Too many organizations around the world take a "bare minimum" approach to third-party risk management, says Jonathan Ehret, founder of the Third Party Risk Association, who offers risk mitigation insights.
Hackers have repeatedly stolen valuable data - including launch codes and flight trajectories for spacecraft - from NASA's Jet Propulsion Laboratory in recent years, according to a new inspector general audit, which describes weak security practices.
The early days of email attacks - so much noise in the form of malware, spam and links - have given way to attacks that often rely on little more than words, and email gateways often struggle to arrest social engineering ploys, says Michael Flouton of Barracuda Networks.
Many cybersecurity tools are designed to block or allow specific activities based on prescribed rules, but with insider breaches continuing, enterprise protection also requires real-time reaction to actual user behavior, says Carl Leonard of Forcepoint.
When migrating systems, data and applications to the cloud, a critical security step is to involve compliance auditors in the process as early as possible, says Thien La, CISO at Wellmark Blue Cross Blue Shield.
The city of Riviera Beach, Florida, has agreed to pay hackers about $600,000 in bitcoin to end a ransomware attack that crippled the city's IT infrastructure for nearly a month. In another recent incident, Baltimore refused to pay a ransom after an attack and faces $18 million in recovery costs so far.
Bad news for anyone who might have hoped that the data breach problem was getting better. "Anecdotally, it just feels like we're seeing a massive increase recently," says Troy Hunt, the creator of the free "Have I Been Pwned?" breach-notification service. Unfortunately, he says, the problem is likely to worsen.
Bug bounty myths: All such programs must be public, run nonstop, pay cash to bug-spotters and allow anyone to join. But HackerOne's Laurie Mercer says such programs often run as private, invitation-only and time-limited endeavors, sometimes offering only swag or public recognition.
Organizations are increasingly relying on threat intelligence to help them better identify malicious behavior before it hits the network - or users encounter it - including using domain name system analysis to track emerging campaigns, says Corin Imai of DomainTools
A group of 22 state attorneys general, mainly from Democratic-leaning states, are demanding Congress offer local officials more support - including grants and equipment standards - to improve election infrastructure security in the run-up to the 2020 presidential contest.
Defending organizations against attackers is more challenging than ever. "The complexity and sophistication of the threats has increased," says Cisco's Mark Weir. "What we're seeing a lot of at the moment as well is intellectual property theft."