The London Digital Security Centre (LDSC), along with its Marketplace partners, will be promoting our mission by providing world-class online advice and free guidance to all UK businesses over the next 12 months. We will be hosting live webinars, podcasts, blogs, video content and more throughout the year, on the most pressing cyber security challenges for businesses.
Our mission is to enable businesses to innovate, grow and prosper through improving your digital security and resilience to cyber-crime and online threats.
Cyber threats routed via the supply chain are, sadly, very real and common. In a recent speech to the CBI Cyber Conference, Ciaran Martin, CEO of the National Cyber Security Centre, advised that, “over the past two years NCSC have seen a major systemic attack on IT service providers - and through them, their clients.” And it’s not just IT service providers who are vulnerable. With many cyber criminals targeting innocent suppliers as the pathway to their intended target(s), it’s paramount that supply chain risks form part of your cyber security considerations regardless of which sector you operate in.
Many businesses assess suppliers on traditional factors such as quality, delivery times and price (or value!). Comparatively few will question their suppliers’ security controls, yet, if a supplier is the cheapest but has no cyber security, they could well turn out to be the most expensive.
There are reassuring signs that this is changing as purchasing professionals increasingly recognise the importance of cyber security in practical procurement. The Ministry of Defence (MoD), for example, will require its main supplier to have appropriate controls in place, proportionate to the risk of the respective contract. In fact, the MoD goes one step further and requires the prime supplier and their respective supply chain to have controls such as Cyber Essentials as a pre-requisite of the tender. Thankfully, many FTSE 350 businesses also recognise the supply chain threat and actively encourage suppliers to evidence cyber security certifications as reassurance.
If you’ve invested time, money and resources in your own cyber security, it’s only right that you require your suppliers to do likewise. If they have not, they are leaving a door wide open through which cyber criminals can potentially access your systems. A determined attacker who attempts to access your own data or systems directly may be thwarted by the controls you have implemented. If, however, they are resolute, they will look for alternative vulnerabilities. As security is only as good as the weakest link, this could well be via a supplier.
So, when you evaluate suppliers, in addition to asking pertinent questions regarding price, delivery, compliance with statutory requirements, environmental controls and quality policies, why not ask if they have Cyber Essentials, IASME Governance or ISO 27001?
The NCSC has a useful infographic regarding good practice when assessing supply chain risks. ‘Principles of Supply Chain Security’ classifies 12 principles under the four main headers of
You can find a copy of the guidance here.
Don’t be afraid to broach the subject of cyber security with your potential supplier. If they value your business they will listen to, and address, the factors that are important to you. By specifying security pre-requisites, you may be encouraging them to implement controls that help guard their own business against the ever-growing cyber threats. You may actually be doing them a big favour and be saving them from the expensive and damaging effects of a future cyber-attack.
Similarly, if you’re the supplier, there are considerable benefits in promoting the fact that you have cyber security certifications and controls in place. By making your current and future clients aware of your proactive approach to security, you can provide clients with added peace of mind and differentiate yourselves from the competition.
When talking of ‘supply chain’ in this article, we refer to both your own suppliers and your own business being a supplier to others. Whether buyer or supplier, there are definite business benefits to considering appropriate cyber security measures. From improving your own resilience to securing tender opportunities, investing in cyber security is investing in the future of your business.
Innovation vs. Risk
Incredible innovation across the technology space has transformed the way we communicate, conduct business, and live our lives. We are more connected than ever before, and are able to achieve near instant gratification when accessing information, making a purchase, and doing our jobs. For businesses and organisations, this revolution has brought exciting new ways to interact with the world, mobilise the workforce, and innovate at speed. It has also created a wildly diverse risk landscape that requires Security, IT, and Development teams to unite via the practice of SecOps to share visibility into their data for a stronger defence.
The Expanding Attack Surface
The modern network consists of a myriad of device types: traditional workstations, servers, and laptops through to cloud infrastructure, virtual, mobile, and the incredibly broad spectrum of IoT. Employees are often on the move, connecting to the internet from cafes, airports, and hotspots outside of the relative safety of the corporate network. Data is everywhere; we take it with us in our pockets wherever we go, and since the dawn of removable media the task of truly controlling the flow and residency of data has become almost impossible. The old world of storing information only on (maybe) access controlled file shares on physical servers, or even mainframes, is long dead. Reviewing risk in the modern network is not simple.
Eyes Wide Open
The first step in conquering this challenge is gaining visibility, as without it risk is incalculable. Live data holds the keys to the visibility castle – solid analytics capabilities can fuel ongoing operational efficiency. Risk exists across users, devices, and applications, so the reach of visibility must extend accordingly. Additionally, today’s risk will potentially be different from tomorrow’s, which means risk reviews must be dynamic in nature, otherwise teams may be left chasing ghosts. Visibility is also necessary for understanding whether remediation efforts and countermeasures are functioning correctly.
Business Context is Vital to Prioritisation
Reducing risk is not a moment in time, whether it’s the ongoing patching of vulnerable systems, updating security tools, or reviewing configurations and access rights. Prioritising what to fix, how to fix it, and when (or when not) to fix it works best when multiple factors are considered, and business context is a critical piece of the puzzle. Every organisation has a degree of uniqueness, and having the capabilities to feed IT and security tools with this valuable information will allow for better decision making.
When the Fan Takes a Hit
Discovering that incident response plans aren’t fit for purpose when they are most needed is not a fun experience. Incident response plans need regular review and, ideally, testing for weaknesses via realistic scenarios such as tabletop exercises. Threat modelling helps organisations understand what is more likely to impact them, which helps drive the documenting and testing of the response plans. Possibly most important of all, up-to-date hard copies of incident response plans must be available in case the worst happens and network access is lost. An inaccessible plan is a non-existent plan.
Reviewing your risks and your action plans
Risk assessments are not new and have been used very effectively in a number of situations, for example to reduce the incidence of serious injury in the world of health and safety. A risk assessment is often the starting point for deciding which actions to take to address the risks, thereby helping to determine cost-effective solutions to the risks an organisation faces. Many will recall the “4 Tees” ways of dealing with risk:
In the health and safety world consideration is given to potential events, their potential effect (damage) and the potential reduction of the risk by good management. In general, risk management relates to the likelihood and the impact. The greater these two are, the more likely we are to spend money and time on managing the risk. This means that in general, whilst we might consider the possibility of the devastating accident of the proverbial airplane landing on the roof of the factory, in reality, we pay little attention to it. It is recognised that, whilst it could result in a serious business impact, perhaps even business closure, the likelihood is so small it is not worth worrying about too much.
In cyber security, however, there is a slight problem with risk assessment and we perhaps need to rethink how it is done when applying it to the cyber world. The future security of a system of computers, telephones and personal devices such as phones, laptops and tablets relies on good protective measures being implemented effectively, rather than on risk assessment.
The likelihood of almost any risk caused by a cyber attack (in the broadest sense of the word) is virtually 100%. Someone at some time is likely to try to attack each and every one of the organisations connected to the internet somewhere in the world. It is true that some attacks are more likely than others, and so there is some merit in thinking about defending against those first, but to ignore others (like the proverbial aircraft crash) is a much greater risk than in other business areas.
The reason is that most cyber-attacks are relatively easy to do and, whilst there are those that require more effort, a lot of help and advice is available to achieve successful results – “crime as a service” if you will. Sending out a million spam emails may seem pointless (and costs almost nothing), but one email might generate a large sum of money and make it all worthwhile. There is also a more serious issue that the cyber world is developing new attacks all the time and so, whilst we might take actions to defend against today’s probable attacks, we have very little idea what tomorrow’s attack will look like.
So the traditional risk assessment is much less useful and indeed in many cases is not very helpful in identifying the actions to take to defend against cyber-attack. What is required is a way of determining which cyber-defence controls are the most effective against the known attacks and how well those controls are going to defend the organisation, not only against the attacks seen today, but against any attack that might be thrown at those defences tomorrow.
The Cyber Defence Capability Assessment Tool (CDCAT) was developed by the Defence Science and Technology Laboratory (Dstl) on behalf of the MOD to assess the maturity and effectiveness of the controls defending all their systems. Quick to complete, and with a fully comprehensive report produced, it can ensure the right protections are in place for any system, thereby helping to ensure the always-limited budgets are spent in the right places. This assessment can then provide the basis of the plans for the organisation to undertake the continuous improvement in their cyber security measures that is critical if they are to continue defending themselves successfully in the future.
Lead Cyber Security Assessor for APMG International.
A quick check of an online dictionary will give a definition of social engineering as something along the lines of, “the use of centralised planning to make societal changes and to regulate the development and behaviour of a society”. There is often a second definition given in the context of cyber security and that is something like, “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes”.
The former is often scary, potentially resulting in ethnic cleansing, the removal of the poor or disadvantaged, or the apparent desire to breed children with high IQ or other attributes. But the second definition should also cause us all real concern. We have all been affected by social engineering to a greater or lesser extent. We have all been asked to share a password to give someone else easier access to a document, a spreadsheet or something similar. We have all been offered rewards for entering a quiz, completing a survey or reviewing a product, and these are all examples of social engineering. Admittedly, some are fairly innocuous and we don’t mind too much, but the real problem is that we are seemingly becoming less and less able to differentiate between “acceptable” social engineering and “unacceptable” or potentially dangerous examples.
Unless we understand the risks of sharing information inappropriately, or without due cognisance of how it might be used against us, there is a significant danger of criminals in particular having the necessary tools to do us harm, usually financially. Suppose you have some junk mail inviting you to take out a new credit card. If this is stolen from your letter box or the waste bin, then with the address and perhaps a little research on social media, a criminal would have enough information to generate a new card in your name but with their address. They then receive the card and use it to buy expensive items like flights, consumer goods or fuel before the fraud is noticed. When the credit card company follows up the non-payment, it is the use of your name that gets you a bad financial record and so could cause later problems.
Criminals have plenty of time to undertake the detailed research necessary to find out who the senior people in a company might be. They will discover names and addresses, email addresses and perhaps even be able to work out (perhaps from Facebook or Instagram postings) when they are on holiday or abroad. Then an email to a junior clerk in the finance department asking for a bill, perhaps even a legitimate invoice, to be paid urgently and giving slightly different bank account details sometimes reaps huge rewards. Often the payment will be untraceable and certainly it’s unlikely to be covered by either insurance or the goodwill of the bank.
Despite cyber security being the major issue on many people’s minds, general security and the checking of standard business processes is, if anything, even more important. Having two people check major payments for accuracy, only allowing named individuals with significant experience to change a client’s bank account details, or shredding all information that could be used fraudulently, are not new processes nor are they difficult to achieve. They could be the difference between continuing in business and going bankrupt through a loss of cash.
15 Jun 18
Lead Cyber Security Assessor for APMG International.
Social engineering is a way in which people can be tricked into divulging key information or giving bad guys access to company systems without realising it. It can allow carefully considered cyber security solutions to become compromised, facilitating uncontrolled access to your systems and enabling untold financial and reputational damage!
OK, a flippant interpretation! Yet the principle and the outcomes are, sadly, true and worrying. If we consider that social engineering includes the all-too-common crime of phishing, then one begins to realise its magnitude and the importance of implementing vital protections.
The National Cyber Security Centre’s glossary carries a tighter definition for social engineering – “manipulating people into carrying out specific actions, that are of use to an attacker.” Whichever way we define it, the reality is that social engineering is a widespread crime that can cause real and significant inconvenience to an organisation.
On a basic level, organisations need to implement appropriate technical solutions to protect against increasingly frequent and sophisticated cyber-threats. Anti-malware tools, applying software updates in a timely manner (patching) and encryption, all have vital roles to play in protecting your IT infrastructure and the sensitive data within.
But, a truly holistic and effective information security package needs to combine these technical controls with pro-active governance measures. In other words, the number of incidents could be dramatically reduced by working with your greatest asset – your staff!
When it comes to tackling social engineering, the training of your staff should be the central pillar of any governance programme. It’s vital to carry out a risk assessment of your business to identify which departments present the greatest risks of social engineering and to allow you to focus resources in these areas.
An initial risk management exercise may take the form of a fake phishing campaign aimed at your employees. This will allow you, in a safe and controlled way, to identify how many and/or which of your staff/teams are particularly susceptible to phishing. From this, you may identify that certain departments or certain personnel require more focused training than others. Equally, you may review who has access to what information and decide that those personnel with access to particularly sensitive information have a more concentrated, or regular, training programme.
Training can take many guises, from general awareness programmes for all staff through to a more interactive and concentrated approach for staff who have access to more sensitive data. It may range from induction training through to annual refresher training. The package that is applicable for your organisation should account for factors such as the sensitivity of the data you hold, the exposure level of your organisation and the susceptibility of your employees to social engineering attacks.
Adopting a no-blame culture can also benefit an organisation. Social engineering is carefully crafted and cleverly disguised, so it is important to encourage staff to report immediately if, for example, they feel they may have clicked on a dubious link. You should give staff a clear point of contact for this and create a plan of action for what to do if an incident is reported. A culture of fear or blame will mean that you don’t discover a breach until several days or even months after the incident. The quicker an incident is identified, the quicker it can be addressed and mitigating actions taken.
Raising awareness of the potential pitfalls of social media should also be considered. Staff social media profiles can provide fraudsters (social engineers) with valuable clues as to the employees’ business life, which can help them to create more convincing social engineering attacks. For example, personal social media posts may openly and innocently signpost clues to employee passwords such as pet names, mothers’ maiden names, schools attended etc. They might also let people know when key members of staff are on holiday, which provides a great context for the social engineer to create a misleading email that will slip under the radar. Encouraging your staff to act securely in their home environment will provide you with the benefit of them bringing that same awareness and good practice back into the work environment.
Whilst there can be no guarantees of 100% protection, the harder we make it for the cyber-criminal, the more likely they are to move on to a softer target. The areas covered above, when used in conjunction with other measures appropriate to the individual organisation, can make a real difference; ultimately the difference between an organisation’s demise or its survival!
Risk management and training to address social engineering are key elements of any good governance standard. Both elements feature in ISO 27001 and IASME’s own Governance standard. The latter is written along similar lines to the former yet is more practical for SMEs; a copy of the question set is available via the IASME website.
Remember, your staff really are your greatest asset in this arena. With the appropriate training, they will solidify, complement and reinforce the technical measures you adopt.
Communication is key to managing a breach: before, during and after
Managing the fallout of a data breach is a team effort, making communication vital. Every employee with an email address can be targeted by increasingly sophisticated phishing scammers – making the protection of an organisation’s data the responsibility of everyone, not just the IT department. High profile cases such as Yahoo, Equifax and more recently MyFitnessPal tend to dominate headlines, but smaller businesses are at risk too. 61% of breaches in 2017 happened to businesses with under 1,000 people according to the Verizon Data Breach Investigations Report, therefore it is imperative that every organisation of any size is ready to manage a breach when, not if, it happens.
The crucial first step should be taken before a cyber attack has even happened. Communication can become difficult when ransomware has blocked access to email, so having incident management conversations before a breach happens can help facilitate a swifter response. Channels of communication need to be open between IT, HR, legal, financial and customer service departments as a part of preparing for a breach. Having a cross-department team with clear leadership ready to deal with a cyber attack is the best way to ensure a successful response.
However, planning for a breach is not always enough. When your cyber defences have been compromised, communication is still the most valuable tool to make sure your best laid plans do not go awry. Again, without access to emails, you will need to ensure that you have an independent channel of communication and access to the details of everyone you need to get in touch with, both internal and external contacts (suppliers, third party IT specialists, clients etc).
Once the facts have been established and shared with employees and the technical steps of disaster recovery are underway, the next phase of managing the breach is communication with the outside world. GDPR comes into effect this May, and introduces “a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.” Failure to notify the ICO of a breach can land you with fines of 2% of your global turnover or €10 million, so missing this key piece of communication could be a costly mistake. Also set out in GDPR is the need to communicate the breach with all of your stakeholders, customers and whoever else may have been affected.
The goal when alerting people to the data breach is to give apologetic, honest communication to your organisation’s wider community of customers and stakeholders. Take responsibility, be transparent about the steps you did take and are taking to minimise the damage, and be an active presence in the media, including social media. All of these steps are, of course, much easier and smoother if they have been pre-planned and the resources (e.g. press statements) shared with all staff according to a communication plan.
Although no plan is ever perfect, and cyber attacks are increasingly engineered to get past our careful planning, communication plays an all-important role in managing every stage of a breach. The best incident management happens long before the incident does. Clear, fast communication is the key to ensuring your people are empowered to give an effective, professional response that could protect your reputation and assets following a breach.
A potentially more secure future via Blockchain
Your digital identity is the gateway to your data and, increasingly, this includes most facets of your everyday life, whether it’s your social media accounts, bank details, chat history or your shopping habits.
With so many accounts to manage and protect, maintaining constant access across multiple devices whilst keeping them all secure can be a complex task.
With data more valuable than ever, these large collections of personal information are very attractive targets to criminals.
Recent breaches show that vital personal information for vast numbers of people often gives hackers the key information they need to unlock access to even greater volumes of data or, even worse, the ability to use a victim’s identity.
So, what is the answer? Well, one answer gaining more credibility is to move the control of identity information from the companies to us as individuals, giving us the ability to control which aspects of our personal data are used and when.
To achieve this, two things are needed:
To achieve the first, a simple and well-understood approach can be used: hashing. Hashing is a mechanism used to generate a value from some existing information, using a mathematical function. If you were to change any of the original information and rerun the hash, it would output a hash completely different from the original.
Hashing is also a one-way function, meaning that reversing it is virtually impossible. This, therefore, makes hashing an effective mechanism for hiding underlying data whilst ensuring it hasn’t been changed in transit.
By utilising a hash of your identity, it’s possible to authenticate yourself without revealing the personal data you used to create it. This protects the security of your data.
Creating a hash of an identity is not very useful, however, if no one can use or interact with it. This is where a secure, ubiquitous, transactional system is required and a relatively new one is showing signs of being a good candidate: Blockchain.
A ‘Blockchain’ allows parties to transact securely without any third-party involvement, removing the need for complex (and sometimes costly) intermediaries to enable direct peer-to-peer interaction.
Each transaction is independently verified before it makes it on to the Blockchain ledger, which means there is no centralised authority and thereby no single point of failure. This decentralisation is one of the potential benefits from a security perspective. Once the data has been entered into the blockchain, no one can change it, and so it provides verifiable proof of the integrity of the transaction. It also removes the need for human involvement, thereby eliminating the need for passwords.
By combining a digital identity verification service using hashing with the decentralised blockchain principle, a digital ID can be created from either all or parts of your ID which can then be used to transact for services. For example, you could just authorise the hashed part of your ID that provides your age for purchasing alcohol or just your address for having goods delivered to your home from a courier.
With both a verified ID to authenticate against and a secure platform to transact with, there is no need for your personal information to be disclosed; you just need to set the conditions of what you want to authorise, when you want to authorise it and to whom.
Whilst large-scale adoption and interoperability of verification services using Blockchain is yet to take place, the ability to build services into blockchains is becoming more ubiquitous and some companies are already selling ID services in this area. Therefore, don’t be surprised if you start to see accelerated progression towards self-managed digital IDs soon, especially with GDPR just around the corner.
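The two properties the article relies on, that changing any input produces a completely different hash, and that a hash can be checked by a verifier without the underlying data being revealed up front, are shown below in an added Python example. It is not code from the original article or from BLOCKPHISH, and it uses a constructed identity record and a salted SHA-256 commitment (one per attribute) as an assumed design for the “hash part of your ID” idea, so that the holder can disclose just one attribute, such as an over-18 flag, and the verifier can recompute the hash. It goes slightly beyond the text by adding a per-attribute random salt, because a hash of a low-entropy value such as a date of birth is otherwise guessable.

```python
import hashlib
import hmac
import secrets

# Constructed sample identity record (assumption for this example, not real data).
# "over_18" is a value the holder derives from the date of birth so that age can be
# proven without revealing the date itself.
IDENTITY = {
    "name": "A. Example",
    "date_of_birth": "1990-04-12",
    "over_18": "true",
    "address": "1 Sample Street, Sampleton",
}


def sha256_hex(data: bytes) -> str:
    """Hex digest of SHA-256 over the given bytes."""
    return hashlib.sha256(data).hexdigest()


def avalanche_demo(original: str, changed: str):
    """Hash two inputs and count how many of the 256 output bits differ.
    A one-character change flips roughly half of the bits."""
    h1 = sha256_hex(original.encode())
    h2 = sha256_hex(changed.encode())
    diff_bits = bin(int(h1, 16) ^ int(h2, 16)).count("1")
    return h1, h2, diff_bits


def commit_attributes(identity: dict, rng=secrets.token_bytes):
    """Create one salted commitment per attribute.

    The holder keeps the salts private; only the commitments would be
    published (e.g. written to a ledger). `rng` is injectable so tests can
    be deterministic; production code should keep the default."""
    commitments, salts = {}, {}
    for key, value in identity.items():
        salt = rng(16)
        salts[key] = salt
        commitments[key] = sha256_hex(salt + f"{key}={value}".encode())
    return commitments, salts


def disclose(identity: dict, salts: dict, attribute: str) -> dict:
    """Holder reveals a single attribute and its salt, nothing else."""
    return {
        "attribute": attribute,
        "value": identity[attribute],
        "salt": salts[attribute],
    }


def verify_disclosure(commitments: dict, disclosure: dict) -> bool:
    """Verifier recomputes the hash from the disclosed value and salt and
    compares it with the published commitment in constant time."""
    expected = commitments[disclosure["attribute"]]
    preimage = disclosure["salt"] + f"{disclosure['attribute']}={disclosure['value']}".encode()
    return hmac.compare_digest(expected, sha256_hex(preimage))


if __name__ == "__main__":
    h1, h2, bits = avalanche_demo("1990-04-12", "1990-04-13")
    print(f"one-character change: {bits} of 256 output bits differ")
    commitments, salts = commit_attributes(IDENTITY)
    proof = disclose(IDENTITY, salts, "over_18")
    print("verifier accepts over_18 proof:", verify_disclosure(commitments, proof))
    print("verifier never saw date_of_birth:", "date_of_birth" not in proof)
```

The verifier only ever receives the one attribute the holder chose to disclose, its salt and the published commitment; the other attributes stay hidden behind their own hashes. Without the salt, anyone holding the published hash could test candidate values for a low-entropy field such as a date of birth until one matched, which is why the salt is generated with a cryptographic random source and kept by the holder.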
Daryl Flack, Co-Founder & CIO, BLOCKPHISH
Typical Issues Around End of Life Asset Disposal
This time of year is the period when many organisations dispose of their company’s old assets so that budgets can be spent before the end of their Financial Year.
There is always a desire to get new Information Systems up and running as quickly as possible so that the benefits of using them can be realised and a return on investment achieved. This means that the focus particularly of the IT department may be on the shiny new computer systems rather than on the old ones that are being ripped out to make way for them.
The fact that end of life IT systems can contain sensitive data which either belongs fully to the organisation or may be about their customers and users is often overlooked. The temptation is to dispose of the old equipment as quickly as possible in order to free up available space particularly in busy and city centre offices. Because of its nature, this task is frequently delegated down the organisation hierarchy to a level where the individual organising the disposal may not be aware of all the risks involved.
The temptation is to take a quick look online and find the company offering the cheapest price available to dispose of the old equipment. There is an inherent danger here. Even companies that offer bargain basement rates for disposal need to make their crust somehow – and so they do this by reselling as much of the kit as they can to second-hand users often with little or no regard for the data that may still be on the devices.
Even those who understand that a desktop computer or laptop will contain sensitive data on their hard drives often may overlook the data held on other devices such as photocopiers, fax machines and printers. Many multifunction devices contain a computer hard drive which retains a soft copy of all of the documents it has ever scanned, printed or faxed.
The data stored on IT equipment is usually the most sensitive held by an organisation. Its existence, location, storage and destruction should be managed as a controlled process with director level oversight.
The need for this is heightened by the General Data Protection Regulation being enacted in May 2018 which will dramatically increase fines for companies who suffer data leaks by failing to dispose of their old data bearing assets in an appropriate manner.
Secure disposal of end of life assets should be managed with a full audit trail of all the assets being disposed of. One should search for a company which is independently accredited – ideally by an HM Government body such as the Ministry of Defence. The chosen supplier should explain clearly exactly how data will be destroyed, for example by shredding, overwriting with software or degaussing (demagnetising), and the ultimate outcome/destination of your old assets in terms of recycling. The supplier should also carry professional indemnity cover of at least £1 million to underwrite its service offering. For more information see www.dataeliminate.com.
By Julian Fraser, Director, Data Eliminate Ltd
Podcast by: Data2Vault
Behaviours & Devices
For decades businesses have been using tape backup as a way of preventing their data being lost. From the smallest to the largest businesses, data backup is consistently budgeted as a “keeping the lights on” item.
Tape has been the media of choice for data backup since the 1960s. During the 1980s tape started to find its way into mainstream use, with the Walkman and VHS or Betamax video. Over the last 10 years consumers have rapidly adopted iPods and iPhones and Sky+ or TiVo, abandoning tape, but the IT industry has doggedly retained its reliance on tape as a backup, or more latterly a Disaster Recovery, media.
The digital world is changing fast, digital data volumes are growing by 42% per annum (according to IDC research), regulations to protect data are already in place, and with GDPR the regulations and penalties are being strengthened. Critical business data is being held across a mixture of Cloud services, on-premises systems and mobile devices, all this adds up to a data protection landscape that is becoming much more complex for businesses to address.
Most businesses are not aware that cloud application providers, like Microsoft with Office365, Salesforce and Google, do not back up your data in their services. The protection of the data is the responsibility of the customer.
Even as many organisations move to local disk based backup devices, backup tapes are still being used to move a daily or weekly copy of the latest data offsite, for Disaster Recovery purposes. These systems typically make use of image backup, snapshots of the whole application or virtual machine, which is ideal for rapid restoration to get the business back up and running. But with GDPR, organisations need to be looking at how all personal information is stored and managed. Image and snapshot backup does not easily allow the identification and deletion of individual files related to a person, now that the right to be forgotten is incorporated into GDPR.
The continued use of tape media and the associated human intervention to handle, transport and store backup tapes create a huge vulnerability. Eliminating tape can significantly improve recovery rates and reduce recovery times.
Flexible Data Protection services that offer both image backup for rapid Disaster Recovery and granular recovery of individual files, emails or mailboxes, together with long-term retention and protection of data in Cloud applications, will become the standard. When you add in Data Loss Insurance cover from £1,000,000, all delivered within a certified security environment supporting GDPR compliance, Advanced Data Protection is available today.
The old way – tape, insecure in clear text, transported, stored and recovered manually, and image-based backup for long-term retention.
The new way – Advanced Data Protection: integrated Disaster Recovery and granular file backup for long-term data retention. Secure, automated, with Data Insurance.
Mark Savile, Director, Data2Vault
Podcast by: DataEliminate
With the worst of the winter hopefully behind us, thoughts naturally start turning to Spring: a time for throwing out the old to pave the way for the new.
For businesses, many of the new challenges will unfortunately come as an addition to the old and not simply as a replacement. Amongst the new challenges will be the General Data Protection Regulation (GDPR). Remaining as an old challenge is the very prevalent cyber threat.
At first glance, GDPR and cyber threats appear very separate. They are, however, linked. In fact, in a speech at the CBI Cyber Conference last year, the Information Commissioner described cyber security and data protection as being ‘inextricably linked’. So, if we can link challenges, maybe there is the opportunity for businesses to take a new approach to addressing them.
Debate as to who holds responsibility for IT security is not new. Is it purely the responsibility of the IT team or does it lie with the Company Directors? With each party putting forward numerous, yet reasoned, arguments, the detail of the debate is a subject for an altogether different blog.
Yet, however good the assertions of both sides, the most practical solution is for both parties to share responsibility. After all, IT can’t implement appropriate defences without the support of the Board and the Board cannot make informed decisions without the expert input from IT. As the cliché goes, ‘a problem shared is a problem halved’!
Accountability is actually much wider than a simple bi-partisan relationship with responsibility for cyber security falling to all employees. The best security, jointly agreed by IT and the Board, becomes worthless if a simple click on a fraudulent link bypasses considered security measures.
A new culture which includes awareness training for all staff may prove a valuable benefit for any organisation. If training can work in partnership with a ‘no blame’ culture then all the better. Encouraging staff to report an erroneous click on a suspicious link enables investigation and positive action to be taken, hopefully before it is too late.
A proactive approach to cyber security may also form part of a new culture for many organisations. Unfortunately, too many businesses have placed cyber security on the ‘too complicated’, ‘too expensive’ or ‘it will never affect us’ pile, only to address it once an incident has occurred. As those businesses will testify, that is the point at which it is too late, and the very point at which it does become inconvenient, complicated and expensive.
Improved security doesn’t have to be complicated and can be built into everyday good business practice. The Government-backed Cyber Essentials guides businesses to address areas that can protect against 80% of online threats. With the addition of good information governance, such as IASME Governance, which also includes a GDPR readiness assessment, even greater protection can be achieved.
So, whilst this Spring, we may face new business challenges, we can introduce a new culture for the benefit of the whole organisation. Cyber security has as important a role to play in business as any other function. With the right measures in place, a business can solicit new opportunities whilst simultaneously protecting what it has worked so hard to achieve. Get it wrong and the effect on a business can be devastating.
GDPR provides us with the perfect opportunity to ensure the protections we currently have in place are appropriate and facilitates the perfect excuse to make any necessary changes to business practice and business culture.
By: Chris Pinder, IASME
Analysis shows that human actions are overwhelmingly at the heart of many vulnerabilities, and cyber attackers are actively seeking to exploit our human weaknesses to compromise target systems. Often this is through an employee being tricked using social engineering. For example, up to 91% of cyber-attacks begin with a phishing or spear phishing email. If we can reduce our susceptibility to these attack methods, it will significantly improve our cyber security.
The act of phishing is an attempt to elicit a response from a person or group of people via media such as:
The reason why this form of attack is so successful is because the structure and content of these communications are specifically designed to prey on basic human behaviours that we all exhibit. They borrow from the same techniques that people have used for centuries to try and influence others either consciously or unconsciously.
Some examples of the techniques include:
If the subject matter is compelling enough, it can be hard to resist the urge to carry out the attacker’s request. This is one of the challenges in tackling threats such as phishing: we don’t see a simple everyday task such as opening and responding to emails as being a threat.
To address this, there needs to be a greater understanding of what the threat is, the effect it could have, how we can help to stop it and, most importantly, to feel like we have an active part to play. Ensuring employees have responsibility for cyber security within their role is the key to staff being an active part of your cyber defences rather than a part of the vulnerability.
However, to empower that individual you need to provide them with awareness, so ensuring you have the right awareness programme in place to effect real changes in your staff’s behaviours is critical.
A good approach is to start out in a single area such as phishing and progressively expand it over time to include other areas such as password security, social media, information handling and other relevant subjects.
Technology will always be your first line of defence, and it is incredibly valuable in protecting your organisation from the cyber threats you face.
However, there will be times when the attackers get through and then it is up to your staff to protect you. Only once you have a cyber aware workforce with a security culture embedded within your organisation, can you be confident in their ability to be your last line of defence.
By: Daryl Flack, CIO and co-founder of BlockPhish
Company Number : 09639299
Address : One Wood Street, London,
United Kingdom, EC2V 7WS.