Larry Ponemon

While all industries must ensure appropriate data protection safeguards are in place, the financial services industry must be especially vigilant for a variety of reasons. These include the value of the data to attackers, the need to comply with difficult regulations and prevent costly fines and the importance of maintaining the trust and confidence of consumers. The purpose of this research is to understand the threats to financial technology and software and steps taken to minimize the risks.

Sponsored by Synopsys, Ponemon Institute surveyed 414 IT and IT security practitioners in all sectors of the financial services industry including banking, insurance, mortgage lending/processing and brokerage.

All participants in this research are involved in assessing the security of financial applications within their organizations. Their roles include installation and implementation of financial applications, development and manufacture of financial applications, provider of services to the financial industry.

(Visit Synopsys for the full study; the results are summarized here.)

Financial service companies worry about the third-party risk. We asked respondents to rate their concern about the cybersecurity posture of financial software systems developed by their organization or supplied by a third party from a scale of 1 = not concerned to 10 = very concerned. Figure 1 shows the most concerned responses (7+ on the ten-point scale).

According to respondents, 74 percent of respondents are very concerned about the security of financial software and systems supplied by a third party. However, only 43 percent of respondents require contractors, business parties and other third parties to adhere to their cybersecurity requirements. Fewer respondents (62 percent) are very concerned about the financial software and systems developed by their organizations.

Part 2. Key findings

In this section, we provide a deeper dive into the findings of the research. The complete audited findings are presented in the Appendix of the report. We have organized the research into the following topics.

• The cybersecurity posture of financial services companies
• Risks to financial software and applications
• Security practices in the design and development of financial service software and technologies

The cybersecurity posture of financial services companies

Most companies are effective in detecting and containing cyberattacks. Respondents were asked to rate their effectiveness in preventing, detecting and containing cyberattack from a scale of 1 = ineffective to 10 = very effective. The majority of respondents are confident in their effectiveness in detecting (56%) and containing (53%) attacks but less so in preventing an attack (only 31%).

Most organizations have a cybersecurity program or team. Sixty-seven percent of respondents say their organizations have a cybersecurity program or team. Some  60 percent of respondents say cybersecurity is part of the traditional IT cybersecurity team and more than half (51 percent of respondents) say the cybersecurity team is decentralized, with cybersecurity experts attached to specific product development teams. Only 23 percent of respondents say cybersecurity is the responsibility of product development.

Pen testing and dynamic security testing/DAST are considered the most effective in reducing cybersecurity risks. Some 65 percent of respondents say pen testing and 63 percent of respondents say dynamic security testing/DAST are the most effective activities in reducing cybersecurity risks. Also effective are security patch management, system debugging and threat modeling.

Organizations need more resources and in-house expertise to mitigate cybersecurity risks. Only 45 percent of respondents say they have adequate budget to address cybersecurity risks and only 38 percent of respondents say their organizations have the necessary cybersecurity skills.

Respondents are more concerned about the cybersecurity posture of the financial services industry than the difficulty in complying with regulations. Respondents were asked to indicate their concern about cybersecurity risks on a scale of 1 = no concern to 10 = very concerned. Some 65 percent of respondents are very concerned about the cybersecurity posture of the financial services industry. Despite new regulations, such as NYDFS, 61 percent of respondents say regulatory requirements in the financial services industry are not keeping pace with changing financial technologies.

Risks to financial software and applications

Cloud migration tools pose the greatest cybersecurity risk. Of the software and technologies that pose the greatest cybersecurity risk to financial services companies, 60 percent of respondents say cloud migration tools followed by blockchain tools (52 percent of respondents) create the greatest risk.

The threat of malicious actors is motivating companies to apply cybersecurity-related controls in financial software and technologies.  Some 84 percent of respondents say their organizations are very concerned (7+ on a scale of 1 = not concerned to 10 = very concerned) that a malicious actor may target the financial software and technology developed by or used by their organizations. As a result, 83 percent of respondents say there is a very high urgency (7+ on a scale of 1 = low urgency to 10 = high urgency) to apply cybersecurity-related controls in financial software and systems. Only 25 percent of respondents are confident that security vulnerabilities in financial software and systems can be detected before going to market (7+ on a scale of 1 = not confident to 10 = very confident).

To read the rest of the results, and more comprehensive analysis, visit the Synopsys website.

Click to read the report (in English)

Bob Sullivan

Earlier this week, Bernie Sanders told The New York Times that he had no apps on his smartphone, citing a semi-anonymous but militant cybersecurity staffer named “Melissa” who keeps him safe.  There’s fresh evidence this week that we should all listen to Melissa.

Two separate studies have found that seemingly harmless beauty and dating apps are repeatedly violating users’ privacy, sharing intimate details of their lives — including granular location data — with a vast network of commercial firms looking to exploit it.

As I’ve mentioned in our So, Bob podcast “No Place to Hide,” the privacy-violating arena exists because of a “big fish eat little fish” ecosystem. The big money for surveillance capitalism — AdTech — wouldn’t exist if large companies didn’t support it. Here, you’ll see how it works.

The first report, published by a Norweigian government consumer agency, alleges that the makers of Grindr, Tinder, OkCupid, and several other similar apps packages up user data and sells it to third-party advertisers without user consent or knowledge, a violation of European privacy laws. The report, titled Out of Control, claims “a large number of shadowy entities that are virtually unknown to consumers are receiving personal data about our interests, habits, and behavior.” The 10 apps studied sent data to at least 135 companies, the report found.

For example: “The dating app Grindr shared detailed user data with a large number of third parties that are involved in advertising and profiling. This data included IP address, Advertising ID, GPS location, age, and gender,” the report says. “Twitter’s adtech subsidiary MoPub was used as a mediator for much of this data sharing, and was observed passing personal data to a number of other advertising third parties including the major adtech companies AppNexus and OpenX. Many of these third parties reserve the right to share the data they collect with a very large number of partners.”

The report also studied a makeup app named Perfect360, accusing it of sharing GPS and other data with at least 70 partners.

A separate study, published by a new Lithuanian-based security news site named Cybernews.com, focused entirely on makeup and selfie enhancement apps and found similarly troubling results.

The so-called beauty app category is immensely popular, especially with young women and girls — individual apps boast of as many as 300 million downloads. Cybernews found many of the apps request permissions they don’t need to perform the simple task of fine-tuning selfies.  Among the findings, according to Cybernews:

● Three seemingly separate developers seem to be run by the same group, and may be connected to apps previously found to contain a widely-dispersed Trojan
● One app developer was found to install malware through its software
● Unnecessary permissions include recording audio, using GPS, and seeing users’ phone statuses
● While only a few permissions are required for the app function, one app includes a whopping 40 total permissions
● More than half (16) of these apps are based in Hong Kong or China

In other words, Chinese app developers know an awful lot about the whereabouts of many teen-age Western girls.

“So why does a beauty and filter camera app needs to record audio, track your GPS location, or read through your contacts list? The apps may be free, but they are selling your data and the more they know about you, the more valuable your details become,” the report says. It sites a Buzzfeed article claiming that app makers can earn $4 a month for every 1,000 app users from tracking companies looking for location data. “If they have 1 million active users, they can get $4,000 a month.”

U.S. consumer groups reacted strongly to the report out of Norway; a coalition of nine urged the Federal Trade Commission to open an investigation on Monday.

 “The illuminating report by our EU ally the Norwegian Consumer Council highlights just how impossible it is for consumers to have any meaningful control over how apps and advertising technology players track and profile them,” said Susan Grant, Director of Consumer Protection and Privacy, Consumer Federation of America. “That’s why Consumer Action is pressing for comprehensive U.S. federal privacy legislation and subsequent strong enforcement efforts. Enough is enough already! Congress must protect us from ever-encroaching privacy intrusions.”

The coalition also asked attorneys general in California, Texas, and Oregon to investigate.

Larry Ponemon

Ponemon Institute is pleased to present the results of the 2019 State of Cybersecurity in Global Small and Medium Size Businesses sponsored by Keeper Security. This is the third annual study that focuses exclusively on organizations with a headcount of less than 100 to 1,000.

We surveyed 2,176 individuals in companies in the United States, the United Kingdom and for the first time DACH (Germany, Austria, Switzerland), Benelux (Belgium, Netherlands, Luxemburg) and Scandinavia (Denmark, Norway and Sweden).

In addition to tracking trends in cyberattacks and data breaches, this year’s study reveals how SMBs are unprepared to deal with risks created by third parties and Internet of Things (IoT).

“Cybercriminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs,” said Dr. Larry Ponemon, chairman and founder, The Ponemon Institute. “The 2019 Global State of Cybersecurity in SMBs report demonstrates cyberattacks are a global phenomenon- and so is the lack of awareness and preparedness by businesses globally. Every organization, no matter where they are, no matter their size, must make cybersecurity a top priority.”

A key takeaway from this research is that over the past three years there has been a significant increase in SMBs experiencing a data breach. In addition, 66 percent of respondents say their organization experienced a cyberattack in the past 12 months.

In the aftermath of these incidents, these companies spent an average of $1.2 million, an increase from $1.03 million in 2017, because of damage or theft of IT assets and infrastructure. In addition, disruption to normal operations cost an average of $1.9 million, an increase from $1.21 million in 2017.

Key findings:

Phishing and web-based attacks are the top two cyberattacks. Seventy-two percent of respondents say that they have experienced at least one cyberattack.  Phishing/social engineering is the number one attack SMBs experience (53 percent of respondents). Other frequent attacks are web-based attacks and general malware (50 percent and 39 percent of respondents, respectively).

The financial consequences of security compromises and business disruptions to SMBs are severe. The average cost of recovering from business disruption has increased significantly since 2017.  The average cost of dealing with damage or theft of IT assets and infrastructure declined from $1.43 million in 2018 to $1.24 million in 2019.

The time to respond to a cyberattack has increased or not improved. According to Figure 4, only 26 percent of respondents (16 percent + 10 percent) say their organizations have been able to decrease the time it takes to respond to a cyberattack.

Cyber threats against SMBs are becoming more targeted. Since 2017, SMBs report that cyber threats are more targeted, an increase from 60 percent to 69 percent of respondents in 2019. Most respondents say cyberattacks against their companies are severe and sophisticated (61 percent and 60 percent, respectively) and this has not changed since 2017 as shown in Figure 5.

More SMBs say the laptop is the most vulnerable endpoint or entry point to networks and enterprise systems. Mobile devices and laptops are considered, by far, the most vulnerable endpoint or entry point to respondents’ companies’ networks and enterprise systems. Since 2017, respondents who believe laptops are vulnerable increased from 43 percent of respondents to 56 percent of respondents.

More mobile devices will be used to access business-critical applications and IT infrastructure. On average, companies represented in this research have 120 business-critical applications and an average of 48 percent of these business-critical applications are accessed from mobile devices such as smartphones and tablets. This is an increase from 45 percent in last year’s research.  Nearly half (49 percent) of respondents say these devices diminish their companies’ security posture.

SMBs continue to struggle with insufficient personnel and money. Only 30 percent of respondents rate their organization’s IT security posture in terms of its effectiveness at mitigating risks, vulnerabilities and attacks across the enterprise as very high.

The biggest problem is not having the personnel to mitigate cyber risks, vulnerabilities and attacks (77 percent of respondents). The next biggest challenges are insufficient budget (55 percent of respondents) and no understanding of how to protect against cyberattacks (45 percent of respondents). Since 2017, the challenge of not having sufficient enabling security technologies has decreased from 43 percent of respondents to 36 percent of respondents.

Sixty-five percent of respondents say their budget for achieving a strong security posture is inadequate or unsure and 42 percent of respondents say they have an appropriate level of in-house expertise. Only an average 13 percent of the IT budget is dedicated to IT security activities and an average of 37 percent of the IT personnel support IT security operations.

Leadership in determining IT security priorities is lacking. As shown in Figure 10, 34 percent of respondents say no one person is responsible for determining IT security priorities, an increase from 30 percent of respondents in 2017. According to the findings, responsibility for companies’ IT security strategy is dispersed throughout the company.

To access the full report. visit Keeper Security’s website

Bob Sullivan

Amy Boyer, I sometimes say, was the first person murdered by the Internet.  Twenty years ago this fall, she was gunned down in cold blood by stalker Liam Youens. He found Amy by hiring a data broker, and told everyone about that on his website.

“It’s actually obscene what you can find out about a person on the Internet,” he wrote.

It still is.

Back then, Amy’s family launched a memorial website, and urged people to think long and hard about what this new technology is doing to our world.

Alia Tavakolian and I have spent the past 7 months talking to every privacy expert we could get into to studio.  We even interviewed the private investigator who tracked down the data brokers involved in Amy’s death. And this week, we launched a 6-part series on the state of privacy in America. The series is produced by Spoke Media, my partner in Breach and So, Bob. Intel, the chipmaker, sponsored the series but has no editorial control over it. The name No Place to Hide is a tip of the cap to a great book by that name published by Washington Post reporter Robert O’Harrow in 2006.

Episode One confronts the chilling reality that privacy isn’t a first-world problem, a luxury — for violence victims on the run, privacy can be a matter of life and death.  But if we build a tech world that respects these victims, a world that presumes everyone might have a safety risk from privacy violations, we’ll all be better off.

I’m really proud of the result, and I hope you’ll give it a listen. I know there are a lot of big issues facing our time — the environment, cyberwar, extremism — but I think privacy ranks right among them as a crisis that deserves our focus and attention. What’s more, most people — even those on politically opposite sides of the spectrum — generally seem to agree on privacy.  Still, it’s getting away from us. Technology is running ahead of our laws, ethics and institutions.  Just this week, the Baltimore Sun reported on a proposal to have surveillance aircraft in the skies, taking 24-hour-a-day footage of the city, to fight crime.  It’s not science fiction. In fact, the city already tested the idea back in 2016.  It’s a tactic borrowed from war zones. Maybe, if crime was bad enough on your block, you’d agree to this kind of surveillance.  But we’ve barely begun to discuss how to control the images, who gets to see them and why, and if this is really the world we want to live in.

Privacy is very hard to define. You’ll hear in the podcast that I struggle with this, even after writing about privacy for 25 years. I hope this series helps kick-start the discussion.

(Listen to this podcast at Stitcher, or at iTunes)

Larry Ponemon

It doesn’t take the stealth and sophistication of a cyber attacker to cause a data breach. A careless employee leaving a sensitive document in a communal printing tray or a malicious insider intent on stealing information in documents that have not been properly destroyed can result in the loss or theft of critical information assets.

Sponsored by Shred-it, the research reveals the inadequacies in organizations’ policies regarding the protection of confidential documents in the workplace. Ponemon Institute surveyed 650 individuals who work in both IT security and non-IT positions in North American organizations. All respondents are knowledgeable about their organization’s strategy for the protection of confidential and sensitive information.

“The report reveals two key factors about information security in North American businesses– employee negligence, intentional or not, can be a leading contributor to data breaches and that businesses should equally consider the needs for cybersecurity and physical information security within their organization,” said Ann Nickolas, Senior Vice President, Stericycle, the provider of Shred-it information security solutions. “Although cybersecurity is no doubt an important element of protection, businesses should look to strike a balance between investing in physical security and cybersecurity, as well as integrating better communication with employees on risk factors, to best arm themselves against potential breaches”

Many data breaches involve the loss or theft of information contained in paper documents and electronic devices. According to the findings, 68 percent of respondents say their organization experienced a data breach in the past 12 months. Of these respondents, 69 percent say one or more of these data breaches involved the loss or theft of paper documents or electronic devices containing sensitive or confidential information.

Why documents containing sensitive and confidential information are at risk:

There is a security disconnect in the protection of confidential documents. The chief information security officer and chief security officer are most responsible for protecting confidential information, according to 21 percent and 18 percent of respondents. However, they rarely have responsibility for granting access to paper documents or electronic devices containing sensitive or confidential information.

Most companies are not training employees about secure disposal. Only 45 percent of respondents say their organizations have a process for disposing of paper documents containing sensitive or confidential information after they are no longer needed. Less than half (46 percent of respondents) say their organizations are training employees about the steps they should be taking to ensure documents are appropriately disposed of. Furthermore, very few respondents say their organizations automate restrictions to print from specific devices and to print specific files, 29 percent and 27 percent, respectively.

Organizations are not taking basic precautions to prevent the loss or theft of confidential documents. Confidential documents are not secure because few organizations are requiring employees and contractors to lock their desks and file cabinets (38 percent of respondents). Only 33 percent of respondents say they prevent unauthorized access to document storage facilities and 31 percent of respondents say a clean desk policy is enforced.

The lack of policies and training for the secure disposal is having an effect on respondents’ confidence in keeping confidential documents secure. Only one-third of respondents have confidence in their organizations’ ability to govern the use, protection and disposal of paper documents. Fewer respondents (26 percent) have confidence in having visibility into what employees are doing with confidential documents.

Organizations are unable to restrict employees’ access to paper documents they should not see. Most respondents (61 percent) are unsure or disagree that the protection of paper documents is just as important as the protection of electronic records. As a result, 60 percent of respondents strongly agree or agree that employees, temporary employees and contractors have access to paper documents that are not pertinent to their role or responsibility.

Only 37 percent of respondents strongly agree or agree that it is convenient for employees and contractors to destroy paper documents with sensitive and confidential information. The fact that only 41 percent of respondents agree employees and contractors recognize the types of information that are sensitive or confidential demonstrates the lack of training in organizations.

Confidential documents are left in plain sight. Sixty-five percent of respondents are concerned that employees or contractors have printed and left behind a document that could lead to a data breach. Even more respondents (71 percent) admit they have picked up or seen a paper document in a public space that contained sensitive or confidential information.

More than half (51 percent of respondents) say they either keep the document or throw it in the garbage. Only 33 percent of respondents say they shred the document after reviewing it.

Sensitive or confidential information is exposed because of sending and receiving emails not intended for the recipient. Seventy-seven percent of respondents admit to sending emails containing sensitive or confidential information to the wrong person. Eighty-eight percent of respondents say they have received such emails.

In the report, we provide a deeper dive into the key findings. The complete audited findings are presented in the Appendix. We have organized the report according to the following themes:

• Steps taken to protect confidential information in paper documents and electronic devices
• Reasons for the insecurity of confidential documents in the workplace
• The practices of organizations that are confident in their ability to protect sensitive information in paper documents

Read the full report at Shred-It’s website.

Bob Sullivan

It was a shock in August when Twitter CEO Jack Dorsey’s Twitter account started sending out racist Tweets.  He’d been hacked, of course, but perhaps the biggest shock of all was how easy it was — @Jack was the victim of simple SIM card swapping.

SIM “hacking” isn’t new — basically cell phone hijacking — but it’s become much more important of late, for a whole host of reasons. The biggest: Our smartphones have become our new passwords, so criminals who can control the gadgets can control our digital lives.  We’ve spent years (rightly) pushing consumers towards two-factor authentication, but as so often happens in the world of security, we’ve traded one problem for another. We all agree that Social Security numbers make terrible passwords, so we’ve switched to phone numbers now.  And the fallout is just beginning.

Everyone who’s ever upgraded their cell phone at home knows what a SIM card swap is.  You tell your mobile provider to send your calls and texts to your new phone, rendering the old one useless.  This can involve literal swapping of a SIM (subscriber identification module) card. Today, it often happens via software and over-the-air updates. Easy enough.

The problem occurs when a criminal convinces a mobile provider to “upgrade” your phone to a phone they control. That means the criminal is now able to intercept all calls and text messages headed to you.  Big problem. If your bank is looking to authenticate you with a 6-digit code at login, well, there goes that security method.  And if you are the CEO of Twitter, a SIM card swap hack can give criminals a chance to publicly embarrass you.

It should also make you think: Wouldn’t Twitter Jack have pretty tight controls on his account?  Yet still criminals were able to access it? Can you think of anyone else with a high-profile account that would make a juicy target for hackers?

You are a juicy target, too. I’ve written a lot about theft from Zelle and other P2P payment accounts recently. Some victims have no idea how it happened, leading me to imagine that in some cases, SIM card swapping could be at play.  Really any account that relies on an SMS text message for login could be a target.

If you are a smartphone owner, this should make you personally nervous. Think of all the things criminals could do if they could access your text messages.

Mobile providers are trying to fix this problem, but they are a long way from having a great solution, In the meantime, you have to act to protect yourself. I’m really glad Liz Weston wrote about this recently for the Associated Press and NerdWallet. You should read her story in the Washington Post, which includes a few thoughts from me. But here’s my need-to-know information for you.

RED TAPE WRESTLING TIPS

• Know the signs: If you are the victim of a SIM Swap, your handset suddenly won’t work. Texts won’t go through. That might look to you like you just hit a spot with no cell signal, but your phone won’t show a weak signal: It’ll show no signal.  If this happens, be on heightened alert. Maybe it’s a false alarm. But now you know that maybe it’s a sign you’ve been hacked. Now, time is of the essence. Criminals aren’t doing this for fun, they are doing this to steal money.
• Have an emergency plan: If your phone is hacked, it won’t work. So you can’t count on calling customer service to ask what’s wrong.  Your phone won’t work! Do you have a second phone, or quick access to one? Do you know how to Tweet at / email customer service, or use Skype from a laptop?  When a SIM hack happens, you need to reach out to your mobile provider fast. Have a plan for that.
• Teach customer service: When you reach an operator at your mobile provider, don’t count on him or her knowing what’s going on. SIM Swapping is still new to some of them.  You might have to teach them what it is. Keep this story handy, or Liz Weston’s story. Send them to my website.  The quicker you get past front-line customer service to a knowledgable operator, the less time hackers will have to root around your digital life.
• Use Authenticator, not SMS: Two-factor authentication is good. But using SMS/text messages as that second factor isn’t great.  Many sites allow use of a token generator, like Google’s Authenticator app. That’s a much safer way to protect your accounts than text messages.  Make the switch now, while you’re thinking about it.
• Consider adding a PIN code. Yes, another one. To your mobile account.

Larry Ponemon

The ability to control access to critical information resources and prevent a data breach remains an elusive goal for many organizations.  In The 2019 Study on Privileged Access Security sponsored by Sila Solutions Group, Ponemon Institute presents four years of research findings on how individuals with the most access to high value information assets can be a serious insider risk.

For purposes of this research, privileged users are assigned privileged access based on their roles and responsibilities. Such access can be defined as broad or elevated access rights to IT networks, enterprise systems, applications and/or information assets. However, according to the findings of this study, these individuals often use their rights inappropriately and put their organizations’ sensitive information at risk. For example, the majority of respondents say privileged users feel empowered to access all the information they can view and although not necessary will look at an organization’s most confidential information out of curiosity.

The 659 respondents we surveyed self-reported that they have privilege access to IT resources. Seventy-seven percent of these respondents have access to a minimum of three IT resources and a maximum of more than six IT resources.

The expectation that the risk of privileged user abuse will increase has risen significantly since 2011. The survey found 56 percent of respondents say they expect privilege user abuse to increase in the next 12 to 24 months, a significant increase from 44 percent of respondents in the 2011 research. Further, more than half of respondents (53 percent) say their organization experienced a data breach or other access-related security incident within the past three years

The following are reasons new solutions and governance processes are needed to decrease the risk of privileged user abuse.

• Even if an employee or contractor has appropriate access to high-value information assets, they put their organizations at risk by accessing sensitive or confidential data without a business need and sometimes share their access credentials with other in the organization.
• The number of organizations that can’t monitor privileged user activities has increased since last year and a problem with access governance processes is that they don’t have a unified view of privileged user access across the enterprise.
• According to respondents, a lack of resources, in-house expertise and in-house technologies are challenges to improving the efficiency and security of their access governance processes. Specifically, organizations cannot keep pace with the number of access change requests, reduce the burdensome process for business users requesting access. Respondents also cite the lack of a consistent approval process for access and a way to handle exceptions as significant problems
• The increasing number of regulations is also contributing to the difficulty in managing access governance. It is also affected by the adoption of virtualization technologies or DevOps tooling.
• Too much reliance on manual processes for granting privileged user access and reviewing and certifying privileged user access hinders the ability to meet growing requests for access changes.
• To identify insider threats, organization continue to rely upon monitoring and reviewing log files and using non-PAM security technologies. Fewer organizations are deploying PAM tooling capabilities like session monitoring, performing endpoint monitoring and using big data analytics.

“The results of The 2019 Study on Privileged Access Security shed light on the fact that privileged access is more prevalent than people may realize. It touches every part of an organization and has far-reaching implications for an organization’s business objectives as well as its security,” said Tapan Shah, managing director at Sila. “Leaders need to step back and ask why individuals have the access they do, and how that aligns with the mission of their business – unnecessary privileged access puts data, employees, customers, and the overall business at risk.”

Part 2. Key Findings

Following is an analysis of the key findings. To understand trends in organizations’ abilities to manage privileged user access, whenever possible we compare the findings from 2011, 2014 and 2016 to this year’s research. The complete audited findings are presented in the Appendix of this report.

We have organized the findings according to the following topics:

• Why privileged user abuse is increasing
• The security risks created by not keeping up with the delivery and review of access rights
• New approaches to managing access, including collaboration between IT and lines of business, are needed

Why privileged user abuse is increasing

 According to 81 percent of respondents, privileged access rights are required to complete their current job assignments. However, 19 percent of respondents say they do not need privileged access to do their jobs but have it any way. The two primary reasons are everyone at his or her level has privileged access even if it is not required to perform a job assignment (46 percent of respondents) and the organization failed to revoke these rights when they changed their role and no longer needed access privileges (30 percent of respondents). Since 2011, more respondents report that their organization assigned privileged access rights for no apparent reason – from 15% in 2011 to 20% now.

Even if access rights are appropriate, privileged user abuse is prevalent. Some 70 percent of respondents say it is very likely or likely privileged users access sensitive or confidential data without a business need, such as curiosity. Sixty-two percent of respondents say privileged access rights that go beyond the individual’s role and responsibility, which indicates the difficulty organizations have in keeping up with access change requests and reviews of access rights. Many respondents (41 percent) say privileged users are sharing their access credentials with others in the organization.

To continue reading this report, visit Sila’s website.

Bob Sullivan

Is tech hacking your happiness?  And can you reverse that — can tech help make you happier?

This month we began the second season of the So, Bob podcast, hosted by me and Alia Tavakolian, and these are the questions Alia and I explore with Gretchen Rubin, author of The Happiness Project and numerous other best sellers.

Our interview with her was so powerful that we made it the first episode of this new So, Bob season, and our takes up the entire podcast.

I love podcasting because there’s time to dig deep into issues — much deeper than I can in a blog post that’ll you’ll scan for a minute or two.  And the question of tech and happiness is a big topic.

We focused on the key concept of another Gretchen book, The Four Tendencies– her schema that people generally fall into one of four categories: upholder, questioner, rebel, or obliger.  What are these groups? I think they are pretty self-evident, but you can take a quiz and learn more about them at Gretchen’s site.

I wanted Gretchen to talk with us about how gadgets, and particularly smartphones, impact our happiness. We pretty moved into the different ways people from each category react to tech. Do obligers feel obliged to answer every email in a way rebels do not? (Yes). And so on.

I must say I was pretty stunned at the conclusion Gretchen came to.   You are best off listening to the podcast and and letting Grethen explain in her own words. But if you want something to read/scan, here’s part of our conversation:

BOB: Into this Schema you have… ..drop a smartphone…that tings at you with a thousand times a day. 

G: Yes.

B: How do each of these characters react to that? 

G: Okay. So I think I’m very typical as an upholder, which is like, it’s very easy for me to turn it off.

G: It’s very easy for me to ignore it. If I’m like, I need to focus, I can’t look at my phone. That feels like something that I can ignore because my inner expectation, uh, is that I need to, I need to read, I need to, you know, uh, go for a walk, I need to, you know, whatever it is, I, so it’s easy for me to ignore it. And I remember talking, but it’s also a question, and this is true for all the tendencies, is people have different values and they have different kinds of belief systems. And that comes into play. So I was talking to a, actually a guy, uh, military guy who was an upholder and he was saying, oh, well, one of the reasons why I find, this was like three or four years ago, one of the reasons I find Facebook so burdensome is I have to like everything that everybody posts.

G: And I was like, no, you don’t. And like he had decided that was the rule. And so he felt an extreme like, like that he needed to meet that expectation for himself was I was just like, man, I don’t, I don’t feel that expectation. So part of it is that people have different ideas. Some people are like, you can’t leave dishes in the sink overnight. I’m like, you can totally leave dishes in the sink overnight. So I would meet the inner expectation if I had it but I just don’t have it, which is how you can get slacker upholders. It’s not upholders are type A, they can be slackers, they can meet their sta… they can meet every expectation for themselves, but they just have very low expectations. So.

A: Wow, I didn’t think about that. Okay. 

G: So questioners, questioners probably have an, they have an easier time with something like this cause it’s all about efficiency.

Does this work for me? Like, and they tend to like to customize things and hack things. So I would anticipate that many questioners would find it pretty easy to find ways to do workarounds. However questioners also are very drawn to data and research and information. And it might be that, and they can get analysis paralysis, which is where they want more and more information. And so for some questioners, something like the Internet is more of a burden where like if I’m gonna buy a tent, I want to do more and more and more research. So it’s sort of like the endless, the endless supply of information is very burdensome to them. But if they were like, I need to shut off the phone from 6:00 to 9:00 PM so I can spend quality time with my family, that probably wouldn’t be that hard for a questioner because they understand why they’re doing it.

And they do love to customize typically. They like to make things right for them. And so something like, I’m gonna change my notifications. That would make a lot of sense to a questioner. It’s like, just because notifications work for you, I don’t know that they’re going to work for me. Obligers, this is hard because if they feel like everyone’s clamoring for their attention, they’re going to find it very painful to ignore that because it’s like someone texted me, I have to text back. Somebody emailed me, I need to read that email right away. Somebody calling me, I have to pick up. Someone’s expecting me to like their Instagram post. I need to like it. Like these things add up.

A: I don’t know what you’re talking about. 

G: Yeah, yeah, yeah. But so here’s something that obligers can do. There’s many ways to create outer accountability. One of the quick things that obligers can always do is to remember if you say yes to someone, you have to say no to someone else. And so you could say, look, people are, you know, I’m getting all these texts and emails from the office between six and nine, but my family and I, we have talked about how it’s important for us to have quality time and therefore to say yes to my family, I’m going to say no to the office or like, you know, um, and so because part of the time obligers feel like I have to say yes, but it’s like no, you have to say no too, who do you say no to?

And a lot of times when they formulate it that way, it’s easier for them to make choices. But when the thing about tech is it feels, it feels kind of like, oh, you could just do this in 10 seconds. Why wouldn’t you just do this right now? Why wouldn’t you just do this right now? And like 10 seconds becomes five hours. We’ve all experienced that.

A: It’s deceptive. 

G: Yeah. And then for… rebels can do whatever they want to do. So like they want to do it, they’ll do it. They don’t want to do it, they don’t want to do it. It’s like, what do you want? And so if a rebel wants to change because often they get frustrated because they want to change something. But the minute they tried to make a rule from themselves, they want to break it. So in, a rebel would not do well doing something like from six to nine, I’m not going to be on my, on my phone because that’s scheduling that makes them feel trapped.

So what works for rebels is identity. What kind of person am I? How do I want to be in the world? And they are also very, uh, put a very high value on freedom and choice. So I things like I’m not a slave to my phone. I’m not controlled by email. You can’t make me answer your Instagram. I’m free. I need time to reflect. I need time to exercise. I had, I need time to rewatch, you know, Parks and Recreation. And so, you know, it’s just like, if I’m going to be who I am, like I just have to like, you know, put my phone down and walk away from it. Because when they tie it into their identity, it’s much easier for them to do something. Rules don’t work for them, whereas it rule might work really well for an obliger or for a questioner or an upholder.

A: So illuminating.

B: You have just made, um, the last five years of my life make sense. 

G: Oh good! Like, tell me why, tell me why. 

B: You have. Because I write about all of this overwhelmedness and technology, right,

G: Yeah.

B: And I don’t know, I’m gonna make up a number 67, 70% of the time people are like, thank God someone’s finally talking about this. The world is so complicated. I’m so overwhelmed. 

G: Yeah. 

B: But one third of the time ish, people were like, what are you talking about? 

G: Interesting.

B: Um, so I think I’m talking just to one set of people. 

G: Yeah. 

B: I’m talking just to obligers…

A: Wow.

B: I’m not talking to everybody. 

G: Yeah. 

B: Nobody else really seems to have much of a problem with this, whereas this, this one set of people…

G: But see, it’s interesting that you say that because obligers, because obliger is such a big group, people often assume that it’s everyone because, and the way, one of the reasons that I got the insight into the upholder tendency was I was speaking to a journalist and she said, why is it the busy parents like us can ever take time for ourselves?

G: And I said, actually I have no trouble taking time for myself. And she said, actually neither do I. And I’m like, well then why, what is the premise of your article? Because you and I are both busy parents and neither one of us have experienced this. 

A: Yeah.

G: So clearly it’s not a universal thing. So what’s going on there? And that’s when I was like, just because everybody feels something like it’s always you have to say, do I feel this? Now I think sometimes people conflate it. Like feeling overwhelmed by email is a shorthand for saying, I’m overwhelmed by all the tasks that people at work want me to do. It doesn’t matter if it’s email, like Instagram is an internet only problem. Tasks that being pestered at work for people who want you to do things and want your attention and what, yeah, that’s just inherent in work. And like it’ll just take whatever form it takes. It’s like that’s, that’s really a work problem. But then there are some things about being overwhelmed by technology that are truly created or so dramatically amplified that they’re changed by technology. Yeah.

Larry Ponemon

This is the follow-up study to last year’s research, The Race to GDPR. In this year’s study, we expanded the research, for the first time, to include China and Japan in addition to the United States and Europe. A total of 1,263 organizations are represented in this study.

 The uniquely demanding European Union (EU) General Data Protection Regulation (GDPR) came into force on May 25, 2018, virtually transforming how organizations in every industry handle personal data. This study reflects practical difficulties and regional differences in levels of adherence to GDPR across Europe, the US, China and Japan.

Sponsored by law firm McDermott, Will and Emery LLP and our strategic alliance MWE China Law Offices, this follow-up research tackles the ongoing challenges in the wake of GDPR and the practical difficulties organizations face despite their dedication to implementing the new requirements. Participants in this study work in a variety of departments including IT, IT security, compliance, legal, data protection office and privacy. All organizations represented in this research are subject to GDPR.

Executive Summary: GDPR Progress and Data Breach Management

GDPR work is ongoing as most organizations did not meet the May 25, 2018 deadline. Many organizations are renewing their GDPR budgets accordingly. Most organizations represented in this research report that GDPR took longer than they had anticipated (54 percent of respondents) and that it was equally or more difficult to implement than other data privacy and security requirements (80 percent of respondents). Most organizations have a GDPR budget (72 percent of respondents) About a third of these respondents say the budget will be renewed annually (35 percent of respondents) or continue indefinitely (24 percent of respondents).

About half of the respondents say their organizations had GDPR data breaches that must be reported to regulators. Forty-six percent of respondents say their organizations had an average of approximately two reportable data breaches since GDPR came into effect and about one in six received a follow-up inquiry or inspection from the Regulator. Thirty-nine percent of respondents in US organizations and 45 percent of respondents in European organizations say they reported a personal data breach to a Regulator.

Data breach reporting under GDPR continues to be a major challenge across the board for almost all organizations, regardless of region. Only 18 percent of respondents are highly confident in their organizations’ ability to communicate a reportable data breach to the relevant regulator(s) within 72 hours. This suggests that early breach awareness and identification, even on a preliminary basis, continues to be a major difficulty with more help needed.

More US organizations reported GDPR cyberattacks than other regions. Respondents in US organizations say they experienced more cyberattacks (45 percent) under GDPR than respondents in European (34 percent), Japanese (38 percent) and Chinese organizations (31 percent).

More US organizations than European and Chinese organizations engaged an external cybersecurity service to investigate GDPR security incidents. The use of outside forensic vendors to investigate cyberattacks is higher in the US (44 percent of respondents) than in European (40 percent of respondents) and Chinese (25 percent of respondents) organizations. Surprisingly, 47 percent of Japanese respondents used forensic vendors, which is more than US organizations. Greater use of external forensic organizations likely identifies cyberattacks earlier and more accurately than the use of internal IT resources alone. As Europe and China catch up with the US experience of data breach management, we would expect the reported percentage of GDPR data breaches due to cyberattacks and the use of outside forensic firms to increase.

Many respondents from the US, Europe and Japan engaged external cybersecurity services. Forty-seven percent of Japanese respondents and 44 percent of US respondents say their organizations used an external cybersecurity service provider to investigate GDPR data breaches or cyberattacks. Forty percent of EU and 25 percent of Chinese respondents say their organizations engaged such a service. Of these respondents, 65 percent of US, 56 percent of European and 55 Japanese respondents say the work was conducted under litigation or attorney-client privilege.

Cyber risk insurance was obtained by approximately a third of the organizations, and of those, less than half say that their insurance covers GDPR fines or penalties. Approximately a third of respondents report that their organizations have insurance that covers cyber risks, and 43 percent of those respondents say their cyber insurance policy covers GDPR fines or penalties. The types of incidents most often covered by cyber insurance policies are external attacks by a cyber criminal (62 percent of respondents), human error, mistakes and negligence (41 percent of respondents), and malicious or criminal insiders (38 percent of respondents). However, 10 percent of respondents do not know what their cyber risk insurance policy covers.

A surprisingly high percentage of respondents say their organizations appointed a Data Protection Officer (DPO) under the GDPR, and about half of the non-European respondents say they appointed an EU Representative. These high numbers are surprising because there are notably strict criteria for appointing DPOs and EU Representatives. These findings, however, may also include voluntary appointments for these positions.

United States and European Findings

More than half of respondents in US organizations apply GDPR data subject rights to both US and European employees. Fifty-seven percent of these respondents say their organizations do so because they want to take a global approach, while about half of these respondents (49 percent) believe it is required by the GDPR.

More US respondents than European respondents say compliance with GDPR will assist in their compliance with the California Consumer Privacy Act (CCPA). Forty-six percent of US respondents say compliance with GDPR has helped define the strategy and overall approach to their compliance with the forthcoming California Consumer Privacy Act (CCPA) and other US state privacy laws, while 30 percent of European respondents say this is the case. Forty-three percent of US respondents and 33 percent of European respondents say compliance with the CCPA and other US state privacy laws will cause their organizations to re-evaluate their compliance position under the GDPR.

China Findings

China has the lowest level of compliance with GDPR. Only 29 percent of the Chinese respondents say their organizations are fully compliant with the GDPR, more than 10 percent lower than what respondents in US and European organizations are reporting. Fifty percent of Chinese respondents say GDPR is as difficult to implement as other data privacy and security requirements.

Chinese respondents use internal resources to respond to data breaches, rather than external ones. Only 25 percent of Chinese respondents use external cybersecurity services to investigate data breaches, which is significantly less than other countries.

Chinese respondents’ means of compliance under the GDPR lags behind US and European respondents.  Fewer Chinese respondents take measures in several key areas to maintain GDPR compliance compared to US and European respondents, including localization, document retention and creating a data map showing data flow and process. Only 2 percent of Chinese respondents have evaluated their relationships with third-party vendors, in contrast to the 45 percent of respondents in US organizations and 30 percent of respondents in European and Japanese organizations. This is likely due to differences in data transfer rules and China’s data security laws.

Unlike US and European respondents, fewer Chinese organizations report they have purchased cybersecurity insurance.  Only one-in-five Chinese respondents (19 percent) report that their organizations have insurance covering cyber risks. Fifteen percent of these respondents are not sure what types of incidents their cyber insurance policies cover, which is higher than the percentages from the other jurisdictions.

Japan Findings

Most respondents say their organizations have not achieved full compliance with GDPR. Only 32 percent of Japanese respondents say their organizations have achieved full compliance with GDPR. Forty-one percent of Japanese respondents say the GDPR is as difficult to implement as other data privacy and security requirements (e.g., Japanese Data Protection Legislation or China’s cybersecurity law).

Japanese respondents adopt measures to prevent and respond to data breaches—but they are not as regular with assessments. Forty-seven percent of Japanese respondents say they use external cybersecurity services to investigate data breaches, which, as noted, is more than what respondents in US and European organizations report. Less than half of Japanese respondents (43 percent) regularly conduct testing, assessments or evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing.  In contrast, 65 percent of respondents in China and 54 percent of respondents in European organizations take such security actions.

Japanese respondents’ awareness in complying with the GDPR also lags behind US and European respondents. Japanese respondents say their organizations take measures in several key areas to maintain compliance compared to what respondents in the US and Europe report. These actions include introducing or updating document requirements (39 percent of respondents), creating a data inventory (46 percent of respondents) and investing in new technologies or services (39 percent of respondents), but this is less than reported for US, European and Chinese organizations.

Read the complete findings at the McDermott, Will and Emery website.

City of Denison press release

Bob Sullivan

Maybe you’re bored of reading about ransomware attacks, but plenty of local government agencies wish they were so bored. Organized bands of cybercriminals keep pounding away at smaller government IT systems with great success.  In the latest attack (that we know about), more than 20 agencies across Texas were hit last week, requiring an all-hands-on deck response from state authorities.  And in an important new-ish development, the attack negatively impacted an even wider set of agencies and citizens — as some leaders chose to disconnect systems pre-emptively.

“The evidence gathered indicates the attacks came from one single threat actor,” said the Texas Department of Information Resources in a statement. “Responders are actively working with these entities to bring their systems back online.”

The situation was dire enough that  Texas Gov. Greg Abbott ordered a “Level 2 Escalated Response” to the attacks, one step below the Texas Division of Emergency Management’s highest level of alert, according to KSAT.com.

It was also dire enough that other local governments are unplugging systems from the Internet even if they are not infected by the attack.  Denison, Texas, warned residents that city employees will have “little to no access to email during the outage” in a release published on its website. The city also cannot accept certain kinds of payments.

“Out of an abundance of caution, the City of Denison has disconnected its information systems
from the internet,” the release said. “While the City of Denison has not been directly affected by the attack,
precautionary measures are being taken to maintain the integrity of the city’s information
systems.”

Grayson County also unplugged, according to KXII.com. 

“We cannot email you, receive e-filings, issue birth, death or marriage records, or receive web-based inquiries,”  Emergency Management Director Sarah Somers told the TV station.

It’s probably wise for small agencies to disconnect during such incidents; it’s hard to imagine they can all afford top-notch information security professionals to fight back when there’s already a large shortage.  But the response shows that ransomware attacks are really taking a toll on smaller agencies, and their impact is being felt far beyond the institutions that are actually being forced to pay up.

This also suggests that citizens should keep fastidious records when dealing with any government agency, and don’t let bills wait until the last minute — lest your water provider or parking ticket agency be unable to process your electronic payment by the due date.