Pedro Hernandez, Author at eSecurity Planet
https://www.esecurityplanet.com/author/pedro-hernandez-esp/
Industry-leading guidance and analysis for how to keep your business secure.
Wed, 29 Mar 2023 19:24:32 +0000

Top GDPR Compliance Security Companies & Solutions
https://www.esecurityplanet.com/compliance/gdpr-solutions/
Sun, 01 Nov 2020 00:00:00 +0000

The European Union’s new General Data Protection Regulation (GDPR) has ushered in sweeping new data privacy and security regulations – and with it a new way of doing business for security vendors.

The implementation deadline of May 25, 2018 has come and gone, and now enterprises across the globe are grappling with how GDPR affects their IT security strategies and operations.

In some ways, the new data privacy law is a wake-up call for many enterprises. Outside of a few heavily regulated industries, like healthcare and finance, the penalties for improperly handling user data have typically boiled down to some bad press, some customer defections and the cost of getting back into those customers’ good graces.

Now that GDPR is in full effect, failing to safeguard private user data can mean steep fines, even if the offending company isn’t based in Europe. Nobody wants to be the CIO who makes headlines for legal problems or millions in fines because their user data management and security strategies weren’t up to snuff. In fact, Facebook and Google are already making headlines for triggering first-day lawsuits under GDPR.

Ideally, companies have already audited their systems and technology platforms, and now possess a comprehensive understanding of exactly “where customer data is held and how it is managed,” said Mark Baker, Field Product Manager at Canonical, the firm behind Ubuntu Linux. After assessing their controls, IT leaders and compliance officers may come to realize that they need a little help wrangling and securing that data.

Security vendors step up with GDPR solutions

Not surprisingly, security vendors have stepped up to offer GDPR compliance solutions, often by repositioning data privacy and security technologies that aid regulatory compliance in general. Here are some of the ways security companies have repackaged their offerings into GDPR compliance solutions.

McAfee: McAfee Enterprise – now under the Trellix name after merging with FireEye – has come a long way from its antivirus roots and has positioned itself as a provider of GDPR-friendly products and services. Fittingly, the company is focused on the cybersecurity aspects of complying with the regulation, like the 72-hour breach notification requirement, which customers can meet with the help of its security operations solutions.

Symantec: Also famous for its malware-busting technology, Symantec has branched out into regulatory compliance with its aptly-named Symantec Control Compliance Suite. Supporting a range of regulations, including GDPR, the offering automates compliance assessments and reveals security gaps that can pose risks. Meanwhile, Symantec Data Loss Prevention and Information Centric Security help organizations keep a tight lid on personally identifiable information (PII).

TrustArc: Formerly TRUSTe, and known for its online security offerings, the company now provides a variety of products and services that can be used to ensure that a company’s data management, security and compliance policies abide by GDPR. TRUSTe’s portfolio includes solutions that aid enterprises in building and implementing a GDPR compliance program, and ultimately verifying compliance.

Bitdefender: Although GDPR doesn’t explicitly mandate the use of encryption, it’s considered an effective way of meeting many of the regulation’s security requirements. Bitdefender’s agentless GravityZone Full-Disk Encryption solution piggybacks on the encryption technologies built into Windows and macOS, BitLocker and FileVault, respectively, providing an essential layer of protection should a PC storing sensitive data go missing.

Sophos: While also banking on encryption as a GDPR-compliance tool, Sophos is focused on preventing breaches by blocking attackers that are wielding data-extracting malware and targeting servers and endpoint systems. To protect networks, the company’s XG Firewall appliances unmask attempts to steal data with the use of AI, or deep learning neural networks, to be exact.

Bitglass: Nowadays, there’s a strong chance that enterprises are keeping at least some sensitive information on third-party cloud services and applications. Bitglass’ cloud access security broker (CASB) technology enables businesses to see where that data is being stored, control how it’s shared and ensure that they adhere to GDPR’s data residency and sovereignty provisions.

Forcepoint: The cybersecurity software provider, formerly Websense, is known for cloud and networking security solutions such as CASB, NGFW, web gateway and UEBA. Forcepoint has expanded beyond web monitoring and security and now offers solutions that aid businesses in identifying and mapping the personal data they have been entrusted with by automatically detecting PII that falls outside an organization’s data classification system. Wagering that not all personal information is stored in electronic documents, Forcepoint’s technology goes a step further by using optical character recognition (OCR) to find PII that may be lurking within the pixels of image files.

LogRhythm: Supplementing the wealth of data collected and analyzed by its Security Information and Event Management (SIEM) product, LogRhythm released a GDPR Compliance Module in early 2018. It offers users a set of alerts, rules and reports that are tailored to the regulation, helping IT security and compliance teams validate their compliance efforts and quickly address problems before they catch the attention of EU regulators.

Security Awareness Training for Employees for 2021
https://www.esecurityplanet.com/threats/security-awareness-training/
Fri, 06 Jul 2018 00:00:00 +0000

Enterprises spend nearly $100 billion a year on cybersecurity, and despite sophisticated IT security defenses, one weak link – employees – remains a major vulnerability.

Many attacks are stopped by firewalls, endpoint security products and advanced threat protection solutions, but somehow scammers keep getting past these and other defenses. As frustrating as it is to see expensive, enterprise-grade security solutions fail to completely protect a company’s data and its workers, technology is not entirely at fault. A 2017 survey from Wombat Security Technologies revealed that nearly a third (30 percent) of employees don’t know what phishing is. To make matters worse, ransomware is an unknown concept to nearly two-thirds of workers.

Who’s to blame for this sorry state of affairs? Employers are, to an extent.

A few years ago, Enterprise Management Associates (EMA) conducted a survey that found that more than half (56 percent) of employees, not counting IT staffers and security professionals, had not received security awareness training. And when they did get training, there was no guarantee that it would take hold. Only about half (48 percent) of organizations said they measured the effectiveness of the training.

According to eSecurity Planet’s 2019 State of IT Security survey, email security and employee training are the top problems faced by IT security pros, making this an important area in which to double down on your efforts.

So we’ve put together some advice that can help businesses implement an effective IT security awareness training program for employees. First, though, more on the hazards today’s typical office worker faces to get a sense of where your greatest vulnerabilities lie.

See our picks for the best cybersecurity awareness training products.

Phishing and ransomware top employee security concerns

As a productivity tool, the email inbox has proven to be both a blessing and a curse.

Among the types of attacks that workers often fall for, “phishing, spear-phishing and/or whaling” is number one, according to Dan Lohrmann, CSO at security awareness training provider Security Mentor.

“Remember that phishing can happen with people clicking on links in emails, but also via social media and even phone calls,” Lohrmann said. Also, people are still opening attachments from strangers, he added. Social engineering essentially involves running a con, using email or a phone call, to gain access to a protected system or information through deception, often via spoofing. In the case of spear-phishing or whaling, both terms for more targeted attempts at scamming important high-value individuals, a considerable amount of effort can go into fooling victims.

Lance Spitzner, director of Security Awareness at the SANS Institute, cautioned that scammers like to use social engineering to make their victims jump to attention and get hearts racing.

“The most common tactic cyber attackers use is creating a sense of urgency, pressuring or rushing people into making a mistake,” Spitzner said. “This can be a phone call where the attacker pretends to be the IRS stating your taxes are overdue and demanding you pay them right away, or pretending to be your boss, sending you an urgent email tricking you into making a mistake.”

Research from Cofense, home to the PhishMe simulation program, shows that workers tend to lower their guard when money is involved.

During the first half of 2018, the company’s active threat simulations revealed that ‘attached invoices’ requesting payment, ‘payment confirmation’ and ‘document sharing’ remain difficult for users to avoid, said John “Lex” Robinson, anti-phishing and information security strategist at Cofense. “All these models involve the exchange of money, an emotionally charged topic that elicits strong responses,” he said.

Some attackers don’t care much for stealing valuable information. Instead, they use malware that encrypts a victim’s files and holds them hostage without ever transferring the data. They demand a ransom for the encryption key that restores access to those files, hence the term ransomware.

More than a quarter (26 percent) of ransomware attacks hit business users in 2017, according to a report from Kaspersky Lab. Between the second quarter of 2016 and second quarter of 2017, small and midsized businesses paid over $300 million to ransomware attackers, according to a survey from data backup specialist Datto.

“Ransomware and phishing continue to be the most common attacks users are falling for,” observed Rob Clyde, chair of ISACA and executive chair of White Cloud Security. “Moreover, attackers often find that it is easier to make money using ransomware attacks.”

Good data protection practices, particularly maintaining regular, tested backups, make ransomware more of an inconvenience than a cripplingly expensive cybersecurity incident, although IT security teams and administrators will likely have their hands full sanitizing affected systems.

Employee security awareness tactics that work

It may seem like an uphill battle, but there are ways businesses can arm their employees against these and other devious methods attackers use to scam businesses out of sensitive information or their cash.

Here’s what to consider while evaluating a security awareness training vendor or creating a program of your own.

1. Start on Day One

When a new employee comes onboard, security training typically takes a back seat to filling out HR paperwork, being assigned to a work area and getting issued a laptop. Brandon Czajka, virtual chief information officer at Switchfast Technologies, believes in getting employees ready for the cybersecurity threats they’ll encounter during any given workday from the moment they accept a job offer.

“There are several security training vectors available out on the market that can easily be incorporated into an organization’s new hire onboarding process or used as a frequent means of keeping these threats front of mind,” Czajka said, noting that many are similar in this regard.

2. Watch emerging threats

The cybersecurity landscape can change drastically in no time at all. That’s why it’s important to use a security awareness training vendor or service that keeps its finger on the pulse of the market, so that employees don’t wind up blindsided by the latest scam.

“Ultimately, it is best to select a training platform that not only defines past data breaches and how organizations responded to them – learning from past mistakes – but also one that keeps the training material up to date with new breaches as they occur in real time,” Czajka said.

3. Practice makes perfect

Simulations are used to sharpen the reflexes of air pilots and military personnel in challenging situations and to teach them how to respond. Similar information security training can expose employees to the latest deceptions and attacks, helping them guard against risky behaviors that can lead to data breaches.

Cofense’s Robinson advocates a similar “learning by doing” approach to block security threats that workers may encounter during the course of their jobs.

“This is best accomplished through the use of active threat simulations that provide the end user an experience they will remember and a new action to take; in the case of phishing, the new action is reporting [the threat],” said Robinson. Organizations that fail to instill this mindset lose the ability “to address and mitigate threats in real time,” he added.

4. Explain why

Learning with the immediate feedback provided by security simulations can help concepts stick, but companies can go further by making it clear why the training is important.

“User engagement is further driven by transparency within an organization,” Robinson said. “To that end, awareness and training materials need to clearly outline why security is important both at work and at home. In other words, make the training personal.”

5. Fix the password problem

Weak, reused and easily guessed passwords continue to be a major security weak spot. A 2017 study from F-Secure found that 30 percent of CEOs had a service linked to their company email hacked and the password leaked. Another survey from Dashlane found that nearly half (46 percent) of employees use personal passwords to protect company data.

Enforcing password policy is one step enterprises should take, combined with multi-factor authentication.

Making employee security training engaging

If you want employee security awareness training to work, you need to learn how to engage your audience. Here’s how.

Know your audience

Messaging matters, and effective training programs tailor their content to their audiences.

“The message is different for a group of government internal auditors than for a room full of COs from large companies,” Security Mentor’s Lohrmann said. Other factors to consider include jargon, current hot-button issues, the order in which speakers or instructors appear and topics to broach, along with preparing for questions that are likely to be raised.

Motivate for change

“This is all about understanding culture, communication and emotion,” said ISACA’s Spitzner. “Unfortunately, a lot of technical people are not strong in this area; this is where you need communications or marketing majors.”

Unleash your inner storyteller

Droning on about the technical aspects of a cyberattack is a surefire way to lose an employee’s interest. “Audiences love cyberwar stories,” Lohrmann advised. “People remember stories much more than facts and figures.”

Make learning interactive

Get the crowd involved to help employees retain the material presented to them. At the very least, ask for a show of hands and pepper sessions with questions for a more engaged audience, said Lohrmann.

Stay relevant

Ever walk out of a training session without learning something new? Avoid this by presenting content “in a fresh way with a new twist, facts, figures, stories, etc.,” Lohrmann advised. “Offer fresh insights or practical tips that the audience can implement right away to help at home and work.”

Quantify results

What is the point of raising staff security awareness if a program falls short on the “awareness” part?

“You need the ability to measure those changes in behavior and the overall impact those changes are having to your organization,” cautions Spitzner.

Effective online training

The secret to good and effective online training is keeping it “brief, frequent and focused on a single topic,” Lohrmann said. Additionally, it should be ongoing to help users keep up with the latest trends. Echoing some of the themes above, it should also be engaging, entertaining and interactive.

Employee security awareness training vendors

Here are some vendors that can help you implement an employee security awareness training program:

  • PhishMe
  • KnowBe4
  • Wombat Security
  • Symantec Security Awareness
  • Rapid7
  • Digital Defense
  • Inspired eLearning
  • Barracuda PhishLine
  • Terranova
  • SANS
  • MediaPro
  • Global Learning Systems
  • InfoSec Institute
  • Security Innovation
  • Security Mentor

Technologies that Can Help with GDPR Compliance
https://www.esecurityplanet.com/compliance/technologies-that-can-help-with-gdpr-compliance/
Tue, 24 Apr 2018 00:00:00 +0000

In just one month, the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect. Businesses that aren’t prepared for the May 25 deadline — and Gartner estimates that more than half won’t be even by the end of the year — are in for a rude awakening if they mismanage data belonging to users in the EU.

The stringent new rules on user data privacy and security not only apply to EU-based organizations, but also to companies that do business in the region, which includes countless web applications and online services with European customers. Penalties for mishandling user data can reach as high as four percent of an organization’s global annual revenue.

After settling on a GDPR compliance strategy, it’s time to look for technology vendors and software solutions that are up to the challenge. Here’s some advice on what to look out for while assessing your organization’s GDPR readiness and evaluating products that can help.

Automated data protection processes

When it comes to meeting GDPR security requirements, Bogdan “Bob” Botezatu, senior security threat analyst at Bitdefender, said it’s time to pawn off the manual labor to machines.

“Use a solution that automates manual data protection processes and offers better visibility of data flowing in and out of your company. Your solution of choice should also be a layered one that yields protection against data loss, data theft, including targeted attacks, and offers enhanced visibility into data breaches,” advised Botezatu.

For effective GDPR compliance, IT and business leaders should be prepared to set new security standards for their organizations, perhaps high ones.

“Define procedural and technological controls you deem sufficient to protect personal data. Pay special attention to securing unstructured data, e.g. by encrypting it,” added Botezatu.

When it comes time to implement GDPR-friendly processes and IT solutions, it’s up to data protection officers to ensure that they all work in tandem to safeguard user data.

“Data governance should be a result of business functions cooperating with teams focused on information, data, and security architecture,” Botezatu said. “The best leader to facilitate this is the Data Protection Officer. When choosing technical and procedural controls, special attention should be paid to the products and services that improve data security posture.”

Automated data protection vendors

  • SAS: The company’s solutions enable secure access to personal data and enable organizations to implement suitable safeguards and avoid improperly casting too wide a net for personal information.
  • Gemalto: Helping address GDPR’s security obligations with encryption and multi-factor authentication, Gemalto’s SafeNet products help businesses keep sensitive user information under wraps.
  • CA Technologies: Running an IBM z Systems mainframe? CA Data Content Discovery can help classify and protect sensitive data on big iron.
  • Qualys: Helps businesses sniff out vulnerabilities that can lead to breaches of personal data.
  • WatchGuard: WatchGuard Dimension, part of the company’s Total Security Suite, uses a novel pseudonymization approach to shield users’ identities in its network security monitoring dashboards and reports.

Managed file transfer

Peter Merkulov, chief technology officer of GlobalSCAPE, a secure data integration and movement software provider, also advocates the use of data protection software. Another good idea is to explore the world of governance, risk and compliance technology (GRC) services and reporting tools.

There’s also a lot to be said about managed file transfer (MFT) solutions that ensure the secure collection, movement and eventual usage of sensitive personally identifiable data.

“What makes something like MFT a good fit to achieve compliance mandates is that it provides organizations with a holistic view of their data movement processes. It is essentially one centralized hub that customers can use to build the process that takes care of everything, from movement, to storage, to processing sensitive information at all points of an organization,” Merkulov said. “MFT provides clear visibility into data flow, whereas if you use separate technologies or tools they would only really give a partial picture of the process and can make compliance much harder to achieve for that reason.”

Security-enhancing capabilities to look for in an MFT solution include data encryption, access rights management and full audit trails, Merkulov said.

Managed file transfer vendors

  • Cleo: The company’s managed file transfer products allow businesses to wrangle their various file sharing systems, providing visibility and auditability as data wends its way across and outside an organization.
  • Citrix: Citrix ShareFile sports various integrations that help businesses keep track of how data is shared, and it can help businesses meet GDPR’s sovereignty requirements through the ShareFile EU control plane.
  • HelpSystems: The firm’s GoAnywhere MFT solution enables encrypted data transfers and auditing, among other GDPR-friendly capabilities.
  • Ipswitch: Ipswitch MOVEit offers encryption, both in transit and at rest, along with file transfer activity logs and integrations with security solutions.
  • BMC: In addition to its secure file transfer capabilities, BMC’s Control-M Managed File Transfer product features automated auditing and compliance reporting capabilities helping businesses demonstrate compliance.

Data mapping

The new compliance rules established by GDPR can be punishing to organizations with less than exacting data management practices. Data mapping solutions can help eliminate potentially costly blind spots, said Darren Abernethy, senior global privacy manager at TrustArc.

“A large part of the new GDPR accountability regime is being able to justify the type and scope of data that is being collected, and to demonstrate compliance in a timely manner,” explained Abernethy. “Using technology solutions that facilitate data mapping allows companies to know exactly what data they’re collecting, where it’s being stored, and who has access to it.

“It also helps organizations understand where they are acting as a data controller versus a data processor, and thus which additional obligations may apply based on sensitivity, geography or other factor,” Abernethy added.

Data mapping vendors

  • TrustArc: Offers a variety of GDPR-compliant solutions, including a data flow manager that maps how sensitive data flows throughout an organization.
  • Veritas: Best known for its backup technologies, the company’s data inventory and analysis capabilities piggyback on its NetBackup product to provide visibility into where personal user information is stored and who has access to it.
  • Check Point: Although it primarily prevents data leaks, Check Point Data Loss Prevention (DLP) Software Blade can discover and “fingerprint” files that contain sensitive information.
  • BigID: A new name to add to the list – BigID was named most innovative startup at the recent RSA security conference.

Privacy impact assessments

Under GDPR, it’s not enough to take user privacy seriously. Organizations must also weigh the potential impact their business decisions will have on their users’ data privacy.

Abernethy suggests investigating solutions that enable businesses to conduct privacy assessments that clue companies into potential trouble, preventing a tussle with regulators down the line.

“Businesses must understand the privacy risks that can result from new product launches, geographic expansions and mergers and acquisition activity. To do this, companies are looking to tools deployable across the organization that help identify high-risk data being collected as it pertains to new regulations, and create an audit trail to show they have thought through privacy issues proactively with multiple stakeholders,” Abernethy said.

“Companies can then assess where they have gaps in compliance efforts and the steps involved to remediate any areas of concern,” he added.

Privacy impact assessments vendors

  • AvePoint: Partnering with the International Association of Privacy Professionals (IAPP), AvePoint offers a free, automated privacy impact assessment (PIA) offering.
  • OneTrust: OneTrust’s automated privacy impact assessments, along with data protection impact assessments, provide self-service tools and role-based templates to help organizations prioritize privacy.
  • Privaon: This Finnish firm offers PIA as a service with optional workshops conducted by the company’s privacy specialists.

Individual rights compliance

Weighing a privacy management solution? Don’t neglect the fact that GDPR grants users rights over how businesses use their data, reminded Abernethy.

“GDPR Articles 15-23 on individual rights require companies to provide customers the right to access their data, the right to restrict or object to the processing of their data, and the right to data portability,” he said. “The use of technology solutions that are able to create custom individual rights request forms and provide notifications and automated reporting will help companies meet individual rights requirements without interfering with their business model.”

And businesses don’t want to be caught dragging their feet after a user request is submitted.

“These tools, when combined with data mapping, allow companies to quickly identify the storage locations of the data requested by customers and fill that request within the required timeframe of 30 days,” said Abernethy.

Individual rights compliance vendors

  • TrustArc: In addition to the data-mapping solution, the company also offers an individual rights manager, along with cookie consent and direct marketing consent tools that help ensure compliance.
  • LogicGate: The LogicGate platform’s individual rights request portal offers businesses prebuilt landing pages for personal data correction requests and erasure (“right to be forgotten”) requests, along with tools that help manage responses.
  • Pillar: The Pillar Wallet for Business serves as a “personal data locker” that users control and allows organizations to comply with the GDPR’s right to be informed, right of access, right to restrict processing and other provisions.

Pseudonymization technologies

Pseudonymization is a data-masking tactic that is referenced in the text of the regulation itself.

By storing portions of a user’s data in separate locations, it makes it tough for potential attackers to reassemble personally identifiable information. “Simply put, pseudonymization means storing an individual’s information in many separate files, under many different names, so that no hacker could ever grab one file and have anyone’s full information,” said Kory Willis, senior director of IT at partner relationship management (PRM) provider Impartner.

“If your information isn’t pseudonymized, you’re not compliant, and you could face huge consequences [when GDPR goes into effect],” he added.
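The split Willis describes, as an added illustration that is not from the article or from any vendor named on this page: direct identifiers are replaced with a keyed-hash pseudonym, and the pseudonym-to-identity mapping lives in a separate store with its own key and access controls, so the business records on their own do not identify anyone. The class and function names are my own, the sample customers are constructed, and this is one common pseudonymization technique rather than a description of any product.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; these are not real people.
SAMPLE_CUSTOMERS: List[Dict[str, str]] = [
    {"email": "anna@example.org", "name": "Anna Example", "country": "DE", "plan": "pro"},
    {"email": "bob@example.org", "name": "Bob Sample", "country": "FR", "plan": "free"},
    # Same subject appearing again (e.g. a repeat purchase) must map to the same pseudonym.
    {"email": "anna@example.org", "name": "Anna Example", "country": "DE", "plan": "pro"},
]

# Fields that directly identify a person and are moved out of the business record.
DIRECT_IDENTIFIERS = ("email", "name")


class PseudonymVault:
    """Holds the secret key and the pseudonym -> identity mapping.

    In a real deployment this lives in a separate system from the pseudonymized
    records (different database, different credentials, different admins). Someone
    who obtains only the business records gets neither the key nor the mapping and
    therefore cannot reassemble the personal data (hypothetical class name).
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # 256-bit secret; without it the pseudonyms cannot be recomputed from emails.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._identities: Dict[str, Dict[str, str]] = {}

    def pseudonym_for(self, email: str) -> str:
        # Keyed hash (HMAC-SHA256): deterministic, so records of the same person
        # link together for analytics, but not derivable from the email alone.
        normalized = email.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalized, hashlib.sha256).hexdigest()

    def pseudonymize(self, record: Dict[str, str]) -> Dict[str, str]:
        """Return a copy of the record with identifiers replaced by a pseudonym."""
        pid = self.pseudonym_for(record["email"])
        # Identity goes into the vault; only the first sighting is stored.
        self._identities.setdefault(pid, {k: record[k] for k in DIRECT_IDENTIFIERS})
        business = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        business["subject_id"] = pid
        return business

    def reidentify(self, pid: str) -> Optional[Dict[str, str]]:
        """Look up who a pseudonym belongs to; only the vault holder can do this."""
        return self._identities.get(pid)

    def erase(self, email: str) -> bool:
        """Honor an erasure request by dropping the link for this person.

        The pseudonymized business records stay usable for statistics, but the
        vault can no longer tie them back to a named individual.
        """
        return self._identities.pop(self.pseudonym_for(email), None) is not None


def pseudonymize_dataset(records: List[Dict[str, str]],
                         vault: PseudonymVault) -> List[Dict[str, str]]:
    """Pseudonymize every record, storing identities in the given vault."""
    return [vault.pseudonymize(r) for r in records]


if __name__ == "__main__":
    vault = PseudonymVault()
    safe = pseudonymize_dataset(SAMPLE_CUSTOMERS, vault)
    for row in safe:
        print(row)
    print("same person linked:", safe[0]["subject_id"] == safe[2]["subject_id"])
    print("vault lookup:", vault.reidentify(safe[1]["subject_id"]))
    vault.erase("bob@example.org")
    print("after erasure:", vault.reidentify(safe[1]["subject_id"]))
```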

Pseudonymization vendors

  • Anonos: The Anonos BigPrivacy platform can transform data into a pseudonymized format.
  • IRI: IRI FieldShield, a classification and masking tool for personally identifiable information stored in databases and files, supports multiple methods of protecting user data, including pseudonymization.
  • Protegrity: The data protection specialist’s tokenization technology enables data pseudonymization.
  • Oracle: Oracle recommends that customers use Oracle Data Redaction policies and Oracle Database Vault to pseudonymize data stored in its database products.
  • Striim: The data integration and streaming analytics provider has added data pseudonymization to its platform.

GRC solutions

Governance, risk and compliance (GRC) solutions have long been an enterprise IT staple for managing the myriad compliance regulations. GRC vendors claim their solutions pay for themselves in fines avoided — and with more than $300 billion in fines levied in the decade since the global financial crisis, they may have a point.

A good GRC solution will cover a range of needs, starting with risk management and analytics, regulatory compliance, and auditing and reporting. Here are our picks for top GRC vendors, with links for more information about each vendor.

GRC vendors

The GDPR implementation deadline is also a good time for companies to review their overall security posture.

Get the Free Cybersecurity Newsletter

Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

The post Technologies that Can Help with GDPR Compliance appeared first on eSecurity Planet.

How Pseudonymization Can Help You Comply with GDPR https://www.esecurityplanet.com/networks/how-pseudonymization-can-help-you-comply-with-gdpr/ Wed, 28 Mar 2018 00:00:00 +0000

Pseudonymization is one strategy that could help businesses struggling to comply with the European Union’s General Data Protection Regulation (GDPR).

GDPR goes into effect on May 25, bringing with it stringent new data privacy protections for companies with European customers – and steep penalties for failing to comply with those regulations.

One recent report found that a quarter of U.S. companies aren’t sure if they’re ready to meet GDPR compliance standards. “The challenge is due in part to confusion on behalf of many companies, primarily because there is not one software solution to buy that can help each corporation comply with the standard,” said Kory Willis, senior director of IT at partner relationship management (PRM) provider Impartner. “Rather, it is up to each company to make sure that each technology vendor they use can comply with the standard.”

Indeed, there are a number of technologies that can help companies comply with GDPR, among them data protection, managed file transfer, data mapping, privacy impact assessments, and individual rights compliance tools.

But Willis says the key to complying with GDPR is pseudonymization.

What is pseudonymization?

Pseudonymization is a form of data masking. It refers to a safeguard that can render a user’s personally identifiable data, well, less personally identifiable.

The term can be found within the text of the law itself. Here’s how Article 4 of the GDPR defines pseudonymization:

“‘[P]seudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”

It’s a mouthful, but what does it mean for data controllers and IT teams?

“Simply put, pseudonymization means storing an individual’s information in many separate files, under many different names, so that no hacker could ever grab one file and have anyone’s full information,” Willis said. “If your information isn’t pseudonymized, you’re not compliant, and you could face huge consequences in just a few short months.”

If a user’s data record is pseudonymized, one file would not yield an attacker enough information to complete the user’s record. Data must be stored in more than one data repository so an individual’s total set of details would be protected if one file of information is ever breached, Willis said.

Pseudonymized data is different from anonymized data in some crucial respects.

Anonymous data is irreversibly altered so that the “data subject is not or no longer identifiable,” states GDPR Recital 26, one of 173 such sections outlining the thinking behind the law. In short, there is no way of reassembling a user record if it’s anonymized and therefore GDPR does not apply to the processing of such information used for research purposes. Pseudonymized data, however, may be reassembled with the use of a key or other additional information.

It seems fairly straightforward, but Willis cautions that organizations that aren’t already pseudonymizing user data will face some added complexity implementing the privacy-enhancing procedure. It’s not completely foolproof; there’s still the risk of a persistent attacker being able to piece together a record if lax safeguards and security policies expose pseudonymization keys. But if properly used alongside data encryption, it can go a long way toward ensuring GDPR compliance.
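The Article 4 definition can be made concrete in code. The following is an added Python illustration, not code from the article or from any vendor it names: direct identifiers are swapped for a keyed token, the key and the token-to-identity mapping live in a separate vault (the “additional information” the definition refers to), and anonymization is shown beside it as the one-way operation the article contrasts it with. The field names, the sample record and the HMAC-based tokenization are assumptions of the example.

```python
"""Pseudonymization vs. anonymization, in the sense of GDPR Article 4(5).

Added illustration, not code from the article or from any vendor it names.
Direct identifiers are replaced by a keyed token; the key and the
token-to-identity mapping are the "additional information" that must be
kept in a separate store. Anonymization, by contrast, is one-way: no key.
"""
import hashlib
import hmac
import secrets

# Fields that identify the data subject directly (assumption for this example).
DIRECT_IDENTIFIERS = ("name", "email")


class PseudonymVault:
    """The separate store holding the key and the token -> identity mapping.

    In a real deployment this lives in its own repository with its own access
    controls; the pseudonymized data set never contains the key. If the key
    or this mapping leaks, the pseudonymized data can be re-identified.
    """

    def __init__(self, key):
        self._key = key        # secret: whoever holds it can re-identify
        self._mapping = {}     # token -> original direct identifiers

    def token_for(self, identifiers):
        # Keyed hash (HMAC-SHA256): the same subject always gets the same
        # token, so records stay linkable, but without the key the token can
        # neither be recomputed from the identifiers nor inverted.
        canonical = "|".join("%s=%s" % (k, identifiers[k]) for k in sorted(identifiers))
        return hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

    def register(self, identifiers):
        token = self.token_for(identifiers)
        self._mapping[token] = dict(identifiers)
        return token

    def lookup(self, token):
        return self._mapping.get(token)


def pseudonymize(record, vault):
    """Strip direct identifiers from a record, replacing them with a vault token."""
    identifiers = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    stripped = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    stripped["subject_token"] = vault.register(identifiers)
    return stripped


def reidentify(record, vault):
    """Reverse pseudonymization; only possible with the vault that issued the token."""
    identifiers = vault.lookup(record["subject_token"])
    if identifiers is None:
        raise KeyError("token unknown to this vault: cannot re-identify")
    restored = {k: v for k, v in record.items() if k != "subject_token"}
    restored.update(identifiers)
    return restored


def anonymize(record):
    """One-way: drop direct identifiers and coarsen quasi-identifiers. No key exists."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "birth_year" in out:
        out["birth_year"] = (out["birth_year"] // 10) * 10   # 1984 -> 1980
    if "postcode" in out:
        out["postcode"] = out["postcode"][:2] + "***"        # "SW1A 1AA" -> "SW***"
    return out


if __name__ == "__main__":
    # Constructed sample record; not real data.
    customer = {"name": "Jane Doe", "email": "jane@example.com",
                "birth_year": 1984, "postcode": "SW1A 1AA", "order": "A-100"}

    vault = PseudonymVault(secrets.token_bytes(32))
    safe = pseudonymize(customer, vault)
    print("pseudonymized:", safe)                                   # token only, no name/email
    print("re-identified:", reidentify(safe, vault) == customer)    # True with the issuing vault

    # A breach of the pseudonymized data set alone yields nothing personal,
    # and a vault with a different key cannot undo the tokens.
    try:
        reidentify(safe, PseudonymVault(secrets.token_bytes(32)))
    except KeyError as exc:
        print("without the vault:", exc)

    print("anonymized:", anonymize(customer))    # irreversible: nothing to restore it with
```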

How to implement pseudonymization

Pseudonymization involves much more than masking data on a technical level, Willis said. Here are some tips for IT teams looking to implement pseudonymization.

  • Examine what kinds of data you’re storing: Identify how and where you’re storing personal data. Take a thorough inventory of the databases and systems where affected records are kept before even considering pseudonymizing them.
  • Do you need the data that you think you need? If you’re hanging on to personal data that doesn’t add value or your organization simply doesn’t need, consider getting rid of it, Willis said. Pseudonymization comes at a cost and adds complexity to your enterprise data management and governance operations. Why incur those burdens if the data isn’t worth it to your organization?
  • Enact good privacy policies: Clear and unambiguous privacy policies will not only help your European users know where they stand in terms of their personal data; they also govern how your organization protects that data. Pseudonymization can help give those policies some much-needed bite.
  • Target your databases: Look at your database and talk to your engineers, Willis advised. Besides making the case for data pseudonymization as it applies to GDPR, you’ll need the expertise of your IT experts and database administrators to implement pseudonymization techniques.

Pseudonymization vendors

There are several database vendors and data-masking specialists that can help businesses pseudonymize sensitive data. Here’s a sampling:

  • Anonos: The company’s BigPrivacy platform can be used to transform data into a pseudonymized format.
  • IRI: IRI FieldShield is a classification and masking tool for personally identifiable information stored in databases and files. It supports various methods of protecting user data, including pseudonymization.
  • Protegrity: The data protection specialist’s tokenization technology enables data pseudonymization for organizations that value data privacy.
  • Oracle: Oracle suggests that customers use Oracle Data Redaction policies and Oracle Database Vault to pseudonymize data stored in its business database products.
  • Striim: The data integration and streaming analytics provider announced in January 2018 that it had added data pseudonymization to its platform. Striim 3.8 includes built-in data masking functionality that the company claims can be easily implemented using the solution’s interface.

How a Data Protection Impact Assessment Helps You Comply with GDPR https://www.esecurityplanet.com/networks/how-a-data-protection-impact-assessment-helps-you-comply-with-gdpr/ Fri, 23 Feb 2018 00:00:00 +0000

The European Union’s General Data Protection Regulation, or GDPR for short, takes effect on May 25, just three months from now. It’s the biggest new compliance regulation in many years, and businesses that are unprepared may face some unpleasant consequences.

That’s where a data protection impact assessment, often shortened to DPIA, can help. We’ll get more into what a DPIA is and how to conduct one in a minute — after a reminder of just how sweeping the new GDPR regs are and just how many businesses they’ll affect.

GDPR’s rules on user data management, privacy and security don’t just apply to European firms. Any company, regardless of where it’s based, is affected if it has customers in the region. That includes vendors that ship goods to European customers, along with online services, cloud products and web applications that are available to European users.

Mishandling user data can come at a steep cost under GDPR. The penalty for playing it fast and loose with personally identifiable information and other sensitive data can be as high as four percent of a company’s global annual revenue.

By now, it’s apparent that enterprises need a solid EU GDPR strategy. Hopefully, they have updated their data management and compliance policies and invested in products that enable GDPR readiness.

Also key to that readiness and assuring your organization’s risk management policies cover all the bases is a data protection impact assessment (DPIA).

Here’s what Article 35(1) of GDPR on the DPIA states:

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.

Examples of activities that require a DPIA include automated processing that involves evaluating or profiling a user’s personal data. When carrying out an assessment, the law specifies seeking out the advice of a data protection officer, if one is appointed. After it is determined that a DPIA is indeed required, it’s time to get started.

How to conduct a GDPR data protection impact assessment

Although approaches may differ slightly, DPIA templates typically hit a few major points. For those curious, Article 35(7) spells out what an assessment should contain at the very minimum. The Article 29 Working Party’s guidelines on DPIA are also worth a download.

It is important to note that if your organization has already run privacy impact assessments (PIAs), there are differences between the two despite some overlap. Traditional privacy risk assessments may fall short of satisfying the GDPR requirement, although elements may carry over and help inform a DPIA.

Here’s a handy DPIA checklist:

  • Determine the circumstances in which a DPIA is required: Consult the regulation. Aside from Article 35, Articles 5 through 11 provide important guidelines placing limits on personal data collection and processing. Chances are that your business will need a DPIA. And while you’re at that link, read all 99 articles of the regulation — because you can’t afford not to. The first 50 articles all concern handling of personal data.

    Can’t tell if DPIA applies to your business? Seek out the expertise of your data protection officer and compliance teams to determine what types of personal data are collected and how. Don’t have the expertise in house? Consultants and external experts may be called for.

  • Detail how information is processed and circulates while conducting business: It’s time to take stock of the types of information collected by your organization, how it is processed and the purposes behind the data processing practices of the data controller, which is how the GDPR describes entities that determine how data is processed. Keep in mind how information flows, not only regarding your own systems, but also between third parties and whether it crosses in and out of the EU’s borders.

    Having trouble with this step? It’s time to catalog how and where user data is processed and the privacy policies governing the management of that data. Your chief data officer and IT department will play a critical role here.

  • Identify the risks: This requires a risk assessment that determines the impact that the forms of data processing employed by an organization have on the “rights and freedoms of data subjects,” the law decrees. Are they at risk of being undermined by lax privacy programs and security controls? Investigate and record your findings.
  • Determine the appropriate safeguards: Establish the personal data protection and security solutions and procedures required to counteract the risks you identified in the previous step.

    Having trouble? Now is a good time to tap into the expertise of both your compliance and IT security teams.

  • Draw up your DPIA and live by it: Create a formal report that contains the above elements and implement the personal data protection controls, security mechanisms and procedures that will help your organization comply with GDPR. A good faith effort is critical if you want to avoid becoming a GDPR cautionary tale.

Pedro Hernandez is a contributing editor at eSecurity Planet. Follow him on Twitter @ecoINSITE.

AI’s Future in Cybersecurity https://www.esecurityplanet.com/networks/ais-future-in-cybersecurity/ Wed, 07 Feb 2018 00:00:00 +0000

Artificial intelligence is already redefining cybersecurity, exposing sophisticated attacks and adding a level of Terminator-style relentlessness to threat detection tools and anti-malware software. AI is even being used by a startup to scour the dark web for evidence that its customers have been hacked and their sensitive data is being peddled on illicit marketplaces.

But what does the future hold for AI in cybersecurity?

eSecurity Planet asked industry experts how the technology will be used to help enterprise IT and security teams shore up their defenses, thwart attackers and keep a tight lid on valuable data.

Here’s what they had to say.

AI teaches self-defense, cures industry-specific pain points

“The future will see self-healing and self-defending networks, which can leverage AI to take steps to fight and defend the network,” said Tom McAndrew, COO of Coalfire, a provider of cyber risk management and compliance services.

The best use of AI will come in community clouds, where similar challenges and threats are experienced, he added. “Healthcare and financial services are two big areas where AI will bring huge leaps.”

Augmenting security staff with AI

The bad news: there’s a dire cybersecurity skills gap, stretching IT security teams to their limit. The good news: AI is coming to the rescue, said Jacob Sendowski, senior product manager at automated threat management specialist Vectra.

“The task facing security teams, even large teams in well-funded security programs, is herculean. There is a scarcity of qualified security analysts, and the current education and career pipeline has nowhere near the amount of people necessary to meet the current and projected need. Managed service providers will help some, but they are subject to the same talent shortage,” Sendowski said.

Combining human intelligence with AI security tools will help IT organizations cut through the noise and focus their energies on high-value activities.

“AI-enabled security solutions will become integral components of the security team as they can birddog high-threat hosts to a human analyst team,” added Sendowski. “Skilled human analysts will be critical in the incident response process, reviewing evidence and directing an investigation based on the indications that AI tools provide.”

Supercharging the SOC

Distractions mount and attention spans wane, even for the most disciplined security experts as the workday drags on. AI isn’t affected by these human foibles and will therefore help prevent potential security issues from slipping through the cracks.

“We will continue to see artificial intelligence deployed in the security operations center (SOC). Most SOC jobs are checklist-driven, particularly for first- and second-tier analysts who review logs for indicators of compromise (IoCs),” said Kayne McGladrey, an IEEE member and director of information security services at cybersecurity consultancy Integral Partners.

“This is challenging in a retail environment due to the combination of low margins and a tight labor market, as companies struggle to train and retain analysts for this dull but necessary role,” continued McGladrey. It’s a big concern, particularly in light of a recently-patched point-of-sale vulnerability like the one found by ERPScan researchers that affects over 300,000 Oracle MICROS terminals.

“The promise of an AI SOC analyst is that it will not get bored and skip a step in a checklist, missing an IoC. Companies can then pivot from the current struggle of train and retain to allow analysts to apply human judgment and experience to current and emerging threats,” McGladrey said.

Spy vs. AI

Deceptive technology is emerging as a critical defense strategy for businesses that don’t mind engaging in a little cloak-and-dagger behavior to observe an attacker’s behavior without tipping them off. AI is particularly suited for this type of cyber-espionage.

“These solutions deploy decoy virtual machines simulating the client’s actual computers, but overlay sophisticated analytics,” McGladrey said. “When a third-party attacker is lured into interacting with a decoy, the AI can work backwards to find the initial compromise, and alert a human analyst to make a judgment call for when to end the third-party attacker’s connection.” This will allow threat hunters to gain real-time visibility into the tools and techniques used by their adversaries without risking a larger compromise.

Securing the cloud

Cloud computing has reshaped how businesses deploy, deliver and invest in IT services, mostly for the better. One of the downsides of migrating workloads to the cloud is how it can complicate IT security.

“AI is absolutely critical to the security of today’s cloud-based IT environments. AI can be the power behind the automation of security processes that enables security teams to keep up with the velocity and scale of what’s being deployed in the cloud,” said Sanjay Kalra, co-founder and chief product officer at Lacework, a Mountain View, Calif. cloud security vendor.

“For example, a cloud environment made of thousands of transient containers might generate billions of events per hour. If a breach occurs, then somewhere in these events, there will be anomalies, i.e. abnormal activities deviating from the normal behavior of your cloud that the attack triggered by intruding in your environment,” Kalra added.

Even the most talented security professionals can’t keep up under these conditions.

“No manual process will be able to single out these anomalies,” said Kalra. “AI can automatically detect suspicious behaviors much faster and with much more accuracy than a manual process.”


Beware of ‘unexpected outcomes’

Look before leaping, advocates Steve Durbin, managing director of the Information Security Forum.

He warns that “the use of increasingly mature AI solutions in automated systems will produce outcomes that go beyond the expectations and understanding of IT managers, developers, security pros and system managers.”

Organizations that embrace AI solutions without a firm grasp of their inner workings risk creating a black-box situation. Everything may seem to be working properly, but left unchecked, AI can introduce unknown, and unknowable, problems down the line.

Examples of unexpected outcomes include compromised decision making due to wrong or incomplete information and the introduction of vulnerabilities via insecure external networks. AI can also misinterpret commands, a problem that Alexa, Google Assistant, Siri and Cortana users are intimately familiar with.

“To prevent these unexpected outcomes from creating new vulnerabilities, business and security leaders must give full scrutiny and consideration to information security requirements and take steps to ensure the content and accuracy of the data feeds from which AI systems learn, conducting pilots to understand how systems react to inputs before scaling to a full deployment and putting into place contingency plans should AI systems fail,” Durbin advised.

“With so many factors beyond direct business controls, security leaders should prepare to address these threats through considered risk assessments; open and honest negotiations with communications providers; legal counsel to understand the effects of new regulations; and building a sufficiently skilled workforce to oversee the technology,” concluded Durbin.

How AI Is Redefining Cybersecurity https://www.esecurityplanet.com/networks/how-ai-is-redefining-cybersecurity/ Sat, 27 Jan 2018 00:00:00 +0000

By practically every measure, cybersecurity threats are growing more numerous and sophisticated each passing day, a state of affairs that doesn’t bode well for an IT industry struggling with a security skills shortage.

In a recent ESG and ISSA survey, 70 percent of cyber security professionals felt the cybersecurity skills gap had an effect on their organization. The Center for Cyber Safety and Education and (ISC)2 predicted a shortfall of 1.8 million cybersecurity professionals by 2022 after quizzing 19,000 security experts.

With less security talent to go around, there’s a growing concern that businesses will lack the expertise to thwart network attacks and prevent data breaches in the years ahead. Fortunately for CISOs, one of today’s hottest technology trends is helping make up for some of the security skills they lack.

Artificial intelligence (AI) is steadily creeping into nearly all facets of IT, including security.

Gartner has predicted that AI will somehow feature in nearly every new software product released by 2020. Major cloud providers, including Amazon Web Services (AWS), Microsoft, Google and IBM, offer developers a growing number of machine-learning services that they can incorporate into their IT solutions.

In 2017, a banner year for cybersecurity funding, startups like ThreatQuotient, Recorded Future and Darktrace raised millions of dollars for security platforms that use AI to strengthen an enterprise’s IT defenses. Even industry veterans like Symantec have jumped on the bandwagon.

As for how the industry is using AI to keep networks, users and their data safe, here are some examples.

AI for threat detection

On average, security analysts review between 10 and 20 critical security incidents each day, according to IBM. A thorough evaluation can take hours, time that attackers can use to gain a stronger foothold on a network.

Meanwhile, there’s a good chance that an organization’s IT personnel spent many of those precious hours focused on false alarms while real dangers linger, awaiting their turn under the microscope.

IBM, whose Watson suite of AI technologies has become the posterchild of intelligent IT systems, believes there is a way that machines and humans can work together to find threats faster and more accurately than before.

The company integrated its Watson Discovery Service with its security analytics offering, QRadar Advisor. The result is a system that helps security analysts uncover sophisticated threats and enables businesses to properly prioritize their remediation efforts.

“IBM QRadar Advisor with Watson combines insights from structured information (from X-Force) and insights from unstructured data (from IBM Watson Discovery Service) to collate millions of individually logged IT events including breach reports and best practice guidelines,” blogged George Mina, program director of IBM Watson for Cyber Security.

“Using its industry knowledge corpus of cybersecurity information, threats that are hidden or go unnoticed by manual investigations are easily uncovered, like finding a needle in a haystack, all day, every day,” continued the executive.

AI that shines a light on the dark web

The nefarious-sounding dark web lives up to its name. Top search engines don’t index it and folks must resort to software tools like Tor to access it.

Inside, the dark web’s illicit marketplaces are a cybercriminal’s paradise. Exploits, malware code and stolen data, much of it personally identifiable information that can facilitate identity theft, are all available for the right price.

Although considered a small sliver of the deep web, it is still large enough to overwhelm manual attempts to draw security intelligence from it. That’s where AI comes in.

Baltimore-based cybersecurity startup Terbium Labs uses machine learning techniques in its dark web data monitoring and threat intelligence system, Matchlight. The automated system scours the dark web for evidence of data leaks that may affect a business and its users, generating incident reports the moment it detects employee or customer data, or other forms of sensitive information that companies don’t want to float around in cyberspace.

And there’s a good chance that information will be used for malevolent purposes when it lands in the wrong hands.

In June 2017, Terbium Labs researchers decided to see if the fraud guides that litter the dark web are a waste of time or the real deal. As the term suggests, a fraud guide instructs readers on how to exploit “processes, products, and people for profit,” according to the company.

In its analysis of over 1,000 guides, Terbium Labs found that a whopping 89 percent were actionable, meaning that they serve as roadmaps to potential criminal activity, more often than not. Add a dash of stolen personal information, and these guides can bring their buyers one major step closer to a successful scam and some ill-gotten gains.

AI that unravels stealthy malware

It’s inevitable. Folks visit websites that spew malware using their work PCs or an overworked employee hastily clicks on a link that was seemingly sent by the boss.

In short order, a company’s systems are hit with ransomware, rootkits and other forms of malware.

Signature-based detection used to provide a formidable defense against infections, but the sheer volume and variety of malware that is coursing through the internet nowadays—an estimated 250,000 new malware strains pop up each day—makes it tough for signature-based systems to provide comprehensive protection, particularly against zero-day threats.

Comodo is using machine learning to study the behavior and intent of malicious code, even if it appears benign when it is first encountered.

VirusScope, a component of the company’s Advanced Endpoint Protection (AEP) product, employs neural networks and other AI technologies to monitor a system’s running processes, slamming the brakes on activity that signals an imminent attack.

Unrecognized applications are run within a container that prevents them from accessing other processes and successfully infecting an endpoint. VirusScope can identify escape attempts, and if appropriately configured, alert users of suspicious activity across an entire system.

AI is not a cybersecurity cure-all yet

Although it’s encouraging to think that vigilant, always-on AI sentries can provide 24/7 protection, it’s no reason to throw caution to the wind.

Machine learning still has some ways to go before it can stop each and every hacker, piece of malware or data breach attempt.

In the thick of the 2017 holiday shopping season, Comodo’s security researchers noticed a disturbing uptick in malware activity. During the week of Dec. 6, they detected 17 million malware files, a 33 percent jump from the prior week (13 million).

Buried in this mountain of malware was evidence that attackers were using unconventional methods to not only bypass traditional antivirus solutions, but also AI-powered ones.

“The limitations of machine-based analysis have also emerged. While machines can detect known malware executables and simple unknown ones, they cannot analyze complex unknown malware files, which numbered almost 75,000 last week,” wrote the researchers in a Dec. 16 advisory. “Complex unknown files require expert human analysis.”

Sometimes the simple solutions are the best. To keep these and similar threats at bay, the company recommended using URL filters and personal firewalls on endpoint systems, which despite their comparatively low-tech methods of blocking threats, can still provide effective protection.

EiQ Networks, Now Called Cygilant, Nabs $7 Million in Funding https://www.esecurityplanet.com/networks/eiq-networks-now-called-cygilant-nabs-7-million-in-funding/ Thu, 21 Sep 2017 00:00:00 +0000

EiQ Networks now has millions of dollars in fresh capital and a new name, Cygilant.

The firm announced on Sept. 19 that it had raised $7 million in an investment round headed by Arrowroot Capital. To date, the company has raised $38 million. Cygilant plans to use the funds to hire more security engineers to support its security-as-a-service offering and advance its SOCVue platform, which uses a combination of technology and human expertise to provide customers with continual security monitoring.

And many times, those customers are serious about security but may not have the IT security talent in place to mount a suitable defense against today’s threats.

“Our typical customer tends to be an organization of about 250 to 10,000 employees that is serious about protecting customer data, PII/PHI [personally identifiable information/protected health information] data, trade secrets and intellectual property from cyber-attacks and/or needs to comply with regulations such as PCI-DSS, HIPAA, FFIEC, GLBA, SOX, NIST and more,” said Vijay Basani, CEO and founder of Cygilant.

“Our customers have lean IT teams that are tasked with continually improving their cybersecurity and compliance posture affordably. Our global SOC [security operations center] teams work as an extension to our customer’s lean IT teams, providing around the clock human intelligence to detect, analyze and respond to incidents,” continued Basani.

With one less thing to worry about, IT departments can get back to running a tight ship.

“In a market where there is, by some accounts, a shortage of more than 1 million cybersecurity professionals, we bring stability and expertise to all organizations, even very large ones such as Equifax,” Basani said. “We provide continuous monitoring and human expertise that allows companies to manage their IT resources more effectively and allows their IT teams to sleep better at night.”

Earlier this month, Equifax disclosed that it had been hit with a massive data breach affecting 143 million U.S. consumers. Hackers accessed a trove of sensitive personally identifiable information including names, addresses, birthdates and Social Security numbers. The credit card numbers of 209,000 consumers were also accessed.

Having a security company like Cygilant keeping an eye on things could have averted the Equifax scandal, Basani said.

“If Equifax had been using our SOCVue services then Cygilant’s SOC team would have alerted Equifax of unusual and anomalous activity on their servers along with remediation guidance, detected vulnerabilities through SOCVue’s continuous vulnerability management service, and worked with them to plug vulnerabilities,” said the executive. “We would also have identified missing patches and provided an auditable workflow to apply patches in a timely manner to prevent the breach in the first place.”

SANS Updates Phishing Awareness Training Offering https://www.esecurityplanet.com/networks/sans-updates-phishing-awareness-training-offering/ Fri, 08 Sep 2017 00:00:00 +0000 https://www.esecurityplanet.com/2017/09/08/sans-updates-phishing-awareness-training-offering/

The SANS Institute has updated its Phishing Training solution, offering organizations new tools that help them determine how susceptible their workforces are to phishing attacks.

SANS Phishing Training now features email templates that are updated on a regular basis, ensuring that security awareness professionals can keep up with the latest tactics used by scammers. It also includes a practice mode for phishing simulations and dashboards that help measure the effectiveness of phishing awareness programs.

For a more granular approach, the product allows users to target campaigns at specific user groups using varying degrees of complexity. SANS Phishing Training also integrates with the Advanced Cybersecurity Learning Platform (ACLP), SANS’ security training product.

“The new SANS Phishing Training is a turnkey solution for today’s time-starved security awareness professional,” said Lance Spitzner, director of the SANS Security Awareness program, in a statement. “SANS phishing training makes it easier to measure and manage a program and ultimately change behavior.”

Phishing is a growing concern for businesses, and they are right to worry.

A recent survey from Wombat Security Technologies revealed that 30 percent of workers in the U.S. and the U.K. don’t know what phishing is. Ten percent couldn’t even hazard a guess.

Given that most folks aren’t well-versed in today’s cyber-threats, businesses may need to take it upon themselves to educate their workers about the dangers that phishing can pose to their organization’s sensitive and valuable information.

“We often find that those of us who work in cyber security overestimate the knowledge the general public has on cyber security risks and basic secure behaviors,” Amy Baker, Wombat’s vice president of marketing, said in a statement. “This could be giving security professionals false confidence and may be the reason why just fewer than half of organizations have a security awareness training program for their employees.”

Once used to scam victims out of account information or other personal details, many phishing emails now carry an insidious payload.

In the third quarter of 2016, more than 97 percent of phishing emails delivered some form of ransomware, according to a PhishMe study. “The rapid awareness and attention on ransomware has forced threat actors to pivot and iterate their tactics on both payload and delivery tactics,” said PhishMe CEO and co-founder Rohyt Belani, in a statement.

AlienVault Scours the Dark Web for Compromised Credentials https://www.esecurityplanet.com/networks/alienvault-scours-the-dark-web-for-compromised-credentials/ Tue, 08 Aug 2017 00:00:00 +0000 https://www.esecurityplanet.com/2017/08/08/alienvault-scours-the-dark-web-for-compromised-credentials/

Cybersecurity firm AlienVault today took the wraps off a new AlienApp for its USM (Unified Security Management) Anywhere platform that alerts organizations to the presence of stolen credentials on the dark web.

The company’s appropriately named AlienApp for Dark Web Monitoring solution seeks out all the email addresses associated with a given domain. Additionally, users can specify 10 email addresses for top executives and other high-profile targets whose usernames and passwords wield a lot of power on their corporate networks.

Leaked passwords aren’t just a big headache for corporate IT security teams; they can also imperil many other parts of an enterprise organization.

“According to the 2017 Verizon Data Breach Investigations Report, 81 percent of hacking-related breaches leveraged either stolen and/or weak passwords,” reminded AlienVault product manager Jeff Olen. “In other words, if an organization is going to get breached, it’s likely to be due to compromised user credentials. Once an attacker gets access to the network using these credentials, they can take any number of actions,” including stealing intellectual property, financial information and other sensitive corporate data.

And that’s just the start. Stolen credentials can lead to the installation and spread of malware on a network and enable an attacker to move laterally across it. To add insult to injury, attackers commonly use compromised credentials to stage “spear phishing attacks on other employees or externally,” said Olen.

Once leaked passwords start making the rounds, the danger extends well beyond their home networks and accounts, thanks to the widespread reuse of username and password pairs across other online and cloud services. Earlier this year, a Gemalto survey revealed that 90 percent of IT professionals worry about password reuse.

Powered by SpyCloud, the solution queries the breach-discovery company’s security intelligence database every 24 hours. Austin, Texas-based SpyCloud emerged from stealth and launched its eponymous exposed-records detection platform in June.

“With the AlienApp for Dark Web Monitoring, USM Anywhere customers are alerted immediately when corporate credentials are being actively trafficked in the dark web so that they can take immediate protective action with those accounts,” said Olen.

If credentials are discovered in the dark corners of the online underground, AlienApp for Dark Web Monitoring notifies security teams, alerting them to the email addresses of the exposed credentials. The solution can also tell users whether the credentials have been detected in prior breaches and whether the exposed passwords were hashed or stored as cleartext, among other circumstances.

The AlienApp for Dark Web Monitoring is available now at no extra cost to existing USM Anywhere customers.
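The kind of check described above, distilled into a short script, as an added example that is not AlienVault’s AlienApp or SpyCloud’s service (neither vendor’s API is used here). It assumes a list of breach records already obtained from a breach-discovery feed, filters them to one monitored domain plus a handful of high-profile addresses, and reports for each hit whether the exposed secret looks hashed or cleartext and whether the address has turned up in more than one breach. The breach records are constructed sample data, and the hash classification is a shape heuristic (length and alphabet), not a guarantee.

```python
"""Minimal exposed-credential triage for a monitored domain (added example,
constructed data; not AlienVault or SpyCloud code)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Constructed sample breach records (hypothetical; not real leaked data).
# "secret" is whatever the breach contained: a cleartext password or a hash.
BREACH_RECORDS = [
    {"email": "alice@example.com", "secret": "hunter2", "source": "breach-A-2016"},
    {"email": "Bob@Example.com", "secret": "5d41402abc4b2a76b9719d911017c592", "source": "breach-B-2017"},
    {"email": "alice@example.com", "secret": "$2b$12$" + "C" * 53, "source": "breach-C-2017"},
    {"email": "carol@other.org", "secret": "password1", "source": "breach-A-2016"},
]

# Shape heuristics for common storage formats. Checked most specific first;
# a hex-only cleartext password of exactly 32/40/64 chars would be misread,
# which is acceptable for triage but should be stated in any report.
_HASH_SHAPES = [
    ("bcrypt", re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")),
    ("sha256", re.compile(r"[0-9a-f]{64}", re.IGNORECASE)),
    ("sha1", re.compile(r"[0-9a-f]{40}", re.IGNORECASE)),
    ("md5", re.compile(r"[0-9a-f]{32}", re.IGNORECASE)),
]


def classify_secret(secret: str) -> str:
    """Return 'hashed:<algo>' when the value matches a known hash shape, else 'cleartext'."""
    for name, pattern in _HASH_SHAPES:
        if pattern.fullmatch(secret):
            return f"hashed:{name}"
    return "cleartext"


def find_exposures(records: Iterable[Dict[str, str]], domain: str,
                   vip_addresses: Iterable[str]) -> List[Dict[str, object]]:
    """Group breach records by address for one domain and build alert entries.

    VIP addresses (the article's handful of executive accounts) are sorted to
    the top. Emails are normalized to lowercase so casing in the dump does not
    hide a match.
    """
    domain = domain.lower()
    vips = {v.strip().lower() for v in vip_addresses}
    by_email: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for rec in records:
        email = rec["email"].strip().lower()
        if email.rsplit("@", 1)[-1] != domain:
            continue  # not ours; a real feed would be queried per domain
        by_email[email].append(rec)

    alerts: List[Dict[str, object]] = []
    for email, hits in by_email.items():
        sources = sorted({h["source"] for h in hits})
        alerts.append({
            "email": email,
            "vip": email in vips,
            "sources": sources,
            "storage": [classify_secret(h["secret"]) for h in hits],
            # More than one distinct source means the address was exposed before.
            "seen_in_prior_breaches": len(sources) > 1,
        })
    alerts.sort(key=lambda a: (not a["vip"], a["email"]))
    return alerts


if __name__ == "__main__":
    for alert in find_exposures(BREACH_RECORDS, "example.com", ["alice@example.com"]):
        flag = "VIP " if alert["vip"] else "    "
        print(f"{flag}{alert['email']}: {alert['storage']} from {alert['sources']}"
              f" (prior breaches: {alert['seen_in_prior_breaches']})")
```

A cleartext hit is the one that warrants an immediate forced reset; a bcrypt hit still merits a reset, but the urgency differs, which is why the storage type is carried into the alert rather than collapsed into a yes/no.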
