Top 5 Cyber-Secure Cities in the US and Abroad

The growing cyber threats across the globe are a sobering reminder that no matter where you’re located, hackers will find a way to exploit your business – or worse, an entire city. Cities all over the US, including major metropolitan areas like Atlanta, San Francisco, and Dallas, have all experienced some type of data breach or security incident, heightening the urgency for cities to place more of an emphasis on their cybersecurity initiatives. While municipal governments are faced with improving education, decreasing poverty levels, and improving their city’s economy, cybersecurity can easily get put on the back burner. However, the reality of advancing cybersecurity threats has people around the world asking, where are the most cyber-secure cities? Which cities are taking cybersecurity the most seriously?

How to Make a Cyber-Secure City

When it comes to being a cyber-secure city, there are a few key components that come into play:

  • Financial Investment: Investing in cybersecurity is not cheap. In fact, many cities – especially smaller cities – are often targeted by malicious hackers because they don’t have the funds to invest in or create a robust information security program. Considering this, cities where large venture capitalists and investors are likely to reside are better placed to fuel cybersecurity awareness and establish strong cybersecurity programs.
  • Research and Development: The threat landscape is ever-changing and malicious hackers continue to be creative and cunning. Cities that are cyber-secure will be hubs for research and development of new cybersecurity best practices and initiatives to combat these increasing threats.
  • Cybersecurity Personnel: There’s a deficit of nearly 2 million cybersecurity professionals around the world. Cyber-secure cities will be those that can attract cybersecurity professionals by providing ample housing, funding, and competitive job opportunities.

What Cities are Most Focused on Cybersecurity?

1. New York City, New York

New York City is a well-known hub for the financial services and banking industry, but there’s so much more to the city than Wall Street. In October of last year, the New York City Economic Development Corporation (NYCEDC) recognized this and put plans into action to establish Cyber NYC, an initiative dedicated to growing New York City’s cybersecurity workforce, helping companies drive innovation and business development, and building networks and community spaces. Made up of six unique efforts, Cyber NYC helps position New York City as a cyber-secure city because of its focus on financial investments to grow cybersecurity awareness, research and development of cybersecurity attacks and best practices, and booming economy that will attract cybersecurity professionals.

2. Silicon Valley, California

While Silicon Valley has established itself as the tech start-up capital of the world, it also has all of the key components to make it one of the most cyber-secure cities. Not only have some of the world’s most advanced technologies grown out of Silicon Valley, there are ample venture capitalists, entrepreneurs, researchers and developers, and a burgeoning economy to attract cybersecurity professionals. In addition to this, the state of California recently introduced the California Consumer Privacy Act (CCPA), giving consumers in California more control over how their personal data is used. California’s focus on ensuring the privacy and security of consumers’ data, in conjunction with the growing technology industry located in Silicon Valley, helps position Silicon Valley as a cyber-secure city.

3. Boston, Massachusetts

Though not quite up to the same caliber as New York City and Silicon Valley, Boston is quickly positioning itself as one of the United States’ most cyber-secure cities. With both Harvard and MIT located within the city, there’s no shortage of cybersecurity research and development, financial investors, or cybersecurity professionals.

4. Tel Aviv, Israel

Given Israel’s geographic location, advancing security threats, growing start-up scene, and reliance on military intelligence, it’s no wonder that Tel Aviv is one of the most cyber-secure cities. In fact, Tel Aviv and its innovative businesses have positioned themselves as leaders in the cybersecurity industry – the founders of Cyber NYC even went so far as to choose Israeli partners to establish their Global Cyber Center innovation hub.

5. London, United Kingdom

London’s cybersecurity initiatives are some of the most robust of their kind in Europe. Similar to Cyber NYC, London’s cybersecurity startup accelerator, Cyber London, or CyLon, is dedicated to helping businesses develop information security technology and products, furthering the city’s focus on cybersecurity. London is also home to some of the world’s most prestigious universities and research facilities, making it an attractive hub for cybersecurity professionals. All in all, London is an up-and-coming cyber-secure city.

Whether located in the United States or across the globe, cyber-secure cities are continuing to develop at a rapid pace. Want to learn more about the latest cybersecurity initiatives or how KirkpatrickPrice can keep your organization’s data secure against advancing threats? Contact us today.


Cybersecurity Expectations for Financial Institutions

Social Security numbers, credit information, account balances, PINs, cardholder data, mailing addresses, email addresses – it’s all available to financial institutions. Malicious attackers targeting financial institutions isn’t a new threat. In 1984, someone stole a credit file password from Sears for TRW Information Systems and posted it on an electronic bulletin board. This password gave access to a credit file containing names, addresses, birth dates, credit limits, and Social Security numbers of 90 million people, and that information could in turn be used to get credit card numbers.

As these types of organizations rely more and more on technology, they become bigger targets for malicious attackers. How can financial institutions protect themselves from cyber threats? What are the risk management and cybersecurity expectations for financial institutions?

Cybersecurity Expectations in the US

In March 2017, the New York State Department of Financial Services Cybersecurity Requirements Regulation for Financial Services Companies Part 500 (NY CRR 500) of Title 23 went into effect, establishing new cybersecurity requirements for financial services companies. It states, “Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances.” NY CRR 500 requires that financial services companies (covered entities) develop a cybersecurity program that protects the confidentiality, integrity, and availability of sensitive customer information and information technology systems.

In February 2018, the US Securities and Exchange Commission (SEC) issued interpretive cybersecurity guidance, which builds upon the Division of Corporation Finance’s guidance from 2011, for public companies to follow when dealing with cybersecurity incidents and risks. The guidance says, “…the investing public and the US economy depend on the security and reliability of information and communications technology, systems, and networks… Today, the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.”

In September 2018, the National Cybersecurity Center of Excellence (NCCoE) released the NIST Cybersecurity Practice Guides SP 1800-5, SP 1800-9, and SP 1800-18, with a specific use case for the financial services sector.

The cybersecurity expectations for financial institutions only continue to grow. In 2018, 24 states passed bills or resolutions related to cybersecurity. The legislative activity includes funding initiatives, public disclosure policies, promoting workforce training, and implementing improved cybersecurity practices. Outside of the US, we’ve seen the European Union implement GDPR, China implement The Cybersecurity Law, Singapore establish the Cyber Security Agency of Singapore, and the Brazilian National Monetary Council issue Resolution No. 4,658, among other legislation impacting cybersecurity expectations for financial institutions.

Best Practices for Cybersecurity Strategies

In the US alone, the majority of the cybersecurity guidance that’s been issued has similar recommendations: implement a cybersecurity policy, a formal risk assessment, and a formal way to manage third-party risk.

  • The need for financial institutions to create and maintain a cybersecurity policy based on the findings from a risk assessment is an integral part of cybersecurity. Among other elements like business continuity, asset inventory, and physical security, this cybersecurity policy must include information about relationships with vendors and third-party service providers.
  • Through a formalized risk assessment, organizations can determine what types of cyber risks face them and how dangerous those risks are. This intel gives organizations the ability to prioritize risk and create a more effective cybersecurity strategy.
  • One way to manage third-party risk is to develop and implement a third-party service provider security policy, which should include identification of vendors, risk assessment of vendors, the minimum cybersecurity requirements to be met by vendors, the due diligence process used to evaluate the competency of cybersecurity practices of vendors, periodic assessment of vendors based on the risk they present, periodic assessment of vendors to ensure the continued competency of their cybersecurity practices, access control management, the use of encryption for information in transit and at rest, and incident response procedures.

Real Threats to Financial Institutions

When Equifax reported its data breach that compromised millions of US consumers, the breach immediately became a headline. Breaches like this, but not as massive or as high-profile, occur all the time among financial institutions.

When breaches occur at financial institutions, the average cost per capita is $207. Banking Trojan botnets, Denial of Service attacks, skimming campaigns, malicious insiders – the threats aren’t stopping. What is your organization doing to protect yourself and meet the cybersecurity expectations for financial institutions? Contact us today to learn more.


You’re a Target for Cyber Attacks No Matter Your Business Size

It’s no secret that cyber threats are advancing at an alarming rate. Whether it’s through social engineering, malware, zero-day attacks, or DDoS attacks, every organization – no matter their size or industry – is at risk. While enterprise-level organizations are more likely to have the resources needed to mitigate these advancing threats, small businesses and startups alike must recognize that they are equally as likely to face a data breach or security incident.

Who’s At-Risk for Cyber Attacks?

No matter which industry you’re in, there are sensitive assets to be stolen. Protected health information, payment card data, Social Security Numbers, dates of birth, phone numbers, email addresses, confirmation numbers, travel reward numbers – malicious hackers want it all, and they won’t discriminate based on what industry you’re in or the size of your company. But because we often see data breaches of enterprise-level organizations in headlines, it can be easy to think that small and medium size businesses aren’t targets for cyberattacks. This couldn’t be further from the truth, though. In fact, according to the Ponemon Institute’s 2018 State of Cybersecurity in Small & Medium Size Businesses report, 61% of small and medium businesses experienced a cyber attack in the past year.

Are Cyber Threats the Same for All Businesses?

While the assets that startups and small businesses hold can be significantly different than enterprise-level businesses, many of the cyber threats remain the same. For example, whether a company has five employees or 500, the threat of an employee causing a data breach is still one of the top concerns businesses have to mitigate. Similarly, things like weak passwords, ineffective mobile device policies, vulnerable POS systems, and misunderstanding cybersecurity threats can cause all types of businesses to fall victim to a data breach or security incident. A startup and a Fortune 500 company could both have the most robust information security programs in the world, but if just one of their employees falls for a phishing scam, ransomware could compromise the entire organization. To put it simply: no organization is truly safe from cyber threats.

In 2013, the Target data breach impacted 40 million customers because malicious hackers were able to compromise their POS system with malware by stealing credentials from a third-party vendor. This exposed payment card data and later caused Target to pay an $18.5 million settlement. It’s easy to see why one of the largest retailers in America would be targeted by malicious hackers, but smaller retailers are just as vulnerable. In fact, considering that many small businesses utilize third-party vendors, the risk of experiencing a data breach or security incident significantly increases. The Ponemon Institute reports that in 2018, 43% of data breaches were caused by third-party mistakes and 37% were caused by external, malicious hackers. Like many other enterprises, Target was able to recover from their data breach because they had the resources to do so; many small businesses would likely not be as fortunate, which is why it’s imperative to recognize that you’re a target for cyber attacks no matter the size of your business.

When it comes to thinking about cybersecurity and the steps your organization needs to take to stay protected against the threat landscape, you need to consider the sensitive assets you hold that malicious hackers are after, not the size of your company. Are you sure you’re doing everything you can to stay secure? At KirkpatrickPrice, we’re here to help you regardless of the size of your company. Contact us today to speak to one of our Information Security Specialists to learn how KirkpatrickPrice can partner with you to strengthen your security posture and help you prepare against cyber threats.


How Can Employees in the Hospitality Industry Look Out for Social Engineering Attempts?

Employees in the hospitality industry are trained to meet needs, so it doesn’t take much effort for hackers to take advantage of their willingness to help. Employees are so valuable, but they can also be your weakest link. How much customer service is too much? When should an employee become suspicious of a guest or visitor’s behavior? Unfortunately, not often enough.

What is Social Engineering?

How sure are you that your employees can withstand a social engineering attempt? Social engineering is creative and engineered to trick your employees. Social engineering leverages and manipulates human interactions to compromise your organization. This could be something like bypassing a procedure and letting a guest into an employee-only area or believing someone’s unusual circumstances that lead to breaking policy. Eventually, these breaks in policy or procedure lead to malware or unauthorized access to your system. The stories that come out of social engineering engagements can be shocking to security officers and executives who believe that their employees would never fall for it – especially in the hospitality industry. Social engineering doesn’t require a lot of technology or complicated processes; all it needs is a distracted, careless, or maybe a too-accommodating employee.

Social Engineering in Hospitality

In the 2016 Erin Andrews-Marriott case, Andrews’ stalker was able to use the hotel restaurant’s house phone and asked to be connected to Andrews’ room. When the hotel complied with this request, he was able to see Andrews’ room number and discovered there was a room available next to hers. From there, he went to the front desk, requested that room, and was able to book it. Although the room was available, should the employee have let him book it, knowing a high-profile guest was in the room next door? Andrews’ stalker was then able to set up a camera through a peephole and record Andrews undressing, which he later released on the Internet.

Andrews asked in court, “Why didn’t they even call me to tell me? Why didn’t they ask? I was so angry. This could’ve been stopped. The Nashville Marriott could’ve just called me.” Why didn’t the Marriott employee recognize suspicious behavior? Why didn’t they tell her someone had requested a room that was, coincidentally, next to hers? This social engineering tactic worked on the front desk employee, eventually costing the hotel chain $26 million after Andrews sought justice for her privacy being violated. How many other times has a method like this one worked? The hospitality industry depends on guests and visitors feeling safe. When that trust is lost, how will your brand survive?

Social engineering with the intent of phishing is also a low-effort tactic for hackers. A simple attempt may look something like this: a hacker calls customer service to get help “confirming a reservation.” When the hacker offers to send the reservation information via email, the customer service representative doesn’t think twice about opening it. They’re just helping a customer, right? This is how quickly malware can enter into your organization when employees fall for phishing.

Not enough organizations test their employees with social engineering. It’s hard to convince organizations that our team of penetration testers will be able to manipulate their employees or environment, until they see the results. Even if employees mean well or cause unintentional harm, your employees are probably your weakest link and are highly targeted. Let us help educate your employees on ways they could be compromised during their day-to-day interactions.


What Happens in Vegas Doesn’t Always Stay in Vegas: Is Your Data Being Protected?

What do cities like Las Vegas, Atlantic City, Monte Carlo, and Macau all have in common? They’re some of the most lucrative cities in the world for gambling, which means that they all are at risk for data breaches. Whether it’s the casinos themselves or the hotels connected to the casinos, there are sensitive assets to be stolen. Let’s take a look at why the gaming industry is at such high risk for data breaches and how your business can prepare.

Threats to the Gaming Industry

The gaming industry has earned a reputation for strict, effective physical security, but what about cybersecurity? What data is being collected about players? How is it being stored? Who is protecting that data? Many people visit casinos because there’s a certain level of privacy that’s widely expected and provided; players feel that they can gamble and enjoy the allure of casinos without their identity being compromised. However, malicious hackers have no regard for privacy and will do everything they can to compromise sensitive data. Consider the following, for example. If a casino is connected to a hotel, what would happen if the networks weren’t segmented properly? A hacker may have found a way into the casino’s gaming network. From there, they could access the security cameras, manipulate odds, see payout information for each machine, alter rewards information, or worse. Not to mention, because casinos are often connected to hotels, restaurants, bars, and retail stores, they’re introduced to even more cyber threats. Point-of-sale systems, ATMs, employees – they’re all vulnerable.

Staying Protected in the Gaming Industry

We know that the large amounts of sensitive data, especially financial information, available at casinos make them that much more susceptible to cyber attacks. That’s why securing the sensitive data of players is critical to ensuring the longevity of the casino industry. If players can’t expect their data to be protected or they feel that they’re at risk of being exposed, why would they continue gambling at your location? In order to secure the data that fuels the casino industry, there are a few proactive steps that casinos can implement.

  1. Penetration Testing: Penetration testing, or ethical hacking, gives organizations insights into their security posture by showing them their security strengths and weaknesses through simulated yet real-world exercises. This means that organizations are then able to risk-rank security vulnerabilities and remediate accordingly, potentially preventing cyber attacks before they happen.
  2. Security Awareness Training: Like with all industries, employees pose one of the biggest threats to security at casinos. Whether it’s a blackjack dealer, bartender, or front desk receptionist, all employees are at risk for falling for cyber attacks. Implementing security awareness training for casino personnel will help employees identify, report, and prevent attacks from occurring.
  3. Incident Response Plan Training: It’s only a matter of when, not if, cyber attacks will occur and casinos must be prepared. Having an effective incident response plan in place is critical but practicing that incident response plan is equally as important. When an attack occurs, the incident response plan must be executed flawlessly, because if not, there could be costly implications. Conducting regular incident response plan training should be a top priority among casinos.
  4. Cyber Insurance: Because the average cost of a data breach is upwards of $4 million, in the event that a data breach or security incident does occur, casinos and other gaming institutions would be wise to have a cyber insurance policy that covers first-party coverages, such as coverages directly impacting the casino as a result of a data breach like loss of sensitive data, and third-party coverages, such as claims of other parties impacted by a data breach.

Case Study: Hard Rock Hotel & Casino Las Vegas

Over the last few years, the Hard Rock Hotel & Casino Las Vegas experienced a series of data breaches caused by hackers gaining unauthorized POS network access and installing POS scraping malware. Payment card information, including cardholder names, credit card numbers, and CVV codes were stolen. Though each data breach in the series of security incidents was slightly different, they each underscore the necessity for casinos, and especially resorts with numerous amenities, to implement a robust cybersecurity program that segments each part of the resort from each other. In Hard Rock’s case, only the hotel portion of the resort was impacted during the first breach in 2015. In 2016, however, the entire resort was impacted by malware.

While casino heists and hacks are often portrayed in Hollywood films, there’s nothing fictional about the threat of cyber attacks to casinos. Malicious hackers are creative and cunning, and their attacks are only getting more sophisticated. If your organization is committed to remaining secure in the gaming industry, don’t gamble on cybersecurity. Contact us today to learn how our audit, penetration testing, and consulting services can help keep you and your players secure.
