The new General Data Protection Regulations (GDPR) which came into effect in 2018 meant some big changes in the way businesses collect and handle personal data. The idea behind the new legislation is to give individuals better access and control over their own personal data. While this is great news for individuals, it requires a little extra work from businesses who must now provide legal grounds for collecting data and must only use it for the intended purpose. What’s more, they need to follow these regulations to the letter and remain GDPR compliant at all times.
This applies to companies of all sizes – even your small business. If you collect personal data in any form, such as emails, addresses, names or financial details, your business needs to be GDPR compliant. If it’s found that you’re not effectively managing and protecting your data you could face a big fine. Though regulators may be a bit more lenient with smaller businesses depending on how much data you hold, an unwanted fine is always bad news. That’s why we’ve put together this checklist to help ensure your small business is GDPR compliant. In this guide we’ll look at:
- Understanding your data and responsibilities
- Defining your data consent policy
- Access requests and disposing of old data
- Setting up a data storage and security policy
- Training all staff on GDPR
- Creating data processing notices
Medical IoT devices operate in care facility environments that encompass care giving, case management, customer service, and clinic management. As such, the risk of data gathered and managed by medical devices extends beyond the device itself. A compromise of clinic management services can propagate to IoT device command and control, allowing compromise of devices in attacks that do not directly touch the device at all. This is clearly the major driver for the emerging category of “Medical IoT (IoMT) Cyber Security ”
A large hospital for examples could be home to as many as 85,000 connected devices. While each of these devices has a significant role in the delivery of care and operational efficiency, each connected device also opens the door to a malicious cyberattack. A recent report from Irdeto, found that 82 percent of healthcare organizations’ IoT devices have been targeted with a cyberattack within the last year.
Going over the players in this industry, it is clear that the Medical IoT security category includes a number of different approaches with the common target to provide the customer with a clear assets discovery and timely alerting on security breaches and attacks on its Medical environment.
Although many large security players are addressing this niche too, CyberDB identified a number of emerging players that are focusing on this industry and as such we expect them to benefit from the growth in this market. These players are (in alphabetical order):
Some businesses – usually those that have never experienced any kind of major IT incident – think of cybercrime as an inconvenience. They may believe that if their company is hacked it will cause some disruption and perhaps an embarrassing news story, but that ultimately the breach will have only a minor effect.
However, the truth is that cybercrime can have a huge range of unexpected consequences. Here we take a lot of the real impact of a breach – cybercrime might affect you a lot more than you think.
In recent years, IoT has been on the rise, with billions of new devices getting connected each year. The increase in connectivity is happening throughout markets and business sectors, providing new functionalities and opportunities. As devices get connected, they also become unprecedently exposed to the threat of cyberattacks. While the IoT security industry is still shaping, the solution is not yet clear. In this article, we will review the latest must-know about IoT visibility & security and we will dive into new approaches to secure the IoT revolution.
IoT visibility & security in 2019:
1. IoT endpoint security vs network security
Securing IoT devices is a real challenge. IoT devices are highly diversified, with a wide variety of operating systems (real-time operating systems, Linux-based or bare-metal), communication protocols and architectures. On top of the high diversity, comes the issues of low resources and lack of industry standards and regulations. Most security solutions today focus on securing the network (discover network anomalies and achieve visibility into IoT devices that are active in the network), while the understanding that the devices themselves must be protected is now establishing. The fact that IoT devices can be easily exploited makes them a very good target for attackers, aiming to use the weak IoT device as an entry point to the entire enterprise network, without being caught. Besides that, it’s important to remember that network solutions are irrelevant for distributed IoT devices (i.e., home medical devices), that has no network to protect them.
Manufacturers of IoT devices are therefore key for a secure IoT environment and more and more organizations are willing to pay more for built-in security into their smart devices.
2. “Cryptography is typically bypassed, not penetrated” Shamir’s law
In recent years we see a lot of focus on IoT data integrity, which basically means encryption & authentication. Though very important by itself, it’s important to understand that encryption doesn’t mean full security. When focusing mainly on encryption & authentication, companies forget that the devices are still exposed to cybersecurity vulnerabilities that can be used to penetrate the device and receive access into the decrypted information, thus bypassing the authentication and encryption entirely. In other words, what’s known for years in the traditional cyber industry as Shamir’s law should now make its way to the IoT security industry: “Cryptography is typically bypassed, not penetrated” and therefore companies must invest in securing their devices from cyber attacks and not just handle data integrity. To read more about that, please visit Sternum IoT Security two-part blog post.
Cybersecurity is the process of protecting and defending an enterprise’s use of cyberspace by detecting, preventing and responding to any of the malicious attacks like disabling, disrupting, injecting malware, or anything thing else aimed to harm the organization.
At its center, cybersecurity defends your organization from vicious and threat attacks aimed to disrupt and steal information from your organization. Cybersecurity risks are similar to financial and reputational risks as it could directly affect the organization’s growth, driving the costs up and adversely affecting the revenue.
If you’re a part of an organization, and especially, if your workplace stocks sensitive information of individuals or clients involved, then this is an ideal time to educate yourself regarding cybersecurity and ways to safeguard your organization against cyber attacks and threats with the help of professionals who hold cybersecurity certifications.
According to recent reporting, the North Atlantic Treaty Organization (NATO) announced that its Cyber Operations Center (COC) is expected to be fully staffed and functional by 2023. The new COC marks NATO’s understanding of the importance that cyberspace plays in conflict, particularly in times of political tensions that has resulted in cyber malfeasance that has targeted elections and critical infrastructure. The establishment of the COC is a natural evolution in how to address cyber attacks in a more timely manner by integrating cyber actions with more conventional military capabilities. In early 2014, after notable cyber incidents were a part of international incidents that occurred in Estonia in 2007 and Georgia in 2008, the Alliance updated its cyber defense policy to classify digital attacks as the equivalent of kinetic attacks under its collective security arrangement under Article 5 of the treaty.
In those particular instances, Russia was suspected in orchestrating or at least tacitly supporting the cyber attacks that afflicted both states. Since then, Russia’s alleged cyber activities have only become more brazen in their scale and aggressiveness. From suspected involvement in launching cyber attacks against Ukrainian critical infrastructure to launching a variety of cyber operations to meddle in the elections of foreign governments, Russia has taken advantage of the uncertainty of cyberspace where there is little consensus on key issues such as Internet governance, cyber norms of state behavior, or the criteria by which cyber attacks escalate to a point of war.
The White House has recently published its new National Cyber Strategy, rescinding an Obama-era memorandum Presidential Policy Directive-20 (PPD-20) that laid forth the process by which the United States would undertake cyber attacks against cyber foes, to include foreign state actors. The Strategy consists of four primary pillars designed to guide how the United States will undergo defensive, and perhaps more importantly, offensive actions in order to preserve its interests in cyberspace. Per the Strategy, the four pillars are:
A recent article revealed that the United States government has gotten better at providing unclassified cyber threat information to the private sector. Law enforcement and intelligence organizations have greatly cut down the time it takes to provide unclassified versions of cyber threat indicators (a term that can reference that can refer to a variety of technical data that includes but is not limited to IP addresses, malware, e-mail addresses, etc.) to the Department of Homeland Security (DHS) to disseminate promptly to the private sector. The process had traditionally been slow as it involves an originating agency to determine if the indicator has been properly vetted without exposing sources and methods, per the article.
Speed of delivering pertinent threat information is certainly an improvement in a domain where attacks occur in seconds. A November 2017 report from the DHS Office of the Inspector General provided a report on actions taken during 2016 in fulfillment of direction mandated by the Cybersecurity Information Sharing Act of 2015 with regards to the sharing of threat indicators. Per the report, despite successfully classifying indicators and defensive measures, it still faced challenges effectively sharing such information across the public and private sectors. The report advocated enhanced outreach and a cross-domain information processing solution.
Nowadays the cyber security is essential for individuals, companies, economies, governments and nations as a whole. The reality is that all of them are trying to stay on track against the latest cyberattacks, but there are some countries committing most to cybersecurity.
One of the best ways to determine where most of the cyber attack really come from in real time is by using the map created by Norse.
Another great alternative if you want to find out which are the countries best prepared against cyberattacks is to use the Global Cybersecurity Index (GCI) created by the International Telecommunication Union (ITU). As described by them it is “…a survey that measures the commitment of Member States to cybersecurity in order to raise awareness.” The GCI covers the five pillars of the ITU Global Cybersecurity Agenda (GCA): legal, technical, organizational, capacity building and cooperation.
In June 2018, Vietnam’s National Assembly passed a new cyber security law that has generated much concern for its stringent restrictions on popular social media organizations. Per the law that will go into effect January 1, 2019, tech companies would be compelled to store data about Vietnamese users on servers in-country, a move designed to improve the security of Vietnamese nationals. Vietnam has been historically weak when in it comes to cyber security, and has been ranked among the bottom regionally. According to a 2017 report by the United Nations’ International Telecommunications Union Global Cyber Security Index (GCI), Vietnam ranked 101 out of 165 countries in terms of being vulnerable to cyber attacks. The GCI is a survey that measures the commitment of member states to cybersecurity to classify and project development process at the regional and global levels.
There are several critics of the new cyber security law. Such a move – as has been expressed with regards to China’s new cyber laws – can potentially impact economic development and deter foreign investment. Perhaps more alarming, dissenters and even some Vietnamese lawmakers signed petitions and conducted peaceful demonstrations to denounce the new law. At the crux of this protest is the potential for the government to use this law in order to stifle human rights and privacy concerns such as online freedoms of speech and expression. According to the law, Vietnam’s authorities will have the discretion to determine when expression might be identified as “illegal” and restricted. It bans Internet users in Vietnam from organizing to conduct activities for “anti-state purposes” or to be allowed to distort the nation’s history. Unsurprisingly, Amnesty International has underscored how the law could empower the government to monitor everything people say online.