Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd

Posts Tagged :

Guest Blog

GUEST BLOG: People and processes are key to effective cyber security

960 640 Stuart O'Brien

Alan Calder Founder and Executive Chairman at IT Governance

Cyber security investment continues to spiral, with Gartner predicting global security spend will reach £71.72 billion by the end of the year, as a result of regulatory change, mindset and a growing awareness of threats.

And with over 40 per cent of UK businesses experiencing some form of cyber security attack or breach in the last 12 months, with the attendant cost and reputational damage, it is easy to see how information security teams can argue for ever higher budgets.

But is handing over another tranche of cash really the most effective route to cyber resilience? Look closely at any recent high profile breach and the hack was not achieved through bypassing top of the line security technology but by identifying weaknesses within processes and staff. Whilst technology certainly has its part to play in a business’ overall cyber security strategy, people and processes actually have a much more significant role in ensuring a business is protected. From management commitment to strategic risk assessment to process change and employee awareness, as Alan Calder Founder and Executive Chairman, IT Governance argues, organisations need to reconsider security and rapidly onboard the skills required to achieve this three-fold approach to mitigating cyber risk.

Weakest Link

No organisation is immune to the threat of a cyber attack, especially as the types and methods of attack become increasingly more sophisticated. Given the enormous cost associated with breach, from regulatory fines to lost customers and compromised supplier relationships, this is clearly on the board’s agenda.  Unfortunately, most boards would rather commit to hiking the security budget than take the steps actually required to improve cyber resilience: namely, get involved.

According to the ISO 27001 security standard, board level commitment is an essential requirement – yet this is a message that the CIO or CISO is finding hard to get across. Most senior level individuals perceive that cyber security is too complex and too technical to have a place in any board meeting. Yet this attitude underlines a patent lack of understanding of the cyber criminal: it is not all about incredibly complex and sophisticated threats, attackers will aim at the weakest link in an organisation’s security posture – its people.

People are a risk because they will forget passwords, make errors, click on phishing emails or access web sites loaded with malware. It is not malicious – in the main – but it is a huge problem.  The fact is that the vast majority of breaches are linked to human error – and more often than not, the cause is ill considered processes and education, not inadequate security solutions.

Proving the Point

The massive data breach at Sony came about as a result of hackers getting access to the list of passwords written in plain text, essentially an open door to an extraordinary raft of sensitive information; while at Morrison’s, it was a disgruntled employee who was able to upload the details of 99,998 staff, including bank account details, salary information, dates of birth, National Insurance numbers, addresses and phone numbers, to data sharing websites.  Having spent more than £2 million tackling the breach, the High Court ruled the supermarket was vicariously liable because the individual was acting in the course of his employment when he leaked the information online.

A lack of management understanding of risk also contributes to technology and process compromises that create unacceptable exposure. The WannaCry ransomware attack that ravaged so many businesses in 2017 is a prime example of poor processes – in this case, failing to update software, creating huge vulnerabilities. The attack affected companies globally, although in the UK the media brunt was borne by the NHS, which estimates a cost of £92 million to recover damaged IT equipment; although it has made no public acknowledgement of the cost to patients’ health as a result of cancelled operations and missed diagnoses.

While these events clearly focus management attention on the escalating risk created by cyber security, none of these organisations had failed to invest in security hardware or software. What they had overlooked was that a cyber resilient business is underpinned by highly effective processes and a highly aware and educated staff.

New Information Security Culture

User awareness and education is a huge component of a cyber resilient organisation. Simple steps such as teaching employees to recognise a phishing email or spot a rogue Wi-Fi hotspot at the café, station or conference centre, can radically reduce incidents. But this is just the start: user awareness and training must be part of a complete resilience process.

Continually testing staff awareness – by sending phishing emails and following up with additional training to those who mistakenly click on the email – is essential, but staff also need to know what to do if they do click on a phishing email by mistake. And that means the company needs to put in place a clearly defined process that encompasses everything from ensuring users recognise the importance of immediately notifying the incident response team, to locking down the device and removing it from the network, and critically, undertaking an assessment to determine whether the incident has created a regulatory reportable breach.

In addition to improving awareness and understanding, it is also important to make life easy for the user.  While IT has become obsessed with the concept of complex passwords changed every sixty to ninety days, for the user the only option is to write these down – or continually waste time calling the help desk for a reset.  How much more effective to opt for single sign in and passwords changed only when the user perceives a risk? Or once a year? Not only does the business lose the massive risk associated with passwords written down everywhere, but the help desk calls plummet – and the IT team has time to fix the gaping security hole left by the disturbing number of network devices still operating on easily breached default settings!

Security Standards

This people and process model is at the heart of the global ISO 27001 security standard – a standard which in this post GDPR era is prompting increasing interest as a way of demonstrating the security provision in place should a breach occur. And, to circle back to where we came in, this is where the board needs to get involved: ISO 27001 states that management must be engaged in the information security management process; they must lead by example and provide clear guidance to the organisations on issues such as risk management. That means that security is not just a line on the budget and a chance to pass the buck to the information security management team; the board must actively discuss and consider security policy is certification is to be achieved.

And, to be frank, the board should be actively involved. The creation of a cyber resilience framework is key not only to reducing the likelihood of a breach but also to ensure systems can get back up and running as quickly as possible to minimise business disruption – and that framework is ultimately defined and directed by a corporate understanding of risk.

Simply accepting an ever increasing security cost is not enough. It is not until the board has discussed and agreed upon the risk appetite, which will vary significantly between organisations, that the business can begin to take the correct steps towards managing information security – and that means investing in the right skills to define and implement new processes and staff awareness.

GUEST BLOG: Phishing and Facebook – A test of reputation for businesses

960 640 Stuart O'Brien
By Asaf Cidon, VP Email Security, Barracuda Networks
 
Facebook is never far from the news agenda, so it was no surprise to see the company under the media spotlight again when it was revealed that a recent hack exposed the personal information of 30m users.
After polling visitors to Cloud Expo earlier this year on their views of Facebook and data privacy, we took to the floor at the IP Expo show in London earlier this month to learn how businesses were feeling about their defences in the wake of the latest high profile attack. 
 
The last time we spoke to the tech industry at a UK trade show, it was on the back of the news that millions of Facebook profiles were apparently exploited for political purposes, so we were keen to understand how views had changed in the six months since then. 
 
Back in April, trust in Facebook appeared to have been badly affected, with 55% claiming that they trusted Facebook less as a result of the Cambridge Analytica scandal. Results from IP Expo further confirmed this, with 41% of respondents citing that they didn’t trust Facebook even before this latest news story. What’s encouraging is that individuals are taking measures to protect themselves – 28% said that they had amended their security and sharing settings as a result, almost identical to the 29% who said the same at Cloud Expo.
 
Individuals in the IT industry have definitely become more wary of how they’re using Facebook, but did this have any bearing on their business?
 
So what does this mean for businesses? 
 
Whilst we still don’t know a great deal about what happened, we do know that while initial reports suggested 50 million accounts were accessed, it was actually closer to 30 million.
 
Despite this smaller number, it’s clear that hackers were able to get unfettered access to a significant amount of sensitive information. For 15 million users, the hackers had access to their name, phone number, and email address.
 
But for 14 million users, the attackers had access to the above as well as their relationship status, work, education, religion, current city, gender, username, device type, pages followed, last ten places checked into or tagged in, and 15 most recent searches.
 
Much of the information up for grabs plays right into the hands of cyber criminals planning their next phishing attack, and as it also includes people’s workplaces, it’s only natural to assume that this could well lead to an increased risk of phishing attacks at work.
 
So is this a precedent that businesses should be prepared for?
 
More than a third of the visitors we spoke to at IP Expo (35%) felt that the Facebook hack was likely to increase the likelihood of phishing attacks on businesses, since attackers would be emboldened by its success. Around 20% of our respondents felt it could work the other way though, as businesses would be forewarned and, therefore, forearmed against such attacks. 
 
Whatever the reality, businesses are certainly not being complacent when it comes to resisting phishing attacks. One in four (25%) of the 200 businesses who took part felt that they have both the technology and the user education in place to feel very confident in their protection. Confidence in technology but not user education meant that 38% felt quite confident in their ability to resist an attack, whilst a focus on user education over technology had instilled confidence in 22%. Only 7% felt that they were sitting ducks, with neither the technology nor user education in place to protect their business.

What now for businesses and individuals?
 
Anyone who regularly uses Facebook needs to review their security and sharing settings immediately, if they haven’t done so already. This is especially important if you have other apps connected to your Facebook account, as this gives attackers even more of a prize should they take over your account.
 
For businesses, the best defence against phishing and spear phishing is to help make users aware of the threats and techniques used by criminals. Organisations should implement a simulation and training program to improve security awareness for their users, regularly training and testing employees to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training, as it helps humans recognise the subtle clues to identify phishing attempts, and gives employees a baseline understanding of the latest techniques attackers are using.
 
Effective user training can help prevent a lot of attacks, but keeping out attacks that don’t enter via email requires a combination of effective perimeter filtering, specially designed network architecture and the ability to detect malware that may already be inside the network. Businesses also need to keep up to date with software, security and firewall updates to ensure they have the most sophisticated approach to security in place to defend against threats. This demonstrates that SSO/MFA are not the silver bullet of protection against account compromise, because if the authentication provider gets compromised all connected applications are breached. This demonstrates the importance of using AI that can monitor employee behavior and detect anomalies in real time.
 
With huge global organisations such as Facebook and Google showing themselves to be susceptible to cyber-attacks, it’s clear that businesses need to remain vigilant. Every new breach further proves that the public needs to preserve and protect their own cloud data, because the providers are not. 

GUEST BLOG: Security insights from the outer edge

960 640 Stuart O'Brien

Gallagher Security Perimeter Product Manager, Dave Solly, talks about security at the perimeter and not just at the door…

If there’s one area of security that’s often overlooked in commercial channels, it’s perimeter. This all too common gap in thinking is preventing businesses from really solving their security issues, often issues they don’t realise, or don’t want to admit they have.

As a product manager for perimeter systems, of course I’d say that. But hear me out.

In my experience, few businesses who have a security problem think they need a perimeter solution. Instead, they turn to traditional access and intruder solutions and their well-known benefits of business efficiency, compliance and risk management. These are all great reasons to spend money on a reader at the door, but they don’t address the business continuity problem at the gate, nor do they provide any protection to outdoor assets or the building itself. That’s where the perimeter comes in.

What’s the difference between securing a door and securing a gate? In my opinion, other than the physical structure, not a lot, though many organisations would rather secure a building because that’s where they see the value. But if an intruder is already in your yard, breaking through a door, then damage has already occurred and the intruder has potentially reached your assets anyway. Securing your perimeter allows you to solve this. Wouldn’t you rather stop an intruder before they even have a chance to get in?

Too often, perimeter security is a box-ticking exercise: employ a guard and put in CCTV cameras. This type of approach is cheap, easy to deploy and very common. It’s also retrospective, prone to human error, reliant on other technologies to be truly useful, and often results in continued security problems.

As the first cordon of security, your perimeter system gives you the chance to completely stop theft and damage from intruders. Not reduce: completely stop. I’ve seen many examples where this has happened – such as when a freight depot was experiencing ongoing fuel theft, they invested in a secure, well designed perimeter solution. Overnight, intruders and theft disappeared and they haven’t had a problem since. Right now, you should be asking not just “What investment have we put in to our perimeter?” But also “How much do we value our business?”

Theft, damage, trespassers and accidental access to potentially dangerous environments are all risk factors that put business continuity firmly at the heart of perimeter security. The low upfront cost of the most common perimeter solutions needs to be considered in the context of ongoing guard patrol expenses, lost work time to fix damage, replacing stolen assets and the often unseen cost to staff morale of repeated break-ins. What’s the true cost of your not-so-secure perimeter?

In places like water treatment plants, rail yards, council yards, manufacturing plants and power stations there’s also a duty of care required to the community – preventing people from accessing dangerous environments and doing silly things. As a kid growing up in the country, I remember running on the conveyer belts in the nearby dolomite (fertiliser) plant. Interestingly, the control room and processing rooms were secure, but not the conveyor that feeds the rocks into the crusher. Perimeter security would’ve prevented me from doing what in hindsight was clearly very foolish (but fun at the time). This is a good example of the growing need for proper protection at the perimeter – for both your organisation and the public.

There needs to be a widespread change in mind-set when it comes to perimeter security for commercial businesses. Done well, a perimeter solution is an important investment in business continuity and duty of care, with a huge impact on safety and cost reduction in the long term. It’s a change in thinking many businesses can’t afford to ignore.

GUEST BLOG: 5 tips for a winning risk management strategy

960 640 Stuart O'Brien

By Gallagher

Risk comes in many forms, with varying degrees of cost to your business and recovery times.

Here are a few items worth considering when it comes to producing a risk management strategy:

1. Take care of your people

Staff really are the most important asset within an organisation. From a risk management perspective, it’s important to ask: Are we doing everything we can to create an environment in which our people are comfortable, informed, and safe?

2. Be vigilant in the cyber world

Cyber-attacks are happening everywhere with increasing sophistication. Regardless of the activity the impact could destroy your business, so ensure you take the appropriate measures to limit the possibility of this happening.

3. Understand liability from both the personal and corporate perspective

The world is becoming a more litigious place where someone needs to be accountable for the outcome of any incident – especially when it comes to the safety of people. Does your organisation have appropriate measures in place to understand what this might mean for you? Look at your policies and processes to ensure that you have an effective program in place in the event that something happens.

4. Focus on the important things

It’s easy to say “measure, analyse, assess, and mitigate” for every possible risk, and you won’t have any problems because everything will be covered. However, in reality, it is a lot more difficult to implement and manage. Focus on the most important things first and keep risk in the equation of every decision you make.

5. Plan for it

“Prior Planning and Preparation Prevents Poor Performance” This is as relevant for risk management as it is for almost everything that we do. Plan and prepare to ensure that you won’t be surprised by anything, and you’ll be well placed to safeguard the success of your business.

GUEST BLOG: 60 must-know cybersecurity statistics for 2018

960 640 Stuart O'Brien

By Varonis

Cybersecurity issues are becoming a day-to-day struggle for businesses. Trends show a huge increase in hacked and breached data from sources that are increasingly common in the workplace, like mobile and IoT devices.

Additionally, recent research suggests that most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data lass.

We’ve compiled 60 cybersecurity statistics to give you a better idea of the current state of overall security, and paint a picture of how potentially dire leaving your company unsecure can be.

Click here to read the full article.

GUEST BLOG: The anatomy of a phishing email

960 640 Stuart O'Brien

By Varonis

Phishing scams are one of the most common ways hackers gain access to sensitive or confidential information.

In fact, according to the Verizon’s 2018 Data Breach Investigations Report, phishing is involved in 70 percent of breaches that feature a social engineering component.

What is Phishing?

At the most basic level, a phishing scam involves sending fraudulent emails that appear to be from a reputable company, with the goal of deceiving recipients into either clicking on a malicious link or downloading an infected attachment, usually to steal financial or confidential information.

If your employees don’t know the signs of a phishing email, your company is at risk. According to Verizon, the average time it took for the first victim of a large-scale phishing campaign to click on a malicious email was 16 minutes; however, it took twice as long — 33 minutes — for a user to report the phishing campaign to IT.

Given that 49 percent of malware is installed via email, these 17 minutes could spell disaster for your company…

Click here to continue reading.

GUEST BLOG: Having the right connections – Are VPNs really fit for purpose?

960 640 Stuart O'Brien

Stuart Sharp, Global Director of Solutions Engineering at OneLogin

Remote working has fast become commonplace in today’s business landscape. Free from the stress of the modern-day workplace, employees are increasingly keen to opt for the laptop and crack on with work uninterrupted, all from the comfort of their own home.

In fact, the Office for National Statistics (ONS) last year predicted that half of the UK workforce will be working from remote locations by 2020, many of whom cited how the increased flexibility can benefit their private lives. Not all business owners are convinced. Many tech goliaths, such as HP, IBM and Yahoo, have recently rescinded the option for their employees to work from home, inciting an ‘if you don’t like it, leave’ approach.

The reality is that for many companies, having a high percentage of employees working from home just isn’t the same as having an office full of busy employees, and it’s mostly down to the ease with which employees can access corporate applications remotely. The Virtual Private Network (VPN) was created to resolve this issue and provide a secure link between an employee, at home or on the road, to the corporate network. In fact, almost half (48%) of UK IT professionals surveyed by OneLogin require employees to use VPNs when working remotely. However, with 30% receiving frequent complaints that the use of a VPN slows down remote network access, many organisations are struggling to find a balance between productivity and security. The survey also found that half of remote workers spend up to one day per week connected to unsecured networks in an effort to circumnavigate VPNs and get on with their job, leaving organisations open to a host of cyber threats.

With ‘not fit for purpose’ VPNs, organisations are inadvertently making remote working impossible. The creativity, productivity and efficiency benefits that remote working originally boasted are being buried under a sea of stressed remote employees and IT teams battling complaints.

Organisations have outgrown the outdated tech they still rely on and can no longer afford to use unreliable VPNs that encourage employees to flaunt security best practices. If employees continue to favour unsecured networks, a cybersecurity catastrophe is just around the corner, particularly with the deadline looming for the EU’s General Data Protection Regulation (GDPR) on May 25th, 2018. Under GDPR, if data gets into the hands of cybercriminals as a result of neglect or employee ignorance, businesses could be faced with penalties that start at €10 million and can go up to as much as €20 million or 4% of a business’s annual turnover, whichever is higher [1].

While having a fully cloud-based strategy seems ideal for many, it isn’t always easy to realise. Many organisations, and particularly enterprises, are battling with a hoard of on-premise legacy IT systems. But the reality is that they simply can’t just move everything into the cloud overnight. IT policies and end-point management strategies need to account for both cloud and on-premise IT infrastructures. Neglecting either of them is not an option.

In order to evolve, businesses are on the hunt for a low-maintenance solution that handles employee provisioning and deprovisioning (when employees leave a company), while also improving security and reporting. To meet this demand, Identity and Access Management (IAM) providers need to step-up to the plate and offer solutions that manage both on-prem and cloud environments from one unified platform.

So how can companies make this a reality?

Regardless of whether companies deploy more on-premise or cloud applications, having one unified access management platform will simplify and manage access in real-time. Coupling this with a smart IAM system that can power intelligent authentication tools, bolster security measures and increase functionality for end users will only propel industries towards digital transformation in a safe and secure fashion. In today’s competitive landscape, business efficiency and agility are necessities — and safe and effective remote working has a key role to play going forward.

GUEST BLOG: Social Media Security – How safe is your information?

960 640 Stuart O'Brien

By Varonis

In 2012 a massive cyber attack by a hacker named “Peace” exploited over 117 million LinkedIn users’ passwords. After the dust settled from the initial attack, new protocols were put in place and the breach was all but forgotten in the public eye, the same hacker reared their head again. Nearly five years later, “Peace” began releasing the stolen password information of the same LinkedIn users from the earlier hack.

With millions of users’ data (or billions, in the case of Facebook) floating around the web, the need for tight security from social media platforms is obvious. Facebook alone has reported receiving more than 600,000 security hack attempts each day. (Although that is nothing compared to the NSA’s 300 million attempted hacks each day!)

The wide age range and technology experience level of social media users makes security management even more complex. A social platform needs to not only combat hackers, but also has to protect users whose personal security practices might be elementary. Only 18 percent of Americans report changing their social media password regularly.

So with the constant threats of hacks coming in — from both foreign and domestic hackers — what exactly are these platforms doing to keep our information safe?

Click here to continue reading.

GUEST BLOG: Do Americans Ever Change Their Passwords?

960 640 Stuart O'Brien

By Varonis

Just how cautious are Americans when it comes to cybersecurity?

In today’s hyper-connected, highly-digitized society, data breaches are becoming increasingly commonplace. And they affect both corporations and individuals. In 2017 alone, the Equifax breach — considered by some to be the worst security breach in recent history — put 145.5 million Americans at risk of exposed information and identity theft.

Additionally, a Gmail phishing attack last year put 1 million users at risk of exposed information, and an Instagram hack revealed the contact information of 6 million users. Yahoo also revealed that a 2013 data breach affected the private information associated with all of their users — 3 billion in total.

According to the Pew Research Center, 64 percent of Americans have experienced some type of data breach in their lifetime. Despite this, the center found that the majority of Americans fail to follow cybersecurity best practices in their own digital lives.

In an effort to uncover more on password security habits (and associated feelings of cybersecurity), we put these numbers to the test.

Read on to discover what we found after surveying 1,000 Americans.

GDPR

GUEST BLOG: GDPR and CCTV – This will impact your business!

960 640 Stuart O'Brien

By 2020 CCTV

Is your business prepared for the implementation of the General Data Protection Regulation (GDPR)?

Set to be introduced on the 25th May 2018, considering what actions you must take is essential to ensuring your company does not face the tough consequences that have been set out.

GDPR is set to replace the Data Protection Act (DPA), so if you think your business is still covered — it’s not. Even though it is a piece of European Union legislation, it is likely that Britain will adopt this even after Brexit — meaning that your company should be preparing for the worst.

4% Global Annual Turnover Penalty: How To Avoid It

Businesses could find themselves paying a hard fee of 4% of their global annual turnover — so making sure that you’re compliant with the changes GDPR has regarding CCTV is essential. Here are some of the key things you need to know:

  • You need a strong and valid reason for the placement of CCTV around your perimeter.
  • You can’t use CCTV to ‘watch over’ your employees.
  • You must not place CCTV in places where employees expect privacy i.e. canteens.
  • You must notify surrounding people that they are being recorded as employees and site visitors become data subjects.
  • You shouldn’t keep data for over 30 days — under different circumstances, this can
  • You have a duty to protect the data that you collect.

GDPR Requirements: What Your Business Needs To Do To Avoid Prosecution

Corresponding with the bulleted list above, we’ve teamed up with 2020 Vision, which are consultants regarding CCTV security IP CCTV and access control systems, to give you the solutions that you need to know to avoid prosecution by the European Parliament:

  • A reason for CCTV could be to help protect your employees when it comes to health and safety and capture any incidents that could potentially occur — such as a robbery.
  • Compile an operational requirement, which should support your decision for CCTV placement.
  • Highlight a security risk which could be minimised through CCTV — whether this is being placed in canteens or smoking areas. An operational requirement can be made in this instance too.
  • Notify the public that you are recording them for CCTV and security purposes by putting up signs that signal this — include a contact number too, so anyone can contact if they incur any issues.
  • Dispose of your data after 30 days of retainment — it can be kept for longer if the local authorities have a written request and must view it on your own premises.
  • Avoid data breaches by drafting up a contract with your security supplier (who will become your data processor under GDPR legislation) and highlight what they can and can’t do with any footage that they obtain from your surveillance.

If you need further help understanding the implementation of GDPR, contact security consultants 2020 Vision today to ensure that you don’t leave it too late before May 25th. Make sure that you’re covered at all costs by clicking here and avoid facing tremendous penalties for non-compliers.

  • 1
  • 2