DATA SECURITY

Lack of Remote and Hybrid Work Policies Put Education Industry at Risk for IT Security Issues

Apricorn | July 23, 2021

The leading manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives, Apricorn, has announced various findings for the education sector from the Apricorn Global IT Security Survey, 2021. The survey says the education industry lacks concern about security threats from employees and, due to limited IT security policies related to remote work, has a greater risk for cybersecurity breaches and data loss than other industries. For example, 69.4% of respondents say, as targets that attackers can use to access data, employees at their organizations don't think of themselves,  compared to 37.5% in information technology (IT).

The survey was to compare cybersecurity policies of various industries about hybrid and remote work. More than 400 respondents completed the survey. Unfortunately, the education industry constantly lags behind many other healthcare, manufacturing, IT, and financial services when executing lost/stolen devices and data security policies. Remarkably, compared to 55% in IT, only 26% of respondents in the education industry agreed that they have policies regarding lost/stolen devices.

Many education institutions, in the Fall, will be returning to in-person instruction; however,  in the education sector, most survey respondents (90.77%) said a hybrid work option exists. Organizations in education demonstrated a trend of allowing employee choice when it comes to policy adherence when asked about policies and procedures that have been put in place regarding transporting data and devices. Compared to an average of 52% for other top industries, only 20% of education organizations require encrypted hardware. More than half of EDUCATION organizations permit the use of personal USB devices.

About Apricorn

Founded in 1983, Apricorn is a leading provider of secure storage innovations to prominent companies in education, healthcare, finance, and government throughout North America, EMEA, and Canada. Apricorn products have become the trusted standard for a myriad of data security strategies worldwide. Under the Apricorn brand, numerous award-winning products and patents have been developed.

Spotlight

Webroot conducted research on web security in the U.S. and the UK. As remote users expand the security perimeter, the majority of companies reported significant effects in the form of increased help-desk time, reduced employee productivity and disruption of business activities. The impacts of web-borne attacks are also more severe for companies with employees who have remote access to the corporate network or other corporate online resources via their laptops, tablets or smartphones.


Other News
DATA SECURITY

ContraForce Announces $2M Seed Investment from DataTribe

ContraForce | December 28, 2021

DataTribe, a global cyber foundry that invests in and co-builds next-generation cybersecurity and data science companies, announced today a $2M seed investment in ContraForce, a leader in no-code security automation for small and medium-sized businesses. ContraForce delivers a no-code security automation platform that makes cyber security accessible for small and medium-sized businesses that lack the resources and expertise to defend themselves. In addition, ContraForce also brings this facility to security compliance; a critical feature, as customers, regulators and insurance companies are putting increasing pressure on small and mid-sized organizations to not only be secure, but also to prove it. No longer is it acceptable for smaller organizations to be a step behind in their security and compliance. Hackers are increasingly targeting them for ransomware or as an entry point into a supply chain. Because small businesses typically have limited resources to cope with a cyber attack, cyber attacks can represent an existential risk for them. ContraForce enables small and mid-sized businesses to manage this risk with their easy-to-use, self-service platform to automate threat detection, response, and compliance. “We are thrilled to announce DataTribe's most recent investment in ContraForce on the heels of the company winning the fourth annual DataTribe Challenge,” said John Funge, Managing Director at DataTribe. “By providing a sort of security and compliance ‘easy button’, ContraForce is filling a really significant gap. Just because an organization is small does not mean that it does not possess vital data, IP, or access to strategic networks. It is paramount that smaller organizations overcome the resource barriers to robust security. ContraForce’s unique approach dramatically lowers these barriers.” “I am looking forward to working with DataTribe as we build on the ContraForce team's passion for simple and effective cybersecurity solutions designed for the needs of small and medium-sized businesses,” Stan Golubchik, CEO and co-founder of ContraForce ContraForce’s security and compliance solutions map security vulnerabilities to the industry standard MITRE ATT&CK framework. They create and adapt security detection and response capabilities in real-time, ensuring the environment is secured in hours across the cloud, network, endpoint, and users. By using ContraForce, an organization without dedicated security personnel can respond to threats without having to learn or write complex security detection code and response workflows. About DataTribe DataTribe is a startup foundry that invests in and co-builds world-class startups focused on generational leaps in cybersecurity and data science. Founded by leading investors, startup veterans, and alumni of the U.S. intelligence community, DataTribe commits capital, in-kind services, access to an unparalleled network, and decades of professional expertise to give their companies an unfair advantage. DataTribe is headquartered in the Washington-Baltimore metro area, in Fulton, Maryland. About ContraForce ContraForce is the new no-code security automation company. We focus on securing the small and medium-sized businesses by helping their security and IT teams work smarter, allowing them to implement automated operations that are effective in combating cyberattacks and demonstrating compliance. ContraForce is headquartered in McKinney, Texas and was founded and built by industry security and cloud experts from Armor, McAfee, and Intel. ContraForce's mission is to empower IT and Security teams and enable them to be more efficient.

Read More

PLATFORM SECURITY

Veracode Research Reveals Software Supply Chain Security Shortfalls for Public Sector

Veracode | March 30, 2022

Veracode, a leading global provider of application security testing solutions, has released new findings that show the public sector has the highest proportion of security flaws in its applications and maintains some of the lowest and slowest fix rates compared to other industry sectors. Analysis of data collected from 20 million scans across half a million applications revealed these sector-specific findings as part of Veracode’s annual report on the State of Software Security (SOSS). "Public sector policy makers and leaders recognize that dated technology and vast troves of sensitive data make government applications a prime target for malicious actors. That’s why the White House and Congress are working together to update regulations governing cybersecurity compliance. In the wake of May 2021's Executive Order to improve the nation's cybersecurity and protect federal government networks, the U.S. Office of Management and Budget, Department of Defense and the White House have issued four memos addressing the need to adopt zero trust cybersecurity principles and strengthen the security of the software supply chain. Our research confirms this need.” Chris Eng, Chief Research Officer at Veracode No Time to Waste: Fix More Flaws Faster Veracode’s research found that compared to other industries, the public sector has the highest proportion of applications with security flaws, at 82 percent. When it comes to how quickly organizations fix flaws once detected, the public sector posts the slowest times on average—roughly two times slower than other sectors. The research also revealed that 60 percent of flaws in third-party libraries in the public sector remain unfixed after two years, which is double that of other sectors and lags the cross-industry average by more than 15 months. Finally, with only a 22 percent fix rate overall, the public sector is challenged to keep software supply chain attacks from impacting critical state, local, and educational applications. Eng continued, “Organizations in this sector must act with urgency. They can improve their secure DevOps practices significantly by using multiple types of scanning—static, dynamic, and software composition analysis—to get a more complete picture of an application’s security, which in turn will help them to improve remediation times, comply with industry regulations, and make the case for increasing application security budgets.” High Severity Flaws Are Priority One Demonstrating a positive trend, the public sector ranks highly when it comes to addressing high severity flaws. The research reveals that government entities have made great strides to address high severity flaws, which appear in only 16 percent of applications. In fact, the number of high severity flaws has decreased by 30 percent in the last year alone, suggesting that developers in the sector increasingly recognize the importance of prioritizing flaws that present the greatest risks. This is encouraging and may reflect growing understanding of new software security guidelines, such as those outlined in the U.S. Executive Order on Cybersecurity and the U.K. Government Cyber Security Strategy 2022 – 2030. Eng closed, "Recognizing that time is of the essence, public sector leaders are beginning to set timelines. For example, in “Moving the US Government Toward Zero Trust Cybersecurity Principles”, Shalanda Young has set a deadline of September 30, 2024 for all US federal agencies to meet specific cybersecurity standards. We think that the progress made against high security flaws is a great starting point and support all public sector agencies who seek to gain better control over their software supply chains." About the State of Software Security Report The twelfth volume of Veracode’s annual report on the State of Software Security (SOSS) examines historical trends shaping the software landscape and how security practices are evolving along with those trends. This year’s findings are based on the full historical data available from Veracode services and customers and represent a cross-section of large and mid-sized companies, commercial software suppliers, and open-source projects. The report contains findings about applications that were subjected to static analysis, dynamic analysis, software composition analysis, and/or manual penetration testing through Veracode’s cloud-based platform. About Veracode Veracode is a leading AppSec partner for creating secure software, reducing the risk of security breach, and increasing security and development teams’ productivity. As a result, companies using Veracode can move their business, and the world, forward. With its combination of process automation, integrations, speed, and responsiveness, Veracode helps companies get accurate and reliable results to focus their efforts on fixing, not just finding, potential vulnerabilities.

Read More

DATA SECURITY

HITRUST i1 Assessment control selection leverages security best practices, threat intelligence

HITRUST | December 18, 2021

HITRUST today announced it is addressing the need for a continuously-relevant cybersecurity assessment that aligns and incorporates best practices and leverages the latest threat intelligence to maintain applicability with information security risks and emerging cyber threats, such as ransomware. The design and selection of the controls for the HITRUST Implemented 1-year (i1) Assessment puts it in a new class of information security assessment that is threat-adaptive – designed to maintain relevance over time as threats evolve and new risks emerge, while retiring controls no longer deemed material. Most existing assessment approaches are not designed to keep pace with current and emerging threats; those that do, rely heavily on broad control requirements that raise questions about suitability of control and consistency of review that ultimately impact reliability of results. In contrast, HITRUST identifies information security controls relevant to mitigating known risks and leverages cyber threat intelligence data to influence the selection – and where necessary, updating – of technically-focused HITRUST CSF requirements included in the HITRUST i1 Assessment. As a result, the HITRUST i1 Assessment includes controls selected to address emerging cyber threats active today. “The HITRUST i1 Assessment is unique in both selection of controls and the design of its assurance program. Effort towards completion is comparable to other moderate assurance vehicles while delivering a higher level of reliability,” Jeremy Huval, HITRUST Chief Innovation Officer The HITRUST i1 Assessment is the first information security assessment of its kind with attributes not available through other assurance programs: Designed to maintain relevant control requirements to mitigate existing and emerging threats and provide updates as new threats are identified (It is threat-adaptive, prescriptive, and focused on controls relevant to risk) Designed to sunset controls that have lost relevance and have limited assurance value based on effort required to comply or assess Its unique controls selection and assurance program design deliver a higher level of reliability than other moderate assurance options The level of time and effort to complete is comparable to other moderate assurance options in the market Offers a forward-looking, 1-year certification As the HITRUST i1 was designed around relevant information security risks and emerging cyber threats, it is not surprising it provides coverage for numerous standards, such as NIST 800-171, GLBA Safeguards Rule, HIPAA Security Rule, and Health Industry Cybersecurity Practices (HICP). HITRUST will evaluate security controls and review threat intelligence data no less than quarterly, and for each subsequent major and minor release of the HITRUST CSF, to ensure the HITRUST i1 Assessment requirement selection remains relevant over time. Guidance documents will also drive enhancements to the HITRUST CSF and HITRUST i1 Assessment control sets as needed. While the HITRUST i1 Assessment is intended to adapt and evolve to maintain relevance, it’s important to note that HITRUST i1 Assessment certified organizations will not be impacted by changes to the HITRUST i1 Assessment control requirements until their next HITRUST assessment cycle. HITRUST is hosting a webinar at 11 a.m. CT on Thursday, February 3, 2022, to discuss the HITRUST Implemented 1-year (i1) Assessment in more detail. To register, and for more information, click here: Next Generation HITRUST Information Security Assessment Focuses on Continuous Cyber Relevance About HITRUST Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security, and risk management leaders from the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management frameworks as well as related assessment and assurance methodologies.

Read More

ENTERPRISE SECURITY

Confluera Cloud Research Finds Cybersecurity Concern as Biggest Obstacle to Cloud and Multi-Cloud Adoption

Confluera | February 19, 2022

Confluera, the leading provider of next-generation cloud cyber attack detection and response, today released the findings of their latest research report, which explores how IT leaders detect, evaluate, and act against cybersecurity threats in today's cloud environment. The study, 2022 Cloud Cybersecurity Survey Report, showcases the perspective of 200 U.S. IT leaders at medium to large sized organizations and how they are tackling the increasingly complex remote, cloud-centric IT security landscape. The majority of organizations are accelerating their cloud adoption with 97% of IT leaders surveyed stating that their strategy includes the expansion of cloud deployments. The strategy includes expansion in scale and in many cases, the adoption of multiple platforms such as AWS, Google Cloud and Azure. This strategy is not without its challenges, however. Approximately, 63% of IT professionals identified cyberthreats designed to target cloud services as the top obstacle to their cloud strategy. Cloud and multi-cloud adoption has greatly increased the workload of already burdened IT teams. Of the 200 IT leaders surveyed, only about half of the respondents said that they are adequately staffed to manage the frequency of alerts they receive. IT teams spend 54% of their time investigating security alerts, with over half of those alerts turning out to be false or benign alarms. As threats within the cloud proliferate, IT leaders are looking for solutions to help them quickly separate the signal from the noise so they can act on the real threats promptly. Some key findings of the survey as it relates to cloud deployments are below. More than 65% of IT leaders said cloud IaaS adoption (AWS, Azure, Google Cloud, etc.) was the primary contributor to their increased workload in 2021 When asked what challenges were associated with adopting multiple cloud platforms, 69% said maintaining consistent cybersecurity coverage across all cloud infrastructures Nearly 50% said securing the resources to manage different cloud infrastructures Nearly 45% identified the difficulty detecting threats progressing from one cloud infrastructure to another "While accelerated cloud adoption continues to be a critical element in adapting to the new way of doing business, it has strained IT leader's ability to manage their workload, Organizations need to ensure proper people, processes, and tools are in place for the team to expand the complex cloud environments without sacrificing their attention to security." John Morgan, CEO of Confluera Morgan continued, "To make matters worse, the Great Resignation has demonstrated the burnout that workers across the U.S. economy are feeling, and nowhere is this burnout more obvious than in the cybersecurity teams. Organizations must ensure frequent conversations between executives and cybersecurity managers to ensure they are well equipped to adequately manage alerts, maintain systems, and avoid burnout within their teams. Other key findings include the following: 85% of IT leaders said that they experienced increased workload due to shift in work model including remote workers Nearly 70% of IT leaders said that the change in work model has made it more difficult to keep company resources secure Nearly 59% of all alert investigations turn out to be false alarms or benign activities 90% of IT leaders said they create threat storyboards but close to 60% rely on third-party services to create storyboards after the incident Not all findings in the report were so glum, however. In a positive sign, 84% of IT leaders were optimistic about their cybersecurity readiness for 2022. The majority of respondents note the availability of new cybersecurity tools as the reason for their positive outlook, with 59% saying that a Detection and Response solution for the cloud, or CxDR, is the innovation they are most excited about for future deployment. "2021 was a tough year for many IT leaders, but the market is now providing organizations with the tools they need to effectively manage the infrastructures they have and even expand them further," added Morgan. "Given proper resources and effective communication, IT leaders have every right to be positive as we move into the new year." About the Study Confluera commissioned an independent research firm to survey U.S. IT leaders using a national network of verified panel providers. A total of 200 respondents completed the survey, which was conducted between December 3-7, 2021. Those surveyed included those with senior titles, including Manager, Director, and VP/C-level. The margin of error for this study is +/-5.9% at the 95% confidence level. About Confluera Confluera is the leading provider of next-generation Cloud eXtended Detection and Response (CxDR) solutions. Recognized by Forbes as one of the Top 20 Cybersecurity Startups to Watch in 2021, Confluera's storyboard technology automates cyber attack analysis making small and large security teams more efficient. The solution has unprecedented visibility of attacks in the cloud and modern application architectures, reveals threats in real-time, and will shut down advanced multistage attacks.

Read More

Spotlight

Webroot conducted research on web security in the U.S. and the UK. As remote users expand the security perimeter, the majority of companies reported significant effects in the form of increased help-desk time, reduced employee productivity and disruption of business activities. The impacts of web-borne attacks are also more severe for companies with employees who have remote access to the corporate network or other corporate online resources via their laptops, tablets or smartphones.

Resources