11.11.17

Experts share perspective on the state of journalists’ cybersafety

The Inter American Press Association (IAPA) recently hosted journalists from across the US and Latin America at its 73rd General Assembly in Salt Lake City. For the first time, the assembly included cybersecurity panels, with almost an entire day dedicated to the topic.
Journalists and publishers are increasingly concerned about protecting themselves, their work, and their sources. Rightly so: nearly every aspect of publishing now happens online, from data gathering and file sharing to research, writing, and even phone calls. Journalists sit at the confluence of many cyberthreats that are becoming more sophisticated, and nation-state attacks and cyberespionage campaigns are proliferating.
Michael Kaiser, Executive Director of the National Cyber Security Alliance, moderated this year’s IAPA cybersecurity panels, which included cybersecurity experts from Google, ESET and Utah Valley University.
Stephen Somogyi, a product manager in Google’s Security and Privacy division, began his remarks by acknowledging that, while the panel was about digital threats, the physical threats journalists face are enormous and should not be overlooked.
Journalists targeted by cybercriminals
The discussion then moved to why journalists are targeted by cybercriminals. The panel agreed that journalists hold a lot of power because they act as the voice of the people, and working with critical information puts a target on their backs. Cybercriminals or cyberespionage groups may attempt either to withhold key information or to reveal it at a time and in a manner that is advantageous to them and to the group they represent, whether a nation state or a criminal enterprise.
According to ESET security researcher Stephen Cobb, some of the greatest threats come from well-funded cybercrime and cyberespionage groups that will go to great lengths to accomplish their objectives: “Really the most dangerous groups are well-funded attackers, or threat actors with resources; the more resources the more dangerous they can be.”
As an example, Cobb cited the Mexican government’s purchase of commercial spyware, which was reportedly used to target journalists such as Carmen Aristegui, a reporter who has exposed major government corruption cases. In the hands of well-funded organizations, such hacking tools can be used to intimidate and harass reporters.
Robert Jorgensen, Cybersecurity Program Director at Utah Valley University, expanded on the point of threat actors seeking personal information: “There is a true and present danger of people impersonating journalists or discrediting them and their sources; when the press is the voice of the people and its integrity is compromised, the effects can be so far reaching.”
Kaiser then asked the panel what can be done – even in the face of well-funded organizations: “When you put yourself in the shoes of a journalist or someone like a publisher, how do you begin to understand the risks and build protection around those risks?”
Attacks on journalists can come from a broad range of directions, so risk management is an important concept. Publishers and heads of news organizations should also be involved and ask questions about their security, as should the teams that manage it, whether outsourced IT or in-house.
Knowing which risks exist, and how to mitigate them, is critical. “You need to constantly reevaluate the assessment of what is the risk,” said Cobb. It is an ongoing process in which journalists and publishers should be engaged, and for which they should receive regular training and education. Somogyi pointed out that you need to ask what you are protecting, and how long it needs to stay protected.
“When I interact with journalists they get excited about the James Bond stuff,” said Somogyi, “but what is going to get you and your sources in trouble is the mundane stuff.”
Somogyi gave the example of DDoS attacks, which he explained with this analogy: “You have not slept for days and you have 15 children demanding attention from you, you can keep up.” Technically, this type of attack floods a server with traffic that renders the website inaccessible, so the publisher of the site is no longer able to get their news across. This is one class of attack that is relatively easy to execute, Somogyi said, adding, “It’s a very cold, calculating, and ruthless thing.”
Understand the risks
The panel agreed that the supply chain creates a lot of risk. Attacks may originate not inside an organization but somewhere in its supply chain, where it has little control over the security of its suppliers. The supply chain problem is well known in the entertainment industry, but it is a serious risk for publishers and news organizations as well.
“There are also risks in the software supply chain,” said Cobb, adding “If you are running software – which all companies do – be aware that the bad guys will keep evolving attacks that abuse software at its source, which underlines the need for threat intelligence.”
Matthew Sander, President of the Inter American Press Association, who was in the audience, pointed out that we are at a cyber nexus and asked where to begin with this “sophisticated cybersecurity public health problem.”
“There are a number of frameworks you can look at,” said Jorgensen. “Really it starts with taking an inventory of devices and software. Start small and worry about larger stuff as time goes on.”
“Communication among peers is a very good thing,” said Somogyi. “Find a way to help employees and empower them to adopt good practices.” Simple things matter, like software updates, because “if you don’t update and then get compromised, you become the vector for which your colleagues become compromised.”
Jorgensen suggested that you should start with education, “Anything you do to impart security knowledge to your employees is going to help.”
Cobb agreed that education is a key factor, and that these days it can cover personal computing as well as work computing: when everyone has a computer or smartphone, cyber education and training benefit both work and personal life.
When asked about security standards, the panelists warned that a checklist approach is not enough. Merely checking boxes or complying with standards is not the same as being secure, said Somogyi: “Do not labor under the illusion that compliance gives you security.”

8.11.17

Growth and investment: AEB shapes the future


       Investment in research & development, digitalisation of internal processes and a new generation of IT solutions, all financed from day-to-day operations
       New orders and revenue at record levels
       New €32 million headquarters reflects a forward-looking strategy

AEB GmbH, a provider of software for international trade and logistics, welcomes the future with open arms. The company is investing heavily in research & development (R&D), digitalisation of internal processes, and training and education for employees. The aim is to continue the healthy growth curve of recent years and broaden the foundation for long-term success.

In this context, AEB invests more than 5 percent of its annual revenue in employee development and more than 10 percent in R&D. One of the main objectives is the expansion and further internationalisation of the current software portfolio. A new customs solution, for example, enables companies to handle their customs declarations for many countries with a single solution, automated and standardised.
AEB is also expanding the portfolio with high-performance cloud solutions that can easily be purchased online and quickly configured for use. The software vendor has also founded its own startup with the aim of developing new business models, technologies and solutions.

Standards-based software, tailored to the customer
Another goal of AEB’s R&D investment is to develop a new generation of IT solutions that offer flexible, customer-specific support for business processes. “The idea is that we strengthen the role of logistics for our customers to stimulate innovation and boost growth. Logistics is a factor with which companies can set themselves apart from their competition,” explains Markus Meissner, Managing Director of AEB.
The software is largely based on standard components from the AEB portfolio. The new components can be integrated into a flexibly adaptable process layer in which customers can model their own unique processes down to the smallest detail. “Users get a solution that is built on best practices and is so easy to configure that they can make adjustments themselves,” adds Meissner. “Standard components with special features provide the necessary stability. The customs declaration module, for example, follows the normal maintenance cycle of standard software, so it receives all updates and meets all requirements of the customs authorities at all times.” The first projects based on these new solutions are now in the implementation phase.

New orders and revenue at record levels
AEB has a strong financial position and finances all investments from the cash flow generated by day-to-day operations. The software company’s most recent financial report shows, as in previous years, rising revenue, robust cash flow and a record number of new orders. Revenue in fiscal year 2016 rose by almost 9 percent to €40.8 million, while new orders grew by 12 percent to €18.4 million.
AEB reports a similar positive trend in the current fiscal year. “We seek success that we can afford. The current trend is fully in line with our planning and underlines our long-term focus,” Meissner explains. “This is rooted in our company philosophy: we are happy to forgo short-term profit if it makes us stronger in the long term.”

New headquarters exemplifies the focus on growth and investment
AEB’s corporate culture and the successful growth of recent years are also reflected in the new headquarters. The company has invested €32 million in a new high-tech building in Stuttgart.
The headquarters offers 8,950 square metres of office space and room for 500 employees. The building has an open, transparent, centrally located atrium and more than 400 workstations in bright, flexible, open-plan office areas, with no fixed desks for the members of a team. The idea is to promote communication, collaboration and creativity among employees. The open areas alternate with ‘think tanks’, private rooms, project rooms and creative spaces. The outdoor area features herb gardens, a sports field and open-air workplaces.


6.11.17

Businesses and GDPR: What they need to do to be compliant

By Editor
Enforcement of the General Data Protection Regulation (GDPR) is now just a few months away. The media have examined and written about the topic intensively, from practically every angle, since it became law. Businesses continue to struggle both to understand and to implement what they need to do to be compliant.
WeLiveSecurity sat down with ESET’s Global Security Evangelist, Tony Anscombe, to better understand the essentials of GDPR.
GDPR comes into force on May 25, 2018. What do you expect to see happening most: companies making sure they are compliant, or companies delaying the development of an action plan?
Speaking at multiple conferences this year – both in Europe and outside, I have witnessed the same issue everywhere: businesses all over the world are unsure of how GDPR will actually work in practice. They do not understand the requirements in detail, do not know if all of them are applicable to their businesses, and they do not understand either the key Data Subject Rights, or the role personal data will play in this regulation.
An understanding of all of these seems critical to meeting the requirements of GDPR once it comes into force. If you manage a business, are the remaining seven months long enough to define what your company needs to do in order to comply?
Well, you can get a lot done in seven months. The majority of European businesses within the European Union (EU) have been compliant with the previous Data Protection legislation, such as Directive 95/46/EC, since 1995. Some of the EU countries implemented local legislation beyond this directive, adding further requirements to give citizens additional protection. For many it is a matter of applying the same principles with greater precision so as to comply with the new requirements that GDPR has added.
Being ‘close’ to compliant can still result in fines of thousands, maybe millions, of euro. What have you seen companies do to accelerate their preparedness for GDPR and what do you think they should be doing?
First, I would recommend that businesses have a privacy professional explain the basic requirements of GDPR in relation to their businesses. They need to understand there is no general approach applicable to all companies. In particular, they need to understand that the critical part of being compliant is based on what type of personal data the organization is working with, how the information is being collected and processed, and finally where and how the same information is being stored; all of these are key to meeting GDPR requirements. This is a very good starting point for the next steps, such as the creation of a personal data inventory.
Once the inventory is created, data will need to be categorized for all the data types you are both collecting and processing, including data coming from citizens of the European Union. It’s incredibly important to note that if you are a company not based in the EU, for example a company based in the USA, you must recognize the requirement to comply with GDPR if you are doing business with EU citizens.
With all the options given to us by online shopping, for example, almost every business selling to the European Union needs to comply. That makes for a long list of businesses, doesn’t it?
Yes, you are right (laughs). Any company that sells or provides goods or services to European citizens and collects data needs to comply. That is true whether they have an office or legal entity in the EU or not. There are questions about how the EU will enforce or impose fines relating to non-compliance on companies not located in the EU, but I am sure they will move quickly to make examples of companies not in compliance to encourage others to comply.
Are there any exceptions? Can I be just selling my handmade soaps to people in EU without being compliant?
Yes and no. GDPR is a requirement for all companies, regardless of size. If you are selling directly through your own website then you need to comply. However, if you sell through a general online store such as Amazon and you are only providing goods to Amazon, which is then responsible for fulfilling and shipping the order, then you may not need to comply. If a company has over 250 employees or its business transactions are based on the handling of personal data, then it is required to employ a data protection officer. The maximum fine for non-compliance is 20 million euro or up to 4 percent of a company’s annual global turnover, which is, for any company, a high number.
While this may sound daunting and the consequences of non-compliance are significant, it’s considered unlikely that regulators will make an example of small businesses that can demonstrate they have a plan and have attempted to comply fully with requirements. It is more likely that the regulator will work with these companies on the additional steps needed to achieve full compliance.
What else can businesses do to make sure they step into the new era of protecting personal data?
I strongly recommend that companies engage the services of a privacy professional, and provide training to their employees focused on instituting a proper plan on how to store and protect data, and that it encompasses the entire company. One of the key requirements is to deploy an encryption solution with access controls, protecting data everywhere you go, even for employees not located on the business’s main premises.
Are you still nervous about being non-compliant with GDPR? Don’t worry, there is still enough time to demonstrate that your company is taking the right steps to protect personal data and learn the core skills needed for surviving the new age of data protection.
___________________
For more information on the General Data Protection Regulation, ESET has a dedicated page to help ensure that you have everything covered before 25 May 2018.