Is Breach Notification A Part Of Your Incident Response Plan?

Heidi Shey

Is customer-facing breach notification and response a part of your incident response plan? It should be! This is the part where you notify people that their information has been compromised, communicate with employees and the public about what happened, and set the tone for recovery. It's more art than science, with different factors that influence what and how you do the notification and response. Unfortunately, many firms treat breach notification as an afterthought or only as a compliance obligation, missing out on an opportunity to reassure and make things right with their customers at a critical time when a breach has damaged customer trust.

At RSA Conference last week, I moderated a panel discussion with three industry experts (Bo Holland of AllClear ID, Lisa Sotto of Hunton & Williams, and Matt Prevost of Chubb) who offered their insights into what to do, how to do it, and how to pay for it and offset the risk as it relates to breach notification and response. Highlights from the discussion:

Apple Did The Right Thing To Defend Customer Privacy, But It Will Make Security And Risk Management More Difficult For You

Chris McClean

Apple's refusal to follow a court order to support the FBI's San Bernardino shooter investigation was the right move for the company and for its customers, as my colleagues and I cover in Fatemeh Khatibloo's blog post here, and in our full, detailed report, here. As we discuss, there are many constituents with a large stake in the outcome of this case, but I will focus on security and risk management decision makers in this post.

There are four key implications to consider:

Forrester’s Security & Risk Spotlight: CISO Expertise From Across The Pond

Stephanie Balaouras

2015 was a tumultuous year for CISOs. Breaches affecting The Home Depot, Anthem Blue Cross Blue Shield, and T-Mobile dominated the headlines worldwide and left no industry, region, or CISO unscathed. These unfortunate spotlights created a slew of negative infosec publicity along with panicked demands from business leaders and customers alike. How secure are we? Ask the CISO. How did this breach occur? Ask the CISO. Why did this breach occur? Ask the CISO. Could we have prevented it? Ask the CISO. How could we let this happen? Ask the CISO.

Yet, CISOs continue to struggle to gain clout and influence with the rest of the C-suite and sometimes it can feel like a thankless role. There is little recognition when you’re doing your job right, but you face a whirlwind of pain and blame the second something goes wrong. The world’s growing emphasis and focus on cybersecurity should be running parallel with the capabilities and reputation of the CISO. Instead, CISOs see their responsibilities increasing with only modest funding increases, recognition, or support from their fellow colleagues.

How Do You Set Your Company Up For Success With Data Classification?

Heidi Shey

Defining your data via data discovery and classification is the foundation for data security strategy. The idea that you must understand what data you have, where it is, and if it is sensitive data or not is one that makes sense at a conceptual level. The challenge, as usual, is with execution. Too often, data classification is reduced to an academic exercise rather than a practical implementation. The basics aren’t necessarily simple, and the existing tools and capabilities for data classification continue to evolve.* Still, there are several best practices that can help to put you on the road to success:

  • Keep labels simple. At a high level, stick to no more than 3 or 4 levels of classification. This reduces ambiguity about what each classification label means. Lots of classification labels increase confusion and the chance of opportunistic data classification (where users may default to classifying data at a lower level for ease of access and use).
  • Recognize that there are two types of data classification projects: new data and legacy data. This will help to focus the scope of your efforts. Commit to tackling new data first for maximum visibility and impact for your classification initiative.
  • Identify roles and responsibilities for data classification. Consider data creators, owners, users, auditors (like privacy officers, or a risk and compliance manager), and champions (who's leading the classification initiative?). Data is a living thing and all employees have a role in classification. Classification levels may change over time as data progresses through its lifecycle or as regulatory requirements evolve.
Answering The Question: What Are The Real And Frightening Risks Within Healthcare Security?

Christopher Sherman

Connected medical devices are transforming healthcare. Unfortunately, security is too often an afterthought for the clinical engineering and business technology (BT) management teams implementing these revolutionary new technologies. In a recent report, Forrester predicted that 2016 will be the year we see ransomware for a medical device or wearable. This is a delicate thought, considering: 1) the healthcare industry is actually behind on data security compared to other industries and 2) the FBI highlighted the risk posed to medical devices in their recent public service announcement: Internet Of Things Poses Opportunities For Cyber Crime.

This research initiative seeks to answer the following: Are there real threats posed by the emergence of connected medical devices? What can you do to protect your patients and employees from life-threatening breaches? Is there an underground market for medical device exploits? This research will publish in early 2016 and will be featured in my talk at the RSA Conference this March.

We are looking for research interview candidates to support this initiative, specifically security professionals working in a healthcare setting or medical device security vendors with current solutions on the market. In exchange for your time, we will provide you with a complimentary copy of the final research. While anyone who participates will have the opportunity to be listed as an interviewee in the final report, all interviews will be treated as confidential unless expressly instructed otherwise.

Daily Fantasy Sports Sites’ Emerging Identity Management & Verification Challenges

Merritt Maxim

Recent business and sports headlines in the US have been dominated by state and federal government efforts to assess whether daily fantasy sports (DFS) sites, such as FanDuel and DraftKings, should be treated and regulated like gambling. The New York State Attorney General recently issued cease-and-desist letters against DraftKings and FanDuel to stop accepting bets in the state, stating that DFS operations are illegal gambling.

Last week, Massachusetts Attorney General Maura Healey announced a plan to allow DFS providers to operate in Massachusetts under certain provisions, such as:

  • Prohibiting anyone under 21 from participating in DFS.
  • Prohibiting professional athletes and other employees of pro teams from participating in DFS.
  • Prohibiting employees of DFS providers from participating in games.
  • Requiring DFS providers to identify "highly experienced" players on all contest platforms and offer "beginner" games that would be off limits to the more experienced players.

These provisions present a range of identity management and identity verification challenges and questions, such as:

  • How will sites verify the ages of online participants?
  • How will systems detect DFS employees?

Two-Factor Authentication (2FA) Companies Continue to be Attractive Acquisition Targets

Merritt Maxim

Last week, Courion announced its acquisition of Nova Scotia-based SecureReset, which, through its QuickFactor product, provides mobile-based two-factor authentication (2FA). This is the fourth acquisition of a 2FA startup by an enterprise software vendor in 2015:

  • Twilio acquired Authy, February 2015 (purchase price N/A).
  • Salesforce acquired Toopher, April 2015 (purchase price N/A).
  • Micro Focus acquired Authasas, July 2015 (purchase price N/A).
  • Courion acquired SecureReset, November 2015 (purchase price N/A).

These acquisitions reflect ongoing enterprise demand for 2FA solutions as an alternative to passwords. By now, the problems with passwords are well-known: They are easy for hackers to steal in bulk, and ongoing advances in computing processing power have eroded password security.

Since a password-free world is still somewhere off in the future, two-factor authentication provides a compelling password alternative that can help mitigate security risks. The evolution toward software-based 2FA form factors running on smartphones instead of dedicated single-purpose hardware tokens has eased deployment and training costs; it has also enabled large-scale consumer deployments of two-factor authentication as a password replacement alternative. These 2015 acquisitions demonstrate the continued interest in two-factor authentication.

Forrester’s Security & Risk Spotlight – Kelley Mak

Stephanie Balaouras

Thanks for tuning in to this week's analyst spotlight podcast with researcher Kelley Mak! Kelley's research concentrates on threat and vulnerability management, web content security, email security and overall trends in security architecture and operations. Kelley is currently working side by side with

Forrester Predictions: What’s In Store For Privacy In 2016?

Heidi Shey

When evaluating the top 10 critical success factors that will determine who wins and loses in the Age of the Customer in 2016, it comes as no surprise that privacy is one of them. In fact, privacy considerations and strategy augment all 10 critical factors that drive business success in the next 12 months.

So, what does this mean for businesses moving forward?

Blue Coat Systems Buys Elastica After Perspecsys

Andras Cser

As we predicted in our Brief: The Emergence of the Cloud Security Gateway, this market is consolidating fast. Blue Coat Systems announced this morning that they are acquiring Elastica. Forrester estimates that the acquisition price was between USD $280M-300M, while Blue Coat Systems has already spent an estimated $180-200M on Perspecsys. Here's how Forrester expects Blue Coat Systems will assemble their Cloud Security Gateway solution:

* Elastica intellectual property (IP): will be used for a) behavioral profiling, b) predictive analytics and c) anomaly detection in access to cloud applications.

* Perspecsys IP: will be used for a) cloud encryption and b) key management.

Blue Coat Systems has a herculean task on their hands: they have to successfully manage

1) Understanding the existing Elastica and Perspecsys product portfolios

2) Integrating the Elastica and Perspecsys product portfolios into one single CSG offering

3) Integrating the resulting CSG solution with existing Blue Coat Systems solutions

4) Managing the natural differences and the post-acquisition attrition of key management and engineering resources from both acquired companies.

Forrester expects that Blue Coat Systems will be able to accomplish the above successfully in 9-12 months.