International conference on strengthening co-operation on cybercrime and e-evidence in Africa
The Council of Europe and the Moroccan Ministry of Justice will bring together cybercrime experts to discuss threats and current trends; international frameworks; legislation, policies and strategies; tools of the Convention on cybercrime and its Protocols; regional and international initiatives; co-operation with the private sector and academia; and capacity-building initiatives in the fight against cybercrime.
The opening session will start at 9.30 am, with the participation of several ministers (from Morocco, Benin, Sierra Leone, Equatorial Guinea and Liberia).
The conference will be livestreamed in Arabic, English, French and Portuguese.
A press briefing is scheduled at 11 am on Monday 6 March (Hotel Vichy Célestins).
More information – Contact: Estelle Steiner, tel. +33 3 88 41 33 35
Council of Europe Media Relations Division: +33 3 88 41 25 60
Benchmarking your cybersecurity budget in 2023 – VentureBeat
Knowing which areas to focus on in a cybersecurity budget to drive the most significant business value is a must-have skill for CISOs.
Deloitte recently found that cybersecurity is core to cloud-based digital transformation, accounting for nearly 50% of the initiatives’ success. As they look at benchmarking and budgeting as the first step in driving revenue gains and advancing their careers, CISOs need to capitalize on every opportunity to link their spending to revenue gains.
That mindset is essential for CISOs who want to earn a board-level position and show that they know how to use cybersecurity budgets to support and drive revenue.
“I’m seeing more and more CISOs joining boards,” CrowdStrike cofounder and CEO George Kurtz said during a keynote at his company’s annual Fal.Con. “I think this is a great opportunity for everyone here [at Fal.Con and in the industry] to understand their impact on a company. From a career perspective, it’s great to be part of that boardroom and help them on the journey.”
Those CISOs who get it are turning their tech stacks’ complexity and high maintenance costs into consolidation opportunities that improve cyber-resilience, increase visibility and control, and reduce gaps in their security posture. Consolidation is a given for every CISO inheriting a large, complex and costly tech stack that needs to be factored down to improve scale.
CrowdStrike was early in identifying the need to support CISOs who must consolidate tech stacks to help drive more revenue. By devising a growth strategy that benefits their growth and their customers’ security postures, CrowdStrike helps customers strike the best possible balance between consolidation and new investments in software and services. By providing a methodology and internally based benchmarks, CrowdStrike has a strong record of helping customers understand the optimal level of consolidation given their unique business requirements.
Like CrowdStrike, Palo Alto Networks has defined a consolidation strategy for its customers. While their consolidation strategies differ, both CrowdStrike and Palo Alto Networks look to bring greater scale through cost savings while driving upsell and cross-sell revenue. Each maintains a strong focus on getting budgets and benchmarking right.
Selling a board of directors and CEO on a cybersecurity budget must begin by defining it in terms that quickly grab attention and buy-in. CISOs tell VentureBeat that they are most successful in winning budget battles by explaining the downside revenue risk of not securing an enterprise area, then using that data to quantify cyber-risks.
Further strengthening the case for cybersecurity budget approval requires explaining the potential impact of a breach on revenues and the risks of not having a specific threat detection and response system in place. This must be quantified with cyber-risk data and strengthened with industry-standard benchmarks. Chief risk officers (CROs) and CISOs who collaborate and excel at cyber-risk quantification stand a better chance of having their budgets funded.
Cyber-risk quantification is a technique for defining and expanding budgets for zero-trust security frameworks and initiatives.
“Risk quantification helps you assess the value of cybersecurity projects using a commonly understood framework that ascribes a financial value to each prioritized decision based on statistical modeling of risk and expected loss,” Mark Tattersall writes in his blog post The Business Case for Risk Quantification.
Quantifying risk is essential to benchmarking in the right context so that CISOs can have guardrails for making the best decisions.
As Kurtz put it at Fal.Con: “Adding security should be a business enabler. It should be something that adds to your business resiliency, and it should be something that helps protect the productivity gains of digital transformation.”
Kurtz’s comments proved prescient, as a Deloitte study completed later in 2022 quantified just how critical cybersecurity is to all digital transformation initiatives — with the cloud being the most important.
“This means that security is now a driver of corporate strategy rather than buried as an operational line item only to be managed and measured as a cost,” Chris Gilchrist, principal analyst at Forrester, said during a session at Forrester’s Security and Risk Forum 2022. “In other words, security now has the latitude to defend and drive growth.”
At the same event, Forrester VP and principal analyst Jeff Pollard hosted a session titled “Cybersecurity Drives Revenue: How to Win Every Budget Battle.” This provided valuable guidance, insights and a helpful framework that CISOs can use to define their budgets by showing the revenue contributions they help protect and make.
“When something touches as much revenue as cybersecurity does, it is a core competency,” Pollard said in his presentation. “And you can’t argue that it isn’t.”
Every cybersecurity vendor knows that if they can help their customers fine-tune budgets with benchmarking, customer lifetime value (CLV) — one of the most valuable metrics of customer success — will be maximized. That’s why leading cybersecurity platform vendors have internal spending benchmarks that they provide to customers and prospects to build a business case.
It’s best to use vendor-supplied benchmarks to identify wide gaps that cybersecurity and IT teams have yet to consider in budget cycles. No single set of benchmarks will perfectly match a given business’s challenges, so it’s best to consider each set as guardrails on budgeting and planning. There are many versions of the truth for benchmarking cybersecurity spending.
A few of the many cybersecurity benchmarks available are those from AT&T Cybersecurity, Boston Consulting Group, CSO Online, Cybersecurity Dive, Forrester Planning Guide 2023: Security and Risk and SANS.
Clutch also recently released a helpful template showing how to create a cybersecurity budget for small businesses.
Because every business has a unique set of cybersecurity challenges that are made more complex by their reliance on sales, support and supply chain networks, it’s impossible to have a single, definitive benchmark across all industries. The following guidelines reflect the consensus of the latest benchmark surveys along with interviews that VentureBeat has conducted with CISOs, CIOs and security and risk management (SRM) leaders.
On average in 2022, enterprises spent 9.9% of their IT budgets on cybersecurity. Tech, healthcare and business services (including insurance) lead all industries in cybersecurity investment. What’s concerning is how little the education, retail and manufacturing sectors spend on cybersecurity. The data below further validate that the manufacturing industry’s security epidemic needs a zero-trust cure.
Consistent with Gartner and IDC’s previous studies, cloud-based software spending typically accounts for 20 to 25% of cybersecurity budgets. The figure could be significantly higher depending on the cloud maturity of a given business and industry.
For example, in tech and healthcare, CISOs tell VentureBeat that cloud-based software spending can comprise 40% of their budget, given the tech stack complexity that they’re managing across multiple business units.
Many CISOs aim to revamp legacy tech stacks to protect infrastructure, IoT, industrial control systems and operational technology (OT) apps and systems.
Identity access management (IAM) and privileged access management (PAM) are among the fastest-growing budget categories going into 2023. While the Deloitte study found that 12% of budgets are allocated to IAM, VentureBeat hears from CISOs that this figure is growing faster than the market and that cloud-based PAM systems are helping close gaps in tech stacks.
Seeing benchmarking and budgeting as an iterative process is crucial to success. One CISO told VentureBeat that the benchmarking, budgeting and course-correction cycle needs to become part of an organization’s DNA to succeed.
CISOs also tell VentureBeat that benchmarking data varies significantly by segment and subsegment of an industry, so knowing the unique challenges is critical. Comparing benchmarking data can locate gaps and identify when actions need to be taken.
One manufacturing company CEO told VentureBeat that the most valuable aspect of benchmarking is finding gaps that no one considered before and course-correcting quickly to close them. That company shifted spend from defense to cyber-resilience coincident with its zero-trust initiative.
Knowing how to navigate benchmark data to build a budget that both funds cyber-resiliency and drives revenue is a skill boards of directors are looking for. The better a CISO gets at balancing the two, the more likely their career will progress.
Google backs federal push for tech to embrace 'secure by design' – Cybersecurity Dive
CISA has urged the technology industry to develop more resilient products before they reach customers.
Google strongly supports the push by federal cybersecurity officials to build resilience into products during the design phase, hailing secure by design or default principles.
The goal is for developers to mitigate vulnerabilities and other flaws from the product’s creation so customers would not be exposed to flawed products during the installation process, the company said in a blog post Monday.
The Google support comes just weeks after Jen Easterly and Eric Goldstein from the Cybersecurity and Infrastructure Security Agency penned an op-ed calling for the industry to step up efforts for more security as part of the development process.
“We think they’re right,” Kent Walker, president of global affairs and chief legal officer at Google and Alphabet, and Royal Hansen, VP of engineering for privacy, safety and security at Google, wrote in the blog post. “It’s time for companies to step up on their own and work with governments to help fix a flawed ecosystem.”
Ransomware has proliferated in recent years by hackers taking advantage of pre-existing vulnerabilities, insecure software, architectures that can’t be defended and inadequate investments into security, Walker and Hansen said.
Google has taken some early steps to raise the security protocols on their platform. Since 2021, the company turned on 2-step verification by default for online account holders and the company has built the second factor into its phones, according to the blog.
“With society’s increased reliance on technology throughout all aspects of life, it’s vital organizations of all kinds adopt a secure by design approach to the development of products and services,” Dale Gardner, senior research director at Gartner, said via email. “We see literally countless costly examples of what happens when features and functionality are prioritized at the expense of security and safety.”
The cost of cybersecurity insurance is soaring–and state-backed attacks will be harder to cover. It’s time for companies to take threats more seriously – Fortune
State-backed cyber attacks are on the rise–but they are not raising the level of alarm that they should in the corporate world.
When working with companies, my team often encounters executives who say they have insurance, so everything will be alright. Or, they say they are not likely to be targeted by state-backed attackers because their company doesn’t have any political or strategic importance.
Unfortunately, this is not a productive way of thinking. Come the end of March, Lloyd’s will no longer cover damage from cyberattacks carried out by state or state-backed groups. In the worst cases, this reduced insurance coverage could exacerbate the trend of companies taking a passive approach toward state-backed attacks, as they feel there is now really nothing they can do to protect themselves. On the flip side, this increased risk and demand from companies for coverage could push the cyber insurance sector to innovate and find ways to deal with the growing risk levels.
The uncertainty of insurance could be the motivation that companies need to begin to take the threat of state-backed attacks more seriously.
As insurance companies grow more hesitant about risk, the average price for cyber insurance in the U.S. rose 79% in the second quarter of 2022, after more than doubling during each of the previous two quarters. At the same time, insurers are more carefully scrutinizing companies’ cyber practices, and excluding certain vulnerable technologies and attacks linked to war and conflict.
These limits will give insurers even more leverage to reject claims. For example, a court battle is ongoing following the 2017 NotPetya Russian-backed cyber attacks, in which some victims, including multinationals Mondelez International and Merck, have argued that insurers should not have rejected their claims for damage under the war exclusion because the attacks did not take place as part of what is commonly defined as war. Merck won its case and received the payout. Mondelez settled with its insurer, Zurich. But there is no doubt many more cases will end up in court.
Excluding coverage for state-backed attacks also opens the door to having to prove who the attackers actually are–something that is difficult. From my experience, most attackers aim to conceal their identities. Currently, identifying the attackers is not always part of corporate cyberattack response and efforts. Whether the burden of proof falls on the insurance company or the victim, identifying the attacker will lengthen the claims process.
Alongside deeper scrutiny and higher prices, cyber insurance providers are also embracing new ways to be able to absorb the growing risk. For example, the insurer Beazley recently announced that it would issue a $45 million catastrophe bond, which will allow it to share some of the risk with investors, and raise more capital. Such bonds are common in other types of insurance, including for property. But this approach is new in the still-young cyber insurance sector–and it is far from certain if such a method will really bring in enough money to pay out more expensive claims. It’s also unclear what type of event would meet the definition of a “catastrophe,” leaving ample room for uncertainty.
In December, Mario Greco, the CEO of Zurich, called cyberattacks “uninsurable”–at least in the traditional sense.
Three key things need to change as insurance becomes more expensive and less reliable.
First, all organizations need to understand that they are at risk of state-backed attacks. In my daily work, I see state-backed groups targeting ordinary companies to steal money, or to obtain data they can sell on the Dark Web. Companies need to get more serious about cyber threat intelligence and take a more proactive approach to defense. This can go a long way: if attackers are mainly after money or data they can quickly sell for money (rather than other objectives, like shutting down operations), challenges in carrying out an attack will likely cause them to move on to the next target.
Companies need to start paying attention to who is attacking them. An attack, or attempted attack, is a unique opportunity to learn about the enemy, including what methods and tools they use. In many cases, an attacker enters a network but takes no further action for weeks or months, leaving a valuable window for intelligence on the defensive side. In cases where we can find clues about who they may be, we are able to help organizations build the specific defenses they need to protect themselves.
Finally, the private sector and the government need to increase cooperation. This is even more urgent as available insurance options wane. There is progress on that front. Since last year, the White House and federal agencies overseeing cybersecurity have increased cooperation with the private sector–but it still remains limited to companies dealing with critical infrastructure and large tech companies, such as Microsoft, Amazon, and Apple.
However, governments also need to realize that not every company has the tools and resources necessary to protect against state-backed threats. More grants, training, and assistance need to be made available, especially because the threat of state-backed attacks is no longer limited to large organizations that have strategic or political value. That happens at scale in Israel, where the National Cyber Directorate offers training and also engages in threat hunting on behalf of the private sector.
This is a matter of national security. The U.S. government could set requirements for cyber insurance that are based on the company taking reasonable steps rather than simply on who the attacker is, or offer subsidized insurance plans to qualified companies much like the U.S. Federal Emergency Management Agency offers flood insurance options to residents in at-risk areas where reasonable mitigation efforts were taken. Health insurers are also required to cover certain preexisting conditions. When it comes to natural disasters, the U.S. and other governments also step in to provide assistance that may not be offered or covered by private insurance policies.
If state-backed cyberattacks are considered a type of terrorism, there are strong precedents for the government aiding victims. In fact, the U.S. government is currently studying whether there should be a program where the government would step in to help cover losses from cyberattacks, like it does in cases of terrorism.
However, companies cannot let go of responsibility or simply blame state-backed actors for attacks as a tactic to reduce their burden of responsibility.
As the insurance industry excludes more state-linked scenarios and searches for new ways to absorb risk, it’s time to help companies defend themselves. It’s key to protecting the economy, society, and even lives from state-backed attacks.
Shmulik Yehezkel is the chief critical cyber operations officer and CISO at CYE.
Measuring cybersecurity: The what, why, and how – CSO Online
By Steve Durbin
Contributing writer, CSO
A core pillar of a mature cyber risk program is the ability to measure, analyze, and report cybersecurity threats and performance. That said, measuring cybersecurity is not easy. On one hand, business leaders struggle to understand information risk (because they usually come from a non-cyber background); on the other, security practitioners get caught up in too much technical detail, which ends up confusing, misinforming, or misleading stakeholders.
In an ideal scenario, security practitioners measure and report cybersecurity in a way that senior executives understand and find useful, that satisfies their curiosity, and that leads to actionable outcomes.
Most stakeholders usually have questions around risk, compliance, or assurance. Unfortunately, such questions usually cannot be answered using a single data point. Fortunately, there are a wide range of things that security practitioners can measure in order to address stakeholder questions and concerns. These can be broadly categorized under:
The above categories can further be broken down in terms of numbers, time, or cost. For example, numbers can measure totals and percentages of unpatched servers, the ratio of unpatched servers to the required baseline and capacity, or the number of servers it is possible to patch. Time can measure how long it took to identify an incident, or the frequency of a particular threat over time. Cost can measure the impact of an incident in financial terms, the cost of recovery, and the cost of lost business due to downtime.
Security practitioners must select the most relevant measurements when reporting to business teams. Most security teams focus on metrics, which provide low-level measurements related to assets, vulnerabilities, and threat events. Executive teams, on the other hand, care about key performance indicators (KPIs) and key risk indicators (KRIs) because these can help answer specific questions related to information security risk, health, preparedness, and business priorities:
These are the types of questions that KPIs and KRIs help answer, and this is why practitioners must be laser-focused on KPIs and KRIs to benchmark their security performance, preparedness, and effectiveness.
Building the right measurement framework is a gradual, iterative process. Let’s explore the five main steps involved in building a security measurement cycle:
Engage in a two-way conversation with relevant stakeholders to define and understand their needs. When starting small, stakeholders may not always have a good understanding of information risk or their own requirements at this point, so a more bottom-up approach, where security practitioners measure what they think is important and report upwards, is necessary. Security practitioners can use these conversations to ask probing questions themselves, helping to educate and set the agenda if necessary.
Once stakeholder requirements have been defined, security practitioners should identify and select the key indicators that would help to support those requirements. All stakeholders must be consulted and informed on the measurements that will be presented at a later stage.
Having sight of key indicators should enable stakeholders to take action or make decisions. These key indicators should be at a high level and few. The goal is to help with decision making, not to overwhelm or confuse people with data.
Having identified high-level goals and indicators, security teams must now focus on identifying lower-level metrics that help report on those indicators. Depending on the exact nature of the indicator, this could involve dozens of metrics being required, from across the various categories of measurement outlined above.
With requirements agreed upon, key indicators selected and metrics identified, practitioners can now begin collecting and analyzing data for those key indicators. Metrics must only be derived from data that is accurate, timely, relevant, and trustworthy. Otherwise, the business can make the wrong decisions, with serious consequences for the organization’s security posture. Security teams must find ways to collect this data on a continuous basis (most measurements will require a view of trends over time) and preferably make the process as automated as possible (manual processes can be tiring and time-consuming).
Key indicators must be reported to decision makers in a timely manner. Security practitioners and stakeholders should agree on a cadence: How regularly does reporting need to happen? Reporting style must also be agreed upon as different methods suit different stakeholders: Are dashboards required, or would slide presentations do the job? Key indicators should be clearly visible and easily understandable. In the end, reporting should lead to decisions or action.
Finally, after each reporting cycle, it is important to review key indicators and revalidate them with stakeholders. Security teams and stakeholders must ask: do the reported indicators still provide value, or does something need to change? If business requirements have indeed changed, then practitioners must go back to defining requirements and analyzing a different set of indicators and metrics.
Don’t forget, the threat landscape is always evolving and therefore security must also evolve in lock step. Organizations, stakeholders, and security practitioners should not be afraid of going backwards or forwards. The ability to fail fast, move on and improvise or repurpose is critical to achieving success in measuring cybersecurity.
Steve Durbin is chief executive of the Information Security Forum, an independent, not-for-profit association dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000. Find out more at www.securityforum.org.
Copyright © 2023 IDG Communications, Inc.
T-Mobile data breach class action lawsuit investigation – Top Class Actions
Was your information compromised in the November 2022 T-Mobile data breach?
On Jan. 19, T-Mobile revealed that it was the target of yet another data breach in November 2022. The breach, which was discovered on Jan. 5, compromised customer addresses, birth dates, phone numbers and other data.
T-Mobile has faced several data breaches in the past, including an August 2021 breach which resulted in a $350 million class action settlement. Consumers affected by the most recent T-Mobile data breach may be eligible to take legal action.
On Jan. 19, 2023, T-Mobile announced on its website that it had been the victim of a data breach. According to a filing with the U.S. Securities and Exchange Commission (SEC), the breach occurred in late November 2022 and was discovered on Jan. 5, 2023.
During the breach, an unauthorized user reportedly gained access to a single Application Programming Interface (API) but was unable to access sensitive data stored on T-Mobile’s systems. T-Mobile emphasizes that “no passwords, payment card information, Social Security numbers, government ID numbers or other financial account information” were impacted by the data breach. Instead, the names, billing addresses, birth dates, account numbers and other account data for 37 million customers were compromised. The mobile carrier says that this information is unlikely to compromise customer safety or finances.
“We understand that an incident like this has an impact on our customers and regret that this occurred,” T-Mobile said in its announcement.
“While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”
The 2022 data breach occurred despite millions of dollars invested in cybersecurity as a result of previous data incidents. As part of a $350 million class action settlement, T-Mobile agreed to invest $150 million in cybersecurity enhancements. According to the SEC filing, T-Mobile has made “substantial” progress on these enhancements and will continue to strengthen its protections as part of the settlement’s multi-year investment program.
Over the last several years, T-Mobile has been the victim of several data breaches.
In August 2021, the mobile carrier suffered a massive data breach which compromised sensitive personal data of nearly 80 million Americans. The company agreed to a $350 million class action settlement to resolve legal claims surrounding the 2021 breach.
Before this massive breach, the company suffered similar but smaller-scale incidents in January 2021, November 2019 and August 2018.
Some tech experts are critical of T-Mobile’s apparent lack of progress in the face of repeated data breaches.
“I’m certainly disappointed to hear that, after as many breaches as they’ve had, they still haven’t been able to shore up their leaky ship,” Chester Wisniewski, field chief technology officer at security firm Sophos, told Wired.
Although the T-Mobile data breach did not expose Social Security numbers or payment card data, consumers may still be at risk for fraud due to their stolen personal information. Hackers can use personal information to launch targeted attacks against consumers through phishing emails and other schemes.
Data breach victims may have legal recourse. Taking legal action could help affected consumers recover compensation for data breach-related damages.
If your information was compromised in the 2022 T-Mobile data breach, you may qualify to participate in this T-Mobile data breach lawsuit investigation.
-
JD Sports suffers 10 million customer data breach – TechHQ
Tony Fyler
@more__hybrid
fyler@hybrid.co
So much for cybersecurity. Protect your historical data too.
When people think of a data breach in 2023, they tend to imagine that the data attacked will be modern, up to date, and potentially of immediate use to cybercriminals. But British sportswear retailer JD Sports has just amply demonstrated the need for a robust cybersecurity policy that deals with historic data too. A cyberattack on the chain’s systems has potentially compromised the data of 10 million customers who bought from it between 2018 and 2020.
The company, which is contacting affected customers (though reaching all 10 million may understandably take a while), said the data that had been accessed could include customers’ names, addresses, email addresses, phone numbers, order details and the final four digits of their bank cards.
While apologising to its compromised customers, the company also said it believed the data that had been affected was “limited” – the last four digits of card numbers, rather than the whole card numbers.
The type of data involved still leaves significant scope for activity by cybercriminals, though.
JD Sports, which also owns several subsidiary brands, said it was working with both “leading cyber-security experts” and the UK’s Information Commissioner’s Office (ICO) to minimize the impact of its extensive data breach, while insisting that “Protecting the data of our customers is an absolute priority for JD Sports.”
Several cybersecurity experts almost immediately contacted Tech HQ to take some issue with the use of the phrase “absolute priority” in this case.
Muhammad Yahya Patel, Security Engineer at Check Point Software, said:
“In this case we see historic data has been affected, which raises questions regarding the volume of information being stored and what security is being implemented around it. As consumers, we trust retailers to secure our sensitive details. A breach of this size, or indeed any size, erodes that trust, which can be hard to recover.
“Transparent reporting is critical. Without all the information, it’s impossible to learn and improve security measures at a macro level.”
Meanwhile, Darren Guccione, the CEO of Keeper Security, explained that incomplete data could still be considered an effective haul.
“Even in cases where customer data is stolen but their passwords are not, the threat to their passwords and other sensitive information from the data breach remains. Bad actors sell this valuable information on the dark web and in this instance, will often compare the JD Sports customer information to information from data breaches at other organizations that did compromise passwords or use the information for a targeted phishing attack.
“In phishing attacks, bad actors often tailor scams using aesthetic-based tactics such as realistic-looking email templates and malicious websites. The aesthetics users recognize, such as the logo or color scheme of the site, are used to lure them into a malicious link or form field. The key to avoiding falling victim to this type of attack is to ensure users check that the URL matches the authentic website. In any case, emails containing links must always be subject to greater awareness and vigilance. A password manager that can automatically identify when a site’s URL doesn’t match is a critical tool for preventing the most common password-related attacks, including phishing.
“Even though JD Sports says passwords were not part of the stolen information, its customers should immediately update their passwords to be unique from any other passwords they’ve used in the past, while ensuring each new password or passphrase is strong, with uppercase and lowercase letters, numbers, and symbols. Passwords should also be paired with a strong MFA option as an added layer of security in the event their password is discovered.”
That was advice echoed by JD Sports’ Chief Financial Officer, Neil Greenhalgh, who acknowledged that even with the “incomplete” dataset being compromised, affected customers – or anyone who thought they might be affected, ahead of having it confirmed by the company – should be “vigilant about potential scam emails, calls and texts.”
That will be of little comfort to the potentially 10 million customers, especially as they now know the company is actively trying to get in touch with them. In a supreme irony, the ground has been laid for a perfect scenario: cybercriminals holding some of a customer’s private data (email address, name, home address, last four digits of a card, say) could contact that customer while posing as a JD Sports representative advising them of the breach, in an attempt to make them give up the remaining crucial elements of their data.
That’s a second-wave threat acknowledged by Vonny Gamot, Head of EMEA at McAfee. “Unfortunately, the data of over 10 million customers may now be at risk. A high-profile attack like this is often followed by cybercriminals launching further rounds of phishing attacks, usually via email or SMS, that direct people to bogus sites designed to steal more personal or financial information. Always double check the sender looks legitimate and watch out for any spelling or grammar errors.”
Meanwhile, for not being “sufficiently” protective of its customers’ private historical data, JD Sports may feel the scourging effect of the law.
Jonathan Compton, a leading legal expert on data protection from London law firm DMH Stallard, outlined how serious that could be for the compromised business.
“The aggravating factors here are the numbers involved, the personal data accessed, and the length of time since the infringement.
“JD Sports can expect fines up to the higher maximum permitted under Part 6 of the Data Protection Act 2018.
“The higher maximum amount is £17.5 million or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.”
This just in: historic user data is valuable too – companies need to protect it all from compromise, not just the most recent data generated.
How is your company’s historic data safety profile?
3 March 2023
-
Zero trust is moving from hype to reality – Cybersecurity Dive
Organizations must plan ahead and invest in people and resources to succeed with zero trust, writes Gartner analyst John Watts.
Editor’s note: This article is from John Watts, a vice president analyst at Gartner. If you would like to submit a guest article, you can submit it here.
Most organizations view zero trust as a top priority when it comes to reducing risk in their environments. However, zero trust at scale across the entire enterprise has yet to become a reality for many of them.
Zero trust is a security paradigm that explicitly identifies users and devices and allows them access to operate with minimal friction while still reducing risk. Zero trust requires organizations to think in terms of least privileged access, resource sensitivity and data confidentiality.
These concepts are not new. Many teams have tried to implement least privileged access controls in the past and experienced challenges as they expanded the scope and increased the granularity of controls.
Zero trust is not immune to these issues. Organizations must plan ahead and invest in people and resources to succeed with zero trust, and not view it as a one-time, one-size-fits-all answer to securing their organization.
To initiate zero-trust implementation, organizations can start by defining a strategy and baseline prior to embarking on a wider zero-trust technology implementation.
It is important to tailor the zero-trust strategy to the organization and align it with the types of attacks it is best positioned to mitigate, such as lateral movement of malware.
Zero trust will not be achieved with one technology, but with the integration of multiple different components.
Gartner predicts that over 60% of organizations will embrace zero trust as a starting place for security by 2025. However, more than half will fail to realize the benefits — initiating zero trust requires more than technology.
Due to the marketing pressures and hype around zero trust, security leaders are overwhelmed and struggle to translate the technical reality into business benefits.
There is a common misconception that “zero trust” refers to no one being trusted, but this is not the case. Rather, zero trust refers to trusting the “right” amount needed and no more. Security leaders must understand zero trust will protect them and their organization from any oversights that may happen.
When it comes to successfully launching zero trust within organizations, cybersecurity leaders must not attempt to execute zero trust programs with only technology controls. Zero trust is not a technology-first effort, but rather a shift in mindset and security approach.
Once this is understood, cybersecurity leaders will then need to receive executive backing and support. This support will show how zero trust enables new business approaches and a more resilient environment that allows for more flexibility.
Failure to obtain this support will put zero trust programs at risk.
Cybersecurity leaders must accept the potential for complexity and interim redundancy to occur. Security teams will operate under a new, granular approach, but old controls will still be required. There may be conflicting goals between the old and new controls. These must be reconciled and continuously reviewed to avoid conflicts.
As organizations move from the hype of zero trust into reality, security leaders must pivot their focus from technology and marketing messaging to the cultural and security program of zero trust. Security leaders can set themselves up for success by setting realistic goals that align to both manageability and security objectives.
Position zero-trust programs in terms of desired business outcomes such as risk reduction, better end-user experience or improved flexibility to set realistic expectations about the scope and impact of zero-trust programs.
Currently, the majority of organizations are in the early stages of their zero-trust journey. While organizations are excited about the promise of zero trust, few are focused on its post-implementation realities.
Organizations that are further along in their zero-trust journey have encountered roadblocks implementing and maintaining least privileged access. To help avoid these roadblocks, invest in resources that will isolate and adhere to least privileged access policies for implemented controls. Investing in these resources will maintain a zero-trust posture after implementation.
Gartner predicts that by 2026, 10% of large enterprises will have a mature and measurable zero trust program in place, up from less than 1% today.
A zero-trust strategy must be driven by a business decision on how much investment an organization is willing to make in cybersecurity, and the amount of benefit derived from the investment. Zero-trust efforts become less tactical as organizations improve in explaining cybersecurity as a business investment.
There is no universal standard for measuring zero-trust maturity today; however, existing maturity models are a useful starting point.
For example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a zero-trust maturity model designed to assist U.S. federal agencies as they develop strategies and implementation plans for zero trust.
Use such a model to track progress against the organization’s own zero-trust goals and objectives. Prioritize this plan of action over adopting relative benchmark assessments from maturity models, as those benchmarks may not be comparable across organizations because of differences in scope and desired outcomes.
Moving from theory to practice with zero trust is challenging. It is easy to fall into the trap of deploying point zero-trust solutions without developing a strategy. A robust strategy is imperative and the only way to move beyond the marketing noise to ensure successful zero-trust implementation.