Cyber Themes 2018

The London Digital Security Centre (LDSC) along with its Marketplace partners, will be promoting our mission by providing world-class online advice and free guidance to all UK businesses over the next 12 months.  We will be hosting live webinars, podcasts, blogs, video content and more throughout the year, on the most pressing cyber security challenges for businesses.

 

Our mission is to enable businesses to innovate, grow and prosper through improving your digital security and resilience to cyber-crime and online threats.

May: Ensuring Compliance

Week 4
Week 3
‘Ensuring Compliance’ themed evening presentations.

This month’s ‘Ensuring Compliance’ themed evening presentations by Rapid7, ThinkingSafe & Symphonic can be viewed here.

Week 2
Week 1

April: Managing a Breach

Week 1

Communication is key to managing a breach: before, during and after

Managing the fall out of a data breach is a team effort, making communication vital.  Every employee with an email address can be targeted by increasingly sophisticated phishing scammers – making the protection of an organisation’s data the responsibility of everyone, not just the IT department. High profile cases such as Yahoo, Equifax and more recently MyFitnessPal tend to dominate headlines, but smaller businesses are at risk too. 61% of breaches in 2017 happened to businesses with under 1,000 people according to Verizon Data Breach Investigations Report, therefore it is imperative that every organisation of any size is ready to manage a breach when, not if, it happens.

The crucial first step should be taken before a cyber attack has even happened. Communication can become difficult when ransomware has blocked access to email, so having incident management conversations before a breach happens can help facilitate a swifter response. Channels of communication need to be open between IT, HR, legal, financial and customer service departments as a part of preparing for a breach. Having a cross-department team with clear leadership ready to deal with a cyber attack is the best way to ensure a successful response.

However, planning for a breach is not always enough. When your cyber defences have been compromised, communication is still the most valuable tool to make sure your best laid plans do not go awry. Again, without access to emails, you will need to ensure that you have an independent channel of communication and access to the details of everyone you need to get in touch with, both internal and external contacts (suppliers, third party IT specialists, clients etc).

Once the facts have been established and shared with employees and the technical steps of disaster recovery are underway, the next phase of managing the breach is communication with the outside world. GDPR comes into effect this May, and introduces “a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.” Failure to notify the ICO of a breach can land you with fines of 2% of your global turnover or €10 million, so missing this key piece of communication could be a costly mistake. Also set out in GDPR is the need to communicate the breach with all of your stakeholders, customers and whoever else may have been affected.

The goal when alerting people of the data breach is to give apologetic, honest communication with your organisation’s wider community of customers and stakeholders. Take responsibility, be transparent about the steps you did take and are taking to minimise the damage and be an active presence in the media, including social media. All of these steps are, of course, much easier and smoother if they have been pre-planned and the resources (i.e. press statements) shared with all staff according to a communication plan.

Although no plan is ever perfect, and cyber attacks are increasingly engineered to get past our careful planning, communication plays an all-important role in managing every stage of a breach. The best incident management happens long before the incident does. Clear, fast communication is the key to ensuring your people are empowered to give an effective, professional response that could protect your reputation and assets following a breach.

Author:

Yudu: https://www.yudu.com/

Week 2
Week 3
‘Managing A Breach’ themed evening presentations.

This month’s ‘Managing A Breach’ themed evening presentations by Yudu and Yoti can be viewed here.

March: Proving Your Credentials

Week 1
Week 2

A potentially more secure future via Blockchain

Your digital identity is the gateway to your data, and increasingly, this includes most facets of your everyday life. Whether it’s your social media accounts, bank details, chat history or your shopping habits.

With so many accounts to manage and protect, maintaining constant access across multiple devices whilst keeping them all secure can be a complex task.

With data more valuable than ever, these large collections of personal information are very attractive targets to criminals.

Recent breaches show that vital personal information for vast numbers of people often give hackers the key information they need to unlock access to even greater volumes of data or even worse, the ability to use a victim’s identity.

So, what is the answer? Well, one answer gaining more credibility is to move the control of identity information from the companies to us as individuals, giving us the ability to control which aspects of our personal data is used and when.

To achieve this, two things are needed:

  • A way to prove your identity without divulging sensitive data
  • A way to authenticate you are who you say you are

To achieve the first, a simple and well-understood approach can be used; hashing. Hashing is a mechanism used to generate a value from some existing information, using a mathematical function. If you were to change any of the original information and rerun the hash, it would output a hash completely different to the original.

Hashing is also a one-way function meaning that reversing it is virtually impossible. This, therefore, makes hashing an effective mechanism for hiding underlying data whilst ensuring it hasn’t been changed in transit.

By utilising a hash of your identity, it’s possible to authenticate yourself without revealing the personal data you used to create it. This protects the security of your data.

Creating a hash of an identity is not very useful, however, if no one can use or interact with it. This is where a secure, ubiquitous, transactional system is required and a relatively new one is showing signs of being a good candidate: Blockchain.

A ‘Blockchain’ allows parties to transact securely without any third-party involvement, removing the need for complex (and sometimes costly) intermediaries to enable direct peer-to-peer interaction.

Each transaction is independently verified before it makes it on to the Blockchain ledger which means there is no centralised authority and thereby no single point of failure. This decentralisation is one of the potential benefits from a security perspective. Once the data has been entered in to the blockchain, no one can change it and so it provides verifiable proof of the integrity of the transaction. It also removes the need for human involvement thereby eliminating the need for passwords.

By combining a digital identity verification service using hashing with the decentralised blockchain principle, a digital ID can be created from either all or parts of your ID which can then be used to transact for services. For example, you could just authorise the hashed part of your ID that provides your age for purchasing alcohol or just your address for having goods delivered to your home from a courier.

With both a verified ID to authenticate against and a secure platform to transact with, there is no need for your personal information to be disclosed, you just need to set the conditions of what you want to authorise, when you want to authorise it and to who.

Whilst large-scale adoption and interoperability of verification services using Blockchain is yet to take place, the ability to build services in to blockchains is becoming more ubiquitous and some companies are already selling ID services in this area. Therefore, don’t be surprised if you start to see accelerated progression towards self-managed digital IDs soon, especially with GDPR just around the corner.

Author:

Daryl Flack, Co-Founder & CIO, BLOCKPHISH

Website: http://www.blockphish.com/

February: Out with the old, In with the new

Week 1

Typical Issues Around End of Life Asset Disposal

This time of year is the period when many organisations dispose of their company’s old assets so that budgets can be spent before the end of their Financial Year.

There is always a desire to get new Information Systems up and running as quickly as possible so that the benefits of using them can be realised and a return on investment achieved. This means that the focus particularly of the IT department may be on the shiny new computer systems rather than on the old ones that are being ripped out to make way for them.

The fact that end of life IT systems can contain sensitive data which either belongs fully to the organisation or may be about their customers and users is often overlooked. The temptation is to dispose of the old equipment as quickly as possible in order to free up available space particularly in busy and city centre offices. Because of its nature, this task is frequently delegated down the organisation hierarchy to a level where the individual organising the disposal may not be aware of all the risks involved.

The temptation is to take a quick look online and find the company offering the cheapest price available to dispose of the old equipment. There is an inherent danger here. Even companies that offer bargain basement rates for disposal need to make their crust somehow – and so they do this by reselling as much of the kit as they can to second-hand users often with little or no regard for the data that may still be on the devices.

Even those who understand that a desktop computer or laptop will contain sensitive data on their hard drives often may overlook the data held on other devices such as photocopiers, fax machines and printers.  Many multifunction devices contain a computer hard drive which retains a soft copy of all of the documents it has ever scanned, printed or faxed.

The data stored on IT equipment is usually the most sensitive held by an organisation.  Its existence, location, storage and destruction should be managed as a controlled process with director level oversight.

The need for this is heightened by the General Data Protection Regulation being enacted in May 2018 which will dramatically increase fines for companies who suffer data leaks by failing to dispose of their old data bearing assets in an appropriate manner.

Secure disposal of end of life assets should be managed by a full audit trail of all the assets being disposed of. One should search for a company which is independently accredited – ideally by an HM Government body such as the Ministry of Defence. The chosen supplier should explain clearly exactly how data will be destroyed, for example by shredding, overwriting with software or degaussing (demagnetizing), and the ultimate outcome/destination your old assets in terms of recycling. The supplier should also carry professional indemnity cover of at least £1 million to underwrite his service offering.  For more information see www.dataeliminate.com.

Author:

By Julian Fraser, Director, Data Eliminate Ltd

Website:  www.secure-data-destruction.co.uk

Podcast by: Data2Vault

Week 2

Behaviours & Devices

For decades businesses have been using tape backup as a way of preventing their data being lost. From the smallest to the largest businesses, data backup is consistently budgeted as a “keeping the lights on” item.

Tape has been the media of choice for data backup since the 1960’s. During the 1980’s tape started to find its way into mainstream use, with the Walkman and VHS or Betamax video. Over the last 10 years consumers have rapidly adopted iPod’s and iPhones and Sky+ or TiVo, abandoning tape, but the IT industry had doggedly retained its reliance on tape as a backup, or more latterly a Disaster Recovery media

The digital world is changing fast, digital data volumes are growing by 42% per annum (according to IDC research), regulations to protect data are already in place, and with GDPR the regulations and penalties are being strengthened. Critical business data is being held across a mixture of Cloud services, on-premises systems and mobile devices, all this adds up to a data protection landscape that is becoming much more complex for businesses to address.

Most businesses are not aware that cloud application providers, like Microsoft with Office365, Salesforce and Google do not backup your data in their services. The protection of the data is the responsibility of the customer

Even as many organisations move to local disk based backup devices, backup tapes are still being used to move a daily or weekly copy of the latest data offsite, for Disaster Recovery purposes. These systems typically make use of image backup, snapshots of the whole application or virtual machine. Ideal for rapid restoration to get the business back up and running. But with GDPR organisations need to be looking at how all personal information is stored and managed. Image and snapshot backup does not easily allow the identification and deletion of individual files related to a person, now the right to be forgotten is incorporated into GDPR.

The continued use of tape media and the associated human intervention to handle, transport and store backup tapes create a huge vulnerability. Eliminating tape can significantly improve recovery rates and reduce recovery times.

Flexible Data Protection services that offer both image backup for rapid Disaster Recovery and granular recovery for individual files, emails or mailboxes, and long-term retention plus protection of data in Cloud applications will become the standard. When you add in Data loss Insurance cover from £1,000,000, all delivered within a certified security environment supporting GDPR compliance, Advanced Data Protection is available today.

The old way – tape, insecure in clear text, transported, stored and recovered manually and image based backup for long-term retention

The new way – Advanced Data Protection, integrated Disaster Recovery and granular file backup for long term data retention. Secure, automated with Data Insurance.

Author:

Mark Savile, Director, Data2Vault

Website: http://www.data2vault.com/

Podcast by: DataEliminate

Week 3

Be Ready

With the worse of the winter hopefully behind us, thoughts naturally start turning to the Spring; a time for throwing out the old to pave way for the new.

For businesses, many of the new challenges will unfortunately come as an addition to the old and not simply as a replacement.  Amongst the new challenges will be the General Data Protection Regulation (GDPR).  Remaining as an old challenges is the very prevalent cyber threat.

At first glance, GDPR and cyber threats appear very separate.  They are however, linked.  In fact, in a speech at the CBI Cyber Conference last year, the Information Commissioner described cyber security and data protection as being ‘inextricably linked’.  So, if we can link challenges, maybe there is the opportunity for businesses to take a new approach to addressing them.

Debate as to who holds responsibility for IT security is not new.  Is it purely the responsibility of the IT team or does it lie with the Company Directors?  With each party putting forward numerous, yet reasoned arguments, the detail of the debate is subject for an altogether different Blog.

Yet, however good the assertions of both sides, the most practical solution is for both parties to share responsibility.  After all, IT can’t implement appropriate defences without the support of the Board and the Board cannot make informed decisions without the expert input from IT.  As the cliché goes, ‘a problem shared is a problem halved’!

Accountability is actually much wider than a simple bi-partisan relationship with responsibility for cyber security falling to all employees.  The best security, jointly agreed by IT and the Board, becomes worthless if a simple click on a fraudulent link bypasses considered security measures.

A new culture which includes awareness training for all staff may prove a valuable benefit for any organisation.  If training can work in partnership with a ‘no blame’ culture then all the better.  Encouraging staff to report an erroneous click on a suspicious link enables investigation and positive action to be taken, hopefully before it is too late.

A proactive approach to cyber security may also form part of a new culture for many organisations.  Unfortunately, too many businesses have placed cyber security on the too complicated, too expensive or, the it will never affect us pile, only to be addressed once an incident occurred.  As those businesses will testify, that is the point at which it is too late and the very point at which it does become inconvenient, complicated and expensive.

Improved security doesn’t have to be complicated and can be built in to everyday good business practice.  The Government backed Cyber Essentials guides businesses to address areas that can protect against 80% of online threats.  With the addition of good information Governance, such as IASME Governance, which also includes a GDPR readiness assessment, even greater protection can be achieved.

So, whilst this Spring, we may face new business challenges, we can introduce a new culture for the benefit of the whole organisation.  Cyber security has as important a role to play in business as any other function.  With the right measures in place, a business can solicit new opportunities whilst simultaneously protecting what it has worked so hard to achieve.  Get it wrong and the effect on a business can be devastating.

GDPR provides us with the perfect opportunity to ensure the protections we currently have in place are appropriate and facilitates the perfect excuse to make any necessary changes to business practice and business culture.

Author:

By: Chris Pinder, IASME

Website: https://www.iasme.co.uk/

Week 4

Analysis shows that human actions are overwhelmingly at the heart of many vulnerabilities, and cyber attackers are activity seeking to exploit our human weaknesses to compromise target systems. Often this is through an employee being tricked using social engineering.  For example, up to 91% of cyber-attacks begin with a phishing or spear phishing email. If we can reduce our susceptibility to these attack methods, it will significantly improve our cyber security.

The act of phishing is to try and illicit a response from a person or group of people via mediums such as:

  • Email
  • Text (also known as ‘smishing’)
  • Phone calls/voicemails (also known as ‘vishing’)
  • Social media or,
  • a combination of some or all the above.

The reason why this form of attack is so successful is because the structure and content of these communications are specifically designed to prey on basic human behaviours that we all exhibit. They borrow from the same techniques that people have used for centuries to try and influence others either consciously or unconsciously.

Some examples of the techniques include:

  • An urgent request
  • Instruction from someone in authority
  • Curiosity
  • Appealing to your compassion

If the subject matter is compelling enough, it can be hard to resist the urge to carry out the attacker’s request.  This is one of the challenges for tacking threats such as phishing; we don’t see a simple every day task such as opening and responding to emails as being a threat.

To address this, there needs to be a greater understanding of what the threat is, the affect it could have, how we can help to stop it, and most importantly; to feel like we have an active part to play. Ensuring employees have responsibility for cyber security within their role is the key to staff being an active part of your cyber defences rather than a part of the vulnerability.

However, to empower that individual, you need to provide them with awareness so ensuring you have the right awareness programme in place to affect real changes to your staff’s behaviours is critical?

A good approach is to start out in a single area such as phishing and progressively expand it over time to include other areas such as password security, social media, information handling and other relevant subjects.

Technology will always your first line of defence and it is incredibly valuable in protecting your organisation from the cyber threats you face.

However, there will be times when the attackers get through and then it is up to your staff to protect you. Only once you have a cyber aware workforce with a security culture embedded within your organisation, can you be confident in their ability to be your last line of defence.

Author:

By: Daryl Flack, CIO and co-founder of BlockPhish

Website: http://www.blockphish.com/

Header with founders logos
Cyber Themes 2018 - London Digital Security Centre
MENU