Some Favorites From Other Sites

4 hidden risks of your enterprise cloud strategy

This CIO piece examines the unexpected challenges that await IT leaders unaware of — or unprepared for — shifting risk postures, emerging regulations, or shortcomings in their approach to the cloud. Read full story

Will generative AI kill KYC authentication?

This CSO piece looks at how generative AI can create fake documents and personal histories that fool common know-your-customer authentication practices. Read full story

Is your cloud security strategy ready for LLMs?

This CSO piece looks at existing cloud security practices, platforms, and tools that will only go so far in protecting organizations from threats inherent to the use of AI's large language models. Read full story

The New SEC Cybersecurity Rule: The Good, the Bad, and the Maddening Frustrations and Contradictions

A deep dive into the SEC cybersecurity regulation. Read full story

Tips for Modernizing SecOps Teams

This Dark Reading special report looks at ways security operations teams can improve their efficiency and effectiveness to address the latest threats. Read introductory description | Read full story

Rise of the cyber CPA: What it means for CISOs

This CSO piece answers the question: New accountant certification rules starting January 2024 could deliver many new cybersecurity-trained accountants. Is this good or bad news for CISOs? Read full story

How US SEC legal actions put CISOs at risk and what to do about it

This CSO story looks at how CISOs could find themselves in a painful Catch-22 situation when the US Securities and Exchange Commission’s new cybersecurity rules are enacted in December. Read full story

What CISOs Should Exclude From SEC Cybersecurity Filings

This Dark Reading story examines the question: Should CISOs include only known information in the SEC filings for a material security incident, or is there room to include details that may change during the investigation? Read full story

Do CISOs Have to Report Security Flaws to the SEC?

This Dark Reading story examines the new SEC rules that make it seem that there is no need to report the presence of security vulnerabilities, but that doesn't quite tell the full story. Read full story

Confusion Surrounds SEC's New Cybersecurity Material Rule

This Dark Reading story examines the complex question with elusive answers in determining what to report, and what details to disclose. Read full story

CISOs Need Backing to Take Charge of Security

This Dark Reading story examines the question: Unless the CEO and other C-suite executives defer to the CISO's decisions on cybersecurity, is that CISO really running things? Read full story

What Implementing Biometrics for Authentication Looks Like

This Dark Reading story examines how CISOs are incorporating biometrics as part of their multifactor authentication strategies. This is what they should be thinking about during implementation. Read full story

Choose the Best Biometrics Authentication for Your Use Case

This Dark Reading story focuses on how voice, face, and vein recognition each has its pros and cons. Here's what CISOs need to know. Read full story

Companies Must Have Corporate Cybersecurity Experts, SEC Says

This Dark Reading story focuses on how enterprises must now describe their management's expertise in cybersecurity. But what exactly does that entail? Read full story

SEC Adopts New Rule on Cybersecurity Incident Disclosure Requirements

This Dark Reading story focuses on how boards must now file notice of a "material incident" within four business days, though questions remain. Read full story

Biometric Kiosk Authentication — A Talk With Frank Olea

This Kiosk Kiosks story focuses on how, as kiosks handle more sensitive and compliance-controlled data (as well as literally giving users money and other high-value items), robust authentication becomes critical. Read full story

Generative AI: Coming soon to a kiosk near you

This Kiosk Kiosks story focuses on how the most talked-about technology this year, generative AI (the technology behind ChatGPT, BingChat, Google Bard and dozens of other implementations), is likely to be talking right from the speaker of most kiosks quite soon. Read full story

Why Legacy System Users Prioritize Uptime Over Security

This Dark Reading story focuses on how the fear of mission-critical systems grinding to a halt overrides line-of-business execs' cybersecurity concerns. How can CISOs overcome this? Read full story

How Boards Can Set Enforceable Cyber Risk Tolerance Levels

This Dark Reading story focuses on boards that love to say they have a low risk tolerance. But are they willing to make the expensive and painful decisions needed to make it truly happen? Read full story

Kiosks Look Good If They Are Properly Tweaked For The Visually-Impaired

This Kiosk Kiosks interview with Sabine Croxford of the Royal National Institute of Blind People (RNIB), one of the UK's leading sight loss charities, argues that in a world where so many people are visually impaired to varying degrees, it is wise to rethink kiosk features, the screen layout, compatibility with peripherals (such as headphones), kiosk placement (away from noisier areas), and overall design. Read full story

Security Is a Revenue Booster, Not a Cost Center

This Dark Reading story focuses on how understanding what customers and partners need from a company can help CISOs show the real financial benefits of improving cybersecurity. Read full story

How CISOs Can Reduce the Danger of Using Data Brokers

This Dark Reading story examines how, without proof that purchased data was collected legally, that data can threaten an enterprise's security compliance and may expose the company to litigation. Read full story

How CISOs Can Work With the CFO to Get the Best Security Budget

This Dark Reading story looks at how CISOs can and should push back when they're presented with budget costs that affect the business. Here's how. Read full story

Why Does IT Link Purchase Strategy With Their Company Size? Does That Make Any Sense?

This InfoBlox Blog story looks at how, when executives strategize their IT purchase plans, they may pigeonhole their companies into buckets, such as enterprise or SMB. But those classifications are typically based on annual revenue or, far less often, the number of employees. Is that really the right metric for IT strategies? Read full story

When deploying Zero Trust, don't forget about DNS

This InfoBlox Blog story looks at the Zero Trust strategy discussions among enterprise security teams. The problem is that every enterprise is implementing ZT differently, and many CISOs are struggling to find the ideal approach for their business. Read full story

Interactive Self-Order ROI - BurgerFi Case Study

This Kiosk Association story examines how finding, sustaining and ultimately proving kiosk ROI can be tricky. Karl Goodhew, the chief technology officer at QSR BurgerFi, has come up with a very repeatable method of bringing home the kiosk ROI. Read full story

What To Do About Cyber Insurance Trying To Exclude Nation-State Attacks From Coverage

This InfoBlox Blog story examines the cat-and-mouse game between enterprise security teams and the insurance companies trying to do whatever they can to limit what they have to pay. Read full story

Beyond Security, DNS is a Cost-Cutter

This InfoBlox Blog story examines how DNS is typically viewed as a fine method for post-incident investigation, but that's about all. In truth, given the reality of today's threat environment, DNS can save money, accelerate the blocking of attacks and defend against a wide range of DNS-specific attacks that can't be blocked any other way. Read full story

Discovering the Benefits of Discovery

This InfoBlox Blog story examines how IPAM can fill in the data gaps from DHCP. With enterprise cybersecurity under almost constant attack today, CISOs need a complete and current view of their entire global environment. Read full story

Kiosk Privacy Is About To Get Far More Complicated – Feature

This Kiosk Industry story examines kiosks as a highly effective way to interact with customers, but in healthcare settings they must be handled carefully to avoid compliance, privacy and cybersecurity problems. Read full story

Critical Privacy Considerations For Kiosks – Feature Article

This Kiosk Industry story examines kiosks and the flood of new privacy rules and consent litigation that go well beyond compliance rules. Read full story

While Rivals Struggle to Hire, Amazon Has an Employee Surplus

This Motley Fool story examines how many enterprises are struggling to find enough employees, especially in lower-level roles. But Amazon has hired more employees than it needs, and it did so deliberately. Here's how the company's massive scale and ambition could help it turn a potential weakness into yet another strength. Read full story

The Case for Cybersecurity Modernization

This InfoBlox Blog story examines government regulators' increased and active interest in cybersecurity defenses, especially with transportation and energy industries. Although the best practices proposed are basic measures that organizations should take, there are additional approaches that can boost an organization's security capabilities and responsiveness. Read full story

Coupling AI with Asset Management & DNS Can Make An Amazing Difference In Speed

This InfoBlox Blog story examines how leveraging AI with asset management, on top of DNS management, can accelerate detection and blocking of an attack some 60 times. Read full story

Modern Security Defenses Need To Examine IPAM, DNS

This InfoBlox Blog story examines the least surprising observation about the 2021 security landscape: that it is far more complicated and attacker-friendly due to changes such as remote sites, IoT, soaring cloud use and partners demanding an ever-increasing amount of access to sensitive operational data. What is surprising, however, is how many enterprises are not leveraging DNS, IPAM and related tools that already exist in their environments. Indeed, one of the most useful things about DNS and IPAM is that they can detect patterns of movement within the enterprise that many other tools miss. Read full story

In Today's Sharply Different Enterprise Security Environment, Additional DNS Analysis May Prove Critical

This InfoBlox Blog story examines how the enterprise security world changed forever in March 2020, with almost all enterprises flipping from 90 percent of people and information flow happening inside to 90 percent (or more) happening outside. The implications of this, coupled with sharp increases in cloud and IoT, have forced CISOs to deal with an environment completely different from what they are used to, and from what they were trained for. Read full story

Zero Trust Networking Is Needed, But It Must Be Implemented Aggressively

This InfoBlox Blog story examines how Zero Trust Networking (ZTN) is more of a concept of security, an approach, an ideology if you will, than a detailed specification. There are many ways of implementing ZTN, but the common thread is that everything must prove that it is a legitimate user. No "well, you're here in a secure area so something must have approved you" thinking. As a Unix admin would say, no trusted host anymore. Read full story

For energy executives to boost efficiency, they must first know what they don't know

This TechCrunch story examines what energy executives can do to make major changes across the globe. Not only will such change take a very long time, but energy executives have a limited ability to materially move that needle. Read full story

Hard lessons

This SC Magazine story explores the industry's hard lessons and what security teams across industries can learn from them. Read full story

The AI advantages for healthcare and finance

This TechCrunch story examines how, when senior executives at two of the world's most highly regulated verticals (healthcare and finance) explore ways of improving operations, boosting margins and delivering it all with a strong ROI, their go-to plan focuses on pushing technology. Read full story

AI that explains its recommendation delivers far better ROI

This TechCrunch story examines decision-makers' lack of trust in AI, meaning that they resist, if not disregard, its recommendations, from security teams defending against malware-armed attackers, to marketing trying to predict next season's buying habits, to manufacturing trying to guess the next piece of machinery to break down. Read full story

From venture capital to internet capital: founders have a better way to fundraise more online

This TechCrunch story looks at how, for startups looking to raise capital, more and more founders are turning to online fundraising. These platforms are relatively new, launching as a direct result of the 2012 JOBS Act, which paved the way for startups to publicly advertise their capital raises and leverage equity crowdfunding to turn everyday customers into investors, whether or not those customers were "accredited investors". Read full story

New attack vectors fortifying the phishing culture

This SC Magazine story looks at the race to keep up with changing phishing attacks built to defeat new defenses. In the end, attackers are evolving faster than defense strategies are developed. Read full story

IoT Security Needs Pen Testing Approach

This IoT World Today story examines how experts say IoT pen testing is a no-brainer, but don't test everything. Read full story

Follow the bouncing compliance regulations

This SC Magazine story explores how ever-changing rules, corporate landscapes, and supply chains keep compliance mandates always in play. Juggling those variables makes the CISO's compliance requirements a moving target. Read full story

6 new ways threat actors will attack in 2021

This CSO story looks at cyber criminals leveraging improved capabilities and vulnerabilities introduced during the COVID crisis to improve the efficiency of their attacks. Read full story

Continuous Authentication: Superficial Confusion, but More Security

This Virtasant story looks at how security technology is supposed to telegraph its functionality, but in the case of continuous authentication, the name does a great disservice to the technology and, more critically, to the CISOs and CSOs who potentially benefit. Read full story

How grocers survived the COVID crush

This Protocol story looks at how the software that facilitated decades of thin but stable margins in the grocery industry couldn't handle the weight of a pandemic. Read full story

Gaining visibility to network attacks

This SC Magazine story looks at how CISOs are wrestling with limiting attack surface risk while COVID-19 is exploding the size of corporate networks far beyond the firewall. Controlling endpoints and deploying zero trust models are key to containing potential breaches. Read full story

How shadow IT could cast a cloud over returning to work

This SC Magazine story looks at the physical security aspect of empty office buildings forced closed by COVID-19. Read full story

Are your fleet's vehicles leaking your data secrets?

This SC Magazine story looks at how enterprise CISOs are used to worrying about corporate data leaks via typical mobile, remote locations, IoT and Shadow IT. But what about the vehicles used by so many people who have access to the systems and data you are paid to protect? Read full story

IoT security: It is about context and correlation

This SC Magazine story looks at shadow IT as one of the biggest threats: trying to defend against every IoT device in the company might not be the answer, but having rules in place could help. Read full story

Cloud Security And Compliance Will Get Even Trickier As 2020 Progresses

This InfoBlox Blog story looks at the cloud as a powerful way to boost bandwidth and scalability and to help with security, but it brings significant complexity for both security and compliance. Read full story

If You Want To Leverage 5G When It Arrives, Start Network Upgrades Now

This InfoBlox Blog story looks at how 5G carrier rollouts will be slow and the argument on why CISOs/CIOs need to focus on this right away. Read full story

Building a Better Asset Management Program

This SC Magazine story looks at network vulnerabilities that often occur in conjunction with some other IT security policy or procedure violation, creating a multilayer challenge for the security team. Read full story

Rethinking cyber risk

This SC Magazine story looks into how it's time to rethink risk – both how to operationalize it and how to define it. With all the incompatible views of risk from different stakeholders through an enterprise, it's hardly surprising that so many organizations struggle to get beyond checklist security mentality. Read full story

How To Protect—And Defend Against—IoT In A 5G World

This InfoBlox Blog story looks into upcoming 5G rollouts that are going to complicate Internet of Things (IoT) security far more than what we have now. Read full story

Knowing your assets is job one

This SC Magazine story looks at how today's enterprise environment has transformed asset management from something that was difficult to track into something that is often almost impossible to track. Read full story

Where enterprise CISOs go wrong

This SC Magazine story looks at where CISOs can fall short when best laid plans are often fraught with mistakes — some big, some more nuanced. Read full story

The Best Ways To Use AI To Help with Security

This InfoBlox Blog story explores how AI can be used to review all internal and external threat feeds while the security team defends against an active attack. Read full story

You're breached! Balancing the threat with considered defenses

This SC Magazine story explores what CISOs do right and wrong when fighting an active attack. Read full story

Compliance: Watch your step!

This SC Magazine story explores the perilous pitfalls of compliance. Read full story

Follow the bouncing compliance regulations

This SC Magazine story explores how ever-changing rules, corporate landscapes, and supply chains keep compliance mandates always in play. Juggling those variables makes the CISO's compliance requirements a moving target. Read full story

Upping The [Threat] Intelligence Quotient of Incident Response

This SC Magazine story explores how judicious use of threat intel can be vital when actively defending against an attack. Read full story

Putting Threat Intelligence Into Context

This SC Magazine story explores how companies need to regain control over their threat intelligence feeds. Read full story

Reshaping The Retail Industry Paradigm Through AI

This Harvard Business Review piece explored the future of retail and AI. Read full story

Phishing Reference Guide: Alternative Medicine To Phight Phishing

This SC Magazine piece discusses how users are still baffled and defeated by phishing hustlers. CISOs and CIOs unleash their red teams to help users recognize the pernicious attacks. Read full story

CISOs vs. the Board

This SC Magazine piece discusses the delicate conundrum of security chiefs who need to tell the board the truth, albeit a more palatable version of the truth. Read full story

Ransomware: Often, there might be honor among thieves

This SC Magazine piece discusses how ransomware is a business and, as such, has rules, requirements, customer support, and a driving need for customer loyalty and trust. Trust your attacker? Read full story

The changing cultures of identity and authentication

This SC Magazine piece discusses how the risk of getting identity wrong and enabling a breach is driving behavioral analytics and other technologies, taking IAM to new heights. Will that solve the problem? Read full story

Sharing is caring—and smart

This SC Magazine piece discusses how sharing threat intelligence in an ISAC can make companies stronger when they fully participate. Read full story

CISOs struggling to take the risk out of risk

This SC Magazine piece discusses that risk is everywhere, but how can a CISO reduce the company's risk profile without accidentally introducing even more? Read full story

B2B Digital Payments

Evan Schuman wrote and reported this Harvard Business Review piece that looks at how mid-sized companies are struggling with B2B digital payments and the strategies to take those payments to the next level. Read full story

SIEMple evolution

This SC Magazine piece discusses how the future of SIEM is cloudy, literally and figuratively, as companies strive to keep up with potentially billions of events. Evan Schuman explains. Read full story

Solving the enigmatic insider threat within

This SC Magazine piece discusses the insider threats that can be malicious or accidental, but they are always a threat. Evan Schuman explores how to solve the puzzle with analytics. Read full story

Can machine learning successfully combat social engineering?

This Emerge piece discusses how the single largest threat to everyday enterprise security systems is social engineering, where cyberthieves rely on deceit and human emotions to trick people into revealing sensitive data like passwords and personally identifiable information. But in an interesting twist, leveraging artificial intelligence (AI), researchers are now working on systems that can function as the human, using machine learning (ML) to predict when the other person is being deceitful. Read full story

A Security Champion in the Developer Midst May Just Solve the Secure Code Conundrum

This Veracode Blog piece discusses how the enterprise challenge in generating secure code is well known: as software becomes a competitive advantage and customers expect regular updates, the need to release new features and content frequently often trumps the need to release secure code. Although that's a true conflict, it's not the full story. Read full story

Man vs machine: The future of AI

This SC Magazine piece reports the fear of successful cyberattacks meets fear of unintended consequences when machine learning is your first line of defense. Read full story

Maximizing the Bang for Your Security Training Buck

This Veracode Blog piece covers how developer training on application security is critical to the success of every security program, but many companies deploy training improperly or insufficiently, argues Maria Loughlin, VP of Engineering at CA Veracode. Read full story

IT Is Finally Embracing DevSecOps

This Veracode Blog piece is about how it's taken quite some time to get here, but enterprise IT execs are finally embracing DevSecOps. Read full story

Can DevSecOps Boost Your Bottom Line?

This Veracode Blog piece covers how one of the sad truths about security is that it has typically been viewed by enterprise C-level executives as akin to an insurance policy: necessary, but something that would never produce profits, boost revenue, or attract new customers. But are those long-held perceptions changing? Read full story

What could a machine learning analysis of a helpdesk reveal?

This Emerge piece states that using artificial intelligence (AI)—and especially one example of AI: machine learning (ML)—is all the rage these days with enterprise IT. But could it also turn the reactive "have you tried restarting?" corporate helpdesk into a mechanism that could anticipate and predict technology problems before they're readily apparent? Quite possibly. Read full story

Is Machine Learning Part of Your Security Strategy?

This IDG piece states that machine learning technology is still an evolving area in security. But it has the potential to be a game changer. Read full story

Can Shadow IT Be Good for Enterprises?

This IDG piece discusses how shadow IT was borne out of innovative necessity, often causing security headaches. But there are strategies for controlling it. Read full story

Managing mobile devices: IT's version of Whack-A-Mole

This SC Magazine piece asks: Has MDM gotten out of hand? As enterprises try to rein in mobile devices, new ones pop up on the network and additional software is installed to manage the chaos. Read full story

Making Identity and Access Management Work for You

This IDG piece states a successful Identity and Access Management plan requires multiple departments to be involved in data identification. Read full story

The French approach to AI privacy won't solve the real problem

This Emerge piece is about how France's President Emmanuel Macron last month laid out a vision for artificial intelligence (AI) dominance in a major speech, a vision that he hopes will place top global AI resources in France and not China or the U.S. But Macron's vision, especially when it comes to realistic privacy goals, seems to ignore key parts of what AI truly is. Read full story

The IoT Threat Can Be Tamed with Internal Communication

This IDG piece states that Internet of Things devices have taken the enterprise by surprise. But communication and understanding can help to mitigate the rising risks around IoT. Read full story

Last-Minute GDPR Compliance

This SC Magazine piece states it's too late to do GDPR compliance right for the May 2018 launch, but not too late to start. Read full story

The Picture of Threat Intelligence

This SC Magazine piece looks at the light side and dark side of threat intelligence. Read full story

GDPR: Conflicted Compliance - Contradicting rules are a bridge to nowhere

This SC Magazine piece looks at how balancing governance, risk and compliance is complicated enough in the U.S., especially for companies in highly regulated industries. Throw in international requirements and now you're dealing with regulations that contradict U.S. regulations directly. Read full story

A Very V-E-R-Y Long Day Without Software

This Veracode Blog story is about making business people better understand how devastating cyber thief and cyber terrorist attacks can be, and how remarkably dependent we are today on software. Read full story

GDPR Resistance is Futile

This SC Magazine story is about U.S. companies that are passionately resisting attempts to comply with GDPR: why they are doing it and why it's self-defeating. Read full story

Digital transformation: How machine learning could help change business

This piece in Ars Technica discusses how ML has more than just a learning curve to overcome before it transforms business. Read full story

Hybrid AI Takes On Cybersecurity

This piece in SC Magazine discusses Hybrid AI's pros and cons. Read full story

Striking the Right Balance Between Security and Functionality

This piece in The Veracode Blog discusses that doing security well is hard work, but it should never block useful functionality for your customers. If security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. And yet two instances from this month suggest that is exactly what is happening. Read full story

Android App Holes Means You're On Your Own

This piece in The Veracode Blog discusses the latest discovery of "132 Android apps on Google Play infected with tiny hidden IFrames that link to malicious domains in their local HTML pages," according to the security firm that made the discovery. Read full story

The Wacky World of GRC

This piece in SC Magazine discusses that there are few areas of technology that are as contradictory as governance, risk and compliance. A company might do everything to be secure yet still not be in compliance. This GRC story won a bronze writing award at the 2018 Azbee Awards of Excellence Gallery (the American Society Of Business Publication Editors). Read full story

Incident Response

This piece in SC Magazine discusses the overarching reality that in the first hours and even days following the detection of an incursion you truly know nothing. Were you perhaps breached more than a year ago and just learning of it now? Could someone on your team — intentionally or otherwise — be a factor? Not only do you know nothing in that first post-breach-discovery phase, but your initial probe might be more misleading than informative. So what should you do? Read full story

How About Some Shared Security Responsibility For Developers?

This piece in The Veracode Blog discusses a reminder that app security has not yet arrived at the optimal state. Consider this piece from Kaspersky's Threatpost pointing out how re-used third-party libraries perpetuate security holes long after they have been discovered. Read full story

Some Surprises in the New New York Cybersecurity Regulations

This piece in The Veracode Blog discusses how, in the US, there exist no meaningful national cybersecurity rules, but, as a practical matter, that is likely to change this year. It's not coming from Congress, though. The catalyst is new rules slated to start in March from the New York State Department of Financial Services. In financial areas, that New York department is typically mimicked by a wide range of other state regulators, along with federal regulators. Hence, de facto national rules. The rules themselves are not especially controversial, primarily being security best practices. The rules insist on regular penetration testing and vulnerability assessments. They also establish strict encryption guidelines and require written access-control policies. Notably, however, the way they approach application security is somewhat novel, and the regulations do contain some language that might cause confusion. Read full story

After the Interview: Things One Journalist Wishes You Did

This piece in NewCo Shift discusses how a news story or feature article published by the right media outlet can have a massive impact on your business — good or bad. After all, most reputable publications have far more credibility than does any marketing collateral your company might craft, simply because the press are considered unbiased observers. Read full story

Got an Appointment with a Journalist? Here's What To Do Before the Interview

This piece in NewCo Shift discusses how you made sure that reporters can reach you. Congratulations! You strategized reasons for them to want to talk with you, and now you have an interview lined up with a journalist from a relevant media outlet. Many companies never make it this far, so you've accomplished quite a bit. Now all you have to do is not blow it. Read full story

Apple's Abandonment Of Its Own App Security Deadline Is Bad For So Many Reasons

This piece in The Veracode Blog discusses a great idea for the most effective way to make life easier for cyberthieves, especially those who are focused on ineffective app security. All you have to do is get one of the most powerful brands in computing to publicly declare a security deadline and then have it quietly withdraw that deadline on the eve of it being effective. Read full story

App Security Deserves Far More IT Respect

This piece in The Veracode Blog discusses how app security today is the Rodney Dangerfield of IT security. Everyone knows about it, but it gets no respect. Isn't it obvious that because apps are granted greater data-sharing with other apps and the ability to update themselves, directly from the mothership and without IT signoff, this should soar to the top of the danger list? Read full story

How To Get Your Company Execs Quoted As Thought Leaders

This piece in NewCo Shift discusses how reporters absolutely love real thought leaders: smart people who offer surprising and useful insights. But true leadership is quite hard to find. If you make it easy for the media to catch your execs being brilliant, your business may well benefit. Read full story

Free Media is a Gift. Make Sure You Can Be Reached

This piece in NewCo Shift discusses the most persuasive kind of publicity is media coverage. Free media is more valuable than almost any kind of marketing, except word of mouth, because it lets you tell the world the value of your offerings, and it comes with the validation of a third party (the publication). Nowhere is press coverage more crucial than for a budget-constrained start-up or small business. Read full story

New Visa Attack Hole Demands New Fraud Defenses

This piece in Sift Science covers the recent finding, published by security researchers, that multi-merchant attacks gave them unlimited attempts at guessing Visa card fields (but not Mastercard fields), a reminder of the inherent fragility of payment card security today. Read full story

Holiday Short-Duration Sites Deliver Long-Duration Headaches

This piece in The Veracode Blog discusses the holiday season and the retail pop-up stores and seasonal sites. Those are all good for merchants, good for gift-seeking shoppers and potentially very good news for cyberthieves hoping for vulnerable sites that can fuel fraud. Read full story

GDPR

This piece in SC Magazine discusses what you need to know about how the EU's privacy rules could impact your business operations. Just because you don't do business directly in the EU, that doesn't mean GDPR won't impact your business. Read full story

Strengthening Your Security With Mundane—But Often-Overlooked—App Maintenance

This piece in The Veracode Blog discusses how it's often said in security circles that a massive percentage of intrusions and breaches could be thwarted by the IT equivalent of eating your vegetables and exercising regularly. Whereas CFOs are often attracted to—or, in some cases, repelled by—the shiny objects of high-end security defenses, the mundane wash-your-hands-before-eating rules have the most impact. That means not reusing passwords, never clicking on unknown links, logging off before walking away and 50 other boring but amazingly effective tactics. Read full story

The Hidden Operational Costs of Fraud

This piece in Sift Science discusses how it's no secret that fraud is costly for online businesses. But are you tracking exactly where your money is going? A new report from Javelin research found that fraud costs merchants more than 7.5% of their annual revenue — a figure computed by looking at a combination of fraud management costs, false positives, and chargeback losses. Read full story

How Safe Is It Letting Google And Apple Be Your App Security Team?

This piece in The Veracode Blog discusses how malware threats are ever-present in mobile and this needs to be a top concern for IT execs, as they continue to issue millions of mobile devices to enterprise workers daily. Read full story

Processing Payments on the Web: 7 Things to Consider

This piece in PCMagazine discusses seven considerations to think about before you make the jump into payments processing on your e-commerce website. Read full story

Can Security And The App Economy Learn To Get Along?

This piece in The Veracode Blog discusses how the App Economy is steamrolling along and has the very legitimate potential to rewrite so much of how businesses use technology. Uber obliterated Yellow Taxis, Pandora and Spotify have all but made FM radio irrelevant and streaming video has forced TV and movie theaters to sit in the back seat. Read full story

How To Avoid Security Scaring Your Shoppers

This piece in Sift Science discusses how security vs. convenience is always a delicate balancing act in e-commerce. But even if you're doing everything "right," security communication can be challenging. No shopper goes to a particular merchant because that shopper thinks that merchant's security is top-notch. Security perception can be a reason that someone decides to not shop somewhere, but it's never a reason they decide to shop somewhere. Read full story

Geolocation Is A Nice Tool For Authentication, But It's Far From Perfect

This piece in Sift Science discusses the truth that geolocation is a very effective—albeit limited—tool to help authenticate a transaction. But Clifford Cook, senior vice president and head of product and marketing for the Retail Payment Solutions division at U.S. Bank is wrong when he says the bank can validate the transaction is legitimate. Not quite. Read full story

The App Security Battle Is Winnable, But Only If You Suit Up

This piece in The Veracode Blog asks how dangerous your app security holes are. Sadly, they are quite dangerous and getting far more so. In a study released Tuesday (Oct. 18) that examined billions of lines of code from 300,000 assessments performed over the last 18 months, a stunning 97 percent of Java applications contained at least one component with a known vulnerability. Read full story

Message Encryption Is Great—Depending On Who Has The Key

This piece in The Veracode Blog discusses how corporate execs are understandably worried these days about all of their electronic communications. Whether messages can be intercepted by corporate spies working for the opposition, government investigators snooping for terrorists or cyberthieves looking to steal what they can get, anything that is intercepted can wind up somewhere else. See Edward Snowden. Read full story

Has The Media Finally Figured Out The Importance Of App Security?

This piece in The Veracode Blog discusses how non-tech media outlets have figured out that applications make wonderful entry points for cyberthieves. Given the layers of complexity that many enterprise apps feature today, it's hardly surprising that they boast massive security holes. That message seems to be finally sinking in. Read full story

Will There Ever Be a Global Standard for Online Payments?

This piece in Sift Science discusses a single, standard way to pay for anything securely online. Sounds great, right? But does this ambitious vision actually stand a chance of happening? Read full story

Why Apple Won't Ever House A Security Backdoor

This piece in The Veracode Blog discusses how much has been written about Apple's official stance against giving law enforcement an encryption backdoor into its customers' files. And Apple's firm position against a backdoor has been painted as a marketing decision, as it gives people a really good reason to buy Apple devices instead of Android or something else. Read full story

Verified by Visa is Abandoning Passwords. But Is It Too Little, Too Late?

This piece in Sift Science discusses the surprising timing of the world's largest card brand's pledge to abandon passwords for just this one program: the plan wasn't to make them disappear by this year's holiday shopping season. Or for next year's holiday shopping season. No, Visa's announced plan was to rid its Verified By Visa world of "password1234" by April 2018. Good to see that this authentication risk is being taken so seriously. Read full story

Security's Weak Communications Skills Can Undermine Safety

This piece in The Veracode Blog discusses how it's hardly a revelation that hardcore security veterans are not at the pinnacle of clear communication. And the more technical the talent, in general, the weaker the communication. For most in IT and almost everyone in corporate outside of IT, this is generally dismissed as a fact-of-life. Read full story

Gift Cards: The Cyberthief's Best Friend

This piece in Sift Science discusses the happy partnership between a fraudster and his gift cards. It's the perfect way to launder stolen funds while also getting a multi-day head start over law enforcement. Much of the reason involves how retailers handle—and, most critically, track—gift cards. Read full story

Can one CISO ever beat an army of IoT devices?

This piece in SC Magazine discusses how the security threat from the Internet of Things (IoT) has grown real because far too many of those sneaky IoT devices fly in under the radar. Corporate maintenance, facilities and operations departments are not accustomed to requesting IT's signoff on purchasing light bulbs or door locks. And yet, when those devices have their own independent — or dependent — communications capabilities, they are an easy backdoor for cyberthieves. Read full story

Could How A Shopper Types Be The Best Authentication?

This piece in The Veracode Blog discusses how it's not what you say, but how you say it. That piece of advice, which has been given to countless politicians and executives over the decades, might be the premise behind an intriguing new approach to biometric authentication. Although to be precise, it's closer to "It's not what you type, but how you type it." Read full story

What Went Wrong With EMV? So Much.

This piece in Sift Science discusses how EMV payments were supposed to modernize payment card security in the U.S. But guess what? They haven't. There is still a fine chance that they will eventually be a huge fraud help in the U.S., but looking into the many deployment problems delivers a frighteningly accurate snapshot of U.S. bureaucracy. Read full story

Why Age Verification Needs To Be A Key Part Of Your Security Strategy

This piece in The Veracode Blog discusses how not only is e-commerce being radically changed due to the mobilization of shoppers, but it's disproportionately happening with younger consumers. At the same time, law enforcement and government regulatory attention is being focused on age violations. And yet, the vast majority of companies have age-verification systems that provide almost no legal protections. Read full story

How Mobile Payments Can Win the Fraud Perception Game

This piece in Sift Science discusses how, when it comes to payment fraud fears and shopping behavior, there's a big difference between what people say and what they actually do. For example, studies show that debit card use is on the rise—despite the fact that the absence of zero liability protections for debit means that credit cards are much safer overall. Those same consumers will tell surveys that they would never shop with a retailer who has suffered a major data breach—and yet those retailers never sustain a detectable drop in revenue. Read full story

All Marketplaces Should Be Concerned with Third-Party Fraud

This piece in Sift Science discusses one of the pitfalls with interpreting judicial decisions is that it's easy to generalize—as in "this case means you had better no longer do X and Y"—whereas judges tend to be extremely specific (as in "this case with these exact players in these exact circumstances shouldn't do X and Y.") A classic example of this kind of misleading analysis is happening with an e-commerce fraud case called Gucci Vs. Alibaba. Read full story

If Security Isn't A Priority For Appdev, What Chance Does A Deployed App Have?

This piece in The Veracode Blog discusses how one of the biggest security threats is that enterprise mobile app testing is overwhelmingly focused on functionality and not security. Pen testing of apps to see what data they—or some third-party app they are integrated with—are actually retaining is hardly ever done prior to deployment, if then. Why? Read full story

Multi-Factor Authentication For E-Commerce Makes Sense—Or Does It?

This piece in Sift Science discusses how fraud prevention has always been about striking the right compromise between convenience and security — and this is especially true in the world of e-commerce. Although multi-factor authentication will work wonderfully in banking and legal—where the end-user is just as worried about security as your CISO—in online retail, it's dicey. People don't typically visit an e-commerce site concerned about credit card fraud. Why make your virtual storefront more difficult to interact with than your competitors'? Read full story

False Decline Costs Are Worse Than We Thought

This piece in Sift Science discusses how research sometimes does little more than confirm what we already suspect — and that, in effect, forces us to confront an uncomfortable reality. Such is the case with new data about false declines. Fresh research from Business Insider puts the false decline problem front-and-center: "U.S. e-commerce merchants will lose $8.6 billion in falsely declined transactions in 2016, according to our estimates. This amounts to over $2 billion more than the $6.5 billion in fraud they will prevent." Read full story

Fighting fraud is one thing. Catching fraudsters is quite another.

This piece in The Veracode Blog talks about how crowdsourcing security holes—aka bug bounties—has become an increasingly popular tech firm tactic, bordering on Silicon Valley standard operating procedure. But as tempting as such an approach is, it's not without serious drawbacks. Read full story

Forcing Monthly Password Changes Only Helps The Thieves

This piece in The Veracode Blog discusses how, when protecting app data, the default response for years has been passwords. And as long as a company's data is solely being defended by passwords, it makes sense to insist that they be changed regularly, no? Would not such mandated periodic changes shorten the life of the access controls for thieves? Turns out that the answer is "no" to all of the above. Read full story

Fighting fraud is one thing. Catching fraudsters is quite another.

This piece in Sift Science discusses how fighting e-commerce fraudsters is a constantly changing game of point counter-point, where we develop defenses against today's attacks and then the fraudsters craft new attacks to sidestep our defenses. Wash, rinse, repeat. We've actually gotten quite good at defending against the common attack types, while cutting-edge approaches using predictive analytics help protect against more sophisticated attacks by detecting patterns that appear to be fraud. Read full story

Your Mobile Apps Retain A Lot More Than You Know. I Guarantee It

This piece in The Veracode Blog discusses a fact about mobile apps that is as true for Fortune 100 companies as mom-and-pops: Rare is the company that understands what data its mobile app retains. Read full story

The Fraudsters Who Don't Need To Hide

This piece in Sift Science discusses how online retailers know the way fraudsters generally act: they conceal themselves behind bogus names and disposable IP addresses. Those HTML hoodlums are risking arrest by various levels of law enforcement, so they have to hide in the shadows. But what if that's not always true? What if some fraudsters are using their real names and aren't hiding at all? Read full story

To Weak Authentication, A Thief Looks Exactly Like A Cop

This piece in The Veracode Blog discusses an uncomfortable truth for IT to internalize: enabling access for a friend facilitates access for an enemy. This is what was behind the anti-backdoor argument that Apple aggressively made, albeit for non-altruistic sell-more-hardware reasons. In effect, if you provide an easy way for government investigators to access data, there's no reason to believe that bad guys won't use a variation of that to steal data. Read full story

Birkenstock Surrenders to the Fraudsters

This piece in Sift Science discusses how fraud-fighting is ultimately an ROI equation. How much time and how many resources can you justify, and how much will this investment reduce your fraud? Given that it's almost never cost-effectively possible to bring fraud down to zero, it's a balancing act. But one major manufacturer—Birkenstock, of sandal fame—has crunched the numbers and decided to give up and let the fraudsters win. Birkenstock has decided to no longer supply products to Amazon as of January 1. Read full story

Keeping Your Breach a Secret and Other Self-Destructive Decisions

This piece in The Veracode Blog discusses a delightful bit of survey happiness out of Ireland: a vendor survey found that "almost half of Irish businesses wouldn't disclose a data security breach to impacted third parties, including customers and suppliers." Even worse, these results likely underestimate how many execs agree with that thinking, but are shrewd enough to not share that with someone taking a survey. Read full story

Big Sales Events Shouldn't Mean Relaxed Fraud Defenses

This piece in Sift Science discusses how the reason for the increase in fraud attempts is essentially the same, whether it's in a store or online. Thieves take advantage of crowds, inexperienced temporary sales people and a perceived relaxing of fraud practices to hide their fraudulent behavior. Why do thieves expect fraud defenses to be relaxed during big sales events? Because, unfortunately, they often are. Read full story

App Encryption Soaring, But How It's Being Done Is Where Things Get Interesting

This piece in The Veracode Blog discusses a very interesting new Ponemon Institute report on app encryption, which concludes that app encryption usage is sharply increasing, as it has consistently for years. The report found 37 percent of the companies examined this year embrace enterprise encryption, up from 15 percent in 2005. Read full story

Is Mobile Authentication Really E-Commerce's Best Shot?

This piece in Sift Science discusses how the strategies e-commerce businesses use against payment fraud—affectionately known in the payments world as CNP (card not present) fraud—all come down to a single concept: authentication. With a physical CP (card present) transaction, there are plenty of easy ways to authenticate. In a virtual reality, that task becomes a lot more challenging. Read full story

Think Your Data Leaks Are Limited To Your Databases? Think Again

This piece in The Veracode Blog talks about security professionals and how they spend an awful lot of time trying to protect sensitive corporate information, locking it away in virtual vaults, as they should. But they often neglect to protect the people who have the keys/combinations to those virtual vaults—in some cases, protecting those key-holders from themselves. Read full story

Obscured Data Can Be A Psychological Security Trap

This piece in The Veracode Blog talks about how encryption and tokenization are great security tools—when executed properly—as they sidestep protecting data and instead attempt to make the data worthless to thieves. It's a great strategy. But when it's executed improperly, it can insidiously weaken security. This happens when IT gets cocky and overconfident that the data would indeed be worthless to attackers and starts to get lax implementing strong prevention tactics, such as firewalls. Read full story

How Can Enterprises Still Be Victimized By Attacks That We've Known About For Decades?

This piece in The Veracode Blog talks about another major security hole reported last week (June 8). This report, from Talos, is about a hole that allows malicious files to be launched when anyone clicks on a PDF from within the Google Chrome browser. Read full story

The Peril Of Confusing A Security Researcher With A Cyberthief

This piece in The Veracode Blog talks about how the security researcher's lot is not an easy one. This player is an essential part of the security ecosystem, an experienced security person who tries to find security holes in systems so that they can be flagged and fixed. The problem is that the good guy security researcher—at a glance—looks and acts an awful lot like a bad guy cyberthief. From the CISO's desk, how is one to tell the difference? Read full story

It's Time To Rethink The Password. Yes, Again

This piece in The Veracode Blog talks about how yet another prominent person in software security is suggesting that the password needs to be done away with—and they invariably say it as though it's a new idea. In reality, the security community has effectively agreed for more than a decade that passwords are no longer sufficiently secure to protect the sensitive data they are tasked with protecting. Read full story

If Government Data Threats Get Companies To Take Data Security Seriously, It May Be All Worthwhile

This piece in The Veracode Blog talks about how perceived security threats motivate IT people the same way they do everyone else. People react to how much a threat scares them, which sometimes has little relation to how truly threatening that threat is. Read full story

Security Needs to Start Deep Within the OS: And It Needs to Start Now

This piece in The Veracode Blog talks about how enterprise security today is, at its most fundamental level, an afterthought. We take the OS, apps, databases and network controls as they are given to us, and then we try to Band-Aid on top of them the best security we can. We use firewalls and filters and VPN tunnels and encryption to try to limit the damage software vulnerabilities can do. As a practical matter, enterprise CISOs have little choice. Or do they? Read full story

When US-CERT Issues an Alert, Does IT Listen?

This piece in The Veracode Blog talks about US-CERT (the U.S. Computer Emergency Readiness Team), which issued an alert about an old SAP security hole after a vendor flagged that attackers were still using it. Read full story

One Problem With Perimeter Security: Today's Networks Shouldn't Even Have A Perimeter

This piece in The Veracode Blog discusses a security consultant's argument that healthcare enterprises need to re-envision security and pull information from the network perimeter back into servers, where everything is easier to control. It's a compelling argument until you get realistic and practical and focus on the reason enterprise networks exist in the first place. Read full story

Survival Instinct

A report for SC Magazine on how some believe preparing an incident response plan is a useless precaution. Regardless, we must have them. Read full story

Peripheral Security Issues Today Are Anything But Peripheral

This piece in The Veracode Blog talks about Microsoft's optional security alert relating to peripherals and specifically mice. Until the patch is implemented, Microsoft said, the peripheral could receive plain English—aka QWERTY—key packets in keystroke communications issued from receiving USB wireless dongles to the RF addresses of wireless mouse devices. Read full story

Badlock Is A Serious Hole, But How It Was Preannounced Is A Disgrace

This piece in The Veracode Blog talks about something unnerving—and even a tad repugnant—about announcing that there's a massive security hole and that it won't be patched for weeks. Welcome to Badlock. Read full story

What's Worse Than Missing An Attack Because It Was Obscured In A Sea Of False Alerts? Not Much

A piece penned for The IBoss Blog on how, for IT security professionals today, one thing that is of minimal concern is an attack that simply goes undetected. Read full story

The Apple-FBI Security Lesson: Redundant Protections Are Essential

A piece penned for The Veracode Blog on the security lesson that can be taken from this FBI versus Apple surrealistic encounter: security redundancy is truly important. We're talking multi-layered security, where any one or two layers can completely fail and security is still maintained. Why? Let's look at the latest in the FBI-Apple encryption dance. And if any of you bought into this "this Apple fight is over" rhetoric, you haven't been paying attention. Read full story

Hospitals Are Security's Biggest Nightmare

This piece in The Veracode Blog talks about how cyberattacks on hospitals represent the true security nightmare scenario. They combine privacy risks far more severe than attacks on the largest banks or retailers with life-and-limb risks that rival remote takeovers of nuclear power plants and cars. Read full story

More SMBs let their guard down on cybersecurity

A piece written for Third Certainty on how, despite rising cyber exposures and intensifying attacks, small and midsize businesses actually may be regressing when it comes to defending their networks. Read full story

The Best Point-of-Sale (POS) Software of 2016

Reviewed Restaurant POS offerings for PCMagazine. Read full story

Jump directly to the individual reviews:
Aldelo POS Pro
PAR Brink POS
Posera Maitre'D POS
Revention POS
Action Systems Restaurant Manager
Menusoft Systems Digital Dining

Vulnerabilities still leave DNS—and businesses—wide open to attack

Looked at encryption and other protection measures for Third Certainty and explored whether they actually may make security more difficult. Read full story

JP Morgan Chase chapter offers frank lessons about insider theft

A piece written for Third Certainty on whether employees must be enlisted—and monitored—as part of security, given that perimeter protection is no longer enough. Read full story

Cyber Arms Race Goes Nuclear With Quantum Computing

This piece in Fortinet discusses strong encryption, the security professional's arms race. Read full story