Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd

Posts Tagged :

industry data

Brits ‘more likely’ to change spending habits after a data breach

960 640 Stuart O'Brien

The consequences of a data breach have a greater impact in the UK versus the United States, according to new data.

41% of British consumers said they will stop spending with a business or brand forever following a data breach, compared to just 21% of US consumers.  

The research into consumer trust and spending habits was conducted by payment security specialists PCI Pal, and pointed to some clear cultural differences between the two countries.

The survey found that 62% of American consumers would instead stop spending for several months following a security breach or hack, with 44% of British consumers agreeing the same. 

Over half (56%) of all UK respondents were more reticent to give credit card details verbally over the phone than their American counterparts where it was found that four out of every ten (42%) of US respondents were uncomfortable reading out their details.

US consumers were generally less accepting to provide payment details over the phone with only 15% saying they would “hand over their information, no questions asked”, compared to a quarter of UK consumers. Instead 38% of American’s would ask for an online alternative to complete a transaction, while 32% of Brits said they would “hang up and find an alternative supplier.”

“Awareness of data security is something that is on everyone’s radar, yet our UK and US surveys have highlighted some real differences of opinions and traits, when comparing attitudes to data and payment security between the two countries,” said James Barham, CEO at PCI Pal.

“UK consumers certainly seem more guarded with providing personal information, such as payment card details, over the phone, yet the US is catching up fast. Similarly, if a security breach has occurred at an organisation, Brits appear more likely to avoid that organisation in future, and instead go elsewhere. In my opinion, 2019 is the year that organisations need to take steps to provide far clearer assurances to consumers as to how their data is being captured, processed and stored otherwise customers are not going to wait, and they may find them going elsewhere for their purchase.”

Looking at trust in businesses and brands, 55% of UK respondents felt they could trust a local store with their data more than a national company. They felt a local store was more likely to care about their reputation (30%) and hackers were less likely to target a local store as it is smaller (25%) while only 22% felt a national company would be more secure as they follow more security protocols.

In stark contrast, the reverse was true in the US with only 47% of respondents feeling they could trust a local company more than a national chain. In fact, 28% felt a national company would be more secure as they follow more security protocols, while 25% felt they have more money to invest in security protocols. 

Almost a third (31%) of UK consumers stated that they would spend less with brands they perceive to have insecure data practices, compared to just 18% of US survey respondents.

What keeps you up at night? It’s users, isn’t it

960 640 Stuart O'Brien

Ninety-two per cent of organisations’ biggest security is concern is users, with 81% having some degree of concern around security issues.

A new report, What Keeps You Up At Night 2019 – commissioned by security awareness training company KnowBe4 – looked at over 350 organisations globally.

The research was carried out against a background in which AI and machine learning are being leveraged by criminal organisations to help them better understand how to improve their attacks, targeting specific industry verticals, organisations and even individuals.

In the results, increases in the frequency of ransomware, phishing and crypto jacking attacks were experienced by businesses of nearly every size, vertical and locale.

When it came to attack vectors, data breaches were the primary concern, with credential compromise coming in as a close second.

The report says these two issues go hand-in-hand, as misuse of credentials remains the number one attack tactic in data breaches, according to Verizon’s 2018 Data Breach Investigations Report.

Phishing and ransomware ranked next, demonstrating that organisations are still not completely prepared to defend themselves against these relatively “old” attack vectors.

Other key findings from the report include: 

• 92% of organisations rank users as their primary security concern. And at the same time, security awareness training along with phishing testing topped the list of security initiatives that organisations need to implement. 

• Organisations today have a large number of attack vectors to prevent, monitor for, detect, alert and remediate; in terms of attacks, 95 per cent of organisations are most concerned with data breaches.

• Ensuring security is in place to meet GDPR requirements is still a challenge for 64 per cent of organisations, despite the regulation details being out for quite some time.

• Attackers’ utilisation of compromised credentials is such a common tactic, 93 per cent of organisations are aware of the problem, but still have lots of work to do to stop it. 

• When it comes to resources, 75 per cent of organisations do not have an adequate budget.

“2018 was a prolific year for successful cyberattacks, and many of them were caused by human error,” said Stu Sjouwerman, CEO of KnowBe4. “IT organisations are tasked with establishing and maintaining a layered security defence. The largest concern, as demonstrated again in this report, is employees making errors. Organisations must start with establishing a security culture, and in order to combat the escalation of social engineering, they have to ensure users are trained and tested.” 

88% of UK businesses have suffered a cyber attack in the last year

960 640 Stuart O'Brien

The UK’s cyber threat environment is intensifying, with attacks growing in volume along with an increased amount of security breaches.

New research, commissioned by leading next-generation endpoint security company Carbon Black and released in its second UK Threat Report, found that:

  • 88% of UK organisations reported suffering a breach in the last 12 months
  • The average number of breaches per organisation over the past year was 3.67
  • 87% of organisations have seen an increase in attack volumes
  • 89% of organisations say attacks have become more sophisticated
  • 93% of organisations plan to increase spending on cyber defence

The research also found that compared with the previous report, published in September, the average number of breaches has increased from 3.48 to 3.67. More than 5% of organisations have seen an increase in attack volumes.

100% of Government and Local Authority organisations surveyed reported being breached in the past 12 months, suffering 4.65 breaches, on average. 40% have been breached more than five times. In the private sector, the survey indicates that Financial Services are the most likely to report a breach, with 98% of the surveyed companies reporting breaches during the past 12 months.

Discussing the report, Rick McElroy, Head of Security Strategy for Carbon Black, said: “We believe our second UK threat report underlines that UK organisations are still under intense pressure from escalating cyberattacks.

“The report suggests that the average number of breaches has increased, but as threat hunting strategies start to mature, we hope to see fewer attacks making it to full breach status.”

The report also found that malware remains the most prolific attack type in the UK, with more than a quarter (27%) of organisations naming it the most commonly encountered. Ransomware holds second position (15%). However, the human factor plays a part in the attacks resulting in breaches. Phishing attacks appear to be at the root of one in five successful breaches. Combined, weaknesses in processes and outdated security technology were reported factors in a quarter of breaches, indicating that failures in basic security hygiene continue to be high risk vectors that organisations should address as a priority.

Organisations across all sectors reported increases in the volume of attacks during the past 12 months. However, of the organisations surveyed, Government and Local Authority organisations saw particularly high increases, with 40% noting more than 50% increase in the number of attacks. Similarly, in Healthcare, 29% of respondents noted increases of 50% or more.

60% of UK organisations surveyed said they are actively threat hunting and more than a quarter (26%) have been doing so for a year or more. A very encouraging 95% reported that threat hunting has strengthened their defences. The survey results suggest that threat hunting is most mature in the financial services sector, with 53% threat hunting for more than a year.

“We believe threat hunting is an integral part of a mature security posture,” McElroy said. “It’s encouraging to see this numbers continuing to climb.”

A copy of the report can be downloaded here:

https://www.carbonblack.com/resources/threat-research/global-threat-report-series

Hi-tech car theft warning from Which?

960 640 Stuart O'Brien

New research by consumer watchdog Which? has found that four of the five best-selling car brands in the UK are susceptible to so called ‘keyless theft’.

Analysed data from roadside recovery organisation General German Automobile Club (ADAC) by Which? revealed that out of 237 keyless cars tested by ADAC for keyless attacks only three remained secure, with the Ford Focus, Nissan Qashqai, VW Golf and Ford Fiesta all at risk.

Latest models of Range Rover and Discovery, along with the 2018 Jaguar i-Pace, were resistant to keyless theft.

Thieves fool the car’s onboard keyless security by bypassing the systems with devices that allow them to access the vehicle and drive away. More than 106,000 offences of theft of a motor vehicle were reported to police in England and Wales up to March 2018, the highest figure since 2009, with keyless technology thought to be partly responsible.

In a statement, Which? said: ”Thieves have been using keyless theft for several years, but manufacturers continue to make new models that can be stolen in this way, meaning there is an ever-larger pool of vehicles for thieves to target.”

In a response to the findings, the Society of Motor Manufacturers & Traders (SMMT) said that new cars were “more secure than ever”, with manufacturers “investing billions” in sophisticated security features.

Meanwhile, the AA has released a video sharing its top 10 tips for avoiding car break-ins in light of new Home Office figures that show a 50% increase in vehicle thefts in the last five years.

In 2017, there were 280,313 recorded thefts from vehicles in England & Wales, up 13% on 2016, while 103,644 were stolen, up 19% on 2016.

Millennials ‘most vulnerable’ to phishing attacks

960 640 Stuart O'Brien

‘Digital savvy’ millennials are more likely to fall victim to cyber threats than baby boomers and older generations, demonstrating a concerning lack of knowledge on cyber threats such as phishing and ransomware.

New research, commissioned by cybersecurity and compliance company Proofpoint for their fifth annual ‘State of the Phish’ report, also revealed that 83 percent of global respondents experienced phishing attacks in 2018, compared to just 10 percent of respondents reporting experiencing a ransomware attack.

Also amongst the standout findings was the revelation that despite popular belief, older generations were actually less likely to fall victim to cyber attacks than their younger counterparts. 58% of those aged 22-27 knew correctly what phishing was, compared to 73% of those aged 54+ who knew correctly what phishing was. In addition, 52% of those aged 54+ knew correctly what ransomware was, whereas only 40% of those aged 22-37 knew correctly what ransomware was.

“Email is the top cyberattack vector, and today’s cybercriminals are persistently targeting high-value individuals who have privileged access or handle sensitive data within an organisation,” said Joe Ferrara, general manager of Security Awareness Training for Proofpoint.

“As these threats grow in scope and sophistication, it is critical that organisations prioritise security awareness training to educate employees about cybersecurity best practices and establish a people-centric strategy to defend against threat actors’ unwavering focus on compromising end users.”

“Lack of cybersecurity awareness, in particular amongst the millennial/Generation Z demographic, presents a greater threat than many businesses expect,” added Adenike Cosgrove, strategist, EMEA, Proofpoint.

“Our latest research shows that surprisingly, older generational groups can more accurately identify threats such as phishing and ransomware than digitally-savvy millennials. This tells us that millennials, despite being much more comfortable and at ease with digital platforms, display greater complacency towards threats and perceived risks.

“With the percentage of millennials in the workforce set to reach 50 percent globally by 2020, it’s imperative that businesses focus on developing a people-centric approach to security and deploy cybersecurity awareness training programs that aim to change employee behaviour. The bottom line is that organisations that do not consider the human factor as a key pillar to their cyber defence strategy will continue to be prime targets for cybercriminals, putting their businesses at risk of potentially crippling attacks.”

A copy of the report can be downloaded here: https://www.proofpoint.com/us/resources/threat-reports/state-of-phish

Research into AI cyber security threat lacking

960 640 Stuart O'Brien

A study of cyber security academic research projects worth €1bn to assess academic trends and threats has found Cyber Physical Systems, Privacy, IoT and Cryptography the strongest cyber security areas to watch – but that Artificial Intelligence is an “apparent omission”.

Crossword Cybersecurity looked at nearly 1,200 current and past research projects from academic institutions in the United Kingdom, United States, Europe, Australia, and Africa, with reported funding of EU projects at over €1 billion.

The database identified several global trends by comparing the periods January 2008 to June 2013 with July 2013 to December 2018, including:

· Cyber Physical Systems (CPS) – Over 100 projects were found in this area alone, a significant figure. The United States appears to be the most active in CPS research, with a focus on securing critical infrastructure.
. Privacy – Projects related to privacy have increased by 183% in recent years.
· Internet of Things (IoT) – Projects with an IoT element have increased by 123% lately, with around 14% of current projects having this characteristic.
· Cryptography – With the promise of quantum computing on the horizon, there has been an influx of new projects that apply the technology to the future of cryptography, with a 227% increase in this area of research (albeit this was from a low base).

Significant differences can also be seen between regions. For example, the EU appears distinctly focused on minimising Small & Medium Enterprises’ (SME) exposure to cyber security risk. Conversely, when compared with other regions, the US has a greater focus on the human component of cyber security. Other US top project funding areas include Cyber Physical Systems (as applied to smart cities and power grids), securing the cloud, cybercrime, and the privacy of Big Data sets (as applied to the scientific research community).

In the UK, the leading research verticals are critical infrastructure and securing the health sector (with 11 current projects each). Current funding across UK projects exceeds £70m, with quantum and IoT-related projects both more than doubling over five years. There are currently nine new UK projects with a focus on Cyber Physical Systems.

The four UK projects with the greatest funding are in the fields of Safe and Trustworthy Robotics, Big Data Security, Cybercrime in the Cloud and Quantum Technology for Secure Communications.

The most notable UK decline was in big data projects, which have dropped by 85%.

Globally, there are currently 52 global projects with a cryptographic focus, and at least 39 current live EU projects featuring a cryptographic element. In the UK, this area has been consistently strong over the last ten years, with 18 projects starting between 2008 and mid 2013, and 19 projects from mid 2013 to now.

Tom Ilube, CEO at Crossword Cybersecurity plc said: “The need to protect critical infrastructure has never been stronger as technology becomes more deeply embedded in every aspect of our daily lives. However, one apparent omission is research solely focused on the application of AI techniques to complex cyber security problems. We hope to see more of that in the future, as the industry works to stay ahead of the constantly evolving cyber security landscape.”

The Crossword Cybersecurity database will be periodically updated, to deliver ongoing insight into the most prevalent cyber security research trends and investment areas. If you are interested in further details, contact the Scientific Advisory Team at Crossword Cybersecurity on innovation@crosswordcybersecurity.com.

Cybersecurity responsible for 36% of management stress

960 640 Stuart O'Brien

Over half of SME owners count internet issues as one of their biggest bugbears heading into 2019, with phishing emails from overseas ‘billionaires’ topping the list of the strangest mailbox scams from the past 12 months.

In a survey conducted by Q2Q, 52% of company bosses complained that problems with their internet were responsible for some of their firm’s biggest technology-related headaches. While an additional 41% of respondents said that six months on, GDPR compliance was still causing confusion within the workplace.

The research also found that phishing emails – including those masquerading as financial information requests from the CEO, and communications purporting to be from a foreign billionaire looking to pass on significant sums of money – made up 38% of the most common scam communications.

Unsurprisingly then, cyber-security was responsible for 36% of management stress, with 22% of respondents citing emerging online risks as one of their biggest IT challenges heading into the New Year.

The research also found that around 64% of SMEs choose to outsource their IT support, while – shockingly – 10% of company owners didn’t have any sort of technical provision.

Andrew Stellakis, managing director at Q2Q, said; “Hearing that internet issues are still responsible for over half of SME’s IT-related headaches is simply inexcusable in this day-and-age. There are plenty of things which can cause a slow connection, but understanding the root cause is key to getting the most out of our systems, employees and the working day.

“It’s also rather worrying that – six months on – 40% of SME’s are still unsure about the rules and regulations surrounding GDPR. Over the past 18 months, I’ve spent a lot of time working closely with SMEs to ensure they are fully compliant – and it isn’t as daunting as it may seem.

“The appointment of a dedicated IT provider or GDPR officer – either in-house or externally – is often left until something goes wrong. But, as the news has been filled with reports of cyber-attacks and GDPR fines over the past few months, it should be all SME owners’ New Year’s resolution to ensure their company – and reputation – remains intact in 2019.”

INFOGRAPHIC: Only 29% travel sites opt to fully protect consumers with EV SSL

960 640 Stuart O'Brien

UK phishing scams jumped 648% YoY on Cyber Monday, with lack of EV SSL certificates on travel websites cited as a primary cause.

Sectigo investigated security levels on the websites of 35 airlines, 27 hotel groups, 23 travel comparison websites, 11 car hire firms and eight train operating companies, to find out whether they are doing all they can to protect customers as we approach peak travel season.

Among its key findings were:

  • Only 29% of these enterprises had an EV SSL certificate on their website.
  • As many as 65% of these organisations only have a free SSL certificate, with neither any company branded address on their homepage nor any “Not secure” warnings.
  • Up to 6% had no EV certificate whatsoever

Full findings are illustrated in the infographic below:

Vigilance urged for EMEA businesses as phishing season begins

960 640 Stuart O'Brien

Businesses in EMEA are being urged to remain vigilant as phishing attacks ramp up during the winter months.

F5 Labs, in collaboration with Webroot, has launched its second annual Phishing and Fraud report, highlighting an anticipated threat surge from October until January.

According the report, fraud incidents in October, November, and December tend to jump over 50% compared to the annual average.

Indicative of the scale of the problem, 75,6% of all websites taken offline by the F5 SOC platform between January 2014 and the end of 2017 were related to phishing attacks. This is followed by malicious scripts (11.3%) and URL redirects (5.2%), which are also used in conjunction with phishing operations. Mobile phishing (2%) was also identified as a growing issue.

“We’re in the middle of a cyber-crimewave where phishers and fraudsters take advantage of people at their most distracted,” said David Warburton, Senior EMEA Threat Research Evangelist, F5 Networks.

“It is prime season for individuals giving up credentials or inadvertently installing malware. Businesses are wrapping up end-of-year activities, key staff are on vacation, and record numbers of online holiday shoppers are searching for the best deals, looking for last-minute credit or feeling generous when charities come calling.”

Although phishing targets vary based on the nature of the scam, a remarkable 71% of attackers’ efforts from 1 September to 31 October 2018 focused on impersonating just ten organisations.

Technology companies were most mimicked (70% of incidents), with 58% of phishers’ time spent posing as big hitters like Microsoft, Google, Facebook, Apple, Adobe, Dropbox, and DocuSign during the monitored period.

The finance sector was also under fire. 13 of the top 20 fastest growing targets were financial organisations. Banks accounted for 55% of these, five of which were major European entities.

Notably, some of the most successful malware programs started out as banking malware. For example, Trickbot, Zeus, Dyre, Neverquest, Gozi, GozNym, Dridex, and Gootkit are all banking trojans known to have spread initially through phishing campaigns.

The Phishing and Fraud report stresses that the best first line of defence is a consistent education programme and creating a culture of curiosity. Tests by Webroot show that security awareness training can have a particularly ameliorative effect.

Companies that ran 11 or more training campaigns reduced employee phishing click-through rates to 13%. Six to ten sessions saw a 28% click-through rate, rising to 33% with one to five employee engagements.

In addition to awareness-raising, F5 Labs stresses the importance of organisations implementing access control protections, including multi-factor authentication and credential stuffing controls, to prevent phished credentials becoming a breach. Other report recommendations include the following defensive tactics:

  • Email labeling. Clearly label all mail from external sources to prevent spoofing. A simple, specially formatted message can alert users to be on guard.
  • Anti-virus (AV) software. AV software is a critical tool to implement on every system a user has access to. In most cases, up-to-date AV software will stop the malware installation attempt. Set your AV policy to update daily at a minimum.
  • Web Filtering. A web filtering solution helps block access to phishing sites. Not only will this prevent a breach (providing the phishing site is known by your web filter provider), but it presents a valuable teaching opportunity by displaying an error message to the user
  • Traffic decryption and inspection. F5 Labs analysed malware domains from Webroot that were active in September and October 2018. 68% of them were phoning-home over port 443, which is the standard TCP port used for websites encrypting communications over SSL/TLS. If organisations do not decrypt traffic beforeinspection, the malware installed through phishing attacks will go undetected inside the network.
  • Single-Sign On (SSO). The fewer credentials users manage, the less likely they are to share them across multiple applications, create weak passwords, and store them insecurely. 
  • Report phishing. Provide a means for employees to easily report suspected phishing. Some mail clients now have a built-in phish alert button to notify IT of suspicious activity. If your email client doesn’t have this feature, instruct all users to call the helpdesk or security team.
  • Change email addresses. Consider changing the email addresses of commonly targeted employees if they are receiving an unusually high number of phishing attacks on a continual basis.
  • Use CAPTCHAs. Use challenge-response technologies like CAPTCHA to distinguish humans from bots. However, users can find them annoying so use in cases where it’s highly likely a script is coming from a bot.
  • Access control reviews. Review access rights of employees regularly, especially those with access to critical systems. These employees should also be prioritised for phishing training.
  • Look out for newly-registered domain names. Phishing sites are often newly registered domains. When F5 reviewed the list of active malware and phishing domains collected by Webroot in September, only 62% were still active a week later.
  • Implement web fraud detection. Implement a web fraud solution that detects clients infected with malware. This stops cybercriminals logging into your systems and allowing fraudulent transactions to occur.

“Phishing is a big problem and we expect attacks to continue because they are so effective, especially during the winter period” added Warburton.

“As organisations get better at web application security, it will be easier for fraudsters to phish people than to find web exploits. Ultimately, there is no one-stop-shop security control for phishing and fraud. A comprehensive control framework that includes people, process, and technology is a critical requirement to reduce the risk of an attack becoming a major incident.”

Security breaches – A high price tag for UK business this Christmas

960 640 Stuart O'Brien

Forty-four per cent of UK consumers will stop spending with a business or brand for several months in the immediate aftermath of a security breach or a hack.

That’s according to new data from payment security specialist PCI Pal that, even more significantly, shows a further 41% of consumers will never return to a brand or a business post-breach, representing a potentially significant loss of revenue.

The findings  suggest that a combination of high-profile recent breaches, headlines devoted to new data privacy regulations such as the GDPR, and personal experience have put security concerns at the forefront for UK consumers.

Over a third (38%) confirmed they have personally suffered the negative consequences of a data security breach.

Meanwhile, consumers reported that even being perceived as having insecure data practices can be enough to incur spending penalties: 31% reported that they spend less with brands they perceive to have insecure data practices, while over a quarter (26%) say they stop spending completely if they don’t trust a company with their data.

The findings suggest that it’s not just online threats that worry consumers – with 76% uncomfortable with providing payment information, such as credit card details, over the phone. Specifically, almost a third (32%) said they would hang up and find an alternative payment option, while nearly a quarter (24%) would ask for an online payment option and a further fifth (20%) would enquire as to how the data is being captured and whether it is safe.

Interestingly, when looking at the research findings by age group, 41% of those aged 18-24 said they would give their payment information over the phone with no questions asked, compared to just 14% of those aged 55-65.

Finally, from an industry perspective, consumers were asked which verticals they consider to be the least secure or more likely prone to a security breach, 41% of consumers said the financial sector, followed by 40% suggesting retail and 35% suggesting the travel industry.

“While security breaches are not new, consumers’ attitudes towards them appear to be changing significantly, with the vast majority of those surveyed now reporting that trust in security practices, or lack thereof, influences not just where but also how, and how much they are prepared to spend,” said James Barham, CEO at PCI Pal.

“What’s really interesting is how consumers are increasingly questioning data security practices. Nearly half of those surveyed know they should check a company’s security processes and 22% said they question businesses directly or research how an organisation safeguards consumer data. This suggests a real change in how consumers prioritise privacy and security. This should act as a real wake-up call to consumer-facing brands: they need to adopt stronger security practices, especially for those operating contact centres where payments are handled over the phone if they want to keep customers loyal and spending with them.”

  • 1
  • 2