Veriato Blog

  • To cloud, or not to cloud. That is the question.

    by Stephen Voorhees, CISSP | Mar 21, 2017
    If you are thinking about storing sensitive information in the cloud, you need to be as sure of the security of that data as you would be storing it on your own infrastructure. In effect, you are outsourcing data storage. And there are good, valid reasons to do so. Most of them stem from lower costs (or the perception of lower costs) and management overhead.
    Full story
  • Don’t Be Held Hostage By Ransomware. Stop The Attack Before Critical Damage Is Done.

    by Mike Tierney | Mar 06, 2017
    Ransomware, a type of malware that encrypts your critical files until money is paid, continues to wreak havoc on organizations worldwide. In fact, studies show that more than half have experienced a ransomware attack, and it takes them an average of 33 hours to recover lost data—with only 23 percent of companies completely recovering their lost data. According to researchers, the spread of these attacks was projected to cost companies $1 billion in 2016 alone!
    Full story
  • Step 5 of 5 to Quantifying Insider Risk

    by Mike Tierney | Feb 14, 2017
    One of the best practices found in the Common Sense Guide to Mitigating Insider Threats – a document written well ahead of its time by the world-renowned CERT division of Carnegie Mellon University’s Software Engineering Institute (SEI) – is the need to develop an employee termination process that takes into account the threat a departing employee can pose.
    Full story
  • Step 4 of 5 to Quantifying Insider Risk

    by Mike Tierney | Feb 11, 2017
    At a very high level, the risk scores equate to how much the organization sees the position, department, or individual in terms of potential exposure. Because a successful insider attack will result in harm to the organization, the appropriate response is to watch for signs of elevating insider risk (metastasizing into threat), using an appropriate level of scrutiny aligned to their risk level. In general, those with a lower level of risk only need to be monitored with a level of scrutiny that looks for leading indicators of elevating risk. Those posing a higher level of risk need to be monitored far more carefully – with an ability to rapidly review their actions in detail if necessary.
    Full story
  • Step 3 of 5 to Quantifying Insider Risk

    by Mike Tierney | Feb 08, 2017
    In order to establish controls that allow the organization to properly detect insider risk, you must first know where you should be looking. Each position within your company has a relative level of risk associated with it. For example, a position that has access to and works directly with intellectual property puts the organization at a much higher level of risk than someone who has limited access to customer contact data. A measured response is needed for each position, relative to its level of risk. Put too little emphasis on monitoring risky users and you will find your organization a victim of an insider attack. Put too much emphasis on “eyes on glass” monitoring of users that pose no real risk to the organization, and you will have wasted time, budget, and energy.
    Full story
  • Step 2 of 5 to Quantifying Insider Risk

    by Mike Tierney | Feb 05, 2017
    Insider risk begins the moment you grant access. What’s required on an employee’s first day is to present them with a Confidentiality & Intellectual Property Agreement (CIPA). This agreement is designed to put a number of insider risk controls in place:
    Full story
  • Step 1 of 5 to Quantifying Insider Risk

    by Mike Tierney | Feb 02, 2017
    Risk around company data normally falls to someone within IT, the security team, or to the CISO, as these individuals will play a crucial role in quantifying and addressing insider risk. But, to properly assess the state of insider risk, as well as ensure suitable controls are responsively in place, you will need the perspective and assistance of a number of positions within your organization.
    Full story
  • Intro to Quantifying Insider Risk

    by Mike Tierney | Jan 31, 2017
    Risk is one of those subjective concepts that usually fall into vague categories like “low” and “high” – which have very little meaning on their own, and only have value when you tie those categories to actions (which we will cover later in this guide). To properly quantify the insider risk within your organization, we want to initially walk you through how to begin thinking about insider risk, as it is a more fluid and shifting concept than, say, the static risk assessment associated with whether your systems and applications are completely up to date on their patches.
    Full story
  • Quantifying the risk of an insider data leak

    by Mike Tierney | Sep 08, 2016

    One of the challenges associated with effectively combating the threat of insider data leaks stems from a lack of understanding of the risk resident within the perimeter.

    Full story
  • 4 Steps to Reduce the Risk of Malicious Insider Activity

    by Mike Tierney | Jul 01, 2016
    Our CSO, David Green, has a new whitepaper out. Here he addresses some practical things you can do to improve your organizational ability to detect insider threats before they become insider attacks, react quickly and with confidence to potential (or actual) problems, and in doing so increase the security of your intellectual property and confidential information.
    Full story