Info Risk Today Podcast

3,490 episodes — Page 38 of 70

How to Bake Security Into IT From the Start

NIST's Ron Ross, in an audio interview, explains new draft guidance that's designed to help technology vendors build secure components that their customers can use to build trustworthy information systems. Ross will be a keynoter at ISMG's Fraud and Breach Prevention Summit in Washington.

May 6, 2016

Why Banks Need To Be More Proactive With Security

The digital banking shift creates great convenience - for the fraudsters, as well as the customers. What can institutions do to reduce their vulnerability to breaches and fraud? Dave Allen of Bottomline Technologies offers advice.

May 5, 2016

Smaller Healthcare Organizations: The Next Breach Target?

Clinics, laboratories, durable medical equipment suppliers and other smaller healthcare entities need to bolster their breach preparedness as cyberattacks against smaller entities in all sectors continue to multiply, says David Finn of Symantec, who discusses findings from a new report.

May 4, 2016

Tackling Quantum Computing Threats to Cryptography

Within the next 20 years, quantum computing could be applied to easily crack current approaches to cryptography, according to the National Institute of Standards and Technology, which already is beginning work on new approaches to encryption that can withstand the power of quantum computing.

May 2, 2016

Verizon's Latest Breach Report: Same Attacks, More Damage

The Verizon 2016 Data Breach Investigations report finds malware, ransomware and phishing attacks are more common than ever and creating even more damage. Organizations are continuing to get exploited via vulnerabilities that are months or even years old, forensics expert Laurance Dine explains in this interview.

Apr 29, 2016

PCI-DSS Update: 5 New Requirements for Service Providers

Five new payment card data security requirements for third-party service providers are among the most significant changes included in version 3.2 of the PCI Data Security Standard released April 28, says Troy Leach of the PCI Security Standards Council.

Apr 28, 2016

Important Lesson From Trade Secrets Case

The most important lesson from the lawsuit electronic health records vendor Epic Systems filed against Tata Consultancy Services is that data security controls must extend beyond protecting personally identifiable information to include intellectual property, attorney Ron Raether explains in this audio report.

Apr 27, 2016

InfoSec Career Advice for Women

Denise Hayman, vice president at the security firm Neustar, offers in-depth advice to women interested in launching an information security career in this audio interview.

Apr 27, 2016

Test-Driving a New Approach to Online Credentials

A soon-to-be-launched pilot project funded by the National Institute of Standards and Technology aims to provide a potential model for how online access to patient information can be streamlined while boosting security, NIST trusted identities expert Phil Lam explains in this audio interview.

Apr 26, 2016

Navigating Business Associate Security Risks

Now, more than ever, managing the risks involved in working with business associates and their subcontractors should be a top priority for healthcare organizations in their efforts to safeguard patient information, says risk management expert Andrew Hicks, who explains why.

Apr 22, 2016

Internet of Things: Security Insights for Developers

"Internet of Things" developers must think about how attackers might attempt to exploit a device, and why, and then write code designed to block such attacks, says Charles Henderson, IBM's global head of security testing and threats.

Apr 20, 2016

Beyond Feeds: Put Threat Intel to Work

Are you making the most of all the intelligence available to you today? What are the practical aspects of plugging abstract threat intelligence into your specific business use cases? Deloitte's Parthasarathy shares deeper insight.

Apr 19, 2016

EMV: Chargebacks Hitting Merchants of All Sizes

U.S. merchants of all sizes - not just smaller retailers - have seen significant increases in chargebacks in the wake of the Oct. 1, 2015, EMV fraud liability shift date, Liz Garner, vice president of the Merchant Advisory Group, contends in this in-depth interview.

Apr 19, 2016

The Global State of Threat Intelligence

Only 23 percent of surveyed organizations can respond effectively to a cybersecurity incident. This is among the findings of Solutionary's fourth annual Global Threat Intelligence Report. Researcher Rob Kraus discusses the security gaps.

Apr 19, 2016

Analysis: Impact of Anthem Breach Case Ruling

A federal court's recent rejection of a motion filed by health insurer Anthem Inc. in its attempt to fight a class-action lawsuit in the wake of its massive data breach is important because it upholds the privacy rights of breach victims, says attorney Steven Teppler.

Apr 15, 2016

Living With Malware: How to Become 'Intrusion-Tolerant'

As the threat of malware infections, especially those involving ransomware, grows, organizations need to balance their perimeter-based security practices with an "intrusion tolerance" strategy that helps ensure a quick recovery, says medical device cybersecurity expert Kevin Fu.

Apr 11, 2016

Cyber Insurer Offers Ransomware Defense Insights

What steps can organizations take to help ensure they're not the next victim of a ransomware attack? Technology expert Craig Musgrave of The Doctors Company, which offers cyber insurance, identifies the top priorities.

Apr 7, 2016

Securing the Distributed Workforce

Today's distributed enterprise faces two key challenges: Provide top-notch cybersecurity and ensure a seamless user experience. Paul Martini, CEO and co-founder of iboss Cybersecurity, discusses a new strategy designed to meet both goals.

Apr 5, 2016

The Case for Cloud-Based IAM

At a time when workers use more apps than ever to do their jobs - and from more locations and devices than ever - traditional IAM is simply not sufficient, says David Meyer of OneLogin. Cloud-Based IAM is what organizations truly need.

Apr 4, 2016

Creating a Framework for a Security-Privacy Dialogue

A new coalition of leaders from government, industry and privacy advocacy groups hopes to help provide a framework for reaching a consensus on how to use IT to ensure society's security while protecting individuals' privacy, says Art Coviello, an organizer of the new Digital Equilibrium Project.

Apr 4, 2016

Ransomware: Healthcare Fights Back

MedStar is but the latest healthcare entity to fall victim to a ransomware attack. What can organizations do proactively to improve their ransomware defenses and response? PhishMe CEO Rohyt Belani offers insight.

Apr 1, 2016

New Cybersecurity Task Force: Will It Make a Difference?

David Finn, a former healthcare CIO, says he agreed to join a new Department of Health and Human Services cybersecurity task force because he supports its mission of involving representatives of all healthcare sectors in the effort to tackle challenges. In this interview, he outlines key security issues.

Mar 30, 2016

DDoS: It's Not Necessarily What You Think It Is

Many organizations both misunderstand and underestimate the power and scale of today's DDoS attacks, says Darren Anstee of Arbor Networks. And these lapses may be negatively impacting enterprises' DDoS defense.

Mar 30, 2016

Leveraging Security to Meet Compliance

PCI DSS 3.1 is scheduled to become effective as of June 30, 2016, and with that comes several changes - and challenges for security professionals. In an interview, Dell's Tim Brown discusses why network security is instrumental to ultimately meeting PCI DSS 3.1.

Mar 29, 2016

Report: IT Security Threat to Intensify in Next Two Years

A new report, Threat Horizons 2018, from the Information Security Forum paints a fairly pessimistic picture of enterprises' ability to protect their IT from cybercriminals over the next two years. In an interview, ISF's Steve Durbin discusses what organizations can do to mitigate cyberthreats.

Mar 29, 2016

UK's Hottest Banking Fraud Schemes

Cyber attackers are not just more sophisticated and more persistent than ever before. They also are greedier, says IBM Security's Limor Kessem, who shares insight on the latest fraud threats to UK banking institutions.

Mar 29, 2016

How to Prepare for 'Phase Two' HIPAA Compliance Audits

Now that the Department of Health and Human Services has announced that it will soon begin the next round of HIPAA compliance audits, organizations need to take specific steps to prepare in case they're chosen for scrutiny, says attorney Robert Belfort, a regulatory specialist.

Mar 28, 2016

Legal Issues Persist as FBI Backs Off in iPhone Case

Although the battle over whether the courts should compel Apple to help the FBI unlock the iPhone used by one of the San Bernardino shooters is on hold for now, the debate over the privacy issues involved isn't going away, says Greg Nojeim of the Center for Democracy and Technology.

Mar 23, 2016

CIO/CISO - Finding the Critical Balance

In many enterprises, the CISO reports to the CIO, and occasionally you find a CIO who reports to the CISO. But Venafi's Tammy Moskites holds both roles. How does she manage the natural tension between IT and security?

Mar 23, 2016

Case Study: A Community Bank Deploys Biometrics

Cambridge Savings Bank in Massachusetts is incorporating biometrics into its online and mobile banking platform as a way to limit, and in some cases remove, the need for username and password authentication. In this case study interview, two bank executives discuss what others can learn from the project.

Mar 22, 2016

Federal CISO Will Face Tough Challenges

The White House has yet to announce who will be the government's first CISO, a position President Obama announced six weeks ago. In this audio report, experts weigh in on whether there's enough time left for the new information security leader to be effective before the president's term ends.

Mar 21, 2016

Cyber Mistakes Smaller Healthcare Entities Must Avoid

Smaller hospitals and clinics must avoid the common mistake of thinking they won't fall victim to cyberattacks, warns risk management expert Tom Andre, vice president of information services at the Cooperative of American Physicians.

Mar 21, 2016

Visualizing the Entire Attack Surface

In the world of the extended enterprise, everybody seeks greater visibility into network activity. But Gidi Cohen was there in 2002, founding Skybox Security to provide analytics to improve cybersecurity. Cohen discusses the evolution of visibility.

Mar 18, 2016

Terrorist Financing a Growing Worry for U.S. Banks

Growing worries about the use of the U.S. financial system to launder funds for terrorists have spurred proposals for new state and federal regulations aimed at tightening money-laundering controls. Attorney Lauren Resnick explains steps banks are taking to help detect suspicious activity.

Mar 16, 2016

Cyber Insurance: A Buyers' Market?

Although relatively few carriers offer cyber insurance, buyers can negotiate favorable terms when purchasing policies, say Experian's Michael Bruemmer and NetDiligence's Mark Greisiger, who explain why in this interview.

Mar 11, 2016

Case Study: A CISO's View of Security's 'Paradigm Shift'

In a one-on-one discussion about today's top healthcare security challenges, Premise Health CISO Joey Johnson talks about the "paradigm shift" needed to move entities from a compliance mindset to one that embraces true cybersecurity.

Mar 11, 2016

CISOs Playing a Larger Role

Because of growing cybersecurity concerns, CISOs in the financial sector finally are getting more time with their boards of directors and more direct interaction with senior executives, says John Carlson, chief of staff at the Financial Services Information Sharing and Analysis Center.

Mar 10, 2016

Study: Automated Info Sharing Improves Threat Response Time

Automated threat intelligence sharing can significantly reduce the amount of time it takes organizations to identify, assess and react to attacks, according to new research from Johns Hopkins. Mark Clancy, CEO of Soltra, says automated information sharing with government and other sectors is catching on.

Mar 10, 2016

Could Blockchain Play Broader Role in Payments?

Blockchain technology used by bitcoin and other cryptocurrencies offers opportunities for enhanced authentication and ID management, as well as cross-border money remittances, says Ben Knieff of the consultancy Aite. But he contends it's not clear that the technology could play a role in faster payments.

Mar 9, 2016

Beyond PII & IP Theft: New Proactive Strategies for Stopping Damaging Breaches

The big-name breaches have made us all sensitive to the loss of personal and competitive data. But are we overlooking the real risks? Shawn Henry of CrowdStrike offers insight on how we need to evolve our core defenses.

Mar 9, 2016

Why Traditional Defenses Will Never Work Again

Webroot has just released the 2016 edition of its annual threat brief. In an exclusive interview, Michael Malloy, executive vice president of products and strategy, discusses the report and how its key findings will likely play out in the year ahead.

Mar 7, 2016

Advanced Threats: The Shift to Response

Threat response is a lot like physical fitness. Enterprises know what they need to do - they often just opt not to do it. RSA's Rashmi Knowles offers advice for how to move from threat prevention to response.

Mar 7, 2016

More Hackers Relying on Compromised Credentials

More cybercriminals are adapting their attack techniques, using compromised credentials linked to privileged accounts to invade networks and systems, according to researchers at Dell SecureWorks, who describe an open source solution that can help mitigate the threat.

Mar 7, 2016

Bringing CIA Cybersecurity Experience to Congress

Former intelligence operative Will Hurd brings his CIA values, including his belief in the benefits of sharing of threat information, to his job as chairman of a House subcommittee with information security oversight. Hurd addresses a number of cybersecurity matters in a wide-ranging interview.

Mar 7, 2016

Why NIST Is Revising Infusion Pump Cybersecurity Guidance

Gavin O'Brien of NIST explains why the institute is reworking its guidance on the cybersecurity of wireless infusion pumps - and when the new advice will be available.

Mar 7, 2016

Up Close: Verizon Data Breach Digest

Unlike other security and breach reports, Verizon's Data Breach Digest is a collection of data breach investigation case studies from around the world. Verizon's Ashish Thapar elaborates on findings from this digest.

Mar 5, 2016

Apple Case Creates Important Policy Debate

Apple's standoff with the U.S. government is creating a healthy debate about whether federal investigators, under certain circumstances, should have the right to circumvent the security functions of smartphones and other devices, says cybersecurity attorney Chris Pierson.

Mar 4, 2016

VA Gov. McAuliffe on Cybersecurity

Virginia Gov. Terry McAuliffe has a message for state leaders across the nation: Cybersecurity has to be a top item on their policy platforms. And, by the way, he very much intends to make Virginia the cyber capital of the United States.

Mar 4, 2016

Tips on Protecting Against Ransomware Attacks

Healthcare organizations must take several important steps to protect their environments against ransomware attacks, says Mac McMillan, CEO of the security consulting firm CynergisTek. He outlines key measures in this interview.

Mar 4, 2016

Spotting Breaches by Studying Users

Organizations can apply user behavioral analytics - the practice of reacting to how people behave in the information security realm - to better spot and block data breaches, says Fortscale's Kurt Stammberger.

Mar 4, 2016