Security executives have a lot on their plate. They’re grappling with a new breed of cyber-attacks, financially-motivated cyber assailants, and a bevy of new, connected devices that bring unintended security risks to their organization. But it’s not all doom and gloom. C-level executives are relying on new technologies and best practices to fight fire with fire. They’re turning to former enemies for help, getting more bang for the buck, and relying on automation to safeguard their organization’s most critical information assets. To garner the best practices of security leaders, Radware conducted a survey of more than 200 C-level security executives from the U.S. and United Kingdom. The Security and the C-Suite: Threats and Opportunities Report unearthed a series of top recommendations that organizations should heed carefully.
There are several tools in the market that can take the hassle off HR departments. Tools like AppDynamics and Workforce Analytics reduce the burden in several ways. They not only assess and predict whether a potential candidate would accept a job offer or whether the prospect is only in exploration mode; they also track other significant feeds such as social media: for example, culling information on the frequency of a potential candidate’s visits to LinkedIn, the frequency of LinkedIn page updates, whether the candidate is exploring other options, and whether he is asking for recommendations from other LinkedIn users. The tools also provide information on aspects like the cultural fit of a candidate for the organisation, their personality with respect to organization values, etc.
While new financial technology (fintech) is permanently changing how financial institutions operate, it could very well be that the biggest threat to Canadian financial institutions is not fintech challengers, but the legacy systems that prevent them from adapting. In fact, this could be the next major problem that the Big Five banks have to tackle. Dave McKay, the CEO of Royal Bank of Canada, has publicly stated that the biggest threat to financial services is not from without, but from within: "Regulation is not the problem. The biggest barrier to adapting is the incredible legacy systems." The legacy problem becomes more confounding when you consider that banks have some of the smartest leaders, and some of the biggest budgets of any type of business in Canada. So what gives?
With intelligent services, the system knows how to react to this chain of events, and can even “recommend” other actions to take before the leave starts. HR is notified when the recruiting manager submits the leave request. With intelligent services, the SuccessFactors system will automatically reschedule the learning course after the recruiting manager returns, suggest that the recruiting manager update their appraisals and goals, and reroute any pending job candidates to other members of the team. This is not just a win for the manager, her team and candidates; it’s a chance for HR to get out of the administrative and spend more time focused on the strategic.
Quantum effects are being leveraged to generate random numbers at high rates and in ways that make guessing keys impossible, removing an important attack avenue for cyber criminals. Until this quantum effect was used, every other accepted method was not truly random, or was too slow to deliver the security really needed. This vulnerability has been the subject of years of research and community collaboration, including production of standards overseen by the U.S. Department of Commerce’s National Institute of Science and Technology (NIST). Since 1997 NIST has coordinated community-wide participation in a Random Number Generation Technical Working Group to help improve the ability of encryption solutions to leverage increasingly hard-to-break keys.
Hospitals and other large facilities, many of which shift computer equipment between rooms on a routine basis, could see particular benefits from this setup. Giving IT staff direct control of organization-owned machines without requiring physical access means making changes at the snap of a finger, relatively speaking; this could be a boon when updating against the latest malware or virus, or changing settings to reflect new rules and regulations. Best of all, desktop virtualization is the perfect complement for an organization concerned with future-proofing. A growing facility could provision a new fleet of laptops in hours instead of days, easily push a new EHR system (with department-specific configurations) to remote and local devices across all its locations, and make compliance-related changes in the blink of an eye.
IT organizations are under increasing pressure to deliver better performance—as the partners already do—partly because of the growing availability and capabilities of third-party services such as cloud computing, infrastructure as a service, and software as a service. About one-third of business executives see third-party providers as a significant or complete substitute for the IT function’s services. Another source of pressure is the expansion of digital programs. Nearly all respondents (91 percent) say their companies are already pursuing a digital agenda, suggesting that the partnership between business and IT will become only more important over time—especially with so many organizations in the early days of their digital efforts.
Assume that, if the price is right, your system will be hacked. Take a lesson from the Great Wall of China – eventually the invading hordes will get through. The only solution is to design the system so that the security can be replaced once it is hacked. For web-based systems, this is fairly easy, since the security algorithms exist in software on a central web server that you can easily update. For pay TV systems, security algorithms are encoded in hardware and software on a smart card that is inserted into the TV set top box. When the system is hacked, the broadcaster can simply replace the smart card, which sends the hackers back to square one, trying to break a brand new combination of security hardware/software.
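As an added illustration of the replaceable-security design described above (example code written for this digest, not from the quoted article): a versioned authenticator registry in which every tag carries a scheme version, a compromised scheme is revoked rather than the whole system redesigned, and anything still produced under it is rejected. HMAC stands in for whatever proprietary algorithm a smart card would carry, and the class and method names are my own.

```python
import hashlib
import hmac
import secrets


class RenewableAuthenticator:
    """Registry of security schemes keyed by a one-byte version number.

    protect() tags data under the current scheme; verify() accepts any
    deployed scheme that has not been revoked. Retiring a broken scheme
    is a registry update (the analogue of swapping the smart card).
    """

    def __init__(self):
        self._schemes = {}   # version -> (hash name, secret key)
        self._revoked = set()
        self._current = None

    def deploy(self, version, digestmod="sha256"):
        """Roll out a new scheme and make it the one used for new tags."""
        if not 0 <= version <= 255 or version in self._schemes:
            raise ValueError("version must be 0..255 and never reused")
        if digestmod not in hashlib.algorithms_available:
            raise ValueError(f"unknown hash algorithm: {digestmod}")
        # Key generated locally for illustration; a real deployment would
        # provision it from an HSM or key store.
        self._schemes[version] = (digestmod, secrets.token_bytes(32))
        self._current = version

    def revoke(self, version):
        """Retire a scheme once it is known to be compromised."""
        self._revoked.add(version)

    def protect(self, message):
        """Return tag = version byte || HMAC(key_version, message)."""
        if self._current is None:
            raise RuntimeError("no scheme deployed")
        digestmod, key = self._schemes[self._current]
        mac = hmac.new(key, message, digestmod).digest()
        return bytes([self._current]) + mac

    def verify(self, message, tag):
        """Reject unknown or revoked versions before checking the MAC."""
        if not tag:
            return False
        version = tag[0]
        if version in self._revoked or version not in self._schemes:
            return False
        digestmod, key = self._schemes[version]
        expected = hmac.new(key, message, digestmod).digest()
        return hmac.compare_digest(expected, tag[1:])
```

Old tags remain valid after a new scheme is deployed, so clients can be migrated gradually; revocation is the step that cuts the compromised scheme off.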
"Most business directors would never dream of ignoring risk when it comes to funds, but there is a disconnect there in terms of data," Drystek continued. That's why the communication needs to happen directly with the risk owner. Those enterprises that understand that risk is directly connected to business are the ones that are paving the way with sophisticated security programs. ... Those layers of both formal and informal communication most often enable security teams to get information into the right hands. "What I use as a prod is data quality, both integrity and availability. Security risk is business risk. Compliance is a weak form of security where it becomes an insurance issue," Drystek said.
Getting hit with ransomware would be bad enough, but imagine paying the ransom and then having the attacker come back and demand a second ransom? It happens; more and more people pay, but it’s not like a cybercriminal’s promise to decrypt upon receiving the first ransom is a sterling guarantee that the victim’s files will be decrypted. Grossman believes that unlockers – the decryption keys to unlock ransomware-encrypted files which are released to the public by security experts – may not be something people can hope for in the future. Right now, some crooks reuse the same key for all their ransomware infections; once a security researcher gets hold of the key, then they offer it to the public since it works for other victims of the same ransomware to decrypt their files.
Quote for the day:
"Sometimes the questions are complicated and the answers are simple." -- Dr. Seuss