Blog

Tag: Ponemon Institute

Practical Advice At Buffalo NYDFS 23 NYCRR 500 Pathways to Compliance Event

Following our successful event in Rochester, the second of the NYDFS 23 NYCRR 500 roadshow events, held at Phillips Lytle LLP in Buffalo, NY on May 17, 2017, brought together executives, insurance, legal, and security professionals in a great forum to discuss the challenges financial services organizations face in meeting the new cybersecurity regulations that went into effect on March 1, 2017.  A full house heard practical advice designed to help entities regulated by the New York Division of Financial Services (NYDFS) comply with the new regulations.

Jennifer Beckage of Phillips Lytle LLP started with her “Survival Guide to Navigating the NYDFS Cybersecurity Regulation”.  Jennifer talked about the challenges covered entities face not only developing their own cybersecurity programs, but how those spill over to their service providers.  Developing, implementing and monitoring vendor management programs will affect contracts, day-to-day operations and the technology used to secure and control information shared.

Dr. Larry Ponemon of the Ponemon Institute followed with a review of his latest survey, “Countdown to Compliance: Is the Financial Services Industry Ready for New York State’s Cybersecurity Regulations?”.  Sponsored by Fasoo, this survey gave great insight into the readiness of financial services organizations to comply with the new regulations.  One key statistic from the survey that picked up on Jennifer’s discussion of third-party liability is that only about half of the organizations think they can meet the two-year transitional period for implementing a third-party service provider security policy.  One member of the audience mentioned that they may have to switch some service providers who can’t meet the requirements.  The discussion also turned to fourth-party service providers, since as a covered entity you can’t know which providers your own service providers rely on for their business.  This gets complicated very quickly.

Dr. Ponemon’s keynote was followed by a panel discussion moderated by Kevin Cox from Brite Computers on meeting governance and security aspects of the regulation.  The panel included Dr. Ponemon, Jennifer Beckage, Dave Hansen from Freed Maxick, Reggie Dejean from Lawley Insurance, and Ron Arden from Fasoo.  Based on a number of questions from the audience, the panel had a lively discussion on incident response.  A key item is to engage your legal and insurance providers immediately if you suspect a negative cyber event.  How you characterize an event and your response to it is not only a technical and process issue, but a legal one too.  An event is not considered an incident until an attorney says so.

One key discussion was on data retention and protection.  Since the regulation talks about encrypting and limiting access to all nonpublic data, one way to minimize risk is to delete information that is no longer needed by the business.  If you don’t have it, you don’t need to protect it.  This not only helps with general security hygiene, but also helps satisfy other regulations, since eliminating unneeded information reduces a company’s general liability.  As in the earlier discussions, this lends itself to protection and revoking access to nonpublic information you share with your service providers.

Fasoo wants to thank all the Buffalo NYDFS 23 NYCRR 500 roadshow sponsors for all their support.  It was a great event and everyone said they got a lot of great information that will help them as they strive toward meeting the first deadline of August 28, 2017.

Ponemon Institute
Brite Computers
Lawley Insurance
Phillips Lytle LLP
Freed Maxick

Fasoo Sponsors NYDFS 23 NYCRR 500 Roadshow

On March 1, 2017 new sweeping cybersecurity regulations from the New York State Department of Financial Services (NYDFS) took effect.  The NYDFS 23 NYCRR 500 regulations affect thousands of regulated financial institutions that do business in New York as well as thousands of Third Party Service Providers worldwide that support those financial institutions.  The regulations add to the complexity that financial institutions already face in developing and implementing their comprehensive information security programs.  They also bring with them challenges and uncertainty as organizations implement new tools and practices designed to protect customer and company information.

In response to this sea change, Fasoo is sponsoring a roadshow across three major markets in New York (Rochester, Buffalo and New York City) to help affected organizations comply with the new regulations.  The highlight of the roadshow will be a keynote by Dr. Larry Ponemon of the Ponemon Institute reviewing a study sponsored by Fasoo to gauge industry readiness and reaction to the new regulations.

The roadshow brings together experts in cybersecurity, insurance, law, corporate governance, risk management and compliance to help audience members prepare for implementing and managing these new regulations that will surely expand to other states and industries.

If you are in one of these cities during the week of May 15, 2017, please join Fasoo and its partners (see below) for one of these exclusive events.

Rochester, NY – May 16, 2017  8:00 AM – 10:00 AM
Harter Secrest & Emery LLP, 13th Floor
1600 Bausch & Lomb Place
Rochester, New York 14604

Buffalo, NY – May 17, 2017  8:00 AM – 10:00 AM
Phillips Lytle LLP
One Canalside
125 Main Street
Buffalo, NY, 14203

New York, NY – May 19, 2017  8:00 AM – 2:00 PM
PwC
300 Madison Avenue
New York, NY 10017

NYDFS 23 NYCRR 500 roadshow sponsors
Ponemon Institute
Harter Secrest & Emery, LLP
Brite Computers
GreyCastle Security
Lawley Insurance
Phillips Lytle LLP
Freed Maxick
PwC
ForgeRock
Securonix

Top Four Cyber Security Predictions For 2017

2016 has been an epic year for cyber security and data breaches.  From recent hacks at Yahoo and LinkedIn to problems at the FDIC and stolen intellectual property from GlaxoSmithKline, this has been a year of data breaches large and small.

The past year has shown us that malicious attacks and inadvertent mistakes continue at an alarming rate and the consequences are legal, financial and brand reputation woes.

So how will 2017 fare?  Will we see more of the same or a change in the cyber security landscape?

Here are four security predictions for 2017.

1. Cyber Security Legislation will Change the Face of Business

In the US, cyber security legislation is already strengthening as states and the federal government try to force businesses to improve their security posture to prevent the next data breach.  One example is the new regulation by the New York State Division of Financial Services (NYS-DFS) that goes into effect on January 1, 2017 and requires organizations registered as banks, insurers, and other financial institutions in the state to implement comprehensive cyber security programs and policies.  The first bar is to encrypt non-public information.  Executives will be held personally responsible for failure to meet these requirements, so this will definitely cause some changes.

Europe is implementing the General Data Protection Regulation (GDPR), and I can see other jurisdictions, including the US federal government, moving toward more serious legislation.  As more governments realize there is a national security risk from these cyber attacks, they will implement tougher rules to help prevent the leaking of sensitive data.

2. Hackers Will Attack the Supply Chain

If a hacker wants to get access to sensitive information from a large company, the easiest approach is to go after a weak link in the supply chain.  This may be a service provider, an attorney or a small business partner.  The large company may have adequate security controls for data that is inside the company, but what about when it leaves the company?  Does the business partner have adequate security controls?

Unless organizations are protecting the data itself, there is no guarantee that it will remain secure and accessible only to authorized users.  Until organizations persistently protect information at the data level, we will continue to see hacks on the supply chain, including more ransomware attacks, since hackers will exploit the weakest link in the chain.  That weak link may be a trusted insider who inadvertently clicks on a phishing email or accidentally sends sensitive information to the wrong email address.

3. Organizations Will Impose Stricter Data Security on Contractors and Advisors

To meet stricter regulations and comply with data governance initiatives, organizations in 2017 will place stricter controls on how internal and outside partners access data and collaborate.  Internal contractors and other advisors are typically treated as insiders who have access to sensitive data.  These trusted insiders can pose serious security threats, since they do not work for the company and may not be subject to the same security standards as an employee.  Based on the recent Ponemon Institute survey Risky Business: How Company Insiders Put High Value Information at Risk, 70% of organizations do not know the location of confidential information and 73% believe they lost confidential information in the past 12 months.  There is a major risk that a contractor or advisor could steal intellectual property or other high value data and take it with them to their next client.

4. Enterprises Will Adopt a Data-Centric Security Approach Over Perimeter Security

Sensitive data moves in and out of organizations everyday and the volumes will only increase in 2017.  Globalization and an increasingly mobile workforce increase the risk of this data getting into the wrong hands.  While many organizations focus on securing the network, servers and endpoint devices, the data itself is what matters most.  This is especially true as more employees use a combination of work and personal devices and consumer versions of Enterprise File Synch and Share (EFSS) systems.

Organizations will shift their focus from protecting the perimeter to protecting the data itself by encrypting it and applying dynamic security policies that impose granular user access controls so that only authorized users can access it.  These security policies will travel with the data regardless of location or device and ensure that the enterprise is always in control of it, including having a comprehensive audit trail of all access.  These measures will allow executives, shareholders and other stakeholders to feel confident that business can continue without interruption and meet the governance needs of its constituents.

Cyber Security Takes Center Stage at Stevens Institute Of Technology

Fasoo and the New Jersey Technology Council sponsored “Closing the Threat Gap: Executive Perspectives on the Cybersecurity Landscape” at the Stevens Institute Of Technology in Hoboken, New Jersey on October 26, 2016.  The event featured cyber security leaders discussing the effects of internal and external threats to businesses.  There was a great turnout with some existing Fasoo customers, executives, attorneys, risk officers, CISOs, IT and security professionals from numerous organizations in the greater NY area.  Common feedback from the event was an appreciation for understanding the larger cyber security landscape and how everything from drones to DDoS attacks can affect their companies and personal lives.

Dr. Larry Ponemon, Chairman of the Ponemon Institute, was the first keynote speaker. He talked about the increased threat landscape and how trusted insiders are fast becoming one of the main threats to organizations.  Citing the recent study “Risky Business: How Company Insiders Put High Value Information at Risk”, he emphasized how ill prepared many companies are to detect and prevent data breaches from trusted insiders, with over 70 percent of companies not confident they can manage and control employee access to confidential files.  Dr. Ponemon also talked about results from “The Rise of Nation State Attacks”, citing organizations’ lack of readiness to respond to nation state attacks due to uncertainty about what a nation state attack is and how to identify the key characteristics, methods and motives of these attacks.

Mark Lobel, US and Global TICE Cybersecurity Leader at PwC, focused his keynote on results of the recent PwC “Global State of Information Security Survey 2017”.  Mark mentioned that spending on security is increasing in most organizations and many are realizing that they have to concede the perimeter.  With increasing threats and the landscape constantly shifting to include IoT devices and greater mobility of the workforce, the need for better threat intelligence, monitoring and protection of high value assets is greater than ever.  We still need perimeter security, but companies need to focus on preventing the exfiltration of sensitive information by either hackers or insiders through sophisticated means.  Mark used the analogy of cyber security being like a game of chess with the kings removed. You can never win, and it’s a constant battle to keep ahead of the exploits and vulnerabilities.

A panel discussion moderated by Dr. Paul Rohmeyer, Associate Professor of Information Security Management and Risk Assessment at Stevens, covered recent cyber security events and some major trends going forward.  The panel consisted of Mark Lobel, Dr. Larry Ponemon, Michael Frank, President at Secure Business Strategies, and Mike Miracle, an executive at BlackRidge Technology. There was a lively discussion of the recent DDoS attack that crippled major websites, like Netflix and Twitter.  This led to audience interaction as the panel and audience members discussed who is responsible for the security of a product. Should the manufacturer build security into the product, or is it the responsibility of the organization implementing the product to ensure that the network and access to the product and its data are secure?  Or in the case of DDoS, is it up to the telecoms to block that traffic?

Photo: Fasoo dinner with Dr. Larry Ponemon and Dr. Paul Rohmeyer

In the case of IoT devices, like those used for the DDoS attack, the consensus was that the manufacturer needs to build security in, but in many cases there are no standards or certifications available to ensure security.  One panelist mentioned wanting something similar to the Underwriters Laboratories (UL) mark to ensure safety and security.  There were discussions about the increasing sophistication of attacks from hackers and how best to prevent attackers from taking down your systems or, more commonly, from stealing your most sensitive information.  It is most important to secure the data so that if it gets into the wrong hands, it is protected.

There was one question from the audience about legal responsibility when organizations share information on attacks with the goal of improving their security. The guidelines of what to share and how are still being developed and debated.  Numerous Information Sharing and Analysis Organizations (ISAO) do exist, but the sharing of attack and vulnerability information is still a work in progress. It may make sense technically to share, but if you are sharing sensitive data with a competitor that might potentially use it against you, you are less likely to share it.

There was also a lot of discussion on how process and policy needs to go hand in hand with technology. While the goal is to simplify security so that the user is unaware of it, the reality is that policy and process are needed to guide technology. I can have the best technology, but if it’s not used properly and people ignore security basics, they will ultimately get in trouble.  Organizations need a combination of good policy, process and technology.  While the goal is to improve our machine learning capabilities to take the human out of the cyber security decision tree, people are still at the heart of the problem and solution.

Stop Insider Threats from Defeating your Business

The headlines today still focus on hackers and other malicious outsiders trying to steal your sensitive data or disrupting your business, but the reality is that insider threats are the biggest challenge to enterprise security.

People with knowledge of your network and systems have a decided advantage when it comes to deliberately or accidentally sharing information with unauthorized users.  Whether it’s a dissatisfied employee looking to make a buck, a retiring worker copying files to take home or a busy executive sending a file to the wrong person, preventing data breaches from privileged insiders can be challenging.

Insiders understand how your business operates and have access codes, user credentials, and the ability to exploit or bypass security controls, especially if they are in senior positions.  Most of the time these actions are not intended to do harm, but to quickly get things done.  A good example is the retiring FDIC employee who inadvertently copied sensitive data from 44,000 customers onto a USB drive to take home.  Not malicious, but a data breach nonetheless.

According to the recent study “Risky Business: How Company Insiders Put High Value Information at Risk” by the Ponemon Institute, C-level executives and Sales departments are the most likely candidates to inadvertently share sensitive information.  While there may be malicious intent for some, according to the Ponemon study, carelessness is the main cause of putting high value information at risk.  These people have access to sensitive company and customer information and with busy schedules come mistakes.

Two statistics from the Ponemon study are telling.  56 percent of those surveyed say company insiders are the primary cause of data breaches and 72 percent say they are not confident they can manage and control employee access to confidential files.

While carelessness is a major cause of data breaches, the lack of good security practices clearly contributes to problems by insiders.  If you can’t determine what is sensitive, you should treat all documents and correspondence as confidential and manage exceptions to the rule.

A good approach is to encrypt all files when you create them and assign permission controls to them, so that no one outside of your organization can access them.  This immediately stops the accidental or malicious act.  If a company outsider can’t access the information, having possession of the file is useless.  Then manage the exceptions where you need to share sensitive information legitimately with outside people.  Couple this with data handling education and overall security awareness training to create a culture that sees security as a business benefit.

As insider threats concern the motives and mistakes of real people, it’s impossible to ignore the human side of things.  An effective strategy requires the endorsement and active participation of the board of directors and senior management.  And most importantly, the rules must apply to them, so there is no sense that privilege lets anyone skirt the rules.

Here are a few ideas to help to detect and stop insider threats.

  • Discover and encrypt sensitive information
  • Prohibit unauthorized sharing of sensitive data outside the company
  • Monitor access to sensitive information to determine proper work patterns
  • Adjust security policies over time to ensure employees can do their jobs without going around security
  • Implement the fewest privileges and access rights so employees can do their jobs effectively
  • Ensure access rights are terminated as soon as an employee leaves the company
  • Monitor contractors’ access to sensitive information and terminate it as soon as it’s no longer needed

Many companies have a handle on protecting high value information from outsiders, but protecting it from insider threats is no different. Giving insider threats the same level of importance protects your business and ensures success and profitability.

Ron Arden article in Corporate Compliance Insights on protecting high-value corporate data

I recently wrote an article for Corporate Compliance Insights that focused on the importance of organizations taking proactive steps to safeguard high-value corporate data from internal and external vulnerabilities. High value information such as trade secrets, product designs, financial data and customer data can change hands often within an organization, including among people who may not need access to this confidential material. Protecting that data from employee error is the organization’s sole responsibility, and it is part of the greater effort to protect the data from external malicious actors.

As our Ponemon study, “Risky Business: How Company Insiders Put High Value Information at Risk,” taught us, employees, particularly those in the sales department, C-level executives, and finance and human resources, pose the biggest security risk to their companies.  The IT security practitioners at these companies admittedly do not have the resources to prevent data leaking by employees. Not a calming thought for those who trust their information to be safe.

I offered four steps that make a significant impact in securing this information:

  • Encryption – documents and files that contain sensitive data should always be encrypted, since it is the best line of defense. If an employee shares one of these files and it lands in the wrong hands, the encryption renders it useless to that individual.
  • Employee access control – implementing rules, regulations and protocols, and enforcing all of the above, is key to minimizing human error.  Employees should be fully aware of their access rights and what they are allowed to do with any high-value information they access.  Regular training held by the organization can further support this effort.
  • Data-centric approach – while traditional security software can protect information inside an organization’s network, it cannot help once the information has been extracted from this environment. Placing a focus on protecting the data itself, and not just the network or systems that contain the data, will offer better security.
  • Data security framework – implementing a data security framework enables organizations to be the “big brother” of sensitive information. The framework can identify where the information is stored, control permissions for those accessing it, and monitor how they use the data.
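The four steps above, the insider-threat list earlier (encrypt at creation, permission controls that travel with the file, monitor access, revoke it when someone leaves) and the data-centric prediction all describe one model, shown here as a single working sketch. This is an added Python example, not Fasoo's code: the policy is bound to the ciphertext as authenticated data, so a recipient who edits it to grant themselves access fails the integrity check, and the key stays with an enterprise key service that evaluates the policy and logs every open. The HMAC-SHA256 keystream is a standard-library stand-in for AES-GCM, and the document name, users and timestamps are constructed.

```python
"""Data-centric protection as the posts describe it: encrypt at creation, let the policy
travel with the file, check it on every open, revoke on departure, log every access.
Added example, not Fasoo's code; HMAC-SHA256 keystream + MAC stands in for AES-GCM."""
import hashlib
import hmac
import json
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-CTR).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]

def protect(doc_key: bytes, plaintext: bytes, policy: dict) -> dict:
    """Encrypt-then-MAC with the policy as authenticated header: readable, not editable."""
    nonce = secrets.token_bytes(16)
    header = json.dumps(policy, sort_keys=True).encode()
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(doc_key, nonce, len(plaintext))))
    tag = hmac.new(doc_key, header + nonce + ct, hashlib.sha256).digest()
    return {"policy": header, "nonce": nonce, "ct": ct, "tag": tag}

class KeyService:
    """Enterprise authority: holds keys (never shipped with the file), decides, logs."""

    def __init__(self):
        self.keys, self.revoked, self.audit = {}, set(), []

    def new_document(self, doc_id: str) -> bytes:
        return self.keys.setdefault(doc_id, secrets.token_bytes(32))

    def terminate(self, user: str) -> None:  # off-boarding: already-shared files go dark
        self.revoked.add(user)

    def open(self, user: str, doc_id: str, pkg: dict, now: float):
        """Return the plaintext, or None after logging why access was refused."""
        key = self.keys[doc_id]
        msg = pkg["policy"] + pkg["nonce"] + pkg["ct"]
        if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), pkg["tag"]):
            return self._deny(user, doc_id, now, "policy or content altered")
        policy = json.loads(pkg["policy"])  # parsed only once authenticated
        if user in self.revoked:
            return self._deny(user, doc_id, now, "access terminated")
        if user not in policy["readers"]:
            return self._deny(user, doc_id, now, "not an authorized reader")
        if now > policy.get("expires", float("inf")):
            return self._deny(user, doc_id, now, "policy expired")
        self.audit.append((now, user, doc_id, "ALLOW"))
        return bytes(c ^ s for c, s in zip(pkg["ct"], _keystream(key, pkg["nonce"], len(pkg["ct"]))))

    def _deny(self, user, doc_id, now, reason):
        self.audit.append((now, user, doc_id, "DENY: " + reason))
        return None

def demo() -> tuple:
    """Lifecycle on constructed data: create, share, tamper, expire, off-board."""
    svc, t0, doc = KeyService(), 1_500_000_000.0, "forecast.xlsx"  # constructed clock/name
    pkg = protect(svc.new_document(doc), b"Q3 forecast: revenue +12%",
                  {"readers": ["alice", "bob-contractor"], "expires": t0 + 86400})
    forged = dict(pkg, policy=pkg["policy"].replace(b'"alice"', b'"alice", "mallory"'))
    results = {
        "alice": svc.open("alice", doc, pkg, t0),               # authorized reader
        "outsider": svc.open("mallory", doc, pkg, t0),          # holds the file, no rights
        "forged_policy": svc.open("mallory", doc, forged, t0),  # edited policy fails the MAC
        "expired": svc.open("alice", doc, pkg, t0 + 90000),     # past the expiry
    }
    svc.terminate("bob-contractor")                             # contract ended
    results["after_offboarding"] = svc.open("bob-contractor", doc, pkg, t0)
    return results, svc.audit
```

The audit trail records the denial reason for every refused open, which is what lets the "monitor access to determine proper work patterns" item be acted on.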

Implementing these tactics will ensure better protection for all that an organization holds dear while boosting its employees’ ability to act as a stronger line of defense in the face of an attempted security breach.

Photo credit Kirsty Pitkin
