Thursday, December 24, 2015

Technology is Transforming Business!

Technology has long been leveraged for business, but its rapid growth in capability is transforming it into a competitive advantage in the workplace and in global markets.
The Economist Intelligence Unit report interviewed 608 business executives globally, over half from companies with $500 million or less in annual revenue, across the functions Finance, HR, Marketing & Sales, IT and Other.  Big, intelligent data compels rapid and complex analysis, global collaboration and equally expedient decision making.  In this continuously changing environment, nearly 25% report requiring continuous / annual education to reskill based on demand.  As if being productive isn't enough, being more efficient coincides with it (over 30% reported they are able to do more with technology). However, the extra time that results should not translate into taking on more work; it should go to skills retention, for example.  Individuals need to be multi-dimensional and accept ambiguity, and to realize that real-time data is only as good as the founded/established analytics behind it...

By the numbers, according to the Economist Intelligence Unit report on trends in technology and business:

  • 45% cite not having enough time to achieve goals, followed by 28% citing insufficient financial resources and 26% lack of opportunity
  • Regarding workload over the next 18 months, 49% say it will increase slightly, followed by 25% increase significantly and 23% decrease slightly
  • New technology is expected to: 49% do more in less time, 48% work remotely, 40% free up time for creativity and strategy
  • Realization of professional goals is best served by which technology: 49% email, 25% mobile phones, 19% online collaboration tools
  • 75% of respondents expect face-to-face meetings to continue as is and 77% expect travel to remain (again, status quo)
  • Educational / skills investment is essential given the prediction that 45% of jobs can be automated in the near future
  • Time in current career: 36% more than 20 years, 20% 10-15 years, 18% 5-10 years
  • Success in current career: 53% somewhat successful, 33% very successful, 9% neither successful nor unsuccessful
  • Realization of potential: 56% largely realized, 20% halfway, 18% fully realized
  • Optimism about growth prospects in current career: 44% somewhat optimistic, 28% very optimistic, 21% neutral
  • Top personal goals in the next 18 months: 41% improve relationships, 33% have more time for leisure, 30% spend more time with family

Wednesday, December 23, 2015

Refreshing Breach Notification - Legislation

In 2015, about 33 states introduced bill updates / addendums for security breach notification, including reporting to the attorney general or a similar central agency for items related to personal information such as biometric, medical and insurance data (and requiring educational institutions to notify parents when a breach occurs).
This leaves only Alabama, New Mexico and South Dakota without breach notification laws.  Let's take a peek at some notable states:

  • For Illinois, data is to include geolocation information and privacy policies are to be posted as per HB 3188 (amendments pending).  Additionally, the pending HB 3652 Personal Information Protection Act would cover private contact information and its transfer, although SB 1833 failed due to a veto in September
  • California AB 259 requires that breach notifications related to SSN, driver's license number or California card number provide identity theft prevention and mitigation services for at least 12 months without fee.  AB 739 (currently pending) calls for breach notification if data is reasonably believed to have been acquired, unless it was encrypted as per existing law according to AB 964.  And SB 34 states proper protection / safeguards for automated license plate recognition operators.  Finally, SB 570 requires expedient breach notification upon compromise.
  • Hawaii SB 1186 prevents notification via email if login credentials were compromised
  • New York SB 4887 and Massachusetts SB 124 include biometric information in security breach law
  • Tennessee HB 193 requires notification of the comptroller of the treasury upon unauthorized acquisition of computerized data related to the security, confidentiality, or integrity of a computer information system
  • Virginia HB 2362 requires the Chief Information Officer of the Commonwealth to develop protection and notification for confidential data maintained by state agencies in the event of breach / intrusion / unauthorized use / threats to electronic information
  • Nevada SB 72 requires the Division of Enterprise Information Technology Services to investigate and resolve breach attempts on information systems belonging to an agency or elected officer

Bills, amendments and regulatory requirements are being updated to keep up with lessons learned from breaches, so the latest approved bills should be confirmed with each state or through a source such as NCSL.ORG.

Juniper software backdoor led to government and private company spying??

Rogue, unauthorized code identified in Juniper Networks firewall software allows backdoor access to tap / packet capture and decrypt VPN communications, and leaves no trace of compromise (since security logs can be deleted). Inserting that code would have required a skilled hacker (internal or external, to be confirmed) and, worse yet, it has existed for 3 years. The FBI is engaged to investigate related communication interception by non-government organizations, with China and Russia as the top suspects.
Of course its rival, Cisco Systems, has launched a code review of its own software...but security experts are quick to point out that code may not always be reviewed thoroughly, implying that code review and penetration testing are not always conducted due to the cost of the effort.

The cost of security breaches is expected to keep spiking, much like college tuition; ironically, Juniper had projected that cost to be 4x by 2019.  Current estimates total $2.1 trillion resulting from breaches in the last 5 years.  We'll check back once details are confirmed/published…

Saturday, December 19, 2015

The profits awakens - Disney

As moviegoers shell out for Disney movies, the money comes in numbers straight to the bank.  Already, after the acquisitions of Pixar and Marvel, it raked in $14.1 million on Thursday.  The companies acquired cover lighting, special effects and the high-tech wizardry that is the foundation of any sci-fi / non-fiction film, which should push merchandise sales to $5 billion in the short term (just a billion more than 2012's Star Wars).  The movie opened in over 4,000 theaters across the country starting at 7am EST Thursday, and Wednesday overseas (starting in France, Italy, the Philippines and Norway…then the UK, Germany, Mexico, Australia, Russia and Brazil).  It has a good chance of breaking Jurassic World's $208.8 million this weekend.
Gotta find my original lightsaber to bring with…
Oh, and while rumors of spoilers surfaced, security was tight enough that there was no pre-release leak/breach.

Thursday, December 17, 2015

Why fly under the radar: financial, pharma, corporate, politics - Martin Shkreli arrested

Securities and wire fraud charges stem from prior employers: MSMB Capital Management (hedge funds out $7 million, with a prior complaint on file for misuse of funds) and Retrophin Inc., where he was displaced for reallocating company funds / equity investments to pay off other business deals to the tune of around $65 million.  Recall the news regarding the price gouging / hike from $13 to $750 (nearly $100,000 per year) for Daraprim, a life-saving anti-parasite tablet, justified in part by citing funding for drug research and development programs.  He was able to gain control of KaloBios Pharmaceuticals Inc. as a result but, of course, its shares fell 50% in light of the news.
The savvy business entrepreneur, with self-taught medical / biology knowledge and a keen financial eye, had recently purchased the license for benznidazole, a treatment for parasitic infection.  But this seems more made for TV: from working-class Brooklyn youngster to billion-dollar financial wheeling-and-dealing executive and drug price-hiking CEO, with an arrogance that caught political notoriety, and now lawyered up.

Wednesday, December 16, 2015

Global IT Audit Practices and Benchmark

IT and business transparency, collaboration and integration are key components for internal audit to help organizations identify, monitor and mitigate IT risks. ISACA, along with Protiviti, conducted its 5th survey of internal audit organizations, which resulted in these notable conclusions:

  1. Emerging technology and cybersecurity challenges top the radar
  2. A limited number of IT auditors with qualified skill sets is available
  3. IT audit organizations not reporting to the CAE (chief audit executive) or an equivalent independent role threaten the third-line-of-defense strategy for IT
  4. IT audit risk assessments are still lacking in some organizations, and lacking in frequency in others
  5. Only half of IT audit organizations are involved in IT projects from the get-go or early in the design stages
  6. Strong interpersonal skills are required, including the ability to translate complex IT issues into business risks for a non-technical audience

The survey included 1,200 executives and professionals completing an online questionnaire (specifically, 14% were Chief Audit Executive or equivalent, 20% Audit Director or IT Audit Director, 29% IT Audit Manager, etc.). Respondents predominantly consisted of 33% from organizations with $5+ billion in annual revenue and 50% from $1+ billion in annual revenue, spread over 29% Financial Services, 15% Government/Education, 5% Retail, 2% Life Sciences/Biotechnology/Healthcare Payer, etc.

By the numbers, total audit department headcount consisted of: 18% 0-4; 21% 5-9; 19% 10-19; 16% 20-39; 10% 40-99; and, amazingly, 16% have 100+ full-time employees (FTE).  With regard to full-time IT auditors, 8% had zero, 23% have 1, 16% have 2, 11% have 3, 7% have 4, 16% have 5-9, 13% have 10-49 and 6% have 50+ FTE.  Those numbers are perhaps why IT audits have been lagging over the years.  So, comparing total internal audit reports vs. IT audit reports for companies with $5+ billion in revenue: 24% issue greater than 20% IT audit reports, and 37% issue process audit reports that contain underlying technology reviews.  Geographically, South America is ahead with 60% vs. North America at 50%, Europe 43% and Asia 40%; the overall recommendation is that at least 20% of audit reports should be IT audits.

Technology solutions cannot succeed without investment in human capital.  Given the lack of qualified resources reported, organizations of $5+ billion augment with outside resources: 24% via guest auditors, 5% outsource, 40% use co-source providers, and 41% do not augment at all.  Geographically, North America augments at 69%, South America 50%, Europe 61% and Asia 57%.

  • Reasons for augmenting (by $5+ billion companies) include: 25% lack of IT skill set, 19% variable resource modeling, 26% outside perspective, 30% lack of resources, and 31% knowledge transfer/learning from outside parties.
  • Cited effective auditor characteristics were: process analysis, data collection, interviewing, business writing and project management skills, along with effectively running meetings and communicating results, conclusions and recommendations to all levels of management

Key to staffing is a person's ability to translate complex issues for a non-technical business audience; while this skill may be difficult to find in candidates according to 73% of respondents, there is no notable increase in finding talent in the short term (6% of $5+ billion companies will increase headcount by 20%).  Additionally, between 39% and 46% of all respondents say the IT audit plan cannot be significantly addressed because of a lack of resources and/or skills.
Companies whose IT auditors are required to hold the CISA (Certified Information Systems Auditor) certification: North America 49%, South America 56%, Europe 52%, and Asia 59%.
Tenure along with required training is: 6.7 for IT audit director, requiring 47 hours of training; 6.2 for manager, requiring 52 hours of training; and 4.2 for staff, requiring 54 hours of training.
Sources of IT audit staff-level hires are: 69% external hires, 14% internal IT departments and 11% college/university.

Of course technology is always shifting, and so 60% of organizations are going through IT transformation, with 54% expecting it to take over 1 year.  With that in motion, understanding cybersecurity threats is a key concern today.  The impact on business model viability is further heightened by disruptive changes in uncharted territory.  However, not embracing new technology such as IoT and wearables will significantly hamper business development and mean a sure loss of competitive advantage.  In connection, the survey calls out a need for IT security audit improvements for the Chief Audit Executive (CAE) and for overall cybersecurity risk management maturity, to drive effective programs and an acceptable level of risk.

With cyber being a boardroom agenda item, top organizational performers reflect sound practice in security of information, protection of brand/reputation, regulatory compliance awareness and security of employees' personal information.  These practices are supported by awareness through the board of directors, suitable policies with a security reference architecture that protects the right information, and a cybersecurity practice that demonstrates confidence in the ability to prevent and react to/mitigate both internal and external attacks (e.g. 50% are not confident and only 29% are confident).  Of the 83% that rated cybersecurity as a top threat today, only 38% are prepared for a cyber attack.

Having an IT Audit Director reporting to the CAE or an equivalent position is best practice…yet this model is still lagging. Only 58% have an IT audit director or equivalent position, so when it comes to expertise during board meetings, 65% of CAEs have the skills to convey IT risk; otherwise, 42% of IT audit directors attend board meetings.  That said, clearly 91% of organizations ($5+ billion revenue) have an internal audit department with an IT function (56% with IT included and 35% with IT as a separate function).
To properly assure the third layer of defense (management), the IT Audit Director is required to follow the "Getting to Strong" approach set by regulatory authorities in the financial industry, as a model for example.  While IT Audit Directors have started to attend board meetings over the past 4 years, attendance and adoption globally are slow.  45% in North America have an IT audit director vs. 58% in South America, 45% in Europe and 44% in Asia; attendance in board meetings is roughly the same, but South America takes the lead with 67% vs. 42% in North America.
To ensure critical technology risk is included in the IT audit program, an IT risk assessment must be performed.  Smaller organizations seem to lag in this area, but the trend toward conducting assessments is increasing.  Again, of the $5 billion and above, 69% said an IT audit risk assessment is conducted vs. 16% for $½-$1 billion revenue companies.  Regionally, Asia tops the percentage at 61% by Audit (60% by CIO) vs. North America at 38% by Audit (66% by CIO), South America at 53% by Audit (56% by CIO) and Europe at 46% by Audit (64% by CIO).
In terms of frequency for $5+ billion revenue companies: 16% continually, 2% monthly, 14% quarterly, 10% semi-annually, 55% annually, and 4% less than annually.  And 48% update IT audit risk assessments on a quarterly basis.

Trending in the right direction is earlier engagement in IT projects and, now, auditing of vendors, which had not been among the top 5 IT audit function responsibilities (but is now out of the bottom five).  Engagement with significant projects occurs at various stages: Planning 30%, Design 10%, Testing 8%, Implementation 11%, Post-implementation 27%, and no involvement 14%. On the other hand, a noticeable gap lies in the lack of focus on continuous auditing, whereby effectiveness and efficiency can be gained by identifying issues and correcting them as soon as they arise.  IT audit's level of involvement in technology projects ($5+ billion companies): 22% significant, 41% moderate, 30% minimal and 7% none….and regionally, 57% for the Americas, 52% for Europe and 60% for Asia.
A predominant effort for IT audit is SOX, and the percentage of time spent indicates: greater than 75% by 6% of companies, 20%-50% by 35% of companies, and also notably 31% do not know or spend none.
IT governance assessment activity results: 42% completed COBIT and 34% completed IIA 2110.A2…and geographically, North America 36%, South America 68%, Europe 44%, and Asia 26%...and small organizations were under 50% as well.  Of the respondents, approximately 20% will perform an assessment; hence, the rest will still not.  Relatedly, companies with an Enterprise Risk Management (ERM) program integrated with the IT audit risk framework totaled 47%, which is actually down from 50% last year and 58% in 2013. The net-net is striving for full engagement with various projects and development efforts, engaging across the organization; using COBIT / IIA Standard 2110.A2 for evaluation and the ISACA COBIT framework for processes; and leveraging the standards, techniques, etc. of ISACA ITAF.

Finally, IT audit function spend:
Source of article: ISACA

Tuesday, December 15, 2015

Healthcare Operations Center

Data-driven technology with big data modeling and always-on live wearable devices translates to groundbreaking predictive patient care.  Picture a Pharmaceutical or Healthcare Operations Center (HOC) where, for example, your glucose levels, heart rate or neurological activity [who knows] are monitored on big screens with heat maps and automated trigger alerts, e.g. SNMP-like LED alerts, with Level 1 practitioners through Level 3 and 4 specialists and MDs available 24/7.  Conditions are compared against individual profiles based on big data ranging from demographic, geographic and "trending" levels to an endless series of behavioral patterns (based on circumstances or scenarios).
You picked up a 3rd cup of coffee on your way to work due to increased stress from a roadside traffic accident and forgot to get decaf (as alerted via your store "rewards" program), which triggers your healthcare application baseline, activating your HOC at maximum readiness.  Then your wearable device automatically injects insulin to help you adjust sugar levels…okay, perhaps that's at least 12 months away.
The point being, diagnosing and treating diseases can no longer rely on 10-minute office visits with your description of what you feel (and perhaps your self-created diagnosis based on an article you just read).  Research and trials can be conducted live with expanded samples and real-time analytics. We have already seen the benefits of big data aggregation for IT threats and retail buying behavior, so why not DNA, tissue, cells and other organisms, to refine research, testing and overall patient treatment?
As complex as the science is, so are the inter-connectivity and inter-dependencies between business risk and the cyber protection / capability required for data integrity and confidentiality.  Cyber has received board-level attention, but no level of funding will be effective without clear focus on critical assets and agreement on data sensitivity usage from the entire organization. The ecosystem must also provide opportunity for enhanced risk transfer or cyber insurance, and regulation that is prescriptive in implementation as well as penalties.  But the value and underlying matter is having a clear understanding of the business's behavior towards data, which translates into effective building/leveraging of infrastructure, creative and responsive protection of the right data, a scalable amount of resources, and the agility to react based on the trade-off dance between business value and rapid technology change.

Friday, December 11, 2015

Pharmas and Life-Sciences’ Digitalization – New Breed

Digital health investment of $6.5 billion in 2014 more than doubled from the previous year, and it's only the beginning.  Pharmaceuticals, biotechs and the like in the healthcare industries require strategic, cultural and competitive transformation to survive in the new era.  Those that attend to client service delivery that is agile and leverages technology most effectively will be the ones to thrive.  Recognizing value will replace brand. This may mean a beginning-to-end solution, attuned to details, that is both predictive and reactive through intelligence and on-demand resources that shape treatment.
The Millennial culture of instant gratification is upon us, and wearable technology together with the emergence of connected (cloud streaming) data analytics allows treatment that is virtually instantaneous, or at the very least proactive awareness.  Combined with the resources of Google-like solutions, new client-facing applications require the ability to adapt to patient behavior that is measurable in quality of health and cost.  The paradigm shift is an emphasis on interpretation of data and predictive solutions instead of numerous and fragmented tests.  IT plays the centerpiece, but tight integration with legal / regulatory, privacy offices and the sales organization is essential to building a new digital pharma model.   Both companies and industries will break new ground, and the road to better health will merge the traditional roles of pharma, providers and payors such that end results will be the focus regardless of who achieved them and how.

Article source: McKinsey & Company

Thursday, December 10, 2015

IS a self-funded powerhouse of about $2 billion


Now, a slight departure from cyber, but let's look at the business and leadership perspective:
Out with the old, Al-Qaeda, and in with the new (Millennials), Islamic State.  Arabian Gulf donors are no longer the principal source; funding is instead diversified through oil fields, mineral mines and territory banks.  The regime pays soldiers $400 - $1200 per month based on technical and engineering skills and provides bonuses for recruiting wives and children; this almost parallels the corporate / democratic way, right?

The Islamic State of Iraq and al-Sham (ISIS) has dominated territories unmanageable by others but, of course, rich in mineral mines that accounted for $360 million in funding for 2014.  In that effort, it taxes the 8 million civilians living and working in its territory, along with services/medication.  Of course, extortion is part of the equation too, from taxing elementary to college students to bribes for passing through territories.  Better yet, the Iraqi government is even taxed… and the numbers are said to be even higher for 2015, estimated at $800 million.

Even without oil expertise and equipment, ISIS produced $500 million in oil production/profit from hijacked oil wells and refineries.  While sanctions didn't help, they were still agile enough to sell oil at one-fourth of the market price, to friends and foes alike, e.g. US-backed Syrian rebels to fuel their diesel engines.  Of course, these efforts have been seriously hampered by the earlier US and allied bombing efforts (some via drones recently), by the post-Paris-attack coalition bombing of nearly 400 oil tanker trucks and storage tanks, and more recently by the Russian-led bombing campaign.

With any territory takeover, the state banks get looted, to the tune of $450 million in cash plus gold taken from a Mosul central bank last year (the same invasion freed almost 1,000 inmates from a prison and seized US-supplied military hardware).  The private banks, however, are left intact so that clients still have the semblance of an institution, but back-end taxes replace them.
Apparently, gold is king.  Part of the theory is that trading in gold, unlike paper currency, can't be stopped, since it's gold after all, and it evades sanctions from other governments.  However, it is said to be more of a ploy and recruitment tactic than real-world economic power.

Finally, terrorists/terror isn't without kidnapping and ransom.  We've seen the beheadings, and while most states align with the UN resolution not to pay out, those who do (perhaps for the French, Italian and Spanish hostages that were freed) account for $20 - $45 million.  Yet local / civilian kidnappings also yield ransom, e.g. in some cases for not being Sunni Muslim.

While some would point to inequality for the ISIS buildup, the jury is still out, since research indicates that poor as well as rich people are susceptible or likely to join, and level of education doesn't seem to be a factor or influencer; so maybe it's simply ideology.  This is already a departure from our norm, so let's bring it back a bit.
Counterintelligence officials and cyber specialists monitoring the Internet airwaves were able to arrest over a dozen terror suspects related to a Twitter account that had been intercepted by Ghost Security Group.  "…DigitaShadow says Ghost Security Group has taken down 149 Islamic State propaganda sites, 110,000 social media accounts, and over 6,000 propaganda videos since it formed".  In other efforts, the Telegram messaging app blocked 78 ISIS-related channels across 12 languages…
Article source: money.ccn.com

You can never get enough phishing time

We've mentioned phishing in the past, but spear phishing is a variant that targets specific individuals, typically after much research / preparation on the recipients to be.  So it is a much more directed / customized message to folks who have more or critical access to the crown jewels, AKA confidential data, technology and business secrets/IP.  With the proliferation of social media, your LinkedIn account along with your Facebook, Twitter and Google+ can be a gold mine for profiling you and the downstream intended targets connected to you.  Reconnaissance is just the start, and the digital trace of where you are, where you go, what you publish and how you behave on the Internet is key to your worth.
The rate of success has increased and attacks are more difficult to detect.  According to Symantec, the average number of spear phishing emails spiked to 42 per day in January 2016 from 33 last December (proportionally rising to 1 in every 1,004 emails).  Like phishing, these emails tend to be accompanied by an attachment, and the numbers show 46% were .doc files (up from 26% in December).  Additionally, the favorite targeted organization sizes were 1-250 and 2500+ employees with, respectively, 35% and 32% of the cases (with finance, insurance and real estate leading the pack at 29%, followed by manufacturing at 21%, then wholesale at 12%).

Good practices and safety extend beyond corporate compliance in an organization. Cyber-safe practices must be carried through to your personal / social forums by limiting what you post specifically about yourself and the organizations you work for, and remember that what you post online can be shared and go viral, particularly on the dark web. Organizations can help build awareness by providing relevant security training (perhaps based on employee behavioral analysis), rewarding good behavior instead of punishing bad, soliciting/collaborating with the marketing and sales teams, and of course routine penetration testing.
For a good overview of social engineering red flags, check out KnowBe4's pictorial example.

Monday, December 7, 2015

Passport pages deadline is December 31, 2015

If you are running out of pages in your passport for visas and entry/exit stamps, apply before the end of the year for an additional 24 blank pages; you will need to surrender your passport along with other required information. The fee is $82 and the form is DS-4085.
Passport renewals now offer a 52-page (43 blank) option at no additional charge, while the standard 28-page (17 blank) remains available.  Form DS-82 is used for renewal.  Of course, visit travel.state.gov for official details, including the latest update on processing time, which can be weeks.
Another good link is passport.info.com

Worldwide breach of customers/kids data: PlanetVTech, Learning Lodge, Kid Connect

The latest breach involves about 5 million customer/parent records and over 6 million kids' profiles (names, emails, addresses, passwords, selfies/pictures, chat logs, etc., but no SSN or card data) of VTech, a Hong Kong based toy manufacturer.  It is said to have occurred on November 14 and was identified 10 days later when an email was received from a journalist.
Mandiant has been retained to provide forensic investigation and shore up security gaps.  VTech's security posture has surfaced as questionable in terms of risk-based security implementation, much like other gaming misfortunes such as Sony PlayStation and Mattel's Barbie.  While the company will undergo close local government scrutiny, with the Hong Kong Privacy Commissioner looking into data privacy compliance, the FTC has no jurisdiction over non-U.S. companies.  Certainly not good news for holiday season gift shopping…with over 15 countries affected by this incident.
Interesting read: troyhunt.com for the sequence of verification events/analysis.

Saturday, December 5, 2015

IT Change Strategy for 2016

Trends and predictions continue throughout the year, and organizations attempt to keep pace; adoption / implementation will continue to lag, but that does not mean complacency. CIO.com provides a few principles on technology strategy.
Multi-tenant infrastructure and resources pick up where outsourcing left off and are here to stay.  In order to scale up, as well as throttle back when demand changes, cloud and something-as-a-service can provide that advantage.  Besides, collaborative environments and big data analytics are power.
Software replaces humans just as robots do in manufacturing plants.  The speed and accuracy are undeniable, and when it comes to repeatable and mundane tasks, perhaps it should be that way.
Embedded technology is key to competitive advantage for products/services, and it is designed and coded by highly sought talent.  Which means managers who just manage progress will soon disappear. It's back to providing value, and if you don't design or write code, then you must revolutionize what leadership does / is.
Service integration is more than a buzzword; it's your livelihood.  Without being agile and innovative in solutions that are well connected and maximize performance, product or overall output, organizations / companies do not stand a chance of being successful.

Shadow IT needs to translate into competitive advantage.  When integration challenges are aloft, spend is scrutinized and centralization efforts come to the forefront.  So, align the IT process early on with proper integration and set up tollgates to ensure acceptability and unity along the way.

Thursday, December 3, 2015

APT stocks continue climbing - Report updated with same news

The updated APT study shows the same results: continued breach of conventional layered architecture.
The nuts and bolts of FireEye's Maginot Revisited, a follow-up to the May 2014 report, are made up of 1,600 FireEye network and email sensors deployed in real-world networks.
The first report, Oct 2013 – Mar 2014, totaled 1,200 security deployments in 63 countries across 20 industries, with data from 1,614 appliance (PoV) trials of FireEye network and email appliances:

  • 97% of organizations in the study were breached, with 24% attacked via APT and 66% having command-and-control activity exploited; and hacked more than once per week

Updated report Jan 2014 – Jun 2014:

  • Attacks penetrate layered defenses, and the spike in advanced malware attacks, AKA Advanced Persistent Threat (APT) attacks, was consistent throughout industries (totals doubled), but the 2 largest upticks were:
    • Retail with 5% increase; 58 deployed were all breached with 17% by advanced malware
    • Healthcare and Pharmaceuticals with 4% increase; 54 deployed were all breached with 37% by advanced malware

Hence, passive tools and non-integrated detection/reporting systems don't cut it; and monitoring without pursuit / vigilance is a recipe for a security breach.

Tuesday, December 1, 2015

Bear down market // Security in 2016

Indications of a bearish market today, on the precipice of the first interest rate hike since 2006 and with junk bonds looking more appetizing.  When stocks decline about 20% from peak we have a bear market (a correction is a decline of about 10%).  So, which is it this time? Wasn’t this predicted earlier in 2015 and again in the summer? We have had approx. 32 bear markets since 1900 (or 1 per 3.5 years), typically lasting about 1 to 1.5 years, and a correction about every year…according to Ned Davis Research.  Of course the dynamics / root cause are complex, but politics is a big player, the potential of a selling frenzy can have great impact, and some point to the Fed for control of short-term rates.  While trading habits vary by age group, conservative older and riskier younger, analysts seem to indicate: weather the storm.

Humm...holding is probably not the best move for cybersecurity, since the trends are more frequent hacks, attackers outpacing tools / zero-days, and an outcome that is never good with a breach.  But 2016 will be the year of trickery and shenanigans.
With multiple smart devices in our possession and IoT paving the way for all things connected, large-scale attacks will come from all corners, from the healthcare devices we wear and rely on to the drones in the sky above.  So, mobile malware will be pervasive: Trendmicro estimates that 3 in 4 apps in China are malware, with exponential overall growth to 20 million by the end of 2016.  Recall the times of web defacement by hacktivists…well now, that has shifted to lucrative ransom and incriminating information made public, i.e. the Sony and Ashley Madison breaches.  Add the attack vector of malware and malvertising, whose growth this year was in the likes of a 41% spike.
Another segue will be a Data Protection role supporting the InfoSec officer to keenly focus on regulatory laws and data integrity compliance… This should pave the way for more cybercrime legislation with a global perspective, since data sharing agreements and provisions continue to evolve / be in dispute, i.e. Safe Harbor.
Offered solutions include: data security/encryption strategy, mobile policy and related infrastructure investment, relevant security training / testing, and a dedicated role/focus on data protection.
Article source: Trendmicro

Monday, November 30, 2015

ITO in Chennai: Balancing (US) client requirements and (India) employees

Are your ITO helpdesk / Network and App/Dev teams answering? Chances are they’re slower than normal, but hopefully Disaster Recovery planning/investment is paying off…
During the past several weeks, continued rainfall (near cyclone levels) in Chennai has forced local/home evacuations, transportation mayhem, and relocation of employees to keep IT Outsourcing afloat.  But the numbers are no joking matter, with counts of over 400,000 displaced, 70,000 rescued and 122 dead, and costing $1 Billion in damages.  See Floodlist.com for details and pictures.  Life will forever be affected, and we'll soon know what it may have cost organizations (for outage and interruption of services and perhaps business relationships).

Can you spell contingency plans (DRP/BCP) during these challenging times?
With approx. 15% or 3 Million of the IT workforce in Chennai, many US companies are resorting to backup locations in India, for companies including Cognizant, Infosys, and others: “India's top IT firms — Infosys, Tata Consultancy Services, Wipro and HCL Technologies — said they swiftly engaged their contingency measures as the weather in Chennai deteriorated,” according to businessinsider.in:

  • US-based Cognizant, which has a significant number of its 219,000 employees in Chennai, said it moved several employees to other centres within the city as well as to other cities and asked some to work from home to provide support to clients
  • TCS, the country's largest software exporter that has more than 65,000 employees in Chennai, managed operations and client interactions without having to move people but gave employees the option to work from home or from offices near them
  • India's third-largest IT firm, Wipro, gave its 18,000 employees in Chennai the option of working from home for most of last week

So, when it comes to Outsourcing, what considerations have been accounted for, tested and successfully executed?

  • Proximity of physical location and availability of workers
  • Alternate means of transportation
  • Vetted outsourcing employees
  • Hard copies in addition to soft copies of disaster recovery procedures/contacts
  • Tested procedures and systems, e.g. hot standby of equipment/terminals/systems/networking gear
  • Communication and notification plan for recovery and service delivery
  • Sustained protection against commingling of dedicated personnel, sensitive data, facility/room and persistent desktop configuration

Weather forecast for this week continues to be 80-100% thunderstorms.  Be safe all!

The New Internal Audit Model

The Internal Audit (IA) Department is being challenged like all organizations. IA is typically chartered to provide financial statement assurance, evaluate internal controls, and assess operational effectiveness and compliance with laws, regulations and company policies.  But the challenge is the expansion of the audit universe, new regulations, increased technology risks, and of course, budget constraints. It is the chief audit executive’s role to continuously review company risk profiles and determine the best and most agile operating model for effectiveness and efficiency.
The 3 IA models are:

  • In-house or employees – which includes recruiting staff / talent and conducting all audits, planning and maintenance of technology and methodology
  • Cosourced function – a blend of employees supplemented by 3rd-party providers to address gaps in skills or resources, while taking advantage of 3rd-party investment in technology, methodology and knowledge
  • Fully outsourced – where providers are held responsible from planning to execution / audits, under the direction of the audit committee and executive IA management

No one solution fits all; it really depends on the various constituents and their expectations, according to Crowe Horwath: Audit Committee (plan / risk management), Executive Management (plan / financial risk / business value), External Auditors (emerging market growth / changing regulations), Internal Auditors (skills/training), and Functional Management (understanding business / major program assistance)
IA maturity categories: Basic, Evolving, Established, Advanced, and Leading.  The spectrum from Basic to Leading involves, for example, Basic solely focusing on compliance risk, with auditors’ skills not aligned with organizational audit needs, risk assessments not aligned with other risk functions or not reflecting company profiles, and fairly limited use of technology.  Conversely, an Advanced function focuses on compliance risk, cost reduction, and the risks that affect business objectives.
An IA transformation is founded on these 3 practices:

  1. Using others’ work – leveraging other compliance, financial, and operating reports, which allows focus on other problems and reduces costly audits
  2. Holding process owners accountable – key to being most effective when IA is evaluating the controls, monitoring performance, and providing recommendations
  3. Providing continuous coverage based on the 4 principles below, to ensure resources/time are focused on the key items while maintaining demand.

4 IA Principles:

  1. Compliance – implementation of periodic checks (of managers, employees, 3rd-parties) and implementing risk indicators for actionable results/reports
  2. Assurance – increased focus on nonfinancial areas including IT Security, customer data, and intellectual property
  3. Performance Improvement – shifting audit plans toward expectations and more tangible value to the organization, providing and recommending best practices through a mixture of internal controls, automated processing and value-add activities within processes
  4. Risk Identification – leveraging an enterprisewide perspective that identifies emerging risks and vulnerabilities while linking them to strategic objectives, through integrated risk assessments

Article source: Crowe Horwath

Friday, November 27, 2015

Yahoo CEO under fire: did say it would be a LONG road ahead

But it might be taking too long for some.  With a number of executives leaving, others being asked to sign multi-year contracts to stay, and now a scorecard that isn’t so promising…Interesting read from WSJ.com
  • Turnaround of online-ad market = not good. Global share down in major Yahoo businesses except mobile advertising, which is still considerably lower than Facebook and Twitter
  • Growth in core business = not good.  Sales continue to fall throughout the shifts in strategies (Mobile, Video, Search)
  • Growth to 1 Billion monthly unique visitors = mostly yes.  Users have grown to over 1 Billion in 18 months, but new measures have been implemented during this period so the comparable baseline is in question
  • Online video popularity growth = unlikely.  Yahoo Screen has not shown the numbers it predicted, despite spending $100 Million on producing film content
  • Show $100 Million in Tumblr revenue for 2015 = unclear.  Apparently no update has been provided
  • Mobile revenue growth over 1.2 Million in 2015 = close.  Total after 3 quarters is $1.197 Billion from mobile
  • Growth in display revenue in 2015 = unlikely.  Might be growth from 1.34 to 1.47 Billion in 9 months; however, Yahoo is paying partners to click on sites so it might be lower overall
  • Mavens revenue to be $1.5 billion in 2015 = likely.  $1.184 Billion after 9 months so it’s expected to be on track

That all said, how about the implementation of stack ranking of employees? It works well for college scenarios, but probably not so well in business.  Employees were ranked comparatively from excelling through underperforming, resembling a bell-shaped curve of employee scores.  That ultimately (according to experts) promoted unhealthy / unproductive competition between employees.

Net-net, is it Mayer’s 3 years at the helm or is it just Yahoo since multiple chief executives have tried already?

Wednesday, November 25, 2015

Put stress in its place and stop worrying

The right mental attitude brings peace and happiness... So, putting stress in its place by living your life and stopping yourself from worrying can be cultivated by doing the following:
  • Start by thinking peace, happiness and courage instead of fear and hopelessness…remember, you are what you think you are
  • Create joy in others and focus on helping rather than worrying about your problems
  • Revenge is not a virtue so abstain from having thoughts and timeless worries about such ideas
  • Expect others not to show gratitude each and every time…we’re only human so give for yourself and the pleasure of doing so
  • Look beyond what’s in front of you and see the beauty / blessings that you have instead of hurdles 
  • Make the best of what you have and can do, without being fake to others or yourself
  • Learn from your mistakes and better yourself with each misstep or loss

Your energy and spirits need to be fed adequately, so remember to get enough rest at home and be able to relax at work.  Prioritization is key – via being organized, thinking of the future / solution rather than the past, and addressing problems immediately with facts that shape your decision.  Another in the series from Dale Carnegie’s Golden Book


Tuesday, November 24, 2015

Artificial Intelligence - like, for Insider Threat

Fortscale Security Ltd., now based in San Mateo, California, was started in 2012 in Israel and has since raised $4 Million in additional funding via CME Ventures and UST Global, bringing the total to $16 Million.  The system performs data crunching through user behavioral analytics and delivers context-based alerting.  The launch of Fortscale 2.0 helped propel the company to the forefront of cybersecurity for endpoints – with a strong establishment in marketing strategy, growth in the sales organization, and top-tier backing.  Revenue continued to climb in 2015 and the company hopes to capture the market for insider threat detection and elimination.  Since "virtually all enterprise data breaches can be traced to a compromise of an insider's credentials to obtain access to enterprise IT systems" [eweek.com], Fortscale’s software algorithms will simplify analysis, e.g. big data in SIEM (Security Information and Event Management) and much-needed end-user data collection, to provide SOC (Security Operations Center) insights and faster reaction time to malicious and rogue users.  With a good showing at RSA 2015, the company made the top 10 to watch according to networkworld.com
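An added example, not Fortscale’s code or anything from the eweek.com or networkworld.com articles, of the kind of user-behaviour baseline such a system builds from authentication logs: it learns each user’s usual hosts and login hours from a training window, then scores later events and attaches the reason for every alert so a SOC analyst has context rather than a bare score. The log lines, usernames, hostnames and the new_host_burst threshold are all constructed for the illustration.

```python
"""Baseline-and-score user behaviour analytics (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    ts: datetime
    user: str
    host: str


class Baseline(NamedTuple):
    hosts: Set[str]   # hosts the user normally authenticates to
    hours: Set[int]   # hours of day (0-23) in which the user is normally active


def parse_events(text: str) -> List[Event]:
    """Parse constructed 'ISO-timestamp user host' lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, host))
    return events


def build_baseline(events: List[Event]) -> Dict[str, Baseline]:
    """Learn, per user, the set of hosts and hours seen in the training window."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    hours: Dict[str, Set[int]] = defaultdict(set)
    for e in events:
        hosts[e.user].add(e.host)
        hours[e.user].add(e.ts.hour)
    return {u: Baseline(hosts[u], hours[u]) for u in hosts}


def score_events(baseline: Dict[str, Baseline], events: List[Event],
                 new_host_burst: int = 3) -> List[Tuple[Event, List[str]]]:
    """Return (event, reasons) for every event that deviates from its user's baseline.

    Three context-based signals: a host the user has never touched, an hour the
    user is never active, and several never-before-seen hosts from one account in
    the scored window (the lateral-movement pattern). Unknown users are flagged too.
    """
    alerts = []
    new_hosts_seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        reasons = []
        b = baseline.get(e.user)
        if b is None:
            reasons.append("no baseline for user")
        else:
            if e.host not in b.hosts:
                new_hosts_seen[e.user].add(e.host)
                reasons.append(f"first login to {e.host}")
                n = len(new_hosts_seen[e.user])
                if n >= new_host_burst:
                    reasons.append(f"{n} new hosts in window (possible lateral movement)")
            if e.ts.hour not in b.hours:
                reasons.append(f"unusual hour {e.ts.hour:02d}:00")
        if reasons:
            alerts.append((e, reasons))
    return alerts


# Constructed training window: alice works office hours from her workstation,
# bob starts early on the file server.
TRAINING_LOG = """
2015-11-02T08:55:10 alice WS-ALICE-01
2015-11-02T17:40:02 alice WS-ALICE-01
2015-11-03T09:02:44 alice WS-ALICE-01
2015-11-04T08:47:31 alice WS-ALICE-01
2015-11-05T09:10:05 alice WS-ALICE-01
2015-11-06T08:58:19 alice WS-ALICE-01
2015-11-02T07:30:00 bob FILESRV-02
2015-11-03T07:25:41 bob FILESRV-02
2015-11-04T07:31:12 bob FILESRV-02
"""

# Constructed scoring window: alice's account hops across servers late at night,
# and an account with no history appears on alice's workstation.
SCORING_LOG = """
2015-11-09T09:05:00 alice WS-ALICE-01
2015-11-09T23:15:00 alice WS-ALICE-01
2015-11-09T23:20:00 alice FILESRV-02
2015-11-09T23:21:00 alice DB-01
2015-11-09T23:22:00 alice HR-SHARE
2015-11-09T07:45:00 bob FILESRV-02
2015-11-09T08:00:00 mallory WS-ALICE-01
"""


def run_demo() -> List[Tuple[Event, List[str]]]:
    baseline = build_baseline(parse_events(TRAINING_LOG))
    return score_events(baseline, parse_events(SCORING_LOG))


if __name__ == "__main__":
    for event, reasons in run_demo():
        print(f"{event.ts.isoformat()} {event.user:8} {event.host:12} -> {'; '.join(reasons)}")
```

The reasons list is the "context" part of context-based alerting: an analyst seeing "first login to HR-SHARE; 3 new hosts in window; unusual hour 23:00" on one account can triage it without re-querying the SIEM, while bob’s ordinary early start produces nothing.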

Monday, November 23, 2015

Worldwide Travel Alert just issued

Only a matter of time...

http://travel.state.gov/content/passports/en/alertswarnings/worldwide-travel-alert.html

The State Department alerts U.S. citizens to possible risks of travel due to increased terrorist threats. Current information suggests that ISIL (aka Da’esh), al-Qa’ida, Boko Haram, and other terrorist groups continue to plan terrorist attacks in multiple regions.  These attacks may employ a wide variety of tactics, using conventional and non-conventional weapons and targeting both official and private interests.  This Travel Alert expires on February 24, 2016.

Saturday, November 21, 2015

Insider threat is weighing heavy on IT

Survey said:
  • 37% of companies expect a data breach incident within 1 year and 67% believe a breach will occur within 2 years
  • 72% of security professionals say the board should be more concerned with internal threats than external threats
    • 40% indicate an increasing trend in internal breaches, 43% indicate it will stay the same and 17% say it will decrease
  • 92% of the organizations have experienced a data breach within the last 12 months
    • Source of these breaches: 40% employees, 22% third parties, 12% ex-employees and 26% outside the organization (or unknown parties)
    • Internal breaches associated with: 67% reputational damage, 62% financial penalties, 42% reduced employee morale
  • 37% of employees believe individuals have access that they should not have – and the types of data employees have access to:
    • 69% Customer – contract data, purchase history
    • 57% Financial – shareholder information, accounts
    • 56% Product/Services – patents, technical specifications
    • 56% Employee – salary, medical records
    • 46% Supply chain – pricing
    • 44% Transactional – payment, card numbers
  • 29% of critical data is perceived as at risk of internal breach
  • 37% say it is difficult to identify the source of an internal breach, while only 16% say they can identify unusual network activity
  • 58% do not know what a security breach would be
  • 50% admitted disregarding company data protection policies
  • 75% of employees believe they do not get enough information about security policies
So, is perception reality?

Sources of insider threat:
  • 55% personal devices with access and/or with viruses and malware
  • 49% portable storage devices / USB
  • 47% users not abiding by data protection protocol / policy
  • 40% use of non-authorized applications
  • 38% email links
  • 31% sharing of credentials
  • 18% loss of a device with sensitive information
  • 24% ex-employees or old suppliers / customers with access
  • 12% posting / sharing on social media
Reasons for increased internal threats:
  • 52% increase in cloud applications / usage
  • 48% lack of awareness / understanding
  • 48% lack of communication between IT and employees and/or lack of a clear security policy
  • 37% increased viruses / malware
  • 31% increased personal devices
  • 26% increased use of contractors / temporary employees
Ways to minimize insider threats:
  • 72% education in safeguarding sensitive data
  • 57% clearly identify precautions and understanding of ramifications
  • 50% tools for Data Loss Prevention
  • 45% proper access management or increased levels of access
  • 41% updating acceptable use policies regularly
  • 39% impose penalties for disclosure
  • 35% limit user workstations / devices
Source: Clearswift Insider Threat Survey of 500 IT decision makers and 400 employees in the US, UK, Australia and Germany, by Loudhouse/Clearswift

Friday, November 20, 2015

It’s the fire within that makes one influential

Your continued pursuit and passion for excellence is directly related to your ability to persuade and influence others. The successful habits behind this strategy include:
  • Form your own opinion based on facts, which can change depending on what you carefully learn from others / the environment, but don’t be persuaded by trends
  • Seek to genuinely understand the “why” and “what if” in order to enhance your knowledge in a way that is not disruptive or challenging to someone else
  • Facilitate 2-way conversations that explore new concepts and ideas, or thinking out of the box
  • Narrow the distance between degrees of separation – by getting to your network / connections and theirs as well, in order to collaborate and leverage knowledge
  • Dispel distractions and focus on insightful dialog, dismissing matters that are not of importance
  • Entertain healthy / productive debate to further your understanding in pursuit of the right and holistic conclusion, instead of merely proving a point
  • Be proactive by anticipating options and next steps, then sharing with everyone else
  • Think before you act when responding, to ensure the correct / appropriate message is conveyed without allowing emotions to overreact
  • Believe – that you can make the difference no matter how high that feat might be
#Forbes on 9 Habits of Profoundly Influential People

Thursday, November 19, 2015

Aftermath of breaches, with connect devices on the up swing

...and it's only a sign of what's to come
The increase in connectivity of (mobile) devices directly parallels the spike in vulnerabilities and exploits that will impact the way we handle data breaches.  Already there is an increase in extortion and blackmail: the Ashley Madison 30 Million record incident led to downstream effects on lives/suicide, and the fueled interest in healthcare data was pronounced with the 4+ Million records stolen at UCL Health Systems.  Yet the underlying threat that might be even more compelling is the secondary or chain reaction of attacks that result; for example, vulnerabilities in applications, Flash Player and Zero-Day exploits that are dropped in environments upon penetration.
Read about the technical specs in Trend Micro's analysis of Q3.
These exploits are also vendor agnostic, as iOS suffered from vulnerabilities just like Android last quarter, with over 50% of Android devices affected for every vulnerability identified.  Another popular/notable aim is taken at PoS (Point-of-Sale) in the form of botnets, malware and the Angler Exploit Kit, hence 3rd parties are not necessarily the target source.  Finally, in the list of exploits, Pawn Storm (renowned for targeting government agencies) set its eyes on the MH17 investigation teams, spanning multiple countries: the Netherlands, Malaysia, Australia, Belgium, and Ukraine.

The ecosystem of detection and prevention must be integrated, and the spectrum / coverage can be strengthened by external data analysis or broader threat intelligence.

The Negotiation Dance

It’s about the ability to shift back and forth between Collaborative, Cautious and Competitive strategies during a negotiation that will allow you to get the most of what you want, with the other person feeling the same. The Mind Gym negotiation workshop focuses on core competencies and related strategy, and helps work out your blockers to release your success… Key tactics include:

  • Exploring and understanding the other person’s interests or needs
  • Knowing the surrounding facts from various perspectives can be very powerful
  • Comfort in the best alternative / option, and knowing when to stand tall or just walk away
  • Apply urgency to bring clarity, and apply pain to allow others to consider alternatives
  • Be creative in extending or incenting related features, quality or perhaps non-tangible items to bring to bear
  • Knowing a good compromise and saying yes for future / alternate gain, i.e. winning the war not the battles might be more compelling
  • Establish boundaries by saying no in order to discover and truly / further probe the root of the issue and the whys
  • Showing compassion or demonstrating vulnerability can release the other person's tendency to be guarded and make them less adversarial

Preparation is always key and is no different in negotiation, so have a plan for how and where (options) the conversation may lead – and don't negotiate something you're not willing to

Monday, November 16, 2015

Can you spot a phish?

Numbers consistently show that the majority cannot, without repeated testing...

  1. A message containing poor grammar or poor spelling is a sure sign of an email scam
  2. Mismatched URL: when you hover over the hyperlink, the address does not match the address displayed, or the actual website shows an IP address
  3. Misleading URL of a non-affiliate, whereby the domain name is often misspelled in comparison to the actual company name, and sometimes other content is prepended to the actual DNS name, for example, this_is_a_scam.company.com
  4. Contains an attachment that entices you to click for a reward, or content that will provide an explanation or more information
  5. Request for personal information via email, including security questions, regardless of whether all the other information supplied is valid
  6. Letter of intimidation, usually from law enforcement, a credit collection agency, etc., preying on your urgency before other ramifications, e.g. loss of coverage
  7. Alluring message or unsolicited action – including winning a prize or receiving a package when you haven’t ordered any
  8. Solicitation of money before you receive items or further information
  9. Threatening message that calls for action, otherwise you may suffer risk, e.g. a request from your CEO with whom you have never communicated in the past
  10. Combined efforts such as Vishing or Smishing, whereby secondary methods (voicemail or text message) are sent to you to corroborate the phishing

A social engineering audit is a key measure of how well prepared your organization is; it tests the strength of policy/procedure adherence and is a reminder to all, since security is both top-down and bottom-up. So, identification/success is best when phishing tests are conducted regularly – the rate of testing success is: 19% when done quarterly, 12% when every other month, and 5% when done monthly.
Anything too good to be true, or that just doesn’t look right, is likely a scam.
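Tells 2 and 3 above (mismatched and misleading URLs) are the ones a mail gateway or an analyst can check mechanically rather than by eye. The following is an added example, not from the original post: it pulls every link out of an HTML message and reports an IP-literal destination, visible link text whose domain differs from the href’s, a registrable domain other than the expected sender’s, and the expected brand name embedded inside some other domain. The sample message, the expected domain company.com and the hostnames are all constructed; the registrable-domain helper is a deliberate simplification (last two labels, no public-suffix list).

```python
"""Flag URL-based phishing tells in an HTML email body (added example, constructed data)."""
import ipaddress
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a URL or a bare domain name.
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def is_ip(host: str) -> bool:
    """True when the host part is an IPv4/IPv6 literal (tell 2: 'displays an IP address')."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(url_or_domain: str) -> str:
    """Lower-cased hostname of a URL; bare domains are accepted by adding a scheme."""
    if "://" not in url_or_domain:
        url_or_domain = "http://" + url_or_domain
    return (urlparse(url_or_domain).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels of the host. Simplification: no public-suffix list, so
    names such as example.co.uk are not handled; IP literals are returned as-is."""
    if is_ip(host):
        return host
    return ".".join(host.split(".")[-2:])


def check_links(html: str, expected_domain: str) -> Dict[str, List[str]]:
    """Map each href to the tells found for it (an empty list means nothing suspicious)."""
    collector = LinkCollector()
    collector.feed(html)
    expected_domain = expected_domain.lower()
    findings: Dict[str, List[str]] = {}
    for href, text in collector.links:
        tells = []
        host = host_of(href)
        if is_ip(host):
            tells.append(f"ip-literal: link goes to {host} instead of a hostname")
        if _LOOKS_LIKE_URL.match(text) and registrable(host_of(text)) != registrable(host):
            tells.append(f"text-href-mismatch: shows {host_of(text)}, goes to {host}")
        if registrable(host) != expected_domain:
            tells.append(f"unaffiliated-domain: {registrable(host)} is not {expected_domain}")
            if expected_domain in host:
                tells.append(f"embedded-brand: {expected_domain} appears inside {host}")
        findings[href] = tells
    return findings


# Constructed message; the expected sender domain company.com is also constructed.
SAMPLE_HTML = """
<p>Dear customer, your account is limited. Verify now:</p>
<a href="http://192.0.2.10/login">https://www.company.com/login</a><br>
<a href="http://company.com.example.net/verify">company.com</a><br>
<a href="http://cornpany.com/help">Help Center</a><br>
<a href="https://www.company.com/support">Contact support</a>
"""


def run_demo() -> Dict[str, List[str]]:
    return check_links(SAMPLE_HTML, "company.com")


if __name__ == "__main__":
    for href, tells in run_demo().items():
        print(href, "->", tells or ["ok"])
```

The only link that comes back clean is the genuine one; the lookalike cornpany.com is caught purely by comparing registrable domains, which is the same comparison a user is asked to make by hovering, just done consistently.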

Saturday, November 14, 2015

Tis the season for online gifts

Whether it’s employees, clients or service providers, showing signs of appreciation for hard work, commitment and loyalty is key, so make it as personable as possible.  Apparently cash is king and likely to be best received by the majority; otherwise, gift cards or perhaps wine, seedlings, cheese/crackers – but don’t overspend. Inclusion and consistency are important, and be mindful of religious beliefs.
Or perhaps the best gift of all is cybersecurity awareness - NIST Cyber Framework.  And, say you're shopping online, keep in mind:
  • HTTPS (and lock icon) on your browser at ALL times when sending personal/credit card data, login and checkout
  • Strong passwords when creating accounts
  • Know the seller/website by doing some research - use multiple browsers to compare the website, stay clear of advertisements
  • Use PayPal if you can; but certainly say no to debit cards
  • Use a trusted PC (anti-virus, anti-malware, etc.)
  • Don’t use public Wi-Fi networks - you’re probably being monitored
  • Validate charges on your card / statements
  • Remember, this applies to nearly everything, but if it seems too good to be true, it is

Friday, November 13, 2015

Slight improvement in Cybersecurity based on 18th Annual GISS by EY

EY Survey Participants: 1,755 survey respondents | 67 countries worldwide | 25 industry sectors | 21% of participating companies (the majority) have revenue between 500 Million – 2 Billion | 26% were in the Banking/Capital Markets and Technology industry sectors | 31% were organizations with fewer than 1000 employees | 30% were CISOs, 19% Information Security Executives and 17% CIOs

Key stats:

  • Main obstacles to the information security operation’s contribution and value to the organization: 62% budget constraints | 57% lack of skilled resources | 32% lack of executive awareness or support | 28% lack of quality tools for managing information security | 28% management and governance issues | 23% fragmentation of compliance/regulation
  • Reported sources of threat: 59% criminal syndicates vs. 53% last year | 56% employees (although ranked as medium priority) | 54% hacktivists vs. 46% prior | 43% lone wolf hacker | 36% external contractor onsite | 35% state-sponsored attacker vs. 27% prior
  • Highest priorities for information security over the next 12 months include: 56% data leakage and data loss prevention | 55% business continuity and disaster recovery resilience | 47% identity and access management | 44% security awareness and training | 44% incident response capability | 41% security operations, e.g. anti-virus, encryption, patching
  • Significant drops include: 18% do NOT have an Identity and Access Management (IAM) program vs. 12% prior | 47% do NOT have a Security Operations Center (SOC) vs. 42% prior
  • 81% of senior executives agree that data should be at the heart of all decision-making
  • 88% say information security does NOT meet organizational needs vs. 89% last year
  • 37% do NOT have a data protection program (of which 27% have an informal or ad-hoc data protection program)

Threat Intelligence is an important piece in being able to identify threats/incidents, since spotting the small anomalies that are indicative of a long-term breach can be difficult – especially given the sophistication of attacks, constantly changing tactics, lack of skilled resources, and the collaboration and mechanisms needed to adapt to change.

  • 59% say their SOC does not have a paid subscription to cyber threat intelligence feeds
  • 36% do not have a threat intelligence program vs. 34% prior
  • 66% of organizations that have a SOC did not discover the cybersecurity incident and didn’t have a cyber threat feed
  • 54% do not have a role or department in their Information Security function focusing on emerging technology or its impact – including 36% with no plan for one
  • 34% rank their security monitoring as mature / very mature vs. 30% prior
  • 53% would rate their network security mature / very mature vs. 52% prior
  • 57% say lack of skilled resources is a challenge vs. 53% last year

Vulnerability identification and threat management: 24% do not have a vulnerability identification program | 63% say threat and vulnerability management is a medium or low priority vs. 66% prior | 34% have an informal vulnerability identification program and regularly test.
In 2014, the top risks were around unaware/careless employees and outdated information security controls/architecture.  The 2015 results show a 10-20% reduction, but an increase in Phishing and Malware.

Top Vulnerabilities that increased risk over the last 12 months

  • 18% (highest) careless or unaware employees
  • 15% outdated information security controls and architecture
  • 10% related to cloud computing use
  • 10% unauthorized access
  • Others include: use of social media (50% ranked as low priority) and mobile computing

Top Threats that increased risk over the last 12 months

  • 19% phishing
  • 16% zero-day attacks
  • 16% malware e.g. viruses
  • 15% cyber attacks to steal financial information
  • 15% cyber attacks to disrupt or deface the organization
  • 13% cyber attacks to steal intellectual property or data
  • Others include: natural disasters, espionage, internal attack/disgruntled employees, fraud and spam

Finally, EY’s AAA model helps build an “Active Defense”: it starts with analysis by a Cyber Threat Intelligence professional, then a defined, iterative and operational cycle that integrates and enhances enterprise security:

  • ACTIVATE requires: assessment, roadmap, board-level support, standards, SOC, BCP and IRP testing, cybersecurity controls and implementation. Additions in 2015 will be: define the organization’s ecosystem and cyber awareness training
  • ADAPT requires: a transformation program to design/implement emerging technology and improve cybersecurity maturity, a decision on in-house vs. outsourced, and a RACI (Responsible Accountable Consulted Informed) matrix for cybersecurity
  • ANTICIPATE requires: design/implement a cyber threat intelligence strategy, define/encompass the organization’s cyber ecosystem, use forensic data analysis, involve everyone for understanding, and prepare for the worst by having a breach response strategy

Closing the gap between the current state today and the future to-be state was reported to be needed in: Awareness (largest), Architecture, Data infrastructure (events /alerts/logs), Identity and access management, Metrics and reporting, and Network security.

Country with most content blocked by Facebook

Based on requests from the South Asian nation’s government (reported by WSJ), Facebook in India blocked more content than in any other nation from January – June 2015.  That’s over 15K pieces of content restricted, a surge of three times more than last year, across platforms that included Messenger, Instagram and WhatsApp.  It totals 75% of overall restrictions across 93 countries – the purpose primarily related to religious and state criticism...

India ranks #2 with 130 Million monthly users, behind the U.S., and is also ranked #2 for governments requesting Facebook data, totaling just over 5,000 requests (an increase of 12% from last year).  #1 is the U.S. with over 17,000 requests in the first half of the year, up 14% from last year.
What would the numbers be for China?

Government Agencies have persistent weaknesses in security

The U.S. GAO (Government Accountability Office) conducted an audit of 24 federal agencies (during 2013-2014) that revealed weaknesses in security practices, requiring remediation and strengthening of cybersecurity based on past recommendations/requirements.
  • Problems in securing access controls, or prevalent inappropriate access
  • Configuration management issues with properly tested software or updates
  • Over 50% allow excessive access or have SOD (segregation of duties) issues
  • 75% did not have continuity planning to address disruptive events
  • None had an agency-wide security program to identify, resolve and manage risks
The report also looked back through 2006, which showed consistent trends of increased security incidents and, in some cases, totals doubled in compromised personal information.  In cases such as the breach of 21.5 million sensitive personal information records at the OPM federal agency, a 30-Day Cybersecurity Sprint was enacted in June 2015 to immediately tighten policies and patch vulnerabilities in order to help improve security posture.  Additionally, there was a call for security plans to be implemented, and to address identified risks and remediation in accordance with FISMA (Federal Information Security Management Act of 2002).  Hence, it’s 2015 and almost 2/3 of the agencies had not assessed risks at this point.  Numbers show agencies’ spend on cybersecurity has been relatively flat: $12 million in 2010, highest in 2012 at $14.6 million, lowest in 2013 at $10.3 million, and $12.7 million in 2014.
by the numbers...

Thursday, November 12, 2015

Cybersecurity is just beginning

…for colleges and employers.  With over 1.5 million open positions globally and only a handful of colleges that offer cybersecurity careers, the gaps need to be tightened. That challenge can be exponential considering the pace in which technology varies and skills required advances.  A creative way for awareness has been through hacking contests.  The contestants can complete with others in a challenging opportunity that is sure to lure candidates and close in on the skills gap.
But for industries that need it now, the managed security services market rose past $15 billion worldwide in 2014, and nothing stands in its way over the next 5 years.  Having SMEs (subject matter experts) virtually on call alleviates not only resource constraints and the need for emerging tools and technology, but also brings dedicated focus and integration / collaboration with the broader industry.
Achieving effective cyber threat resolution can be a daunting task, and a mission critical one.  According to PwC's U.S. cybersecurity: progress stalled report, the priorities in cyber spending are:
47% new technologies
40% audits and assessments
33% new skills and capabilities
24% redesign of strategy
15% process redesign
15% knowledge transfer participation
Another well-known area of threat is third parties, and the financial services industry leads the numbers for due diligence of:
62% third parties
57% contractors
52% software
42% suppliers
40% procurements

Interestingly enough, 19% of C-suite respondents were not worried about third-party risk, deferring it as an IT matter, yet the CSO/CISO typically reports directly to the CIO rather than to the CEO, CFO or CCO.  So, perhaps we have come full circle: shortage and need vs. investment and ownership.  How does your organization stack up?

Tuesday, November 10, 2015

Win friends and influence people

The key is enhancing relationships and becoming a friendlier person.  It often starts with a welcoming smile that sets a warm tone and builds rapport.  Being genuinely interested in another person and truly making them feel important is mutually beneficial.  In conjunction, it promotes good listening skills and a true sense of admiration / respect.  When giving feedback, be honest and show sincere appreciation, since everyone’s contribution is important. Remember never to criticize or complain, which only damages the relationship.  When you are able to arouse an eager want in the other person, motivation comes from within when completing goals and achieving success. Finally, saying the person’s name spells harmony and, in particular, remembering their name is greatly satisfying…another excerpt from Dale Carnegie

Monday, November 9, 2015

Only as strong as the weakest link - Medical/Healthcare numbers

When comparing security posture and stats for business sectors, does medical/healthcare lag behind other sectors?
The largest increase in theft since 2010 has been in medical records, and in 2014, 43% of all breaches involved medical data. Community Health Systems’ breach of 4.5 million patients' data helped bring this to the forefront, with medical information reportedly worth 10 times more than financial data, according to ITRC.  Misuse of stolen healthcare data is often not immediately apparent, and with persistent growth in EMR (Electronic Medical Records) and a voluminous population of medical device endpoints, the risk is expansive.

In the past 10 years, there have been approx. 5,500 breaches and 829 million records breached.  ITRC (Identity Theft Resource Center) groups them into 5 categories: business, financial/credit, educational, government/military and medical/healthcare. Comparing some of the sectors over the last decade shows the largest target shifting from Educational in 2005 to Business in 2007-2011 and now Health/Medical in 2012-2014:
Health/Medical: 16 breaches in 2005 vs. 333 in 2014, representing 10% vs. 43% of that year's volume (making Health/Medical the largest category in 2014)
Financial/Credit: 20 breaches in 2005 vs. 43 in 2014, representing 13% vs. 6% of that year's volume (making Financial the smallest category in 2014)
Business: 25 breaches in 2005 vs. 258 in 2014, representing 16% vs. 33% of that year's volume (hence Business is the 2nd largest category in 2014)

ITRC started tracking the type of incident in 2007, when nearly 50% resulted from Data on the Move and Accidental Exposure; by 2014, the leading categories were Hacking and Subcontractor:
Data on the Move accounted for 123 incidents or 28% in 2007 vs. 62 or 8% in 2014
Hacking accounted for 63 or 14% in 2007 vs. 227 or 29% in 2014 (now the top incident category)
Subcontractor accounted for 52 or 12% in 2007 vs. 118 or 15% in 2014 (runner-up for 2014)

These stats make for good eye candy charts, and one might wonder what the totals would be if today's breach notification laws had applied 10 years ago and all breaches had been reported.

Sunday, November 8, 2015

Competitive Edge to Standout

Five drivers for success are interconnected and require both skills and attitude.  First is building great self-confidence by stretching our comfort zone, which opens great opportunities.  People skills are key to success, built on trust and integrity.  Building our professional relationships and having a clear vision of our success will resonate with others. This is represented by our communication skills in small to large groups, in one-on-one situations, and in being able to think on our feet (by clearly and effectively expressing our thoughts and ideas). Seeking out higher levels of performance will ensure development of our leadership skills, so gaining enthusiastic cooperation in the activities performed and from the individuals involved is essential.  Lastly, reducing stress and improving our attitude will allow us to work in a more focused and directed manner…snippets from Dale Carnegie

Saturday, November 7, 2015

Setback for Internet Privacy on Do Not Track

Websites such as Google, Facebook, LinkedIn, etc. do NOT have to honor your “Do Not Track” option, following the FCC’s (Federal Communications Commission) dismissal of a petition filed by Consumer Watchdog.  The proposed rule would have prevented websites from requiring consumers to consent to being tracked and to having their personal information shared for analytics, ads, etc.  This contrasts with the privacy obligations the FCC has imposed on broadband providers such as AT&T and Comcast (the FCC's reasoning being that its authority extends only to transmission, not to websites); all the while, the FTC (Federal Trade Commission) has advocated a “Do Not Track” option since 2010.

Wednesday, November 4, 2015

Closing in on Bullseye: breach | loss | downsize

The Minnesota retail giant Target is closing 13 stores in January due to declining profits, which follows the closing of all 133 Canadian stores and the layoff of approx. 17,000 people around the same time a year ago.  But let's recap the late 2013 data breach, which likely did not help the big brand:
40 Million credit cards,
70 Million personal records,
46% drop in profits in 2013 Q4,
$10 Million in settlements,
$100 Million in replacement/issuance for banks and credit unions,
$100 Million in payment terminal upgrades for Chip-and-PIN (which likely would not have prevented the breach anyway, since the card data was captured in the point-of-sale terminals' memory, where EMV offers no protection),
No CISO or single accountable security lead at the time, and of course,
Replacement of the CEO and creation of a new CISO role within 6 months of the breach.

Business model, marketing, culture, etc. have a lot to do with a company's success, but let's focus on the IT security lessons learned:
Know your threats and risks, and leverage threat intelligence and improved collaboration,
Build triage capability to know when to ignore noise vs. when to address real issues promptly,
Security must be part of the business equation, with executive-level accountability for security,
Expeditious communication to respond accordingly (containment, eradication, resiliency), plus transparency and PR for customers and the industry,
Interconnected networks require proper segmentation, third-party due diligence, and proper account (de)provisioning,
Realize the liability exposure, e.g. banks looking to recoup the cost of card re-issuance,
There is no silver bullet, e.g. EMV (Europay, MasterCard, Visa) will not solve or prevent all threats,
Address the weakest link; your brand depends on it.

Tuesday, November 3, 2015

Jamming personal Wi-Fi

First Marriott, now Hilton. Several complaints have been linked to Hilton hotels blocking guests' personal Wi-Fi hotspots so they would be forced to pay for exorbitant hotel internet access.  A year after the FCC requested information on the Wi-Fi practices of its U.S. brands, Hilton is being fined $25K (for starters).  Investigation unfolding...
Other related fines on the topic: Marriott paid $600K to the FCC in a similar settlement, the telecom firm Smart City Holdings was fined $750K, and M.C. Dean faces a $718K fine for the Baltimore Convention Center (for actually deploying deauthentication devices, which forge 802.11 disconnect frames to knock clients off their own hotspots).  There is some truth in Marriott's response that interference, signal degradation, or rogue hotspots can be a security issue, but the FCC was crystal clear in its message. Less clear, as opponents note, is the established policy around blocking, jamming, etc. of Wi-Fi...  so aren't there instances where jamming Wi-Fi could be beneficial or even necessary?
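Since the M.C. Dean case turns on deauthentication frames, here is an added example (my own code, not anything from the FCC filings or from this blog) of how a monitor-mode capture can be screened for a deauth flood. It parses the 802.11 management frame header, pulls the reason code, and alerts when one BSSID sources a dense burst of deauthentication/disassociation frames, counting broadcast-addressed ones separately because a legitimate AP rarely kicks every client at once. The capture it runs on is constructed inline and the MAC addresses are placeholders.

```python
"""Detect 802.11 deauthentication floods in a monitor-mode capture.

Added example, not code from the blog post. Management frame layout per IEEE 802.11:
2-byte Frame Control, 2-byte Duration, Addr1/Addr2/Addr3 (6 bytes each), 2-byte
Sequence Control, then the body (FCS omitted). The capture below is constructed.
"""
import struct
from collections import defaultdict

TYPE_MGMT = 0
SUBTYPE_BEACON, SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x8, 0xA, 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"
REASONS = {1: "unspecified", 3: "sending STA is leaving",
           7: "class 3 frame from nonassociated STA"}   # subset of 802.11 reason codes


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{x:02x}" for x in raw)


def build_mgmt_frame(subtype, dst, src, bssid, seq, body=b""):
    frame_control = (subtype << 4) | (TYPE_MGMT << 2)          # version 0, flags 0
    return (struct.pack("<HH", frame_control, 0)               # FC, duration
            + mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid)
            + struct.pack("<H", (seq & 0xFFF) << 4)            # seq number, fragment 0
            + body)


def parse_mgmt_frame(frame):
    """Dict for a management frame; None for data/control frames or truncated input."""
    if len(frame) < 24:
        return None
    frame_control = struct.unpack_from("<H", frame, 0)[0]
    if frame_control & 0x3 != 0 or (frame_control >> 2) & 0x3 != TYPE_MGMT:
        return None
    subtype = (frame_control >> 4) & 0xF
    info = {"subtype": subtype,
            "dst": bytes_to_mac(frame[4:10]),
            "src": bytes_to_mac(frame[10:16]),
            "bssid": bytes_to_mac(frame[16:22]),
            "seq": struct.unpack_from("<H", frame, 22)[0] >> 4,
            "reason": None}
    if subtype in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH) and len(frame) >= 26:
        info["reason"] = struct.unpack_from("<H", frame, 24)[0]   # 2-byte reason code
    return info


def detect_deauth_flood(capture, window_s=5.0, threshold=10):
    """capture: iterable of (timestamp_seconds, raw_frame). Alerts per BSSID when the
    densest window_s-second window holds >= threshold deauth/disassoc frames."""
    per_bssid = defaultdict(list)
    for ts, raw in capture:
        f = parse_mgmt_frame(raw)
        if f and f["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
            per_bssid[f["bssid"]].append((ts, f["dst"], f["reason"]))
    alerts = []
    for bssid, events in per_bssid.items():
        events.sort(key=lambda e: e[0])
        best, start = (0, 0), 0
        for end in range(len(events)):                         # sliding time window
            while events[end][0] - events[start][0] > window_s:
                start += 1
            if end - start > best[1] - best[0]:
                best = (start, end)
        window = events[best[0]:best[1] + 1]
        if len(window) >= threshold:
            alerts.append({"bssid": bssid, "count": len(window),
                           "broadcast": sum(1 for _, dst, _ in window if dst == BROADCAST),
                           "reasons": sorted({REASONS.get(r, f"code {r}") for _, _, r in window}),
                           "first_seen": window[0][0]})
    return alerts


def sample_capture():
    """Constructed capture: beacons and one polite unicast deauth from a client of the
    real AP, then a jammer forging 30 broadcast deauths with the AP's own address."""
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"   # placeholder addresses
    frames, t = [], 0.0
    for i in range(5):
        frames.append((t, build_mgmt_frame(SUBTYPE_BEACON, BROADCAST, ap, ap, 100 + i)))
        t += 0.1024
    frames.append((t, build_mgmt_frame(SUBTYPE_DEAUTH, ap, client, ap, 7, struct.pack("<H", 3))))
    for i in range(30):
        t += 0.02
        frames.append((t, build_mgmt_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap, 4000 + i,
                                           struct.pack("<H", 7))))
    frames.append((t + 0.01, b"\x08\x00" + bytes(22) + b"data frame, ignored"))
    return frames


if __name__ == "__main__":
    for a in detect_deauth_flood(sample_capture()):
        print(f"deauth flood on BSSID {a['bssid']}: {a['count']} frames ({a['broadcast']} broadcast) "
              f"from t={a['first_seen']:.3f}s; reasons: {', '.join(a['reasons'])}")
```

One caveat before running this in production: enterprise WIDS "rogue containment" features work by forging exactly these frames against access points they classify as rogue, so a detector like this will also fire on your own infrastructure. That is worth knowing before enabling containment in a venue the FCC considers open to the public.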

Hooray for the Communications Act, which prohibits interference with Wi-Fi communications. That does not, however, stop hotels and other operators from snooping on your searches or reading anything you transmit in the clear over their Wi-Fi network (encrypted and VPN traffic excluded), which you agreed to in the terms on signup. Download a sniffer or protocol analyzer such as Wireshark, start a capture and surf the web: you will see the exchanges between your machine and each destination.  Now picture a network administrator, or anyone with access to the wiring closet or data center, connected to a switch mirror (SPAN) or trunk port and able to see every connected port/PC and the traffic it generates, which is sometimes logged or archived.
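To make the sniffer point concrete, here is an added example (my own code, not from the post) that mimics what a passive observer learns from three constructed TCP payloads, with the IP/TCP headers already stripped the way Wireshark would display them: a plaintext HTTP request gives up the method, host, path and cookie; a TLS connection still leaks the destination hostname through the ClientHello's SNI extension even though everything after it is encrypted; anything else is opaque bytes. The hostnames, query and cookie value are made up.

```python
"""What a passive sniffer on a shared Wi-Fi network can read from your traffic.

Added example, not code from the blog post. Walks constructed TCP payloads (IP/TCP
headers already stripped) and reports what each reveals to an observer.
"""
import struct


def build_client_hello(host):
    """Minimal TLS 1.2 ClientHello carrying only an SNI extension (constructed input)."""
    name = host.encode()
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name        # name_type host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    ext = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list       # extension type 0 = SNI
    exts = struct.pack(">H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"                        # version, random, no session id
            + struct.pack(">H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00" + exts)                                    # null compression, extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def tls_client_hello_sni(payload):
    """Server name from a TLS ClientHello record, or None if absent/malformed/truncated."""
    if len(payload) < 5 or payload[0] != 0x16:                       # record type 22 = handshake
        return None
    hs = payload[5:5 + struct.unpack_from(">H", payload, 3)[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                                   # header, version, random
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                                                   # session id
    if len(hs) < p + 2:
        return None
    p += 2 + struct.unpack_from(">H", hs, p)[0]                      # cipher suites
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                                                   # compression methods
    if len(hs) < p + 2:
        return None
    end = min(p + 2 + struct.unpack_from(">H", hs, p)[0], len(hs))
    p += 2
    while p + 4 <= end:                                              # walk the extensions
        etype, elen = struct.unpack_from(">HH", hs, p)
        p += 4
        if etype == 0 and p + 2 <= end:
            q = p + 2                                                # skip server_name_list length
            while q + 3 <= min(p + elen, end):
                ntype, nlen = hs[q], struct.unpack_from(">H", hs, q + 1)[0]
                q += 3
                if ntype == 0:
                    return hs[q:q + nlen].decode("ascii", "replace")
                q += nlen
        p += elen
    return None


def http_request_summary(payload):
    """(method, host, path) from a plaintext HTTP request, or None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = text.partition("\r\n\r\n")[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    host = next((l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")), None)
    return parts[0], host, parts[1]


def classify(dport, payload):
    """What an observer learns from one TCP segment."""
    req = http_request_summary(payload)
    if req:
        return {"protocol": "HTTP", "visible": f"{req[0]} http://{req[1]}{req[2]} (headers and body readable)"}
    sni = tls_client_hello_sni(payload)
    if sni:
        return {"protocol": "TLS", "visible": f"destination host {sni} (content encrypted)"}
    return {"protocol": "other", "visible": f"{len(payload)} opaque bytes to port {dport}"}


SAMPLE_SEGMENTS = [  # constructed, not captured
    (80, b"GET /search?q=hotel+wifi+fees HTTP/1.1\r\nHost: www.example.com\r\nCookie: session=abc123\r\n\r\n"),
    (443, build_client_hello("mail.example.net")),
    (22, b"SSH-2.0-OpenSSH_7.1\r\n"),
]


def sniffer_report(segments=SAMPLE_SEGMENTS):
    return [classify(dport, payload) for dport, payload in segments]


if __name__ == "__main__":
    for dport, entry in zip((d for d, _ in SAMPLE_SEGMENTS), sniffer_report()):
        print(f"port {dport:>3} {entry['protocol']:<5} {entry['visible']}")
```

The SNI leak is the practical caveat to "encrypted/VPN traffic excluded": TLS hides what you send and receive, but not which sites you visit, and a VPN simply moves that visibility from the hotel's network to the VPN provider.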

Interestingly enough, the FCC's long-standing broadband benchmark was 4 Mbps download, but its Chairman pushed for 25 Mbps, which the FCC adopted as the new benchmark in early 2015 (while the current U.S. average download speed is 11.5 Mbps, according to Akamai). Maybe you stream movies constantly...or perhaps your typing is just that fast.  Show me the associated cost!