HW
Uploaded byHenry Worth
151 views

Cyber Security small

The document discusses cybersecurity threats and strategies. It highlights that the greatest cybersecurity risk comes from within organizations, as many breaches are caused by employees unintentionally clicking on phishing emails or accessing files outside of work. It also notes that ransomware attacks are a growing threat, and all companies are potential targets from various cyber attackers like hackers, hacktivists, and foreign intelligence services. The document advocates for cybersecurity training for all staff, and emphasizes adopting the UK Cyber Security Strategy to help protect against common cyber threats.

Embed presentation

Download to read offline
REGISTER NOW SUMMIT LONDON 27 APRIL 2016 http://tinyurl.com/RSASummit2016LondonT: +44 (0) 1344 781613 DISCOVER NEW STRATEGIES FOR SECURING MODERN IT Whatarethenextsteps towardscybersecurity? Readanextractfromthe UKCyberSecurityStrategy 2011-2016AnnualReport AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET APRIL FUTUREOFTECH.CO.UK READ Whatisthebiggest causeofacyberbreach?P4 INSIDE Howtoempowera commonriskconversationP6 ONLINE Whymodernvehicles couldbecomeatargetforcyberattack CybersecurityFUTUREOFTECH.CO.UK
AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET2 FUTUREOFTECH.CO.UK MEDIAPLANET T he greatest need is for training and awareness for all staff. A common routeintoasystem is via a member of staff clicking on a phishing email. Attacks can be very sophisticated, for example, looking as if it’s a note from the boss. It is on- ly via training that members of staff will understand how important the- se issues are and their role in helping preventthem. Here at the MoD, the DCPP advo- cates a three stage approach, starting with a risk assessment that is car- ried out on every contract. In some cases there will be no risk; in others we measure risk in four levels rising from low to very high. We give the supplier an assurance questionnaire primarily based on self-assessment and the controls we apply are appro- priateandproportionate.Thisisnota casewhereonesizefitsall. Onegrowingthreatatthemoment is the use of ransomware,when an e- criminal attacks and encrypts your information and only after you ha- ve paid up will they give you the key to unlock it. This has happened to a number of hospitals in the US, inclu- ding one in LA which was attacked, had not backed up its files and had to pay a $17,000 ransom to get their in- formationback. All companies are potential tar- gets for these and other attacks,whi- le the adversaries come from a num- ber of backgrounds; as well as e-cri- minals attacks can come from bored Don’t let cyberthieves in by the back door Cyber attacks, including cyber crime, are on the increase and affects every area of life. Nowhere does this apply more than the Ministry of Defence, where my focus is on the defence supply chain and the Defence Cyber Protection Partnership (DCPP), a joint initiative between the MoD and the business community READ MORE ON FUTUREOFTECH.CO.UK Playing catchup Piers Wilson outlines how the cyber security industry is addressing the skills shortage to get ahead of threats P4 “Not if, but when” Jon Buttriss on how to protect ourselves from the evolving professionalism of the cyber security industry P5 Catch him if you can Frank Abagnale Jr explains how cyber- crime and fraud is a threat to banking and financial services teenagers seeing what they can get away with, hacktivists who might have political agendas they wish to further, cyber terrorists or foreign in- telligenceservices. Challenges arise because each group has a different approach. Hack- ers might be trying at random to see what targets they are able to breach, without any specific organisation in mind,much as a car thief might stroll around a car park,trying car doors un- til they find one that is unlocked. If a company has basic cyber security protection in place – most easily achieved through the government’s Cyber Essentials Scheme, they will li- kely be thwarted and go off and try andfindeasiertargets.Otherattackers maybemoretargetedandpersistent. Suppliers need to be mindful of the scale of the risks they face. Last year 90 per cent of large organisations sur- veyed reported that they had suffered a security breach and the costs can be significant, rising into seven figures. Theycanalsobeattackedmorestrate- gically than before: there is a growing awareness that companies don’t ope- rate in isolation and that they can be vulnerable to attack via their supply chain.ThishappenedtotheTargetsu- permarketchainintheUS,whenthey wereattackedviaatheirheating,ven- tilation and air conditioning compa- ny. This turned into a significant breach which compromised the de- tails of 61 million customers. All of which means it has never been more important to have the appropriate controlsinplaceandaworkforcewho aretrainedandaware. Please RecycleFollow us facebook.com/MediaplanetUK @MediaplanetUK @MediaplanetUK Project Manager: Henry Worth E-mail: henry.worth@mediaplanet.com Content and Production Manager: Henrietta Hunter Business Developer: Rebecca Nicholson Designer: Juraj Príkopa Managing Director: Carl Soderblom E-mail: carl.soderblom@mediaplanet.com Mediaplanet contact information: Phone: +44 (0) 203 642 0737 E-mail: info.uk@mediaplanet.com IN THIS ISSUE Dan Selman Cyber Industry Deputy Head, Ministry of Defence
AN INDEPENDENT SUPPLEMENT BY MEDIAPLANETMEDIAPLANET FUTUREOFTECH.CO.UK 3 COMMERCIAL FEATURE COMMERCIAL FEATURE Mosthigh-profileattacks on corporate data centers and institu- tional networks have originated outside of the victimised organisations. But the network open- ings that allow outside cyber-attack- ers to burrow in, infect databases and potentially take down an organisa- tion’s file servers, overwhelmingly originatewithtrustedinsiders. According to a worldwide survey of Information Security Forum (ISF) members, the vast majority of those network openings were created inno- cently through accidental or inadvert- ent behaviour by insiderswithout any intention of harming their employer. Inanumberofcases,thatvulnerability was, ironically, the result of a trusted employee doing a seemingly run-of- Matthias Maier is a security specialist at Splunk, a plat- form for Operational Intelligence that helps customers to monitor, analyse and visualise machine-generated big data. “Fun- damentally, everything that is dig- ital can be exposed by cyber crimi- nals, cyber terrorists or malicious insiders. If we look at an emerging example,the majority of the health- care industry was not connected to the network 10 years ago, but now you can turn devices on and off remotely. Being able to do this has advantages, but it also represents a real opportunity for those with malicious intent to steal data or cause damage.” When trusted insiders are your biggest security threat Data driven security: Machine data is the first line of defence the-mill task like taking files home to workonintheirownsparetime. There are three types of risky insider behaviour. Malicious:Maliciousinsiderbehav- iour combines a motive to harm with adecisiontoactinappropriately. Negligent: Negligent behav- iour can occur when people look for ways to avoid policies they feel impede their work. Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones. Combatting the wholesale theft of databylimitingthetypesofinadvert- ent actions which could lead to its misappropriationshouldbeapriority In an environment of advanced threats, changing business demands and extensive technology infrastruc- ture, a traditional perimeter focused approached to ITsecurity is no longer effective. Maier believes that a totally new approach to cybersecurity is required. “Organisations need to adopt a data driven approach to cyber security if they are to stay ahead of external attacks, malicious insiders andpotentialfraud.” The evidence of an attack exists in machinedatawithinanorganisation, so security teams need to gain insight from that data to properly detect, analyse and respond. Attackers will attempt to use all possible mech- anisms to compromise an organ- isation, which may involve use of By Steve Durbin By Virginia Blackburn The modern professional life requires organisations to review not only the threat of malicious outsiders, but of negligent insiders too One of the major business trends from the past decade is the growing digitalisation of customer interactions.With all indus- tries looking at ways to take a more digital and integrated approach to how they work, there is a significant opportunity to improve customer services.At the same time, digitalisation presents a challenge as it opens up an organisation to a more diverse and threatening set of risks ble management step in safeguard- ing an organisation’s information assets. After new employees have been satisfactorily screened, con- tinue the trust-building process through onboarding by equipping them with the knowledge and skills required of trusted insid- ers. Expectations of trustworthy behaviour should be made explicit from the outset. Above all,a culture of trust built on shared values, ethical behaviour and truth begins at the top. The conduct of senior management sets a tone which reverberates from the C-suite to the shop floor. Having a culture of trust affects more than just informa- tionsecurity;itisalsofundamentalto the organisation’s prospects for futuresuccess. what’s happening within your secu- rity and IT environment, you can’t protectyourself.” Organisations like UniCredit and John Lewis have adopted Splunk to get answers out of machine and digi- talservicesgenerateddata.“Forthese organisations it’s critical that in a dynamic digital landscape they can apply big data technology to quickly get answers to their questions to in near real time,” says Maier. “This means they can react as soon as they detectanythingthatmightgivethem – or their customers – cause for con- cern.”With the threat landscape con- tinuing to evolve, it’s clear that machinedatawilltakeitsplaceasthe first line of defence for organisations inallindustries. for every organisation. Investment in technologies that can help to pre- ventintrusionsandprotectdatafrom attackers is essential. Management controls including segregation of duties,periodic reassessment of priv- ileges,andaudits,arealsoimportant. But the most fundamental ele- ment of threat is deeply human. It starts with the proper vetting of employees to look for signs that the individual has not, in the past, been a responsible steward of informa- tion entrusted to them. Applicants whosepastshaveincludedquestions over managing information should not be brought onboard. The trust factor Cultivating a culture of trust is likely to be the single most valua- identity, endpoints, servers, business apps,webandemailservers,aswellas non-traditionalsystemssuchasHVAC access control. The evidence of these activities is captured in the machine data from these systems, which makesalldatasecurityrelevant. “By continuously monitoring this data acrossyour entire infrastructure you can detect malicious activity as early as possible,” says Maier. “This could involve spotting anomalies, recognising unusual activity or iden- tifying indicators of compromised systems. As soon as you identify an issue you can determine the scope and impact of a threat before under- standing who is affected, what to do about it and how to ensure it doesn’t happen again.Ifyou aren’t able to see Steve Durbin Managing Director, Information Security Forum Matthias Maier Security specialist, Splunk
AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET4 FUTUREOFTECH.CO.UK MEDIAPLANET COLUMN Oneofthebiggestissuesfacingthecybersecurityindustrytodayisthe skillsshortage.Althoughtheneedtobecyber-safehasneverbeengreater, thereisstillalackofpeoplewiththenecessaryexpertise,somethingthe industryrecognisesandiskeentotackle understood it,” says Wilson. “On the other hand if a new security threat arisestomorrow, thecybersecurityin- dustry is immediately playing catch- up to understand it and be able to de- tectandrespond.” Thechallengesarenotsettogoaway. “There are some developments around machine learning and anomaly detec- tion where smart technologies can identify and diagnose threats and the logical next step for this is to see what systems can do to automate responses in a confident and safe way,” says Wil- son. “They are making security more efficient by removing the noise,distill- ing down the data to make decisions and enabling swift action that is con- sistent,repeatable and allows the busi- nesstoreactmorequickly. Thisfreesup time for other activities that improve security, like hunting for threats that are not yet apparent, improving the overall security posture and training anddevelopment.” There will always be an asymmetry between the at- tackers’capabilityandthede- fenders’,asinordertoprotect a system you need to cover all the vul- nerabilities, all of the time,” says Piers Wilson,director of IISP,the profession- al body for security professionals. “But budgets are finite; whereas to mount a successful attack you only have to find one exposed weakness and you can be as patient and spend as much effort as youfeelisworthwhile.” Education is key bothwith academ- ia and universities as well as within industry itself. This means keeping board members up to scratch as well asprovidingconstantretrainingforIT staff – because technology and poten- tialthreatsarechangingallthetime. Therearevariousoptionsopenforcy- ber training. “They range from formal courses comprising quick overviews to specific courses, to product and technology courses to full-time MSc programmes,”saysWilson. “It’salsoan industrythatgeneratesahugeamount of research and white paper materi- al – so training aside there is no short- ageofmaterialsavailableforself-learn- ingtoo. Whichofthosefitsaparticular organisational or individual need is a matter for debate.At the IISP we have been active in setting standards and running a training course accredita- tion and assessment programme.This way people can select courses that we can vouch for and also find out which topicareaswillbecovered.” The steady march of technology means that in IT everyone is always learning - 10 years ago the technolo- gies and hence the attackvectorswere different but now there are superior platforms,security controls andwork- ing knowledge of facilities. “Some are- ascanaffordtotakeamoreconsidered path: developers, for example might only migrate from one language to the next one once they feel they have Theurgentneedto combattheskills shortage By Virginia Blackburn In the field of HLS & Cyber, the Israeli industry provides an extensive array of outstanding and innovative technologies specifically designed to counter a variety of threats in an ever-changing world. Registration will open on June 1 on our website: www.israelhlscyber.com For more information about the 4th International HLS & CYBER Conference in Tel Aviv, please contact: Julia.Bayer@israeltrade.gov.il | http://itrade.gov.il/uk/ THE 4TH INTERNATIONAL CONFERENCE NOVEMBER 14–17, 2016 ISRAEL TRADE & FAIRS CENTER, TEL AVIV NEWS “ Piers Wilson Director, IISP Waqas Hashemi CEO, Whitehall Media Bewareofthe humanfactor I n this age of short term contracts allied to new working practices inclu- ding the cloud, mobi- le and flexible working hours, one of the biggest issues in the cyber security sector is managing employee identity. “When an individual joins an organisation, it usually marks a fusion of IT and human resour- ces,” says Waqas Hashemi, CEO of Whitehall Media, which runs a suite of conferences around se- curity and risk management as well as identity and access ma- nagement. “Emerging trends in the workplace are proving disruptive and are causing pro- blems with integrating access to the new technology.” The biggest problems of all when it comes to managing em- ployee identity is not malicious intent but negligence and the human factor, according to Reh- man. “Password management is also difficult,” she adds. “People still don’t use ones with suffi- cient complexity.” “To mount a successful cyber attack you only have to find one weakness”
AN INDEPENDENT SUPPLEMENT BY MEDIAPLANETMEDIAPLANET FUTUREOFTECH.CO.UK 5 “The cost of an attack far outstrips the ongoing cost of security” Thereisanever-growingawarenessofcybersecuritythreats,withalmostdailycoverageinthemedia.Evenlarge organisations,withtoptalentandsignificantresourcesdevotedtocyber-security,havesufferedmajorbreaches.The truism“it’snotif,butwhen”ringsintheearsofbusinessleadersandreinforcestheneedforskilledsecurityprofessionals tomitigateagainstthethreat.Thetruthiseveryorganisationisvulnerable,and100percentdefenceisnotpossible H aving identi- fied cyber se- curity as a na- tional priori- ty, in 2015 the UK Governme- nt announced an increase in cyber security spending to £1.9bn by 2020 – the only area of the budget to increase. This is reflected in business, with average salaries for se- curity professionals increasing 16 per centyearonyear. The reason for the increased invest- ment is simple; the cost of an attack far outstrips the ongoing cost of security. TheICOhashandedoutfinesashighas £980,000 –which is still less damaging than the customer loss and reputatio- naldamageasresultsofabreach. But despite increasing budget to counter the cyber threat,businesses are still struggling to recruit the skills they need to keep up. Unemployment in the securityindustryhasbeenreportedat0 per cent, with a 10 per cent increase in demand forecast each year to 2020. So how can we deliver the skills needed to address the current shortfall and also meetthegrowingdemand? This is a question being asked by government, organisations and professionals. It is the reason for the in- tensifying chatter surrounding professi- onalisationofthecybersecurityindustry. Professionalisation addresses this burning issue by establishing a stan- dard that enhances the quality of the workforce. By understanding, alig- ning and cultivating the most needed skills, the profession can raise the bar in the areas thatwill have the mostva- lue. This also establishes standardised roles and skills clusters.Businesses ha- ve a shared vocabulary to describe the skills they need that are recognised by potential applicants. New entrants are clearer on the skills they need and mindful of the need to continually self- develop. Structure, clarity and recog- nition make security a more attracti- ve career path,which in turn encoura- ges new entrants and grows the talent pool. This is perhaps the most critical of all – considering the evident need to step-change the number of workers in thefield. It is not always easy for professio- nals and potential entrants to naviga- te the skills and competencies requi- red at each stage of their careers. Em- ployersarenotalwaysclearthemselves on this so the demand cited in job ad- vertisements is not necessarily an accurate reflection of what is needed. This is where recognised skills frame- worksdevelopedbyprofessionalbodies comein.Andfromthisstandardisation and definition comes the ability to cul- tivatetheskillsonagreaterscale. For professionals wanting to demon- strate their capabilities against these frameworks, certification offers verifi- cation of their proficiency, clear step- ping stones for development and im- proved employment and earning pro- spects. For employers, certification helps to assure the calibre of the pro- fessionals they are recruiting, provided this is backed up by demonstrable ex- perience.It signifies that potential em- ployeeshavebeenindependentlyasses- sed,aidingemployersinrecruitingrele- vantskillsintotheirorganisations. As well as being a mark of technical capability,certificationalsocomespack- agedwithmembershiptoaprofessional body such as BCS, The Chartered Insti- tute for IT.These memberships demon- strate a commitment to self-develop- ment and require adherence to codes of professionalconduct. The combination of skills alignment, certification and continuous develop- ment comes together, in the form of professionalisation, to promote stan- dards and quality amongst cyber secu- rity professionals. There is little doubt that businesses need quality security professionals, and in greater numbers. Cybersecurityisnotachallengethatwe willsolveovernight,orwithanyoneso- lution.Neitherdoesithaveanenddate; we will have to continually assess the threat and work together to evolve best practicetostayahead. Theevolvingprofessionalism ofthecybersecurityindustry By Jon Buttriss IT has been gaining momentum within global business for decades and we’ve been there from the beginning, nurturing talent and shaping the profession. Today professionals & organisations work with us to exploit our unique in- sight and independent experience as we continue to set the standards of per- formance and professionalism in the industry. ABOUT BCS, THE CHARTERED INSTITUTE FOR IT FACTS Jon Buttriss CEO, BCS Learning and Development
AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET6 FUTUREOFTECH.CO.UK MEDIAPLANET “The UK is the most cyber- attacked country in Europe and the second most assailed in the world” INFOGRAPHIC Cybercrimeisontherisebuttherearemanywaystofightit.From addressingtheproblemsatboardleveltomakingsurestaffareproperly trained,SMEscannotguaranteetheywon’tbeattacked,buttheycan makeextensivepreparationsinadvance evidence you can such as a screen shots. Use back-ups.” Given that an attack is almost ine- vitable, Talal stresses that it is as im- portant for a company to be able to re- spond to a breach as it is to erect defen- cesagainstit.“Thereisnotjustoneway to respond across the board,” he says. “For example,TalkTalk notified custo- mers as to what was going on but that didn’t actually help as other opportu- nistic hackers saw this as an opportu- nitytomakefishingattempts.Theway to react depends on what type of orga- nisationyouare.Youshouldalwaysno- tify the authorities,which many com- panies still don’t do and it’s safer not to alwaysusethesameemailtemplate.” This is not a problem that is going to goaway any time soon and sothe cyber security industry continues to work overtimetofind,ifnotasolution,thenat least the heavy weaponry required to fight back. “One new trend is the in- creased use of data security analytics,” saysTalal.“Companiesareanalysingin- formationthatcomesinonadailybasis to foresee where the threat will come from next. And there will be further threats.As increasing numbers ofdevicesareinterconnectedandsmart cities continue to expand across the world,everincreasingnumbersofhack- ers will come after everyone. This goes down to individuals not companies: make sure in all your wearable devices thatsecurityisbuiltinbydesign.” A s the world beco- mes increasingly interconnected, cyber crime is a problem as never before. It is now a case of not if but when most companies get attacked and this is especially the case in this country, with the UK as the most cy- ber-attacked country in Europe and the second most assailed in the world, with attacks up 40 per cent,according to Symantic.They are at least aware of theproblem,withresearchbyEquinix showing that seven out of 10 compa- nies in the UK do not feel prepared for cyber-attacks.Sowhattodo? Talal Rajab is Programme Manager – Cyber, National Security and Criminal Justice at techUK. “Regardless of how much money is spent on products and services,attacksandthreatsareinevita- ble,”hesays.“Thesedaystoolstolaunch such an attack can be bought very cheaply on the dark web,as in theTalk Talk crisis, where it is widely believed the perpetrators were not much more thanchildren.Butatleasttheseattacks are increasing public awareness of the problem,asdidtheassaultsonSonyand AshleyMadison.However,althoughwe cantracetheregionthesecomefrom,it isdifficulttotrackdowntheactors.” One problem is that SMEs are often targeted because they are less likely to have basic security measures in place and a further issue is that many who do not offer online payments are safe. They are not. “Any company that has data on its system is threatened,” says Talal.“Thefirststepindealingwiththis istomakesurethatcybersecurityison the boardroom agenda.Many breaches stem from the fact that staff are not aware of best practice which means thattrainingandawarenessarecrucial. Manyarenotevenawareofthemostba- sic password security and the constant importance of updating systems and ensuring companies are not left with legacysoftware.”Checksthatshouldbe standard across every company inclu- de strong passwords, the regular upda- ting of software and regular back-ups, whether the company is a multi-natio- nalconglomerateoraone-manband. Many companies are at leastwaking up to the fact that this is no longer just anITproblem.“Traditionallyitwasthe case that responsibility for security lay solelywithIT,”saysTalal.“Anduntilre- cently, the IT person was essentially thechiefsecurityofficerbutnowincre- asing numbers are appointing dedica- tedCSOs.Theyarealsosendingfarmo- repeopleonsecuritycourses.” And so once an attack begins, how should a company respond? It is es- sential to plan ahead, and have the right staff and skills in place. “Be cy- ber streetwise,” says Talal. “Don’t continue using the system. Noti- fy the authorities. Get any forensic Fightingcyberthreatsis essentialforSMEstowin thewarwithcyberbreaches By Virginia Blackburn NEWS Talal Rajab Programme Manager – Cyber, National Security and Criminal Justice, techUK According to the 2014-2015 Cyber Governance Health Check of FTSE 350 companies: 88 %of companies now actively consider cyber security as a business risk have a basic or clear under- standing of where their critical information and data sets are shared with third parties The Winter 2015 FT-ICSA Boardroom Bellweather Survey found that regard the threat of cyber-attack to be increasing The UK’s domestic cyber security sector contributes over £17 billionto the economy The National Cyber Crime Unit (NCCU) is leading domestic and international operations to disrupt serious cyber crime The Metropolitan Police set up a Fraud and Crime Online (FALCON) team in 2014, which brings together their specialist cyber crime investigators to pursue and disrupt cyber criminals. The work of the FALCON team has resulted in 985 arrests, 431 people charged, 241 convicted and £3.1 million confiscated. Tackling online fraud is a top priority During 2012, HMRC took down almost 1000 fraudulent websites During 2015, that figure rose to more than 11,000 HMRC established a cyber security team in 2012. During 2014-2015, the team assisted in the prevention of frauds totalling more than 59 % 82 % 170 £103 million 1011 PHOTO: THINKSTOCK
AN INDEPENDENT SUPPLEMENT BY MEDIAPLANETMEDIAPLANET FUTUREOFTECH.CO.UK 7 John Cannon Commercial director – Fraud and ID, Callcredit Information Group COMMERCIAL FEATURE Under the forthcoming EU General Data Protection Regulation(GDPR),which comes into force in 2018, unless the data breach is unlikely to result in a high privacy risk for an individual,orifthedatawasappropri- ately encrypted, all organisations will have to inform their customers when a serious data breach occurs, and rec- ommend ways in which any adverse effects could be mitigated, and if they fail to do so could be fined up to four per cent of their global turnover. So what are the issues facing the indus- try and how can businesses work to overcome them? The first step is to understand who the potential hackers are. “They are quite wide ranging,” says John Can- non,commercial director – Fraud and ID of Callcredit Information Group. “From organised criminal gangs who are motivated by fraud, to terrorist groups and corporate and rogue state sponsored espionage with malicious intent. But the threat isn’t just from organised groups: hackers have all kinds of motives and could just be an individual flexing his/her intellectual muscles showing off to peers simply because they can.” There are now a number of security risks facing businesses today. “Many more of us are interacting digitally and data is increasingly important, meaning where and how it’s stored,” says Cannon. “Businesses that are migrating from their traditional modelintodigitalchannelsarepoten- tially not as well geared up to the threat.”They are having to accept the idea, he says, that there are threats posed both externally and internally, such as from rogue employees. As a result of all of this, however, New EU regulation highlights the risks of cybercrime companies are becoming increas- ingly aware of the potential dangers and many are taking action to try to alleviate the risks. “This is becoming increasingly high on the agenda at board level,” says Cannon. “Recent data breaches have clearly shown the financial and reputational impact to businesses and those not giving it focus risk being caught out by the introductionofthenewGDPR.” Theseareissuesindividualsmustbe awareof,too.Thereisamisconception that if hackers don’t manage to get hold of PINs and full card details then there is nothing to worry about. That is not the case. “We are seeing the rise of ‘social engineering’ techniques,” says Cannon. “This means that even if hackers exposed a low level of infor- mation, it could be used to gather the datatheyreallywant.Thesedays,most ofusarecluedupenoughtoknowthat if we get a phone call out of the blue asking for our bank details, then we shouldn’t hand them over. But if you werecontactedbyanorganisationyou hold an account with and they quoted that account number, you may be more likely to be tricked into handing overmoresensitiveinformation...” The new EU regulations are forcing companies to take cyber risk and data breaches a lot more seriously and to implement measures to guard against attack. “The first step is to make sure someone in the company is empow- ered to implement the relevant pro- cesses,” says Cannon. “Then start thinking about a plan. Come up with the worst case scenarios, think about whatdatayouholdandwhatisimpor- tant to the business. Play through the various scenarios and see what you can do to increase your protection and what to do afterwards. Think By Virginia Blackburn The rise of cybercrime is now one of the biggest issues affecting many businesses and the EU regulators have now taken actions to try to get the business community to act to protect itself breach. The service can be available to consumers within 48 hours of a breach occurring and consumers who sign up to the service can use it to help identify and respond to fraud- ulent activity, checking whether their credit profile is being damaged by criminals. Noddle Protect allows consumers to review their credit report for free and helps them to look out for people applying for credit in their name or using their details fraudulently, giving them peace of mind and ensuring they continue to trustinyourbrand.” The increase in data breaches in recent years coincides with the increase in consumers making use of digital channels due to the conveni- ence they offer.The value of your per- sonal data to fraudsters is increasing asitistheirwaytogainaccesstoyour digital accounts. Your data is their means to an end. “I often compare it to car security,” says Cannon. “In the past,if someone wanted to steal a car theywouldbreakintothecarandhot- wire it to drive away. As a result, car manufacturers have increased their security meaning it is now much harder.Theapproachofacarthiefhas shifted to stealing the car keys by breaking into your house. It’s similar in the digital world, as organisations increase security around services they offer through digital channels, fraudsters see your data as the key to unlockingyourdigitalaccountsusing techniquessuchasidentityfraudand accounttakeoverbeingabletobypass security.” In other words, while the benefits of life online are enormous, so are the risks and companies and individuals alike must take measures to protect themselves against the threatofcyber-crime. aboutwhatyouneedtoimplementto recoverfromanattackandmakesure employees are trained to understand whatabreachlookslike.” If a company is attacked, there are twostepsitmusttake.“First,establish and understand as much as you can about what’s happening,” says Can- non. “IT security must understand exactlywhat’sgoingon.Thenexecute the plan you have put in place. If you canestablishwheretheattackiscom- ingfromyoumay,say,beabletomake changestoyourfirewall.Orinextreme casesyoumayneedtoconsidertaking your system offline. Secondly, com- munication is key as everyone should be aware of what is happening both internallyandexternally.” Of course, after a data breach it is crucial for businesses to reassure their customers that the problem has been dealt with: damage to their corporate or brand reputation could prove a disaster in the longer run. “You should consider what has happened and give your customers the absolute confidence that you have done everything to mitigate the breach happening again in the future,” says Cannon. “Customers will understandably worry about their personal details being exposed and through education are becom- ing increasingly aware of the value of their personal data. Media stories highlighting anonymous forums used by fraudsters on the dark web are adding to their concern so you should proactively consider having a data breach response. For example, Noddle Protect enables businesses to put in place a fast and effective reme- diation plan to safeguard consumers who may have had their personal data compromised following a data PHOTO: THINKSTOCK
Integral to ‘making the UK a secure place to do business ’ has been the call for industry to openly collaborate with each other in order to overcome the Cyber Threat. However, many organisations still seem to need to be convinced, despite losses being reported on an almost daily basis. A recent survey revealed that 68% of CEOs are reluctant to share security incidents externally , for fear that publically admitting a breach could have irreparable damage on the brand, reputation and share price of their business. Templar Executives’ CEO, Andrew Fitzmaurice, believes however that the current Cyber Security market is perpetuating a climate of ‘Project Cyber Fear’ which gener- ates two behaviours with the same outcome: a belief that stories are just scaremon- gering to promote sales and secondly, fear to discuss issues at all. “Business leaders are becoming apathetic to these scare stories and are asking us what we can do about it”, Fitzmaurice says. “We are changing the narrative from a glass half empty to a glass half full by promoting ‘Project Cyber Business’. Cyber Security needs to owned by the business, and addressed holistically within the organisation”. As a leadership issue, the C-suite need to lead their organisations by adopting ‘Project Cyber Business’ to deliver business excellence. Organisations who align Cyber Security best practice to business objectives by investing in proportionate controls, are optimising their businesses with better Cyber maturity. The benefits include gaining competitive advantage, winning new business contracts, as well as enhancing reputation and shareholder confidence. Fitzmaurice explains, “Templar has engaged continuously over the past 5 years with a client to develop and sustain their Cyber maturity and resilience, and as a result this client has won over £7.2 billion worth of new business”. As a direct impact of ‘Project Cyber Business’, businesses are seeing an increased return on their investment, as well as a rise in brand value and share price. The results speak for themselves. To optimise your business and join the success story, contact Templar Executives at Turning a cyber half glass empty into a half glass full – A Call to Action enquiries@templarexecs.com T he pace of change has accelerated ex- ponentially since then and will only continue to quick- en. Technology is a huge force for good, an opportunity from which we can all benefit. In 2010, the Internet of Thingswasstillinitsinfancy;in2016, oversixbillionconnecteddeviceswill be in use worldwide, enabling people to connect with people and govern- ments and businesses to deliver bet- ter services. By 2020, that number is settorisetoover20billion. The 2010 National Security Strate- gy identified cyber as one of the top threats to the UK. In response, the Government has invested £860 mil- lion since 2011 in a National Cyber Security Programme to: • Tackle cyber-crime and make the UKoneofthemostsecureplacesinthe worldtodobusinessincyberspace. • Make the UK more resilient to cyber-attack and better able to pro- tect our interests in cyberspace. • Help shape an open, vibrant and stablecyberspacethatsupportsopen societies and: • Build the UK’s cyber security knowledge, skills and capabili- ties. We have made tangible pro- gress against these vital objectives. In collaboration with our industry, academicandinternationalpartners, we have laid solid foundations for the future. We have significantly enhanced our national capabilities and technolo- gies to defend ourselves against tho- se who would do us harm. We have a national approach to incident re- sponse and secure information sha- ring on threats, through CERT-UK and the Cyber Security Information Sharing Partnership it hosts. Businesses of all sectors and sizes now have unprecedented levelsofexpertguidanceandtraining available to help them manage their cyberrisks.Governmentdigitalservi- cesaremoresecurethanever,andwe arebuildinginsecuritybydesignand taking robust action against at- tempts at online fraud. Through this, the UK is helping shape the international deba- te on the future of cyberspace. UK cyber security companies now have an increased market share in- ternationally. And we are on a long- er-termmissiontoensuretheUKhas the right cyber skills and knowledge, with interventions at every level of the education system and cutting- edge research in cyber security. But there is more to do. The 2015 National Security Strategy confirmed that cyber remains a top level threat to the UK’s economic and national security. That threat is increasing in scaleandcomplexity.Itisalsoincrea- sing at such a pace that we must run simply to stand still. The increased inter-connectedness of our everyday lives means that the range of targets is broader and the task of protecting themharder. Five years is a long time in cyberspace. When we published the UK’s first Cyber Security Strategy, digital technology was already having a transformational impact on how we consume, share and save information Thenextsteps towardscyber security By the Rt Hon Matthew Hancock MP INSPIRATION AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET8 FUTUREOFTECH.CO.UK We must build the UK’s cyber security knowledg and capabilities to become more resilient to cyber-a
265x112 So we have announced that we will substantially increase our investment to £1.9 billion in protec- ting the UK from cyber-attack and developing our sovereign capabi- lities in cyberspace. Our new Pro- gramme, led by a new National Cyber Security Centre,will mark a re- doublingofoureffortstotacklethecy- berthreat.Butwecannotdothisalone. Everyone has a role to play in keep- ing our society safe. Continued, sus- tained and close collaboration bet- ween government, industry, acade- mic and international partners is vital and we must accept our indivi- dualandcollectiveresponsibilities. 2016 will see the launch of the UK’s second National Cyber Security Stra- tegy. This will define our vision and ambition for the next fiveyears.Whi- leweknowthescaleofthetaskahead, we also know we are building on a good platform.This report highlights the current Programme’s achieve- ments over the past year and the wi- der impact of the Programme since its inception. We should be proud of the foundations we have jointly laid through our first National Cyber Se- curityProgramme.Theyhavepositio- neduswellforthefuture. “We are on a long-term mission to ensure the UK has the right cyber skills and knowledge” PHOTO: THINKSTOCK AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET MEDIAPLANET 9 MindTheGap:Empowera CommonRiskConversation COLUMN C ommuters throughout London encounter a simple message about risk everyday.As one boards the rail or tube,Transport for London will advise them to “Mind the Gap”.The phrase serves as a simple and effective message to mitigate the risk of someone being injured. Next time the words are heard, consider a different gap - the gap that exists between strategies organisations use to manage their business and cyber risk. Today,we are more reliant on technology than ever before,with exposure from cyber threats constantly escalating, organisations are struggling to explain security in terms the business can understand. To be successful in today’s digital world and address advanced threats, companies must have a converged view of business and cyber risk. Organisations need to be able to determine what level of appetite they have for security risks. Business decisions must carefully consider the impact cyber has on the overall strategy and risk posture. Organisations need to approach this in three ways. Every employee should be engaged in active- ly managing risk. Security practitioners need to partner with and provide meaningful insight that resonates with the business. The business and security teams need to align taxonomies that enable a common conversation. To learn more about empowering a common risk conversation, new approaches to visibility, analysis, and action, and managing identities, attend the RSA London Summit on April 27th. Until then, please continue to “Mind the Gap” to prevent personal injury and to protect the business. Genaro Scalo GRC Senior Manager, Europe, Middle East and Africa, RSA Extract from the UK Cyber Security Strategy 2011-2016 Annual Report ge, skills attack LONDON TECH WEEK 20-26 JUNE ReadMediaplanet’sLondonTechnologyCampaign outon14JuneintheCityA.M. WE TURN INTEREST INTO ACTION
AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET10 FUTUREOFTECH.CO.UK MEDIAPLANET Howtoblockthe fraudsters SUPPORTING EVENT Along with the explosion in ecommerce there has been an ex- plosion in efraud,with the industry urgently having to come up with a raft of new initiatives and strategies to keep ahead of the game. Social media doesn’t help: it has been making it easier for criminals to gather a lot of personal information about speci- fic individuals and clone their identities. But the cyber security industry is fighting back,with a series of initiatives designed to protect digital payments from becoming a way of committing fraud or identity theft. Zehra Chudry is the Head of Content for PaymentsWorld Series – who will be running PayExpo Europe in London this June. “So much information is online now that there has been a lot of clo- ning of identities,” she says. “Companies can get you online to say who you are but to date there have been limited ways of tra- cing back to make sure they are dealing with the real person, but that could be about to change.There are two major areas the in- dustry is looking into.The first concerns online identity and the- re are a number of start-ups which are beginning to check infor- mation people supply on, say, Facebook, LinkedIn andTwitter to make sure it comes from the same person and thus verifies and individual’s identity to make sure it hasn’t been cloned. It allows companies to ask about people’s friends and updates to authenti- cate yourself online.” The other major initiative concerns the problems caused by transferring information such as card details and addresses onli- ne. “Increasingly businesses are using a technology called block- chain,which encrypts information in such a way that only the receiving end will be able to see it and this is particularly useful for, say, money transfers,” says Chudry. “But there is a question about capacity.The reality at the moment is that how to integra- te this into a business has not yet been clearly defined.” But there is a great deal more to come.The battle to combat on- line fraud now encompasses robotics and artificial intelligence, with machines using algorithms to look at consumer patterns and spot changes in behaviour while elsewhere the industry is examining the viability of establishing a single set of cyber-crime standards. “Every country currently has its own values of what constitutes acceptable risk,” says Chudry. “So what we are asking is, ‘Is this achievable? Is it the way to look forward?’ Although it can feel like a battle just to keep your head above water in the fight against cybercrime as it becomes more intelligent, tech and software providers are also evolving faster than ever.” Zehra Chudry Head of Content, Payments World Series Cybervillains are everywhere. Companies and individuals alike must stay alert Cybercrime is a major issue these days: Google and McA- fee estimates there are 2,000 cyberattacks every day cos- ting the global economy about £300 billion a year. The problem cannot be overestimated and is becoming increasingly wides- pread. “We’ve been providing data se- curity standards since we launched in 2006tokeeptrackofpaymentcardda- ta online,” says Jeremy King, Interna- tionalDirectorofthePCISecurityStan- dards Council,which was formed as a global body to tackle payment securi- ty issues that surround the area of cy- bercrime.“We are dealingwith global- ly organised criminal gangs operating on a massive scale.Thieves are trying to steal any data they can, governme- ntsarelookingtoseewhatcanbedone to tackle the problem and over one bil- lionrecordsarestoleneveryyear.Atthe annualInfosecsecurityeventitwasre- ported that 90 per cent of large organi- sations suffered at least one security breachandonaveragetheyreported14 securitybreachesayear.” Many organisations, unfortunate- ly, have been in denial about the scale oftheproblem,especiallythosewhich are not actually involved in sales,King believes. However, boards are begin- ning to take it more seriously, accep- ting that this is not just an IT threat andaregraduallybecomingawarethat there are four major types of cyber th- reat, starting with compromised cre- dentials.“The main aimwhen protec- ting cardholder data is that you don’t storeitifyoudon’tneedtobutifyoudo keepitthenencryptit,”saysKing. Another type of attack involves ransomware. “The criminals insert malware, encrypt everything and then,forexample,say,giveusacertain amount in bitcoins and we’ll unlock your information,” says King. “Some US hospitals have been the victim of that. Or there can be a denial of servi- ces attackwhere so many requests are put into a system at once it can’t cope and runs slowly or shuts down.These typesofattackscanhaveamassiveim- pact:forexample,ifbettingfirmswere targetedduringtheGrandNational.” Cybercriminals also use spyware and keyloggers to get in to a system andthemostcommonwayhereisvia a phishing attack. Some of these are obvious; some, say, in the form of re- quests for bill payments, are a lot less so. Keyloggers, meanwhile, log eve- ry key stroke, thus revealing valuable credit card information and have in the past come to light when compa- nies have spotted cleaners behaving suspiciously. Training staff is more crucial than ever. “Some companies have asked for a friendly phishing at- tack in order to test staff awareness and something like 25 per cent of em- ployees fail,” King continues. “When that happens, typically a notice will pop up on screen saying, ‘You’ve fai- led, apply to personnel for further training.’ But it’s worse at board level where33percentfail.” Another issue stems from the fact that an increasing number of domes- ticappliancessuchasfridgesandkett- les are now connected to the internet, but while this may be convenient for the householder, white goods manu- facturers do not understand security andriskbroadcastingwifisecurityde- tailseverywhere. Small merchants, too, have pro- blems, with 1.3 million in the UK not having any IT services department. The Government is trying to address this, publishing 10 Steps to Cyber Se- curity, using deliberately non-techni- cal language to help. At PCI we have had a task force developing our own guide,thiswillbereleasedinJune. Another growth area is Card Not Present – CNP – fraud, which PWC predicts will grow from $2.9 billion in 2014 to $6.4 billion in 2019. “The UK Cards Association monitors and reports fraud figures and has seen a 26 per cent increase across all fraud, with the majority in CNP via internet purchases,” says King. The European Central Bank is taking action: it is in- troducing further requirements on businesses and there will be hefty fi- nesimposediftheydon’tprotecttheir customers’dataproperly. Adds King, “Improving security practices to identify and detect at- tacks quickly with the PCI Data Secu- rity Standard, and establishing an in- cidence response plan need to be top prioritiesfororganisationsin2016.” By Jeremy King INSPIRATION Jeremy King International Director, PCI Security Standards Council
Cyber Security small
Cyber Security small

More Related Content

PDF
Cyber Security small
byHenry Worth
 
PDF
TMHCC in Risk & Compliance 2017 Q4 - Cyber Mini-Roundtable
byLaura Tibbo
 
PDF
Financier Worldwide - Cyber Security annual review
byMorgan Jones
 
PDF
European Cyber Security Perspectives 2016
byOmer Coskun
 
PDF
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
bySarah Jarvis
 
PDF
2010 6 Things u need 2 know in 2010 Whitepaper Final
byLarry Taylor Ph.D.
 
PDF
Raise The Cybersecurity Curtain. Predictions 2021
byDr. Ludmila Morozova-Buss
 
PPTX
Threat Actors and Innovators - Webinar
bySparity Inc.
 
Cyber Security small
byHenry Worth
 
TMHCC in Risk & Compliance 2017 Q4 - Cyber Mini-Roundtable
byLaura Tibbo
 
Financier Worldwide - Cyber Security annual review
byMorgan Jones
 
European Cyber Security Perspectives 2016
byOmer Coskun
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
bySarah Jarvis
 
2010 6 Things u need 2 know in 2010 Whitepaper Final
byLarry Taylor Ph.D.
 
Raise The Cybersecurity Curtain. Predictions 2021
byDr. Ludmila Morozova-Buss
 
Threat Actors and Innovators - Webinar
bySparity Inc.
 

What's hot

PDF
idg_secops-solutions
byJonny Nässlander
 
PDF
Delusions of-safety-cyber-savvy-ceo
byJoão Rufino de Sales
 
PPTX
The 5 Biggest Cybersecurity Trends In 2020 Everyone Should Know About
byBernard Marr
 
PDF
As telcos go digital, cybersecurity risks intensify by pwc
byMert Akın
 
PDF
CyberSecurityCompliance-Aug2016-V10 (002) final
byRobertPike
 
PDF
Volume2 chapter1 security
byat MicroFocus Italy ❖✔
 
PDF
Five Network Security Threats And How To Protect Your Business Wp101112
byErik Ginalick
 
PDF
Insights success the 10 best performing cyber security solution providers 4th...
byInsights success media and technology pvt ltd
 
PDF
Reducing-Cyber-Risk-Whitepaper-Email (UK)
byMark Baker
 
PPT
Security in Web 2.0, Social Web and Cloud
byITDogadjaji.com
 
PDF
CC_Futureinc_Cyber Security
byAlistair Blake
 
PDF
40 under 40 in cybersecurity. top cyber news magazine
byBradford Sims
 
PDF
IMC 618 - Public Relations Campaign
byStephanie Holman
 
PDF
sc_can0315_28373
byKatherine Thompson
 
PDF
How much security is enough?
bySherry Jones
 
DOCX
Trends_in_my_profession(revised)
byMantenso Skido-Achulo
 
PDF
deloitte-nl-fsi-cyber-value-at-risk
byDominika Rusek
 
PPTX
Lessons v on fraud awareness (digital forensics) [autosaved]
byKolluru N Rao
 
PDF
140707_Cyber-Security
byTara Gravel
 
idg_secops-solutions
byJonny Nässlander
 
Delusions of-safety-cyber-savvy-ceo
byJoão Rufino de Sales
 
The 5 Biggest Cybersecurity Trends In 2020 Everyone Should Know About
byBernard Marr
 
As telcos go digital, cybersecurity risks intensify by pwc
byMert Akın
 
CyberSecurityCompliance-Aug2016-V10 (002) final
byRobertPike
 
Volume2 chapter1 security
byat MicroFocus Italy ❖✔
 
Five Network Security Threats And How To Protect Your Business Wp101112
byErik Ginalick
 
Insights success the 10 best performing cyber security solution providers 4th...
byInsights success media and technology pvt ltd
 
Reducing-Cyber-Risk-Whitepaper-Email (UK)
byMark Baker
 
Security in Web 2.0, Social Web and Cloud
byITDogadjaji.com
 
CC_Futureinc_Cyber Security
byAlistair Blake
 
40 under 40 in cybersecurity. top cyber news magazine
byBradford Sims
 
IMC 618 - Public Relations Campaign
byStephanie Holman
 
sc_can0315_28373
byKatherine Thompson
 
How much security is enough?
bySherry Jones
 
Trends_in_my_profession(revised)
byMantenso Skido-Achulo
 
deloitte-nl-fsi-cyber-value-at-risk
byDominika Rusek
 
Lessons v on fraud awareness (digital forensics) [autosaved]
byKolluru N Rao
 
140707_Cyber-Security
byTara Gravel
 

Viewers also liked

PDF
an-analysis-of-the-carbon-limits-and-energy-for-america2019s-renewal-clear-ac...
byEric Williams
 
PPTX
Titulos valores 9
byMaricarmen Matienzo
 
PDF
Tabison company profile 2017
byTabison Research
 
PPTX
10 most classy and expensive blooms in the world
byFlora Williams
 
PPTX
Netiquette
byManindraMaju
 
DOCX
Katarzyna Szrejter
byKatarzyna Szrejter
 
PDF
8. Enfermedades de la infancia
byEmagister
 
PDF
Degree_Certificate_Dalarna_University
byASHENAFI WELDEMARIAM GEBRGIORGIS
 
DOC
Cv of ali raza wangani 2017
byAli Raza Wangani
 
PPTX
Semiotica 2011
byarqsas
 
PPT
Planeacion estrategica
byfredy ramos romero
 
PPTX
CenturyLink - IoE - Disrupt
byDurgesh Potnis
 
an-analysis-of-the-carbon-limits-and-energy-for-america2019s-renewal-clear-ac...
byEric Williams
 
Titulos valores 9
byMaricarmen Matienzo
 
Tabison company profile 2017
byTabison Research
 
10 most classy and expensive blooms in the world
byFlora Williams
 
Netiquette
byManindraMaju
 
Katarzyna Szrejter
byKatarzyna Szrejter
 
8. Enfermedades de la infancia
byEmagister
 
Degree_Certificate_Dalarna_University
byASHENAFI WELDEMARIAM GEBRGIORGIS
 
Cv of ali raza wangani 2017
byAli Raza Wangani
 
Semiotica 2011
byarqsas
 
Planeacion estrategica
byfredy ramos romero
 
CenturyLink - IoE - Disrupt
byDurgesh Potnis
 

Similar to Cyber Security small

PDF
The Secure Online Business E Commerce It Functionality and Business Continuit...
byufothladky
 
PDF
16231
byJames Grant
 
PDF
1. security 20 20 - ebook-vol2
byAdela Cocic
 
PDF
Cybersecurity Toolkit
byClaranet UK
 
PDF
Fall2015SecurityShow
byAdam Heller
 
PPTX
CRI "Lessons From The Front Lines" March 26th Dublin
byOCTF Industry Engagement
 
PDF
4th Digital Finance Forum, Simon Brady
byStarttech Ventures
 
PPTX
Showreel ICSA Technology Conference
byInstitute of Chartered Secretaries and Administrators
 
PDF
EnterpriseImmuneSystem
byAdam Toth-Fejel
 
PPTX
Why Traditional Security Fails Against Modern Threats
byHome
 
PDF
Get Prepared
byHewlett Packard Enterprise Business Value Exchange
 
PDF
Finding a Strategic Voice - IBM CISO Study
byIBMGovernmentCA
 
PDF
Cyber Security Privacy Brochure 2015
bysarah kabirat
 
PDF
Anatomy of a cyber attack
byMark Silver
 
PPTX
Achieving 360° view of security for complete situational awareness
byHappiest Minds Technologies
 
PPTX
Retail Excellence Ireland - Cyber Threats 2015 Overview
byOCTF Industry Engagement
 
PPTX
Strategies to Combat New, Innovative Cyber Threats - 2017
byPaladionNetworks01
 
PDF
Cyber risk reporting aicpa framework
byJames Deiotte
 
PPTX
What is Information Security and why you should care ...
byJames Mulhern
 
PDF
cybersecurity-250
byChris Crowe
 
The Secure Online Business E Commerce It Functionality and Business Continuit...
byufothladky
 
16231
byJames Grant
 
1. security 20 20 - ebook-vol2
byAdela Cocic
 
Cybersecurity Toolkit
byClaranet UK
 
Fall2015SecurityShow
byAdam Heller
 
CRI "Lessons From The Front Lines" March 26th Dublin
byOCTF Industry Engagement
 
4th Digital Finance Forum, Simon Brady
byStarttech Ventures
 
Showreel ICSA Technology Conference
byInstitute of Chartered Secretaries and Administrators
 
EnterpriseImmuneSystem
byAdam Toth-Fejel
 
Why Traditional Security Fails Against Modern Threats
byHome
 
Get Prepared
byHewlett Packard Enterprise Business Value Exchange
 
Finding a Strategic Voice - IBM CISO Study
byIBMGovernmentCA
 
Cyber Security Privacy Brochure 2015
bysarah kabirat
 
Anatomy of a cyber attack
byMark Silver
 
Achieving 360° view of security for complete situational awareness
byHappiest Minds Technologies
 
Retail Excellence Ireland - Cyber Threats 2015 Overview
byOCTF Industry Engagement
 
Strategies to Combat New, Innovative Cyber Threats - 2017
byPaladionNetworks01
 
Cyber risk reporting aicpa framework
byJames Deiotte
 
What is Information Security and why you should care ...
byJames Mulhern
 
cybersecurity-250
byChris Crowe
 

Cyber Security small

  • 1.
    REGISTER NOW SUMMIT LONDON 27APRIL 2016 http://tinyurl.com/RSASummit2016LondonT: +44 (0) 1344 781613 DISCOVER NEW STRATEGIES FOR SECURING MODERN IT Whatarethenextsteps towardscybersecurity? Readanextractfromthe UKCyberSecurityStrategy 2011-2016AnnualReport AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET APRIL FUTUREOFTECH.CO.UK READ Whatisthebiggest causeofacyberbreach?P4 INSIDE Howtoempowera commonriskconversationP6 ONLINE Whymodernvehicles couldbecomeatargetforcyberattack CybersecurityFUTUREOFTECH.CO.UK
  • 2.
    AN INDEPENDENT SUPPLEMENTBY MEDIAPLANET2 FUTUREOFTECH.CO.UK MEDIAPLANET T he greatest need is for training and awareness for all staff. A common routeintoasystem is via a member of staff clicking on a phishing email. Attacks can be very sophisticated, for example, looking as if it’s a note from the boss. It is on- ly via training that members of staff will understand how important the- se issues are and their role in helping preventthem. Here at the MoD, the DCPP advo- cates a three stage approach, starting with a risk assessment that is car- ried out on every contract. In some cases there will be no risk; in others we measure risk in four levels rising from low to very high. We give the supplier an assurance questionnaire primarily based on self-assessment and the controls we apply are appro- priateandproportionate.Thisisnota casewhereonesizefitsall. Onegrowingthreatatthemoment is the use of ransomware,when an e- criminal attacks and encrypts your information and only after you ha- ve paid up will they give you the key to unlock it. This has happened to a number of hospitals in the US, inclu- ding one in LA which was attacked, had not backed up its files and had to pay a $17,000 ransom to get their in- formationback. All companies are potential tar- gets for these and other attacks,whi- le the adversaries come from a num- ber of backgrounds; as well as e-cri- minals attacks can come from bored Don’t let cyberthieves in by the back door Cyber attacks, including cyber crime, are on the increase and affects every area of life. Nowhere does this apply more than the Ministry of Defence, where my focus is on the defence supply chain and the Defence Cyber Protection Partnership (DCPP), a joint initiative between the MoD and the business community READ MORE ON FUTUREOFTECH.CO.UK Playing catchup Piers Wilson outlines how the cyber security industry is addressing the skills shortage to get ahead of threats P4 “Not if, but when” Jon Buttriss on how to protect ourselves from the evolving professionalism of the cyber security industry P5 Catch him if you can Frank Abagnale Jr explains how cyber- crime and fraud is a threat to banking and financial services teenagers seeing what they can get away with, hacktivists who might have political agendas they wish to further, cyber terrorists or foreign in- telligenceservices. Challenges arise because each group has a different approach. Hack- ers might be trying at random to see what targets they are able to breach, without any specific organisation in mind,much as a car thief might stroll around a car park,trying car doors un- til they find one that is unlocked. If a company has basic cyber security protection in place – most easily achieved through the government’s Cyber Essentials Scheme, they will li- kely be thwarted and go off and try andfindeasiertargets.Otherattackers maybemoretargetedandpersistent. Suppliers need to be mindful of the scale of the risks they face. Last year 90 per cent of large organisations sur- veyed reported that they had suffered a security breach and the costs can be significant, rising into seven figures. Theycanalsobeattackedmorestrate- gically than before: there is a growing awareness that companies don’t ope- rate in isolation and that they can be vulnerable to attack via their supply chain.ThishappenedtotheTargetsu- permarketchainintheUS,whenthey wereattackedviaatheirheating,ven- tilation and air conditioning compa- ny. This turned into a significant breach which compromised the de- tails of 61 million customers. All of which means it has never been more important to have the appropriate controlsinplaceandaworkforcewho aretrainedandaware. Please RecycleFollow us facebook.com/MediaplanetUK @MediaplanetUK @MediaplanetUK Project Manager: Henry Worth E-mail: henry.worth@mediaplanet.com Content and Production Manager: Henrietta Hunter Business Developer: Rebecca Nicholson Designer: Juraj Príkopa Managing Director: Carl Soderblom E-mail: carl.soderblom@mediaplanet.com Mediaplanet contact information: Phone: +44 (0) 203 642 0737 E-mail: info.uk@mediaplanet.com IN THIS ISSUE Dan Selman Cyber Industry Deputy Head, Ministry of Defence
  • 3.
    AN INDEPENDENT SUPPLEMENTBY MEDIAPLANETMEDIAPLANET FUTUREOFTECH.CO.UK 3 COMMERCIAL FEATURE COMMERCIAL FEATURE Mosthigh-profileattacks on corporate data centers and institu- tional networks have originated outside of the victimised organisations. But the network open- ings that allow outside cyber-attack- ers to burrow in, infect databases and potentially take down an organisa- tion’s file servers, overwhelmingly originatewithtrustedinsiders. According to a worldwide survey of Information Security Forum (ISF) members, the vast majority of those network openings were created inno- cently through accidental or inadvert- ent behaviour by insiderswithout any intention of harming their employer. Inanumberofcases,thatvulnerability was, ironically, the result of a trusted employee doing a seemingly run-of- Matthias Maier is a security specialist at Splunk, a plat- form for Operational Intelligence that helps customers to monitor, analyse and visualise machine-generated big data. “Fun- damentally, everything that is dig- ital can be exposed by cyber crimi- nals, cyber terrorists or malicious insiders. If we look at an emerging example,the majority of the health- care industry was not connected to the network 10 years ago, but now you can turn devices on and off remotely. Being able to do this has advantages, but it also represents a real opportunity for those with malicious intent to steal data or cause damage.” When trusted insiders are your biggest security threat Data driven security: Machine data is the first line of defence the-mill task like taking files home to workonintheirownsparetime. There are three types of risky insider behaviour. Malicious:Maliciousinsiderbehav- iour combines a motive to harm with adecisiontoactinappropriately. Negligent: Negligent behav- iour can occur when people look for ways to avoid policies they feel impede their work. Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones. Combatting the wholesale theft of databylimitingthetypesofinadvert- ent actions which could lead to its misappropriationshouldbeapriority In an environment of advanced threats, changing business demands and extensive technology infrastruc- ture, a traditional perimeter focused approached to ITsecurity is no longer effective. Maier believes that a totally new approach to cybersecurity is required. “Organisations need to adopt a data driven approach to cyber security if they are to stay ahead of external attacks, malicious insiders andpotentialfraud.” The evidence of an attack exists in machinedatawithinanorganisation, so security teams need to gain insight from that data to properly detect, analyse and respond. Attackers will attempt to use all possible mech- anisms to compromise an organ- isation, which may involve use of By Steve Durbin By Virginia Blackburn The modern professional life requires organisations to review not only the threat of malicious outsiders, but of negligent insiders too One of the major business trends from the past decade is the growing digitalisation of customer interactions.With all indus- tries looking at ways to take a more digital and integrated approach to how they work, there is a significant opportunity to improve customer services.At the same time, digitalisation presents a challenge as it opens up an organisation to a more diverse and threatening set of risks ble management step in safeguard- ing an organisation’s information assets. After new employees have been satisfactorily screened, con- tinue the trust-building process through onboarding by equipping them with the knowledge and skills required of trusted insid- ers. Expectations of trustworthy behaviour should be made explicit from the outset. Above all,a culture of trust built on shared values, ethical behaviour and truth begins at the top. The conduct of senior management sets a tone which reverberates from the C-suite to the shop floor. Having a culture of trust affects more than just informa- tionsecurity;itisalsofundamentalto the organisation’s prospects for futuresuccess. what’s happening within your secu- rity and IT environment, you can’t protectyourself.” Organisations like UniCredit and John Lewis have adopted Splunk to get answers out of machine and digi- talservicesgenerateddata.“Forthese organisations it’s critical that in a dynamic digital landscape they can apply big data technology to quickly get answers to their questions to in near real time,” says Maier. “This means they can react as soon as they detectanythingthatmightgivethem – or their customers – cause for con- cern.”With the threat landscape con- tinuing to evolve, it’s clear that machinedatawilltakeitsplaceasthe first line of defence for organisations inallindustries. for every organisation. Investment in technologies that can help to pre- ventintrusionsandprotectdatafrom attackers is essential. Management controls including segregation of duties,periodic reassessment of priv- ileges,andaudits,arealsoimportant. But the most fundamental ele- ment of threat is deeply human. It starts with the proper vetting of employees to look for signs that the individual has not, in the past, been a responsible steward of informa- tion entrusted to them. Applicants whosepastshaveincludedquestions over managing information should not be brought onboard. The trust factor Cultivating a culture of trust is likely to be the single most valua- identity, endpoints, servers, business apps,webandemailservers,aswellas non-traditionalsystemssuchasHVAC access control. The evidence of these activities is captured in the machine data from these systems, which makesalldatasecurityrelevant. “By continuously monitoring this data acrossyour entire infrastructure you can detect malicious activity as early as possible,” says Maier. “This could involve spotting anomalies, recognising unusual activity or iden- tifying indicators of compromised systems. As soon as you identify an issue you can determine the scope and impact of a threat before under- standing who is affected, what to do about it and how to ensure it doesn’t happen again.Ifyou aren’t able to see Steve Durbin Managing Director, Information Security Forum Matthias Maier Security specialist, Splunk
  • 4.
    AN INDEPENDENT SUPPLEMENTBY MEDIAPLANET4 FUTUREOFTECH.CO.UK MEDIAPLANET COLUMN Oneofthebiggestissuesfacingthecybersecurityindustrytodayisthe skillsshortage.Althoughtheneedtobecyber-safehasneverbeengreater, thereisstillalackofpeoplewiththenecessaryexpertise,somethingthe industryrecognisesandiskeentotackle understood it,” says Wilson. “On the other hand if a new security threat arisestomorrow, thecybersecurityin- dustry is immediately playing catch- up to understand it and be able to de- tectandrespond.” Thechallengesarenotsettogoaway. “There are some developments around machine learning and anomaly detec- tion where smart technologies can identify and diagnose threats and the logical next step for this is to see what systems can do to automate responses in a confident and safe way,” says Wil- son. “They are making security more efficient by removing the noise,distill- ing down the data to make decisions and enabling swift action that is con- sistent,repeatable and allows the busi- nesstoreactmorequickly. Thisfreesup time for other activities that improve security, like hunting for threats that are not yet apparent, improving the overall security posture and training anddevelopment.” There will always be an asymmetry between the at- tackers’capabilityandthede- fenders’,asinordertoprotect a system you need to cover all the vul- nerabilities, all of the time,” says Piers Wilson,director of IISP,the profession- al body for security professionals. “But budgets are finite; whereas to mount a successful attack you only have to find one exposed weakness and you can be as patient and spend as much effort as youfeelisworthwhile.” Education is key bothwith academ- ia and universities as well as within industry itself. This means keeping board members up to scratch as well asprovidingconstantretrainingforIT staff – because technology and poten- tialthreatsarechangingallthetime. Therearevariousoptionsopenforcy- ber training. “They range from formal courses comprising quick overviews to specific courses, to product and technology courses to full-time MSc programmes,”saysWilson. “It’salsoan industrythatgeneratesahugeamount of research and white paper materi- al – so training aside there is no short- ageofmaterialsavailableforself-learn- ingtoo. Whichofthosefitsaparticular organisational or individual need is a matter for debate.At the IISP we have been active in setting standards and running a training course accredita- tion and assessment programme.This way people can select courses that we can vouch for and also find out which topicareaswillbecovered.” The steady march of technology means that in IT everyone is always learning - 10 years ago the technolo- gies and hence the attackvectorswere different but now there are superior platforms,security controls andwork- ing knowledge of facilities. “Some are- ascanaffordtotakeamoreconsidered path: developers, for example might only migrate from one language to the next one once they feel they have Theurgentneedto combattheskills shortage By Virginia Blackburn In the field of HLS & Cyber, the Israeli industry provides an extensive array of outstanding and innovative technologies specifically designed to counter a variety of threats in an ever-changing world. Registration will open on June 1 on our website: www.israelhlscyber.com For more information about the 4th International HLS & CYBER Conference in Tel Aviv, please contact: Julia.Bayer@israeltrade.gov.il | http://itrade.gov.il/uk/ THE 4TH INTERNATIONAL CONFERENCE NOVEMBER 14–17, 2016 ISRAEL TRADE & FAIRS CENTER, TEL AVIV NEWS “ Piers Wilson Director, IISP Waqas Hashemi CEO, Whitehall Media Bewareofthe humanfactor I n this age of short term contracts allied to new working practices inclu- ding the cloud, mobi- le and flexible working hours, one of the biggest issues in the cyber security sector is managing employee identity. “When an individual joins an organisation, it usually marks a fusion of IT and human resour- ces,” says Waqas Hashemi, CEO of Whitehall Media, which runs a suite of conferences around se- curity and risk management as well as identity and access ma- nagement. “Emerging trends in the workplace are proving disruptive and are causing pro- blems with integrating access to the new technology.” The biggest problems of all when it comes to managing em- ployee identity is not malicious intent but negligence and the human factor, according to Reh- man. “Password management is also difficult,” she adds. “People still don’t use ones with suffi- cient complexity.” “To mount a successful cyber attack you only have to find one weakness”
  • 5.
    AN INDEPENDENT SUPPLEMENTBY MEDIAPLANETMEDIAPLANET FUTUREOFTECH.CO.UK 5 “The cost of an attack far outstrips the ongoing cost of security” Thereisanever-growingawarenessofcybersecuritythreats,withalmostdailycoverageinthemedia.Evenlarge organisations,withtoptalentandsignificantresourcesdevotedtocyber-security,havesufferedmajorbreaches.The truism“it’snotif,butwhen”ringsintheearsofbusinessleadersandreinforcestheneedforskilledsecurityprofessionals tomitigateagainstthethreat.Thetruthiseveryorganisationisvulnerable,and100percentdefenceisnotpossible H aving identi- fied cyber se- curity as a na- tional priori- ty, in 2015 the UK Governme- nt announced an increase in cyber security spending to £1.9bn by 2020 – the only area of the budget to increase. This is reflected in business, with average salaries for se- curity professionals increasing 16 per centyearonyear. The reason for the increased invest- ment is simple; the cost of an attack far outstrips the ongoing cost of security. TheICOhashandedoutfinesashighas £980,000 –which is still less damaging than the customer loss and reputatio- naldamageasresultsofabreach. But despite increasing budget to counter the cyber threat,businesses are still struggling to recruit the skills they need to keep up. Unemployment in the securityindustryhasbeenreportedat0 per cent, with a 10 per cent increase in demand forecast each year to 2020. So how can we deliver the skills needed to address the current shortfall and also meetthegrowingdemand? This is a question being asked by government, organisations and professionals. It is the reason for the in- tensifying chatter surrounding professi- onalisationofthecybersecurityindustry. Professionalisation addresses this burning issue by establishing a stan- dard that enhances the quality of the workforce. By understanding, alig- ning and cultivating the most needed skills, the profession can raise the bar in the areas thatwill have the mostva- lue. This also establishes standardised roles and skills clusters.Businesses ha- ve a shared vocabulary to describe the skills they need that are recognised by potential applicants. New entrants are clearer on the skills they need and mindful of the need to continually self- develop. Structure, clarity and recog- nition make security a more attracti- ve career path,which in turn encoura- ges new entrants and grows the talent pool. This is perhaps the most critical of all – considering the evident need to step-change the number of workers in thefield. It is not always easy for professio- nals and potential entrants to naviga- te the skills and competencies requi- red at each stage of their careers. Em- ployersarenotalwaysclearthemselves on this so the demand cited in job ad- vertisements is not necessarily an accurate reflection of what is needed. This is where recognised skills frame- worksdevelopedbyprofessionalbodies comein.Andfromthisstandardisation and definition comes the ability to cul- tivatetheskillsonagreaterscale. For professionals wanting to demon- strate their capabilities against these frameworks, certification offers verifi- cation of their proficiency, clear step- ping stones for development and im- proved employment and earning pro- spects. For employers, certification helps to assure the calibre of the pro- fessionals they are recruiting, provided this is backed up by demonstrable ex- perience.It signifies that potential em- ployeeshavebeenindependentlyasses- sed,aidingemployersinrecruitingrele- vantskillsintotheirorganisations. As well as being a mark of technical capability,certificationalsocomespack- agedwithmembershiptoaprofessional body such as BCS, The Chartered Insti- tute for IT.These memberships demon- strate a commitment to self-develop- ment and require adherence to codes of professionalconduct. The combination of skills alignment, certification and continuous develop- ment comes together, in the form of professionalisation, to promote stan- dards and quality amongst cyber secu- rity professionals. There is little doubt that businesses need quality security professionals, and in greater numbers. Cybersecurityisnotachallengethatwe willsolveovernight,orwithanyoneso- lution.Neitherdoesithaveanenddate; we will have to continually assess the threat and work together to evolve best practicetostayahead. Theevolvingprofessionalism ofthecybersecurityindustry By Jon Buttriss IT has been gaining momentum within global business for decades and we’ve been there from the beginning, nurturing talent and shaping the profession. Today professionals & organisations work with us to exploit our unique in- sight and independent experience as we continue to set the standards of per- formance and professionalism in the industry. ABOUT BCS, THE CHARTERED INSTITUTE FOR IT FACTS Jon Buttriss CEO, BCS Learning and Development
  • 6.
    AN INDEPENDENT SUPPLEMENTBY MEDIAPLANET6 FUTUREOFTECH.CO.UK MEDIAPLANET “The UK is the most cyber- attacked country in Europe and the second most assailed in the world” INFOGRAPHIC Cybercrimeisontherisebuttherearemanywaystofightit.From addressingtheproblemsatboardleveltomakingsurestaffareproperly trained,SMEscannotguaranteetheywon’tbeattacked,buttheycan makeextensivepreparationsinadvance evidence you can such as a screen shots. Use back-ups.” Given that an attack is almost ine- vitable, Talal stresses that it is as im- portant for a company to be able to re- spond to a breach as it is to erect defen- cesagainstit.“Thereisnotjustoneway to respond across the board,” he says. “For example,TalkTalk notified custo- mers as to what was going on but that didn’t actually help as other opportu- nistic hackers saw this as an opportu- nitytomakefishingattempts.Theway to react depends on what type of orga- nisationyouare.Youshouldalwaysno- tify the authorities,which many com- panies still don’t do and it’s safer not to alwaysusethesameemailtemplate.” This is not a problem that is going to goaway any time soon and sothe cyber security industry continues to work overtimetofind,ifnotasolution,thenat least the heavy weaponry required to fight back. “One new trend is the in- creased use of data security analytics,” saysTalal.“Companiesareanalysingin- formationthatcomesinonadailybasis to foresee where the threat will come from next. And there will be further threats.As increasing numbers ofdevicesareinterconnectedandsmart cities continue to expand across the world,everincreasingnumbersofhack- ers will come after everyone. This goes down to individuals not companies: make sure in all your wearable devices thatsecurityisbuiltinbydesign.” A s the world beco- mes increasingly interconnected, cyber crime is a problem as never before. It is now a case of not if but when most companies get attacked and this is especially the case in this country, with the UK as the most cy- ber-attacked country in Europe and the second most assailed in the world, with attacks up 40 per cent,according to Symantic.They are at least aware of theproblem,withresearchbyEquinix showing that seven out of 10 compa- nies in the UK do not feel prepared for cyber-attacks.Sowhattodo? Talal Rajab is Programme Manager – Cyber, National Security and Criminal Justice at techUK. “Regardless of how much money is spent on products and services,attacksandthreatsareinevita- ble,”hesays.“Thesedaystoolstolaunch such an attack can be bought very cheaply on the dark web,as in theTalk Talk crisis, where it is widely believed the perpetrators were not much more thanchildren.Butatleasttheseattacks are increasing public awareness of the problem,asdidtheassaultsonSonyand AshleyMadison.However,althoughwe cantracetheregionthesecomefrom,it isdifficulttotrackdowntheactors.” One problem is that SMEs are often targeted because they are less likely to have basic security measures in place and a further issue is that many who do not offer online payments are safe. They are not. “Any company that has data on its system is threatened,” says Talal.“Thefirststepindealingwiththis istomakesurethatcybersecurityison the boardroom agenda.Many breaches stem from the fact that staff are not aware of best practice which means thattrainingandawarenessarecrucial. Manyarenotevenawareofthemostba- sic password security and the constant importance of updating systems and ensuring companies are not left with legacysoftware.”Checksthatshouldbe standard across every company inclu- de strong passwords, the regular upda- ting of software and regular back-ups, whether the company is a multi-natio- nalconglomerateoraone-manband. Many companies are at leastwaking up to the fact that this is no longer just anITproblem.“Traditionallyitwasthe case that responsibility for security lay solelywithIT,”saysTalal.“Anduntilre- cently, the IT person was essentially thechiefsecurityofficerbutnowincre- asing numbers are appointing dedica- tedCSOs.Theyarealsosendingfarmo- repeopleonsecuritycourses.” And so once an attack begins, how should a company respond? It is es- sential to plan ahead, and have the right staff and skills in place. “Be cy- ber streetwise,” says Talal. “Don’t continue using the system. Noti- fy the authorities. Get any forensic Fightingcyberthreatsis essentialforSMEstowin thewarwithcyberbreaches By Virginia Blackburn NEWS Talal Rajab Programme Manager – Cyber, National Security and Criminal Justice, techUK According to the 2014-2015 Cyber Governance Health Check of FTSE 350 companies: 88 %of companies now actively consider cyber security as a business risk have a basic or clear under- standing of where their critical information and data sets are shared with third parties The Winter 2015 FT-ICSA Boardroom Bellweather Survey found that regard the threat of cyber-attack to be increasing The UK’s domestic cyber security sector contributes over £17 billionto the economy The National Cyber Crime Unit (NCCU) is leading domestic and international operations to disrupt serious cyber crime The Metropolitan Police set up a Fraud and Crime Online (FALCON) team in 2014, which brings together their specialist cyber crime investigators to pursue and disrupt cyber criminals. The work of the FALCON team has resulted in 985 arrests, 431 people charged, 241 convicted and £3.1 million confiscated. Tackling online fraud is a top priority During 2012, HMRC took down almost 1000 fraudulent websites During 2015, that figure rose to more than 11,000 HMRC established a cyber security team in 2012. During 2014-2015, the team assisted in the prevention of frauds totalling more than 59 % 82 % 170 £103 million 1011 PHOTO: THINKSTOCK
  • 7.
    AN INDEPENDENT SUPPLEMENTBY MEDIAPLANETMEDIAPLANET FUTUREOFTECH.CO.UK 7 John Cannon Commercial director – Fraud and ID, Callcredit Information Group COMMERCIAL FEATURE Under the forthcoming EU General Data Protection Regulation(GDPR),which comes into force in 2018, unless the data breach is unlikely to result in a high privacy risk for an individual,orifthedatawasappropri- ately encrypted, all organisations will have to inform their customers when a serious data breach occurs, and rec- ommend ways in which any adverse effects could be mitigated, and if they fail to do so could be fined up to four per cent of their global turnover. So what are the issues facing the indus- try and how can businesses work to overcome them? The first step is to understand who the potential hackers are. “They are quite wide ranging,” says John Can- non,commercial director – Fraud and ID of Callcredit Information Group. “From organised criminal gangs who are motivated by fraud, to terrorist groups and corporate and rogue state sponsored espionage with malicious intent. But the threat isn’t just from organised groups: hackers have all kinds of motives and could just be an individual flexing his/her intellectual muscles showing off to peers simply because they can.” There are now a number of security risks facing businesses today. “Many more of us are interacting digitally and data is increasingly important, meaning where and how it’s stored,” says Cannon. “Businesses that are migrating from their traditional modelintodigitalchannelsarepoten- tially not as well geared up to the threat.”They are having to accept the idea, he says, that there are threats posed both externally and internally, such as from rogue employees. As a result of all of this, however, New EU regulation highlights the risks of cybercrime companies are becoming increas- ingly aware of the potential dangers and many are taking action to try to alleviate the risks. “This is becoming increasingly high on the agenda at board level,” says Cannon. “Recent data breaches have clearly shown the financial and reputational impact to businesses and those not giving it focus risk being caught out by the introductionofthenewGDPR.” Theseareissuesindividualsmustbe awareof,too.Thereisamisconception that if hackers don’t manage to get hold of PINs and full card details then there is nothing to worry about. That is not the case. “We are seeing the rise of ‘social engineering’ techniques,” says Cannon. “This means that even if hackers exposed a low level of infor- mation, it could be used to gather the datatheyreallywant.Thesedays,most ofusarecluedupenoughtoknowthat if we get a phone call out of the blue asking for our bank details, then we shouldn’t hand them over. But if you werecontactedbyanorganisationyou hold an account with and they quoted that account number, you may be more likely to be tricked into handing overmoresensitiveinformation...” The new EU regulations are forcing companies to take cyber risk and data breaches a lot more seriously and to implement measures to guard against attack. “The first step is to make sure someone in the company is empow- ered to implement the relevant pro- cesses,” says Cannon. “Then start thinking about a plan. Come up with the worst case scenarios, think about whatdatayouholdandwhatisimpor- tant to the business. Play through the various scenarios and see what you can do to increase your protection and what to do afterwards. Think By Virginia Blackburn The rise of cybercrime is now one of the biggest issues affecting many businesses and the EU regulators have now taken actions to try to get the business community to act to protect itself breach. The service can be available to consumers within 48 hours of a breach occurring and consumers who sign up to the service can use it to help identify and respond to fraud- ulent activity, checking whether their credit profile is being damaged by criminals. Noddle Protect allows consumers to review their credit report for free and helps them to look out for people applying for credit in their name or using their details fraudulently, giving them peace of mind and ensuring they continue to trustinyourbrand.” The increase in data breaches in recent years coincides with the increase in consumers making use of digital channels due to the conveni- ence they offer.The value of your per- sonal data to fraudsters is increasing asitistheirwaytogainaccesstoyour digital accounts. Your data is their means to an end. “I often compare it to car security,” says Cannon. “In the past,if someone wanted to steal a car theywouldbreakintothecarandhot- wire it to drive away. As a result, car manufacturers have increased their security meaning it is now much harder.Theapproachofacarthiefhas shifted to stealing the car keys by breaking into your house. It’s similar in the digital world, as organisations increase security around services they offer through digital channels, fraudsters see your data as the key to unlockingyourdigitalaccountsusing techniquessuchasidentityfraudand accounttakeoverbeingabletobypass security.” In other words, while the benefits of life online are enormous, so are the risks and companies and individuals alike must take measures to protect themselves against the threatofcyber-crime. aboutwhatyouneedtoimplementto recoverfromanattackandmakesure employees are trained to understand whatabreachlookslike.” If a company is attacked, there are twostepsitmusttake.“First,establish and understand as much as you can about what’s happening,” says Can- non. “IT security must understand exactlywhat’sgoingon.Thenexecute the plan you have put in place. If you canestablishwheretheattackiscom- ingfromyoumay,say,beabletomake changestoyourfirewall.Orinextreme casesyoumayneedtoconsidertaking your system offline. Secondly, com- munication is key as everyone should be aware of what is happening both internallyandexternally.” Of course, after a data breach it is crucial for businesses to reassure their customers that the problem has been dealt with: damage to their corporate or brand reputation could prove a disaster in the longer run. “You should consider what has happened and give your customers the absolute confidence that you have done everything to mitigate the breach happening again in the future,” says Cannon. “Customers will understandably worry about their personal details being exposed and through education are becom- ing increasingly aware of the value of their personal data. Media stories highlighting anonymous forums used by fraudsters on the dark web are adding to their concern so you should proactively consider having a data breach response. For example, Noddle Protect enables businesses to put in place a fast and effective reme- diation plan to safeguard consumers who may have had their personal data compromised following a data PHOTO: THINKSTOCK
  • 8.
    Integral to ‘makingthe UK a secure place to do business ’ has been the call for industry to openly collaborate with each other in order to overcome the Cyber Threat. However, many organisations still seem to need to be convinced, despite losses being reported on an almost daily basis. A recent survey revealed that 68% of CEOs are reluctant to share security incidents externally , for fear that publically admitting a breach could have irreparable damage on the brand, reputation and share price of their business. Templar Executives’ CEO, Andrew Fitzmaurice, believes however that the current Cyber Security market is perpetuating a climate of ‘Project Cyber Fear’ which gener- ates two behaviours with the same outcome: a belief that stories are just scaremon- gering to promote sales and secondly, fear to discuss issues at all. “Business leaders are becoming apathetic to these scare stories and are asking us what we can do about it”, Fitzmaurice says. “We are changing the narrative from a glass half empty to a glass half full by promoting ‘Project Cyber Business’. Cyber Security needs to owned by the business, and addressed holistically within the organisation”. As a leadership issue, the C-suite need to lead their organisations by adopting ‘Project Cyber Business’ to deliver business excellence. Organisations who align Cyber Security best practice to business objectives by investing in proportionate controls, are optimising their businesses with better Cyber maturity. The benefits include gaining competitive advantage, winning new business contracts, as well as enhancing reputation and shareholder confidence. Fitzmaurice explains, “Templar has engaged continuously over the past 5 years with a client to develop and sustain their Cyber maturity and resilience, and as a result this client has won over £7.2 billion worth of new business”. As a direct impact of ‘Project Cyber Business’, businesses are seeing an increased return on their investment, as well as a rise in brand value and share price. The results speak for themselves. To optimise your business and join the success story, contact Templar Executives at Turning a cyber half glass empty into a half glass full – A Call to Action enquiries@templarexecs.com T he pace of change has accelerated ex- ponentially since then and will only continue to quick- en. Technology is a huge force for good, an opportunity from which we can all benefit. In 2010, the Internet of Thingswasstillinitsinfancy;in2016, oversixbillionconnecteddeviceswill be in use worldwide, enabling people to connect with people and govern- ments and businesses to deliver bet- ter services. By 2020, that number is settorisetoover20billion. The 2010 National Security Strate- gy identified cyber as one of the top threats to the UK. In response, the Government has invested £860 mil- lion since 2011 in a National Cyber Security Programme to: • Tackle cyber-crime and make the UKoneofthemostsecureplacesinthe worldtodobusinessincyberspace. • Make the UK more resilient to cyber-attack and better able to pro- tect our interests in cyberspace. • Help shape an open, vibrant and stablecyberspacethatsupportsopen societies and: • Build the UK’s cyber security knowledge, skills and capabili- ties. We have made tangible pro- gress against these vital objectives. In collaboration with our industry, academicandinternationalpartners, we have laid solid foundations for the future. We have significantly enhanced our national capabilities and technolo- gies to defend ourselves against tho- se who would do us harm. We have a national approach to incident re- sponse and secure information sha- ring on threats, through CERT-UK and the Cyber Security Information Sharing Partnership it hosts. Businesses of all sectors and sizes now have unprecedented levelsofexpertguidanceandtraining available to help them manage their cyberrisks.Governmentdigitalservi- cesaremoresecurethanever,andwe arebuildinginsecuritybydesignand taking robust action against at- tempts at online fraud. Through this, the UK is helping shape the international deba- te on the future of cyberspace. UK cyber security companies now have an increased market share in- ternationally. And we are on a long- er-termmissiontoensuretheUKhas the right cyber skills and knowledge, with interventions at every level of the education system and cutting- edge research in cyber security. But there is more to do. The 2015 National Security Strategy confirmed that cyber remains a top level threat to the UK’s economic and national security. That threat is increasing in scaleandcomplexity.Itisalsoincrea- sing at such a pace that we must run simply to stand still. The increased inter-connectedness of our everyday lives means that the range of targets is broader and the task of protecting themharder. Five years is a long time in cyberspace. When we published the UK’s first Cyber Security Strategy, digital technology was already having a transformational impact on how we consume, share and save information Thenextsteps towardscyber security By the Rt Hon Matthew Hancock MP INSPIRATION AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET8 FUTUREOFTECH.CO.UK We must build the UK’s cyber security knowledg and capabilities to become more resilient to cyber-a
  • 9.
    265x112 So we haveannounced that we will substantially increase our investment to £1.9 billion in protec- ting the UK from cyber-attack and developing our sovereign capabi- lities in cyberspace. Our new Pro- gramme, led by a new National Cyber Security Centre,will mark a re- doublingofoureffortstotacklethecy- berthreat.Butwecannotdothisalone. Everyone has a role to play in keep- ing our society safe. Continued, sus- tained and close collaboration bet- ween government, industry, acade- mic and international partners is vital and we must accept our indivi- dualandcollectiveresponsibilities. 2016 will see the launch of the UK’s second National Cyber Security Stra- tegy. This will define our vision and ambition for the next fiveyears.Whi- leweknowthescaleofthetaskahead, we also know we are building on a good platform.This report highlights the current Programme’s achieve- ments over the past year and the wi- der impact of the Programme since its inception. We should be proud of the foundations we have jointly laid through our first National Cyber Se- curityProgramme.Theyhavepositio- neduswellforthefuture. “We are on a long-term mission to ensure the UK has the right cyber skills and knowledge” PHOTO: THINKSTOCK AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET MEDIAPLANET 9 MindTheGap:Empowera CommonRiskConversation COLUMN C ommuters throughout London encounter a simple message about risk everyday.As one boards the rail or tube,Transport for London will advise them to “Mind the Gap”.The phrase serves as a simple and effective message to mitigate the risk of someone being injured. Next time the words are heard, consider a different gap - the gap that exists between strategies organisations use to manage their business and cyber risk. Today,we are more reliant on technology than ever before,with exposure from cyber threats constantly escalating, organisations are struggling to explain security in terms the business can understand. To be successful in today’s digital world and address advanced threats, companies must have a converged view of business and cyber risk. Organisations need to be able to determine what level of appetite they have for security risks. Business decisions must carefully consider the impact cyber has on the overall strategy and risk posture. Organisations need to approach this in three ways. Every employee should be engaged in active- ly managing risk. Security practitioners need to partner with and provide meaningful insight that resonates with the business. The business and security teams need to align taxonomies that enable a common conversation. To learn more about empowering a common risk conversation, new approaches to visibility, analysis, and action, and managing identities, attend the RSA London Summit on April 27th. Until then, please continue to “Mind the Gap” to prevent personal injury and to protect the business. Genaro Scalo GRC Senior Manager, Europe, Middle East and Africa, RSA Extract from the UK Cyber Security Strategy 2011-2016 Annual Report ge, skills attack LONDON TECH WEEK 20-26 JUNE ReadMediaplanet’sLondonTechnologyCampaign outon14JuneintheCityA.M. WE TURN INTEREST INTO ACTION
  • 10.
    AN INDEPENDENT SUPPLEMENTBY MEDIAPLANET10 FUTUREOFTECH.CO.UK MEDIAPLANET Howtoblockthe fraudsters SUPPORTING EVENT Along with the explosion in ecommerce there has been an ex- plosion in efraud,with the industry urgently having to come up with a raft of new initiatives and strategies to keep ahead of the game. Social media doesn’t help: it has been making it easier for criminals to gather a lot of personal information about speci- fic individuals and clone their identities. But the cyber security industry is fighting back,with a series of initiatives designed to protect digital payments from becoming a way of committing fraud or identity theft. Zehra Chudry is the Head of Content for PaymentsWorld Series – who will be running PayExpo Europe in London this June. “So much information is online now that there has been a lot of clo- ning of identities,” she says. “Companies can get you online to say who you are but to date there have been limited ways of tra- cing back to make sure they are dealing with the real person, but that could be about to change.There are two major areas the in- dustry is looking into.The first concerns online identity and the- re are a number of start-ups which are beginning to check infor- mation people supply on, say, Facebook, LinkedIn andTwitter to make sure it comes from the same person and thus verifies and individual’s identity to make sure it hasn’t been cloned. It allows companies to ask about people’s friends and updates to authenti- cate yourself online.” The other major initiative concerns the problems caused by transferring information such as card details and addresses onli- ne. “Increasingly businesses are using a technology called block- chain,which encrypts information in such a way that only the receiving end will be able to see it and this is particularly useful for, say, money transfers,” says Chudry. “But there is a question about capacity.The reality at the moment is that how to integra- te this into a business has not yet been clearly defined.” But there is a great deal more to come.The battle to combat on- line fraud now encompasses robotics and artificial intelligence, with machines using algorithms to look at consumer patterns and spot changes in behaviour while elsewhere the industry is examining the viability of establishing a single set of cyber-crime standards. “Every country currently has its own values of what constitutes acceptable risk,” says Chudry. “So what we are asking is, ‘Is this achievable? Is it the way to look forward?’ Although it can feel like a battle just to keep your head above water in the fight against cybercrime as it becomes more intelligent, tech and software providers are also evolving faster than ever.” Zehra Chudry Head of Content, Payments World Series Cybervillains are everywhere. Companies and individuals alike must stay alert Cybercrime is a major issue these days: Google and McA- fee estimates there are 2,000 cyberattacks every day cos- ting the global economy about £300 billion a year. The problem cannot be overestimated and is becoming increasingly wides- pread. “We’ve been providing data se- curity standards since we launched in 2006tokeeptrackofpaymentcardda- ta online,” says Jeremy King, Interna- tionalDirectorofthePCISecurityStan- dards Council,which was formed as a global body to tackle payment securi- ty issues that surround the area of cy- bercrime.“We are dealingwith global- ly organised criminal gangs operating on a massive scale.Thieves are trying to steal any data they can, governme- ntsarelookingtoseewhatcanbedone to tackle the problem and over one bil- lionrecordsarestoleneveryyear.Atthe annualInfosecsecurityeventitwasre- ported that 90 per cent of large organi- sations suffered at least one security breachandonaveragetheyreported14 securitybreachesayear.” Many organisations, unfortunate- ly, have been in denial about the scale oftheproblem,especiallythosewhich are not actually involved in sales,King believes. However, boards are begin- ning to take it more seriously, accep- ting that this is not just an IT threat andaregraduallybecomingawarethat there are four major types of cyber th- reat, starting with compromised cre- dentials.“The main aimwhen protec- ting cardholder data is that you don’t storeitifyoudon’tneedtobutifyoudo keepitthenencryptit,”saysKing. Another type of attack involves ransomware. “The criminals insert malware, encrypt everything and then,forexample,say,giveusacertain amount in bitcoins and we’ll unlock your information,” says King. “Some US hospitals have been the victim of that. Or there can be a denial of servi- ces attackwhere so many requests are put into a system at once it can’t cope and runs slowly or shuts down.These typesofattackscanhaveamassiveim- pact:forexample,ifbettingfirmswere targetedduringtheGrandNational.” Cybercriminals also use spyware and keyloggers to get in to a system andthemostcommonwayhereisvia a phishing attack. Some of these are obvious; some, say, in the form of re- quests for bill payments, are a lot less so. Keyloggers, meanwhile, log eve- ry key stroke, thus revealing valuable credit card information and have in the past come to light when compa- nies have spotted cleaners behaving suspiciously. Training staff is more crucial than ever. “Some companies have asked for a friendly phishing at- tack in order to test staff awareness and something like 25 per cent of em- ployees fail,” King continues. “When that happens, typically a notice will pop up on screen saying, ‘You’ve fai- led, apply to personnel for further training.’ But it’s worse at board level where33percentfail.” Another issue stems from the fact that an increasing number of domes- ticappliancessuchasfridgesandkett- les are now connected to the internet, but while this may be convenient for the householder, white goods manu- facturers do not understand security andriskbroadcastingwifisecurityde- tailseverywhere. Small merchants, too, have pro- blems, with 1.3 million in the UK not having any IT services department. The Government is trying to address this, publishing 10 Steps to Cyber Se- curity, using deliberately non-techni- cal language to help. At PCI we have had a task force developing our own guide,thiswillbereleasedinJune. Another growth area is Card Not Present – CNP – fraud, which PWC predicts will grow from $2.9 billion in 2014 to $6.4 billion in 2019. “The UK Cards Association monitors and reports fraud figures and has seen a 26 per cent increase across all fraud, with the majority in CNP via internet purchases,” says King. The European Central Bank is taking action: it is in- troducing further requirements on businesses and there will be hefty fi- nesimposediftheydon’tprotecttheir customers’dataproperly. Adds King, “Improving security practices to identify and detect at- tacks quickly with the PCI Data Secu- rity Standard, and establishing an in- cidence response plan need to be top prioritiesfororganisationsin2016.” By Jeremy King INSPIRATION Jeremy King International Director, PCI Security Standards Council