Guest Post, Author at Cyber Secure Forum | Forum Events Ltd - Page 7 of 14

How can businesses maintain IT security in a hybrid working model?


By Claire Price of QMS International, one of the UK’s leading ISO certification bodies

Businesses now have the green light to go back to work, but your organisation may not be returning to its old working practices. So, if a hybrid model is being adopted, what can you do to ensure that information stays secure?

The spread of homeworking has certainly piled pressure on businesses’ IT security.

At the beginning of 2021, QMS International carried out a survey of businesses about their cyber security and 75.7% of the respondents reported that they now felt more open to attack. Another 10% reported that they had no confidence in fending one off.

And businesses have a right to be worried. According to CybSafe’s analysis of reports made to the UK’s Information Commissioner’s Office (ICO), the number of ransomware incidents reported in the first half of 2021 was double that of the first half of 2020.

Malicious emails have also been redirected to attack those working from home. Data supplied by Darktrace to The Guardian revealed that the proportion of attacks targeting home workers rose from 12% of malicious email traffic before the first lockdown in March 2020 to more than 60% six weeks later. With homeworking becoming more of a permanent fixture in business models, this trend is likely to continue.

While hybrid working offers your team the best of both worlds when it comes to office and home working, it also leaves your business open to the unique risks associated with both, with the added bonus of those linked to transport and travel.

But this doesn’t mean you have to abandon this new way of working. With the right processes in place, you can ensure your information stays secure, no matter where your staff are based.

Carry out a risk assessment

First things first – you must carry out a risk assessment.

Knowing the precise risks your business faces is key to developing methods of removing or mitigating them, but assessments like this are often overlooked. In fact, QMS’ cyber report found that 30% of respondents admitted that no new information security risk assessments had been carried out, despite changes to working practices.

Discover the risks, analyse their likelihood, and then decide if and how they can be controlled. This will give you the grounding you need to build your wider hybrid IT strategy.

Train and test your team

With cyber-attacks on the rise and remote workers being more vulnerable, it’s crucial that your hybrid team know what to look for and, just as crucially, how to report anything suspicious. The best way to do this is through training, which can now be carried out very effectively via e-learning.

This training should cover common cyber-attacks – such as phishing emails – how to spot them, the fundamentals of social engineering, and how to report suspicious activity. Ideally, this training should be refreshed regularly as new cyber threats emerge. You may also like to include training on the safe use of video calls and how to ensure video cameras are switched off when not in use.

To check that the training has stuck, run phishing simulations: craft realistic but harmless phishing emails, send them to your employees, and measure who clicks, who enters credentials and, just as importantly, who reports the message. This is an awareness exercise rather than a penetration test, which assesses your systems and applications rather than your people, and the click rate over successive rounds is the real measure of whether the training has been effective.

Address access

When your hybrid team aren’t in the workplace, they will need to access servers and files remotely. This will often be via a VPN (Virtual Private Network), so it needs to be kept as secure as possible: patch the VPN gateway promptly (exposed VPN appliances are frequently targeted), require multi-factor authentication to connect, and grant access only to the systems each role actually needs rather than to the whole network.

Remote workers will also be relying on their home Wi-Fi, which may not be as well protected as the Wi-Fi in your office. Encourage your team to set strong, unique passwords for both the Wi-Fi network and the router’s admin interface rather than keeping the defaults printed on the base of the router, and to install router firmware updates when they are offered.

Workers need to be cautioned about free Wi-Fi hotspots too, whether on the train or in a coffee shop. Public Wi-Fi is notoriously insecure: anyone can stand up a hotspot with a convincing name, and traffic that is not encrypted can be read or altered by whoever runs the network. If working on public Wi-Fi cannot be avoided, the VPN should be connected before any company system is used.

Think about physical protection

If your workers are going to be travelling between locations, then they are going to have to carry equipment such as laptops, phones and removable media with them. If something is lost or stolen, your business information could be compromised. Indeed, IBM’s Cost of a Data Breach report revealed that around 10% of malicious breaches are due to a physical security compromise.

A solid back-up protocol is key to ensuring that any lost information can be recovered. A robust password and access process is also a must: two-factor authentication makes logging in more secure, and full-disk encryption on laptops and phones means a lost device does not become a lost dataset. Make sure you also have a protocol in place so that if your team do report something as lost or stolen, you can act quickly, for example by revoking the device’s access and wiping it remotely.

When working remotely, you need to ensure that your staff keep their physical devices safe too. Equipment should be kept out of sight when not in use and papers stored away. If your workers are printing content, you may also need a safe disposal or destruction policy in place.

To prevent prying eyes seeing something they shouldn’t, workers should lock their screens when away from their workspace, whether they’re in the office or at home. And if any of your team do want to work while in public, they should be cautioned about the kind of work they perform – who knows who’s sitting next to you?

Create a culture of security

If you really want to take information security to the next level, you may want to consider a more wide-reaching measure such as ISO 27001.

ISO 27001 is the international Standard for information security management, and it is designed to help organisations integrate information security into every aspect of business.

Its 114 Annex A controls (in the 2013 edition of the Standard) tackle every angle of security, including physical, legal, digital and human, bringing them together to enable you to maintain compliance and show employees, customers and stakeholders that you have the processes in place to protect information from theft and corruption.

Going forward, it could give you the framework you need to adapt your practices to suit your new hybrid working model and any changes in the future.

How much does penetration testing cost?


By Redscan

Making sense of pen test pricing

Commissioning a penetration test is an important step in enhancing your organisation’s cyber security resilience. Pen testing costs range from a few thousand for a narrowly scoped assessment to considerably more for a large or complex one, so it’s essential to ensure that the pen testing you select enables you to achieve the best security outcomes from your budget.

Every organisation has its own testing requirements and penetration testing pricing varies according to the type of test performed as well as its overall objectives and duration. Penetration testing costs ultimately depend on the issues and requirements identified during the initial scoping phase.

The importance of pen test scoping

Most penetration testing companies charge for pen testing on the basis of a day rate. As a result, it’s important that the scoping stage of an assessment is conducted effectively, so that a quotation is as accurate as possible and you don’t end up paying extra for unwanted elements.

At Redscan, we focus on ensuring that our clients gain the maximum value from their investment in a pen test. The scoping process allows us to identify the type of assessment best suited to your needs. It is the point when we work with you to define the full remit and goals of the pen test, including itemising the systems, assets and applications to be assessed.

Factors that affect pen testing costs

The number of days required to perform a pen test depends on factors including:

  • Type of test
  • Automated vs manual testing
  • Testing methodology
  • Remote or on-site testing
  • Experience of tester
  • When the test is conducted
  • Level of reporting
  • If retesting is included

Maximising the value of pen testing

Pen test pricing can vary significantly, but identifying the right provider to help accurately scope requirements makes assessing pen test quotations much more straightforward. As a CREST-certified company, Redscan performs testing to the highest technical, legal and ethical standards.

To learn more about how to achieve the best outcomes from penetration testing read the full article here.


WEBINAR: Keeping critical national infrastructure secure


Cyber-attacks are now arguably the biggest threat to the UK’s national infrastructure. In recent months we have seen ransomware on food production and fuel transportation wreak havoc in the United States. So how are we keeping the UK safe?

Join Varonis Field CTO, Brian Vecci, as we host a panel session with senior experts from Sellafield Ltd, Royal BAM, The National Cyber Security Centre and more on Friday 10th September at 2pm.

We will discuss the threat landscape, responding to breaches and how to implement controls and provide visibility across expansive and complex IT estates.

Our panelists and IT experts will also dive into:

  • Real-life war stories of APT attacks and more
  • The actual cost of a breach and how to recover
  • Understanding and implementing the NIS Directive
  • Common entry points for attackers
  • Supply chain attacks

Register here for your exclusive Zoom invite link to the session.

The email authentication challenge


Email is the #1 way attackers target an organisation’s customers and email ecosystem. DMARC (Domain-based Message Authentication, Reporting and Conformance), specifically with an enforcement policy of p=reject, is the single most effective way to stop attackers sending mail that carries your exact domain in the From: header. It does not, on its own, stop lookalike domains or mail sent from a compromised legitimate mailbox, so it complements rather than replaces user training and inbound filtering.

While the premise of authentication is straightforward, organisations can encounter roadblocks and challenges along the way to an enforcement policy. These include:

  • The “many sender” problem: every third party that legitimately sends mail as your domain must be covered by SPF or DKIM before you can enforce
  • Ongoing configuration and record maintenance in DNS
  • The cost of “doing it wrong”: a p=reject policy applied to a domain whose legitimate senders are not yet authenticated blocks your own mail

Managing this kind of complexity requires powerful, smart tools that organise the various sender, brand, and infrastructure relationships for you. Whether you are creating your own SPF, DKIM and DMARC records, or having Agari host them, Agari’s automation features will get you to enforcement quickly.
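The following script, added here as an illustration rather than code from Agari or the original post, makes the three roadblocks concrete. It parses a constructed DMARC record, counts the DNS lookups an SPF record triggers through its include: chain (RFC 7208 allows at most ten; exceeding that is a permerror that fails SPF for every sender, which is the “cost of doing it wrong” for a domain with many senders), and computes the DMARC disposition for a handful of constructed messages. The domains, records and messages are all assumptions, and the policy lookup is deliberately simplified as noted in the docstring.

```python
"""Offline DMARC disposition and SPF lookup-limit checks on constructed DNS records.

Added example: not Agari's code and not from the original post. The TXT answers are
constructed; a real receiver fetches them from DNS. Simplified on purpose: the policy is
read at the exact From: domain (no organisational-domain fallback, sp= or pct=), and the
organisational domain is the last two labels rather than a Public Suffix List lookup.
"""

# Constructed zone: example.com enforces p=reject and relays through several third
# parties (the "many sender" problem); example.org only monitors with p=none.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-rua@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "example.com": ("v=spf1 ip4:192.0.2.0/24 include:_spf.crm.example "
                    "include:_spf.mailer.example include:_spf.helpdesk.example -all"),
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.crm.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.mailer.example": ("v=spf1 include:p1.mailer.example include:p2.mailer.example "
                            "include:p3.mailer.example include:p4.mailer.example a mx -all"),
    "p1.mailer.example": "v=spf1 ip4:198.18.0.0/24 -all",
    "p2.mailer.example": "v=spf1 ip4:198.18.1.0/24 -all",
    "p3.mailer.example": "v=spf1 ip4:198.18.2.0/24 -all",
    "p4.mailer.example": "v=spf1 ip4:198.18.3.0/24 -all",
    "_spf.helpdesk.example": "v=spf1 ip4:198.18.4.0/24 -all",
    "example.org": "v=spf1 mx -all",
}
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: exceeding it is a permerror

def spf_lookup_count(domain, dns=DNS_TXT, _seen=None):
    """Count DNS-querying SPF terms reachable from domain, recursing into include/redirect."""
    _seen = set() if _seen is None else _seen
    if domain in _seen:  # an include loop is itself a permerror; stop counting
        return 0
    _seen.add(domain)
    record = dns.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # strip the qualifier
        name, _, target = term.partition("=" if "=" in term else ":")
        if name.lower() in SPF_LOOKUP_TERMS:
            count += 1
            if name.lower() in ("include", "redirect"):
                count += spf_lookup_count(target, dns, _seen)
    return count

def spf_record_ok(domain, dns=DNS_TXT):
    """False when the record would permerror, at which point SPF passes for nobody."""
    return spf_lookup_count(domain, dns) <= SPF_LOOKUP_LIMIT

def parse_dmarc(txt):
    """Return the DMARC tag dict, or None if txt is not a usable DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def org_domain(fqdn):
    return ".".join(fqdn.lower().split(".")[-2:])  # assumption: no Public Suffix List

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(msg, dns=DNS_TXT):
    """(result, action) for a message whose SPF and DKIM outcomes the receiver has computed.
    msg keys: from_domain, spf_domain, spf_result, dkim_domain, dkim_result."""
    policy = parse_dmarc(dns.get("_dmarc." + msg["from_domain"].lower(), ""))
    if policy is None:
        return "none", "deliver"  # nothing published: DMARC does not apply
    spf_ok = msg["spf_result"] == "pass" and aligned(msg["from_domain"], msg["spf_domain"], policy["aspf"])
    dkim_ok = msg["dkim_result"] == "pass" and aligned(msg["from_domain"], msg["dkim_domain"], policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]

# Constructed messages as a receiver sees them after evaluating SPF and DKIM.
LEGIT = dict(from_domain="example.com", spf_domain="bounce.example.com", spf_result="pass",
             dkim_domain="example.com", dkim_result="pass")
SPOOF_COM = dict(from_domain="example.com", spf_domain="attacker.example", spf_result="pass",
                 dkim_domain="", dkim_result="none")
SPOOF_ORG = dict(from_domain="example.org", spf_domain="attacker.example", spf_result="pass",
                 dkim_domain="", dkim_result="none")
# Legitimate but unsigned vendor mail once example.com's SPF record overran the limit.
VENDOR_UNSIGNED = dict(from_domain="example.com", spf_domain="example.com", spf_result="permerror",
                       dkim_domain="", dkim_result="none")

if __name__ == "__main__":
    for d in ("example.com", "example.org"):
        print(f"{d}: {spf_lookup_count(d)} SPF lookups, within limit: {spf_record_ok(d)}")
    for label, m in [("legit", LEGIT), ("spoof .com", SPOOF_COM),
                     ("spoof .org", SPOOF_ORG), ("unsigned vendor", VENDOR_UNSIGNED)]:
        print(f"{label:16}-> {dmarc_disposition(m)}")
```

Run with python3 it reports that example.com’s record needs 11 lookups, so SPF alone cannot carry that domain to enforcement and every sender has to be DKIM-signed first; the spoof of example.com is rejected, the unsigned vendor’s legitimate mail is rejected too, and the spoof of example.org, still at p=none, is delivered. That last case is why monitoring mode is only a stepping stone.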

According to a study from Forrester Research, DMARC deployments using automated implementation tools like Agari have been shown to drive phishing-based brand impersonation scams to near zero almost instantly. Today, customers in numerous categories use Agari Brand Protection to manage nearly 257,000 domains with 81% at p=reject—far outperforming their industry peers.

Global adoption of DMARC topped 10.7 million email domains worldwide in 2020—reflecting a 32% increase in just six months as per H1 2021 Email Fraud and Identity Trends Report.

Agari Brand Protection™ solves these challenges.

WEBINAR: Ransomware Has Evolved, And So Should Your Company


By Veriato

2021 has been an interesting year for ransomware attacks so far. After plaguing countless victims with dreaded ransom notes and bringing Colonial Pipeline and other large corporations to their knees, ransomware has built a strong reputation for inflicting cyber terror on consumers and businesses alike.

As cyber criminals noticed increasing success from this method, the trend shifted towards more targeted enterprise attacks with potentially more lucrative payouts. Criminals also saw the growing demand for these attacks on the dark web as a business opportunity, and began making attack kits more easily accessible. This new kind of service removes the burden of coding and crafting attacks from the affiliates who carry them out, reducing the difficulty of launching them. What once required a great deal of planning and preparation can now be purchased as a subscription or service.

What is Ransomware?

Also termed digital extortion, ransomware is a form of cyberattack in which criminals block access to prized digital possessions or resources and demand payment for their release. There are many variations of ransomware attack, but the common goal is usually to extort companies or users for money. For example, an attacker may encrypt all of your data and ask for payment in exchange for the decryption key. Without the key, your operations could end up being crippled.

One of the biggest trends in technology over the last decade has been the growth of subscription-based service models and products. Examples include Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and more. Instead of building or installing software directly in corporate environments, these companies give customers the ability to effectively rent access to the services they need without dealing with development, maintenance and back-end work. Given the high demand for ransomware, creative cyber-criminal entrepreneurs followed this trend and created Ransomware as a Service (RaaS), sparing attackers the effort of developing their own tooling.

Using these services, cyber criminals can launch advanced ransomware attacks with tooling bought from RaaS providers on the dark web.

Sign up for our latest webinar to learn more: Ransomware Has Evolved, And So Should Your Company.

Cybersecurity in Financial Services: Remaining compliant and reducing risk with automation


By LogRhythm

Businesses in the financial services sector have to manage enormous risk, wealth and volumes of personally identifiable information (PII), all while meeting strict regulatory requirements.

As the volume of financial data continues to grow, organizations face the task of continuously protecting that information while maintaining their reputation in the sector. Despite this, many security teams lack the resources and funding to keep up with the evolving threat landscape and the ecosystem of regulatory compliance rules.

The Complexity of Complying

For financial services organizations, cybersecurity is about minimising risk for both customers and the business. This includes compliance: it is vital that organizations reduce the possibility of fines or other penalties by implementing the required security measures.

On top of this, security teams are often attempting to mitigate threats manually, increasing effort and stress. Analysts need to eliminate the time spent writing scripts, building rules and creating reports to allow focus on evolving attacks.

Automating Processes for Financial Security

Implementing prebuilt content which is specifically mapped to the individual controls of each regulation enables instant results that do the heavy lifting for you. Combining compliance automation software with Security Information and Event Management (SIEM) gives analysts the resources to comply with necessary mandates more efficiently and effectively than previous manual processes. A SIEM platform can facilitate security teams to improve detection, mitigation and response capabilities.

Furthermore, automation systems allow workflows to be more streamlined to help analysts combat evolving threats by removing manual tasks and enriching data with contextual details consistently.

An Expanding Compliance Environment

Looking forward, the financial sector is expected to face continued vulnerabilities in its technological offerings, both online and traditional brick and mortar. With compliance automation systems at the forefront, patterns of fraudulent activity will be detected at a greater rate, increasing the likelihood of mitigation before impact. 

The compliance environment can only extend further, with more regulatory requirements coming into play. Financial organizations should be prepared for stricter security rules becoming a necessity to protecting both customer and business data.

LogRhythm’s offerings provide financial services organizations with industry-leading automation, compliance and auditing support, comprehensive reporting and protection against advanced cyberthreats. Learn more >

Normalising data leaks: A dangerous step in the wrong direction


It was only recently, in early April, when it came to light that the personal data from over 500 million Facebook profiles had been compromised by a data leak in 2019. And since then, an internal Facebook email has been exposed, which was accidentally sent to a Belgian journalist, revealing the social media giant’s intended strategy for dealing with the leaking of account details from millions of users. Worryingly, Facebook believes the best approach is to ‘normalise the fact that this activity happens regularly,’ and to frame such data leaks as a ‘broad industry issue’. 

It’s true that data breaches occur everyday, and are increasingly on the rise – new research predicts there will be a cyber attack every 11 seconds in 2021, nearly twice what it was in 2019. However, this doesn’t mean that it should be normalised. Quite the opposite in fact, explains Andrea Babbs, UK General Manager, VIPRE SafeSend...

Dangerously dismissive

The statement from Facebook is a very worrying strategy to come from a business which holds the personal and business data of millions across its platforms. Particularly in the wake of increasingly stringent regulations appearing globally, it is startling for such a large organisation to casually dismiss data leaks. To give businesses an excuse to no longer invest time, money and effort in data security is a dangerous step in the wrong direction.

Personal data is a valuable currency for cyber hackers, and individuals want to ensure it is protected. Leaking this confidential data, such as medical information, credit card numbers or personally identifiable information (PII) can have far-reaching consequences for both individuals and businesses. Keeping this data safe should be businesses’ number one priority. However, data is only as safe as the strength of an organisation’s IT security infrastructure and its users’ attention to detail.

A defence on multiple fronts

If you do not have the right technology in place to keep your data safe, then you will face problems – but the same goes for having the right tools and training available to your users. Data security is a difficult and never-ending task, one which requires ongoing investments on multiple fronts by every organisation in the world.

Particularly in the wake of COVID-19, businesses have had to transition to remote working and accelerate their processes to the cloud. Moving to cloud based security which moves with your users is key. And investment in user training will become more normalised because an uneducated workforce is a big risk to an organisation’s data security efforts. 

To combat such threats, deploying a layered security approach is necessary for both small and large businesses. In today’s modern threat landscape, a data protection plan needs to include cover for both people and technology at its core. There are innovative tools available, such as VIPRE’s SafeSend, which supports busy, distracted users to double check their attachments or recipient list before sending an email to help them make more informed decisions around the security of their data. Additionally, companies need to invest in thorough and more frequent security awareness training programmes, which include phishing simulations as a key component.

We will also see a bigger move towards Zero Trust Network Access (ZTNA) tools – which only allow people to access the data they need, not the entire network. There will be an evolution in this area, and protection for a workforce ‘on the go’ will become the standard, but with the same foundational principles of investing in the right technology, and the users themselves. 

Reputation and responsibility

No matter where users are or what they are doing, keeping security front of mind will be one way to ensure good IT security hygiene for businesses. Those who have already made significant progress in this area will reap the rewards in terms of safe data and reassured customers, clients and prospects. 

Businesses that get out in front of all areas of data loss, not just attacks from bad actors, are the ones that will do well in the long term. The ability to reassure customers and prospects of the safety of their data will become the new marketing message in the coming years, which is why attempting to normalise data loss could be so damaging to Facebook’s reputation.

Cyber threats are only going to increase in sophistication and become more personalised to the individual through social engineering and fileless attacks. Attackers will continue to take advantage of current events, such as COVID-19, to trick users into clicking a link, downloading an attachment or signing into a phishing website.

Businesses of all sizes have a responsibility to keep data secure – and users must be a part of the solution, rather than the problem. In order to do this, businesses need to place cybersecurity as a priority throughout their processes and invest in the right tools and training to make this more of a business-critical solution, and less of an ‘emerging necessity’ as it is now.


The data dichotomy and the vital importance of effective self-regulation


The data privacy debate that has raged for the past decade has patently failed to meet the needs of either industry or consumers. Legislative change continues to challenge digital marketing models, and has had little impact on consumer trust: Edelman’s 2021 Trust Barometer cites an era of “information bankruptcy”, with global trust levels at an all-time low. What has to change? John Story, Vice President and Deputy General Counsel, Global GTM, Acoustic EMEA, explains why effective self-regulation is a vital step in rebuilding consumer trust...

Ethical Challenge

Data privacy is once again front and centre of the advertising and marketing debate. From the imminent demise of third-party cookies, to ever-increasing privacy regulation including GDPR, the UK Data Protection Act 2018 and the UK GDPR (the version of GDPR retained in UK law after Brexit), and the Privacy and Electronic Communications Regulations (PECR), as well as the latest Apple / Facebook ad-tracking row, it’s easy to see how consumers and marketers alike might be scratching their heads over where, how and why data can be used.

Marketers are justified in bemoaning the impossibility of doing an effective job or meeting customers’ desires for better, more relevant and personalised messaging given the increasing constraints placed by legislative change. But the industry needs to face facts: it has been too slow and too reactive. 

Just consider the inadequate industry response to scandals such as Cambridge Analytica’s data misuse. Effective self-regulation should have become an absolute priority, yet little happened. When the industry fails to step in and address its problems, when companies sit and wait for a major issue to emerge and only then attempt to address the fall out, legislators feel they have little option but to intervene. The results are more often than not to the detriment of everyone in the ecosystem.

Effective Self-Regulation 

For marketers, consumer trust is essential to survival – and the onus is on the industry to rebuild and sustain that trust. Which is why, however the motives are perceived, Apple’s recent move is a positive step in reinvigorating the debate and, hopefully, accelerating the adoption of the effective self-regulation that will rebuild consumer trust and confidence.

Improving the way companies – of every size – notify consumers, then request and honour consent is an indispensable step in the creation of an industry that truly recognises the importance of ethical behaviour. By finding a way to convey a commitment to data privacy without confusing or overwhelming the end customer, the industry can avoid the risk of further inappropriate or clumsy legislation – legislation that is both implemented inconsistently and fails to improve consumer confidence.  

Legislation takes too long to devise and ratify – making it technologically out-of-date by the time it is enforced. Even worse, once in place, it’s incredibly hard to change. It also rarely achieves the essential change in attitude to data ethics and data privacy that’s required. Legislators may hope fines encourage organisations throughout the data ecosystem to modify behaviour, but when the culture is one of enforcement the modification in behaviour is often the minimum required to avoid future sanction.  

Take Ownership of Data Ethics

Public trust can be rebuilt and maintained if the industry takes appropriate, ethically sound, self-regulatory steps that evolve with technology and public perception. There should then be little call for regulators and governments to step in and impose stifling legislation.

However, it’s important to recognise that this affects every company, every marketer, and every MarTech provider. This is not just an issue for the large technology companies. Indeed, given the fact that Apple remains a lone voice and there has been little sign from Google or Facebook of a willingness to put effective self-regulation ahead of revenue generation goals, unless marketers and MarTech companies highlight the ethical data privacy debate and take action, change won’t occur.

This is nothing new: the marketing and advertising industry has always worked together on self-regulation – from the development of advertising standards onwards. The only change is the technological context. Abdicating responsibility for data privacy and a commitment to data ethics will only erode public trust further and lead to the imposition of additional legislation.

Conclusion

We have seen the changes that can be achieved as a result of high-profile debate. With recent concerns about hateful content and misinformation online, for example, social media providers took positive steps to self-regulate; they recognised that working effectively together was important to create a long-term future for their platforms. The next step must be to encourage the same levels of effective self-regulation around data usage and advertising.

Apple has nudged open the debate on data privacy and data ethics. The onus is now on players throughout the industry to push that door wide. Public trust is imperative – and that means effective self-regulation and the creation of a data ecosystem built on transparency and informed consent.

A new chapter in remote IoT security


By Keith Glancey, Systems Engineering Manager at Infoblox   

When the COVID-19 pandemic struck, businesses around the world found themselves forced to adapt quickly in order to survive. IT and security teams took centre stage, and were tasked with supporting a newly-remote network of employees and maintaining business continuity. Many companies emphasised ‘connectivity first,’ relegating security to an afterthought. However, as the dust starts to settle, remote work seems here to stay in some form. This has opened up a new threat for many businesses.    

Just as the pandemic has blurred the line between our professional and personal environments, it has also blurred the line between our professional and personal IoT devices, whether it’s a connected television, a smart thermostat or a tablet connected to a work application. The increased use of personal devices, and the proliferation of IoT devices generally, is making the corporate network vulnerable to attack. With many employees yet to return to the office, it’s never been more important for businesses to assess and address the IoT security risks posed by our new reality.

The remote rise of Shadow IoT 

Even before the pandemic struck, IoT security was a challenge. Research found that one third (33%) of UK businesses believed there were around 1,000 unauthorised or non-business-related IoT devices, also known as Shadow IoT devices, connected to their enterprise networks. These devices can open the wider business up to attack and also enable unsanctioned ‘lurkers’ to access a network. Compromised IoT devices also feed the botnets behind distributed denial-of-service (DDoS) attacks, of which 17 million were reported globally in 2020 alone, with reports highlighting a 250% increase in frequency over the last three years.

As remote working has transformed the way that individuals are using their IoT devices, this threat has only increased. The average home today has 11 IoT devices connected to its network. And since IoT devices are notoriously insecure, this presents a serious headache for IT and security teams. Each of these devices provides a vector through which malware can enter an employee’s home network and then move laterally to infect the corporate network as well. Given that IT teams can’t easily enforce corporate security policies on devices that sit outside of their infrastructure, this is opening up the floodgates and putting businesses at increased risk from attacks such as phishing and malware.  

To add to this, many individuals are naturally less risk-averse at home. For some, using a work device to browse social media, shop or stream entertainment services has become the norm. Yet, combined with the threats posed by unsanctioned IoT devices, this use of unsecured Wi-Fi connections, unsanctioned applications, and browsers with insecure plug-ins has the potential to compromise the entire corporate network.   

Future-proofing 

Organisations must take this time to embrace a more strategic approach to security, rather than hanging onto a model that isn’t compatible with the cloud-first networks that remote work requires. Network architecture is no longer centralised on a physical campus, with a core data center into which users connect, and security practices need to reflect this. 

One effective way that IT teams can protect their network against shadow IoT threats is by increasing visibility, and this is where DNS (Domain Name System) logging comes in. DNS is a core network service that almost every device touches when it connects to a company’s network and the wider internet, and it doesn’t depend on a device being authorised or known to the IT team. Logging queries at the resolver therefore reveals which devices are on the network and which names each of them looks up, whether or not they were ever registered. The caveat is that DNS only shows what passes through your resolver: a device using a hard-coded public resolver, DNS over HTTPS, or connecting straight to an IP address will not appear, so outbound DNS to anything other than your own resolvers should be blocked to keep the picture complete.

To take it to the next level, businesses can merge DNS with DHCP (Dynamic Host Configuration Protocol), and IPAM (IP Address Management). This combination of modern technologies – known as DDI – can pinpoint threats at the earliest stages, identifying compromised machines and correlating disparate events related to the same device. DDI can also help teams automate the provisioning of security services to remote endpoints, removing the need to ship devices back and forth for on-site patching.   
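As an added example, not Infoblox’s code or anything from the original article, the script below does the correlation the last two paragraphs describe at the smallest useful scale: it joins a dhcpd-style lease log (which device holds which address) to a BIND-style resolver query log (what each address looked up), then reports every device that resolved names without appearing in the asset register, with its vendor inferred from the MAC OUI and the names it queried, plus any device at all that resolved a watchlisted name. All log lines, the inventory, the OUI table and the watchlist are constructed for the demonstration; real exports of the same shape drop straight in.

```python
"""Correlate DHCP leases with resolver query logs to surface shadow IoT devices.

Added example: not Infoblox's code and not from the original article. The dhcpd-style and
BIND-style log lines, the asset inventory, the OUI table and the domain watchlist are all
constructed for this demonstration; swap in real exports of the same shape.
"""
import re
from collections import defaultdict

# Constructed DHCP server log (ISC dhcpd-style syslog lines).
DHCP_LOG = """\
Jun 14 08:55:02 dhcp dhcpd[1234]: DHCPDISCOVER from b8:27:eb:12:34:56 via eth0
Jun 14 08:55:03 dhcp dhcpd[1234]: DHCPACK on 10.0.1.23 to b8:27:eb:12:34:56 (raspberrypi) via eth0
Jun 14 08:56:10 dhcp dhcpd[1234]: DHCPACK on 10.0.1.10 to 3c:97:0e:aa:bb:cc (CORP-LAPTOP-042) via eth0
Jun 14 09:10:44 dhcp dhcpd[1234]: DHCPACK on 10.0.1.40 to 00:17:88:01:02:03 (Philips-hue) via eth0
Jun 14 10:56:10 dhcp dhcpd[1234]: DHCPACK on 10.0.1.10 to 3c:97:0e:aa:bb:cc (CORP-LAPTOP-042) via eth0
"""

# Constructed resolver query log (BIND-style "queries" channel).
DNS_LOG = """\
14-Jun-2021 09:02:01.123 queries: info: client @0x7f1 10.0.1.10#51432 (sso.corp.example): query: sso.corp.example IN A + (10.0.1.1)
14-Jun-2021 09:02:07.551 queries: info: client @0x7f2 10.0.1.23#40011 (updates.raspbian.example): query: updates.raspbian.example IN A + (10.0.1.1)
14-Jun-2021 09:03:19.004 queries: info: client @0x7f3 10.0.1.23#40012 (pool.miner.example): query: pool.miner.example IN A + (10.0.1.1)
14-Jun-2021 09:11:02.230 queries: info: client @0x7f4 10.0.1.40#33001 (hue.cloud.example): query: hue.cloud.example IN AAAA + (10.0.1.1)
14-Jun-2021 09:12:45.900 queries: info: client @0x7f5 10.0.1.99#53000 (cdn.example): query: cdn.example IN A + (10.0.1.1)
"""

# Assumed reference data: MACs the asset register knows about, a couple of OUI
# prefixes, and names that should never be resolved from the office network.
INVENTORY = {"3c:97:0e:aa:bb:cc"}
OUI = {"b8:27:eb": "Raspberry Pi Foundation", "00:17:88": "Philips Lighting"}
WATCHLIST = {"pool.miner.example"}

DHCP_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \(([^)]*)\))? via", re.I)
DNS_RE = re.compile(r"client(?: @\S+)? (\S+)#\d+ \([^)]*\): query: (\S+) IN (\S+)")


def parse_dhcp(log):
    """Map each leased IP to the MAC and hostname of its most recent DHCPACK."""
    leases = {}
    for line in log.splitlines():
        m = DHCP_RE.search(line)
        if m:  # DISCOVER/OFFER/REQUEST lines carry no confirmed binding and are skipped
            leases[m.group(1)] = {"mac": m.group(2).lower(), "host": m.group(3) or ""}
    return leases


def parse_dns(log):
    """Group the distinct names each client IP resolved, in first-seen order."""
    queries = defaultdict(list)
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m:
            ip, name, _qtype = m.groups()
            name = name.rstrip(".").lower()
            if name not in queries[ip]:
                queries[ip].append(name)
    return queries


def find_shadow_devices(leases, queries, inventory=INVENTORY, oui=OUI):
    """Every IP that used the resolver without being backed by an inventoried MAC."""
    findings = []
    for ip in sorted(queries, key=lambda a: tuple(int(o) for o in a.split("."))):
        lease = leases.get(ip)
        if lease is None:  # talking to the resolver with no lease: static or spoofed address
            findings.append({"ip": ip, "mac": None, "host": "", "domains": queries[ip],
                             "vendor": "unknown (no lease)"})
        elif lease["mac"] not in inventory:
            findings.append({"ip": ip, "mac": lease["mac"], "host": lease["host"],
                             "vendor": oui.get(lease["mac"][:8], "unknown OUI"),
                             "domains": queries[ip]})
    return findings


def find_watchlist_hits(queries, watchlist=WATCHLIST):
    """(ip, name) pairs for any device, sanctioned or not, resolving a watchlisted name."""
    return [(ip, name) for ip, names in queries.items() for name in names if name in watchlist]


if __name__ == "__main__":
    leases, queries = parse_dhcp(DHCP_LOG), parse_dns(DNS_LOG)
    for f in find_shadow_devices(leases, queries):
        print(f"SHADOW {f['ip']:10} {f['mac'] or '-':17} {f['host'] or '-':16} "
              f"{f['vendor']}: {', '.join(f['domains'])}")
    for ip, name in find_watchlist_hits(queries):
        print(f"WATCHLIST {ip} resolved {name}")
```

On the constructed data this flags the Raspberry Pi and the Hue bridge as unregistered devices, flags 10.0.1.99 separately because it resolved names without ever obtaining a lease (a static or spoofed address is worth a look on its own), and reports the Pi’s lookup of the watchlisted name. The same join is what a DDI platform does continuously; the value of doing it from raw logs once is understanding what the correlation can and cannot see.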

As enterprises become more distributed and borderless, they need security to stretch across their entire infrastructure and protect users wherever they are located. Defending from the network edge will be critical in combating shadow IoT threats brought about by remote work and using modern technologies such as cloud-first DDI will enable organisations to stop and remediate attacks before they cross over from the home to the corporate network. 

WEBINAR: Overcoming The Challenges Of Selecting An Insider Threat Detection Tool


By Veriato

In a crowded market with so many new products being released, it can often be hard to make sure you’re getting the right tool for your organization’s security needs. Purchasing an Insider Threat Detection tool for your organization requires extensive research, which can be very time-consuming.

In our latest webinar, we try and clean up some of the noise in the industry together with experts Jim Henderson from the Insider Threat Defense Group and Dr. Christine Izuakor from CyberPopUp. In this webinar, we’ll discuss:

  • Cutting through the hype to see what a product can really do – is it all just marketing fluff?
  • To AI or not to AI – Machine Learning Vs Statistical Analysis
  • Core requirements for Insider Threat Detection solutions – Private Sector Vs Government considerations

Sign up now to learn more!