Building a Cyber Security Team from Within

Uploaded on 2015-04-02 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

f3b2fc701727fc40be4730a2194bf138.jpg

While building an in-house cyber security operations center can be resource-intensive, it can safeguard your data.
Hijacking technology used to be the favorite hobby of benign oddballs. The Max Headroom incident was inexplicable, but harmless. Gary McKinnon may have hacked the Pentagon, but he was hunting for evidence of UFOs. That’s sadly not the case anymore: cyberattacks can and do inflict real damage.

Sony Corporation has become a famous example. In the last few years, it’s suffered no fewer than three high-profile security breaches. The latest, a DDoS attack around Christmas, was an inconvenience, the fallout being five days of network outage and a few irate gamers. The 2011 PlayStation Network hack, however, resulted in a mass data harvest and a $15 million settlement for those affected. 

Hacking is an attack weapon, which has become a business-critical issue costing companies millions, which very much puts it in the domain of the CFO.

The argument from some quarters is that outsourcing your protection is the way forward. For CFOs, it’s easy to see the appeal of making the process of protecting your infrastructure another number on a balance sheet. Unfortunately, while it’s simpler in the short-term, it’s hard to know in advance that your managed service provider (MSP) will get cybersecurity right. With many data breaches occurring as a result of poor outsourcing decisions, it’s a risk that many boards aren’t prepared to take. We have also seen some situations in which a company has had to buy back its own data from a legacy MSP.
Building an in-house security operations center, or SOC as it’s more commonly known, can be a resource-intensive process. But managed correctly, it can safeguard your business-critical data and your bottom line.
The first decision a CFO should make is whether or not in-house security should be integrated with the rest of the IT department. For smaller businesses, this might be unavoidable: for medium-to-large enterprises, however, it’s worth thinking about.

A dedicated SOC has many benefits, chief among them that your business owns its data and knows what’s happening with it. It gives you in-depth control over your IT security and enables your company to make the best use of its application performance. 

The big challenge for CFOs is that security can be expensive. It’s possible to spend a lot of money, and there’s no guarantee you won’t be breached. The most important thing is that CFOs realize the role of the CISO is now a strategic one. IT security should be a business enabler, and the role of the CISO should be less focused on the technical and more on strategy and stakeholder management. Understanding how security can help a business achieve its objectives and overcome organizational challenges is key to the CISO role. 
CFO.com  http://bit.ly/1GLk9Qn
5 Ways to Use Virtual Reality in the Enterprise

 With the Microsoft's HoloLens headset, users can view virtual 3D images within the everyday real world. 

For enterprises trying to differentiate themselves from their competitors, trying to connect with customers, trying to better show off their products and even make potential customers feel like they're trying out everything from a new car to a new iPhone before they buy it, virtual reality is likely to be a game changer for the enterprise.
Virtual reality is getting a lot of attention this week because the keynote during the second day of Facebook's annual F8 developer conference was largely focused on Oculus, a company that has built a virtual reality headset. Facebook bought Oculus in March 2014, and now the social network has big plans on developing not only virtual reality games, but ways for Facebook users to communicate and share experiences using virtual reality.
Facebook executives want users to even create virtual reality experiences for their online friends. Google is also known to be developing virtual reality products, though it hasn't specified exactly what it's doing.
If Facebook's vision becomes a reality, that will mean big things for gamers flying virtual fighter jets or fighting in medieval times.
What might it mean for the enterprise, though? Well, it should mean better communications with customers, a better way to show off new products and even a better way to work with employees.
Here are a few examples of how the enterprise could use virtual reality in another five or 10 years.
1. Training
Trainers will use virtual reality extensively. Soldiers, for instance, would be able to train in a virtual middle-eastern village or in a snowy, remote environment without leaving their American base.
Financial managers would be able to train using a virtual office environment, so they could practice good communication and leadership skills.
2. Pulling in remote workers
Virtual reality also should make for better relationships between employees working remotely and their managers or working groups. Think about employees being able to work from home but at the same time, working from virtual offices, surrounded by their virtual peers. This could make the worker feel more like a part of the meeting or a part of the team, leading to possible productivity boosts.
Another plus if you are more tightly coupled, it can be instrumental to make your boss more confident that you actually are working and not just goofing off at home.
3. Less business travel
Today, when most workers need to attend an important meeting -- whether it's in another corporate location or at a client's office -- they head to the airport, work their way through security and endure a plain ride, sometimes squeezed in that dreaded middle seat.
Of course, some people use videoconferencing, but it's not widespread. And that experience still isn't quite like being in the same room and sitting down face-to-face with colleagues or clients.
A virtual reality meeting could make it seem like a manager is in an actual face-to-face meeting when he or she is actually alone in the office.
What companies will notice is a reduction in travel costs and in the administrative work it takes to make the travel arrangements and deal with the expenses. It also will reduce the amount of time workers are outside the office and unavailable. 
4. Sales
If someone is interested in comparing two different types of smartphones before buying one, testing them both out via virtual reality would be the perfect solution.
Salespeople could help their potential customers to virtually try before they buy. Customers could feel like they're sitting in a car. They'd see how it would steer and feel on the road and how the interior looks up close. They could see how roomy it is -- all before taking the time to drive to a dealer to see it in person.
5. Order up!
Kagan said one of the first uses of virtual reality may be at restaurants to allow customers to make their to-go food orders instead of calling in or using the Web.
Computerworld  http://bit.ly/1F2thLJ
Cyber Insurance: Well Worth it but Beware of Exclusions

It’s what all sensible people do to mitigate the risk of catastrophic financial damage: Buy insurance. There’s not even a choice when it comes to auto and health risks – insurance is a legal mandate. And most people would agree that anyone with a house who does not carry homeowner’s insurance is a fool or fabulously wealthy.

So, why not use cyber insurance? Indeed, the case for it is compelling. The costs of data breaches are in the millions and rising fast. As the Ponemon Institute put it in a synopsis of one of its recent reports on the issue, “data breaches have become as common as a cold, but far more expensive to treat.”

In another report sponsored by HP Enterprise Security, Ponemon found that, “the average annualized cost of cyber crime incurred by a benchmark sample of U.S. organizations was $12.7 million,” up 96% since five years ago. The average cost to resolve a single breach was $1.6 million. Most policies are nowhere near inclusive of all cost associated with breaches. So, as Wendi Rafferty, vice president of services at CrowdStrike, put it to CSO in an earlier interview, part of any prudent organization’s advance plan to respond to a data breach should include data breach insurance.

The biggest reason is that a general liability policy is no longer enough. It covers, “third-party claims of bodily injury or property damage, but the trend among insurance providers is to exclude electronic records and data,” said Jared Kaplan, executive vice president and CFO of Insureon.
Getting effective cyber insurance is not simple, however. Data breaches, in addition to being expensive, are notoriously complicated. They require a host of costly responses, including forensic investigation, notification of first and third parties, fulfillment of legal and compliance obligations, possible litigation, working with law enforcement, public relations, credit monitoring fees, crisis management – the list goes on.
As technology risks continue to evolve, many carriers are starting to pull back on the types of industries and risks they will cover.

Also different industries have different kinds of risks, health care is not the same as retail, which is not the same as buying for Education.
That means simply buying a “cookie-cutter, off-the-shelf” policy is asking for trouble since it will likely have exclusions for significant expenses.
According to a recent post in Dark Reading, many such policies exclude coverage for:
    - Breaches of protected information in paper files.
    - Claims brought by the government or regulators, including the Office of Civil Rights, the Department of Health and Human Services, and the Office of the Attorney General.
    
    -Vicarious liability, for data entrusted to a third-party vendor, when the breach occurs on the vendor’s system.

    -Unencrypted data.

Some damages, of course, cannot be measured exactly. But there are ways to close coverage gaps. One of the most obvious is to practice good security “hygiene,” including end-to-end encryption of data and keeping software up to date with all recent patches.
Common exclusions in “off-the-shelf” cyber insurance policies:
    - Breaches of protected information in paper files
    - Claims brought by the government or regulators
    - Vicarious liability, for data entrusted to a third-party vendor that is     breached
    - Unencrypted data
    - Negligence: Failure to install software updates or security patches
    - First-party notification expenses for disclosure of PII or PHI
- Many of the policies, with premiums ranging from $6,000 to $37,000, limit coverage to just $1 million, which in today’s world rarely comes close to covering the total expenses.
In short, cyber insurance can ease the pain, but it won’t eliminate it.  
Techpageone http://bit.ly/1F2utyL

« China Admits to Having Cyber Warfare Units
Battle for African Internet Users Stirs Fears »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Roka Security

Roka Security

Roka Security is a boutique security firm specializing in full-scale network protection, defending against advanced attacks, and rapid response to security incidents.

TZ-CERT

TZ-CERT

TZ-CERT is the National Computer Emergence Response Team of Tanzania.

Council of Europe - Cybercrime Programme Office (C-PROC)

Council of Europe - Cybercrime Programme Office (C-PROC)

The Cybercrime Programme Office of the Council of Europe is responsible for assisting countries worldwide in strengthening their legal systems capacity to respond to cybercrime

Forcepoint

Forcepoint

Forcepoint provide a unified, cloud-centric platform that safeguards users, networks and data while eliminating the inefficiencies of managing multiple point security products.

CalCom

CalCom

CalCom Hardening Solution (CHS) for Microsoft OMS is a security baseline-hardening solution designed to address the needs of IT operations and security teams.

Dell Technologies

Dell Technologies

Dell Technologies Consulting Services enables a highly resilient business amidst the proliferation of cloud-based IT services and constant threats to your most critical information.

Cyber Wales

Cyber Wales

Cyber Wales provides a focus and forum for everyone in the industry, helping businesses come together and collaborate both within Wales and internationally.

BI.ZONE

BI.ZONE

BI.ZONE creates high-tech products and solutions to protect IT infrastructures and applications, and provides services from cyber intelligence and proactive defence to cybercrime investigation.

Cysiv

Cysiv

Cysiv SOC-as-a-Service combines all the elements of an advanced, proactive, threat hunting SOC, with a managed security stack for hybrid cloud, network, and endpoint security.

Future Planet Capital

Future Planet Capital

Future Planet is the impact-led, global venture capital firm built to invest in high growth potential companies from the world's top research centres.

Centre for Cyber Security Research & Innovation

Centre for Cyber Security Research & Innovation

The Centre for Cyber Security Research & Innovation is Nepal's First Academic Research Institute to focus on understanding the overall Information Security of Nepalese Organizations.

Eden Data

Eden Data

Eden Data is on a mission to break the outdated mold of traditional cybersecurity consulting. We handle all of your security, compliance & data privacy needs.

Cyrex

Cyrex

Cyrex is a Web3 security and development company. Our mastery over decentralized applications, smart contracts and blockchain will keep you secure across Web3.

Accelerynt

Accelerynt

Accelerynt was founded with a singular purpose: help teams like yours build cybersecurity resilience.

Defence Innovation Accelerator for the North Atlantic (DIANA)

Defence Innovation Accelerator for the North Atlantic (DIANA)

The NATO DIANA accelerator programme is designed to equip businesses with the skills and knowledge to navigate the world of deep tech, dual-use innovation.

Tracer

Tracer

Tracer (formerly Appdetex) is a next-generation brand protection solution. It constantly finds, analyzes, and stops brand abuse across Web2 and Web3 digital channels.