There’s generally not much love lost between credit card companies and retailers that rely heavily on credit card transactions. The card companies recently began embedding chips in their cards, a move that forced every retailer to upgrade its point-of-sale (PoS) systems at great expense. The theory is that chip cards are more secure, although not because the data on the card is encrypted: the chip computes a one-time cryptogram for each transaction, so what a skimmer captures at a terminal cannot simply be replayed. A magnetic stripe, by contrast, presents the same static track data on every swipe, and a copy is as good as the card. Yet regardless of whether a card has a chip, every card still has a magnetic stripe on the back. That was intended to make it simpler for retailers to make the required PoS system upgrades over an extended period; after all, not everyone could be issued a new card overnight. It has also turned out that the PoS upgrade process has been deeply flawed.
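To make the stripe-versus-chip distinction concrete, here is an added example (not code from the original post or from any card network) modelling the two authorization paths in Python. It is a deliberate simplification of the EMV idea, not the EMV specification: the card key, PAN, track data, terminal nonces and amounts are constructed sample values, and the "cryptogram" is an HMAC over the card's transaction counter, the terminal's nonce and the amount.

```python
"""Toy model: replaying a magnetic stripe versus replaying a chip cryptogram.

Assumption: this is a simplified illustration of the EMV transaction-cryptogram
idea, not the EMV specification. All values below are constructed samples.
"""
import hmac
import hashlib

PAN = "4111111111111111"                 # well-known test PAN (constructed sample)
TRACK2 = PAN + "=2512101"                # static track-2 style data: PAN, expiry, service code
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # chip-resident secret (constructed)


def _mac(key, pan, atc, unpredictable_number, amount):
    """Cryptogram: a MAC binding the card, its counter, the terminal nonce and the amount."""
    msg = f"{pan}|{atc}|{unpredictable_number.hex()}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class MagstripeIssuer:
    """Authorizes on the static track data alone, as a stripe-only path does."""

    def __init__(self, enrolled_track):
        self._track = enrolled_track

    def authorize(self, presented_track, amount):
        # Nothing binds the track data to this transaction: a skimmed copy authorizes.
        return presented_track == self._track


class ChipCard:
    """Holds a secret key and a transaction counter (ATC); emits one cryptogram per transaction."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self.atc = 0

    def generate_cryptogram(self, unpredictable_number, amount):
        self.atc += 1
        return self.atc, _mac(self._key, self.pan, self.atc, unpredictable_number, amount)


class ChipIssuer:
    """Recomputes the cryptogram with its copy of the card key and rejects reused counters."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enroll(self, pan, key):
        self._keys[pan] = key
        self._last_atc[pan] = 0

    def authorize(self, pan, atc, unpredictable_number, amount, cryptogram):
        key = self._keys.get(pan)
        if key is None:
            return False
        expected = _mac(key, pan, atc, unpredictable_number, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False          # wrong key, tampered amount, or a different terminal nonce
        if atc <= self._last_atc[pan]:
            return False          # counter already consumed: replay of an old transaction
        self._last_atc[pan] = atc
        return True


def demo():
    """Returns (stripe_replay_ok, chip_first_ok, chip_replay_other_nonce_ok, chip_replay_same_nonce_ok)."""
    # A skimmer captures the stripe once; the issuer cannot tell the copy from the card.
    stripe_issuer = MagstripeIssuer(TRACK2)
    stripe_replay_ok = stripe_issuer.authorize(TRACK2, 4999)

    # Chip path: the terminal supplies a nonce (a real terminal draws it at random;
    # fixed here so the run is deterministic), the card supplies counter + cryptogram.
    card = ChipCard(PAN, CARD_KEY)
    issuer = ChipIssuer()
    issuer.enroll(PAN, CARD_KEY)
    un1 = bytes.fromhex("1a2b3c4d")
    atc, crypt = card.generate_cryptogram(un1, 4999)
    chip_first_ok = issuer.authorize(PAN, atc, un1, 4999, crypt)

    # Attacker captured (atc, un1, crypt) at the terminal and presents it again.
    un2 = bytes.fromhex("5e6f7081")
    replay_other_nonce = issuer.authorize(PAN, atc, un2, 4999, crypt)   # MAC no longer matches
    replay_same_nonce = issuer.authorize(PAN, atc, un1, 4999, crypt)    # counter already used
    return stripe_replay_ok, chip_first_ok, replay_other_nonce, replay_same_nonce


if __name__ == "__main__":
    print(demo())
```

The stripe replay is authorized while both chip replays are refused: what the skimmer takes from the stripe is the credential itself, whereas what it takes from the chip is a one-time proof bound to a counter and a nonce it cannot reuse. Two caveats follow directly from the model: it does nothing for card-not-present fraud, where no chip is read at all, and a terminal that accepts the stripe as a fallback reopens the replay path, which is exactly the gap the leftover magnetic stripe creates.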
Ascribing a real cost to a cybersecurity breach is a major challenge because the impact goes well beyond any tangible cost. In addition to the value of the data stolen and the time and money spent defending the environment, the damage to a corporate brand can be substantial.
A new report from Oxford Economics, commissioned by the cybersecurity firm CGI, does, however, estimate that billions of dollars in shareholder value has been erased as a direct result of cybersecurity attacks. Once an organization reveals it has been the victim of an attack, investors tend to lose confidence, and before long the company finds itself victimized a second time as the value of its shares falls.
Despite a material impact measured in billions of dollars, organizations are still conflicted over who is responsible for IT security. A recent report published by BAE Systems found that a third of C-level executives believe responsibility for data breaches lies squarely with the IT organization, while 50 percent of the IT professionals participating in the same survey said responsibility for those breaches resides with senior management.
With all the news and drama emanating from Washington these days, it’s easy to miss the fact that a major leader of the cybersecurity community in the healthcare sector has told Congress just how bad cybersecurity really is across that entire industry.
Testifying before the Subcommittee on Oversight and Investigations of the House Committee on Energy and Commerce this week, Terence M. Rice, Vice President and Chief Information Security Officer (CISO) at Merck & Co., Inc., called on Congress to implement a series of systematic actions to help mitigate a crisis affecting the entire healthcare industry. Those actions include:
IT security is routinely listed as the number one barrier to adoption of cloud computing. Despite those concerns, adoption of cloud services continues to grow at unprecedented rates. In fact, while there have been some major breaches, virtually none of them has involved a provider of a cloud service used to deliver applications.
That doesn’t mean IT security professionals don’t have legitimate concerns, but it can be argued that in the absence of any compelling example many of those concerns remain theoretical. This week Crowd Research Partners published a survey of 1,900 cybersecurity professionals who participate in an information security community hosted on LinkedIn, and it goes a long way toward detailing what the potential issues with cloud security really are.
Top concerns include protection against data loss (57%), threats to data privacy (49%) and breaches of confidentiality (47%). Organizations are also realizing that legacy security tools were not designed for the cloud (78%) and that lack of visibility into cloud infrastructure is the single biggest security management headache they face (37%).
The biggest beneficiary of any changes to the rules and regulations governing how Internet service providers (ISPs) can resell the data they collect about their customers’ browsing habits may very well turn out to be providers of virtual private network (VPN) services.
The U.S. Senate recently voted along party lines to revoke rules created by the Federal Communications Commission (FCC) that, had they taken effect, would have required ISPs to get explicit permission before selling customer data to brokers, which in turn sell that information to companies that want to better target their advertising.
That bill also goes a step further in that it prevents the FCC from making any similar regulations in the future. Instead, all rulings relating to privacy will be in the hands of the Federal Trade Commission (FTC), the agency that has handled consumer privacy matters dating back to the 1970s. A bill similar to the one the Senate passed is now winding its way through the U.S. House of Representatives. If it passes, a conference committee would resolve any inconsistencies between the two versions before the result is sent to the president for signature. Assuming there is no veto, the law could be in place before the end of this year.
The revelation this week that the breach of more than 500 million user accounts at Yahoo was, to one degree or another, state-sponsored shouldn’t come as much of a surprise to most IT security professionals. The line between cybercrime and cyber espionage has been blurring for years. Unfortunately, intelligence agencies that already operate outside the law have few qualms about hiring cybercriminals to achieve their primary goals. It’s apparently only when some of those spies use the cybercriminals they hired to enrich themselves or to blackmail other government officials that any official form of outrage manifests itself.
Of course, it’s hard to say with absolute certainty who did what to whom first in the case of the Yahoo breach. One of the alleged masterminds of the attack is reportedly already in a Russian prison for using the same cybercriminal techniques to hack into both Russian commercial businesses and government agencies and then allegedly sharing those secrets with foreign intelligence agencies.
The fact that the Central Intelligence Agency (CIA) has a collection of exploits for hacking into anything connected to the Internet should not come as much of a surprise to IT security professionals. After all, intelligence agencies around the world have been developing and aggregating such exploits for years, and many of them were acquired one way or another from cybercriminals. Most are quite sophisticated, but in many cases the vulnerabilities they target have already been addressed by the affected technology vendors.