How to make the CFO your best cybersecurity friend

I’m bad dinner company. As the CFO of a cloud technology provider, I like to speak about finance and cybersecurity, two topics entirely capable of putting my dinner guests to sleep. However, both topics are extremely important in today’s business world and are inextricably linked. Good cybersecurity is extremely expensive, and bad cybersecurity is, well… even more expensive.

If you are not a cybergeek, it can be very difficult to tell the difference between the good stuff and the bad stuff, until something bad happens. Therefore, it’s very important to be able to clearly illustrate the ROI of any cybersecurity project to your CFO so he or she can rationalize the level of spending that good security requires. Allow me to explain what information CFOs are looking for before they write the check.

Spend more on management of cyber policy and less on high end CapEx

I’m often amazed at the amount of capital expended on high-end security appliances, with little thought of how those tools will be managed once installed. Essentially, this is what CFOs call “ROI.” We see this often when we migrate clients onto our platform – we see so much technology go to the junk heap because of over-purchasing. Don’t bring a cannon to a fistfight.

This is not to say that all of the bells and whistles included in these offerings are not potentially useful and protective, but without a fully qualified pilot in the cockpit to operate and navigate all of the functionality, much of it ends up unused, or worse yet misused — resulting in false positives and corresponding organizational inefficiencies.

CFOs would rather see fewer CapEx dollars spent on cyber investments, offset by more dollars spent on qualified professionals and organizational structure to manage those investments. Ultimately, this will yield a higher ROI.

If you are outsourcing your cloud services and security, it’s important to assess whether the provider has the financial and technical wherewithal to purchase the full menu of high end appliances, and more importantly employ a small army of engineers, whose sole purpose lies in the proper and efficient management of these devices on behalf of its clients.

Understand that your CFO looks at cybersecurity spending like corporate insurance

Cybersecurity investments often behave in a similar way to corporate insurance policies, although I think we can agree that these days, we are much more likely to have a data breach than a fire or earthquake. Just like with insurance, cyber investments are money spent to protect against an unlikely-to-happen threat. We can’t take that chance, however slim, so we allocate scarce dollars to protect or compensate us should the worst occur.

When we buy insurance, we make trade-off decisions because to completely insure our business against every event would cost us more than we make in revenue. The same goes for cyber tools. A technologist could literally spend the entire P&L on protecting against cyber attacks. So we must be selective. CISOs beware: CFOs look at cyber spending as they do insurance, which is to say: probabilistically. This is quite different from a technologist’s approach, which is to put as much firepower between the company and potential harm as possible.

Your CFO wants you to identify different types of cyber investments that might cover the same risks, or even be covered by implementing better policy. The already crowded space of vendors selling fear grows larger every day. Many of the technologies they are selling overlap with other technology that may already be in place. Be sure that your technology/security team can clearly articulate to the CFO what the various cyber investments are meant to defend against, and how they interact with one another.

Provide the CFO with a protocol for purchasing cyber defenses that follow a standard for the who, what, why, where, how, and how much for every solution you recommend. The blanket statement “because it will make us safer” is unacceptable given the dollars at stake, and should not be cause to write a blank check from the CFO.

More and more companies are spending significant dollars to protect against hackers. If you are one of these companies, and you also spend dollars on cyber E&O insurance, consider approaching your carrier or broker for a discount. Much like being a non-smoker may reduce your health insurance premiums, so should having a robust cybersecurity program reduce your corporate premiums.

Make cybersecurity work for your HR managers

Be sure to illustrate to your CFO how useful cyber tools can be across the firm, thereby increasing utility and… that’s right, ROI.

Many people think that cybersecurity is a bunch of expensive appliances and intrusion detection software, and sometimes this is true. But the biggest mistake that firms make is to invest in these tools and then let them sit exclusively under the purview of the technology team, or worse yet, installed with no hands-on management at all.

While these tools generally have a passive role, scanning or waiting for an event before leaping into action, the data that they analyze can be extremely useful to other areas of your company, if translated, summarized and communicated to the right people. An example of this is web filtering through an advanced firewall. Ostensibly, the purpose is to prevent employees from accessing sites with malicious potential. But in the course of scanning and blocking these sites, firewalls collect information on traffic to all of the other sites that employees are visiting. Thus, if presented clearly to an HR manager, this data could result in useful business intelligence around employee productivity. Trust me, the employee juggling seven fantasy football teams is not a great contributor to your firm.

from Help Net Security – News

Most consumers worry about cybercrime, but are not aware of what can be done about it

There is a high level of concern among consumers about the risks associated with cybercrime from their smart devices, and one in four claims to be a victim of a cyberattack. Yet, the vast majority of consumers are unaware of what they can do to protect themselves or feel they’ve already taken sufficient safety measures, according to Grange Insurance.


“Our research suggests that while most consumers worry about the disruption cybercrime can cause in their lives, they are not fully aware of what can be done about it and too often don’t know where to turn for help,” said John North, Personal Lines President, Grange Insurance. “We hope this study will lead to more awareness and action, particularly as we mark Cyber Security Awareness Month.”

Smart device usage and cybercrime concerns

  • On average, households contain six devices that access the Internet. And the majority of consumers (65%) intend to add more devices in the future.
  • The vast majority (81%) use public Wi-Fi networks, with about half (48%) doing so once a week or more. Consumers are most likely to access public Wi-Fi networks from a mobile phone.
  • The vast majority (77%) are at least somewhat concerned about the risks of accessing the internet from their devices. 31% are very or extremely concerned.
  • Hacking and having personal information stolen are the most frequently mentioned top-of-mind risks. But, overall, there is a high level of familiarity and concern about all types of risks.

Key findings about cybercrime protection and resources

  • About a quarter (23%) have experienced a cyberattack, with hacking, viruses and identity theft the most common types.
  • Among those who have experienced a cyberattack, about three out of four say they had taken safety measures prior to the attack.
  • One in four have never taken safety measures against cybercrime.
  • Lack of awareness and believing their existing measures are sufficient are the top reasons consumers don’t take more safety measures to prevent cybercrime.
  • Consumers say they would most likely seek advice about cyber protection from an antivirus or cybersecurity company. About 1 in 10 say they don’t know where to go for advice.
  • Nearly one in five (17%) believe that doing more to protect themselves from cybercrime is too much of a hassle.
  • About seven in 10 have not purchased identity theft insurance coverage or home cyber insurance protection, but nearly a third have considered it.

“As the number of devices connected to the internet in our homes increases, it is more challenging than ever to keep information secure. Consumers must be proactive in learning about the risks around them – even from common items such as baby and pet monitors and smart toys – and take steps to adequately protect themselves,” said John North.

from Help Net Security – News

FireEye demonstrates email threat detection with no-cost cloud email evaluations

FireEye launched a new capability that allows organizations to evaluate email threat detection efficacy with a no-charge evaluation service powered by FireEye Email Security.

“Email continues to be the most prevalent attack vector, and adversaries are taking advantage. In fact, our recent study found that less than a third of email traffic was considered ‘clean’,” said Ken Bagnall, vice president of email security at FireEye.

“With the introduction of FireProof Email Threat Analysis, we provide the ability for organizations to assess their cloud email security – at no charge. The evaluation analyzes an organization’s delivered email to determine if advanced threats are getting past current defenses. And in the evaluations that we’ve run for organizations, we’ve found a significant amount of malware that had bypassed their existing security tools.”

FireProof Email Threat Analysis

Now available as part of FireEye’s new demo center – FireProof – Email Threat Analysis is designed to help organizations discover how they can better protect themselves against today’s email-based threats. The evaluation is free, with no software or hardware to deploy, and no email delivery interference.

According to the latest FireEye Email Threat Report, approximately one out of every 100 emails is of malicious intent. For organizations wondering if email is being used to target their employees, FireProof Email Threat Analysis offers a way to find out.

FireEye Email Security

FireEye Email Security protects customers from a range of email-based attacks – from commodity malware to the most sophisticated threats. Every day, FireEye is at the forefront of cyber attacks, conducting investigations, gathering intelligence, and tracking adversaries.

FireEye product teams build solutions based on this knowledge, and experts further refine these solutions in real-world situations. Through this innovation cycle, and technologies such as deep learning, artificial intelligence, analytics, and the FireEye Helix security operations platform, FireEye Email Security keeps pace with adversaries and emerging threats.

from Help Net Security – News

ID Analytics introduces solution to address multifaceted synthetic fraud challenges

ID Analytics released two new products designed to provide businesses with a solution to the disparate challenges of synthetic identities. The approach taken by both ID Score Synthetic and Credit Optics Intentional Misuse complements existing fraud and credit risk solutions and attacks a range of synthetic identity abuse. The solutions can help enterprises minimize losses associated with synthetic identities while minimizing friction for low-risk consumers.

Synthetic identity fraud has become a challenging issue as fraudsters become more sophisticated and build synthetic identities which appear valid to most fraud and credit assessments. Today, synthetic identities are not always created using valid information from multiple consumers. Many are composed of invalid information with no ties to a known consumer – making them difficult to detect.

With no victim to report that their identity has been stolen, or conflicting personal identifying information (PII) to raise a red flag, fraudsters can operate undetected for years, building up credit with multiple institutions before busting out and vanishing without a trace.

“ID Analytics is tackling the problem of synthetics by focusing on the root cause – identity legitimacy,” said Ajay Nigam, CEO of ID Analytics.

“All forms of synthetic fraud are subject to this question. Only by leveraging an identity intelligent assessment can one form an opinion on legitimacy – our solutions were developed through an R&D process that included extensive consultation with our customers and partners and were designed from the ground up to maintain a high level of performance, as synthetic fraudsters shift their methodologies.”

Current synthetic identity solutions often fail in a number of ways. Clever synthetic fraudsters can pass many traditional identity fraud screens which aren’t optimized to the problem, and existing synthetic fraud detection solutions can miss the damage caused by fraudsters who do not engage in traditional “tricks of the trade” like credit piggybacking.

Likewise, existing credit risk solutions miss applications from synthetic identities who have developed profiles for large longer-term payoffs, and they limit lenders’ ability to take adverse action if malicious intent is identified.

To address these challenges, ID Analytics developed two new products: ID Score Synthetic and Credit Optics Intentional Misuse. These products target the core issue of identity legitimacy and the typical outcomes of synthetic fraud:

ID Score Synthetic – Designed from the ground up to address the core challenge of synthetic identity fraud, while sparing low risk consumers from unnecessary friction, ID Score Synthetic attacks the root cause through a predictive assessment of identity legitimacy. It is predictive regardless of the methodology or attack vector (manufactured synthetic or manipulated synthetic) and regardless of the length of time the synthetic identity has been in use. Beta testing with ID Analytics customers found that it identified more synthetic fraud risk than legacy systems in place at leading financial institutions.

Credit Optics Intentional Misuse – For organizations that view synthetics as a credit issue, Credit Optics Intentional Misuse is designed to address the net outcome of credit abuse – including synthetic identities and first payment default – by identifying applicants who may be plotting to misuse and abuse requested credit or services. As an FCRA solution, risk assessments from Credit Optics Intentional Misuse are adverse actionable – an important feature when dealing with applicants who intend to misuse credit, but who have passed through identity proofing screens. This solution was developed as a direct response to feedback from leading U.S. lenders and service providers to address the broader range of credit abuse, including synthetic identities. In a beta test with a major financial institution, the solution identified nearly 3x more risky consumers than a traditional credit risk model.

“Synthetic identities have emerged as one of the biggest challenges for businesses because they are so difficult to detect. In 2017, synthetic identity fraud resulted in $800 million in losses through credit cards alone, and that could reach $1.2 billion by 2020,” said Julie Conroy, research director for the retail banking & payments practice at Aite Group.

from Help Net Security – News

Zscaler extends Cloud DLP service with inline Exact Data Match for massive data sets

Zscaler released inline Exact Data Match (EDM) with native SSL inspection as part of its Cloud Data Loss Prevention (DLP) service. The inline EDM capability extends the Zscaler cloud platform to protect against the loss of sensitive information across all users and branches with more precision while reducing the number of false positives. This service is provided in the Zscaler cloud, with a capacity of one billion data points per customer across 100 data centers globally.

Traditional DLP appliances that sit in the data center are expensive and resource-intensive, and their protection can be subpar, often failing to alert an organization until after data has been compromised.

Zscaler’s inline EDM with native SSL inspection blocks sensitive information before it leaves the network. In the first half of 2018, the Zscaler cloud platform blocked an average of 800,000 SSL-encrypted transactions per day containing advanced threats. Zscaler EDM with native SSL inspection and policy enforcement secures all application and user traffic, providing security and a business advantage.

“IT organizations need better visibility into potential risks of data leakage with granular control and actionable outcomes,” said Steve House, Vice President of Product Management, Zscaler. “With the addition of EDM, our customers, in real time, can more precisely identify and protect sensitive information that could potentially leave their network — keeping the good things in, and the bad things out.”

Inline inspection and enforcement

Inline inspection and enforcement are critical for acting quickly to block data from leaving the organization without affecting the user experience. With Zscaler DLP, EDM provides inline inspection of all network traffic, whether users are on or off the network, improving the accuracy of data loss incident detection and eliminating false positives. EDM with native SSL inspection and policy enforcement secures all application and user traffic, providing security and visibility.

Capacity of the Zscaler cloud

Because of the scalability of the Zscaler cloud, customers can fingerprint and match up to a billion cells of data at any time. We believe other solutions are limited by performance constraints due to the resource-intensive nature of the technology.

Granular Policy Control

With EDM and customizable policies, Zscaler Cloud DLP can detect and stop the transfer of an exact match to a particular record to unauthorized parties or services. This technique eliminates false positives and thus improves both security posture as well as administrator productivity.
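The paragraphs above describe Exact Data Match in outline: cells of a protected data set are fingerprinted, outgoing traffic is inspected inline, and a transfer is blocked only when it carries an exact match to a particular record rather than anything that merely looks like sensitive data. The following is an added example illustrating that mechanism, not Zscaler’s code or an account of how its service is built; it assumes HMAC-SHA256 keyed fingerprints, a constructed two-row customer table, a constructed per-tenant key, and a policy of “block when two or more fields of the same record match”. A plain pattern rule is included beside it to show the false positive that record-level matching avoids.

```python
import hashlib
import hmac
import re

# Constructed sample of the protected data set (a small customer table).
# In an EDM deployment the cells are fingerprinted where the data lives and
# only the keyed hashes reach the inspection point; plaintext never leaves.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "account": "40001111"},
    {"name": "Bob Sample", "ssn": "987-65-4321", "account": "40002222"},
]

# Constructed per-tenant secret (assumption: one key per customer data set),
# so a fingerprint table cannot be reversed by hashing guesses offline.
FINGERPRINT_KEY = b"constructed-demo-tenant-key"


def normalize(cell: str) -> str:
    """Canonical form so '123-45-6789', '123 45 6789' and '123456789,' match."""
    return re.sub(r"[^a-z0-9]", "", cell.lower())


def fingerprint(cell: str) -> str:
    return hmac.new(FINGERPRINT_KEY, normalize(cell).encode(), hashlib.sha256).hexdigest()


def build_index(records):
    """Map column -> {fingerprint -> record id}. Only hashes are stored."""
    index = {}
    for rid, rec in enumerate(records):
        for col, val in rec.items():
            index.setdefault(col, {})[fingerprint(val)] = rid
    return index


def candidate_cells(text: str, max_words: int = 3):
    """Yield every run of 1..max_words whitespace-separated tokens."""
    words = text.split()
    for i in range(len(words)):
        for n in range(1, max_words + 1):
            if i + n <= len(words):
                cand = " ".join(words[i:i + n])
                if normalize(cand):
                    yield cand


def edm_matches(text: str, index) -> dict:
    """Return {record id -> set of matched columns} for the outgoing text."""
    hits = {}
    for cand in candidate_cells(text):
        fp = fingerprint(cand)
        for col, table in index.items():
            if fp in table:
                hits.setdefault(table[fp], set()).add(col)
    return hits


def edm_verdict(text: str, index, min_fields: int = 2) -> str:
    """'block' when some single record is matched on min_fields+ columns."""
    hits = edm_matches(text, index)
    return "block" if any(len(cols) >= min_fields for cols in hits.values()) else "allow"


# Pattern-only DLP rule for comparison: any SSN-shaped number trips it,
# whether or not it belongs to a real customer record.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pattern_verdict(text: str) -> str:
    return "block" if SSN_PATTERN.search(text) else "allow"


if __name__ == "__main__":
    idx = build_index(SAMPLE_RECORDS)
    leak = "Forwarding Alice Example, SSN 123-45-6789, acct 40001111"
    benign = "Ticket 555-12-3456 is the printer asset tag, not a customer"
    print("leak:  ", pattern_verdict(leak), edm_verdict(leak, idx))
    print("benign:", pattern_verdict(benign), edm_verdict(benign, idx))
```

The pattern rule blocks both messages because both contain a nine-digit number in SSN layout; the EDM check blocks only the first, where the name, SSN and account number all resolve to the same fingerprinted record. The `min_fields` threshold is the policy knob: raising it trades recall for fewer incidents, and a real deployment would also tune the candidate window to the longest field it protects.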

from Help Net Security – News

Fraud and risk platform from Featurespace creates new opportunities for processors and acquirers

Featurespace has launched ARIC White Label, enabling multinational banks, payments companies, issuer processors and merchant acquirers to reduce risk and customer friction across all channels for their customers.

ARIC White Label delivers the full functionality of the ARIC Fraud and Risk platform – including adaptive behavioral analytics and biometrics – allowing processors and acquirers to offer their customers the fraud and risk prevention tools. Fully brandable, ARIC White Label easily integrates into clients’ systems to provide:

  • Multi-tenancy: Fraud detection strategies can be configured and simultaneously deployed, including rules and adaptive models at the individual merchant- and issuer-level, over specific groups and across entire portfolios;
  • Instant onboarding: Clients can set templates for the levels of access provided to tenants;
  • Full data segregation: Tenants cannot access data of other tenants;
  • Complete control over rules;
  • Model deployment: Featurespace’s or the customer’s own models; and
  • Reporting and incident management.

With ARIC White Label, clients can also incorporate and combine Featurespace’s Adaptive Behavioral Analytics with their existing models to build profiles of normal behavior for every consumer and then deliver custom risk scores of each interaction at every touchpoint, ensuring the accuracy when determining if an event is genuine or fraudulent.

“ARIC White Label is deployed and powerfully delivering for our customers,” said Dave Excell, founder and CTO at Featurespace. “Our technology will help to provide best-in-class fraud and risk protection for customers who might otherwise have not been able to benefit from the ARIC Fraud and Risk Hub.”

from Help Net Security – News

Z1 Global TrustPoint simplifies the exchange of email certificates

With the latest version of the online certificate portal Z1 Global TrustPoint, Zertificon Solutions has simplified and accelerated the publication of email certificates. This will make certificate-based email encryption more efficient for everyone involved.

With email encryption, the email certificates of the communication partners must be available and validated in real time. Z1 Global TrustPoint assumes responsibility for this process. Here you will find not only certificates from public certification authorities, but also those of authorities and companies with their own certificate-issuing offices such as the BSI (Germany’s Federal Office for Information Security), Volkswagen or Siemens. In addition, each certificate holder can publish their certificate online at Z1 Global TrustPoint.

As part of making the certificate portal GDPR compliant, the manual review of individual certificates uploaded via the website has been replaced by an automated process. After the certificate has been uploaded, the certificate holder authorizes the publication of their certificate via a confirmation link in an email. With just a few clicks, certificates are made available almost in real time to communication partners throughout the world.

Zertificon business solutions, such as Z1 SecureMail Gateway, have always published user certificates at Z1 Global TrustPoint. Third parties can download these and start a confidential mail communication with companies using Z1 SecureMail Gateway.

Third parties can, in turn, upload their own certificates to the certificate portal, which are then available to all connected gateways for email encryption.

from Help Net Security – News