Category: Corporate Risk

Half of management teams lack awareness about BPC despite increased attacks

Trend Micro revealed that 43 percent of surveyed organizations have been impacted by a Business Process Compromise (BPC). Despite a high incidence of these types of attacks, 50 percent of management teams still don’t know what these attacks are or how their business would be impacted if they were victimized.

In a BPC attack, criminals look for loopholes in business processes, vulnerable systems and susceptible practices. Once a weakness has been identified, a part of the process is altered to benefit the attacker, without the enterprise or its client detecting the change. If victimized by this type of attack, 85 percent of businesses would be limited from offering at least one of their business lines.

Read more about the findings of the Trend Micro survey on HelpNetSecurity.

Data Breach Threats Bigger Than Ever

In its 2018 Strategic Security Survey (registration required), Dark Reading polled some 300 IT and security leaders and found that more organizations, not fewer, expect to face data breaches in the coming year compared with the previous year’s survey. Moreover, the companies believe they’re not fully ready to protect their data against intruders.

A large proportion of respondents expect that staffers with privileged access might be the source of a breach, but they’re also wary of attackers from outside mounting one of many sophisticated new attacks. A growing attack surface, distributed denial-of-service extortion, targeted attacks, and ransomware are contributing to the unease that many organizations sense.

Read more about the findings of the new survey on DarkReading.

Uber fined nearly $1.2 million by British and Dutch authorities for 2016 data breach

Uber was fined a combined $1.17 million by British and Dutch authorities for a 2016 data breach that exposed the personal details of millions of customers.

The U.K.’s Information Commissioner’s Office (ICO) announced a £385,000 fine ($491,284) against the ride-sharing company for “failing to protect customers’ personal information during a cyber attack” in October and November of 2016. The Dutch Data Protection Authority imposed its own €600,000 ($679,257) penalty for the same incident. The 2016 cyberattack allowed hackers to access the personal details of 2.7 million Uber customers in the U.K. and 174,000 in the Netherlands.

Read more about this story on CNBC.

GDPR’s impact: The first six months

GDPR is now six months old – it’s time to assess the regulation’s impact so far. At first blush it would appear very little has changed. There are no well-publicized actions being taken against offenders. No large fines levied. So does this mean it’s yet another regulation that will be ignored? Actually, nothing could be farther from the truth.

GDPR is a much-evolved form of European regulation allowing data subjects to file suits against data collectors who they believe are violating their rights. The day GDPR came into law, complaints were filed by data subjects against Facebook and Google. This battle is going to be fought in the courts of 28 EU countries much sooner than in the ministries of the Data Protection commissioners, who enforce the law and hand out fines for violations.

Read more about the GDPR’s impact so far on Help Net Security.

85% of enterprises allow employees to access data from personal devices, security risks abound

Smartphone access is integral for many employees to perform their jobs, and giving workers the freedom to choose their own devices as well as permitting the use of personal devices for work purposes are now concessions made by IT departments nationwide.

A recent report from security firm Bitglass surveyed IT experts, and found that 85% of organizations enable BYOD policies, citing employee mobility (74%) and employee satisfaction (54%) as the top two reasons for allowing BYOD. However, the convenience of BYOD creates a particularly large attack surface for malicious actors to harvest information from these organizations.

Read more about the findings of the Bitglass survey on TechRepublic.

Third parties: Fast-growing risk to an organization’s sensitive data

The Ponemon Institute surveyed more than 1,000 CISOs and other security and risk professionals across the US and UK to understand the challenges companies face in protecting sensitive and confidential information shared with third-party vendors and partners.

According to the findings, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent — up 5 percent over last year’s study and a 12 percent increase since 2016.

Read more about the findings of the new report on Help Net Security.

The majority of business pros aren’t able to prevent cyberattacks

Nearly two-thirds of business professionals aren’t confident in their abilities to prevent and address serious cyberattacks, according to a recent report from the Ponemon Institute and Illusive Networks. The report analyzed how effective organizations are in minimizing damage caused by silent attackers.

The study surveyed 627 IT and IT security practitioners within the US, who are all involved in the IT security solutions and practices within their organizations. Security budgets are expected to increase in the coming year, with threat detection spending growing from 32% to 40%, but preventative security control spending is dropping from 31% to 18%, the report found.

Read more about the findings of the new report on TechRepublic.

60% of firms believe a major security event will hit in the next few years

Only 30 percent of 1,250 senior executives, management and security practitioners in the U.S., U.K. and Canada are confident their business will avoid a major security event in the coming two years and 60 percent believe an attack will hit in the next few years, according to eSentire.

In terms of cyberattack preparedness in global organizations, the research also uncovered gaps between the C-suite, board and technical leaders. Among CEOs and board members surveyed, 77 percent are optimistic about their firm’s ability to cope with a breach. This is in stark contrast to technical leaders on the front lines, who are approximately 20 percent more likely to predict an attack.

Read more about the findings of the eSentire report on Help Net Security.

Cyberattacks Top Business Risks in North America, Europe, EAP

A new report from the World Economic Forum (WEF) shows cyberattacks are the business risk of greatest concern in North America, Europe, and East Asia and Pacific (EAP) regions.

The WEF polled 12,000 private-sector decision makers from about 130 countries to compile its new report, which illustrates regional impact of business risks. Taking all respondents into consideration, cyberattacks are fifth among the top 10 risks of concern. First is unemployment / underemployment, followed by failure of national governance, energy price shock, and fiscal crises. European businesses are most troubled by cyberattacks, which topped the list of concerns in 12 of 37 countries.

Read more about the findings of the WEF report on DarkReading.

95 percent of IT security pros underestimate phishing risks

A new survey of cybersecurity decision-makers shows that most companies lack adequate safeguards against phishing threats and many don’t fully understand the risks or how widespread the threat is. The survey from phishing site detection company SlashNext reveals that 95 percent of respondents underestimate how frequently phishing is used at the start of attacks to successfully breach enterprise networks.

Only five percent of respondents realize that phishing is at the start of over 90 percent of successful breaches. And despite multi-level security controls and phishing awareness training for employees, most organizations remain unaware of their increasing vulnerability to these threats.

Read more about the findings of the SlashNext survey on BetaNews.