyber insurers backing out of covering damages from cyberattacks
- $100m cost reported for Tenet Healthcare's 2022 cyberattack
- Major breaches with healthcare vendors OneTouchPoint and Avamere impacting more than 1.5m people
- Cloud Security Alliance weighs in on third-party risk management in healthcare
- Large-scale cyberattack campaign targeting over 10,000 organizations in phishing and financial fraud scheme
- HHS Health Sector Cybersecurity Coordination Center alert about an increase in web application attacks on the healthcare sector
- New ransomware task force report targeting government interventions to disrupt ransomware attacks
- OCR issues 11 new financial penalties over HIPAA Right of Access failures
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week:
- Largest ransomware attack on record impacts 1,500 businesses via third-party Kaseya supply chain breach over the holiday weekend
- Several large ransomware providers call it quits due to increased scrutiny and pressure
- Ransomware attack on Ireland health system exceeds $600m in costs and remains active six weeks into the attack
- Ukrainian police arrest members of CLOP ransomware gang
- NIST releases draft guidance for Ransomware Risk Management & CISA releases a ransomware self-assessment tool
- President Biden's summit with Vladimir Putin and directive for a “no hack” list of US critical infrastructure
- DOJ charges network security executive with hacking a Georgia health system for personal gain
- One billion CVS records exposed in cloud configuration error breach
- Details of the Ponemon Institute's new third-party cloud compromise report
- OIG and FDA updates on medical device security guidance and new GAO cybersecurity recommendations
- Bipartisan data breach notification bill drafted which includes a 24-hour breach notification requirement
- Meditology Services was ranked the #1 healthcare security and privacy consulting firm according to a new survey reported by Becker's and Healthcare IT Security magazines
Join ATARC for a robust discussion on how agencies are innovating to stay ahead of adversaries. Hear from Dr. Larry Ponemon of the Ponemon Institute as he shares the latest results of the 2021 Government Breach Trends Study, which examines the problems and what innovation is happening across government to move to a more proactive security posture. Then learn what our panel of experts are doing to improve breach detection and response in a landscape where they are inundated by new, rapidly evolving challenges, as well as lessons learned.
In this episode Dr. Larry Ponemon discusses the Ponemon Institute's latest findings on the growing cybersecurity and data privacy threats associated with COVID-19. COVID-19 has dramatically changed the workplace, has created new cybersecurity risks and has exacerbated existing risks. The purpose of this research, sponsored by Keeper Security, is to understand the new challenges organizations face in preventing, detecting and containing cybersecurity attacks in what is often referred to as “the new normal”. In the new era of a remote workforce, organizations worry most about the lack of physical security in the remote worker's workspace. Almost half (47 percent) of respondents say it is the inability to control risks created by the lack of physical security in remote workers' homes and other locations that is a significant concern for their organizations.
Show Links:
- Cybersecurity guidance for executives to stay ahead of COVID-19 risks
- Rethinking cybersecurity priorities amid the coronavirus pandemic
- Bringing to focus SMB cybersecurity needs
- 3 keys to a successful cybersecurity plan for the new year
- NCX Group Free Cybersecurity Assessment
MONEY FM 89.3 - Prime Time with Howie Lim, Bernard Lim & Finance Presenter JP Ong
According to a Ponemon study, the average organizational cost of a data breach in ASEAN is US$2.62 million, and each breach results in an average of 22,500 records being compromised. In Mind Your Business, Howie Lim spoke to Joanne Wong, Vice President of International Markets at LogRhythm to find out what more e-commerce players must do to safeguard their data during the shopping season. See omnystudio.com/listener for privacy information.
Colin Bell, Rob Cuddy and Kris Duer from HCL Software bring you another discussion on Application Security, DevSecOps and AppScan. This episode includes all the latest AppScan news, tips around mobile cryptography, early snow in the north, close wildfires in the south and Irish Samhain (Sawin) traditions. Our guest this week is Dr. Larry Ponemon from the Ponemon Institute, who recently published a report on Application Security in DevOps. He talks to us about the report and some of the fascinating findings. For a free copy of the Ponemon report that we discussed in this episode, please visit: https://www.hcltechsw.com/wps/portal/products/appscan/ponemon-report
All links and images for this episode can be found on CISO Series (https://cisoseries.com/i-need-resources-to-free-up-my-resources). Automation sounds wonderful and I'd love to have some free time, but geez, who do I need to hire to make that happen? This episode is hosted by me, David Spark (@dspark), producer of CISO Series and founder of Spark Media Solutions, and Mike Johnson. Our sponsored guest this week is Aaron Ansari (@theanswar), VP, Cloud One, Trend Micro. Thanks to this week's podcast sponsor Trend Micro. Trend Micro Incorporated, a global leader in cybersecurity solutions, helps to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses, and governments provide layered security for data centers, cloud environments, networks, and endpoints. For more information, visit www.trendmicro.com. On this week's episode: There's got to be a better way to handle this. How well has the cybersecurity automation gambit played itself out? Last year, Ericka Chickowski wrote a piece on Dark Reading about the cybersecurity automation paradox. She said that "security teams find that a lack of automation expertise keeps them from getting the most out of cybersecurity automation." According to a Ponemon study, that accounts for 56% of organizations. That's the number one obstacle. It's more than legacy IT challenges, lack of budget, and interoperability issues. 40% of respondents say they'll need to hire more people to support security automation. Everyone speaks of wanting automation, but is it more of an aspiration and a marketing pitch? Has it specifically alleviated any pain over the past year? And if so, what? What annoys a CISO? For my co-host Mike Johnson, the annoyance is the "single panes of glass" that so many security vendors offer. Our guest, Aaron Ansari, is ready to challenge Mike on his grand distaste for "the single pane of glass" as the window to your security status/infrastructure/whatever you like it to be.
"What's Worse?!" What's worse, failure but honesty, or success and deception? Please, Enough. No, More. Topic is "cloud configuration." What have we heard enough about with cloud configuration, and what would we like to hear a lot more? Ummm. Maybe you shouldn’t have done that We're talking about vendor lock-in. It makes recurring sales for vendors super easy. But it makes exit strategies very difficult. On Quora, the question was asked, "How do huge companies like Netflix avoid vendor lock-in with a cloud computing provider?" So I ask the question to both of you, what safeguards can you setup to prevent vendor lock-in or at least make an exit from a cloud provider as painless as possible? Creative Commons photo attribution to Alden Jewell (CC BY 2.0)
Welcome! Craig discusses the Cost of Data Breaches and the IBM/Ponemon Institute Study and why credential theft is a pre-eminent form of cybercrime. For more tech tips, news, and updates visit - CraigPeterson.com --- Read More: Average Cost of a Data Breach: $3.86 Million The Future's Biggest Cybercrime Threat May Already Be Here Election Interference: Google Purges Breitbart from Search Results Google Has Been Purging Breitbart Content from Search Results Since the 2016 Election Heads roll at Intel after 7nm delay Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness Three people have been charged for Twitter's huge hack, and a Florida teen is in jail Remote Work Isn't Working? Maybe Your Company Is Doing It Wrong FBI Releases Flash Alert on Netwalker Ransomware Electric car startup Lucid is challenging Tesla's anti-lidar stance --- Automated Machine-Generated Transcript: [00:00:00] Welcome back, everybody. We're talking right now about IBM's latest data breach report. What does it mean to businesses and you as a home user? Of course, this is Craig Peterson that you're listening to. You can get my weekly report by just going online. I have a newsletter. We have a whole ton of great information available for you. So check that out, make sure you subscribe, and I've got, well, it's like four different free gifts. One of them is the most coveted gift that I've given out. I've had so many great compliments on it, and that's your security reboot guide. You'll get that if you sign up at CraigPeterson.com/subscribe. I think you're really, really going to like it. So we were talking about the IBM report before the break. [00:01:00] Let's complete that. Now, this is the Cost of a Data Breach Report 2020, and it was done by the Ponemon Institute. And then IBM did some analysis on it. So let's look at the average total cost by security automation level. Fully deployed: $2.45 million.
So if you fully deploy your security, if you have everything your security team tells you, yeah, you need, a breach is going to cost you about two and a half million dollars. If you've partially deployed, like my customer here who had the breach coming in via Mexico, and so we had some stuff there, but not everything that we had recommended (and that is actually required by the federal regulations he's supposed to be abiding by), partially deployed, the cost jumps from $2.45 million [00:02:00] to $4.11 million, the cost of a breach. So let me see right there. You save yourself almost $2 million, which is more than what it would cost you to do this, right? If you're a small business. And then not deployed at all, a breach is going to cost you about $6.03 million. Absolutely incredible. Now, where are the main parts of this cost? Well, the customer's personally identifiable information. So that's things like their name, their email address, their phone number, bank account numbers, maybe Social Security numbers, maybe credit cards. Right? All of that is called PII, and it's the stuff that should not ever be disclosed. So if you're a consumer, you kind of expect the business to keep that information confidential, right? Well, oh, [00:03:00] here we go. Breaches that have customer identifiable information account for 80% of all of the breaches. Isn't that sad? So 80% of the time when there's a breach, somebody's personal information is stolen. And the average cost per customer record in a malicious attack is about $175, in case you're not aware of it. If you're a retailer, a retailer is fined incredible amounts. I think right now it's a minimum of $125 per credit card that they've taken, if it's breached and they have credit card information on their systems. That's a lot of money, but on average it costs about $175 per customer record
that's stolen. Next up here on the screen, and you'll find this online [00:04:00] again by searching for IBM and their 2020 data breach report: compromised credentials and cloud misconfiguration lead the way. Well, compromised credentials. Hmm. What would those be? How about your username and password? More and more businesses are moving to the cloud. And if you are using the same email address and you're using the same password, yeah, you knew what I was going to say, didn't you, for your accounts? You're in trouble. And that's why I keep reminding people that they should go to HaveIBeenPwned.com to check and see if their email address has been stolen in a breach. I'm playing around, by the way; I almost guarantee it has, unless you've got a very, very current email [00:05:00] address. So 19% of these breaches came in through compromised credentials. Other ways to do that: obviously nowadays phishing is a very, very big way that some of this data is stolen, but these were the most expensive initial attack vectors: compromised credentials and cloud misconfiguration. Now, you know how much I hate VPNs. Right now, there is a need for them. Don't get me wrong. But almost always, it's more of a problem than the problem you're trying to solve using a VPN. So one of the things we talked about here just a couple of weeks ago was how the VPN data from, I think it was eight different VPN providers, was found online, like 1.2 terabytes [00:06:00] worth of personal information. Now, these are all VPN services that said we don't log, we're not logging. Don't worry. We're great here. You can trust us. We're secure and we're not logging. We're not selling your data. What was discovered online in a misconfigured cloud server? All of the places you had been, your password in clear text, your username. So now that data is stolen, anybody that was using one of these free VPN services...
And I caution you against the paid ones as well, but anyone that was using one of these free VPN services is out of luck, because the bad guys have your username that you use and your password. So again, that's why I keep stressing, get 1Password. It's the best, bar none, 1Password. I don't make a dime off of this. Right. But 1Password, [00:07:00] and make sure you use different passwords every time and have 1Password generate them for you. I have 1Password generate passwords that are usually four or five words long, and then I have special characters between each one of the words, and those are almost impossible to crack. It would take over a hundred years in most cases, unless I'm using one of these VPN services that doesn't bother encrypting my password. They weren't doing some sort of a SHA hash or an MD hash or anything? No, no, no, no, clear text. Okay. So 19% were from compromised credentials, 19% were from cloud misconfiguration, and 16% were from vulnerability in third-party software. So the costliest initial attack vectors: compromised credentials, number one. So keep that in mind, everybody. Whether you're a home [00:08:00] user or you're a business user on that router, heaven forbid you're using a consumer router and firewall in a business. Don't do it. And in most cases, people never bothered to change the default username and password on their firewall. So bad guys get in. $4.77 million is the average cost with compromised credentials. Amazing. Vulnerability in third-party software, four and a half million dollars. And what does that tell you? Patch. Remember, when you're talking about Microsoft and you've turned on the automatic updates on Windows, all it's going to update is Windows and the core Windows utilities. It's not going to update your Adobe software, you know, your Photoshop and whatever third-party, you know, engineering [00:09:00] software, drafting software, whatever.
It's not going to automatically update them. And then so many businesses are saying, well, okay, you have to run Windows XP or have to run Windows 7 because I can't get the latest version of the software. The company went out of business or it's too expensive. And then number three, cloud misconfiguration. So both vulnerability in third-party software and cloud misconfiguration account for about a four and a half million dollar breach each. Real big deal. So stick around, we're going to go through some more here. I enjoy being with you. Thanks for being with me. We will be right back. You're listening to Craig Peterson. --- More stories and tech updates at: www.craigpeterson.com Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson For questions, call or text: 855-385-5553
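The passphrase advice in the transcript above (four or five words with separators, generated by a password manager) rests on arithmetic the episode only gestures at. The following is an added example, not code from Craig Peterson's show or from 1Password: it draws a passphrase with a CSPRNG from a constructed toy wordlist, then computes the entropy an attacker faces if they know the scheme (a 7776-word diceware-style list and a 12-symbol separator set are assumed) and how long exhausting that keyspace takes at an assumed offline guessing rate, alongside an 8-character random password for comparison.

```python
import math
import secrets

# Constructed toy wordlist so the example runs stand-alone (hypothetical).
# A real generator uses a large published list; the entropy figures below
# assume a 7776-word diceware-style list, not this 16-word toy.
WORDLIST = [
    "apple", "brick", "cloud", "delta", "ember", "flint", "grove", "harbor",
    "ivory", "jumbo", "kiosk", "lunar", "mango", "noble", "orbit", "pixel",
]
SEPARATORS = "!@#$%^&*-_=+"   # assumed separator alphabet (12 symbols)
DICEWARE_WORDS = 7776          # 6^5, the size of a standard diceware list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(n_words=5, wordlist=WORDLIST, separators=SEPARATORS):
    """Words joined by one random separator each, every choice from the CSPRNG."""
    if n_words < 2:
        raise ValueError("need at least two words to place a separator")
    parts = [secrets.choice(wordlist)]
    for _ in range(n_words - 1):
        parts.append(secrets.choice(separators))
        parts.append(secrets.choice(wordlist))
    return "".join(parts)


def passphrase_entropy_bits(n_words, wordlist_size=DICEWARE_WORDS,
                            n_separators=len(SEPARATORS)):
    """Entropy assuming the attacker knows the scheme and both lists (Kerckhoffs).

    Each word contributes log2(wordlist_size) bits and each separator slot
    log2(n_separators) bits. Separators sit in fixed positions, so they add
    only their own choice, not any position entropy.
    """
    return n_words * math.log2(wordlist_size) + (n_words - 1) * math.log2(n_separators)


def password_entropy_bits(length, alphabet_size=95):
    """Entropy of a uniformly random character password (95 printable ASCII)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole keyspace at a constant guess rate.
    Expected time to hit a uniformly chosen secret is half of this."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e10   # assumed: offline cracking of a fast unsalted hash on a GPU rig
    for label, bits in [
        ("5-word passphrase + separators", passphrase_entropy_bits(5)),
        ("8-char random password", password_entropy_bits(8)),
    ]:
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, rate):.3g} years at {rate:.0e} guesses/s")
    print("sample:", generate_passphrase(5))
```

Two caveats the numbers make visible. The "over a hundred years" holds only against guessing: at the assumed rate the 5-word passphrase is in the millions of years while 8 random characters fall in days. And, exactly as the transcript says, none of this matters when the service stores the password in clear text; entropy protects against cracking a hash, not against a leaked plaintext, so the password manager's real contribution is that each site gets a different one.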
Welcome! Craig discusses the Cost of Data Breaches and the IBM/Ponemon Institute Study. For more tech tips, news, and updates visit - CraigPeterson.com --- Read More: Average Cost of a Data Breach: $3.86 Million The Future's Biggest Cybercrime Threat May Already Be Here Election Interference: Google Purges Breitbart from Search Results Google Has Been Purging Breitbart Content from Search Results Since the 2016 Election Heads roll at Intel after 7nm delay Out-of-Date and Unsupported Cloud Workloads Continue as a Common Weakness Three people have been charged for Twitter's huge hack, and a Florida teen is in jail Remote Work Isn't Working? Maybe Your Company Is Doing It Wrong FBI Releases Flash Alert on Netwalker Ransomware Electric car startup Lucid is challenging Tesla's anti-lidar stance --- Automated Machine-Generated Transcript: [00:00:00] We got a lot to cover as per usual. We're going to talk about data breaches today. We're gonna talk about cybercrime today. Election interference. What's going on with the big social media sites. This is Craig Peterson. I'm so glad you guys have decided to join me today. I am doing a little bit more with video today. So if you are online, you might be able to find me. I am not putting this video up until later on; you get to hear me first here on all of our radio stations and affiliates throughout the Northeast, which is really kind of cool. Now we keep expanding. Yes. And we're doing more in the Facebook realm and the YouTube realm. I got to start out with a little bit of an apology here. We were going back and looking at all of our numbers. We're trying to figure out what's going on, because I was getting dozens and dozens and dozens of emails from listeners saying, why did you send me this email? [00:01:00] 'Cause I've been opening all your emails. And they were really confused. Well, here's, here's what goes on. Okay. If you don't open my emails for a few weeks, then I'm kind of figuring that maybe you're really busy.
Something's going on. Maybe you don't like the sorts of things that I've been saying or doing. Maybe you want off the list and stuff. And so I sent out all of those emails to people. Well, it turns out we hadn't sent out an email since June 13th. And you might remember that's when one of my daughters got married and we went out to Kentucky. Then everything happened with the family; it's just been crazy. Then I've been trying to get all of this video stuff together, and that's been a lot of work too. So my apologies to you if I sent you that email and you're wondering, why, why is he doing this to me? 'Cause he knows I like him. So I think I was able to restore everybody back to proper balance here. [00:02:00] We'll see how this all goes. And then the other thing that was messing up, this is what I get for not paying enough attention to some of these things, is all of our podcasts are definitely going out. We've been posting those and they're going out by the podcast mechanism. We've even still been including a transcript of the entire podcast, so you can go back and search and everything. Well, they had not been going up onto my website since also about June 13th. So I don't know that we're going to catch up on those on the website. You can definitely get them by going to my podcast feed, which you'll find online as well: CraigPeterson.com/podcast. And yeah, if you're an iTunes user, go to CraigPeterson.com/itunes, or, you know, wherever you'll find me on all your favorite podcast mediums. So it's there, it's not on my website, and the [00:03:00] emails didn't go out. Yes. It has been one of those summers. And then, yeah, what happened this week? We had our tornado two towns over from me from this latest storm. It's a different name; I can't remember what it is. So I ran outside. I was in a meeting. I said, hey, listen, guys, I got to go.
And I grabbed some straps and I wrapped them around the beehives and around the pallets the beehives are sitting on because I do keep rocks on top. Take help them from blowing over in the light wind, but we get wind. We lost power. I had to bring all of the equipment back up in my studio, all of the computers and stuff. It, it just, wasn't a pleasant experience. Anyhow. That was my week, Hell. How was yours? [00:04:00] Hey, I want to start by talking again about this new report that was put together by the Ponemon Institute. Now you may be familiar with these guys. You may not be familiar with these skies, but it was put together for IBM and IBM has published it. So I'm going to bring it up on the screen. For those of you who are watching this as a video. Uh, this is the cost of a data breach report for 2020. And this I'm showing here for those people who are watching for those that aren't. If you want to look it up, just go and do a search for the Cost of a Data Breach Report 2020 IBM and you'll find it. So they did a study on over 500 data breaches. Very, very big. And, and this study was done by the Institute and then it was analyzed and published by IBM securities that say right there, the data breach costs are absolutely huge when you get right down to it, right. [00:05:00] What kind of business are you with? You know, are you doing just a little guy and the data breach costs, won't be a lot while it could easily put you out of business. Most small businesses, really small businesses just fold within six months. It's bad. So this is showing us here. Yeah. That the global average total cost of a database is 3.86. Million dollars. Now that's down a little bit from last year, one and a half percent. And what is really saving people, what's really saving businesses is automation. See one of the biggest mistakes businesses make when it comes to the computer security network security VPN security is they've got a veritable plethora. 
[00:06:00] of different pieces of equipment and software. So you've got what are called panes of glass. So you've got five, 10 different systems that your analysts have to look at to figure out what's going on. Are the computers up to date? Did someone try to break in? Is someone trying to break in right now? Did they get in? What data did they have access to? Was any data exfiltrated? Did we catch it, right? All of those types of questions. So automation, where you have one pane of glass, allows you to have all of these, from your advanced malware prevention, the intrusion detection, intrusion prevention systems, the endpoint [00:07:00] anti-malware that's sitting on your computers, the DNS that allows you to monitor where people are going and stop places, as well as stop ransomware from getting out. Think about all of these different points inside your network. And then if you're a slightly bigger company, you know, small businesses, according to the Small Business Administration, go up to 500 employees, that is a lot of data to analyze. Yeah. A lot of data to look at: false reports, false negatives, real positives that you have to drill into. Well, you don't want to have to go to half a dozen different panes of glass to figure out what happened. You don't want to have to go and look at the antivirus software, which failed too, by the way, because it always does. And then look, and hopefully you can look at the firewall logs. Hopefully you've got intrusion detection, intrusion prevention. Oh, hopefully you've got it all tied in, so it automatically cuts off that machine that's been compromised from the network. You know how many people have that? But what is being said here in this IBM study is that there was a reduction, a dramatic reduction, when security automation was put in place. [00:08:00] So that's what I'm talking about here, where it notices something, it detects something and shuts it down.
So we've got a client that has a location down in Mexico and they have their networks, or I should say, had their networks tied together. Now they didn't want to separate the networks because they had people in Mexico that were VPNing in and then they could get on a server locally up here in the Northeast and then do all of the work from there. And that way they don't have to keep these local servers up to date. Hopefully. Which they weren't, but, um, try and keep them up to date and control them through one Exchange server. So all of the accounts and stuff would just be in one place. And what happened is one of these workstations in Mexico got infected and it hopped right, right through the network [00:09:00] up to here in the Northeast, here in the US. That happens all the time. I've done pieces of training on VPNs and the right way to configure them and the right way to use them. Obviously, this was all wrong, but we had a very advanced Firepower firewall in there that was doing intrusion detection and prevention, and it noticed data starting to be taken out, exfiltrated is what it's called, via this link to Mexico. And after a few megabytes of data going out, it might've been a gigabyte or so, it said, wait, wait, wait, wait, wait. This isn't normal. And this isn't something that should be going on through to Mexico. Now they are in a different time zone. So the firewall was automatically taking that into account and figuring out how to tie it all together. [00:10:00] So it shut it down, just bam, and it no longer allowed that machine any access to the network up here in the US. Now since then we have tightened things up even more. They said, oh, okay. Well, we'll do what you told us to do 18 months ago. And it is now really quite secure, but that is because we had a fully integrated system. That's why we use Cisco. Cisco was the only company right now that has a soup-to-nuts platform and system that you can use that meets
all federal regulatory requirements. The only one. Now, you look at Symantec, they got some really fun stuff. They've got some nice stuff. Doesn't meet the federal requirement. You can look at SonicWall and they, man, it's like outcomes raiser, right? They really walk that fine tight line in what they say and what they provide. But having this type of automation in place, according to the IBM study here, now reduced the average total cost by $3.58 million from somebody trying to get in or getting in. [00:11:00] Now we like to make sure they never get in in the first place, but typically all of these automated systems that we're using, and that you could be using as well, will detect it almost immediately and will shut it down. So stick around. We've got more to talk about here. When it comes to this report, there are so many great stats about what's been happening. So stick around. We'll be right back. Thanks for listening and visit me online. Make sure you sign up, CraigPeterson.com/subscribe, and I promise, promise, promise, I just started sending out that newsletter again. We'll be right back.

---

More stories and tech updates at: www.craigpeterson.com
Don't miss an episode from Craig. Subscribe and give us a rating: www.craigpeterson.com/itunes
Follow me on Twitter for the latest in tech at: www.twitter.com/craigpeterson
For questions, call or text: 855-385-5553
The CyberPHIx Roundup is your quick source for keeping up with the latest cybersecurity news, trends and industry-leading practices, specifically for the healthcare industry. In this episode, our host Brian Selfridge highlights the following topics trending in healthcare cybersecurity this week: a review of the key healthcare cybersecurity findings in the 2020 IBM Cost of a Data Breach Report (formerly known as the Ponemon Data Breach Report); average healthcare breach costs, top sources of data breaches, and the most effective security interventions for reducing breach costs and impact; analysis and recommendations for healthcare security CISOs and programs to adjust based on this new data and related trends; details of a presidential executive order issued this week to promote rural telehealth access and incentives for Medicare populations; and a $53m federal stimulus proposed to improve cybersecurity and protect COVID-19 research data.
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-prevention-vs-detection-and-containment/) We agree that preventing a cyber attack is better than detection and containment. Then why are the overwhelming majority of us doing detection and containment? Check out this post for the basis for our conversation on this week's episode, which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and sponsored guest Steve Salinas (@so_cal_aggie), head of product marketing, Deep Instinct. Thanks to this week's podcast sponsor, Deep Instinct. Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct's on-device solution protects against zero-day, APT, ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution's wide covering platform play. On this episode of Defense in Depth, you'll learn: A recent Ponemon study notes that most security professionals agree that prevention is a better security strategy than detection and containment. Even with the acceptance that prevention is a better security posture, most security spending goes into detection and containment. By implementing firewalls, patching, and security training, many of us are already doing prevention, but may not classify it as such. Prevention is not nearly as expensive as creating a detect-and-respond security program. The two halves work in concert together. No prevention program can be perfect, and that's why you always need a detect-and-contain program as well. The reason you don't only go with detect and respond without prevention is that the flood of valid information will be too much for a security program to handle. There was a strong argument for detect and respond because it shows the products you spent money on are actually working.
This is not just to humor the security professional, but also to give some "evidence" to the senior executives. A lot of prevention comes down to the individual. But since it's so tough to get people to change behavior, there's less friction to just purchase another prevention tool to protect people from their own behavior. Prevention tools won't stop the attackers who sit dormant on a network waiting to attack. Their behavior has to be spotted with the use of detection and containment.
Today's episode of the Seamless Podcast kicks off our latest partner series with Dr. Larry Ponemon, CEO/Founder of the Ponemon Institute. Darin & Mike outline the format of this new show series, which will include expert guests discussing the hottest topics in CyberSecurity & Privacy. The Ponemon Institute conducts independent research on data protection and emerging information technologies. Show topics will include data collection, management and tips for enterprises on safeguarding information assets.
Brian Haugli: Livin' La Vida CISO According to our friends at Ponemon… in a 24-month period, a business has a 1 in 4 chance of being hit with a significant threat. A separate study shows that nearly 75% of businesses do NOT have an established incident response strategy that is applied consistently across their organization. In a crisis situation, the most scarce and precious resource a CISO has is time. How a CISO implements his or her OODA Loop can make or break a company and a career. What if you are a small or medium business that does not have a traditional C-suite structure or security team? What if you are a CISO and all eyes are on you? Will you be ready? Are you ready now? What if we told you that there are companies out there who can help your organization deal with these crisis situations without the process and expense of hiring a full-time CISO? In this episode of the InSecurity Podcast, Matt Stephenson talks with SideChannel Security co-founder and former CISO Brian Haugli. Brian has been around the CISO block more times than most and is the host of the #CISOLife series on YouTube. He is leading the charge to bring enterprise-level CISO talent to mid-market companies in order to protect their business and keep the bad guys out. About Brian Haugli Brian Haugli (@BrianHaugli) is a Co-Founder and Partner at SideChannel Security. He is also the creator and host of #CISOLife on YouTube. Viewed as a "full stack CISO", he is an executive security leader and mentor focused on building high-performance security teams, deploying effective operating models, and delivering risk management capabilities for global, domestic, and local enterprises. Brian has held senior advisory & practitioner roles within DoD, the Intelligence Community and Fortune 1000 companies. He has been recognized as a NIST expert, specifically with the Cyber Security Framework (CSF) and 800-53, and for industrial control systems & operational technologies.
Brian is a firm believer that small & mid-market companies deserve security guidance and realistic capabilities just the same as large organizations. About SideChannel Security SideChannel Security specializes in consulting for organizations that need CISO advice to protect their digital assets. They offer CISO & advisory services to the C-suite, their boards, and those accountable for security across their operations or their products. SideChannel Security has engaged in military operations under the DoD and consulted the largest companies in the world in Big 4 consulting. About Matt Stephenson InSecurity Podcast host Matt Stephenson (@packmatt73) leads the Security Technology team at Cylance, which puts him in front of crowds, cameras, and microphones all over the world. He is the regular host of the InSecurity podcast and host of CylanceTV. Twenty years of work with the world's largest security, storage, and recovery companies has introduced Stephenson to some of the most fascinating people in the industry. He wants to get those stories told so that others can learn from what has come. Every week on the InSecurity Podcast, Matt interviews leading authorities in the security industry to gain an expert perspective on topics including risk management, security control friction, compliance issues, and building a culture of security. Each episode provides relevant insights for security practitioners and business leaders working to improve their organization's security posture and bottom line. Can't get enough of InSecurity? You can find us at ThreatVector InSecurity Podcasts, Apple Podcasts and GooglePlay as well as Spotify, Stitcher, SoundCloud, I Heart Radio and wherever you get your podcasts! Make sure you Subscribe, Rate and Review!
The SecureWorld Sessions is a new cybersecurity podcast that gives you access to people and ideas that impact your career and help you secure your organization. Our featured interview is with Dr. Larry Ponemon, Founder and Chairman of the Ponemon Institute, which does IT and cybersecurity research around the globe. Topics include: AI in security, cost of a data breach, burnout, insider threat, security awareness, and code breaking! LINKS: • Ponemon Institute: https://www.ponemon.org • Free training - SecureWorld web conferences: https://www.secureworldexpo.com/resources?cat=web-conferences • Trend Micro research on the Risks of Open Banking: http://bit.ly/TM_OpenBanking • SecureWorld conference calendar: https://www.secureworldexpo.com/events
For the third consecutive year, small and medium-sized businesses (SMBs) have reported a significant increase in targeted cybersecurity breaches. A newly released global survey found that attacks against U.S., U.K., and European companies are growing in both frequency and sophistication. Further, nearly half (45%) of the 2,000 respondents described their organization's IT posture as ineffective, with 39% reporting they have no incident response plan in place. The 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses report underscores growing cybersecurity concerns, best illustrated through the year-over-year trends dating back to 2016. The survey, commissioned by Keeper Security, measured responses from 2,391 IT and IT security practitioners in the U.S., U.K., DACH, Benelux, and Scandinavia. "Cybercriminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs," said Dr. Larry Ponemon, chairman and founder, The Ponemon Institute. "More businesses are experiencing highly targeted, sophisticated, and severe cyberattacks than ever before, yet the results of our study show they aren't doing enough to close the gap," said Darren Guccione, CEO and co-founder of Keeper Security. "We sponsor this annual research with Ponemon because we want SMBs to understand that no target is too small for cybercriminals, and it's not enough to simply be aware of the cyber threats that exist. It's critical that these businesses take the next step toward cybersecurity preparedness and get a strong prevention strategy in place." Continue the conversation with Neil Hughes, Darren Guccione, and Larry Ponemon for an informative webinar where you'll learn about the biggest threats to SMEs in EMEA and the three easy actions you can take to protect your company. US (Oct. 30) - https://www.keeper.io/2019-ponemon-webinar-us UK & Europe (Oct 31) - https://www.keeper.io/2019-ponemon-webinar-emea
Gerry and Matt dig into the proposed federal regulation ‘Mind Your Own Business Act’ and how it could shape privacy. They examine how to build a cybersecurity culture at your organization, and reflect on the recently released Ponemon global report on SMB cybersecurity. As always they end with One Cool Thing. Show Notes Resources: Mind […] The post Federal Privacy Legislation, Cybersecurity Culture Best Practices, SMB Still Struggling appeared first on MUSC Podcasts.
Welcome Back! Businesses are being targeted by cybercriminals more and more; in fact, cyberattacks against US businesses are up 75%. Listen in to find out more. For more tech tips, news, and updates visit - CraigPeterson.com --- Related Articles: More Than Three-Quarters of US Businesses Are CyberAttack Targets --- Automated Machine-Generated Transcript: Craig 0:07 Hello, welcome back, Craig Peterson here on WGAN. And of course live streaming as well. We're on TuneIn, we're on iTunes, we're on SoundCloud, all of the audio places that you might want to listen to the podcast. And hey, if you're a podcast fan, I'd love it if you would give me a five-star rating; just go to CraigPeterson.com/itunes. And that will take you right to iTunes, still the 800-pound gorilla out there. And on iTunes, it will tell you right away, hey, here's Craig's podcast and you can rate me, hopefully, as I said, five stars. Leave a note about what you learn every week. And if you could, I'd love to hear from you. Tell me what it is you'd like me to cover on the show or maybe one of my trainings. And I would love you just to email it to me at CraigPeterson.com. But putting in a five-star review on iTunes is going to help us get this show out to a lot more people. And we continue to grow every week; I really appreciate that. We have a lot of people who have signed up for my weekly emails that I've been doing for years now. I've got about 3200 articles posted at CraigPeterson.com. Let me tell you, there's articles about almost everything there, including all of my latest, my latest podcast. So you'll find all of that there on my website, CraigPeterson.com. Also, if you sign up this week for my email list, I'm going to provide you with that 10-page password special report. And that's where I go through all kinds of details about passwords, and what you should be doing with passwords; I debunk the myth of the random passwords. It's the length that matters.
But I go into all the statistics, all of the new findings. And you know, some places are still going to require you to have those random passwords. And we take care of that for you as well with the password managers and things. So it is an absolute must-have; I would love it if you signed up. And you can do that by just going to CraigPeterson.com. Also, I send out reminders about the show via text message; I take questions there. And you can always text me now. If you want to be on that list where I'm sending out emergency alerts about emergency patches and things, you can just go ahead and text WGAN to 855-385-5553. This is my special insider SMS list. There are about 1000 people on it. And I'm glad to have you on that list. But I tell you about my latest newsletters when they come out, you can listen because I'll send you pointers to my podcast. And I will let you know when there's a major security vulnerability that you need to know about. So again, just text. You can send your email address, you can send your questions, but if you send WGAN I'll add you right to my list; just send WGAN to 855-385-5553. And you'll see this as well on the bottom of my screen, I got a lower third up that is going through and talking about some of this stuff. Anyhow, that makes that simple. Let's talk about businesses for a minute. Our businesses, of course, are the backbone of the economy, right? Without business, there would be no economy out there. And when we get right down to it, small business is really where things happen. Big businesses, let's face it, they are rarely innovating anymore. Most of these big businesses, and this even includes Apple, buy companies.
So what they do is they let these poor schmucks like me, who are going to invest every dime that we have that maybe we shouldn't be investing, the poor schmucks like me, figure out, okay, what works, what doesn't work, what is the market going to accept or not accept, and they may let us take some angel money, some venture capital money; by that point, the founder of the company is basically a slave working for nothing anymore. Because by the time that company is sold, all of the equity is going to be totally gone. It's a terrible, terrible process to go through. And I know guys that have gone through it. And one woman I know well who has gone through this, but you know, it's a real problem. And it's a real problem when these smaller businesses that are the backbone of the economy, we're the ones that create the most jobs, we're the ones that innovate, we're the ones that hope that maybe we'll get bought out, or maybe we'll have a cash cow, right? This is where we are betting our retirement, on our own businesses. And we, the small business person, are the major target of the bad guys. These hackers, don't you just want to kill them? These hackers out there, who are killing our businesses, who are taking away our retirement savings, that money that we needed so we're not going to be out on the street. Heaven knows if Social Security is going to survive. And if we get one of these socialists in power, then man, who knows what's going to happen; it's not going to be good, that's for sure. But we've got everything tied up in our businesses. And we have the bad guys coming after us. We were just talking a little bit earlier here about this one with the first two articles, and showing them to the camera right now: business email compromise attacks spike 269% over the last quarter; why you should lie in your password recovery questions. Passwords, passwords, passwords, right? Very big deal, because we're being attacked. Business email compromise is about businesses.
So now we've got an article from ZDNet that you'll find at CraigPeterson.com. And it's saying that 76% of US businesses, I'll pull this up on the screen for those people who are watching live or in replay, but 76% of US businesses have experienced a cyberattack in the last year. And small medium businesses, small medium enterprises in the US, are a favorite attack target for the cybercriminals. This is absolutely huge. The Ponemon Institute, these are guys that study these trends in the computer world, they study these trends when it comes to cybersecurity. But they have the 2019 Global State of SMB Cybersecurity report; I have a copy of that myself. And it's saying that 66% of small medium businesses worldwide have reported a cyberattack within the past 12 months. And 76% of those included in the survey are based in the United States. That is absolutely huge. 76% of US businesses have experienced a cyberattack. Have you? Do you know if you have experienced one? You know, most businesses don't know for about six months that they have been attacked. And by then, how are you going to be able to determine what was stolen, what they did, how they got in, right? Nothing's left, right? Your logs are all gone. Versus when we're doing this for companies that have requirements, federal government requirements and others, right, whether they're military or financial or medical practices, we know usually within six hours. And it is not just that we know within six hours that they've been attacked, but if they've been penetrated, we know it. And we've backed out any viruses or other malware that's penetrated, all within six hours versus six months, which is the norm in the US. So it's six months when you're using some of this, you know, the Norton software, some of these other pieces of antivirus software; they just don't work.
So this research was based on responses gathered from 2300 participants in the IT and cybersecurity industry, based in the US, UK and some other countries. So they're saying that for the third year in a row, SMBs are reporting a significant increase in cyber incidents. This is absolutely amazing. 69% of businesses in the US, 69%. So let's say 70%, let's round it to 70% of businesses in the US say that they have lost sensitive corporate or customer information within the last 12 months. 63%. That is huge. And I can tell you that it's got to be true, because we are seeing more and more businesses coming to us that need help because they have lost their intellectual property, or they've lost their customer information. Now that 69% of businesses that have lost sensitive corporate customer information, that 69% figure, it is an increase of 50% from four years ago. So it is going up, it is getting worse. And unfortunately most people don't know what to do. And I understand it, right? Because you're hearing these ads, you're seeing these ads, you're being told that you've been taken care of. But you're not. It's a very, very big deal. So you know, if you had your suspicions about whether or not your security was good enough, I can say with a fairly high degree of certainty it is not. Okay, okay, your security probably needs some help. So 45% of respondents said that their organization's IT posture is ineffective. And 40% said there's no formal incident response in place to deal with the aftermath of a breach. So if you're one of those companies that does not have an effective cybersecurity policy in place, which means multiple layers of security, it means logging, it means people looking at these alerts, well, you're not abnormal, because 45% of the respondents said they know they don't either. And you know what? The 55% that said that they did have an effective cybersecurity policy and procedures in place? They're lying, right?
Many of those are lying, it's just not true. So keep that in mind. Right? You're not alone there. You can get started. You can take care of these sorts of things. The most common forms of cyberattacks that SMEs are facing, this is again according to the Ponemon Institute: phishing, right, we talked about that already this show; compromised or stolen devices; and credential theft. So stolen devices are a particular problem in that a lot of employees are BYOD, bringing their own devices to work. And smaller companies probably aren't investing in the handsets for employees. So you can't ring-fence security there. There's a lot to talk about. If you have questions about this, as always, you can just email me at CraigPeterson.com; I'd be more than glad to talk to you about this stuff, send you a couple emails, send you some of the reports we might have, etc. Just me at CraigPeterson.com. And of course you'll find me online at CraigPeterson.com, and sign up right now this week. And you will get my cybersecurity special report on passwords, a 10-page special report on what to do and comparing password managers. You're listening to me on WGAN radio, online, CraigPeterson.com/YouTube or even Facebook. Transcribed by https://otter.ai
Our latest NCHICA Healthcare IT Trends Buzz Podcast features Ryan Witt, Managing Director of the Healthcare Industry Practice at Proofpoint. Ryan discusses the current state of cybersecurity, including: the alarming new trend in more targeted phishing attacks; a recent Ponemon study showing the average cost to recover from a breach is twice as much for the healthcare industry; and why people are the weakest link in an attack. Proofpoint is an email security vendor and provides its clients with an email gateway and employee training on safe email practices. At their upcoming session at the NCHICA annual conference, you will learn what job titles in healthcare are the most "attacked" by cyber criminals, and what you can do to mitigate the risk. Our podcast host is Janet Kennedy of Get Social Health.
On average, according to the 2019 Cost of a Data Breach Report, it takes 279 days to contain a data breach, up from 266 days last year. "I think it's true we're getting better at identifying data breaches," says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. However, at the same time as organizations improve their security postures, cybercriminals are becoming stealthier. While factors such as a lack of preparedness or third-party risk can amplify the cost of a data breach, the good news is that, according to the findings in this year's report, incident response strategy, encryption technology, and other factors can mitigate the financial impact of a breach. In fact, the combination of having an incident response team and testing that plan can save $1.2 million for a business. Dr. Ponemon returns to the podcast to discuss the lifecycle of a data breach, variations by industry and region, and why organizations are increasingly sensitive to privacy and data protection. For more security stories, visit SecurityIntelligence.com or follow IBM Security on Twitter and LinkedIn. Explore the 2019 Cost of a Data Breach Report at databreachcalculator.mybluemix.net.
Gerry and Steve discuss Zoom and Apple's response and actions from the Zoom fallout of silent local web servers on endpoints. The guys discuss the Ponemon report on third-party risk management in the healthcare industry. Finally they discuss the academic conference Gerry is currently attending in Charleston and feature a talk on Adversarial Attack Sampling […] The post Zoom Vulnerability Responses, Ponemon Report on 3rd Party Vendor Risk in Healthcare, Data and Privacy Security Academic Conference appeared first on MUSC Podcasts.
Jay Prassl: Patch Your $#!% Are ALL of your apps and OSes up to date? Are you sure? How can you tell? An American Dental Association study in 2008 found that if you don't brush your teeth you COULD DIE. The ADA recommends brushing your teeth twice a day for 4 minutes each time. What the hell does that have to do with anything? Stick around… According to Ponemon, nearly half of all companies they surveyed had suffered a breach. 57% of those companies were breached due to an unpatched vulnerability. A third of those companies KNEW they were vulnerable before the breach. The average company spends 321 labor hours a week managing their vulnerability response process. How's that compare to spending 4 minutes, twice a day brushing your teeth? Starting to feel the connection there? In 2017, WannaCry affected over 200,000 machines in 150 countries over a weekend. The attack weapon was developed using NSA tools built to exploit Windows vulnerabilities. What if I told you that Microsoft had released a patch for this vulnerability over a month before WannaCry hit? Speaking of Microsoft… our good friends at Tripwire tell us that, in 2015, Microsoft alone issued 2804 patches. That's roughly 56 patches every Tuesday… and that's JUST Windows OS & applications. Noodle on those numbers a bit… In this week's episode of InSecurity, Matt Stephenson spoke with Automox CEO Jay Prassl about the role that patching plays in every business's cybersecurity hygiene. He founded Automox based on one simple maxim: Patch Your $#!% When most of us think of key components in cybersecurity, we tend to think of things like ransomware attacks, security solutions that bog down your network or terrible things in TV and movies that sound technical but are actually ridiculous.
What if you had a way to keep your network clean and up to date by doing something as simple and boring as keeping your operating systems and applications up to date… Take a walk with Jay Prassl and see what you think. About Jay Prassl Jay Prassl (@jprassl) is the Founder and CEO of Automox. Jay founded Automox to pursue a vision: the complete automation of endpoint configuration, patching, management and inventory. Prior to Automox, Jay led the marketing efforts at SolidFire. Before that, he was employee number five at LeftHand Networks, where he spent 10 years breaking new ground in the storage market with the company's distributed SAN solution. He led multiple parts of the LeftHand business through its acquisition by HP. Somehow… when not saving the world through his pursuit of cyber hygiene… Jay finds time to bike, swim and surf. Some of these hobbies are required by state law in order to live in Boulder, Colorado. About Automox Automox (@AutomoxApp) was founded to pursue a disruptive new vision: the complete automation of endpoint configuration, patching, management and inventory. They are the only cloud endpoint management solution capable of remediating Windows, OS X, and Linux endpoints from a single platform. Automox's Dynamic Policy Engine allows IT managers to customize and group policies that ensure that every endpoint and software, regardless of location, meets regulatory and operational security requirements.
He wants to get those stories told so that others can learn from what has come Every week on the InSecurity Podcast, Matt interviews leading authorities in the security industry to gain an expert perspective on topics including risk management, security control friction, compliance issues, and building a culture of security. Each episode provides relevant insights for security practitioners and business leaders working to improve their organization’s security posture and bottom line. Can’t get enough of Insecurity? You can find us at ThreatVector InSecurity Podcasts, iTunes/Apple Podcasts and GooglePlay as well as Spotify, Stitcher, SoundCloud, I Heart Radio and wherever you get your podcasts! Make sure you Subscribe, Rate and Review!
Under this directive, agencies are continuing to prioritize cloud computing initiatives as part of their IT modernization plans. In partnership with Ponemon, Forcepoint surveyed cloud influencers within federal agencies to learn more about current cloud adoption trends across the federal government: where agencies are having success and what problems they are encountering, especially when it comes to securing the cloud. For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e31
What does it take to be cyber resilient? In the words of Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, a cyber resilient enterprise is "one that can prevent, detect, contain, and recover from a myriad of serious threats against data, applications and IT infrastructure." Dr. Ponemon joins co-hosts Pam Cobb and David Moulton to discuss findings of the 2019 Study on the Cyber Resilient Organization. He explains why Germany stands out as a case study for cyber resilience and how automation and support from senior-level executives go hand-in-hand with high performance. Plus, our hosts get into the ins and outs of sports ball (as it relates to cybersecurity, naturally). For more security stories, visit SecurityIntelligence.com or follow IBM Security on Twitter and LinkedIn.
A new survey by Ponemon and ServiceNow of nearly 3,000 cybersecurity professionals reveals that in the past 2 years, 48% of companies have experienced a data breach. Clearly companies can’t afford to forge blindly ahead, doing the same old “business as usual.” In this episode Bob Bragdon, Senior Vice President and Publisher of CSO, and Piero DePaoli, Sr. Director for Security and Risk at ServiceNow, explore the cost of conducting “business as usual.” Sponsored by ServiceNow
A new global survey by Ponemon and ServiceNow of nearly 3,000 cybersecurity professionals reveals that more than half of the companies surveyed have experienced a breach in the past year. In this session Bob Bragdon, Senior Vice President and Publisher of CSO, and Piero DePaoli, Sr. Director for Security and Risk, ServiceNow, explore how respondents in 2 specific industries – financial services and healthcare – are handling threats. The survey found that both sectors had similar responses regarding breaches: 45% of financial services companies have had one or more breaches in the last 2 years, versus 50% of healthcare organizations. But the survey also revealed that financial services organizations appear better at handling those breaches. Why is this the case? "First, [financial services organizations] are less dependent on manual processes," says Bragdon. "Only 55% of financial service firms use email and spreadsheets to manage their patch process versus 63% of healthcare organizations. Secondly, financial services firms are also more aware of known patch-related risks. Forty-seven percent of them were breached due to an unpatched known vulnerability versus 58% for healthcare organizations. Neither is stellar, but there's a clear difference." What's more, financial services has significantly more resources dedicated to cybersecurity. The average security headcount, for example, is 48, versus 22 in healthcare. "It's really clear that financial services institutions are significantly better funded for this," says DePaoli. "Security organizations in financial institutions tend to be more mature and they're also earlier adopters of newer technologies as they're really – they're likely to get targeted more than others and they really want to stay ahead of it." Sponsored by ServiceNow
A new global survey by Ponemon and ServiceNow of nearly 3,000 cybersecurity professionals reveals that more than half of the companies surveyed have experienced a breach in the past year. In this session Bob Bragdon, Senior Vice President and Publisher of CSO, and Cliff Huntington, head of global sales for governance, risk, and compliance at ServiceNow, explore how high-performing security teams prevent breaches and what other teams can do to emulate their success. One particular area deserves a close look: unpatched enterprise software. The survey revealed that a majority of cyber-attack victims say their breaches could have been prevented by installing available patches – and the survey also found that organizations can reduce their breach risk by 20% by scanning for vulnerabilities. "I think the survey absolutely exposed that there's a lot of low hanging fruit for adversaries," says Huntington. "That said, the same low hanging fruit for those adversaries could be an opportunity for these organizations to make themselves more secure." "The patching paradox usually applies to a few things," says Huntington. "So first of all, just throwing more resources at this problem doesn't necessarily solve it when you take a prioritized approach. It also refers to the fact that sometimes the simplest and most basic countermeasures, while not the sexy work that everyone wants to be doing, will actually provide the most risk reduction for the organization." "So if we can start to break down these siloes of process and ownership between IT and security, this will go a long ways towards unwinding this paradox," he notes. Sponsored by ServiceNow
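As an added worked example (not code from the survey, from ServiceNow, or from CSO), here is what a prioritized patch queue of the kind Huntington describes looks like when written down, in Python. Every inventory record, weight, tier threshold and SLA value is an assumption; the one real identifier, CVE-2017-0144, is the SMBv1 vulnerability behind WannaCry, used only so the ranking contains a recognisable in-the-wild case. The point it makes that the paragraph cannot: an internet-facing, actively exploited CVSS 8.1 finding outranks a CVSS 9.8 on an internal database, and a finding with no vendor fix stays visible with a deadline instead of dropping out of a spreadsheet.

```python
"""Risk-ranked patch queue over a constructed vulnerability inventory.

Added example; this is not code from the Ponemon/ServiceNow survey or from any
vendor. Each open finding is scored on exploitability and exposure rather than
on raw count or CVSS alone, then assigned a tier with a remediation deadline.
Weights, tiers, SLA days and every inventory record are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float            # vendor/NVD base score, 0-10 (assumed input)
    internet_facing: bool  # asset reachable from the internet
    known_exploited: bool  # exploitation observed in the wild
    patch_available: bool  # a vendor fix exists
    first_seen: date       # when the scanner first reported the finding
    crown_jewel: bool      # asset holds regulated or business-critical data


# Assumed SLA policy: days from first_seen to remediate, by priority tier.
SLA_DAYS = {"P1": 2, "P2": 14, "P3": 30, "P4": 90}

# Constructed inventory. CVE-2017-0144 is the SMBv1 flaw behind WannaCry; the
# PLACEHOLDER identifiers are not real advisories.
TODAY = date(2018, 6, 1)
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-2017-0144", 8.1, True, True, True, date(2017, 3, 14), False),
    Finding("db-02", "PLACEHOLDER-001", 9.8, False, False, True, date(2018, 5, 20), True),
    Finding("kiosk-07", "PLACEHOLDER-002", 5.3, False, False, False, date(2018, 1, 10), False),
    Finding("laptop-33", "PLACEHOLDER-003", 4.0, False, False, True, date(2018, 5, 30), False),
]


def risk_score(f: Finding, today: date) -> float:
    """Weighted urgency score; higher means patch sooner. Weights are assumed."""
    score = f.cvss
    if f.known_exploited:
        score += 4.0   # in-the-wild exploitation outweighs a high CVSS on its own
    if f.internet_facing:
        score += 2.0
    if f.crown_jewel:
        score += 1.5
    # Exposure window: one point per 30 days the finding has stayed open,
    # capped so age alone never outranks an actively exploited flaw.
    age_days = max((today - f.first_seen).days, 0)
    score += min(age_days / 30.0, 3.0)
    return round(score, 2)


def tier(score: float) -> str:
    """Map a score onto the assumed priority tiers."""
    if score >= 13.0:
        return "P1"
    if score >= 10.0:
        return "P2"
    if score >= 7.0:
        return "P3"
    return "P4"


def build_patch_queue(findings, today):
    """Return one dict per finding, most urgent first.

    Findings with no vendor fix stay in the queue flagged for mitigation rather
    than being dropped: a tracker that silently omits them is how a company
    ends up 'knowing it was vulnerable' and still getting breached."""
    queue = []
    for f in findings:
        s = risk_score(f, today)
        t = tier(s)
        due = f.first_seen + timedelta(days=SLA_DAYS[t])
        queue.append({
            "asset": f.asset,
            "vuln_id": f.vuln_id,
            "score": s,
            "tier": t,
            "due": due,
            "overdue": today > due,
            "action": "patch" if f.patch_available else "mitigate (no fix yet)",
        })
    queue.sort(key=lambda r: (-r["score"], r["due"]))
    return queue


def example_queue():
    """The sample inventory ranked as of TODAY."""
    return build_patch_queue(SAMPLE_FINDINGS, TODAY)


if __name__ == "__main__":
    for r in example_queue():
        flag = " OVERDUE" if r["overdue"] else ""
        print(f'{r["tier"]} {r["score"]:5.2f} {r["asset"]:10} {r["vuln_id"]:16} '
              f'{r["action"]:22} due {r["due"]}{flag}')
```

Run it as a script to print the ranked queue. The weights are deliberately simple; what matters is that the ranking is derived from an explicit, reviewable policy rather than from whichever spreadsheet row someone last looked at, and that every finding, fixable or not, carries a due date that can be measured against.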
A new global survey by Ponemon and ServiceNow of nearly 3,000 cybersecurity professionals reveals that more than half of the companies surveyed have experienced a breach in the past year. Compounding this issue: the volume of cyberattacks continues to increase, and the industry is facing a shortage of qualified security pros. But experts agree that hiring more people isn't necessarily the answer to solving this cyber threat puzzle. In this session Bob Bragdon, Senior Vice President and Publisher of CSO, and Myke Lyons, Security Transformational Leader at ServiceNow, explore the answers. Sponsored by ServiceNow
Want to know how to save money in a data breach? You have to have a plan before you have the data breach to keep you from making costly mistakes. Everyone knows a data breach can be expensive but there are studies that show us what makes them more expensive and what helps you save money. The annual Ponemon cost of a data breach study has been published. IBM sponsors the study each year and it is one of the best tools for us to prepare for the cost of a data breach. If you have any valuable data at all you should review the report to get an estimate of what the cost of a data breach would be for your organization. Let’s dig into some numbers and add a bit of perspective, shall we? Go to HelpMeWithHIPAA.com/164 for more details.
The 2018 Cost of a Data Breach Study from Ponemon Institute, released earlier this month, breaks down precisely what lost and stolen records could cost companies this year. So, there's no better time to chat with Dr. Larry Ponemon, founder of the Ponemon Institute, about historical highlights of the annual study, how things have changed in the last decade, and what's next for corporate data breaches and cybersecurity overall. To learn more, read the blog [https://ibm.co/2v8MnV1] and download the complete 2018 Cost of a Data Breach Study [https://ibm.co/2NDPVGc].
In what countries do businesses have the most mature encryption strategies? Which ones are encryption strategy laggards? Do the countries that are lagging in encryption strategy maturity also have weak encryption technologies? Or do they actually have stronger encryption solutions? And what types of personal data are encrypted most often by organizations, and which are more rarely encrypted? Financial data? Healthcare data? Something else? In this episode I discuss these, and many more, worldwide encryption trends with Dr. Larry Ponemon, who has done many years of extensive research on encryption trends. Dr. Ponemon covers some of the major findings and points from his 2018 Global Encryption Trends Study sponsored by Thales. Plus, I provide five important and compelling reasons why putting backdoors into encryption solutions, as many lawmakers are still trying to require, is a bad idea for security and privacy, and how it can also harm the national economy.
Mike Meikle, CEO of SecureHIM, brings us up to date on the latest in medical device cybersecurity. This issue (11:48):
Just how vulnerable are medical devices, and how common are hacks?
Recent hacks, including St. Jude and Airway Oxygen
Results of the Ponemon/Synopsys survey
Are there products you can buy to mitigate these vulnerabilities?
What other steps can healthcare providers take to shore up their medical device security?
This episode's prize question: what are the three steps Siemens takes to safeguard industrial cybersecurity? The answer is in the show. Listen to innovation stories and win an Apple Watch! Ximalaya's "Siemens FM 1847" (西门子调频1847) is launching an innovation storm. From September 1 to 20, a wave of feature episodes covers digital innovation, artificial intelligence, big data analytics, robotics, information security and other frontier topics. Prizes: first prize, 2 winners (your choice of an Apple Watch or a Meitu phone); second prize, 5 winners (Beats headphones or a Fujifilm Instax camera); third prize, 10 winners (a Mocha power bank). How to take part: on Ximalaya, subscribe to the "Siemens FM 1847" albums 《西有故事》 and 《科技不怕问》; listen to the September 1 to 20 episodes and answer the host's question in the comments; sharing the episode to WeChat Moments earns extra points. Prizes are awarded in order based on answer quality, number of answers and number of WeChat Moments shares. Notes: 1. The final list of winners will be announced in the September 22 episode. 2. Listeners who share the audio to WeChat Moments should send a screenshot by private message to the host "西门子调频1847", or add the WeChat account "siemensfm1847" and send the screenshot (remember to include your Ximalaya account name). 3. Siemens China reserves the right of final interpretation for this campaign.
In May this year the WannaCry worm ran rampant worldwide. After infecting a computer it demanded a ransom: victims had to pay bitcoin worth more than 2,000 RMB to unlock the files it had encrypted. The attack reportedly reached at least 150 countries and compromised hundreds of thousands of computers. The storm has passed, but the fear lingers. We asked Hu Jianjun, Director of Information Security at Siemens China Research, whether any computers in Siemens' office or production environments had been infected. The answer was reassuring: no sign of infection at all. But Hu also warned that if the 2010 Stuxnet incident opened the curtain on defending industrial cybersecurity, WannaCry has sounded the alarm again. Stuxnet was the first worm purpose-built to attack real-world critical (energy) infrastructure such as nuclear plants, dams and power grids; by 2011, according to the figures cited here, it had infected more than 45,000 networks worldwide and 60% of personal computers. WannaCry, as another milestone event, opened a Pandora's box: profit-driven attacks connected to the underground black-market economy. It will pose an even greater threat to industrial enterprises. Early this year the security research center Ponemon published a survey report on cybersecurity in the US oil and gas industry: more than two-thirds of respondents said they had suffered at least one security compromise in the past year that caused loss of critical information or a production disruption. Hu thinks that is actually the better situation. "At least they know someone is attacking them. The reality many of our customers face is that they don't know what is happening in their networks; they have no visibility at all into their networks and digital assets, and that is far more frightening. A common example: for a long time a company may feel that its network and systems are unstable, but not know whether it is a product-quality problem, a virus infection on the network, or an attack with abnormal traffic," he explained.
Industrial security is never achieved overnight. Siemens protects its customers' and its own industrial cybersecurity with the philosophy of "assess, implement, continuously monitor". "Assess" is the first step: understand the current state, just as staying healthy starts with a check-up. Siemens benchmarks against IEC 62443, China's national Multi-Level Protection Scheme (MLPS, 信息安全等级保护) and industry best practices to find the gaps and define the next actions. The second step, "implement", designs and deploys information security measures following the defense-in-depth principle, raising security to the target level on both the management and the technical side, like treating an illness with the right medicine. Traditional industrial security stopped here, but that only achieves static security, not continuous security. Siemens extended its approach by adding "continuous monitoring": using big-data correlation, it combines the plant's operating state with changes in the external environment to keep customers continuously at the target security level, like wearing a wearable device that continuously tracks your health. With leading technology and management, Siemens makes customers' critical digital assets visible, controllable and manageable.
"Appropriate security" is a widely accepted concept in industrial cybersecurity: a company does not need absolute security, only enough to meet its production needs. China divides information security protection into five levels, and most enterprises' needs fall at Level 2 or Level 3. The Siemens Industrial Security Operations Center in Suzhou has obtained Level 3 certification under the national MLPS, which means Siemens can provide industrial cybersecurity protection for enterprises whose protection requirement is Level 3 or below. Siemens is the first foreign-owned company in China to obtain this qualification.
The Total Tutor Neil Haley will interview Tom Kemp, Centrify CEO. About Tom Kemp: Tom Kemp is co-founder and CEO at Centrify. Under his leadership, the company has become one of the fastest growing security vendors in the industry with over 5,000 customers, including more than half of the Fortune 50. Prior to Centrify, Kemp held various executive, technical and marketing roles at NetIQ Corporation, Compuware Corporation, EcoSystems Software, and Oracle Corporation. Mr. Kemp was also an Entrepreneur in Residence at leading venture capital firm Mayfield. He holds a Bachelor of Science degree in Computer Science and History from the University of Michigan. Centrify redefines security from a legacy static perimeter-based approach to protecting millions of scattered connections in a boundaryless hybrid enterprise. As the only industry-recognized leader in both Privileged Identity Management and Identity-as-a-Service, Centrify provides a single platform to secure each user's access to apps and infrastructure through the power of identity services. This is Next Dimension Security in the Age of Access. Centrify is enabling over 5,000 customers, including over half the Fortune 50, to defend their organizations. The Ponemon study surveyed 448 individuals in IT operations and information security, 334 senior level marketing professionals and 549 consumers. The Security Effectiveness Score (SES) is determined by utilizing the Ponemon Institute's proprietary benchmark database, which consists of 2,012 separate data breach cases occurring over the past 12 years. The SES is derived from the rating of numerous security features or practices. This method has been validated from more than 50 independent studies conducted for more than a decade.
Linn Freedman, Partner at Robinson+Cole and Adjunct Professor of the Practice in Computer Science at Brown University, talks about the Ponemon Institute report, "Data Risk in the Third-Party Ecosystem". This episode is part of the Brown University Cybersecurity News Podcast. For program information, visit brown.edu/cybersecurity
Description: A discussion of the findings in the recently released study concerning healthcare breaches in 2014.
Glossary: A managed service provider (MSP) is a third-party contractor that is under contract (usually for a monthly fee) to provide ongoing technology support to other organizations.
Links:
Fourth Annual Benchmark Study on Patient Privacy and Data Security
Criminal Attacks: The New Leading Cause of Data Breach in Healthcare
FindHealthcareIT
HIPAAforMSPS.com
Kardon Compliance
Notes:
Represented in this study are 90 covered entities (CEs) and 88 business associates (BAs). This year is the first time BAs were added to the study data; the previous four years included only CEs.
A security incident is defined as a violation of an organization's security or privacy policies involving protected information such as social security numbers or confidential medical information.
A data breach is an incident that meets specific legal definitions per the applicable breach law(s). Data breaches require notification to the victims and may result in regulatory investigation, corrective actions, and fines.
Points to note:
There has been a 125% increase in breaches due to criminal attacks on healthcare data over the last 5 years.
Only 40% of healthcare organizations and 35% of BAs are concerned about cyber attackers, even though criminal attacks are now the number one cause of breaches and are increasing rapidly.
Security incidents that aren't breaches are also primarily criminal attacks: 78 percent of healthcare organizations' and 82 percent of BAs' security incidents.
87% of BAs had multiple security incidents in the past 2 years involving the exposure, theft or misuse of electronic information. 70% say they have had between 11 and 30 electronic-information security incidents. Most involved the exposure of fewer than 100 PHI records.
Medical identity theft has nearly doubled in five years, from 1.4 million adult victims to over 2.3 million in 2014.
Employee negligence remains a top concern when it comes to exposing patient data inappropriately.
Many victims of medical identity theft report they spent an average of $13,500 to restore their credit, reimburse their healthcare provider for fraudulent claims and correct inaccuracies in their health records.
According to the findings of this research, the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million. No healthcare organization, regardless of size, is immune from data breach. The average cost of a data breach to the BAs represented in this research is more than $1 million.
Even though organizations are slowly increasing their budgets and resources to protect healthcare data, they continue to believe not enough investment is being made to meet the changing threat landscape.
Interesting question details:
In this episode...
A joint Ponemon Institute & IBM Security study shows that, surprise surprise, developers are "neglecting security". The study only looked at mobile apps and app developers. Less than half (of those studied) test the mobile apps they build, and about 33% never test their apps.
http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
Illinois Bill SB1833 expands the definition of PII to include almost everything. It requires notification in the event of a breach of online browsing history, online search history, or purchasing history. Is this absurd, or just protecting our privacy?
http://www.eweek.com/developer/ibm-study-shows-mobile-app-developers-neglecting-security.html
The DOJ has jumped in and issued some sound, fundamental breach guidance, in 4 sections: what to do before, during and after a breach, plus what NOT to do after a breach. Fantastic fundamentals... great idea. The push to fundamentals is critical!
http://www.alstonprivacy.com/doj-issues-data-breach-guidance/
http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf
Mozilla is phasing out non-secure HTTP. HTTPS only is the way forward, so Mozilla (champions of liberty and all that) are leading the way.
https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/
First foreign hacker is convicted in the US: a Canadian kid who hacked and stole trade secrets and other sensitive info from video game companies. He pled guilty in September 2014 and faces a maximum 5-year prison sentence.
http://blogs.orrick.com/trade-secrets-watch/2015/04/30/first-foreign-hacker-is-convicted-in-the-united-states-of-hacking-crimes-involving-theft-of-trade-secrets-from-american-companies/
Throughout the world, companies are finding that data breaches have become as common as a cold but far more expensive to treat. With the exception of Germany, companies had to spend more on their investigations, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year. Will these costs continue to escalate? Are there preventive measures and controls that will make a company more resilient and effective in reducing the costs? Nine years of research about data breaches has made us smarter about solutions. Critical to controlling costs is keeping customers from leaving. The research reveals that reputation and the loss of customer loyalty does the most damage to the bottom line. In the aftermath of a breach, companies find they must spend heavily to regain their brand image and acquire new customers. Our report also shows that certain industries, such as pharmaceutical companies, financial services and healthcare, experience a high customer turnover. In the aftermath of a data breach, these companies need to be especially focused on the concerns of their customers. As a preventive measure, companies should consider having an incident response and crisis management plan in place. Efficient response to the breach and containment of the damage has been shown to reduce the cost of breach significantly. Other measures include having a CISO in charge and involving the company's business continuity management team in dealing with the breach. In most countries, the primary root cause of the data breach is a malicious insider or criminal attack. It is also the most costly.
In this year's study, we asked companies represented in this research what worries them most about security incidents, what investments they are making in security and whether they have a security strategy. An interesting finding is the important role cyber insurance can play not only in managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite: those companies with good security practices are more likely to purchase insurance. Global companies also are worried about malicious code and sustained probes, which have increased more than other threats. Companies estimate that they will be dealing with an average of 17 malicious code incidents each month and 12 sustained probes each month. Unauthorized access incidents have mainly stayed the same, and companies estimate they will be dealing with an average of 10 such incidents each month. When asked about the level of investment in their organizations' security strategy and mission, on average respondents would like to see it doubled, from what they think will be spent (an average of $7 million) to what they would like to spend (an average of $14 million). This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture can result in a financially stronger company. About the speaker: Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy, data protection and information security practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. Security Magazine has named Dr. Ponemon as one of the "Most Influential People for Security." Dr.
Ponemon was appointed to the Advisory Committee for Online Access & Security for the United States Federal Trade Commission. He was appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. Dr. Ponemon was also appointed to two California State task forces on privacy and data security laws. He serves as chairman of the Government Policy Advisory Committee and co-chair of the Internet Task Force for the Council of American Survey and Research Organizations (CASRO). Dr. Ponemon was a senior partner of PricewaterhouseCoopers, where he founded the firm's global compliance risk management group. Prior to joining Price Waterhouse as a partner, Dr. Ponemon served as the National Director of Business Ethics Services for KPMG Peat Marwick, and was appointed Executive Director of the KPMG Business Ethics Institute. Dr. Ponemon has held chaired (tenured) faculty positions and published numerous articles and learned books. He has presented hundreds of keynote speeches or learned presentations at national or international conferences on privacy, data protection, information security, corporate governance, and responsible information management. Dr. Ponemon is an active member of the International Association of Privacy Professionals, serving as a founding member of the Certified Information Privacy Professional (CIPP) Advisory Board. Dr. Ponemon earned his Ph.D. at Union College in Schenectady, New York. He has a Master's degree from Harvard University, Cambridge, Massachusetts, and attended the doctoral program in system sciences at Carnegie Mellon University, Pittsburgh, Pennsylvania. Dr. Ponemon earned his Bachelor's with Highest Distinction from the University of Arizona, Tucson, Arizona. He is a Certified Public Accountant and a Certified Information Privacy Professional.
CFO’s Russ Banham discusses data security and cyber breaches with Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute, a research organization focused on privacy, data protection, and cyber security. Hear Dr. Ponemon talk about his previous work with technology and security risks, how his organization identifies data issues and opportunities across the globe, and what cost effective measures can be taken to protect against breaches.
Dr. Larry Ponemon, is a pioneer in the development of privacy audits, privacy risk management and ethical information management. He is the chairman and founder of The Ponemon Institute. Based upon his vast experience in the fields of corporate governance, privacy compliance, data protection and business ethics, he consults with leading multinational organizations on global privacy management programs. Dr. Ponemon was appointed to the Advisory Committee for Privacy for the United States Federal Trade Commission and to two California State task forces on privacy and data security laws. He was recently appointed by the Governor of Arizona to serve as public member of State Board of Optometry. He has held chaired faculty positions at Babson College and SUNY Binghamton and he's published dozens of articles and five learned books. He is a frequent media commentator on privacy and other business ethics topics for CNN, Fox News, CBS, CNBC, MSNBC, The Wall Street Journal, New York Times, Washington Post, USA Today, Financial Times, Business 2.0, Newsweek, Business Week, U.S. News & World Report, Computerworld, CIO Magazine, Industry Standard, Boston Globe, InfoWorld, InformationWeek, Forbes, Fortune, CFO Magazine, Red Herring, Dow Jones News and others. His research studies are well respected and have a profound impact on the manner in which corporations are changing their approach to important privacy issues. You can learn more at www.ponemon.org
SecuraBit Episode 79: Back to the basics with Marcus Carey! April 6, 2011
Hosts: Christopher Mills – @thechrisam; Jason Mueller – @securabit_jay; Tony Huffman – @myne_us
Guests: Marcus J. Carey – @iFail, http://hackersforcharity.org/
General topics:
NEWS:
Epsilon:
http://www.pcworld.com/businesscenter/article/224192/epsilon_data_breach_expect_a_surge_in_spear_phishing_attacks.html
http://www.eweek.com/c/a/Security/Epsilon-Data-Breach-Highlights-Cloud-Computing-Security-Concerns-637161/
http://threatpost.com/en_us/blogs/list-companies-hit-epsilon-breach-040511
https://threatpost.com/en_us/blogs/epsilon-data-breach-expands-include-capital-one-disney-others-040411
http://www.epsilon.com/News%20&%20Events/Press_Releases_2011/Epsilon_Notifies_Clients_of_Unauthorized_Entry_into_Email_System/p1057-l3
"On March 30th, an incident was detected where a subset of Epsilon clients' customer data were exposed by an unauthorized entry into Epsilon's email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway," the statement said.
LizaMoon:
http://threatpost.com/en_us/blogs/counterspin-lizamoon-web-attacks-no-big-deal-040511
In a post on Cisco's security blog, senior security researcher Mary Landesman said that data from the company's ScanSafe Web security infrastructure suggests that just over 1,000 Web domains have been compromised using the SQL injection attack, not the 500,000 to 1.5 million cited in published reports.
https://threatpost.com/en_us/blogs/widespread-lizamoon-web-attacks-push-rogue-antivirus-040111
"Websense researchers wrote on Thursday that a Google search for Web sites hosting the malicious URLs identified over 1.5 million Web sites hosting the code"
Pandora.com data leak:
http://threatpost.com/en_us/blogs/pandora-mobile-app-transmits-gobs-personal-data-040611?utm_source=Home+Page&utm_medium=Top+Graphic+Bar&utm_campaign=Position+3
"The data included both the owner's GPS location and tidbits like the owner's gender, birthday and postal code information. There was evidence that the app attempted to provide continuous location monitoring - which would tell advertisers not just where the user accessed the application from, but also allow them to track that user's movement over time."
RSA attack:
http://threatpost.com/en_us/blogs/rsa-securid-attack-was-phishing-excel-spreadsheet-040111
"The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn't consider these users particularly high profile or high value targets. The email subject line read '2011 Recruitment Plan'," Uri Rivner, head of new technologies in the identity protection division of RSA, wrote in a post on the attack.
http://www.nsslabs.com/research/analytical-brief-rsa-breach.html
3/4 of Energy Firms Had a Data Breach over the last year:
http://threatpost.com/en_us/blogs/study-three-four-energy-firms-had-data-breach-last-year-040511
Long perceived to be beyond the attention of hackers, energy firms and utilities now report that they are being targeted. In the Ponemon study, 76% of the IT security staff interviewed reported that their organization had experienced "one or more data breaches" in the last 12 months. A similar number - 69% - said they felt a data breach was likely to occur in the next 12 months, Ponemon said.
Comodo, what really happened:
https://threatpost.com/en_us/blogs/phony-ssl-certificates-issued-google-yahoo-skype-others-032311
http://pastebin.com/uSdKNDN5
"I found out that TrustDll.dll takes care of signing. It was coded in C#. Simply I decompiled it and I found username/password of their GeoTrust and Comodo reseller account."
FBI asks for help on cracking a code:
http://www.h-online.com/security/news/item/FBI-asks-for-help-cracking-a-code-in-unsolved-murder-case-1220007.html
Other Stories:
http://www.techdirt.com/articles/20110401/13241213732/exploit-hadopi-site-turns-it-into-pirate-bay-supporter.shtml
http://news.softpedia.com/news/Google-Chrome-to-Block-Malicious-Downloads-193386.shtml
Use our discount code "Connect_SecuraBit" to get $150.00 off of ANY training course. The discount code is good for all SANS courses in all formats.
Upcoming events:
ThotCon (15 Apr 2011)
#BSidesChicago (16 - 17 Apr 2011)
#BSides London (20 Apr 2011)
CEIC Orlando (15 – 18 May 2011)
#BSidesROC Rochester, NY (21 May 2011)
#BSidesDetroit (3 - 4 Jun 2011)
#BSidesStJohns St. John's, NL (10 Jun 2011)
#BSidesCT Meriden, CT (11 Jun 2011)
FIRST Austria (12 - 17 June 2011)
#BSidesVienna (18 June 2011)
Toorcon (18 - 19 June 2011)
#BSidesLasVegas (3 - 4 August 2011)
BlackHat Vegas (3 - 4 August 2011)
DEFCON 19 (4 - 7 August 2011)
#BSidesLA Los Angeles, CA (18 - 19 August 2011)
#BSidesMO (21 Oct 2011)
#BSidesNewDelhi (22 - 23 October 2011)
VB Barcelona (October 2011)
Links:
http://www.securabit.com
Chat with us on IRC at irc.freenode.net #securabit
iTunes Podcast - http://itunes.apple.com/us/podcast/securabit/id280048405
iPhone App Now Available - http://itunes.apple.com/us/app/securabit-mobile/id382484512?mt=8
Join Daniel for a Thanksgiving Special with Janet Attwood, Chris Attwood, Debra Ponemon and Marci Shimoff – "Discover Your Destiny". Find out from some of the best names in the industry what it takes to open your heart to a new, exciting and connected life! This will be a 90 minute live show and we will welcome your calls, so mark your calendars and join us for a day of Thanksgiving and discovering your destiny!
Dr. Larry Ponemon is a pioneer in the development of privacy audits, privacy risk management and ethical information management. He is the chairman and founder of The Ponemon Institute. Based upon his vast experience in the fields of corporate governance, privacy compliance, data protection and business ethics, he consults with leading multinational organizations on global privacy management programs. Dr. Ponemon was appointed to the Advisory Committee for Privacy for the United States Federal Trade Commission and to two California State task forces on privacy and data security laws. Dr. Ponemon was recently appointed by the Governor of Arizona to serve as public member of the State Board of Optometry. Dr. Ponemon has held chaired faculty positions at Babson College and SUNY Binghamton and he has published dozens of articles and five learned books. He is a frequent media commentator on privacy and other business ethics topics for CNN, Fox News, CBS, CNBC, MSNBC, The Wall Street Journal, New York Times, Washington Post, USA Today, Financial Times, Business 2.0, Newsweek, Business Week, U.S. News & World Report, Computerworld, CIO Magazine, Industry Standard, Boston Globe, InfoWorld, InformationWeek, Forbes, Fortune, CFO Magazine, Red Herring, Dow Jones News and others. His research studies are well respected and have a profound impact on the manner in which corporations are changing their approach to important privacy issues. You can learn more at our website and Dr. Ponemon's website at www.ponemon.org.
Attention: Women “Manifest Your Deepest Most Heart-Felt Desires and Embrace Your True Purpose In Just 48 Hours.....With 13 of the Most Powerful, Like minded and Awakened Women On the Planet” This is your exclusive and personal invitation to discover your true inner secret to success... attract more money, enjoy greater satisfaction, work shorter hours, and banish stress, worry and that niggling feeling that you’re not living up to your true potential... once and for all. Even though these are all women mentors, make no mistake, men, you are invited too!
Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. Ponemon Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in various industries. In addition to Institute activities, Dr. Ponemon is an adjunct professor for ethics and privacy at Carnegie Mellon University's CIO Institute. He is a founding board member of the Unisys Corporation's Security Leadership Institute. Dr. Ponemon consults with leading multinational organizations on global privacy management programs. He has extensive knowledge of regulatory frameworks for managing privacy and data security including financial services, health care, pharmaceutical, telecom and Internet. Dr. Ponemon was appointed to the Advisory Committee for Online Access & Security for the United States Federal Trade Commission. He was recently appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. Dr. Ponemon was also appointed to two California State task forces on privacy and data security laws. Dr. Ponemon is a member of the National Board of Advisors of the Eller College of Business and Public Administration, University of Arizona. He serves as Chairman of the Government Policy Advisory Committee and Co-Chair of the Internet Task Force for the Council of American Survey and Research Organizations (CASRO). Dr. Ponemon was a senior partner of PricewaterhouseCoopers, where he founded the firm's global compliance risk management group. Prior to joining Price Waterhouse as a partner, Dr. Ponemon served as the National Director of Business Ethics Services for KPMG Peat Marwick, and was appointed Executive Director of the KPMG Business Ethics Institute. Dr. Ponemon has held chaired (tenured) faculty positions and published numerous articles and learned books. He has presented more than 500 keynote speeches or learned presentations at national or international conferences on privacy, data protection, information security, corporate governance, and responsible information management. Dr. Ponemon is an active member of the International Association of Privacy Professionals, serving as founding member of the Certified Information Privacy Professional (CIPP) Advisory Board. Dr. Ponemon is column editor for Computerworld, CSO Magazine, BNA, Dark Reading and other leading publications. He is a frequent commentator on privacy and business ethics for CNN, Fox News, MSNBC, The Wall Street Journal, New York Times, Washington Post, USA Today, Financial Times, Business 2.0, Newsweek, Business Week, U.S. News & World Report, CIO Magazine, Industry Standard, Boston Globe, InfoWorld, InformationWeek, Forbes, Fortune, CFO Magazine, Red Herring, Dow Jones News and others. Dr. Ponemon earned his Ph.D. at Union College in Schenectady, New York. He has a Master's degree from Harvard University, Cambridge, Massachusetts, and attended the doctoral program in system sciences at Carnegie Mellon University, Pittsburgh, Pennsylvania. Dr. Ponemon earned his Bachelor's with Highest Distinction from the University of Arizona, Tucson, Arizona. He is a Certified Public Accountant (active license in Texas). Dr. Ponemon is a veteran (Vietnam War era) of the United States Navy. He is married and has two sons.
Dr. Lawrence A. Ponemon is the Chairman and Founder of the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy risk management and the development of the Responsible Information Management or RIM framework. Ponemon Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in various industries. In addition to Institute activities, Dr. Ponemon is an adjunct professor for information ethics and privacy at Carnegie Mellon University's CIO Institute and is faculty of CyLab. He serves on the Unisys Corporation's Security Leadership Institute Board and the IBM Privacy Management Council. Dr. Ponemon is a member of the National Board of Advisors of the Eller College of Business and Public Administration, University of Arizona. He serves on the Government Policy Advisory Committee and as Co-Chair of the Internet Task Force for the Council of American Survey and Research Organizations (CASRO). Dr. Ponemon earned his Ph.D. at Union College in Schenectady, New York. He has a Master's degree from Harvard University, Cambridge, Massachusetts, and attended the doctoral program in system sciences at Carnegie Mellon University, Pittsburgh, Pennsylvania. Dr. Ponemon earned his Bachelor's with Highest Distinction from the University of Arizona, Tucson, Arizona. Please visit Dr. Ponemon's web site: www.ponemon.org
Susan Jayson is executive director and co-founder of Ponemon Institute, LLC. In this role, Susan is responsible for managing the Institute's operations, including research on privacy and information management issues. Susan's background includes marketing, investor relations and corporate communications for such leading organizations as KPMG Peat Marwick, Arthur Andersen and the Financial Relations Board.
David Bender has extensive experience in contracting, litigation and counseling. He co-chairs the Privacy Practice Group and has been active in counseling on matters regarding privacy and data protection. He negotiates and drafts all types of agreements relating to Internet, computer software and hardware matters. He also litigates computer-related disputes and directs privacy audits and intellectual property due diligence investigations. Susan Jayson is executive director and co-founder of Ponemon Institute, LLC. In this role, Susan is responsible for managing the Institute's operations, including research on privacy and information management issues. Susan's background includes marketing, investor relations and corporate communications for such leading organizations as KPMG Peat Marwick, Arthur Andersen and the Financial Relations Board. Dr. Lawrence A. Ponemon is the Chairman and Founder of the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy risk management and the development of the Responsible Information Management or RIM framework.
Dr. Lawrence A. Ponemon is the Chairman and Founder of the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy risk management and the development of the Responsible Information Management or RIM framework. Ponemon Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in various industries. In addition to Institute activities, Dr. Ponemon is an adjunct professor for information ethics and privacy at Carnegie Mellon University's CIO Institute and is faculty of CyLab. He serves on the Unisys Corporation's Security Leadership Institute Board and the IBM Privacy Management Council. This interview focuses on recent surveys of Americans' perceptions of surveillance, outsourcing, and workplace privacy.