Because of the substantial value they hold, financial services organisations have always been a prime target for cyber criminals. We have seen many data breaches and targeted attacks against networks, applications, websites and, most importantly, data and information. In recent years, organised crime has shown increasing sophistication. This has meant that in addition to the more traditional hacks used to ultimately perpetrate fraud, we have seen a surge in attacks targeted at disrupting business operations in order to extract ransom.
A blog about information security, payments, risk, fraud, digital innovation and social media...
Showing posts with label risk management.
28 August 2013
DO ASSET MANAGEMENT COMPANIES KNOW THEIR ASSETS?...
4 April 2013
A CONSOLIDATED VIEW ON DATA BREACHES IN 2012 - PART 2...
It seems that many of you found my previous post of interest, so as promised, here’s the second part. But first, let’s all have a look at this 2min 48s video: Security Threats by the Numbers from the Cisco 2013 Annual Security Report. Unsurprisingly, the Trustwave GSR highlights that e-commerce sites were the most targeted asset, accounting for 48% of all investigations...
27 February 2013
WILFUL BLINDNESS AND WISHFUL THINKING...
Yesterday, an article on CBS Money Watch caught my eye: Businesses deluded about threat of cyber attack. The article was a short introduction to a recent survey conducted by Deloitte. And isn’t it spooky that the same old things keep cropping up everywhere?...
Unsurprisingly, the Deloitte report highlights that 88% of the businesses surveyed believe that they are not really at risk. As you would expect, they also identify lack of employee awareness and third party risks as top security vulnerabilities (46% of organisations don’t evaluate the security and privacy practices of vendors before sharing sensitive or confidential information, according to a recent Experian/Ponemon survey). If you’re not already fed up with trend predictions, see my earlier blog post for my 2013 predictions.
But for me, these were not the most interesting points of the study...
28 January 2013
GAZING AT 2013: THE RIGHT FOCUS AND THE RIGHT LANGUAGE...
Well, it’s the New Year, and I wish you all the best for a fantastic 2013! I can’t believe my last post was in November! And it’s already the end of January! So I thought I’d get in quickly with my two pennies worth of crystal ball gazing before it becomes unfashionable... What did we learn from 2012? Are there any interesting market trends? How does it affect security? What is the current state of information security and how is it shaping up? Are we getting any better? If any of these questions spark your interest or if you’d just like to see if my Nostradamus impression has something in it, read on...
24 July 2012
THE UNBEARABLE RISKINESS OF BEING... SOCIAL
[Updated 4th August 2012]
The inevitability of social media in both our private and professional lives is undeniable. With social networks transforming the rules of business engagement, many businesses think the biggest risk of social media is the brand and reputational damage that could result from negative interactions or the potential disclosure of proprietary or sensitive information...
15 July 2012
FAILING GRACEFULLY...
Sometimes, despite our best endeavours, things just don't work out the way we planned...
You know the feeling: you think you have it all under control, you think you've engaged with the right people, you have buy in from those who matter, the right culture is in place, you're not struggling for investment and bang! you get hacked. Overwhelming sense of failure ensues. Where did it all go wrong?...
20 May 2012
THE SOCIAL MEDIA SIDE OF INCIDENT RESPONSE...
[For the February 2014 version of this post, see here]
Not impressed with LinkedIn's social media crisis response after more than 6M user passwords got leaked recently or non-plussed with Dropbox's handling of their own crisis? Read on... In one of my February posts, I wrote about incident response and the importance of addressing the media in a timely manner. Whilst the NIST report SP 800-61 gives really good guidelines on the positive aspects of fully and effectively communicating important information to the public, I feel there is some mileage to be had by exploring the use of social media when tackling incident response. After all, we've all seen how quickly news can spread on twitter here or here... So, should you be breached, you would no doubt have a crisis communication process already in place, but does it include social media?...
22 April 2012
WHO ARE YOU PREACHING TO ANYWAY?...
I recently was privileged enough to be asked to present at a merchant forum in London. Interestingly, the intended recipients had been very much in the driving seat since they had selected the topics themselves. After my previous posts (Part 1 and Part 2) on connecting the dots between information security, risk and fraud, you can imagine my pleasure that I, alongside my fellow speakers, was asked to do just that... A delightfully interactive audience, some very interesting chats at the breaks and the recent buzz about the value of security conferences prompted me to share some thoughts on how to actively engage with your stakeholders and get the results you need...
18 March 2012
THE INFOSEC INVESTMENT EQUATION: CAN YOU SOLVE IT?...
I can’t believe my last post was on 4th March! I am positively thrilled that my most popular entry so far is the one about incident response... This means that we must be coming to terms with the fact that data breaches are a statistical certainty and how we handle them is what matters. Good news: this means we’ve got the attention we need. Now we need to convert this attention into the investment it requires. External statistics may give you the hook but, abundant as they are, they do not by themselves make the case relevant to your business when you are trying to secure the infosec investment you require...
4 March 2012
MANAGE RISK BEFORE IT DAMAGES YOU: PART TWO...
In the previous post, I spoke about the importance of having an asset register and how crucial asset classification is. After all, not many of us have unlimited resources, therefore focusing investment where it matters most is the way to go. Whilst I was thinking about this, the link between changing the traditional CISO attitude and the necessity for risk management became even more apparent and I would like to expand on the trinity of “Asset, Technical Services and Business Need”...
26 February 2012
MANAGE RISK BEFORE IT DAMAGES YOU: PART ONE...
Neira Jones on Google+
After my part 1 and part 2 posts on incident response and the last post on cloud computing security, a number of you requested I talk about risk assessments. Since it’s currently my favourite topic, I am more than happy to oblige... First, a few facts:
- Epsilon was breached in the first quarter of 2011. At the time, they built and hosted customer databases for 2,500 well-known brands and sent more than 40 billion emails a year on their behalf.
- Not long after, the Sony breach ended up compromising personally identifiable information for more than 100 million of its customers.
Obviously, for both organisations, customer information is a key asset...
19 February 2012
UNDERSTANDING CLOUD SECURITY: FINDING THE BOUNDARIES...
It seems that my previous post on compliance and third parties struck a chord with a few of you... So I guess it’s about time I dedicated some time to “The Cloud” specifically! Over the past couple of years, we have seen a lot of hype and confusion as to what The Cloud really means and what it can do for you. I think we have now reached the stage where there is perhaps a bit of disappointment that The Cloud, due to inflated expectations, is perhaps not a miracle...
12 February 2012
COMPLIANCE IN THE DIGITAL ERA: WATCH OUT FOR THE 3rd PARTY...
By 2015, there will be more than 15 billion interconnected devices on the planet, twice the world population. In that period, the total amount of global Internet traffic will quadruple. (Cisco(R) Visual Networking Index (VNI) Forecast (2010-2015), June 2011)
It is estimated that every year in the UK, identity fraud costs more than £2.7 billion and affects over 1.8 million people (National Fraud Authority, October 2010).
Every year, we share more of ourselves online...
6 February 2012
INCIDENT RESPONSE & RISK MANAGEMENT GO HAND IN HAND...
I was delighted with the level of interest generated by my last post on incident response so I thought I’d continue on the same theme... My thanks go yet again to the NIST report previously mentioned as I will explore some aspects of risk management and prioritisation that apply to incident response...
3 February 2012
INCIDENT RESPONSE – HAVE YOU GOT A PLAN?
So, the National Institute of Standards and Technology (NIST) announced a couple of days ago the release for comments of draft Special Publication (SP) 800-61 Revision 2, Computer Security Incident Handling Guide. How very timely that was! With 2011 dubbed the year of the data breach, and the fact that it takes 3 to 8 months on average for an organisation to discover they have been breached, what better New Year’s resolution than to have an effective Incident Response Plan?...
31 January 2012
DATA PROTECTION AND ALL THAT – WHAT DO YOU THINK?...
Well, January is nearly over and it’s time to look at all the research that’s been produced over the past year to try and draw meaningful and usable statistics...
I do this very selfishly before starting in anger on the conference circuit as I like to have up-to-date figures and stats in my presentations (and let’s face it, we all love numbers! ;-)
Today, I focus on the research produced by the UK Information Commissioner's Office (ICO) in the two following reports: Report on Information Commissioner's Office Annual Track 2011 - Individuals and Report on Information Commissioner's Office Annual Track 2011 - Organisations.
29 January 2012
THE RISE OF THE NEW CISO: RISK MANAGEMENT vs COMPLIANCE
For those who didn't attend PCI London on 25th January 2012, I reproduce here the article I wrote for their magazine, I hope you find it of some use... :)
THE RISE OF THE NEW CISO: RISK MANAGEMENT VS COMPLIANCE
Last year at PCI London 2011, my article for this magazine was about the need to move from Compliance to Risk Management and I hosted a panel of industry experts from Visa Europe, MasterCard, the PCI SSC, IRM plc as well as representatives from John Lewis plc and the Home Retail Group. It was undeniable that retailers and merchants in general have felt the need for some while to invest where business value can be derived. The concept of risk management, when it comes to looking at Payment Security, undeniably struck a chord!