Today's Tech Digest - Feb 12, 2020


What is data governance? A best practices framework for managing data assets

Data governance is just one part of the overall discipline of data management, though an important one. Whereas data governance is about the roles, responsibilities, and processes for ensuring accountability for and ownership of data assets, DAMA defines data management as "an overarching term that describes the processes used to plan, specify, enable, create, acquire, maintain, use, archive, retrieve, control, and purge data." While data management has become a common term for the discipline, it is sometimes referred to as data resource management or enterprise information management. Gartner describes EIM as "an integrative discipline for structuring, describing, and governing information assets across organizational and technical boundaries to improve efficiency, promote transparency, and enable business insight." Data governance may best be thought of as a function that supports an organization’s overarching data management strategy. A data governance framework provides your organization with a holistic approach to collecting, managing, securing, and storing data.


Average tenure of a CISO is just 26 months due to high stress and burnout

Today, CISO jobs come with low budgets, long working hours, a lack of power on executive boards, a diminishing pool of trained professionals they can hire, but also a constant stress of not having done enough to secure the company's infrastructure against cyber-attacks, continuous pressure due to newly arising threats, and little thanks for the good work done, but all the blame if everything goes wrong. Across the years, many CISOs have often pointed out the problems with their jobs and the stress and damage they inflict. However, there has been no conclusive study to support broad assertions. ... The Nominet study only surveyed high-ranking CISO executive jobs, but the problem is widespread across the industry. Infosec -- or cyber-security -- has a habit of grinding through employees due to the rigors of the job. Low-level infosec positions, like threat analyst or penetration tester, are just as bad in terms of stress level, if not worse, primarily for the same reasons -- constant fear of new incoming attacks, long working hours, low pay, almost no job satisfaction.


How do I build a cloud-ready network?

Enterprises that decide to move processing to a cloud provider must prepare their networks for the migration. That will almost certainly mean upgrading WAN links, but enterprises shouldn't start talking to internet service providers until they've performed a careful analysis of the applications they plan to move. Here are some considerations enterprises should evaluate when preparing a cloud-ready network: Are you planning to move an interactive application to the cloud or begin using a SaaS platform? Are you simply eliminating the need to maintain the resources for end-of-month processing or application testing? Are you currently operating an in-house private cloud but plan to move some of the processing to a public cloud to create a hybrid cloud? Look carefully at what network resources each type of application requires. Interactive applications typically don't move a great deal of data across the network.


Half of cybercrime losses in 2019 were the result of BEC scams

For comparison, BEC/EAC-associated losses were $1.3 billion in 2018, $676 million in 2017 and $360 million in 2016 (with a $30,000 average monetary loss per complaint). The IC3 also observed an increase in the number of BEC/EAC complaints related to the diversion of payroll funds. Some victims can get their money back, though: IC3’s Recovery Asset Team (RAT), which was established to streamline communication with financial institutions and assist FBI field offices, gets involved if the victims made transfers to domestic accounts under fraudulent pretenses. In 2019, they recovered $305 million of the $384 million lost in 1,307 such incidents, by reacting quickly and requesting banks to freeze the accounts involved. In some cases, they even managed to identify the scammer. “In February 2019, the IC3 RAT received a complaint involving a BEC incident for $138,000, where the victim received a spoofed email and wired funds to a fraudulent bank account in Florida. The RAT took quick action and worked with key financial partners to freeze the funds,” the IC3 shared.


Presidential campaigns taking email security more seriously--not so much at the local level

While the picture for email security at the presidential campaign level appears to be improving, at the local level, email security seems to be overlooked: 142 of 187 domains used by election officials in the three largest counties (or parishes) in every state don't use DMARC at all. Of the remaining jurisdictions, 42 use monitor-mode only, and 11 use invalid DMARC, leaving only 5.3% of those local domains protected by DMARC, Valimail's research shows. At the local level, "it appears to be awareness more than anything else," that is a problem with adopting DMARC and other secure email technologies, Blank says. "There is an enormous amount of technology that exists [but local officials] don't even know where to start and that there are tools that can help." Organizations such as the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) stand ready to help campaign officials learn what the best technologies are and how to deploy them. Last week the group issued summary guidance for what it calls "essential cybersecurity" for election officials. The three key technologies the M3AAWG advises campaigns to use are multi-factor authentication (MFA), email authentication and encryption.

Tejasvi Addagada

Data Leader | Privacy Officer | Best selling Author

4 years ago

Kannan Subbiah, Good to see #datagovernance being focused on in the tech digest. #DataManagement is the science of actively managing data definitions, quality, privacy, architecture, and data lifecycle along with the value and risk associated with data. Data Governance is oversight of data management activities to ensure that policy and ownership of data are enforced in the organization. The emphasis is on formalizing the data management function along with the associated #dataownership roles and responsibilities. In addition, governance also ensures that data management as a service is sustainable as a function thereby enabling active management of data.
