We talk about ‘data breaches’ because of regulatory and statutory definitions that focus on the disclosure of data. An organization’s security strategy should work with the end in mind, and focus heavily on denying threat actors access to those data with the highest regulatory, statutory, or contractual risks.
In this session, a panel of experts will reflect on the various ways in which hackers have targeted the pandemic over the past 12 months, lifting a lid on the methods employed and outlining how businesses and users can best protect themselves from ongoing COVID-related attacks, scams and fraudulent activity.
Incident responses and recovery plans should be updated biannually. Kayne McGladrey, CISSP and cybersecurity strategist for Ascent Solutions said, “Effective incident response plans must cover preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.”
You have a remarkable economic incentive for threat actors to do their job. Unlike a fire, threat actors innovate. There’s not some new way we’re going to have a fire. I guarantee you by the end of the week, we’re going to have a dozen new ways for threat actors to do their jobs.
McGladrey finds an increased need in cybersecurity as the pandemic has forced an increase in online resources. “Cybersecurity is a way of protecting our friends, family, and communities from financial losses and the loss of their privacy,” McGladrey said.
“Multi-factor authentication and passwordless technologies help to protect our digital identities and account credentials from theft or impersonation. This matters just as much to an individual using a hardware key to access their online bank as it does for a corporate employee using facial recognition to access a privileged administrative account.”
– Kayne McGladrey, IEEE Senior Member
“You can never get risk to zero, but you can mitigate risk to an acceptable level for that agency or that project,” McGladrey says. “You need to know what risks you can accept and what you have done to mitigate the potential damage associated with those risks.”
On February 17th, 2021 I’ll will be leading a tabletop exercise for the students of CISS 471 at Western Washington University. The tabletop exercise explores the ethical decisions associated with a ransomware attack at a fictional international organization.
“I hope that you want to create safe products that benefit individuals and society, that make life better.
That you want to reverse course, and can advocate for security in face of lean IT, DevOps, and less money and less time and less people.
IEEE code of ethics includes the phrase “disclose promptly factors that might endanger the public or the environment”.
Not as strong as language as the other code of ethics I’m bound to follow as a CISSP, to “protect society, the common good, necessary public trust and confidence, and the infrastructure”
Regardless of which code of ethics you’re following, we have responsibility to society to turn this around.”
Telehealth was an unexpected technology bright spot in 2020, as the Office for Civil Rights (OCR) relaxed enforcement of certain aspects of HIPAA, helping to reduce COVID exposure via virtual rounding and virtual visits.
Unfortunately, bad actors have shown a lack of morality in their pursuit of illegal profits and have continued to attack medical organizations. Ransomware attacks, for example, can cripple a hospital’s abilities to provide high-quality patient care by denying access to key computer systems, which would force medical professionals to have to treat patients based on memory and paper-based records.
The following three high-level recommendations provide a basis for defense in depth for healthcare organizations in 2021.
Kayne McGladrey (@kaynemcgladrey), Security Architect at Ascent Solutions, agrees: “Microsoft 365, for example, allows for automatic classification and labeling of unstructured data, but also permits users to provide a justification when the automation gets it wrong.
“Combined with automated data loss prevention, this can allow a business to easily enforce and report on policies for sharing non-public data both inside and outside of their organization,” he says.
Companies should record video calls when doing so poses an obvious business benefit, the participants have consented to it, and there are adequate controls in place to limit access to the resulting video to only authorized parties, Kayne McGladrey, security architect at cybersecurity consultancy Ascent Solutions, said.
To ensure accessibility,companies should also strongly consider using closed captioning on call recordings, McGladrey added.