Privacy Teams Helped Navigate the Pivot to Work-from-Home


Annual Cisco privacy study also reports that 90% of organizations say their customers won’t buy from them if they are not clear about data policy practices.

New research from Cisco found that most organizations over the past year turned to their privacy teams to help navigate and guide their shift to remote work in response to the COVID-19 pandemic.

“What we found was that roughly two years ago most companies barely had a privacy team; it was tucked away in a legal office,” says Robert Waitman, director of data privacy at Cisco. “But with the shift to remote work because of the pandemic, privacy has become more important, mainly because employees were uncomfortable with the privacy of the tools available and the need for companies to provide a safe workplace.”

The Cisco 2021 Data Privacy Benchmark Study, released ahead of Data Privacy Day on Jan. 28, found that privacy budgets doubled in 2020 to an average of $2.4 million. Overall return on investment was down slightly compared to 2019, but remained healthy with 35% of organizations reporting benefits at least two times their investments.

Here’s a snapshot of the ROI companies reaped from privacy investment:

  • Built customer trust (76%): Respondents say customers better understand what happens with their data and what the process is in the event of a breach.
  • Mitigated security losses (74%): Organizations spent less time and money responding to breaches.
  • Achieved operational efficiencies (74%): Data privacy controls resulted in more efficient operations.
  • Reduced sales delays (68%): Customers spend less time trying to figure out the vendor's privacy policies, which resulted in shorter and more efficient sales cycles.

“We found at Cisco that customers took up a lot of our time asking about how their data was used, which would slow down the sales cycle,” Waitman says. “We found that clear privacy policies streamline the sales cycle and also create transparency with the customers.”

Stacy Scott, managing director in Kroll’s Cyber Risk practice, says that companies were caught off-guard by the pandemic and had some business-critical questions to grapple with around data privacy, so it makes sense that companies leaned on their corporate privacy teams.

“This generation has never been through a pandemic, so there were a lot of questions to ask, such as: What type of privacy program we should set up? How do we keep employee data safe? And do we need to have monthly drive-bys at the homes of employees to pick up sensitive documents?” Scott says.

The rapid shift to more ecommerce also raised the privacy team’s profile.

“Individuals are doing more with ecommerce and companies are interacting more with their customers online and also doing more online trade shows and conferences,” Scott says. “All of this raised questions on how companies were going to keep all those communications and data private. And as people shifted their activities, the bad threat actors followed, which also put pressure on remote access systems and essential services, increasing privacy concerns.”

Consumer-Driven Privacy Movement

Consumers have also played a large role in pushing companies to take privacy seriously. According to the Cisco benchmark report, a top concern of individuals over the past few years has been the lack of transparency about what data is being collected and how it is used. Businesses and governments have not always been clear on this front, and even when they strive for transparency, the analytics, algorithms, insights, and inferences involved are often too complex for the general public to understand.

Waitman says many consumers have taken matters into their own hands: nearly one-third already have stopped buying from a company over their data policies or practices. Companies are increasingly recognizing this challenge, and 90% of organizations in this year’s benchmark survey say that their customers will not buy from them if they are not clear about data practices and protection.

Privacy legislation has also played an important role in offering assurance that governments and organizations are being held accountable for how they manage data. More than 130 countries now have omnibus privacy legislation, most of it passed in the past few years. Among respondents to the benchmark survey, 79% say privacy regulations have had a positive impact, 16% were neutral, and only 5% said privacy laws have a negative impact.

Another sign from the benchmark survey that privacy’s profile has risen: 93% of organizations now report at least one privacy metric to the board, with 14% reporting five or more privacy metrics. Among the most reported metrics are privacy program audit findings (36%), privacy impact assessments (32%), and data breaches (31%).

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.

Recommended Reading:

More Insights

Original Article

Mimecast: Recent Certificate Compromise Tied to SolarWinds Attacks

Yet another security firm hit in the sweeping attack campaign believed to be out of Russia.

Email security provider Mimecast today confirmed that the recently revealed compromise of a Mimecast-issued certificate for some of its products indeed stemmed from the SolarWinds attack campaign.

Mimecast earlier this month disclosed that an attacker had compromised a certificate provided to certain customers to authenticate Mimecast products to Microsoft 365 Exchange Web Services. The security vendor, which first learned of the breach from Microsoft, recommended that its affected customers delete the existing connection in their Microsoft 365 tenant and set up a new certificate-based connection with newly issued keys.

“Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor,” Mimecast said in blog post today.

“Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes,” the company said.


Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.


BEC Scammers Find New Ways to Navigate Microsoft 365

Their techniques made use of out-of-office replies and automatic responses during the 2020 holiday season, researchers report.

Business email compromise (BEC) scammers targeted victims’ out-of-office replies and read receipts during the 2020 holiday season, when many took time off work and automatic replies were more prevalent, researchers report.

Abnormal Security observed attackers turning victims' own Microsoft 365 out-of-office messages into the delivery channel. The scammer writes an extortion email and manipulates the "Reply-To" header. If the first target has an out-of-office reply turned on, the automatic reply, which quotes the original message, is sent to the Reply-To address, a second target within the same organization, rather than back to the attacker, researchers report. Because that reply is generated by the victim's own tenant, it reaches the second target as an internal message even when the original extortion email has already been quarantined.

“Even though the original extortion email was auto-remediated, the manipulated email header triggered an Out of Office reply to a second target that includes the text of the extortion,” they write in a blog post. 

Similarly, in a "read receipts" attack, the scammer writes an extortion email and sets the "Disposition-Notification-To" header, which tells the mail system where to deliver a read receipt, so that the receipt is sent to a target instead of to the attacker. When the recipient's client acknowledges the message, Microsoft 365 delivers a read-receipt notification to that target, and the notification includes the text of the extortion.
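One check a mail-security team can run for the header manipulation described above, as an added example that is not part of the original article or of Abnormal Security's research: it parses a raw message, compares the domains of the Reply-To and Disposition-Notification-To headers against the From domain, and flags an external sender whose auto-response targets point inside the organization. The domains corp.example, invoice-portal.test and vendor-mail.test and the three sample messages are constructed for the demonstration.

```python
import email
from email.utils import getaddresses

# Headers that decide where an automatic response is delivered: out-of-office
# replies go to Reply-To when it is present, read receipts (MDNs) go to
# Disposition-Notification-To. Neither has to match the visible From address.
AUTO_RESPONSE_TARGET_HEADERS = ("Reply-To", "Disposition-Notification-To")


def _domain(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _addresses(msg, header):
    """All addresses found in every instance of `header`, lower-cased."""
    return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]


def audit_auto_response_targets(raw_message, internal_domains):
    """Flag messages whose auto-response targets do not match the sender.

    Returns a list of (severity, header, target) tuples:
      "high" - an external sender points the auto-response at an internal
               address, so the recipient's own tenant would relay the quoted
               body to a colleague as an internal message;
      "low"  - the target is merely a different domain from From (common for
               mailing lists and marketing mail; worth logging, not blocking).
    """
    msg = email.message_from_string(raw_message)
    internal = {d.lower() for d in internal_domains}
    sender_domains = {_domain(a) for a in _addresses(msg, "From")}
    sender_is_internal = bool(sender_domains & internal)
    findings = []
    for header in AUTO_RESPONSE_TARGET_HEADERS:
        for target in _addresses(msg, header):
            target_domain = _domain(target)
            if target_domain in sender_domains:
                continue  # the auto-response goes back where the mail came from
            if target_domain in internal and not sender_is_internal:
                findings.append(("high", header, target))
            else:
                findings.append(("low", header, target))
    return findings


# Constructed sample messages (not real traffic).
REDIRECTED_EXTORTION = """\
From: "Billing" <billing@invoice-portal.test>
To: alice@corp.example
Reply-To: bob@corp.example
Disposition-Notification-To: bob@corp.example
Subject: Final notice
Message-ID: <20201224.1@invoice-portal.test>

Your files are encrypted. Pay within 48 hours to the wallet below.
"""

NEWSLETTER = """\
From: news@vendor.example
To: alice@corp.example
Reply-To: replies@vendor-mail.test
Subject: December update

Happy holidays from the team.
"""

PLAIN = """\
From: carol@partner.example
To: alice@corp.example
Subject: Tuesday

See you at 10.
"""

if __name__ == "__main__":
    samples = (("extortion", REDIRECTED_EXTORTION), ("newsletter", NEWSLETTER), ("plain", PLAIN))
    for name, raw in samples:
        print(name, audit_auto_response_targets(raw, ["corp.example"]))
```

The "high" case is the one worth acting on at the gateway: the original message may already be caught by inbound filtering, but the auto-reply it provokes is born inside the tenant, so the rule has to fire on the inbound message before any auto-response is generated.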



Cartoon Caption Winner: Before I Go …

And the winner of The Edge’s January cartoon caption contest is …

Our January 2021 caption contest has come to a close. Congratulations go to The Edge reader Jonathan Boyett for his winning "Before I Go…" caption. Boyett is an IT auditor at Phillips 66. A $25 Amazon gift card is on its way.

Second-place winner, and recipient of a $10 Amazon gift card, is Bruce Lightsey, database manager at State of Mississippi Dept of ITS.

Thanks to everyone for their contributions. A new contest will be posted next week.

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.
Web site: …


Fighting the Rapid Rise of Cyber Warfare in a Changing World

Global cyber warfare is a grim reality, but strong public-private relationships and security frameworks can safeguard people, institutions, and businesses.

Security experts have learned many lessons from 2016 about how cyber warfare not only impacts elections but also has the potential to disrupt everything from energy and education to government services and military operations. Whether it is nations such as China, Russia, Iran, and North Korea, guerrilla groups, or rogue actors, the danger grows as our dependency on digital tools continues to rise.

There are a host of reasons for nation-states and international organizations to engage in cyber warfare with the goal of causing physical or economic harm. They may want to gain a competitive advantage by stealing strategic business plans; cause catastrophic damage with a tactical strike on a local utility; access data from state and local governments to disrupt crucial industries such as the military, aviation, and education; or lock up hospital information systems to hurt patient care.

Addressing these dangers is imperative for the public and private sectors, as evidenced by the recent high-profile attacks, presumably by Russia, that impacted multiple government agencies and corporations. When cybersecurity firm FireEye discovered that intruders had made off with the company's red-team tools, which are designed to find vulnerabilities, it immediately launched an investigation. That investigation traced the intrusion to a backdoor planted in legitimately signed updates of SolarWinds' Orion software: a software supply-chain compromise rather than an ordinary vulnerability, which is why installing a fixed version was not enough and affected organizations also had to hunt for follow-on activity in their networks. Because Orion is used by many public agencies, it became frighteningly clear that a vast breach of US government networks had also occurred. The backdoor is now known as Sunburst.

Build Strong Ties to Fortify Against Dangerous Attacks
All of these examples point to the increasing sophistication and frequency of cyber threats directed at the government and corporate sectors. To stand a chance against these attacks, it is clear that a more robust collaboration is required between these two groups.

  • Government agencies are not typically transparent due to concerns about national security, but intelligence exchanges help all stakeholders open conversations regarding threats and attacks to broaden the collective knowledge. For instance, while the SolarWinds damage is likely widespread, it could have gone much further if FireEye had not discovered and immediately shared it with government agencies and law enforcement.
  • The corporate world could learn from the government when it comes to cyber-awareness and security training conducted for federal employees. Additionally, government standards like the Federal Information Processing Standards (FIPS) and NIST Special Publication 800 Series can help nongovernmental organizations further enhance security.
  • On the flip side, the government can take a lesson from the private sector on how to react and adapt more quickly. A recent survey of government cybersecurity professionals found that 65% of respondents thought the pace of cybersecurity change was too slow compared with enterprise organizations, and 81% believed that collaboration with the private sector could hasten security processes.
  • Both sectors should explore how privacy-enhancing techniques could be used to develop more productive partnerships. Technologies such as cryptographic algorithms and data-masking techniques are increasingly used in banks to detect financial crimes through information sharing and analysis but without disclosing sensitive data.

Minimize Risk by Prioritizing Key Security Functions
Building strong public-private relationships is an important step in addressing cyber warfare. But without the right security framework in place, agencies and businesses will continue to operate at risk. Here are some key priorities:

  • Follow a DevSecOps approach when developing applications by having security in mind from the start and building security auditing and compliance checks into the standard continuous integration/continuous delivery (CI/CD) pipeline.
  • Use the application security best practices published by the Open Web Application Security Project (OWASP), including its Top 10 list of the most impactful web application security risks; insufficient logging and monitoring is itself a Top 10 category, and OWASP's guidance on it helps reduce response time.
  • Improve network security against man-in-the-middle attacks, wardriving, and other network attacks by educating employees on the risks of public Wi-Fi, requiring a virtual private network (VPN) for sensitive resources, and strengthening network authentication.
  • Identify and remedy code-injection vulnerabilities by scanning regularly during development: static analysis of the source in the build pipeline, plus dynamic scanners such as Burp Suite and OWASP ZAP, which probe the running application rather than the code, run against a test deployment.
  • Secure exposed VPN gateways with prompt patching and strong, preferably multifactor, authentication. This is especially important for government agencies that are accustomed to fully closed networks but with remote work are subject to the same exposure as commercial businesses.
  • Hire the best teams for the job. Cybersecurity is a multidiscipline practice, and building a solid framework requires advanced- to expert-level knowledge in each area, including application development and networking.
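The code-injection item above, as an added example that is not from the original article: a SQL query built by string formatting beside its parameterized form, run against an in-memory SQLite table, so the defect a static analyzer flags in source (and a dynamic scanner provokes over HTTP) is visible in a few lines. The users table, its rows and the tautology payload are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice", "admin"), ("bob", "hash-of-bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: the caller's string becomes part of the SQL grammar.

    A quote in `username` closes the literal and the rest is parsed as SQL,
    so a crafted value can change the WHERE clause.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened: the driver binds the value, so quotes in it stay data."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# A classic tautology payload, constructed for the demonstration.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))  # returns every row
    print("safe:      ", find_user_safe(conn, PAYLOAD))        # returns no rows
```

The pattern to hunt for in a code base is any query text assembled with f-strings, `%` or `+`; the fix is always to move the data into bind parameters, never to escape quotes by hand.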

Plan for the Worst
Organizations can follow every protocol and still suffer a breach, which makes a crisis response plan as urgent as the preventive controls themselves. In 2016, the average time organizations needed to identify a breach was 191 days, and containing it took an average of 70 more. A response plan depends on logging and monitoring that can detect and confirm a breach quickly, and it should be rehearsed before it is needed. The response team should include forensic analysts, legal professionals, and, where appropriate, the public relations department, working from a documented plan so that incidents are handled consistently.

Global cyber warfare is a grim reality, and attacks will continue to escalate and get more sophisticated. There is no way to combat them completely, but building partnerships, identifying the right tools and technologies, employing teams that are up to the challenge, and creating a solid crisis plan will put the private and public sector in a better position, helping safeguard people, institutions, and businesses around the world.

Patrick Walsh is a Senior Vice President at SkillStorm, where he is responsible for the company's technology training initiatives, including developing coursework and curriculum and leading its immersive talent development program.
