
  • This Is the Biggest Cybersecurity Training Bundle You'll Find – Entrepreneur

    Copyright © 2023 Entrepreneur Media, Inc. All rights reserved. Entrepreneur® and its related marks are registered trademarks of Entrepreneur Media Inc.
    Save big on our most comprehensive cybersecurity training bundle.
    By Entrepreneur Store
    Disclosure: Our goal is to feature products and services that we think you’ll find interesting and useful. If you purchase them, Entrepreneur may get a small share of the revenue from the sale from our commerce partners.
    For entrepreneurs and small business owners, cybersecurity is no longer an option. Of course, nobody is immune to cybercrime, but an attack can have far more devastating consequences for a small business than it would for a big one.
    As such, you need to invest in cybersecurity, but who has the resources to bring in an entire IT or cybersecurity team? So instead, become your own cybersecurity expert. You can build a strong foundation with The Complete 2023 Cyber Security Developer & IT Skills Bundle.
    One of the most comprehensive cybersecurity resources you’ll find anywhere, it comprises 26 courses from one of the world’s leading online learning providers, iCollege. You’ll get study materials for many of the world’s most in-demand cybersecurity certification exams. iCollege is trusted by Silicon Valley startups and Fortune 500 companies to help employees keep their skills up to speed, so you know its materials are some of the best available on the web.
    Courses cover exams from Microsoft, Cisco, CertNexus, Linux, CompTIA, NIST, and many more top-certifying bodies. From penetration testing and ethical hacking to cloud security, cybersecurity infrastructure, and more, you’ll develop a comprehensive skill set that will help you protect your own business, start a side hustle, or even launch a lucrative new career path. With lifetime access and so many certifications to cover, you can choose where you want to devote your attention based on your interests and needs.
    This bundle is rated 5/5 stars online. One reviewer raved, “The instruction videos are absolutely magnificent, and all of the extra materials will surely assist come exam time!”
    For a limited time, you can get The Complete 2023 Cyber Security Developer & IT Skills Bundle on sale for just $79 (reg. $7,774) — best of web pricing!
    Prices subject to change.

  • Microsoft builds fast-track to six-figure cybersecurity jobs at more … – Fortune

    The largest technology companies in the world have a vested interest in addressing the global cybersecurity talent shortage. By 2025, there will be 3.5 million cybersecurity jobs open globally—a 350% increase over eight years, according to Cybersecurity Ventures—and Microsoft is intent on closing this gap.
    The high demand for cybersecurity experts is reflected by the salaries for these roles in the U.S. Microsoft estimated that in 2021, the country had 464,200 unfilled positions that required cybersecurity skills and that the average salary for these jobs was $105,800. Some estimates for cybersecurity worker salaries are even higher. Companies like Booz Allen Hamilton report the annual earnings of entry-level cybersecurity employees to be around $150,000. The median base compensation for chief information security officers, a role which typically requires a master’s degree, is $584,000, according to a survey by Heidrick & Struggles.
    Despite steep demand and six-figure salaries, only 3% of U.S. bachelor’s degree-holders have cybersecurity-related skills, Cybersecurity Ventures reports. This skills gap is what Microsoft is hoping to change by homing in on the lack of diversity in the computing and cybersecurity fields. Among cybersecurity specialist jobs, 83% of these roles are held by men and 72.6% by white people.
    In 2021, Microsoft launched its cybersecurity skills initiative, which included the company giving $150 million to federal, state, and local governments to support upgrading government agencies’ cyber protection and committing to spending $20 billion on advancing their security solutions over the next five years. The initiative also included a large-scale effort to support cybersecurity education.
    Microsoft is collaborating with 181 community colleges across 44 states in an attempt to provide accessible pathways into the profession. The tech company launched a campaign to recruit 250,000 people into the cybersecurity workforce by offering a free cybersecurity curriculum to all U.S. public community colleges, providing training for college faculty, and offering financial support to 25,000 students. Microsoft declined to provide the full list of partnering schools to Fortune.
    Alongside Abbott and Raytheon Technologies, Microsoft also supports the HBCU Cybersecurity Industry Collaboration Initiative Pilot. The program, which will run through Fall 2022, involves collaboration with the schools of engineering at four historically black colleges and universities: Hampton University, North Carolina A&T State University, Prairie View A&M University, and Virginia State University.
    To learn more about how the Big Tech company is striving to close the cyber skills gap, Fortune spoke with Naria Santa Lucia, senior director of digital skills and employability at Microsoft Philanthropies. 
    The following interview has been edited for brevity and clarity. 
    Fortune: The demand for cybersecurity experts is nothing new, so why has Microsoft decided to launch these initiatives in the past couple of years? 
    Santa Lucia: We are a digital company, and so when there’s an alignment between what the company is driving towards and what we’re driving towards societally, the nexus of those two things is where we can really make a big difference.
    COVID-19 obviously created a ton of opportunities for digital transformation. At one point, our CEO noted that at the beginning of COVID, two years’ worth of digital transformation happened in just two months—and that only grew from there. Additionally, cyber attacks and threats have increased significantly. So everywhere from our products to the communities, to nation states—how does Microsoft help?
    From my perspective, cybersecurity is going to be a huge growth industry. So we asked ourselves: How can we make sure that people who have the talent, aptitude, and interest—especially those who are currently excluded—have a pathway into those roles? 
    Fortune: How is Microsoft supporting colleges’ efforts to expand cybersecurity programming, and how are you ensuring these efforts are sustainable? 
    Santa Lucia: We partnered with the American Association of Community Colleges to help build the capacity of the administrations and the faculty to teach computer science at all of these schools. We also are working with the National Cyber Training and Education Center—they designate the Centers for Excellence for community colleges—which allows schools to prove that they’re ready to deploy cybersecurity content.
    There are many different ways to find cyber talent. On one end, there are those people who are maybe in a different IT role that with a little bit of re-skilling can go into cybersecurity. On the other end, there are those individuals who maybe never had a chance in a tech role, but can pursue the whole learning process and gain those skills, certifications, or credentials to enter the field. 
    Both of those audiences are served at our nation’s community colleges. Not only do they have people who are going for those degree programs, but also there are workforce members that can go in and kind of brush up their skills. Community colleges are also so affordable and they are everywhere. So that’s why we think doubling down on the investment in community colleges is a really great way to close that talent gap quickly.
    Right now, there are so many cyber threats and there is so much opportunity for new jobs and new roles in this space. I think if someone has even a little bit of interest in being a problem solver and is curious about the cybersecurity field, a really good place to check it out is your local community college.
    Fortune: To address the demand for cybersecurity skills, why is it so critical to focus on career pathways for underserved communities?
    Santa Lucia: We have found that the more targeted we can really be—especially for underserved populations—the better. Previously, we launched a global tech skilling initiative at the start of COVID. We’ve far exceeded our goal of reaching 25 million people and when we started looking underneath the hood of that initiative—we found that some roles are popping, and cybersecurity was one of those. There are lots of different kinds of jobs in cybersecurity, from analysts all the way to people that create the technology—it’s also a diverse set of roles. 
    After we realized that this is a big opportunity to upskill talent and find roles for underserved individuals to be successful, we went out and spoke with several community colleges and asked them if students were interested and if so, what were the barriers to producing more cybersecurity talent. And we found out that students are very interested. The barriers included lack of access to up-to-date curriculums, limited bandwidth from faculty, and students themselves often needing financial assistance to pursue these programs. 
    There is a lot of stereotyping of computer science professionals and I think a lot of the diversity issue in cybersecurity and computer science has to do with those stereotypes. Once I asked a leader from a community college about what kinds of people are really good at cybersecurity. And he said to me, honestly, anyone who is curious and loves problem-solving. When you frame it like that, that’s a lot of types of people, right? Many people could say that they love a good mystery or a good puzzle. 
    So I think that we need to break those stereotypes, which is why I’m really proud that we’ve started our work first with community colleges because it is a system that is very robust across the U.S.—and that system has a lot of women and lots of students of color. If we can really tap that infrastructure to start getting that message out, that’s a good start to diversifying the pipeline.

  • New Biden Cybersecurity Strategy Assigns Responsibility to Tech … – The New York Times

    The policy document urges more mandates on the firms that control most of the nation’s digital infrastructure, and an expanded government role to disrupt hackers and state-sponsored entities.
    WASHINGTON — The Biden administration issued a new cybersecurity strategy on Thursday that calls on software makers and American industry to take far greater responsibility to assure that their systems cannot be hacked, while accelerating efforts by the Federal Bureau of Investigation and the Defense Department to disrupt the activities of hackers and ransomware groups around the world.
    For years, the government has pressed companies to voluntarily report intrusions in their systems and regularly patch their programs to fix newly discovered vulnerabilities, much as an iPhone does with automatic updates every few weeks.
    But the new National Cybersecurity Strategy concludes that such good-faith efforts are helpful but insufficient in a world of constant attempts by sophisticated hackers, often backed by Russia, China, Iran or North Korea, to get into critical government and private networks. Instead, companies must be required to meet minimum cybersecurity standards, the new strategy contends.
    The strategy is a policy document, not an executive order, although it represents a significant shift in attitude toward the “public-private partnerships” that the government has talked about for years. While some aspects of the new strategy are already in place, others would require legislative changes — potentially a major challenge in a Republican-dominated Congress. And the federal government does not have the ability to impose cybersecurity requirements on state-run facilities like hospitals, which have been targeted by hackers.
    “The fundamental recognition in the strategy is that a voluntary approach to securing” critical infrastructure and networks “is inadequate,” Anne Neuberger, the deputy national security adviser for cyber and emerging technologies, said at an event at the Center for Strategic and International Studies, a Washington think tank.
    Every administration since that of George W. Bush, 20 years ago, has issued a cybersecurity strategy of some kind, usually once in a presidency. But President Biden’s differs from previous versions in several respects, chiefly by urging far greater mandates on private industry, which controls the vast majority of the nation’s digital infrastructure, and by expanding the role of the government to take offensive action to pre-empt cyberattacks, especially from abroad.
    The Biden administration’s strategy envisions what it calls “fundamental changes to the underlying dynamics of the digital ecosystem.” If enacted into new regulations and laws, it would force companies to implement minimum cybersecurity measures for critical infrastructure — and, perhaps, impose liability on firms that fail to secure their code, much like automakers and their suppliers are held liable for faulty airbags or defective brakes.
    “It just reimagines the American cybersocial contract,” said Kemba Walden, the acting national cyber director, a White House post created by Congress two years ago. “We are expecting more from those owners and operators in our critical infrastructure,” added Ms. Walden, who took over last month after the country’s first cyber director, Chris Inglis, a former deputy director of the National Security Agency, resigned.
    The government also has a heightened responsibility, she added, to shore up defenses and disrupt the major hacking groups that have locked up hospital records or frozen the operations of meatpackers around the country, along with government operations in Baltimore, Atlanta and small towns across Texas.
    “We have a duty to do that,” Ms. Walden said, “because the internet is now a global commons, essentially. So we expect more from our partners in the private sector and the nonprofits and industry, but we also expect more of ourselves.”
    Read alongside the cybersecurity strategies issued by the previous three presidents, the new document reflects how offense and defense in the sphere have become increasingly central to national security policy.
    The Bush administration never publicly acknowledged American cyberattack capabilities, even as it mounted the most sophisticated cyberattack one state has ever directed at another: a covert effort to use code to sabotage Iran’s nuclear fuel facilities. The Obama administration was reluctant to name Russia and China as the powers behind major hacks of the U.S. government.
    The Trump administration bolstered American offensive initiatives against hackers and state-backed actors abroad. It also raised the alarm about having Huawei, the Chinese telecommunications giant it accused of being an arm of the Chinese government, set up high-speed 5G networks in the United States and among allies, fearing that the company’s control of such networks would aid in Chinese surveillance or allow Beijing to shut down systems at a time of conflict.
    But the Trump administration was less active in requiring American companies to establish minimum protections on critical infrastructure, or seeking to make those firms liable for damage if vulnerabilities they had left unaddressed were exploited.
    Imposing new forms of liability would require major legislative changes, and some White House officials acknowledged that Mr. Biden could face insurmountable opposition from Republicans in Congress if he sought to pass such sweeping new corporate regulations.
    The Biden administration’s move to establish corporate liability for failure to meet basic security needs “will have decades-long ramifications,” said Glenn S. Gerstell, a former general counsel at the National Security Agency.
    “In the cyberworld, we’re finally saying that Ford is responsible for Pintos that burst into flames, because they didn’t spend money on safety,” he added, referring to the famously combustible car that was recalled in 1978.
    Many elements of the new strategy are already in place. In some ways, it is catching up with steps the Biden administration took after struggling through its first year, which began with major hacks of systems used by both private industry and the military.
    After a Russian ransomware group shut down the operations of Colonial Pipeline, which handles much of the gasoline and jet fuel along the East Coast, the Biden administration used little-known legal authorities held by the Transportation Security Administration to regulate the nation’s vast network of energy pipelines. Pipeline owners and operators are now required to submit to far-reaching standards set largely by the federal government, and later this week, the Environmental Protection Agency is expected to do the same for water pipelines.
    There are no parallel federal authorities for requiring minimum standards of cybersecurity at hospitals, which are largely regulated by states. Health centers have been another target of attacks, from Vermont to Florida.
    “We should have been doing many of these things years ago after cyberattacks were first used to disrupt power to thousands of people in Ukraine,” Ms. Neuberger said in an interview on Wednesday. She was referring to a series of attacks on the Ukrainian power grid that began seven years ago.
    Now, she said, “we are literally cobbling together an approach sector by sector that covers critical infrastructure.”
    Ms. Neuberger cited Ukraine as an example of a proactive cyberdefense strategy: In the weeks after the Russian invasion, Ukraine changed its laws to allow ministries to move their databases and many government operations to the cloud, backing up computer servers and data centers around Kyiv and other cities that were later targets for Russian artillery. Within weeks, many of those server farms were destroyed, but the government kept running, communicating to servers abroad using satellite systems like Starlink, also brought in after the war broke out.
    The U.S. strategy is catching up with its offensive program, which has become increasingly aggressive. Two years ago, the F.B.I. began to use search warrants to find and dismantle fragments of malicious code found on corporate networks. More recently, it hacked into the networks of a ransomware group, removed the “decryption keys” that would unlock documents and systems belonging to the group’s victims and foiled efforts to collect large ransoms.
    The F.B.I. can operate in domestic networks; it is up to U.S. Cyber Command to go after Russian hacking groups like Killnet, a pro-Moscow group responsible for a series of denial-of-service attacks starting in the early days of the war in Ukraine. Cyber Command also slowed the operations of Russian intelligence agencies around the 2018 and 2020 American elections.
    But none of those are permanent solutions; some groups the United States has targeted have formulated themselves anew, often under different names.
    Mr. Biden’s only face-to-face meeting as president with Russia’s leader, Vladimir V. Putin, in 2021 in Geneva, was driven largely by the fear that rising ransomware attacks were affecting the lives of consumers, hospital patients and factory workers. Mr. Biden warned the Russian leader that his government would be held responsible for attacks emanating from Russian territory.
    There was a lull for a number of months, and a prominent hacking group was raided by Russian authorities in Moscow. But that cooperation ended with the opening of the war in Ukraine.
    In a speech this week at Carnegie Mellon University, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, described the efforts of the administration as “shifting liability onto those entities that fail to live up to the duty of care they owe their customers.”
    “Consumers and businesses alike expect that products purchased from a reputable provider will work the way they are supposed to and not introduce inordinate risk,” Ms. Easterly said. She added that the administration needed to “advance legislation to prevent technology manufacturers from disclaiming liability by contract,” a common practice that few notice in the fine print of software purchases.

  • Prep for advanced cybersecurity certifications with this $60 bundle – Mashable

    TL;DR: The Ultimate Advanced Cybersecurity Professional Certification Bundle is on sale for only $59.97 through April 3. That breaks down to only $11.99 per course.
    As large as the cybersecurity industry could grow, entry-level positions may still be steeply competitive. If you want to stand out from the crowd, you may want to seek out professional certifications that you can study for on your own time. The Ultimate Advanced CyberSecurity Professional Certification Bundle gives you unlimited access to 175 hours of expert instruction on the fundamentals of cybersecurity. During the Spring Digital Blowout, you can get this bundle for life for only $59.97, but that deal only lasts until April 3 at 11:59 p.m. PT.
    Whether you’re taking charge of your own education or supplementing formal classes, this bundle may have something valuable for you to learn. If you’re still a beginner, you can start by getting familiar with the basics. Study up on the National Institute of Technology Framework (NIST) that is used by 30 percent of all U.S. firms.
    There’s more than one way to get your foot in the door of your first IT job, and one proven method is to get CompTIA-certified. The two CompTIA courses in this bundle do not come with the certification exam itself, but they do give you access to nearly 100 hours of prep materials, including video lectures on risk analysis and cyber defense, risk metrics, and more.
    Round out your IT education with courses on CISSP and CISM taught by pros from iCollege. Learn the technical and managerial skills that an IT team faces in a big company. That includes lessons on governance security principles, security ethics, and security architecture, and there’s even information on exam candidates for certification.
    Start studying. Get the Ultimate Advanced CyberSecurity Professional Certification Bundle while it’s only $59.97 (reg. $1,475). You don’t need a coupon to get this deal, but it only lasts until April 3.
    Prices subject to change.

  • Fact Sheet: Vice President Harris Launches Global Initiatives on the … – The White House

    The White House
    1600 Pennsylvania Ave NW
    Washington, DC 20500
    Promoting gender equity and equality is a cornerstone of U.S. foreign policy in Africa and around the world. Advancing the economic status of women and girls is not only a matter of human rights, justice, and fairness—it is also a strategic imperative that reduces poverty and promotes sustainable economic growth, increases access to education, improves health outcomes, advances political stability, and fosters democracy.
    In particular, the digital gender gap undermines women’s full participation in the 21st century economy. Globally, approximately 260 million more men than women were using the internet in 2022—and this gap has increased by 20 million in the last three years. The gap is especially acute across Africa, where International Telecommunication Union data show that sixty-six percent of women do not use the internet.
    To address this disparity, the Biden-Harris Administration will continue to work with other governments, private sector, foundations, and multilateral organizations to help close the digital divide, improve meaningful access to equitable digital finance and other online services, and address social norms that prevent women from participating fully in the digital economy. More broadly, the Biden-Harris Administration will continue to promote the economic empowerment of women.
    In support of these goals, in Accra, Ghana, the Vice President is announcing a series of investments and initiatives—from the U.S. government and, in response to her call for investment, from the private sector and philanthropic community. The Vice President is also making a series of announcements on behalf of the Biden-Harris Administration to foster women’s political, economic, and social inclusion in Africa, building upon initiatives launched at the U.S.-Africa Leaders Summit in December 2022, including the Digital Transformation with Africa (DTA) Initiative.
    Women in the Digital Economy Fund
    The U.S. Agency for International Development and the Bill & Melinda Gates Foundation are announcing the Women in the Digital Economy Fund, a joint effort toward closing the gender digital divide. USAID will commit $50 million and the Gates Foundation will commit $10 million by 2026, with at least half of these resources focused on Africa.
    This new Fund will accelerate progress to close the gender digital divide by scaling evidence-based, proven solutions that improve women’s livelihoods, economic security, and resilience. The Fund will support programs that advance digital access and affordability; develop relevant products and tools; provide digital literacy and skills training; promote online safety and security; and invest in gender-disaggregated data and research.
    USAID will mobilize its commitment to this effort, subject to the availability of funds, alongside additional U.S. government initiatives focused on advancing gender equality and digital connectivity in Africa as part of the DTA.
    Additional Private Sector and Philanthropic Commitments to Support Closing the Gender Digital Divide
    The Vice President is announcing nearly $400 million in private sector and philanthropic commitments, made in response to the Vice President’s call to support the key pillars of the Women in the Digital Economy Fund:
    Private Sector Commitments to Support Women’s Economic Security in Africa
    To build upon support for the Women in the Digital Economy Fund, and in response to the Vice President’s call to promote women’s economic security across Africa, the following five companies and organizations collectively announced $528 million in major new commitments today:
    U.S. Government Initiatives to Advance Gender Equality Across Africa
    The Biden-Harris Administration is also making an additional $47 million in commitments in Africa to foster women’s economic participation, environmental stewardship, health, and freedom from gender-based violence, building on initiatives launched at the U.S.-Africa Leaders Summit.
    Economic Participation
    Environmental Stewardship
    Health
    Gender-Based Violence

  • The Biden Administration's 2023 Cybersecurity Strategy Includes … – JD Supra

    Akin Gump Strauss Hauer & Feld LLP
    On March 2, 2023, the Biden administration released the 2023 National Cybersecurity Strategy (the “Strategy”).[1] The Strategy acknowledges that the United States “must [effect] fundamental shifts in how . . . [it] allocates roles, responsibilities, and resources in cyberspace.”[2] To that end, the Strategy highlights two specific shifts that it seeks to accomplish: “rebalance[ing] the responsibility to defend cyberspace” and “realign[ing] incentives to favor long-term investments.”[3] Achieving those goals relies on five distinct pillars:
    Importantly, for the technology sector, the Strategy explains that “[i]ndividuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities.”[4] In light of those limitations, the Strategy seeks to strengthen the nation’s cybersecurity capabilities by
    “ask[ing] more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient. In a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as the technology providers that build and service those systems.”[5]
    In press briefings, Acting National Cyber Director Kemba Walden has described the Strategy as “fundamentally reimagining America’s cyber social contract.” From the perspective of the technology sector, the focus on rebalancing cybersecurity risk mitigation responsibilities will have potentially significant practical repercussions, as the administration will “focus on points of leverage,” including efforts to place greater burdens on the technology industry through legislative and administrative action.[6] We discuss below some of the contemplated “points of leverage,” as well as some opportunities the Strategy may present for the technology sector.
    Among the more significant elements of the Strategy is its contention that past efforts to rely on market forces to drive enhanced cybersecurity have proven unsuccessful. The Strategy asserts that rather than seeking to enhance cybersecurity capabilities, the industry has chosen not to adopt best practices and instead continues to engage in practices such as shipping products with unsafe default configurations or known vulnerabilities. Similarly, the Strategy states that software providers regularly take advantage of their market power to disclaim liability via agreements thrust upon their consumers. Software is a particular area of focus, with the Strategy noting that cyber weaknesses in software are primary drivers of “systemic risk across the digital ecosystem.”[7]
    In sum, the Strategy concludes that because market forces have generally not been as effective as the administration would like, cyber incidents have disproportionately affected small businesses and individuals. In light of the ineffectiveness of the market, the Strategy clearly articulates the Biden administration’s intent to hold the industry more accountable for cybersecurity and to utilize the government’s purchasing power and grant-making authority, among other means, to better incentivize enhanced cybersecurity efforts. To that end, the administration specifically asserts that it will seek to shift liability onto companies that “fail to take reasonable precautions to secure their software.” According to the Strategy, emphasis will be placed on those organizations best able to prevent cyber-related problems rather than continuing to allow the impact of cyber vulnerabilities to fall on end-users and open-source developers whose products are included in commercial products.
    The Strategy proposes legislative solutions that will seek to establish a new liability framework for software products and services. These efforts will seek to establish limits on collecting, using, transferring and maintaining personal data, as well as particular protection for data related to health and location. Included in the desired legislative outcome would be efforts to prevent manufacturers and software providers from disclaiming liability through contracts users have no means to avoid, i.e., click-through agreements and the like. The Strategy does put forward a carrot to go with its legislative stick in the form of a contemplated safe harbor from liability for those companies who achieve compliance with best practices for secure development and maintenance of software products and services. It is of course uncertain whether with a divided federal government the administration will be able to achieve its goals through the legislative process.
    The Strategy notes that Executive Order 14,028 “Improving the Nation’s Cybersecurity”8 took steps to utilize the federal procurement process to strengthen cybersecurity-centric contract requirements and standardize those requirements across agencies. The Strategy builds upon that work by explaining that contractors “must live up to” their commitments to follow best cybersecurity practices.9 Specific reference is made to the Department of Justice’s (DoJ) Civil Cyber-Fraud Initiative10 to hold accountable those companies that put U.S. information or systems at risk by providing deficient systems or products or misrepresenting their cybersecurity capabilities. Although not a direct result of the DoJ initiative, the July 2022 $9 million settlement of a False Claims Act case with Aerojet Rocketdyne illustrates the risk of non-compliance with government contract cybersecurity requirements.11
    In addition to legislative action, the Strategy contemplates new regulations in critical sectors of the economy. According to the Strategy, if enacted, the new regulations will be “performance-based” and will seek to “leverage” existing guidance including that from the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). The focus of the regulations will be on defining minimum expected cyber practices and outcomes. From an industry perspective, active involvement in any rulemaking process will be critical to ensuring that any established minimum requirements are both achievable and reasonable.
    Importantly, the Strategy acknowledges that key sectors often rely on the cybersecurity capabilities of third-party service providers, specifically including cloud-based services. The Strategy explains that regulators will be focused on identifying gaps in existing authorities as a means to achieve improved cybersecurity practices in the cloud computing space, as well as other types of third-party service providers. Here too, industry input will be critical as any rulemaking proceeds.
    Recognizing that cybersecurity is a global issue with varying standards, the Strategy acknowledges that, to the extent necessary, the United States will work with its global partners to achieve cross-border harmonization of regulations, assessments and audit standards.
    While the Strategy does seek to implement certain actions that would increase the technology sector’s burden in the cybersecurity space, it also offers some opportunities, including a plan to “reinvigorate” cybersecurity-focused research and development initiatives. Specifically, the Strategy recognizes that investing in research and development efforts focused on developing a stronger cybersecurity architecture with fewer vulnerabilities will pay dividends in the future in terms of more secure products and systems. Consistent with that objective, and as an element of updating the Federal Cybersecurity Research and Development Strategic Plan, the government will seek to implement research and development initiatives aimed at mitigating cybersecurity risks in both existing and next generation technologies. Focus areas will include artificial intelligence, cloud infrastructure, encryption, telecommunications and data analytics, among others. Key nodes within the federal government for those programs will include the National Science Foundation, the Department of Energy and its National Laboratories and other federally funded research and development centers. Public private partnerships with academia and technology companies will also be leveraged in this area.
    In addition to investing in cybersecurity-related research and development, the Strategy also focuses on investments aimed at modernizing federal information and operational technology systems. In recent years, the government has expressed a desire to move toward a zero-trust architecture that would include multi-factor authentication, improved oversight of system management and access, and improvements to cloud security. Those enhancements, however, require upgrades that cannot be implemented until the government modernizes its systems. These efforts may lead to increased procurement activity in the technology sector and thus new opportunities for technology companies to increase their government business.
    The Office of the National Cyber Director is charged with coordinating implementation efforts in conjunction with the National Security Staff and the Office of Management and Budget. It is unclear how quickly these efforts will move forward. In addition, as noted above, certain key elements of the Strategy are focused on legislative and/or regulatory actions. Industries should monitor implementation developments and weigh in when opportunities present themselves.
    1 Available here: https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf.
    2 Strategy at 4.
    3 Id. at 4-5.
    4 Id. at 4.
    5 Id.
    6 Id. at 5.
    7 Strategy at 20.
    8 Available here: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.
    9 Strategy at 22.
    10 Available here: https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.
    11 Available here: https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity.

    source

  • The era of passive cybersecurity awareness training is over – Help Net Security

    Despite increased emphasis on cybersecurity from authorities and high-profile breaches, critical gaps in vulnerability management within organizations are being overlooked by executive leadership teams, according to Action1. These gaps leave organizations vulnerable to cyber threats.
    According to the survey, the time required to combat low cybersecurity awareness among employees has increased over the past year. This worrying trend makes organizations more vulnerable to phishing and other cyber-attacks.
    The survey found that 10% of organizations suffered a breach over the past 12 months, with 47% resulting from known security vulnerabilities. Phishing was the most common attack vector reported by 49% of respondents, and 54% of victims had their data encrypted by ransomware.
    IT teams ranked the lack of support from the executive team for cybersecurity initiatives as a critical threat to cyber resilience. Many IT teams also face operational issues that leave no time for cybersecurity.
    30% of organizations take more than a month to detect known vulnerabilities. 38% of organizations fail to prioritize security flaws, while 40% take over a month to remediate known vulnerabilities (of them, 24% take more than 3 months). On average, 20% of endpoints remain continuously unpatched due to laptop shutdowns or update errors.
    “The gaps in the detection and prioritization stages of vulnerability management suggest the actual proportion of unpatched endpoints could be much higher. Organizations must ensure effective communication on all levels to eliminate these gaps, implement automation, and build cyber resilience,” said Alex Vovk, CEO of Action1. “Otherwise, we risk another year of costly breaches.”
    The most common root cause of breaches is known vulnerabilities, for which proof-of-concept exploit code is publicly available and is broadly leveraged by attackers. That is why any delays in patching publicly known security flaws put the company at significant risk.
    Organizations must ensure that methods and processes across their fleet of remote and in-office endpoints enable them to detect unpatched security vulnerabilities, prioritize them effectively, and remediate them before they are exploited.
    Justifying the need for cybersecurity investment to the executive team may be challenging for tech leaders, because, compared with other business functions, the return on investing in IT security is harder for executives to see.
    However, the importance of investing in a strong security posture becomes more evident when compared to the damage from data breaches and ransomware attacks. By highlighting savings in terms of improved quality of execution of cybersecurity policies and improved IT productivity through automation, it becomes easier to articulate the value of cybersecurity initiatives to the executive team.
    Modern social engineering attacks often use a combination of communication channels such as email, phone calls, SMS, and messengers. With the recent theft of terabytes of data, attackers are increasingly using this information to personalize their messaging and pose as trusted organizations.
    In this context, organizations can no longer rely on a passive approach to cybersecurity awareness training. Low cybersecurity awareness among employees is not an option anymore. All employees must not only know how to identify phishing, but also follow the principle of verifying requests before trusting them.
    This can be done by verifying through a channel other than the one the request arrived on, and by assuming that any data the requester presents may already have been leaked and is now being used to lend the request credibility.

    source

  • Data Broker Business Practices and Informed Rulemaking CFPB – The National Law Review

    On March 15, the CFPB issued a Request for Information (RFI) about data broker business practices to inform planned rulemaking under the FCRA and provide the CFPB with insight into the full scope of the data broker industry. In particular, CFPB is seeking information about (i) new business models that sell consumer data and (ii) consumer harm and market abuses.
    The RFI applies to first-party data brokers that interact directly with consumers as well as third-party data brokers with no direct relationship with consumers. This includes firms that prepare employment background screening reports and credit reports. The CFPB’s market-level inquiries include what types of data are collected, the sources of the data, methods of data collection, whether people can avoid having their data collected, and what controls are in place to protect people’s data and safeguard their privacy. The individual inquiries relate to consumer experience, including data brokering harms and benefits, data accuracy and privacy, and correcting inaccurate data.
    According to the CFPB, government agencies, technology and privacy experts, financial institutions, consumer advocates, and others have identified numerous consumer harms and abuses related to the operation of data brokers, including significant privacy and security risks, the facilitation of harassment and fraud, the lack of consumer knowledge and consent, and the spread of inaccurate information.
    Comments on the RFI are due by June 13.
    Putting It Into Practice: This latest inquiry should come as no surprise given the CFPB’s focus on consumer reporting companies that collect and sell access to consumer data (see our previous blog post regarding this focus). The CFPB has previously highlighted problems that consumers have reported about the three nationwide reporting companies not adequately responding to consumer complaints about errors. The CFPB also issued an advisory opinion in November 2021 affirming that all consumer reporting companies, including tenant and employment screening companies, have an obligation to use reasonable procedures to assure maximum possible accuracy.
    This RFI comes as the CFPB has also issued its January 2023 market monitoring orders to data aggregators, which relate to the Section 1033 rulemaking requiring consumer financial services providers to give consumers access to certain financial information. Companies that collect and share consumer data should follow developments related to the CFPB’s Section 1033 rulemaking and this most recent RFI.
    About this Author
    Moorari Shah is a partner in the Finance and Bankruptcy Practice Group in the firm’s Los Angeles and San Francisco offices. 
    Moorari combines deep in-house and law firm experience to deliver practical, business-minded legal advice. He represents banks, fintechs, mortgage companies, auto lenders, and other nonbank institutions in transactional, licensing, regulatory compliance, and government enforcement matters covering mergers and acquisitions, consumer and commercial lending, equipment finance and leasing, and supervisory examinations,…
    A.J. is an associate in the Finance and Bankruptcy Practice Group in the firm’s Washington, D.C. office. 
    A.J. has over a decade of experience helping banks, non-bank financial institutions, and other companies providing financial products and services in a wide range of matters including government enforcement actions, civil litigation, regulatory examinations, and internal investigations.
    With a diversified regulatory, compliance, and enforcement background, A.J. counsels financial institutions in matters involving…

    source

  • #HowTo: Improve Your Company's Cybersecurity Training – Infosecurity Magazine

    Despite many companies investing more money than ever in advanced cybersecurity tools and technology, experts believe cyber-attack costs for US businesses will rise dramatically in 2023.
    Professional cyber-criminals and nation-state threat actors carrying out highly sophisticated attacks continue to make the biggest headlines. However, based on trends, it’s safe to assume many incidents will still result from incredibly effective and hard-to-spot threats such as phishing and social engineering attacks.
    Attacks such as these – despite requiring less technical ability – are still effective at getting past even the most advanced cybersecurity technology today because they prey on human error, which, according to a study by IBM, is responsible for 95% of all cybersecurity breaches.
    To combat these threats and reduce the likelihood of human error leading to an incident, companies supplement their cybersecurity technology with employee training programs. When implemented effectively, these programs can improve employee cyber knowledge and reduce the risk of an employee falling victim to an attack. At a time when the average breach costs millions, this training is more important than ever.
    Here are three tips to consider to help improve your company’s cybersecurity training program:
    The old adage ‘practice makes perfect’ rings true, especially when it comes to cybersecurity training. 
    But how can companies practice spotting and preventing various types of cyberattacks? Through simulations! 
    There are few better ways to teach employees how to recognize, avoid and report potential threats than simulating the attacks they may encounter in the real world. 
    Thankfully, several companies and programs – many delivered in an easy-to-use software as a service (SaaS) model – exist today to help organizations strengthen their security by generating phishing, malware and other common cyber-attacks employees may face. These test campaigns are then carried out against staff members, who are required to spot and prevent these hacking attempts.
    These simulations of real-world, relevant scenarios can help increase employee vigilance and better prepare staff for threats they may face in a no-stakes environment. An environment of positive reinforcement means employees are more likely to report suspected phishing/smishing attempts – even when it turns out their suspicions were unwarranted. This may mean more reports to check, but more aware – and wary – employees.
    It seems like every week a new cyber-attack makes headlines. This inundation of news has led to a dangerous phenomenon known as ‘fear fatigue,’ defined as the “desensitization from repeated exposure to the same message over time.”
    According to a survey conducted by Malwarebytes, 80% of the respondents reported some level of fear fatigue related to cybersecurity. This fear fatigue is dangerous and can result in careless behavior capable of leading to significant cybersecurity vulnerabilities and risks. 
    To combat fear fatigue and remind employees that their actions are critical to the overall security of the company, organizations can begin by taking small steps. Companies should consider starting by implementing company-wide password protocols. Mandating employees change their passwords every several months and implementing two-factor authentication are simple but powerful reminders for employees to be active participants in their company’s overall cybersecurity posture.
    Companies could also consider adding context to communications around cybersecurity to help employees understand the real-world consequences of a potential incident. One example is noting the potential monetary impact a cyber-incident may have on employee bonuses and salaries, among other things. 
    Despite every company’s best efforts, relying on employees to prevent cyber-attacks will never be a completely foolproof plan. Therefore, every organization should also implement zero trust cybersecurity and an environment of least privileges. 
    At its core, the zero trust security model closely guards company resources while operating under the ‘assume breach’ mentality. This means every request to access company information or services is verified to help prevent any unauthorized network access.
    Similarly, an environment of least privileges can safeguard against unwanted access to software, services, servers, hardware, etc. from accounts that don’t need that access. Ensuring proper access controls with regular assessments and updates helps restrict the attack surface significantly.
    At a time when more companies are embracing long-term hybrid workplaces, zero trust and least privilege are powerful tools to help prevent and mitigate vulnerabilities. 
    Moving forward, organizations should create products and software that are Secure by Design, with safety features built in. Taking a Secure by Design approach means focusing on people, infrastructure and software development to enhance the company’s security infrastructure. If organizations follow this new model, it can help prevent and mitigate future cyber-attacks. 

    source

  • NCSA conducts mandatory specialised training course in cyber … – The Peninsula

    Doha: The National Cyber Security Agency (NCSA) organised a mandatory specialised training course in cyber security ‘level 1’, that lasted for 5 days, with the participation of more than 60 trainees from many governmental and non-governmental entities.
    Several entities participated in the training course, such as the Supreme Judiciary Council, the Government Communications Office, Qatar National Bank, The Amiri Diwan, the Public Prosecution, and the Public Works Authority ‘Ashghal’.
    The training course includes a series of training programs throughout the year at several levels, and aims to enhance the concepts of cyber security in different entities, as well as introducing the definitions of confidentiality and enhancing the capabilities of individuals in cybersecurity.
    On this subject, Abdulrahman AlYafiee, a trainee from the National Cyber Security, said that the training course allows trainees to identify the principles of cybersecurity. Furthermore, he expressed his appreciation towards the Agency for supporting the employees to improve their capabilities.
    In this regard, Abdullah AlBader, a trainee from the National Cyber Security, highlighted the significant role of this course in supporting the capabilities of employees working in the cyber field, as well as improving employees’ skills in various aspects, especially cybersecurity. Furthermore, Sara AlHumaidi, a trainee from the Government Communications Office, emphasized the importance of this course for understanding and applying a number of important aspects of cyber security and securing data and information.
    For her part, Rawan AlKuwari, a trainee from the Government Communications Office, explained that she participated in this course because of her eagerness to learn more about cyber security due to its importance.
    The National Cyber Security Agency seeks to enhance the cybersecurity competencies on a national level through training and development to combat cyber-attacks, as it is a shared responsibility between individuals and institutions to keep the nation’s cyber space secured.


    source