Private details of 2.5 MILLION PlayStation and Xbox users are leaked in major hack

Reports are surfacing that private details, including email addresses, account passwords and IP addresses, of 2.5 million PlayStation and Xbox users have been leaked in a major data breach. The hack breached forums ‘XBOX360 ISO’ and ‘PSP ISO’ in 2015, but details of the leak are only just coming to light now.

Commenting on this, Robert Capps, VP of business development at NuData Security, said, “The recently disclosed data theft from the unofficial PlayStation and Xbox forums is yet another example of the need for consumers to be wary of who they provide their information to online. While this site is mostly used to distribute pirated copies of games, DVDs and BluRays, consumers who use the forums need to make sure that they are vigilant. Keep alert to any phishing scams that may appear in email as a result of this hack, changing passwords on any site where the passwords or usernames used on these sites are used. This data is likely to be sold on the Dark Web and used for future cyber crime. It’s a good reminder to choose unique passwords on all sites that require registration.”



Create a delegated development program for aspiring coders in your organisation

By Robert Duffner

Robert Duffner is Senior Director, Product Marketing, Cloud, at ServiceNow

How often does someone from HR, finance, marketing or another business unit come to you with a request to develop a new business application? There’s likely an ever-growing collection of these open requests that you just can’t find the time to develop. Fortunately, instead of being a roadblock to these requests, you can leverage cloud-based low-code development platforms to help your users help themselves. Adopting a delegated approach to application development frees you to devote your time to more strategic priorities, and positions DevOps as an invaluable partner across all lines of the business.

Forrester defines low code development platforms as those that enable rapid delivery of business applications with a minimum of hand-coding and minimal upfront investment in setup, training, and deployment. The analyst firm sees three dominant forces shaping the landscape for low-code platforms:


  1. A drive to expand and diversify the developer talent pool
  2. A shift towards general-purpose usage of low-code platforms
  3. Increased funding that validates the market for low-code

Not long ago, helping users to develop their apps wasn’t an option. The risk associated with assigning them the necessary administrative privileges was too high. That led to the rise of the Shadow IT trend, with users implementing third party solutions without IT’s permission or knowledge. Delegated development reverses that trend and also reduces your backlog of requests so you can focus on more strategic projects.

Before launching a delegated development program, take a step back and confirm you do not already have a viable low-code platform in place. A number of SaaS platforms are built on an application platform-as-a-service (PaaS) that offers tools for declarative programming low-coders can use to define, customise, and create new apps without writing a line of code.

Once you’ve determined whether or not you need to implement a low-code platform, you’re ready to take the first step. Since the Major League Baseball playoffs are underway, football season has begun, and the NBA tips off this month, let’s stick with the sports theme for this next recommendation: embrace the MVP.

I’m not recommending you select someone as your organisation’s Most Valuable Player. Rather, look to implement what I call the “minimum viable product” to help you deliver apps to users faster than ever. A primary benefit of low-code development is speed. The quicker you get your apps to users, the quicker they can provide you with feedback that you can use to guide iterative development. Users prefer apps that do one thing, maybe two, very well. Rather than building all-in-one apps that try to do everything, select one function for your app and make sure it excels at performing it.

The key to achieving and maintaining this speed consistently is to create workflows that automate traditionally manual processes. A good low-code development platform can replace manually-intensive tasks like trading emails and updating spreadsheets with collaborative workspaces and automated business processes to streamline the flow of work.

Facilitating collaboration will help you break down the silos that typically separate the individual lines of business from one another. IT has the opportunity to lead the move away from what is likely a vertical and departmental approach to one that brings departments together to brainstorm and contribute to decision-making processes. Your low-code platform can be an invaluable tool for this effort by enabling you to architect, design and implement based on the requirements across the entire company. Again, IT is seen as the leader of the organisation-wide digital transformation.

Finally, strike a balance between providing users with freedom to create and collaborate without sacrificing control. You can provide low-coders with a platform featuring templates for building apps without administrative privileges. They have the freedom to create apps that help them get their work done, but within metaphorical guard rails that prevent them from accessing data they don’t have permission to see. One template can serve the needs of multiple departments, eliminating the need for IT to create multiple variations.

You may have noticed that the common thread woven through all of these recommendations is the goal of positioning IT as a partner to the entire business, instead of a roadblock that users try to avoid. Your users can move at the speed of business, and learn to rely on IT as an invaluable services provider that drives innovation. The result: IT evolves from its old role as Keeper of the Data Center to a modern services provider that helps users solve their own problems while also getting Shadow IT under control.



The Dark Web explained – what does it mean for online security?

Deep below the part of the internet that most of the public use every day, there exists an anonymous world known as ‘The Dark Web’. The hidden nature of The Dark Web can make it difficult to know exactly what goes on there, but it is frequently associated with financial fraud, file sharing and data breaches, including the sale of details from identity theft.

We delve into the subject of The Dark Web, examining how it works, what is shared there, the prices paid for personal financial data and what you can do to improve your own online security.

Infographic explaining the dark web
Source: Equifax



Vulnerabilities could leave thousands of Netgear routers exposed

Trustwave has released findings on new vulnerabilities discovered in 31 models of Netgear routers, adding up to a minimum of 10,000 vulnerable devices and possibly more than a million.

These new vulnerabilities allow an attacker to discover, or completely bypass, any password on a Netgear router, giving them complete control of the router, including the ability to change configuration, turn infected routers into botnets or even upload entirely new firmware. This comes on the heels of the December Netgear vulnerabilities, which were “Command Injection” based, showing the increasing severity of the issue in use of these routers.

Commenting on this, Mike Ahmadi, Global Director – Critical Systems Security at Synopsys, said “We have tested many routers and firewalls over the last decade, and have found vulnerabilities numbering in the thousands, using both fuzz testing and software composition analyses. Vendors typically build such devices for the stated functionality, which is to route traffic and block unwanted traffic, when used as intended.

“What many vendors fail to do, however, is adequately assess the inherent security of the devices they sell, thereby flooding the market with vulnerable devices. Some vendors have taken it upon themselves to address the inherent vulnerabilities, but the end user is often left guessing which devices are adequately tested, since there is currently no regulatory requirement to test to a given level of rigor, and any attempt to force such regulations is met with extreme resistance.

“The only way a consumer can determine the level of risk associated with a device is to run their own tests and determine what vulnerabilities are present, and use this information in procurement to force a vendor to fix the issues, or move on to another vendor that is doing a better job addressing such issues, or require a third party security audit, such as the UL CAP program.”



Ediscovery trends in 2017: from artificial intelligence to mobile data centres

Kroll Ontrack, the global provider of ediscovery technologies and services to companies involved in litigation and investigations, predicts a year of change in 2017 as organisations prepare for the new General Data Protection Regulation (GDPR) and the accelerated adoption of artificial intelligence.

Faced with the need to manage greater volumes of data as well as multiplying communications channels, organisations and their legal representatives will have little choice but to implement new technology-based processes to reduce the time needed to identify and manage information required to satisfy regulatory and legal demands.

The ediscovery industry will continue reshaping itself to meet these requirements in 2017, building on the huge international consolidation seen in the previous two years. As exemplified by the merger of Kroll Ontrack with LDiscovery in late 2016, ediscovery suppliers recognise the need for organisations to access local data processing centres and document review services in order to comply with data privacy regulations, and to partner with global firms that can provide these facilities anywhere in the world.

Against this backdrop, Kroll Ontrack makes the following predictions for 2017:


  1. Technology will play a vital role in helping organisations prepare for GDPR

The tough new General Data Protection Regulation currently being implemented in Europe will have a global impact. In cross-border litigation and investigations, where data needs to cross borders to comply with discovery requests, mobile discovery will become even more essential.  These solutions capture, process, filter and examine data on-site, avoiding the need to transfer data across borders. GDPR has strict rules for protecting individuals’ right to be forgotten and organisations will need the relevant tools to find and erase personal data. Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or four percent of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs.


  2. Ediscovery will find new homes beyond regulation and legislation

Ediscovery is widely used by professionals working on legal cases in litigation, regulation, competition law and merger control, employment law and arbitration.  This year, it will be used more and more in an anticipatory manner by organisations to identify, isolate and address any concerns about compliance that could expose them to the risk of some kind of intervention or sanction.  This trend will be exacerbated by the introduction of an increasingly complex and aggressive regulatory environment, as illustrated by the French Anti-Corruption laws adopted in November 2016.


  3. New sources of evidence will move into the spotlight

Enterprises are creating more data than ever before. Data can be found anywhere that there are storage devices to hold it, whether that is a data centre, laptop, mobile, on wearable devices or the cloud. Channels to move data from one place to another are also proliferating. As a result we are seeing a diversification of evidence sources being used to build up a picture of what has happened in a legal matter. Whilst email and structured data remain the most common sources of evidence, other data sources such as social media and satellite navigation systems are gaining in importance and providing key insights into many cases. Clients are increasingly choosing ediscovery providers who can integrate a wider variety of data sources into one platform for analysis.


  4. AI becomes good business practice

Savvy law firms and corporate counsel will benefit from bringing the latest technologies including artificial intelligence (AI) to the attention of their clients. A long line of court decisions in the United States, and now also in the United Kingdom and Ireland, have already driven greater interest in and adoption of predictive coding.  This technology learns from human document reviewers and automatically reviews and classifies documents accurately with significant cost savings.


  5. Big data will take centre stage in competition and data privacy matters

Regulators are becoming increasingly aware of the competition and data privacy implications of big data. From a competition point of view, big data held by companies can trigger both Articles 101 (relating to antitrust cases) and 102 (abuse of dominance cases) of the Treaty on the Functioning of the European Union (TFEU). This is highlighted by the joint report of May 2016 from the French and German Competition Authorities entitled Competition Law and Data, which explains that big data can trigger article 101 TFEU and thus be considered a cartel. Companies that handle substantial data volumes on a day-to-day basis will need to factor it into their compliance strategies and embrace technological solutions to aid in investigations.


  6. Authorities call for electronic submissions


Despite evidence becoming mostly electronic, until recently regulatory authorities still required the submission of hard copies of RFI forms, merger filings and other investigatory materials. However, the introduction of the European Commission’s eQuestionnaire for merger control and antitrust cases means parties must now submit all information electronically.

In December 2016, the EC also published guidelines entitled “Recommendations for the Use of Electronic Document Submissions in Antitrust and Cartel Case Proceedings”. It is important to note that the EC strongly encourages the use of electronic formats even for paper documents, which means they have to be scanned and made readable.

Tim Philips, Managing Director at Kroll Ontrack, said: “Ediscovery continues to provide essential tools and technologies for all manner of legal matters and allows companies to efficiently navigate through this era of big data, regulatory scrutiny and more stringent data protection requirements. 2017 is set to be another landmark year in terms of the adoption of ediscovery technology and the evolution of ediscovery technology itself.”



Share urges public to take the power back this Data Privacy Day

The security and privacy advice comparison website is encouraging people who feel helpless in the wake of the Investigatory Powers Act to make their privacy concerns heard this Data Privacy Day on the 28th of January. The Act is supposed to protect national security; however, recent FOI requests reveal that it has been used to secretly spy on UK residents, as reported in the Guardian, bringing into question its abuse.

Over the course of last year, the UK government made it legal for the “interception of communications, equipment interference and the acquisition and retention of communications data, bulk personal datasets and other information”. This means that communications companies will store the records of websites visited by every customer for 12 months, making them accessible to police, security services and other public bodies with a warrant.  The act applies to all UK residents, except it seems politicians – where any warrants to access their information will need the extra layer of the Prime Minister’s approval.

Lee Munson, security researcher at says that “businesses of all sizes are obligated to look after the personal information under their control, but we have seen countless cases including TalkTalk, where this information has been breached.  Now, with the government requiring communications companies to store more than just personal identifying information – information that points to habits, likes/dislikes and internet browsing history – privacy for UK citizens is eroding very quickly.  If there are ways for the ‘good’ guys to access this information at will, you can bet the bad guys aren’t far behind.  People have the right to know what information is being stored on them and what steps are being used to secure that information.”


The best ways for the public to take back some power over privacy:

  1. Send a subject access request under the Data Protection Act to your Internet Service Provider (ISP) or phone company to ask them to provide you with the data that is being stored on you and which government departments have had access to it.
  2. Sign the petition to repeal the Law, then
  3. Write a letter to your MP expressing your wish for repeal of the law that was branded unconstitutional by the European Court of Justice.  Ask your MP if s/he thinks it is right that s/he is exempt from the law while the rest of the public faces this attack on privacy.
  4. Make sure you use a Virtual Private Network (VPN) to protect your privacy online. Pick a VPN that isn’t based in the UK, doesn’t keep log files and scores highly for privacy.

surmises that if thousands of people submit requests and make their concerns tangible, then it will force the government to look more closely at the issue to protect its citizens not only from the threats of acts of terror, but from cybercriminals or nation state actors that might exploit their information.

Data Privacy Day is held every 28th of January and is an international effort to encourage Internet users to consider the privacy implications of their online actions and encourage prioritizing data protection in all corporate fields.

“The hope is that, with enough people showing concern for their privacy, the government will have to consider it.  It’s not just about names on a list that can be easily ignored – these requests will require action,” said Munson. has submitted its own Freedom of Information request to the government which will be made available when the answers are forthcoming.

For the full blog post with details of how to submit a subject access request and a sample letter to an MP, please see the blog.



Digital Labour – Are you ready?

By Chris Bedi, CIO, ServiceNow

Digital labour can be a game changer. But, so far, we haven’t seen enterprise adoption take off. This will start to change in 2017.

Advances in automated bots, machine learning, cognitive computing, and the availability of data of all kinds will finally start having a real, meaningful impact on the enterprise, enabling organisations and individuals to reach previously unseen levels of productivity and drive growth through new capabilities.

But we should not expect this transformation to happen overnight. The transition from a largely human workforce to one where digital labour plays a major role will be met with many sceptics. The truth is that a lot of IT remains sceptical of the digital labour movement. Over the years, IT has seen too many technologies promise great things and under-deliver. I believe the technologies are finally there where IT organisations can lead the next wave of productivity across the enterprise. The transition will surely include some elimination of human labour; however, greater value will be achieved by freeing human labour from routine tasks which don’t really create business value. It will cause organisations to redefine jobs and examine future skill set requirements.

Progressive CIOs will move beyond discussions and start experimenting with digital labour solutions in the first half of 2017 with real implementations taking off in the later part of the year. Like other disruptive technologies—cloud, mobile and social—it will take time for enterprise business leaders and workers to get past the FUD (fear, uncertainty and doubt) and understand how digital labour can better their business. We’ll see progress on two fronts this year that will increase workers’ comfort level with digital labour and help to pave the way for enterprise-wide adoption in the future.

The End of Busy Work

Employees spend 2 out of 5 business days each week on routine work that is not core to their jobs. Using manual tools that are ill-suited to the tasks they need to complete—email, spreadsheets, personal visits— they waste almost as much time on busy work as they spend on doing the real work.

A McKinsey multi-year study found about 60 percent of occupations could have 30 percent or more of their constituent activities automated. And IDC believes that by 2020, 60 percent of the G2000 will double their productivity by digitally transforming many processes from human-based to software-based delivery.

Automation can certainly help where there are a lot of manual or semi-manual repetitive processes. CIOs need to assure IT and line of business staff that the robots won’t take over. But repetitive, rule-driven business tasks increasingly will become codified. Not every task is ideal for automation. Processes that are high volume, span multiple systems, collate data from various sources or involve data entry are good candidates for software robots.

It’s the CIO’s role to help business lines identify those capabilities that truly add value and spend less effort on those that don’t. Automating processes can allow workers to focus on business issues, not busy work, and enable companies to reduce costs and improve quality and scalability.

According to ServiceNow’s State of Work research, organisations with 5,000 employees collectively across the United States could save $575 billion a year by automating unnecessary tasks and inefficiencies, which would equal a 3.3 percent gain in the U.S. GDP, or approximately the combined annual profits of America’s 50 largest public companies.

Machine Learning Lets Us Reach Our Potential

Digital labour is not all about labour costs savings. Because bots access applications through the user interface, just as humans do, they can be a less problematic method for integrating disparate systems. Software robots can compare data gathered from different systems that humans once had to reconcile. But the bots can do it faster, better, and never have to take a break. This will open the door to a new level of intelligence.

As the bot landscape expands and bots improve through machine learning, they will move beyond basic tasks in 2017. Chatbots will provide individual contextual recommendations that will be used to positively alter employee behaviour. Chatbots will serve as digital virtual assistants to help workers reach their highest productivity. Based on ever-increasing data inputs, bots will evaluate how workers’ time is spent, make recommendations to improve productivity and quality, and suggest best practices through the use of algorithms and bot-driven benchmarking. Essentially, all of our data will be synthesised by a machine, and the machine will tell us what to do next—the data will drive our day. According to Gartner, by the end of 2017, at least one commercial organisation will report significant increases in profit margins because of algorithms used to positively alter employee behaviours.

Does this mean we’ll all be taking orders from a bot one day? Possibly. But today, humans are not yet ready to move to a purely robotic world. We are decades away from robots taking over, if ever. At the same time, we are quantifying information like never before—we create 2.5 quintillion bytes of data every day. It is impossible for humans to manage all of this data and analyse all of the relationships between people, information and things. The highest levels of intelligence will be achieved when machines understand activities, context and motivation and can make the appropriate decisions for humans so that we can focus on the issues that only humans can solve.

As technology leaders, CIOs have the opportunity to start the digital labour revolution in their own backyard. By enhancing their own service delivery models through automation, machine learning and artificial intelligence, CIOs and their IT teams can gain the experience needed to deliver, manage and optimise an enterprise-wide rollout of digital labour solutions in the future. Ultimately, the companies that strike the right balance between digital labour and human labour will come out on top.




How artificial intelligence can defend against IoT-based cyber attacks

Bryan Lillie, Chief Technology Officer at QinetiQ, explores the current threat of IoT-based cyber-attacks and suggests a novel method that could defend against them

By 2020 it is estimated that the global internet of things (IoT) market will have grown to more than $1.7 trillion. According to a study by Gartner, by the end of this year alone the number of IoT devices on the planet will have reached more than 4 billion. It is not unreasonable to suggest that by the end of this decade, these devices will outnumber humans.

Such exponential growth has facilitated two major developments. It has boosted technology markets around the world and it has warped the landscape of cyberspace. The information superhighway that constitutes our digital communications can now be accessed through a plethora of different tools. From fridges and cars to medical instruments and children’s toys, the IoT has given rise to an era in which almost every technology is being gifted with a connection to the internet, causing this superhighway to grow in size and become multifaceted.

For the cyber security industry, this has made cyberspace increasingly difficult to defend, with existing security methods having remained relatively stagnant in comparison to this rapid evolution. Artificial intelligence is one of the few technologies that is part of this new era of connectivity and therefore may offer a solution to the underlying problem within the IoT sector. This problem stems from the lack of security on IoT devices, a problem exacerbated by the sheer number of them. The vast majority of devices sport low-end processors and have limited capacity. Some altogether lack the capability to be extended with security software. When you’re competing for processing power and space, security is either a secondary consideration or not considered at all by many manufacturers. This has seen the IoT become a prime target for cyber-attacks and is regularly exploited by cybercriminals.

Take healthcare. Patient monitoring systems are becoming connected to allow for continuous tracking and potentially, automated care routines. Yet there is proof that these can be hacked through a simple USB drop, providing a route to then infiltrate the wider hospital network. The construction industry is undergoing similar transformations as a result of the IoT revolution. Building management systems (BMS) are being installed within constructions, allowing buildings to become more connected. Called Building Information Modelling (BIM), this new industry is expanding and is seeing technologies placed within constructions to track use across their lifespan and allow for better management of facilities. IoT is now a catch-all term that is not necessarily limited to just ‘things’. Infrastructure itself is becoming part of the internet, expanding cyberspace on a grand scale.

The combined factors of intense growth and little regard for security have created an interconnected network with numerous vulnerabilities that stretches across the globe and is allowing compromised IoT devices to frequently become staging posts for more serious hacks in networks. Most recently, IoT devices were used to host malicious lines of code that served as a launching pad for a series of DDoS attacks on popular websites. Unknown perpetrators gained access to thousands of home devices by hacking easy-to-guess default passwords, hijacking the devices and using them to down popular websites such as Twitter, Reddit, Spotify and many others.

Traditional security measures are not always effective in dealing with this rapidly emerging threat. But recent strides in artificial intelligence have the potential to provide a new level of advanced cyber security that could prove highly effective in contending with the unconventional and dispersive nature of IoT cyber-attacks. These programmes sit within systems, adapting their behaviour based on what they experience within that infrastructure. The potential this technology has for defending businesses is phenomenal. By studying an organisation’s network the programme can determine what characteristics of the environment are abnormal. Systems using artificial intelligence will gather information about the network and connected devices and subsequently seek out anything that is out of the ordinary. They can monitor incoming and outgoing IoT device traffic to create a profile that determines normal behaviour of the IoT ecosystem and react to the slightest irregularities in a way that traditional security software is unable to do. Machine learning developed for this purpose mirrors the immune system of a human, allowing a system to detect anomalies and adapt to cyber-attacks it has not recognised before.
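The profiling approach described above, as an added example that is not part of the original article: it learns each device's usual endpoints and per-minute traffic volume from constructed flow records, then flags new endpoints, volume outliers and devices with no baseline. The median/MAD score is a simple statistical stand-in for the machine learning the article refers to; all device names, hosts, the record layout and the thresholds are assumptions.

```python
"""Per-device behavioural baseline for IoT traffic (added illustration)."""
from collections import defaultdict
from statistics import median

Z_THRESHOLD = 3.5     # assumed cut-off for the robust z-score
MAD_FLOOR_FRAC = 0.05 # assumed floor: treat spread as at least 5% of the median


def _steady(device, dest, port, sizes):
    """Build one constructed flow record per minute for a well-behaved device."""
    return [(m, device, dest, port, b) for m, b in enumerate(sizes)]


# Constructed learning-period flows: (minute, device, destination, dst_port, bytes_out)
BASELINE = (
    _steady("cam-01", "video.vendor.example", 443,
            [1200, 1180, 1250, 1210, 1190, 1230, 1205, 1220])
    + _steady("thermo-01", "api.vendor.example", 443,
              [300, 310, 295, 305, 300, 298, 302, 307])
)

# Constructed observation-period flows.
OBSERVED = [
    (100, "cam-01", "video.vendor.example", 443, 1215),
    (101, "cam-01", "video.vendor.example", 443, 1200),
    (101, "cam-01", "203.0.113.50", 80, 48000),   # never-seen endpoint, large burst
    (100, "thermo-01", "api.vendor.example", 443, 304),
    (101, "thermo-01", "api.vendor.example", 443, 299),
    (100, "plug-07", "api.vendor.example", 443, 120),  # device absent from learning
]


def per_minute_bytes(flows):
    """Sum outbound bytes per (device, minute)."""
    totals = defaultdict(int)
    for minute, device, _dest, _port, nbytes in flows:
        totals[(device, minute)] += nbytes
    return totals


def build_profiles(flows):
    """Learn, per device, the set of endpoints and the median/MAD of bytes per minute."""
    endpoints = defaultdict(set)
    for _minute, device, dest, port, _nbytes in flows:
        endpoints[device].add((dest, port))
    volumes = defaultdict(list)
    for (device, _minute), total in per_minute_bytes(flows).items():
        volumes[device].append(total)
    profiles = {}
    for device, vols in volumes.items():
        med = median(vols)
        mad = median(abs(v - med) for v in vols)
        # Floor the spread so a very steady device does not alert on tiny jitter.
        profiles[device] = {
            "endpoints": endpoints[device],
            "median": med,
            "mad": max(mad, MAD_FLOOR_FRAC * med),
        }
    return profiles


def detect(profiles, flows, z_threshold=Z_THRESHOLD):
    """Return (device, minute, reason, detail) for every deviation from the profile."""
    findings, reported = [], set()
    for minute, device, dest, port, _nbytes in flows:
        profile = profiles.get(device)
        if profile is None:
            if device not in reported:  # report an unprofiled device once
                reported.add(device)
                findings.append((device, minute, "unprofiled-device", "no baseline"))
        elif (dest, port) not in profile["endpoints"]:
            findings.append((device, minute, "new-endpoint", f"{dest}:{port}"))
    for (device, minute), total in sorted(per_minute_bytes(flows).items()):
        profile = profiles.get(device)
        if profile is None:
            continue
        # Robust z-score: 0.6745 scales MAD to be comparable with a standard deviation.
        z = 0.6745 * (total - profile["median"]) / profile["mad"]
        if abs(z) > z_threshold:
            findings.append((device, minute, "volume-anomaly",
                             f"{total} B/min, robust z={z:.1f}"))
    return findings


if __name__ == "__main__":
    for finding in detect(build_profiles(BASELINE), OBSERVED):
        print(finding)
```
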

The rapid expansion of the IoT into various industries has afforded cybercriminals a new and almost completely undefended attack vector. As a result, cyberspace has evolved and the cyber security industry must evolve with it in order to effectively contend with these rising threats. Artificial intelligence offers one such solution and may provide the answer the cyber security industry is looking for. These advanced technologies have the potential to offer the appropriate defensive needs against a threat that is growing and altering very rapidly.



3rd Annual New Generation Operational Risk 2017

3rd Annual New Generation Operational Risk 2017 (14-15 March) will bring together industry professionals to provide a platform for discussion, insights and reviewing of the top priorities across the industry.

Operational risk is an area that is expanding in focus with many institutions deploying large resources and focusing attention on better management, understanding and most importantly adding value to the enterprise to overcome the direct and indirect risks associated.

The Center for Financial Professionals looks to provide high-level insight on critical operational risk areas through interactive panel discussions, thought provoking presentations, interactive Q&A’s, luncheon roundtables and extensive networking opportunities to further progress the discussions.

Key highlights addressed at the New Generation Operational Risk Summit


An overview of the regulatory landscape across operational risk from the PRA


A review of the roles of each line of defense across large banking organisations


Incorporating operational risk into a larger ERM framework and reviewing differing approaches


A review of the link between conduct risk events and reputation implications


Challenges, overview and uses of scenario analysis as a value adding exercise


Using risk appetite and use test for reflective results aligned with operational risk framework


Understanding supply chain and third party risks to better identify vulnerabilities


Reviewing the evolving model risk and requirements to ensure accurate reporting of stress test outcomes


The next generation of operational risks

Hear from over 20 senior operational risk presenters including:

  • Operational Risk Specialist, PRA Bank of England
  • Global Head of Three Lines of Defense, HSBC
  • EMEA Head of International Risk Oversight, Wells Fargo
  • Head of Operational Risk Governance, Legal & General
  • Head of Operational Risk Management Framework Programme, Royal Bank of Scotland
  • Executive Director, Operational Risk Management, MUFG Securities
  • Former Head of Policy, Risk and Regulatory Affairs, MUFG
  • Head of Operational Risk Framework and Policy, HSBC
  • Head of Resilience and Op Risk Unit, Technology & Operations, Santander
  • Head of Advanced Analytics UK, Santander UK
  • Non Executive Director, Permanent TSB
  • Head of People Risk, Yorkshire Building Society Group
  • Head of operational risk regulatory advisory, Credit Suisse
  • ED, Head of Framework, Design & Systems, UBS Investment Bank

If you would like more details on the operational risk management conference you can contact the Center for Financial Professionals on or +44 (0) 20 7164 6582.




93% of companies suffer technical challenges to protect data despite heavy investment in security

While data breaches destroy customer confidence, impact revenues, attract large regulatory fines and cost C-levels their jobs, 76% of data security professionals believe in the maturity of their data security strategy, according to a new study. Despite heavy investments in a variety of data security tools as part of their strategy, 93% report persistent technical challenges in protecting data.

“The Data Security Money Pit: Expense In Depth Hinders Maturity,” a January 2017 study conducted by Forrester Consulting on behalf of Varonis Systems, Inc. (NASDAQ: VRNS), a provider of software solutions that protect data from insider threats and cyberattacks, finds organisations “focused on threats rather than their data and do not have a good handle on understanding and controlling sensitive data.” The fragmented approach to data security exacerbates vulnerabilities and challenges, and 96% of these respondents believe a unified approach would benefit them, including preventing and more quickly responding to attempted attacks, limiting exposure and reducing complexity and cost. The study goes on to highlight specific areas where enterprise data security falls short:

  • 62% of respondents have no idea where their most sensitive unstructured data resides
  • 66% don’t classify this data properly
  • 59% don’t enforce a least privilege model for access to this data
  • 63% don’t audit use of this data and alert on abuses

David Gibson, Vice President of Strategy and Market Development with Varonis, states, “Many point products are designed to mitigate specific threats. If they’re used tactically, instead of supporting a strategy that improves the overall security of data, they can not only cost a lot of money, but also provide a false sense of security. Ransomware, for example, exploits the same internal deficiencies that a rogue or compromised insider might – insufficient detective capabilities and over-subscribed access. Too many organisations look for tools that specifically address ransomware, but neglect to buttress core defences that would mitigate more than just this specific threat.”

In order to provide the data visibility and controls organisations desire, the study states, “It’s time to put a stop to expense in depth and wrestling with cobbling together core capabilities via disparate solutions.” Almost 90% of respondents desire a unified data security platform. Within such a solution, 68% see the value of data classification, analytics and reporting to help reduce risk. Additional criteria include meeting regulatory compliance (76%), aggregating key management capabilities (70%) and improving response to anomalous activity (66%). In summarizing the findings, Forrester writes, “A platform can help to address concerns and challenges that have sprouted from trying to make use of many disparate tools, freeing up resources to allow for greater focus on ensuring that firms have the correct policies, procedures and remediation actions in place to meet business and data security strategy objectives.”

Wade Sendall, Vice President of IT, The Boston Globe, concurs, “Security products focus on one little piece of data security, which costs a lot of money and requires a lot of time. We’d like to think we don’t have any insider threats, but like anybody else, you really don’t know until you have a unified data security platform like Varonis to say ‘this is what’s going on.'”

Gary Hayslip, Chief Information Security Officer to the City of San Diego, states, “One of the greatest challenges a CISO faces involves data. It is incumbent upon our team to understand not only how our stakeholders work, conduct business and use data, but also what applications the stakeholders require; what data is important to them; and which data if compromised would critically impact the ability of the organization to conduct business. Varonis gives my teams and I insight into the flow of data throughout my 24 enterprise networks.”

The study surveyed 150 data security professionals in the U.S. and Canada. It is available for download at