All posts by Michelle Drolet

Watch webinar: Countdown to GDPR

Click Here to Watch the Webinar Now >


About the Webinar

The deadline for the new European General Data Protection Regulation (GDPR) is four months away, and it is likely to affect most companies around the world in one way or another – even ones not based in Europe. Join our friends from Sophos in this session to learn more about the GDPR and get suggestions for what to look out for in your preparations. Register now for this webinar brought to you by Twinstate Technologies, Towerwall and Sophos!

Watch webinar – Armis: Eliminate the IoT Security Blind Spot featuring Nadir Izrael

Click Here to Watch the Webinar Now >


About the Webinar

Webinar featuring Nadir Izrael, Co-founder & CTO of Armis Security, and Michelle Drolet, Founder & CEO of Towerwall

Would you put a new endpoint in your environment without securing it? Of course not. But businesses are being inundated by unmanaged, unprotected IoT devices every day: devices you can’t put an agent on. Our research shows businesses can’t see 40% of the devices around them, devices that are designed to connect yet don’t have protection.

The fact is that the current security architecture is broken. We need a new approach to address the new endpoint (IoT devices) in the workplace. Join Armis CTO Nadir Izrael as he discusses:

  • How the current security architecture is broken
  • What the next-generation IoT security architecture should look like
  • How to address vulnerabilities found in IoT devices and unmanaged endpoints


Contact us to discuss Armis Solutions today >



The Cost of a Data Breach in 2018

58 data records are stolen every second at an average cost of $141 each.

Trading in intellectual property and personal data is so widespread that someone invented a calculator that can estimate the potential harm to your own business.

Nearly 5 million data records are lost or stolen worldwide every single day, according to the Breach Level Index. That’s a staggering 58 records every second. High profile data breaches hit the headlines with worrying frequency. Just last year there were notable incidents at Equifax, Verizon, and Kmart, to name just the three biggest.

Smaller breaches go unreported, and it’s not unusual for exposure to be grossly underestimated in the initial aftermath. Example: the real depth of Yahoo’s 2013 breach only came to light last October. It was a revelation that proved very costly, immediately wiping $350 million off Verizon’s acquisition payment.

All of that comes before we consider the undiscovered data breaches lurking in the shadows of server stacks waiting to unseat executives, tank stock prices and damage reputations.

Data breaches have the power to cause enormous disruption, because they can, and often do, end up costing a huge amount of money to sort out. But the cost varies wildly depending on the country, the industry, and a host of other specifics.


What’s the cost of a data breach?

The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost at $3.6 million, or $141 per data record. That’s a reduction on the average cost in 2016, but the average size of data breaches has increased. It’s also worth noting that the average cost of a data breach in the United States is much higher at $7.3 million.

You can use the data breach calculator to arrive at a good estimate for your business. It lets you factor in not just location and industry but also pertinent extras like compliance considerations, third-party involvement, insurance protection, and a whole lot more.

The size of the breach is also, obviously, an important factor in determining the overall cost. For a breach that results in fewer than 10,000 records being compromised, the average total cost is $1.9 million, but for 50,000 or more that rises to $6.3 million.

As the General Data Protection Regulation (GDPR) comes into effect in May, the cost of non-compliance could be about to skyrocket. It’s also worth remembering the potential for reputational damage to cause a downswing in any company’s fortunes. An interesting assessment of British telecoms company TalkTalk by Alva shows the impact of data breaches on reputation, and highlights how reputational risks grow more damaging when they aren’t successfully managed.


How you react has a big impact

Breaches will happen, but how you act to mitigate them has a very real impact on the bottom line. While the initial data breach is certain to cost money to fix, things get a great deal more expensive when they’re mishandled. For example, Equifax made a bad situation a lot worse by delaying disclosure, misdirecting potential victims, and failing to patch known vulnerabilities.

Putting a good security awareness program in place isn’t just a preventative measure, it also trains people in how to act when a suspected data breach does occur. Ponemon found that an incident response team can reduce the cost of a breach by up to $19 per record. If you want to keep costs down, having a solid response plan in place and taking the right action quickly is vital.

It stands to reason that the faster a data breach is uncovered and contained, the less it will cost, but most organizations still have a lot to do in this area. Ponemon found the average time to identify was around 191 days last year, with another 66 days on average required to contain the breach. These times could be reduced if every organization would keep up to date with NIST’s Cybersecurity Framework, keep tighter control of its data, and consider scanning the dark web for threat intelligence.

There’s no doubt that the potential cost of a large data breach should be enough to give many executives a sleepless night. But that fear should be leveraged by CISOs and other InfoSec professionals to persuade organizations to do the right thing and invest properly in cybersecurity. It might not be possible to completely prevent breaches, but the right preparation can dramatically reduce the resulting cost.


This article was originally posted in CSOOnline >

Armis Webinar: Eliminate the IoT Security Blind Spot featuring Nadir Izrael – 2/13

Eliminate the IoT Security Blind Spot

Webinar featuring Nadir Izrael, Co-founder & CTO of Armis Security, and Michelle Drolet, Founder & CEO of Towerwall

When:

Tuesday, February 13, 2018
12:00 – 1:00 PM EST

About the Webinar

Would you put a new endpoint in your environment without securing it? Of course not. But businesses are being inundated by unmanaged, unprotected IoT devices every day: devices you can’t put an agent on. Our research shows businesses can’t see 40% of the devices around them, devices that are designed to connect yet don’t have protection.

The fact is that the current security architecture is broken. We need a new approach to address the new endpoint (IoT devices) in the workplace. Join Armis CTO Nadir Izrael as he discusses:

  • How the current security architecture is broken
  • What the next-generation IoT security architecture should look like
  • How to address vulnerabilities found in IoT devices and unmanaged endpoints


Click here to register >



Check out Armis eBooks & Tools


Towerwall to join Sophos and Twinstate in GDPR Webinar – 1/24

Countdown to GDPR: Get the Competitive Edge

Webinar featuring Sophos, Twinstate and Towerwall

When:

Wednesday, January 24, 2018
12:00 – 1:00 PM EST

About the Webinar

The deadline for the new European General Data Protection Regulation (GDPR) is four months away, and it is likely to affect most companies around the world in one way or another – even ones not based in Europe. Join our friends from Sophos in this session to learn more about the GDPR and get suggestions for what to look out for in your preparations. Register now for this webinar brought to you by Twinstate Technologies, Towerwall and Sophos!

Click here to register >


Join us for a Dinner Seminar with Darktrace – Wednesday, January 17, 2018

Towerwall & Darktrace Dinner Seminar

Hosted by Towerwall

When:

Wednesday, January 17, 2018
6:00 PM to 8:00 PM

Where:

Il Capriccio
888 Main St, Waltham, MA 02453

To Register:

Contact Kelley Gallo at kelleyg@towerwall.com

About Darktrace

Darktrace is the world’s leading machine learning company for cybersecurity. Created by mathematicians from the University of Cambridge, the Enterprise Immune System uses AI algorithms to automatically detect and take action against cyber-threats within all types of networks, including physical, cloud and virtualized networks, as well as IoT and industrial control systems. A self-configuring platform, Darktrace requires no prior set-up, identifying advanced threats in real time, including zero-days, insiders and stealthy, silent attackers. Headquartered in San Francisco and Cambridge, UK, Darktrace has 24 offices worldwide.


Meetup: ARMIS IoT Security – Thursday, January 11, 2018

Join us for our next InfoSec at Your Services Meetup:

“ARMIS IoT Security”

Hosted by Michelle Drolet

When:

Thursday, January 11, 2018
6:30 PM to 8:00 PM

Where:

Skyboxx,
319 Speen Street, Natick

We will discuss:

Internet of Things (IoT): the latest buzzword conjures up images of toasters and refrigerators being controlled by iPhones and automatically adding milk to your shopping list when you run low. However, IoT is a big issue in the enterprise. Aside from the traditional user-based systems, there are thousands of new devices – purpose-built computers – attaching to your enterprise networks: smart TVs, security cameras, lighting systems, building management systems, Amazon Echos, card readers, and more. These devices are part of your network fabric, they are highly vulnerable to compromise, and they are being targeted aggressively by the hacker community.

Click here for more information and to register >


Application security is maturing, but independent testing is crucial

The skills shortage is making the shift to continuous appsec testing challenging.

While application security (appsec) is firmly on the radar, most organizations still have a way to go before they can be confident about how secure their apps are. Devops is accelerating the speed of development and, coupled with the shift to the cloud, it’s creating many challenges for appsec. Breaking down walls between security, development and business units is easier said than done and the security skills shortage persists.

A world of continuous development requires continuous testing, but that’s far from a reality for most organizations. In fact, 10% of respondents to the SANS 2017 State of Application Security report admit they aren’t doing any security testing at all, 24% are relying on testing once a year or less, and just 12% are testing on a continuous basis. This has to change.

The security landscape is shifting

While organizations can easily find foundational best practices, such as those from OWASP (Open Web Application Security Project), they are just a foundation. The potential attack surface for most companies is growing rapidly and security teams are struggling to keep up with the pace of change. A wave of new public-facing web applications and cloud services must be balanced with existing custom and legacy apps.

The SANS report found that 15% of organizations had experienced a breach in the past two years, and, alarmingly, 21% don’t know whether they experienced a breach where applications were the source. We know how costly data breaches can be, so it’s vital to address appsec properly to prevent it from becoming the weak link in your defenses.

Mitigating the skills shortage

It’s clear that there’s a shortage of skilled cybersecurity professionals. As many as 45% of organizations claim to have a problematic shortage of cybersecurity skills, according to ESG research, and 49% of cybersecurity professionals are solicited to consider other cybersecurity jobs at least once per week.

This has led many organizations to shift the security testing burden onto development teams. In fact, the number of development teams tasked with security testing has increased from 22% in 2015, to 51% in 2017, according to the SANS report. Deeper analysis reveals that teams with the most rapid development procedures are finding fewer vulnerabilities. The worry is that this is because their testing is superficial, so as not to interfere with fast feedback cycles.

Without proper training and under pressure to deliver code quickly, there’s a real risk that developers are failing to test application security as thoroughly as they should. Temporary hires, such as virtual CISOs, should be considered as a way to plug the gap and train internal staff properly. But third-party testing by experts is still vital for proper appsec and should not be dispensed with lightly.

Trust and verify

Without proper testing your security program is a wish list. If you want to fold security into the devops mix and achieve devsecops, then you must build cross-functional teams, apply security principles from day one of development, and foster a culture of genuine collaboration. Security cannot take a back seat because of deliverable deadlines or fear that modifying code will break the app.

It’s important to consider whether training overloaded development and engineering teams and making them more responsible for security is really the best route to take. Even if you do take that path, you still need to engage an external third-party with no vested interest in your app to verify your security measures are working as intended. There’s simply no substitute for the kind of expert, cutting edge penetration testing that a dedicated, external cybersecurity firm can provide.

Appsec improving

While the pursuit of speed in development has thrown up some fresh challenges, there are also some welcome advantages with regards to remediation. The SANS report found that 41% of serious or critical vulnerabilities are now fixed within a week and 75% are fixed within a month. In 2016, only 66% were fixed within a month, so that’s a positive trend.

As silos are pulled down, collaboration increases, and more security testing is automated, we should see tangible improvements in application security, but third-party testing will remain a vital piece of the puzzle for the foreseeable future.


This article was originally posted in CSOOnline >

8 Cybersecurity Trends to Watch for in 2018

New challenges and threats will face IT departments in the year ahead.

As we stand on the threshold of another year, the war for our cybersecurity rages on. There have been many data breaches in 2017, most notably for Equifax, Verizon, and Kmart. But if you seek a silver lining in the cloud, perhaps you’ll be glad of the news that the global average cost of a data breach is down 10 percent over previous years to $3.62 million, according to the Ponemon Institute.

Sadly, the average size of a data breach increased nearly two percent. Clearly there’s still plenty of work to do. Here are some of the trends, challenges and threats that await us all in 2018.

1. Ready for the General Data Protection Regulation (GDPR)?

If your preparations for the European Union’s new GDPR, which sets out how companies should process, store, and secure the personal data of EU citizens, are not complete, or at least well underway, then you had better get moving. The GDPR will be enforced from May 25, and infringements can provoke fines of up to 20 million euros ($23.6 million at the time of writing) or 4% of the total worldwide annual turnover of the preceding financial year.

There’s speculation about what will happen when the regulation comes into force, but the question of precisely how much non-compliance with the GDPR will cost will be answered soon. There’s every chance the first few transgressions will result in punitive examples. We expect many organizations to be scrambling to adapt before May.

2. AI and machine learning can boost cyber defenses

As artificial intelligence and machine learning gather pace, and start to impact more and more industries, they are sure to play a bigger role in cybersecurity. Because the battle with cyber criminals moves so quickly, machine learning models that can predict and accurately identify attacks swiftly could be a real boon for InfoSec professionals. In the year ahead, these models need to be trained and honed. However, there is also a risk that AI and machine learning may be exploited by attackers.

3. Be proactive about ransomware

Ransomware has been a growing threat for the last few years, but it continues to claim high profile victims. It’s not yet clear what everyone learned from the WannaCry ransomware attacks, but we hope that it highlighted the need to back up regularly, keep patching and updating systems, and strengthen your real-time defenses. If organizations took these simple steps, we could dramatically reduce the impact of ransomware.

4. Handling data breaches gracefully

It may prove impossible to eradicate data breaches completely, but every organization has the power to lessen the blow by handling the aftermath correctly. Equifax gave us a masterclass in how not to handle a data breach earlier this year. By delaying disclosure, misdirecting potential victims, and failing to patch a known vulnerability, it made a bad situation much worse. We can only hope this proves instructive for others in the year ahead.

5. The IoT is a weak link

We’re rolling out more and more sensor-packed, internet-connected devices, but the Internet of Things remains a major weak point for defenses. All too often these devices lack basic security features, or they aren’t properly configured and rely upon default passwords that can give attackers easy access. This in turn is giving rise to botnets, which can be used for volumetric attacks, to exfiltrate stolen data, to identify further vulnerabilities, or for brute force attacks. We need to properly secure the IoT or it will continue to be a big issue in 2018.

6. There’s still a skills shortage

The dearth of skilled cybersecurity professionals continues to be a major problem for many organizations. Even with average InfoSec salaries soaring, there are thousands of vacant positions. This is leading many companies to engage external cybersecurity services and virtual CISOs. We expect to see more outsourcing as employers try to find a way to fill the skills gap.

7. Developing a common language

While the specter of multiple threats looms, there are also positive developments in the cybersecurity realm, not least the creation and adoption of things like NIST’s Cybersecurity Framework. As more organizations and cybersecurity experts come together to develop a common language, our collective defenses grow stronger.

8. Patching and application testing

It’s not shiny or new or exciting, but it should still be top of mind. The number of data breaches in 2017 that were made possible by known vulnerabilities and a sluggish approach to patching is horrifying. It’s not enough to identify problems – you must act. Application testing falls into the same bucket, in that it’s too often ignored. If you don’t test your security, then you don’t know how secure your application is. If everyone put a fresh effort into patching and app testing in the coming year, we would see a dramatic drop in data breaches.

This article was originally posted in CSOOnline >