data Archives - Security IT Summit | Forum Events Ltd
  • Covid-19 – click here for the latest updates from Forum Events & Media Group Ltd

Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd

Posts Tagged :

data

Meeting the Tests to get out of Data Lockdown

960 640 Guest Post

Digital transformation of any business has always been hampered by making sense of underlying data. And that data has been growing in volume at an unprecedented rate driven by the growth of IoT. It’s the perfect storm – the need for real-time information being increasingly distanced by the rate at which the data volume is growing. Businesses need insight, not just data, which means getting the right information, to the right person, at the right time. 

But the age-old problem remains today – how do you understand and see what data you have readily available, in a format that’s usable and that you can access at the right time? Peter Ruffley, CEO, Zizo, explores three aspects businesses must consider to get out of ‘data lockdown‘…

Data access 

There are a multitude of ways to store and access data, but a majority of businesses haven’t considered access to external data sources yet. When we begin to question how to enrich and improve data, one of the fundamental capabilities of this process is by integrating external third-party data sources, such as weather, crime or other open data sources. 

Businesses need to have an understanding of what they need to do to make the process worthwhile, and ensure they have the correct capabilities before they start. A common first approach for many organisations is to build from scratch and make it their own, rather than considering the buyer approaches where you look at what’s out there, explore the marketplace and transform existing data to use within the business, rather than starting from the ground up. 

If they can’t combine different sources of data quickly and cost-effectively together, they won’t move forward. It makes sense to digitally transform an organisation if it is going to make use of what’s already out there, as being able to tap in and share other work and insights will make the exercise worthwhile and cost-effective. With combinations of solutions available in the marketplace that can accelerate the process by providing the necessary building blocks, it’s time to transform the digital transformation process. 

Data responsibility 

There remains a disconnect between IT teams and businesses’ impressions about what it means to provide the data. If both parties are not aligned with the same aims of the business, the project could stall at the first hurdle. Instead, organisations need to bridge the divide and encourage stronger collaboration between all stakeholders. When businesses realise where those holes are in their structure, it’s key to get people involved to solve those challenges. 

This involves change on three levels; personnel, cultural and technological. Who’s responsible for this chain? Whose action is it? How do we bring these teams together? The business might be storing a lot of data, but how can it be accessed, interrogated and made useful? How will the business’ data goals be defined? 

Typically, the digital transformation initiative comes from the top in the organisation. In order to get your business on board, you have to make a very clear case of what the benefits are. Employees need to trust that improvements will be made for them by doing this, rather than just dictating the plan. Digital transformation is a change programme, which impacts all aspects of the business. You therefore have to approach it in the same way that you would approach any change project – with clear objectives and an agreed process of identifying how you’re going to get value from data. With a compelling case, you have a much better chance of carrying it through with buy in from all stakeholders. 

Data and objective identification:

You can’t embark on a digital transformation initiative without a concept – you’re condemning the project to failure if the business is not engaged properly with the process before you start. In order to yield business benefit from data, organisations must identify the areas that will realise the most benefits. Even if they’re hypothetical, there must be measurable ambitions in place or milestones for this journey, so that there is an understanding of what you’re going to do, and what you want to get out of it. Or if those ambitions weren’t achieved, why not? What steps need to be taken next time? 

Organisations have to be able to collect the data and assess whether they can achieve their business objectives from that data. But a goal of just ‘digital transformation’, ‘digitising data’ or ‘making more money’ will never translate into a concrete business case. Goals need to be specific and measurable in order to determine the project roadmap and for success to be evaluated. 

More importantly, you have to understand where the data is in your organisation and what it’s being used for, before you start the process of transformation. The whole supply chain needs to be aware of the transformation and the demands that are going to be in place. You’ve got to be very open about this process, because there will be people who you haven’t thought of that might be impacted by the changes you’re making.

With easy access, a connected team and clear objectives, companies can have a clear outline of what it is they set out to achieve in their digital transformation, how they expect to make this transition with the data available, and who can take on what role in this process. 

User Access Review – What’s That?

960 640 Guest Post

By Tenfold Security

Users come, they stay, they leave, they move around between departments and they collect privileges on the way. That’s OK, they need privileges to do their jobs. But do they need all the privileges they have, always? That’s a question you need to ask yourself, for every userrepeatedly.

This article covers what is meant by a user access review, why is it important for your business and how can you simplify the process and up your company‘s IT security and level of data protection at the same time.

Click here to read the full article.

Solving the data centre skills shortage

960 640 Stuart O'Brien

By Stephen Whatling, Chairman at BCS

The growth in demand for data centres worldwide has posed many challenges in recent years and this has now been expedited by the Covid-19 pandemic. Following a major uplift in demand for data services since March, the need for a resilient data infrastructure has never been greater.

However, this year BCS’ independent survey shows an increase in concern about the availability of design and build staff with an 11% rise, to 75%, of respondents believing there is an inadequate supply of skilled labour. The same independent BCS survey shows that 90% of those involved in the design and construction of data centres believe there is a dearth of both design and build personnel.

As the confusion regarding exam results and the subsequent issues with university places continues to test the education system, it is a growing concern for the future supply of resources skilled in the design and build of data centres.  It is then perhaps no surprise that for the second survey running, greater industry engagement with educators is ranked as the top factor to address this identified skills shortage. This is particularly important given the tremendous competition for suitably qualified STEM staff from a wave of different technology sectors across the wider economy. Early engagement with the industry at the educational level is needed to encourage the next generation of potential datacentre professionals through providing clear routes to jobs and career advancement that exist in many of the competing industries.

Better on the job training and improved or greater incentives for apprenticeships also ranked highly in the survey as  respondents acknowledged the positive impact that the education sector and businesses working in partnership can have in developing home-grown resources.  At BCS we believe that the expansion of apprenticeship places is vital to the success of the generation of UK based skills.  This year we had over 200 applicants for the apprentice and graduate scheme we operate in partnership with London Southbank University which provides funded places and, alongside studies, enables the apprentices to access every aspect of the BCS business.

From this year’s intake, Imogen Paton is enrolled on a Quantity Surveying Degree Apprenticeship at London Southbank University and will be sharing her time between studying there and getting some great practical experience with BCS over the next five years. Imogen said: “I am really looking forward to this opportunity to grow and work with both a great company and great university and can’t wait to get started!”

Many businesses might think that taking on an apprentice during the current pandemic will not bear fruit but that is not necessarily the case.  Yes, it can be harder and will require a little more care and attention but the right candidates will learn some invaluable skills during these strange times.

Ben Chappell, a BCS Apprentice Consultant from London Southbank University says he will “definitely take a new sense of confidence in working independently back to the office when the lockdown is over.”

“I’ve been balancing client tasks with Southbank University work successfully, which has given me assurance that my routine is productive. One of the lessons for my industry is that we now know that a significant amount of work can be done remotely if the circumstances require it. However, I am also very much aware of the importance of social interaction for both the office teams and client relations and I’m looking forward to getting back on site,” he said.

It is also worth remembering that the survey was undertaken at the beginning of the UK lockdown, before the length of the lockdown and subsequent travel restrictions could be fully understood.  Despite the timing, almost three-quarters of respondents believed that shortages amongst data centre operational staff was already making it increasingly difficult to run facilities well. It is now clear that the difficulties associated with international travel such as the lack of availability of flights and hotel rooms or the more recent focus on quarantine rules has made it even more difficult for the roving teams of design, build and maintenance engineers to do their jobs efficiently.  These teams are, of course, essential workers and not subject to the quarantine rules but travel, and life in general, is more difficult now, and as a result less productive.  This will mean that even more skilled engineers are required to support the existing infrastructure.

Meeting the demands for greater capacity was an issue before Covid-19 with 74% seeing higher labour costs, 55% using increased outsourcing and almost 50% seeing delays due to the shortage of available skills.  It is likely these numbers will be even higher next year. We should also take note of the likely impact of Brexit and any future immigration policy.  It is vital that any future policy recognises the importance of the data centre industry in the UK and supports it with favourable access for the skilled workers that will be needed in order to meet the existing demand. 

In conclusion, the demand for UK based data centres currently outstrips supply, smart working and automated processes, and a focus on education alongside investment and support from the Government, is required sooner rather than later to ensure the UK capitalises on this opportunity.

These are the key data privacy issues in 2020

960 649 Stuart O'Brien

Tuesday January 28th marked Data Privacy Day, the annual international day aimed at raising awareness of privacy and data protection issues and promoting best practices.

Here we’ve gathered up the thoughts of some leading figures from across the sector, covering everything from GDPR to biometrics and compliance, and what 2020’s priorities need to be…

Chase Buckle, Trends Manager, GlobalWebIndex

“In today’s post-Cambridge Analytica world, we’re witnessing a ground-breaking shift in consumer attitudes towards data, privacy and brand trust.

While GDPR has certainly shifted the balance of power, leading to new perspectives on consumers’ rights to share or withhold data online, 58% of UK consumers are still concerned about the internet eroding their personal data.

The increased awareness of how companies collect and use data online, also brought by events such as Data Privacy Day, has done little to alleviate concerns over online privacy more generally –  61% of UK consumers worry about how their personal data is being used by companies and 55% now prefer to be anonymous when browsing online.

This anxiety around online privacy and technology is most prevalent among younger age groups. These so-called digital natives are more conscious of the complexity of data security and technology, and are more aware of just how much they might not know around the issue. In fact, the younger the consumer, the more likely they are to say that they don’t feel in control of their personal data online, and that they just don’t understand new technology. 

Within this new digital landscape, company reputations hinge on their trust and transparency credentials over personal data. To build consumer relationships, trust has to become one of the core elements of any brand proposition.”

Nigel Hawthorn, data privacy expert, McAfee

“Over a year after the EU’s General Data Protection Regulation (GDPR) came into force, the regulatory bodies are changing their focus from guidance to full enforcement. The GDPR framework serves as a driver for organisations to revisit their current processes and take full responsibility for how they process and store personal data. As the UK leaves the EU, this legal responsibility doesn’t go away. The UK government passed the Data Protection Act 2018 to provide an equivalent law to GDPR. As we’re stepping into a new decade, we are seeing the rise of more regulations which put internet users first and a rise in the data stored in the cloud.”

“With the increasing reliance on the cloud, businesses need to be rest assured that they have complete visibility and control over data regardless of where it is. According to our latest research, 40% of large UK businesses expect to be cloud-only by 2021. What we’re going to see in 2020 is even more data and applications shifting to the cloud – and where they migrate, cybercriminals will follow.

Today, we should recognise that the age of the cloud is here. Whether businesses are cloud-only or shifting towards a cloud-first approach, the key is to make sure it isn’t an easy target for cybercriminals.”

Zachary Jarvinen, Head of Product Marketing, AI and Analytics, OpenText – “As we welcome in another Data Privacy Day, this date – and what it represents – has never been more relevant or more important.

“It’s clear that 2020 will be the year that the rest of the data privacy iceberg begins to emerge. While regulations like Europe’s GDPR and the California Consumer Privacy Act (CCPA) have already been established, new regulatory developments surrounding data privacy are continually coming to light.

“Although these regulations have their inherent differences, the general scope of data privacy laws is to give consumers the right to know how and what type of personally identifiable information (PII) is collected, and the option to take legal action in the event that they should incur damages from bias or data security breaches. In 2019, 53% of consumers stated that they would cancel a transaction if they didn’t like something in the privacy policy – more must be done this year to make sure data privacy and protection is a top priority for companies.

“Until now, most organisations have focused their efforts on structured information, but they must also be able to understand what PII is located in textual documents. Archived data, in particular, is an especially pressing concern for most enterprises. AI-powered solutions will be instrumental in locating sensitive data and managing it through automated workflows. Today, organisations will also need to establish internal data governance practices to determine who is accountable for data security and enterprise-wide policy, which may include creating teams that blend technical and regulatory expertise.

“It’s also a great time to get started with a career in the industry. Over the past four years there has been a 75% increase in jobs with “privacy” in the title. Privacy is hot. And, finally data protection is at the table for new initiatives and technology decisions.”

Simon Wood, CEO, Ubisecure  “The topic of data privacy could not be more relevant in the current cybersecurity landscape. Last year, for example, a number of headline-hitting data breaches were revealed to be a result of misplaced security design choices – demonstrating the damaging consequences of underestimating security requirements. 

“A large cause for concern here is when it comes to businesses building identity management functionality in-house. No matter how big the development team some companies may have, a lack of experience and resources in cybersecurity areas like identity management means that building such features internally comes with increased risk. Faced by tight deadlines and pressure to get applications to market as fast as possible, teams are challenged to build functionality that properly adheres to privacy by design and proven security methodology. Often, we see the impact of not doing so through the breaches that take advantage of weak authentication policies and a failure to keep data privacy central to the whole design process. 

“One way for tech leaders to solve this problem is to deploy Identity-as-a-Service (IDaaS) solutions – cloud based authentication and identity software or APIs already proven and in use in the market. Such solutions allow teams to integrate identity features into applications as securely and as seamlessly as possible, without reinventing the wheel each time. Ultimately, this on-demand expertise reduces the risk of data breaches caused by employee-led error and places data privacy at the forefront of the development process.“

Gijs Roeffen, Director IT & Security at EclecticIQ – “As data breaches continue to hit the headlines, businesses and consumers alike are becoming more and more aware of the need to protect their data. Here are a couple of simple tips to help keep your personal information secure: 

Swap PIN codes for biometrics

“When it comes to passwords and PIN codes, people are creatures of habit. People not only use the same password across multiple online accounts, they will also happily use the same PIN code for their debit card and their phone, or a generic PIN number. In fact, cybersecurity specialist Tarah Wheeler recently shared the most common PINs used by smartphone users to secure their devices, and shockingly, the most common PIN number was 1234. 

“Passcodes and PIN numbers can easily be captured from a glance over someone’s shoulder, or can be photographed or filmed from another mobile device. Biometrics, however, such as facial recognition or fingerprints, are unique to the user and can’t be obtained in either of these ways, making them a much safer option than passwords and PINs.

 Safeguard your SMS messages

“While it is possible to intercept SMS messages over the air, it requires multiple factors to be aligned to be successful. Attacks on SMS are often very targeted, since intercepting SMS codes requires specialist knowledge and hardware. 

“Using a two-factor authentication, however, is an effective means of defence against account takeover, so be sure to check your SMS is protected. Alternatively, look into using an encrypted messaging service. Encryption jumbles the content of a message into random data until it is received on the other end, so if a hacker intercepts the message, they won’t be able to view it in full. Apple’s iMessage service uses encryption, as does WhatsApp, which works across both Android and iPhone devices.”


Ashley Bill, enterprise data consultant, Micro Focus – “Fortunately, life after the General Data Protection Regulation (GDPR) has seen organisations begin to change how they think about data privacy. While avoiding regulatory fines and reputational damage is often top of mind, savvy business leaders may also see the business benefits that effective compliance can bring: the ability to generate high quality, streamlined data that can be monetised through applying predictive analytics.

“By investing in optimised data management driven by compliance, organisations can effectively increase the value of their data. It not only saves them pouring significant amounts of time into making sense of exploding datasets, but also creates an environment where teams can effectively deploy predictive analytics to make informed decisions. Using insights gleaned from quality data, companies can better predict the preferences and behaviour of their target audiences to inform and maximise the potential of marketing, advertising and product development. Ultimately, accurately predicting what customers want and remaining a step ahead of competitors is the ‘holy grail’ of business success.

“If predictive analytics is essential for boosting business outcomes, data privacy compliance is a fundamental component. And looking ahead, it will be a major driving force behind the development of modern, ethical, data-driven organisations.”

Chris Greenwood, Senior Director and General Manager UK&I at NetApp

“Data privacy has moved beyond protection and is now a question of trust. 

“We, as consumers, trust organisations to handle our data in a secure, standardised and accountable way. But with 60% of UK businesses planning to migrate apps and data to the cloud within the next year, the risks are high. Combine this with the rise of 5G, edge computing and AI bringing about entirely new and disruptive ways to use data, organisations must ensure suitable safeguards are in place, tested and updated as we begin to unravel these various possibilities.

“75% of IT leaders anticipate that security will have the largest impact on their data strategy over the next 12 months. In order for privacy to succeed, it is the duty of companies and organisations to not only understand how and why data is being used, but also have the capabilities to remedy any ethical concerns which may naturally arise as new lines are drawn on what ‘is’ versus what ‘was’ acceptable as technology becomes ever more powerful.

“This can only be achieved by being able to see, access and conscientiously use data from any and every environment whilst affording the end user the means to control how and what data is there in the first place. Only then can user privacy truly succeed.”

Malcolm Murphy, Systems Engineering Director, EMEA at Infoblox – “You hear a lot of people in the industry talking about Zero Trust. Whist it is certainly a core element of improving data protection standards, we need to be more realistic about its wide-scale implementation.

“Despite the hype, no one is actually doing ‘Zero Trust’ yet. Putting the infrastructure in place to enable organisations to verify anything and everything trying to connect to its systems before granting access is a really hard thing to do, as we can’t easily layer it onto existing technology at scale.

“As it stands, we’re nowhere near being able to implement the Zero Trust concept at a cost-effective level, and this is unlikely to change in 2020 – and our data privacy may suffer because of it.”

“This approach will remain difficult, expensive and inconvenient. I think it will take a catastrophic event or new regulation to make organisations invest in Zero Trust, it won’t happen on its own.”

Paul Farrington, EMEA CTO, Veracode“Many businesses today are software-driven and they are conscious of the role software security plays in keeping data protected. There is a greater need to ensure security is a core part of the software development process going forward. As a new data-driven decade commences, businesses should empower developers by training them on best practices in secure coding and providing the tools to enable them to find and fix vulnerabilities in their software.

“We know that unresolved vulnerabilities that pile up over time, also known as security debt, can leave organisations exposed to data breaches. Hackers will continue to look for weak points at the application layer, which is still the predominant threat vector. By shifting security left, developers are able to fix vulnerabilities faster and more effectively, improving an organisation’s overall security and ultimately better protecting sensitive data. Across Europe, more businesses are learning that they are able to adopt application security without stifling innovation.”

Elodie Dowling, EMEA General Counsel, BMC Software

“With an increasing number of data protection laws around the world, data privacy remains a very pressing topic, and businesses such as cloud service providers continue to face an array of complex and logistical challenges to adhere to across their multi-cloud infrastructure, to ensure their customers’ data remains protected.

“Over the course of the last year, there have been a large volume of data breaches being reported. Data Privacy day comes as a very timely reminder for customers and their service providers to continue to work towards updating their existing privacy standards to a compliant level, while ensuring robust security is in place to protect customer data. Most recently, European regulators have imposed £97m in data breach fines, and businesses who operate within the cloud must remain vigilant to avoid similar penalties.

“It’s important once a business starts using a variety of cloud-based services and infrastructure to regularly carry out audits to ensure that systems and services being used remain compliant with data privacy laws. Under GDPR, personal data may not be stored longer than needed for the predefined purpose. Therefore, it’s important businesses implement retention periods, whilst having the ability to delete data effectively when retention periods have expired – both for data locally stored and in the cloud.

“Companies are able to achieve better data protection in today’s IT ecosystem through four critical measures.

  1. Visibility – IT needs the tools to know where sensitive customer data resides, how it is being processed, and by whom.
  2. DevOps – teams must be aligned to maintain security and compliance.
  3. Integrity – IT must validate structured and unstructured data automatically, and ensure that stored data is intact.
  4. Recovery – Organisations must ensure data is recoverable in a timely manner in the event of any physical or technical incidents.”

NCSC details key wins in cyber security war

960 640 Stuart O'Brien

A scam to defraud thousands of UK citizens using a fake email address spoofing a UK airport was one of a wide range of cyber attacks successfully prevented by the National Cyber Security Centre (NCSC) in the last 12 months.

Details of the criminal campaign are just one case study of many in Active Cyber Defence – The Second Year, a comprehensive analysis of the NCSC’s programme to protect the UK from cyber attacks.

The thwarting of the airport scam was one example in 2018 of how ACD protects the public.

The incident occurred last August when criminals tried to send in excess of 200,000 emails purporting to be from a UK airport and using a non-existent gov.uk address in a bid to defraud people.

However, the emails never reached the intended recipients’ inboxes because the NCSC’s ACD system automatically detected the suspicious domain name and the recipient’s mail providers never delivered the spoof messages. The real email account used by the criminals to communicate with victims was also taken down.

In addition, a combination of ACD services has helped HMRC’s own efforts in reducing the criminal use of their brand. HMRC was the 16th most phished brand globally in 2016, but by the end of 2018 it was 146th in the world.

Dr Ian Levy, the NCSC’s Technical Director and author of the ACD report, said: “These are just two examples of the value of ACD – they protected thousands of UK citizens and further reduced the criminal utility of UK brands. Concerted effort can dissuade criminals and protect UK citizens.

“While this and other successes are encouraging, we know there is more to do, and we would welcome partnerships with people and organisations who wish to contribute to the ACD ecosystem so that together we can further protect UK citizens.

“This second comprehensive analysis we have undertaken of the programme shows that this bold approach to preventing cyber attacks is continuing to deliver for the British public.”

Introduced by the NCSC in 2016, ACD is an interventionist approach designed to stop cyber attacks from ever happening. It includes the programmes Web Check, DMARC, Public Sector DNS and a takedown service.

The ACD technology, which is free at the point of use, intends to protect the majority of the UK from the majority of the harm from the majority of the attacks the majority of the time.

Other key findings for 2018 from the second ACD report include:

  • In 2018 the NCSC took down 22,133 phishing campaigns hosted in UK delegated IP space, totalling 142,203 individual attacks;
  • 14,124 UK government-related phishing sites were removed;
  • Thanks to ACD the number of phishing campaigns against HMRC continues to fall dramatically – with campaigns spoofing HMRC falling from 2,466 in 2017 to 1,332 in 2018. These figures relate to 16,064 spoof sites in 2017 and 6,752 sites in 2018;
  • The total number of takedowns of fraudulent websites was 192,256, and across 2018, with 64% of them down in 24 hours;
  • The number of individual web checks run has increased almost 100-fold, and we issued a total of 111,853 advisories direct to users in 2018.

Chancellor of the Duchy of Lancaster and Minister for the Cabinet Office David Lidington said: “The UK is safer since the launch of our cyber strategy in 2016. Over the last three years, and backed by a £1.9 billion investment, we have revolutionised the UK’s fight against cyber threats as part of an ambitious programme of action.

“The statistics and examples in this report speak for themselves. They outline the tangible impact that Active Cyber Defence is having, and how it is a key building block in improving cyber security in the UK now, and in the future.”

The new report also looks to the future of ACD, highlighting a number of areas in development. These include:

  • The work between the NCSC and Action Fraud to design and build a new automated system which allows the public to report suspicious emails easily. The NCSC aims to launch this system to the public later in 2019;
  • The development of the NCSC Internet Weather Centre, which will aim to draw on multiple data sources to allow us to really understand the digital landscape of the UK;
  • We’ll explore developing an Infrastructure Check service: a web-based tool to help public sector and critical national infrastructure providers scan their internet-connected infrastructure for vulnerabilities;
  • NCSC researchers have begun exploring additional ways to use the data created as part of the normal operation of the public sector protective DNS service to help our users better understand and protect the technologies in use on their networks.

You can read the full 2019 report here.

Rob Norris, VP Enterprise and Cyber Security, Fujitsu, said: “Cybersecurity challenges aren’t slowing down and this annual report by GCHQ’s National Cyber Security Centre illustrates the magnitude of the problem. Cybercriminals today are creative and equipped with a multitude of tools helping them see their attacks through, making it vital for all organisations to think how they can safeguard their data and business assets.

“Unfortunately one of the simplest methods of stealing sensitive information is through a basic email phishing campaign, as proved by the fact that NCSC stopped 140,000 phishing attacks last year alone. This is partially because organisations still rely heavily on email to communicate both internally and externally, but also because of the human factor. Human behaviour is cited as the biggest challenge in email security, therefore it is imperative that businesses prioritise vigilance and awareness through education and training. 

“I would advise that some of the things we can do to identify suspected email security threats are hovering over the email hyperlinks before clicking to see the web address; blocking executable files and emails with large attachments; being mindful of password reset emails; and using a VPN when working remotely or using public WiFi. In today’s digital world, no one is immune from data theft, and being vigilant, both as an employee and as a consumer, is paramount.”

UK businesses subjected to one cyber attack every minute in 1Q19

960 640 Stuart O'Brien

UK businesses were subjected to 119,659 internet-borne cyber attacks each, on average, in the first quarter of 2019, according to analysis by Beaming.

This rate of attack, which equates to one every minute, was more than double that experienced in the first three months of 2018, when companies were attacked online 53,981 times on average.

Between January and March 2019, Beaming’s cyber security analysts identified 442,091 unique IP addresses that were being used to launch cyber attacks over the internet on UK businesses.

While 51,004 of these could be traced to locations in China and a large amount of attack activity continued to originate in Brazil (32,386) and Russia (31,131), there was also a threefold increase in the number of IP addresses in Egypt (36,282) used to attack UK businesses in the first three months of the year.

Remotely controlled IoT applications and file sharing services were the most likely targets for online cyber criminals, attracting 201 and 114 attacks per day respectively between January and March.

Sonia Blizzard, managing director of Beaming, said: “Cyber attacks continue to be a clear and present danger to UK businesses and the IT infrastructure they rely on. Business leaders should be wary, the rate of attack has been at historically high levels since October last year. Since we started tracking cyber attack activity just over three years ago we’ve come to expect that businesses will be attacked around 20,000 times a month on average. At the moment we are seeing twice that level of malicious activity online.”

“While there is plenty that we can do at a network level to minimise the threat of online attacks, businesses need to take cyber security seriously, educate employees and put in place security measures such as managed firewalls to ensure they don’t expose themselves to undue risk.”

More than half of companies have over 1,000 exposed sensitive files

960 640 Guest Post

By Matt Lock (pictured), Director of Sales Engineers UK, Varonis

All an attacker needs to steal your valuable data is access.

Unfortunately, many companies unknowingly give attackers access to their critical data. Personal identifying information on employees and customers, intellectual property, and more can easily make their way from secured systems to unprotected files and emails. 

To make matters worse, companies don’t have time to update global access groups, fail to archive old data, and skip monitoring who has access to what information. Once attackers slip through the cracks, they — and corrupt insiders alike — have the access they need to steal your data.

To shed light on the state of overexposed data, we analysed a random sample of 785 Data Risk Assessments, including more than 54 billion files. The results, available in the report Data Gets Personal: 2019 Global Data Risk Report from the Varonis Data Lab reveal that companies are failing to shore up their sensitive data. 

Some key findings from the report include:

  • Every employee, on average, can access 17 million files.
  • More than half (53%)of companies had at least 1,000 sensitive files open to all employees. 
  • Over one in five (22%) of all folders were accessible, on average, to every employee. 
  • 38% of users had passwords that never expire, up from 10% last year. 
  • Six in 10 companies had over 1,000 enabled, but stale, “ghost” users — accounts belonging to former employees that can still access your network.
  • Financial services firms had the most exposed sensitive files, with an average of 3,791 exposed, sensitive files per TB.
  • Retail organisations had the lowest number of exposed sensitive files, with an average of 858 exposed, sensitive files per TB.

Despitedire warnings of heavy fines under the GDPR and the steady stream of breaches and attacks in the news, companies are not prioritising their data. Take action with a data-centric security approach to ensure you are not giving malicious insiders and external attackers an all-access pass to your data. 

Ramnit Trojan resumes attacks on European financial institutions

960 640 Stuart O'Brien

The Ramnit banking Trojan has returned to its old hunting ground after recent forays into the e-commerce space,

The discovery follows analysis by F5 Labs and F5’s EMEA-based F5 Security Operations Center (SOC) examining active Ramnit banking Trojan Malware configurations in February and March 2019.

All signs indicate that Ramnit’s authors are —once again—largely targeting financial services websites to coincide with Tax return activity, primarily in Italy.

Ramnit was previously hitting the headlines during the 2018 holiday season for shifting its attack focus to US e-commerce sites1.

In the most recent studied Ramnit sample active in March this year, the Trojan’s authors were primarily focused on financial services and financial tech sites in Italy (40% of all attacks). 9% of attacks were aimed at the UK and 8% at France2. Overall, 70% of all Ramnit targets in March were European, 27% American and 3% were located across the rest of the world3.

Interestingly, while social networking sites made up a smaller portion of targets observed in February and March, some of the biggest social networking platforms in the world were still under fire, including Twitter, Facebook, Tumblr, and YouTube. 

In other notable developments, F5 Labs was able to discover how this March’s Ramnit configurations are continually adapting, including scaling web injection tactics4 to attack websites5. An interesting innovation in this respect entailed going after targets with no link to a specific company or website.

Instead, several words in French, Italian, and English were added to the mix in the hope of catching random websites. Along with the simple word targets, Ramnit also included the name of an Italian Opera and a few misspelled domain names. 

“Ramnit is a persistent banking Trojan that first emerged in 2010 as a less sophisticated form of a self-replicating worm. Today, both its tactics and targets have evolved to include many other industries. It is highly adaptable, as we can see with this recent shift back to the financial sector, as well as its authors’ new attempt to expand the attack surface,” said Roy Moshailov, head of security and malware research, F5 Networks.

“It is critical for banks and financial institutions to implement web fraud protection solutions to protect their customers and to help ease the burden of fraud expenses—especially banks that are actively being targeted. Other industries also need to be aware of attackers’ increasingly clever techniques so they can take similar precautions. The main thing is not to be complacent. Because Trojan malware is typically installed through phishing or malicious advertising, it’s also vital that all organisations to provide security awareness training to employees and clients.”

Image by dawnfu from Pixabay

Cybersecurity’s biggest asset: Why use the cloud?

960 640 Guest Post

The cloud is one of those hot buzzwords that gets thrown around a lot both in the tech world and in our daily lives.

No longer reserved for IT departments alone, the cloud has become something that we depend upon greatly, especially in the way companies go about their business. And it’s about to become even more important.

In fact research shows that companies are looking to drastically increase their investment in the cloud in the coming years. Morphean recently conducted an independent survey of more than 1500 IT decision makers across Europe to discover their views on cloud services. The survey reported:

  • 78% expect their spending on the cloud to increase in the next two to five years
  • 47% said their internal data would be cloud processed within the same time frame
  • 45% said they would definitely consider migrating their physical security systems, such as video surveillance, to the cloud

There’s no doubt that the cloud is becoming a more important part of everyday business dealings, but some people still have reservations about the safety of this storage system, and whether or not it is worth it. We believe it is, and let us tell you why. 

But what exactly is the cloud?

Short for ‘cloud computing’, the cloud is essentially a terrestrial home for your data. So instead of being stored on the computer in front of you, it’s stored somewhere else, or in multiple places, and it is up to a network of servers to take you to it.

Some everyday examples you may recognise include the Apple iCloud, Dropbox, Google Drive, Microsoft OneDrive, and even Netflix.

Is the cloud the future of cybersecurity?

Unfortunately, the cloud has received some negative press in the last few years in regards to security and safety. In fact, according to the Morphean survey, 45% of people cited security risks as being their biggest obstacle to instigating a full move across to the cloud. 

The only way to truly protect your information is to lock it up underground, but you can rest assured that the cloud is far safer than information stored on a local device. Cloud computing services have more complicated security methods in place than the average computer owner can come up with. Any wannabe hackers would then have to get past the cloud system’s first line of defence; encryption.

Encryption is the practice of using complex algorithms to protect your data. In order to get past these algorithms, the hackers would need something called an encryption key. 

But it’s not all down to these intricate and convoluted systems. In fact one of the biggest threats to cloud security is the barriers set by individual people. In other words, easy-to-guess password and security questions. 

Above we talked about negative press aimed at the cloud over the past few years, most notably the infamous Apple hack where celebrities had photos stolen and leaked. The media reported that the cloud had been hacked, which led to a drop in public confidence and has no doubt contributed to people’s existing fears. In reality the cloud itself wasn’t hacked, but rather the accounts of individuals who used the cloud to store their data.  

The truth is that the cloud is incredibly safe and secure, but it’s up to individual users to do their part. That means choosing strong passwords by adding letters, numbers and symbols, using different passwords for different accounts, and avoiding using passwords that relate to your personal life.

But if that’s not enough to convince you of the cloud’s excellent security systems, did you know that online retailing giant Amazon runs its entire business off of its own cloud service, AWS? 

Other benefits of using the cloud

It’s not only the increased security that comes along when you start using the cloud. Here’s a few more that you can expect for your business.

Continuity

No matter what kind of industry you are in, having a continuity plan in place is vital for protecting your sensitive data and systems. Disasters can strike at any time and for a whole multitude of reasons, ranging from the weather and natural disasters to power failures. By having your information stored off-site in the cloud, you can rest assured that it is backed up and protected in a secure and safe location. Even if you have to move office, you will be able to access and download your data from any location with internet, therefore minimising your downtime and avoiding loss of productivity.

Working flexibility

The world is getting smaller. Not literally of course but modern technology is drastically reducing businesses’ needs for a physical office with staff present 100% of the time. The cloud helps to make this even more possible by granting flexibility in staff’s working practices. Once employees are able to access their work from home, on their commute or even on holiday – anywhere with an internet connection – suddenly the whole world is your office.

Scalability

When it’s time to scale your business up, purchasing and installing upgrades to your storage needs can be both expensive and incredibly time consuming. But when you work with the cloud, everything can be done quickly to suit your exact needs. Whoever provides your cloud computer services will be able to handle all upgrades for you, leaving you free to get on with the important task of running your business.

It’s natural for any business owner to be concerned about the safety and security of their important data. Your business is your baby, and you of course want to protect it. The cloud is undoubtedly the best option and as research shows, more and more businesses will be placing their trust in this extraordinary technology, for more than its safety benefits, to further their growth and secure a strong future.

Image by Patricia Alexandre from Pixabay

Survey reveals increasing IT investment in containers

960 640 Stuart O'Brien

87 percent of IT professionals are now running container technologies, with 90 percent of those running in production and 7 in 10 running at least 40 percent of their application portfolio in containers.

That’s up considerably from two years ago, when just 67 percent of teams were running container technologies in production, according to the 2019 Annual Container Adoption Survey from Portworx and Aqua Security.

The report features insights from over 500 IT professionals across a variety of industries and company sizes. The survey, conducted in April and May, asked questions about the state of container usage, tooling, environments and barriers to adoption, to get a snapshot of the container market landscape today and its evolution over time.

Yet despite their pervasiveness, the report highlights that containers aren’t without hurdles: when asked to name their top challenges to container adoption, respondents most frequently cited security (51%), data management (40%) and cross-cloud/multiple cloud support (36%). 

Other Key Findings:

  • Organisations are making bigger investments in containers. In 2019, nearly one in five organisations is spending over $1 million annually on containers (17%). Compare this to just four percent in 2016.
  • Data security tops the list of security challenges with a super majority of respondents (61%) listing this as their top security challenges, followed by vulnerability management (43%) and runtime protection (34%).
  • For the third year in a row, increasing developer speed and efficiency is the primary driver of container adoption with 37 percent of respondents listing it as the top benefit.
  • When asked which team bears the main responsibility for container security, most (31%) named the organisation’s security team, with a joint responsibility or DevSecOps in second place (24%). However, respondents’ own roles influenced their answer, with 47% of DevOps respondents naming DevSecOps as the main owner and 54% of Security respondents named Security as the main owner. 

Download the full 2019 Portworx & Aqua Security Container Adoption Survey Report here.