Each month, we’ll bring you a few of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss the debut of Salesforce Blockchain, zero trust security’s time in the spotlight, the Baltimore city government’s (cyber) hostage situation, and more.
At the TrailheaDX 19 conference, Salesforce recently introduced Salesforce Blockchain, a blockchain builder platform geared towards noncoders and those with limited blockchain and coding experience.
With the new platform, organizations can quickly build applications while placing more of the focus on design and business strategy. Companies can use APIs or prebuilt apps to integrate and interact with third-party blockchains from within Salesforce. Salesforce Blockchain is customized for Salesforce Lightning and contains three components: Blockchain Builder for building applications, Blockchain Connect for integrating blockchain actions with Salesforce apps, and Blockchain Engage for inviting partners to apps created in Salesforce.
Zero trust is under the spotlight as corporate America hopes to contend with hackers. Organizations are examining zero trust, an IT security model that restricts user access to resources based on rigid identity verification, to determine if it can effectively protect data. Although global spending on cybersecurity is increasing – jumping to $124 billion this year – the list of cyberattack victims is still expanding. Zero trust, however, could be a game-changer in the war against hackers. With its principles of verifying every user every time, validating every device, and strategically limiting data access, zero trust could circumvent the flawed approach of building a robust security perimeter to deter malicious actors. By eliminating trust and requiring consistent verification, zero trust could transform the cybersecurity landscape.
“Trust is a vulnerability.”
– John Kindervag, Field CTO, Palo Alto Networks
New York is considering its own GDPR-inspired data security law. State lawmakers are currently debating approval of the Stop Hacks and Improve Electronic Data Security Handling (SHIELD) Act, which would give New Yorkers clearer visibility into how, when, and where their data has been compromised. The upgrade of the state’s current data breach notification law would encompass more personal information and would require organizations to provide notification after ransomware infections.
Like GDPR, SHIELD would cover any business managing personal data of New York citizens, not just businesses operating in the state. Another similarity to GDPR is that the SHIELD Act would require notification of affected individuals without “unreasonable delay” – the difference is that GDPR requires notification within 72 hours, whereas the SHIELD Act considers “unreasonable delay” to be a time period of 30 days, according to state Sen. Kevin Thomas.
If passed, the SHIELD Act will go into effect in 2020.
After a massive breach in 2017, credit reporting giant Equifax is still cleaning up the mess. The latest SEC filing from the company shows their breach costs reaching $1.4 billion. The billion-dollar price tag includes legal fees, an overhaul of their information security program, investigation costs, improvements in application and network security, launching the Lock and Alert program, liability fees, and lost revenue.
However, there are still ongoing lawsuits, investigations, and other outstanding factors that could contribute to the final cost. The ultimate price, however, will likely be felt by Equifax for many years to come – the loss of trust by millions of consumers, globally.
“While this charge represents our current estimate to resolve many of the significant issues facing the company, we expect to incur additional losses associated with the other claims and litigation related to the 2017 incident. We will continue to work with all parties to bring these matters to closure as soon as possible, while balancing the needs of our company, employees, customers and shareholders.”
– Mark Begor, CEO, Equifax
New York representatives Kathleen Rice and John Katko introduced a bill that would require U.S. House members to complete annual cybersecurity training. The Congressional Cybersecurity Training Resolution of 2019 calls for annual training to be completed by January 31 every year, and new members would need to complete the training within 30 days of beginning service. The goal of the training program is to arm House members with the knowledge and skills necessary to protect government systems by improving awareness of cyberattack threats.
Currently, House officers and employees undergo training of this type, but the new bill would require it of all members.
“If we want to effectively counter those threats, then we need to make sure Members of Congress are equipped with the tools and knowledge to play an active role in this fight. Our employees and House officers are already required to take mandatory information security training, and it’s past time that Members are held to the same standard and bear the same responsibility.”
– Rep. Kathleen Rice
Hackers held the Baltimore city government hostage using a ransomware attack on around 10,000 city computers. The hackers demanded payment of 13 bitcoins – the equivalent of about $100,000 – to release all of the city’s systems and threatened to permanently delete files after ten days without payment.
While the FBI quickly intervened and took systems offline to avoid the spread of ransomware, the attack still managed to take down email, voicemail, and a payment system for utility bills, property taxes, and vehicle citations. So far, the city of Baltimore has refused to pay the ransom.
“Like any large enterprise, we have thousands of systems and applications. Our focus is getting critical services back online and doing so in a manner that ensures we keep security as one of our top priorities throughout this process. You may see partial services beginning to restore within a matter of weeks, while some of our more intricate systems may take months in the recovery process.”
– Bernard Young, Mayor of Baltimore
Per the latest report from the Office of the Australian Information Commissioner (OAIC), the personal information of more than 10 million individuals was compromised in a single incident. Though the report does not contain specific details on the origin or industry of that breach, it does show that the highest number of individuals affected by a finance-related breach was fewer than 500,000, and that the health industry’s three largest breaches each affected fewer than 5,000 individuals.
The OAIC introduced the Notifiable Data Breaches (NDB) scheme in February 2018 to drive awareness and action on personal information security in Australia. The scheme holds both organizations and government agencies accountable for conducting assessments if they have reason to suspect personal information was lost, accessed without authorization, or disclosed without permission.
“By understanding the causes of notifiable data breaches, business and other regulated entities can take reasonable steps to prevent them.”
– Angelene Falk, Australian Information and Privacy Commissioner