About 34 percent of U.S. consumers have been notified their data was breached during a cyber attack, according to a survey released Thursday by The Hartford Steam Boiler Inspection and Insurance Company (HSB).
Only about half of the organizations that suffered a ransomware attack in 2017 recovered their data after paying the ransom, according to a CyberEdge Group survey.
The research and marketing firm spoke with nearly 1,200 IT security pros in 17 countries about their experiences with cyberattacks last year.
Here are five survey insights.
1. Seventy-seven percent of the organizations surveyed suffered a form of a cyberattack in 2017, which is down from 79 percent in 2016. This marks the first time in five years the percentage of organizations who were hit by a cyberattack declined.
2. Just over half (55 percent) of respondents fell victim to a ransomware infection in 2017, compared to 61 percent in 2016.
3. Of the organizations that suffered a ransomware attack, 38.7 percent of victims decided to pay the ransom demand. However, only 49.4 percent of those organizations actually recovered their data, compared with 86.9 percent of the organizations that refused to pay the ransom and were still able to recover their data.
4. Organizations ranked malware as their top concern, followed by ransomware, phishing and credential abuse attacks.
5. Cybersecurity-related budgets are expected to account for 12 percent of an organization’s overall IT spend in 2018, which represents a 4.7 percent growth year-over-year.
Russia, North Korea and Iran are the main sources of hackers targeting financial institutions, while China is the most active in cyber espionage, the report found.
WASHINGTON: The annual cost of cybercrime has hit $600 billion worldwide, fuelled by growing sophistication of hackers and proliferation of criminal marketplaces and cryptocurrencies, researchers said today.
A report produced by the security firm McAfee with the Center for Strategic and International Studies found that theft of intellectual property represented about one-fourth of the cost of cybercrime in 2017.
Over the next three years, blockchain will embark upon a journey that will change the way our data is stored, tracked and verified to restore digital trust.
The surge in data growth through the convergence of technologies is mind-blowing. The enablement of Wi-Fi, mobility services, online digital social interaction, cloud services, and information in general being created digitally instead of on paper has knock-on effects in the physical world around the privacy and security of the data stored about us. (Mellink 2013)
- Some figures predict a 10 to 50 fold growth of the digital data world from 2010 until 2020; this is driven by the transformation of our lives and the world we live in. (EMC Corp 2014)
Privacy and security concerns come hand in hand with the explosion of the new information age and the availability of data. Some of the areas that have particular focus are: medical records, credit and financial information, consumer information, and our personal or social information such as photos.
Medical Industry and Medical Records:
- The medical industry collects information at every interaction, and this information about you can now be captured and stored in an Electronic Medical Record (EMR). The privacy and security questions concern how that data is stored and used: is it given to insurance companies, do family members have access to the information, what happens if a screen with a patient's information is visible to others, what if diagnoses are incorrectly recorded and communicated, and how does this information get corrected? (NitroSecurity, FairWarning)
- You might be surprised that once the data is in the EMR system, the doctor or organisation becomes the custodian of the data. (Potarazu 2013)
Financial and Credit Information:
- The safeguarding of your privacy and the security of your data in the USA, as an example, is regulated by the Gramm-Leach-Bliley Act (GLB), but this is limited to the ability to opt out of sharing information onward with other 3rd parties or outside companies. (Privacy Rights Clearinghouse 2013)
- Privacy is dependent on the privacy notice sent to the customer, which has to be sent out at least once a year. The data belongs to the financial organisation and you have the right to object to inaccurate information. The GLB act only applies to individual consumers and does not cover business accounts or information. (Privacy Rights Clearinghouse 2013)
- Store loyalty cards might seem a great idea, but you sign away the rights to the profile information that is collected to the organisation running the card. These companies are entitled to use that information in their business, possibly selling it on to 3rd parties or using it to sell you other products and services. (Beckett 2014)
Personal, Cloud and Social Media:
- Google, Twitter, Microsoft and Facebook have all come under fire for allowing data to be viewed or accessed by 3rd parties. (Sangani 2010) Privacy policies have not been tight enough in the past. The data on Facebook, for example, is owned jointly by you and Facebook: Facebook owns any IP you give it, because you gave it permission via the Facebook Statement of Rights and Responsibilities. (Facebook 2013) Security is focused around the user protecting the data and access as much as possible themselves.
Summary / Conclusions
Analysts at IDC estimate that only 20% of the digital world has protections around privacy and security, and the level of protection varies globally; there is also much less protection in emerging markets. (Gantz and Reinsel 2012) Data and information are owned solely by yourself only while they are under your control, until you let them out to a third party. In the new digital world, understanding of data privacy and security is lagging behind adoption and use. Information on how companies protect your privacy and security is varied and tends to be in the small print of privacy and security statements. When you have given your data to a 3rd party, in most instances the data is now owned by the 3rd party that is custodian of the data; you might have the right to obtain a copy of what they hold and to correct inaccuracies, but not the right to stop them copying or using the data for their business purposes. (Pentland 2014) There is only one way to keep your information private and secure, and that is not to share it in the first place. But is that really possible in the connected world we live in today? Realistically, probably not. But could we change the model now?
References
BECKETT, Louis (2014). Everything We Know About What Data Brokers Know About You. [online]. Last accessed 22 06 2014 at: http://www.propublica.org/article/everything-we-know-about-what-data-brokers-know-about-you
EMC CORP (2014). EMC Digital Universe Study. [online]. Last accessed 22 06 2014 at: http://www.emc.com/leadership/digital-universe/index.htm
FACEBOOK (2013). Statement of Rights and Responsibilities. [online]. Last accessed 22 06 2014 at: https://www.facebook.com/legal/terms
GANTZ, John and REINSEL, David (2012). The Digital Universe in 2020: Big Data, Bigger Digital Shadows, and Biggest Growth in the Far East. Analyst Report, IDC.
MELLINK, Bart (2013). The Nexus of Forces. Analyst Point of View, Gartner Group. [online]. Last accessed 22 06 2014 at: http://www.himss.org/files/HIMSSorg/content/files/SecurityandPrivacyofElectronicMedicalRecords.pdf
O'CONNELL, Nick (2012). Data Protection and Privacy Issues in the Middle East. [online]. Last accessed 20 06 2014 at: http://www.legal500.com/c/united-arab-emirates/developments/17454
PENTLAND, Alex Sandy (2014). Should social media users retain ownership of their personal data? [online]. Last accessed 22 06 2014 at: http://curiosity.discovery.com/question/social-media-retain-ownership-data
POTARAZU, Sreedhar (2013). Who owns your health data? You may be surprised. [online]. Last accessed 22 06 2014 at: http://www.foxnews.com/health/2013/04/03/who-owns-your-health-data-may-be-surprised/
PRIVACY RIGHTS CLEARINGHOUSE (2013). Financial Privacy FAQ. [online]. Last accessed 22 06 2014 at: https://www.privacyrights.org/financial-privacy-faq
PRIVACY RIGHTS CLEARINGHOUSE (2014). Medical Privacy. [online]. Last accessed 22 06 2014 at: https://www.privacyrights.org/Medical-Privacy
PRIVACY RIGHTS CLEARINGHOUSE (2014). Online Privacy & Technology. [online]. Last accessed 22 06 2014 at: https://www.privacyrights.org/Online-Privacy-and-Technology
RIZZO, Mario (2011). Consumer Data: Who Owns It? [online]. Last accessed 22 06 2014 at: http://thinkmarkets.wordpress.com/2011/05/07/consumer-data-who-owns-it-2/
SANGANI, Kris (2010). Who owns your personal data? [online]. Last accessed 22 06 2014 at: http://eandt.theiet.org/magazine/2010/11/trusting-social-networks.cfm
SCHAFFER, Jonathan L. and RYAN, Jackie (2010). Who owns the data? [online]. Last accessed 22 06 2014 at: http://www.aaos.org/news/aaosnow/apr10/managing2.asp
STAFFORD, Nancy (2010). Who owns the data in an Electronic Health Record? [online]. Last accessed 22 06 2014 at: http://www.ehrinstitute.org/articles.lib/items/who-owns-the-data-in
TROTTER, Fred (2012). Who owns patient data? [online]. Last accessed 22 06 2014 at: http://radar.oreilly.com/2012/06/patient-data-ownership-access.html
Microsoft Enterprise Mobility for Every Business and Every Device
Earlier today in San Francisco, Satya spoke about the wide-ranging work Microsoft is doing to deliver a cloud for everyone and every device. Satya’s remarks certainly covered a lot of ground – including big announcements about the availability of Office on the iPad, as well as the release of what we call the Microsoft Enterprise Mobility Suite.
Regarding the Enterprise Mobility Suite (EMS), I want to share some additional details about the upcoming general availability of Azure Active Directory Premium, as well as our latest updates to Windows Intune.
If you haven’t had a chance to read this morning’s post from Satya, I really recommend checking it out. In the post, Satya talks about the focus of our company being “Mobile First – Cloud First.” I love this focus! The mobile devices that we all use every day (and, honestly, could not live without) were built to consume the cloud, and the cloud is what enables these devices to become such a critical and thoroughly integrated part of our lives.
For years I have emphasized that, as we architect the solutions that help organizations embrace the devices their users want to bring into work (i.e. BYOD), the cloud should be at the core of how we enable this. As I have worked across the industry with numerous customers it is clear that embracing a cloud-based infrastructure for Enterprise Mobility has become the go-to choice for forward-looking organizations around the world who want to maximize their Enterprise Mobility capabilities.
Enterprise Mobility is a big topic – so big, in fact, that it extends beyond mobile device management (MDM) and the need to address BYOD. Now Enterprise Mobility stretches all the way to how to best handle new applications and services (SaaS) coming into the organization. Enterprise Mobility also has to address data protection at the device level, at the app level, and at the data level (via technologies like Rights Management).
With these challenges in mind, we have assembled the EMS to help our customers supercharge their Enterprise Mobility capabilities with the latest cloud services across MDM, MAM, identity/access management, and information protection.
On one point I do want to be very specific: The EMS is the most comprehensive and complete platform for organizations to embrace these mobility and cloud trends. Looking across the industry, other offerings feature only disconnected pieces of what is needed. When you examine what Microsoft has built and what we are delivering, EMS is simply the only solution that has combined all of the capabilities needed to fully enable users in this new, mobile, cloud-enabled world.
Additionally, with Office now available on iPad, and cloud-based MDM from Intune, over time we will deliver integrated management capabilities for Office apps across the mobile platforms.
The capabilities packaged in the EMS are a giant step beyond simple MDM. The EMS is a people-first approach to identity, devices, apps, and data – and it allows you to actively build upon what you already have in place while proactively empowering your workforce well into the future.
The EMS has three key elements:
- Identity and access management delivered by Azure Active Directory Premium
- MDM and MAM delivered by Windows Intune
- Data protection delivered by Azure AD Rights Management Services
Cloud-based Identity & Access Management
Azure Active Directory (AAD) is a comprehensive, cloud-based identity/access management solution which includes core directory services that already support some of the largest cloud services (including Office 365) with billions of authentications every week. AAD acts as your identity hub in the cloud for single sign-on to Office 365 and hundreds of other cloud services.
Azure AD Premium builds on AAD’s functionality and gives IT a powerful set of capabilities to manage identities and access to the SaaS applications that end-users need.
Azure AD Premium is packed with features that save IT teams time and money, for example:
- It delivers group management and self-service password reset – dramatically cutting the time/cost of helpdesk calls.
- It provides pre-configured single sign on to more than 1,000 popular SaaS applications so IT can easily manage access for users with one set of credentials.
- To improve visibility for IT and security, it includes security reporting to identify and block threats (e.g. anomalous logins) and require multi-factor authentication for users when these abnormalities are detected.
The Azure AD Premium service will be generally available in April. For more info, check out this new post from the Azure team.
Windows Intune is our cloud-based MDM and PC management solution that helps IT enable their employees to be productive on the devices they love.
Since its launch we have regularly delivered updates to this service at a cloud cadence. In October 2013 and January 2014 we added new capabilities like e-mail profile management for iOS, selective wipe, iOS 7 data protection configuration, and remote lock and password reset.
Following up on these new features, in April we will also be adding more Android device management with support for the Samsung KNOX platform, as well as support for the upcoming update to Windows Phone.
Data Protection from the Cloud
Microsoft Azure Rights Management is a powerful and easy-to-use way for organizations to protect their critical information when it is at rest or in transit.
This service is already available today as part of Office 365, and we recently added extended capability for existing on-prem deployments. Azure RMS now supports the connection to on-prem Exchange, SharePoint, and Windows Servers.
In addition to these updates, Azure RMS also offers customers the option to bring their own key to the service, as well as access to logging information. Access policy is embedded into the actual documents being shared: when a document is shared in this manner, the user’s access rights to the document are validated each time the document is opened. If an employee leaves an organization, or if a document is accidentally sent to the wrong individual, the company’s data is protected because there is no way for the recipient to open the file.
Cost Effective Licensing
Now with these three cloud services brought together in the EMS, Microsoft has made it easy and cost effective to acquire the full set of capabilities necessary to manage today’s (and the future’s) enterprise mobility challenges.
As we have built the Enterprise Mobility Suite we also have thought deeply about the need to really simplify how EMS is licensed and acquired. With this in mind, EMS is licensed on a per-user basis. This means that you will not need to count the number of devices in use, or implement policies that would limit the types of devices that can be used.
The Enterprise Mobility Suite offers more capabilities for enabling BYO and SaaS than anyone in the market – and at a fraction of the cost charged elsewhere in the industry.
* * *
This is a major opportunity for IT organizations to take huge leaps forward in their mobility strategy and execution, and Microsoft is committed to supporting every element of this cloud-based, device-based, mobility-centric transformation.
EMS is available to customers via Microsoft’s Enterprise Volume Licensing channels beginning May 1st.
There is so much we want to tell you about the Enterprise Mobility Suite and the innovations we are delivering here. This will be a big topic for us at TechEd North America and it will be a big part of the keynote on May 12. See you there!
Palo Alto Networks has announced that it is buying Tel Aviv-based Cyvera for $US200 million, including $US88 million in cash.
The attraction is the Israeli company’s TRAPS (Targeted Remote Attack Prevention System), an endpoint protection system for Windows machines, which PAN will add to its existing firewall and cloud security products.
PAN’s blog post about the acquisition makes the bold claim that Cyvera has “successfully stopped every published zero-day attack since they first began deploying their product”.
Announcing the acquisition, PAN’s CEO Mark McLaughlin tagged endpoint security as a market worth between $US4 billion and $US5 billion.
Details on the operation of Cyvera’s technology are sketchy, but according to the San Jose Mercury News, it impressed PAN’s co-founder Nir Zuk, who said the normal zero-day attack toolkit is “limited to about 20 different techniques … what Cyvera does is basically blocks the bad guys from being able to use those techniques.”
Cyvera’s 55 staff will remain in Israel, and the acquisition is expected to be completed in the second half of the year.
Interesting thing about all of this is that we really believe sending any email or text (which is basically simple text) over SMTP (simple mail transfer protocol) across multiple networks that we don’t own, to servers we don’t own (the internet or cloud), can be secure or not be snooped on. There are lots of tools out there, not owned by the intelligence services, that can do data capture and intercept any data on a network, be it voice, email, anything. Lots of organisations, countries, and people do this, be it for regulatory reasons or personal reasons.
Written on Time. Harry McCracken: 10 Things We Know to Be True About This Microsoft Hotmail Privacy Case, March 22, 2014
Anyway, for Microsoft: It’s ugly. It’s complicated. And it’s a great opportunity for any webmail provider who isn’t Microsoft.
When the news broke on Wednesday that Microsoft had tapped into the e-mail of a Hotmail user who had apparently received stolen software from Alex Kibkalo, a rogue Microsoft employee in Lebanon, I didn’t immediately write about it in this space. It’s a complicated matter, and there’s a lot we don’t know about the details — including the identity of the French blogger who allegedly received the purloined code. (There’s a theory on the web about who the person is, but Microsoft’s criminal complaint doesn’t name a name.)
Still, in the fullness of time, I have come to a few conclusions:
1. You can be sympathetic to Microsoft about the crime apparently committed against it and still deeply unhappy with its response. There are presumably all sorts of questionable, potentially illegal things going on in Outlook.com (the successor to Hotmail) and its competitors. The one sort of case in which we know that Microsoft thinks it’s O.K. for it to spy on your e-mail without a warrant is when you might be stealing its own stuff. It’s a fundamental conflict of interest, and it isn’t completely solved by the company’s new policy which states it’ll seek approval from a former judge before doing this again. (The higher court is still a Microsoft higher court.)
2. Just calling the Hotmail user “a blogger” is misleading. When I hear about a blogger tussling with a giant software company, my instinct, as a journalist, is to side with the blogger. But Microsoft wasn’t just concerned about leaked screenshots showing up online. As the criminal complaint explains, an outsider with Windows source code might be able to crack the operating system’s copy protection. The complaint says that this was Kibkalo’s whole idea in leaking the code, and that the blogger admitted to having previously trafficked in Microsoft activation codes on eBay.
3. Calling the person a journalist or reporter is even more misleading. That’s what Techdirt’s Mike Masnick did, even though the case isn’t just about a leaked-screenshot blog, let alone reporting. Microsoft was worried about leaked SDK code enabling piracy of its software. Even if you’re unhappy about the actions the company took, I don’t think this case is about freedom of the press.
4. These guys were idiots. According to the complaint, Kibkalo and the outsider used Microsoft products such as Hotmail, SkyDrive and Windows Live Messenger to steal Microsoft’s software. When it comes to digital espionage, they were a gang that couldn’t shoot straight.
5. We don’t know what Microsoft has done in other instances. It says that these events which we’re discussing were extraordinary, and perhaps they were. But thanks to the court case, they’re the only ones we know about. (The company says that it will henceforth disclose the quantity of such instances and the number of user accounts impacted on a biannual basis, but unless they crop up in the courtroom, we’ll apparently never know the gist of each individual situation.)
6. We really don’t know what other webmail providers have done. Maybe nothing like this has ever happened to a Gmail user or a Yahoo Mail user. Or maybe far more troubling stuff has been going on. Who knows? Not us. (For the record, TechCrunch founder Michael Arrington says that he’s “nearly certain” that Google once dug around in his Gmail account, although his evidence is far from airtight.)
7. I’m not comfortable that I understand the legal situation. If Microsoft had successfully gotten a court order to search the blogger’s Hotmail, most outsiders would likely find its actions to be reasonable. Microsoft says that it’s impossible to get a court order to search your own servers, but the Electronic Frontier Foundation’s Andrew Crocker says that this is not the case. If Crocker is right, then the only appropriate scenario in future situations such as this is Microsoft getting a court order.
8. Once again, “Scroogled” makes Microsoft look bad, not Google. Microsoft has been telling us that the way Google scans for keywords in Gmail e-mails to serve up related ads is an outrageous privacy violation. That automated practice, which affects every Gmail account, has virtually nothing in common with Microsoft’s contention that it’s acceptable to dig into a single Hotmail account to protect the company’s intellectual property. But it craters Microsoft’s ability to be self-righteous and makes the whole “Scroogled” campaign look even sillier and hypocritical than it already did. (Danny Sullivan of Marketing Land has a good post on this.)
9. This creates a fantastic opportunity for somebody. Microsoft says it reserves the right to keep on doing this, albeit under tighter rules. If Google or Yahoo or somebody else declares that it won’t rummage through your mail without court approval, period, that company would make lemonade out of Microsoft’s lemons. I’m not holding my breath, though: So far, other webmail providers haven’t even said they’ll hew to self-imposed restrictions of the sort which Microsoft now says it’ll follow.
10. In a perverse way, Microsoft has done us all a favor. The French blogger didn’t own that Hotmail account; people who use Outlook.com don’t own their accounts. Their stuff is stored on Microsoft property, and when they signed up for the service, they gave the company broad license to intrude upon it. The same is true for countless other online freebies from other companies.
If we become a more cynical bunch based on these events, it’ll be kind of sad — but it’ll also be a more appropriate attitude than blithely treating a web service as if it really belonged to you.
Four years after Google turned on HTTPS by default in Gmail, and less than a year since the Edward Snowden document leaks, Google removes your ability to opt out of encryption.
Google has removed your ability to get out of encrypting your Gmail, the company announced Thursday.
This follows a 2010 decision to make HTTPS the default for Gmail communications, but up until today Google had given users the ability to not use encryption. Four years ago, the company explained the opt-out as necessary because encryption could “make your mail slower.”
“The team has been working hard to mitigate any performance costs, which now puts us in a position where it no longer makes sense to allow HTTP connections,” a Google spokesperson told CNET. “The large majority of users already use HTTPS connections, so this is the final step in the journey.”
Google notes that Gmail messages are encrypted internally, as they move about Google’s servers and data centers, a measure implemented in the wake of the Edward Snowden leaks. The company also boasted about Gmail’s stability, with service available 99.978 percent of the time.