Category: Endpoint Security

Absolute Named Leader in G2 Fall 2019 Grid Report for Endpoint Management

Thanks to high levels of customer satisfaction and positive reviews from verified users, G2 has – for the second time this year – named Absolute a leader in the Fall 2019 Grid Report for Endpoint Management Software. Absolute ranked 10th overall out of 150 total vendors in the category, and was named a top vendor based on positive verified user reviews and high levels of customer satisfaction. The reviews highlight the power of the Absolute platform in delivering endpoint security and resiliency.
With more than 790,000 verified user reviews on the platform, G2 helps buyers make more informed purchasing decisions, allowing them to compare the best software and services for their needs based on peer reviews, satisfaction scores, and synthesized social data.
“Absolute is the last stand in our IT security profile. I like how it integrates with the BIOS to do its thing most of all. Once installed, it’s essentially a hands-off piece of software. And because it is at that low level it can do many things that similar software cannot. But I would be remiss if I didn’t mention the ability to track and recover lost or stolen laptops.” – Senior Network Administrator/IT Manager
Christy Wyatt, CEO of Absolute, had this to say about inclusion in the recently released G2 Grid Report: “We are honored and grateful that our customers are willing to go to bat for us and publicly recognize our product innovation, execution, and dedication to continuous optimization and improvement. At Absolute, our number one goal is to be a trusted partner in making our customers more resilient and deliver the visibility, persistence, and intelligence they need to securely and confidently move their businesses forward.”
Get the full G2 Fall 2019 Grid Report for Endpoint Management Software here. To learn more about what real users have to say about Absolute or to leave your own review, visit our G2 profile.

Absolute Recognized as Hot 150 Cybersecurity Company to Watch in 2020

Absolute was recognized this week by Cybersecurity Ventures in its Hot 150 Cybersecurity Companies to Watch in 2020. As cyber risk climbs, so too grows the number of security vendors. This new ranking features ‘the hottest and most innovative’ cybersecurity companies in the market today.
Hot 150 selection criteria include areas such as: challenges addressed, feedback from CISOs, customer base and notable implementations, founder and management pedigree, company revenue growth, and others. Among the Hot 150, 68 companies are headquartered in the U.S. and Canada.
See the full Hot 150 Cybersecurity Companies to Watch in 2020 in Cybercrime Magazine.

How Machine Learning Can Avert Cyber Disasters

High winds capable of downing power lines across a very dry Northern California are causing officials to shut off power this week for hundreds of thousands of residents. The decision came as a way to reduce the threat of wildfires in an area already hard-hit by natural disaster.
Mother Nature is once again flexing her powerful muscles and Californians are left to cope as best they can, with the information they have. This week’s weather event is yet another example of why researchers are working on how to use machine learning (ML) as a disaster preparedness and response tool. Because machines can quickly analyze massive amounts of data from numerous sources, the goal is to use that information to help community leaders and emergency response teams make more informed decisions.
Like natural disaster preparedness and response, ML also has important implications for endpoint security and the disaster that could originate on an endpoint under cyberattack. As our CTO, Nicko van Someren, explains in the video below, prepared for National Cybersecurity Awareness Month, ML is key to improved security by way of a direct pull-through from IT asset management.
An IT Asset Management Job with a Security Outcome
Within the context of IT asset management, organizations are busier than ever trying to manage the growing number of endpoint devices, applications and data. IT complexity has reached all-time highs. ML has been a very valuable tool for managing that complexity and, while doing so, can also make direct contributions to better security and more resilient endpoints. With the power of ML, you’re not only gaining improved visibility into your assets, you’re learning more about the actions and events happening there and finding patterns.
With patterns inevitably come outliers, and that is so often where vulnerabilities hide. Being able to recognize outliers and remediate any resulting risk is how endpoints – and enterprises – become more resilient.
As Nicko explains: “Keeping machines up to date is an IT management job, but it’s a security outcome. Knowing what devices should be on my network is an IT management problem, but it has a security outcome. And knowing what’s going on and what processes are running and what’s consuming network bandwidth is an IT management problem, but it’s a security outcome. I don’t see these as distinct activities so much as seeing them as multiple facets of the same problem space.”
The growing number of assets is a challenge, certainly. And as security becomes an increasingly critical risk, organizations have been layering on more and more security tools – ten or more agents on each endpoint, says our research. But increased security spend does not equate to improved security. That much is painfully clear. Instead, you’re left with a complex environment full of competing, fallible agents and, consequently, a false sense of security.
Visibility is key and ML can deliver a complete data set that then gives you invaluable insight on what is happening on your endpoints. This way, you can work to reduce complexity and improve endpoint resiliency.
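What “finding the outliers” looks like in practice, as an added example that is not code from the video or from Absolute: each device in an inventory is described by a few counts an asset-management tool already has (the feature names and the sample fleet here are constructed for the example), and a robust z-score based on the median absolute deviation flags the devices that sit far from the fleet baseline on any feature. The median-based statistic is used because the abnormal devices would otherwise pull a mean and standard deviation toward themselves and hide.

```python
"""Outlier detection over per-device asset telemetry.

Added example; not code from Absolute or from the video. The feature names
and the sample fleet are constructed. A modified z-score built on the median
absolute deviation (MAD) is used instead of mean/standard deviation so the
handful of abnormal devices do not drag the baseline toward themselves.
"""
from statistics import median
from typing import Dict, List

# Per-device counts an asset inventory would already have (assumed names).
FEATURES = ["security_agents", "browser_extensions", "listening_ports", "outbound_mb_per_day"]
THRESHOLD = 3.5  # usual cut-off for a modified z-score


def robust_zscores(values: List[float]) -> List[float]:
    """Modified z-score 0.6745 * (x - median) / MAD for each value."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        # More than half the fleet is identical, so MAD collapses to zero.
        # Fall back to the mean absolute deviation (scaled to be comparable
        # to MAD), or report no spread at all.
        mean_ad = sum(abs(v - med) for v in values) / len(values)
        if mean_ad == 0:
            return [0.0] * len(values)
        return [(v - med) / (1.253314 * mean_ad) for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def find_outliers(fleet: List[Dict[str, object]], threshold: float = THRESHOLD) -> Dict[str, List[str]]:
    """Map device_id -> list of features on which that device is an outlier."""
    flagged: Dict[str, List[str]] = {}
    for feat in FEATURES:
        scores = robust_zscores([float(d[feat]) for d in fleet])
        for dev, z in zip(fleet, scores):
            if abs(z) > threshold:
                flagged.setdefault(str(dev["device_id"]), []).append(feat)
    return flagged


# Constructed fleet: one device with no security agents running, one with a
# pile of browser extensions, one with many listening ports and a large
# outbound data volume. Every other value is ordinary noise.
SAMPLE_FLEET = [
    {"device_id": "d01", "security_agents": 11, "browser_extensions": 8,   "listening_ports": 4,  "outbound_mb_per_day": 120},
    {"device_id": "d02", "security_agents": 10, "browser_extensions": 12,  "listening_ports": 5,  "outbound_mb_per_day": 95},
    {"device_id": "d03", "security_agents": 12, "browser_extensions": 6,   "listening_ports": 3,  "outbound_mb_per_day": 150},
    {"device_id": "d04", "security_agents": 11, "browser_extensions": 9,   "listening_ports": 4,  "outbound_mb_per_day": 80},
    {"device_id": "d05", "security_agents": 10, "browser_extensions": 140, "listening_ports": 6,  "outbound_mb_per_day": 110},
    {"device_id": "d06", "security_agents": 11, "browser_extensions": 11,  "listening_ports": 4,  "outbound_mb_per_day": 130},
    {"device_id": "d07", "security_agents": 12, "browser_extensions": 7,   "listening_ports": 5,  "outbound_mb_per_day": 100},
    {"device_id": "d08", "security_agents": 10, "browser_extensions": 10,  "listening_ports": 3,  "outbound_mb_per_day": 90},
    {"device_id": "d09", "security_agents": 11, "browser_extensions": 9,   "listening_ports": 4,  "outbound_mb_per_day": 140},
    {"device_id": "d10", "security_agents": 0,  "browser_extensions": 8,   "listening_ports": 5,  "outbound_mb_per_day": 115},
    {"device_id": "d11", "security_agents": 11, "browser_extensions": 13,  "listening_ports": 41, "outbound_mb_per_day": 2400},
    {"device_id": "d12", "security_agents": 12, "browser_extensions": 10,  "listening_ports": 4,  "outbound_mb_per_day": 105},
]

if __name__ == "__main__":
    for device_id, feats in sorted(find_outliers(SAMPLE_FLEET).items()):
        print(f"{device_id}: outlier on {', '.join(feats)}")
```

Running the block flags three devices: one with no security agents running, one with an unusual pile of browser extensions, and one with both many listening ports and an outbound data volume far above the rest. That last device alone more than doubles the fleet's mean outbound volume, which is why the baseline is median-based. A score is only a pointer; the next step is to look at what is actually on those devices, and the threshold needs re-tuning for features whose normal range is wide.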
To learn more about the role of ML with IT complexity, watch our newest Cybersecurity Insights video below. And, subscribe to our complete YouTube series.
Complexity is Killing IT

Cybercriminals Take Aim at K-12

The school year is underway and millions of devices are now in the hands of students. More than 80 percent of today’s K-12 organizations provide computers to students and an estimated 70 percent of schools will be one-to-one by 2020. With school-issued devices commonplace, schools have become easy targets for cyberattacks.
Since 2016, nearly 700 cyber incidents have hit K-12 organizations. And threats like ransomware have forced schools to close their doors, and even compelled Louisiana’s Governor to declare a state of emergency after several schools were wrecked by the Ryuk ransomware in the summer of 2019.
The K-12 attack surface has lured cybercriminals, but the technology itself has also become somewhat of a nightmare. In Absolute’s new study, Cybersecurity and Education: The State of the Digital District in 2020, we looked at 3.2 million devices across 1,200 schools and discovered over 6,400 unique Chrome extensions in-use, 319 security bypass apps (e.g. rogue VPN), and more than 130,000 app versions. The IT complexity is staggering.

Based on the new research, we see three key challenges facing today’s K-12 technology leaders – challenges no other industry faces.

Savvy students — more than five times as many tools for users to tunnel around security controls and policies than other sectors. (rogue apps were found in 42 percent of organizations)

Increased complexity — within five years, K-12 IT leaders have gone from managing a couple of operating systems, a handful of apps, and a few hundred devices to managing hundreds of versions of operating systems, apps, extensions, and thousands of devices. (93 percent of common apps are outdated)

Increased endpoint risk — as complexity expands, so does risk, leaving both students and schools increasingly vulnerable to cyberattacks. Case in point: schools have become the second-largest pool of ransomware victims, slightly behind local governments and closely followed by healthcare organizations. (56 percent of patch agents fail)

It is no surprise then, that 68 percent of K-12 IT leaders say cybersecurity is their top priority, and nearly half (47 percent) say their primary investment will be security controls and tools. But K-12 IT leaders must carefully consider their plans for more security spend and take aim at cyber resilience above all else.
School districts are saddled with the expectation to demonstrate ROI (the effects of the one-to-one program) while, on the other hand, they need to keep tabs on security and inventory gaps in a quickly growing endpoint population. Read: Quantifying K-12 Device Use with Absolute.
How do you solve the riddle? Resilience is the key.
Winning the Battle Against Cyber Threats
It is increasingly critical that school districts work to reduce IT complexity and improve endpoint resiliency by gaining visibility into every device, everywhere. With that visibility, IT leaders can identify how often devices are used and in what patterns, justify technology spend for maximum ROI, discover rogue apps, and see what risks students are creating. K-12 IT leaders can rely on Absolute to unmask complexity risks and automate endpoint security—restoring fragile security controls, apps, and agents—to safeguard digital learning for the next generation.
To learn more about the cyber risks facing today’s K-12 schools, download the full report Cybersecurity and Education: The State of the Digital District in 2020.

5 Key Insights From Absolute’s 2019 Endpoint Security Trends Report

This post was originally published by Forbes Magazine and Software Strategies blog.

Endpoint security tools are 24% of all IT security spending, and by 2020 global IT security spending will reach $128B according to Morgan Stanley Research.
70% of all breaches still originate at endpoints, despite the increased IT spending on this threat surface, according to IDC.

To better understand the challenges organizations face securing the proliferating number and type of endpoints, Absolute launched and published its 2019 Endpoint Security Trends Report. You can get a copy of the report here. Its findings and conclusions are noteworthy to every organization that is planning and implementing a cybersecurity strategy. Data gathered from over 1B change events on over 6M devices is the basis of the multi-phased methodology. The devices represent data from 12,000 anonymized organizations across North America and Europe. Each device had Absolute’s Endpoint Resilience platform activated. The second phase of the study is based on exploratory interviews with senior executives from Fortune 500 organizations. For additional details on the methodology, please see page 12 of the study.
Key insights from the report include the following:

1. Increasing security spending on protecting endpoints doesn’t increase an organization’s safety and, in certain cases, reduces it. Organizations are spending more on cybersecurity than ever before, yet they aren’t achieving greater levels of safety and security. Gartner’s latest forecast has global information security and risk management spending reaching $174.5B in 2022, a five-year Compound Annual Growth Rate (CAGR) of 9.2%. Improving endpoint controls is one of the highest-priority investments driving increased spending. Over 70% of all breaches still originate at endpoints, despite millions of dollars spent by organizations every year. It’s possible to overspend on endpoint security and reduce its effectiveness, which is a key finding of the study. IBM Security’s most recent Cost of a Data Breach Report 2019 found that the average cost of a data breach in the U.S. grew from $3.54M in 2006 to $8.19M in 2019, a 130% increase in 14 years.
2. The more complex and layered the endpoint protection, the greater the risk of a breach. One of the fascinating findings from the study is that the greater the number of agents a given endpoint has, the higher the probability it will be breached. Absolute found that a typical device has ten or more endpoint security agents installed, each conflicting with the others. MITRE’s cybersecurity research practice found there are, on average, ten security agents on each device, and over 5,000 common vulnerabilities and exposures (CVEs) were found in the top 20 client applications in 2018 alone. Enterprises are using a diverse array of endpoint agents, including encryption, AV/AM, and Endpoint Detection and Response (EDR). The wide array of endpoint solutions makes it nearly impossible to standardize a specific test to ensure security and safety without sacrificing speed. Absolute found organizations are validating their endpoint configurations using live deployments that often break and take valuable time to troubleshoot. The following graphic from the study illustrates how endpoint security is driving risk:

3. Endpoint security controls and their associated agents degrade and lose effectiveness over time. Over 42% of endpoints experience encryption failures, leaving entire networks at risk from a breach. The controls are most commonly disabled by users, malfunction or hit error conditions, or were never installed correctly in the first place. Absolute found that endpoints often failed due to the fragile nature of their encryption agents’ configurations. 2% of encryption agents fail every week, and over half of all encryption failures occurred within two weeks, fueling a constant 8% rate of decay every 30 days; within one year, 100% of devices had experienced an encryption failure. Multiple endpoint security solutions conflict with each other and create more opportunities for breaches than they avert:

4. One in five endpoint agents will fail every month, jeopardizing the security and safety of IT infrastructure while prolonging security exposures. Absolute found that 19% of endpoints on a typical IT network require at least one client or patch management repair monthly. The patch and client management agents often require repairs as well: 75% of IT teams reported at least two repair events, and 50% reported three or more. Additionally, 5% could be considered inoperable, with 80 or more repair events in the same one-month period. Absolute also looked at the impact of families of applications to see how they affected the vulnerability of endpoints and discovered another reason why endpoint security is so difficult to attain with multiple agents. The 20 most common client applications published over 5,000 vulnerabilities in 2018. If every device had only the top ten applications (half), that could still result in as many as 55 vulnerabilities per device from those ten apps alone, including browsers, OSs, and publishing tools. The following graphic summarizes the rates of failure for Client/Patch Management Agent Health:

5. Activating security at the device level creates a persistent connection to every endpoint in a fleet, enabling greater resilience organization-wide. With a persistent connection to data and devices, organizations gain visibility and control over every endpoint. Organizations choosing this approach to endpoint security are unlocking the value of their existing hardware and network investments. Most important, they attain resilience across their networks. When persistence is designed in at the device level, there is a constant connection to data and devices that identifies and thwarts breach attempts in real time.
Bottom Line: Identifying and thwarting breaches needs to start at the device level, relying on secured, persistent connections that let endpoints better detect vulnerabilities, defend themselves, and achieve greater resilience overall.

What is Cyber Resilience and How Can You Achieve It?

What Is Cyber Resilience?
As the cyberthreat landscape darkens each day, the term cyber resilience is increasing in importance.
A cyber resilient company is in the best position to prepare for, respond to, and recover from a cyberattack. Being resilient, however, means much more than attack prevention or response. A cyber resilient enterprise can continue to function during an attack and is agile enough to adapt and recover from the incident.
While a protection-focused approach may have worked in the past, today’s enterprise must now move to adopt a strategy that is based more on endpoint resilience which, beyond protection, emphasizes adaptability, exposure reduction, information gathering and discovery.
Cyber resilience transcends technology and can protect the interests of everyone involved, including the C-suite, staff, shareholders, and the board of directors.
Resilience comes down to having a self-healing capability. Think of it this way: if your company must rely on an external source to resurrect you, then you can’t call yourself resilient. Only those organizations with a self-healing property (being able to recover without human intervention) can be truly classified as resilient.
Ultimately, if the organization has its eye on becoming more resilient, then it must incorporate technologies with the capacity of self-healing. Running around putting things back together isn’t the preferred state of a resilient enterprise.
Self-healing: The Only True Resilience
In the hardware world, we buy and deploy redundant systems: multiple firewalls, routers, switches, clouds, and cables. We do this because we expect our hardware defenses to fail; there’s even a name for it: “failover”. The other term used often is High Availability, which just means more hardware deployed for failover.
In the software universe, the equivalent is resilience. But unlike hardware, you can’t simply keep clones of the same tools, controls, apps, and agents standing by as understudies to the primary control; the idea that a clone steps into the spotlight when the primary control fails does not exist in software.
So enterprises need to rely on resilient software controls, apps, and agents. And the only way you can claim to be resilient is if you have a self-healing capability. Without it, there is no replacement and therefore no failover: a crack in your security fabric.
It All Starts With A Framework
While this resiliency may sound daunting and difficult to achieve, thankfully there is an existing framework that the enterprise can leverage to improve its resiliency. The NIST Cybersecurity Framework (NIST CSF) outlines specific actions that organizations can perform to see success in their cybersecurity programs.
Related: See Everything With the NIST Cybersecurity Framework
The five functions of the NIST CSF are Identify, Protect, Detect, Respond, and Recover. Applied to endpoints, they translate into the following actions:

Identify
Identify each endpoint for a comprehensive inventory
Identify authorized and unauthorized hardware and software
Prioritize endpoints based on classification, criticality, and business use
Benchmark device controls against security standards and policy
Quantify risk based on device vulnerabilities and exposures
Catalog device, data, user, and application relationships across the endpoint population

Protect
Gain physical access control and geofencing for distributed endpoints
Freeze, delete, and wipe devices through remote commands
Enable secure remote access systems (e.g. VPN) on all endpoints
Validate and restore encryption for at-risk data
Automate validation for data integrity in software, firmware, and cloud storage apps
Control communication from endpoints to the corporate network or domain
Authorize telemetry analysis and remote command for maintenance and repair

Detect
Establish baseline behaviors for users, data, devices, and applications
Unify asset intelligence across the device population
Monitor user activity and enforce role-based security controls
Score high-risk users with access to sensitive data
Access geo-tracking and user-device awareness
Detect and log configuration changes

Respond
Utilize dynamic remediation and control changes
Perform role-based access control for in-console response commands
Deliver continuous device logs and forensic documentation
Isolate a device or group of devices for containment
Push control changes to prevent spread of detected compromise
Command hotfixes to mitigate indicators of exposure (IOEs)

Recover
Enforce policies within device controls
Monitor device use and locally accessed sensitive data
Control incident investigations, digital forensics, and documentation
Augment and push new controls for endpoint hygiene
Access documentation instantly for continuous improvement to endpoint hygiene and data protection

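The actions listed above, together with the self-healing property argued for earlier in this post, come down to one loop: inventory every device, compare the state of each control against policy, and trigger the remediation without waiting for a person to notice. The following is an added example, not Absolute’s code and not part of the NIST framework, that runs that loop over a small constructed fleet. The inventory fields, the policy thresholds (a device is treated as “dark” after 14 days without a check-in; 80 or more repair events in a month marks an agent as chronically failing, the figure used in the trends report above) and the remediation action names are all assumptions made for the example:

```python
"""Endpoint control-health check with automated remediation decisions.

Added example, not Absolute's code and not part of the NIST CSF. The
inventory records, the policy thresholds and the action names are
assumptions; a real deployment would read the records from an MDM/EDR
export and hand the actions to whatever pushes commands to devices.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Endpoint:
    device_id: str
    owner: str
    last_seen: datetime          # last check-in with the management console
    encryption: str              # "ok", "disabled", "error" or "missing"
    patch_agent: str             # "ok", "error" or "missing"
    repairs_30d: int             # patch-agent repair events, trailing 30 days
    apps: List[str] = field(default_factory=list)


# Policy thresholds (assumed for the example; tune to the environment).
DARK_AFTER = timedelta(days=14)   # no check-in for 14 days -> "dark" device
CHRONIC_REPAIRS = 80              # 80+ repairs a month -> agent is effectively broken
BYPASS_APPS = {"rogue-vpn", "proxy-tunnel"}  # constructed names of security-bypass apps


def assess(ep: Endpoint, now: datetime) -> Dict[str, object]:
    """Return the findings for one endpoint and the action each one triggers."""
    findings: List[str] = []
    actions: List[str] = []

    # Identify: a device that has stopped talking cannot be assessed or
    # remediated remotely, so it is handled first and separately.
    if now - ep.last_seen > DARK_AFTER:
        findings.append("dark")
        actions.append("flag-for-recovery")
        return {"device_id": ep.device_id, "findings": findings, "actions": actions}

    # Protect: a control that is present but not "ok" is restored, not just logged.
    if ep.encryption != "ok":
        findings.append(f"encryption-{ep.encryption}")
        actions.append("restore-encryption")

    if ep.patch_agent != "ok":
        findings.append(f"patch-agent-{ep.patch_agent}")
        actions.append("reinstall-patch-agent")
    elif ep.repairs_30d >= CHRONIC_REPAIRS:
        # The agent reports healthy but keeps needing repair; restoring it
        # yet again is not self-healing, so escalate to reimaging instead.
        findings.append("patch-agent-chronic")
        actions.append("reimage-candidate")

    # Detect: tools that tunnel around policy (the "security bypass apps").
    bypass = sorted(set(ep.apps) & BYPASS_APPS)
    if bypass:
        findings.append("bypass-app:" + ",".join(bypass))
        actions.append("remove-bypass-apps")

    return {"device_id": ep.device_id, "findings": findings, "actions": actions}


def fleet_report(fleet: List[Endpoint], now: datetime) -> Dict[str, object]:
    """Assess every device and summarise how much of the fleet needs action."""
    results = [assess(ep, now) for ep in fleet]
    unprotected = [r["device_id"] for r in results if r["findings"]]
    return {
        "total": len(fleet),
        "unprotected": unprotected,
        "unprotected_pct": round(100.0 * len(unprotected) / len(fleet), 1),
        "results": results,
    }


# Constructed sample fleet; every value is invented for the example.
NOW = datetime(2019, 10, 15)
SAMPLE_FLEET = [
    Endpoint("lt-001", "alice", NOW - timedelta(days=1), "ok", "ok", 2, ["browser"]),
    Endpoint("lt-002", "bob", NOW - timedelta(days=30), "ok", "ok", 0, ["browser"]),
    Endpoint("lt-003", "carol", NOW - timedelta(hours=6), "disabled", "ok", 1, ["browser", "rogue-vpn"]),
    Endpoint("lt-004", "dave", NOW - timedelta(days=2), "ok", "error", 95, []),
    Endpoint("lt-005", "erin", NOW - timedelta(days=3), "ok", "ok", 85, []),
]

if __name__ == "__main__":
    report = fleet_report(SAMPLE_FLEET, NOW)
    print(f"{report['unprotected_pct']}% of {report['total']} devices need action")
    for r in report["results"]:
        if r["findings"]:
            print(r["device_id"], r["findings"], "->", r["actions"])
```

Two design points matter more than the rules themselves. A dark device short-circuits everything else, because no remote command reaches it and counting it as “encrypted” on the strength of a stale record is how the compliance-versus-reality gap described in these posts opens up. And a control that is repaired over and over is not self-healing in any useful sense, so the chronic case escalates rather than looping; the thresholds that decide “chronic” are policy, not something the inventory can tell you.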
A Blueprint for Resilience
Each focal point of the NIST CSF is designed for resilient cyber defense and protection and aims to ensure data confidentiality, integrity, and availability. Much of the work that’s needed to be resilient is simply doing the basics: patching, strong authentication, control monitoring, etc.
What’s practical about something like NIST CSF (or CIS Top 20 or ISO or any others for that matter) is that it is a blueprint. Just like a blueprint to a building, the CSF is like having the architect’s plans for a well-engineered structure.
With NIST in particular, the goal is resilience —especially in the protect and recover sections. The Protect (initial resilience) and Recover (learn and grow more resilient) steps are emphasized as the target/goal.
Learn more about Absolute Persistence technology. With it, IT and security teams get an unrivaled view and command of their device population to enable data protection and improve security posture — all through automated endpoint hygiene.

3 Ways to Bolster Endpoint Resilience in the Face of Ransomware

This article originally appeared in ITProPortal. 
This June, two municipalities in Florida were the victims of dreaded ransomware attacks, and both agreed to resolve their nightmare by paying the cybercriminals to recover their systems and files.
According to the FBI, billions of dollars are lost every year restoring systems hit by such attacks, but the agency still does not support paying the ransom in response to attacks; for starters, it doesn’t guarantee an organisation will get its data back. So, when attacks like this hit, victims are left with the question of whether to comply with hackers’ demands or be left out of commission for an undetermined amount of time and a nebulous view of the damage incurred.
Since no organisation wishes to confront such decisions, it’s imperative that they are as prepared as possible. Adding resilience to an organisation’s security strategy is one way to contain a ransomware outbreak. To minimise risk, IT teams need increased visibility into all their devices for information about the presence and health of patch management and other endpoint security applications. Today’s technology allows for much of this to be automated, ensuring that security solutions are properly installed and effective.
Three Steps to Better Protection
Small steps can have a tremendous impact and can help increase resilience and ensure better protection in the face of ransomware criminals.

1. Increase visibility

Visibility into the health and efficacy of endpoints is a key element in building a solid security strategy. By identifying all endpoints and maintaining clear visibility into them, including those that are inactive and often easily forgotten, one can both ensure compliance with federal regulations and be better prepared for hackers who target weak links. Though most organisations assume that more than 95 per cent of endpoints are compliant with required applications and patches, the reality is that 28 per cent of endpoints are unprotected at any given time. Constant visibility over endpoint devices, data and applications — whether they’re on or off the network – ensures that administrators can easily identify which devices may still be vulnerable to attack and take appropriate remedial actions.
Devices are regularly being re-imaged, and critical applications are often disabled or in a state of disrepair. These ‘dark’ devices remain outside the control of IT and without the protection of the network, which ultimately poses a significant threat to data security. In the event of a security incident, these devices may no longer have the security controls needed to prevent an incident from escalating to a full-scale data breach. Endpoints – and in particular, ‘dark’ endpoints – are an ever-present danger to organisations. Total visibility and situational awareness are crucial to combating this threat, and lead to preparedness and better protection.
2. Patch continuously
According to the Ponemon Institute, the average time it takes organisations to patch is 102 days. At a time when zero-day attacks are four times more likely to compromise organisations, patching agents have quickly become one of the most vital protection mechanisms.  However, research finds that 75 per cent of patching agents report at least two repair events in one month, and 50 per cent report three or more repair events in the same period. Additionally, five per cent could be considered “chronically ill,” with 80 or more repair events in the same one-month period.
As complexity multiplies, emerging technology is essential. Artificial intelligence (AI) has transformed patching into a continuous and ongoing process that requires less maintenance but significantly broader coverage. When 19 per cent of endpoints require at least one repair within 30 days, a continuous patching strategy proves invaluable. Continuous patching ensures the maintenance of all endpoints, even those that have become dark.
3. Ensure endpoint control
Implementing additional data security measures that are unique to the network can increase control over all endpoints. By implementing an approach that is unique and tailored to the higher education industry, Wichita State University (WSU) has been able to remove blind spots and track school-owned devices, even after those devices leave the secured school network. By doing so, WSU has been able to increase their visibility and gain more all-encompassing control of these endpoints.
Strategies like these, when combined with more complex capabilities like persistence technology, provide a single source of truth into all endpoints and therefore drive a more dynamic cybersecurity approach in the face of ransomware attacks. Persistence technology ensures the ability of an endpoint to self-heal if a user tampers with the security agent on a device and increases visibility into exactly who is accessing a device and when. Not only does this strengthen cybersecurity preparedness, it also has an impact that can be more widely felt. The ability to deploy and confirm full disk encryption, track and lock devices, or freeze and wipe the data – combined with the ability to manage and secure the endpoint population – has helped organisations gain and maintain ongoing compliance with HIPAA, PCI-DSS, FERPA and other requirements.
While we may debate the pros and cons of paying ransom, it’s impossible to debate the importance of resilience. Although organisations may feel unprepared in the face of a ransomware attack, there are quick actions to take that can deter criminals’ efforts and alter the ending of the story. In today’s climate, increased visibility, continuous patching and endpoint resilience are no longer security bonuses, they are requirements that may be the difference between a successful crime and a thwarted attempt at paralysing an organisation.
For more information on top endpoint security threats, download the 2019 Endpoint Security Trends report.

Why Are We Still Facing a Serious Cybersecurity Skills Gap?

In a 2018-2019 report from ESG, over half of the companies surveyed (53 percent) report a serious shortage of cybersecurity skills in their organization. This skills gap isn’t new – the problem has plagued our industry for years. Why is there such an imbalance between the supply and demand for cybersecurity professionals? Where do we start in addressing the problem?
Current State of Supply vs. Demand on Cyber Pros
Jeff Frisk, Director for SANS Institute’s GIAC certification program, confirms that the data trends and indicators show there is a much greater demand than supply of cybersecurity professionals. “Demand for highly technical cybersecurity practitioners remains on the rise,” he said. “The supply vs. demand issue in our industry is interesting given that, in most instances, deep technical skills and live-fire field experience are required to break into common low-level work roles.” So what’s causing the growing divide?
4 Reasons

1. More Cybercriminals

Not only are cybercriminals a threat to an organization’s cyber resilience, their nefarious activities have risen ever since machines were first linked together, and with them the skills gap has widened. Attackers’ goals have evolved from street cred within the hacker community to a well-organized, concentrated push for financial gain. Their incentive scheme lures more criminals into the game—and we just can’t keep up.

2. More Places to Hide

When we digitized our most important information—patents, consumer records, financial data—we added more to cybercriminals’ watch-list. This creates more space to hide and we often don’t have a wide enough lens to monitor an ever-expanding attack surface. To make matters worse, our own complex environments provide many opportunities for criminals to hide, users to go rogue, and auditors to always find something. Our mutating attack surface provides a compound effect—more threats in more places.

3. Dilemma of a Deep v. Wide Skill Set

Current and aspiring security professionals are often caught in a dilemma: expand their skills within a specific domain or pursue a broad range of many disciplines. Unfortunately, individuals are forced to make the tradeoff, leading to bulges in certain skills and scarcity in others. This distribution and concentration of skill is not always aligned with an organization’s requirements for a particular position.

4. Under-valuing the Role

Cybersecurity job requirements are too often written like a wish list to Santa Claus: asking for candidates with decades of experience, deep knowledge in myriad disciplines, and a willingness to put in an abundance of hours for a compensation plan that looks like an internship. Cybercrime evolves at lightning speed – just as technology does – and unforeseen forces can exaggerate the skills gap. Instead, managers must learn to be flexible and future-looking when it comes to hiring cybersecurity talent.
Check out our comprehensive Cybersecurity 101 Guide.
Getting an Early Start to STEM Education
Before discussing the proper skillsets required for today’s cybersecurity professional, it’s important to take a step back and explore the notion that attracting those in the 10-17 age group is going to be critical. How are all these open positions going to be filled? A young workforce that comes armed with STEM skills learned in school can go a long way.
Offering an overview of cybersecurity in school, perhaps presented in innovative ways, might be exactly what is needed to pique students’ interests. Students are already fully immersed in the technology in their day-to-day lives, so having them learn (and even master) the underlying cybersecurity engineering behind their apps and devices represents a huge opportunity. Imagine how they could build upon those proficiencies as they either enter post-secondary education or the workforce.
Read about how to protect your data while empowering your workforce.
“Clearly, if we ever aim to close the supply/demand gap, starting early needs to happen,” Frisk said. “This, of course, takes time. Even when I look back 10 or 15 years ago, seeing the push for STEM focus in elementary and high school, it seems like we are just getting a foot in the door.”
So how do we attract the younger generation to the industry? Frisk suggests we think about gamification and cyber range activities targeting the high school level. “As an example, SANS CyberStart program has more than 6,500 high school girls playing CyberStart in 2019 across 27 states.”
What Skills are Needed for Cybersecurity?
The skills required of today’s cybersecurity professional change all the time, and this is certainly a factor in the supply problem. For would-be cybersecurity professionals, Frisk breaks down what’s in demand.
“This may sound cliché, but having verified, base-line technical skills coupled with the ability to adapt and learn about emergent technologies and threats is paramount,” he said. “The threat environment we face five years from now will be very different than the one we face today. Those with the desire to learn and the ability to adapt will be the best positioned to protect their organizations.”
He points out that the skills in greater demand than five years ago include threat hunting, cloud security, cyber threat intelligence, and incident response. Penetration testing and digital forensics skills are also seeing steady growth in demand.
If you’re looking for more information on why we are continually faced with a cybersecurity skills gap, check out the latest edition of our Cybersecurity Insights video series below and subscribe to our YouTube channel.

Strengthen Your Incident Response Plan With Cybersecurity Drills

Time matters when it comes to breach response. There is a direct correlation between how quickly an organization can detect and contain a data breach, and the financial consequences that can result.
A strong security incident response capability can help organizations reduce breach-related costs by 25 percent, according to the Ponemon Institute’s 2019 Cost of a Data Breach Report. Furthermore, organizations that had formally identified an incident response team and had well-tested plans spent $3.51 million on breach response, compared to $4.74 million spent by those that hadn’t. With the average global cost of a data breach nearing $4 million, or $150 per lost record, time is quite literally money.
New types of security incidents emerge frequently. Attacks often compromise personal and business data, and it is critical to respond quickly and effectively when data breaches occur. As the number of data breaches continues to rise, it’s no longer a matter of if your organization will have to defend itself, but when.
Preventive activities based on the results of a risk assessment can lower the number of incidents, but not all incidents can be prevented. Incident management helps to identify and respond to unexpected disruptive events with the objective of keeping their impact within acceptable levels. These events can be technical, such as attacks mounted on the network via viruses, denial of service (DoS) or system intrusion, or they can be the result of mistakes, accidents, or system or process failure.
That’s why having a strong Incident Response Plan (IRP) is more important than ever, and the ability to detect and assess the situation, determine the causes, and quickly arrive at solutions can mean the difference between an inconvenience and a disaster.
What is an Incident Response Plan?
An IRP outlines the procedures to be followed when responding to a security incident. A security incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. At a minimum, the IRP should cover:

Lessons learned

Compliance requirements can often be met more easily when an IRP is in place, because you’ve pre-identified the key steps that need to be taken. But true strength lies in having a plan that you proactively exercise through cybersecurity drills: in other words, scheduled, continuous testing of the IRP. It ensures your team knows exactly what to do without wasting precious time deciding on critical next steps.
What are Cybersecurity Drills?
While practice may not always make perfect when it comes to security incidents, rehearsal of who does what, when, and how will save your organization both money and angst.
Cybersecurity drills allow your team to work through various exercises—like role-playing, planned exercises, spot checks, and team building—so everyone becomes familiar with a range of threat scenarios. Through testing and repetition, you can evaluate your team’s response and dissect lessons learned. You can also use these drills as part of your cybersecurity training and employee education programs covering phishing scams, ransomware, and appropriate reporting of cybersecurity incidents.
Who Should Be Involved?
To be effective, an IRP needs to extend far beyond the security organization. For maximum effectiveness, a drill team should consist of a security steering group, core members of the IMT/IRT, and subject matter experts from Legal, IT, HR, PR, Risk, etc. Proactive organizations are also extending cybersecurity drills to include business partners and third-party organizations for superior safeguarding.
Depending on the nature and extent of a particular incident, internal and external resources such as a public relations (PR) representative, auditors, and legal counsel may also need to be involved.
What Else Do I Need to Know?
What is a Security Incident? Ensure that there is a clear definition and understanding of what constitutes a security-related incident. Typically, security incidents include: malicious code, unauthorized access to IT or information resources, unauthorized use of services, unauthorized changes to systems, network devices or information, DoS/DDoS attacks, misuse, social engineering, etc.
Legal & Preserving Forensic Evidence – Don’t forget the legal aspects of preserving forensic evidence. Contamination of evidence following an intrusion could prevent an organization from prosecuting a perpetrator and limit its options. For evidence to be admissible in legal proceedings, it must have been acquired in a forensically sound manner and its chain of custody maintained. Be aware that legal requirements vary between jurisdictions; as a result, informed legal advice on processes that meet the relevant judicial standards is required.
IRP Effectiveness & Efficiency – Make sure that you measure the effectiveness and efficiency of your IRP. It will allow you to understand what has been done satisfactorily and where improvements need to be made. A few metrics that can be used:

Total number of reported incidents
Total number of detected incidents
Number of days without incident
Average time to respond to an incident relative to the RTO (recovery time objective)
Average time to resolve an incident
Total number of incidents successfully resolved
Incidents not resolved successfully
Detection and notification times

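The metrics above are only useful if they are computed the same way every time. As an added example (not Absolute's code), the script below derives each of them from a small incident register. The register layout, the field names, the meaning of "reported" (logged by a person) versus "detected" (raised by a monitoring control), and the 4-hour RTO are assumptions made for illustration; every record is constructed sample data.

```python
"""Incident response metrics over a constructed incident register.

Added example, not Absolute's code. The register layout, field names and
the RTO value are assumptions made for illustration; every record is
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed recovery time objective: containment should begin within 4 hours
# of detection. Replace with the value in your own IRP.
RTO = timedelta(hours=4)


@dataclass
class Incident:
    incident_id: str
    source: str                   # "control" (detected by monitoring) or "user" (reported by a person)
    occurred: datetime            # best estimate of when the event began
    detected: datetime            # when the incident was first detected or reported
    notified: datetime            # when the IRT / stakeholders were notified
    responded: datetime           # when containment actions started
    resolved: Optional[datetime]  # None = still open or not resolved


def _iso(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample register (four incidents, one still open).
INCIDENTS: List[Incident] = [
    Incident("INC-001", "control", _iso("2019-09-02T01:10"), _iso("2019-09-02T01:25"),
             _iso("2019-09-02T02:00"), _iso("2019-09-02T02:30"), _iso("2019-09-02T09:25")),
    Incident("INC-002", "user", _iso("2019-09-05T08:00"), _iso("2019-09-05T14:00"),
             _iso("2019-09-05T15:30"), _iso("2019-09-05T19:30"), _iso("2019-09-07T12:00")),
    Incident("INC-003", "control", _iso("2019-09-10T22:45"), _iso("2019-09-10T22:50"),
             _iso("2019-09-10T23:20"), _iso("2019-09-10T23:50"), None),
    Incident("INC-004", "user", _iso("2019-09-12T09:00"), _iso("2019-09-13T09:00"),
             _iso("2019-09-13T10:00"), _iso("2019-09-13T11:00"), _iso("2019-09-13T17:00")),
]


def _mean(deltas: List[timedelta]) -> timedelta:
    # statistics.mean does not accept timedelta, so average by hand.
    return sum(deltas, timedelta()) / len(deltas) if deltas else timedelta()


def counts_by_source(incidents: List[Incident]) -> Dict[str, int]:
    """Total incidents reported by people vs detected by controls."""
    out = {"user": 0, "control": 0}
    for inc in incidents:
        out[inc.source] = out.get(inc.source, 0) + 1
    return out


def days_without_incident(incidents: List[Incident], as_of: datetime) -> int:
    """Whole days since the most recent detection."""
    latest = max(inc.detected for inc in incidents)
    return (as_of - latest).days


def mean_time_to_respond(incidents: List[Incident]) -> timedelta:
    """Average time from detection to the start of containment."""
    return _mean([inc.responded - inc.detected for inc in incidents])


def share_within_rto(incidents: List[Incident], rto: timedelta = RTO) -> float:
    """Fraction of incidents whose response started within the RTO."""
    within = sum(1 for inc in incidents if inc.responded - inc.detected <= rto)
    return within / len(incidents)


def mean_time_to_resolve(incidents: List[Incident]) -> timedelta:
    """Average detection-to-resolution time, over resolved incidents only."""
    return _mean([inc.resolved - inc.detected for inc in incidents if inc.resolved])


def resolution_counts(incidents: List[Incident]) -> Dict[str, int]:
    """Incidents successfully resolved vs still unresolved."""
    resolved = sum(1 for inc in incidents if inc.resolved is not None)
    return {"resolved": resolved, "unresolved": len(incidents) - resolved}


def detection_and_notification_times(incidents: List[Incident]) -> List[Dict[str, object]]:
    """Per incident: minutes from occurrence to detection, and from detection to notification."""
    return [
        {
            "incident_id": inc.incident_id,
            "time_to_detect_min": (inc.detected - inc.occurred).total_seconds() / 60,
            "time_to_notify_min": (inc.notified - inc.detected).total_seconds() / 60,
        }
        for inc in incidents
    ]


if __name__ == "__main__":
    now = _iso("2019-09-20T00:00")
    print("by source:", counts_by_source(INCIDENTS))
    print("days without incident:", days_without_incident(INCIDENTS, now))
    print("mean time to respond:", mean_time_to_respond(INCIDENTS),
          f"({share_within_rto(INCIDENTS):.0%} within RTO of {RTO})")
    print("mean time to resolve:", mean_time_to_resolve(INCIDENTS))
    print("resolution:", resolution_counts(INCIDENTS))
    for row in detection_and_notification_times(INCIDENTS):
        print(row)
```

Two design choices matter here: the mean time to resolve is computed over resolved incidents only, so an open incident does not silently shrink the average, and the RTO comparison is reported as a share of incidents rather than folded into the mean, because a single slow response (INC-002 in the sample) can hide behind an acceptable average.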
A comprehensive IRP cannot rely on guesswork. An attacker is interested in obtaining your crown jewels and will make every attempt possible to locate them.
The more visibility you have into where your sensitive data and most valuable assets reside, the more quickly you can pinpoint where your security blind spots might be and the more effectively you can respond to a potential threat or incident. Complete visibility and intelligence not only let you focus and prioritize your cybersecurity drills, they also help you identify more quickly when you need to put your IRP into action, and minimize the potential damage.
Absolute delivers complete visibility and control over devices, data, applications, and users — both on and off the corporate network. Learn how the industry’s only tamper-proof endpoint resilience solution can empower you to build a more effective, comprehensive IR plan.

4 Recent Data Breaches that Originated on the Endpoint

Global spending on IT security is predicted to total a staggering $128 billion by 2020. However, while companies are spending more and more of their IT budgets on security to safeguard their endpoints, data breaches originating on the endpoint are growing in frequency and severity.
A study by Ponemon found that two-thirds of companies were compromised by attacks that originated on their endpoints in 2018. These attacks can be devastating to an organization in terms of fines, reputational damage, lawsuits, and irreparable damage to customer trust. Separately, the 2019 Cost of a Data Breach study, also from Ponemon, found:

$3.92 million: Average cost of a data breach
25,575 records: Average size of a data breach
$150: Average cost per lost or stolen record
279 days: Average time to identify and contain a breach

If IT security spending is increasing, why are endpoint attacks still so common? A new primary research study by Absolute found that much security spending is done in vain, because the efficacy of endpoint security tools diminishes significantly over time — unless those tools are deliberately controlled to improve endpoint resilience.
Endpoint security is endpoint resilience. The spend levels indicate that there is no scarcity of tools and controls to help keep devices and data safe. The problem is that those tools are not naturally resilient. On the contrary, they are fragile. The door is ajar and the compromise happens not because there are no guards, but because the guards got into a turf battle with one another, got wounded or killed, and the main goal of keeping the real enemy away was lost. They fight, they conflict, they collide, and where there is friction there is decay. This zero-sum competition reveals how little resilience they have: they can’t stay in place.
Avoidable Data Breaches
Results from Forrester’s latest security survey found that 15 percent of breaches are still caused by lost or missing devices. With one laptop stolen every 53 seconds, it is wise to ensure you have measures in place to prevent putting your data at risk. Let’s look at four recent breaches that originated on the endpoint to examine what you could do now to avoid a similar fate.

Eir: Stolen laptop had been decrypted by a faulty security update the previous working day.
Raley’s: Stolen laptop. Company could not confirm that encryption was in place.
Health Plan: Stolen laptop. Company could not confirm that encryption was in place.
Government of Canada: Stolen laptop was a new device. The encryption process either failed or was missed.

Irish telecom company Eir leaks data of 37,000 customers
In August 2018, the data of 37,000 customers of Ireland’s largest telecom provider, Eir, was compromised when an unencrypted device was stolen from outside an office building. The laptop contained personally identifiable information (PII) including names, email addresses, phone numbers, and Eir account numbers. The laptop had been decrypted by a faulty security update the previous working day.
Because of the nature of the breach, the company was forced to report the incident to the police as well as the Data Protection Commissioner. Under new European GDPR rules, companies face higher fines and punitive action for losing or misusing customer information.
Stolen laptop exposes data of 10,000 Raley’s customers
In September 2018, Raley’s experienced a data breach affecting 10,000 pharmacy customers. The data on the laptop included patients’ first and last names, gender, date of birth, medical conditions, healthcare plans and identification numbers, prescription drug records, and Raley’s Pharmacy visit dates and locations. Raley’s could not confirm whether the data had been accessed or misused, nor could it confirm whether encryption was in place.
The company responded quickly to notify authorities, the press, and the people affected, and has since added encryption to all laptops.
Stolen laptop compromises Houston’s Health Plan
In February 2018, a laptop stolen from an employee’s car may have contained protected health information (PHI) records of the city’s staff, including names, addresses, dates of birth, social security numbers, and medical information. The organization couldn’t tell whether data was accessed or whether encryption was in place, so it had no choice but to treat the incident as a data breach.
It took 21 days for the City to notify police. Generally speaking, any delay in notifying authorities about a breach is not looked on favorably by the regulators who reward quick, decisive action.
Stolen laptop exposes health data of 80 percent of NWT residents
In May 2018, a laptop containing the PHI of 33,661 residents of Canada’s Northwest Territories was stolen from a locked vehicle in Ottawa, Ontario. The data included patients’ names, birth dates, home communities, healthcare numbers, and, in some cases, medical conditions. The stolen laptop was a new device, so the encryption process either failed or was missed.
Officials waited over a month before disclosing the breach publicly, and the department now faces stricter rules around remote workers and removing devices from the confines of the physical office location.
These examples show how easily an unnecessary breach can occur. There is a common thread across all of these cases — a lack of endpoint visibility and an inability to prove that:

All security technology was in place and functioning at the time the device went missing
No data was accessed post incident
The device was remotely disabled and all personal data was deleted

If you don’t have visibility into your devices, you must presume that the data on that device was breached and follow the relevant breach notification processes in your industry or region.
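The three points above turn into a simple evidence test when a device goes missing. As an added example (not Absolute's code), the script below applies that test to constructed device telemetry: for each lost device it checks whether the last check-in before the loss shows encryption on and the endpoint agent healthy, whether there is evidence about post-loss data access, and whether the device confirmed a remote disable/wipe. Any gap means the loss is treated as a breach. The telemetry record layout, the 24-hour freshness window, and the device records (modelled loosely on the four case patterns above) are all assumptions and constructed data.

```python
"""Lost-device assessment: can we prove the safeguards were in place?

Added example, not Absolute's code. The telemetry record layout, the
24-hour freshness window and the device records are assumptions made for
illustration; all sample data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumption: telemetry older than this at the time of loss is too stale to
# prove the device's state when it went missing.
MAX_TELEMETRY_AGE = timedelta(hours=24)


@dataclass
class CheckIn:
    at: datetime
    encryption: str        # "encrypted", "decrypted" or "unknown"
    agent_healthy: bool    # endpoint agent reporting and enforcing policy


@dataclass
class Device:
    device_id: str
    check_ins: List[CheckIn] = field(default_factory=list)
    wipe_confirmed_at: Optional[datetime] = None   # device acknowledged remote disable/wipe
    post_loss_access: Optional[bool] = None        # True/False if known, None if unknown


def _iso(s: str) -> datetime:
    return datetime.fromisoformat(s)


def assess_lost_device(device: Device, lost_at: datetime,
                       max_age: timedelta = MAX_TELEMETRY_AGE) -> Dict[str, object]:
    """Return the gaps in evidence; any gap means the loss is treated as a breach."""
    gaps: List[str] = []

    # 1. Were the controls in place and working when the device went missing?
    before = [c for c in device.check_ins if c.at <= lost_at]
    if not before:
        gaps.append("no telemetry before loss: cannot prove encryption or agent state")
    else:
        last = max(before, key=lambda c: c.at)
        if lost_at - last.at > max_age:
            gaps.append(f"last telemetry is {lost_at - last.at} old: state at loss unproven")
        if last.encryption != "encrypted":
            gaps.append(f"last known encryption state was '{last.encryption}'")
        if not last.agent_healthy:
            gaps.append("endpoint agent was not healthy at last check-in")

    # 2. Can we show that no data was accessed after the loss?
    if device.post_loss_access is None:
        gaps.append("no evidence either way about post-loss data access")
    elif device.post_loss_access:
        gaps.append("data access after loss observed")

    # 3. Was the device remotely disabled and its data deleted?
    if device.wipe_confirmed_at is None:
        gaps.append("remote disable/wipe not confirmed by the device")

    return {"device_id": device.device_id, "gaps": gaps,
            "notification_required": bool(gaps)}


# Constructed sample devices and loss time.
LOST_AT = _iso("2018-08-14T18:00")
DEVICES = [
    # Encrypted two days earlier, reported as decrypted after an update the evening before.
    Device("LT-0412", [CheckIn(_iso("2018-08-12T09:00"), "encrypted", True),
                       CheckIn(_iso("2018-08-13T20:00"), "decrypted", True)],
           wipe_confirmed_at=_iso("2018-08-15T08:00"), post_loss_access=False),
    # Healthy, encrypted, wiped within hours, no access seen: evidence is complete.
    Device("LT-0913", [CheckIn(_iso("2018-08-14T16:00"), "encrypted", True)],
           wipe_confirmed_at=_iso("2018-08-14T21:00"), post_loss_access=False),
    # New device that never checked in: encryption may have failed or been skipped.
    Device("LT-1100"),
    # Last telemetry ten days old and no wipe confirmation.
    Device("LT-0777", [CheckIn(_iso("2018-08-04T12:00"), "encrypted", True)]),
]


def assess_all(devices: List[Device], lost_at: datetime) -> Dict[str, bool]:
    """device_id -> whether breach notification must be assumed."""
    return {d.device_id: assess_lost_device(d, lost_at)["notification_required"]
            for d in devices}


if __name__ == "__main__":
    for d in DEVICES:
        result = assess_lost_device(d, LOST_AT)
        verdict = "treat as breach" if result["notification_required"] else "evidence complete"
        print(f"{d.device_id}: {verdict}")
        for g in result["gaps"]:
            print("   -", g)
```

The point of the freshness window is the first case pattern: a device that was encrypted at its previous check-in can still be unencrypted at the moment it is lost, so the decision has to rest on the last state actually observed before the loss, not on the state the asset inventory says it should have had.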
Back to Basics on Endpoint Security
According to the 2019 Endpoint Security Trends report, when it comes to endpoint security, less may in fact be more. This is reflected in wider industry trends as IT, security, and risk professionals focus on streamlining and simplifying how they secure their organizations’ data.
We need to get back to the basics of cybersecurity and home in on the three ingredients for ensuring data protection at scale — people, process, and technology.
To learn more about the inevitable decay of endpoint security tools and what to do about it, read the full 2019 Endpoint Security Trends Report.