A Gartner report covered this week on DarkReading found that nearly one out of three companies do not have on-staff cybersecurity expertise. Gartner research director Rob McMillan and principal research analyst Sam Olyaei compiled the 2018 CIO Agenda Survey from over 3,000 respondents, the article said. And while more organizations have cybersecurity staff than in previous years, one third are still lacking a dedicated resource.
With so many data breaches in the news, organizations everywhere are reviewing their cybersecurity programs to ensure they stay out of the headlines. Since many high-profile data breaches have been caused by unaddressed vulnerabilities for which patches were already available, organizations are increasingly looking to deploy solutions that help close these gaps.
How does vulnerability management help prevent hacks?
This week, an article on Healthcare Info Security pointed me to the latest monthly newsletter from the Department of Health and Human Services' Office for Civil Rights, which reminded HIPAA-covered healthcare organizations that software patching is a critical step in securing their networks and offered some advice about the tools and processes to implement. As the article points out, the advice applies to nearly all organizations, not just those in the healthcare sector, but it can be difficult for organizations to put into practice.
By now, you’ve likely heard that the next wireless security protocol has been announced by the Wi-Fi Alliance. WPA3 builds on the previous Wi-Fi Protected Access standards and is designed to address issues with encryption in the previous standard (such as the KRACK exploit against WPA2 revealed late last year). The new standard will utilize 192-bit encryption and Opportunistic Wireless Encryption (OWE), which ensures that communications between the router and each device use their own encryption keys rather than a shared one. There are also new protections against dictionary attacks. The standard is not likely to be broadly adopted until 2019 and may require new hardware if updated firmware is not issued for existing devices.
I’ve written previously that Automation Can’t Replace People in a security program. This week, an article on DarkReading provided more data points on this topic. The shortage of skilled security talent is very real: just 45% of organizations reported that their security teams were fully staffed, according to a DarkReading survey earlier this year. According to a study by (ISC)2 also cited in the article, the shortfall is projected to reach 1.8 million by 2022. As a result, organizations are struggling to hire the staff they need to secure themselves.
An article on SecurityWeek this week announced the results of the IDC Worldwide and U.S. Comprehensive Security Services Forecast, which showed that managed security services are the largest and fastest-growing of the segments covered. The article points to two key drivers of this growth: the growing complexity of security operations and an overwhelming volume of security incidents.
Banks are a prime target for cyberattacks. Banks store and utilize a large volume of confidential data, including their clients’ personal information, account information, and other data. For bank leaders, it’s important to understand the unique challenges and regulations you must meet to protect this data. Attacks may range from malware, phishing, or DDoS to sophisticated compound attacks that use multiple methods at once to infiltrate the organization and compromise security. You must be prepared to prevent, detect, and remediate any potential security incidents.
In a recent article for Forbes, Dave Lewis recalls an experience earlier in his career in which the physical access controls protecting production servers were completely undermined by a lack of proper network segmentation. In the article, he notes that traditional network segmentation is now being replaced by a movement towards “zero trust.” The concepts of “inside the network” versus “outside the network” are melting away as organizations steadily move towards cloud-based and hybrid infrastructures.
It was reported yesterday that Adobe has once again issued a critical patch for its Flash Player browser plugin due to a vulnerability that is being actively exploited to deploy malicious software. We’ve written before about the dangers of Flash, and even Adobe has announced it will end support for the software at the end of 2020. However, while many security-minded professionals have heeded the advice to remove the plugin or enable click-to-run for it, others have not. Many organizations still rely on websites and software that utilize the plugin for needed functionality and can’t simply remove the software entirely.