STE WILLIAMS

The FBI’s Internet Crime Complaint Center (IC3) logged more than 301,000 complaints of Internet crimes last year that resulted in losses of more than $1.4 billion — and that’s just from consumers and businesses that reported incidents to the bureau.

Victims who reported attacks to the IC3 mostly were hit with so-called non-payment/non-delivery scams, personal data breaches, and phishing attacks. The most-costly types of Internet crimes reported to the FBI were business email compromise (BEC), confidence/romance fraud, and non-payment/non-delivery scams.

Ransomware, the darling of the cybercrime and nation-state hacker scenes, actually declined in 2017, according to the FBI IC3 data, from 2,673 complaints in 2016 to 1,783 last year. Victims of ransomware lost more than $2.3 million last year, versus $2.4 million in 2016.

But that data may well be skewed by shifts in ransomware targets: the drop in ransomware reports to the FBI could be due to the rise in those attacks on more lucrative targets than consumers — larger organizations. It also could reflect larger organizations not reporting their attacks to IC3.

“The FBI IC3 only reports on what is given to them. In the case of ransomware specifically, victims seem even less inclined to report — to the point where it hampers our ability to go after the bad guy,” says John Bambenek, vice president of security research and intelligence at ThreatSTOP.

Bambenek says many large enterprises may have the resources in-house to handle the incident without law enforcement, and some corporate counsels may advise reporting a ransomware attack if it’s not required. In addition, he notes, cryptojacking’s recent rise also has contributed to lower ransomware numbers as attackers have found a simpler and more lucrative way to make money than relying on ransom payments.

BEC
Meanwhile, reported BEC and email account compromise (EAC) attacks netted the most losses to victims last year, with 15,690 BEC complaints and losses of more than $675 million. These types of attacks dupe business users into transferring money, purportedly to their supplier or other business partner. EAC is where an attacker wrests control of a legitimate user’s business email account rather than use a phony account.

So-called confidence fraud/romance schemes, where a fraudster poses online as a love interest or other trusted person to squeeze money from the target, netted attackers more than $211 million last year, according to the IC3’s report. Scams where victims paid for an item or service online that never arrived or they didn’t receive payment for an item (non-payment/non-delivery) resulted in more than $141 million in losses to victims.

Another popular scam last year was tech support fraud, which increased by 90% over 2016. The IC3 logged nearly 11,000 complaints of attacks that resulted in losses of $15 million.

The top 10 US states with the most victims of Internet crime were California (41,974), Florida (21,887), Texas (21,852), New York (17,622), Pennsylvania (11,348), Virginia (9,436), Illinois (9,381), Ohio (8,157), Colorado (7,909), and New Jersey (7,657).

“We want to encourage everyone who suspects they have been victimized by online fraudsters to report it to us,” says Donna Gregory, chief of the IC3. “The more data we have, the more effective we can be in raising public awareness, reducing the number of victims who fall prey to these schemes, and increasing the number of criminals who are identified and brought to justice.”

Related Content:

• Deconstructing a Business Email Compromise Attack
• FBI IC3: Tech Support Scam Losses Rose 86% in 2017
• 6 Tips to Protect Against Technical Support Fraud

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/endpoint/privacy/fbi-reported-internet-crimes-topped-$14-billion-last-year/d/d-id/1331751?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Data protection and privacy regulations affect organizations of every stripe. Whatever your business, if you have customers or employees, you have data that requires protection under some state or federal mandate. Such regulations are intended to ensure that proper precautions have been taken to protect potential victims of digital crimes such as fraud or identity theft stemming from malicious actors gaining access to data through hacking, technical malfunction, or human error.

Alphabet Soup of Laws and Standards
It’s important to note before any discussion of regulatory compliance begins that following the rules doesn’t guarantee your systems and data will remain secure. As the saying goes, “compliance is a floor, not a ceiling,” and so meeting the minimum standards under the law should be regarded as a starting point. Where you take your information security program from there depends on your industry, the kinds of data your organization deals with, and its appetite for risk.

Data security and privacy regulations make up an expanding landscape made up of a long, overlapping, and often confusing alphabet soup of laws and standards like HIPAA, SOX, FCRA, GLBA, PCI DSS, GDPR, PIPEDA, and others. Security and risk management decision makers must understand the nature of these laws and set security strategies accordingly or suffer the consequences of falling short of their demands. It’s not an easy task, but it is a manageable one when broken into its parts.

The first step of that process involves recognizing the ways (apart from blatantly ignoring the regulations) an organization might inadvertently fall outside the bounds of compliance.

Common Conditions That Can Compromise Compliance
The three most common conditions that can compromise a compliance program are the use and proliferation of so-called shadow IT (technologies that operate within the enterprise outside the purview of IT management); a failure to document compliance processes or enforce existing processes; and a lack of visibility into the means of collecting, managing, and storing data.

Certainly, there will likely be gaps in even the most rigorous of compliance programs, especially since compliance is a dynamic, ever-evolving endeavor. Laws change, technology changes, and the threat environment changes, so processes must change in response. Data management that includes security policies, training and awareness programs, technology maintenance, and regular systems and response testing is required. “Set it and forget it” is not a real option.

Consequences of Non-Compliance
Believe it or not, compliance saves money! According to a recent study from Ponemon and Globalscape, “The True Cost of Compliance with Data Protection Regulations,” the cost of non-compliance to businesses now runs an average of $14.8 million annually, a 45% increase since 2011. The cost of compliance, on the other hand, was found to average $5.5 million, up 43% from 2011. It’s clear that non-compliance puts your organization at greater risk of a data breach, and a data breach is certain to come with a steep financial cost as evidenced by the rash of well publicized data breaches since 2017 alone. Here are six ways a non-compliant organization might suffer in the event of a data breach:

Lawsuits
A data breach doesn’t only affect the breached organization but may also put at risk the associated employees, consumers, customers, partners, and service providers — any of which may decide to take legal action seeking justice and protection. Win or lose, a lawsuit can be an expensive proposition.

Bank Fines
If credit card data is affected, banks may end up reissuing new cards to their customers. When that happens and the banks incur associated costs, they will likely seek to recoup those costs from the organization whose breach prompted the action by levying fines or added fees.

Governmental Audits
Any egregious breach of consumer data risks action by the Federal Trade Commission (FTC) acting on behalf of US consumers. If the organization was found to be out of compliance and negligent, the FTC may not only fine the company but also require expensive annual compliance audits for years following the negligent behavior. In April of this year, the Securities and Exchange slapped Yahoo with a $35 million fine for waiting two years to disclose its massive 2014 data breach in which Russian hackers stole personal information on approximately 1 billion user accounts.

Compensation and Remediation Costs
Among the many costs involved with a security failure are those associated with forensic investigations to determine the source and cause of the breach, fix the gaps that were exploited, and address any residual risk to consumers and others. Someone has to pay for free credit monitoring services, after all.

When Nothing Is Safe
A data breach may cause consumers to lose trust in the affected organization. When that happens there’s a good chance that they will take their business elsewhere. Consider the number of retail security breaches in 2017, online or in stores, including Sears, Kmart (twice), Delta, Best Buy, Saks Fifth Avenue and Lord and Taylor (parent company Hudson’s Bay), Under Armour, Panera Bread, Forever 21, Sonic, Whole Foods, Gamestop, and Arby’s. What’s more, who can forget when cybercriminals hacked Equifax and stole the personal data of 145 million people, including Social Security numbers, not to mention Shadow Brokers, WannaCry, NotPetya, Bad Rabbit, and more.

Lost Reputation
When word of a data breach gets out, loss of reputation soon follows. To mend fences with all affected parties, organizations will incur costs associated with increased marketing, communications, and public relations campaigns. As the saying goes, a good reputation takes years to gain — but a moment to lose.

Data Management Matters
Given the risk of failure, it’s important to implement a strong data management program as a part of an organization’s security and compliance strategy. If you don’t know what data you have, where it’s stored, who has access, and how it is used, it’s impossible to keep it secure — and to prove compliance. Data management provides a framework for understanding how information moves through the enterprise. It helps with security and compliance in three primary ways:

1. Workflow and Process Automation
Human error continues to be one of the weakest links in the security chain. Workflow and process automation remove the human factor from many tasks that might otherwise be vulnerable. Automating processes associated with vital applications and services, and doing so while the organization’s security and compliance functions operate in the background, lets users focus on their jobs while giving management greater peace of mind.

2. Centralized Control and Visibility
Not knowing what’s happening in your network is unsettling — and can mean the enterprise is at risk of a breach. As networks grow more complex and as perimeters expand to include mobile devices, the cloud, and more, IT administrators need even greater levels of transparency into the network in order to gain a top-down view of the infrastructure that’s required to achieve compliance and mitigate other security and performance risks.

3. Custom Compliance Profiles and Reporting
Every organization has its own set of regulatory expectations and challenges based on industry, size, risk appetite, and a thousand other factors. One-size-fits-all doesn’t apply; specialized compliance tools offering customized data workflows and configurations ensure that, whether facing PCI DSS, HIPAA, SOX, or some combination of these and other regulations, a tailored profile and reporting structure is needed.

Related Content:

• 6 Tips for Building a Data Privacy Culture
• A Data Protection Officer’s Guide to GDPR ‘Privacy by Design’
• The Cybersecurity Mandates Keep On Coming

Peter Merkulov serves as chief technology officer at Globalscape. He is responsible for leading product strategy, product management, product marketing, technology alliances, engineering and quality assurance teams. Merkulov has more than 16 years of experience in the IT … View Full Bio

Article source: https://www.darkreading.com/cloud/compliance-complexity-the-(avoidable)-risks-of-not-playing-by-the-rules/a/d-id/1331704?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

(Image: Tanatat via Shutterstock)

The decision to embrace cloud should not be purely based on cost. After all, there are many factors driving cloud adoption, and most aren’t based on financial savings but agility, says JP Morgenthal, CTO of Application Services at DXC Technology.

“It’s more of an operational concern than a cost concern,” he explains, noting that, as you adopt cloud-based infrastructure and applications, what should be top-of-mind is not the price tag but the myriad ways in which the change will affect business processes. People are moving to cloud for improved agility, productivity, and quick access to sophisticated tools, he says, not to save money.

“A few years ago, I would have said most are enabling their business to get to the cloud, trying to save money,” adds Robert LaMagna-Reiter, director of information security at First National Technology Solutions. “I think they quickly learned that’s not the case.”

Moving to the cloud is a process that affects the entire enterprise. So, while cost should not be the sole factor driving adoption, it’s something all technology and business leaders will want to keep in mind. Cloud is also complicated with several factors driving the overall price. Consequently, cost reduction is no longer a top driver for cloud adoption. But as you prepare to embrace the cloud, you’ll want to know how the change will affect your overall budget, and why.

Let’s take a close look at eight common and often unforeseen costs that businesses face as they adopt, and operate in, cloud-based environments. Were there any unexpected costs you encountered as your company shifted to the cloud? Feel free to share in the comments.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/cloud/calculating-cloud-cost-8-factors-to-watch-/d/d-id/1331735?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A survey of millennials and post-millennials in the US gives some optimism about the cybersecurity talent gap, which seems doomed to worsen due to perception challenges about industry careers, poor access to early training, and unrealistic job requirements.

Enterprise Strategy Group (ESG) polled 524 millennials and post-millennials in the US to learn their perspectives on the skill shortage. Data shows 68% consider themselves either a tech innovator (27%) or early adopter (41%). Technology drives this generation’s education choices: 48% were part of a STEM program during their K-12 years and 82% plan to attend college after high school. Of the college hopefuls, 23% plan to study computer science and technology.

Part of the challenge in getting young people into cybersecurity is making them aware of the field. Nearly 70% have never taken a security class in school, and 65% said their school never offered a security course. “Don’t know enough about this field/career path” was the most popular reason cited among those who were not interested in cybersecurity. Other reasons for poor interest included a lack of technical aptitude and level of education required in security.

Researchers wanted to learn how women will play a role in cybersecurity’s future, so they parsed their data according to respondents’ gender. What they found at first seems discouraging. Twice as many men than women plan to study engineering in college, twice as many men will pursue computer science, and twice as many men are considering IT careers.

However, some key nuggets indicate women could change the game in security. Female respondents showed quicker and higher rates of adoption for new technologies, with 52% of women stating this compared with 42% of men. More women have advanced tech such as virtual reality in their households, and more women indicated they have spent time using (and would spend more time using) these technologies. Ten percent more women plan to enroll in college.

It’s worth noting two tech-related career fields equally interest men and women: video game development and, yes, cybersecurity. Women are more excited by security than men, with 57% of female millennials expressing excitement compared with 40% of male millennials.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/careers-and-people/millennials-women-may-bridge-cyber-talent-gap/d/d-id/1331754?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Anyone who has tried to recruit information security professionals in recent years knows how hard it can be to find qualified people. Unfortunately, while there has been quite a bit of dialogue around recruiting, there has been far too little around retention. Tragically, retention is most often overlooked, even though it is arguably more important than recruiting.

Over the course of my career, I’ve seen organizations do a variety of things that cost them their best security talent. There are some circumstances that are simply unavoidable. But in many cases, talent leaves for reasons that are all too preventable. Isn’t a valuable resource that you’ve invested time and money in worth more to you than one that you haven’t yet invested in?

It is in this spirit that I present to you 20 signs you are heading for a retention problem.

Problem 1: No board support: Retention success starts at the top. Talented security professionals have lots of choices when it comes to where they work. Who wants to work in an environment whose value is constantly questioned, that is constantly underfunded, and where one’s existence needs to be constantly justified?

Problem 2: No executive support: If senior leadership doesn’t believe that security is important to the organization, how can those working in the security organization be expected to see a future for themselves there?

Problem 3: Not enough funding: Security is hard enough when adequately resourced but when it is inadequately resourced, it becomes an unwinnable battle. Good people want to work, not wage war.

Problem 4: Lack of vision: The most successful security programs have a clear and concise vision. The best security professionals like to know in which direction they’re headed. It helps them focus and perform to their full potential.

Problem 5: Bad boss: Studies have shown repeatedly that the boss is the most important factor when it comes to retention. Have an idiot or a jerk in charge of things? Kiss that security talent goodbye.

Problem 6: Lack of qualified team members: No one enjoys pulling five times the weight of everyone else. The more team members there are that aren’t up to par, the harder it becomes to retain the top performers.

Problem 7: Failing technology: There are few things more frustrating than fighting with inadequate technology. Knowing exactly what needs to be done and how to do it only to find yourself held back by technology can quickly put top talent in a foul mood.

Problem 8: No collaboration between operations and engineering: The best security solutions are those that meet the needs of the operators. If there is no communication between those who deploy and those who operate, what hope is there for long-term success? The impact of this point on retention is greater than most people realize.

Problem 9: Micromanaging: As management, it is expected that you will communicate what you need from your staff. That’s your job. But don’t try and tell highly skilled professionals how to do what you need them to do. That’s their job.

Problem 10: Not approaching security operations strategically: There is a limit to how much of a “Wild West” approach to security operations top performers can take. After a while, if there isn’t some order to the chaos, they will lose their patience.

Problem 11: Failure to take incident response seriously: Sooner or later, every organization will face a serious or critical incident. Seasoned security pros know this, and thus each day that goes by without a serious approach to incident response makes their blood boil a bit more. At some point, they may conclude that the organization will never get serious about incident response and run for the hills.

Problem 12: Unpreparedness: No one likes getting caught with their pants down professionally. Concern about this is a big reason people move on to greener pastures.

Problem 13: More PowerPoint than PowerShell: Well-run security programs allow their staff to spend more time working and less time explaining what they’re doing to others. If your best people end up spending more than half of their time explaining what they do to others, I think it’s safe to say that their days with you are numbered.

Problem 14: Butts in seats: If you measure productivity by time spent in the office rather than by output, say goodbye to your best employees.

Problem 15: Warm bodies: Sometimes, employees need certain accommodations to allow them to balance work and life. For example, family commitments in another geographic area may prohibit them from being physically present all of the time. If you’re not open to alternative arrangements, retention becomes that much harder.

Problem 16: Say one thing, do another: I have seen time and time again that people seek genuineness first and foremost. If a security organization preaches one thing and practices another, it hurts retention.

Problem 17: Lack of respect on the inside: If the security organization does not have the respect of other areas of the business, it can have a big impact on the morale of each employee. This, in turn, hurts retention.

Problem 18: Lack of respect on the outside: Security is an industry built on trust and respect. If an organization does not have the respect of its peer organizations, that matters to many security professionals.

Problem 19: Penny wise, dollar foolish: “How is there budget to fly management around the world 25 times, but I can’t get a few days of training each year?” This line of thinking is all too common among security professionals with one foot out of the door.

Problem 20: Failure to invest in human resources: It is true that when you invest in your people, you allow them to improve their resumes. But, perhaps ironically, when people are in a constructive environment that allows them to grow professionally and sharpen their skills, they don’t look to leave. Conversely, if you don’t invest in them, they will look to improve their resumes elsewhere.

Related Content:

• 20 Ways to Increase the Efficiency of the Incident Response Workflow
• Pragmatic Security: 20 Signs You Are ‘Boiling the Ocean’
• 20 Signs You Need to Introduce Automation into Security Ops

Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to … View Full Bio

Article source: https://www.darkreading.com/careers-and-people/20-signs-you-are-heading-for-a-retention-problem/a/d-id/1331749?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple