Average cost of a breach? $15 million, report says


U.S. firms pay an average of $15 million apiece on cyber crime each year, according to a new study. The Ponemon Institute’s annual “Cost of Cyber Crime” study polled 58 U.S.-based companies about their security-related spending. The U.S. average of $15 million per year is one-fifth higher than last year, and it represents an 82 percent jump since Ponemon started issuing the report in 2010. It shows American firms are taking cyber threats seriously, said Larry Ponemon, founder of the Institute. “Some countries assume everything is under control, or they’d rather have their heads in the sand,” he said. “In the U.S., executives are realizing they need more C-suite involvement in security.” Source: NBC News

That debt collector may be doing you a favor

Debt collectors are among the groups notifying consumers about identity theft, according to a report by the Bureau of Justice Statistics. When a consumer is the victim of “other identity theft,” meaning anything outside of stealing from one of their existing accounts, 13.8 percent report that communication with a debt collector alerted them to the fraud. Less than 3 percent of all identity theft victims ended up communicating with debt collectors “about charges and bills that were made as a result of the ID theft,” Bureau of Justice Statistics statistician Erika Harrell said. If the identity theft occurred with an existing consumer account (a majority of identity thefts), the percentage of consumers communicating with debt collectors falls to 1.6 percent. Source: The Association of Credit and Collection Professionals

Snowden: Governments can get into your smartphone

Sending just one text, Edward Snowden claims, enables the United Kingdom and the United States to take over someone’s smartphone. The former intelligence worker and controversial whistleblower told the BBC that Britain’s security agency GCHQ has a sophisticated technology allowing it to gain near-total access to a smartphone by sending it an encrypted text message. He added the technology is provided by the U.S. National Security Agency, which gives “tasking and direction” to its British counterpart and uses a similar program itself in the United States that costs $1 billion. “(They send) a specially crafted message that’s texted to your number like any other text message, but when it arrives at your phone it’s hidden from you,” Snowden said. “It doesn’t display. You paid for it but whoever controls the software owns the phone.” Once in, agencies allegedly can access many functions of the phone—reading messages, looking at Web history, and even taking secret photos with the camera—without the owner’s knowledge. Source: Quartz

Cyber insurance purchase could be risky

The process of buying cyber insurance can heighten a company’s exposure to risks and may discourage some organizations from making a purchase, a risk manager said. That reluctance may partially explain why a minority of organizations in Europe buy the coverage, he said. But more companies are buying the coverage as they get a better understanding of the risks and the market develops cyber insurance to offer broader coverage, insurance experts said. The disclosures that organizations must make to insurers as a requirement of purchasing coverage include some of their most sensitive security information, said Philippe Cotelle, head of insurance risk management at Airbus Defence & Space, a division of Airbus Group. “The underwriting information that insurers need is the key security information of a company. Are you willing to give that information to an external party?” Cotelle asked during a session of the Federation of European Risk Management Associations’ 2015 Risk Management Forum. Source: Business Insurance

Expert says bad guys are tops in tech …

Computer viruses and malware are obsolete scams for the latest wave of increasingly aggressive computer criminals, says a top cyber forensics expert at Purdue University. Marcus Rogers, director of Purdue’s Cyber Forensics Lab, said past reports of cyber attacks—allegedly by foreign nations—have opened the floodgates for computer criminals to launch illegal efforts. “They figure it’s open season now,” said Rogers, a former police investigator working in the area of fraud and computer investigations, who still works with law enforcement. “There are going to be less resources law enforcement and the intelligence community can put to bear on these cases when they’re spread so thin.” Improved technology, in part, has led to more brazen criminal efforts. Phishing attacks—emails disguised as various entities to obtain sensitive information—are on the rise. It’s a race to use the most sophisticated technology, Rogers says, and right now the bad guys have the best tech. It puts more responsibility on the users to police the emails coming into their computers every day. “You have to take responsibility for paying attention to what’s going on yourself. The technology is not going to do it for you. The attacks are slicing right through our technology.” Source: Phys.org

… And we’re worried about that

More people are concerned about cyber threats, according to the latest Consumer Risk Index released by Travelers. The third annual index of 1,029 survey respondents found that cyber-related concerns grew by more than 20 percentage points from last year, moving from the fifth-ranked to the third-ranked concern overall. The survey found that one in four Americans say they have been the victim of a data breach or cyber attack. “Cyber threats are joining the ranks of the conventional issues that individuals have worried about for decades,” said Patrick Gee, senior vice president for claims at Travelers. “Many may be feeling more vulnerable to cyber risks as Americans are becoming increasingly reliant on technology in nearly every aspect of their daily lives. This may also be playing a role in consumers’ overall perception of risk with so many respondents believing the world is becoming a riskier place.” Source: Claims Journal

Denial of service attack might just be a way in

Hackers and cyber criminals always have used distributed denial-of-service attacks to target organizations, but new research indicates that the attack method is quickly evolving as it becomes cheaper to create and deploy. The software used in such an attack is now widely distributed via underground marketplaces on the Dark Web, accessible only with the Tor browser, which has led to a spike in attacks, as a report from Kaspersky Lab noted. The report, titled “Denial of Service: How Businesses Evaluate the Threat of DDoS Attacks,” surveyed more than 5,500 companies in 26 countries and found that 50 percent of DDoS attacks “lead to a noticeable disruption of services,” while 24 percent lead to services being completely unavailable. Source: V3

Let’s talk cybersecurity, Japan says

Japan is sponsoring the Cyber3 Conference Okinawa 2015, subtitled “Crafting Security in a Less Secure World,” in November. Among the speakers will be Toshiyuki Shiga, vice chairman of Nissan Motor, Adm. Dennis Blair, former U.S. director of National Intelligence, and Noboru Nakatani, executive director of Interpol Global Complex for Innovation. Key issues on the agenda are cyber connections, cybersecurity and cyber crime. Source: PR Newswire

White House not pleased with EU court ruling on privacy

The European Union’s highest court struck down a system European and U.S. companies use to transfer sensitive personal information based on a fundamental misunderstanding of American privacy laws, the White House charged. “[W]e have a variety of concerns about this specific ruling; one of them is that we believe that this decision was based on incorrect assumptions about data privacy protections in the United States,” White House spokesman Josh Earnest said. Since 2000, nations on both sides of the Atlantic have used a system established by the European Commission known as the “safe harbor” system to transfer sensitive data ranging from personnel records to online advertising information. The Court of Justice of the European Union ruled that safe harbor does not adequately protect EU citizens’ privacy. The court concluded that the system’s concessions to U.S. intelligence and law enforcement concerns put Europeans’ personal information at risk. Source: The Washington Examiner

Hey, hit the brakes on that, Google says

Android Auto does not phone key automotive data back home, Google says after Motor Trend stated that Porsche opted to not include Android Auto in the new 9912 as Google’s system collects and transmits back to Google information such as vehicle speed, throttle position, coolant and oil temp, and engine revs. “We take privacy very seriously and do not collect the data the Motor Trend article claims such as throttle position, oil temp and coolant temp. Users opt in to share information with Android Auto that improves their experience, so the system can be hands-free when in drive, and provide more accurate navigation through the car’s GPS,” Google says. The in-car system can share information with the Android device, such as GPS location, as the car’s system is often more accurate than the connected phone, Google says. The system also recognizes when the vehicle is in park or drive to display either the on-screen keyboard or to activate voice controls. Source: Tech Crunch