4 information security threats that will dominate 2017 By Security and Risk Online

Cybercriminals are becoming more sophisticated and collaborative with every coming year. To combat the threat in 2017, information security professionals must understand these four global security threats.

As with previous years, 2016 saw no shortage of data breaches. Looking ahead to 2017, the Information Security Forum (ISF), a global, independent information security body that focuses on cyber security and information risk management, forecasts businesses will face four key global security threats in 2017.

“2016 certainly lived up to expectations,” says Steve Durbin, managing director of the ISF. “We saw all sorts of breaches that just seemed to get bigger and bigger. We lurched from one to another. We always anticipate some level of it, but we never anticipate the full extent. I don’t think anybody would have anticipated some of the stuff we’ve seen of late in terms of the Russians getting involved in the recent elections.”

The ISF says the top four global security threats businesses will face in 2017 are the following:

  • Supercharged connectivity and the IoT will bring unmanaged risks.
  • Crime syndicates will take a quantum leap with crime-as-a-service.
  • New regulations will bring compliance risks.
  • Brand reputation and trust will be a target.

“The pace and scale of information security threats continues to accelerate, endangering the integrity and reputation of trusted organizations,” Durbin says. “In 2017, we will see increased sophistication in the threat landscape with threats being tailored to their target’s weak spots or threats mutating to take account of defenses that have been put in place. Cyberspace is the land of opportunity for hacktivists, terrorists and criminals motivated to wreak havoc, commit fraud, steal information or take down corporations and governments. The solution is to prepare for the unknown with an informed threat outlook. Better preparation will provide organizations of all sizes with the flexibility to withstand unexpected, high-impact security events.”

The top four threats identified by the ISF are not mutually exclusive. They can combine to create even greater threat profiles.

Supercharged connectivity and the IoT bring unmanaged risks

Gigabit connectivity is on the way, and it will enable the internet of things (IoT) and a new class of applications that will exploit the combination of big data, GPS location, weather, personal health monitoring devices, industrial production and much more. Durbin says that because connectivity is now so affordable and prevalent, we are embedding sensors everywhere, creating an ecosystem of embedded devices that are nearly impossible to secure.

Durbin says this will raise issues beyond privacy and data access: It will expand the threat landscape exponentially.

“The thing for me with 2017 is I describe it as an ‘eyes-open stance’ we need to take,” Durbin says. “We’re talking about devices that never ever had security designed into them, devices that are out there gathering information. It’s relatively simple to hack into some of these things. We’ve seen some moves, particularly in the U.S., to encourage IoT manufacturers to engineer some level of security into their devices. But cost is an issue, and they’re designed to link.”

Durbin believes many organizations are unaware of the scale and penetration of internet-enabled devices and are deploying IoT solutions without due regard to risk management and security. That’s not to say organizations should pull away from IoT solutions, but they do need to think about where connected devices are used, what data they have access to and then build security with that understanding in mind.

“Critical infrastructure is one of the key worry areas,” Durbin says. “We look at smart cities, industrial control systems — they’re all using embedded IoT devices. We have to make sure we are aware of the implications of that.”

“You’re never going to protect the whole environment, but we’re not going to get rid of embedded devices,” he adds. “They’re already out there. Let’s put in some security that allows us to respond and contain as much as possible. We need to be eyes open, realistic about the way we can manage the application of IoT devices.”

Crime syndicates take a quantum leap with crime-as-a-service

For years now, Durbin says, criminal syndicates have been operating like startups. But like other successful startups, they’ve been maturing and have become increasingly sophisticated. In 2017, criminal syndicates will further develop complex hierarchies, partnerships and collaborations that mimic large private sector organizations. This, he says, will facilitate their diversification into new markets and the commoditization of their activities at the global level.

“I originally described them as entrepreneurial businesses, startups,” Durbin says. “What we’re seeing is a whole maturing of that space. They’ve moved from the garage to office blocks with corporate infrastructure. They’ve become incredibly good at doing things that we’re bad at: collaborating, sharing, working with partners to plug gaps in their service.”

And for many, it is a service offering. While some organizations have their roots in existing criminal structures, other organizations focus purely on cybercrime, specializing in particular areas ranging from writing malware to hosting services, testing, money mule services and more.

“They’re interested in anything that can be monetized,” Durbin says. “It doesn’t matter whether it’s intellectual property or personal details. If there is a market, they will go out and collect that information.”

He adds that rogue states take advantage of some of these services and notes the ISF expects the resulting cyber incidents in the coming year will be more persistent and damaging than organizations have experienced previously.

New regulations bring compliance risks

The ISF believes the number of data breaches will grow in 2017, and so will the volume of compromised records. The data breaches will become far more expensive for organizations of all sizes, Durbin says. The costs will come from traditional areas such as network clean-up and customer notification, but also from newer areas like litigation involving a growing number of partners.

In addition, public opinion will pressure governments around the world to introduce tighter data protection legislation, which in turn will introduce new and unforeseen costs. Reform is already on the horizon in Europe in the form of the EU General Data Protection Regulation (GDPR) and the already-in-effect Network and Information Security (NIS) Directive. Organizations conducting business in Europe will have to get an immediate handle on what data they are collecting on European individuals, where it’s coming from, what it’s being used for, where and how it’s being stored, who is responsible for it and who has access to it. Organizations that fail to do so and are unable to demonstrate security by design will be subject to potentially massive fines.

“The challenge in 2017 for organizations is going to be two-fold,” Durbin says. “First is to keep abreast of the changes in regulations across the many, many jurisdictions you operate in. The second piece is then how do you, if you do have clarity like the GDPR, how do you ensure compliance with that?”

“The scope of it is just so vast,” he adds. “You need to completely rethink the way you collect and secure information. If you’re an organization that’s been doing business for quite some time and is holding personally identifiable information, you need to demonstrate you know where it is at every stage in the lifecycle and that you’re protecting it. You need to be taking reasonable steps even with your third party partners. No information commission I’ve spoken to expects that, come May 2018, every organization is going to be compliant. But you need to be able to demonstrate that you’re taking it seriously. That and the nature of the information that goes missing is going to determine the level of fine they levy against you. And these are big, big fines. The scale of fine available is in a completely different realm than anyone is used to.”

Brand reputation and trust are a target

In 2017, criminals won’t just be targeting personal information and identity theft. Sensitive corporate information and critical infrastructure have a bull’s eye painted on them. Your employees, and their ability to recognize security threats and react properly, will determine how this trend affects your organization.

“With attackers more organized, attacks more sophisticated and threats more dangerous, there are greater risks to an organization’s reputation than ever before,” Durbin says. “In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers have become targets for cybercriminals and hacktivists. The stakes are higher than ever, and we’re no longer talking about merely personal information and identity theft. High-level corporate secrets and critical infrastructure are regularly under attack, and businesses need to be aware of the more important trends that have emerged in the past year, as well as those we forecast in the year to come.”

While most information security professionals will point to people as the weakest link in an organization’s security, that doesn’t have to be the case. People can be an organization’s strongest security control, Durbin says, but that requires altering how you think about security awareness and training.

Rather than just making people aware of their information security responsibilities and how they should respond, Durbin says the answer is to embed positive information security behaviors that will cause employees to develop “stop and think” behavior and habits.

“2017 is really about organizations having to wake up to the fact that people do not have to be the weakest link in the security chain,” Durbin says. “They can be the strongest link if we do better about understanding how people use technology, the psychology of human behavior.”

Successfully doing so requires understanding the various risks faced by employees in different roles and tailoring their work processes to embed security processes appropriate to their roles.


Pacific Associates Limited Minato-ku Tokyo Japan, Recruiting in Tokyo is my life’s work

I have been in the recruiting industry in Tokyo since graduating from business school at the end of the ’80s. Growing up in Chicago in the ’60s and going to high school there in the ’70s, the thought of moving to California and graduating from U.C. San Diego (Economics) would have seemed a dream. Leaving for London with a duffle bag on graduation day and never coming back certainly would have seemed the stuff of fantasy, but if one follows one’s heart good things can happen. Thus it was I arrived, in due course, in Japan in 1985. The opportunities and dignity of the place have kept me here ever since.


The opportunity to help professionals (people to whom career is vitally important) find a path to a better life via proactive career building is, in my opinion, an honorable undertaking. That it can be done in the elegant way of Japan, where each placement we do is ‘hand-made’ after intensive in-person discussion with our candidates and clients, has led me to dedicate my life to this work. An important goal of mine has long been to be a master craftsman in the art of recruiting. To this end I am still meeting candidates and clients to further develop my art.

K.K. Pacific Associates Limited

President, Paul A. Levine

President Bio & History

In 1998 I made the decision to move my own career forward from being a senior recruiter who happens to own a head-hunting company to being a full-time president who happens to be expert in recruiting. Though the difference may sound pedantic or rhetorical, the day-by-day reality is quite different. The bottom line is that from the time of making this transition, my company at that time, Access Technology Japan, grew from roughly 10 staff to 189 with operations in four countries in the space of three years. Further evolving, in 2004 I changed my role to Chairman, appointing one of my long-term managers as President. This facilitated the sale of that company in 2007, the largest such deal in the Tokyo recruiting market up to that point.

My goal then was to discover life beyond that of 12+ hour days and enjoy the life of the early-retired. This allowed me time with my family, time to work on my limited abilities in photography, to enjoy travel and to compete more often in powerlifting.

Like a pleasant afternoon nap that comes to a refreshing end, my time in retirement came to a happy finish with my establishment of Pacific Associates Limited in 2010. Pacific Associates Limited (PAL) is established as a partnership rather than a sole proprietorship. The difference is huge: my current professional objective, beyond growing my skills in pursuit of being a master craftsman in recruiting, is to lead my partners to be presidents. As far as I know, in the Tokyo recruiting market there has not yet been a company dedicated to helping its staff to leave the company by becoming first a partner and then president of a separate company.

Paul Levine’s Profile

Paul Levine first visited Japan in 1985. He got an MBA at the University of San Diego and the California State University in 1989, and in the same year, came back to Japan to be a headhunter. In 1992, he established Access Technology Japan; the very first Japanese headhunting company specialized in the high-tech industry. He obtained a master’s degree in business administration at Harvard University in 2007. He established K.K. Pacific Associates Limited in February 2010, and continues to expand the company to new heights every day.

He is married with two children. He loves bourbon, photography and weightlifting, and his skills in the latter two fields are semi-professional. He is still active in the weightlifting field, winning first prize at a tournament in Tokyo. He still works out twice a day, coached by Chuck Wilson, his friend for over 10 years.

His trademark white shirt, red tie and red suspenders have been prominent since 1995. “I meet different candidates in the same meeting room, dressed in the same clothes. Staying consistent really helps you to concentrate on the people you meet. As a professional in judging people, I can understand an individual within about five minutes of speaking with them.”

Axia Consultants: SLA (Service Level Agreement) Metrics

Tips for creating SLA metrics and measuring service performance

Build performance measurement into your SLA when you set it up. Consider the following points:

  1. Identify the most important SLA outcomes first, and then determine clear metrics to track those outcomes.
  2. Create a range of (say, 10) simple metrics, such as targets and KPIs (key performance indicators), that are easily understandable.
  3. Ensure the metrics are relevant and match the key business needs of your SLA.
  4. Clearly, the metrics should also be measurable/quantifiable and unambiguous.
  5. Base your metrics on your specific SLA requirements and needs rather than on readily available data, existing reports, or generic SLA metrics applicable to such services.
  6. Design the metrics to measure the different performance problems that your SLA / service provider may have.
  7. Metrics should be mutually exclusive and not duplicate each other. Each metric should focus on a different potential problem.
  8. The metrics should be comprehensive enough that if your service provider fails to meet the required performance, at least one of the metrics will be triggered.
  9. Review and test the metrics to confirm they will pick up the undesirable problems.
  10. Agree the metrics between both parties: service provider and customer.
  11. For each service level metric include:
     • a reference name
     • a description
     • measurement parameters, e.g. data sources
     • calculation formula and frequency
     • a baseline performance
     • the required performance or target from the service provider
     • remedies and penalties for poor or non-performance, e.g. monetary credits
     • any specific exclusions/exceptions

Then:

  1. Set up automatic monitoring of the metrics wherever possible.
  2. Set up alerts for exception reporting.
  3. Monitor performance (metrics) on a regular basis. Make it one of your regular daily or weekly tasks.
  4. Raise any performance issues at your regular service review meetings.
  5. Review the metrics and, when required, amend them to ensure they continue to be relevant to your service needs.
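The two lists above (the per-metric fields and the monitoring steps) can be turned into a small automated check. The following is an added example, not Axia Consultants' material: it defines two security-flavoured SLA metrics carrying the fields the checklist asks for (reference name, description, data source, frequency, baseline, target, remedy, exclusions), evaluates them over a constructed month of data, applies an agreed maintenance-window exclusion, raises exception alerts for breaches and totals the penalty credits. The metric names, targets, credit percentages and sample outages/patches are all constructed for illustration.

```python
"""Minimal SLA metric monitor (added example; all metrics and data are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Metric:
    """One SLA metric with the fields the checklist asks for."""
    name: str                            # reference name
    description: str
    data_source: str                     # measurement parameters (where data comes from)
    frequency: str                       # how often it is calculated
    unit: str
    baseline: float                      # performance observed before the SLA was agreed
    target: float                        # required performance from the provider
    higher_is_better: bool               # direction of the comparison against target
    credit_pct: float                    # remedy: credit as % of the monthly fee per breach
    formula: Callable[[Dict], float]     # calculation over one reporting period
    exclusions: str = ""                 # agreed exclusions (applied inside the formula)


def availability_pct(period: Dict) -> float:
    """Availability = minutes not in unplanned outage / minutes in the period.
    Outage minutes that fall inside an agreed maintenance window are excluded.
    Assumes maintenance windows do not overlap each other."""
    start, end = period["start"], period["end"]
    total_min = (end - start).total_seconds() / 60
    windows = period.get("maintenance_windows", [])
    downtime = 0.0
    for o_start, o_end in period["outages"]:
        o_start, o_end = max(o_start, start), min(o_end, end)   # clip to the period
        if o_end <= o_start:
            continue
        excluded = 0.0
        for w_start, w_end in windows:
            ov_start, ov_end = max(o_start, w_start), min(o_end, w_end)
            if ov_end > ov_start:
                excluded += (ov_end - ov_start).total_seconds() / 60
        downtime += (o_end - o_start).total_seconds() / 60 - excluded
    return 100.0 * (total_min - downtime) / total_min


def critical_patch_within_window_pct(period: Dict) -> float:
    """Share of critical patches deployed within the agreed number of hours."""
    limit = timedelta(hours=period["patch_window_hours"])
    patches = period["patches"]          # list of (released, deployed) datetimes
    if not patches:
        return 100.0
    on_time = sum(1 for released, deployed in patches if deployed - released <= limit)
    return 100.0 * on_time / len(patches)


# Constructed metric definitions (names, baselines, targets and credits are illustrative).
METRICS: List[Metric] = [
    Metric("AVAIL-01", "Service availability", "monitoring platform uptime log", "monthly",
           "%", 99.5, 99.9, True, 5.0, availability_pct,
           "outages inside agreed maintenance windows"),
    Metric("PATCH-01", "Critical patches deployed within window", "change-management records",
           "monthly", "%", 80.0, 95.0, True, 2.5, critical_patch_within_window_pct),
]

# Constructed data for one reporting period (January 2017): two outages, one of which
# overlaps an agreed maintenance window, and four critical patches.
_rel = datetime(2017, 1, 5, 9, 0)
SAMPLE_PERIOD: Dict = {
    "start": datetime(2017, 1, 1), "end": datetime(2017, 2, 1),
    "outages": [(datetime(2017, 1, 10, 2, 0), datetime(2017, 1, 10, 2, 10)),
                (datetime(2017, 1, 20, 1, 0), datetime(2017, 1, 20, 2, 30))],
    "maintenance_windows": [(datetime(2017, 1, 20, 1, 0), datetime(2017, 1, 20, 2, 0))],
    "patch_window_hours": 72,
    "patches": [(_rel, _rel + timedelta(hours=h)) for h in (24, 48, 70, 100)],
}


def evaluate(metrics: List[Metric], period: Dict) -> List[Dict]:
    """Calculate every metric for the period and decide whether its target was met."""
    results = []
    for m in metrics:
        value = m.formula(period)
        met = value >= m.target if m.higher_is_better else value <= m.target
        results.append({"name": m.name, "value": round(value, 3), "unit": m.unit,
                        "target": m.target, "met": met,
                        "credit_pct": 0.0 if met else m.credit_pct})
    return results


def exception_alerts(results: List[Dict]) -> List[str]:
    """Exception reporting: one alert line per breached metric."""
    return [f"ALERT {r['name']}: {r['value']}{r['unit']} vs target {r['target']}{r['unit']}"
            f" -> credit {r['credit_pct']}% of monthly fee" for r in results if not r["met"]]


def total_credit_pct(results: List[Dict]) -> float:
    """Sum of the remedies triggered this period."""
    return sum(r["credit_pct"] for r in results)


if __name__ == "__main__":
    res = evaluate(METRICS, SAMPLE_PERIOD)
    for r in res:
        print(r)
    print("\n".join(exception_alerts(res)) or "no exceptions")
    print("total credit:", total_credit_pct(res), "%")
```

In the sample data the maintenance-window exclusion is what keeps AVAIL-01 within target: without it the same outages would count 100 minutes of downtime and breach the 99.9% target, which is why the checklist asks for exclusions to be written down per metric rather than argued about after the fact. PATCH-01 breaches (3 of 4 patches in window, 75%) and triggers its agreed credit, so the monthly review has one exception to raise.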

Axia Consultants Writing Service Level Agreements

10 tips for writing better Service Level Agreements

  1. Ensure all key terms are clearly defined, e.g. SLA scope, customer and provider responsibilities, reporting, service expectations, performance indicators, escalation, remedies and penalties. Make sure you understand them. If you do not, or have queries, ask!
  2. Include the option to change the SLA in the future. Businesses and technology change rapidly, so if the SLA is to remain relevant, it will need to be updated as required.
  3. Include the provision for regular SLA reviews. Six-monthly would be ideal, but failing that, annually, to manage changing circumstances.
  4. Make sure you have a ‘get-out’ clause. It is important to be able to terminate the SLA under certain conditions, e.g. exceptionally poor performance, major problems, significant changes to services.
  5. Include performance-monitoring criteria within the SLA, plus automatic penalty credits for non-compliance with performance targets. It is better to build this into the SLA from the start than to negotiate each time it occurs.
  6. Writing the SLA should be a joint effort between customer users, IT staff and the service provider. Input and agreement from all is required. One party should not dictate or force SLA terms on the others!
  7. Allow sufficient time to prepare, negotiate and agree a comprehensive and relevant SLA. The quality of the SLA is improved by not rushing and taking more time, whatever the project time pressures.
  8. Look out for exceptions within the SLA. Ensure you understand them and their potential impact on the overall SLA.
  9. Look out for third-party components within the SLA. Ideally, one service provider would provide the entire service. However, there may be input or reliance from other third parties, so check who is responsible for what, and whether it is included in or excluded from the SLA.
  10. Carefully review your SLA. Make sure it is easy to understand by all, even non-technical users. Does it cover everything? See our SLA Checklist. Does it meet your business and service requirements? Are you satisfied with it?

Ng Lee Associates Accountants Singapore: Our Services

Assurance and Business Advisory

– Accounting compilations and reviews
– Statutory and other audits
– Management accounting
– Business valuations
– Executive compensation
– With effect from 15 September 2005, we have been registered with the Public Company Accounting Oversight Board (PCAOB), which allows us to prepare or issue audit reports on U.S. public companies and to participate or play a substantial role in such audits.

Tax Consulting

– Income tax planning and management for individuals, partnerships, and corporations, including complex matters such as reorganizations, liquidations, mergers and acquisitions
– Income tax compliance for individuals, partnerships, corporations, and fiduciaries
– International taxation relating to cross-border transactions and operations
– Estate duty planning, valuation and compliance
– Goods and Services Tax

Corporate Finance

– Business planning and financial analysis
– Capital sourcing services
– Budget and cash flow projections
– Due diligence and other investigations
– Listing of companies on the Singapore Exchange
– Mergers and acquisitions
– Share valuations

Management Consulting

– Strategic business planning
– Budget and budgetary control
– Pricing and cost analysis
– Activity-based costing
– Internal control and operational review
– Financial modelling and performance measurement
– Productivity improvement and cost of quality management

Corporate Secretarial Services

– Compliance services
– Corporate governance
– Share registry
– Advice on legislative changes

Financial Planning

– Corporate financial planning
– Personal financial planning
– Retirement planning
– Succession planning

Corporate Recovery

– Restructuring and turnaround
– Investigations
– Insolvency services

Shared/Outsource Services

– Accounting services
– GST administration services
– Trust administration
– Payroll administration
– Executive support

Information Technology

– Accounting system evaluation and design
– Financial reporting system design and implementation
– Installation, training and ongoing support of computerized accounting software
– Needs assessments and software selection
– Network management consulting
– Procedures for evaluation, design, and implementation
– Project design and management
– Technology planning

Notes from Genius Tour, Meir Ezra

Genius Tour June 14, 2013 Meir Ezra

Meir Ezra WOWed all of us. His presentation was filled with so many golden nuggets of information, splattered with exercises of both the mind and body, as well as some pretty funny dirty jokes in his rather strong and charming Israeli accent. When he comes to town again (he LOVES Hawaii!!), please go. [Update: Meir will be teaching again on August 17 and 18 at the Hyatt Place. To sign up, go to The Genius Tour and choose Hawaii.]

Here are the notes that I took from this intense two-day seminar. Most of them are stand-alone ideas that deserve time to absorb:

What do you expect from the seminar? If you don’t know what you expect, how will you know that you arrived there? We must define what we want.

Essence of genius is simplicity. Know the definition of words.

A professional is one who thinks it is simple.

What is truth? Exact time, place, form and event. It does not contain continuation. A lie is the opposite time, place, form and event, and it continues.

People are ethically good. We are the worst judge of ourselves, so when we do something bad, we feel bad. When we do something good, we feel good.

Must understand the mind. Everything you deal with is minds.

How do you find a purpose, how do you find what your purpose is? It is your Fuel of the soul. What is your purpose? Write down your purpose. Look up the definition of purpose.

Ideas are conveyed by sentences. Sentences are conveyed by words or symbols. If you do not understand the sentence it is because there is a word or words that you do not know in the sentence. If you do not understand the sentences, you will not get the idea. Your IQ is defined by the number of WRONG words you know. Increase the number of words that you do know, and you increase your IQ.

People become criminal because of the number of words that they don’t understand. A good man comes across a word or symbol that he does not understand, which causes confusion, which causes sins.

Once you go past a misunderstood word without figuring out what it means, your understanding goes away. The more words you do not understand, the stupider you become. Learn definitions of words from the dictionary.