Apple, Google Launch COVID-19 Exposure Notification Tool Yesterday
Mading available the first public version of their exposure notification API, which was originally debuted as a joint contact-tracing software tool. The partners later renamed it the Exposure Notification system to more accurately reflect its functionality, which is designed to notify individuals of potential exposure to others who have confirmed cases of COVID-19, while preserving privacy around identifying info and location data.

The launch today means that public health agencies can now use the API i in apps released to the general public. To date, Apple and Google have only released beta versions of the API to help with the development process.

To be clear, this launch means that developers working on behalf of public health agencies can now issue apps that make use of it - Apple and Google themselves are not creating an exposure-notification or contact-tracing app. The companies say that many U.S. states and 22 countries across five continents have already asked for, and been provided access to, the API to support their development efforts. techcrunch.com

Working-At-Home Security
 

New Remote Work Emphasis Drives Re -Accessing App Usage & Value
With Remote Work Here to Stay, IT Executives Reassess Tech Priorities
Information technology leaders at software companies including Dropbox Inc. and Elastic NV are preparing for an extended period of remote work, a process that involves signing up for some new workforce IT tools and culling others that seem superfluous.

Devices and data center systems are expected to see the largest drops in spending, while spending on public cloud services is expected to grow 19% this year, Gartner says.

About 74% of companies plan to permanently shift at least 5% of their previously on-site workforce to remote positions after the coronavirus crisis subsides, according to a Gartner survey of 317 financial executives from various industries on March 30.

Some executives say their workers will have the option to work remotely for the foreseeable future, even as local governments ease social distancing guidelines.

The goal is to prevent workers from needing to toggle between dozens of applications that are difficult to use.

Consider buying new tools, such as those that can analyze how specific apps are being used and which features within apps are being used by different teams, to help understand employee activity and engagement. wsj.com

Permanent Work-At-Home Growing - Here's Extensive List
Work-At-Home and Remote Access - It's Time for a Security Review
Government agencies and security organizations have recently provided updated standards and guidance to address these remote work challenges. Examples include:

- Cybersecurity and Infrastructure Security Agency (CISA),
- National Institute for Science and Technology (NIST)
- National Security Agency (NSA)
- Center for Internet Security (CIS)
- SANS Institute.

There's much valuable information to be found at each site. It's best to review these resources, select one or more that best fit a company's circumstances, and use it or them in the security review process.

Security for remote work should be part of a risk-based, comprehensive cybersecurity program. Risks from constantly evolving remote work, remote access, and collaboration technology should be included in the process of improving or developing an inclusive program.

Some important considerations include: jdsupra.com

Remember - 60% of Data Breaches Caused By Employees Leaving
How to Protect Company Data When Laying Off Remote Workers

What are the legal considerations around employee data on company-owned devices?

Schrader: While the European Union and other jurisdictions have significantly more restrictive and punitive personal-data privacy laws, in the United States, the employee generally has no privacy right to data they put on a company-owned system. That said, best practice would be to instruct the employee to remove any personal information on company-owned devices before the employee leaves. There also should be verbiage in the company's data policies and exiting-employee agreements that states that any personal data left with the company upon departure becomes the property of the company and can be destroyed at the company's discretion.

If the company is ever involved in a legal matter, it's possible that the employee's data could be collected as part of discovery. While not required, to be extra careful, the employee agreement could include a statement noting that the company is not responsible for any consequences of the employee's personal data being on any company-owned devices. That way, if it's ever mixed into such a discovery effort, the company can't be held responsible for any disclosure or misuse of that data. shrm.org

Scattered Teams - Reduced Headcount - Increased Incidents
Coronavirus Concerns: Security Teams Scattered, Enterprises Vulnerable
Throughout the past eight weeks, security teams, like many enterprise teams, have found themselves scattered as their organizations rapidly switched to remote work. And, in the transition, many security professionals have found themselves reassigned away from security tasks to other projects. It's hard to see how these changes haven't increased enterprise data and system risks.

Enterprise security risks are increasing as the move to home offices also increases the overall enterprise attack surface. "Most corporate IT users are not road warriors and their desktops, laptops, mobile devices, applications and network access were not designed to securely operate outside the corporate office," he said.

The biggest risks to come from these changes, Layton said, include ungoverned personal device use and the lack of corporate use policy being enforced. "The rush to get users online without a rigorous IT use policy or plan for security is opening lots of back doors to corporate networks," he noted. "Keeping everyone working at any cost has the potential to push security aside-hopefully only briefly."

Decreased Focus, Increased Risk

The scattering of security teams and of their focus could be taking their toll. According to a recent ISC2 Cybersecurity Pulse Survey, 23% of respondents said they have seen an increase in security incidents in their organization, while 47% of respondents said they have been reassigned from security tasks to IT tasks.

"It's vital for your IT and security teams to share information and work together to face these challenges." securitybloulevard.com

Phishing Doubled in March & April - Targets Remained Same As Before
'Coronavirus-Themed Phishing Fears Largely Overblown, Researchers Say'
As COVID-19-themed spam rises, phishing-not so much. An analysis of newly registered domains finds that only 2.4% are actually phishing sites aiming to steal credentials.

While many security firms have warned that massive spam campaigns employing coronavirus-themed messages in an attempt to fool potential victims into parting with their credentials, the incidence of COVID-19-specific phishing attacks is no higher than before the pandemic, according to a new report.

Lastline researchers found that 84% of newly registered domains did not have any content, while about 14% of domains led to a questionable landing page - or "gray zone" - that tried to sell counterfeit goods or questionable coronavirus-related products. Only 2.4% of sites were actually phishing for specific information from the victims, and only four campaigns, consisting of less than 800 URLs, were specifically designed to take advantage of the coronavirus pandemic.

"The volume of attacks using the topic of COVID-19 did not change," he says. "Overall, phishing grew very considerably in March and then in April - it has basically doubled according to our numbers. But the targets of those landing pages - Bank of America and Chase Bank are the top ones - remain the same as before." darkreading.com

Cisco's Call Center Product: Critical Java flaw strikes 'call center in a box', patch urgently
Organizations using Cisco's call-center platform, Unified Contact Center Express (Unified CCX), should update the software urgently, Cisco has warned.

"A successful exploit could allow the attacker to execute arbitrary code as the root user on an affected device," Cisco warns. zdnet.com

Account Takeover Attacks Are an Enormous Vulnerability for Which Many Merchants Are Unprepared

Riskified Survey Shows Merchants Endanger Their Revenue and Reputation but Have Done Little to Protect Themselves or Their Customers

Riskified, the payments and fraud-prevention solutions provider, today released a survey on the effect of Account Takeover (ATO) attacks on eCommerce merchants and customers. ATOs happen when a bad actor gains access to a legitimate customer's eCommerce store account and uses that account for fraud. The survey shows that ATO attacks have a huge negative impact on customers and merchants, damaging brand reputation and hurting merchants' bottom lines. Despite that, many merchants lack security measures, and more than one in three (35%) of merchants report that at least 10% of their accounts have been taken over in the last 12 months.

Sixty-six percent of merchants and 69% of customers say they are concerned about their accounts getting hacked. Purchases made using compromised store accounts are hard for merchants to detect, because they look like they are made by legitimate returning customers. ATOs are also very costly for merchants.

65% of customers say they would likely stop buying from a merchant if their account was compromised. More than half (54%) of customers say they would delete their account, 39% would go to a competitor, and 30% say they would tell their friends to stop shopping with the merchant. businesswire.com

Amazon Continues to Dodge Questions Over COVID Data
E-Commerce giant insists sharing data on coronavirus cases in its warehouses
isn't useful
Amazon is famed for its data-driven approach to management and decision-making. It measures worker "rates" to determine productivity; collected extensive local data as part of its search for a second headquarters; takes pains to predict what customers want next based on prior purchases; and frequently issues press releases dense with random stats about product sales. But when it comes to the total number of coronavirus cases in its warehouses, Amazon's view is, as one executive recently put it, that information isn't "particularly useful."

For weeks, the company has frustrated workers and critics by declining to provide information about the total number of confirmed coronavirus cases at its warehouses, which have become crucial hubs for household supplies. Despite numerous confirmed cases at Amazon warehouses across the country, and around the world, the e-commerce giant has downplayed the significance of releasing site or aggregate data, making it difficult to get a clear picture of overall infections at its sites.

An Amazon spokesperson told CNN Business that the company does track the information at a site level but maintains that the aggregate number is not informative to workers because it would include resolved cases.
cnn.com

'There's no other option:' Costco, Gap and other retailers sweeten online options but it's coming at a cost
Many retailers such as Walmart and Target were already expanding their e-commerce offerings prior to the coronavirus pandemic. The global crisis, though, has added greater urgency to that effort. Other retailers, such as Macy's and Gap, have used curbside pickup as a way to reopen as lockdowns lift. Online sales come at a higher cost, though, and bring new headaches, such as the need to train employees for new roles. cnbc.com

Zuckerberg announces Facebook Shops, making it easier for businesses to list products for sale

Amazon Pushing Prime Day to September