Larry Ponemon

The Seventh Annual Study: Is Your Company Ready for a Big Data Breach? sponsored by Experian Data Breach Resolution and conducted by Ponemon Institute tracks the steps companies are taking, or not taking, to respond to a data breach. According to the findings, since 2017 significantly more organizations are having data breaches, highlighting the importance of being prepared.

This year, we surveyed 650 professionals in the United States 456 in EMEA[1]. A comparison of the US and EMEA findings are presented in Part 3 of this report. All respondents work in IT and IT security, compliance and privacy and are involved in data breach response plans in their organizations. In the context of this research, we define a data breach as the loss or theft of information assets, including intellectual property such as trade secrets, contact lists, business plans and source code. Data breaches happen for various reasons including human errors and system glitches. They also happen as a result of malicious attacks, hactivism or criminal attacks that seek to obtain valuable data, disrupt business operation or tarnish reputation.

Organizations are challenged to respond to the loss or theft of confidential business information and intellectual property. Sixty-seven percent of respondents say their organizations are most concerned about the loss or theft of intellectual property. However,  since 2017 the ability to respond to a data breach involving this type of information has not improved significantly. Organizations are better able to respond to breaches that require notification to victims and regulators.

In this year’s research, we introduced the following new topics:

• The maturity of organizations’ privacy and data protection program
• The frequency, consequences and preparedness to deal with spear phishing attacks
• The frequency, consequences and preparedness to deal with ransomware
• The impact of the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) on data breach preparedness

The following findings describe organizations’ abilities to respond to a big data breach

Investments in security technologies are increasing to improve the ability to determine and respond quickly to a data breach. More data breaches are occurring. As a result, 68 percent of respondents say their organizations have increased their investments in security technologies in order to be able to detect and respond quickly to a data breach.

C-suite executives are more knowledgeable than the board of directors about data breach preparedness plans. The C-suite’s knowledge about the data breach preparedness plans is much higher than the board of directors (55 percent of respondents vs. 40 percent of respondents).

Most training and awareness programs are conducted when employees are hired. Seventy-two percent of respondents have a privacy and training program for employees and other stakeholders who have access to sensitive or confidential information. Almost half (49 percent of respondents) say training is conducted during the on-boarding of new employees.

Cyber insurance coverage is focused on attacks by cyber criminals and malicious or criminal insiders. About half of respondents (49 percent) say their organizations have a data breach and cyber insurance policy. Of the 51 percent of respondents who currently do not have a cyber insurance policy, 58 percent will purchase one within the next two years. Eighty-three percent of respondents say it covers incidents caused by cyber criminals and 65 percent of respondents say it covers malicious or criminal insiders. Only 38 percent of respondents say it covers human error, one of the major causes of a data breach.

Since 2017, the coverage of identity protection services to victims has increased significantly. The top areas of coverage are legal defense costs and identity protection and notification costs to data breach victims. Seventy-two percent of respondents say identity protection services are covered, an increase from 64 percent in 2017.

The primary benefit of sharing information about data breach experiences and incident response plans is collaborating with peers. Fifty-seven percent of respondents currently or are planning to participate in a sharing program about data breaches and incident response plans. The primary benefit is that it fosters collaboration among peers and industry groups.

Effectiveness of data breach response plans continues to improve. Since 2017, more respondents say their data breach response plans are very or highly effective. An increase from 49 percent of respondents to 57 percent of respondents. However, 66 percent of respondents say their organizations have not reviewed or updated the plan since it was put in place or have not set a specific time to review and update the plan. Only 26 percent of respondents say it is reviewed annually.

The majority of organizations practice responding to a data breach. Seventy-five percent of respondents say they practice their ability to respond to a data breach. Of these, 45 percent of respondents say they do this twice per year.

More organizations are regularly reviewing physical security and access to confidential information. The primary steps being taken to prepare for a data breach are regular reviews of physical security and access to confidential information (73 percent of respondents) and conducting background checks on new full-time employees and vendors (69 percent of respondents).

Organizations are not confident in their ability to minimize reputational consequences and prevent the loss of customers. To prevent the loss of customers, 62 percent of respondents believe credit monitoring protection for victims is the best protection for consumers and the most effective in keeping customers. However, only 23 percent of respondents say their organization is confident in its ability to minimize the financial and reputational consequences of a material data breach and only 38 percent of respondents say they are effective at doing what needs to be done following a material data breach to prevent the loss of customers’ and business partners’ trust and confidence.

Spear phishing attacks are pervasive and confidence in dealing with them is declining. Sixty-nine percent of respondents had one or more spear phishing attacks and 67 percent of respondents say the negative consequences of these attacks was very significant or significant. Despite the frequency of these attacks, 50 percent of respondents do not train their employees to recognize and minimize spear phishing incidents. Since 2017, respondents who say their organizations are very confident or confident in their ability to deal with spear phishing attacks has declined from 31 percent to 23 percent.

Respondents are even less confident in their ability to deal with ransomware. Only 20 percent of respondents are very confident in their ability. Thirty-six percent of respondents say their organizations had a ransomware attack. The average ransom was $6,128 and 68 percent of respondents say it was paid.

More breaches are international or global in scope and only 34 percent of respondents say they are confident in their organizations’ ability to respond to these breaches. As discussed previously, 63 percent of respondents say their organization had a data breach in the past two years. Forty-five percent of respondents say one more of these breaches were global. Since 2017, respondents reporting that their incident response plan includes processes to manage an international data breach increased significantly from 54 percent to 64 percent. Fifty-seven percent say the plan is specific to each location it operates.

Now that the General Data Protection Regulation (GDPR) has been in effect for more than a year, organizations have improved their ability to comply with it. Fifty-four percent of respondents say they have a high or very high ability to comply with the regulation (an increase from 36 percent) and 50 percent of respondents have a high or very high effectiveness in complying with the data breach notification rules (an increase from 23 percent). Having the necessary security technologies in place to detect the occurrence of a data breach quickly is the number one reason for being effective.

CCPA results in organizations having to make comprehensive changes in business practices. Fifty-six percent of respondents say they are aware of the CCPA and of these respondents, 47 percent of respondents say they are subject to the Act. The top two challenges to compliance with the CCPA are similar to achieving compliance with the GDPR, which are the need to change business practices and not enough budget to hire additional staff.

Lessons learned from organizations with a mature privacy and data protection program

The report presents a special analysis on how the maturity of organizations’ privacy and data protection programs can affect data breach preparedness. Nineteen percent of respondents self-reported that their organization have a mature program, which means that activities are fully defined, maintained across the enterprise and measured with KPIs. In addition, C-level executives are regularly informed about the program’s effectiveness. The following findings are persuasive in showing how making the needed investments to achieve maturity will improve data breach preparedness.

• Mature privacy and data protection programs have fewer data breaches. Fifty-five percent of respondents in mature programs say their organizations had a data breach in the past two years. In contrast, a minimum of 60 percent of respondents in the other levels of maturity report having a data breach.
• Mature programs are more adept at preventing negative public opinion and media coverage. Fifty-five percent of respondents say they are effective in managing the risk of negative opinions and media coverage following a material data breach. In contrast, only 37 percent of respondents in programs that are in the middle stage say they are effective.
• More mature programs represented in this study are increasing investments in security technologies to be able to detect and respond quickly to a data breach.
• Mature programs are more likely to participate in sharing information about their data breach and incident response experiences with government and industry peers.
• Mature programs are better prepared to manage an international data breach. Seventy-one percent of respondents in mature programs say their incident response plan includes processes to manage an international data breach.

 For the full results, visit Experian’s website 

Bob Sullivan

Since the 1973 oil embargo, and the nearly concurrent coining of the term “gridlock,” Americans have mused about telecommuting as the solution to many modern ills. When high-speed Internet began making its way into homes in the late 1990s, telecommuting seemed on the verge of a breakout. Why waste time in traffic jams when email can get to your home office just as quickly?  The promise of returning 10 or so hours each week to workers — not to mention dramatic potential savings in office rental costs — sounded irresistible.

Instead, managers seemed too attached to the physical presence of their employees, and some employees wondered if their stay-at-home co-workers were really getting much done in their jammies.  A bit of a backlash emerged after the turn of the century, reaching its apex when Yahoo CEO Marissa Meyer effectively killed that company’s work from home program.

So much for leaving rush-hour traffic behind.

Today, a scant 3 percent of Americans telecommute most of the time, according to FlexJobs. That means just about as many Americans will suffer through daily “extreme commutes” — lasting more than 90 minutes, each way — as will take advantage of full-time telecommuting.

The Coronavirus might finally change that.

In reaction to the outbreak’s foothold in Seattle, big tech companies in the Pacific Northwest have quickly adopted telecommuting plans.  Microsoft, Amazon, Facebook, and Google have all told employees to work from home whenever possible, and to stay there for most of March.  So has King County, the local government in the Seattle area.  Fred Hutchinson Cancer Research Center told many of its employees they have no choice — they must work at home.

Early 2020 might turn into a forced social experiment that could finally answer the question: Do we need rush hour any more?

“While about 50% of people work from home at least half the week on a regular basis, we still see that only about 3-4% work from home full-time. Now, because of the coronavirus, we’re seeing a real focus on remote work that may very well be a tipping point in terms of wider-spread adoption of full-time remote work,” said Brie Weiler Reynolds, Career Development Manager and Coach at FlexJobs. “It seems that, in this latest situation, companies have more easily jumped to remote work as one big solution to keep employees safe, maintain continuity of operations, and handle the uncertainty day by day.”

Of course, not everyone can work from home. Bus drivers and security workers, for example, must remain at their posts. The Seattle Times has an important story about this newly and rapidly forming digital divide.  That group cannot be ignored in this social experiment.

But it’s hard not to imagine Seattle companies might get used to all those empty desks, not to mention emptier highways, and with new work patterns in place, find a way to continue their ad-hoc work-from home arrangements long-term. It’s a stretch to look for silver linings in today’s climate, but climate researchers have found one when looking at China. Air pollution has plummeted there during the crisis.   It’s easy to imagine that kind of unintended consequence in Seattle as well, as thousands of cars are taken off the road and gridlock is reduced.

Widespread adoption of telecommuting holds out big promises, FlexJobs says: 124 billion fewer car miles driven annually, 8 billion fewer trips, an $8 billion reduction in auto accident costs, 54 million tons less greenhouse gas emissions.

While most companies are sensibly making only short-term plans right now, Weiler expects virus-related work-from-home arrangements will probably last well past the end of March.

“Because the virus’s threat is ongoing and it’s hard to predict how long things may stay this way, we may see companies using remote work daily for the coming weeks or months, and realizing that it’s actually a productive, effective way to work over a long term basis,” she said.

Larry Ponemon

The Ponemon Institute is pleased to present the findings of Data Protection and Privacy Compliance in the Cloud, sponsored by Microsoft. The purpose of this research is to better understand how organizations undergo digital transformation while wrestling with the organizational impact of complying with such significant privacy regulations as the GDPR. This research explored the reasons organizations are migrating to the cloud, the security and privacy challenges they encounter in the cloud, and the steps they have taken to protect sensitive data and achieve compliance.

The Ponemon research qualified 1,049 IT and IT security participants from the United States and the European Union (EU). All of them were familiar with their organization’s approach to privacy and data protection compliance and responsibility for ensuring that personal data is protected in  the cloud environment. Fifty five percent of respondents operate a cloud infrastructure with one primary cloud service provider; 45 percent operate in multiple or hybrid cloud environments.

Privacy concerns are not slowing the adoption of cloud services. The importance of the cloud in
reducing costs and speeding time to market seem to override privacy concerns. Only one-third of US respondents and 38 percent of EU respondents say they have stopped or slowed their adoption of cloud services because of privacy concerns,

Most privacy-related activities are easier to deploy in the cloud. These include such governance practices as conducting privacy impact assessments, classifying or tagging personal data for sensitivity or confidentiality, and meeting legal obligations, such as those of the GDPR. However, managing incident response is considered easier to deploy on premises than in the cloud.

However, most organizations lack confidence in, visibility into, and a clear delineation
of responsibility for managing privacy in the cloud.

• Despite the anticipated increase in the importance of the cloud in meeting privacy and data protection objectives, 53 percent of US and 60 percent of EU respondents are not confident that their organization currently meets their privacy and data protection requirements. This lack of confidence may be because most organizations are not vetting cloud-based software for privacy and data security requirements prior to deployment.
  • Organizations are reactive and not proactive in protecting sensitive data in the cloud. Specifically, just 44 percent of respondents are vetting cloud-based software or platforms for privacy and data security risks, and only 39 percent are identifying information that is too sensitive to be stored in the cloud.
  • Just 29 percent of respondents say their organizations have the necessary 360-degree visibility into the sensitive or confidential data collected, processed, and/or stored in the cloud. Organizations also lack confidence that they know all the cloud applications and platforms that they have deployed.
  • In most organizations, the IT security and compliance teams are not responsible for ensuring
  security safeguards and compliance with privacy and data protection regulations. Thirty six percent of respondents expect the cloud service provider to ensure the security of SaaS applications. In contrast, 46 percent of respondents say the organization is responsible. Further, privacy and data protection teams are rarely involved in evaluating cloud applications or platforms when they are under consideration. Almost half of respondents (49 percent) rarely or never determine if certain cloud applications or platforms meet data protection and privacy requirement.

Part 1: Privacy concerns are not slowing migration to the cloud, but organizations struggle to ensure the protection of data

Cloud services or platforms are used to achieve faster deployment and reduce costs.
The top two reasons for using cloud services and platforms are faster deployment
time and lower costs.

Cost savings, scalability, and faster time to market are the top reasons for migrating
to the cloud — 67 percent of respondents agree that migration results in cost savings and 64 percent of respondents agree that it enables scalability and faster time to market. More than half (54 percent) of the respondents believe migration will improve security and privacy protections.

There is no consensus about who is responsible for addressing privacy and data
protection requirements. Respondents were asked who in their organization would be most responsible for ensuring that SaaS and PaaS applications meet privacy and data protection requirements. Some assigned this responsibility to the cloud service provider; some state that the company and the cloud service provider share the responsibility; others allocate the responsibility within the company among end users and IT.

The importance of both SaaS and PaaS in meeting privacy and data protection
objectives will increase significantly —  64 percent of respondents say that deploying SaaS will be essential or very important in meeting privacy and data protection objectives over the next two years. Fifty-three percent of respondents say using PaaS will be essential or very important.

Respondents are not confident that their current use of SaaS and PaaS meets privacy
and data protection requirements. Currently the majority of respondents are not confident that their SaaS applications and PaaS resources meet privacy and data protection requirements. More respondents (60 percent) lack confidence in the privacy and data protection capabilities of PaaS.

Confidence in SaaS and PaaS applications is low because most organizations are not
vetting them for privacy and data security requirements prior to deployment.
As discussed previously, there is a lack of confidence in the ability of SaaS and PaaS applications to protect and secure data. Why? Fifty percent of respondents say their organizations are not
vetting their SaaS applications before deployment and 58 percent say PaaS resources are not being vetted.

To read the rest of this study, visit Microsoft’s website.

Bob Sullivan

When the Center for Facial Restoration announced it had been hit by ransomware recently, the hack attack might have sounded like just another expensive cyber incident for a small business. But the hack of the rhinoplasty practice near Miami included another, darker threat. The criminals added another potential revenue stream to their enterprise — extorting patients by threatening release of potentially embarrassing photos.

So in addition to worrying about restoring data that had been encrypted with malware, Dr. Richard E. Davis had to worry about the publication of before and after photos that might humiliate patients.

This dual threat — criminal hackers stealing data before they scramble it with ransomware — parallels the recent global incident involving currency exchange company Travelex.  It’s a disturbing new trend among computer criminal gangs.

When the Center for Facial Restoration announced on its website recently that it had been hit by ransomware, the firm’s website had to add this chilling warning.

“(Hackers) demanded a ransom negotiation, and as of November 29, 2019, about 15-20 patients have since contacted (the firm) to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met,” the warning said, “I filed a formal complaint with the FBI Cyber Crimes Center and two days later met with the FBI where they recorded detailed information regarding the cyberattack and ransom demands. The investigation is currently ongoing.”

It’s easy to imagine the seriousness of that kind of threat. On its website, the center says it specializes in repairing other rhinoplasty — or “nose job” — surgeries that left patients unsatisfied.

“Do you avoid cameras or social situations? Let cosmetic rhinoplasty restore your self confidence with a natural-looking, attractive nose that suits your face,” the website says. “Get ready to look at the camera and smile.”

The firm has not immediately responded for comment, so it’s unclear if more patients have been threatened with extortion. But Davis told HealthITSecurity.com that he hopes the damage was limited by recent security upgrades.

“While upgrading my defenses clearly won’t help those individuals whose data has already been stolen, there is reason to suspect that the theft of patient photographs may be limited to only a very small number of individuals – mostly those patients who used email to send or receive their photographs – so the upgrades may prove useful,” Davis said.

But the trend has security professionals worried.

“At least one other ransomware group is also routinely stealing data prior to encrypting it: Maze,” said Brett Callow, a threat analyst who studies ransomware for security firm Emsisoft. “This is a recent and concerning development, especially given how susceptible the public and private sectors seem to be ransomware attacks.”

The double-whammy of ransomware and data breach can leave victim firms scrambling to respond.

“An organization whose data is stolen has no good options available,” Callow said. “Refusal to pay will probably result in the data being published; payment will get them a pinky promise that the data will be deleted. And, as that pinky promise is being made by a criminal enterprise, it carries very little weight.”

Emisoft’s 2019 report about ransomware victims found that nearly 1,000 government agencies, non-profits, and medical organizations were victims of such criminal attacks last year — and there no indication the attacks are slowing down. The dual threat gives small organizations something else to worry about.

“I am dismayed to report (our office)… was the victim of a criminal cyberattack,” Davis says on his website.  “I deeply regret that individuals currently or formally under my care have been victimized by this criminal act, and I urge you to monitor your financial information closely. … . I am sickened by this unlawful and self-serving intrusion, and I am truly very sorry for your involvement in this senseless and malicious act.”

Larry Ponemon

While all industries must ensure appropriate data protection safeguards are in place, the financial services industry must be especially vigilant for a variety of reasons. These include the value of the data to attackers, the need to comply with difficult regulations and prevent costly fines and the importance of maintaining the trust and confidence of consumers. The purpose of this research is to understand the threats to financial technology and software and steps taken to minimize the risks.

Sponsored by Synopsys, Ponemon Institute surveyed 414 IT and IT security practitioners in all sectors of the financial services industry including banking, insurance, mortgage lending/processing and brokerage.

All participants in this research are involved in assessing the security of financial applications within their organizations. Their roles include installation and implementation of financial applications, development and manufacture of financial applications, provider of services to the financial industry.

(Visit Synopsys for the full study; the results are summarized here.)

Financial service companies worry about the third-party risk. We asked respondents to rate their concern about the cybersecurity posture of financial software systems developed by their organization or supplied by a third party from a scale of 1 = not concerned to 10 = very concerned. Figure 1 shows the most concerned responses (7+ on the ten-point scale).

According to respondents, 74 percent of respondents are very concerned about the security of financial software and systems supplied by a third party. However, only 43 percent of respondents require contractors, business parties and other third parties to adhere to their cybersecurity requirements. Fewer respondents (62 percent) are very concerned about the financial software and systems developed by their organizations.

Part 2. Key findings

In this section, we provide a deeper dive into the findings of the research. The complete audited findings are presented in the Appendix of the report. We have organized the research into the following topics.

• The cybersecurity posture of financial services companies
• Risks to financial software and applications
• Security practices in the design and development of financial service software and technologies

The cybersecurity posture of financial services companies

Most companies are effective in detecting and containing cyberattacks. Respondents were asked to rate their effectiveness in preventing, detecting and containing cyberattack from a scale of 1 = ineffective to 10 = very effective. The majority of respondents are confident in their effectiveness in detecting (56%) and containing (53%) attacks but less so in preventing an attack (only 31%).

Most organizations have a cybersecurity program or team. Sixty-seven percent of respondents say their organizations have a cybersecurity program or team. Some  60 percent of respondents say cybersecurity is part of the traditional IT cybersecurity team and more than half (51 percent of respondents) say the cybersecurity team is decentralized, with cybersecurity experts attached to specific product development teams. Only 23 percent of respondents say cybersecurity is the responsibility of product development.

Pen testing and dynamic security testing/DAST are considered the most effective in reducing cybersecurity risks. Some 65 percent of respondents say pen testing and 63 percent of respondents say dynamic security testing/DAST are the most effective activities in reducing cybersecurity risks. Also effective are security patch management, system debugging and threat modeling.

Organizations need more resources and in-house expertise to mitigate cybersecurity risks. Only 45 percent of respondents say they have adequate budget to address cybersecurity risks and only 38 percent of respondents say their organizations have the necessary cybersecurity skills.

Respondents are more concerned about the cybersecurity posture of the financial services industry than the difficulty in complying with regulations. Respondents were asked to indicate their concern about cybersecurity risks on a scale of 1 = no concern to 10 = very concerned. Some 65 percent of respondents are very concerned about the cybersecurity posture of the financial services industry. Despite new regulations, such as NYDFS, 61 percent of respondents say regulatory requirements in the financial services industry are not keeping pace with changing financial technologies.

Risks to financial software and applications

Cloud migration tools pose the greatest cybersecurity risk. Of the software and technologies that pose the greatest cybersecurity risk to financial services companies, 60 percent of respondents say cloud migration tools followed by blockchain tools (52 percent of respondents) create the greatest risk.

The threat of malicious actors is motivating companies to apply cybersecurity-related controls in financial software and technologies.  Some 84 percent of respondents say their organizations are very concerned (7+ on a scale of 1 = not concerned to 10 = very concerned) that a malicious actor may target the financial software and technology developed by or used by their organizations. As a result, 83 percent of respondents say there is a very high urgency (7+ on a scale of 1 = low urgency to 10 = high urgency) to apply cybersecurity-related controls in financial software and systems. Only 25 percent of respondents are confident that security vulnerabilities in financial software and systems can be detected before going to market (7+ on a scale of 1 = not confident to 10 = very confident).

To read the rest of the results, and more comprehensive analysis, visit the Synopsys website.

Click to read the report (in English)

Bob Sullivan

Earlier this week, Bernie Sanders told The New York Times that he had no apps on his smartphone, citing a semi-anonymous but militant cybersecurity staffer named “Melissa” who keeps him safe.  There’s fresh evidence this week that we should all listen to Melissa.

Two separate studies have found that seemingly harmless beauty and dating apps are repeatedly violating users’ privacy, sharing intimate details of their lives — including granular location data — with a vast network of commercial firms looking to exploit it.

As I’ve mentioned in our So, Bob podcast “No Place to Hide,” the privacy-violating arena exists because of a “big fish eat little fish” ecosystem. The big money for surveillance capitalism — AdTech — wouldn’t exist if large companies didn’t support it. Here, you’ll see how it works.

The first report, published by a Norweigian government consumer agency, alleges that the makers of Grindr, Tinder, OkCupid, and several other similar apps packages up user data and sells it to third-party advertisers without user consent or knowledge, a violation of European privacy laws. The report, titled Out of Control, claims “a large number of shadowy entities that are virtually unknown to consumers are receiving personal data about our interests, habits, and behavior.” The 10 apps studied sent data to at least 135 companies, the report found.

For example: “The dating app Grindr shared detailed user data with a large number of third parties that are involved in advertising and profiling. This data included IP address, Advertising ID, GPS location, age, and gender,” the report says. “Twitter’s adtech subsidiary MoPub was used as a mediator for much of this data sharing, and was observed passing personal data to a number of other advertising third parties including the major adtech companies AppNexus and OpenX. Many of these third parties reserve the right to share the data they collect with a very large number of partners.”

The report also studied a makeup app named Perfect360, accusing it of sharing GPS and other data with at least 70 partners.

A separate study, published by a new Lithuanian-based security news site named Cybernews.com, focused entirely on makeup and selfie enhancement apps and found similarly troubling results.

The so-called beauty app category is immensely popular, especially with young women and girls — individual apps boast of as many as 300 million downloads. Cybernews found many of the apps request permissions they don’t need to perform the simple task of fine-tuning selfies.  Among the findings, according to Cybernews:

● Three seemingly separate developers seem to be run by the same group, and may be connected to apps previously found to contain a widely-dispersed Trojan
● One app developer was found to install malware through its software
● Unnecessary permissions include recording audio, using GPS, and seeing users’ phone statuses
● While only a few permissions are required for the app function, one app includes a whopping 40 total permissions
● More than half (16) of these apps are based in Hong Kong or China

In other words, Chinese app developers know an awful lot about the whereabouts of many teen-age Western girls.

“So why does a beauty and filter camera app needs to record audio, track your GPS location, or read through your contacts list? The apps may be free, but they are selling your data and the more they know about you, the more valuable your details become,” the report says. It sites a Buzzfeed article claiming that app makers can earn $4 a month for every 1,000 app users from tracking companies looking for location data. “If they have 1 million active users, they can get $4,000 a month.”

U.S. consumer groups reacted strongly to the report out of Norway; a coalition of nine urged the Federal Trade Commission to open an investigation on Monday.

 “The illuminating report by our EU ally the Norwegian Consumer Council highlights just how impossible it is for consumers to have any meaningful control over how apps and advertising technology players track and profile them,” said Susan Grant, Director of Consumer Protection and Privacy, Consumer Federation of America. “That’s why Consumer Action is pressing for comprehensive U.S. federal privacy legislation and subsequent strong enforcement efforts. Enough is enough already! Congress must protect us from ever-encroaching privacy intrusions.”

The coalition also asked attorneys general in California, Texas, and Oregon to investigate.

Larry Ponemon

Ponemon Institute is pleased to present the results of the 2019 State of Cybersecurity in Global Small and Medium Size Businesses sponsored by Keeper Security. This is the third annual study that focuses exclusively on organizations with a headcount of less than 100 to 1,000.

We surveyed 2,176 individuals in companies in the United States, the United Kingdom and for the first time DACH (Germany, Austria, Switzerland), Benelux (Belgium, Netherlands, Luxemburg) and Scandinavia (Denmark, Norway and Sweden).

In addition to tracking trends in cyberattacks and data breaches, this year’s study reveals how SMBs are unprepared to deal with risks created by third parties and Internet of Things (IoT).

“Cybercriminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs,” said Dr. Larry Ponemon, chairman and founder, The Ponemon Institute. “The 2019 Global State of Cybersecurity in SMBs report demonstrates cyberattacks are a global phenomenon- and so is the lack of awareness and preparedness by businesses globally. Every organization, no matter where they are, no matter their size, must make cybersecurity a top priority.”

A key takeaway from this research is that over the past three years there has been a significant increase in SMBs experiencing a data breach. In addition, 66 percent of respondents say their organization experienced a cyberattack in the past 12 months.

In the aftermath of these incidents, these companies spent an average of $1.2 million, an increase from $1.03 million in 2017, because of damage or theft of IT assets and infrastructure. In addition, disruption to normal operations cost an average of $1.9 million, an increase from $1.21 million in 2017.

Key findings:

Phishing and web-based attacks are the top two cyberattacks. Seventy-two percent of respondents say that they have experienced at least one cyberattack.  Phishing/social engineering is the number one attack SMBs experience (53 percent of respondents). Other frequent attacks are web-based attacks and general malware (50 percent and 39 percent of respondents, respectively).

The financial consequences of security compromises and business disruptions to SMBs are severe. The average cost of recovering from business disruption has increased significantly since 2017.  The average cost of dealing with damage or theft of IT assets and infrastructure declined from $1.43 million in 2018 to $1.24 million in 2019.

The time to respond to a cyberattack has increased or not improved. According to Figure 4, only 26 percent of respondents (16 percent + 10 percent) say their organizations have been able to decrease the time it takes to respond to a cyberattack.

Cyber threats against SMBs are becoming more targeted. Since 2017, SMBs report that cyber threats are more targeted, an increase from 60 percent to 69 percent of respondents in 2019. Most respondents say cyberattacks against their companies are severe and sophisticated (61 percent and 60 percent, respectively) and this has not changed since 2017 as shown in Figure 5.

More SMBs say the laptop is the most vulnerable endpoint or entry point to networks and enterprise systems. Mobile devices and laptops are considered, by far, the most vulnerable endpoint or entry point to respondents’ companies’ networks and enterprise systems. Since 2017, respondents who believe laptops are vulnerable increased from 43 percent of respondents to 56 percent of respondents.

More mobile devices will be used to access business-critical applications and IT infrastructure. On average, companies represented in this research have 120 business-critical applications and an average of 48 percent of these business-critical applications are accessed from mobile devices such as smartphones and tablets. This is an increase from 45 percent in last year’s research.  Nearly half (49 percent) of respondents say these devices diminish their companies’ security posture.

SMBs continue to struggle with insufficient personnel and money. Only 30 percent of respondents rate their organization’s IT security posture in terms of its effectiveness at mitigating risks, vulnerabilities and attacks across the enterprise as very high.

The biggest problem is not having the personnel to mitigate cyber risks, vulnerabilities and attacks (77 percent of respondents). The next biggest challenges are insufficient budget (55 percent of respondents) and no understanding of how to protect against cyberattacks (45 percent of respondents). Since 2017, the challenge of not having sufficient enabling security technologies has decreased from 43 percent of respondents to 36 percent of respondents.

Sixty-five percent of respondents say their budget for achieving a strong security posture is inadequate or unsure and 42 percent of respondents say they have an appropriate level of in-house expertise. Only an average 13 percent of the IT budget is dedicated to IT security activities and an average of 37 percent of the IT personnel support IT security operations.

Leadership in determining IT security priorities is lacking. As shown in Figure 10, 34 percent of respondents say no one person is responsible for determining IT security priorities, an increase from 30 percent of respondents in 2017. According to the findings, responsibility for companies’ IT security strategy is dispersed throughout the company.

To access the full report. visit Keeper Security’s website

Bob Sullivan

Amy Boyer, I sometimes say, was the first person murdered by the Internet.  Twenty years ago this fall, she was gunned down in cold blood by stalker Liam Youens. He found Amy by hiring a data broker, and told everyone about that on his website.

“It’s actually obscene what you can find out about a person on the Internet,” he wrote.

It still is.

Back then, Amy’s family launched a memorial website, and urged people to think long and hard about what this new technology is doing to our world.

Alia Tavakolian and I have spent the past 7 months talking to every privacy expert we could get into to studio.  We even interviewed the private investigator who tracked down the data brokers involved in Amy’s death. And this week, we launched a 6-part series on the state of privacy in America. The series is produced by Spoke Media, my partner in Breach and So, Bob. Intel, the chipmaker, sponsored the series but has no editorial control over it. The name No Place to Hide is a tip of the cap to a great book by that name published by Washington Post reporter Robert O’Harrow in 2006.

Episode One confronts the chilling reality that privacy isn’t a first-world problem, a luxury — for violence victims on the run, privacy can be a matter of life and death.  But if we build a tech world that respects these victims, a world that presumes everyone might have a safety risk from privacy violations, we’ll all be better off.

I’m really proud of the result, and I hope you’ll give it a listen. I know there are a lot of big issues facing our time — the environment, cyberwar, extremism — but I think privacy ranks right among them as a crisis that deserves our focus and attention. What’s more, most people — even those on politically opposite sides of the spectrum — generally seem to agree on privacy.  Still, it’s getting away from us. Technology is running ahead of our laws, ethics and institutions.  Just this week, the Baltimore Sun reported on a proposal to have surveillance aircraft in the skies, taking 24-hour-a-day footage of the city, to fight crime.  It’s not science fiction. In fact, the city already tested the idea back in 2016.  It’s a tactic borrowed from war zones. Maybe, if crime was bad enough on your block, you’d agree to this kind of surveillance.  But we’ve barely begun to discuss how to control the images, who gets to see them and why, and if this is really the world we want to live in.

Privacy is very hard to define. You’ll hear in the podcast that I struggle with this, even after writing about privacy for 25 years. I hope this series helps kick-start the discussion.

(Listen to this podcast at Stitcher, or at iTunes)

Larry Ponemon

It doesn’t take the stealth and sophistication of a cyber attacker to cause a data breach. A careless employee leaving a sensitive document in a communal printing tray or a malicious insider intent on stealing information in documents that have not been properly destroyed can result in the loss or theft of critical information assets.

Sponsored by Shred-it, the research reveals the inadequacies in organizations’ policies regarding the protection of confidential documents in the workplace. Ponemon Institute surveyed 650 individuals who work in both IT security and non-IT positions in North American organizations. All respondents are knowledgeable about their organization’s strategy for the protection of confidential and sensitive information.

“The report reveals two key factors about information security in North American businesses– employee negligence, intentional or not, can be a leading contributor to data breaches and that businesses should equally consider the needs for cybersecurity and physical information security within their organization,” said Ann Nickolas, Senior Vice President, Stericycle, the provider of Shred-it information security solutions. “Although cybersecurity is no doubt an important element of protection, businesses should look to strike a balance between investing in physical security and cybersecurity, as well as integrating better communication with employees on risk factors, to best arm themselves against potential breaches”

Many data breaches involve the loss or theft of information contained in paper documents and electronic devices. According to the findings, 68 percent of respondents say their organization experienced a data breach in the past 12 months. Of these respondents, 69 percent say one or more of these data breaches involved the loss or theft of paper documents or electronic devices containing sensitive or confidential information.

Why documents containing sensitive and confidential information are at risk:

There is a security disconnect in the protection of confidential documents. The chief information security officer and chief security officer are most responsible for protecting confidential information, according to 21 percent and 18 percent of respondents. However, they rarely have responsibility for granting access to paper documents or electronic devices containing sensitive or confidential information.

Most companies are not training employees about secure disposal. Only 45 percent of respondents say their organizations have a process for disposing of paper documents containing sensitive or confidential information after they are no longer needed. Less than half (46 percent of respondents) say their organizations are training employees about the steps they should be taking to ensure documents are appropriately disposed of. Furthermore, very few respondents say their organizations automate restrictions to print from specific devices and to print specific files, 29 percent and 27 percent, respectively.

Organizations are not taking basic precautions to prevent the loss or theft of confidential documents. Confidential documents are not secure because few organizations are requiring employees and contractors to lock their desks and file cabinets (38 percent of respondents). Only 33 percent of respondents say they prevent unauthorized access to document storage facilities and 31 percent of respondents say a clean desk policy is enforced.

The lack of policies and training for the secure disposal is having an effect on respondents’ confidence in keeping confidential documents secure. Only one-third of respondents have confidence in their organizations’ ability to govern the use, protection and disposal of paper documents. Fewer respondents (26 percent) have confidence in having visibility into what employees are doing with confidential documents.

Organizations are unable to restrict employees’ access to paper documents they should not see. Most respondents (61 percent) are unsure or disagree that the protection of paper documents is just as important as the protection of electronic records. As a result, 60 percent of respondents strongly agree or agree that employees, temporary employees and contractors have access to paper documents that are not pertinent to their role or responsibility.

Only 37 percent of respondents strongly agree or agree that it is convenient for employees and contractors to destroy paper documents with sensitive and confidential information. The fact that only 41 percent of respondents agree employees and contractors recognize the types of information that are sensitive or confidential demonstrates the lack of training in organizations.

Confidential documents are left in plain sight. Sixty-five percent of respondents are concerned that employees or contractors have printed and left behind a document that could lead to a data breach. Even more respondents (71 percent) admit they have picked up or seen a paper document in a public space that contained sensitive or confidential information.

More than half (51 percent of respondents) say they either keep the document or throw it in the garbage. Only 33 percent of respondents say they shred the document after reviewing it.

Sensitive or confidential information is exposed because of sending and receiving emails not intended for the recipient. Seventy-seven percent of respondents admit to sending emails containing sensitive or confidential information to the wrong person. Eighty-eight percent of respondents say they have received such emails.

In the report, we provide a deeper dive into the key findings. The complete audited findings are presented in the Appendix. We have organized the report according to the following themes:

• Steps taken to protect confidential information in paper documents and electronic devices
• Reasons for the insecurity of confidential documents in the workplace
• The practices of organizations that are confident in their ability to protect sensitive information in paper documents

Read the full report at Shred-It’s website.

Bob Sullivan

It was a shock in August when Twitter CEO Jack Dorsey’s Twitter account started sending out racist Tweets.  He’d been hacked, of course, but perhaps the biggest shock of all was how easy it was — @Jack was the victim of simple SIM card swapping.

SIM “hacking” isn’t new — basically cell phone hijacking — but it’s become much more important of late, for a whole host of reasons. The biggest: Our smartphones have become our new passwords, so criminals who can control the gadgets can control our digital lives.  We’ve spent years (rightly) pushing consumers towards two-factor authentication, but as so often happens in the world of security, we’ve traded one problem for another. We all agree that Social Security numbers make terrible passwords, so we’ve switched to phone numbers now.  And the fallout is just beginning.

Everyone who’s ever upgraded their cell phone at home knows what a SIM card swap is.  You tell your mobile provider to send your calls and texts to your new phone, rendering the old one useless.  This can involve literal swapping of a SIM (subscriber identification module) card. Today, it often happens via software and over-the-air updates. Easy enough.

The problem occurs when a criminal convinces a mobile provider to “upgrade” your phone to a phone they control. That means the criminal is now able to intercept all calls and text messages headed to you.  Big problem. If your bank is looking to authenticate you with a 6-digit code at login, well, there goes that security method.  And if you are the CEO of Twitter, a SIM card swap hack can give criminals a chance to publicly embarrass you.

It should also make you think: Wouldn’t Twitter Jack have pretty tight controls on his account?  Yet still criminals were able to access it? Can you think of anyone else with a high-profile account that would make a juicy target for hackers?

You are a juicy target, too. I’ve written a lot about theft from Zelle and other P2P payment accounts recently. Some victims have no idea how it happened, leading me to imagine that in some cases, SIM card swapping could be at play.  Really any account that relies on an SMS text message for login could be a target.

If you are a smartphone owner, this should make you personally nervous. Think of all the things criminals could do if they could access your text messages.

Mobile providers are trying to fix this problem, but they are a long way from having a great solution, In the meantime, you have to act to protect yourself. I’m really glad Liz Weston wrote about this recently for the Associated Press and NerdWallet. You should read her story in the Washington Post, which includes a few thoughts from me. But here’s my need-to-know information for you.

RED TAPE WRESTLING TIPS

• Know the signs: If you are the victim of a SIM Swap, your handset suddenly won’t work. Texts won’t go through. That might look to you like you just hit a spot with no cell signal, but your phone won’t show a weak signal: It’ll show no signal.  If this happens, be on heightened alert. Maybe it’s a false alarm. But now you know that maybe it’s a sign you’ve been hacked. Now, time is of the essence. Criminals aren’t doing this for fun, they are doing this to steal money.
• Have an emergency plan: If your phone is hacked, it won’t work. So you can’t count on calling customer service to ask what’s wrong.  Your phone won’t work! Do you have a second phone, or quick access to one? Do you know how to Tweet at / email customer service, or use Skype from a laptop?  When a SIM hack happens, you need to reach out to your mobile provider fast. Have a plan for that.
• Teach customer service: When you reach an operator at your mobile provider, don’t count on him or her knowing what’s going on. SIM Swapping is still new to some of them.  You might have to teach them what it is. Keep this story handy, or Liz Weston’s story. Send them to my website.  The quicker you get past front-line customer service to a knowledgable operator, the less time hackers will have to root around your digital life.
• Use Authenticator, not SMS: Two-factor authentication is good. But using SMS/text messages as that second factor isn’t great.  Many sites allow use of a token generator, like Google’s Authenticator app. That’s a much safer way to protect your accounts than text messages.  Make the switch now, while you’re thinking about it.
• Consider adding a PIN code. Yes, another one. To your mobile account.