Written by Colin Wood Dec 30, 2019 | STATESCOOP

After months of escalating cyberattacks against state and local governments dotted around the United States, North Dakotas technology agency is setting out to build a shared infrastructure in hopes of rallying a unified defense.

North Dakota Chief Information Officer Shawn Riley told StateScoop the Information Technology Department he leads is developing a suite of technologies and meeting with top technology officials in other states with the goal of developing a shared security operations center that can adapt to threats wherever they occur, calling on those with security resources and intelligence to help those who need it.

Theres a lot of conversations going on with this, Riley said. Part of what we have to work through is as we look at the potential of states supporting each other, how can we make sure there are no political overtones? Were doing assessments of multiple states and how that applies to the ability of all of us to really truly to work together.

North Dakota may seem an unlikely origin of such a project its the fourth-smallest state by population, and hasnt endured many high-profile cyberattacks, like the Aug. 16 ransomware incident that struck 23 communities across Texas but North Dakotas unique organizational structure combined with Rileys affinity for collaboration make it a fitting launchpad.

North Dakotas technology agency earlier this year assumed cybersecurity operations for all government offices throughout the state more than 252,000 users riding on the state network who come from state agencies, schools, courts and the state legislature. This unique arrangement presented Rileys office with an unprecedented level of responsibility and drove officials to begin thinking more holistically about how they can secure not only their own networks, but everyones.

More than 125 public institutions are known to have been hit by ransomware in 2019 and they were organizations at all levels of government and of all sizes. When word got out that North Dakota was working on this problem, Riley said he started getting calls from all around the country. Small communities and K-12 districts have a notoriously difficult time defending against cyberattacks, but its going to be a challenge for organizations of all sizes and sophistication levels, he said.

I think a good example is on one hand weve got a community of 48 people, 48 humans in the entire town where the mayor, city auditor and bus driver are all the same person and then you have a school district with 35,000 kids in it, Riley said. This technology can scale across that entire environment.

Riley said hes not yet ready to reveal which states will participate only that assisting local government offices and K-12 districts is a challenge widely shared by state governments. Tim Bottenfield, the CIO in neighboring Montana, told StateScoop he is among those talking to North Dakota, but Riley said this effort wont be limited to a particular geographic region.

There are already organizations that help to widely distribute strategic advice and information on cyberthreats, such as the Multi-State Information Sharing and Analysis Center, or MS-ISAC, which is operated by the nonprofit Center for Internet Security and funded by the U.S. Department of Homeland Security. But North Dakota Chief Information Security Officer Kevin Ford said this project, rather, will focus more heavily on cybersecurity operations.

While we will obviously ingest ISAC information to help prioritize operational responses, we are also offering improved operational capabilities, Ford said. We will be able to provide members the availability to respond to their own security issues as well as, when desired, pool resources to help each other respond to security emergencies. Our tech stack is heavily automated, and the more data we have flowing into it, the better the efficiencies will be for everyone involved.

Details such as whether its appropriate for the governors office of one state to see the security logs for another state run by a governor of an opposing party still need to be answered, Riley said. There are also complex regulatory and technical hurdles to overcome. In North Dakota alone, there are more than 300 privacy laws that could potentially bear on the projects implementation. But Riley says these challenges are trivial compared to the threat government is now facing.

The reality is, individually, we are all screwed, Riley said.

Read the original post:
North Dakota's building a cybersecurity operations center and everyone's invited - StateScoop

By Rudra Srinivas

Most people in India have never accessed the Internet through a computer. In fact, their encounter with the Internet is only through smartphones. As Indias consumers lap up Internet services, social media and other apps, they gladly submit their personal details to service providers in exchange for free use of their services. And these details are usually stored on servers outside Indias boundaries. That got the Government of India worried about data privacy concerns.

So, in July 2017, the Government of India formed a committee of experts to study the issues related to data protection in the country. The committee was led by retired Supreme Court Justice BN Srikrishna. After working on it for a year, the committee submitted a draft of the Personal Data Protection (PDP) Bill in July 2018 and requested feedback from the public, Ministers, stakeholders, and other industry experts.

A revised draft of the Bill was submitted in the Parliaments lower house, the Lok Sabha, on December 11, 2019, and has been sent to a joint parliamentary committee (JPC) for further deliberations before being taken up for passing. There was widespread anticipation for the passing of the Bill in 2019, however that has now been deferred. The Bill is expected to become a law or an Act in 2020.

What the Bill could achieve

The Personal Data Protection Bill (PDP Bill) is Indias first attempt to domestically legislate the mechanisms for the protection of personal data and aims to set up a Data Protection Authority in the country. The Bill regulates the processing of citizens personal data by government, companies incorporated in India, and foreign companies that are dealing with personal data of customers in India. Through the proposed law, the Government of India is rooting for data sovereignty by mandating certain class of data to be stored within Indian borders.

The proposed Bill also allows processing of data by fiduciaries with the consent of the individual. A data fiduciary is an individual or entity that decides the purpose of processing personal data. However, the Bill also permits personal data processing without consent in some cases like, when the government providing benefits to the individual, for legal proceedings, and in medical emergencies.

Kinds of Personal Data, according to the proposal

The proposed Bill forces companies dealing with peoples personal data to reconsider their data management practices. The Bill regulates three categories of data Personal Data, Sensitive Personal Data, and Critical Personal Data.

The Bill defines Personal Data as any information thats collected online or offline which can be used to identify a person, like name, address, phone number, location, shopping history, photographs, telephone records, food preferences, movie preferences, online search history, messages, devices users own, and social media activity.

Sensitive Personal Data includes health care data (like private information you share with a doctor or healthcare apps), financial data (banking and payments information), sexual orientation, biometrics (facial images, fingerprints, iris scans), caste or tribe, religious and political beliefs.

Critical Personal Data has not yet defined by the government.

Advantages to Citizens

The proposed Bill gives high priority for individual rights on data protection. As per the Bill, citizens personal information cant be collected, processed, and shared without their consent. Only the necessary data will be collected and can be used for pre-defined purposes only.

The companies are required to be clear and concise on what data is collected, its purpose, how its used, and for how long the data will be retained. The Bill also permits customers to move their data from one provider to another and allows users to know the number of companies with whom the data is shared.

Impact on Private Organizations

Private entities are required to place limits on data collection, processing, and storage of their customers data. Theyre subjected to report any instances of security incidents to the regulator.

Additional responsibilities are also imposed on companies based on the volume of data they collect from customers. This includes periodic security audits, appointment of a data protection officer, and performing data protection assessments defined by the regulator. Social media platform providers will also be mandated to enable customers to verify their accounts.

Penalties

Tough penalties have been proposed for failing to comply with the data protection requirements. According to the Bill, any organization sharing customers data without their consent will entail a fine of INR 15 crores (around US$ 2.1M) or 4 percent of its global turnover. Data breach and delay to address/report the same will result in a fine of INR 5 crores (US$ 0.7M) or 2 percent of global turnover. Individuals representing the companies can also be sentenced to term in prison.

Data Localization Requirements

In terms of data localization, the Bill allows transfer of personal data across borders without any limitations. However, restrictions are placed on sensitive personal data which needs to be stored in India. Sensitive personal data can also be processed outside the country if the regulator approves it. For critical personal data, the government will notify on its own, which needs to be stored and processed within the country.

Criticism on the Revised Bill

The Bill landed in controversy for being different from what was proposed by the expert group in its first draft in July 2018. The Indian government, through the proposed law, wants to allow law enforcement agencies and authorized third parties to have access to citizen data, to investigate crimes faster. In other words, it will exempt any government agency from legal obligations. This, of course, has led to a resistance, and delayed the passing of the bill. Justice BN Srikrishna, the chief architect of the draft law, also has concerns and said the law can turn India into an Orwellian State.

Several industry experts have opined that unaccounted access to personal data of customers might lead to data -misuse. The Bill provides an exempt to any agency of government from the application of Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order. The unrestricted government access is like a two-sided coin scenario. On one hand, the privacy bill is a part of the governments efforts to have more control of data and help it track unlawful activities by using digital footprints. On the other hand, the users access may give the government unaccounted access to personal data of customers in the country leading to data -misuse and unauthorized access, said Jaspreet Singh, cybersecurity leader at EY told CISO MAG.

Several privacy concerns have also been raised by experts over the revised draft Bill. The Bill states that personal and non-personal data may be processed without obtaining consent from the concerned user to help in the delivery of government services.

The changes that were made

Justice B.N. Srikrishna, who led the committee that drafted the 2018 PDP Bill, stated that there is no oversight on government agencies on accessing citizens data. Sharing his thoughts on the same, Pavan Duggal, the Advocate Supreme Court specialized in Cyberlaw and the Chairman of the International Commission on Cybersecurity law, said, The chapter on exemptions under the Data Protection Bill represents a massive dilution of the bill by giving these exemptions to governmental agencies. However, we also need to be mindful of the fact that governments would want certain access to personal data for sovereign and governance reasons. But the way the current exemptions came out is independent. It is the classical piece of legislation which is going two steps forward and six steps backward.

Impact on International Trade

Data protection discussions often revolve around discussions of transfer of data. In this regard, the proposed Bill has received a lot attention from global tech tycoons as well as Indian firms that work for international companies.

Theres no denying that this bill, if becomes a law, will have a significant impact on foreign companies as well as trade between India and other nations. He stressed that the bill takes a U-turn from the stance the Reserve Bank of India (RBI) took in April 2018. The RBI in its notifications stated that all data relating to banking must be physically in India and cannot leave Indian soil and that continues to be the position till today. However, the proposed Bill is a complete walk down on the RBI stance as it allows sensitive data to be stored outside India, Pavan Duggal told CISO MAG.

The bill is a ground-breaking step for the nation towards building the significant base of trusted digital India. It will change the way privacy is perceived and practiced by various businesses. Global organizations based in India and/or providing services will be particularly impacted. Considering the data transfer mandates, as most global firms which process personal data of Indians store their data at remote locations will face challenges in-terms of increased compliance costs, suggested Jaspreet Singh.

Where the Bill Stands Today

The much-awaited Bill, which was expected to be passed by the end of 2019, has been put on hold for now following severe concerns raised about changes in the proposal. The proposed Bill was recently referred to a JPC in consultation with various groups for further analysis. The joint committee, with 20 members from the Lok Sabha or lower house, and 10 from the Rajya Sabha (upper house), will be headed by Meenakshi Lekhi, Member of Parliament. The committee is expected to submit their views before the end of the upcoming budget session.

The PDP Bill lays down provisions for thwarting misuse of personal data in the country. It mandates data processing activities like data protection, storage, and management. On the flipside, the Bill, if passed, could bring major implications for national security, foreign investment, and international trade.

Rudra Srinivas is part of the editorial team at CISO MAG and writes on cybersecurity trends and news features.

Originally posted here:
All You Need to Know About Indias First Data Protection Bill - CISO MAG

Cheetah Mobile (NYSE:CMCM) was downgraded by Zacks Investment Research from a hold rating to a sell rating in a research note issued on Friday, Zacks.com reports.

According to Zacks, Cheetah Mobile Inc. engages in developing Internet security software. The Company operates a platform that offers mission critical applications for its users and global content distribution channels. Its mission critical applications include Clean Master; Battery Doctor; Duba Anti-virus; Cheetah Browser; Photo Grid and Antutu Benchmark. Cheetah Mobile Inc. is headquartered in Beijing, the Peoples Republic of China.

Separately, ValuEngine upgraded shares of Cheetah Mobile from a hold rating to a buy rating in a research report on Friday. Three analysts have rated the stock with a sell rating, one has assigned a hold rating and one has given a buy rating to the company. The stock currently has a consensus rating of Hold and a consensus target price of $3.17.

Shares of NYSE:CMCM opened at $3.68 on Friday. The company has a market cap of $531.75 million, a PE ratio of 2.92 and a beta of 1.78. Cheetah Mobile has a 52 week low of $2.90 and a 52 week high of $8.00. The firm has a 50 day simple moving average of $3.43 and a 200 day simple moving average of $3.60.

Cheetah Mobile (NYSE:CMCM) last issued its quarterly earnings results on Wednesday, November 13th. The software maker reported $0.45 EPS for the quarter. The business had revenue of $128.70 million during the quarter. Cheetah Mobile had a net margin of 28.98% and a return on equity of 22.27%. As a group, sell-side analysts predict that Cheetah Mobile will post 0.43 EPS for the current year.

A number of institutional investors have recently added to or reduced their stakes in the business. California Public Employees Retirement System increased its stake in Cheetah Mobile by 5.8% in the 3rd quarter. California Public Employees Retirement System now owns 129,400 shares of the software makers stock valued at $463,000 after buying an additional 7,100 shares during the period. Tower Research Capital LLC TRC increased its stake in Cheetah Mobile by 97.1% in the 2nd quarter. Tower Research Capital LLC TRC now owns 16,333 shares of the software makers stock valued at $58,000 after buying an additional 8,047 shares during the period. GSA Capital Partners LLP increased its stake in Cheetah Mobile by 24.1% in the 2nd quarter. GSA Capital Partners LLP now owns 53,100 shares of the software makers stock valued at $189,000 after buying an additional 10,309 shares during the period. Grantham Mayo Van Otterloo & Co. LLC increased its stake in Cheetah Mobile by 24.8% in the 2nd quarter. Grantham Mayo Van Otterloo & Co. LLC now owns 61,900 shares of the software makers stock valued at $220,000 after buying an additional 12,300 shares during the period. Finally, Coatue Management LLC acquired a new position in Cheetah Mobile in the 2nd quarter valued at approximately $47,000. Hedge funds and other institutional investors own 4.44% of the companys stock.

About Cheetah Mobile

Cheetah Mobile Inc operates as a mobile Internet company worldwide. The company's utility products include Clean Master, a junk file cleaning, memory boosting, and privacy protection tool for mobile devices; Security Master, an anti-virus and security application for mobile devices; Battery Doctor, a power optimization tool for mobile devices; Cheetah Browser, a Web browser for PCs and mobile devices; CM Browser, a mobile browser to protect users from malicious threats; and CM Launcher, which provides personalized experience in using smart phones.

Recommended Story: Book Value Of Equity Per Share BVPS Explained

Get a free copy of the Zacks research report on Cheetah Mobile (CMCM)

For more information about research offerings from Zacks Investment Research, visit Zacks.com

Receive News & Ratings for Cheetah Mobile Daily - Enter your email address below to receive a concise daily summary of the latest news and analysts' ratings for Cheetah Mobile and related companies with MarketBeat.com's FREE daily email newsletter.

Excerpt from:
Cheetah Mobile (NYSE:CMCM) Stock Rating Lowered by Zacks Investment Research - Riverton Roll

Also introduced is the new TravelMate P2, a modern device for an increasingly mobile workforce

Editor's Summary

LAS VEGAS, Jan.5, 2020 /PRNewswire/ -- Acer today announced its latest TravelMate P6 andTravelMate P2 commercial notebooks for modern, mobile, security-conscious customers. The powerful and robust 14-inch and 15-inch notebooks feature up to 10th Gen Intel Core i7 processors, comply with MIL-STD-810G U.S. military standards and run Windows 10 Pro.

"Durable yet thin-and-light, the latest TravelMate P6 provides mobile professionals with performance they can rely on," said James Lin, General Manager, Notebooks, IT Products Business, Acer Inc. "We're confident they'll appreciate the ability to work for two days without having to recharge, in addition to the notebook's military standard compliant chassis and enhanced security."

Acer TravelMate P6: For Professionals On-the-Go

The new Acer TravelMate P6 sports a premium quality magnesium-aluminum alloy chassis that is stronger and lighter than standard aluminum alloys at the same thickness. It also gives the laptop a sleek and modern aesthetic. Weighing just 2.4 pounds (1.1 kg)[3] and measuring only 0.6 inches (16.6 mm), it's easy to take on the road. With up to 23 hours[1],[2] of battery life, professionals can stay productive on transcontinental flights or work through two full days on the go without having to recharge. This high-performance notebook can also be charged up to 50% in less than 45 minutes. Optional eSIM-enabled 4G LTE connectivity enables users to work and collaborate on-the-go. Certified for Microsoft Teams, the TravelMate P6 delivers crystal-clear videoconferencing via a four-mic array that picks up vocals from up to 6.5 feet away.

Co-engineered with Intel as part of Intel's innovation program codenamed "Project Athena", the TravelMate P6passed rigorous testing to achieve the program's experience targets[4] and hardware specifications, ensuring it consistently delivers the responsiveness[5], instant wake[6], and battery life[5],[7],[8] that ambitious people need to focus from anywhere.

"Acer's TravelMate P6 showcases the exceptional co-engineering efforts driven by Acer and Intel through the Project Athena program. Our Intel Core processor performance and the vPro platform provides standout capability for businesses and matches the ambition of on-the-go professionals," said Josh Newman, Vice President, Client Computing Group, Intel.

The new Windows 10 Pro notebooks are packed with up to 10th Gen Intel Core i7 processors, up to 24 GB DDR4 memory, up to NVIDIA GeForce MX250 graphics, and up to 1 TB of responsive Gen 3 x4 PCIe SSD using NVMe technology for speeding through editing large spreadsheets, and creating presentations. The TravelMate P6 makes sharing and collaborating easy with a 180-degree hinge design, enabling it to lay flat so the display can be shared with others.

Tough, Tested and Reliable

The Acer TravelMate P6 was designed for mobile professionals, and part of that is being able to handle real-life situations that might come up in and outside the office. Made to be MIL-STD-810G and 810F compliant, a set of military durability tests[9], the TravelMate P6 can survive the bumps from airport security, accidental drops and other mishaps. Other tests check the laptop's resistance to rain, humidity and extreme temperatures.

Solid Security

In addition to keeping data safe, companies want devices that are easy to deploy and manage remotely. Outfitted with Windows 10 Pro, the TravelMate P6 offers powerful security features to help safeguard data. Customers can log in using Windows Hello via the fingerprint reader on the power button, or through the IR webcam that leverages biometric facial recognition. Both methods eliminate the need to remember and use a password. When the webcam is idle, the camera shutter can be physically closed for additional security. An integrated Trusted Platform Module (TPM) 2.0 chip delivers hardware-based protection for passwords and encryption keys. The pre-loaded Acer ProShield includes a suite of security and management tools that help safeguard sensitive data, while Acer Office Management lets IT professionals deploy security policies and monitor assets from one interface.

Acer TravelMate P2: A Versatile Device for the Modern Workforce

The Acer TravelMate P2 is a response to an ever diversifying and modernizing world, where employees are expected to wear several hats and work in a variety of locations. The ability to connect to not only Wi-Fi but also 4G LTE[10] ensures that users can work from anywhere, and a wide host of customization options enables the TravelMate P2 to adapt to work on anything.

High-Speed Connectivity and All-day Power

The Acer TravelMate P2 is built with connectivity at the forefront, making it a reliable and pain-free choice for mobile workers. Intel Wireless Wi-Fi 6 (802.11ax) technology ensures users have a smoother wireless experience with up to three times faster[11] speeds than standard Wi-Fi 5 (802.11ac). The Nano SIM and/or eSIM-enabled 4G LTEsaves users the hassle of finding a local data plan if Wi-Fi isn't available. The TravelMate P2 has up to 13 hoursof battery life[1],[12] and a MIL-STD-810G compliant, impact-resistant chassis, allowing users to work uninterrupted for the whole day in a wide range of work environments.

Robust, Secure and Easy to Manage

The TravelMate P2 combines accessibility, manageability and ease of use and is ready-to-go at a moment's notice with optimized, pre-configured device settings and multilingual capabilities for quick, pain-free device rollouts. A TPM 2.0 module ensures secure authentication and safeguards company data, while additional security features, such as the fingerprint reader andWindows Hello gives users easy yet more secure access via fingerprint or face recognition.

Powerful Productivity

With up to 10th Gen IntelCore i7 processorsand an optional NVIDIAGeForceMX230 GPUfor powerful computing and graphics performance, the TravelMate P2 features up to 32 GB of rapid DDR4 memory,a configurable dual-drive system featuring a 1 TB high-capacity HDD and a super-responsive 512 GB 4-lane PCIe SSD. The TravelMate P2 comes with a full range of ports such as VGA, HDMI and USB Type-C, while available ports can be easily expanded through an Acer USB Type-C Dock.

Pricing & Availability

The TravelMate P6 will be available in North America in February, starting at USD 1149.99; in EMEA in Februarystarting at EUR 1,099; and in China in January, starting at RMB 9,999.

The TravelMate P2 will be available in North America in February, starting at USD 699.99; in EMEA in Januarystarting at EUR 599; and in China in January, starting at RMB 4,499.

Exact specifications, prices, and availability will vary by region. To learn more about availability, product specifications and prices in specific markets, please contact your nearest Acer office via http://www.acer.com.

[1]Listed battery life is based on MobileMark 2014productivity mode testing with wireless on. Details of MobileMark 2014 testing are available at http://www.bapco.com. Battery life rating is for comparison purposes only. Actual battery life varies by model, configuration, application, power management settings,operating conditions, and features used. A battery's maximum capacity decreases with time and use.

[2]Up to 23 hours for 4-cell model, and up to 18 hours for 3-cell model

[3]1.1 kg for 3-cell model, 1.164kg for 4-cell model

[4]Minimum Program Key Experience Indicator (KEI) Targets and Claims- Wake from sleep in less than a second[6]- consistent responsiveness, and >9 hours' battery life during real, intensive use, plugged in or on the go[5]- >16 hours of battery life in local video playback mode[7]- and 4 hours' battery charged in less than 30 minutes[8]

[5]Testing as of 30 September 2019. For systems with FHD displays. Simulated to replicate typical scenario on wireless web browsing workload: shipped HW/SW configuration running multiple background applications and open web pages; on 802.11 wireless Internet connection, DC battery power, and 250nit screen brightness

[6]From button press, lid open, or voice, to display on and ready for authentication

[7]Testing as of 30 September 2019. For systems with FHD displays. Simulated to replicate in-transit local video FHD playback scenario: 150nit screen brightness, in airplane mode

[8]For systems with Full HD (FHD) displays, when used for wireless web browsing. When powered off, from OEM default shutdown level

[9]The testing follows stringent procedures such as dropping 26 times from a height of approximately 48 inches (122 cm) on various parts of its frame-- landing on 2 inches of plywood placed on concrete.

[10]Specifications may vary depending on model or configuration

[11] 802.11ax 2x2 160MHz enables 2402Mbps max theoretical data rates, 3X faster than 802.11ac 2x2 80MHz (867Mbps) as documented in IEEE 802.11 wireless standard spec and require the use of similarly configured 802.11ax wireless network routers

[12]Up to 13 hours for 14-inch model, and up to 12 hours for 15-inch model

About Acer

Established in 1976, Acer is a hardware + software + services company dedicated to the research, design, marketing, sale, and support of innovative products that enhance people's lives. Acer's product offerings include PCs, displays, projectors, servers, tablets, smartphones and wearables. It is also developing cloud solutions to bring together the Internet of Things. Acer celebrated its 40th anniversary in 2016 and is one of the world's top 5 PC companies. It employs 7,000 people worldwide and has a presence in over 160 countries. Please visit http://www.acer.comfor more information.

2020 Acer Inc. All rights reserved. Acer and the Acer logo are registered trademarks of Acer Inc. Other trademarks, registered trademarks, and/or service marks, indicated or otherwise, are the property of their respective owners. All offers subject to change without notice or obligation and may not be available through all sales channels. Prices listed are manufacturer suggested retail prices and may vary by location. Applicable sales tax extra.

SOURCE Acer Incorporated

http://www.acer.com

Read the original post:
Acer Introduces New TravelMate P6, a Durable and Thin-and-Light Notebook for Mobile Professionals - PRNewswire

Getty

As of January 1, 2020, Californias new Consumer Privacy Act goes into effect, and with it a series of new requirements about how your company protects information. Those protection requirements include, among other things, something called reasonable security when handling that information. Fail to provide that reasonable security, and you could find your company hit with significant fines.

You need to make a data driven decision that having a human firewall is a really good idea.

Whats reasonable security, and how do you achieve it? The California Attorney General lists compliance with the Center for Internet Security list of 20 controls and resources as recommendations as being reasonable security. Whats notable about the CIS list is that theres no specific technology solution. Instead, the means of complying with the CIS Controls is primarily a management process.

Human Firewalls

The danger is thinking that theres going to be a silver bullet, but it never arrives, said Stu Sjouwerman, CEO of KnowBe4, a security training company. As a community in IT, you need to make a data driven decision that having a human firewall is a really good idea.

Getty

The idea of a human firewall is that a company thats properly managed will have employees that wont fall for the social engineering that precedes most data breaches. This means that your employees must be instilled with what Sjouwerman calls a security culture. With a proper security culture, your employees will know not to open phishing emails, theyll know not to send out the company phone book or the CEOs contact information. Theyll also know when to report suspected intrusion attempts to the CISO staff.

Security Culture

Getting a security into your company isnt necessarily the easiest thing in the world, because it requires that your employees not take the easy way out when it comes to protecting your organization. It means they must choose long complex passwords, they must not let people follow them into secure areas and they must not answer questions over the phone unless their role in the organization is that they communicate with the public.

Youre better off hiring the right people and training them, Sjouwerman said. Youre hiring for a security culture. They have a security awareness level so that they can be trained.

Getty

To accomplish this, you need to have buy-in from your board so that you can have the boards backing when you institute security controls and limit your hiring to people who understand why security is important, even if they have to be trained.

Getting your employees motivated to be part of the security culture will take some effort. Youll need an internal sales and marketing campaign, but everyone needs to be sold on the fact that security is important. Sjouwerman said.

Sjouwerman noted that having data breaches covered in the media on a near daily basis helps drive home the need to prevent them. A boatload of those data breaches are caused by human error, he said.

The Management Approach

But if you look at the 20 CIS Controls, youll see that they are management tasks, not technological solutions. A few of the tasks can use technology to implement part of the solution, but in most of the cases there is no hardware or software solution available.

Getty

For example, the requirement for malware protection can use anti-malware software or devices, but the requirement for controlled access based on need to know is purely a management task. Likewise, the task to implement a security awareness and training program requires management desire and the appropriate funding.

No doubt youre aware of the many companies selling products that they claim will solve all of your security problems if only you put them to work in your organization. The problem with these products is that theyre not totally effective. Even the best of the appliances or software packages will let miss some threats, if only because the attackers are very good at finding ways to get past those products you bought.

This doesnt mean that you shouldnt buy these products, because you should. Even though they may miss 5 to 10 percent of the bad stuff thats trying to breach your network, Thats still a lot less than youd have otherwise.

But for your security to be effective, your employees helped by your management approach, need to discover and block the rest.

Employee Focus

To make all of this work, your employees need to see that their management encourages their security awareness. This could mean a bonus for finding and reporting a threat. It could mean the backing of management for reporting a poor security practice in the workplace. It could even mean praise for finding a new and better security practice.

Whats key is that your employees are willingly and even enthusiastically part of the security solution. This should not appear to them to be a burden or to require unreasonable difficulties. The bottom line is that they should want to be part of the security solution.

See the rest here:
Staying Out Of Trouble In 2020 With New Security Practices And Human Firewalls - Forbes