Tag: Ransomware attack

  • Reblog: 2018 Technology Trends

Find out what XMedius' Executive Vice-President and Chief Technology Officer has to say about GDPR compliance, data security, and upcoming tech trends for 2018!

    GDPR is coming into effect in May, what are some of the biggest impacts you think it will have on organizations?

    The General Data Protection Regulation (GDPR) is probably the most transformational digital legislation to ever come into force. Obviously, organizations are racing to meet compliance, but beyond the craze, GDPR will have a long-lasting effect on organizational information architecture in Europe and around the world. Europe is trailblazing with GDPR and it is likely to become the de facto privacy standard for the whole world.

GDPR solidifies a new fundamental right for European citizens: They have an inalienable right over their personal information. Organizations collecting European citizens' personal information are merely custodians and cannot claim ownership of that information. In the digital world, this is the most significant human right.

    Organizations have traditionally considered information they collect as theirs, so GDPR is significantly changing that state of affairs regarding personal information. In fact, not only are organizations relegated to the role of custodians, but that role now carries significant responsibilities in terms of protecting that information. Much like doctors or engineers in regard to their work, all organizations now have an obligation to protect the personal information they collect.

As such, organizations have little choice but to build the foundation of an information security management system (ISMS), at least with a scope around personal information assets. This will do much to advance information security across the board. If done well, organizations can greatly benefit from the governance framework that will be in place to protect personal information.

Another big change that GDPR will bring is that prior to GDPR, “digital” personal information had an extremely low “holding cost”. As such, information could be loosely managed, duplicated across several systems, kept for an indefinite period of time, etc. The new requirements around content, access, erasure and protections will create significant costs for collecting and holding personal information and will have a transformative effect on information architecture. With a high holding cost, organizations tend to centralize information into a few well-protected and well-governed systems. This type of change will not come in the next 6 months, but is likely to be a long-term effect of GDPR.

    You were a panelist at a BrightTALK conference earlier this year after the prolific WannaCry ransomware attack that affected organizations worldwide. How can companies protect against ransomware in 2018?

    Ransomware protection is a great exemplification of the need for “defense in depth”. There is no silver bullet against ransomware. First, it’s important to understand that ransomware is here to stay, and likely to continue to increase in occurrence and intensity in the years to come.

    The rise of ransomware goes hand-in-hand with cryptocurrency becoming mainstream. Cryptocurrency provides a means to exchange cash equivalents in an untraceable fashion, allowing criminal organizations to expand their extortion business to the digital world with little means for authorities to hinder them.

1. The economics of ransomware doesn’t make it effective to use zero-day vulnerabilities to launch a ransomware attack – instead, they use well-known vulnerabilities. As such, the most effective protection measure against ransomware is aggressive patching practices. Patching is an ungrateful task. It interrupts users’ work, breaks systems in unexpected ways, requires testing and causes server downtime, but it is also one of the most effective ways to defend against ransomware by preventing a breach and/or limiting its contagion. Take, for example, the two largest breaches of 2017: NHS and Equifax. Both would have been prevented and/or mitigated to a large extent if patching had been done properly. You don’t need fancy technology, just hard work, commitment and thoroughness.
    2. Backups. If your data is taken hostage, backups will be your best friend. But backups may not be enough in themselves. Ransomware targeting businesses may also target your backup server and/or may encrypt network storage used to store your backup. Offline or offsite backup is the best way to make sure that bad agents cannot prevent you from using your backups to restore data encrypted by ransomware.
    3. Anti-virus & anti-malware is your next line of defense. It helps to prevent the execution of known nefarious code/software. Anti-virus/malware is a requirement, but don’t let this lull you into a false sentiment of protection. Those technologies are not bulletproof, and malware can still get through.
    4. Security Awareness training and phishing impact training are also an important means of stopping ransomware. Users can be your best asset to protect against attacks, but they can also be your worst enemy.
    5. Advanced firewall/NIDS (network intrusion detection systems) may detect or block rogue agents communicating with their command and control, largely mitigating their impact.

    Confidentiality, integrity and availability (or the CIA triad) is a popular model for guiding information security policies within organizations. Are there any extra measures companies can take in 2018?

Today’s information security model is commonly based on the CIA triad, but never before has information taken so many physical forms. With the advent of the Internet of Things (IoT), we may need to also evaluate the security objectives of information assets with regard to the physical integrity of human beings. This is particularly true for autonomous robots or vehicles.

    What is the appropriate level of security regarding human life? A good example of the blurred line of information vs physical security is the recent demonstration by researchers that autonomous driving systems could be “hacked” by putting simple stickers on a stop sign, rendering it unrecognizable and possibly leading to traffic accidents causing serious or fatal injuries.

    What is the acceptable level of physical protection required for implementing surgical robots? Armed robotic guards? Autonomous flying airplanes? Manufacturing robots? Drones?

    As AI and IoT create new forms of autonomous objects, there is a need to integrate security approaches on both information and physical security. An integrated approach is more likely to address all the risks and provide security controls that work towards common goals.

    As someone with their finger on the pulse of technology, what are some of the most innovative ideas you see emerging on the market in 2018?

    Zero UI: The combination of voice recognition technology, natural language API and deep learning is likely to finally deliver on the promises of Zero UI where requests and responses can be achieved in a natural discussion, eliminating the need for a formal user interface. ZeroUI has some limited success in virtual assistants, but is now likely to refine and expand to more diverse systems.

Specialized AI: Despite the hype, computers showing humanlike “generalized” intelligence is not around the corner – it’s still decades away. Nevertheless, computer systems managing to show human intelligence for performing very specific tasks are already available. These systems will revolutionize the workplace and are likely to transform it much like computers and the Internet did decades ago. AI will not “replace” humans per se, but change the way our work is done and make us more productive, allowing us to concentrate on higher-value tasks. On the downside, this is likely to further increase the digital divide between workforces that can harness digital/AI and those who cannot.

Compliance: The cost of cybercrime is already estimated to exceed $3 trillion, is likely to double by 2021, and is a phenomenon considered by experts to be “out of control”.

Authorities across the world are putting together new regulations to impose some basic standards in terms of how organizations need to protect information assets. After HIPAA, FERPA, PCI-DSS and GDPR, more compliance regulations, whether compulsory or mandated, are likely to take force in 2018 and the years to come. All organizations will need to stay on the lookout and adjust their IT strategy accordingly. For those that are not prepared, the change will be painful.

Automation: With salaries rising in East Asia, there is a trend to bring manufacturing closer to its intended market. Robots and automation have reached a tipping point in terms of the tasks they can perform and can now replace low-wage workforces in several areas. This will not only transform manufacturing, but also local services like restaurants and retail, where several tasks can now be economically automated.

    Want to learn more about how you can enable compliance, prevent data breaches, and take your organization’s data governance to the next level? Speak with an expert today about solutions that cater to your specific business needs. Contact us.

    The original article can be found here.

  • Reblog: 3 Major Data Security Risks Every Business Should Know About

Let’s face it – regardless of size and industry, the success of any organization relies on sensitive data. In 2016, news and media outlets were flooded with stories about cyber attacks – from the personal records of nearly 30,000 FBI and Department of Homeland Security workers getting hacked, to dozens of celebrities’ private photos being leaked online. Terms like data security and cybersecurity that were once reserved for IT and security professionals became household names. Just last month, what’s considered to be the biggest ransomware attack in history hit tens of thousands of computers all over the world, disrupting businesses of all sizes.

    With a growing public awareness of the data security risks organizations are faced with, companies of all sizes are under more pressure than ever to keep operations running smoothly without any interruptions from cyber attacks and other data security incidents.

    The truth is that when organizations lose sensitive data, they face an extensive list of liabilities. Costs associated with data breaches can include reimbursement to customers, data recovery fees, and even worse – legal fines. Perhaps the worst consequence of a data breach is that it damages an organization’s reputation. Research conducted by Unisys Corporation revealed that the majority of people would not only lose faith in an organization in the event of a data breach, they’d stop doing business with them altogether. Who can blame them? When cyber attacks and other types of data breaches occur, it’s the public’s health records, credit card numbers, and more that are at stake. Let’s take a look at some of the most prevalent data security risks affecting businesses in 2017, and examine a few ways that organizations can fight back and take their data security to the next level.

    1. Employees Don’t Know How to Protect Data

Up until recently, security skills in the workplace weren’t a topic of discussion, much less part of a standard employee training regimen. Most people just assume that their organization’s IT department has the whole “data security” thing covered. It’s safe to assume that unless we work for a company specializing in IT security, the average worker goes about their day handling and sending sensitive data without thinking about hackers or data loss. It’s actually this lack of security awareness and skills that makes organizations an easier target for hackers, or for disgruntled employees who have access to networks and admin accounts.

    When organizations implement an information security and risk management (ISRM) strategy, it raises awareness and helps everyone to do their part. An ISRM strategy will look different from organization to organization, but a solid internal strategy involves identifying vulnerabilities and putting a few best practices in place. For example:

    Mandatory compliance training for all employees in environments where protected health information (PHI) and personally identifiable information (PII) changes hands regularly. That’s right; not just doctors, administrators, mortgage brokers, and account managers – all employees.

    Training sessions that teach employees best practices such as managing passwords for various devices, locking workstation screens when leaving your desk, the proper handling/destroying of paper documents, or any other small actions that make a big difference when it comes to keeping sensitive data protected.

    Internal vulnerabilities are one of the biggest threats facing sensitive data, and security training and skills growth in the workplace must be ongoing if organizations want to reduce the risk of data breaches.

    2. Fax Machines aren’t Secure Enough to Protect your Data

    When most people hear the word fax, they picture a bulky, outdated technology, but the truth is that many organizations – from schools to healthcare clinics and government offices – use it on a daily basis. Fax technology has certainly come a long way, with organizations now able to send and receive faxes on multifunction printers (MFPs) that also serve as scanners, printers, etc. But even though faxing as we know it has evolved quite a bit, it still relies on physical machines to transmit sensitive data.

Fax machines, in any shape or form, require physical maintenance and are subject to human error. In larger organizations, entire departments may be working off a single centralized machine in order to send and receive important data. Not only does this bottleneck the workflow, it increases the likelihood that sensitive documents are left lying around in the open. Now take this likelihood and imagine the risk involved when two or more organizations send each other data via fax. Even if you can be sure that all of your organization’s physical, network, and process security measures are in place, can you say the same about your recipients? Certain regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), which sets the standard for protecting sensitive data in healthcare, require that subcontractors and business associates also be in compliance.

    Increasingly, organizations of all sizes are choosing to transition over to cloud faxing solutions. When you fax online using software that communicates with fax machines, MFPs, and also faxes directly to a recipient’s email, you ensure that faxes get exactly where they need to go. You eliminate much of the risk associated with paper documents lying around and falling into the wrong hands. As an important bonus, cloud fax solutions are built with the robust security features that help organizations maintain HIPAA compliance or meet many other industry regulations that may apply.

    3. Email Isn’t as Secure as you Think

    It’s no secret that email is the most prevalent method of communication used in business today. Thanks to the internet, we are sharing more than ever, making email an inexpensive and highly effective business tool. It’s so prevalent that for many of us, “catching up on emails” can become a challenge on any work day, no matter which industry we may work in.

    Some practices rely solely on email to send and receive sensitive data. Email is used all the time to send sensitive information like purchase orders, patient information, debit receipts – and the list goes on. Email is also readily available on mobile devices, making it a more accessible tool than ever. While email is rapid, effective, and universally used, it is inherently non-secure. This might best be summed up in an article from Digital Trends:

    “Email isn’t secure because it was never meant to be the center of our digital lives. It was developed when the Internet was a much smaller place to standardize simple store-and-forward messaging between people using different kinds of computers. Email was all transferred completely in the open – everything was readable by anyone who could watch network traffic or access accounts (originally not even passwords were encrypted). Amazingly, email sent using those wide-open methods still (mostly) works.” Read the full article here.

With this in mind, IT professionals work hard to protect communications within their organizational infrastructures. One of the best ways to do this is by using encryption, which scrambles email content until it’s unlocked by a recipient. Encryption can be done at the level of servers, networks, and individual messages. The downside of encryption is similar to the security issue with traditional fax: efforts might be made on your organization’s end to keep data secure, but can you be sure about your recipients? Since most people in the workforce manage dozens if not hundreds of email contacts, the answer is probably not.

    A secure file exchange solution offers a basic way to get sensitive files where they need to go while protecting their confidentiality and availability. Secure file exchange platforms that integrate with your email are an easy-to-use alternative for sending sensitive data. Some use double encryption, which requires recipients to use a key that’s generated when a transfer is initiated as an additional security measure. While designed to be user-friendly, the right secure file exchange platform will also come with plenty of advanced management, auditing and security features so that administrators can customize it to their organization’s specific needs.

    The original article can be found here.

    Looking for a secure file transfer solution that will help your organization save time and money while keeping you in regulatory compliance? Contact us: sales@rincon.co.in