Cyber Security

Home working increases cyber-security fears


Peter says that the cyber-attacks on his company are relentless.

“We see tens of different hacking attacks every single week. It is never ending.”

A senior computer network manager for a global financial services company, Peter (who did not want to give his surname, or the name of his employer, due to his firm’s anxieties surrounding cyber-security), says they are bombarded from all directions.

“We see everything,” he says. “Staff get emails sent to them pretending to be from the service desk, asking them to reset their log-in passwords.

“We see workers being tricked into downloading viruses from hackers demanding ransoms, and we have even had employees sent WhatsApp messages pretending to be from the CEO, asking for money transfers.

“And having staff working from home during the lockdowns has just made it worse, as it is much harder to keep an eye on everyone.”

With one in three UK workers currently based exclusively at home, and the same level in the US, this remote working on a vast scale continues to be a major headache for the IT security bosses of companies large and small around the world.

And studies show that many firms are not taking the issue as seriously as they should. For example, one in five UK home workers has received no training on cyber-security, according to a recent survey by legal firm Hayes Connor Solicitors.

The report also found that two out of three employees who printed potentially sensitive work documents at home admitted to putting the papers in their bins without shredding them first.

Meanwhile, a separate UK study last year found that 57% of IT decision makers believe that remote workers will expose their firm to the risk of a data breach.

“In the rush and panic to set remote working practices up, even simple data protection practices were ignored,” says Christine Sabino, a senior associate at Hayes Connor.

“Companies did not provide additional security relating to computers, electronic communication, phone communication.”

So what can both companies and home working staff do to make things as safe and secure as possible?

Ted Harrington, a San Diego-based cyber-security specialist, and author of Hackable: How To Do Application Security Right, says firms should have started by giving all home workers a dedicated work laptop. While many larger companies may well have done this, not all smaller firms necessarily have the resources to do so, but Mr Harrington stresses its importance.

“Supply staff with laptops and other equipment that are owned, controlled and configured by the company,” he says. “This alleviates the burden on your people to set things up right, and ensures they follow the security controls the company wants.”

Definitely don’t have staff using their personal computers for work, says Sam Grubb, an Arkansas-based cyber-security consultant, and author of the forthcoming book How Cybersecurity Really Works.

“The main problem with using your own computer to do work is that you are not limited in what you can do on it, nor are you necessarily the only one that uses it,” he says.

“So while you might not be visiting a shady website to download movies for free, your teenage son could be doing that exact thing on your home laptop without you even knowing.

“This makes it much easier for malware or other attacks to happen. This might affect the work you are doing, or in a worst-case scenario, lead to the compromise of co-workers’ devices, or other company devices such as servers.”

Mr Harrington says that the next step is that companies must set up a VPN or virtual private network, so that remote computers have secure and encrypted connections with the firm’s servers and everyone else in the company.

Mr Grubb uses a transport and wildlife analogy to explain how VPNs work. “A VPN is like a tunnel between two cities,” he says.

“Instead of driving through the dark forest full of tigers, lions and bears, you drive through the underground tunnel, where no one can see you driving until you reach your destination on the other side.”

However, even with work laptops, VPNs and the latest cyber-security software systems in place, staff can still make damaging mistakes, such as falling prey to a “phishing” email – a malicious email pretending to be a legitimate one in order to trick someone into handing over sensitive data.

Scam emails currently doing the rounds include some that tell the targeted person they have been exposed to Covid-19, or invited to have the vaccine. They ask the recipient to click on a link, which then tries to download malware onto his or her computer.

For this reason, both Mr Harrington and Mr Grubb say that it is essential that businesses give staff proper cyber-security training.

“Firms should be providing training to help their employees understand the threats they face,” says Mr Grubb.

Ms Sabino adds that both staff and their bosses need to do their bit. She says, for example, that employees should avoid talking about work on social media, while firms should give shredders to home workers who need to print things out.

With even the most cyber-security aware home workers just one click away from making a mistake, Mr Harrington says that firms need policies in place so that staff know who to immediately report a threat to.

“If an employee falls victim to an attack, make sure that they know a) who to contact, and b) that their outreach is welcome and won’t result in termination,” he says. “You don’t want people afraid of repercussions and thus covering up mistakes.”

Tsedal Neeley, a professor of business administration from Harvard Business School who is an expert on remote working, agrees that home workers should know exactly who to report cyber-security problems to. “Engaging with their firm’s IT/cyber-security experts is crucial,” she says.

Peter, the computer network manager, says this engagement should be frequent. “Users should be suspicious of anything that they are not 100% confident about, and it does not hurt to ask your IT department. It is better to check than be compromised.”


Cyber Security

Biden cybersecurity leaders back incident reporting legislation as ‘absolutely critical’

Senior officials supported fines for companies that don’t comply with proposed cyber reporting regulations.



Senior Biden administration officials are backing congressional efforts to enact new cyber incident reporting requirements for critical infrastructure operators and other companies, as well as other efforts to further entrench the Cybersecurity and Infrastructure Security Agency at the center of the civilian executive branch’s digital security apparatus.

During a Senate Homeland Security and Governmental Affairs Committee hearing today, CISA Director Jen Easterly and National Cyber Director Chris Inglis offered support for incident reporting legislation put forth by Chairman Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio). The bill would require critical infrastructure operators to report significant cyber incidents on their networks to CISA.

Easterly said incident reporting is “absolutely critical” and called CISA’s “superpower” its ability to share cyber threat information across agencies and critical infrastructure sectors.

“What we could do with this information is not only render assistance to the victim and help them remediate and recover from the attack, but we can use that information, we can analyze it, and then we could share it broadly, to see whether in fact evidence of such intrusions were found across the sector, or across other sectors or across the federal civilian executive branch,” she said.

The Peters-Portman bill would also give CISA subpoena authority in the event a company refuses to comply with the reporting requirements. But Easterly said a subpoena “is not an agile enough mechanism to allow us to get the information that we need to share it as rapidly as possible to prevent other potential victims from threat actors.”

Instead, Easterly said lawmakers should look at using fines to enforce compliance.

“I just came from four and a half years in the financial services sector, where fines are a mechanism that enable compliance and enforcement,” she said.

White House National Cyber Director Chris Inglis also backed the idea of fines, but said there should additionally be incentives for reporting incidents to the government.

“We of course don’t want to impose an unfair burden on the victims,” Inglis said. “But this information is essential for the welfare of the whole. There should be rewards for good behavior. If you’ve performed well and thoughtfully in this, the benefit should be obvious, which is that we can provide better services both in response and preventing this in the future.”

In addition to Peters and Portman’s legislation, members of the Senate Intelligence Committee have introduced a cyber incident reporting bill that would mandate a tighter 24-hour window for reporting incidents. The Peters-Portman bill would establish a 72-hour reporting timeline as a minimum.

The bill endorsed by members of the intelligence committee would also cover a broader range of both incidents and reporting entities, including critical infrastructure, federal contractors, agencies, and cybersecurity service providers.

Meanwhile, House Homeland Security Cybersecurity Subcommittee Chairwoman Yvette Clarke (D-N.Y.) has successfully attached an incident reporting bill to the defense authorization bill. Clarke’s legislation is similar to the Peters-Portman bill in that it only applies to critical infrastructure operators and offers a 72-hour timeline as a starting point.

Lawmakers are also eyeing potential updates to the Federal Information Security Modernization Act of 2014. The FISMA reforms are aimed at sorting out roles and responsibilities for cybersecurity across the federal government.

Easterly said she hopes lawmakers will formally establish CISA as the “operational lead for federal cybersecurity” as part of FISMA reform legislation. She also advocated for making agencies “accountable” for investing in cybersecurity, as well as moving beyond “box checking” compliance to what she described as “true operational risk management.”

“I think instantiating all of that in FISMA reform will be incredibly important and helpful for our role,” Easterly added.

President Joe Biden may also issue a directive to clarify the role of the National Cyber Director and other cyber officials across government, according to Inglis, whose office is only a few months old.

“We’re actually taking our time, not because we’re complacent in any way, shape, or form, but taking our time to actually let experience, a modest amount of experience, drive our efforts to then clarify in writing what we believe is the right and proper way to describe that [organizational] chart in action,” he said.

Meanwhile, agencies are continuing to implement Biden’s May executive order on cybersecurity. CISA and the Office of Management and Budget have already released a federal definition for “critical software,” as well as new requirements for storing and sharing data, according to Chris DeRusha, federal chief information security officer at OMB.

OMB and the Department of Homeland Security have also developed recommendations for “new contract clauses that will enhance how the federal government and industry work together to address cyber threats,” according to DeRusha’s written testimony.

“These clauses will streamline the sharing of threat intelligence and notification of incidents,” he added.

During the hearing, DeRusha said OMB is additionally preparing new guidance for agencies on supply chain risk management.

Agencies are also likely to request new funding from Congress to implement the new cyber mandates. After Congress flushed the Technology Modernization Fund with $1 billion as part of the American Rescue Plan, agencies submitted more than 100 project proposals worth a collective $2.3 billion, with 75% of the proposals focused specifically on cybersecurity, according to DeRusha.

“We are focused and made a lot of progress already on baseline hygiene measures,” DeRusha said regarding the executive order. “We’ve also set in place a multi-year strategy and plan. And what we’re going to need from Congress is… some new resources to implement this plan.”

Cyber Security

U.S. to work with Big Tech, finance sector on new cybersecurity guidelines


WASHINGTON, Aug 25 (Reuters) – The U.S. government on Wednesday said it would work with industry to hammer out new guidelines to improve the security of the technology supply chain, as President Joe Biden appealed to private sector executives to “raise the bar on cybersecurity.”

At White House meetings with Biden and members of his Cabinet, executives from Big Tech, the finance industry and infrastructure companies said they would do more about the growing threat of cyber attacks to the U.S. economy.

“The federal government can’t meet this challenge alone,” Biden told the masked executives in the East Room, telling them, “You have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity.”

After the meeting, the White House said the National Institute of Standards and Technology (NIST) would work with industry and other partners on new guidelines for building secure technology and assessing the security of technology, including open source software.

Microsoft (MSFT.O), Google (GOOGL.O), Travelers (TRV.N), and Coalition, a cyber insurance provider, among others, committed to participating in the new NIST-led initiative.

Cybersecurity has risen to the top of the agenda for the Biden administration after a series of high-profile attacks on network management company SolarWinds Corp (SWI.N), the Colonial Pipeline company, meat processing company JBS (JBSS3.SA) and software firm Kaseya. The attacks hurt the United States far beyond just the companies hacked, affecting fuel and food supplies.

“We have a lot of work to do,” Biden said, citing both ransomware attacks and his push to get Russian President Vladimir Putin to hold Russian-based cyber gangs responsible, and the need to fill nearly half a million public and private cybersecurity jobs.

The guest list included Amazon.com Inc (AMZN.O) CEO Andy Jassy, Apple Inc (AAPL.O) CEO Tim Cook, Microsoft CEO Satya Nadella, Google’s parent Alphabet Inc CEO Sundar Pichai and IBM (IBM.N) Chief Executive Arvind Krishna.

After the meeting, Amazon said it would make its cybersecurity training available to the public for free, and it would give multi-factor authentication devices to some cloud computing customers, starting in October.

Microsoft said it will invest $20 billion over five years, a four-fold increase from current rates, to speed up its cyber security work, and make available $150 million in technical services to help federal, state and local governments keep their security systems up to date.

IBM said it will train more than 150,000 people in cybersecurity skills over three years and will partner with historically black colleges and universities to create a more diverse cyber workforce.

Google said it was devoting $10 billion to cybersecurity over the next five years, but it was not immediately clear what if any of the figure represented new spending. It also said it would help 100,000 Americans earn industry-recognized digital skills certificates that could lead to high-paying jobs.

Vishaal Hariprasad, CEO of Resilience Cyber Insurance Solutions, told Reuters his company would work with the government on setting clear standards for cybersecurity, and would require policy holders to meet those standards.

“So, if a company is willing to adhere to the minimum standards, they’ll have insurance, and if not, they’ll have to identify those gaps so they can get to that baseline,” he said.

“It’s not just about getting our companies safer, but also ensuring that we’re doing something to address the bad guys.”

Congress is weighing legislation on data breach notification laws and cybersecurity insurance industry regulation, historically viewed as two of the most consequential policy areas within the field.

Executives for energy utility firm Southern Co (SO.N) and JPMorgan Chase & Co (JPM.N) also attended the event.

The event featured top cybersecurity officials from the Biden administration, including National Cybersecurity Director Chris Inglis and Secretary of Homeland Security Alejandro Mayorkas.

Reporting by Andrea Shalal and Christopher Bing; additional reporting by Jeffrey Dastin and Stephen Nellis in San Francisco; Editing by Lisa Shumaker and Grant McCool

Disclaimer: The views expressed in this article are those of the author and may not reflect those of Kitco Metals Inc. The author has made every effort to ensure accuracy of information provided; however, neither Kitco Metals Inc. nor the author can guarantee such accuracy. This article is strictly for informational purposes only. It is not a solicitation to make any exchange in commodities, securities or other financial instruments. Kitco Metals Inc. and the author of this article do not accept culpability for losses and/ or damages arising from the use of this publication.

Cyber Security

HIMSSCast: Cybersecurity, patient experience and public health dominate HIMSS conversation

HIMSS Media editors sat down in Las Vegas to discuss key takeaways from HIMSS21.



This week the HIMSS global conference was back in person after the COVID-19 pandemic sidelined last year’s event. After a week packed with hundreds of educational sessions, scores of vendor demonstrations and new meet-and-greets, the HIMSS Media editors sat down for a debrief.

Cybersecurity, patient experience and public health were some of the top themes running throughout the conference.

With data breaches and ransomware attacks on the rise, health systems are looking for ways to secure their data from the get-go.

“It needs to be baked in. It can’t be an afterthought, because the stakes are just too high. It’s not just an issue of data breaches anymore. It’s not just an issue of bad press. It is an issue of patient safety, truly,” said Mike Milliard, executive editor of Healthcare IT News.

Speakers also discussed the importance of listening to patients when it comes to innovating new tools.

“What I heard again and again is that healthcare wants to know what the patient wants,” Sue Morse, managing editor of Healthcare Finance News, said. “They don’t want to give them something they don’t want, and they are trying to find out what they want through technology, and reaching them how they want to be reached.”

Discussions of the COVID-19 pandemic ran throughout the show. There were several discussions about the role of digital in public health.

“The pandemic has shown us how hugely important social media, and texting and WhatsApp are to how governments communicate with people, how people communicate with each other,” said Jonah Comstock, editor-in-chief of HIMSS Media.

Talking points:

  • The mood and feel at HIMSS21
  • New cyberattacks require innovations in cybersecurity
  • More attention paid to the voice of the patient
  • Public health infrastructure gaps exposed by the pandemic
  • More work still needed on interoperability
  • Incorporating health equity and clinical trial diversity into the conversation
  • AI/ML in a low-key, but foundational role
  • Star Trek and the Jetsons – models for healthcare
  • Some keynote highlights
  • COVID lessons, positive and negative
  • The telehealth explosion and its aftermath

Show notes:

  • ONC, CDC want to fix the fragmented public health system COVID-19 exposed
  • HIMSS21 tech news: cloud, analytics and interoperability developments
  • Updates and lessons learned from AstraZeneca, MGH’s AMAZE platform
  • Govs. Chris Christie and Terry McAuliffe trade jabs at HIMSS21
  • COVID-19 shined light on new opportunities for public health on social media
  • AI is the new paradigm in forecasting infectious disease risk
  • Former ONC head Rucker: APIs will ‘empower totally new business models’
  • Rainn Wilson makes us grateful for being number two
  • DHA director: Information and technology drive effective pandemic response
