Monday, November 30, 2015

ITO in Chennai: Balancing (US) client requirements and (India) employees

Are your ITO helpdesk, network, and app/dev teams answering? Chances are they are slower than normal, but hopefully disaster recovery planning and investment is paying off…
During the past several weeks, continued rainfall (near cyclone levels) in Chennai has forced local/home evacuations, transportation mayhem, and relocation of employees to keep IT outsourcing afloat.  But the numbers are no joking matter: over 400,000 displaced, 70,000 rescued and 122 dead, with $1 Billion in damages.  See Floodlist.com for details and pictures.  Life will forever be affected, and we'll soon know what it may have cost organizations (in outages, interruption of services and perhaps business relationships).

Can you spell contingency plans (DRP/BCP) during these challenging times?
With approximately 15%, or 3 Million, of the IT workforce in Chennai, many US companies are resorting to backup locations in India, for companies including Cognizant and Infosys. "India's top IT firms — Infosys, Tata Consultancy Services, Wipro and HCL Technologies — said they swiftly engaged their contingency measures as the weather in Chennai deteriorated," according to businessinsider.in:

  • US-based Cognizant, which has a significant number of its 219,000 employees in Chennai, said it moved several employees to other centres within the city as well as to other cities and asked some to work from home to provide support to clients
  • TCS, the country's largest software exporter that has more than 65,000 employees in Chennai, managed operations and client interactions without having to move people but gave employees the option to work from home or from offices near them
  • India's third-largest IT firm, Wipro, gave its 18,000 employees in Chennai the option of working from home for most of last week

So, when it comes to outsourcing, which of these considerations have been accounted for, tested and successfully executed?

  • Proximity of physical location and availability of workers
  • Alternate means of transportation
  • Vetted outsourcing employees
  • Hard copy in addition to soft copies of disaster recovery procedures/contacts
  • Tested procedures and systems, e.g. hot standby of equipment/terminals/systems/networking gear
  • Communication and notification plan for recovery and service delivery
  • Sustained protection against commingling of dedicated personnel, sensitive data, facility/room and persistent desktop configuration

The weather forecast for this week continues to show an 80-100% chance of thunderstorms.  Be safe, all!

The New Internal Audit Model

The Internal Audit (IA) department is being challenged like all organizations. IA is typically chartered to provide financial statement assurance, evaluate internal controls, and assess operational effectiveness and compliance with laws, regulations and company policies.  But the challenge is the expansion of the audit universe, new regulations, increased technology risks, and of course, budget constraints. It is the chief audit executive's role to continuously review company risk profiles and determine the best and most agile operating model for effectiveness and efficiency.
The three IA models are:

  • In-house or employees – which includes recruiting staff/talent and conducting all audits, plus planning and maintenance of technology and methodology
  • Cosourced function – a blend of employees supplemented by 3rd-party providers to address gaps in skills or resources, while taking advantage of the 3rd party's investment in technology, methodology and knowledge
  • Fully outsourced – where providers are held responsible for everything from planning to execution of audits, under the direction of the audit committee and executive IA management

No one solution fits all; the choice really depends on the various constituents and their expectations, which according to Crowe Horwath are: Audit Committee (plan / risk management), Executive Management (plan / financial risk / business value), External Auditors (emerging market growth / changing regulations), Internal Auditors (skills/training), and Functional Management (understanding business / major program assistance).
IA maturity categories are Basic, Evolving, Established, Advanced, and Leading.  Along the spectrum from Basic to Leading, for example, a Basic function focuses solely on compliance risk, its auditors' skills are not aligned with organizational audit needs, its risk assessments are not aligned with other risk functions or do not reflect the company's profile, and its use of technology is fairly limited.  Conversely, an Advanced function focuses on compliance risk, cost reduction, and the risks that affect business objectives.
An IA transformation is founded on three practices:

  1. Using others' work: leveraging other compliance, financial, and operating reports, which allows focus on other problems and reduces costly audits
  2. Holding process owners accountable: this is key to being most effective when IA is evaluating controls, monitoring performance, and providing recommendations
  3. Providing continuous coverage based on the four principles below, to ensure resources and time are focused on the key items while keeping up with demand.

Four IA principles:

  1. Compliance – implementing periodic checks (of managers, employees, 3rd parties) and risk indicators for actionable results/reports
  2. Assurance – increased focus on nonfinancial areas including IT security, customer data, and intellectual property
  3. Performance Improvement – shifting audit plans toward expectations and more tangible value to the organization, providing and recommending best practices through a mixture of internal controls, automated processing and value-add activities within processes
  4. Risk Identification – leveraging an enterprise-wide perspective that identifies emerging risks and vulnerabilities, linking them to strategic objectives through integrated risk assessments

Article source: Crowe Horwath

Friday, November 27, 2015

Yahoo CEO under fire: did say it would be a LONG road ahead

But it might be taking too long for some.  With a number of executives leaving, others being asked to sign multi-year contracts to stay, and now a scorecard that isn't so promising… Interesting read from WSJ.com:
  • Turnaround of online-ad market = not good. Global share is down in major Yahoo businesses except mobile advertising, which is still considerably lower than Facebook and Twitter
  • Growth in core business = not good.  Sales continue to fall throughout the shifts in strategy (Mobile, Video, Search)
  • Growth to 1 Billion monthly unique visitors = mostly yes.  Users have grown to over 1 Billion in 18 months, but new measures were implemented during this period, so a comparable baseline is in question
  • Online video popularity growth = unlikely.  Yahoo Screen has not shown the numbers it predicted, and $100 Million was spent producing film content
  • Show $100 Million in Tumblr revenue for 2015 = unclear.  Apparently no update has been provided
  • Mobile revenue growth over 1.2 Million in 2015 = close.  Total after 3 quarters is $1.197 Billion from mobile
  • Growth in display revenue in 2015 = unlikely.  There may be growth from 1.34 to 1.47 Billion in 9 months; however, Yahoo is paying partners for clicks on sites, so it might be lower overall
  • Mavens revenue to be $1.5 billion in 2015 = likely.  $1.184 Billion after 9 months, so it's expected to be on track

That all said, how about the implementation of stack ranking of employees? It works well for college scenarios, but probably not so well in business.  Employees were ranked comparatively, from excelling through underperforming, so that employee scores resembled a bell-shaped curve.  That ultimately (according to experts) promoted unhealthy and unproductive competition between employees.

Net-net, is it Mayer's 3 years at the helm, or is it just Yahoo, since multiple chief executives have tried already?

Wednesday, November 25, 2015

Put stress in its place and stop worrying

The right mental attitude brings peace and happiness... So, putting stress in its place by living your life and stopping yourself from worrying can be cultivated by doing the following:
  • Start by thinking peace, happiness and courage instead of fear and hopelessness…remember, you are what you think you are
  • Create joy in others and focus on helping rather than worrying about your problems
  • Revenge is not a virtue, so abstain from such thoughts and endless worries about such ideas
  • Expect others not to show gratitude each and every time…we’re only human so give for yourself and the pleasure of doing so
  • Look beyond what’s in front of you and see the beauty / blessings that you have instead of hurdles 
  • Make the best of what you have and can do, without being fake to others or yourself
  • Learn from your mistakes and better yourself with each misstep or loss

Your energy and spirits need to be fed adequately, so remember to get enough rest at home and be able to relax at work.  Prioritization is key – via being organized, thinking of the future and the solution rather than the past, and addressing problems immediately with the facts that shape your decision.  Another installment from Dale Carnegie's Golden Book.


Tuesday, November 24, 2015

Artificial Intelligence - like, for Insider Threat

Fortscale Security Ltd., now based in San Mateo, California, was started in 2012 in Israel and has since raised $4 Million in additional funding via CME Ventures and UST Global, bringing the total to $16 Million.  The system performs data crunching through user behavioral analytics and delivers context-based alerting.  The launch of Fortscale 2.0 helped propel the company to the forefront of cybersecurity for endpoints – with a strong marketing strategy, growth in the sales organization, and top-tier backing.  Revenue continued to climb in 2015, and the company hopes to capture the market for insider threat detection and elimination.  Since "virtually all enterprise data breaches can be traced to a compromise of an insider's credentials to obtain access to enterprise IT systems" [eweek.com], Fortscale's software algorithms aim to simplify analysis, e.g. of big data in the SIEM (Security Information and Event Management) and much-needed end-user data collection, to provide SOC (Security Operations Center) insights and faster reaction time to malicious and rogue users.  With a good showing at RSA 2015, the company made the top 10 to watch according to networkworld.com.

Monday, November 23, 2015

Worldwide Travel Alert just issued

Only a matter of time...

http://travel.state.gov/content/passports/en/alertswarnings/worldwide-travel-alert.html

The State Department alerts U.S. citizens to possible risks of travel due to increased terrorist threats. Current information suggests that ISIL (aka Da’esh), al-Qa’ida, Boko Haram, and other terrorist groups continue to plan terrorist attacks in multiple regions.  These attacks may employ a wide variety of tactics, using conventional and non-conventional weapons and targeting both official and private interests.  This Travel Alert expires on February 24, 2016.

Saturday, November 21, 2015

Insider threat is weighing heavy on IT

The survey said:

  • 37% of companies expect a data breach incident within 1 year and 67% believe a breach will occur within 2 years
  • 72% of security professionals say the board should be more concerned with internal threats than external threats
      o 40% indicate an increasing trend in internal breaches, 43% indicate it will stay the same and 17% say it will decrease
  • 92% of the organizations have experienced a data breach within the last 12 months
      o Source of these breaches: 40% employees, 22% third parties, 12% ex-employees and 26% outside the organization (or unknown parties)
      o Internal breaches were associated with: 67% reputational damage, 62% financial penalties, 42% reduced employee morale
  • 37% of employees believe individuals have access that they should not have; the types of data employees have access to:
      o 69% Customer – contract data, purchase history
      o 57% Financial – shareholder information, accounts
      o 56% Product/Services – patents, technical specifications
      o 56% Employee – salary, medical records
      o 46% Supply chain – pricing
      o 44% Transactional – payment, card numbers
  • 29% of critical data is perceived as at risk of internal breach
  • 37% say it is difficult to identify the source of an internal breach, while only 16% say they can identify unusual network activity
  • 58% do not know what a security breach would be
  • 50% admitted disregarding company data protection policies
  • 75% of employees believe they do not get enough information about security policies

So, is perception reality?

Sources of insider threat:

  • 55% personal devices with access and/or with viruses and malware
  • 49% portable storage devices / USB
  • 47% users not abiding by data protection protocol / policy
  • 40% use of non-authorized applications
  • 38% email links
  • 31% sharing of credentials
  • 18% loss of a device with sensitive information
  • 24% ex-employees or old suppliers / customers with access
  • 12% posting / sharing on social media

Reasons for increased internal threats:

  • 52% increase in cloud applications / usage
  • 48% lack of awareness / understanding
  • 48% lack of communication between IT and employees and/or lack of a clear security policy
  • 37% increased viruses / malware
  • 31% increased personal devices
  • 26% increased use of contractors / temporary employees

Ways to minimize insider threats:

  • 72% education in safeguarding sensitive data
  • 57% clearly identifying precautions and understanding of ramifications
  • 50% tools for Data Loss Prevention
  • 45% proper access management or increased levels of access
  • 41% updating acceptable use policies regularly
  • 39% imposing penalties for disclosure
  • 35% limiting user workstations / devices

Source: Clearswift Insider Threat Survey of 500 IT decision makers and 400 employees in the US, UK, Australia and Germany, by Loudhouse/Clearswift.

Friday, November 20, 2015

It’s the fire within that makes one influential

Your continued pursuit of and passion for excellence is directly related to your ability to persuade and influence others. The successful habits behind this strategy include:

  • Form your own opinion based on facts, which can change depending on what you carefully learn from others and your environment, but don't be persuaded by trends
  • Seek to genuinely understand the "why" and "what if" in order to enhance your knowledge in a way that is not disruptive or challenging to someone else
  • Facilitate 2-way conversations that explore new concepts and ideas, or thinking out of the box
  • Narrow the degrees of separation by getting to your network / connections and theirs as well, in order to collaborate and leverage knowledge
  • Dispel distractions and focus on insightful dialog, dismissing matters that are not of importance
  • Entertain healthy / productive debate to further your understanding in pursuit of the right and holistic conclusion, instead of merely proving a point
  • Be proactive by anticipating options and next steps, then sharing with everyone else
  • Think before you act when responding, to ensure the correct / appropriate message is conveyed without allowing emotions to overreact
  • Believe that you can make the difference, no matter how high that feat might be
#Forbes on 9 Habits of Profoundly Influential People

Thursday, November 19, 2015

Aftermath of breaches, with connected devices on the upswing

...and it's only a sign of what's to come
The increase in connectivity of (mobile) devices directly parallels a spike in vulnerabilities and exploits that will change the way we handle data breaches.  There is already an increase in extortion and blackmail: the Ashley Madison 30 Million record incident led to downstream effects on lives, including suicides, and the interest in healthcare data was pronounced with the 4+ Million records stolen at UCLA Health System.  Yet the underlying threat that might be even more compelling is the secondary or chain reaction of attacks that results; for example, application vulnerabilities, Flash Player vulnerabilities and zero-day exploits that are dropped into environments after penetration.
Read the technical details in Trend Micro's analysis of Q3.
These exploits are also vendor agnostic: iOS suffered from vulnerabilities just like Android last quarter, with over 50% of Android devices affected for every vulnerability identified.  Another notable target is PoS (Point-of-Sale) systems, in the form of botnets, malware and the Angler Exploit Kit; hence 3rd parties are not necessarily the source of the threat.  Finally, in the list of exploits, Pawn Storm (renowned for targeting government agencies) set its sights on the MH17 investigation teams, which spanned multiple countries: the Netherlands, Malaysia, Australia, Belgium, and Ukraine.


The ecosystem of detection and prevention must be integrated, and its spectrum / coverage can be strengthened by external data analysis or broader threat intelligence.

The Negotiation Dance

It's about the ability to shift back and forth among Collaborative, Cautious and Competitive strategies during a negotiation, which allows you to get the most of what you want while the other person feels the same. The Mind Gym negotiation workshop focuses on core competencies and related strategies, and helps you work out the blockers holding back your success… Key tactics include:

  • Explore and understand the other person's interests or needs
  • Know the surrounding facts from various perspectives; this can be very powerful
  • Be comfortable with the best alternative / option and know when to stand tall or just walk away
  • Apply urgency to bring clarity, and apply pain to make others consider alternatives
  • Be creative in extending or incenting related features, quality or perhaps non-tangible items
  • Know a good compromise and say yes for future / alternate gain, i.e. winning the war, not the battles, might be more compelling
  • Establish boundaries by saying no in order to discover and further probe the root of the issue and the whys
  • Show compassion or demonstrate vulnerability, which can release the other person's tendency to be guarded and make them less adversarial

Preparation is always key, and negotiation is no different, so have a plan for how and where (the options) the conversation may lead - and don't negotiate something you're not willing to

Monday, November 16, 2015

Can you spot a phish?

Numbers consistently show that the majority cannot, without repeated testing...

  1. A message containing poor grammar or poor spelling is a sure sign of an email scam
  2. Mismatched URL: when you hover over the hyperlink, the address does not match the one displayed, or the actual website address is an IP address
  3. Misleading URL of a non-affiliate, where the domain name is often misspelled in comparison to the actual company name, and sometimes other content is prepended to the actual DNS name, for example, this_is_a_scam.company.com
  4. An attachment that entices you to click for a reward, or content that promises an explanation or more information
  5. A request for personal information via email, including security questions, regardless of whether all the other information supplied is valid
  6. A letter of intimidation, usually purporting to be from law enforcement, a credit collection agency, etc., preying on your sense of urgency to avoid ramifications, e.g. loss of coverage
  7. An alluring message or unsolicited action, including winning a prize or receiving a package when you haven't ordered anything
  8. Solicitation of money before you receive items or further information
  9. A threatening message that calls for action or else you may suffer consequences, e.g. a request from your CEO with whom you have never communicated in the past
  10. Combined efforts such as vishing or smishing, whereby a secondary method (voicemail or text message) is used to corroborate the phishing email
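As an added example (not code from the original post), here is a small Python checker that applies indicators 2 and 3 above to a list of hyperlinks: it flags link text that does not match the real href, a bare IP address as the host, a misspelled look-alike of a trusted domain, and a trusted brand name pushed into a subdomain ahead of someone else's DNS name. The trusted domain company.com, the sample links and the two-edit look-alike threshold are assumptions made for this demo.

```python
"""Flag hyperlinks that show the phishing URL indicators listed above.
The sample links, the trusted domain 'company.com' and the edit-distance
threshold are constructed assumptions for this demo."""
import ipaddress
import re
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or a bare domain name.
_LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#].*)?", re.I)


def _registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    """True when the host part of the URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _edit_distance(a, b):
    """Levenshtein distance, used to spot misspelled look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_indicators(text, href, trusted_domains):
    """Return the indicator names that apply to one (display text, href) pair."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    real = _registrable(host)

    # Indicator 2a: the real destination is a bare IP address.
    if _is_ip(host):
        findings.append("ip_address_host")

    # Indicator 2b: the visible text is a URL/domain that does not match
    # where the link actually goes (what hovering over it would reveal).
    shown = text.strip()
    if _LOOKS_LIKE_URL.fullmatch(shown):
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if _registrable(shown_host) != real:
            findings.append("mismatched_url")

    # Indicator 3: look-alike or prefixed domain relative to a trusted brand.
    for trusted in trusted_domains:
        trusted = trusted.lower()
        if real == trusted:
            continue
        brand = trusted.split(".")[0]
        if brand in host.split("."):
            # e.g. company.com.this_is_a_scam.example: the brand label is
            # present, but the registrable domain belongs to someone else.
            findings.append("brand_in_subdomain")
        elif _edit_distance(real, trusted) <= 2:
            # e.g. cornpany.com vs company.com (one or two character edits).
            findings.append("lookalike_domain")
    return findings


# Constructed sample links: (visible text, actual href).
SAMPLE_LINKS = [
    ("https://www.company.com/login", "https://www.company.com/login"),
    ("https://www.company.com/login", "http://203.0.113.7/login"),
    ("www.company.com", "https://secure.cornpany.com/verify"),
    ("Account update", "https://company.com.this_is_a_scam.example/x"),
]


def scan_links(links=SAMPLE_LINKS, trusted_domains=("company.com",)):
    """Map each href to its list of indicators; an empty list means no flag."""
    return {href: link_indicators(text, href, trusted_domains) for text, href in links}


if __name__ == "__main__":
    for href, hits in scan_links().items():
        print(f"{href:50s} {', '.join(hits) or 'no indicators'}")
```

The registrable-domain and look-alike heuristics are deliberately simple; a production filter would use a public-suffix list and a curated brand list.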

A social engineering audit is a key measure of how well prepared your organization is; it tests the strength of policy/procedure adherence and is a reminder to all, since security is both top-down and bottom-up. Identification is best when phishing tests are conducted regularly: the success rate of test phishes is 19% when done quarterly, 12% when done every other month, and 5% when done monthly.
Anything that is too good to be true, or that just doesn't look right, is likely a scam.

Saturday, November 14, 2015

Tis the season for online gifts

Whether it's employees, clients or service providers, showing appreciation for hard work, commitment and loyalty is key, so make it as personal as possible.  Apparently cash is king and likely to be best received by the majority; otherwise, gift cards or perhaps wine, seedlings, cheese/crackers – but don't overspend. Inclusion and consistency are important, and be mindful of religious beliefs.
Or perhaps the best gift of all is cybersecurity awareness - the NIST Cyber Framework.  And if you're shopping online, keep in mind:

  • HTTPS (and the lock icon) in your browser at ALL times when sending personal/credit card data, logging in and checking out
  • Strong passwords when creating accounts
  • Know the seller/website by doing some research - use multiple browsers to compare the website, and steer clear of advertisements
  • Use PayPal if you can, but certainly say no to debit cards
  • Use a trusted PC (anti-virus, anti-malware, etc.)
  • Don't use public Wi-Fi networks - you're probably being monitored
  • Validate the charges on your card / statements
  • Remember, this applies to nearly everything: if it seems too good to be true, it is

Friday, November 13, 2015

Slight improvement in Cybersecurity based on 18th Annual GISS by EY

EY survey participants: 1,755 survey respondents | 67 countries worldwide | 25 industry sectors | 21% of participating companies' revenue (the majority) is between 500 Million – 2 Billion | 26% were in the Banking/Capital Markets and Technology industry sectors | 31% were organizations with fewer than 1000 employees | 30% were CISOs, 19% Information Security Executives and 17% CIOs

Key stats:

  • Main obstacles to the information security operation's contribution and value to the organization: 62% budget constraints | 57% lack of skilled resources | 32% lack of executive awareness or support | 28% lack of quality tools for managing information security | 28% management and governance issues | 23% fragmentation of compliance/regulation
  • Reported sources of threat: 59% criminal syndicates vs. 53% last year | 56% employees (although ranked as medium priority) | 54% hacktivists vs. 46% prior | 43% lone wolf hackers | 36% external contractors onsite | 35% state-sponsored attackers vs. 27% prior
  • Highest priorities for information security over the next 12 months include: 56% data leakage and data loss prevention | 55% business continuity and disaster recovery resilience | 47% identity and access management | 44% security awareness and training | 44% incident response capability | 41% security operations, e.g. anti-virus, encryption, patching
  • Significant drops include: 18% do NOT have an Identity and Access Management (IAM) program vs. 12% prior | 47% do NOT have a Security Operations Center (SOC) vs. 42% prior
  • 81% of senior executives agree that data should be at the heart of all decision-making
  • 88% say information security does NOT meet organizational needs vs. 89% last year
  • 37% do NOT have a data protection program (of which 27% have an informal or ad-hoc data protection program)

Threat intelligence is an important piece of being able to identify threats/incidents, since spotting the small anomalies that are indicative of a long-term breach can be difficult to discern – especially given the sophistication of attacks, constantly changing tactics, lack of skilled resources, and lack of collaboration and mechanisms to adapt to change.

  • 59% say their SOC does not have a paid subscription to cyber threat intelligence feeds
  • 36% do not have a threat intelligence program vs. 34% prior
  • 66% of organizations that have a SOC did not discover the cybersecurity incident and didn't have a cyber threat feed
  • 54% do not have a role or department in their Information Security function focusing on emerging technology or its impact – including 36% with no plan for one
  • 34% rank their security monitoring as mature / very mature vs. 30% prior
  • 53% would rate their network security mature / very mature vs. 52% prior
  • 57% say lack of skilled resources is a challenge vs. 53% last year

Vulnerability identification and threat management: 24% do not have a vulnerability identification program | 63% say threat and vulnerability management is a medium or low priority vs. 66% prior | 34% have an informal vulnerability identification program and test regularly.
In 2014, the top risks were unaware/careless employees and outdated information security controls/architecture.  The 2015 results show a 10-20% reduction in those, but an increase in phishing and malware.

Top vulnerabilities that increased risk over the last 12 months

  • 18% (highest): careless or unaware employees
  • 15% outdated information security controls and architecture
  • 10% related to cloud computing use
  • 10% unauthorized access
  • Others include: use of social media (50% ranked as low priority) and mobile computing 

Top threats that increased risk over the last 12 months

  • 19% phishing
  • 16% zero-day attacks
  • 16% malware e.g. viruses
  • 15% cyber attacks to steal financial information
  • 15% cyber attacks to disrupt or deface the organization
  • 13% cyber attacks to steal intellectual property or data
  • Others include: natural disasters, espionage, internal attack/disgruntled employees, fraud and spam

Finally, EY's AAA model helps build an "Active Defense": it starts with analysis by a cyber threat intelligence professional, followed by a defined, iterative and operational cycle that integrates and enhances enterprise security:

  • ACTIVATE requires: assessment, roadmap, board-level support, standards, SOC, BCP and IRP testing, and cybersecurity controls and implementation. Additions in 2015 are: defining the organization's ecosystem and cyber awareness training
  • ADAPT requires: a transformation program to design/implement emerging technology and improve cybersecurity maturity, decisions on in-house vs. outsourced, and a RACI (Responsible, Accountable, Consulted, Informed) matrix for cybersecurity
  • ANTICIPATE requires: designing/implementing a cyber threat intelligence strategy, defining/encompassing the organization's cyber ecosystem, using forensic data analysis, involving everyone for understanding, and preparing for the worst by having a breach response strategy

The gaps to close between the current state and the future to-be state were reported to be: Awareness (largest), Architecture, Data infrastructure (events/alerts/logs), Identity and access management, Metrics and reporting, and Network security.

Country with most content blocked by Facebook

At the request of the South Asian nation's government (as reported by WSJ), Facebook blocked more content in India than in any other nation from January – June 2015.  That's over 15K pieces of content restricted, a surge of three times more than last year, across platforms including Messenger, Instagram and WhatsApp.  It totals 75% of overall restrictions across 93 countries, primarily related to religious and state criticism...

India ranks #2 with 130 Million monthly users, behind the U.S., and is also ranked #2 for government requests for Facebook data, totaling just over 5,000 (an increase of 12% from last year).  #1 is the U.S. with over 17,000 requests in the first half of the year, up 14% from last year.
What would numbers be for China?

Government agencies have persistent weaknesses in security

The U.S. GAO (Government Accountability Office) conducted an audit of 24 federal agencies (during 2013-2014) that revealed weaknesses in security practices, requiring remediation and strengthening of cybersecurity based on past recommendations/requirements:

  • Problems in securing access controls, or prevalent inappropriate access
  • Configuration management issues with properly testing software or updates
  • Over 50% allow excessive access or have SOD (segregation of duties) issues
  • 75% did not have continuity planning to address disruptive events
  • None had an agency-wide security program to identify, resolve and manage risks

The report also looked back to 2006, which showed a consistent trend of increasing security incidents and, in some cases, a doubling of totals for compromised personal information.  In cases such as the breach of 21.5 million records of sensitive personal information at the OPM federal agency, a 30-Day Cybersecurity Sprint was enacted in June 2015 to immediately tighten policies and patch vulnerabilities in order to help improve security posture.  Additionally, there was a call to implement security plans and to address identified risks and remediation in accordance with FISMA (Federal Information Security Management Act of 2002).  Yet it's 2015 and almost 2/3 of the agencies had not assessed risks at this point.  Numbers show agencies' spending on cybersecurity has been relatively flat: $12 million in 2010, highest in 2012 at $14.6, lowest in 2013 at $10.3, and $12.7 million in 2014.
by the numbers...

Thursday, November 12, 2015

Cybersecurity is just beginning

…for colleges and employers.  With over 1.5 million open positions globally and only a handful of colleges that offer cybersecurity programs, the gaps need to be tightened. That challenge can be exponential considering the pace at which technology changes and the required skills advance.  A creative way to build awareness has been through hacking contests.  The contestants can compete with others in a challenging opportunity that is sure to lure candidates and close in on the skills gap.
But for industries that need it now, the managed security services space rose past $15 billion worldwide in 2014, and nothing is standing in its way over the next 5 years.  Having SMEs (subject matter experts) virtually on hand alleviates not only the resource constraints and the emerging tools/technology needed, but also provides the dedicated focus and integration / collaboration of the broader industry.
Being challenged with cyber threat resolution and effectiveness can be a daunting task, and a mission-critical one.  According to the "U.S. cybersecurity: Progress stalled" report by PwC, priorities in cyber spending are:

  • 47% new technologies
  • 40% audits and assessments
  • 33% new skills and capabilities
  • 24% redesign of strategy
  • 15% process redesign
  • 15% knowledge transfer participation

Another renowned area of threat is third parties, and so the financial services industry is leading the numbers for due diligence of:

  • 62% third parties
  • 57% contractors
  • 52% software
  • 42% suppliers
  • 40% procurements

Interestingly enough, 19% of the C-suite was not worried about third-party risk, deferring it as an IT matter, yet the CSO/CISO typically reports directly to the CIO... (but not to CSOs, CFOs or CCOs).  So, perhaps it has come full circle: shortage and need vs. investment and ownership.  How does your organization stack up?

Tuesday, November 10, 2015

Win friends and influence people

The key is enhancing relationships and becoming a friendlier person.  It often starts with a welcoming smile that sets a warm tone and rapport.  Being genuinely interested in another person and truly making them feel important is mutually beneficial.  In conjunction, it promotes good listening skills and a true sense of admiration / respect.  When giving feedback, be honest and show sincere appreciation, since everyone's contribution is important. Remember never to criticize or complain, which only damages the relationship.  When you are able to arouse an eager want in the other person, motivation comes from within when completing goals and achieving success. Finally, saying the person's name spells harmony, and in particular, remembering their name is greatly satisfying… another excerpt from Dale Carnegie.

Monday, November 9, 2015

Only as strong as the weakest link - Medical/Healthcare numbers

When comparing security posture and stats for business sectors, does medical/healthcare lag behind other sectors?
The largest increase in theft since 2010 has been medical records, and in 2014, 43% of all data stolen was medical data. Community Health Systems’ breach of 4.5 million patient records helped bring this to the forefront, making medical information 10 times more valuable - according to ITRC data.  Healthcare data exploits are not immediately apparent / exploited, and with persistent growth in EMR (Electronic Medical Records) and voluminous medical device endpoints, risk is expansive/high.

In the past 10 years, there have been approx. 5,500 total breaches and 829 million records breached.  ITRC (Identity Theft Resource Center) labels them into 5 categories: business, financial/credit, educational, government/military and medical/healthcare. Comparing some of the sectors over the last decade shows a trend from Educational in 2005 being the largest target, to Business in 2007-2011, and now Health/Medical in 2012-2014:
Health/Medical: # of Breaches was 16 in 2005 vs. 333 in 2014; representing 10% vs. 43% of overall year volume respectively (and so Health is the largest volume in 2014 comparatively)
Financial/Credit: # of Breaches was 20 in 2005 vs. 43 in 2014; representing 13% vs. 6% of overall year volume respectively (making Financial drop to the lowest volume in 2014 comparatively)
Business: # of Breaches was 25 in 2005 vs. 258 in 2014; representing 16% vs. 33% of overall year volume respectively (hence, Business is the 2nd largest volume in 2014 comparatively)

ITRC started tracking the type of incident in 2007, when nearly 50% resulted from Data on the Move and Accidental Exposure; but in 2014 the leading categories were instead Hacking and Subcontractors:
Data on the move accounted for 123 or 28% overall in 2007 vs. 62 or 8% overall in 2014
Hacking accounted for 63 or 14% overall in 2007 vs. 227 or 29% (now highest incident category)
Subcontractor accounted for 52 or 12% in 2007 vs. 118 or 15% (runner up for 2014)

These stats make for good eye-candy charts, and one might wonder what the totals would be if today's breach notification requirements were applied 10 years ago, and all breaches reported.

Sunday, November 8, 2015

Competitive Edge to Standout

Five drivers for success are interconnected and require skills and attitude.  First is building great self-confidence by stretching our comfort zone, which opens great opportunities.  People skills are key to success, building on trust and integrity.  Building our professional relationships and having a clear vision of our success will resonate with others. This is represented by our communication skills in small to large groups, in one-on-one situations, and being able to think on our feet (by clearly and effectively expressing our thoughts and ideas). Seeking out higher levels of performance will ensure development of our leadership skills, so gaining enthusiastic cooperation in activities performed and with the individuals involved is essential.  Lastly, reducing stress and improving our attitude will allow us to act in a more focused and directed manner…snippets from Dale Carnegie

Saturday, November 7, 2015

Setback for Internet Privacy on Do Not Track

Websites such as Google, Facebook, LinkedIn, etc. do NOT have to honor your “Do Not Track” option, based on the FCC’s (Federal Communications Commission) dismissal of a petition filed by Consumer Watchdog.  The proposed rule would have prevented websites from requiring consumers to consent to being tracked and to having personal information shared for analytics, ads, etc.  This is contrary to the commitment the FCC has established with broadband providers such as AT&T and Comcast (on the basis that it is only involved in transmission); and all the while, the FTC (Federal Trade Commission) has advocated your “Do Not Track” option since 2010.

Wednesday, November 4, 2015

Closing in on Bullseye: breach | loss | downsize

The Minnesota retail giant, Target, is closing 13 stores in January due to declining profits…which follows the closing of 133 Canadian stores and laying off approx. 17,000 people around the same time a year ago.  But let's recap the late 2013 data breach, which likely did not help the big brand:
40 Million credit cards,
70 Million personal records,
46% drop in profits in 2013 Q4,
$10 Million in settlements,
$100 Million in replacement/issuance for banks and credit unions,
$100 Million in payment terminal upgrades / Chip-and-PIN (which likely would not have prevented the breach anyway),
No security lead / responsible party, and of course,
Replacement of CEO and new CISO role within 6 months after breach.

Business model, marketing, culture, etc. have a lot to do with a company's success, but let's focus on the IT Security lessons learned:
Know your threats and risks, and leverage threat intelligence and improved collaboration,
Triage capability to know when to ignore noise vs. addressing real issues promptly,
Security must be part of the business equation, with security accountability at the executive level,
Expeditious communication to respond accordingly (containment, eradication, resiliency), but also transparency and PR for customers and the industry,
Interconnection of networks requires proper segmentation, third party due diligence, and proper account (de)provisioning,
Realize liability from banks, for example, looking to recoup the cost of re-issuance,
No silver bullet, e.g. EMV (Europay, MasterCard, Visa) will not solve/prevent all threats,
Do address the weakest link; your brand depends on it

Tuesday, November 3, 2015

Jamming personal Wi-Fi

First Marriott, now Hilton. Several complaints have been linked to Hilton hotels blocking personal Wi-Fi and hotspots so guests would be required to pay exorbitant hotel internet access fees.  After 1 year of the FCC requesting information on its U.S. brands' Wi-Fi practices, Hilton is being charged $25K (for starters). Investigation unfolding...
Other related fines on the topic include: Marriott paid $600K to the FCC for a similar case settlement, the telecom firm Smart City Holdings was fined $750K, and another to be fined $718K is M.C. Dean at the Baltimore Convention Center (for actually deploying deauthentication devices).  There is some level of truth (as asserted in Marriott's response) that interference and signal degradation, or rogue hotspots, could be a security issue, but the FCC was crystal clear in its message. Maybe not so clear, as opponents cited, is the established policy around blocking, jamming, etc. of Wi-Fi...  Hence, aren't there instances when jamming Wi-Fi could be a benefit, or cases of necessity?

Hooray for the Communications Act, which prohibits interference with Wi-Fi communications. However, that shouldn’t stop hotels, etc. from snooping on your searches or reading anything you transmit over their Wi-Fi network (excluding encrypted/VPN traffic), whose terms you agree to upon signup. Download any sniffer or protocol analyzer, e.g. Wireshark, turn it on and surf the web.  You’ll be able to capture/see the communication exchanges between your machine and the destination.  Now picture your machine connected to a switch trunk port, as network administrators or anyone in the wiring closet/Data Center have access to, and see the population of connected ports/PCs and the traffic generated - which is sometimes logged/archived.
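As an added example (not from the original post, and not tied to any particular hotel network), here is a small Python inspector showing what a passive observer on shared Wi-Fi can read from a captured TCP payload: plaintext HTTP exposes the request line, cookies and form body as-is, while TLS exposes only the server name (SNI) carried in the ClientHello. The payloads, the hostname shop.example and the credentials are constructed sample data.

```python
# Added example (not from the original post): what a passive observer on a shared
# Wi-Fi network sees in a captured TCP payload. Sample payloads are constructed.
def parse_sni(rec: bytes):
    """Return the server_name from a TLS ClientHello record, or None."""
    p = 5 + 4            # skip TLS record header (5) and handshake header (4)
    p += 2 + 32          # client_version + random
    p += 1 + rec[p]      # session_id
    p += 2 + int.from_bytes(rec[p:p + 2], "big")   # cipher_suites
    p += 1 + rec[p]      # compression_methods
    end = p + 2 + int.from_bytes(rec[p:p + 2], "big")  # end of extensions block
    p += 2
    while p + 4 <= end:
        etype = int.from_bytes(rec[p:p + 2], "big")
        elen = int.from_bytes(rec[p + 2:p + 4], "big")
        p += 4
        if etype == 0:   # server_name: list_len(2) name_type(1) name_len(2) name
            nlen = int.from_bytes(rec[p + 3:p + 5], "big")
            return rec[p + 5:p + 5 + nlen].decode()
        p += elen
    return None
def inspect_payload(data: bytes) -> dict:
    """Classify a payload as readable HTTP, TLS (only SNI visible) or unknown."""
    if data[:4] in (b"GET ", b"POST", b"HEAD", b"PUT ") and b"\r\n\r\n" in data:
        head, _, body = data.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        headers = {}
        for line in lines[1:]:           # every header, cookies included, is plaintext
            k, _, v = line.partition(b":")
            headers[k.strip().lower().decode()] = v.strip().decode()
        return {"kind": "http", "request": lines[0].decode(), "headers": headers,
                "body": body.decode(errors="replace")}
    if len(data) >= 6 and data[0] == 0x16 and data[5] == 0x01:  # handshake, ClientHello
        return {"kind": "tls", "sni": parse_sni(data)}
    return {"kind": "unknown"}
def build_client_hello(hostname: str) -> bytes:
    # Minimal TLS 1.2-style ClientHello with one cipher suite and an SNI extension
    name = hostname.encode()
    entry = b"\x00" + len(name).to_bytes(2, "big") + name            # host_name entry
    ext_data = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(ext_data).to_bytes(2, "big") + ext_data   # type 0 = server_name
    exts = len(ext).to_bytes(2, "big") + ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + exts)  # one cipher suite, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs
# Constructed samples: a plaintext login over hotel Wi-Fi versus the same site over TLS.
PLAIN_LOGIN = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\n"
               b"Cookie: session=abc123\r\n\r\nuser=alice&pass=hunter2")
TLS_HELLO = build_client_hello("shop.example")
```

Even with TLS the destination hostname still leaks through SNI, which is why a VPN (hiding everything behind one tunnel endpoint) is the stronger choice on a network you do not control.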

Interestingly enough, the FCC standard minimum for broadband is 4 Mbps, but its Chairman advocates 25 Mbps as the goal (while the current U.S. download average is 11.5 Mbps, according to Akamai). Maybe you stream movies constantly...or perhaps your typing skills are just that fast.  Show me the associated cost!

Monday, November 2, 2015

Say good-bye to email – App for everything

It’s called Slack – email with instant messaging integrated, file storage/sharing capability, and social media app with plenty of emojis.

In nearly 1 year, approx. 500,000 daily active users and 135 paid accounts (according to a venturebeat.com article).  Organizations including Walmart, eBay, Sony, Yelp, the New York Times, and NBCUniversal are already on board.  So, will it be that desktop and mobile friendly app that replaces corporate email?  Or just a collaboration application / chat / IM that runs side by side with Google Docs, SharePoint, Twitter, etc. on your desktop – capable of notification and indexing, in a Twitter-like venue but 2-way?  All communication is visible, though the option to create private group threads or channels is available, making sharing of information available to all via groups (but the address book is basically visible).  That being the case, be sure to check your corporate communication and privacy policy, since dialog will be archived and accessible by admins.  The servers are hosted in Amazon’s AWS data centers, and application security features include: alternative password entry using a web browser, 1-way hashing for passwords, available two factor authentication, a password kill switch for team owners, 256-bit AES and support for TLS 1.2 for messages.  Not that any of these would have prevented the database breach earlier this year - good thing the data was encrypted...

Slack managed to raise $160 million of funding this year (after $43 million a year ago) and isn’t turning a profit yet, but is currently offering additional features for $6.50 per month.  Maybe another form of HipChat or Dropbox trendy app, but the users are diverse and not just Millennials.