Monthly Archives: February 2020

Privacy worries not slowing shift to the cloud (but concerns linger)

Larry Ponemon

The Ponemon Institute is pleased to present the findings of Data Protection and Privacy Compliance in the Cloud, sponsored by Microsoft. The purpose of this research is to better understand how organizations undergo digital transformation while wrestling with the organizational impact of complying with such significant privacy regulations as the GDPR. This research explored the reasons organizations are migrating to the cloud, the security and privacy challenges they encounter in the cloud, and the steps they have taken to protect sensitive data and achieve compliance.

The Ponemon research qualified 1,049 IT and IT security participants from the United States and the European Union (EU). All of them were familiar with their organization’s approach to privacy and data protection compliance and responsibility for ensuring that personal data is protected in  the cloud environment. Fifty five percent of respondents operate a cloud infrastructure with one primary cloud service provider; 45 percent operate in multiple or hybrid cloud environments.

Privacy concerns are not slowing the adoption of cloud services. The importance of the cloud in
reducing costs and speeding time to market seem to override privacy concerns. Only one-third of US respondents and 38 percent of EU respondents say they have stopped or slowed their adoption of cloud services because of privacy concerns,

Most privacy-related activities are easier to deploy in the cloud. These include such governance practices as conducting privacy impact assessments, classifying or tagging personal data for sensitivity or confidentiality, and meeting legal obligations, such as those of the GDPR. However, managing incident response is considered easier to deploy on premises than in the cloud.

However, most organizations lack confidence in, visibility into, and a clear delineation
of responsibility for managing privacy in the cloud.

  • Despite the anticipated increase in the importance of the cloud in meeting privacy and data protection objectives, 53 percent of US and 60 percent of EU respondents are not confident that their organization currently meets their privacy and data protection requirements. This lack of confidence may be because most organizations are not vetting cloud-based software for privacy and data security requirements prior to deployment.
    • Organizations are reactive and not proactive in protecting sensitive data in the cloud. Specifically, just 44 percent of respondents are vetting cloud-based software or platforms for privacy and data security risks, and only 39 percent are identifying information that is too sensitive to be stored in the cloud.
    • Just 29 percent of respondents say their organizations have the necessary 360-degree visibility into the sensitive or confidential data collected, processed, and/or stored in the cloud. Organizations also lack confidence that they know all the cloud applications and platforms that they have deployed.
    • In most organizations, the IT security and compliance teams are not responsible for ensuring
    security safeguards and compliance with privacy and data protection regulations. Thirty six percent of respondents expect the cloud service provider to ensure the security of SaaS applications. In contrast, 46 percent of respondents say the organization is responsible. Further, privacy and data protection teams are rarely involved in evaluating cloud applications or platforms when they are under consideration. Almost half of respondents (49 percent) rarely or never determine if certain cloud applications or platforms meet data protection and privacy requirement.

Part 1: Privacy concerns are not slowing migration to the cloud, but organizations struggle to ensure the protection of data

Cloud services or platforms are used to achieve faster deployment and reduce costs.
The top two reasons for using cloud services and platforms are faster deployment
time and lower costs.

Cost savings, scalability, and faster time to market are the top reasons for migrating
to the cloud — 67 percent of respondents agree that migration results in cost savings and 64 percent of respondents agree that it enables scalability and faster time to market. More than half (54 percent) of the respondents believe migration will improve security and privacy protections.

There is no consensus about who is responsible for addressing privacy and data
protection requirements. Respondents were asked who in their organization would be most responsible for ensuring that SaaS and PaaS applications meet privacy and data protection requirements. Some assigned this responsibility to the cloud service provider; some state that the company and the cloud service provider share the responsibility; others allocate the responsibility within the company among end users and IT.

The importance of both SaaS and PaaS in meeting privacy and data protection
objectives will increase significantly —  64 percent of respondents say that deploying SaaS will be essential or very important in meeting privacy and data protection objectives over the next two years. Fifty-three percent of respondents say using PaaS will be essential or very important.

Respondents are not confident that their current use of SaaS and PaaS meets privacy
and data protection requirements. Currently the majority of respondents are not confident that their SaaS applications and PaaS resources meet privacy and data protection requirements. More respondents (60 percent) lack confidence in the privacy and data protection capabilities of PaaS.

Confidence in SaaS and PaaS applications is low because most organizations are not
vetting them for privacy and data security requirements prior to deployment.
As discussed previously, there is a lack of confidence in the ability of SaaS and PaaS applications to protect and secure data. Why? Fifty percent of respondents say their organizations are not
vetting their SaaS applications before deployment and 58 percent say PaaS resources are not being vetted.

To read the rest of this study, visit Microsoft’s website.

Plastic surgeon’s patients extorted by hackers, as ransomware gangs ramp up dual-threat hacks

Bob Sullivan

When the Center for Facial Restoration announced it had been hit by ransomware recently, the hack attack might have sounded like just another expensive cyber incident for a small business. But the hack of the rhinoplasty practice near Miami included another, darker threat. The criminals added another potential revenue stream to their enterprise — extorting patients by threatening release of potentially embarrassing photos.

So in addition to worrying about restoring data that had been encrypted with malware, Dr. Richard E. Davis had to worry about the publication of before and after photos that might humiliate patients.

This dual threat — criminal hackers stealing data before they scramble it with ransomware — parallels the recent global incident involving currency exchange company Travelex.  It’s a disturbing new trend among computer criminal gangs.

When the Center for Facial Restoration announced on its website recently that it had been hit by ransomware, the firm’s website had to add this chilling warning.

“(Hackers) demanded a ransom negotiation, and as of November 29, 2019, about 15-20 patients have since contacted (the firm) to report individual ransom demands from the attackers threatening the public release of their photos and personal information unless unspecified ransom demands are negotiated and met,” the warning said, “I filed a formal complaint with the FBI Cyber Crimes Center and two days later met with the FBI where they recorded detailed information regarding the cyberattack and ransom demands. The investigation is currently ongoing.”

It’s easy to imagine the seriousness of that kind of threat. On its website, the center says it specializes in repairing other rhinoplasty — or “nose job” — surgeries that left patients unsatisfied.

“Do you avoid cameras or social situations? Let cosmetic rhinoplasty restore your self confidence with a natural-looking, attractive nose that suits your face,” the website says. “Get ready to look at the camera and smile.”

The firm has not immediately responded for comment, so it’s unclear if more patients have been threatened with extortion. But Davis told that he hopes the damage was limited by recent security upgrades.

“While upgrading my defenses clearly won’t help those individuals whose data has already been stolen, there is reason to suspect that the theft of patient photographs may be limited to only a very small number of individuals – mostly those patients who used email to send or receive their photographs – so the upgrades may prove useful,” Davis said.

But the trend has security professionals worried.

“At least one other ransomware group is also routinely stealing data prior to encrypting it: Maze,” said Brett Callow, a threat analyst who studies ransomware for security firm Emsisoft. “This is a recent and concerning development, especially given how susceptible the public and private sectors seem to be ransomware attacks.”

The double-whammy of ransomware and data breach can leave victim firms scrambling to respond.

“An organization whose data is stolen has no good options available,” Callow said. “Refusal to pay will probably result in the data being published; payment will get them a pinky promise that the data will be deleted. And, as that pinky promise is being made by a criminal enterprise, it carries very little weight.”

Emisoft’s 2019 report about ransomware victims found that nearly 1,000 government agencies, non-profits, and medical organizations were victims of such criminal attacks last year — and there no indication the attacks are slowing down. The dual threat gives small organizations something else to worry about.

“I am dismayed to report (our office)… was the victim of a criminal cyberattack,” Davis says on his website.  “I deeply regret that individuals currently or formally under my care have been victimized by this criminal act, and I urge you to monitor your financial information closely. … . I am sickened by this unlawful and self-serving intrusion, and I am truly very sorry for your involvement in this senseless and malicious act.”