Info Risk Today Podcast

When he was CEO of RSA, Art Coviello warned global security leaders about cyber warfare among nation-states. What he didn't anticipate was how quickly social media would rise, enabling adversaries to weaponize misinformation. How does this impact his 2020 outlook?

Because vendors were implicated in many of the largest health data breaches in 2019, it's more critical than ever for healthcare organizations to manage the security risks posed by their suppliers, says Erik Decker, CISO and chief privacy officer at the University of Chicago Medicine.

Healthcare organizations must carefully vet their medical device suppliers to scrutinize how they're handling the security of legacy products and the lifecycle design of new devices, says consultant Kim Hirsch of Fusion Risk Management.

Tom Kellermann, former cybersecurity adviser to the Obama administration, doesn't mince words when he describes the nation-state threat to the U.S. as the "axis of evil in cyberspace." Nor does he hold back about the threat from destructive attacks, 5G deployment and other trends to watch in 2020.

While run-of-the-mill ransomware attacks continue, some crypto-locking malware gangs are bringing more advanced hacking skills to bear against targets, seeking the maximum possible payout, says cybersecurity expert Jake Williams of Rendition Infosec, who dubs the trend "ransomware 2.0."

Fake news, fake accounts - even fake food. Gartner analyst Avivah Litan is concerned about the onslaught of "fake everything" and how it undermines the trust upon which enterprises are built. In this 2020 preview, Litan discusses emerging technologies to combat the fakes.

What are some of the most important health data privacy and security regulatory developments to watch in 2020? Privacy attorney Kirk Nahra of the law firm WilmerHale discusses what he sees as the top five issues in the year ahead.

The latest edition of the ISMG Security Report discusses the recent ransomware attacks on the city of New Orleans as well as other units of local government and schools. Also featured: discussion on security issues for IoT and legacy medical devices.

Improving the security of diverse medical devices is a major challenge for a variety of reasons, according to security leaders at two device manufacturers, who spell out the key issues in this interview.

The latest edition of the ISMG Security Report discusses why cyber defense teams need to think more like attackers. Plus, a case study on cross-border payment fraud, and an expert's take on security for the 2020 elections.

What challenges does a CISO face when dealing with issues facing several industries? Abid Adam of Axiata Group, a conglomerate based in Malaysia, describes his efforts to manage privacy and security in three diverse sectors.

How does one make cloud a prominent part of enterprise security strategy? Is the cloud inherently more secure than on-prem? These were among the discussion points of a recent Dallas executive roundtable. Alex Pitigoi of Nominet shares her takeaways from the event.

ISMG and Nominet recently hosted a NYC roundtable discussion on the topic of cyber confidence. Dave Polton of Nominet reflects on the key takeaways and why cyber confidence is now one of the sector's hottest topics.

CISOs need to begin investigating the use of quantum-proof cryptography to ensure security is maintained when extremely powerful quantum computers that can crack current encryption are implemented, says Professor Alexander Ling, principal investigator at the Center for Quantum Technologies in Singapore.

The use of artificial intelligence, machine learning and robotics has enormous potential, but along with that promise come critical privacy and security challenges, says technology attorney Stephen Wu.

Applying offensive hacking expertise and a more adversarial mindset to better hone not just network defenses but also public policy is proving effective, says Jeff Moss, founder and creator of the Black Hat conference.

The latest edition of the ISMG Security Report offers an analysis of the FBI's security and privacy warnings about smart TVs. Also featured: discussions on the security of connected medical devices and strategies for fighting synthetic identity fraud.

In an in-depth interview, John Halamka, M.D., the former long-time CIO at Beth Israel Deaconess Medical Center in Boston, discusses his upcoming move to head Mayo Clinic's global digital health initiative in collaboration with Google - and why privacy and security are so critical to those efforts.

The EU's second Payments Services Directive is alive and well. But where are financial institutions now re: compliance and enforcement? James Rendell of CA Technologies, a Broadcom company, offers insight on PSD2 and EMV 3DS compliance for 2020.

What are the key mobile security threats to financial organizations, and how are these enterprises marshalling their mobile threat defense? These were the questions posed by ISMG and Wandera to security leaders in San Francisco. Wandera's Michael Covington discusses the response.

As a security leaders, too often you are brought to the table after a digital transformation project has been initiated, so you are forced to take a reactive position. But Adam Bosnian of CyberArk sees an important, proactive role for security. And a good start is by ensuring privileged access management is a key component of transformation.

Getting the proper vendor contracts completed is a top concern for organizations preparing to comply with the California Consumer Privacy Act, says Caitlin Fennessy, research director at the International Association of Privacy Professionals.

The latest edition of the ISMG Security Report discusses new combination ransomware and doxing attacks. Plus, Twitter drops phone numbers in 2FA, and why we need to consider quantum cryptography today.

All healthcare industry stakeholders must take critical steps to address the cybersecurity of connected medical devices, says Jennifer Covich Bordenick, CEO of of the eHealth Initiative and Foundation, an advocacy group that has issued a new report on the subject.

Election hacking is not just a US issue; it's a hot topic for every global democracy. And Joseph Carson of Thycotic is concerned that too many people are focused on the wrong elements of this topic. He analyzes the specific hacking techniques that demand attention.

This edition of the ISMG Security Report features an analysis of the very latest ransomware trends. Also featured: Discussions of Microsoft's move to DNS over HTTPS and strategies for tackling IoT security challenges.

Two rules proposed by federal regulators could provide significant help to strengthen cybersecurity in the healthcare ecosystem, says regulatory attorney Julie Kass of the law firm Baker Donelson.

Numerous regulations and standards have been introduced globally to help curtail online fraud. What makes EMV 3D Secure stand out? Matt Cooke and Paul Dulany of Broadcom weigh in on the implementation and benefits of EMV 3DS.

While IoT devices are entering enterprises at a rapid pace, the security practices around them are as much as 20 years behind those for enterprise computing, says Sean Peasley of Deloitte, who outlines steps organizations can take to ensure safe IoT computing.

Cloud solutions, the mobile workforce, the skills gap - these are among the security impacts that don't get enough attention when discussing digital transformation. David Ryder of Avast Business opens up on these topics.

Multifactor authentication is gaining traction - but it also is causing additional user friction when deployed poorly. Corey Nachreiner and Marc Laliberte of WatchGuard Technologies discuss how best to deploy and administer MFA.

The latest edition of the ISMG Security Report offers an in-depth analysis of whether Instagram is doing enough to protect the contact information of minors. Plus: Compliance updates on GDPR and PCI DSS.

Bolstering medical device security is a top priority at Fort Worth, Texas-based Cook Children's Health Care System, says CIO Theresa Meadows, who's a leader of two cybersecurity advisory groups.

There are robust and detailed discussions in cybercriminal forums on how to attack modern vehicles, seeking clandestine methods to steal cars, says Etay Maor of IntSights. Luckily, hackers aren't aiming to remotely trigger an accident, but there are broader concerns as vehicles become increasingly computerized.

With Google aggressively expanding its push into the healthcare sector, critical privacy-related issues are emerging, says regulatory attorney Alisa Chestler, who offers an overview of key issues.

Getting breached is not a question of "if," but "when." Nick Carstensen of Graylog explains what steps should be taken to mitigate data breach risk.

Many companies around the world that accept card payments are failing to continually maintain compliance with the PCI Data Security Standard, according to the new Verizon 2019 Payment Security Report. Verizon's Rodolphe Simonetti, who contributed to the report, explains the findings.

One key step for preparing to comply with the California Consumer Privacy Act, which goes into effect in January, is determining how best to verify the identity of users, say two leaders of the Sovrin Foundation, who discuss the key issues.

Bala Kumar of iovation, a TransUnion company, sees a marked spike in identity fraud in general, and at account origination in particular. How does this increase manifest across industry sectors, and how should organizations re-think their defenses?

Sprawling computing environments - from cloud to containers to serverless - are posing challenges in maintaining visibility and determining if data is secure, says Mike Adler of RSA.

The latest edition of the ISMG Security Report offers an analysis of how Twitter allegedly was used to spy on critics of the Saudi Arabian government. Also featured: A preview of the new NIST Privacy Framework and an update on business email compromise attacks.

Organizations should develop a comprehensive strategy for managing third-party security risks and avoid over-reliance on any one tool, such as vendor security risk assessment, monitoring or ratings services, says analyst Jie Zhang of Gartner.

By year's end, the National Institute of Standards and Technology should be ready to publish the first version of its privacy framework, a tool to help organizations identify, assess, manage and communicate about privacy risk, says NIST's Naomi Lefkovitz, who provides implementation insights.

The Sophos 2020 Threat Report is out, and among the key findings: Ransomware attackers continue to leverage automated active attacks that can evade security controls and disable backups to do maximum damage in minimal time. John Shier of Sophos analyzes the trends that are most likely to shape the 2020 cybersecurity landscape.

The healthcare sector is especially susceptible to ever-evolving cybercrimes, says attorney Jason G. Weiss, a former FBI special agent and forensics expert, who describes critical steps to take to avoid falling victim.

The latest edition of the ISMG Security Report offers an in-depth analysis of how to prevent data exposure in the cloud. Plus: why PCI's new contactless payment standard lacks PINs, and how to go beyond the hype to accurately define "zero trust."

Mobile devices are attractive targets for attackers because of messages, call logs, location data and more. State-sponsored groups are digging ever deeper into mobile hacking, says Brian Robison of BlackBerry Cylance.

It's one thing to know your attackers. It's another to emulate some of their techniques so you can improve your own enterprise defenses. Craig Harber, CTO of Fidelis Cybersecurity, is an advocate of this "think like an attacker" defensive strategy.

Agile environments benefit from development platforms and open-source software, but that also raises the risks of attacks seeded in those supply chains, says Chet Wisniewski of Sophos, who describes steps that organizations can take to mitigate the risks.

Big data analytics and search tools give organizations the ability to analyze information faster than ever before. But too many organizations deactivate security controls built into Elasticsearch, Amazon S3 buckets and MongoDB when they deploy, leaving their data exposed, says Elastic's James Spiteri.