
Microsoft's Priva Platform: Revolutionizing Enterprise Data Privacy and Compliance

 

Microsoft has taken a significant step forward in enterprise data privacy and compliance with a major expansion of its Priva platform. With the introduction of five new automated products, Microsoft aims to assist organizations worldwide in navigating the ever-evolving landscape of privacy regulations.

In today's world, the importance of prioritizing data privacy for businesses cannot be overstated. There is a growing demand from individuals for transparency and control over their personal data, while governments are implementing stricter laws to regulate data usage, such as the AI Accountability Act. Paul Brightmore, principal group program manager for Microsoft’s Governance and Privacy Platform, highlighted the challenges faced by organizations, noting a common reactive approach to privacy management. 

The new Priva products are designed to shift organizations from reactive to proactive data privacy operations through automation and comprehensive risk assessment. Leveraging AI technology, these offerings aim to provide complete visibility into an organization’s entire data estate, regardless of its location. 

Brightmore emphasized the capabilities of Priva in handling data requests from individuals and ensuring compliance across various data sources. The expanded Priva family includes Privacy Assessments, Privacy Risk Management, Tracker Scanning, Consent Management, and Subject Rights Requests. These products automate compliance audits, detect privacy violations, monitor web tracking technologies, manage user consent, and handle data access requests at scale, respectively. 

Brightmore highlighted the importance of Privacy by Design principles and emphasized the continuous updating of Priva's automated risk management features to address emerging data privacy risks. Microsoft's move into the enterprise AI governance space with Priva follows its recent disagreement with AI ethics leaders over responsibility assignment practices in its AI copilot product. 

However, Priva's AI capabilities for sensitive data identification could raise concerns among privacy advocates. Brightmore referenced Microsoft's commitment to protecting customer privacy in the AI era through technologies like privacy sandboxing and federated analytics. With fines for privacy violations increasing annually, solutions like Priva are becoming essential for data-driven organizations. 

Microsoft strategically positions Priva as a comprehensive privacy governance solution for the enterprise, aiming to make privacy a fundamental aspect of its product stack. By tightly integrating these capabilities into the Microsoft cloud, the company seeks to establish privacy as a key driver of revenue across its offerings. 

However, integrating disparate privacy tools under one umbrella poses significant challenges, and Microsoft's track record in this area is mixed. Privacy-native startups may prove more agile in this regard. Nonetheless, Priva's seamless integration with workplace applications like Teams, Outlook, and Word could be its key differentiator, ensuring widespread adoption and usage among employees. 

Microsoft's Priva platform represents a significant advancement in enterprise data privacy and compliance. With its suite of automated solutions, Microsoft aims to empower organizations to navigate complex privacy regulations effectively while maintaining transparency and accountability in data usage.

Embracing the Virtual: The Rise and Role of vCISOs in Modern Businesses

 

In recent years, the task of safeguarding businesses against cyber threats and ensuring compliance with security standards has become increasingly challenging. Unlike larger corporations that typically employ Chief Information Security Officers (CISOs) for handling such issues, smaller businesses often lack this dedicated role due to either a perceived lack of necessity or budget constraints.

The growing difficulty in justifying the absence of a CISO has led many businesses without one to adopt a virtual CISO (vCISO) model. Also known as fractional CISO or CISO-as-a-service, a vCISO is typically an outsourced security expert working part-time to assist businesses in securing their infrastructure, data, personnel, and customers. Depending on the company's requirements, vCISOs can operate on-site or remotely, providing both short-term and long-term solutions.

Various factors contribute to the increasing adoption of vCISOs. It may be prompted by internal crises such as the unexpected resignation of a CISO, the need to comply with new regulations, or adherence to cybersecurity frameworks like NIST's Cybersecurity Framework 2.0 expected in 2024. Additionally, board members accustomed to CISO briefings may request the engagement of a vCISO.

Russell Eubanks, a vCISO and faculty member at IANS Research, emphasizes the importance of flexibility in vCISO engagements, tailoring the delivery model to match the specific needs of a company, whether for a few days or 40 hours a week.

The vCISO model is not limited to smaller businesses; it also finds applicability in industries such as software-as-a-service (SaaS), manufacturing, industrial, and healthcare. However, opinions differ regarding its suitability in the heavily regulated financial sector, where some argue in favor of full-time CISOs.

Key responsibilities of vCISOs include governance, risk, and compliance (GRC), strategic planning, and enhancing security maturity. These experts possess a comprehensive understanding of cyber risk, technology, and business operations, enabling them to orchestrate effective security strategies.

Experienced vCISOs often play advisory roles, assisting CEOs, CFOs, CIOs, CTOs, and CISOs in understanding priorities, assessing technology configurations, and addressing potential cybersecurity vulnerabilities. Some vCISOs even assist in defining the CISO role within a company, preparing the groundwork for a permanent CISO to take over.

When seeking a vCISO, companies have various options, including industry experts, large consulting firms, boutique firms specializing in vCISO services, and managed services providers. The critical factor in selecting a vCISO is ensuring that the candidate has prior experience as a CISO, preferably within the same industry as the hiring company.

The process of finding the right vCISO involves understanding the company's needs, defining the scope and outcome expectations clearly, and vetting candidates based on their industry familiarity and experience. While compatibility with the company's size and vertical is essential, the right vCISO can outweigh some of these considerations. Rushing the selection process is discouraged, with experts emphasizing the importance of taking the time to find the right fit to avoid potential mismatches.

US Focus on Cybersecurity, But Contractors Lag Behind in Preparedness

 

The leaders of the Five Eyes, a coalition of English-speaking intelligence agencies, have emphasized the critical nature of safeguarding sensitive information in cyberspace, especially in light of the escalating tensions with the People's Republic of China, which they have dubbed the paramount threat of this era. Recent cyber intrusions by Chinese hackers, who pilfered 60,000 State Department emails, underscore the urgency of this issue. Defense intelligence has also been a target. Surprisingly, many companies holding such vital intelligence are unaware of their role in national security.

Almost a decade ago, the Department of Defense (DoD) introduced the Defense Federal Acquisition Regulation Supplement (DFARS) to protect the nation's intellectual property. Despite being included in over a million contracts, enforcement of DFARS has been lax. The DoD is on track to release the proposed rule for Cybersecurity Maturity Model Certification (CMMC) 2.0 in November, a pivotal step in ensuring the defense industrial base adheres to robust security measures.

While security controls like multifactor authentication, network monitoring, and incident reporting have long been stipulated in government contracts with the DoD, contractors were previously allowed to self-certify their compliance. This system operated on trust, without verification. Microsoft has noted an escalation in nation-state cyber threats, particularly from Russia, China, Iran, and North Korea, who are exploiting new avenues such as the social platform Discord to target critical infrastructure.

With over 300,000 contractors in the defense industrial base, there exists a substantial opportunity for hackers to pilfer military secrets. Mandating cybersecurity standards for defense contractors should significantly reduce this risk, but there is still much ground to cover in achieving compliance with fundamental cybersecurity practices. A study by Merrill Research revealed that only 36% of contractors submitted the required compliance scores, a 10% drop from the previous year. Those who did submit had an average score well below the full compliance benchmark.

Furthermore, the study highlighted that contractors tend to be selective in their adherence to compliance areas. Only 19% implemented vulnerability management solutions, and 25% had secure IT backup systems, both crucial elements of basic cybersecurity. Forty percent took an extra step by denying the use of Huawei, a company identified by the Federal Communications Commission as a national security risk.

This selectiveness suggests that contractors recognize the risks but do not consistently address them, perhaps due to the lack of auditing for compliance. It is important to understand that the government's imposition of new rules on defense contractors is not unilateral; CMMC 2.0 is the result of a decade-long public-private partnership.

Enforcement of CMMC 2.0 is vital for safeguarding sensitive defense information and national security assets, which have been in jeopardy for far too long. Adversaries like China exploit any vulnerabilities they can find. Now that the DoD has established a compliance deadline, it is imperative for defense contractors to adopt the requirements already embedded in their contracts and fully implement mandatory minimum cybersecurity standards.

Preserving American technological superiority and safeguarding military secrets hinges on the defense industry's commitment to cybersecurity. By embracing the collaborative vision behind CMMC 2.0 and achieving certification, contractors can affirm themselves as custodians of the nation's security.

Data of Users on Prominent Crypto Exchange Set to be Shared with IRS

 

Starting in November, Kraken, a cryptocurrency exchange based in San Francisco, will begin sharing the personal information of over 40,000 users with the United States Internal Revenue Service (IRS) to comply with a court order issued in June. 

This change will affect American users whose transactions exceed $20,000 on the platform from 2016 to 2020. Kraken notified its U.S. users of this development, stating that the information covered by the court's order will be shared in early November 2023.

In May 2021, Kraken and its subsidiaries received an IRS summons, known as a "John Doe" summons, requesting a substantial amount of data related to U.S. customers. The IRS aimed to address tax evasion in the cryptocurrency space, where individuals were accumulating wealth without reporting it to tax authorities. 

The International Monetary Fund (IMF) has also highlighted the challenges posed by crypto assets due to their decentralized and pseudonymous nature, suggesting that tax systems need to adapt.

The IMF emphasized that crypto transactions are pseudonymous, meaning they use public addresses that are challenging to link to individuals or entities, potentially facilitating tax evasion. The IMF acknowledged that centralized exchanges are more accessible targets for implementing know-your-customer checks and already possess extensive customer data. 

Initially, Kraken resisted disclosing user data but was compelled to do so by a court order in June. The number of affected users was reduced to approximately 42,000 from an initial request for data from nearly 60,000 users.

Kraken will be required to provide user information such as names, dates of birth, Tax IDs or social security numbers, addresses, and contact details including phone numbers and emails, along with transaction history from 2016 to 2020. 

However, the exchange clarified that it will not share data on IP addresses, net worth, bank information, employment details, or sources of wealth. Kraken assured users that sensitive account information is encrypted for security.

Despite these measures, the IMF warned that determined tax evaders may turn to centralized exchanges located outside the U.S. to keep tax authorities uninformed. Additionally, there is concern that reporting requirements could lead people to conduct transactions through decentralized exchanges or peer-to-peer trades, which are harder for tax administrators to monitor.

Electoral Commission Fails Cyber-Security Test Amidst Major Data Breach

 

The Electoral Commission has acknowledged its failure in a fundamental cyber-security assessment, which coincided with a breach by hackers gaining unauthorized access to the organization's systems. 

A whistleblower disclosed that the Commission received an automatic failure during a Cyber Essentials audit. Last month, it was revealed that "hostile actors" had infiltrated the Commission's emails, potentially compromising the data of 40 million voters.

According to a Commission spokesperson, the organization has not yet managed to pass this basic security test. The election watchdog disclosed that hackers had infiltrated its IT systems in August 2021, maintaining access to sensitive information until their detection and removal in October 2022.

The unidentified attackers gained access to Electoral Commission email correspondence and potentially viewed databases containing the names and addresses of 40 million registered voters, including millions not on public registers.

The identity of the intruders and the method of breach have not yet been disclosed. However, it has now been revealed by a whistleblower that in the same month as the intrusion, the Commission received notification from cyber-security auditors that it was not in compliance with the government-backed Cyber Essentials scheme. 

Although participation in Cyber Essentials is voluntary, it is widely adopted by organizations to demonstrate their commitment to security to customers. For organizations bidding on contracts involving sensitive information, the government mandates holding an up-to-date Cyber Essentials certificate. In 2021, the Commission faced multiple deficiencies in their attempts to obtain certification. 

A Commission spokesperson acknowledged these shortcomings but asserted they were unrelated to the cyber-attack affecting email servers.

One of the contributing factors to the failed test was the operation of around 200 staff laptops with outdated and potentially vulnerable software. The Commission was advised to update its Windows 10 Enterprise operating system, which had become outdated for security updates months earlier. 

Auditors also cited staff use of old iPhones that were no longer supported for security updates as a reason for the failure. The National Cyber Security Centre (NCSC), an advocate for the Cyber Essentials scheme, advises all organizations to keep software up to date to prevent exploitation of known vulnerabilities by hackers.

Cyber-security consultant Daniel Card, who has assisted numerous organizations in achieving Cyber Essentials compliance, stated that it is premature to determine whether the identified failures in the audit facilitated the hackers' entry. 

He noted that initial signs suggest the hackers found an alternative method to access the email servers, but there is a possibility that these inadequately secured devices were part of the attack chain.

Regardless of whether these vulnerabilities played a role, Card emphasized that they indicate a broader issue of weak security posture and likely governance failures. The NCSC emphasizes the significance of Cyber Essentials certification, noting that vulnerability to basic attacks can make an organization a target for more sophisticated cyber-criminals.

The UK's Information Commissioner's Office, which holds both Cyber Essentials and Cyber Essentials Plus certifications, stated it is urgently investigating the cyber-attack. When the breach was disclosed, the Electoral Commission mentioned that data from the complete electoral register was largely public. 

However, less than half of the data on the open register, which can be purchased, is publicly available. Therefore, the hackers potentially accessed data of tens of millions who had opted out of the public list.

The Electoral Commission confirmed that it did not apply for Cyber Essentials in 2022 and asserted its commitment to ongoing improvements in cyber-security, drawing on the expertise of the National Cyber Security Centre, as is common practice among public bodies.

Unlocking the Power of Zero Trust Security: 5 Reasons to Adopt the Framework


As cyber threats continue to evolve, traditional security models are becoming less effective in protecting against them. That's why many organizations are turning to a zero-trust security model to secure their networks, data, and applications.

Zero trust is a security framework that assumes that all users, devices, and applications are untrusted until proven otherwise. In other words, zero trust requires authentication and authorization for every access request, even those originating from inside the network. 

Here are five reasons why you should consider adopting a zero-trust security model.

1. Improved Security

The primary benefit of a zero-trust security model is improved security. By assuming that everything is untrusted, zero trust forces every access request to be authenticated and authorized. This means that even if an attacker gains access to your network or device, they won’t be able to access sensitive data or applications without the proper credentials. Zero trust makes detecting and responding to security threats easier since every access request is logged and monitored.

2. Better Visibility

Zero trust provides better visibility into network activity. By requiring authentication and authorization for every access request, zero trust allows you to see who is accessing what, when, and from where. This visibility is critical for detecting and responding to security threats. It also helps with compliance since you can easily see who has access to sensitive data and applications.

3. Simplified Compliance

Speaking of compliance, zero trust can simplify compliance efforts. Many regulatory frameworks, such as the GDPR and CCPA, require organizations to protect sensitive data and limit access to it. Zero trust provides a framework for doing this. 
By requiring authentication and authorization for every access request, zero trust ensures that only authorized users can access sensitive data and applications. This can help you meet regulatory requirements and avoid fines for non-compliance.

4. Flexibility

Zero trust is a flexible security model that can be implemented in a variety of environments. It works equally well for on-premises networks, cloud environments, and hybrid environments. This makes it a good choice for organizations that are migrating to the cloud or using multiple environments. 
Zero trust can also be implemented incrementally, allowing you to gradually transition to the new security model without disrupting your existing systems.

5. Reduced Risk

Finally, zero trust can reduce the risk of security breaches and data loss. By requiring authentication and authorization for every access request, zero trust makes it harder for attackers to gain access to sensitive data and applications. 
It also makes it easier to detect and respond to security threats before they become major breaches. This can reduce the risk of financial loss, reputational damage, and legal liability.