Category Archive

We’re Elixis Technology

.

News Source: https://www.forbes.com/

We’re Elixis Technology

.

News Source: https://www.infosecurity-magazine.com/

We’re Elixis Technology

.

News Source: https://www.infosecurity-magazine.com/

A European fashion retailer has become the latest big-name brand to expose personal data on millions of its customers after misconfiguring a cloud database.

Researchers at vpnMentor discovered the unencrypted Elasticsearch server on June 28 and parent company BrandBQ finally secured it around a month later, on August 20.

The Krakow-based retailer operates online and physical stores across Eastern Europe, in: Poland, Romania, Hungary, Bulgaria, Slovakia, Ukraine and the Czech Republic. Its main brands are Answear and WearMedicine.com.

Among the one billion entries in the exposed database, 6.7 million records related to online customers, with each entry featuring personally identifiable information (PII) including full names, email and home addresses, dates of birth, phone numbers and payment records (although not card details).

An additional 50,000 records relating to local contractors in certain jurisdictions included further information such as VAT numbers and purchase info. The database also contained logs of API calls from Answear’s mobile app, exposing PII on 500,000 users of the Android app and an unknown number who have downloaded the iOS version, vpnMentor claimed.

The exposed data could have provided cyber-criminals with a handy source of PII to launch convincing phishing attacks and identity fraud, it added.

“The same tactics could be used against the contractors exposed in the leak, and BrandBQ itself. A successful phishing campaign against a business can be absolutely devastating and challenging to overcome,” the firm explained in a blog post.

“Furthermore, it only takes a single employee with no education on cybercrime to click a link in an email that could infect a company’s entire network. With over 700 employees, this is a real risk for BrandBQ.”

Attackers could theoretically also have leveraged the data for corporate espionage, and used “sensitive technical information” in the database to probe for vulnerabilities to exploit.

We’re Elixis Technology

.

News Source: https://www.infosecurity-magazine.com/

The way cybersecurity awareness training is conducted in organizations has a huge bearing on employees’ subsequent security outlook and behaviors, according to a new report from Osterman Research.

The researchers discovered that users who found security training “very interesting” were over 13-times more likely to make “fundamental changes” to how they think about security compared to those who considered the training “boring.”

The survey of 1000 US everyday employees, IT managers and decision makers also found that the quantity of security awareness training given makes a major difference, with the ability of staff to spot and deal with security threats such as phishing and business email compromise improving as more training is provided.

Encouragingly, it appears as though organizations are set to place much greater emphasis on security awareness training going forward, with around 45% of employees surveyed expecting to spend 15 minutes or more per month in training by mid-2021, a substantial rise from 26% in 2020. In addition, this type of training was regarded as just as important as technology in dealing with security threats by respondents.

Despite this, the authors said that although organizations generally want to establish a strong cybersecurity culture, IT, security and business leaders are not effectively conveying that idea to a large proportion of their employees, with senior IT and business management much more enthusiastic about security awareness training than non-management employees.

Overall, the report noted that “security and IT leaders, their staff members, and business leaders are largely onboard with the idea that developing a strong cybersecurity culture is important; everyday employees, however, are much less convinced about the importance of doing so, indicating that the goal of developing a robust security culture has not yet been achieved in most organizations.”

Lisa Plaggemier, chief strategist at MediaPRO, which co-sponsored the research, added: “Security awareness training doesn’t do anyone any good if they sleep through it. You can deliver the best security advice in the world, but if no one is listening, you might as well be talking to a brick wall.

“Good security awareness training should get and keep your attention. That’s what it means to be engaging.”

We’re Elixis Technology

.

News Source: https://www.infosecurity-magazine.com/

Over a third of government and enterprise users have been given privileged access despite not needing it, potentially exposing their organization to greater cyber-risk, according to Forcepoint.

The security vendor polled nearly 1900 privileged users in the UK and US to better understand the current risk of insider threats.

Of the 36% of government and 40% of enterprise respondents who said they didn’t need privileged access, over a third said everyone at their level has privileged access. A similar number said that privileged access from a previous role had not been revoked when they changed jobs, while around a quarter claimed they were granted elevated access rights for no apparent reason.

Operating an access policy of “least privilege” is widely accepted to be cybersecurity best practice. Forcepoint argued that granting excessive privileges can undermine security because users may access sensitive data out of curiosity, be pressured to share their rights with others, and believe they are empowered to access all the info they can view.

Worse still, only half (48%) of government respondents said privileged users are vetted through background checks. Just 46% of government and 52% of enterprise respondents said their organization can effectively monitor privileged user activities, while even fewer (11% and 14%) were confident their organization has visibility into user access.

A lack of unified visibility from a single tool, and challenges around change management with outsourcing and offboarding, were both highlighted as issues.

Privileged abuse can also be hard to spot because of a lack of contextual insight from security tools, high false positive rates and info overload, the report claimed.

“Without granular visibility — visibility not just into who has access, but what they’re doing with it — organizations can’t detect or react to compromised or malicious access fast enough to stay protected,” said Forcepoint director of global government and critical infrastructure, Carolyn Ford.

“The key principle here is a zero-trust motto: ‘never trust, always verify’ particularly since the privileged user threat shows no sign of diminishing. Economic pressure leads to short-staffed companies, which leads to stressed employees who are more likely to cut corners in ways that threaten security. Especially now, real-time visibility into user access and actions should be non-negotiable.”

We’re Elixis Technology

.

News Source: https://www.infosecurity-magazine.com/

IT leaders have suffered significantly higher numbers of data breaches as a result of outbound email in the last 12 months.

According to research by Egress, 93% of 538 IT leaders surveyed reported a breach in the past year due to an email error, with 70% of those believing remote working increases the risk of sensitive data being put at risk from outbound email data breaches.

Egress CEO Tony Pepper said the problem is only going to get worse with increased remote working and higher email volumes, which create prime conditions for outbound email data breaches of a type that traditional DLP tools simply cannot handle.

“Instead, organizations need intelligent technologies, like machine learning, to create a contextual understanding of individual users that spots errors such as wrong recipients, incorrect file attachments or responses to phishing emails, and alerts the user before they make a mistake,” he said.

The most common breach types were replying to spear-phishing emails (80%), emails sent to the wrong recipients (80%) and sending the incorrect file attachment (80%).

Speaking to Infosecurity, Egress VP of corporate marketing Dan Hoy, said businesses reported an increase in outbound emails since lockdown, “and more emails mean more risk.” He called this a numbers game which has increased risk as remote workers are more susceptible and likely to make mistakes the more they are removed from security and IT teams.

According to the research, 76% of breaches were caused by “intentional exfiltration.” Hoy confirmed this is a combination of employees innocently trying to do their job and not cause harm by sending files to webmail accounts, but this does increase risk “and you cannot ignore the malicious intent.”

This is where better technology could better resolve the problem, he said, as current technology (such as static rule-based data loss prevention) does not catch these issues and problems increase. “Technology needs to shoulder more of the burden,” Hoy added.

Furthermore, almost two-thirds (62%) of businesses rely on people to identify outbound email data breaches, whilst 24% of IT leaders said the employee who sent the email would disclose their error. In terms of action taken, 46% of respondents said the employee who caused a breach was given a formal warning, while legal action was taken in 28% of cases. In 27% of serious breach cases, respondents said the employee responsible was fired.

Hoy pointed to the 62% statistic and the fact that we are “still reliant on people to self-report incidents” and called outbound email errors combined with remote workers as a “perfect storm.” Regarding employees being reprimanded, he said it is an interesting debate as to where responsibility lies.

Pepper said: “Relying on tired, stressed employees to notice a mistake and then report themselves or a colleague when a breach happens is unrealistic, especially given the repercussions they will face. With all the factors at play in people-led data breach reporting, we often find organizations are experiencing 10-times the number of incidents than they are aware of.

“It’s imperative that we build a culture where workers are supported and protected against outbound email breach risk with technology that adapts to the pressures they face and stops them from making simple mistakes in the first place. As workers get used to more regular remote working and reliance on email continues to grow, organizations need to step up to safeguard both employees and data from rising breach risks.”

We’re Elixis Technology

.

News Source: https://www.infosecurity-magazine.com/

A large proportion of employees are using their own devices to access data belonging to their company, according to a new study by Trend Micro.

Researchers found that 39% of workers use personal smartphones, tablets, and laptops to access corporate data, often via services and applications hosted in the cloud.

The Head in the Clouds study, which surveyed more than 13,000 remote workers globally, found that many of the personal devices used to access company data were not as secure as their corporate equivalents. 

A further finding of the study was that more than half (52%) of global remote workers have IoT devices connected to their home network, with 10% using lesser-known brands. 

Since home networks typically offer security protection that is inferior to that which a business can afford to implement, researchers expressed concern that attackers could access home networks, then use unprotected personal devices as a stepping stone into the corporate networks they’re connected to.

Getting access to personal devices may not present much of a challenge to threat actors, given that over one-third (36%) of remote workers surveyed did not have basic password protection on all personal devices.

“The fact that so many remote workers use personal devices for accessing corporate data and services suggests that there may be a lack of awareness about the security risks associated with this,” commented cyberpsychology expert Dr. Linda K. Kaye.

“Tailored cybersecurity training which recognizes the diversity of different users and their levels of awareness and attitudes around risks would be beneficial to help mitigate any security threats which may derive from these issues.”

The research also revealed that 70% of global remote workers connect corporate laptops to the home network, opening up the possibility for malware infections to be brought from the home into the office. 

“IoT has empowered simple devices with computing and connectivity, but not necessarily adequate security capabilities,” said Bharat Mistry, principal security strategist at Trend Micro. 

“This threat is amplified as an age of mass remote work blurs the lines between private and company devices, putting both personal and business data in the firing line.”

We’re Elixis Technology

.

News Source: https://www.infosecurity-magazine.com/

The COVID-19 pandemic – and the lockdowns that followed last spring – wrought changes across IT operations and strategy as businesses and employees adjusted to a new environment. But what changes were made, and which ones are likely to last?

Spiceworks Ziff Davis, a B2B tech marketplace, polled 1,073 IT buyers in North America and Europe in June and July 2020 to find out. The results in its 2021 State of IT report, released today, show that the pandemic-fueled transformation will continue, affecting both planning and budgets for the long term.

The survey shows that 76% of businesses envision long-term IT changes, with more than half planning to retain flexible work policies (such as remote work); 64% of companies enabled remote work in 2020 due to the pandemic.

How IT budgets will change

IT budgets at 46% of companies are expected to remain flat in 2021, while 33% expect to increase spending and 17% expect budget declines – essentially double the 8% who had expected budgets to decline this year when surveyed in 2019. (The remaining 4% did not know if their budgets would change in 2021.) Overall, budgets are expected to decline, with the size of the cuts surpassing spending increases by 33%.

European and North America firms had the same percentage expecting increases (33%), but North American firms were more likely to expect declines than European ones, 21% vs. 12%. The largest companies were more likely to expect budget cuts (24%) and less likely to expect increases (28%) than the average.

Hardware spending will remain the biggest component of IT budgets but will decline as part of a shift from the data center to the cloud and managed services. Hardware spending was already dropping, from 35% in 2019 to an expected 31% in 2021. Cloud and hosted services’ share of IT budgets are moving in the opposite direction, from 21% last year to an expected 24% in 2021. Software budgets are expected to stay flat at 29% compared to 2020. Enterprises will spend more on cloud (27%) than the average, and less on hardware (25%) and software (26%) than the average.

The top areas of investment will be in bread-and-butter IT areas, essentially modernizing work processes. For example, 36% plan to improve IT operations and systems performance; 33% expect to improve security and governance; 32% plan to deploy standardized tools to connect employees; 30% plan to provide training aids to remote employees; and 27% want to refine their disaster recovery plans to accommodate additional scenarios.

Investments in emerging and cutting-edge technologies will drop significantly, as the focus changes to more immediate, proven needs. Efforts on digital transformation will increase at 44% of firms, but “digital transformation” in this context means adopting digital technologies for highly analogue processes – adopting proven technology systems– not bringing in cutting-edge innovations.

The technology innovation trends that IT buyers do expect to adopt are mainly long-standing ones:

• 25% expect to adopt gigabit Wi-Fi (802.11ac and 802.11ax) networking; 35% already have;
• 19% expect to adopt IT automation in the next few years; 52% already have;
• 19% expect to adopt the internet of things; 29% already have;
• 19% expect to adopt converged or hyperconverged infrastructure; 22% already have;
• 18% expect to adopt virtual desktop infrastructure (VDI); 27% already have;
• And 18% expect to adopt container technology; 24% already have.

A third of planned increases in 2021 IT budgets are influenced by the pandemic, particularly involving communications tools, infrastructure, and security. For companies expecting to increase budgets, upgrading outdated IT infrastructure, getting IT projects done more quickly, addressing security concerns, addressing changes brought by the pandemic, and supporting remote work are major drivers for 2021.

How IT’s focus shifted as the pandemic unfolded

In March 2020, during the height of the adjustments required as COVID-19 related lockdowns became common, these tech areas got more attention from IT buyers: video conferencing, VDI, firewalls, network monitoring, communications systems, and collaboration tools.

And in May and June, a holding pattern developed, with no new strong drivers of IT attention.

The focus shifted dramatically to security by June, after the initial efforts to respond to the crisis were in place. Endpoint device security is the top security-related concern for remote-work efforts, cited by 55% of respondents.

We’re Elixis Technology

.

News Source: https://www.computerworld.com/

The Covid-19 pandemic has forced a massive shift to remote work. It is clear that, going forward, a much larger percentage of workers will work remotely. Organisations that deployed quick, short-term solutions for remote workers must now consider what will serve business goals and employees alike for the long term. Flexibility, security, performance and scalability are paramount in these uncertain times.

The scalability problem with VDI and VPNs

Giving employees secure access to applications and data is a pressing need for most organisations right now. Previous solutions to support remote work included on-premises VDI and VPNs, which were typically provisioned for five percent of people to work remotely.

Let’s look first at IPSec VPN technologies. For the vast majority of the time, end users would connect from the office. However, if they were traveling or needed to work from home, employees could use their corporate-owned device to establish a secure network tunnel back through a VPN to the corporate datacentre, and then access their applications and data. Now that the majority of people are working from home, IT has struggled to scale the VPN infrastructure to support the significant increase in users.

The quality of user experience depends greatly on the amount of traffic, as well as the latency and the bandwidth of the remote connection. Further, if access to common SaaS applications is funnelled through the datacentre, it could result in substantially slower performance and reduced end user productivity. Lastly, many organisations are concerned about the security of VPNs – it gives malware a direct route into the data centre and cannot ensure that sensitive or regulated data does not get copied to endpoints.

Alternatively, some organisations chose to expand their use of VDI. Workers could use their personal or corporate-owned devices to gain access to Windows desktops or to applications running in a datacentre. The reality is that VDI suffers from significant scalability and agility limitations. Adding infrastructure to support additional users is expensive and complex to deploy, especially when it is unclear how many users will remain remote once shelter in place restrictions are lifted. From an end user perspective, performance can be terrible. VDI in most cases was designed for occasional access to applications – not an eight-hour workday.

Compared to what’s possible today, VPN and VDI technologies stymie enterprise growth. Neither of these technologies was designed to address the widespread work-from-home scenarios companies are experiencing today – and for the foreseeable future. Today’s IT teams require an end user computing solution that supports the ability to work from anywhere, with little or no intervention from IT. It should be a seamless transition that happens at a moment’s notice; people should be able to simply go home and pick up work where they left off.

The future is cloud-first

In this cloud era, IT leaders have two new solution categories to consider that replace VPN and VDI:

• A SaaS equivalent of VDI, not an MSP hosted solution – Desktop as a Service (DaaS) solutions. These options make it simple and elastic for IT to deliver virtual desktops to end users. By taking advantage of service availability in cloud regions all over the world, IT can dramatically simplify their overhead and processes, plus reduce latency and deliver better end user performance
• Optimised for the SaaS and cloud era Zero Trust Network Access (ZTNA) solutions. They use a combination of techniques to solve the security problems mentioned above by sending SaaS traffic directly to the vendor and making Zero Trust end points possible.

Changes to the timeline

Of the 317 CFOs and finance leaders Gartner surveyed recently, 74% of them plan to shift “at least five percent of their previously on-site workforce to permanently remote positions post-COVID-19.” Nearly one-quarter (23%) plan to convert at least 20% of previously on-site employees into permanent telecommuters. Twitter and Square are just two of the companies that have announced their employees can work remotely forever.

Now that the quarantine situation has stretched into months, organisations must examine the sustainability of their plans. Most companies have improvised solutions that addressed the immediate transition to remote work but are beginning the search for more cost-effective and secure long-term solutions.

Planning for an uncertain future

Organisations are going to need solutions that enable remote work, for the foreseeable future. These solutions must be scalable, flexible and reliable in order to serve the needs of the organisation and its remote workers in both the short and long term. VDI and VPN are legacy solutions that were never intended to support a large contingent of remote workers, which makes them unsuitable for today’s needs.

More modern solutions such as DaaS and ZTNA offer much-needed scalability at an affordable cost. They not only help during times of uncertainty but can set you up for success and growth well into the future.

We’re Elixis Technology

.

News Source: https://cloudcomputing-news.net/