
2014/05/08

05.08.14 | Firms waste millions on faulty IT security awareness programs, says ISF


What's New:
1. Firms have wasted millions on faulty IT security awareness programs, says ISF
2. Obama should push Congress to beef up big data privacy protections, says report
3. After pledging to protect customer data, Orange reports second major data breach this year
4. Cloud app security exceptions have become the rule, says report
5. Small firms invest big in content security to protect data

Spotlight:
Software vulnerability disclosures on the rise, says Microsoft

Also Noted:
Long live antivirus!; IoT's many security challenges; Much more...


FierceITSecurity

May 8, 2014



What's New

1. Firms have wasted millions on faulty IT security awareness programs, says ISF

By Fred Donovan

Enterprises have spent millions of dollars on information security awareness programs over the years with little to show for the money. In fact, the number of data breaches is exploding. Obviously, something needs to change.

The problem is that many of these programs have been designed to "check the box" for security compliance, rather than to reduce risks to the organization.

Other problems with security awareness programs identified by members of the non-profit Information Security Forum (ISF) include: solutions are not aligned with business risks, neither progress nor value is measured, incorrect assumptions are made about people and their motivations, unrealistic expectations are set, the correct skills are not taught and deployed, and security awareness is just "background noise."

Instead, firms need to "embed" positive information security behaviors in employees that will encourage them to "stop and think" before acting, according to the ISF report.

Training for employees under this new paradigm involves focusing on risk, says Steve Durbin, global vice president of ISF. "While many organizations have compliance activities which fall under the general heading of 'security awareness', the real commercial driver should be risk, and how new behaviors can reduce that risk," says Durbin.

ISF identifies four requirements for an "embedded" information security program: develop a risk-driven program, target behavior change, set realistic expectations and engage employees on a personal level.

"The C-suite has become more cyber-savvy, and regulators and stakeholders continually push for stronger governance, particularly in the area of risk management. Moving to behavior change will provide the CISO with the ammunition needed to provide positive answers to questions that are likely to be posed by the CEO and other members of the senior management team," concludes Durbin.

For more:
- check out the ISF release
- read the report's executive summary (reg. req.)

Related Articles:
3 smarter ways to fight social engineering
Mobile security added to National Cyber Security Awareness Month
How to sneakily lure risk partners into collaborating



2. Obama should push Congress to beef up big data privacy protections, says report

By Fred Donovan

A White House report issued this month is recommending that President Barack Obama push Congress to pass a number of pieces of legislation to strengthen privacy protections in an era of big data.

The report--Big Data: Seizing Opportunities, Preserving Values--was prepared by John Podesta, counselor to the president, at the request of President Obama.

In a blog, Podesta explains that the report recommends the President push Congress to pass a Consumer Privacy Bill of Rights to protect consumer privacy in an era of big data, to pass national data breach legislation along the lines of the White House's 2011 cybersecurity legislative proposal, and to amend the Electronic Communications Privacy Act to cover email, the internet and cloud computing.

In addition, the report recommends that the Obama administration extend the Privacy Act to non-U.S. citizens, beef up protection of student data collected by schools for educational purposes, and identify big data practices and outcomes that have a "discriminatory impact on protected classes and develop a plan for investigating and resolving violations of law," Podesta explains.

Not everyone is thrilled with the report. As our sister publication FierceBigData reports, the U.S. Chamber of Commerce opposes the proposals to expand regulation to protect privacy, while the Electronic Freedom Foundation believes the report's proposals do not go far enough, particularly in the area of metadata and data brokers. In addition, EFF is concerned that a national data breach law may be less strict than a number of state data breach laws, thus lessening consumer protections in those states.

The report's proposals for legislative changes are unlikely to be enacted in a divided Congress, with Republicans controlling the House and Democrats the Senate. On the other hand, proposals for administrative action will have a better chance of succeeding.

For more:
- see the White House report
- read Podesta's blog
- check out the EFF's views

Related Articles:
Praise, criticism as groups dissect White House big data report
White House needs to buckle down on big data, privacy
Data follies and naked doctors



3. After pledging to protect customer data, Orange reports second major data breach this year

By Fred Donovan

French telecom firm Orange said that the personal data of 1.3 million customers was stolen from its online portal, the second major data breach at the company this year, Reuters reports.

Attackers were able to hack into a software platform that Orange uses to send promotional emails and text messages to subscribers who agree to receive them. Information that was stolen includes telephone numbers, birth dates and email addresses.

Orange stressed that no credit or debit card numbers were stolen, but it warned that the personal information could be used to send phishing attacks against customers, the newswire reports.

The company said it detected the breach on April 18 but did not announce it until this week, in order to analyze the stolen data and contact victims, a company spokeswoman told The Wall Street Journal.

The latest breach brings the number of Orange customers who have had their personal data stolen through hacks of Orange's website to 2.1 million.

Ironically, in November Orange chief executive Stephane Richard signed a charter on data protection in which he pledged to keep customers' information safe, Reuters notes.

As FierceITSecurity reported last September, a number of European carriers admitted to major data breaches involving customer data. The largest, a breach at Vodafone's German unit, exposed personal data on two million customers. In that case a hacker was able to compromise its servers and steal customer names, bank codes and account numbers.

For more:
- read the Reuters report
- see the Journal article
- check out the Orange statement (in French)

Related Articles:
Costs of data breaches continue to climb
IT security pros are 'deficient, disconnected and in the dark,' survey finds
Swisscom backup tapes containing personal data stolen



4. Cloud app security exceptions have become the rule, says report

By Fred Donovan

Cloud app security exceptions have become the rule, putting organizations' security at risk, warns the most recent Netskope Cloud Report.

A disturbing 90 percent of cloud app usage is in apps that were blocked at the network perimeter but were granted exceptions, according to the report, which compiles data from Netskope Active Platform users.

"Enterprises who block apps with network perimeter technologies, like next-gen firewalls and secure web gateways, aren't achieving their objectives because most of the usage is in the 'exceptions.' We call this phenomenon 'exception sprawl,'" says Sanjay Beri, CEO and founder of cloud security firm Netskope.

How does exception sprawl happen? Jamie Barnett, vice president of marketing at Netskope, explains in a blog.

"IT sets a policy and the network team blocks a service like Dropbox or Twitter at the perimeter. Then some poor guy in marketing whose job it is to tweet about new product releases goes to IT and asks for an exception. It's granted. Then the ENTIRE marketing team asks for the exception. Granted. The CEO, who has just gotten her groove on in the social media realm, also asks for an exception…for herself AND the entire executive staff. Granted, of course…And so it goes…until you have the vast majority of usage in the exceptions, and the exceptions truly become the rule."

According to the report, the areas in which violations of cloud app usage policy occur most often are storage; social; software development; finance and accounting; and customer relationship management and sales force automation. The most frequent violation is uploading to cloud storage apps.

Netskope found that enterprises use an average of 461 cloud apps, yet IT estimates that there are on average between 40 and 50 cloud apps in their organization.

"If enterprises can learn one lesson from this report, it's that the dam has broken on cloud app usage. To address this IT needs to leverage solutions that provide context around app usage and enact security controls at the user, device and activity level," concludes Beri.
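One way to measure exception sprawl on your own perimeter, as an added example that is not from Netskope or this newsletter: given the block policy and the exceptions granted against it, how much traffic to each blocked app actually flows through those exceptions. The secure-web-gateway log format, the block policy and the user names below are all constructed for illustration.

```python
"""Audit "exception sprawl": the share of traffic to perimeter-blocked cloud apps
that is allowed through granted exceptions.  Added example; the policy and the
gateway log format are constructed, not Netskope's data or code."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed perimeter policy: blocked apps, each with the users granted an exception.
BLOCK_POLICY = {
    "dropbox.com": {"alice", "bob", "carol", "dave", "erin"},
    "twitter.com": {"alice", "bob", "carol", "dave", "erin", "frank", "grace"},
    "github.com": set(),  # blocked, no exceptions granted
}

# Constructed gateway log lines: "<timestamp> <user> <host> <ALLOW|BLOCK> <bytes>".
SAMPLE_LOG = """\
2014-05-06T09:01:02 alice   dropbox.com    ALLOW 120000
2014-05-06T09:03:11 bob     dropbox.com    ALLOW  80000
2014-05-06T09:04:40 mallory dropbox.com    BLOCK   5000
2014-05-06T09:05:05 heidi   dropbox.com    ALLOW  10000
2014-05-06T09:06:30 frank   twitter.com    ALLOW  30000
2014-05-06T09:07:12 grace   twitter.com    ALLOW  20000
2014-05-06T09:08:50 mallory twitter.com    BLOCK   1000
2014-05-06T09:09:00 alice   github.com     BLOCK   7000
2014-05-06T09:09:30 bob     github.com     BLOCK   3000
2014-05-06T09:10:00 alice   salesforce.com ALLOW    999
"""


@dataclass
class AppStats:
    exception_bytes: int = 0   # allowed because the user holds an exception
    blocked_bytes: int = 0     # the perimeter actually refused the request
    unexpected_bytes: int = 0  # allowed with no exception on file: a policy gap


def parse_line(line):
    """Split one constructed log line into (user, host, action, bytes)."""
    _ts, user, host, action, nbytes = line.split()
    return user, host, action, int(nbytes)


def audit(policy, log_text):
    """Bucket traffic to every blocked app by how it got through (or did not)."""
    stats = defaultdict(AppStats)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        user, host, action, nbytes = parse_line(raw)
        if host not in policy:
            continue  # not a blocked app; out of scope for this audit
        s = stats[host]
        if action == "BLOCK":
            s.blocked_bytes += nbytes
        elif user in policy[host]:
            s.exception_bytes += nbytes
        else:
            s.unexpected_bytes += nbytes  # worth a separate investigation
    return dict(stats)


def exception_share(s):
    total = s.exception_bytes + s.blocked_bytes + s.unexpected_bytes
    return s.exception_bytes / total if total else 0.0


def overall_exception_share(stats):
    """Fraction of all traffic to blocked apps that flowed through exceptions."""
    return exception_share(AppStats(
        sum(s.exception_bytes for s in stats.values()),
        sum(s.blocked_bytes for s in stats.values()),
        sum(s.unexpected_bytes for s in stats.values())))


def sprawling_apps(stats, threshold=0.5):
    """Apps whose exception traffic outweighs blocks: the exception has become the rule."""
    return sorted(h for h, s in stats.items() if exception_share(s) > threshold)
```

Run `sprawling_apps(audit(BLOCK_POLICY, SAMPLE_LOG))` to list the apps where the block is nominal, and review the `unexpected_bytes` bucket separately, since it points at traffic the policy should have stopped.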

For more:
- check out the Netskope release
- read the full report (reg. req.)

Related Articles:
Spotlight: Brute force attacks against cloud infrastructure on the rise
Startups dominate SMB cloud security market, says ABI
Evolve or perish: IT security needs to redefine risk in the cloud



5. Small firms invest big in content security to protect data

By Fred Donovan

Faced with increasing threats to their data, small businesses are investing heavily in content security products.

Market research firm Canalys forecasts that the content security market for small businesses will increase at a compound annual growth rate, or CAGR, of 7.8 percent between 2014 and 2017, reaching $3.3 billion by then.

The market grew 5.0 percent in 2013, reaching $2.4 billion, which represents 28 percent of all content security market spending during the year.

"Small businesses are beginning to understand the need to demonstrate to customers that their information is being handled securely, especially in light of numerous data breaches and the NSA scandal," says Nushin Vaiani, a senior analyst at Canalys.

In response, vendors are providing tailored content security products for small businesses. "These solutions focus on simple deployment, a combination of data protection features and ease of management," says Canalys research analyst Karissa Chua.

The top content security vendors are Trend Micro with a 17.2 percent market share, Symantec with 15.3 percent, McAfee with 14.6 percent and Kaspersky Lab with 5 percent, according to Canalys stats.

In response to increased competition, vendors have reduced their prices while increasing the number of features available in their products. This has provided small businesses greater choice and better value for their investment, judges Canalys.

Cloud-based content security products are particularly attractive to small businesses, given the low capital expenditure and remote management by a third party. Canalys forecasts small business investment in cloud-based security services will grow at a CAGR of 36 percent to 2017.

For more:
- see the Canalys release

Related Articles:
Despite Target, Adobe breaches, content security gateway revenue declined last year
Cisco, Check Point, Fortinet top growing security appliance market, says IDC
McAfee closes on Blue Coat for lead in content security gateway appliance market



Also Noted

TODAY'S SPOTLIGHT... Software vulnerability disclosures on the rise, says Microsoft

Software vulnerability disclosures increased 12.6 percent year-over-year and 6.5 percent sequentially in the second half of 2013, according to Microsoft's latest Security Intelligence Report. On the good news side, vulnerability disclosures are below their recent peak levels in the first half of 2012 and well below levels seen prior to 2009. In addition, high-severity vulnerability disclosures declined 8.8 percent sequentially in the 2013 second half after increasing 20.4 percent sequentially in the first half of the year. The most common exploits in the second half were those targeting Java, the report notes. Read more.

Antivirus is dead: Long live antivirus! (KrebsonSecurity)
Internet of Things present host of security challenges (eWeek)
Address bar tweak in early Chrome beta puts even savvy users at risk (Ars Technica)
FireEye develops 'enterprise forensics' with nPulse acquisition (Infosecurity Magazine)
Phishing scams increasingly using mobile apps to bait victims (PC World)

And Finally… A parking lot paved with solar panels (Wired)

Webinars

> Reduce Datacenter Energy Costs by up to 15%: Software Meets Datacenter ROI - Friday, May 16, 2014 - 2 pm ET / 11 am PT

Join us for a look at two Intel Datacenter Software solutions, sample use cases, and implementation overviews. Intel Data Center Manager (Intel DCM): Energy Director provides device-level power and thermal monitoring and management for groups of servers, networking, storage, and other IT equipment. Register Today!

> WEBINAR: Rethinking Enterprise Mobility Management: Beyond BYOD - SPONSORED BY: CA Technologies

Enterprise mobility management is about more than just getting a handle on the flood of BYOD devices coming into the organization. It is about managing the explosion of new devices, applications, content and transactions, which threatens to overwhelm IT managers. Our panel of experts will help you understand how to develop effective strategies that accelerate mobility transformation and prepare your organization for the mobile future. Register Today!

Marketplace

> Whitepaper: Finding ROI in Document Collaboration

Read this Accusoft whitepaper to learn about the factors that make document collaboration more difficult than it should be, and about how to create a collaboration strategy that makes sense for your organization. Download Now!

> Whitepaper: Delight & Engage Customers with Mobile APIs

Read this success story and learn how a robust API and secure API Management powered Keep’s iOS app to become one of the most popular apps in the Lifestyle category in the iTunes App Store.

> eBook: Critical Infrastructure and Cybersecurity

This FierceITSecurity eBook looks at key dependencies among critical infrastructure sectors and how companies in these areas can stay ahead of threats and maximize their defensive efforts. Download this eBook today!

> Whitepaper: 5 Unsung Tools of Dev Ops

Jonathon Thurman shares his five favorite DevOps tools which have been around a long time. They may not be flashy but they're time tested and just work. He also tells you how to use them and how to configure them for maximum value. Download 5 Unsung Tools of DevOps to see which tools make the cut and why.

> eBook: Getting to DevOps (And Getting the Payoff)

DevOps is a more holistic approach to application development, more fully taking into account deployment and ongoing operational needs – and tossing a lot of automation into the mix. This FierceEnterpriseCommunications eBook provides step-by-step guidance on implementing DevOps for CIOs and IT and application development managers. Download this eBook today!

> Whitepaper: 802.11ac in the Enterprise: Technologies and Strategies

Download the White Paper "802.11ac in the Enterprise: Technologies and Strategies" to learn from industry expert Craig Mathias about the technologies behind 802.11ac, deployment misconceptions and review steps that every organization should take in getting ready for 802.11ac.
Download today!

> Whitepaper: Defense Against the Dark Arts: Finding and Stopping Advanced Threats

Today's most-damaging targeted attacks don't occur by happenstance. They are carefully planned and executed by a new breed of professional adversaries. Read this white paper, Defense Against the Dark Arts: Finding and Stopping Advanced Threats to gain a practical understanding of today's Advanced Threat Landscape and strategies for detecting and stopping Advanced Threats. Download today!

> Whitepaper: Longline Phishing: A new Class of Advanced Phishing Attacks

The last few years have seen a dramatic increase in the use of email as a vehicle for cyberattacks on organizations and large corporations. Recently, Proofpoint researchers identified a new class of sophisticated and effective, large-scale phishing attack dubbed "longline" phishing attacks. Download this whitepaper to learn about the unique characteristics of these attacks, how they are carried out, and the alarming effectiveness they have. Download today!

> eBook: eBrief | Best Practices in Mobile Application and Management Delivery

Your organization knows that mobile productivity is important, and it may have already started down the road toward Mobile Device Management (MDM) and Mobile Application Management (MAM). But have you developed a holistic view of application management and delivery -- and its impact on the business? Download this free eBrief to learn about best practices for your mobile deployment.

> Whitepaper: Hardware Test Equipment is the Key to Accurate Network Testing

Surprisingly, many organizations are not adequately testing their networks. Network testing is crucial for any IT organization that wants to ensure availability, security and performance of applications and services running on their networks. Download this whitepaper now to learn more!

> Whitepaper: Supporting VDIs and Thin Clients

Companies have already begun deploying VDIs and thin clients (like Google's Chromebook) on a massive scale. The low-cost, easily deployed workstations present a significant cost savings for companies, but require unique tools to support them. This whitepaper, written by Proxy Networks, outlines the best way to do that. Download now.

> Whitepaper: Four Ways to Improve IT Efficiency

The role of the help desk within businesses has expanded considerably over the last decade, becoming an integral piece of the overall corporate strategy. In this whitepaper, Proxy Networks outlines the best way to align your IT department with that strategy in order to improve overall departmental efficiency. Download now.


©2014 FierceMarkets, a division of Questex Media Group LLC.

Editor: Fred Donovan.