Category Archives: Cloud Hosting

4 contact center trends that drive customer experience – TechTarget

Today's contact centers are far from the antiquated call centers of yesteryear; they integrate technologies such as AI, chatbots and cloud computing to improve customer experience.

Call centers used to be the norm, in which agents handled customer service solely through inbound and outbound calls. Now contact centers are more mainstream, and involve a variety of communication channels, such as instant messaging, chatbots and interactive voice response systems.

These four contact center trends aim to improve a business's workflow, which will ultimately improve customer experience.

Cloud hosting is one major contact center trend that promises improved scalability and near-instant access to new features, but a migration from an on-premises contact center to a cloud-hosted one is no easy feat.

Cloud contact centers aren't a good fit for every business. Organizations that have recently invested significant resources into an existing on-premises contact center should probably not transition to the cloud. Businesses with defined siloes must break them down before implementing a cloud contact center, because service agents must interact with teams in various departments.

If businesses decide that a cloud contact center is a good step, they must select the right software. Key capabilities often include both real-time and after-the-fact reporting, workforce management, call flows and transaction routing. Businesses must then determine the contact center use cases and a pricing scenario and find a cloud contact vendor that fits those parameters.

Chatbots are another contact center trend that can improve workflow, but businesses should understand their limitations first. Driven by AI and machine learning, chatbots can only respond to simple inquiries; the success rates of more complicated requests tend to be lower for chatbots. Still, the ability to handle simple requests is helpful because chatbots can perform tasks such as resetting passwords and taking payments.

When a customer needs help that only a human can handle, chatbots can help by transferring the customer to the correct live agent, offering recommendations for the next step or providing solutions to a live agent by conducting research in the CRM system.

Perhaps the biggest benefit of chatbots is the consistency of service. Chatbots can help customers 24/7, which can ease contact center staffing concerns.

AI technology is just beginning to work its way into contact centers, and the opportunities are plentiful. AI won't replace live agents; instead, it will help them do their jobs more effectively. AI tools can 'listen' to live chat interactions between an agent and customer and perform automated inquiries into a CRM system or knowledge base. If there isn't a clear answer to a customer's inquiry, AI tools can also provide response options to live agents, who can then select an appropriate response.

AI in contact centers can help businesses by predicting behaviors such as the number of calls that a contact center will likely receive in the upcoming shift, so businesses can schedule the right number of live agents. Some AI technologies can even predict what the calls will be about.

Historically, contact center agents have experienced a variety of problems such as low pay, limited room for internal career growth and lack of coaching. These factors likely contributed to high turnover rates among contact center agents. Another contact center trend is an increased effort to improve these experiences.

These efforts include improving compensation, investing in agent analytics, increasing coaching and developing more stable, long-term career paths for live agents. Some businesses attempt to inspire agents with gamification programs that encourage competition with weekly badges or gift cards.

One contact center trend that will drive change in the agent experience is the addition of a chief customer officer (CCO). About 37% of organizations in 2019 had a CCO, an increase of 25% from 2018, according to Nemertes Research. The CCO is responsible for improving customer-facing strategies and investing in resources such as a contact center.

Read more:
4 contact center trends that drive customer experience - TechTarget

Improving Information Security with ISO 27001 – IDM.net.au

How can your organisation demonstrate that it has taken the appropriate steps to ensure data management is under control and customer data and third-party information is secure?

For an increasing number of companies worldwide, the first step is to adopt internationally recognised standards such as ISO 27001, which outlines the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). The ever-growing cyber threat to organisations worldwide is behind the increasing trend towards adopting a robust ISMS.

ISO 27001 is an international compliance framework set by the International Organisation for Standardisation (ISO), the world's largest developer of voluntary international standards, and the International Electrotechnical Commission (IEC).

ISO 27001 is designed to help organisations manage their information security processes in line with international best practice while optimising costs. It provides the specification for managing information security through working arrangements, policies, procedures and other controls involving people, processes and technology to help organisations protect and manage all their data.

Certification to standards such as ISO 27001 brings a wide range of benefits above and beyond simple certification. According to the ISO 27001 Global Report 2018, 81 percent of organisations implementing an ISMS are doing so to meet growing client demands for increased data security, while 62 percent reported improved staff awareness of information security as one of the key benefits of implementing an ISMS.

Over the past 10 years, the deployment of ISO 27001 has spread significantly.

ISO 27001 certifications have grown the highest in New Zealand (286%), Australia (203%) and China (78%). The top countries in Asia Pacific with the highest growth in volume are China, Japan, India, Australia and the Philippines.

Citadel-IX and ISO 27001

The Citadel Group provides a range of highly secure information management systems to support organisations in complying with international standards for information security.

Citadel's Content Manager as a Service platform, Citadel-IX, is fully certified to ISO 27001, the international standard for Information Security.

Citadel-IX's unique value proposition is that it is ISO 27001 certified from end-to-end, whereas many other vendors are claiming ISO 27001 compliance simply by hosting their application on an underlying hosting platform that is ISO 27001 certified.

Popular global cloud hosting platforms specifically exclude applications hosted on their platform from the scope of their ISO 27001 certification. In order to achieve full compliance, vendors must be certified and implement and maintain a rigorous Information Security Management System that addresses all security risks associated with hosting an application in a secure manner.

The security features of Citadel-IX include:

For further information visit https://citadelgroup.com.au/citadel-ix/ or contact us at https://citadelgroup.com.au/contact-us/

View original post here:
Improving Information Security with ISO 27001 - IDM.net.au

The 3 fundamentals of hybrid cloud architecture management – TechTarget

Hybrid cloud continues to rise in popularity since it promises the best of both worlds; the data center aspect offers more control over resources while a public cloud provides scalability and agility to the apps you deploy. However, enterprises need to ensure their applications are well-suited for a hybrid architecture.

Follow these quick hybrid architecture and integration tips to ensure both your apps and developers can live comfortably in a hybrid cloud architecture.

Applications that move between on-premises systems and public cloud can encounter bottlenecks and performance issues because of various factors, such as improper server alignment and mismanagement of distributed storage.

Review these five best practices to ensure that your hybrid cloud architecture can integrate properly with your microservices apps:

To integrate data center hosting and public cloud services, developers can choose between two main strategies: treat cloud as the front-end application hosting point or turn both the data center and the cloud into an elastic resource pool. This decision will dictate the toolset you use to manage and monitor application components.

A public cloud front-end hosting strategy uses the cloud provider's hosting service to manage your app deployment, which means developers can manage back-end infrastructure on a separate platform from the deployed apps. This can lead to integration issues since the hosting environments are managed separately and developers do not have to manually configure app compatibility with the data center.

However, complications can arise when front-end components need to access data sitting in on-premises databases. To mitigate this, you must implement an additional APM strategy that sets easy-to-identify trace points to monitor communication between the front-end app and the data center.

In a unified resource pool strategy, the cloud and data center share a hosting pool for an app. Abstraction tools, such as Apache Mesos, can help create resource pools that link your tools and provide support for scaling and failover.

The drawback is that enterprises will have to integrate their existing management and deployment tools with these abstraction tools, rather than directly with the hosting or cloud resources themselves. This will add one layer of management complexity that may take a toll on your developers.

A hybrid cloud architecture using microservices needs to meet basic requirements for API support, including scalability and discovery capabilities. Make sure to create a common middleware framework that creates a uniform platform for microservices deployment and federates shared components.

Enterprises can also choose a resource pool model for a hybrid cloud architecture. These components will deploy in both a public cloud and the data center, but they require you to maintain strict control over API communication and implementation processes. Luckily, service mesh tools like Istio and Linkerd can help string together these hybrid environments.

Finally, consider if any of your applications perform real-world event processing or are based in reactive programming. These applications demand consistently high performance and large amounts of processing power. While the above-mentioned frameworks may be capable of handling event-driven apps, tools like Akka and language frameworks like Micronaut are designed to provide the performance support these apps need.

Original post:
The 3 fundamentals of hybrid cloud architecture management - TechTarget

Data Protection Day: Why protection is better than a cure – Verdict

Today is Data Protection Day, and for the majority of businesses, data is becoming an integral part of day-to-day strategies.

With regulations like GDPR ensuring that companies meet high standards of data protection, it's vital that business leaders integrate secure measures into their systems, and train employees to be on the lookout for any threats. Data Protection Day acts as a reminder for all businesses to follow these processes, and Verdict spoke to six technology experts for their advice on how best to do this.

One of the biggest challenges created by the ever-increasing amount of data being produced and stored is how to keep it safe. Agata Nowakowska, AVP at Skillsoft, explains how businesses must ensure that their cybersecurity and the employees implementing it are up to scratch:

Mobile platforms, Big Data and cloud-based architectures are creating significant challenges for data protection, but no challenge is higher up the corporate agenda than IT security. Even the most careful organisation is vulnerable. A smartphone or laptop inadvertently left on a train, or a well-intentioned lending of access privileges to an unauthorised user can have far-reaching consequences.

Security is the number one IT priority in nearly every business sector today, but the scarcity of security-savvy IT experts means many companies can no longer rely on hiring their way to a robust solution. Fortunately, there are a wealth of sophisticated education and training strategies now available that allow organisations to reward and retain employees whilst simultaneously improving corporate security from within. From expert-led instruction to continuous hands-on experiential learning, organisations are putting in place complete frameworks for training and certification that can tighten corporate IT security, making them less vulnerable to both external attacks and insider threats.

This is something that Andy Swift, Head of Offensive Security at Six Degrees also encourages:

Two areas I'd like to highlight this Data Protection Day are your users and your backups. Security ends with your users: when all other technical controls have failed, they are the final control you should have in place to filter out malicious content. Investing in training to help users spot common phishing, smishing and other human-facing attack vectors is highly valuable, and helps promote buy-in from all users when your organisation introduces tighter technical controls.

You should also consider the architecture of your file share and backup environments. Far too often we see backup servers configured without any segregation from the regular network, resulting in ransomware attacks infecting backups and rendering them useless. Ransomware is constantly getting smarter; if an attack can access your backups it has the potential to seriously damage your data integrity.

Having security training in place is crucial across all sectors including the public sector, as Sascha Giese, Head Geek at SolarWinds, highlights:

Public sector IT professionals are working every day to ensure the data their department holds is kept secure; government and healthcare organisations store vast amounts of very sensitive data, and therefore the risks posed by a potential data breach are extensive. What's interesting is how there's been a change in value in credit card information, for example, which is lower, compared to personal information and identities, which has become more valuable to cybercriminals. U.K. government IT professionals are entrusted with keeping citizens' personal data secure, so organisations must implement, and then adhere to, strict security policies. The key point organisations should take into 2020 is it's everyone's responsibility to keep data safe.

While technology is of course the most solid defence against security threats, senior public sector IT professionals should also consider how leading by example, training their teams, and ensuring policies are updated regularly can make a huge impact on how well their organisation prevents any security headaches.

With so many different solutions available, Eltjo Hofstee, Managing Director at Leaseweb UK, reveals how businesses concerned about uncertainty in the future should consider multiple approaches to data protection:

Data protection is an issue that has gone mainstream over the last few years, particularly with the implementation of the GDPR. For businesses in the UK, Brexit has added some uncertainty around data protection in terms of legal compliance and disaster recovery processes. Based on the current conversations between the EU and UK, nothing will change with regard to data protection laws after Brexit, however, it may be good business practice for organisations that have not reviewed their position before now to evaluate their data, assessing potential risks associated with current storage processes and locations, as well as DR practices and hosting options.

Any uncertainty relating to hosting sites can be minimised by setting up a cloud hosting platform in a hybrid way, where data can be stored, protected and managed using at least two different locations and jurisdictions (i.e. EU + UK). Having said this, it might be a bit too early to already make these kinds of changes, and while we don't believe the UK will move away from GDPR, it's certainly top of mind for many of our customers. And, while the uncertainty remains, being prepared for any eventuality is probably the most sensible approach.

As well as advising our clients on how to best make data-driven decisions, says Matt Aldridge, Co-Founder and CEO at Mango Solutions, we also provide recommendations regarding best practice for securing their personal data when their processes may not be fit for purpose. So, by creating and supporting fit for purpose processes, our clients can operate effectively and consistently without needing to panic about whether they are GDPR compliant, one of the biggest obstacles companies have been facing in the past couple of years when it comes to ensuring data protection. This means that none of our clients have encountered GDPR incidents and other data protection regulations at all, and also any data required for know your customer projects is anonymised on principle in order to ensure regulatory compliance.

Tried and tested data protection is crucial to ensure a positive customer experience, as Gary Cheetham, CISO at Content Guru, concludes.

The General Data Protection Regulation is approaching its two-year anniversary and beyond the ubiquitous privacy notice pop ups and the need to give consent we now face online, we have seen some real changes in the way businesses are approaching data protection. With this, consumer expectations have also risen; trustworthiness and transparency are becoming priority considerations for consumers, who increasingly want to form long term relationships with brands they trust. With customer experience now the key differentiator for many businesses, demonstrating the proper handling of customer data and information has to be front of mind.

One area where this is particularly important is in the contact centre, which is often the front line for organisations when it comes to engaging directly with customers. A whole range of personal information is shared, stored and acted on during a contact centre engagement, including sensitive information such as payment and medical data, and this is necessary to give agents the ability to deliver an experience today's consumers expect. However, it's not enough for your contact centre to deliver a great customer experience, it must also provide the highest levels of data protection and comply with the increasing regulation in this area.

Now that almost every aspect of people's lives is mapped out in a data trail, businesses cannot afford to let data protection fall down the list of priorities. For 2020 to be successful, businesses must ensure that all data, both customer- and business-focused, is kept fully secure and out of harm's reach.

Continue reading here:
Data Protection Day: Why protection is better than a cure - Verdict

2020 vision: edtech in 2020 with Ashley Cartwright – Education Technology

Q. What should schools, colleges and universities be focusing on for 2020?

Despite big changes across the sector, the fundamental need to make the most of limited resources will continue to be key for education providers in 2020. The difference is that the regular need to update traditional materials like textbooks will sit alongside a greater national push to embrace edtech solutions. Balancing these requirements will take a concerted effort from procurement specialists and teachers alike, with innovative approaches likely to yield the best results.

Q. What, if any, policy changes would you like to see in education this year?

The potential of technology in education has been talked about for many years, with thousands of exciting startups being established to offer a diverse range of products. To realise this potential, there now needs to be accessible support provided to help implement edtech solutions on a large scale. Whilst this would be welcomed as a financial offering, there is also massive potential to upskill a larger pool of teachers in areas such as coding.

The UK has been a global leader in coding for many years and, to continue this pedigree, teachers need to have the time and resources available to teach the subject effectively.

Q. What policy changes do you actually expect to see in 2020?

Most of the leading political parties have outlined some degree of increased funding for education, from secondary school level to adult training. To fully embrace edtech in schools, MATs and universities, many teachers will require additional training to adapt lessons and learn new software.

There is also an understanding in government and amongst the general public about the need to educate future generations about climate change. In 2018, YPO supported the roll-out of UN-accredited climate change teacher training. Using this and similar schemes, we expect the environment and edtech to dominate the education landscape side-by-side, with more products being developed to reduce emissions and encourage recycling.

Q. If you could pinpoint one area of improvement for the education sector during 2020, what would it be?

Before any advancements in education technology can be put in place, there need to be significant changes around connectivity. Many UK organisations still rely on outdated internet connections that are, by proxy, restricting access to the latest edtech products. This also leaves these education providers more open to significant data losses, as access to cloud-based data storage systems is limited. Achieving fibre connectivity by 2025 is of paramount importance.

Q. Is there a particular area within edtech that you think should be the main focus for 2020?

There are a number of different areas where edtech could make a considerable difference in 2020.

Safeguarding will become increasingly important as organisations upgrade their connectivity, with cloud-hosting protection and safe broadband for schools frameworks expected to be in strong demand. Safeguarding through digital channels is important, but tech can also improve the safety of children as seen by the development of products such as the Home 2 School app, which connects parents and schools with location updates of their children/pupils.

In terms of innovative uses of technology, vocal recognition products are becoming increasingly popular for teachers looking to reduce their marking workload. This specific integration of software will support teachers' wellbeing, leading to a greater retention of staff and, ultimately, improving teaching standards.

All things considered, it's an exciting time for education technology. With the right support from government and procurement bodies, significant changes can be made in the near future.

Continue reading here:
2020 vision: edtech in 2020 with Ashley Cartwright - Education Technology

Cybersecurity in 2020: The rise of the CISO – MIT Technology Review

As the new year (and new decade) begins, one thing is certain: cybersecurity will continue to have an increasing impact on business, for better or worse. In this episode, we hear from Stephanie Balaouras, a cybersecurity expert who has spoken to thousands of customers over her 15 years at Forrester Research. She is the vice president and group director of security and risk research, as well as infrastructure and operations research.

Balaouras makes the case that all businesses should have a chief information security officer, or CISO, as the world of cyberthreats becomes more intricate and perilous. "Even companies that have a CISO should take a hard look at how high in the organization they report," Balaouras says. "Do they have the right budget? Do they have enough staff? Have you given them the right span of control?"

Balaouras also reviews some of the biggest cybersecurity trends in 2019 and makes predictions for 2020.

Business Lab is hosted by Laurel Ruma, director of Insights, the custom publishing division of MIT Technology Review. The show is a production of MIT Technology Review, with production help from Collective Next. Music is by Merlean, from Epidemic Sound.

Cybersecurity isn't only about stopping the threats you see. It's about stopping the ones you can't see. That's why Microsoft Security employs over 3,500 cybercrime experts, and uses AI to help anticipate, identify, and eliminate threats. So you can focus on growing your business, and Microsoft Security can focus on protecting it. Learn more at Microsoft.com/Cybersecurity.

Show notes and links

Forrester Research: Cybersecurity

A CISO's Guide to Leading Change by Jinan Budge, Forrester Research

Stephanie Balaouras

The Need for Complete Cloud Security, an interview with Stephanie Balaouras, on YouTube

Full transcript

Laurel Ruma: From MIT Technology Review, I'm Laurel Ruma and this is Business Lab, the show that helps business leaders make sense of new technologies coming out of the lab and into the marketplace.

Security threats are everywhere. That's why Microsoft Security has over 3,500 cybercrime experts constantly monitoring for threats to help protect your business. More at microsoft.com/cybersecurity.

Our topic today is cybersecurity and more specifically the role of the chief information security officer, the CISO. We'll also review cybersecurity news from 2019 and look ahead to cybersecurity trends for 2020. One word for you: Deepfakes. My guest is Stephanie Balaouras who is a cybersecurity analyst and has spoken with thousands of customers in her nearly 15 years at Forrester Research. Stephanie is the vice president and group director of security and risk research as well as infrastructure and operations research. Stephanie, thank you so much for talking with me on Business Lab.

Stephanie Balaouras: Thanks.

Laurel: So just to start, in 2017 Forrester published a report by Jeff Pollard, a member of your team, about the career paths of CISOs, chief information security officers. And I particularly like talking about this role because it is so new to the C-suites in the business. If Citibank just appointed the first CISO ever, in 1995, that's really recent history. But if every company is also a technology company, why doesn't every company have a CISO?

Stephanie: If you look at the history of other roles, like I think the first CMO, chief marketing officer, was in the 1950s; you still had companies 20, 30 years later without a CMO. So when these emerging roles first start out, it does take some time for it to become the norm. But I will say every company really should have a CISO. Publicly traded companies are required to have a CISO. But what we will often find is, depending on the size of the company, sometimes they'll get away with calling the CIO also the CISO or some other IT executive the CISO as well. So that's pretty common with smaller companies; they'll get away without having a standalone role.

But what you'll also find is if they have a breach or some sort of major cybersecurity issue or even a major compliance violation that's data security-related, the first thing that they'll do is name a dedicated CISO. And then even companies that have a dedicated CISO, when they have a breach, a lot of times what happens is they realize the CISO didn't report up high enough in the organization or didn't have the right span of responsibilities or enough budget or enough people. So then they'll fix that. Naming a CISO should be a requirement, but I would say even companies that have a CISO should take a hard look at how high in the organization they report. Do they have the right budget? Do they have enough staff? Have you given them the right span of control?

Laurel: Because that's an expensive fix, isn't it?

Stephanie: Yes, exactly.

Laurel: Only after an attack do we look at the roles and responsibilities in a new light, in a more responsible light?

Stephanie: Exactly.

Laurel: So if the perfect CISO is a bit of both a businessperson who can talk directly to the CEO, explain the necessity for security and risk mitigation, but then also talk to customers perhaps as well as other employees and talk about security and how that role is important to the company. Where are these people coming from? Where are they getting all of this education?

Stephanie: When we looked at CISO career paths, we did find most of them did come up through the security ranks. So typically they did start off as security professionals. They gained decades of experience in the role. But what we often found is the majority of them often would go back for graduate degrees, and they would actually go after a business degree. They would often get MBAs, and it was because they needed to satisfy both of those requirements, which is, yes, I'm a technology executive, but at the same time I'm a technology executive that in a large company reports to the board on a quarterly basis or reports directly to the CIO or directly to the CEO. So it's definitely a combination of education and experience.

I would say universities are doing a better job of providing undergraduate and graduate degrees in information security. There's some areas where they're incredibly weak, like application security is not taught well at the undergraduate level, if at all. It's done really poorly. The other thing I'll pick on universities about is they're not doing a good job of recruiting women into undergraduate and graduate programs. There is a huge skills gap as well as a staffing issue in security, and at Forrester we like to say it's largely self-inflicted because we're not recruiting from half of the population, and we're not recruiting people from diverse backgrounds. We've got this one mold of individual that we recruit from, and then we're shocked when we can't find enough people with this very narrow skill set, so.

Laurel: Yeah, the report said nine out of 10 CISOs are male.

Stephanie: Exactly, exactly. We haven't looked at the end of 2019 yet, but the last couple of years that's been true. And if you look at the staff as well, it's worse than the general security industry. It's at about 11% of security staff are female. It's worse than general IT. General IT also has a problem, but it's more somewhere between 20% to 30%, so security is even worse.

Laurel: So when we talk about lack of diversity in security in general, how are companies trying to respond to that? Are you seeing any particular companies showing best practices?

Stephanie: There are definitely some best practices. Actually, I've seen a lot of vendors, like large technology vendors, they're actually partnering with universities and they're actually even partnering at the high school level. For example, with the Girl Scouts of America, to actually foster programs that get girls excited and interested in cybersecurity from a very young age and then want to continue to pursue it at an undergraduate and graduate level. At a number of universities, there's pretty aggressive scholarship programs.

And then also there's just a lot of introspection that's happening at the corporate level where we kind of look at the culture of security teams. We look at a lot of the traditional routes from where we recruit from, which is conferences that are male-dominated or again, we have these job descriptions that emphasize a lot of military experience as an example. So it's sort of like broadening the aperture of people that will recruit into the security industry, a willingness to develop their skill set as well as doing a much better job of actually filling the funnel, filling the actual pipeline over the long term.

But to your point, diverse teams make better decisions, and in the long run they're higher-performing. And then the second thing I would say is there are so many open jobs in security, not just in the US, but also globally. It's also a math problem. We are not going to fill these open positions if we're not recruiting from half the population.

Laurel: Also, it seemed like not a lot of security talent was necessarily promoted from within. In the reports from Forrester, it sounded like you had more likelihood to be given a promotion if you went to a different company. Are companies now re-examining their own talents?

Stephanie: That's actually true at kind of the individual level as well as the CISO level. So we've found amongst the Fortune 500 that first-time CISOs were rare, and they weren't promoted from within. So they'd like to hire externally for CISOs, and they wanted CISOs that had prior experience as a CISO. And actually if you are somebody in security, so that means if you want to be promoted into CISO, your best opportunity is actually to look externally, outside your company. And we also found that when companies hired CISOs externally as opposed to promoting them from within, they were more likely to have them report higher up in the organization. So yeah, at the CISO level, companies could do a better job of looking within and giving those individuals the right opportunity to report higher in the organization.

But we also found things similar again at manager levels and individual contributor levels, which is they weren't hiring from within the company or when they did hire individuals, they weren't giving them good career paths and ongoing skills development. So again, if those individuals really wanted to further their career, most of them ended up leaving. So that's why we say so much of the skills and the staffing challenges are completely self-inflicted.

Laurel: So it's a bit of a blind spot that probably everyone could do a little bit better on, right?

Stephanie: Exactly. Yeah.

Laurel: I was reading this Ponemon Institute report, and this particular phrase jumped out at me and as we were talking about the CISO and what kind of person would do that role in the first place and the experience they had, more than just a resume, it's also your attitude and ability to act really quickly and really smartly and also communicate very well. But the quote was, and I'm paraphrasing a bit here, technology has transformed the internet age into a period of cruel miracles for security professionals. All of our cruel miracles are that we have devices in every pocket. We can go anywhere, we can talk to anybody at anytime, and we can do it at the speed of a lightning bolt, but at the same time if you're a CISO, how do you secure it all?

Stephanie: Right. Yeah. All of these devices that extend the four walls of the company, they are basically extending the attack surface of the organization. So for CISOs, it's been sort of this march away from a traditional perimeter-based approach to security and actually taking more of a data-centric and application-centric, and I would even say identity-centric approach to security.

Not that the network's not important, network security is hugely important, but it's more of the perimeter-based approach to security that's changed dramatically. So again, where there's no true four walls of the corporation. The perimeter is actually much smaller. So we tend to think of secure enclaves. How do I build a micro perimeter around our most important assets?

When we talk about an extended network of all kinds of devices like you mentioned or the computing environment itself, which could be a combination of on-premise, cloud, hosted private cloud, and every variation thereof and any kind of user population that interacts with the company systems and data. That could be your own employees, it could be consumers and customers, it could be third-party partners. So when you think about devices, user populations and different computing models, there is no perimeter. So the focus becomes on protecting the data itself regardless of where it travels and regardless of the hosting model or the location. Really, really taking a hard look at identity. So limiting and strictly enforcing access, both human and nonhuman. So it does kind of flip the traditional security paradigm on its head. You move away from perimeter-centric to data- and identity-centric.

That's what we typically recommend to CISOs. And we call that the zero-trust model of security, which is you assume you already have a breach, and you never assume trust in your environment. You just always assume that something's going wrong somewhere, but it works. It perhaps is not the most positive spin in the world, like, oh, zero trust, but it works. It's very effective.

The other thing I would say is I would really encourage manufacturers of all these devices, IoT sensors, IoT devices, everything that you can think of to really do a better job of building security into the device itself from the beginning. That would definitely make the CISO's job much easier. It's just so frustrating. It's largely out of their control as well.

Laurel: Right? Well, especially

Stephanie: Except for the CISOs that actually work at product companies. You should be involved in product development. You should be advising the organization.

Laurel: And it's interesting because security doesn't always come first, does it?

Stephanie: No.

Laurel: Especially when you're doing product design. So do you see that happening often though? CISOs actually actively involved in product design?

Stephanie: Not to date, unfortunately, but it is something that we do recommend. And I would say some CISOs don't necessarily see it as their traditional role, like their traditional role has been to secure the back-end systems of record and infrastructure and the company's data and not necessarily get involved in development, but we actually actively encourage CISOs to get involved in product design and product development to really help the organization secure what you sell. So whatever it is you sell, whatever service it is you're delivering to a consumer, a patient, a citizen, another corporation, if you're a B2B organization, actively being involved in securing what you sell.

Laurel: And that's certainly a competitive differentiator, isn't it?

Stephanie: Yeah, absolutely. Absolutely. We found security, as well as privacy (and those aren't synonymous, but sometimes they do go hand in hand), does create competitive differentiation for companies.

Laurel: Yeah. And that's an important differentiator, and all the noise that you have coming out. So if there's something very specific that you can market, that would be a good one. But we're also kind of talking about the CISO really taking an active role in everything. So you have to be this multi-talented person who can talk and understand product as well as be out and about in the community, right? All at the same time sharing, but not sharing, company secrets and how you defend the data because there is this idea, especially in the tech community, where you do share your best practices and what you've learned from. And I was just wondering a bit about that, how do CISOs actually share but not share everything?

Stephanie: Yeah, there is that challenge. A lot of CISOs are very loath to talk about specifics about their deployments, and I don't necessarily see that changing anytime soon. Sometimes in smaller groups though, there are a lot of communities that support CISOs. Actually at Forrester, we have a peer networking group of about 100 CISOs. There's all kinds of ISACs and intelligence sharing communities amongst like CISOs that are industry specific. So often in tight-knit communities where there's an understanding that everything's under NDA, where there's candidness, where there's some personal relationships, CISOs will share a lot more. But I have found CISOs willing to talk about overall strategy. When I mentioned moving from perimeter-based approaches to data- and identity-centric. Talking about culture. Culture is actually hugely important, not just at the CISO but for the rest of the security organization as well.

Because you need an organization that has the right kind of staff that can actually talk to developers and be part of secure application development, that can work with infrastructure and operations teams to secure cloud deployments. That could actually work with marketing teams to help them understand privacy implications of how they might be personalizing services and data and ads to consumers. So you need also the security team itself, not just the CISO, the security team itself to be vocal and outspoken, collaborative and willing to insert themselves into core business and IT processes throughout the organization. So they'll talk about culture, they'll talk about staffing, they'll talk about the kind of skills that are required as well. We definitely see some change there.

Laurel: And also the business has to be willing to allow security kind of come full circle on this idea but not just product but then also everyone else. So marketing, thinking, again, security first or security at some point. How do you then have this conversation, so everyone is a bit educated? You don't have to be an expert in security if you're in marketing, but you have to be willing to listen.

Stephanie: A lot of times CISOs would kind of tell the stories and everything was doom and gloom. I think taking a much more risk-based approach where you're helping the business understand future risks and helping them just understand both probability and impact and advising them on making the right decisions, like moving from that department of no to more of that consultative role I think helps. The more you become that consultative subject matter expert, the more I think you can bring along the rest of the organization with you. I think that that's a big help and it sort of varies by CISO skill set as to how good they are at doing that. I think anytime you can put things in positive business terms as well, that helps.

There was an analyst on my team that wrote this report, it was called security for profit, and in it he outlined ways that security could potentially be a revenue generator for the company. Again, it could be value-added features that people were willing to pay more, or it becomes a competitive differentiator in a product or service that you offer. So it could actually contribute to the top line. And then he also outlined all the ways that can actually save the company money beyond breach avoidance and avoidance of compliance fines.

There's all kinds of ways where if you do security right, it can actually dramatically improve employee experience and reduce operational costs within the company. Identity is one of the biggest examples, when you think about onboarding an employee and the ability to automate all the ways that you give them access to the systems that they need. Resetting passwords. I mean, there's so many just low-hanging fruit where you can make employees' lives easier, but then you're actually really reducing hard costs.

Laurel: Yeah. And that's certainly something you don't think about, but you are certainly frustrated when you have to redo your password and it takes forever and/or you have to go on a different system and blah, blah, blah. But that kind of streamlining is not just from a security perspective, but as you said, it's from everyone's perspective to just make their lives easier, which is what ultimately every employee wants.

Stephanie: Yep.

Laurel: So how do CISOs stay on top of the latest trends? I mean, conferences, those small groups that they talk to?

Stephanie: Yeah, I think they do do their own research, whether it's publications like yours, firms like Forrester, the other big kind of strategy consulting firms as well. They do do their own research though. They'll often send their staff to a lot of the conferences. And then I do think those peer-networking groups help dramatically as well. But it is hard to stay on top of every single possible trend. So I do think it always helps to have some sort of external advice as well, to give you a heads up on emerging threats, on emerging risks, emerging compliance and regulations that are happening all over the globe.

Laurel: Yeah, and then just like you said, having that peer group to establish trust and some kind of transparency with sharing best practices and just hearing various stories, even if it's from a friend I've heard, to kind of get those warnings out to various organizations and people. Speaking of that, other than in these peer groups, is there much cooperation between government and business? Are you seeing more of it or do people pretty much stay in their lane because there are other conflicts to worry about with businesses and governments?

Stephanie: Yeah. In the US and actually other countries like the UK, if you're considered a critical infrastructure industry, you will need to have close relationships with federal government officials. If you're in critical infrastructure, I mean, there's going to be industry-specific cybersecurity regulations that you have to follow, you know, if you're in energy. I mean, even financial services is considered critical infrastructure. So then you'll have to follow NIST guidelines, as an example. Anybody doing business with the federal government will have to follow NIST.

You don't want to wait to form relationships with the federal government or specific agencies, like the FBI. You don't want to wait until you suspect something or have a breach. Or in a lot of cases, it's the reverse which is, they've detected something, they're alerting you to it. Sometimes, they can't offer you specifics because their hands are tied as part of a larger investigation. So you can actually develop relationships with a lot of the US federal government agencies ahead of time, so that you can share threat intelligence. Or again, should something actually really occur, you already have those pre-existing relationships in place.

Laurel: Yeah, and speaking of something already occurring and preparation plans, are you seeing more companies develop those preparation plans for, again, not if, but when they are hacked or a cyberattack happens and they need to go public with it?

Stephanie: So with incident response, there's sort of the internal incident response, which is sort of all of the processes that you need to detect, then remediate, and then respond. And a lot of the responding is more of what we call kind of a forensic level responding: determining exactly what happened, remediating it, potentially collecting forensic evidence if you decided that you were actually going to pursue legal action, depending on who it was afterwards. Then there's the external response, and you really need both. You really need a sophisticated incident response process and initiative within the company with dedicated experts, particularly if you're a large enterprise.

But I think where companies often really fall down is on external breach response. And again, regulations require that if it's consumer-related, if it's affected individuals, you are required to notify them within specific days. In many cases, it's 30 days. Under GDPR in Europe, it's 72 hours or less. And we have seen companies royally botch the external breach response, meaning that they were cagey about offering information to consumers.

I don't want to pick on companies because victim blaming often isn't all that helpful, but I've seen companies kind of blame the consumer, in a way, saying, "Oh, if you had better password hygiene, if you were monitoring your own accounts much more closely, this wouldn't be as big of an impact." No. You need to show empathy with your customers. Put them first. Do everything you can to protect them. Don't be cagey about sharing information because of CYA kinds of concerns. And in some cases, if you do it right, it's an opportunity to not lose their trust, but potentially even to reinforce it and build it up, if you've put them first. But you can really botch it and make the breach so much worse than it needed to be.

Laurel: And that just cost the company even more money.

Stephanie: Exactly.

Laurel: When you look back at 2019 and there's a lot to talk about cybersecurity wise, if we kind of look at three specific areas, first off is just cyberattacks, but very specifically on cities and municipalities. So New Orleans was the most recent, as of the end of the year, that we know of, but it was also on the heels of the State of Louisiana having a cybersecurity attack. We know it's happening across the country. So to ask a very loaded question, why are cities and municipalities being targeted for cyberattacks when they're not necessarily the most well-funded outfits?

Stephanie: Yeah. So that's why, because they're easy targets. So if they've been underfunding their security efforts for years, then they're much easier to penetrate and then ask for a ransom, even if the ransom is small.

Laurel: It's better than nothing.

Stephanie: It's better than nothing. That's actually the consensus of a lot of the team, is so many of these local, city, and state governments and municipalities are just such easy targets because they have been underfunded and understaffed for years. And most of the time, there is financial motivation, but there are other types of motivation. It could be political, social. If you get to a larger kind of states or federal agency, you might even get into geopolitical and even military in some of the nature.

Actually, the City of New Orleans, what was interesting about that is the attackers didn't ask for a ransom. So they used ransomware to disable them. Everything was encrypted and forced them. I think they were replacing tons of computer infrastructure. It can be really difficult to recover from backups. We say that so flippantly, like, "Oh, just recover from your backups." Most backups complete with errors and the ability to recover from a backup at scale is actually very, very difficult. And who knows when the ransomware was actually introduced? So then you're just reinstalling the ransomware.

Laurel: Interesting.

Stephanie: But yeah. From my understanding, they didn't actually ask for a ransom. So their motivation wasn't financial. So it could've been ...

Laurel: Just disruption.

Stephanie: ... just disruption for the sake of it.

Laurel: To see if they could do it, yeah.

Stephanie: Or interestingly enough, I read this article where it's forced the city to replace a ton of computer infrastructure, laptops, desktops, server infrastructure. So there's a part of me that's wondering, "Oh, it could be city employees. I know how to get the city to upgrade."

Laurel: Right, right. Force them.

Stephanie: Force them.

Laurel: By ruining everything.

Stephanie: Yeah. So they're easy targets and the motivations for the attack are much varied, I think, when it comes to critical infrastructure and then city, state, and local government.

Laurel: And that's not necessarily when a ransom is asked for that you ever find out where they're coming from or who they are or if they are foreign state actors.

Stephanie: Yeah, you don't necessarily know.

Laurel: You'll never know. It's just a guess.

Stephanie: Yeah. We actually put out a controversial report this year that said, in some cases, organizations might want to consider paying the ransom. I'll be honest, I think for city, state, and local governments they might be prohibited from paying the ransom. I don't know. I would have to look into that, but private-sector companies, even though I'm sure FBI and other law enforcement agencies would prefer that they not do so, in some cases, it might actually make sense. And cyber insurers would even say that it might make sense in some cases. And there are actually firms that specialize in helping companies pay the ransom. Sometimes, you can actually negotiate for a lower ransom. It's like bartering. They'll act as the go-between between the various characters in the company. Obviously, you're paying them in a cryptocurrency. You're not just transferring cash.

Laurel: Of course.

Stephanie: So they can facilitate that, as well. I mean, if you look at the City of Baltimore, what they ended up spending to recover from the ransomware attack was probably a hundred times more than the actual ransom. I forget the numbers, but the difference was ridiculous.

Laurel: So some advice to cities and municipalities would be to actually look at your systems and try to get them up to date and protected, in some way.

Stephanie: Yeah. Certainly with ransomware, make sure all your systems are up to date, patched. If you look at most successful attacks, external attacks, they're taking advantage of vulnerabilities and other types of software exploits. It's nothing fancy. Everybody always loves to use advanced attacks or state-sponsored attacks. The reality is most of these attacks are pretty low budget, but yet still effective.

The other thing is take a close look at your backups. I can't emphasize it enough. People always overlook their backups. It becomes this rote IT process that nobody ever looks twice at or people demean it and call it not important. It could be more important today if you don't want to pay the ransom.

Laurel: So another interesting topic coming out of 2019 were just general data breaches. So 2019, it did really seem like, every other day, some company or someone was announcing a data breach. And then, according to Risk Based Security, 2019 saw more than seven billion records exposed. So when we get back to CISOs, how are CISOs and company executives really responding to that if 2019 was sort of this year where we [have seen so many] breaches, in one year?

Stephanie: Yeah. I do think 2019 was finally the year of breach fatigue. I mean, it was even difficult for us to keep up with every breach that hit the news. I do think it helps to put it in perspective. Not every one of these breaches was an attack. A lot of them actually were the result of accidental exposures. So if, for example, you misconfigured cloud storage, that's actually considered a breach, even though there's not necessarily any proof that any kind of third party or external attacker or organization actually misused or abused the data. Just the fact that somebody either internally or, oftentimes, it's the security researcher actually who discovers that all the information was left exposed. That is considered a breach.

But yeah. If you look at breaches, themselves, 51% of companies had at least one breach in the past year. And that number is probably higher because a lot of organizations don't know about it immediately. But then, there are a large percentage of them, actually the majority, are internal, a result of internal incidents, third-party incidents, or just lost or stolen devices. And if you do look at true external breaches, where it was an external party that attacked you and gained access to your sensitive data, getting back to a lot of it's low budget, the top three attack vectors were a direct attack on your application, taking advantage of a software vulnerability, or compromised user credentials.

See original here:
Cybersecurity in 2020: The rise of the CISO - MIT Technology Review

‘Financing the Future’ with Barry Gross, Partner at BCLP Law – Finvest Summit Special – Data Economy

In what is the first truly global awards for the financiers, legal experts and advisory firms in the data centre, cloud and edge computing markets, the Finvest Global Awards 2020 will be the beacon that recognises those driving global deals.

London/Zurich, 09 February 2020: Data Economy, the global data centre news website and media service, has announced the shortlist of companies and personalities for the Finvest Global Awards 2020, taking place at The Dolder Grand, in Zurich, Switzerland, on 13 February 2020.

Organised by BroadGroup, the accolades will celebrate the best of the best in the industry, from CFO of the Year to Law Firm of the Year, Hyperscale Investment of the Year and more.

An independent panel of 12 judges, headed by industry entrepreneur and philanthropist Michael Tobin, is in charge of finding the 2020 winners.

The awards take place on the evening of the Data Economy Finvest Global Summit. Every year, the networking and knowledge sharing event attracts investors, private equity, hedge funds, bond specialists, pension funds, property specialists and bankers, as well as the IT infrastructure leadership of data centre, cloud, edge computing and telecoms businesses.

Following the success of the first run of the Finvest Awards at Datacloud Global Awards 2020 in Monaco, the shortlist for Zurich 2020 is as follows:

Hyperscale Investment of the Year Award

Law Firm of the Year Award

Edge Investment Award

M&A of the Year Award

CFO of the Year Award

Global Financial Leader Award

Data Economy Personality of the Year in the Global Finance and Investment Sector

Head Judge Michael Tobin says: "Data Economy is the leading reference in the Data Centre industry so who better to select and recognise the leaders in the sector, at this year's Finvest Summit and Awards. As this year's Chair of judges, I am looking forward to celebrating the incredible achievements of the best the Data Centre industry can offer."

"The high quality of the nominations received for this year's Finvest Global Awards is outstanding and clearly shows how the data centre and cloud sectors have matured in the past decade into being a multi-billion-dollar industry of its own driven by talent and passion," says João Marques Lima, founder and editor-in-chief of Data Economy.

Companies can benefit by attending the Awards and also sponsoring one of the Awards and start making contact with a global network of potential customers and partners to jump-start the success of their innovations.

Hosted by Data Economy, this year's Awards ceremony will be the most exciting night of the year, celebrating the best in the multi-billion global industry that data centre and cloud have now become.

For more information on how to attend, please visit the Data Economy Finvest Global Summit and Awards 2020 website.

About BroadGroup

BroadGroup is an Information Media Technology company. Established in 2002, the company delivers premium event brands including Datacloud and Edge and Awards, which are an internationally recognized beacon of high quality content, deal making, networking and industry recognition for data center, cloud and Edge leaders, their enterprise customers, investors and senior executives. It also owns the widely acclaimed Data Economy online and offline global news resource and investor forums provider for the tech sector. BroadGroup is now a member company of FTSE 250 firm Euromoney Institutional Investor PLC, whose leading brands include Capacity, Metro Connect, Subsea Connect and ITW. http://www.broad-group.com

About Data Economy

Data Economy, launched in 2016, is part of publishing and events company Broadmedia Communications, now acquired by Euromoney Institutional Investor PLC, a member of the FTSE 250 share index. Data Economy's award-winning journalists deliver exclusive content targeted at C-level executives in datacenter services companies, their investors, legal advisors and technology suppliers. Collectively this audience contributes to critical financial, infrastructure and business decisions that impact not only their businesses but thousands of enterprises across the globe and their customers. Data Economy publishes a daily newsletter, online and print, and produces videos, webinars and events. Data Economy is also an active member of the Professional Publishers Association (PPA). Visit the website at www.data-economy.com

Excerpt from:
'Financing the Future' with Barry Gross, Partner at BCLP Law - Finvest Summit Special - Data Economy

Home Office reinforces commitment to AWS with £100m cloud hosting deal – ComputerWeekly.com

The UK Home Office has reinforced its commitment to using Amazon Web Services (AWS) by signing a four-year, £100m deal with the public cloud provider.

News of the deal was made public on 7 January 2020 following the publication of the award notice on the government's Contracts Finder website.

Although details of the procurement have only just emerged, the award notice confirms that the contract officially started on 12 December 2019, and will run until 11 December 2023.

In a statement to Computer Weekly, the Home Office confirmed that the deal is effectively a renewal of a pre-existing contract between the two entities.

"The award of the public cloud hosting services contract to Amazon is a continuation of services already provided to the Home Office," a departmental spokesperson told Computer Weekly. "The contract award provides significant savings for the department of a four-year term."

The Home Office is renowned for being a heavy user of cloud technologies, and is, according to the government's own Digital Marketplace IT spending league table, by far the biggest buyer of off-premise services and technologies via the G-Cloud procurement framework.

According to its data, the Home Office has an evidenced spend of £772.63m on cloud services procured via G-Cloud, with £123.41m of this occurring during the 2019/2020 financial year so far. AWS appears to account for about £45.5m of the total spent by the Home Office to date.

In second place is the Department for Work and Pensions, which has spent about half of the Home Office's total through G-Cloud since the inception of the framework in 2012, having bought £345.23m of services through it to date.

The Home Office recently published a case study outlining the steps it is taking to ensure its increasing use of off-premise technologies is proceeding in a cost and performance-efficient way.

As reported by Computer Weekly, the department released details of how its Immigration Technology team had embarked on a programme of IT resource optimisation-focused work that had already generated savings of 40% during the previous year.

This work included ramping up its use of discounted cloud compute capacity during off-peak periods or by purchasing resources up-front for a lower price, and ensuring that systems were only running as and when needed to keep running costs down.

"By continuing these techniques, the team is confident it can increase cloud cost savings by at least another 20% as it continues to experiment," the department said at the time.

Follow this link:
Home Office reinforces commitment to AWS with £100m cloud hosting deal - ComputerWeekly.com

Ways In Which Cloud Hosting Affects SEO Services And Results – HostReview.com

The primary purpose of SEO is to reach out to more and more people and for that you will need to increase the visibility of your site. This will attract more viewers to your site and increase the chances of conversion into prospective customers.

In order to achieve this goal, you will need to design and implement the best strategies for search engine optimization for your business website. One of the best ways to do so besides using the best SEO tools is to focus on the technical aspects of your SEO. The most important, beneficial and effective tech solution is cloud hosting.

This tech solution is rapidly becoming popular among businesses, SEO professionals and SEO for Dentists experts, as more and more of them are making the switch to this method.

However, if you are planning to make a move to cloud hosting and if you already have SEO for your site, there are a few things that you should be aware of. These are:

Ideally, there are several different ways in which you can analyze the effects and working of cloud hosting on your SEO when it is compared with physical hosting. However, these are the few specific ways to analyze it precisely.

Considering the advantages

Any investment made in any business should be advantageous either in the short or in the long run, preferably both. Therefore, when you want to invest in cloud computing for your SEO, you will need to consider the benefits that it will bring to your business along with the return to your investment.

The advantages of local hosting are many and diverse and can only be explained with a relevant example. Assume that you reside in New York and are into house painting services. This is what happens with the SEO and search while using cloud computing.

This means that a site with a URL paintyourhouse.ny will show up before paintyourhouse.com or paintyourhouse.co.us. Why? The simple reason behind this is that the search engines prioritize the servers that are locally hosted when it comes to SEO and page ranking.

On the other hand, with traditional physical hosting, the only solution available for companies that cater to their customers all across the world is to:

This means that the companies will need to buy different hosting space on different servers, one for the US, one for the UK, one for Australia and so on. This will take a lot of time, effort, money, monitoring, tracking and maintenance.

However, with cloud hosting all such hassles can be overcome easily because the platform will have different servers from all over the world in one place. This takes the need to buy different hosting space on multiple servers out of the equation. The cloud hosting platform will also provide businesses with free parking that allows them to host their websites from one platform but still get the advantage of local hosting.

Server downtime issue

One of the most significant issues that affects the SEO negatively is server downtime. This is because:

The most significant negative impact of server downtime on SEO is that your site will have a fairly low ranking in the SERPs as compared to those sites that are hosted on servers that do not experience such downtime issues.

This is the significant problem with physical hosting. In this type of hosting you will either be sharing one server with several other websites or have only one server dedicated to your site. When and if the server goes down, the site also goes down.

With cloud hosting, however, your site will never be inaccessible because it will not be on one specific server but on a collection of servers. Therefore, when one server goes down, there will be another one to pick up the slack immediately. Since your site will never go down, it will eventually help you to retain good SEO rankings.

The mobile advantage

In these modern days, mobile devices especially smartphones are used extensively to surf the internet and different sites. It is therefore essential that your site has the mobile advantage for a better SEO result. In order to make sure that your site serves both a mobile device as well as a desktop computer with measurable and considerable value that is equal for both.

If you host your site on the cloud you will be able to access a lot of data and advanced analytics metrics regarding the mobile web that the cloud hosting company typically makes available. This data will be very helpful to you to craft an SEO strategy that will be effective both for mobile and for the desktop web.

Therefore, in short, it can be said that cloud hosting is the way to go today, as it will give you easy access to all this relevant data, much more than a physical hosting platform will provide.

Read more from the original source:
Ways In Which Cloud Hosting Affects SEO Services And Results - HostReview.com

WSL 2: Where is it, and where is it going? – TechRepublic

With Windows 2004 in the final run-up to launch, what's happening to Microsoft's Linux tools?

It's been a while since Microsoft unveiled the re-architecture of its Windows Subsystem for Linux (WSL) at its Build conference. Since then it's been tested as part of the 20H1 series of Insider previews and will launch as part of Windows 10's next major update, which will be called Windows 2004.

That update is now close to feature complete, with only bug fixes expected between now and its likely April launch date. The long delay between completion and launch is part of Microsoft's new approach to Windows 10 updates, giving it longer in the Slow and Release Preview rings to identify and fix bugs and issues. That provides an opportunity to experiment with WSL 2 and look at how it will fit into your toolchain.

There's a big change at the heart of WSL 2. Instead of using a translation layer to convert Linux kernel calls into Windows calls, WSL 2 now offers its own isolated Linux kernel running on a thin version of the Hyper-V hypervisor. The WSL 2 hypervisor is similar to that used by the Windows Sandbox, letting Windows and Linux share the same timers to avoid one OS dominating the other. That allows Linux files to be hosted in a virtual disk with a Linux native ext4 file system using the 9p protocol for interactions between Windows and Linux.

It's important to note that using WSL 2 and the Windows hypervisor platform can affect using other virtualisation tools with Windows. Make sure you have one that can work with Hyper-V before you switch to WSL 2.

You're not getting the latest and greatest Linux kernel with WSL 2. Microsoft has made the decision to base it on the Kernel.org long-term support releases. Initially that means using Linux 4.19, with plans to rebase on new releases as they enter LTS. Microsoft has made its own modifications, keeping memory use to a minimum and only supporting specific devices. You shouldn't expect Microsoft to add additional device support -- it's not building a Linux desktop, only providing a way of running Linux binaries in Windows with a focus on developers building applications for cloud-hosted Linux systems.

With a WSL 2 install the virtual disk is initially limited to 256GB. If you need more space, you have to use Windows' DiskPart tool to resize the VHD manually. Once the disk has been resized, you then need to use Linux's filesystem tools to resize its file system. In practice, 256GB should be enough for most purposes -- especially if you're passing files to and from Windows, and using Windows tools alongside Linux.

Running in a thin hypervisor gives WSL 2 some advantages over traditional virtual machines. Microsoft can preload much of the OS in memory before starting up, giving it a very fast boot time. The intent is to give WSL 2 the feel of an integrated Windows command-line application, and by booting quickly it's possible to go from startup to working in only a few seconds.

WSL 2, here running Ubuntu 18.04.3 on Windows 10, now uses an isolated Linux kernel running on a thin version of Hyper-V.

Image: Simon Bisson/TechRepublic

Microsoft has significantly extended the utility of the underlying WSL management tooling by adding more features to the wsl command that manages the WSL service, bringing in commands that were previously part of wslconfig. You can now use it to switch a distribution downloaded from the Windows Store between WSL 1 and WSL 2, as well as defining which is the default WSL distribution. There's no change to the wsl.conf files used to manage WSL 1 installs, so you can use the same configuration files to mount drives and set up network configurations.

Moving from a translation layer to a virtual machine does affect how WSL 2 works with networking, and that can disrupt using tools like X410 for X-based graphical applications. Currently shared loopback addresses are only shared one way, from Windows to WSL. Internally WSL has its own IP address, and if you're configuring X you need a script to automatically set the DISPLAY environment variable before launching any X application in WSL 2.
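The DISPLAY script mentioned above could look like the following. This is an added example, not code from the article or from Microsoft. It assumes default WSL 2 networking, where the first `nameserver` entry in the auto-generated `/etc/resolv.conf` is the Windows host's address; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: derive DISPLAY for X clients running inside WSL 2.
# Assumption: the Windows host address is the first "nameserver" entry in
# the auto-generated /etc/resolv.conf (default WSL 2 networking).

# is_ipv4 ADDR -> exit status 0 if ADDR is a dotted quad, each octet 0..255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the address on dots into $1..$4
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# wsl_display [RESOLV_CONF] [DISPLAY_NUMBER] -> prints e.g. 172.22.64.1:0.0
# Refuses to print anything unless the host value is a well-formed IPv4
# address, so a malformed resolv.conf never ends up in DISPLAY.
wsl_display() {
    resolv=${1:-/etc/resolv.conf}
    number=${2:-0}
    [ -r "$resolv" ] || { echo "cannot read $resolv" >&2; return 1; }
    host=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv")
    is_ipv4 "$host" || {
        echo "no usable IPv4 nameserver in $resolv" >&2
        return 1
    }
    printf '%s:%s.0\n' "$host" "$number"
}

# Usage in ~/.profile, before launching any X application:
#   DISPLAY=$(wsl_display) && export DISPLAY
```

The X server on the Windows side has to accept connections arriving from the WSL virtual network for this to work; scope that access to the WSL adapter rather than opening it on every interface.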

Microsoft's new Terminal is another part of the WSL 2 story. It's a big update on the old Windows command-line experience, with support for it, for PowerShell, for Azure's Cloud Shell, and for all your WSL installs, both WSL 1 and WSL 2. Reworking the Windows Terminal adds support for console text effects, so you can use more Linux applications without worrying about display compatibility. Some features, like graphical backgrounds, show how customisable the Terminal is, while others, like the ability to split terminals into multiple panes, add features that mimic classic Unix features.

The Windows Terminal brings a new monospaced console font to Windows, Cascadia Code. It's an important update to the original Windows terminal fonts, making consoles easy on the eye. While not yet the default, it's actually well worth switching your terminal configurations to use the new font. Cascadia is installed alongside the Windows Terminal, although if you want to manage your own installs you can find the font on GitHub.

One important development has been the release of remote editing for Visual Studio Code, available in both WSL 1 and WSL 2. Using the WSL release of Ubuntu, type 'code' to launch Visual Studio Code. The first time you do this it'll download the server components into your WSL install. Now when you need to edit a file in WSL all you need to do is type 'code ' and it will open in a Windows-hosted Visual Studio Code window, saving automatically into WSL. Remoting into WSL from Windows allows you to use compilers and debuggers inside Linux, keeping your code where it belongs.

If you're using the new Docker Desktop tools with WSL 2, you can use this integration to work directly with your Linux containers from the Windows desktop. While it's still very much in beta, Docker Desktop shows promise, if only to indicate that enterprise software platforms are looking very closely at WSL, and at the benefits of a hybrid operating system.

Microsoft's switch to hosting WSL on Hyper-V is a step forward; it allows it to quickly support changes to the Linux kernel without having to modify its Windows integration layer and offering complete API support to Linux binaries. The result is an effective hybrid of the two operating systems, especially once you get WSL 2 working with X. But don't expect it to be a complete Linux desktop for every user: WSL remains targeted at developers who want to bring existing macOS- and Linux-based UNIX toolchains to Windows to build containers for cloud-native applications.

More:
WSL 2: Where is it, and where is it going? - TechRepublic