Cybersecurity Blog

Reblog from Xerox Newsroom
June 4, 2018

Talk To Me. Xerox Adds New Voice Command Solution to MFP Making It Easy to Copy, Print, Fax, Scan and Call for Service

With a full-court press to build the most productive, efficient workplace, Xerox (NYSE: XRX) will feature Gabi® Voice, a smart, intuitive voice command solution for its Xerox AltaLink® multifunction printers (MFPs). Touchless requests to copy, scan, print, fax or place a service call are now possible on this award-winning Workplace Assistant MFP. 

“Let’s face it – hassle-free accessibility and ease of use are important prerequisites to achieving workplace greatness and we’re on the path to deliver just that,” said Tracey Koziol, senior vice president, Workplace Solutions Business Group, Xerox. “Gabi Voice is a significant addition to our ConnectKey® portfolio that equips today’s diverse workforce with the ability to do more with confidence, speed and accuracy.”   

Powered by IBM Watson, Gabi Voice was developed by Gabi Solutions and supports Section 508c of the Rehabilitation Act of 1973, which governs accessibility of information technology for people of all abilities.

With security top of mind in every workplace setting, Gabi Voice checks that box with a number of key features, including:  

  • Whitelisting: Only performs functions that are pre-programmed.
  • Storage and encryption: All data is encrypted and no data is stored.
  • Voice activation and the wake word: Only begins to listen for pre-programmed commands when the user says “Gabi…”
  • Frequent, auto-updates: Security patches can be proactively applied.

Installation is simple with the Gabi Smartbox that communicates directly with the AltaLink MFP. Gabi Voice and all software as a service (SaaS) offerings of the Gabi Smartbox meet security guidelines and certifications set forth by IBM Watson, including ISO 9001, ISO 1400, ISO 50001, OHSAS 1800, Privacy Shield, DAL09, PAR01, HITRUST, ISO 27018, ISO 27017, ISO 27001, SOC 1, SOC 2, FISMA, NIST, GDPR and 508(c).

Reblog from Security Week
May 30, 2018

GDPR: What Every Organization Should Ask Itself

Regulatory Issues Such as GDPR Are a Process in Which Security and Privacy Challenges Should Continuously be Addressed

The deadline for the General Data Protection Regulation (GDPR) has just passed – now what? Many spent the past few months doing everything possible to update and upgrade systems, document changes for compliance purposes, analyze weak points and prepare their information protection systems to comply with regulations, spending millions in the process. Now that the deadline drama has passed, IT organizations can take advantage of GDPR and recognize the opportunity that now exists – to redefine information protection and enhance security posture over the long term.  

Our research has shown that GDPR is a massive concern for nearly all organizations, and little more than a quarter were confident they would be ready by the deadline. Complying with the regulation was the immediate challenge, but now there is an opportunity to capture the good work that has been done and make data protection a top of mind focus for enterprises every day. A common thread throughout many of the recent “mega breaches” is that organizations fail to protect their sensitive data because they simply do not know where it is. Many organizations are at risk across their cloud applications, on their shared network resources and within their email – our research found that 20 percent of files in cloud applications are publicly accessible, that 1 in 50 network files is wrongly exposed and 1 in 400 emails contain confidential information that may go unprotected.

GDPR places strict regulations on organizations that collect or process personal data from EU residents, even if the data handling organization is not based there. GDPR holds all organizations that store and share such personal information accountable for their privacy and security procedures. Not knowing where data is will no longer be just a security risk, but a regulatory one that will carry steep financial penalties. Non-compliance can lead to significant fines, up to €20 million (roughly $25 million) or 4 percent of total worldwide annual turnover. This is amplified by the damage both from the breach itself and the subsequent fall in company reputation. The risk is especially perilous among consumer brands, where reputation is of the utmost importance. Regulators also have the power to stop or suspend an organization’s ability to handle data, which could cause severe operational disruption.

The new rules are designed to ensure organizations are aware of the personal data that they have, protect that data at rest and in transit, embed privacy into their processes and control transfers of that data. This regulation comes at a time when issues of privacy are on everyone’s mind, and against the backdrop of a European regulatory climate that sees privacy as a fundamental human right. As such, the EU has implemented stronger regulations than other global regions. 

Questions for every IT organization

Still not sure that everything was taken care of ahead of the deadline? While May 25th has passed, there’s never a wrong time to evaluate your data protection posture. The first step is to identify the biggest risks to existing data storage and sharing applications to better understand what needs to be adjusted. Everything from wrongly exposed cloud and network files to unsecured email with confidential information is a problem, and finding all the loose threads is necessary before any real changes can be made.

Next, it’s not enough to simply protect data at rest; organizations must understand how to identify and monitor sensitive data wherever it moves. Information travels throughout an organization as a normal course of business and as such, needs to be identified, classified with a rule-based approach focused on compliance and sensitivity, and protected throughout its lifecycle regardless of its resting place. 

Data protection is incomplete without considering access rights management. Organizations need to question how they define access and ensure that only authorized users can view certain information. This has the potential to be the greatest challenge for GDPR compliance beyond the basic blocking and tackling, as it is critical to the privacy aspects of the law. Individuals are gaining new rights, including the right to understand how data is accessed and the right to be forgotten, all of which must be accounted for in any data protection strategy.

It is also critical to recognize that data protection strategy goes beyond files. It is not a matter of securing spreadsheets and business documents, it is an enormous challenge that encompasses data and metadata within logs, data at rest in files stored on-premises and in cloud applications, customer records, cloud workloads stored in AWS and Microsoft Azure, databases and more. Everything must be accounted for in a data protection strategy, regardless of organizational complexity.

Finally, organizations must be prepared for incident response. Identifying when a breach has occurred and being able to respond within 72 hours is imperative. But, they also need to understand that there is a “new normal” in a post-WannaCry world. Proactive protection is now more critical than it has ever been, and all organizations need to emphasize a proactive strategy that is more fluid, agile and intelligent. Catching a breach early, or even better, preventing it entirely, can stop the exfiltration of large amounts of data and will minimize the damage to overall company reputation. As has been seen time and again during major breaches, the longer they go unnoticed the worse the damage is in the end.

What can IT leaders do right now

IT leaders and security officers should shift their mindset and view GDPR as an opportunity rather than a challenge. It’s a great time to engage business stakeholders and encourage them to explore an improved security posture.

Regulatory changes are not just challenges for IT, but can be impediments to business. By bringing leaders from all sides to the table, the organization can better understand the challenges and react in the most appropriate manner. In addition, once actions are decided upon, IT leaders should regularly engage business stakeholders and board members on progress.

Next, a total assessment of all personal data held by the company is imperative, as it is impossible to understand if a company is compliant without knowing what it holds, where it rests, and how it is protected, starting with the most critical data. And, finally, once that is understood, IT leaders need to identify what aspects of their data protection strategy will require new technologies, staff or partners as they work to fill gaps within their strategy.

May 25th has come and gone, but regulatory issues such as GDPR are a process in which security and privacy challenges should continuously be addressed. For those security practitioners who partner with their business leaders to create shared accountability on that journey, the result will be a significant step forward in protecting the data which both people and organizations hold dear.

Reblog from the National Institute of Standards & Technology
April 16, 2018

NIST Releases Version 1.1 of its Popular Cybersecurity Framework

Figure: Identify, Detect, Respond, Protect, and Recover (Credit: N. Hanacek/NIST)

GAITHERSBURG, Md.—The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) has released version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity, more widely known as the Cybersecurity Framework.

“Cybersecurity is critical for national and economic security,” said Secretary of Commerce Wilbur Ross. “The voluntary NIST Cybersecurity Framework should be every company’s first line of defense. Adopting version 1.1 is a must do for all CEOs.”

The framework was developed with a focus on industries vital to national and economic security, including energy, banking, communications and the defense industrial base. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.

“The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. “From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry and academia. The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally.”

Version 1.1 includes updates on:

  • authentication and identity,
  • self-assessing cybersecurity risk,
  • managing cybersecurity within the supply chain and
  • vulnerability disclosure.

The changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were circulated for public comment to assist NIST in comprehensively addressing stakeholder inputs.

“This update refines, clarifies and enhances Version 1.0,” said Matt Barrett, program manager for the Cybersecurity Framework. “It is still flexible to meet an individual organization’s business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”

Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration.

“Engagement and collaboration will continue to be essential to the framework’s success,” said Barrett. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”

The process used to update the framework is now published on the Cybersecurity Framework website to ensure all parties understand how future updates will be made.

Numerous industry surveys from organizations such as Gartner, Tenable and Cisco indicate sustained and increasing use of the framework over time. In May 2017, President Trump issued the Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which directs all federal agencies to use the Cybersecurity Framework. Corporations, organizations and countries around the world, including Italy, Israel and Uruguay, have adopted the framework, or their own adaptation of it.

“We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework,” said Barrett.

NIST will host a free public Webcast explaining Version 1.1 in detail on April 27, 2018, at 1 p.m. Eastern time.

NIST is also planning a Cybersecurity Risk Management Conference—which will include a major focus on the framework—for November 6 through 8, 2018, in Baltimore, Maryland. Detailed information on the conference will soon be available on the Cybersecurity Framework website. The website also includes guidance for those new to the framework, links to framework-related tools and methodologies, and perspectives on the framework from those who use it.

NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life. NIST is a non-regulatory agency of the U.S. Department of Commerce. To learn more about NIST, visit www.nist.gov.


By Luis J. Diaz

GDPR is coming. Are you Ready?

The General Data Protection Regulation (GDPR) takes effect May 2018 and will have a significant impact on companies with IoT devices.

Did you know you can use Gabi® Go for GDPR compliance? Using Artificial Intelligence, natural voice, and biometric multi-factor authentication, this revolutionary app provides a cost-effective cybersecurity solution that ensures your company does not over-retain data on a multifunction printer (MFP) or copier.

GDPR Articles 5, 13, 17 and 25 require companies to dispose of any personal data once it has fulfilled its purpose, unless there is a legal or regulatory obligation to retain the data longer.

Over-retention of personal data is not defensible under the GDPR. Aside from compliance, Gabi® Go dramatically increases employee productivity and reduces total cost of ownership for MFPs.

Call Jonathan Hairgrove at 864-416-7725 to arrange a free demo.