Authentic8 Blog Author: Gerd Meissner

Gerd writes, produces, edits, and manages content at Authentic8. Before, he covered information technology and data security as a journalist and book author in the US and in Europe.

81% of CIOs and CISOs Defer Critical Updates or Patches

New research indicates that eight out of ten CIOs and CISOs refrain from adopting an important security update or patch, due to concerns about the impact it might have on business operations.

*

More than half (52%) said they have done so on more than one occasion. What about in your organization?

The Global Resilience Gap study, commissioned by security software firm Tanium, polled 500 CIOs and CISOs in the United States, United Kingdom, Germany, France and Japan, in companies with 1,000+ employees. Its goal was to explore the challenges and trade-offs that IT operations and security leaders face in protecting their business from a growing number of cyber threats and disruptions.

Infographic: CIOs/CISOs Holding Off on Patches and Updates (Source: Tanium Report)

Source: Tanium

The Problem: “Lack of Visibility and Control”

The report identifies “[l]ack of visibility and control across networks” as the main cause behind such missed or delayed updates.

80% of respondents reported they found out that a critical update or patch they thought had been deployed had not

Meet Frankie Keyes, the Most Trusted Expert in Cybersecurity

Frankie… who? No April Fool’s joke: Francis (“Frankie”) Archibald Keyes, Esquire, a fictitious figure you likely have never heard of, enjoys significantly higher trust among IT professionals than most real-life cybersecurity vendors or experts, according to new survey results from this year’s RSA Conference in San Francisco.

Of those surveyed in our Cybersecurity Approval Poll at RSA, a total of 88% stated that they trusted the made-up Mr. Keyes “much more”, “slightly more” or “about the same” as “other cybersecurity vendors and experts.”

If these results don’t instill much confidence in the industry’s ability to protect its customers from data breaches, malware attacks, and online election meddling, that is the whole point.

Frankie Keyes, a self-proclaimed Mr. Fix-it played by a professional actor, served as the face of F.A.K.E. Security, a make-believe company (website, Twitter handle and all) made up by Authentic8.

Fake Security, Real Survey

F.A.K.E. Security had its own booth

VPN: A Big Misunderstanding?

Most VPN services fail to provide a level of data protection and anonymity that would pass professional-level muster. Part 3 of our VPN miniseries shows how confusion about this 20+ years old technology and its complexities has added new risks and threats.

*

In the first two posts, we focused on the “online privacy” promise of VPN, and on how misconceptions about VPN impact IT security and productivity in the enterprise in general.

In this post, we’ll address the most common misunderstandings about VPN and their ramifications one by one.

A VPN service creates a secure connection (often described as a “tunnel”) between two computers, say between an executive’s laptop at home or on the road and a company server.

This can provide protection, for example when going online via public WiFi networks or consumer-grade home broadband connections. Many services encrypt much of the data transmitted from point to point within the VPN. Others - and that’s the bad news

VPN for Secure and Private Web Access? Think Again.

Many believe a Virtual Private Network (VPN) will protect users against online privacy violations and web-borne exploits. But how far can you really trust VPN? A new report by Authentic8 provides answers that may surprise you.

*

VPN creates an encrypted data “tunnel” between the user’s computer and a secure server - on the corporate network, for example - that can also serve as a springboard to the web. Still, this secure tunnel is not sufficient. Over the more than 20 years that VPN has been around, its limitations have become obvious.

Yes, VPN can make connecting with networks and resources across the web more secure. What is often overlooked: VPN still allows web code to pass through to the locally installed web browser.

This opens the door for malware and spyware infiltration as well as data exfiltration, localization and de-anonymization by third parties. In last week’s blog post, we focused on the “online privacy” promise of VPN. We showed how

5 Must-Read Resources for Compliance and IT Leaders in Investment Firms

Regulated investment firms use the web to gather market intelligence, to access data aggregation tools and business apps, and to communicate via webmail and social media.

While many (if not most) business functions have shifted to the web and cloud apps, including IT security, the primary tool used by research analysts and investment managers remains stuck in IT’s past: the locally installed browser. A holdover from the 1990s, the local browser’s inherent weaknesses make it notoriously difficult to manage, monitor, and secure against web-borne exploits.

This has created a growing compliance blindspot for buy-side and sell-side firms. At the same time, the pressure from federal and state regulators is steadily increasing. Registered investment advisers are one example. By subjecting 17% of firms to OCIE examinations in FY 2018, the SEC already exceeded its own ambitious goal (15%) in this group alone for this year.

Chief Compliance Officers, CISOs and CTOs in the industry have been put on notice. One simple