Data Localization

Data localization or data residency law requires that data about a nation's citizens or residents be collected, processed, and/or stored inside the country, often before being transferred internationally, and usually transferred only after meeting local privacy or data protection laws, such as giving the user notice of how the information will be used and obtaining their consent. There is a lot of action globally right now related to data localization. Check out this blog that caught my eye:

APIs in a COVID-19 World

Application program interfaces (APIs) are growing exponentially in the COVID-19 world. In a rare collaboration, Apple and Google are now working together to deliver their exposure notification API to developers that are working on apps for public health. This API is expected to be released in mid-May and tested over the next several weeks. The initiative uses Bluetooth to track exposures to confirmed COVID-19 cases, and smartphones can show who infected people may have been in contact with based on information stored on their phones. Specific information related to patients’ identities or locations is not shared with Google or Apple.

Radar is another company that is currently working with retailers to help them connect their apps to location services via APIs. With COVID-19, there is a need for curbside pickup for many restaurants and retailers. Having insight into customers’ locations is needed to deliver products on time as well as meet other demands around changing customer expectations.

APIs are crucial today for offering innovative products and services. They enable businesses to access a new database or technology. For example, Radar has 3 key APIs. There is an API to identify the distance between the store and the shopper to find the estimated time of arrival. Then they use a second API to connect to search, which allows the consumer to open the store's website and see all relevant locations nearby so that trips can be combined. Finally, Radar has a third API that does geocoding: it takes longitude and latitude measurements and converts them into an address. Sometimes it is helpful to think of these mobile app solutions in terms of a series of screens that help customers find the most relevant pages and help stores display content to improve the customer experience.

While people are used to computer screens, the real magic is in the interface hidden from the user, which has become much more open and standardized over the years. An API provides the standard interface through which software programs can communicate, share messages, and manage shared memory. Unlike a web form, where there might be multiple transactions to process a user registration, an API call will often include all the information needed to complete a transaction. For example, if you want to know how many orders a particular customer has placed, you could go through your business's records, slowly scan the "customer name" data field, and print each record. But if the records are uploaded to a central database, you can write a program that accesses that database and finds all the instances of the customer's name directly (without scanning), which takes less time and is more accurate.

While some think of APIs as error-free, this is not true. APIs are not like a USB port where you have access to everything in another program. Some have compared APIs to getting help from a person at a help desk in a foreign country: an API provides data that programmers have made available to outside users, and you have to know the language to ask the right questions to do anything with the data. When programmers make data available, they expose endpoints, parts of the language they used to build the program, so that other programmers can get that data through URLs or other special programs that build URLs.

Monitoring API performance is important in this COVID-19 world to make sure that APIs are functional and accessible and do not suffer from problems like downtime or excessive loading times. Also, when iOS has a new update, there are changes that an API has to get ahead of to ensure future customer experiences stay consistent.

APIs are useful for pulling specific information from another program, and developers can help with building programs to display that data in an application. Consultants can help with building on existing APIs and creating custom connections. However, having some basic understanding of how APIs work will be key to great integrations in the post-pandemic world.

#COVID-19 #APIs #API #DigitalTransformation

Cybersecurity 101: Ten KPIs to Monitor

It's no surprise that attackers are using more sophisticated techniques to target systems, from personal devices to businesses of all sizes. Deloitte estimated that a low-end cyber-attack costing $34/month could return $25K, while larger attacks costing a few thousand dollars could return as much as $1 million per month. IBM estimates the average cost of a data breach to a business as $3.86 million. To mitigate the harm caused by data breaches, you need to know what to monitor and why. Here are ten cybersecurity monitoring suggestions to protect networks, devices, programs, and information from attack, damage, and unauthorized access.

Security Incidents and Impact

The number of reported incidents should be measured to stay aware of cyberattacks. Not every incident leads to a costly data breach. The first step is to calculate the percentage of incidents that are major and the percentage that are minor. Then the average cost of an incident can be determined. Once the numbers showing how security incidents and data breaches are impacting the company are known, the big picture of annual loss expectancy can be discussed.

Annual Loss Expectancy = (Number of Incidents per Year) x (Potential Loss per Incident)

The annual loss expectancy can change, though, as data breaches and the costs of cleaning up a data breach rise, which requires adjustments to the calculation. Third-party tools can be helpful in detecting and monitoring all applications to see trends in incidents.

Number of Security Incidents

The number of both small and major security incidents is important to measure to remain informed of exploitation and set key performance indicator priorities. If you have the number of security incidents, it is possible to focus on the incidents that have the most significant financial impact on the company. Some hackers are targeting areas for a catastrophic loss. For example, the WannaCry attack is predicted by experts to have created $4 billion in damages, and hospitals were shut down during recovery. While the smaller incidents may not be catastrophic, the alert team should detect and disarm these threats before damage is done. Minor incidents typically include things like suspicious emails and activity on the server from hackers that may try to take down your website.

Time to Resolve an Incident

Time to resolve an incident is essential to measure, both to learn how the cyber team is performing and to measure business impact. Time is money, and cybersecurity is no exception. A log should be kept documenting the time from when the breach was first noticed until the final report. Third-party vendor tools can support the logging and interpretation of this time. Downtime can hurt a business in everything from lost sales to customer confidence. Server logs and hosting providers can help identify data and traffic issues, which can provide insight into how much potential damage was caused by the hack. Both the mean-time-to-identify and the mean-time-to-respond should be measured, as poor performance in these areas can be a contributor to breach costs. For US companies in 2017, the mean-time-to-contain was 208 days, and the mean-time-to-identify was 52 days.
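A worked version of the three measures above (share of major versus minor incidents, mean time to identify and contain, and the annual loss expectancy formula), written here as an added example rather than the author's own tool; the incident records are constructed and the field names are assumptions:

```python
from datetime import datetime

# Constructed incident records for illustration (not real data). Dates are
# ISO strings; "cost" is the estimated cost of handling that incident.
INCIDENTS = [
    {"severity": "minor", "start": "2020-01-03", "identified": "2020-01-05",
     "contained": "2020-01-06", "cost": 2_000},
    {"severity": "major", "start": "2020-02-10", "identified": "2020-03-01",
     "contained": "2020-03-21", "cost": 150_000},
    {"severity": "minor", "start": "2020-04-15", "identified": "2020-04-15",
     "contained": "2020-04-16", "cost": 1_000},
    {"severity": "minor", "start": "2020-05-20", "identified": "2020-05-22",
     "contained": "2020-05-25", "cost": 3_000},
]

def _days(inc, start_key, end_key):
    fmt = "%Y-%m-%d"
    return (datetime.strptime(inc[end_key], fmt) - datetime.strptime(inc[start_key], fmt)).days

def severity_share(incidents):
    """Percentage of incidents per severity (the 'threat percentage' above)."""
    counts = {}
    for inc in incidents:
        counts[inc["severity"]] = counts.get(inc["severity"], 0) + 1
    return {sev: 100.0 * n / len(incidents) for sev, n in counts.items()}

def cost_by_severity(incidents):
    """Total cost per severity: shows where the financial impact concentrates."""
    totals = {}
    for inc in incidents:
        totals[inc["severity"]] = totals.get(inc["severity"], 0) + inc["cost"]
    return totals

def mean_time_to_identify(incidents):
    """Mean days from incident start to detection (MTTI)."""
    return sum(_days(i, "start", "identified") for i in incidents) / len(incidents)

def mean_time_to_contain(incidents):
    """Mean days from incident start to containment (MTTC)."""
    return sum(_days(i, "start", "contained") for i in incidents) / len(incidents)

def annual_loss_expectancy(incidents, years_observed=1.0):
    """ALE = (incidents per year) x (average loss per incident), as in the formula above."""
    per_year = len(incidents) / years_observed
    avg_loss = sum(i["cost"] for i in incidents) / len(incidents)
    return per_year * avg_loss
```

With only half a year of records (years_observed=0.5) the incident rate is annualized, which is why the ALE doubles relative to the observed costs; rising per-incident costs feed straight into avg_loss.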

Number of Systems with Known Vulnerabilities

Knowing the number of assets that have vulnerabilities helps determine the risk that the business could incur. While managing updates and patches can sometimes be complicated, it is vital to avoid loopholes that could be used by hackers. A vulnerability scan covering all assets should be performed; its results indicate what can be done to improve the security of the business.

Invalid Log-In Attempts

It is important to check system logs from time to time to see if anyone has tried to access your computer. It is good to have a system that monitors every login attempt and tracks whether it was successful or not. It is also good to monitor failed and locked-out logon attempts for the entire domain. Software like ADAudit Plus, Netwrix Account Lockout Examiner, and Security Onion can help with these goals. Software like UserLock allows granular access restrictions by specific criteria like workstation, device, IP, and IP range. It can also limit concurrent sessions, enforce user logon times, monitor user access in real time, create alerts and enable rapid response to inappropriate login behavior, disconnect sessions left open, and report on and audit all access events.
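The monitoring described above, reduced to its core: count failed and locked-out logons per user and flag accounts whose failures cluster inside a short window. This is an added example, not code from any of the products named; the log lines are constructed and their field layout is an assumption, not a real product's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon audit lines for illustration (not from a real system).
LOG_LINES = """\
2020-05-01T08:00:01 user=alice src=10.0.0.5 result=FAIL
2020-05-01T08:00:03 user=alice src=10.0.0.5 result=FAIL
2020-05-01T08:00:05 user=alice src=10.0.0.5 result=FAIL
2020-05-01T08:00:06 user=alice src=10.0.0.5 result=FAIL
2020-05-01T08:00:09 user=alice src=10.0.0.5 result=LOCKOUT
2020-05-01T08:10:00 user=bob src=10.0.0.7 result=FAIL
2020-05-01T08:10:30 user=bob src=10.0.0.7 result=SUCCESS
2020-05-01T09:00:00 user=carol src=203.0.113.9 result=FAIL
2020-05-01T09:30:00 user=carol src=203.0.113.9 result=FAIL
2020-05-01T10:00:00 user=carol src=203.0.113.9 result=FAIL
2020-05-01T10:30:00 user=carol src=203.0.113.9 result=FAIL
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_lines(lines):
    # Lines that do not match the expected layout are skipped, not guessed at.
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def failed_logon_kpis(events, threshold=4, window=timedelta(minutes=5)):
    """Count failures and lockouts; flag users with `threshold` failures inside `window`."""
    fails = defaultdict(list)
    lockouts = 0
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
        elif e["result"] == "LOCKOUT":
            lockouts += 1
    bursts = set()
    for user, times in fails.items():
        times.sort()
        # Sliding window over sorted timestamps: any `threshold` consecutive failures
        # that fit inside `window` count as a burst for this user.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.add(user)
                break
    return {"failed_total": sum(len(t) for t in fails.values()),
            "failed_by_user": {u: len(t) for u, t in fails.items()},
            "lockouts": lockouts, "burst_users": sorted(bursts)}
```

Note that carol's four failures, spaced thirty minutes apart, never trip the burst check; that is why the per-user totals are reported alongside it, since slow, spread-out failures are the case a simple burst threshold misses.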

Number of Users with “Super User” Access

Employees should have only the level of access to company resources that is necessary for their work. Identifying the access levels of network users allows them to be adjusted as needed, by removing super-user access from anyone who has it but does not require it to perform their job.

Number of Communication Ports Open During a Period of Time

Generally speaking, it is standard to avoid allowing inbound traffic for NetBIOS. Also, businesses should be observant of outbound SSL, since a session that stays active for an extended time could be an SSL VPN tunnel that allows bi-directional traffic. Any common ports for protocols that enable remote sessions should be monitored for how long they stay open.

Frequency of Access to Critical Enterprise Systems by Third Parties

Managers may grant access to third parties for particular activities. It is critical to monitor whether that access is canceled at the end of the provided service. If this is not measured, there is a chance that the third party returns to extract data or carry out other hacks. And if the third party's network is hacked, it exposes your network to the same threat.

Percentage of Business Partners with Effective Cybersecurity Policies

Companies that provide services to your business cannot be overlooked. Providing access to your environments to outsourced companies can pose a risk if they do not have effective cybersecurity policies in place. Your security practice is only as strong as the third parties that are connected to your system.

Meeting Regulatory Requirements

It is essential to measure this because there are national regulatory requirements relating to cybersecurity incidents. If the business is naïve about current regulations and requirements, that does not relieve the firm of liability and can result in fines as well as reputational costs. States like New York, for example, require financial service companies to hire a CISO responsible for risk mitigation. Data breaches also carry time-bound requirements for businesses.

Key performance indicators (KPIs) can help a company keep objectives at the forefront of decision making. This overview provided ten suggestions for KPIs that can help in mitigating risks by measuring your performance against your cybersecurity goals.

#Cybersecurity #Monitoring  #KPIs

About the Author

Shannon Block is an entrepreneur, mother and proud member of the global community. Her educational background includes a B.S. in Physics and B.S. in Applied Mathematics from George Washington University, M.S. in Physics from Tufts University and she is currently completing her Doctorate in Computer Science. She has been the CEO of both for-profit and non-profit organizations. Currently as Executive Director of Skillful Colorado, Shannon and her team are working to bring a future of skills to the future of work. With more than a decade of leadership experience, Shannon is a pragmatic and collaborative leader, adept at bringing people together to solve complex problems. She approaches issues holistically, helps her team think strategically about solutions and fosters a strong network of partners with a shared interest in finding scalable solutions. Prior to Skillful, Shannon served as CEO of the Denver Zoo, Rocky Mountain Cancer Centers, and World Forward Foundation. She is deeply engaged in the Colorado community and has served on multiple boards including the International Women’s Forum, the Regional Executive Committee of the Young Presidents’ Organization, Children’s Hospital Quality and Safety Board, Women’s Forum of Colorado, and the Colorado-based Presbyterian/St. Luke’s Community Advisory Council. Follow her on Twitter @ShannonBlock or connect with her on LinkedIn.

Visit www.ShannonBlock.org for more on technology tools and trends.

Security Assessment versus Security Audit?

If you are a member of the Board and the topic of a cybersecurity audit comes up, it is important to define what it is and what it is not. Audits are often used to evaluate the effect of policies. While sometimes security audits and assessments are referred to interchangeably, they really are not the same thing.

An assessment is an evaluation that seeks information to better understand a specific situation (people, process, and technology) and make informed decisions as it relates to that specific situation. An audit, on the other hand, typically involves verifying the system against a holistic standard that results in a pass or fail outcome.

An audit often contains different assessments, with a combination of conceptual and technical reviews. A security audit might include conducting physical, access control, and vulnerability assessments. But, a security audit will also likely include evaluating design controls and processes, standard operating procedures, disaster recovery plans, as well as several other components.

Audits can be costly and, depending on the scope, may only provide broader insights into an organization's cyber health. For example, cyber health could be defined in terms of the presence of controls. But what if what is really needed is to evaluate the effectiveness of those controls in mitigating risk? If the effectiveness of a control is the goal, then asking more questions around specific assessments might be warranted. For example, the auditor may determine that the organization checks the box because a firewall is in place on company devices. But if the firewall is not properly configured, the firewall might not even work.

A formal audit is typically performed by an external third-party vendor that has no conflict of interest. It is not uncommon for larger companies to have internal audit teams running assessments throughout the year to protect the company, as well as to better prepare for the external audit. A security audit is often a more systematic evaluation of the organization's information system against an established set of criteria. Standards like ISO 27000 provide important frameworks and details that have influenced both assessments and audits.

When trying to determine a company’s cybersecurity posture, there are a variety of different assurance actions that can be taken. Cybersecurity audits and assessments are helpful tools in assuring that policies have been applied and that there are enforceable controls in place to ensure the correct application of policy across the organization.

#Cybersecurity #VendorManagement #CyberAudits #CyberAssessments