Yearly Archives: 2023

The State of Zero-Trust Architecture in Organizations

A zero-trust architecture aims to move defenses from static, network-based perimeters to users, assets, and resources. Sponsored by Converge Technology Solutions Corp. and Check Point Software Technologies, Ponemon Institute conducted research to determine the status of zero-trust adoption in organizations. According to the research, 48 percent of respondents believe traditional perimeter-based security solutions such as VPNs, next-gen firewalls, and network access control (NAC) products are ineffective at securing distributed hybrid cloud infrastructures.

The research shows that zero-trust architecture improves the ability to manage vulnerabilities and user access. Unlike VPNs which permit secure access to an entire network, zero trust segments access and limits user permissions to specific applications and services. Zero trust assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location or asset ownership.

Ponemon Institute surveyed 694 IT and IT security practitioners, including cybersecurity practitioners, in the United States who are familiar with their organizations’ zero-trust strategy. As part of the screening process, practitioners invited to complete the survey were asked if their organizations had adopted a zero-trust strategy. The 31 percent of these practitioners whose organizations had not adopted zero trust were excluded from the research. The two primary reasons these organizations gave for not adopting zero trust are that the value is not understood (40 percent) or there is no executive buy-in (33 percent).

Respondents were asked to rate the effectiveness of their security practices before implementation and following implementation to determine the value of zero trust to organizations.

The following findings reveal the value of a zero-trust strategy:

  • Zero-trust architecture improves vulnerability management because it segments access and limits user permissions to specific applications and services. The primary reasons for adopting zero-trust network architecture are: reducing connectivity issues; improving user experience; reducing difficulty in setting up, deploying, enrolling new users; and decommissioning departing users.
  • Zero trust is considered to improve security practices. As a result, zero trust is regarded as important or very important in ensuring customer trust and retention.
  • Controlling access is a critical objective of zero-trust architecture. Zero trust ensures attackers who gain access to users’ accounts can only access their specific tools and services and nothing else. Identity and access management and authorization are the primary components of a zero-trust architecture. Some organizations use behavioral analytics and threat intelligence to improve asset security.
  • Identity management and authorization policies are important components in zero-trust security models. As shown in the research, the primary components of a zero-trust strategy are a single strong source of identity for users and non-person entities (NPEs) and authorization policies around application or resource access.
  • Zero trust is believed to reduce attacker “dwell time” in the network. Respondents also say zero trust is very or highly effective in eliminating all lateral movement between users and servers because users are isolated from the corporate network. Zero trust is also considered highly effective in authenticating, authorizing, and inspecting all traffic flow at all times to ensure malware and attacks don’t sneak in accidentally or maliciously.
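The findings above turn on one mechanism: access is decided per identity and per resource, not by network location. The following Python snippet is an added illustration (not code from the Ponemon report or its sponsors) that puts a perimeter-style decision next to a zero-trust decision and measures the "blast radius" of a single compromised account under each. The resource inventory, the authorization policy, the corporate address prefix and the user names are all constructed for the example.

```python
"""Added example: perimeter (network-location) vs. zero-trust access decisions.

Everything below is constructed for illustration; the resource names, policy
and IP prefix are not taken from any real environment.
"""
from dataclasses import dataclass
from typing import Callable, Set

# Constructed inventory of applications/services behind the perimeter.
ALL_RESOURCES = {"hr-portal", "payroll", "ci-artifacts", "finance-db"}

# Constructed zero-trust policy: a single source of identity maps each subject
# (user or non-person entity) to the specific resources it is authorised for.
# Anything not listed is denied by default.
AUTHZ_POLICY = {
    "alice": {"hr-portal", "payroll"},
    "build-bot": {"ci-artifacts"},      # NPE with its own narrow policy
}

# Constructed "inside the corporate network" prefix used by the perimeter model.
CORP_NETWORK_PREFIX = "10.0."


@dataclass(frozen=True)
class Request:
    subject: str            # authenticated identity making the request
    resource: str           # the one application/service being accessed
    source_ip: str          # where the request originates
    device_compliant: bool  # device posture signal (patched, managed, etc.)
    mfa: bool               # strong authentication completed for this session


def perimeter_decision(req: Request) -> bool:
    """VPN/perimeter model: being on the internal network grants access to everything."""
    return req.source_ip.startswith(CORP_NETWORK_PREFIX)


def zero_trust_decision(req: Request) -> bool:
    """Zero-trust model: no implicit trust from location; every request is checked."""
    if not req.mfa:                 # 1. strong identity
        return False
    if not req.device_compliant:    # 2. device posture
        return False
    # 3. explicit per-resource authorization, independent of source address
    return req.resource in AUTHZ_POLICY.get(req.subject, set())


def blast_radius(decide: Callable[[Request], bool], subject: str, source_ip: str,
                 device_compliant: bool = True, mfa: bool = True) -> Set[str]:
    """Return every resource the given account could reach under a decision model.

    This is what an attacker holding that one account could move laterally to.
    """
    return {
        r for r in ALL_RESOURCES
        if decide(Request(subject, r, source_ip, device_compliant, mfa))
    }


if __name__ == "__main__":
    # Same compromised account, same inside-the-network position, two models.
    print("perimeter :", sorted(blast_radius(perimeter_decision, "alice", "10.0.5.12")))
    print("zero trust:", sorted(blast_radius(zero_trust_decision, "alice", "10.0.5.12")))
    # Zero trust gives the same answer from outside the network.
    print("zero trust (remote):", sorted(blast_radius(zero_trust_decision, "alice", "203.0.113.7")))
```

Under the perimeter model an account that is "inside" reaches all four resources, which is the lateral-movement problem the respondents describe; under the zero-trust policy the same account reaches only the two resources its identity is authorised for, and a non-compliant device or an unknown identity reaches nothing, wherever the request comes from.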

According to the research, the following are steps to take to achieve a mature zero-trust strategy:

  • Gain the support of senior leadership by regularly informing them about the effectiveness of the zero-trust program as measured by key performance indicators (KPIs). Such support can make the implementation of a zero-trust strategy more of a priority and, as a result, secure the necessary resources such as budget and in-house expertise.
  • Quantify and track the benefits of zero trust. The top three metrics used by organizations represented in this study measure the reduction in the number of data breach incidents, the reduction in the number of known vulnerabilities and reduction in the number of threats.
  • Identify existing security technologies that can be both cost-effective and aligned with the zero-trust strategy. Prioritize what new security technologies are needed as part of the organization’s zero trust implementation. A significant obstacle to achieving a strong zero-trust security posture is the continued use of legacy technologies.
  • Other obstacles to successfully implementing a zero-trust strategy include the lack of in-house expertise and budget. According to the research, the average annual IT security budget is $32 million, with an average of $2.4 million dedicated to organizations’ zero-trust strategy.

To read the report’s full findings, please visit CBISecure.com at this link


Why are state governments starting to ban TikTok?

Bob Sullivan

North Carolina recently joined a growing list of states – more than 20 now — that have banned social media app TikTok from government-issued devices.  Gov. Roy Cooper issued an executive order after two state legislators threatened to pass a law enacting such a ban.

Duke University professor Ken Rogerson, from the Sanford School of Public Policy, joined me recently to explain what’s going on. Here is a lightly edited version of our conversation, recorded for the Duke University Debugger podcast that I host.

Ken Rogerson: I think they’re taking a cue from the federal level proposals that are asking for the same thing. If you remember Bob, during the Trump administration, TikTok was banned entirely by an executive order for a little while.

Then it was rescinded by the Biden administration. And there’s another proposal even for that at the federal level to ban TikTok in the United States entirely. But there’s another proposal that I think maybe has a little bit of teeth — that’s to ban it at the federal level from any device that is federally distributed or given to an employee as part of their job.

And so I think they’re taking the cue from that federal-level proposal. But there are also some states that have already done this. Oklahoma and Nebraska have already done this at the state level through either executive orders or through legislative action of banning TikTok at that level.

So they’re not the first to do that, but they are certainly quite adamant and intense about trying to do this in North Carolina as well.

Bob: There certainly is a lot of discussion about TikTok lately, but what is the actual concern for legislators at the federal and state level about TikTok and government devices?


Ken Rogerson: Well, Bob, I think the concern is twofold. The first is a broader concern about the level of our personal information privacy on our devices. And, and that’s something that I applaud. I think it’s really great to be asking these kinds of questions and be worrying about how well our personal information is protected.

And as a subset of that, we are so interconnected. I’m not sure that a work phone is only a work phone anymore. We often use our work devices for personal things and our personal devices for work things. And so there’s an overlap there. And so there is a concern about access to personal information and the protection of information.

But in this particular case, it also seems that there’s a concern about China itself now. We can go back to the Cold War and there was … I’m a political scientist and hold that very dear to my heart. And there was something called “enemy imaging.” And that we actually found some pride in our country of looking at enemies in the world. And then post-Cold War, we had to find new enemies. There’s terrorists and terrorist organizations that filled that role. But China seems to also be filling that role at a federal level. We have a number of conversations about China. It’s interesting to me to see this trickle down at the state level. The letter that these two state legislators sent to the governor mentioned China specifically as a threat to our security and because of the kind of government that they have and the relationship between ByteDance, which owns TikTok, and the Chinese government. It’s just interesting to see that state-level legislators are looking at that as a potential threat at the state level.

Bob: So would these kinds of inquiries, these kinds of letters and legislation be coming up if TikTok wasn’t owned by a Chinese company, do you think?

Ken Rogerson: Oh, that’s such a good question. I actually am not quite sure of the answer to that, but I don’t think so. I’m not a foreign policy specialist, but certainly you can’t not pay attention to it if you’re interested in technology policy. There is a connection between Chinese companies and the Chinese federal-level government. There have been a number of indicators over the past few years through stated policies and through small programs … I remember even five or six years ago, there was a little small order from the Chinese government that all games on phones had to register with the government. And so if you downloaded a game – Angry Birds, for example – you had to register that use with the government. And so there is some fear that the connection between the federal-level Chinese government and the public-sector companies who create things for phones is a little tighter than it is in other places.

At the same time, we see some companies there pushing back a little bit and negotiating a little more freedom so that they can make money. I mean, it’s a profit-based industry for sure, and the Chinese government wants to encourage that kind of capitalistic enterprise in its own way.

Bob: So TikTok is ragingly popular, particularly with young people, and there’s been a lot of stated public concerns that the Chinese government could use ByteDance… the data that TikTok collects in order to build this massive surveillance database of US citizens. Whatever one might think of that fear, would an executive order or legislation like this, do you think, really stop it or help with that concern? Is it effective?

Ken Rogerson: Is it effective? Another great question, Bob. Probably not. I’m a little .. concern isn’t the right word … I’m watching with bated breath to see if this particular type of conversation about TikTok itself can push us into a wider conversation about some regulation and potentially consumer-empowering regulation that gives us more leverage to control our own data. We can do that in the United States, but if something happens to us, what we don’t have is resources to go protect ourselves against either governments or big companies who have much greater resources than individuals do. So, no, I’m not sure that banning TikTok from government-distributed devices really will change anything. Because as you said, young people will still use TikTok and will still access TikTok.

Now, for the most part, young people are also not going to have access to national security information, either directly or maybe through some vulnerability that will allow really good hackers to get where they need to go.

So there is a piece of that that is probably good from a government — whether state or federal level — standpoint to say we want to protect ourselves because our devices could potentially lead to some kind of problematic intervention into our data. But I don’t see it at all for youth using it to share, you know, quick videos of food.

Bob: Now, on the other hand, when I read what you said to the local media in North Carolina, it made me think, well, this conversation is certainly welcome. It’s high time somebody drew a bright line around something when it comes to gathering data, right?

Ken Rogerson: Oh yeah, for sure. Again, I’m not sad about the conversation that this is encouraging among policymakers, especially. I think there are a lot of privacy advocates out there who are trying to make their voices heard, and there’s actually privacy legislation at the federal level … serious privacy legislation that some people are looking at and saying, ‘Oh, maybe something can happen here.’ For some it doesn’t go far enough. For some people it goes farther than it’s gone in the past. And so this is great to contribute to the conversation, but I think your earlier point is very well taken, which is what will it really do for those who are arguing that TikTok is a national security risk?

Well, I think that it could help in a really minimal sense, a small percentage sense for a few devices and a few people, but I don’t think it helps for those reasons. But let’s continue to have this conversation and widen it to other kinds of platforms, other kinds of information-sharing platforms as well.

Bob: If it’s good enough to ban TikTok, maybe it’s good enough to ban other kinds of technologies as well?

Ken Rogerson: Or the opposite way, right? That seems a little draconian to me to say that this is only about banning platforms who aren’t doing a good job with their data. And we can look at it from another direction as well, that we can create policy that makes personal information privacy collection-sharing much more transparent and much more user-controlled or have some kind of oversight mechanism for people to be able to bring difficult situations to a third party to say, ‘You used my data in an incorrect way.’ There needs to be some kind of penalty or punishment here.


Survey: Ransomware attacks impact patient outcomes at half of healthcare facilities

The purpose of this research is to provide an update to the industry’s first study on the impact of ransomware on patient safety, titled The Impact of Ransomware on Healthcare During COVID-19 and Beyond, September 2021. That seminal study qualitatively demonstrated a correlation between ransomware and various impacts to patient care, including increased patient transfers/diversions, delays in procedures and tests, increased complications from medical procedures, and higher mortality rates. This updated study, according to survey respondents, shows ransomware continues to impact patient care, and seeks to understand how cybersecurity peer benchmarking can help healthcare organizations strengthen their cybersecurity posture to help reduce the risk of a ransomware attack and its potential impact on patient care.

Ponemon Institute and Censinet will present the details of the independent research report in an upcoming webinar, “The Impact of Ransomware on Patient Safety and the Value of Cybersecurity Benchmarking.” It will be presented live on January 24 at 12:00 PM ET and features myself and Ed Gaudet.

As shown in the 2021 study sponsored by Censinet, 61 percent of respondents were not confident, or had no confidence, in their ability to mitigate the risks of ransomware. In this year’s study, also sponsored by Censinet, more organizations experienced a ransomware attack, and an increasing number of these attacks are caused by poor cybersecurity controls internally and at third-party vendors and products. In addition to the impact of ransomware on patient safety, this study explores the importance of cybersecurity peer benchmarking and third-party risk management to reduce cyber threats such as ransomware.

Our findings indicate that hospital IT/security personnel continue to believe ransomware has a broad and adverse impact on patient care. With ransomware growing exponentially and most organizations under constant threat, this report also explores how peer benchmarking improves an HDO’s cybersecurity program effectiveness, including its decision-making, hiring, and resource allocation.

The two-year trend in ransomware attacks

This research is unique because it tracks how healthcare organizations and patient care have been impacted by ransomware attacks since 2021. The following findings demonstrate that ransomware continues to be a growing problem for the industry.

  • Ransomware attacks are on the rise. Almost half of respondents (47 percent) say their organizations experienced a ransomware attack in the past two years, an increase from 43 percent in 2021. In the past two years, 93 percent of these respondents experienced either one (65 percent) or between two and five ransomware attacks (28 percent).
  • Third-party ransomware attacks have increased significantly. Of the 47 percent of respondents who reported a ransomware attack, 46 percent say it was caused by a third party, an increase from 36 percent in 2021. This finding indicates the importance of having policies and practices in place to proactively assess third-party risk, remediate identified security gaps, and quickly respond to and recover from a third party-driven ransomware attack.
  • More organizations are paying the ransom. Sixty-seven percent of respondents, an increase from 60 percent, say their organizations are paying ransom. The average ransom payment has increased from $282,675 to $352,541 in the past two years. The average duration of disruptions caused by ransomware attacks has not improved and can last more than one month (35 days).
  • More patients are adversely affected by ransomware attacks. Fifty-three percent of respondents in organizations that had a ransomware attack say it resulted in a disruption in patient care. Complications from medical procedures due to ransomware attacks increased significantly from 36 percent of respondents to 45 percent of respondents. The most prevalent impact was an increase in patients transferred or diverted to other facilities, from 65 percent of respondents last year to 70 percent of respondents this year. In addition, 21 percent of respondents say ransomware has an adverse impact on patient mortality rates.
  • Business continuity plans are increasingly the most important step in preparing for a ransomware attack. Sixty percent of respondents say their organizations have a business continuity plan that includes a planned system outage in the event of a ransomware attack, an increase from 54 percent of respondents. Also, 33 percent of respondents say their organization is increasing funds to deal with a potential ransomware attack, an increase from 23 percent in the previous study.


Benchmarking the effectiveness of cybersecurity programs is considered important and valuable.

As ransomware attacks increase, an effective cybersecurity program is critical. According to the findings, respondents agree that peer benchmarking is both valuable and important.

  • Benchmarking is very valuable in demonstrating cybersecurity program effectiveness, according to 78 percent of respondents. Benchmarking is also valuable when demonstrating cybersecurity framework coverage/compliance (61 percent of respondents) and improving cybersecurity programs (52 percent of respondents).
  • Benchmarking improves cybersecurity program decision making. Another important value of benchmarking is the ability to make better, data-driven decisions (53 percent of respondents), followed by the ability to demonstrate the effectiveness of benchmarking program investments (48 percent of respondents).
  • Benchmarking is important to making the business case for hiring cyber staff and purchasing technologies, according to 69 percent and 60 percent of respondents respectively. Fifty-seven percent of respondents say benchmarking is valuable when making investment decisions in the cybersecurity program.
  • Benchmarking is important when establishing cybersecurity program goals, according to 67 percent of respondents. These metrics are also helpful in responding to and recovering from ransomware attacks, according to 51 percent of respondents.

“The findings in this year’s Ponemon report are, unfortunately, not surprising as ransomware continues to shut down hospital operations and disrupt care at an alarming rate,” said Ed Gaudet, CEO and Founder of Censinet. “With patient safety in jeopardy and ‘asymmetric warfare’ no longer hyperbole to describe the situation, this report highlights the continued threats while introducing new approaches to creating rigorous, robust, and continuous cyber programs that protect patients.”

To read the entire report, visit Censinet’s website

With SBF arrest, is crypto having a Lehman Brothers moment or a Bernie Madoff moment?

Bob Sullivan

No one knows when an investment bubble will burst, but in retrospect, there’s often a single event that comes to symbolize the beginning of the end — as the Lehman Brothers implosion is now forever intertwined with the collapse of the housing bubble and the Great Recession. It’s understandable that many see the recent collapse of cryptocurrency exchange FTX — and the ripple effects from that news — as the beginning of the end for a cryptocurrency bubble, and perhaps for cryptocurrency itself. Or perhaps it’s just the end of the beginning?

I recently hosted a discussion with several crypto experts at my regular “In Conversation” column I publish with Duke University. You can read the entire threaded dialog at the In Conversation page, but I’ll give you highlights here:

From Lee Reiners, a Duke professor who formerly worked at the New York Fed:

“One can only hope that it is the end and we all move on to more productive things. Imagine how much better the world would be if all the money and human capital that has flooded into cryptocurrency over the past decade had instead gone into addressing climate change or curing cancer? But the allure of quick and easy riches is hard to resist for many people.

“As much as I wish it were so, I do not believe this is the “end” of crypto. … I see the industry increasingly embracing DeFi, or decentralized finance. DeFi represents traditional financial services offered on the blockchain without the need for any third-party intermediaries, all made possible by smart contracts. DeFi is particularly problematic from a regulatory standpoint, as regulation traditionally applies to legal entities. Who is responsible for compliance when the service is provided by open-source software?

“DeFi, and crypto more generally, are destined for the ash heap of history because they provide no genuine economic utility. But I do not believe it will be a swift death. At this point, crypto has taken on religious elements and there will always be a core group of true believers, no matter what happens. But as time passes and people realize crypto’s killer use case will never come, most people will move on to other things and twenty years from now, we’ll share a drink and remark: ‘remember when crypto was a thing, those were wild times.’ Until then, good people must actively resist the crypto-con so that innocent people are not taken advantage of, national security is not undermined, and financial stability is maintained. It won’t be easy, but it is necessary.”

From Shane Stansbury, Duke professor and former federal prosecutor with the SDNY:

“It has been difficult to watch the celebrity marketing blitz in this industry over these last couple of years with the sinking feeling that the day would come when many average folks would lose their shirts (or, quite literally, their life savings).

“Will the likes of LeBron James and Tom Brady think twice in the future before placing their reputations on a product like this? I like to think so (and surely Taylor Swift is relieved that she passed on the opportunity).

“With all due respect to fans of Kim Kardashian, enforcement actions can serve as important deterrents. Although investor lawsuits can be an uphill climb (in part because of the difficulty of linking one’s loss to specific endorsements), the SEC did reach a $1.2 million settlement with Kardashian for failure to make proper disclosures when touting a crypto asset on her Instagram feed. Regardless of your net worth, that’s real money and few celebrities want to find themselves entangled in regulatory actions or, even worse, getting a knock on the door by criminal investigators. There are easier ways to make a buck, and none of this can be good for one’s brand.

“Like Lee, I don’t think crypto is going away anytime soon, at least absent some other major developments (always a possibility in this space). As bad as the SBF/FTX debacle was, it was no Lehman Brothers, in part because the scale and global financial impact are different by orders of magnitude. Most of the victims were institutional investors, and their losses, however painful, did not send shockwaves through the larger financial system. That matters for purposes of the level of accountability that the public will demand.”

Read the entire thread at this link