Allied Market Research forecasts that the mobile security market will grow from $3.4 billion in 2013 to $34.8 billion in sales in 2020, it said in a news release Thursday. It said the bring-your-own-device trend is a major reason for the adoption of mobile security software.
Close to 100 percent of the 408 surveyed IT decision-makers working in the retail and financial sectors said their organizations are vulnerable to insider threats, said the results of the 2015 Vormetric Insider Threat Report, released Tuesday. Some 97 percent of U.S. financial services respondents said they were somewhat or more vulnerable to insider threats. For retail respondents, 93 percent said they were somewhat or more vulnerable to insider threats, with 51 percent of those saying they feel very or extremely vulnerable to insider threats. In the past 12 months, 48 percent of U.S. retail respondents and 41 percent of financial services respondents said they had experienced a data breach or failed a compliance audit. “Retailers and financial services organizations are feeling the heat,” said Vormetric CEO Alan Kessler. But the data shows “organizations are not connecting the dots about how to solve the problem,” because they continue to invest in network and endpoint security technologies that “consistently fail under today’s attacks,” he said. “Within the past 3-5 years, threats have changed dramatically and will continue to do so in the year ahead,” said Andrew Kellett, author of the report. “Vulnerable sectors like the retail and financial industries need to understand that compliance standards evolve too slowly to keep up with fast moving threats, and even then ticking all the compliance boxes is no guarantee of safety.” The report said that IT security strategies must now include layered defenses combining traditional IT security solutions with advanced data protection techniques, have both secure on-premise databases and remote cloud resources, use data encryption, tokenization, data masking and other techniques that de-identify data, and implement a monitoring system that identifies data usage and unusual and malicious access patterns.
Lenovo shipped tablets that included Superfish software between September and December, but the software has been disabled since January, Lenovo said in a news release Thursday. Superfish lets consumers view more advertisements, but some privacy advocates consider the software a security threat. Superfish “tampers with Windows' cryptographic security to perform man-in-the-middle attacks against the user's browsing,” an Electronic Frontier Foundation blog post said Thursday. “This is done in order to inject advertising into secure HTTPS pages, a feature most users don't want implemented in the most insecure possible way,” it said. “Superfish technology is purely based on contextual/image and not behavioral. It does not profile nor monitor user behavior,” Lenovo said. “It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. Every session is independent.” Lenovo said it won’t use the software again.
The Telecommunications Industry Association sees the cybersecurity information sharing executive order that President Barack Obama signed last week (see 1502130048) as helping industry, TIA CEO Scott Belcher said. It will “enable the voluntary sharing of real-time bi-directional cybersecurity information amongst and between key government and industry partners (and their suppliers),” Belcher said in a written statement Tuesday. It "moves towards an improved ability for businesses to have more access to government information on threats and more open channels for greater information sharing between companies,” Belcher said. Congress must “provide adequate liability protections” and ensure that “an information-sharing regime appropriately addresses privacy and civil liberties concerns,” he said. “Information sharing should not be viewed as the end game,” but rather as a “tool to achieve timely, reliable, and actionable situational awareness through information sharing, analysis, and collaboration,” Belcher said. “It is important for the White House, Congress and other stakeholders to also work together towards other important improvements, such as cybersecurity R&D, workforce training and education, and public awareness.”
“I am very appreciative of the White House for convening the summit with technology leaders from across the country to increase partnerships between the public and private sectors in an effort to strengthen the nation’s cybersecurity framework and boost protections of consumer data,” CompTIA CEO Todd Thibodeaux said in a statement released Tuesday. Thibodeaux’s comments follow his participation in the White House Summit on Cybersecurity and Consumer Protection last week, which he says “provided companies, advocacy organizations and the administration an opportunity to share concerns and strategies for developing a more robust and effective system for sharing data and thwarting future threats.” Though organizations have invested heavily in technology solutions, “technology alone is not the cure-all,” because “security assurance depends on human actions and knowledge,” he said. “To be truly effective in preventing and combating security threats, organizations need to take the further step by spreading security awareness and knowledge from a select group of IT staff through the entire organization, from the clerk in the mail room to the CEO in the corner office.” CompTIA will continue to work with lawmakers to pass legislation to “provide liability protection to the private sector,” and to “pass federal legislation that streamlines the data breach notification process,” Thibodeaux said.
Department of Homeland Security funding beyond Feb. 27 remains in question, as the House and Senate departed the Capitol in the past two days for more than a week of recess. Once both chambers reconvene Feb. 23, lawmakers will have five days to act to avert a DHS shutdown. The House passed HR-240 to fund the department for the rest of FY 2015, but the legislation has measures to scale back President Barack Obama’s executive action on immigration. Democrats in the Senate have blocked attempts to move that bill through the chamber, and Obama has threatened to veto the bill. The Senate is scheduled to vote to open debate on the bill again Feb. 23. Congress left DHS out of an FY 2015 appropriations package that passed in December over Republican resistance to the immigration action. Senate Majority Leader Mitch McConnell, R-Ky., recently said DHS funding is now up to the House, although House Speaker John Boehner, R-Ohio, said the onus remains on the Senate. Thursday, McConnell again pressed Senate Democrats to open debate on the House legislation. “I’ve already offered a fair and open debate to them several times now,” McConnell said on the Senate floor. “It’s a debate that would allow for amendments from both parties. That means amendments from Democrats, too.” President Barack Obama on Friday sought DHS funding (see 1502130048).
“Now is the time to support comprehensive legislation to help protect personal and corporate data, promote security best practices and encourage the sharing of threat intelligence,” Online Trust Alliance Executive Director Craig Spiezle said in a statement on the release of OTA’s data protection and breach readiness guide Wednesday. The report includes a template with recommended language organizations should use when notifying the public of a data breach, details on why sharing information about breached data with law enforcement is important, security best practices, and reasons it’s important to complete security and privacy assessments and audits of vendors and cloud providers. “To maintain a competitive advantage over today’s cyber criminals, it is critical that the public and private sector continue to proactively leverage the power of task force partnerships,” said Robert Kierstead, Secret Service special agent in charge, Seattle Field Office. “Our continuing success in high-tech investigations is a result of the collaborative efforts of law enforcement and private sector partners.” The OTA guide will be presented at a Friday national cybersecurity open house, co-sponsored by the Department of Justice, FBI and Secret Service. The report findings include that 90 percent of data breaches that occurred in the first half of 2014 “could have been easily prevented,” and 40 percent of data breaches were the “result of external intrusions,” an OTA release said. “The pillars of data security are digital literacy, up-to-date awareness of threats and active security protocols,” said Timothy Wallach, supervisory special agent over the FBI Seattle Cyber Task Force. “Anyone who wants to protect themselves online needs to start with educating themselves in those areas, not once but continually.”
U.S. Cellular supports smartphone theft deterrence “via a diverse set of initiatives,” it said in a letter to FCC Chairman Tom Wheeler in docket 14-143. “U.S. Cellular encourages all of our [operating system] or device partners to develop anti-theft capabilities, and in no way prohibits or restricts development of these capabilities through our requirements,” the carrier said. “Today, over 96 percent of our smartphone customer base is covered by solutions provided at no cost by our device or OS partners. We would welcome any efforts by our device or OS partners to have such functionality operational by default.”
New security measures were implemented on the FTC’s public consumer websites donotcall.gov, ftccomplaintassistant.gov, and hsr.gov, the agency’s Chief Technologist Ashkan Soltani said Monday. It was called part of an ongoing effort by federal agencies to improve their websites. In addition to the use of HTTPS encryption, the websites will use a feature known as HTTP Strict Transport Security (HSTS) “which hardcodes all future communications to be encrypted by default,” Soltani said. Now, when consumers attempt to visit the Do Not Call Registry, “HSTS-enabled browsers will automatically encrypt the connection without any additional instruction from the website,” he said. The additional security measure “reduces the potential for an attacker to maliciously redirect (downgrade) their connection or impersonate an FTC website when connecting from... insecure networks and open Wi-Fi hotspots,” he said.
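The HSTS behavior Soltani describes can be modeled in a few lines. This is an added example, not FTC code: it parses a Strict-Transport-Security header the way an RFC 6797 browser does, records a policy only when it arrived over HTTPS (so a plain-HTTP attacker cannot plant or clear one), and shows how a later http:// request is upgraded before any network traffic is sent. The header values and timestamps are constructed for illustration.

```python
"""Model of how an HSTS-enabled browser treats Strict-Transport-Security
(RFC 6797). Added example; header values below are constructed."""
from urllib.parse import urlsplit, urlunsplit

def parse_hsts(header):
    """Parse 'max-age=N; includeSubDomains' into (max_age, include_subdomains).
    A header without a valid max-age is ignored, so None is returned."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def record_hsts(cache, host, header, received_over_https, now):
    """Store or remove a policy for host. Browsers ignore the header on plain
    HTTP responses, so an on-path attacker cannot inject or expire a policy."""
    if not received_over_https:
        return
    parsed = parse_hsts(header)
    if parsed is None:
        return
    max_age, include_sub = parsed
    if max_age == 0:
        cache.pop(host, None)  # max-age=0 tells the browser to forget the host
    else:
        cache[host] = (now + max_age, include_sub)

def resolve_url(cache, url, now):
    """Return the URL the browser will actually fetch: http:// becomes https://
    when the host, or a parent domain with includeSubDomains, has a live policy."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    labels = parts.hostname.split(".")
    for i in range(len(labels)):
        entry = cache.get(".".join(labels[i:]))
        if entry is None or entry[0] <= now:
            continue  # unknown host or expired policy: no upgrade from here
        if i == 0 or entry[1]:
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url
```

Because the upgrade happens inside the browser before the first packet leaves, a downgrade attempt on open Wi-Fi never sees a plaintext request to a host with a live policy.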
Sony expects to emerge relatively unscathed financially for the fiscal year ending March 31 from the cyberattack that caused “serious disruption” to the Sony Pictures Entertainment network and information technology infrastructure, the company said Wednesday. But for the $15 million in “investigation and remediation costs” to be recorded for Q3, Sony thinks the “impact of the cyberattack” on its overall results for the fiscal year “will not be material,” the company said. Sony Pictures expects to finish the year with a 7.3 percent revenue increase and an operating profit about 2.4 billion yen higher than a year earlier, Sony said. Though the Sony Pictures operating income target is slightly lower than in the October forecast, its revenue target actually is 3.5 percent higher than the forecast in October, a month before the cyberattack. The White House has blamed on North Korea the hack of Sony Pictures, which resulted in many emails and other confidential information being released online (see 1412180056).