sales@net-ctrl.com
01473 281 211

Net-Ctrl Blog

A deeper dive into GDPR: Right to be forgotten?

August 17th, 2017

Last week we went over the changes that set GDPR apart from other mandates and data privacy legislation. One aspect of GDPR that has received a lot of attention is the ‘Right to be Forgotten’, which is set out in Article 17, entitled “Right to erasure (‘right to be forgotten’)”. It states:

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).”

In plain English this means that organisations need to fully erase a subject’s data from all repositories when that person revokes their consent; when the purpose for which the data was collected is complete; or when compelled by the law.

It is worth noting that this is not an absolute requirement and subjects do not have an unconditional right to be ‘forgotten’. If there are other legitimate, legal reasons – as outlined in the regulation – for the organisation to retain and process data, subjects are not entitled to be forgotten. However, exceptions are few compared to the multitude of data uses common in our daily lives.

So, in the spirit of GDPR, how do organisations ensure that data is deleted from all of the places where it is stored or processed? Full data erasure isn’t a straightforward proposition. A standard delete operation rarely removes data: on most file systems and databases it only unlinks the entry from the directory or index, and the underlying bytes stay on disk until they happen to be overwritten, so ‘deleted’ data is often recoverable with forensic tooling. The same data also tends to live on in backups, replicas and caches that the delete never touched. In these instances, despite best efforts, simply hitting ‘delete’ doesn’t achieve GDPR compliance. To complicate the issue, in 21st century business data is shared constantly between suppliers, partners, resellers and customers. When consent is revoked or a contract comes to term, how does an organisation guarantee that data is adequately deleted by all of these different players?

Encryption is one way to ensure that data is rendered unusable in line with GDPR’s erasure obligation. Encryption transforms data with an algorithm and a secret key so that the result is unreadable; the only way to recover the original is to supply the key that was used to produce it. If every copy of that key is destroyed, the ciphertext can no longer be decrypted, wherever it happens to be stored, so the data is effectively gone even though the bytes still exist. Encrypting data and then deleting the key (known as cryptographic erasure, or crypto-shredding; NIST SP 800-88 lists it as a recognised sanitisation method) is therefore both an effective and a convenient way to satisfy the ‘right to be forgotten’. Two conditions make it work in practice: the key must never have been copied anywhere you cannot also destroy it (backups, escrow, developer laptops), and the cipher must remain strong for as long as the data would have been sensitive.

Such an approach gives organisations quite a bit of flexibility in deciding how to meet this obligation. Encryption can be applied at different points along the data’s path from creation to rest, and the granularity at which you assign keys is the granularity at which you can later forget: one key per file lets you forget a file, one key per data subject lets you forget a person, and one key for the whole database lets you forget everyone at once but nobody individually. If it were as simple as deleting a file, an organisation could use a file system-level solution to encrypt the file and delete the key. On a larger scale, say at the end of a project, an organisation could encrypt an entire database column – say of social security numbers, usernames, or family names – under its own key and delete that key. More advanced developers could incorporate encryption into their applications, keyed per customer or per purpose, and delete the relevant keys when a request arrives. In any scenario, policy-based access controls over the keys themselves let organisations tune who can use, rotate and destroy them, which is what gives confidence that an erasure really is final. The permutations are many, but the fundamentals are the same.
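As an added illustration, not code from the original post or from Gemalto, the Go program below implements the crypto-shredding approach just described with one AES-256-GCM key per data subject. The key store, the subject identifiers and the two records are constructed for the example; a real deployment would keep the keys in an HSM or KMS and would have to destroy every backup or escrowed copy of a key as well, which a map in memory cannot show.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrForgotten: the key is gone, so no copy of the ciphertext can ever be read again.
var ErrForgotten = errors.New("subject key destroyed: data cryptographically erased")

// KeyStore holds one AES-256 key per data subject. A map stands in for the HSM or KMS
// a real deployment would use (assumption for this example).
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// keyFor returns the subject's key, generating a fresh one on first use.
func (ks *KeyStore) keyFor(subject string) ([]byte, error) {
	if k, ok := ks.keys[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[subject] = k
	return k, nil
}

// Seal encrypts one record field as nonce||ciphertext||tag with AES-GCM. The subject
// ID is bound in as additional authenticated data so a blob cannot be re-attributed.
func (ks *KeyStore) Seal(subject string, plaintext []byte) ([]byte, error) {
	key, err := ks.keyFor(subject)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail: keyFor always yields 32 bytes
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, []byte(subject)), nil
}

// Open decrypts a blob. It never mints a key: a missing key means the subject was forgotten.
func (ks *KeyStore) Open(subject string, blob []byte) ([]byte, error) {
	key, ok := ks.keys[subject]
	if !ok {
		return nil, ErrForgotten
	}
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(subject))
}

// Forget is the erasure step: overwrite the key material, then drop it. Every copy of
// the ciphertext, including copies held by partners we never see again, is now dead.
func (ks *KeyStore) Forget(subject string) {
	for i := range ks.keys[subject] {
		ks.keys[subject][i] = 0
	}
	delete(ks.keys, subject)
}

// Demo encrypts two constructed records, hands a copy of Alice's to a "partner",
// forgets Alice, then checks that the partner's copy is dead and Bob's is intact.
func Demo() (before string, after error, other string, err error) {
	ks := NewKeyStore()
	alice, err := ks.Seal("subject-0001", []byte("Alice Example, alice@example.com"))
	if err != nil {
		return
	}
	bob, err := ks.Seal("subject-0002", []byte("Bob Example, bob@example.com"))
	if err != nil {
		return
	}
	partnerCopy := append([]byte(nil), alice...) // a copy outside our control
	pt, err := ks.Open("subject-0001", alice)
	if err != nil {
		return
	}
	before = string(pt)
	ks.Forget("subject-0001") // Article 17 request received for Alice
	_, after = ks.Open("subject-0001", partnerCopy)
	pt, err = ks.Open("subject-0002", bob)
	other = string(pt)
	return
}

func main() {
	before, after, other, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("before erasure: %q\nafter erasure:  %v\nother subject:  %q\n", before, after, other)
}
```

Two design points are worth noting. The subject ID is used as additional authenticated data, so a ciphertext lifted from one subject’s record cannot be decrypted as another subject’s even if an attacker controls the key lookup. And because `Open` never creates a key, a subject whose key has been destroyed stays forgotten; if the same identifier is later re-enrolled, `Seal` mints a fresh key and the old blobs remain unreadable. Random 96-bit nonces are fine at the volumes a per-subject key sees, but a key that encrypts many millions of records should use a counter or a key-derivation step instead.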

As organisations consider their GDPR needs, they should place them in the context of their larger security needs. Adopting one-off encryption solutions to address discrete challenges is the quickest way to end up with a collection of burdensome security silos that complicate ongoing management. Encryption is the tool that works on the data, but an organisation’s key management apparatus will eventually be the key (pun fully intended) to future security and compliance success, not least because cryptographic erasure is only as final as your ability to prove that no copy of the key survives. In choosing an encryption and key management vendor, organisations should consider the solutions currently in place in their data centre, their existing needs, and their future needs in order to find a solution set that will grow with them.

The ‘right to be forgotten’ isn’t as daunting a requirement as it may seem at first glance. A thoughtful use of encryption can help organisations respect data subjects’ wishes and preserve privacy in any scenario. Next week we’ll return to the pages of this blog to take a look at GDPR’s data control and integrity requirements. Stay tuned!

For additional information on GDPR, check out The General Data Protection Regulation ebook.

View original article by Gemalto.

A deeper dive into GDPR: What makes it different?

August 10th, 2017

Applying from 25 May 2018, the General Data Protection Regulation (GDPR) sets a new standard for data privacy and security across the European Union (EU). Much has been made of the law establishing data privacy as a fundamental right, and of its governance and security requirements.

Over the course of the next few weeks, we will be taking an in-depth look at the mandate’s articles and offering insight into how you can comply.

Today let’s take a look at what sets GDPR apart from other standards and regulations, namely its expanded scope and reach.

GDPR will affect any organization that offers goods or services, or whose activity monitors the behaviour of individuals in the EU; it doesn’t matter if the organization resides and processes data within the EU or not. Multi-national organizations across the world – from Australia to the United States – that collect EU subjects’ data will need to prepare for the new mandate. Additionally, as organizations collaborate and partner, GDPR holds them responsible for their data’s privacy even as it passes outside of their control. In effect, GDPR increases the number of stakeholders involved and the level of due diligence each party must perform to what can already be a complex web of relationships that span the globe.

What is more, GDPR broadens the definition of ‘personal data’. Any piece of information that can be combined with another data point (or collection of data points) to identify an individual must be protected following GDPR’s mandates. Such a broad definition includes pieces of information such as online identifiers, genetic data or location metadata – data that organizations are unaccustomed to protecting. This will certainly impact how organizations protect their data currently and will affect how they do business while protecting this data going forward.

For all of this data, GDPR requires data protection by design and by default (Article 25); that is, data privacy must be a consideration from the moment an operation is conceived. Security in service of privacy must be built into the very fabric and design of an organization and its operations as the default setting. Under GDPR, security is no longer an option; it is a requirement.

GDPR’s penalties are severe. In the event of a personal data breach, organizations must notify the supervisory authority in their jurisdiction without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to individuals; where it is likely to result in a high risk to data subjects, the affected individuals must be informed as well. Infringements of the regulation attract administrative fines of up to €20 million or 4% of annual worldwide turnover (not profit), whichever is higher.

The new penalty regime fundamentally changes the data security cost/benefit equation for any organization with a presence – real or virtual – in the EU.

For as daunting as it may seem, you won’t have to face it alone. On this blog, we’ve already shared how to break the process into manageable chunks via our 6 step approach to tackling GDPR. Our experts go into these 6 steps – in partnership with ISC2 – in a joint webinar entitled “6 Steps To GDPR Compliance”. Over the next few weeks, we’ll dig deeper into topics such as the ‘Right to be Forgotten’, data integrity obligations, due diligence requirements, and more. Stay tuned to this blog each week for a new instalment in our GDPR series.

That said, if you’re anxious to get started on your GDPR preparation, you can find more information, white papers and ebooks on GDPR compliance here: https://safenet.gemalto.com/gdpr

View original article.

GDPR Compliance in Six Steps

August 7th, 2017

In less than a year’s time, a radical change to data protection legislation will come into effect in the EU – the General Data Protection Regulation (GDPR). Aiming to help protect the data of people in the EU, the regulation will ensure that businesses are held accountable to their customers. While breach notification laws in most US states already oblige companies to disclose the data breaches they experience, there has been no general equivalent for businesses operating within the EU, and that will not change until GDPR comes into effect. In short, this means the already large number of records lost or stolen in Europe could be considerably larger than reported.

With GDPR almost here, the data protection and privacy landscape of the EU is set to change in big ways. But how can a business ensure that it is compliant with the regulation, and how would they go about becoming compliant? Below are six steps every business should undertake:

Step one – Get to grips with GDPR’s legal framework

The first step that any business needs to take is to understand how each aspect of the legislation applies to it. By conducting a full audit against the GDPR legal framework, a business will understand what it needs to do and what the consequences of failing to do so are. As part of this compliance audit, a business should appoint a Data Protection Officer (DPO), who will be responsible for ensuring the company adheres to the regulation; Article 37 makes a DPO mandatory for public authorities and for organisations whose core activities involve large-scale monitoring or large-scale processing of special categories of data, and it is good practice for everyone else. Ideally, a DPO would have a background in both law and technology, so they’re able to understand both the technical specifications and the regulatory framework needed to meet them. Every organisation is different, and so no GDPR journey will look the same – correct guidance from business leaders to employees is needed to ensure the whole company understands how to be compliant.

Step two – Create a Data Register

Once a business understands the steps it needs to take, it’s important that it keeps a record of the process. This is best done with a Data Register – essentially a GDPR diary, and the natural place to hold the record of processing activities that Article 30 requires. The Data Protection Authority (DPA, the supervisory authority) of each country will enforce GDPR and be responsible for judging whether a business is compliant when determining any penalties after a breach. In this event, the Data Register will be a crucial tool for demonstrating the progress the affected business has made in becoming compliant. Without such proof, the DPA can fine up to 2% or 4% of the company’s annual worldwide turnover (or €10 million or €20 million, whichever is higher), depending on which provisions were infringed. The size of the fine and the speed of the DPA’s decision would depend in part on the sensitivity of the data.

Step three – Classify data

While understanding what protections, if any, are already in place is important, this step focuses on helping businesses understand what data they need to protect and how that is being done. First, a business must locate any personally identifiable information – information that can directly or indirectly identify someone – relating to individuals in the EU. It’s crucial to know where this is stored, who can access it, who it has been shared with, and so on. It can then determine which data is more vital to protect. In addition to this, it’s important to know who is responsible for controlling and processing the data, and to make sure all the correct contracts are in place.

Step four – Identify the top priorities

Next, a business needs to evaluate how that classified data is being produced and protected. Regardless of how data is collected, the first priority should always be to protect the user’s privacy. Businesses should ask themselves if they need the sensitive data they have collected – this data is worth a lot to a hacker, and has the greatest risk of being stolen. Businesses should complete a Privacy Impact Assessment and, for processing likely to result in a high risk to individuals, the Data Protection Impact Assessment that Article 35 requires. When doing this, it’s important to keep the rights of data subjects in mind, including restriction of processing and data portability. In particular, data that a business or its third parties hold on an individual must be deleted when that individual requests it, unless one of the regulation’s exceptions (such as an overriding legal obligation to retain it) applies. It’s crucial that all this data is correctly and promptly destroyed and can’t be accessed. This process is known as the “right to be forgotten”.

Evaluating how the business protects this data comes next (for example, with encryption, tokenisation or pseudonymisation). The evaluation must cover any historical data, the data being produced now and any data that is backed up – either on-site or in the cloud. This data must be pseudonymised or encrypted to protect the privacy and identities of the people it relates to. All data needs to be protected from the day it is generated to the day it is no longer needed.

Step five – Document and assess any additional risks and processes

Of course, there’s more to compliance than just protecting the most sensitive data – the next stage of the process is to assess and document any other risks, to discover any other processes or areas that might be vulnerable. While doing this, the business should update its Data Register, to show the DPA how they are addressing any existing risks. Only by doing this can a business demonstrate to the DPA that it is treating compliance and data protection seriously and with respect.

Step six – Revisit and repeat

Finally, the last step on the compliance journey focuses on revisiting the outcome of the previous steps and remediating any potential consequences, tweaking and updating where necessary. Once this is complete, businesses should evaluate their next priorities and repeat the process from step four.

Moving forward, every decision, plan and application a business makes needs to have security at its forefront. This process is known as “privacy by design”, and ensures that any data that enters a business is located and protected from the moment it arrives. Any business that fails to demonstrate it has the right measures in place, or has at the very least begun the process of introducing them, will face severe fines and damage to its reputation. In less than a year, when businesses lose the ability to hide their data breaches, we’ll get a realistic picture of the state of cybersecurity in the EU.

View the on-demand webinar on the same content.

By Jan Smets, Data Security Expert at Gemalto, and qualified Data Protection Officer
View the original article.

New Research Report Reveals Trends and Tactics Used in Ransomware Demands

July 21st, 2017

Analysis of the psychology behind digital ransom notes, commissioned by SentinelOne, sheds light on the range of social engineering tactics used by cyber attackers.

SentinelOne, the company transforming endpoint protection by delivering unified, multi-layer protection driven by machine learning and intelligent automation, has commissioned a new report examining ransomware ‘splash screens’ – the initial warning screens of ransomware attacks.

The report “Exploring the Psychological Mechanisms used in Ransomware Splash Screens” by Dr. Lee Hadlington PhD [1], senior lecturer in cyberpsychology at De Montfort University, Leicester, reveals how social engineering tactics are used by cyber criminals to manipulate and elicit payments from individuals. It provides analysis of the language, visuals and payment types from 76 splash screens, to highlight how key social engineering techniques – fear, authority, scarcity (or urgency) and humour – are exploited by cyber criminals in ransomware attacks.

The report also examines the differing levels of sophistication on the part of the attackers and comes in the wake of recent global ransomware attacks which have struck both public sector and private organisations, causing massive disruption and costing businesses millions [2] in lost revenue.

From the analysis of the splash screen samples, common trends highlighted include:

  • Time criticality: In over half the samples (57%), the ‘ticking clock’ device – in which a specific amount of time is given to pay a ransom – was used to create a sense of urgency and to persuade the victim to pay quickly. Deadlines given ranged from 10 hours to more than 96 hours.
  • Consequences: The most likely consequence given for not paying the demand or missing the deadline was that files would be deleted and the victim would not be able to access them. In other screens, threats were made to publish the locked files on the Internet.
  • The Customer Service Approach: 51% of splash screens included some aspect of customer service, such as instructions on how to buy Bitcoins (BTC) or presenting frequently asked questions (FAQs). One example offers victims the chance to ‘speak to a member of the team’.
  • Imagery: The research also examines the use of a variety of imagery, including official trademarks or emblems, such as the crest of the FBI, which instil the notion of authority and credibility to the request. One of the most prominent pop cultural images used was ‘Jigsaw’ – a character from the Saw horror movie series.
  • Payment: BTC was the preferred mechanism for payment; 75% of ransomware splash screens asked for payment in BTC. Over half the sample (55%) contained the ransom demand in the initial splash screen. The average amount asked for by attackers was 0.47 BTC ($1,164 USD).
“We know that psychology plays a significant part in cyber crime – what’s been most interesting from this study is uncovering the various ways that key social engineering techniques are used to intimidate or influence victims,” said Hadlington. “With ransomware on the rise, it’s important that we improve our understanding of this aspect of the attack and how language, imagery and other aspects of the initial ransom demand are used to coerce victims.”

“Although ransomware has leapt to the top of the public’s consciousness following recent attacks, what’s been less well documented is exactly how the criminals are manipulating their targets into paying up,” said Tony Rowan, chief security consultant at SentinelOne. “This report sheds light on the most common tactics used, with the aim that, through awareness, we are better placed to advise individuals and businesses how not to be duped by these criminals’ claims.”

A copy of the full “Psychology of Digital Ransom Notes” report is available for download here.

Notes for Editors

1. Dr. Lee Hadlington PhD FHEA CPsychol AFBPsS, Senior Lecturer in Cyberpsychology and Chartered Psychologist, Psychology and Technology Research Group, De Montfort University, Leicester
2. https://www.scmagazineuk.com/multinational-talks-of-100-mil-loss-as-petyanotpetya-leaves-its-mark/article/673198/

MOBOTIX – Mx6 Camera Line is Complete

July 20th, 2017

MOBOTIX has introduced the new indoor models c26, i26, p26 and v26, thereby completing the successful Mx6 6MP camera line. The new, higher performing processor delivers up to twice as many images per second as before – at the same resolution. The video data is simultaneously offered in three formats (MxPEG, MJPEG and H.264), as well as in a range of different resolutions. RTSP/multicast makes the Mx6 cameras more flexible. All of the models come standard with intelligent motion detection directly on the camera, and thereby offer more capacity for additional software applications.

More Power, Easily Integrated

As with the Mx6 outdoor cameras, the Mx6 indoor models are now also available with a more powerful CPU as well as an H.264 encoder. The new processor architecture significantly increases the frame rate, which allows the cameras to do an even better job of capturing fast movements. Moreover, intelligent motion detection is integrated as standard, and more capacity is available on the camera for additional software applications. The new Mx6 camera system is far more flexible and higher performing, thanks to RTSP/multicast: the video stream can be displayed on multiple clients simultaneously without reducing the frame rate. Alongside the MxPEG video codec, which was specially developed for security applications, H.264 is available for the first time, ensuring compatibility with the industry standard. Depending on requirements, the focus can be set on high image quality with MxPEG, or the industry standard for video transmission and camera integration can be used. Moreover, Mx6 cameras also offer basic functions in keeping with ONVIF*, a global open interface standard. In this way, the new camera system opens up far more application and integration options for our partners and end customers. Regular software updates ensure that the performance of the Mx6 range continually improves, which in turn guarantees a maximum return on investment.

“We will continue to remain true to our decentralised concept – storing maximum intelligence in a camera – and thereby offer solutions that go above and beyond traditional applications. At the same time, we are open to generally used technologies such as H.264 and participation in standard forums such as ONVIF. We do not consider these two parts of our approach to be in conflict with each other; instead, they help our range prepare for the future and stay solution-oriented,” explains MOBOTIX CTO Dr. Oliver Gabel.

Flexibly Protect Interior Spaces

With a diameter of only 12 centimetres and a weight of approximately 200 grams, the c26 is the smallest and lightest MOBOTIX 360° camera yet for fast ceiling mounting in suspended ceilings. The i26 is ideally suited for corresponding wall mounting, as it is just as compact and discreet. Thanks to its tilt angle of 15°, it provides a complete overview of the room and can thereby replace up to four conventional cameras. The p26 provides maximum flexibility during installation thanks to its manual swivel and tilt functions, and can also completely secure an entire room when it is installed in a corner area, thanks to its 90° lens. The v26 is the first vandalism-resistant indoor camera to also offer all MOBOTIX functions. Alongside the standard lenses, an on-wall audio set and suitable vandalism sets are available for optimum protection. All of the indoor models are fitted with 6-megapixel Moonlight sensors and deliver sharp, richly detailed videos, even under poor light conditions (>1 lux).

* ONVIF-ready; full Profile S support with future software update

Palo Alto Networks Upholds Leadership Position in Gartner Magic Quadrant for Enterprise Network Firewalls

July 17th, 2017

Palo Alto Networks, the next-generation security company, today announced that it has again been recognised in the “Leaders” quadrant of the July 10, 2017 “Magic Quadrant for Enterprise Network Firewalls” by Gartner Inc.

According to the report, “The Leaders quadrant contains vendors that build products that fulfil enterprise requirements. These requirements include a wide range of models, support for virtualization and virtual LANs, and a management and reporting capability that is designed for complex and high-volume environments, such as multi-tier administration and rule/policy minimization. A solid NGFW capability is an important element, as enterprises continue to move away from having dedicated IPS appliances at their perimeter and remote locations. Vendors in this quadrant lead the market in offering new features that protect customers from emerging threats, provide expert capability rather than treat the firewall as a commodity and have a good track record of avoiding vulnerabilities in their security products. Common characteristics include handling the highest throughput with minimal performance loss, offering options for hardware acceleration and offering form factors that protect enterprises as they move to new infrastructure form factors.”

This marks the sixth consecutive time that Palo Alto Networks has been named a leader in the Magic Quadrant for Enterprise Network Firewalls, which evaluates vendors’ ability to execute and completeness of vision.

QUOTE

“We’re honoured to be recognised by Gartner as a Leader in the Magic Quadrant for Enterprise Network Firewalls. Our mission to protect our way of life in the digital age by preventing successful cyberattacks is enabled by our Next-Generation Security Platform, of which our firewall is a cornerstone. We believe this recognition for the sixth consecutive time validates that the advancements made to our next-generation firewall, including security consistency for public and private clouds, are addressing today’s toughest cybersecurity challenges.”
– René Bonvanie, CMO, Palo Alto Networks

Over 39,000 customers in over 150 countries have chosen Palo Alto Networks because of our deep expertise, unwavering commitment to innovation and breach prevention-oriented next-generation platform.

To learn more about the Palo Alto Networks Next-Generation Security Platform, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform

To learn more about the Palo Alto Networks Next-Generation Firewall, visit: https://www.paloaltonetworks.com/products/platforms/firewalls.html

To read the complete report, visit: http://go.paloaltonetworks.com/gartner

Scale Up Your Network with Clusters and Ruckus Wireless

July 17th, 2017

Whether managed on premises or by distributed services, networks serve as the information pipeline that ensures the day-to-day operation of nearly every business. As a business grows, so does the size of the network. The goal is to minimise capital expenditure (CAPEX) while meeting today’s needs, and to maximise the investment to realise the best long-term total cost of ownership (TCO). In scaling a network to meet growing business demands, how do you retain the value of purchased equipment without relegating existing components to obsolescence?

One solution is “clustering”. By adding controller capacity, you can keep making use of your existing controllers. With a highly integrated base controller architecture, this becomes a viable approach.

There are two basic design options:

Active-Passive – A secondary controller simply monitors the active controller and only takes over when the primary fails. With this architecture, the value of the overall system is diluted, as the secondary controller sits idle for long periods of time, and recovery from a controller failure is slower because the standby has to take over from cold.

Active-Active – A number of controllers work collaboratively, so the network keeps running even if any one of them fails. The TCO of this option is lower because all units carry load, and recoveries are virtually seamless. The caveat is that the cluster must keep enough headroom (N+1 sizing) for the surviving members to absorb a failed controller’s access points and clients; a cluster run at full capacity loses the redundancy it was bought for.

Active-Active clustering is a straightforward option for expanding network capacity. It provides the highest level of reliability for wireless networks and delivers additional key benefits:

  • Because multiple controllers sit within one cluster, a “single-pane-of-glass” interface simplifies network management.
  • Geographic redundancy can isolate localised controller failure scenarios and increase overall reliability.
  • Support for both appliance and virtual deployment options has a direct impact on CAPEX and overall network capacity when you select a cluster solution.
  • “Cluster balancing” is a smart way to optimise utilisation of each cluster element.
  • Client licence management across a cluster is generally flexible and not bound to any single controller.

When making an architectural decision on a WLAN solution, selecting one that meets your needs today and in the future without increasing IT overhead is your best bet. Ruckus SmartZone products provide flexible, reliable and scalable “clustering” solutions that meet the needs of fast-growing businesses like yours.

Link: Ruckus SmartZone

View original article by: Richard Watson, Product Marketing Manager

    Gemalto research reveals businesses overly confident about keeping hackers at bay, but less so about keeping data safe

    July 12th, 2017

    Despite the increasing number of data breaches and nearly 1.4 billion data records being lost or stolen in 2016 (source: Breach Level Index), the vast majority of IT professionals still believe perimeter security is effective at keeping unauthorised users out of their networks. However, companies are under-investing in technology that adequately protects their business, according to the findings of the fourth-annual Data Security Confidence Index released today by Gemalto (Euronext NL0000400653 GTO), the world leader in digital security.

    Surveying 1,050 IT decision makers worldwide, businesses feel that perimeter security is keeping them safe, with most (94%) believing that it is quite effective at keeping unauthorised users out of their network. However, 65% are not extremely confident their data would be protected, should their perimeter be breached, a slight decrease on last year (69%). Despite this, nearly six in 10 (59%) organisations report that they believe all their sensitive data is secure.

    Perimeter security is the focus, but understanding of technology and data security is lacking

    Many businesses are continuing to prioritise perimeter security without realising it is largely ineffective against sophisticated cyberattacks. According to the research findings, 76% said their organisation had increased investment in perimeter security technologies such as firewalls, IDPS, antivirus, content filtering and anomaly detection to protect against external attackers. Despite this investment, two-thirds (68%) believe that unauthorised users could access their network, rendering their perimeter security ineffective.

    These findings suggest a lack of confidence in the solutions used, especially when over a quarter (28%) of organisations have suffered perimeter security breaches in the past 12 months. The reality of the situation worsens when considering that, on average, only 8% of data breached was encrypted.

    Businesses’ confidence is further undermined by over half of respondents (55%) not knowing where their sensitive data is stored. In addition, over a third of businesses do not encrypt valuable information such as payment (32%) or customer (35%) data. This means that, should the data be stolen, a hacker would have full access to this information, and can use it for crimes including identity theft, financial fraud or ransomware.

    “It is clear that there is a divide between organisations’ perceptions of the effectiveness of perimeter security and the reality,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “By believing that their data is already secure, businesses are failing to prioritise the measures necessary to protect their data. Businesses need to be aware that hackers are after a company’s most valuable asset – data. It’s important to focus on protecting this resource, otherwise, reality will inevitably bite those that fail to do so.”

    Most Businesses are unprepared for GDPR

    With the General Data Protection Regulation (GDPR) becoming enforceable in May 2018, businesses must understand how to comply by properly securing personal data to avoid the risk of administrative fines and reputational damage. However, over half of respondents (53%) say they do not believe they will be fully compliant with GDPR by May next year. With less than a year to go, businesses must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies.

    Hart continues, “Investing in Cybersecurity has clearly become more of a focus for businesses in the last 12 months. However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don’t improve their cybersecurity will face severe legal, financial and reputational consequences.”

    About the survey

    Independent technology market research specialist Vanson Bourne surveyed 1,050 IT decision makers across the US, UK, France, Germany, India, Japan, Australia, Brazil, Benelux, the Middle East and South Africa on behalf of Gemalto. The sample was split between Manufacturing, Healthcare, Financial Services, Government, Telecoms, Retail, Utilities, Consultation and Real Estate, Insurance and Legal, IT and other sectors from organisations with 250 to more than 5,000 employees.

    Original article published by Gemalto.

    Frost & Sullivan Recognises Gemalto for Leadership in Encryption and Data Protection

    July 7th, 2017

    Gemalto has been awarded the Frost & Sullivan 2017 Encryption and Data Protection Technology Leadership Award(1). Frost & Sullivan analysts independently evaluated Gemalto’s SafeNet data protection and encryption solutions, in particular, the commercial success, growth potential, operational efficiency, and benefits provided to customers.

    Each year, Frost & Sullivan recognises companies across different industries based on their excellence in technology and innovation. Gemalto was selected based on the following attributes:

    • A unique position in the market based on an extensive portfolio and the variety of use cases and customers
    • Strong expertise in creating versatile and flexible solutions that support a variety of deployment environments
    • Quality of solutions and the company’s positive brand recognition
    • Commitment to research and development driving innovation in the industry

    “Gemalto’s vision for data protection guarantees a tailored, scalable, centralized-IT-service solution for organisations needing efficiency, without an overhaul of their existing security systems,” said Frost & Sullivan Research Analyst Danielle VanZandt. “Companies can standardise encryption and data protection breaking down internal silos achieving greater collaboration and visibility between departments.”

    “This award highlights our ability to provide customers with a simple, consolidated method of enterprise-wide data protection. The single pane of glass alleviates the burden of monitoring operations across multiple security platforms and simplifies the execution of internal data security policies,” said Todd Moore, Senior Vice President of Encryption Products at Gemalto. “When preparing for an internal or external audit, a centrally managed system helps organisations quickly demonstrate their level of compliance without the hassle of collecting information across different systems.”

    Gemalto’s portfolio of SafeNet data encryption and key management solutions ensures sensitive information remains secure wherever it resides, from the cloud and data centre to the network. Additionally, Gemalto speeds up deployment timelines by supporting a variety of digital and cloud environments, integrating with over 700 solutions across more than 240 different ecosystem partners. For more information on the solutions evaluated by Frost & Sullivan analysts, download the report.

    Additional resources:
    Gemalto SafeNet Data Protection
    Whitepaper: Own and Manage Your Encryption Keys
    Encrypt Everything

    1 Frost & Sullivan Best Practices Awards recognise companies in a variety of regional and global markets for demonstrating outstanding achievement and superior performance in areas such as leadership, technological innovation, customer service, and strategic product development. Industry analysts compare market participants and measure performance through in-depth interviews, analysis, and extensive secondary research to identify best practices in the industry.

    View original article by Gemalto.

    Tips for Gamifying Your Cybersecurity Education and Awareness Programs

    July 6th, 2017

    Employees are fast becoming the weakest link in the defence against cybercriminals. Sometimes common sense can only go so far, as you need to make sure that best practices around security don’t go in one ear and out the other. Whether through innocent mistakes or because they were targeted for their access to sensitive information, employee error can easily open the door to malware or information theft.

    Successful attacks often involve poor processes and exploit human tendencies. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Pure compliance-driven approaches have proven to be ineffective for organisations when used for employee security training, usually, because it isn’t interesting or personal enough to capture employees’ imaginations. Businesses should focus on educating employees about how to protect their personal data, thereby encouraging employees to enact further security-orientated practices in the workplace.

    Employee training may take different forms, including the increasing practice of “gamifying” cybersecurity education programs. Gamification is the process of using gaming mechanics in a non-gaming context, leveraging what is exciting about games and applying it to other types of activities that may not be so fun. Designed with elements of competition and reward, gamification programs are becoming popular because they can be used in a variety of industries.

    Many businesses currently use gamification in such areas as customer engagement, and employee education and training to drive performance and motivation. Gaming elements include one-on-one competitions, rewards programs, and more.

    There are two key ways business owners can use gamification as a way of addressing cybersecurity in their organisation:

    1. Make training more exciting and engaging for employees

    Using gamification can help businesses improve their cybersecurity in numerous ways, including showing employees how to avoid cyberattacks and learning about vulnerabilities in software.

    Global consulting firm PwC teaches cybersecurity through its Game of Threats. [1] Executives compete against each other in real-world cybersecurity situations, playing as either attackers or defenders. Attackers choose the tactics, methods, and skills of attack, while defenders develop (defence) strategies, and invest in the right technologies and talent to respond to the attack. The game gives executives an understanding of how to prepare for and react to threats, how well-prepared the company is, and what their cybersecurity teams face each day.

    Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly.

    2. Offer incentives and rewards to encourage desired behaviours

    Human error is responsible for most security breaches, with employees feeling pressured to complete work by certain deadlines and as quickly as possible, which can result in them overlooking important company policy regarding security.

    For example, running so-called PhishMe campaigns can be a great way to train employees on better email security. These include regular phishing emails sent across the organisation, testing the staff’s response and action.

    Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour. This may take the form of employees receiving a badge or recording points, which are then displayed on a scoreboard for the office to follow. In some organisations, after employees reach specific milestones, they are presented with a material reward, such as a gift voucher.

    This system also allows for the identification of those who display poor behaviour within gamification and may result in the employee needing to complete further cybersecurity training. Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cyber-secure working environment.

    At the heart of any security awareness training is education to teach employees a shared sense of responsibility for the data they work with, and the data they create and use at home. All security awareness campaigns should become part of an ongoing process, not a one-time initiative. Leaders of any business, big or small, can sometimes feel they lack the resources needed to drive an effective cybersecurity education campaign, but this can be done without breaking the bank.

    • Visual aids work well. Start with some small videos, posters and/or contests as a reminder to drive the message home for all to understand that security is everyone’s responsibility.
    • ‘Fear of God’ tactics do not work. The business goal should be to build a culture of cyber awareness, so treat this like a marketing campaign with the intent to persuade and change the behaviour of an employee.
    • Short and concise works best. Long emails always get ignored. Keep them short and fun, and ALWAYS ensure it is a top-down approach. Employees look up to their leaders. If the leaders do not embody a cyber-secure culture, why should the employees? The aim is to educate employees about best practices, not force them to be cybersecurity experts. Make it fun and have a laugh, so everyone can learn at the same time.
    • Reinforcement and follow-up are key. Training is a constant; learn from what works and re-educate as needed. Re-test your newly onboarded, as well as existing, staff members on whether they fall for a phishing email, and check to see how many employees still fail to recognise a fake email. Encourage communication to report a fake and call out departmental groups that may be lagging. The aim is not to single people out, but rather create some healthy rivalry within the organisation.

    Eliminating cyber risks in any business is an ongoing process, but it can be managed. We need to foster a way for employees to call out where they question something and re-educate as needed. If employees walk away from the security awareness program questioning before they click on something malicious, you have moved the needle towards being more secure.

    [1] https://www.pwc.com/us/en/financial-services/cybersecurity-privacy/game-of-threats.html

    Original article published by Palo Alto Networks.


    A deeper dive into GDPR: Right to be forgotten?

    August 17th, 2017

    Last week we went over the changes that set GDPR apart from other mandates and data privacy legislation. One aspect of GDPR that has received a lot of attention is the ‘Right to be Forgotten’ which is outlined in Article 17 entitled “Right to Erasure (’right to be forgotten’)”. It states:

    “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

    (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    (d) the personal data have been unlawfully processed;
    (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).”

    In plain English this means that organisations need to fully erase a subject’s data from all repositories when that person revokes their consent; when the purpose for which the data was collected is complete; or when compelled by the law.

    It is worth noting that this is not an absolute requirement and subjects do not have an unconditional right to be ‘forgotten’. If there are other legitimate, legal reasons – as outlined in the regulation – for the organisation to retain and process data, subjects are not entitled to be forgotten. However, exceptions are few compared to the multitude of data uses common in our daily lives.

    So, in the spirit of GDPR, how do organisations ensure that data is deleted from all of the places that it is stored or processed? Full data erasure isn’t a straightforward proposition. Using a standard delete function doesn’t always fully remove data. While it may not appear in file registries or indexes, deleted data is often still recoverable. In these instances, despite best efforts, simply hitting ‘delete’ doesn’t achieve GDPR compliance. To complicate the issue, in 21st century business data is shared constantly between suppliers, partners, resellers and customers. When consent is revoked or a contract comes to term, how does an organisation guarantee that data is adequately deleted by all of these different players?

    Encryption is one way to fully ensure that data is unusable per GDPR’s erasure obligation. Encryption alters data by using a specific secret – or key defined by an algorithm – to render data unreadable. The only way to return encrypted data into a readable state is by providing the corresponding key that was used to alter the data in the first place. If that key were to be deleted, it would be impossible to convert or decrypt that data back into a readable format. When it comes to GDPR’s ‘right to be forgotten’ encrypting data and deleting the key (also known as cryptographically erasing the data) is both an effective and convenient solution.

    Such an approach gives organisations quite a bit of flexibility in deciding how to meet this obligation. Encryption is the kind of tool that organisations can apply at different levels of the data’s flow from creation to rest. If it were as simple as deleting a file, an organisation could use a file system-level solution to encrypt the file and delete the key. On a larger scale, say at the end of a project, an organisation could encrypt an entire database column – say of social security numbers, usernames, or family names – and delete the key. More advanced developers could even incorporate encryption into their applications and then delete the keys that the application uses. In any scenario, policy-based access controls allow organisations to finely tune their approach to data deletion for greater confidence in their approach to GDPR compliance. The permutations are many, but the fundamentals are the same.

    As organisations consider their GDPR needs, they should place them in the context of their larger security needs. Adopting one-off encryption solutions to address discrete challenges is the quickest way to end up with a collection of burdensome security silos that complicate on-going management. Encryption is the tool that works on the data, but an organisation’s key management apparatus will eventually be the key (pun fully intended) to future security and compliance success. In choosing an encryption and key management vendor, organisations should consider the solutions currently in place in their data centre, their existing needs, and their future needs in order to find a solution set that will grow with them.

    The ‘right to be forgotten’ isn’t as daunting a requirement as it may seem at first glance. A thoughtful use of encryption can help organisations respect data subjects’ wishes and preserve privacy in any scenario. Next week we’ll return to the pages of this blog to take a look at GDPR’s data control and integrity requirements. Stay tuned!

    For additional information on GDPR, check out The General Data Protection Regulation ebook.

    View original article by Gemalto.

    A deeper dive into GDPR: What makes it different?

    August 10th, 2017

    Coming into effect in May 2018, the General Data Protection Regulation, also known as GDPR, sets a new standard for data privacy and security across the European Union (EU). Much has been made of the law establishing data privacy as a fundamental right, and its governance and security requirements.

    Over the course of the next few weeks, we will be taking an in-depth look at the mandate’s articles and offering insight into how you can comply.

    Today let’s take a look at what sets GDPR apart from other standards and regulations, namely its expanded scope and reach.

    GDPR will affect any organization that offers goods or services, or whose activity monitors the behaviour of individuals in the EU; it doesn’t matter if the organization resides and processes data within the EU or not. Multi-national organizations across the world – from Australia to the United States – that collect EU subjects’ data will need to prepare for the new mandate. Additionally, as organizations collaborate and partner, GDPR holds them responsible for their data’s privacy even as it passes outside of their control. In effect, GDPR increases the number of stakeholders involved and the level of due diligence each party must perform to what can already be a complex web of relationships that span the globe.

    What is more, GDPR broadens the definition of ‘personal data’. Any piece of information that can be combined with another data point (or collection of data points) to identify an individual must be protected following GDPR’s mandates. Such a broad definition includes pieces of information such as online identifiers, genetic data or location metadata – data that organizations are unaccustomed to protecting. This will certainly impact how organizations protect their data currently and will affect how they do business while protecting this data going forward.

    For all of this data, GDPR asks that protection is by design as a default; that is data privacy must be a consideration from the moment an operation is conceived. Security in service of privacy must be incorporated into the very fabric and design of an organization and its operations as the default setting. Under GDPR, security is no longer an option; it is a requirement.

    GDPR’s penalties are severe. In the event of a breach, organizations will be required to notify both the supervisory authority in their jurisdiction and the customers whose data was affected. And, when breached data poses a risk to data subjects’ privacy, organizations will be subject to fines that have the potential to rise to as high as €20 million or 4% of annual worldwide profit – whichever is greater.

    The new penalty regime fundamentally changes the data security cost/benefit equation for any organization with a presence – real or virtual – in the EU.

    For as daunting as it may seem, you won’t have to face it alone. On this blog, we’ve already shared how to break the process into manageable chunks via our 6 step approach to tackling GDPR. Our experts go into these 6 steps – in partnership with ISC2 – in a joint webinar entitled “6 Steps To GDPR Compliance”. Over the next few weeks, we’ll dig deeper into topics such as the ‘Right to be Forgotten’, data integrity obligations, due diligence requirements, and more. Stay tuned to this blog each week for a new instalment in our GDPR series.

    That said, if you’re anxious to get started on your GDPR preparation, you can find more information, white papers and ebooks on GDPR compliance here: https://safenet.gemalto.com/gdpr

    View original article.

    GDPR Compliance in Six Steps

    August 7th, 2017

    In less than a year’s time, a radical change to data protection and legislation will come into effect in the EU – the General Data Protection Regulation (GDPR). Aiming to help protect EU citizens’ data, the regulation will ensure that businesses are held accountable to their customers. While companies in the US must declare any data breaches they experience, the same can’t be said for businesses operating within the EU until GDPR comes into effect and changes this. In short, this means the already large number of records lost or stolen in Europe could be considerably larger.

    With GDPR almost here, the data protection and privacy landscape of the EU is set to change in big ways. But how can a business ensure that it is compliant with the regulation, and how would they go about becoming compliant? Below are six steps every business should undertake:

    Step one – Get to grips with GDPR’s legal framework

    The first step that any business needs to take is to understand how each aspect of the legislation applies to them. By conducting a full audit against the GDPR legal framework, a business will need to understand what it needs to do and what the consequences for failing to do so are. As part of this compliance audit, a business should hire a Data Protection Officer (DPO), who will be responsible for ensuring the company adheres to the regulations. Ideally, a DPO would have a background in both law and technology, so they’re able to understand both the technical specifications and the regulatory framework needed to meet this. Every organisation is different, and so no GDPR journey will look the same – correct guidance from business leaders to employees is needed to ensure the whole company understands how to be compliant.

    Step two – Create a Data Register

    Once a business understands the steps they need to take, it’s important that they keep a record of the process. This is best done with a Data Register – essentially a GDPR diary. The Data Protection Association (DPA) of each country will enforce GDPR, and be responsible for judging if a business is compliant when determining any penalties for being breached. In this event, the Data Register will be a crucial tool for demonstrating the progress the affected business has made in becoming compliant. If they have no proof, the DPA would be able to fine between 2% and 4% of the company’s turnover. The amount and speed of the DPA’s decision would depend on the sensitivity of the data.

    Step three – Classify data

    While understanding what protections, if any, are already in place is important, this step focuses on helping businesses understand what data they need to protect and how that is being done. First, a business must locate any Personal Identifiable Information – information that can directly or indirectly identify someone – of EU citizens. It’s crucial to know where this is stored, who can access it, who it has been shared with etc. It can then determine which data is more vital to protect. In addition to this, it’s important to know who is responsible for controlling and processing the data, and making sure all the correct contracts are in place.

    Step four – Identify the top priorities

    Next, a business needs to evaluate how that classified data is being produced and protected. Regardless of how data is collected, the first priority should always be to protect the user’s privacy. Businesses should ask themselves if they need the sensitive data they have collected – this data is worth a lot to a hacker, and has the greatest risk of being stolen. Businesses should complete a Privacy Impact Assessment and Data Protection Impact Assessment of all security policies. When doing this, it’s important to keep the rights of EU citizens in mind, including restrictions of processing and data portability. In particular, any data third parties use to identify someone must be deleted if requested by that individual and approved by the EU. It’s crucial that all this data is correctly and promptly destroyed and can’t be accessed. This process is known as the “right to be forgotten”.

    Evaluating how the business protects this data comes next (for example, with encryption, tokenisation or pseudonymisation). The evaluation must explore: any historical data, the data being produced and any data that is backed up – either on-site or in the cloud. This data must be anonymised to protect the privacy and identities of the citizens it relates to. All data needs to be protected from the day it is generated to the day it is not needed.

    Step five – Document and assess any additional risks and processes

    Of course, there’s more to compliance than just protecting the most sensitive data – the next stage of the process is to assess and document any other risks, to discover any other processes or areas that might be vulnerable. While doing this, the business should update its Data Register, to show the DPA how they are addressing any existing risks. Only by doing this can a business demonstrate to the DPA that it is treating compliance and data protection seriously and with respect.

    Step six – Revisit and repeat

    Finally, the last step on the compliance journey focuses on revisiting the outcome of the previous steps and remediating any potential consequences, tweaking and updating where necessary. Once this is complete, businesses should evaluate their next priorities and repeat the process from step four.

    Moving forward, every decision, plan and application a business makes needs to have security at its forefront. This process is known as “privacy by design”, and ensures that any data that enters a business is located and protected from the moment it arrives. Any business that fails to demonstrate they have the right measures in place, or have at the very least begun the process of introducing them, will face severe fines and damage to its reputation. In less than a year, when businesses lose the ability to hide their data breaches, we’ll get a realistic picture of the state of cybersecurity in the EU.

    View the on-demand webinar on the same content.

    By Jan Smets, Data Security Expert at Gemalto, and qualified Data Protection Officer
    View the original article.

    New Research Report Reveals Trends and Tactics Used in Ransomware Demands

    July 21st, 2017

    Analysis of the psychology behind digital ransom notes, commissioned by SentinelOne, sheds light on the range of social engineering tactics used by cyber attackers.

    SentinelOne, the company transforming endpoint protection by delivering unified, multi-layer protection driven by machine learning and intelligent automation, has commissioned a new report examining ransomware ‘splash screens’ – the initial warning screens of ransomware attacks.

    The report “Exploring the Psychological Mechanisms used in Ransomware Splash Screens” by Dr. Lee Hadlington PhD(1), senior lecturer of cyberpsychology at De Montfort University, London, reveals how social engineering tactics are used by cyber criminals to manipulate and elicit payments from individuals. It provides analysis of the language, visuals and payment types from 76 splash screens, to highlight how key social engineering techniques – fear, authority, scarcity (or urgency) and humour – are exploited by cyber criminals in ransomware attacks.

    The report also examines the differing levels of sophistication on the part of the attackers and comes in the wake of recent global ransomware attacks which have struck both public sector and private organisations, causing massive disruption and costing businesses millions(2) in lost revenue.

    From the analysis of the splash screen samples, common trends highlighted include:

  • Time criticality: In over half the samples (57%), the ‘ticking clock’ device – in which a specific amount of time is given to pay a ransom – was used to create a sense of urgency and to persuade the victim to pay quickly. Deadlines given ranged from 10 hours to more than 96 hours.
  • Consequences: The most likely consequence given for not paying the demand or missing the deadline was that files would be deleted and the victim would not be able to access them. In other screens, threats were made to publish the locked files on the Internet.
  • The Customer Service Approach: 51% of splash screens included some aspect of customer service, such as instructions on how to buy Bitcoins (BTC) or presenting frequently asked questions (FAQs). One example offers victims the chance to ‘speak to a member of the team’.
  • Imagery: The research also examines the use of a variety of imagery, including official trademarks or emblems, such as the crest of the FBI, which instil the notion of authority and credibility to the request. One of the most prominent pop cultural images used was ‘Jigsaw’ – a character from the Saw horror movie series.
  • Payment: BTC was the preferred mechanism for payment; 75% of ransomware splash screens asked for payment in BTC. Over half the sample (55%) contained the ransom demand in the initial splash screen. The average amount asked for by attackers was 0.47 BTC ($1,164 USD).

    “We know that psychology plays a significant part in cyber crime – what’s been most interesting from this study is uncovering the various ways that key social engineering techniques are used to intimidate or influence victims,” said Hadlington. “With ransomware on the rise, it’s important that we improve our understanding of this aspect of the attack and how language, imagery and other aspects of the initial ransom demand are used to coerce victims.”

    “Although ransomware has leapt to the top of the public’s consciousness following recent attacks, what’s been less well documented is exactly how the criminals are manipulating their targets into paying up,” said Tony Rowan, chief security consultant at SentinelOne. “This report sheds light on the most common tactics used, with the aim that, through awareness, we are better placed to advise individuals and businesses how not to be duped by these criminals’ claims.”

    A copy of the full “Psychology of Digital Ransom Notes” report is available for download here.

    Notes for Editors

    1 Dr. Lee Hadlington PhD FHEA CPsychol AFBPsS, Senior Lecturer in Cyberpsychology and Chartered Psychologist, Psychology and Technology Research Group, De Montfort University, Leicester
    2 https://www.scmagazineuk.com/multinational-talks-of-100-mil-loss-as-petyanotpetya-leaves-its-mark/article/673198/

    MOBOTIX – Mx6 Camera Line is Complete

    July 20th, 2017

    MOBOTIX has introduced the new indoor models c26, i26, p26 and v26, thereby completing the successful Mx6 6MP camera line. The new, higher performing processor delivers up to twice as many images per second as before – at the same resolution. The video data is simultaneously offered in three formats (MxPEG, MJPEG and H.264), as well as in a range of different resolutions. RTSP/multicast makes the Mx6 cameras more flexible. All of the models come standard with intelligent motion detection directly on the camera, and thereby offer more capacity for additional software applications.

    More Power, Easily Integrated

    As with the Mx6 outdoor cameras, the Mx6 indoor models are now also available with a more powerful CPU as well as an H.264 encoder. The new processor architecture significantly increases the frame rate, which allows the cameras to do an even better job of capturing fast movements. Moreover, intelligent motion detection is integrated as standard, and more capacity is available on the camera for additional software applications. The new Mx6 camera system is far more flexible and higher performing, thanks to RTSP/multicast: the video stream can be displayed on multiple clients simultaneously without reducing the frame rate. Alongside the MxPEG video codec, which was specially developed for security applications, H.264 is available for the first time, ensuring compatibility with the industry standard. Depending on requirements, the focus can be set on high image quality with MxPEG, or the industry standard for video transmission and camera integration can be used. Moreover, Mx6 cameras also offer basic functions in keeping with ONVIF *, a global open interface standard. In this way, the new camera system opens up far more application and integration options for our partners and end customers. Regular software updates ensure that the performance of the Mx6 range continually improves, which in turn guarantees a maximum return on investment.

    “We will continue to remain true to our decentralised concept – storing maximum intelligence in a camera – and thereby offer solutions that go above and beyond traditional applications. At the same time, we are open to generally used technologies such as H.264 and participation in standard forums such as ONVIF. We do not consider these two parts of our approach to be in conflict with each other; instead, they help our range prepare for the future and stay solution-oriented,” explains MOBOTIX CTO Dr. Oliver Gabel.

    Flexibly Protect Interior Spaces

    With a diameter of only 12 centimetres and a weight of approximately 200 grams, the c26 is the smallest and lightest MOBOTIX 360° camera yet for fast ceiling mounting in suspended ceilings. The i26 is ideally suited for corresponding wall mounting, as it is just as compact and discreet. Thanks to its tilt angle of 15°, it provides a complete overview of the room and can thereby replace up to four conventional cameras. The p26 provides maximum flexibility during installation thanks to its manual swivel and tilt functions, and can also completely secure an entire room when it is installed in a corner area, thanks to its 90° lens. The v26 is the first vandalism indoor camera to also offer all MOBOTIX functions. Alongside the standard lenses, an on-wall audio set and suitable vandalism sets are available for optimum protection. All of the indoor models are fitted with 6-megapixel Moonlight sensors and deliver sharp, richly detailed videos, even under poor light conditions (>1 Lux).

    * ONVIF-ready; full Profile S support with future software update

    Palo Alto Networks Upholds Leadership Position in Gartner Magic Quadrant for Enterprise Network Firewalls

    July 17th, 2017

    Palo Alto Networks, the next-generation security company, today announced that it has again been recognised in the “Leaders” quadrant of the July 10, 2017 “Magic Quadrant for Enterprise Network Firewalls” by Gartner Inc.

    According to the report, “The Leaders quadrant contains vendors that build products that fulfil enterprise requirements. These requirements include a wide range of models, support for virtualization and virtual LANs, and a management and reporting capability that is designed for complex and high-volume environments, such as multi-tier administration and rule/policy minimization. A solid NGFW capability is an important element, as enterprises continue to move away from having dedicated IPS appliances at their perimeter and remote locations. Vendors in this quadrant lead the market in offering new features that protect customers from emerging threats, provide expert capability rather than treat the firewall as a commodity and have a good track record of avoiding vulnerabilities in their security products. Common characteristics include handling the highest throughput with minimal performance loss, offering options for hardware acceleration and offering form factors that protect enterprises as they move to new infrastructure form factors.”

    This marks the sixth consecutive time that Palo Alto Networks has been named a leader in the Magic Quadrant for Enterprise Firewalls, which evaluates vendors’ ability to execute and completeness of vision.

    QUOTE

    “We’re honoured to be recognised by Gartner as a Leader in the Magic Quadrant for Enterprise Network Firewalls. Our mission to protect our way of life in the digital age by preventing successful cyberattacks is enabled by our Next-Generation Security Platform, of which our firewall is a cornerstone. We believe this recognition for the sixth consecutive time validates that the advancements made to our next-generation firewall, including security consistency for public and private clouds, are addressing today’s toughest cybersecurity challenges.”
    – René Bonvanie, CMO, Palo Alto Networks

    Over 39,000 customers in over 150 countries have chosen Palo Alto Networks because of our deep expertise, unwavering commitment to innovation and breach prevention-oriented next-generation platform.

    To learn more about the Palo Alto Networks Next-Generation Security Platform, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform

    To learn more about the Palo Alto Networks Next-Generation Firewall, visit: https://www.paloaltonetworks.com/products/platforms/firewalls.html

    To read the complete report, visit: http://go.paloaltonetworks.com/gartner

    Scale Up Your Network with Clusters and Ruckus Wireless

    July 17th, 2017

    Whether managed on premises or by distributed services, networks serve as the information pipeline that ensures the day-to-day operation for nearly every business. As a business grows, so does the size of the network. The goal is to minimise capital expenditure (CAPEX) while meeting today’s needs and to maximise the investment to realise the best long-term total cost of ownership (TCO). In scaling a network to meet growing business demands, how do you retain value on purchased equipment without relegating existing components to obsolescence?

    One solution is “clustering.” By adding network controller capacity, you can still make use of your existing controller services. With a highly integrated base controller design architecture, this becomes a viable approach.

    There are two basic design options:

    Active-Passive – Where a secondary controller service simply monitors an active controller and is only activated upon failure of the primary controller. With this architecture, the value of the overall system is diluted, as the secondary controller is left idle for long periods of time. This design is also less responsive during recovery from controller failures.

    Active-Active – Where a number of controller services act collaboratively to sustain network reliability even upon failure of any one of the controller services. The TCO of this option is much lower because all units are active and recoveries are virtually seamless.

    Active-Active clustering is a straightforward option for expanding network capacity. It provides the highest level of reliability for wireless networks and delivers additional key benefits:

    • Because there are multiple controllers within the cluster, a “single-pane-of-glass” interface simplifies network management.
    • Geographic redundancy can isolate localised controller failure scenarios and increase the overall reliability.
    • Support for both appliance and virtual deployment options has a direct impact on CAPEX and overall network capacity when you select a cluster solution.
    • “Cluster balancing” is a smart way to optimise utilisation of each cluster element.
    • Client license management across a cluster is generally flexible and not bound to any single controller.

    When making an architectural decision on a WLAN solution, selecting one that meets your needs today and in the future without increasing IT overhead is your best bet. Ruckus SmartZone products provide flexible, reliable and scalable “clustering” solutions that meet the needs of fast-growing businesses like yours.

    Link: Ruckus SmartZone

    View original article by: Richard Watson, Product Marketing Manager

    Gemalto research reveals businesses overly confident about keeping hackers at bay, but less so about keeping data safe

    July 12th, 2017

    Despite the increasing number of data breaches and nearly 1.4 billion data records being lost or stolen in 2016 (source: Breach Level Index), the vast majority of IT professionals still believe perimeter security is effective at keeping unauthorised users out of their networks. However, companies are under-investing in technology that adequately protects their business, according to the findings of the fourth-annual Data Security Confidence Index released today by Gemalto (Euronext NL0000400653 GTO), the world leader in digital security.

    Surveying 1,050 IT decision makers worldwide, businesses feel that perimeter security is keeping them safe, with most (94%) believing that it is quite effective at keeping unauthorised users out of their network. However, 65% are not extremely confident their data would be protected, should their perimeter be breached, a slight decrease on last year (69%). Despite this, nearly six in 10 (59%) organisations report that they believe all their sensitive data is secure.

    Perimeter security is the focus, but understanding of technology and data security is lacking

    Many businesses are continuing to prioritise perimeter security without realising it is largely ineffective against sophisticated cyberattacks. According to the research findings, 76% said their organisation had increased investment in perimeter security technologies such as firewalls, IDPS, antivirus, content filtering and anomaly detection to protect against external attackers. Despite this investment, two-thirds (68%) believe that unauthorised users could access their network, rendering their perimeter security ineffective.

    These findings suggest a lack of confidence in the solutions used, especially when over a quarter (28%) of organisations have suffered perimeter security breaches in the past 12 months. The reality of the situation worsens when considering that, on average, only 8% of data breached was encrypted.

    Businesses’ confidence is further undermined by over half of respondents (55%) not knowing where their sensitive data is stored. In addition, over a third of businesses do not encrypt valuable information such as payment (32%) or customer (35%) data. This means that, should the data be stolen, a hacker would have full access to this information, and can use it for crimes including identity theft, financial fraud or ransomware.

    “It is clear that there is a divide between organisations’ perceptions of the effectiveness of perimeter security and the reality,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “By believing that their data is already secure, businesses are failing to prioritise the measures necessary to protect their data. Businesses need to be aware that hackers are after a company’s most valuable asset – data. It’s important to focus on protecting this resource, otherwise, reality will inevitably bite those that fail to do so.”

    Most Businesses are unprepared for GDPR

    With the General Data Protection Regulation (GDPR) becoming enforceable in May 2018, businesses must understand how to comply by properly securing personal data to avoid the risk of administrative fines and reputational damage. However, over half of respondents (53%) say they do not believe they will be fully compliant with GDPR by May next year. With less than a year to go, businesses must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies.

    Hart continues, “Investing in Cybersecurity has clearly become more of a focus for businesses in the last 12 months. However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don’t improve their cybersecurity will face severe legal, financial and reputational consequences.”

    About the survey

    Independent technology market research specialist Vanson Bourne surveyed 1,050 IT decision makers across the US, UK, France, Germany, India, Japan, Australia, Brazil, Benelux, the Middle East and South Africa on behalf of Gemalto. The sample was split between Manufacturing, Healthcare, Financial Services, Government, Telecoms, Retail, Utilities, Consultation and Real Estate, Insurance and Legal, IT and other sectors, from organisations with 250 to more than 5,000 employees.

    Original article published by Gemalto.

    Frost & Sullivan Recognises Gemalto for Leadership in Encryption and Data Protection

    July 7th, 2017

    Gemalto has been awarded the Frost & Sullivan 2017 Encryption and Data Protection Technology Leadership Award(1). Frost & Sullivan analysts independently evaluated Gemalto’s SafeNet data protection and encryption solutions, in particular the commercial success, growth potential, operational efficiency, and benefits provided to customers.

    Each year, Frost & Sullivan recognises companies across different industries based on their excellence in technology and innovation. Gemalto was selected based on the following attributes:

    • A unique position in the market based on an extensive portfolio and the variety of use cases and customers
    • Strong expertise in creating versatile and flexible solutions that support a variety of deployment environments
    • Quality of solutions and the company’s positive brand recognition
    • Commitment to research and development driving innovation in the industry

    “Gemalto’s vision for data protection guarantees a tailored, scalable, centralized-IT-service solution for organisations needing efficiency, without an overhaul of their existing security systems,” said Frost & Sullivan Research Analyst Danielle VanZandt. “Companies can standardise encryption and data protection breaking down internal silos achieving greater collaboration and visibility between departments.”

    “This award highlights our ability to provide customers with a simple, consolidated method of enterprise-wide data protection. The single pane of glass alleviates the burden of monitoring operations across multiple security platforms and simplifies the execution of internal data security policies,” said Todd Moore, Senior Vice President of Encryption Products at Gemalto. “When preparing for an internal or external audit, a centrally managed system helps organisations quickly demonstrate their level of compliance without the hassle of collecting information across different systems.”

    Gemalto’s portfolio of SafeNet data encryption and key management solutions ensures sensitive information remains secure wherever it resides, from the cloud and data centre to the network. Additionally, Gemalto speeds up deployment timelines by supporting a variety of digital and cloud environments, integrating with over 700 solutions across more than 240 different ecosystem partners. For more information on the solutions evaluated by Frost & Sullivan analysts, download the report.

    Additional resources:
    Gemalto SafeNet Data Protection
    Whitepaper: Own and Manage Your Encryption Keys
    Encrypt Everything

    1 Frost & Sullivan Best Practices Awards recognise companies in a variety of regional and global markets for demonstrating outstanding achievement and superior performance in areas such as leadership, technological innovation, customer service, and strategic product development. Industry analysts compare market participants and measure performance through in-depth interviews, analysis, and extensive secondary research to identify best practices in the industry.

    View original article by Gemalto.

    Tips for Gamifying Your Cybersecurity Education and Awareness Programs

    July 6th, 2017

    Employees are fast becoming the weakest link in the defence against cybercriminals. Sometimes common sense can only go so far, as you need to make sure that best practices around security don’t go in one ear and out the other. Whether through innocent mistakes or because they were targeted for their access to sensitive information, employee error can easily open the door to malware or information theft.

    Successful attacks often involve poor processes and exploit human tendencies. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Pure compliance-driven approaches have proven to be ineffective for organisations when used for employee security training, usually because the material isn’t interesting or personal enough to capture employees’ imaginations. Businesses should focus on educating employees about how to protect their personal data, thereby encouraging employees to enact further security-orientated practices in the workplace.

    Employee training may take different forms, including the increasing practice of “gamifying” cybersecurity education programs. Gamification is the process of using gaming mechanics in a non-gaming context, leveraging what is exciting about games and applying it to other types of activities that may not be so fun. Designed with elements of competition and reward, gamification programs are becoming popular because they can be used in a variety of industries.

    Many businesses currently use gamification in such areas as customer engagement, and employee education and training to drive performance and motivation. Gaming elements include one-on-one competitions, rewards programs, and more.

    There are two key ways business owners can use gamification as a way of addressing cybersecurity in their organisation:

    1. Make training more exciting and engaging for employees

    Using gamification can help businesses improve their cybersecurity in numerous ways, including showing employees how to avoid cyberattacks and learning about vulnerabilities in software.

    Global consulting firm PwC teaches cybersecurity through its Game of Threats. [1] Executives compete against each other in real-world cybersecurity situations, playing as either attackers or defenders. Attackers choose the tactics, methods, and skills of attack, while defenders develop defence strategies and invest in the right technologies and talent to respond to the attack. The game gives executives an understanding of how to prepare for and react to threats, how well-prepared the company is, and what their cybersecurity teams face each day.

    Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly.

    2. Offer incentives and rewards to encourage desired behaviours

    Human error is responsible for most security breaches, with employees feeling pressured to complete work by certain deadlines and as quickly as possible, which can result in them overlooking important company policy regarding security.

    For example, running so-called PhishMe campaigns can be a great way to train employees on better email security. These include regular phishing emails sent across the organisation, testing the staff’s response and action.

    Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour. This may take the form of employees receiving a badge or recording points, which are then displayed on a scoreboard for the office to follow. In some organisations, after employees reach specific milestones, they are presented with a material reward, such as a gift voucher.

    This system also allows for the identification of those who display poor behaviour within gamification and may result in the employee needing to complete further cybersecurity training. Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to undertake safe practices and resulting in a more cyber-secure working environment.

    At the heart of any security awareness training is education to teach employees a shared sense of responsibility for the data they work with, and the data they create and use at home. All security awareness campaigns should become part of an ongoing process, not a one-time initiative. Leaders of any business, big or small, can sometimes feel they lack the resources needed to drive an effective cybersecurity education campaign, but this can be done without breaking the bank.

    • Visual aids work well. Start with some small videos, posters and/or contests as a reminder to drive the message home for all to understand that security is everyone’s responsibility.
    • ‘Fear of God’ tactics do not work. The business goal should be to build a culture of cyber awareness, so treat this like a marketing campaign with the intent to persuade and change the behaviour of an employee.
    • Short and concise work best. Long emails always get ignored. Keep them short and fun, and ALWAYS ensure it is a top-down approach. Employees look up to their leaders. If the leaders do not embody a cyber-secure culture, why should the employees? The aim is to educate employees about best practices, not force them to be cybersecurity experts. Make it fun and have a laugh, so everyone can learn at the same time.
    • Reinforcement and follow-up are key. Training is a constant; learn from what works and re-educate as needed. Re-test your newly onboarded, as well as existing, staff members on whether they fall for a phishing email, and check to see how many employees still fail to recognise a fake email. Encourage communication to report a fake and call out departmental groups that may be lagging. The aim is not to single people out, but rather create some healthy rivalry within the organisation.

    Eliminating cyber risks in any business is an ongoing process, but it can be managed. We need to foster a way for employees to call out where they question something and re-educate as needed. If employees walk away from the security awareness program questioning before they click on something malicious, you have moved the needle towards being more secure.

    [1] https://www.pwc.com/us/en/financial-services/cybersecurity-privacy/game-of-threats.html

    Original article published by Palo Alto Networks.


    A deeper dive into GDPR: Right to be forgotten?

    August 17th, 2017

    Last week we went over the changes that set GDPR apart from other mandates and data privacy legislation. One aspect of GDPR that has received a lot of attention is the ‘Right to be Forgotten’, which is outlined in Article 17, entitled “Right to Erasure (‘right to be forgotten’)”. It states:

    “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

    (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    (d) the personal data have been unlawfully processed;
    (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).”

    In plain English this means that organisations need to fully erase a subject’s data from all repositories when that person revokes their consent; when the purpose for which the data was collected is complete; or when compelled by the law.

    It is worth noting that this is not an absolute requirement and subjects do not have an unconditional right to be ‘forgotten’. If there are other legitimate, legal reasons – as outlined in the regulation – for the organisation to retain and process data, subjects are not entitled to be forgotten. However, exceptions are few compared to the multitude of data uses common in our daily lives.

    So, in the spirit of GDPR, how do organisations ensure that data is deleted from all of the places where it is stored or processed? Full data erasure isn’t a straightforward proposition. Using a standard delete function doesn’t always fully remove data: while the file may no longer appear in directory listings or indexes, the underlying data is often still recoverable. In these instances, despite best efforts, simply hitting ‘delete’ doesn’t achieve GDPR compliance. To complicate the issue, in 21st century business data is shared constantly between suppliers, partners, resellers and customers. When consent is revoked or a contract comes to term, how does an organisation guarantee that data is adequately deleted by all of these different players?

    Encryption is one way to ensure that data is unusable, satisfying GDPR’s erasure obligation. Encryption transforms data using a secret key under a defined algorithm so that the result is unreadable without that key. The only way to return encrypted data to a readable state is to supply the same key that was used to encrypt it. If that key is deleted, the data can no longer be decrypted back into a readable form. When it comes to GDPR’s ‘right to be forgotten’, encrypting data and then deleting the key (also known as cryptographically erasing the data) is both an effective and convenient solution.

    Such an approach gives organisations quite a bit of flexibility in deciding how to meet this obligation. Encryption is the kind of tool that organisations can apply at different levels of the data’s flow from creation to rest. If it were as simple as deleting a file, an organisation could use a file system-level solution to encrypt the file and delete the key. On a larger scale, say at the end of a project, an organisation could encrypt an entire database column – say of social security numbers, usernames, or family names – and delete the key. More advanced developers could even incorporate encryption into their applications and then delete the keys that the application uses. In any scenario, policy-based access controls allow organisations to finely tune their approach to data deletion for greater confidence in their approach to GDPR compliance. The permutations are many, but the fundamentals are the same.
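    A worked illustration of the cryptographic erasure described above, added here and not part of the original article or any Gemalto product: each data subject gets its own data-encryption key, rows hold only ciphertext, and an erasure request is honoured by destroying that one key, which also renders the copy held by a partner unreadable. The stand-in cipher, the `KeyStore` and `RecordStore` classes and all function names are assumptions of this example.

```python
"""Cryptographic erasure ("crypto-shredding") of one data subject's records.

Each subject gets its own data-encryption key (DEK); rows hold only ciphertext.
Destroying the DEK makes every copy of the row (replicas, backups, partner
exports) unreadable at once, so erasure means deleting one key, not chasing
every copy of the data. Stdlib-only stand-in cipher (HMAC-SHA256 as a PRF in
counter mode, encrypt-then-MAC) so the demo runs offline; a real deployment
would use AES-GCM from a vetted library and keep DEKs in an HSM or KMS.
"""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 digest size

def _subkeys(dek: bytes) -> tuple:
    """Derive independent encryption and MAC keys from the DEK."""
    return (hmac.new(dek, b"enc", hashlib.sha256).digest(),
            hmac.new(dek, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(dek)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(dek: bytes, blob: bytes) -> bytes:
    """Verify the tag, then remove the keystream. Wrong key -> ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated ciphertext")
    enc_key, mac_key = _subkeys(dek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyStore:
    """Per-subject DEKs; hypothetical stand-in for an HSM/KMS. Destroying a key
    must also purge key backups, or nothing is forgotten; ciphertext backups may stay."""

    def __init__(self) -> None:
        self._keys = {}

    def create(self, subject_id: str) -> bytes:
        self._keys[subject_id] = secrets.token_bytes(32)
        return self._keys[subject_id]

    def get(self, subject_id: str) -> Optional[bytes]:
        return self._keys.get(subject_id)

    def destroy(self, subject_id: str) -> bool:
        """Delete the DEK; False if there was nothing to delete."""
        return self._keys.pop(subject_id, None) is not None

class RecordStore:
    """Rows of {column: ciphertext}; 'replica' mimics a copy held by a partner."""

    def __init__(self) -> None:
        self.rows, self.replica = {}, {}

    def put(self, subject_id: str, row: dict) -> None:
        self.rows[subject_id] = row
        self.replica[subject_id] = dict(row)  # copy outside our control

def store_subject(keys: KeyStore, db: RecordStore, subject_id: str, fields: dict) -> None:
    """Encrypt every column of a constructed record under the subject's own DEK."""
    dek = keys.create(subject_id)
    db.put(subject_id, {col: encrypt(dek, val.encode()) for col, val in fields.items()})

def read_subject(keys: KeyStore, db: RecordStore, subject_id: str) -> Optional[dict]:
    """Decrypt a row; None once the subject's DEK has been destroyed."""
    dek = keys.get(subject_id)
    if dek is None:
        return None
    return {col: decrypt(dek, ct).decode() for col, ct in db.rows[subject_id].items()}

def forget_subject(keys: KeyStore, subject_id: str) -> bool:
    """Honour an Article 17 request: destroy the DEK, leave ciphertext in place."""
    return keys.destroy(subject_id)

def replica_readable(db: RecordStore, subject_id: str, dek: bytes) -> bool:
    """Can the copy we do not control be decrypted with this key?"""
    try:
        return all(decrypt(dek, ct) is not None for ct in db.replica[subject_id].values())
    except ValueError:
        return False
```

    Note the last check in the example: a DEK that survives in a key backup or was leaked still unlocks every copy, which is why the key store, not the data store, is the asset whose deletion must be complete.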

    As organisations consider their GDPR needs, they should place them in the context of their larger security needs. Adopting one-off encryption solutions to address discrete challenges is the quickest way to end up with a collection of burdensome security silos that complicate ongoing management. Encryption is the tool that works on the data, but an organisation’s key management apparatus will eventually be the key (pun fully intended) to future security and compliance success. In choosing an encryption and key management vendor, organisations should consider the solutions currently in place in their data centre, their existing needs, and their future needs in order to find a solution set that will grow with them.

    The ‘right to be forgotten’ isn’t as daunting a requirement as it may seem at first glance. A thoughtful use of encryption can help organisations respect data subjects’ wishes and preserve privacy in any scenario. Next week we’ll return to the pages of this blog to take a look at GDPR’s data control and integrity requirements. Stay tuned!

    For additional information on GDPR, check out The General Data Protection Regulation ebook.

    View original article by Gemalto.

    A deeper dive into GDPR: What makes it different?

    August 10th, 2017

    Taking effect in May 2018, the Data Protection Regulation, also known as GDPR, sets a new standard for data privacy and security across the European Union (EU). Much has been made of the law establishing data privacy as a fundamental right, and of its governance and security requirements.

    Over the course of the next few weeks, we will be taking an in-depth look at the mandate’s articles and offering insight into how you can comply.

    Today let’s take a look at what sets GDPR apart from other standards and regulations, namely its expanded scope and reach.

    GDPR will affect any organization that offers goods or services, or whose activity monitors the behaviour of individuals in the EU; it doesn’t matter if the organization resides and processes data within the EU or not. Multi-national organizations across the world – from Australia to the United States – that collect EU subjects’ data will need to prepare for the new mandate. Additionally, as organizations collaborate and partner, GDPR holds them responsible for their data’s privacy even as it passes outside of their control. In effect, GDPR increases the number of stakeholders involved and the level of due diligence each party must perform to what can already be a complex web of relationships that span the globe.

    What is more, GDPR broadens the definition of ‘personal data’. Any piece of information that can be combined with another data point (or collection of data points) to identify an individual must be protected following GDPR’s mandates. Such a broad definition includes pieces of information such as online identifiers, genetic data or location metadata – data that organizations are unaccustomed to protecting. This will certainly impact how organizations protect their data currently and will affect how they do business while protecting this data going forward.

    For all of this data, GDPR asks that protection is by design as a default; that is data privacy must be a consideration from the moment an operation is conceived. Security in service of privacy must be incorporated into the very fabric and design of an organization and its operations as the default setting. Under GDPR, security is no longer an option; it is a requirement.

    GDPR’s penalties are severe. In the event of a breach, organizations will be required to notify both the supervisory authority in their jurisdiction and the customers whose data was affected. And, when breached data poses a risk to data subjects’ privacy, organizations will be subject to fines that have the potential to rise to as high as €20 million or 4% of annual worldwide profit – whichever is greater.

    The new penalty regime fundamentally changes the data security cost/benefit equation for any organization with a presence – real or virtual – in the EU.

    For as daunting as it may seem, you won’t have to face it alone. On this blog, we’ve already shared how to break the process into manageable chunks via our 6 step approach to tackling GDPR. Our experts go into these 6 steps – in partnership with ISC2 – in a joint webinar entitled “6 Steps To GDPR Compliance”. Over the next few weeks, we’ll dig deeper into topics such as the ‘Right to be Forgotten’, data integrity obligations, due diligence requirements, and more. Stay tuned to this blog each week for a new instalment in our GDPR series.

    That said, if you’re anxious to get started on your GDPR preparation, you can find more information, white papers and ebooks on GDPR compliance here: https://safenet.gemalto.com/gdpr

    View original article.

    GDPR Compliance in Six Steps

    August 7th, 2017

    In less than a year’s time, a radical change to data protection and legislation will come into effect in the EU – the General Data Protection Regulation (GDPR). Aiming to help protect EU citizens’ data, the regulation will ensure that businesses are held accountable to their customers. While companies in the US must declare any data breaches they experience, the same can’t be said for businesses operating within the EU until GDPR comes into effect and changes this. In short, this means the already large number of records lost or stolen in Europe could be considerably larger.

    With GDPR almost here, the data protection and privacy landscape of the EU is set to change in big ways. But how can a business ensure that it is compliant with the regulation, and how would they go about becoming compliant? Below are six steps every business should undertake:

    Step one – Get to grips with GDPR’s legal framework

    The first step that any business needs to take is to understand how each aspect of the legislation applies to them. By conducting a full audit against the GDPR legal framework, a business will need to understand what it needs to do and what the consequences for failing to do so are. As part of this compliance audit, a business should hire a Data Protection Officer (DPO), who will be responsible for ensuring the company adheres to the regulations. Ideally, a DPO would have a background in both law and technology, so they’re able to understand both the technical specifications and the regulatory framework needed to meet this. Every organisation is different, and so no GDPR journey will look the same – correct guidance from business leaders to employees is needed to ensure the whole company understands how to be compliant.

    Step two – Create a Data Register

    Once a business understands the steps they need to take, it’s important that they keep a record of the process. This is best done with a Data Register – essentially a GDPR diary. The Data Protection Association (DPA) of each country will enforce GDPR, and be responsible for judging if a business is compliant when determining any penalties for being breached. In this event, the Data Register will be a crucial tool for demonstrating the progress the affected business has made in becoming compliant. If they have no proof, the DPA would be able to fine between 2% and 4% of the company’s turnover. The amount and speed of the DPA’s decision would depend on the sensitivity of the data.

    Step three – Classify data

    While understanding what protections, if any, are already in place is important, this step focuses on helping businesses understand what data they need to protect and how that is being done. First, a business must locate any Personally Identifiable Information – information that can directly or indirectly identify someone – of EU citizens. It’s crucial to know where this is stored, who can access it, with whom it has been shared, and so on. It can then determine which data is more vital to protect. In addition to this, it’s important to know who is responsible for controlling and processing the data, and to make sure all the correct contracts are in place.

    Step four – Identify the top priorities

    Next, a business needs to evaluate how that classified data is being produced and protected. Regardless of how data is collected, the first priority should always be to protect the user’s privacy. Businesses should ask themselves if they need the sensitive data they have collected – this data is worth a lot to a hacker, and has the greatest risk of being stolen. Businesses should complete a Privacy Impact Assessment and Data Protection Impact Assessment of all security policies. When doing this, it’s important to keep the rights of EU citizens in mind, including restrictions of processing and data portability. In particular, any data third parties use to identify someone must be deleted if requested by that individual and approved by the EU. It’s crucial that all this data is correctly and promptly destroyed and can’t be accessed. This process is known as the “right to be forgotten”.

    Evaluating how the business protects this data comes next (for example, with encryption, tokenisation or pseudonymisation). The evaluation must explore any historical data, the data being produced and any data that is backed up – either on-site or in the cloud. This data must be anonymised to protect the privacy and identities of the citizens it relates to. All data needs to be protected from the day it is generated to the day it is no longer needed.

    Step five – Document and assess any additional risks and processes

    Of course, there’s more to compliance than just protecting the most sensitive data – the next stage of the process is to assess and document any other risks, to discover any other processes or areas that might be vulnerable. While doing this, the business should update its Data Register, to show the DPA how they are addressing any existing risks. Only by doing this can a business demonstrate to the DPA that it is treating compliance and data protection seriously and with respect.

    Step six – Revisit and repeat

    Finally, the last step on the compliance journey focuses on revisiting the outcome of the previous steps and remediating any potential consequences, tweaking and updating where necessary. Once this is complete, businesses should evaluate their next priorities and repeat the process from step four.

    Moving forward, every decision, plan and application a business makes needs to have security at its forefront. This process is known as “privacy by design”, and ensures that any data that enters a business is located and protected from the moment it arrives. Any business that fails to demonstrate it has the right measures in place, or has at the very least begun the process of introducing them, will face severe fines and damage to its reputation. In less than a year, when businesses lose the ability to hide their data breaches, we’ll get a realistic picture of the state of cybersecurity in the EU.

    View the on-demand webinar on the same content.

    By Jan Smets, Data Security Expert at Gemalto, and qualified Data Protection Officer
    View the original article.

    New Research Report Reveals Trends and Tactics Used in Ransomware Demands

    July 21st, 2017

    Analysis of the psychology behind digital ransom notes, commissioned by SentinelOne, sheds light on the range of social engineering tactics used by cyber attackers.

    SentinelOne, the company transforming endpoint protection by delivering unified, multi-layer protection driven by machine learning and intelligent automation, has commissioned a new report examining ransomware ‘splash screens’ – the initial warning screens of ransomware attacks.

    The report “Exploring the Psychological Mechanisms used in Ransomware Splash Screens” by Dr. Lee Hadlington PhD,[1] senior lecturer of cyberpsychology at De Montfort University, London, reveals how social engineering tactics are used by cyber criminals to manipulate and elicit payments from individuals. It provides analysis of the language, visuals and payment types from 76 splash screens, to highlight how key social engineering techniques – fear, authority, scarcity (or urgency) and humour – are exploited by cyber criminals in ransomware attacks.

    The report also examines the differing levels of sophistication on the part of the attackers and comes in the wake of recent global ransomware attacks which have struck both public sector and private organisations, causing massive disruption and costing businesses millions[2] in lost revenue.

    From the analysis of the splash screen samples, common trends highlighted include:

  • Time criticality: In over half the samples (57%), the ‘ticking clock’ device – in which a specific amount of time is given to pay a ransom – was used to create a sense of urgency and to persuade the victim to pay quickly. Deadlines given ranged from 10 hours to more than 96 hours.
  • Consequences: The most likely consequence given for not paying the demand or missing the deadline was that files would be deleted and the victim would not be able to access them. In other screens, threats were made to publish the locked files on the Internet.
  • The Customer Service Approach: 51% of splash screens included some aspect of customer service, such as instructions on how to buy Bitcoins (BTC) or presenting frequently asked questions (FAQs). One example offers victims the chance to ‘speak to a member of the team’.
  • Imagery: The research also examines the use of a variety of imagery, including official trademarks or emblems, such as the crest of the FBI, which instil the notion of authority and credibility to the request. One of the most prominent pop cultural images used was ‘Jigsaw’ – a character from the Saw horror movie series.
  • Payment: BTC was the preferred mechanism for payment; 75% of ransomware splash screens asked for payment in BTC. Over half the sample (55%) contained the ransom demand in the initial splash screen. The average amount asked for by attackers was 0.47 BTC ($1,164 USD).

    “We know that psychology plays a significant part in cyber crime – what’s been most interesting from this study is uncovering the various ways that key social engineering techniques are used to intimidate or influence victims,” said Hadlington. “With ransomware on the rise, it’s important that we improve our understanding of this aspect of the attack and how language, imagery and other aspects of the initial ransom demand are used to coerce victims.”

    “Although ransomware has leapt to the top of the public’s consciousness following recent attacks, what’s been less well documented is exactly how the criminals are manipulating their targets into paying up,” said Tony Rowan, chief security consultant at SentinelOne. “This report sheds light on the most common tactics used, with the aim that, through awareness, we are better placed to advise individuals and businesses how not to be duped by these criminals’ claims.”

    A copy of the full “Psychology of Digital Ransom Notes” report is available for download here.

    Notes for Editors

    [1] Dr. Lee Hadlington PhD FHEA CPsychol AFBPsS, Senior Lecturer in Cyberpsychology and Chartered Psychologist, Psychology and Technology Research Group, De Montfort University, Leicester
    [2] https://www.scmagazineuk.com/multinational-talks-of-100-mil-loss-as-petyanotpetya-leaves-its-mark/article/673198/

    MOBOTIX – Mx6 Camera Line is Complete

    July 20th, 2017


    MOBOTIX has introduced the new indoor models c26, i26, p26 and v26, thereby completing the successful Mx6 6MP camera line. The new, higher performing processor delivers up to twice as many images per second as before – at the same resolution. The video data is simultaneously offered in three formats (MxPEG, MJPEG and H.264), as well as in a range of different resolutions. RTSP/multicast makes the Mx6 cameras more flexible. All of the models come standard with intelligent motion detection directly on the camera, and thereby offer more capacity for additional software applications.

    More Power, Easily Integrated

    As with the Mx6 outdoor cameras, now Mx6 indoor models are also available with a more powerful CPU as well as an H.264 encoder. The new processor architecture significantly increases the frame rate, which allows the cameras to do an even better job of capturing fast movements. Moreover, intelligent motion detection is integrated as a standard, and more capacity is available on the camera for additional software applications. The new Mx6 camera system is far more flexible and higher performing, thanks to RTSP/Multicast. The video stream can be displayed on multiple clients simultaneously without reducing the frame rate. Alongside the MxPEG video codec, which was specially developed for security applications, H.264 is available for the first time, ensuring compatibility with the industry standard. Depending on requirements, the focus can be set on high image quality with MxPEG, or the industry standard for video transmission and camera integration can be used. Moreover, Mx6 cameras also offer basic functions in keeping with ONVIF *, a global open interface standard. In this way, the new camera system opens up far more application and integration options for our partners and end customers. Regular software updates ensure that the performance of the Mx6 range continually improves, which in turn guarantees a maximum return on investment.

    “We will continue to remain true to our decentralised concept – storing maximum intelligence in a camera – and thereby offer solutions that go above and beyond traditional applications. At the same time, we are open to generally used technologies such as H.264 and participation in standard forums such as ONVIF. We do not consider these two parts of our approach to be in conflict with each other; instead, they help our range prepare for the future and stay solution-oriented,” explains MOBOTIX CTO Dr. Oliver Gabel.

    Flexibly Protect Interior Spaces

    With a diameter of only 12 centimetres and a weight of approximately 200 grams, the c26 is the smallest and lightest MOBOTIX 360° camera yet for fast ceiling mounting in suspended ceilings. The i26 is ideally suited for corresponding wall mounting, as it is just as compact and discreet. Thanks to its tilt angle of 15°, it provides a complete overview of the room and can thereby replace up to four conventional cameras. The p26 provides maximum flexibility during installation thanks to its manual swivel and tilt functions, and can also completely secure an entire room when it is installed in a corner area, thanks to its 90° lens. The v26 is the first vandalism indoor camera to also offer all MOBOTIX functions. Alongside the standard lenses, an on-wall audio set and suitable vandalism sets are available for optimum protection. All of the indoor models are fitted with 6-megapixel Moonlight sensors and deliver sharp, richly detailed videos, even under poor light conditions (>1 Lux).

    * ONVIF-ready; full Profile S support with future software update

    Palo Alto Networks Upholds Leadership Position in Gartner Magic Quadrant for Enterprise Network Firewalls

    July 17th, 2017

    Palo Alto Networks, the next-generation security company, today announced that it has again been recognised in the “Leaders” quadrant of the July 10, 2017 “Magic Quadrant for Enterprise Network Firewalls” by Gartner Inc.

    According to the report, “The Leaders quadrant contains vendors that build products that fulfil enterprise requirements. These requirements include a wide range of models, support for virtualization and virtual LANs, and a management and reporting capability that is designed for complex and high-volume environments, such as multi-tier administration and rule/policy minimization. A solid NGFW capability is an important element, as enterprises continue to move away from having dedicated IPS appliances at their perimeter and remote locations. Vendors in this quadrant lead the market in offering new features that protect customers from emerging threats, provide expert capability rather than treat the firewall as a commodity and have a good track record of avoiding vulnerabilities in their security products. Common characteristics include handling the highest throughput with minimal performance loss, offering options for hardware acceleration and offering form factors that protect enterprises as they move to new infrastructure form factors.”

    This marks the sixth consecutive time that Palo Alto Networks has been named a leader in the Magic Quadrant for Enterprise Firewalls, which evaluates vendors’ ability to execute and completeness of vision.

    QUOTE

    “We’re honoured to be recognised by Gartner as a Leader in the Magic Quadrant for Enterprise Network Firewalls. Our mission to protect our way of life in the digital age by preventing successful cyberattacks is enabled by our Next-Generation Security Platform, of which our firewall is a cornerstone. We believe this recognition for the sixth consecutive time validates that the advancements made to our next-generation firewall, including security consistency for public and private clouds, are addressing today’s toughest cybersecurity challenges.”
    – René Bonvanie, CMO, Palo Alto Networks

    Over 39,000 customers in over 150 countries have chosen Palo Alto Networks because of our deep expertise, unwavering commitment to innovation and breach prevention-oriented next-generation platform.

    To learn more about the Palo Alto Networks Next-Generation Security Platform, visit: https://www.paloaltonetworks.com/products/designing-for-prevention/security-platform

    To learn more about the Palo Alto Networks Next-Generation Firewall, visit: https://www.paloaltonetworks.com/products/platforms/firewalls.html

    To read the complete report, visit: http://go.paloaltonetworks.com/gartner

    Scale Up Your Network with Clusters and Ruckus Wireless

    July 17th, 2017

    Whether managed on premises or by distributed services, networks serve as the information pipeline that ensures the day-to-day operation for nearly every business. As a business grows, so does the size of the network. The goal is to minimise capital expenditure (CAPEX) while meeting today’s needs and to maximise the investment to realise the best long-term total cost of ownership (TCO). In scaling a network to meet growing business demands, how do you retain value on purchased equipment without relegating existing components to obsolescence?

    One solution is “clustering.” By adding network controller capacity, you can still make use of your existing controller services. With a highly integrated base controller design architecture, this becomes a viable approach.

    There are two basic design options:

    Active-Passive – Where a secondary controller service simply monitors an active controller and is only activated upon failure of the primary controller. With this architecture, the value of the overall system is diluted, as the secondary controller is left idle for long periods of time. This design is also less responsive during recovery from controller failures.

    Active–Active – Where a number of controller services act collaboratively to sustain network reliability even upon failure of any one of the controller services. The TCO of this option is much lower because all units are active and recoveries are virtually seamless.

    Active-Active clustering is a straightforward option for expanding network capacity. It provides the highest level of reliability for wireless networks and delivers additional key benefits:

    • Because there are multiple controllers within the cluster, a “single-pane-of-glass” interface simplifies network management.
    • Geographic redundancy can isolate localised controller failure scenarios and increase the overall reliability.
    • Support for both appliance and virtual deployment options has a direct impact on CAPEX and overall network capacity when you select a cluster solution.
    • “Cluster balancing” is a smart way to optimise utilisation of each cluster element.
    • Client licence management across a cluster is generally flexible and not bound to any single controller.

    When making an architectural decision on a WLAN solution, selecting one that meets your needs today and in the future without increasing IT overhead is your best bet. Ruckus SmartZone products provide flexible, reliable and scalable “clustering” solutions that meet the needs of fast-growing businesses like yours.

    Link: Ruckus SmartZone

    View original article by: Richard Watson, Product Marketing Manager

    Gemalto research reveals businesses overly confident about keeping hackers at bay, but less so about keeping data safe

    July 12th, 2017

    Despite the increasing number of data breaches and nearly 1.4 billion data records being lost or stolen in 2016 (source: Breach Level Index), the vast majority of IT professionals still believe perimeter security is effective at keeping unauthorised users out of their networks. However, companies are under-investing in technology that adequately protects their business, according to the findings of the fourth-annual Data Security Confidence Index released today by Gemalto (Euronext NL0000400653 GTO), the world leader in digital security.

    In a survey of 1,050 IT decision makers worldwide, businesses reported feeling that perimeter security is keeping them safe, with most (94%) believing that it is quite effective at keeping unauthorised users out of their network. However, 65% are not extremely confident their data would be protected should their perimeter be breached, a slight decrease on last year (69%). Despite this, nearly six in 10 (59%) organisations report that they believe all their sensitive data is secure.

    Perimeter security is the focus, but understanding of technology and data security is lacking

    Many businesses are continuing to prioritise perimeter security without realising it is largely ineffective against sophisticated cyberattacks. According to the research findings, 76% said their organisation had increased investment in perimeter security technologies such as firewalls, IDPS, antivirus, content filtering and anomaly detection to protect against external attackers. Despite this investment, two-thirds (68%) believe that unauthorised users could access their network, rendering their perimeter security ineffective.

    These findings suggest a lack of confidence in the solutions used, especially when over a quarter (28%) of organisations have suffered perimeter security breaches in the past 12 months. The reality of the situation worsens when considering that, on average, only 8% of data breached was encrypted.

    Businesses’ confidence is further undermined by over half of respondents (55%) not knowing where their sensitive data is stored. In addition, over a third of businesses do not encrypt valuable information such as payment (32%) or customer (35%) data. This means that, should the data be stolen, a hacker would have full access to this information, and can use it for crimes including identity theft, financial fraud or ransomware.

    “It is clear that there is a divide between organisations’ perceptions of the effectiveness of perimeter security and the reality,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “By believing that their data is already secure, businesses are failing to prioritise the measures necessary to protect their data. Businesses need to be aware that hackers are after a company’s most valuable asset – data. It’s important to focus on protecting this resource, otherwise, reality will inevitably bite those that fail to do so.”

    Most Businesses are unprepared for GDPR

    With the General Data Protection Regulation (GDPR) becoming enforceable in May 2018, businesses must understand how to comply by properly securing personal data to avoid the risk of administrative fines and reputational damage. However, over half of respondents (53%) say they do not believe they will be fully compliant with GDPR by May next year. With less than a year to go, businesses must begin introducing the correct security protocols in their journey to reaching GDPR compliance, including encryption, two-factor authentication and key management strategies.

    Hart continues, “Investing in Cybersecurity has clearly become more of a focus for businesses in the last 12 months. However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don’t improve their cybersecurity will face severe legal, financial and reputational consequences.”

    About the survey

    Independent technology market research specialist Vanson Bourne surveyed 1,050 IT decision makers across the US, UK, France, Germany, India, Japan, Australia, Brazil, Benelux, the Middle East and South Africa on behalf of Gemalto. The sample was split between Manufacturing, Healthcare, Financial Services, Government, Telecoms, Retail, Utilities, Consultation and Real Estate, Insurance and Legal, IT and other sectors, from organisations with 250 to more than 5,000 employees.

    Original article published by Gemalto.

    Frost & Sullivan Recognises Gemalto for Leadership in Encryption and Data Protection

    July 7th, 2017

    Gemalto has been awarded the Frost & Sullivan 2017 Encryption and Data Protection Technology Leadership Award(1). Frost & Sullivan analysts independently evaluated Gemalto’s SafeNet data protection and encryption solutions, in particular the commercial success, growth potential, operational efficiency, and benefits provided to customers.

    Each year, Frost & Sullivan recognises companies across different industries based on their excellence in technology and innovation. Gemalto was selected based on the following attributes:

    • A unique position in the market based on an extensive portfolio and the variety of use cases and customers
    • Strong expertise in creating versatile and flexible solutions that support a variety of deployment environments
    • Quality of solutions and the company’s positive brand recognition
    • Commitment to research and development driving innovation in the industry

    “Gemalto’s vision for data protection guarantees a tailored, scalable, centralized-IT-service solution for organisations needing efficiency, without an overhaul of their existing security systems,” said Frost & Sullivan Research Analyst Danielle VanZandt. “Companies can standardise encryption and data protection breaking down internal silos achieving greater collaboration and visibility between departments.”

    “This award highlights our ability to provide customers with a simple, consolidated method of enterprise-wide data protection. The single pane of glass alleviates the burden of monitoring operations across multiple security platforms and simplifies the execution of internal data security policies,” said Todd Moore, Senior Vice President of Encryption Products at Gemalto. “When preparing for an internal or external audit, a centrally managed system helps organisations quickly demonstrate their level of compliance without the hassle of collecting information across different systems.”

    Gemalto’s portfolio of SafeNet data encryption and key management solutions ensures sensitive information remains secure wherever it resides, from the cloud and data centre to the network. Additionally, Gemalto speeds up deployment timelines by supporting a variety of digital and cloud environments, integrating with over 700 solutions across more than 240 different ecosystem partners. For more information on the solutions evaluated by Frost & Sullivan analysts, download the report.

    Additional resources:
    Gemalto SafeNet Data Protection
    Whitepaper: Own and Manage Your Encryption Keys
    Encrypt Everything

    (1) Frost & Sullivan Best Practices Awards recognise companies in a variety of regional and global markets for demonstrating outstanding achievement and superior performance in areas such as leadership, technological innovation, customer service, and strategic product development. Industry analysts compare market participants and measure performance through in-depth interviews, analysis, and extensive secondary research to identify best practices in the industry.

    View original article by Gemalto.

    Tips for Gamifying Your Cybersecurity Education and Awareness Programs

    July 6th, 2017

    Employees are fast becoming the weakest link in the defence against cybercriminals. Sometimes common sense can only go so far, as you need to make sure that best practices around security don’t go in one ear and out the other. Whether through innocent mistakes or because they were targeted for their access to sensitive information, employee error can easily open the door to malware or information theft.

    Successful attacks often involve poor processes and exploit human tendencies. To reduce an organisation’s threat surface, the focus of regular employee training needs to shift from reaction to prevention. Pure compliance-driven approaches have proven to be ineffective for organisations when used for employee security training, usually because the material isn’t interesting or personal enough to capture employees’ imaginations. Businesses should focus on educating employees about how to protect their personal data, thereby encouraging employees to adopt further security-orientated practices in the workplace.

    Employee training may take different forms, including the increasing practice of “gamifying” cybersecurity education programs. Gamification is the process of using gaming mechanics in a non-gaming context, leveraging what is exciting about games and applying it to other types of activities that may not be so fun. Designed with elements of competition and reward, gamification programs are becoming popular because they can be used in a variety of industries.

    Many businesses currently use gamification in such areas as customer engagement, and employee education and training to drive performance and motivation. Gaming elements include one-on-one competitions, rewards programs, and more.

    There are two key ways business owners can use gamification as a way of addressing cybersecurity in their organisation:

    1. Make training more exciting and engaging for employees

    Using gamification can help businesses improve their cybersecurity in numerous ways, including showing employees how to avoid cyberattacks and learning about vulnerabilities in software.

    Global consulting firm PwC teaches cybersecurity through its Game of Threats. [1] Executives compete against each other in real-world cybersecurity situations, playing as either attackers or defenders. Attackers choose the tactics, methods, and skills of attack, while defenders develop defence strategies and invest in the right technologies and talent to respond to the attack. The game gives executives an understanding of how to prepare for and react to threats, how well-prepared the company is, and what their cybersecurity teams face each day.

    Gamifying will help make the training process more exciting and engaging for employees, increasing employee awareness of cybersecurity practices, including how to deal with attacks correctly.

    2. Offer incentives and rewards to encourage desired behaviours

    Human error is responsible for most security breaches, with employees feeling pressured to complete work by certain deadlines and as quickly as possible, which can result in them overlooking important company policy regarding security.

    For example, running so-called PhishMe campaigns can be a great way to train employees on better email security. These include regular phishing emails sent across the organisation, testing the staff’s response and action.

    Gamification lets businesses reward those employees who follow security procedures and adhere to the correct security guidelines, which will further promote good behaviour. This may take the form of employees receiving a badge or recording points, which are then displayed on a scoreboard for the office to follow. In some organisations, after employees reach specific milestones, they are presented with a material reward, such as a gift voucher.

    This system also identifies those whose behaviour in the game is poor, who may then need to complete further cybersecurity training. Recognising and rewarding employees when they do the correct thing leads to continued positive behaviour, motivating employees to adopt safe practices and resulting in a more cyber-secure working environment.

    At the heart of any security awareness training is education to teach employees a shared sense of responsibility for the data they work with, and the data they create and use at home. All security awareness campaigns should become part of an ongoing process, not a one-time initiative. Leaders of any business, big or small, can sometimes feel they lack the resources needed to drive an effective cybersecurity education campaign, but this can be done without breaking the bank.

    • Visual aids work well. Start with some small videos, posters and/or contests as a reminder to drive the message home for all to understand that security is everyone’s responsibility.
    • ‘Fear of God’ tactics do not work. The business goal should be to build a culture of cyber awareness, so treat this like a marketing campaign with the intent to persuade and change the behaviour of an employee.
    • Short and concise works best. Long emails always get ignored. Keep them short and fun, and ALWAYS ensure it is a top-down approach. Employees look up to their leaders. If the leaders do not embody a cyber-secure culture, why should the employees? The aim is to educate employees about best practices, not force them to be cybersecurity experts. Make it fun and have a laugh, so everyone can learn at the same time.
    • Reinforcement and follow-up are key. Training is a constant; learn from what works and re-educate as needed. Re-test your newly onboarded, as well as existing, staff members on whether they fall for a phishing email, and check to see how many employees still fail to recognise a fake email. Encourage communication to report a fake and call out departmental groups that may be lagging. The aim is not to single people out, but rather create some healthy rivalry within the organisation.
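
    One way to turn the results of a simulated phishing round into the scoreboard, the re-training list and the per-department figures the post describes, as an added Python example that is not part of the original post or of any vendor product. The campaign records, employee names, department names, scoring rules and the 25% "lagging" click-rate threshold are all constructed assumptions.

```python
"""Phishing-simulation scoreboard (added example, not from the original post).

Works on a constructed result log from one simulated phishing round: one
record per recipient, recording whether they clicked the lure, whether they
reported it, and whether they are a new starter. Names, departments and the
scoring rules are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical scoring rules for the office scoreboard.
POINTS_REPORTED = 10        # reported the simulated phish without clicking
POINTS_IGNORED = 2          # neither clicked nor reported
POINTS_CLICKED = 0          # clicked the lure: flagged for further training
LAGGING_CLICK_RATE = 0.25   # departments above this fraction are "lagging"


@dataclass(frozen=True)
class Result:
    employee: str
    department: str
    clicked: bool
    reported: bool
    new_starter: bool = False


# Constructed sample results for one campaign round.
SAMPLE_RESULTS = [
    Result("alice", "finance", clicked=False, reported=True),
    Result("bob", "finance", clicked=True, reported=False),
    Result("carol", "finance", clicked=True, reported=True),  # clicked, then reported
    Result("dave", "engineering", clicked=False, reported=False),
    Result("erin", "engineering", clicked=False, reported=True),
    Result("frank", "engineering", clicked=False, reported=True, new_starter=True),
    Result("grace", "sales", clicked=True, reported=False, new_starter=True),
    Result("heidi", "sales", clicked=True, reported=False),
]


def score(result: Result) -> int:
    """Points for one employee. Clicking earns nothing, even if they report later."""
    if result.clicked:
        return POINTS_CLICKED
    return POINTS_REPORTED if result.reported else POINTS_IGNORED


def scoreboard(results):
    """(employee, points) pairs, highest points first, ties alphabetical."""
    return sorted(((r.employee, score(r)) for r in results),
                  key=lambda pair: (-pair[1], pair[0]))


def needs_retraining(results):
    """Employees who clicked the lure, alphabetically."""
    return sorted(r.employee for r in results if r.clicked)


def retest_cohort(results):
    """Who to include in the next round: everyone who clicked plus new starters."""
    return sorted({r.employee for r in results if r.clicked or r.new_starter})


def department_metrics(results):
    """Click rate and report rate per department.

    Report rate counts anyone who reported, including after clicking: a late
    report still gives the security team a chance to respond.
    """
    totals = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for r in results:
        t = totals[r.department]
        t["n"] += 1
        t["clicked"] += int(r.clicked)
        t["reported"] += int(r.reported)
    return {dept: {"click_rate": t["clicked"] / t["n"],
                   "report_rate": t["reported"] / t["n"]}
            for dept, t in totals.items()}


def lagging_departments(results, threshold=LAGGING_CLICK_RATE):
    """Departments whose click rate exceeds the threshold, for follow-up."""
    return sorted(dept for dept, m in department_metrics(results).items()
                  if m["click_rate"] > threshold)


if __name__ == "__main__":
    for name, points in scoreboard(SAMPLE_RESULTS):
        print(f"{name:8s} {points:3d}")
    for dept, m in sorted(department_metrics(SAMPLE_RESULTS).items()):
        print(f"{dept:12s} click {m['click_rate']:.0%}  report {m['report_rate']:.0%}")
    print("re-train:", needs_retraining(SAMPLE_RESULTS))
    print("next round:", retest_cohort(SAMPLE_RESULTS))
    print("lagging:", lagging_departments(SAMPLE_RESULTS))
```

    The report rate is tracked separately from the click rate on purpose: a department where nobody clicks but nobody reports either has not learned the behaviour the post asks for, which is to call out a suspicious email rather than merely ignore it.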

    Eliminating cyber risks in any business is an ongoing process, but it can be managed. We need to foster a way for employees to call out where they question something and re-educate as needed. If employees walk away from the security awareness program questioning before they click on something malicious, you have moved the needle towards being more secure.

    [1] https://www.pwc.com/us/en/financial-services/cybersecurity-privacy/game-of-threats.html

    Original article published by Palo Alto Networks.
