Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd

Posts Tagged :

Guest Blog

GDPR post Brexit: What will the impact be on hosting and cloud providers?

960 640 Stuart O'Brien

By Güneş Ilgüy, Head of Data Protection at A City Law Firm

The UK needed to upgrade its data privacy laws and bring it in line with the rest of the world. The main reason for the GDPR was to assist in harmonising the data privacy laws across Europe, setting a standard that the nations could adhere to. 

The GDPR was exactly that change. It was designed to ensure that a high standard was implemented, a code if you like, for businesses to be held more accountable for the data they collect and process. It also gave more power to the people by allowing them to have a say in how their data can be used. 

The question remains however: Will GDPR still be relevant post Brexit? 

In England and Wales, The Data Protection Act 2018 (DPA) came into force replacing the old one of 1998. The DPA mirrors the GDPR and where the GDPR is vague in some areas, the DPA adds more meat to the bone. 

Also, remember, the GDPR applies to all EU member states and any business collecting data of an EU national has to be GDPR compliant. It is also worthy of noting how far the GDPR reaches out in the international community. Any data processing by businesses outside of the EU, who process the personal data of individuals in the EU, are also subject to the GDPR. 

The Information Commissioner has stated that the GDPR “will send an important signal about the UK’s commitment to a high standard of data protection post-Brexit. This in turn will play a role in ensuring uninterrupted data flows between the UK and the EU.” 

The position of the UK post Brexit 

The GDPR is a directive and whilst the UK is still a member of the EU, it had a duty to implement this directive into domestic law. The DPA allows the UK to hold itself up to the same standard as the GDPR. It is not likely that the UK will now abandon the GDPR and amend its own laws, given the amount of money public bodies and businesses have invested into ensuring they are compliant. Changing the law would not make sense given that it has been brought up to date and implemented, with businesses winning over their customers

Keeping its current law in line with the GDPR will also pay dividends post Brexit as businesses will hope to maintain good relations with their EU counterparts. 

Hosting companies and Cloud providers 

Online data collection is probably most popular method of collecting data. Hosting companies and cloud providers have spent a lot of time and money ensuring that they can meet the demands of being compliant in terms of providing server security and processing data they handle.

Data transfer in itself does not have any boundaries. There is some uncertainty of how the UK will react to data privacy post Brexit however it would not make sense to go backwards and change the current regime to render it incompatible with the GDPR.

Developing strong ties with the EU in the terms of trade is of utmost importance and any change post Brexit will not be welcomed by companies.

Hosting and cloud providers, as data controllers or processors, have already been pushed to ensure they operate in line with the GDPR by their customers. If there was to be a different standard implemented by the UK, this could see UK providers losing customers to EU based providers who will be able to conform to the standards needed.

Companies outside of the UK are also looking at the current market. Where they have business operation in the UK, they are likely to use UK hosting companies. Post Brexit, using UK based hosting services might be more cost effective, depending on the value of the pound sterling, as opposed to using EU hosting providers who may look to increase the price of their services. 

One case that makes the crossover unclear is the Google Breach – in the future Post-Brexit can this scenario arise? As surely the reach of an EU country into the UK to this extent will no longer apply? There is no answer to this question, but it is something to watch.

The French Data Regulator, CNIL, fined Google a record £44 million (50 million Euros) for breaching the EU’s data protection laws. This made headline news because what makes this case remarkable is that the complaints against Google in May 2018 were raised by two privacy rights groups in France, and against a company whose headquarters were and are based in Ireland. 

Generally, you would expect the Irish regulator to have addressed this however, the CNIL found that the overarching decisions about the processing operations complained of were not made by Google’s Irish offices, or by anyone in the EU. It was discovered those were made by the US company. As this case was not about a data controller’s main EU establishment, CNIL was at liberty to take its own action. This conclusion was reached following communications with other EU supervisory authorities, including the Irish DPC. 

What can be learned from this? 

The Google case sends a strong message about data protection which should be received loud and clear. Regulators have powers to levy huge fines on companies found to be in breach and they are willing to use it even outside of the companies housed jurisdiction. whether an EU country would have this right post Brexit is something to watch? 

Conclusion

Focus is now on how an effective deal can be negotiated however any hard Brexit or no deal will have consequences on the economy, and this will affect how business choose to operate. It is hoped that the current data legislation is adequate enough not to be changed or significantly amended. Any changes that are incorporated would mean businesses in the UK and EU would need to adapt to ensure they maintain their customer base. What happens after Brexit is anyone’s guess. 

Under EU regulations an EU based data controller has to ensure that when data is passed to a country outside of the EU (which the UK will be upon Brexit even to Ireland) that the country housing the data has adequate levels of protection comparable to those of the EU. 

Whilst we don’t expect a significant shift given the UK is currently having to comply with GDPR and its own Data Protection legislation so harmonized, we do not know how the EU will view this in the future, especially since at the time of writing we may still be looking at a ‘hard Brexit’. It is likely EU based controllers will have to deal with the UK as it does for any non-EU countries – with established data protection mechanisms in place, such as the United States. 

Under lock and key: how can the public sector keep data safe?

960 638 Stuart O'Brien

Dan Panesar, VP EMEA, Certes Networks

The public sector faces intense public scrutiny, especially when it comes to cybersecurity.

However, the launch of the National Cyber Security Centre in (NCSC) in 2016 suggests that the sector is beginning to take the issue of cybersecurity seriously, marking the Government’s commitment to making the UK a safe place to live and work online.

And it’s not just public scrutiny the sector has to contend with, but the global digital revolution means that changes are happening rapidly, and technology adoption is not happening as quickly as it should.

On top of this, the public sector has numerous regulatory and Information Assurance (IA) based obligations they are required to fulfil, making some organisations within the sector too scared to make changes or enforce new policies for fear of breaking the rules. 

Restricted budgets, small teams and intense workloads can often make cybersecurity a low priority. Rather than enforcing and developing proactive, robust strategies to keep the organisation’s data safe, teams end up working reactively to mitigate threats as they arise. Not to mention the complex and wide-reaching nature of public sector organisations, making coordinating the array of essential services, stakeholders and functions a near impossible task. 

Keeping up with digital change 

The digital transformation means that traditional connectivity solutions are being replaced to reflect cloud deployments, network function virtualisation and the ability to deploy meaningful orchestration-based management. To reflect the update of digital and online services, public sector networks are expected to grow at 15-25% per year; in order to keep up with this demand, users are becoming increasingly reliant on both high-speed and high-availability transport networks, whether they are MPLS, SD-WAN or 5G or a combination of networks to deliver information when and where needed. 

In the not so distant future, dependency on traditional hardware will become more challenging as additional capacity means the user may have to continuously upgrade its network to reflect growth. However, current and conventional approaches to data protection create numerous challenges particularly around scalability, performance, complexity, key management and key rotation.

Don’t shy away from new technology

The public sector needs to start embracing new technology; the prospect of digital transformation should be exciting, rather than daunting. As a sector with a reputation for being slow to adopt mobile technology, potentially due to concerns over its lack of security, there is a tendency to instead lock down data and restrict the use of technology altogether. However, this just isn’t sustainable, and a lack of mobile technology won’t keep the hackers out. 

If changes don’t happen soon, the public sector will get left behind. To keep up, it needs to recognise that a digital network with a mix of connected users, devices and applications, does not need to make an organisation vulnerable; no matter how complex it may be. Flexibility and digital agility are undoubtedly at the top of every government’s agenda, making it essential for organisations to embrace the technology available. However, instead of putting adopting technology that attempts to secure each entity itself, or worse, layering technology on top of technology with a security solution tied into the network, organisations need to focus on what’s really important – and that’s Information Assurance (AI). In order for organisations in the public sector to really be secure, rather than securing the network, the focus needs to be on protecting the data.

An organisation’s biggest asset

Data is arguably an organisation’s biggest asset; it’s the crown jewels that must be protected, and what the hackers will inevitably set their sights on when planning an attack. In reality, a fine won’t be enforced under regulations such as the General Data Protection Regulation (GDPR) for a breach to an organisation’s network; the fine comes into play when a breach results in data being lost or stolen. That’s the difference in value between an organisation’s network and its data. 

And the fact is, the public sector is quickly becoming a prime target for hackers. But how can organisations ensure their data is really protected? Firstly, organisations need to move to a data-centric, IA security model underpinned by a robust and strategic security overlay, on top of an organisation’s existing network and independent of the underlying transport infrastructure, making the network itself irrelevant. A software-defined security overlay enables a centralised orchestration of IA policy and by centrally enforcing capabilities such as software-defined application segmentation using cryptography, key management and rotation, data is protected in its entirety on its journey across whatever network or transport it goes across. 

For the public sector, this means organisations no longer need to fear technology; each application on the network and the data it holds will be kept secure, irrespective of any changes made. Furthermore, if a data breach does occur, as long as it’s encrypted it will be rendered useless to hackers, mitigating the potential damaging consequences of a breach. 

Quite simply, cybersecurity must be at the forefront of business strategy. Public sector organisations need to embrace technology, coupled with the right security architecture, or risk being left behind. 

Guest Blog: The cyber resilience model

960 638 Stuart O'Brien

For too long, organisations have sought the holy grail of 100% Cyber Security. But security is never absolute; it is essential to understand that a breach is inevitable. It is the way in which organisations respond to a cyber security breach that is critical.

Alan Calder, Chief Executive of GRC International plc, parent company of IT Governance explains the fundamental importance of creating a Cyber Resilient model…

Cyber Security Myth

Cyber security is defined as the state of protecting information from attack by identifying risks and establishing appropriate defences. But as investment in security solutions continues to spiral it is essential for organisations to recognise the truth: total cyber security is unachievable. 

Cyber criminals can and will dramatically outspend their targets, creating ever changing and ever more sophisticated threats. At the same time, the ease with which these individuals and organisations bypass security technology and exploit poor process and ill-educated employees simply reinforces the futility of the current model: when 93% of security breaches occur as a result of a phishing or pretexting email, clearly a different approach is required.

Breaches occur routinely – and companies rarely know they have been breached. Not only are the majority of security breaches actually identified by third parties, on average it takes 193 days after the breach first occurred. So much for the much vaunted cyber security strategy.

What is required, therefore, is a far more robust approach to both managing the breach and minimising the business impact – a model that is predicated on achieving cyber resilience, not cybersecurity.

Cyber Essentials

To create a cyber resilience model an organisation needs to totally reconsider security provision; to assess and determine the business specific acceptable level of risk and acknowledge that an attack may be successful however well prepared the defences. By adopting a standards-based approach that encompasses technology, people and processes, a cyber resilience strategy can be designed to reflect each organisation’s maturity level with regards to both cyber security and data privacy.

At the heart of a cyber resilience strategy is defence in depth. In addition to using technology to block phishing emails, for example, a company must also ensure staff are trained to recognise the signs that an email may not be genuine. They must know how to respond if they mistakenly click on the email, including immediately notifying the help desk, which will prompt clearly defined escalation processes to minimise corporate exposure. Add in a device level back up process that does not allow the spread of malware and a business has a robust cyber resilience approach to the most prevalent form of breach.

Resilience Journey

This is, of course, an evolution. For smaller or start up business, a simple first step is to adopt Cyber Essentials, five basic controls which should prevent around 80% of Internet borne attacks from being successful. As an organisation matures, it is important to add process and people controls, even pursue the ISO 270001 information security standard, and to consider the wider business ecosystem. Is there a corporate network vulnerability created by the heating supplier routinely accessing the building’s heating, ventilation and air conditioning system, for example? What about customer security? Should the hosted web site be relocated to the cloud to achieve the encryption demanded by PCI DSS when handling credit card details? Throughout the evolution, a good cyber resilience model will continually learn, collecting data about breaches, for example, to highlight staff that need additional training or improvements to escalation processes, and ensuring the cyber risk assessment adapts in line with business expectation.

Critically, therefore, this is a board level issue and, over time a board’s awareness of and involvement in the business’ cyber resilience model must become part of the standard governance framework, as embedded as board and market reporting, health and safety and social engagement. 

Simply raising the cyber security budget year on year is not the answer: what is required is an evolving, multi-layered set of responses to the continually escalating cyber threat. Replacing a futile search for cyber security with a robust, practical and risk appropriate cyber resilience model is one of the most important steps an organisation can take.

GUEST BLOG: People and processes are key to effective cyber security

960 640 Stuart O'Brien

Alan Calder Founder and Executive Chairman at IT Governance

Cyber security investment continues to spiral, with Gartner predicting global security spend will reach £71.72 billion by the end of the year, as a result of regulatory change, mindset and a growing awareness of threats.

And with over 40 per cent of UK businesses experiencing some form of cyber security attack or breach in the last 12 months, with the attendant cost and reputational damage, it is easy to see how information security teams can argue for ever higher budgets.

But is handing over another tranche of cash really the most effective route to cyber resilience? Look closely at any recent high profile breach and the hack was not achieved through bypassing top of the line security technology but by identifying weaknesses within processes and staff. Whilst technology certainly has its part to play in a business’ overall cyber security strategy, people and processes actually have a much more significant role in ensuring a business is protected. From management commitment to strategic risk assessment to process change and employee awareness, as Alan Calder Founder and Executive Chairman, IT Governance argues, organisations need to reconsider security and rapidly onboard the skills required to achieve this three-fold approach to mitigating cyber risk.

Weakest Link

No organisation is immune to the threat of a cyber attack, especially as the types and methods of attack become increasingly more sophisticated. Given the enormous cost associated with breach, from regulatory fines to lost customers and compromised supplier relationships, this is clearly on the board’s agenda.  Unfortunately, most boards would rather commit to hiking the security budget than take the steps actually required to improve cyber resilience: namely, get involved.

According to the ISO 27001 security standard, board level commitment is an essential requirement – yet this is a message that the CIO or CISO is finding hard to get across. Most senior level individuals perceive that cyber security is too complex and too technical to have a place in any board meeting. Yet this attitude underlines a patent lack of understanding of the cyber criminal: it is not all about incredibly complex and sophisticated threats, attackers will aim at the weakest link in an organisation’s security posture – its people.

People are a risk because they will forget passwords, make errors, click on phishing emails or access web sites loaded with malware. It is not malicious – in the main – but it is a huge problem.  The fact is that the vast majority of breaches are linked to human error – and more often than not, the cause is ill considered processes and education, not inadequate security solutions.

Proving the Point

The massive data breach at Sony came about as a result of hackers getting access to the list of passwords written in plain text, essentially an open door to an extraordinary raft of sensitive information; while at Morrison’s, it was a disgruntled employee who was able to upload the details of 99,998 staff, including bank account details, salary information, dates of birth, National Insurance numbers, addresses and phone numbers, to data sharing websites.  Having spent more than £2 million tackling the breach, the High Court ruled the supermarket was vicariously liable because the individual was acting in the course of his employment when he leaked the information online.

A lack of management understanding of risk also contributes to technology and process compromises that create unacceptable exposure. The WannaCry ransomware attack that ravaged so many businesses in 2017 is a prime example of poor processes – in this case, failing to update software, creating huge vulnerabilities. The attack affected companies globally, although in the UK the media brunt was borne by the NHS, which estimates a cost of £92 million to recover damaged IT equipment; although it has made no public acknowledgement of the cost to patients’ health as a result of cancelled operations and missed diagnoses.

While these events clearly focus management attention on the escalating risk created by cyber security, none of these organisations had failed to invest in security hardware or software. What they had overlooked was that a cyber resilient business is underpinned by highly effective processes and a highly aware and educated staff.

New Information Security Culture

User awareness and education is a huge component of a cyber resilient organisation. Simple steps such as teaching employees to recognise a phishing email or spot a rogue Wi-Fi hotspot at the café, station or conference centre, can radically reduce incidents. But this is just the start: user awareness and training must be part of a complete resilience process.

Continually testing staff awareness – by sending phishing emails and following up with additional training to those who mistakenly click on the email – is essential, but staff also need to know what to do if they do click on a phishing email by mistake. And that means the company needs to put in place a clearly defined process that encompasses everything from ensuring users recognise the importance of immediately notifying the incident response team, to locking down the device and removing it from the network, and critically, undertaking an assessment to determine whether the incident has created a regulatory reportable breach.

In addition to improving awareness and understanding, it is also important to make life easy for the user.  While IT has become obsessed with the concept of complex passwords changed every sixty to ninety days, for the user the only option is to write these down – or continually waste time calling the help desk for a reset.  How much more effective to opt for single sign in and passwords changed only when the user perceives a risk? Or once a year? Not only does the business lose the massive risk associated with passwords written down everywhere, but the help desk calls plummet – and the IT team has time to fix the gaping security hole left by the disturbing number of network devices still operating on easily breached default settings!

Security Standards

This people and process model is at the heart of the global ISO 27001 security standard – a standard which in this post GDPR era is prompting increasing interest as a way of demonstrating the security provision in place should a breach occur. And, to circle back to where we came in, this is where the board needs to get involved: ISO 27001 states that management must be engaged in the information security management process; they must lead by example and provide clear guidance to the organisations on issues such as risk management. That means that security is not just a line on the budget and a chance to pass the buck to the information security management team; the board must actively discuss and consider security policy is certification is to be achieved.

And, to be frank, the board should be actively involved. The creation of a cyber resilience framework is key not only to reducing the likelihood of a breach but also to ensure systems can get back up and running as quickly as possible to minimise business disruption – and that framework is ultimately defined and directed by a corporate understanding of risk.

Simply accepting an ever increasing security cost is not enough. It is not until the board has discussed and agreed upon the risk appetite, which will vary significantly between organisations, that the business can begin to take the correct steps towards managing information security – and that means investing in the right skills to define and implement new processes and staff awareness.

GUEST BLOG: Phishing and Facebook – A test of reputation for businesses

960 640 Stuart O'Brien
By Asaf Cidon, VP Email Security, Barracuda Networks
 
Facebook is never far from the news agenda, so it was no surprise to see the company under the media spotlight again when it was revealed that a recent hack exposed the personal information of 30m users.
After polling visitors to Cloud Expo earlier this year on their views of Facebook and data privacy, we took to the floor at the IP Expo show in London earlier this month to learn how businesses were feeling about their defences in the wake of the latest high profile attack. 
 
The last time we spoke to the tech industry at a UK trade show, it was on the back of the news that millions of Facebook profiles were apparently exploited for political purposes, so we were keen to understand how views had changed in the six months since then. 
 
Back in April, trust in Facebook appeared to have been badly affected, with 55% claiming that they trusted Facebook less as a result of the Cambridge Analytica scandal. Results from IP Expo further confirmed this, with 41% of respondents citing that they didn’t trust Facebook even before this latest news story. What’s encouraging is that individuals are taking measures to protect themselves – 28% said that they had amended their security and sharing settings as a result, almost identical to the 29% who said the same at Cloud Expo.
 
Individuals in the IT industry have definitely become more wary of how they’re using Facebook, but did this have any bearing on their business?
 
So what does this mean for businesses? 
 
Whilst we still don’t know a great deal about what happened, we do know that while initial reports suggested 50 million accounts were accessed, it was actually closer to 30 million.
 
Despite this smaller number, it’s clear that hackers were able to get unfettered access to a significant amount of sensitive information. For 15 million users, the hackers had access to their name, phone number, and email address.
 
But for 14 million users, the attackers had access to the above as well as their relationship status, work, education, religion, current city, gender, username, device type, pages followed, last ten places checked into or tagged in, and 15 most recent searches.
 
Much of the information up for grabs plays right into the hands of cyber criminals planning their next phishing attack, and as it also includes people’s workplaces, it’s only natural to assume that this could well lead to an increased risk of phishing attacks at work.
 
So is this a precedent that businesses should be prepared for?
 
More than a third of the visitors we spoke to at IP Expo (35%) felt that the Facebook hack was likely to increase the likelihood of phishing attacks on businesses, since attackers would be emboldened by its success. Around 20% of our respondents felt it could work the other way though, as businesses would be forewarned and, therefore, forearmed against such attacks. 
 
Whatever the reality, businesses are certainly not being complacent when it comes to resisting phishing attacks. One in four (25%) of the 200 businesses who took part felt that they have both the technology and the user education in place to feel very confident in their protection. Confidence in technology but not user education meant that 38% felt quite confident in their ability to resist an attack, whilst a focus on user education over technology had instilled confidence in 22%. Only 7% felt that they were sitting ducks, with neither the technology nor user education in place to protect their business.

What now for businesses and individuals?
 
Anyone who regularly uses Facebook needs to review their security and sharing settings immediately, if they haven’t done so already. This is especially important if you have other apps connected to your Facebook account, as this gives attackers even more of a prize should they take over your account.
 
For businesses, the best defence against phishing and spear phishing is to help make users aware of the threats and techniques used by criminals. Organisations should implement a simulation and training program to improve security awareness for their users, regularly training and testing employees to increase their security awareness of various targeted attacks. Simulated attack training is by far the most effective form of training, as it helps humans recognise the subtle clues to identify phishing attempts, and gives employees a baseline understanding of the latest techniques attackers are using.
 
Effective user training can help prevent a lot of attacks, but keeping out attacks that don’t enter via email requires a combination of effective perimeter filtering, specially designed network architecture and the ability to detect malware that may already be inside the network. Businesses also need to keep up to date with software, security and firewall updates to ensure they have the most sophisticated approach to security in place to defend against threats. This demonstrates that SSO/MFA are not the silver bullet of protection against account compromise, because if the authentication provider gets compromised all connected applications are breached. This demonstrates the importance of using AI that can monitor employee behavior and detect anomalies in real time.
 
With huge global organisations such as Facebook and Google showing themselves to be susceptible to cyber-attacks, it’s clear that businesses need to remain vigilant. Every new breach further proves that the public needs to preserve and protect their own cloud data, because the providers are not. 

GUEST BLOG: Security insights from the outer edge

960 640 Stuart O'Brien

Gallagher Security Perimeter Product Manager, Dave Solly, talks about security at the perimeter and not just at the door…

If there’s one area of security that’s often overlooked in commercial channels, it’s perimeter. This all too common gap in thinking is preventing businesses from really solving their security issues, often issues they don’t realise, or don’t want to admit they have.

As a product manager for perimeter systems, of course I’d say that. But hear me out.

In my experience, few businesses who have a security problem think they need a perimeter solution. Instead, they turn to traditional access and intruder solutions and their well-known benefits of business efficiency, compliance and risk management. These are all great reasons to spend money on a reader at the door, but they don’t address the business continuity problem at the gate, nor do they provide any protection to outdoor assets or the building itself. That’s where the perimeter comes in.

What’s the difference between securing a door and securing a gate? In my opinion, other than the physical structure, not a lot, though many organisations would rather secure a building because that’s where they see the value. But if an intruder is already in your yard, breaking through a door, then damage has already occurred and the intruder has potentially reached your assets anyway. Securing your perimeter allows you to solve this. Wouldn’t you rather stop an intruder before they even have a chance to get in?

Too often, perimeter security is a box-ticking exercise: employ a guard and put in CCTV cameras. This type of approach is cheap, easy to deploy and very common. It’s also retrospective, prone to human error, reliant on other technologies to be truly useful, and often results in continued security problems.

As the first cordon of security, your perimeter system gives you the chance to completely stop theft and damage from intruders. Not reduce: completely stop. I’ve seen many examples where this has happened – such as when a freight depot was experiencing ongoing fuel theft, they invested in a secure, well designed perimeter solution. Overnight, intruders and theft disappeared and they haven’t had a problem since. Right now, you should be asking not just “What investment have we put in to our perimeter?” But also “How much do we value our business?”

Theft, damage, trespassers and accidental access to potentially dangerous environments are all risk factors that put business continuity firmly at the heart of perimeter security. The low upfront cost of the most common perimeter solutions needs to be considered in the context of ongoing guard patrol expenses, lost work time to fix damage, replacing stolen assets and the often unseen cost to staff morale of repeated break-ins. What’s the true cost of your not-so-secure perimeter?

In places like water treatment plants, rail yards, council yards, manufacturing plants and power stations there’s also a duty of care required to the community – preventing people from accessing dangerous environments and doing silly things. As a kid growing up in the country, I remember running on the conveyer belts in the nearby dolomite (fertiliser) plant. Interestingly, the control room and processing rooms were secure, but not the conveyor that feeds the rocks into the crusher. Perimeter security would’ve prevented me from doing what in hindsight was clearly very foolish (but fun at the time). This is a good example of the growing need for proper protection at the perimeter – for both your organisation and the public.

There needs to be a widespread change in mind-set when it comes to perimeter security for commercial businesses. Done well, a perimeter solution is an important investment in business continuity and duty of care, with a huge impact on safety and cost reduction in the long term. It’s a change in thinking many businesses can’t afford to ignore.

GUEST BLOG: 5 tips for a winning risk management strategy

960 640 Stuart O'Brien

By Gallagher

Risk comes in many forms, with varying degrees of cost to your business and recovery times.

Here are a few items worth considering when it comes to producing a risk management strategy:

1. Take care of your people

Staff really are the most important asset within an organisation. From a risk management perspective, it’s important to ask: Are we doing everything we can to create an environment in which our people are comfortable, informed, and safe?

2. Be vigilant in the cyber world

Cyber-attacks are happening everywhere with increasing sophistication. Regardless of the activity the impact could destroy your business, so ensure you take the appropriate measures to limit the possibility of this happening.

3. Understand liability from both the personal and corporate perspective

The world is becoming a more litigious place where someone needs to be accountable for the outcome of any incident – especially when it comes to the safety of people. Does your organisation have appropriate measures in place to understand what this might mean for you? Look at your policies and processes to ensure that you have an effective program in place in the event that something happens.

4. Focus on the important things

It’s easy to say “measure, analyse, assess, and mitigate” for every possible risk, and you won’t have any problems because everything will be covered. However, in reality, it is a lot more difficult to implement and manage. Focus on the most important things first and keep risk in the equation of every decision you make.

5. Plan for it

“Prior Planning and Preparation Prevents Poor Performance” This is as relevant for risk management as it is for almost everything that we do. Plan and prepare to ensure that you won’t be surprised by anything, and you’ll be well placed to safeguard the success of your business.

GUEST BLOG: 60 must-know cybersecurity statistics for 2018

960 640 Stuart O'Brien

By Varonis

Cybersecurity issues are becoming a day-to-day struggle for businesses. Trends show a huge increase in hacked and breached data from sources that are increasingly common in the workplace, like mobile and IoT devices.

Additionally, recent research suggests that most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data lass.

We’ve compiled 60 cybersecurity statistics to give you a better idea of the current state of overall security, and paint a picture of how potentially dire leaving your company unsecure can be.

Click here to read the full article.

GUEST BLOG: The anatomy of a phishing email

960 640 Stuart O'Brien

By Varonis

Phishing scams are one of the most common ways hackers gain access to sensitive or confidential information.

In fact, according to the Verizon’s 2018 Data Breach Investigations Report, phishing is involved in 70 percent of breaches that feature a social engineering component.

What is Phishing?

At the most basic level, a phishing scam involves sending fraudulent emails that appear to be from a reputable company, with the goal of deceiving recipients into either clicking on a malicious link or downloading an infected attachment, usually to steal financial or confidential information.

If your employees don’t know the signs of a phishing email, your company is at risk. According to Verizon, the average time it took for the first victim of a large-scale phishing campaign to click on a malicious email was 16 minutes; however, it took twice as long — 33 minutes — for a user to report the phishing campaign to IT.

Given that 49 percent of malware is installed via email, these 17 minutes could spell disaster for your company…

Click here to continue reading.

GUEST BLOG: Having the right connections – Are VPNs really fit for purpose?

960 640 Stuart O'Brien

Stuart Sharp, Global Director of Solutions Engineering at OneLogin

Remote working has fast become commonplace in today’s business landscape. Free from the stress of the modern-day workplace, employees are increasingly keen to opt for the laptop and crack on with work uninterrupted, all from the comfort of their own home.

In fact, the Office for National Statistics (ONS) last year predicted that half of the UK workforce will be working from remote locations by 2020, many of whom cited how the increased flexibility can benefit their private lives. Not all business owners are convinced. Many tech goliaths, such as HP, IBM and Yahoo, have recently rescinded the option for their employees to work from home, inciting an ‘if you don’t like it, leave’ approach.

The reality is that for many companies, having a high percentage of employees working from home just isn’t the same as having an office full of busy employees, and it’s mostly down to the ease with which employees can access corporate applications remotely. The Virtual Private Network (VPN) was created to resolve this issue and provide a secure link between an employee, at home or on the road, to the corporate network. In fact, almost half (48%) of UK IT professionals surveyed by OneLogin require employees to use VPNs when working remotely. However, with 30% receiving frequent complaints that the use of a VPN slows down remote network access, many organisations are struggling to find a balance between productivity and security. The survey also found that half of remote workers spend up to one day per week connected to unsecured networks in an effort to circumnavigate VPNs and get on with their job, leaving organisations open to a host of cyber threats.

With ‘not fit for purpose’ VPNs, organisations are inadvertently making remote working impossible. The creativity, productivity and efficiency benefits that remote working originally boasted are being buried under a sea of stressed remote employees and IT teams battling complaints.

Organisations have outgrown the outdated tech they still rely on and can no longer afford to use unreliable VPNs that encourage employees to flaunt security best practices. If employees continue to favour unsecured networks, a cybersecurity catastrophe is just around the corner, particularly with the deadline looming for the EU’s General Data Protection Regulation (GDPR) on May 25th, 2018. Under GDPR, if data gets into the hands of cybercriminals as a result of neglect or employee ignorance, businesses could be faced with penalties that start at €10 million and can go up to as much as €20 million or 4% of a business’s annual turnover, whichever is higher [1].

While having a fully cloud-based strategy seems ideal for many, it isn’t always easy to realise. Many organisations, and particularly enterprises, are battling with a hoard of on-premise legacy IT systems. But the reality is that they simply can’t just move everything into the cloud overnight. IT policies and end-point management strategies need to account for both cloud and on-premise IT infrastructures. Neglecting either of them is not an option.

In order to evolve, businesses are on the hunt for a low-maintenance solution that handles employee provisioning and deprovisioning (when employees leave a company), while also improving security and reporting. To meet this demand, Identity and Access Management (IAM) providers need to step-up to the plate and offer solutions that manage both on-prem and cloud environments from one unified platform.

So how can companies make this a reality?

Regardless of whether companies deploy more on-premise or cloud applications, having one unified access management platform will simplify and manage access in real-time. Coupling this with a smart IAM system that can power intelligent authentication tools, bolster security measures and increase functionality for end users will only propel industries towards digital transformation in a safe and secure fashion. In today’s competitive landscape, business efficiency and agility are necessities — and safe and effective remote working has a key role to play going forward.

  • 1
  • 2