
Security Considerations in a BYOD Culture

The ‘bring your own device’ movement has put security pros on high alert for a new breed of predator who is on the hunt to find ways to exploit the ever-expanding attack surface.

When employees started to bring their BlackBerrys and laptops to work more than a decade ago, CIOs had few security concerns. In large part, it was just the C-suite who found it easier to live in the mobile space rather than on a PC.

Once smartphones came along, though, it became clear that employees were intent on using their own devices to conduct work-related transactions. That marked the start of the bring-your-own-device (BYOD) movement – and a new breed of security predators on the hunt to find ways to exploit the ever-expanding attack surface.

“Incident detection such as lost devices versus breached device or actual versus suspected breach is also a problem. Confidential information is being sent or received over an unsecure channel,” researchers wrote back in 2013, in a paper noting the security challenges that evolved from companies enabling BYOD. “Many mobile devices are always on and connected, so the vulnerability to malicious attacks increases through different communication channels.”

These days, according to Akshay Bhargava, SVP of innovation at Malwarebytes, people carry an average of 3.5 devices each, so the number of endpoints to monitor far exceeds the number of employees, leaving security teams to pick up the vulnerability pieces. So what can security teams do to protect an attack surface that keeps growing with every new endpoint?

The Evolution of BYOD
Let’s start with a look at the BYOD landscape. As it is with most things in technology, security wasn’t the first factor considered when employees started using their personal devices for work purposes. The convenience of checking email on a personal device yielded greater productivity, and that was the main focus.

Security teams accepted this benefit, as well as employees’ growing demand for more control over how and where they worked. This, in turn, enabled the proliferation of devices – what Justin Somaini, Malwarebytes board member and former CISO at SAP and Yahoo, calls the “interception of culture and technical use.”

“Apple’s iOS devices really pushed the needle. It started out as employees saying, ‘I want to have one phone, not two,’” he says. “As the devices got smarter, access to those services became a lot more prevalent, which resulted in a downward adoption that really started from the top.”

The Evolution of BYOD Risk
Privacy considerations and the potential that devices could be lost or stolen were some of the security concerns that emerged early on in the BYOD movement. Gradually those concerns grew to include users accessing and transferring corporate data over unsecured networks. Then data leakage and malicious apps raised alarms.

From an attack landscape perspective, these connected devices increasingly became (and remain) an attractive threat vector for attackers. Innovation has rapidly changed the ways we use technology, which has delivered us to a place where the devices themselves are more sophisticated and have greater access to corporate information and other highly valuable assets, according to Bhargava.

Now, the concerns of security professionals include phishing attacks, business email compromise, and ransomware attacks on mobile devices, according to research recently published by Agari.

“Increasingly, more emails are opened on devices, and criminals are aware of that rampant acceleration. They are betting on the fact that most employees will open email on a personal device,” Bhargava says.

But malicious actors aren’t just rolling the dice. As with traditional attacks on the network, the BYOD attack life cycle begins with the first stages of reconnaissance and exploit. Once criminals are able to compromise a device, they can extract critical data and then move laterally.

“Cybercriminals are targeting phishing attacks accordingly, with email in particular, because the way it appears in Outlook on a desktop is very different from how it looks on a smartphone,” Bhargava says. “They can optimize the subject line and to/from bars in a way that is easier to spoof.”

Blurred Lines
How to secure devices has been one of the greatest challenges that came along with the widespread adoption of BYOD. The issue was not only securing devices, but securing them on par with all other technology within the entire ecosystem.

Security practitioners struggled to find answers to a variety of questions, according to Somaini. “What is that software control to allow or deny software on that device? How do we ensure the configuration is appropriate per what our policy is? How do we make sure that software updates are getting applied? That was a big hurdle for many years until we saw mobile device management [MDM] pieces come out,” he says.

What stood in the way of finding clear-cut answers to those security questions was being able to identify where the company ended and the personal life began. “On one hand, the line between work and personal was getting blurred, but the productivity gains were phenomenal,” Bhargava says. “Employees and the resources they needed were accessible on channels that let employees communicate and collaborate with colleagues.”

The question then became, how do we meet in the middle? Over the course of a decade, organizations have been implementing different security strategies. Organizations, IT, and security have started taking BYOD more seriously and looking at solutions from the people, process, and technology perspectives, with more endpoint solutions serving as a first line of defense.

“The answer was really wrapped around the company’s ability to get visibility and control of that device when they didn’t own it and actually be refined enough to only apply that visibility and control to the services and capabilities that they wanted,” Somaini says.

Succeeding at gaining that visibility and control, though, has been difficult to do with unmanaged devices. MDM software packages created that management and control plane, but Somaini says these solutions were followed by a shift into more of a services and API model, which lacked the necessary visibility and control.

The Future of BYOD Security
The need for both visibility and control has given rise to technologies that enable access to both the personal and work environments. The security capabilities at the core of each of these environments are essentially similar, Somaini says, but solutions that bridge the gap between the consumer and corporate environments provide a more holistic view.

The more mature, security-minded organizations are using a model that will likely be the direction many organizations take as they develop their BYOD policies. “These companies are driving security into the services that they are allowing for those consumer devices and providing free or corporate owned security capabilities on those devices,” Somaini says.

In order to stay ahead of the adversary, organizations need the visibility that comes from the consumer products coupled with the intelligence afforded in the corporate environment.

“Now we have more mature solutions to be able to provide security on mobile devices or workstation laptops to make sure the company is not monitoring access to the personal data, while also making sure that malware isn’t encroaching and that those workstations are patched,” Somaini says. “I think we are getting a lot better.”


Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …

Article source: https://www.darkreading.com/edge/theedge/security-considerations-in-a-byod-culture/b/d-id/1335178?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Planning a Bug Bounty Program? Follow Shopify’s Example

Four years, $1 million in payouts, and the identification of 950 bugs later, Shopify provides an excellent example for organizations looking to launch their own programs.

In early April, Shopify announced the company had paid out over $1 million in bounty payments since launching its bug bounty program in April 2015. The program has helped protect more than 800,000 businesses by resolving over 950 potential vulnerabilities.

With more than 700 reports awarded, the program has been highly successful. Last year was the company’s most impressive year to date, with the total amount paid to hackers increasing to $155,750.

“Bug bounty programs complement Shopify’s security strategy and allow us to leverage a community of thousands of researchers to enhance our platform,” says Pete Yaworski, application security engineer at Shopify.

Whether you are thinking about running your own program, starting with a private program, or partnering with a platform to launch a public program, here are some lessons from Shopify that could help you in the process of launching your own program.

‘Opportunity to Expand’
Though Shopify currently runs a public bounty program, the company ran its own program for about two years before partnering with HackerOne. Yaworski says those two years were extremely informative: Running a private program on its own allowed Shopify to get its feet wet and test things out.

“We found some of the partners who were leveraging our APIs to develop their own apps to extend the platform and recognized the value in having a dedicated channel. After the two-year mark, we had the opportunity to expand, not just with partners and niche hackers, but to expand within the global hacker community,” Yaworski says.

But the company also had to overcome some challenges in the process of preparing for, launching, and improving on its bug bounty program; transitioning wasn’t without its hiccups. For example, when Shopify took its bug bounty program public, it had a huge influx of reports that the company wasn’t exactly prepared for, according to Yaworski. “We knew there would be an influx, but we didn’t anticipate the extent, and we only had one person triaging,” he says.

In addition, while there was “significant” buy-in at the top level – “including engineering support, which is critical because bounties that come in need to be fixed,” Yaworski says – they failed to convey what they were doing to their support teams.

“We had hackers testing support and submitting hacking payloads, but the support team didn’t know what was happening, so that really tied up their bandwidth,” he says.

In hindsight, Yaworski says these obstacles could have been prevented if leadership had been better about conveying what they were doing at all levels across the company; now they are doing more security presentations internally in order to level up knowledge. Additionally, he noted, leadership could have done a better job of identifying what they wanted tested and not tested.

In its current program, Shopify clearly delineates what are acceptable and not acceptable submissions. It notes on its online policy page: “Valid vulnerabilities on any domain not explicitly listed in scope will be accepted but are ineligible for a reward. For example, vulnerabilities on any Shopify owned app or channel not listed below will not be awarded a bounty unless impact on Shopify core can be demonstrated.”

Along its learning curve, Shopify discovered that defaulting to disclosure – meaning the contents of resolved reports are publicly disclosed within 30 days – was important to its program. “We ask the community of hackers to disclose. If they agree, it becomes public for everyone to read,” Yaworski says.

Value of Relationships
The program has proved to be a complement to Shopify’s existing security team, which is focused on compliance auditing and routine pen testing. Even with the best security team, “Bugs are going to slip through the cracks,” Yaworski says. “Partnering with hackers around the world ensures round-the-clock testing so that those inadvertent slip-ups are caught.”

Perhaps the greatest insight gained from the program is the value of building relationships with a global community of hackers. “We are able to leverage their expertise and go deep. Because we are able to keep people coming back, they can level up in their knowledge and test systems that might not have been apparent when they first came in,” Yaworski says.

While a bug bounty program is not a silver bullet, Shopify has evidenced through its program the great value in being proactive and incentivizing hackers to create a library of knowledge from which the greater community can continue to learn.


Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition’s security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM’s Security Intelligence. She has also contributed to several publications, …

Article source: https://www.darkreading.com/theedge/planning-a-bug-bounty-program-follow-shopifys-example/b/d-id/1335177?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DHS’s Bob Kolasky Goes All in on Risk Management

As director of the DHS’s National Risk Management Center, measuring and managing risk for critical infrastructure across 16 industrial sectors, Kolasky stands at a busy crossroads.

As head of the federal National Risk Management Center (NRMC), Bob Kolasky stands at a busy crossroads: It’s where government and industry intersect, as do policy goals and real-world constraints. But it also allows Kolasky to flex considerable muscle in an important security discipline: measuring and managing risk.

“I’m good at being able to cross different disciplines,” says Kolasky, who adds he frequently bridges technical and intellectual issues into policy. “Obviously, I’m closer to the policy process now. But one of the challenging things I work with are experts in 16 different critical infrastructure – security, electrical grids, voting machines, banks – and they all know how that stuff works better than I do.”

Still, he enjoys being part of the mechanisms that allow government and industry to work together, all in the name of reducing risk and improving security. “I like to speak risk language rather than security language so as not to overplay a threat or incident or stifle the ability of security professionals to do their work,” Kolasky says. “I’m also not a technical person, so understanding business and policy and connecting that to risk helps me evaluate and make decisions.”

As director of the NRMC (part of the Cybersecurity and Infrastructure Security Agency, which is itself part of the Department of Homeland Security), Kolasky oversees cross-sector management of cyber and physical risk to the 16 sectors the government considers critical infrastructure (energy, communications, and manufacturing, among others). The center’s main mission is to offer a central venue for government and industry to talk, share, and plan where operational and strategic risk management are concerned.

‘Lasting Public Value’
Since college, Kolasky worked in journalism, then got a master’s degree in public policy focusing on macroeconomics. He worked on homeland security issues during three years at Booz Allen as an analyst and has spent the past 10 years in various risk management positions within the federal government. 

“I’ve wanted to spend my career doing something meaningful and to contribute to lasting public value,” Kolasky says. “But I’m not somebody who equates working for the government as the only way to be a public servant or create public value. You can do that in the private sector, too.”

Bob Kolasky, director, National Risk Management Center, DHS

He believes risk management and critical infrastructure can be viewed from a couple of different perspectives. One is to examine the extent to which entities within a sector are interconnected. “The more interconnected they are, the more cyber-risk is created,” he explains, adding he factors in how concentrated the sector is – a few players or thousands of entities, for example. 

Kolasky also views risk through the prism of how regulated a sector is. “Regulated entities work differently with government and have a different understanding of security and risk,” he says. The legal frameworks under which these organizations are licensed or operate typically translate to higher security standards, not to mention greater reporting and transparency.

One of Kolasky’s notable efforts to bring more risk mindedness to a sector occurred in the aftermath of the 2016 presidential election, when there was a lot of debate about whether the election infrastructure was critical infrastructure. The head of DHS at the time, John Kelly, tried to reach out to state and local officials, but it didn’t go well, according to Kolasky. 

“I started in 2017 trying to rebuild that relationship from mistrust and distrust and use lessons from other critical infrastructure. I talked to secretaries of state, and it wasn’t a pleasant conversation,” Kolasky says. He acknowledged the distrust in some of those conversations, but also emphasized his risk management experience in other sectors and belief in the ability to work together.  

“The information the US had [about Russian meddling in the election] wasn’t perfect, so we had to work on educating ourselves about what we had and didn’t, and work through the protocols of information sharing and communication,” he explains.

He says it was important to address the fear of federal overreach and also deliver something valuable. “We saw the best results when our partners saw there was something of value here and that they could communicate to their constituents to secure elections and fulfill their responsibilities,” he says. 

Bigger picture? “If you can do all that in the moment of stress, you can do it all in moments of less stress to reduce risk and improve security,” Kolasky adds. 

PERSONALITY BYTES

• What his co-workers don’t know about him: I actually know how to relax.

• Electronic must-haves: Podcasts, big-screen TV.

• Favorite hangout: Buck’s Fishing and Camping or somewhere else for dinner, drinks, and good conversation.

• Comfort food: Something I cook myself (pasta bolognese being my first choice).

• On his music playlist right now: New Josh Ritter album (Fever Breaks), always Bruce Springsteen.

• Ride: 2013 Toyota Prius

• After hours: Kids’ sports fields – soccer, basketball, and baseball to watch my three children, 15, 13, 10.

• Favorite team: Washington Nationals.

• Signature style: Whatever is in my closet/drawers.

• Actor who would play Kolasky in film: Jason Segel.

• Next career after security: Entrepreneurship.


Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: https://www.darkreading.com/edge/theedge/dhss-bob-kolasky-goes-all-in-on-risk-management/b/d-id/1335161?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s 2019 and you can still pwn an iPhone with a website: Apple patches up iOS, Mac bugs in July security hole dump

On Monday Apple released a fresh round of security fixes for a load of its operating systems and applications.

The July patch batch addresses vulnerabilities in iOS, MacOS, Safari, watchOS, and tvOS, though many of the updates are for common components across each of the platforms, such as the WebKit browser engine.

For iOS, the 12.4 update brings a total of 37 fixes for various components in the mobile operating system.

More than half of those CVE-listed flaws were found in WebKit, where Apple cleaned up 19 different memory corruption flaws, each potentially allowing arbitrary code execution via poisoned web content, and patched three cross-site scripting vulnerabilities.

The remaining 15 CVE entries included a flaw in the Wallet app that would cause users to inadvertently authorize purchases while on the lock screen, which was discovered by researcher Jeff Braswell. Also included is a fix for a bug in the iOS Telephony software that allowed a Walkie-Talkie connection to be silently activated alongside a call, discovered by researcher Marius Alexandru Boeru and an anonymous colleague.

Project Zero’s Natalie Silvanovich was a big winner this time around, as the Google-backed bug hunter took credit for discovering vulnerabilities in Core Data (CVE-2019-8646, CVE-2019-8647 along with fellow Googler Samuel Groß, CVE-2019-8660 with Groß), Found in Apps (CVE-2019-8663), Foundation (CVE-2019-8641 with Groß), Quick Look (CVE-2019-8662 with Groß), and Siri (CVE-2019-8646).

For MacOS, a total of 44 vulnerabilities were patched in Mojave, High Sierra, and Sierra systems. These include all 22 of the WebKit CVE entries, as well as fixes for flaws in Core Data, Found in Apps, Foundation, Quick Look, and Siri.


In addition, Apple addressed an arbitrary code execution flaw in UIFoundation triggered by Office docs (CVE-2019-8657 discovered by riusksk of VulWar Corp), a flaw in Time Machine that displayed the wrong encryption status for backups (discovered by Roland Kletzing of cyber:con GmbH) and two information disclosure flaws in the Mac graphics drivers (CVE-2019-8691 and CVE-2019-8692) reported by Trend Micro researchers Lilang Wu and Moony Li, Arash Tohidi of Solita, and researcher Aleksandr Tarasikov.

Apple’s tvOS (the firmware for the Apple TV 4K and HD) will get many of the same fixes as iOS, including the WebKit, CoreData, and Siri patches. Users can get the patch from the Settings > System > Software Updates menu.

For watchOS, 23 CVE-listed bugs were patched, all in components WatchOS shares with iOS, including WebKit. That update can be installed via the Apple Watch iOS app.

Finally, Safari on macOS will get fixes for the 22 WebKit issues as well as CVE-2019-8670, an address bar spoofing vulnerability spotted by researcher Tsubasa Fujii. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/23/apple_july_security/

Equifax to world+dog: If we give you this $700m, can you pleeeeease stop suing us about that mega-hack thing?

Data-spaffing consumer credit biz Equifax is offering a package of roughly $700m in order to kill off lawsuits regarding its 2017 super-cyber-heist.

The credit reporting agency announced on Monday it has proposed the payout in hopes of settling class-action suits, as well as state and federal investigations, over its conduct before and after hackers ransacked its systems and gained access to more than 145 million peoples’ personal information.

The settlement proposal has yet to be accepted by judges in the cases, though the US Federal Trade Commission, Consumer Financial Protection Bureau, and attorneys general of the 50 states and territories suing Equifax have all signed off on it.

The terms of the deal include a consumer restitution fund that will range from $300m-425m, depending on how many people file claims. In addition $175m will go to the states and territories, and another $100m will be earmarked for the CFPB. Equifax also agreed to cover the attorney fees and costs for the litigation.

It basically amounts to about four or five bucks per person affected by the database intrusion.

“Companies that profit from personal information have an extra responsibility to protect and secure that data,” FTC chairman Joe Simons said of the proposed deal.


“Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

Meanwhile, Equifax execs are hoping the massive payout will draw a line under the fallout from the 2017 mega-hack and allow the credit reporter to push its other projects.

“This comprehensive settlement is a positive step for US consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” Equifax CEO Mark Begor said.

“The consumer fund of up to $425m that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter.”

Not everyone is so happy with the settlement package, however. US Sen. Ron Wyden (D-OR) put out a statement on Monday blasting the proposals and arguing that company execs should have been personally prosecuted for their negligence in handling the personal information of others.

“Equifax leaders knew its security was pitifully weak and yet did nothing to correct it, according to the FTC. In a just world, these executives would be going to jail,” reads Silicon Ron’s statement to El Reg.

“No one should be able to collect deeply sensitive information on 200 million people without their consent, treat it with reckless disregard and then just pay a fine when a predictable, easily avoidable hack takes place.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/07/22/equifax_cash_breach_suit/

6 Actions That Made GDPR Real in 2019

In the wake of recent fines levied against British Airways, Marriott, and Facebook, companies are starting to take data privacy and security more seriously.

Image Source: Adobe Stock: mixmagic

2019 may well be remembered as the year GDPR got real.

To be sure, July alone has been hopping, with hundreds of millions in fines and settlements being doled out in both the US and UK for violation of the European Union-issued General Data Protection Regulation, which went into effect May 25, 2018.

“I think as of now it’s clear that GDPR is not an empty suit,” says Nader Henein, a senior director analyst at Gartner who focuses on data privacy. “I think the regulators really want to see companies handling personal information more carefully. A lot of organizations were sitting on the fence, but I think these fines are starting to have an impact. A lot of multinationals are paying more attention.”

Yet fines can’t do it alone, adds Matt Radolec, head of security architecture and incident response at Varonis. Real change, he says, must come from all three parties: regulators, complaints and questions from consumers, and guidance from security practitioners.

“Let’s build realistic security guidelines that are actionable and specific,” Radolec says, pointing out that the Risk Management Framework (RMF) developed during the Obama years was very effective in raising awareness.

Here are six GDPR-related actions, in chronological order, that have turned heads during the first part of this year.  


Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/risk/compliance/6-actions-that-made-gdpr-real-in-2019/d/d-id/1335272?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

How Cybercriminals Break into the Microsoft Cloud

Microsoft and Trimarc researchers explore the most common attacks against the cloud and effective defenses and mitigation.

Even companies that previously said “no” to cloud are migrating their services and resources to cloud-based infrastructure. As they do, many are concerned about maintaining the cloud’s rapid update pace and how the new paradigm exposes them to new types of security threats.

Moving to the cloud is one challenge. Knowing how to secure it afterward is another.

“One of the things I recognize, and certainly see for myself, is keeping up with changes at cloud scale is challenging, to say the least,” says Mark Morowczynski, principal program manager at Microsoft. “Organizations go from ‘never cloud,’ to ‘maybe cloud,’ to ‘cloud is an important business component,’ and many are trying to figure out how to determine that risk.”

It’s a challenge from an administrative and operations perspective, he continues, adding that “ultimately the cloud is a huge paradigm shift for people.” From Amazon Web Services to Office 365, there are countless applications that reside in the cloud. Identity protection, security settings, and vendor management are all different to track, and all affect organizational risk.

“We found that many organizations are struggling with what to do once they’re in the cloud, and how to secure their cloud tenant,” says Trimarc CTO Sean Metcalf. “We’re seeing a lot of customers moving to a work-from-anywhere model, and one of the things with that is there’s lots of good fundamentals and best practices we want people to be doing correctly.”

A common concern among businesses is “I don’t know what I don’t know,” he continues. Many organizations simply don’t understand the risks, and they’re moving into the cloud unsure of what they’re doing. The challenge is compounded for those using Microsoft, Google, and Amazon cloud services, he adds, as security controls are often in different cloud environments.

At this year’s Black Hat USA, Morowczynski and Metcalf will discuss threats specific to Microsoft cloud services in their talk, “Attacking and Defending the Microsoft Cloud (Office 365 Azure AD).” The goal, Metcalf says, is to help people understand how to secure Microsoft cloud environments, common mistakes made, and which configurations could make them vulnerable.

“Our approach is very much focused on mitigating real world attacks,” Metcalf adds.

One of the threats the duo plan to discuss is password spraying, which Morowczynski says is one of the most common attacks leveraged against Microsoft users. Historically, people have a “predictable pattern” in password reset policies: they change every 30 days and often switch their password to whatever month it is; for example, “July2019!”

Attackers recognize this behavior, he continues, so they keep a list of usernames and test the password against each one. If the system uses a legacy protocol that can’t support MFA, the attacker will likely succeed. “Good fundamentals really go a long way in protecting against attacks,” he notes, recommending companies abandon legacy authentication in favor of MFA.

Of course, “this isn’t a new issue,” Metcalf points out. “The on-prem environment password spray is something that’s been pretty prevalent. It’s just the fact that where the data is, what attackers want to get to, is located in the cloud.”

As attackers pivot to the cloud, it’s easier for them because the default configuration leaves these services available to the Internet at large, he explains. Organizations want their users to be productive from anywhere; with that access, an intruder could bounce around from a few different IP addresses to attempt to break into an account.

Metcalf describes a customer who had no MFA configured on any accounts, enabling an attacker to password-spray any environment. Because cloud and on-premise systems had the same passwords, they could break into one account, connect to a VPN, and gain access to a corporate environment. “That’s an extension of how bad an attack like that can be,” he says.
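The spray pattern described above (one guess tried against many accounts, a few source IPs, often over legacy authentication that cannot enforce MFA) can be picked out of sign-in logs. The following detection is an added example, not code from the Black Hat talk, Microsoft or Trimarc; the log line format, the sample events and the thresholds are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data). The line format is an
# assumption for this example, not any vendor's log schema.
SAMPLE_LOG = """\
2019-07-22T08:00:01Z ip=203.0.113.10 user=alice@example.com proto=legacy result=FAIL
2019-07-22T08:00:04Z ip=203.0.113.10 user=bob@example.com proto=legacy result=FAIL
2019-07-22T08:00:07Z ip=203.0.113.10 user=carol@example.com proto=legacy result=FAIL
2019-07-22T08:00:10Z ip=203.0.113.10 user=dave@example.com proto=legacy result=FAIL
2019-07-22T08:00:13Z ip=203.0.113.10 user=erin@example.com proto=legacy result=SUCCESS
2019-07-22T08:00:16Z ip=203.0.113.10 user=frank@example.com proto=legacy result=FAIL
2019-07-22T08:01:00Z ip=198.51.100.7 user=alice@example.com proto=modern result=FAIL
2019-07-22T08:01:02Z ip=198.51.100.7 user=alice@example.com proto=modern result=FAIL
2019-07-22T08:01:04Z ip=198.51.100.7 user=alice@example.com proto=modern result=FAIL
2019-07-22T08:01:06Z ip=198.51.100.7 user=alice@example.com proto=modern result=FAIL
2019-07-22T08:01:08Z ip=198.51.100.7 user=alice@example.com proto=modern result=FAIL
2019-07-22T08:05:00Z ip=192.0.2.22 user=bob@example.com proto=modern result=FAIL
2019-07-22T08:05:30Z ip=192.0.2.22 user=bob@example.com proto=modern result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"proto=(?P<proto>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return an event dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose attempts inside any `window` touch at least
    `min_users` distinct accounts while no single account is tried more than
    `max_per_user` times. The low per-account rate is what separates a spray
    (one password, many users) from a brute force against one account.
    Returns one finding per flagged IP, using the window with the most users."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        for i, start in enumerate(events):
            # All events from this start point that fall inside the window.
            win = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in win:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "ip": ip,
                        "window_start": start["ts"].isoformat(),
                        "distinct_users": len(per_user),
                        # Accounts the spray got into; these need a reset and review.
                        "successes": sorted(
                            e["user"] for e in win if e["result"] == "SUCCESS"
                        ),
                        # Legacy auth cannot enforce MFA, so a hit here is worse.
                        "legacy_auth": any(e["proto"] == "legacy" for e in win),
                    }
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOG):
        print(finding)
```

On the sample, only 203.0.113.10 is reported (six accounts in 15 seconds over legacy auth, one of them successful); the five failures against a single account from 198.51.100.7 are a different pattern and are not flagged as a spray.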

The two hope attendees take away a better understanding of security risks inherent to cloud services, how attackers exploit misconfigurations, and where they might be vulnerable. While their content is focused on Microsoft, some attack and defense topics apply to other providers.


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/how-cybercriminals-break-into-the-microsoft-cloud/d/d-id/1335314?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Equifax to Pay Up to $700mn for Data Breach Damages

In a settlement with the FTC, consumers affected by the breach are eligible for up to $20,000 in a cash settlement, depending on damages they can prove.

In 2017, Equifax suffered one of the most infamous data breaches in US history. Personal information of roughly 148 million people was compromised, and the company since has paid for the breach in terms of reputation damage and careers harmed, and now another bill is coming due — this one from the US Federal Trade Commission.

The FTC has announced a settlement with Equifax that will result in the company paying at least $575 million and as much as $700 million to the agency, the Consumer Financial Protection Bureau (CFPB), and 50 US states and territories.

Variation in the total amount comes from uncertainty over just how many consumers will take advantage of the settlement’s cash terms. Individuals are eligible for up to $20,000 in a cash settlement depending on the damages they can prove.

In addition, Equifax has agreed to provide at least four years’ monitoring of credit reports at the three major credit bureaus, and up to ten years’ credit monitoring at Equifax, for every US consumer. Those who were minors in May 2017 are eligible for 18 years of credit monitoring.

Both the fine and its sheer size are significant, according to Alex Calic, strategic technology partnerships officer for the Media Trust. “Companies need to be aware that they can’t wait for the breach to occur anymore and just say ‘sorry.’ They know there’s going to be a financial penalty,” he says.

That financial penalty has surprised some because of its size — though whether they’re surprised because it’s so large or so small depends on their point of view. Not everyone was caught off guard, though: “The size didn’t surprise me. I wouldn’t have been surprised to see several times larger, or half this size,” admits Rob Clyde, board director and past chair of ISACA. “Below that amount would have raised eyebrows, but you also don’t want to destroy the company. There’s a balance to be hit.”

The FTC appears to want to prevent other companies finding themselves in situations similar to Equifax’s breach. “The Equifax fine was to punish people for not paying attention,” says Kiersten Todt, managing director of the Cyber Readiness Institute. “If I’m reading the tea leaves, the FTC wants companies to invest in resiliency, not just in response.”

She points out the difference between this case and the 2013 Target breach: “after, Target executives were more willing to pay for response than prevention. But now the scale is shifting.”

It remains unclear whether the Equifax fine by the FTC is a sign of things to come. “We’ll see more and more regulators ‘bring the hammer down’ and levy some of the largest fines ever seen to raise the sense of urgency. This time it’s the FTC, next could be European GDPR, then the upcoming California Consumer Privacy Act,” says Pravin Kothari, CEO of CipherCloud.

The fine isn’t likely to have a devastating operational impact on Equifax, experts say. “The best outcome isn’t Equifax making the situation right – although that is important for all of those affected – it’s everyone else learning that the price to be paid outweighs the inconvenience of ensuring proper measures are taken to secure the data that puts them at risk in the first place,” says Adam Laub, CMO of STEALTHbits Technologies. “It’s got to be from the ground up, too. There’s no silver bullet.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/equifax-to-pay-up-to-$700mn-for-data-breach-damages/d/d-id/1335315?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Chrome 76 blocks websites from detecting incognito mode

Have you ever bypassed a website paywall using a browser’s privacy mode?

It used to be a simple hack to read an article without registering, paying, or logging in to the publisher’s website. However, it will no longer work for most subscription-based websites.

At the moment, for example, visit any article on The Washington Post news site while in Google Chrome’s Incognito mode, and you’ll get the following message:

We noticed you’re browsing in private mode. Private browsing is permitted exclusively for our subscribers. Turn off private browsing to keep reading this story, or subscribe to use this feature, plus get unlimited digital access.

This is annoying, not because it means the visitor can’t access the story (the publisher is, of course, within its rights) but because it seems to be imposing restrictions on the whole idea of private browsing.

If it’s up to publishers to decide when a visitor is allowed to remain private, is that mode really private?

Plans to remedy the loophole

As we reported earlier this year, Google agrees and has laid out its plans to “remedy the loophole” websites have been using to detect visitors using Chrome’s Incognito mode.

The loophole in question is Chrome’s FileSystem API, which is disabled in Incognito mode to keep people’s browsing activity private. Eventually, websites twigged that receiving an error when checking whether this API was accessible was a simple giveaway that visitors had gone Incognito.

This doesn’t matter to sites that have ‘hard’ paywalls because a login is required regardless of browsing mode. The issue arises on sites that try to whet readers’ appetites by offering two or three free articles, which means they need to plug ways of beating this limit.

According to Google, starting with Chrome version 76 on 30 July 2019, publishers will no longer be able to detect Incognito mode by checking the FileSystem API. And just in case publishers look for other methods – the FileSystem API being far from the only giveaway – Google warns:

Chrome will likewise work to remedy any other current or future means of Incognito Mode detection.

The company’s advice to publishers is to adjust their settings to allow more or fewer free articles, or to ask users to log in – something that’s likely to have paywall site owners muttering under their breath.

Privacy illusion

Google is spot on with this move. Detecting when users of any browser are using Incognito mode goes against the spirit of privacy, even if it’s not being done to directly track people as such, and any information that some browsers share and others don’t helps add to a browser’s fingerprint.

Detecting Incognito mode is also a weak defence that’s easily bypassed by using different browsers in sequence, for instance Chrome followed by Firefox, Safari and Opera.

Ironically, the real problem with private browsing or anonymity modes is they don’t actually do the job you think they do. They block web history from being recorded on a device but not the numerous parties watching web activity, such as ISPs, advertisers, and website owners.

No, private browsing doesn’t hide porn site visits

Unfortunately, a lot of people take the misleadingly named anonymity offered by private browsing too literally, assuming it’ll hide things like visits to porn sites.

It won’t, of course, as a recent study on the user tracking carried out by websites (including by companies such as Google and Facebook, no less), reminds us.

Never forget that on the internet, everyone can see you click.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7mBVTCcCHZk/

6 Actions that Made GDPR Real in 2019

In the wake of recent fines levied against British Airways, Marriott, and Facebook, companies are starting to take data privacy and security more seriously.

Image Source: Adobe Stock: mixmagic


2019 may well be remembered as the year GDPR got real.

To be sure, July alone has been hopping, with hundreds of millions in fines and settlements being doled out in both the US and UK for violation of the European Union-issued General Data Protection Regulation, which went into effect May 25, 2018.

“I think as of now it’s clear that GDPR is not an empty suit,” says Nader Henein, a senior director analyst at Gartner who focuses on data privacy. “I think the regulators really want to see companies handling personal information more carefully. A lot of organizations were sitting on the fence, but I think these fines are starting to have an impact. A lot of multinationals are paying more attention.”

Yet fines can’t do it alone, adds Matt Radolec, head of security architecture and incident response at Varonis. Real change, he says, must come from all three parties: regulators, complaints and questions from consumers, and guidance from security practitioners.

“Let’s build realistic security guidelines that are actionable and specific,” Radolec says, pointing out that the Risk Management Framework (RMF) developed during the Obama years was very effective in raising awareness.

Here are six GDPR-related actions, in chronological order, that have turned heads during the first part of this year.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.

Article source: https://www.darkreading.com/risk/compliance/6-actions-that-made-gdpr-real-in-2019/d/d-id/1335272?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple