Tag: cybersecurity

Between 2011 and 2017 there were an estimated 4,732 cyber attacks carried out against American businesses. However, only 24 of those breaches were reported to the SEC by the affected company. Those numbers are surprising, but the fact that companies are tight lipped is not.

Data breach reporting is a highly-sensitive process. Companies know it’s their obligation to inform victims. But going public about the breach can make it harder to clean up the problem and catch the perpetrators. It’s also a major public relations blow to the brand. And since the SEC has guidelines but not federal rules about reporting, delays and excuses are common.

That may be understandable, but that doesn’t make it acceptable. Reporting is an ethical obligation and also a legal liability for companies. Companies that wait weeks, months, or even years to report breaches potentially compound the damage done to victims. If and when those victims choose to go to court, they have grounds to demand much larger settlements. The growth of the cybersecurity insurance industry is largely due to the growth in size and frequency of these settlements.

It’s easy to conclude that companies should report the breach as quickly and completely as possible. Unfortunately, it’s not that easy when so much is at stake. Following these best practices to approach breach notification systematically:

1. Understand Your Legal Obligation – All states have laws requiring reporting, including the District of Columbia, Puerto Rico, and the Virgin Islands. There may also be other local, state, or federal laws that inform the reporting process. Study these laws in advance of any breach, and determine exactly when they apply and what they mandate. In some cases the breach must be reported within 72 hours of discovery.

2. Notify Law Enforcement – This is mandatory ASAP after a data breach. Even if the extent of the breach/victims is unknown, law enforcement must be aware of the incident. Once law enforcement is involved there are professional investigators pursuing the hackers. Contact local officials first. If they cannot help they will recommend you to state or federal officials.
   

3. Coordinate the Response – An inconsistent and disorganized response is just as bad as a late response. Pick someone to be the spokesperson, and make sure the message is consistent in public statements, on social media, and in official documentation. It’s possible to make the situation worse if victims are notified but not notified completely or accurately.

4. Consider Notification Options – The preferred way of notifying victims is through traditional mail. In special circumstances, however, companies are allowed to send out email notifications. Look at the cost of notifications based on the scale of the incident. Then determine how to directly notify victims and how to publicize the incident generally, Most companies also include resources on their website, issue a press release, and make spokespeople available to the media.

If the data breach notification process sounds unpleasant your interpretation is accurate. It’s a necessary evil for companies that suffer from a cyber incident. Unfortunately, avoiding these incidents is almost impossible. The strategy that more companies are taking is to plan for the worst early. Make a plan for responding to an incident, including in-depth details about notification. It may not be able to spare a company embarrassment, but it can spare them expense.

Intel Security is now calling for improved cybersecurity education resources in the United Kingdom.

Hundreds of thousands of university students in the United Kingdom use no mobile security whatsoever on their smartphones. As a result, they are living their devices – and everything they contain – at a high risk of unauthorized access.

Intel Security is hoping to reach more students with a message of the importance of adequate mobile protection.

This year’s estimates were that there were more than 420,000 students in the United Kingdom headed to university with the start of this school year. However, a new Intel Security poll has pointed out that only half of them will have packed adequate smartphone protection with them when they go. This means that the other half of the university students in the U.K. have no mobile security software installed to protect their devices and their data.

With no mobile security software, these students are placing their devices at a very real risk.

The reason is that among those who took part in the poll, 90 percent said they log onto public WiFi. Those hotspots are accessed both on campus and off campus. This activity places them at a much higher exposure to mobile security threats. Without any protection software, they are essentially an open book for unauthorized parties to read.

Furthermore, according to the most recent data from the McAfee Labs Quarterly Threat Report, mobile malware is increasing at an explosive rate. Year over year, these mobile cybersecurity threats have risen by 150 percent.

On the other hand, while students may not have protected their devices yet, they are willing to learn. University students in the U.K. have expressed a desire to discover more about why having no mobile security is risky. They are also willing to learn more about related issues. Forty eight percent of the 1000 students who participated in the survey said they would be willing to attend an online security seminar if one were available.

According to Nick Viney, Intel Security VP consumer, this is a positive step, “Yet its concerning that many are still opening themselves up to risks unknowingly. When it comes to students’ online safety, we all have a responsibility.”