An illustration picture shows projection of binary code on man holding laptop computer in Warsaw

Investors still in the dark as cyber threat grows

LONDON/BOSTON (Reuters) – Investors are being poorly served by a haphazard approach from fund managers to the growing threat of cyber crime damaging the companies in which they invest, with a lack of clarity from the businesses themselves compounding the problem.

Banks have led the way in developing cyber defenses and some top fund managers have ramped up pressure on companies to do more, but the broader picture is less encouraging.

“I don’t see any visible stand asset managers are taking, like they do on other social responsibility items,” said Malcolm Harkins, information security chief at U.S. cyber security start-up Cylance Inc.

The soft underbelly of companies outside the banking sector was exposed again this month when hackers leaked details of nearly 37 million clients of Ashley Madison. The infidelity website had to postpone its stock market listing and now faces a $750 million lawsuit.

More than half the value of companies worldwide is in intangible assets, such as intellectual property, much of which is stored on computers and could therefore be vulnerable to hackers.

That figure could be as high as $37.5 trillion of the $71 trillion in enterprise value of 58,000 companies, according to Brand Finance, a consultancy specializing in valuation of intangible assets. The World Economic Forum said that robust protection against cyber risk could add as much as $22 trillion to the global economy by 2020.

The global financial cost of attacks is rising fast — up more than 10 percent last year, a report by specialist researcher Ponemon Institute said.

Though some might argue that investors can sell out of businesses they consider to be performing badly on cyber safety, the reality is less straightforward. Passive funds that track a specific index or sector have no leeway, while pension funds tend to demand a longer-term view from asset managers.

But even those keen to evaluate cyber risk face an uphill struggle, hampered by a lack of resources, poor data and weak disclosure from companies.

Sacha Sadan, corporate governance head at the fund arm of insurer Legal & General, told Reuters that cyber risk is one of his team’s top priorities for corporate engagement but described the approach of some rivals as “hit and miss”.

“We would rather a company, when they come to talk to us, had a slide that said ‘this is what we’re doing’. At the moment, it’s us asking them and they say, ‘well, most other shareholders don’t ask’.”

MIXED PRIORITIES

A Reuters survey of fund firms with a combined $16 trillion in assets showed pressure on company boards is far from uniform.

Only four of 12 governance chiefs at British, French, German and U.S. fund houses interviewed by telephone and email said they considered cyber risk a “top priority” across all of their investments. The remainder said they either discussed the issue case by case or that there was too little information for proper risk-assessment.

BlackRock, the world’s biggest asset manager, is among those that have engaged with companies, though it declined to provide further detail on examples in its quarterly governance report.

In its latest report BlackRock said it had spoken to a large insurer and “shared perspectives” gained from speaking to cyber experts and other companies.

As for the types of business meriting closer examination, Jessica Ground, global head of stewardship at Schroders, said that less-obvious targets such as travel agents need to do more. Another chief named online gaming as a sector laggard.

Most fund managers do have dedicated teams supervising governance. But these often number fewer than 10 people to analyze and speak to thousands of companies on a broad range of topics, with matters such as executive pay regularly given higher priority than cyber security.

On the other side of the fence, the companies themselves are far from united in their approach.

“There is significant divergence across companies as to how prepared they are,” said Antony Marsden at Henderson Global Investors.

Though attitude to cyber risk is inherently difficult to quantify, analysis of the most recent annual reports of the 10 biggest companies in Europe and the United States showed variable communication on the issue.

Only three of the Europeans — Novo Nordisk, HSBC and Royal Dutch Shell — had a separate section on cyber risk or information security. Across all 10 reports there were a mere 14 mentions of keywords “cyber”, “information security”, “hack” or “hacking”.

That compares with five of the U.S. companies — Apple, Wells Fargo, Facebook, General Electric and JPMorgan — and 63 keyword references, partly influenced by more banks featuring in the list.

WHEN, NOT IF

“You can look at an annual report and see some companies talk a lot about what would happen if the euro were to fail … But just as important is what happens if you get hacked,” L&G’s Sadan said. “You will get hacked. So what’s your contingency planning?”

Several smaller U.S. investment firms with a mandate for socially responsible investment are already pressing companies publicly over data security matters, including the filing of proxy resolutions at shareholder meetings.

Arjuna Capital, for example, had American Express shareholders vote on whether it should report annually on how its board oversees privacy and data security. Amex opposed the idea, saying its board receives regular updates, and the proposal won only 22 percent of the vote at the annual meeting.

Highlighting the lack of a consistent approach from asset managers, a number of large fund firms opposed the resolution.

It is little wonder, then, that some have yet to address a skills gap that leaves them ill-equipped for proper risk-assessment.

“The frameworks for dealing with cyber risk, about what it means for our business and what can we do about it, are only now being put in place,” said Sandra Carlisle at Newton Asset Management.

Rules in the United States requiring companies to report data privacy breaches are likely to be replicated in Europe in the near future, which will aid funds’ understanding of the risks.

In the meantime, investors are very much in the dark.

“What you get is assurance that people are looking at these things,” said Iain Richards at Anglo-U.S. fund firm Columbia Threadneedle. “There’s a scarcity of meaningful disclosure.”

(Additional reporting by Carolyn Cohn; Editing by David Goodman)

This article was written by Simon Jessop and Ross Kerber from Reuters and was legally licensed through the NewsCred publisher network.

Dendroid Malware Creator Pleads Guilty, Faces 20 Years

Morgan Culbertson, a former intern at the cybersecurity company FireEye, pleaded guilty in federal court to designing a malicious software tool that enabled hackers to take control of a target’s Android phone. Culbertson then sold the tool kit, known as Dendroid, in the Darkode dark net marketplace.

Dendroid was a software tool that enabled users to build their own malware-infused app capable of taking almost full control of an Android phone. The apps could take pictures with the phone’s camera, record phone calls, download photos, record video, and access other sensitive features. Dendroid also proved it could get apps into the Google Play store by including code that subverted Google’s security checks.

“I am sorry to the individuals to whom my software may have compromised their privacy,” Culbertson said in Pennsylvania federal court, as quoted by the Pittsburgh Post Gazette. “I committed the crime.”

Culbertson, 20, listed Dendroid for $300 on Darkode, the now-shuttered hacking forum frequented by members of the Lizard Squad hacking collective and other nefarious customers. He also offered to sell the source code for Dendroid for more money, enabling buyers to create their own customized version of the malware.

Culbertson faces a maximum of 10 years in prison and a $250,000 fine.

This article was written by Jeff Stone from International Business Times and was legally licensed through the NewsCred publisher network.

Iran's Revolutionary Guard Allegedly Hacked Two-Factor Authentication

Iran Military Hackers Allegedly Launched Phishing Campaign At US

Iranian expatriates and American activists are being targeted by an “elaborate phishing campaign” that enables hackers to take control of their Google account, research from Citizen Lab says. Iranian government-backed hackers are believed to be responsible, with researchers connecting this attack campaign with a similar one that coincided with Iran’s 2013 presidential election.

The Citizen Lab report published Thursday named Jillian York, director of international freedom of expression at the Electronic Frontier Foundation, as one target of the hacking campaign. York, who has written on the danger of blogging in Iran and on a range of related issues, said someone using a British phone number called her last Friday. The caller had a German accent, York said, and claimed to be a Reuters journalist trying to interview her, at which point she told him to send an email.

The message appeared to be from the news organization’s “Tech Dep” and contained a number of errors, including the misspelling “Reutures.” York and other targets also were asked to follow a link to a phony site asking them to input their user credentials. The hackers would use that information immediately, triggering a text message that claimed to be from Google, saying there had been an unauthorized attempt to access their account, with a verification code attached.

The target would then input that code into the fake website, surrendering complete control of the account. The hack is a rare example of intruders taking control of accounts that rely on two-factor authentication, one of the easiest and most reliable ways for Internet users to protect their accounts online. It’s not clear how many hacks were successful; the report is based on failed attempts.
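As an added illustration (not code from the Citizen Lab report or this article), the toy model below replays the flow just described: the phishing page forwards the password at once, the real site texts a code, the victim types that code into the phishing page, and it is accepted because an SMS code carries no information about where it was entered. The same relay fails against a challenge that the user's device signs together with the origin it is actually talking to, which is why origin-bound authenticators resist this kind of attack. All user names, origins and keys are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder origins (not from the article).
LEGIT_ORIGIN = "https://accounts.example.com"
PHISH_ORIGIN = "https://accounts-examp1e.com"   # look-alike phishing domain


class AccountService:
    """Toy model of the legitimate site. It checks a password, then requires a
    second factor: either a one-time SMS code or a signature over a fresh nonce
    that must be bound to the site's own origin."""

    def __init__(self, user, password):
        self.user = user
        self.password = password
        self.auth_key = secrets.token_bytes(32)   # shared with the user's authenticator
        self.pending = None                        # outstanding code or nonce

    def _password_ok(self, user, password):
        return user == self.user and hmac.compare_digest(password, self.password)

    # Second factor 1: six-digit code "texted" to the user's phone.
    def start_sms_login(self, user, password):
        if not self._password_ok(user, password):
            return None
        self.pending = f"{secrets.randbelow(10**6):06d}"
        return self.pending

    def finish_sms_login(self, code):
        expected, self.pending = self.pending, None
        # The code says nothing about where the user typed it in, so a code
        # relayed through a phishing page is indistinguishable from a real one.
        return expected is not None and code is not None and hmac.compare_digest(expected, code)

    # Second factor 2: origin-bound challenge (the idea behind FIDO/WebAuthn).
    def start_challenge_login(self, user, password):
        if not self._password_ok(user, password):
            return None
        self.pending = secrets.token_bytes(16)
        return self.pending

    def finish_challenge_login(self, signature):
        nonce, self.pending = self.pending, None
        if nonce is None or signature is None:
            return False
        # The site verifies against ITS OWN origin; a signature produced for a
        # look-alike domain will not match.
        expected = hmac.new(self.auth_key, nonce + LEGIT_ORIGIN.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


class Authenticator:
    """Toy model of the user's device. It signs the nonce together with the
    origin it is actually talking to, which it learns from the browser rather
    than from the page content."""

    def __init__(self, key):
        self.key = key

    def sign(self, nonce, origin_seen):
        if nonce is None:
            return None
        return hmac.new(self.key, nonce + origin_seen.encode(), hashlib.sha256).digest()


def relay_attack_sms(service, user, password):
    """The flow described in the article: the phishing page forwards the
    password at once, the real site texts a code, the victim types the code
    into the phishing page, and the phisher forwards that too."""
    code = service.start_sms_login(user, password)   # password replayed to the real site
    return service.finish_sms_login(code)             # code replayed to the real site


def relay_attack_challenge(service, authenticator, user, password):
    """Same relay against an origin-bound factor. The authenticator signs for
    the phishing origin the victim is on, so the real site rejects it."""
    nonce = service.start_challenge_login(user, password)
    signature = authenticator.sign(nonce, PHISH_ORIGIN)
    return service.finish_challenge_login(signature)


def legitimate_challenge_login(service, authenticator, user, password):
    """Control case: the same authenticator talking to the real origin."""
    nonce = service.start_challenge_login(user, password)
    return service.finish_challenge_login(authenticator.sign(nonce, LEGIT_ORIGIN))


if __name__ == "__main__":
    svc = AccountService("alice", "correct horse battery staple")   # constructed
    auth = Authenticator(svc.auth_key)
    pw = "correct horse battery staple"
    print("SMS code relayed through phishing page accepted:", relay_attack_sms(svc, "alice", pw))
    print("Origin-bound signature relayed through phishing page accepted:",
          relay_attack_challenge(svc, auth, "alice", pw))
    print("Origin-bound signature from the real site accepted:",
          legitimate_challenge_login(svc, auth, "alice", pw))
```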

“There’s no doubt that this comes from Iran’s Revolutionary Guard, which has been very vicious against the free press and free speech,” Omid Memarian, an exiled Iranian journalist and one of the campaign’s targets, told the Associated Press. The attack uses some of the same hallmarks employed by Iranian hackers in 2013. Google’s Security blog reported June 12, 2013 — just days before the election of Iran’s President Hassan Rouhani — that security software suddenly detected tens of thousands of attacks on Iranian users.

“These campaigns, which originate from within Iran, represent a significant jump in the overall volume of phishing activity in the region,” Eric Grosse, Google’s vice president of security engineering, wrote at the time. “The timing and targeting of the campaigns suggest that the attacks are politically motivated in connection with the Iranian presidential election.”

This article was written by Jeff Stone from International Business Times and was legally licensed through the NewsCred publisher network.

Are you ready to lead your organization to a more secure cloud?

Anticipating VMworld

It’s the end of the summer of 2015 – the nights are getting cooler, the leaves are starting to change colors, and flocks of students are abandoning the beaches of Cape Cod bound for college campuses. The seasonal change also signals another annual ritual – VMworld in San Francisco. 

VMworld used to be focused on virtual server technology, and then it expanded to VDI. Now the show represents all things cloud computing. Of course, I’ll be looking at a specific sub-segment: The intersection of cloud computing and cybersecurity. As such, I’m anticipating discussions around:

  • Micro-segmentation. A few years ago, virtual networking really meant virtual switching at Layer 2. While virtual switches offered a lot of functionality, most organizations used them as a bridge to forward traffic to the “real” physical network. This is no longer the case. Many enterprises are embracing virtual networking in data centers across layers 2-4. As part of this transition, I’m starting to see a lot more interest in micro-segmentation for network isolation, east-west traffic segmentation between data center servers, and even the creation of network tunnels from endpoints to data center applications. From a cybersecurity perspective, micro-segmentation offers great potential as it can be used to limit the attack surface. I’m curious to find out about micro-segmentation adoption. Is it still a cutting-edge technology, or has it crossed the proverbial chasm? My hope (and gut feel) is that we are making progress – more soon.
  • Network security services. As virtual networks gain traction, they will pull virtual network security services along for the ride. VMware is pushing this model with NSX partners like Check Point, F5, Palo Alto, Rapid7, Symantec, and Trend Micro, who can supplement server and network virtualization with proven, enterprise-class security services. Cisco offers a similar architecture and partner program with ACI and its security services architecture. Others, like Illumio and vArmour, are intent on virtualizing network security services on their own – sort of like what Novell NetWare did for file and print services 25 years ago. If you are serious about cloud computing, you have to go down the network security services route, but this is a big leap of faith for many seasoned cybersecurity veterans who grew up as CCNEs and Cisco PIX firewall administrators. I’ll be monitoring VMworld to see how this transition is progressing, as changes here could have big implications for the security market.
  • Identity and access management (IAM) in the cloud. According to ESG research, 68% of enterprise cybersecurity professionals claim that the combination of cloud and mobile computing has made IAM security a lot more difficult (note: I am an ESG employee). Why? Cloud computing extends IAM to new infrastructure and applications, some with their own authentication, entitlements, and management tools. This in turn creates IAM blind spots, policy contention, and loads of opportunity for human error. There are several ways to bridge these worlds, including homegrown integration using federated identity standards (e.g. SAML), single-vendor product solutions (e.g. CA, Centrify, IBM, Microsoft, Oracle, RSA), and gateway solutions (e.g. OneLogin, Okta, Ping Identity). There’s also a slight chance that social networking vendors like Facebook, Google, and LinkedIn will fill this void, and there are promising authentication technologies (e.g. Apple, FIDO Alliance) that could greatly impact IAM at large. Lots of balls in the IAM air, so I’m interested to see how this will play out.
  • Cloud security organizational dynamics. Many industry events resemble a techno pep rally focused on silicon and code rather than carbon-based life forms. I hope this isn’t the case at VMworld, as I’d like to explore cloud security as it relates to IT and cybersecurity organizations. My current observation is that cloud security responsibilities often migrate toward different groups like application developers, DevOps, and data center infrastructure groups. OK, but where do network security engineers fit into this mix? And since cloud security is a relatively new pursuit, how are cybersecurity professionals (and others) gaining the necessary skills around secure design, physical/virtual security integration, cloud security operations, best practices, etc.? In my humble opinion, skills development is a critical and often neglected aspect of cloud security. With the right training, CISOs can use things like micro-segmentation and virtual network security services to improve security protection and mitigate risk. Without this, however, other IT groups with minimal cybersecurity knowledge will be in charge of “winging it,” putting everyone at risk.

A few years ago, cloud computing seemed to be hamstrung by security concerns, but this is no longer the case. Many organizations, led by the public sector, are moving full-speed ahead into the cloud, so it is incumbent upon the cybersecurity community to keep up. When I leave VMworld next week, I should have a good indication of whether cloud security is a ray of sunshine on Amazon, OpenStack, and vCloud Air, or whether stormy cybersecurity weather is in the forecast. 

This article was written by Jon Oltsik from NetworkWorld and was legally licensed through the NewsCred publisher network.

Healthcare needs more IT security pros – stat

More than 80% of healthcare IT leaders say their systems have been compromised

Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey by KPMG.

The KPMG report also states that only half of those executives feel that they are adequately prepared to prevent future attacks. The attacks place sensitive patient data at risk of exposure, KPMG said.

The 2015 KPMG Healthcare Cybersecurity Survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans.

Sixty-six percent of the IT executives at healthcare plans who were surveyed said they were prepared to fend off attacks. Based on revenue, larger organizations are better prepared than smaller ones, KPMG said.

Compared with past KPMG polls, the one released Wednesday showed that the number of attacks on healthcare IT systems has increased, with 13% of respondents saying they are targeted by external hack attempts about once a day and another 12% seeing about two or more attacks per week.

“More concerning, 16% of healthcare organizations said they cannot detect in real-time if their systems are compromised,” the report said.

Malware, which is designed to disrupt or gain access to private computer systems, was the most frequently reported line of attack during the past 12 to 24 months, according to 65% of survey respondents. Botnet attacks, where computers are hijacked to issue spam or attack other systems, and “internal” attack vectors, such as employees compromising security, were cited by 26% of respondents.

The areas with the greatest vulnerabilities within an organization include external attackers (65%), sharing data with third parties (48%), employee breaches (35%), wireless computing (35%) and inadequate firewalls (27%).

The KPMG survey found that spending to prevent cyberattacks has increased at most institutions, but it has to be on the right initiatives and fit the organization’s strategy, said KPMG’s Gregg Bell. “There are no cookie-cutter approaches to security. An organization with a mobile workforce may have a far different technology need from an organization that processes healthcare claims, for example.”

“The vulnerability of patient data at the nation’s health plans and approximately 5,000 hospitals is on the rise and health care executives are struggling to safeguard patient records,” Michael Ebert, who runs KPMG’s Healthcare & Life Sciences Cyber Practice, said in a statement. “Patient records are far more valuable than credit card information for people who plan to commit fraud, since the personal information cannot be easily changed.”

KPMG listed five main reasons healthcare organizations are facing increased security threats:

  • The adoption of digital patient records and the automation of clinical systems.
  • The use of antiquated electronic medical records (EMRs) and clinical applications that are not designed to securely operate in today’s networked environment — and software vendors who push that problem to the provider.
  • The ease of distributing electronic personal health information both internally (via laptops, mobile devices, thumb drives) and externally (third party firms and cloud services).
  • The heterogeneous nature of networked systems and applications (i.e. network-enabled respirator pumps on the same network as registration systems that can browse the Internet).
  • The evolving threat landscape, where cyberattacks today are more sophisticated and well-funded, given the increased value of the compromised data on the black market.

Healthcare organizations not experiencing an increase in cyber attacks are also more likely to underestimate the threat, according to Bell, who leads KPMG’s Cyber Practice.

“The experienced hackers that penetrate a vulnerable health care organization like to remain undetected as long as they can before extracting a great deal of content, similar to a blood-sucking insect,” Bell said.

This article was written by Lucas Mearian from Computerworld and was legally licensed through the NewsCred publisher network.

When to throttle yourself as a new CISO

Recently, I was speaking with a new CISO for a casino property who came into an absolute mess of an environment, with cybersecurity risk that was “off the charts” and “unmanageable.” It is very tempting to come into a new company and be the superhero who fixes many of the issues right away; this may look good in the C-suite, as it defines who you are in your first 90 days.

All the indicators would show that a lot of work needs to be performed in short order, and you would want to show leadership and motivation and be known as the person who “gets things done.” No CISO wants to be perceived like the last CISO, who most likely did not work out or burned many bridges within the company.

    While it may be tempting to rollout new tools, patching, programs, teams, monitoring, end-to-end encryption, etc. these would be great ideas and intentions, but may end up with the CISO getting kicked out the door within one year.

    Why? When a CISO shows up, it is important to remember you will be viewed as the “IRS” or the person that will be telling everybody what they are doing wrong in their jobs. This is a harsh image of the CISO, but perception is reality.

    Not many people like or enjoy working with the IRS because they know that since you are a CISO, you are there to tell everybody how they are doing everything wrong, a feeling as if you are calling everybody’s baby ugly because you are finding vulnerabilities and problems everywhere.

    In addition, the CISO is another step with overall business processes for approvals across the enterprise. The CISO can be seen as the gatekeeper to making key decisions, even though we would prefer to see ourselves as business enablers and protecting the companies’ data assets. The perceptions of CISOs in general is absolutely horrible by other business executives.

    If you do not throttle yourself as the CISO, it is highly likely your career within your company will be in jeopardy. It can be very misleading believing that as a CISO, you came in to perform all the duties as assigned by the executive leadership team, but failed to recognize that the rest of the company will experience “cybersecurity exhaustion.”

    Cybersecurity exhaustion is very much like a hangover after a fun night of partying. For the first nine months on the job as a CISO, everyone will be pleased with your ambition, progress, and making the company more secure, but it is important to remember the party does not last forever and if you party too hard, everyone will wake up with a bad hangover. As a new CISO, it is great to have the visibility and the spotlight on you, but people will get tired of you and will seek ways to derail your efforts. While this may sound sadistic, this is the unfortunate behavior and way of life in a company. People get tired of the superstar of a party.

    When we become a CISO, we all know better than to operate faster than the company, like a racehorse, which is what I did in my first CISO job. I will admit, I was taken by cybersecurity adrenaline to put in an insane amount of hours to do whatever it takes to protect my past employer, and that ended up being my demise. While I exhibited loyalty and a high work ethic, I let the adrenaline of the cybersecurity issues get the best of me as I operated faster than all of the other executives, because I wanted to protect the company. I was fearful of a cybersecurity breach on my watch, and this was totally about individual pride and ego.


    Earlier in my career, I made this mistake myself without realizing it until it was too late. For instance, I was the first CISO for a $2 billion holding company that was in dismal condition and under horrible IT leadership. I came in to be the new IT director for our business and functioned as the company’s first CISO for five business units in a shared services IT model. I rebuilt the IT shop I was in charge of, kicked major butt by fixing problems and issues, turned the place around, built IT and cybersecurity programs, became compliant for SOX and PCI, improved reliability and uptime, reduced cyber risk, implemented layers of security, etc., only to be shown the door within one year.

    I learned the hard way that I pushed too aggressively and people became “exhausted” with my endeavors. We all know that we have to moderate ourselves in our jobs, but with cybersecurity it is different.

    CISOs have a less desirable position in a company compared to a VP of marketing for instance. The VP of marketing gets to do the fun sexy work of promoting the company and being creative and the CISO gets to be the person that is viewed as the company “police officer.” Everybody wants a police officer when they need one, but when they don’t, they want you gone. This is the life of a CISO regardless of how gregarious or likable you may be. Being a CISO is a very difficult position in a company and can be viewed as a “thankless” position.

    While this advice may sound like typical “cookie cutter” leadership that is playing the “safe card,” it actually isn’t. I firmly believe in being bold, innovative, a thought leader, and a progressive leader, but this is very hard to perform because the role we need to carry out may limit our true ambitions.

    Bottom line, go at the pace your company would like to see; don’t tire out your company to a point where the other executives experience your “cybersecurity exhaustion.”

    Happy survival in the C-Suite.

    This article was written by Todd Bell from CSO and was legally licensed through the NewsCred publisher network.


    Obama will raise cyber security concerns with China’s Xi – White House

    WASHINGTON (Reuters) – The White House said on Wednesday that President Barack Obama will “no doubt” raise concerns about China’s cyber security behaviour when he meets with Chinese President Xi Jinping next month.

    Obama will host Xi at the White House in September for a state visit. The United States has alleged Chinese hackers have stolen information from U.S. computer servers.

    This article was from Reuters and was legally licensed through the NewsCred publisher network.

    Why it is time to intensify employee education on phishing

    Phishing is a $3.7-million annual cost for the average large company

    The average 10,000-employee company spends $3.7 million a year dealing with phishing attacks, according to a new report from the Ponemon Institute.

    The report, which surveyed 377 IT professionals in companies ranging in size from less than 100 to over 75,000 employees, showed that about half of the costs were due to productivity losses.

    The average employee wastes 4.16 hours a year on phishing scams.


    In addition, 27 percent of the costs was the risk of having to respond to a data breach caused by a compromised credential, 10 percent was the direct cost of addressing compromised credentials, 9 percent was the risk of a data breach caused by malware, and the remaining 6 percent was the direct cost of containing malware.

    “Everyone understands the cost of a breach, and one of the biggest threat vectors is phishing,” said Joe Ferrara, CEO at Wombat Security Technologies, which sponsored the report.

    According to the latest Verizon data breach report, phishing is the second most common threat vector, implicated in around a quarter of all data breaches last year.

    “But I don’t think anyone really had a handle on all the costs layered into it,” said Ferrara.

    But the Ponemon report wasn’t all bad news. Companies can substantially reduce their phishing-related costs with employee education, such as the automated training offered by Wombat, which was spun off from Carnegie Mellon’s CyLab cyber security research center.

    Companies that roll out training programs see improvements of between 26 and 99 percent in their phishing email click rates, with an average improvement of 64 percent, according to Ponemon.

    The cost of phishing

    Cost component                                        Cost for 10,000-employee organization   Cost per employee   Percent of cost
    Part 1. The cost to contain malware                   $208,174                                $22                 6%
    Part 2. The cost of malware not contained             $338,098                                $35                 9%
    Part 3. Productivity losses from phishing             $1,819,923                              $191                48%
    Part 4. The cost to contain credential compromises    $81,920                                 $9                  2%
    Part 5. The cost of credential compromises not contained  $1,020,705                          $107                27%
    Total extrapolated cost                               $3,768,820                              $395                100%

    Adding in a 25 percent drop in retention, Ponemon calculated a phishing-related cost savings of $188 per user for the average company.

    This translates to $77 per user for the lowest-performing training program.

    At a cost of less than $4 per employee, that results in a 20-fold return on investment over a year from the worst-performing training program, and a 50-fold return from the average program.

    This calculation does not include the training time, however. According to Ferrara, it takes a user about 30 minutes to go through all three of the company’s anti-phishing training modules, and the “teachable moment” of interacting with a simulated phishing email is under a minute.

    With that adjustment, the total savings drops to around $137 for the average training program, and $24 for the least effective one, making for a 37-fold and seven-fold return on investment, respectively.

    “The important thing to keep in mind is that the potential loss after a phishing attack is far greater and far more devastating than just the loss of productivity,” Ferrara added.

    A good way to get employees motivated to do the training is to first run a simulated phishing attack, said Ferrara.

    Not only does that provide a baseline metric for how often phishing emails are clicked on, but it also demonstrates to employees that they are vulnerable.

    “We had a customer who ran a simulated attack against their IT organization and they had a huge failure rate — it was a real eye-opener for them — more than 50 percent of the people failed,” said Ferrara. “We used that as motivation to get them to take training. As long as you don’t hammer them over the head or belittle them, you can get a great response.”

    This article was written by Maria Korolov from CSO and was legally licensed through the NewsCred publisher network.