Information Security Archives - City Security Magazine
https://citysecuritymagazine.com/category/cyber-security/information-security/
News and advice for security professionals
Fri, 22 Apr 2022 10:21:09 +0000

Information Protection Strategy for Security Service Providers
https://citysecuritymagazine.com/cyber-security/information-protection-strategy-for-security-service-providers/
Wed, 13 Apr 2022 10:18:00 +0000

Keeping data out of harm’s way: information protection strategy for security service providers

Protecting personal information has never been more important and organisations must implement robust operational policies to keep sensitive data safe and secure.

A clearly defined and continually improving information protection strategy is central to effective risk management and demonstrates that a security services provider operates to the highest possible standards.

The volume of global data has increased exponentially over the last decade and this trend is set to continue. Not surprisingly, it is now considered an asset and a key element in the operation of modern businesses.

Organisations of all sizes are therefore becoming increasingly aware of the importance of data protection and the serious adverse consequences that can result from the disclosure of confidential information.

Up close and personal

A recent Axway survey revealed that 85 per cent of respondents had serious concerns over how their data is stored and secured, while 53 per cent said a data security incident would be a reason to end the customer relationship. All data that relates to an identifiable individual that a business stores or handles therefore needs to be protected. This includes names, addresses, emails, telephone numbers, bank and credit card details, as well as information regarding ethnicity, religious and political beliefs, health and sexual orientation. This doesn’t just apply to employees but customers too.

With the greater use of technology within security services provision, it’s not just CCTV footage that has to be considered either. The use of biometrics is coming under intense scrutiny, as it uses face, fingerprint, voice, signature, DNA, iris pattern and even whole body recognition. Such uniquely personal information clearly needs to be handled in a way that does not compromise privacy.

Fine time

Those responsible for collecting and using personal data now have to follow strict rules. The Data Protection Act 2018 – the UK’s implementation of the General Data Protection Regulation (GDPR) – controls how personal information is used. In the event of a breach the financial penalties are significant. The higher maximum amount is £17.5m or four per cent of total annual worldwide turnover and affected customers can, in some cases, pursue financial compensation.

No organisation falls outside the scope of the Data Protection Act 2018. In late 2021 the Information Commissioner’s Office (ICO) fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online. It was found guilty of failing to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of information.

Policy document

In addition to ensuring that any security risks, threats and vulnerabilities are identified, prioritised and managed, it’s important to demonstrate to customers, third parties and internal stakeholders that their data is protected. This also helps to protect intellectual property and reduce the cost of downtime from data breaches, while offering a competitive advantage that can help maintain and win new business.

Avoiding the possibility of information being compromised cannot be left to chance and requires strategic planning, which is why organisations should configure a corporate data protection policy to set out how they protect personal information. It is a set of principles, rules and guidelines that informs how ongoing compliance with data protection laws will be achieved and how data is consumed, managed and stored.

Number crunching

One of the most effective ways to put a data protection strategy in place is via United Kingdom Accreditation Service (UKAS) certification to ISO 27001 – the international standard for information security management systems (ISMS). It is simply the most rigorous standard of its kind and covers cybersecurity, physical security and everything in between. Certification is tough to achieve and requires genuine and demonstrable commitment throughout all aspects of a company’s operation.

ISO 27001 certification provides a comprehensive framework that facilitates the continued accessibility, confidentiality and integrity of information, as well as legal compliance, continual improvement, and corrective and preventive action. It comprises a six-part planning process – define a security policy, define the scope of the ISMS, conduct a risk assessment, manage identified risks, select control objectives and controls to be implemented, and prepare a statement of applicability.

Safety first

Those looking to procure security services need to ascertain how their prospective partner will protect their information. ISO 27001 certification serves as an excellent starting point in the selection process and, given the importance of robust information management, should be considered a prerequisite.

How seriously a company takes the issue can also be highlighted in its internal structure. For example, investing in a dedicated data protection officer who initiates and promotes best practice and understands the latest legislation in this area is a good sign that an organisation will take a similar approach with its customers. It is also worth checking to see if a potential supplier has a clearly defined and articulated privacy policy on its website. This should evidence how it uses personal data, confirm regulatory compliance to the wider privacy agenda and form an integral part of the overall risk management process.

Not worth the risk

The loss of personal information can lead to operational downtime, reputational damage and financial penalties – any of which could harm business continuity and even put an organisation’s very existence in jeopardy. With this in mind, a rigorous, dynamic and continually evolving information security management strategy should be a vital element of any security services provider’s business model and approach to risk management.

Barry Spriggs, Data Protection Officer, and Darren Salmon, IT Director

Wilson James

www.wilsonjames.co.uk

Information confidentiality post lockdown
https://citysecuritymagazine.com/cyber-security/information-confidentiality-in-the-post-lockdown-world/
Wed, 25 Nov 2020 08:46:47 +0000

Information confidentiality in the post-lockdown world

Until recently, most nations and corporations around the world were living with different threat and risk profiles. This year, we are all dealing with a global pandemic which is having a wide-reaching impact and threatens life as we know it.

In the realm of security, the facets of this threat have become clearer over recent months and especially so as we’ve navigated periods of lockdown.

Here we explore some of these threats, consider whether COVID-19 has simply unveiled them or indeed created them, and examine how this specifically affects the confidentiality of our information.

China & Russia – the dual threat to national security

China’s role in the discovery of COVID-19 will be scrutinised over the months to come, but in the meantime, suspicions and conspiracy theories swell as we tot up the reports of cyberattacks, foreign agents and espionage cases across the globe. The decision by the UK government to follow the US’s decision to remove Huawei’s 5G infrastructure is seen by many as an affirmation that China-UK relations are at a crossroads as we assess China’s influence and interwoven reach into our nation.

At the same time, we’ve also gained affirmation of the threat posed by Russia. The publication of the Russia Report confirmed what we all knew – Russia poses a threat to UK national security – while also exposing the fundamental error in countering the threat: essentially, no one is doing so as they don’t feel it is their responsibility. On a strategic level, the need for a more unified, simplified and internationally connected model of national security management is the key takeaway and we can see how this would benefit when tackling other threats.

Protecting the search for a vaccine

Health terrorism is not new, but it has really come to the fore with the search for a COVID-19 vaccine. Pharmaceutical industry espionage has been well-documented, more so now as the NCSC issues reports of Russian hacking attempts.

The sharing of incident reports and the ensuing ability to leverage a holistic view of the threat will play a big role in being able to identify health terrorism and counter it effectively. It’s interesting, some say disappointing, how the race to a vaccine for the health of the world has fast become one governed by economic market factors and purchasing power. It remains to be seen whether any cohesion will be achieved.

A rush to lockdown

In the corporate environment, the period of lockdown has proven especially challenging to information security. For those organisations who weren’t already set up for remote working or hadn’t prepared a response as part of a business continuity plan, there was a rushed shift to full remote working.

Recent reports have highlighted poor IT practices, and the need to educate home workers, resulting in reams of guidance on safe remote working practices from institutions such as the NCSC and CISA. The lockdown of offices and working environments has also created the perfect opportunity for adversaries to carry out targeted technical attacks, including the installation of eavesdropping devices.

Home office security

An increased level of remote working makes it necessary to review home offices for the level of protection they offer to confidential conversations, in the same way as secure office spaces such as boardrooms. More C-suite and senior executives are working from home than ever before, so conversations on highly sensitive topics such as restructures and mergers have now moved to home offices. In addition, those working in industries or roles which require confidentiality by their very nature have had to decamp from their protected working environments.

There has been an increase in residential survey requests. However, assuring confidentiality is – and always has been – a holistic affair. The detection of electronic eavesdropping threats, which many assume Technical Surveillance Counter-Measures (TSCM) constitutes, is only one element; for true protection, an evaluation of both the physical and cyber vulnerabilities and a strategy and measures to defend against these in the most effective way possible are needed.

Adapting to a new post-COVID-19 world

In order to stay competitive, we must consider how we continue to protect our information and conversational data. In security, we are intrinsically primed to understand and assess the threat to ensure we are prepared for the unpredictable, so arguably we are already well placed to support our organisations and colleagues to combat the threat posed by COVID-19.

With many companies now signalling a move to complete or increased remote working in the long term, there is now the need to consider how best to both maintain a high level of alert by employees and train them on the new threats which emerge. As the timeline of the pandemic has developed, the threat of malicious cyber activity has increased exponentially with attackers exploiting COVID-19 as a means of gaining access to information and financially scamming businesses and individuals.

Arguably then, there is a significant need to support colleagues with security training and security awareness briefings, and the market for effective virtual training and tailored awareness briefings is only set to grow.

As the economy takes a downturn, previous experience of recessions tells us that these times of increased personal and professional stress and uncertainty generate a higher level of insider threat. An incident of social engineering has already hit the headlines recently with the hack at Twitter, and there is no doubt that adversaries will be looking to prey on employees’ vulnerabilities for their own gains.

A combined programme of system and information access review, monitoring and recording, as well as education and timely employee leaver access revocation protocols will help to protect your most valuable assets.

Esoteric Ltd has a series of four content guides available on its website to help organisations to protect their confidential information during COVID-19 and beyond, featuring practical tips and guidance for security professionals.

The guides can be downloaded via https://www.esotericltd.com/register-for-covid-19-security-guides/

Emma Shaw CSyP

www.esotericltd.com

Managing the insider threat
https://citysecuritymagazine.com/cyber-security/managing-the-insider-threat/
Mon, 02 Sep 2019 08:30:33 +0000

Managing the insider threat

There is much talk in the cyber security world about what is termed the insider threat. To those not in the know however, the term can be misleading and conveys different things to different people.

The ‘Insider Threat’ is simply someone who works within your company or organisation who has access to your systems and your data, combined with the recognition that there is a risk or a threat associated with that access.

The insider threat is made up of four groups of people:

  • The Malicious Insider
  • The Flight Risk
  • The Unwitting Insider
  • The Un-Trusted Insider

The Malicious Insider

The risk posed from a ‘Malicious Insider’ is, compared to the others, quite minimal. It’s the person who wants to do something bad with your data, your clients or your company assets. The reality is that thankfully, there are relatively few of these people around.

The Flight Risk

The ‘Flight Risk’ is the employee who has secured a job with a competitor or who may want to set up their own business in competition with yours, and in doing so use your data or your intellectual property in this new business venture to give them a head start – at your expense.

The Unwitting Insider

The ‘Unwitting Insider’ is the biggest risk. It is, for example, the person who mistakenly cc’s your entire client list to everybody else on that list, instead of bcc’ing them.

Or it’s the employee who finds a USB stick in a communal area and decides to plug it into their desktop machine, in a kind act to find out who it belongs to, and in so doing inadvertently infects your systems with what was either a ‘planted’ device or simply an infected one.

The Un-Trusted Insider

The ‘Un-Trusted Insider’ might be the IT person you ‘let go’ last month, but because you were being nice, you allowed them to finish out the working week before restricting or terminating their access, during which time they created a backdoor into your systems, using false credentials, or they changed the system settings, deleting your backups. Or they planted malicious software in your systems, with a time delay, set to activate a few weeks after they have left and after everyone has forgotten about them.

So, how do we deal with the insider threat?

Fundamentally, it’s about:

  • Building security into the entire employment life-cycle.
  • Pre-employment screening, onboarding, introduction and socialisation.
  • Recognising changes in employees’ personal circumstances.
  • Emphasising the importance of culture, reporting and communications.

Insider Threat Management incorporates performance management, supervision and staff appraisals. It’s about having exit strategies and procedures to deal with termination of employment (a termination checklist, for example).

Managing the supply chain

A recent survey (Cyber Readiness Report 2019) by insurer Hiscox identified that supply chain incidents are now commonplace, with nearly two-thirds of firms (65%) having experienced cyber-related issues in their supply chain in the past year.

This means Insider Threat Management is also about the integrity of your suppliers, contractors and other third parties, making sure that they treat your data, or your clients’ data, the way you or, perhaps more importantly, your clients would expect it to be treated.

Unhappy employees

One of the biggest factors in mitigating the insider threat is methodically treating all employees with fairness and transparency, working to avoid any form of ‘disgruntlement’ in the workforce.

The disgruntled employee is ‘home-grown’. They don’t join a company being disgruntled, and they don’t become disgruntled overnight. They are made, over a period of time, and they can be identified.

Everyone knows an employee who is unhappy at work or struggling with personal issues. Someone looking for another job. We all know who the bad managers are. These are some of the warning signs for a potential insider risk. It doesn’t mean to say that any of these people will become a threat. It just means that there is an increased risk of threat. Your ability to manage this risk is about having visibility of the risk.

An integrated approach

You need to be able to profile user behaviour and map it against the vulnerabilities in your organisation. This visibility also includes knowledge of your employees’ well-being, gained through a welfare support programme combined with a whistleblowing facility.

When this is all integrated within a properly structured and recognised security and business resilience or continuity framework such as ISO27001 and ISO22301, combined with risk profiling, user awareness, and organisational mapping, you are then able to work out the ‘context’ of that behaviour. And it is context that is the key to managing your insider threat.

Put simply… you need to know what your employees are doing with your data and why.

Gary Peace

CEO & Founder ESID Consulting,

Specialising in Insider Threat, Cyber & Information Security.

www.esid.co.uk

Four steps to cloud security for business
https://citysecuritymagazine.com/cyber-security/four-steps-to-cloud-security-for-business/
Mon, 05 Aug 2019 08:30:23 +0000

Four steps to cloud security for business

Business cloud services can provide access to data and applications at all times from any location, bringing great commercial benefits.

But does this mean cloud security considerations can lag behind?

Three of the most profitable and valuable companies in the world – Amazon, Microsoft and Google – all operate in the cloud sector. For the largest of these, Amazon, their business cloud services platform – AWS (Amazon Web Services) – delivers their greatest growth and now accounts for over half of Amazon’s revenue. Similar stories pervade at Microsoft, with the growth of Microsoft Azure and Office 365, with over 31 million paying subscribers and growing exponentially.

On average we will find in excess of 1,000 cloud applications in use across a medium-sized business, with many employees using at least 30 applications per month, often sharing the same password across multiple applications and users.

The workplace is no longer a place

People work differently today, expecting to work from any place, at any time and on any device, sharing information and collaborating in real time and accessing and sharing sensitive data in the process in order to get the job done.

Remote access to data – yesterday and today

In the past, access to data was controlled mostly by IT and stored inside a protected perimeter. Remote access to the data was permission-based and almost always through a VPN. Threats were focused on the network and endpoint. With a defined perimeter, IT was able to tightly control access to data and assess the risk.

Fast forward to today… with over 50% of access to business applications happening off network, remote access is expected and visibility into these applications is limited. The focus in many businesses is on speed to market, collaboration, sharing and business enablement, with security considerations often lagging behind.

Security – a shared responsibility

While many of the major cloud service providers, such as Amazon, Microsoft and Google, throw huge amounts of resources and money at cloud security, it is the customer that is responsible for securing their data in the cloud environment and for ensuring compliance of that data. Ultimately, it’s the customer who is liable for the financial and brand damage caused by any data security breaches. The cloud service provider protects the infrastructure; how you protect access to and control of the data inside the platform is your concern.

Responsibility throughout the organisation

Cloud security isn’t just an IT problem; it concerns all levels of the C-Suite: the CEO who is looking to drive innovation; the CFO (Chief Financial Officer) who is trying to control costs and utilise resources efficiently; the DPO (Data Protection Officer) or General Counsel who is concerned about compliance and regulations such as GDPR, PCI or the FCA, as well as understanding what Intellectual Property the company needs to protect; the CMO (Chief Marketing Officer) who is concerned about protecting the brand; the CIO (Chief Information Officer) who is trying to deliver a platform to keep pace with innovation; and finally, the CISO (Chief Information Security Officer) who needs to remain compliant.

Four steps to cloud security

To understand what you are really up against when it comes to cloud security, it is important to undertake a Cloud Risk Assessment for a 360-degree view of your business’s cloud presence across both your sanctioned and unsanctioned applications.

This will enable you to identify threats to your data security, make sure you’re compliant with industry regulations and identify compromised accounts and malware infections.

You can incorporate this Risk Assessment in a four-step process, closely aligned to Gartner’s 4 pillars of Cloud Security, to become cloud confident:

  • Discovery: identify the true costs and risks you face – including unsanctioned and shadow IT that will compromise security, harm your reputation and impact on profits.
  • Awareness: create the right cloud access, usage and security policies – and educate your people on the threats faced, raising awareness and changing behaviour.
  • Control: police and enforce your cloud access and security policies; monitoring, management and alerts to take action quickly and ensure regulatory compliance.
  • Confidence: ongoing scrutiny and regular refresh of your cloud access, security and data protection policies through a cost-effective managed service.

Summary

The Cloud provides business with many well documented advantages, ranging from cost reduction to increased agility and productivity. This enables businesses of all sizes to be competitive by providing enterprise technology for everyone. For most businesses, it is already an important part of their day-to-day operations, and it is estimated that over 90% of businesses are already adopting the Cloud in one form or another.

This could be for basic email services such as Gmail or Office 365, document storage such as Dropbox, online accounting and expenses such as Xero, right the way through to complex HR and CRM systems such as Workday and Salesforce.

However, with the many advantages offered through cloud adoption, it is important businesses are aware of the associated risks and take steps to control or mitigate these risks where appropriate.

Paul Richards CCSP

Director of Technology

EveryCloud Security

www.everycloud.co.uk

What is phishing and how does it work?
https://citysecuritymagazine.com/cyber-security/what-is-phishing-and-how-does-it-work/
Tue, 02 Jul 2019 13:43:16 +0000

What is phishing and how does it work?

You wouldn’t let a thief enter your home, but what if the thief was masquerading as someone familiar, such as a postman, and tricked you into opening the door? Phishing works in a similar way – people open the doors to their personal data, giving up login details, passwords or even payment details to malicious e-mails, links or websites designed to look like they’re authentic. That information can then be used to commit fraud and cyber crime.

Holy Mackerel – Phishing is a huge problem

Phishing attacks are a common security challenge that both individuals and companies across the UK face on a regular basis. Verizon’s 2018 ‘Data Breach Investigations Report’ showed that more than 90% of all malware is still delivered to victims via email. Between April 2018 and March 2019, social media and email account compromises were the most reported form of cyber crime to Action Fraud with victims losing a combined total of £19m – our analysis shows that phishing emails were a common enabler for these compromises. That’s why on National Fish and Chip Day (7th June) City of London Police’s Cyber Protect team worked alongside police forces across the UK, Government departments and industry partners to deliver a national campaign on how people can protect themselves from phishing.

Beat scam calls and messages – here’s how. 

Some of the most reported scams to Action Fraud start with an unsolicited text, email or call. From emails and text messages asking you to “verify” account details to cold callers claiming to be from your bank, the goal of a phishing attack is usually the same, to trick you into revealing personal and financial information.

Criminals are constantly evolving the tactics they use to carry out these phishing attacks, which is why it’s sometimes difficult for people to know what to look out for. We’ve got some simple advice that can help you protect yourself from most of the common attacks – don’t click on the links or attachments in suspicious emails, and never respond to unsolicited messages and calls that ask for your personal or financial details. It’s as simple as that. If you think the communication might be genuine, then contact the company directly using contact details you know to be correct, such as the phone number on official correspondence, and never the contact information provided in the message.

For more simple tips on how to protect yourself online, visit cyberaware.gov.uk. If you have been a victim of fraud or cyber crime, report it to Action Fraud at actionfraud.police.uk.

Combating digital threats with open source investigation
https://citysecuritymagazine.com/cyber-security/information-security-open-source-investigation/
Sat, 06 Oct 2018 09:31:50 +0000

Combating threats in a digital age

In an era of considerable social and digital growth, the world’s largest community is no longer only land-based. It exists online too.

Marketing and PR have embraced the world of social media and the Internet; however, in my view, the security industry is only just starting to penetrate these channels, having fallen a little behind in this field.

The security industry collectively has made some progress towards digital resilience; however, standards are now in need of development. Investment and high level solutions are required to truly mitigate and understand imposing threats.

When we think of digital threats, we immediately think of cyber threats: ransomware, viruses and malware. Globally, companies have invested significantly in tackling these ever-growing battles. But why stop there?

From a personal perspective, I’ve dedicated my career to understanding and investigating the social aspect of online activity. Generally, I have found that organisations are wary of combating the Internet or investing their time and finances into the area, because they don’t fully understand it.

Generations of people, worldwide, have access to the Internet to communicate and socialise through social media. Therefore, a greater focus on these platforms is needed to combat potential new threats.

Open source investigation

Law enforcement agencies understand that intelligence can be gleaned through open source investigation. Though the security industry has made some headway in this arena, I have found that many organisations can do a lot more to investigate this pool of information.

Social media platforms are a primary source of communication for many, meaning there is an enormous amount of information and intelligence in the cyber sphere. People report suspicious behaviour, post images and videos of terror attacks, acid attacks and a whole host of interesting topics; they even report 101 information to the police through social channels.

So, what does open source investigation bring to the table? In the first instance, we can begin to combat the dreaded Insider Threat, providing an enhanced level of vetting for particular roles that have a heightened requirement for discretion.

It is widely understood that companies look at an applicant’s overt social media use to see if there are any obvious concerns regarding their employment. But is this enough?

Digging deeper

Many people will change their name or handle in order to mitigate potential employers identifying their social footprint. Therefore, we need to train Vetting Officers to dig deeper and identify key indicators which may suggest a potential employee may not have honest intentions.

Additionally, we can begin to understand how organisations are perceived by the public, and in particular by individuals or groups that wish to target them for attack. This is something I am currently developing in my own organisation and hope to bring to the forefront as an industry standard.

Fake news

It is true that the Internet is full of what has become known as fake news, which is often taken at face value. The recent Oxford Circus “terror attack” on Black Friday was, in fact, a brawl between two passengers on the London Underground.

Reported initially as a potential terrorist incident, panic spread like wildfire online, demonstrating the power of social media. On the busiest day in the retail calendar, it seemed a logical target for a potential attack; however, this was not the case.

This is where open source investigation comes into its own, corroborating and validating information before panic spreads.

We all know that the Internet can be a dark and grey area; you can buy weapons or drugs and learn how to make IEDs. Potential terrorists can also connect online with other like-minded individuals.

So my question is, how do we get on the forefront of managing a potential attack instead of playing catch up?

We are developing software to give us a head start on combating social terrorists. From my experience, there’s no right or wrong way to address this issue; however, by investing in open source development, we can understand the powerful impact the online world plays in our everyday lives.

We also need to invest in the right monitoring software. No individual can sit in front of Twitter or Facebook and watch the millions of posts shared every second across the world. We must identify ways to filter information to provide valuable intelligence; blogs, websites and community pages are all examples of the vast amount of valuable public information which can be utilised for our benefit.

It is widely publicised in the press that terrorist and social activist groups target vulnerable individuals and recruit through social media and other open source avenues. Let’s address this threat head on and give our organisations the best possible chance of preventing terrorism.

J. Ross

Securitas Security Services UK

www.securitas.uk.com

The post Combating digital threats with open source investigation appeared first on City Security Magazine.

Public–private cooperation in cyber security strategy https://citysecuritymagazine.com/cyber-security/information-security-strategy/ Wed, 03 Oct 2018 08:40:44 +0000 https://citysecuritymagazine.com/?p=5284 Coordinating public-private cooperation in UK cyber security strategy Hugo Rosemont reviews current cyber security…

Coordinating public-private cooperation in UK cyber security strategy

Hugo Rosemont reviews current cyber security strategy, regulation and initiatives, calling for greater support for public-private engagement.

Government strategy

The UK Government’s Cyber Security Strategy of 2016 was an extremely welcome document because it recognised clearly, in line with other Government speeches and policy statements, that effective public-private cooperation is an essential component of tackling cyber attacks and crime conducted via digital means. Indeed, the emergence of such robust cooperation is arguably more essential in the area of cyber security than it is in any other field of security policy today, such is the level of dependency between the state and companies in protecting the digital commons.

The National Cyber Security Centre (NCSC)

Similarly, it was also a very welcome development that, flowing from the strategy, the National Cyber Security Centre (NCSC) established in October 2016 has been provided with a very clear mandate to ensure that all sectors of the economy – including but extending well beyond the Critical National Infrastructure (CNI) – are provided with additional support, advice and guidance to help realise the Government’s ambition that the UK should be the safest place to work and do business online.

More to do for optimum support structure

Despite these positive developments, there is more work to do to ensure that all sectors of the economy, including the CNI, receive greater support, and that public-private engagement on cyber security issues is improved: cooperation between Government departments and agencies (such as the NCSC) and different parts of the private sector is not yet optimally structured. In the same way that ‘Government’ is not a single entity, the structure of ‘industry’ in the UK is extremely disaggregated, not a homogeneous bloc. The UK’s cyber security strategy will therefore only be successful if it takes account of the diverse character of both Government and industry, and facilitates more effective coordination across different sectors and organisations.

Related directives and regulations

New regulations coming into force in the UK in May 2018 – specifically the security of Network and Information Systems (NIS) Directive and the General Data Protection Regulation (GDPR) – offer significant potential to strengthen cyber security across the CNI and the wider economy respectively. Whilst concerns exist around the late timing of the publication of practical guidance that can help companies implement their provisions, and clarity emerging only recently in the case of NIS around which organisations will regulate the cyber security arrangements of the relevant companies, they are important because they promise to place on a much more formalised footing the need to develop cyber security as a core part of any business’s operations.

Skilled individuals needed

It will be important to ensure against this backdrop, and in the context of rapid technological evolution, that regulators develop, or are able to draw upon, a sufficiently skilled cadre of individuals who can help them fulfil their responsibilities. More generally, it is imperative that the UK does not accidentally introduce a suboptimal system of compliance that diverges largely from arrangements elsewhere, or that resembles a superficial ‘box-ticking’ culture. Provided that in its implementation the Government and nominated regulators engage with the realities of business models operating across industry, the NIS Directive in particular offers an excellent opportunity to strengthen resilience across the UK’s essential services. Much will come down to how companies themselves choose to invest in, and implement, their own security measures.

Limited resources are available in Government to help cover any cyber security costs bearing upon the private sector, with the £1.9bn UK cyber security budget largely allocated elsewhere, so it remains Government policy to see the costs ‘lie where they fall’. It is important for policymakers to understand, however, that industrial investment is also constrained. It is for this reason that there would be benefits in designing, developing and then delivering alongside this new regulatory framework a more agile, nimble and collegiate system of collaboration that can bring together in a more coordinated way the multiple stakeholders across both the public and private sectors that all play important roles in effective cyber security.

Enabling dialogue between key actors – including the private sector

In particular, there is now an opportunity to design a more structured system that can systemise dialogue between Government departments and agencies (such as the NCSC), operational security actors (such as the CNI), the Regulators of Industries (such as Ofcom and Ofgem), and the UK cyber security industry – some of the world’s most innovative security suppliers. Historically, security industry engagement with technology innovators has mainly been conducted by Government for Government purposes; in its engagements with the CNI it has tended to decline to involve companies supplying technical solutions directly. The time is right to join this dialogue because the digital capabilities developed by suppliers are as relevant (if not more so) to protecting CNI operators and the wider economy as they are to Government and law enforcement agencies, yet there is a shortage of strategic dialogue between the respective communities.

Strengthening the framework under development for public-private cyber security cooperation in the UK is now an urgent priority in the context of the potential vulnerability of national infrastructure to attacks in this domain by state and non-state actors. Placing an emphasis on developing a more coordinated, whole-of-government and industry approach to the implementation of the UK’s cyber security strategy is the next logical step.

Dr Hugo Rosemont

Director of Security and Resilience, ADS Group

www.adsgroup.org.uk

The finance sector and the digital age https://citysecuritymagazine.com/cyber-security/information-security-finance-sector/ Mon, 01 Oct 2018 07:31:58 +0000 https://citysecuritymagazine.com/?p=4128 Are financial institutions evolving into IT companies that manage money? Cryptocurrencies The finance industry…

Are financial institutions evolving into IT companies that manage money?

Cryptocurrencies

The finance industry has been going through radical changes for decades, the latest of which is embodied in the disruption caused by cryptocurrencies, such as Bitcoin and RScoin, and the technologies that enable them, such as blockchains. These technologies are being heralded as the solution to a wide range of challenges facing the financial sector.

Cryptocurrencies control the generation and transfer of funds without the need for a central authority, such as a bank. Blockchain technology underpins these digital currencies by acting as a decentralised distributed database, able to record a list of transactions which reportedly protects against tampering and revision.

Smart Contracts are computer programmes, powered by blockchain technology, that automatically enforce and execute the terms of a contract. These contracts could revolutionise many types of financial transactions, specifically those around illiquid assets, such as property and antiques.

A digital finance sector

Looking beyond these recently disruptive technologies, it is often surprising to some that the finance sector has been digital for at least the last 40 years, if not longer. Banks are comfortable using information to represent currency to transfer funds, and with the advent of online banking now so is the end consumer.

What is interesting is that information is such an essential part of the modern finance sector; not only digital representations of currency, but information about how those funds flow. Significant effort is spent in the modern financial enterprise analysing trading patterns, customer behaviour and sentiment, broader economic and governmental trends.

This analysis of data, currently referred to as data science or Big Data, provides a competitive market advantage for companies; both in customer protection to identify fraudulent transactions, and in money making activities such as trading. This reliance on information informs a position that the finance sector uses information as a raw material which it processes in order to make money. In fact, it has been observed that some large financial institutions are really IT companies that manage money.

Cyber security

This idea that a financial company’s business is the processing of raw information opens a wider view of the security of that company, specifically in terms of cyber security. Much of the cyber security discussion regarding the finance sector has been about protecting businesses’ systems and processes from malicious attack which would disrupt their operation or leak sensitive information.

However, this assumes that the business is a closed bubble that does not take in any external information. It would be possible, for example, to establish a significant set of online accounts in social media platforms, operate those for a period of 24 months or more to establish credibility, and then use those to taint sentiment regarding a specific company in order to increase the profit from stock market trades. Examples of this can be seen from 2012 with the fake announcement of a bomb blast in the White House, or the accidental resurgence of an old news story on Google regarding an incident with an American Airlines plane. Both had significant impacts on the stock market.

Fortunately, the UK is a leader in understanding the complexities of cyber security and the development of new countermeasures, and a key part of that is the academic community in the UK providing cutting-edge research. The Government Communication HQ (GCHQ) has adopted an approach of recognising this capability with the 13 Academic Centres of Excellence in Cyber Security Research (ACE-CSR) Programme, and the three cyber security research institutes.

These provide a wealth of ideas and technologies that can assist in protecting the raw information the financial sector relies on to operate.

Research at Lancaster University

Lancaster University’s research approach uses natural language processing to identify anomalous group and individual behaviour online, and indications of online precursor activity which indicates an offline action is about to take place. We have technologies based on psychological models that can identify likely insider threat. Our work in understanding resilience, fragility and mapping interconnections in cyberphysical critical national infrastructure can be used to map the complex interconnections between systemic financial institutions to understand where there may be weakness that could be exploited.

The research conducted at Lancaster and the other ACEs and RIs is directly applicable to help the sector to navigate the increasingly complex world of legislation and regulation and to support the sector in understanding disruptive technologies such as blockchain and cryptocurrencies.

Ultimately, the financial sector is interconnected to form a complex industry processing, exchanging, storing and understanding information, acting as a powerhouse for the UK economy. Its novel and extensive use of information exposes new risks to the sector and in partnership and collaboration with universities we can minimise those risks to take full advantage of the opportunities of an increasingly information aware society.

Dr. Daniel Prince

Associate Director for Business Partnership and Enterprise Security, Lancaster University

www.lancaster.ac.uk/security-lancaster

Cyber resilience: advice from leading figures https://citysecuritymagazine.com/cyber-security/information-security-cyber-resilience/ Sat, 29 Sep 2018 08:22:20 +0000 https://citysecuritymagazine.com/?p=4416 Cyber Resilience your new year’s resolution We asked leading figures from the world of…

Cyber Resilience your new year’s resolution

We asked leading figures from the world of cyber security to focus on key ways that small businesses and individuals can contribute to their own and their business’s cyber resilience.

Refresh your knowledge of how to maintain your personal cyber resilience by heeding the advice here.

Test your security systems and processes

Commander Chris Greany, National Coordinator for Economic Crime, City of London Police

The City of London Police sees the threat from cyber daily as we run Action Fraud, the national fraud and cyber reporting centre. With the average financial loss from cyber now reaching £45k we see businesses and livelihoods destroyed and the most frustrating part of most of these crimes is that they were preventable. Far too many still see the threat as too complex or for others to worry about, and this needs to change.

Businesses of all sizes have plans for emergencies like a fire with all employees knowing what their role is through robust and tested procedures. But ask many businesses of all sizes and sectors if they have plans for a data breach or some other form of attack and many will look blank and refer you to their IT department or provider.

Help to test your systems and processes isn’t difficult to find either. The Mayor’s Office for Policing and Crime has set up the London Digital Security Centre, which aims to secure and protect London’s small and medium sized businesses against cyber risks and threats.

Beware of Phisherman

John Wilson, Field CTO, Agari

Just as it is the default business communication tool, email has also become the most popular tool for cyber criminals. Phishing, which sees the criminal impersonate an individual or brand to trick a target, is a cyber-criminal’s preferred method of obtaining sensitive information or money from businesses or individuals. These attacks have become both more sophisticated and more prevalent, and this is set to continue into 2017.

There are a number of methods used with phishing emails. One example is where the perpetrator sends an email from what appears to be a legitimate organisation like a bank or a vendor, with a link to a fake website. Often these websites are infected with malware, a type of malicious software which is able to gain access to your private computer system and gather sensitive information – bank details, credit card numbers and so on. The sender uses something called spoofing, the creation of email messages with a forged sender address, to trick the receiver into thinking it’s from a genuine sender.

A more elaborate, and harder to detect, method is Business Email Compromise (BEC). Again, the email address will be spoofed, usually so it looks as though it is from the CEO or another high ranking executive. The attacker will often target the finance department and request a large amount of money be transferred to pay an invoice, or another similar request. The attacker, posing as the CEO, will give the details of a fraudulent bank account and will often state that they are held up in a meeting and the invoice needs paying immediately to rush the target into skipping usual policies.

One of the largest instances of a phishing attack this year was at Snapchat’s HQ. A scammer sent an email to the payroll department impersonating the CEO and requested confidential information on current and former employees. Neither the targeted employee nor the security team spotted the fake, and the data was handed over.

These attacks should be dealt with using a combination of technology and employee education. Humans are the weakest link, and attackers know this, so they will continue to evolve and develop their methods for deceiving people.

Employee education and training is an important factor in identifying and preventing these breaches. Employees should receive regular training in identifying a number of potential cyber attacks and what to do if they suspect they have detected one. The organisation should have clear policies and procedures in place on how to handle sensitive information and the sharing of it, as well as how to deal with the transfer of funds. However, social engineering techniques are being adopted by the fraudsters to circumvent employee training and company policies. Therefore, emphasis for prevention of targeted attacks must be placed on other, technology-based methods of detecting and blocking these emails from reaching their intended targets.
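As an added illustration of the technology-based detection called for above (not part of the original article or of any contributor's product), the following sketch triages a message for the spoofing and BEC traits described in this section. The domain, executive list, trusted authserv-id, keyword lists and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Everything below is constructed for this example (assumed values).
ORG_DOMAIN = "example.co.uk"
TRUSTED_AUTHSERV = "mx.example.co.uk"   # authserv-id of our own receiving MTA
EXECUTIVES = {"jane doe": "jane.doe@example.co.uk"}  # display name -> real address

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|in a meeting)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|transfer|payment|bank account|sort code)\b", re.I)
METHOD = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def domain_of(address):
    return address.rpartition("@")[2].lower()


def trusted_auth(msg):
    """Collect spf/dkim/dmarc verdicts, but only from headers our own MTA wrote.
    An Authentication-Results header carrying any other authserv-id may have
    been inserted by the sender, so it is ignored."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(value).partition(";")
        if (authserv.split() or [""])[0].lower() != TRUSTED_AUTHSERV:
            continue
        for method, result in METHOD.findall(rest):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    """Return a sorted list of warning flags for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_domain = domain_of(addr)
    flags = set()

    # Forged sender address: our own domain in From without a DMARC pass.
    if from_domain == ORG_DOMAIN:
        if trusted_auth(msg).get("dmarc") != "pass":
            flags.add("own-domain-not-authenticated")
    elif edit_distance(from_domain, ORG_DOMAIN) <= 2:
        flags.add("lookalike-domain")

    # BEC: an executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(" ".join(name.lower().split()))
    if real and addr != real:
        flags.add("executive-name-wrong-address")

    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_domain:
        flags.add("reply-to-diverges")

    # Pressure to pay quickly, as in the "held up in a meeting" pattern.
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.add("urgent-payment-request")
    return sorted(flags)


# Constructed sample messages.
SPOOFED = """\
Authentication-Results: mx.example.co.uk; spf=fail smtp.mailfrom=bulk.invalid; dmarc=fail header.from=example.co.uk
Authentication-Results: sender.invalid; dmarc=pass header.from=example.co.uk
From: Jane Doe <jane.doe@example.co.uk>
Subject: Invoice to pay today

I am in a meeting. Please transfer the funds for the attached invoice immediately.
"""
BEC = """\
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=freemail.invalid; dmarc=pass header.from=freemail.invalid
From: "Jane Doe" <ceo.office@freemail.invalid>
Reply-To: payments@other.invalid
Subject: Quick request

Are you at your desk? I need a payment made right away, bank account details to follow.
"""
GENUINE = """\
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=example.co.uk; dkim=pass header.d=example.co.uk; dmarc=pass header.from=example.co.uk
From: Jane Doe <jane.doe@example.co.uk>
Subject: Board papers

Papers for Thursday are attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("bec", BEC), ("genuine", GENUINE)):
        print(label, triage(raw))
```

Note that the BEC sample passes SPF and DMARC for its own domain, which is why the display-name and Reply-To checks are needed alongside sender authentication.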

Protecting data in the Cloud

Jonathan Sander, VP of Product Strategy, Lieberman Software

The consumer’s view of good security is much like their view of good health – they know they ought to get lots of exercise and use unique passwords on every website, yet they’re not really doing either. They’re both hard to do regularly. One good thing about all the breaches in the news is it has forced news programmes to repeatedly bash good practice into most people’s heads. My aging relatives can tell me they are supposed to use complex, different passwords everywhere and be careful about the emails and links they click on.

While this awareness is growing and it’s encouraging to see, at the same time, people have been given conflicting advice. They’re told to watch out for how much sites like Facebook can invade their privacy, then also that using social login like the now ubiquitous Facebook button may be more secure. They’re told to protect special accounts like their Microsoft or Google account if they use those for their primary email, but then that makes them feel they can’t hit the “Login with Google” button without compromising that security.

Even Apple, which once had the reputation of being the most secure, has been hit with attackers trying to prove it wrong and hacking into celebrity iCloud accounts and leaking personal data.

Clever people can be forgiven for getting easily confused by all the details one has to master to do personal security well on today’s internet. As the internet morphs into the internet of things, pulling in more and more devices to be connected and services to be offered, it’s likely to get a lot more confusing before it’s done.

However, one crucial step people can take to protect their accounts is to use multi factor authentication whenever it’s available. iCloud accounts, for example, offer turning on the Apple ID two step verification. Most other major online vendors – Google, Amazon, Yahoo, and more – have their own version of this process. The single most common mistake users of public cloud make is to not take advantage of the security protections being offered to them. When you have the option of using two factor authentication to make cloud storage safer, use it. While it might seem slightly more inconvenient as an extra step to security, think about the data that could be stolen. Locking the door to your house is an extra step, but one that we all know is well worth the extra time it takes.

Keeping your smartphone safe

Richard Patterson, Director, Comparitech

Smartphones have grown from allowing users to simply browse the internet, check email or socialise to doing online banking, shopping and controlling home appliances (and even vehicles) when paired with other devices.

Our smartphones contain sensitive information from personal photos to business contacts and password logins. And due to people’s reliance on and wide usage of those devices, they have become an appealing target for cyber criminals. Thus, understanding how to keep smartphones safe is crucial.

First of all, make sure that the manufacturer (Google, Apple, etc.) hasn’t granted unnecessary access to any private data. Indeed, every time you install a new app, don’t just scroll past the permissions page and hit accept. Especially if the app is from a less well-known publisher – ask yourself whether it really needs all those permissions. In addition, you could switch off permissions such as location tracking or access to camera/microphone as these are features that you don’t need all the time.

VPNs are another important aspect to consider when looking at mobile device protection, because they aim to encrypt internet traffic to and from a device, in order to keep the web browsing and app usage private. Indeed, many socialising apps such as WhatsApp, Viber, Snapchat and Facebook Messenger have some level of encryption. Yet whether your messages remain private depends on how difficult it is for a hacker to reverse engineer the app or how easily the company gives in to government coercion.

With all the recent cases of IoT devices being hacked due to weak passwords, the importance of strong passwords in smartphone security is undeniable. In addition to having strong, varied passwords, you could use a password manager that encrypts and stores all passwords into a single app.

When you’re backing up your phone data in case your phone is lost or stolen make sure all sensitive information is encrypted. Boxcryptor, Viivo and Cloudfogger all make free apps that you can use to encrypt files locally before uploading to your cloud storage. Similarly, always remember to remove your SIM card when repairing your phone, as it can be used to make purchases or sign up for accounts.

Finally, keeping the device software up to date will nullify vulnerabilities in deprecated or obsolete older versions. We recommend you stick to the latest stable release, but there’s generally no need to use beta or nightly versions that are still being tested.

Modern day Dick Turpin – Ransomware

Troy Gill, Manager of Security Research, AppRiver

Ransomware catapulted into the news in 2013 when CryptoLocker started holding people’s files to ransom. Since then, we’ve seen a number of other programs making a name for themselves. With unprecedented levels of ransomware circulating this year, victims have to make the hard decision of losing their data or paying the cyber criminal’s demands.

Or do they?

What is Ransomware?

Ransomware pretty much does what it says on the tin. It is a malicious program that encrypts a victim’s computer and then displays a message from the criminals demanding payment in return for the decryption keys. Having paid, the victim receives a file that will unlock the machine – if they’re lucky.

How serious the problem is depends on which ransomware is involved. Locky and Zepto are still some of the reigning champs, as far as ransomware volume goes, but here are a few others making a name for themselves:

Princess: This ransomware stands out due to its high ransom price and the pink tiara it boasts once you are infected. The usual asking price for most ransomware is around the $300 mark; however, Princess has a starting price of around $1,800. If you’re too slow to pay, that doubles to around $3,600 (or 6 bitcoins) to get the key.

EduCrypt: This one was aimed at teaching users a lesson as, once the virus ran and encrypted files, it would let the user know that a key had been hidden on their computer and they just needed to find it to get their files back and decrypt them. The note that pops up has some often recommended advice of not downloading random things on the internet.

Internet of Things Ransomware: Hackers were able to demonstrate that they could successfully infect a thermostat with ransomware. While this is a very specific situation with a certain model of a thermostat, it brings up a point that security researchers have been trying to bring to light: the Internet of Things can be a security nightmare.

MarsJoke (aka Polyglot): The newest ransomware, this one is aimed at targeting government agencies and educational institutions. The attack has mainly been seen via links in email messages that lead to the malicious download.

If you’re unlucky enough to fall victim to the modern day highwaymen, and thinking of paying the demands, remember that these thieves are often associated with larger criminal organisations, which use your money to fund their illegal activities.

Instead, before you do anything else, take the time today to back up your files, update your software and hardware, and make sure you have layered security, then you won’t find yourself caught between a rock and a hard place.

The cyber threat and social engineering. https://citysecuritymagazine.com/cyber-security/information-security-social-engineering/ Wed, 12 Sep 2018 09:00:26 +0000 https://citysecuritymagazine.com/?p=4104 In 2015, the average cost of the most severe online security breaches for SMEs…

In 2015, the average cost of the most severe online security breaches for SMEs ranged from £75,000 to £311,000

The average cost for big businesses ranged from £1,500,000 to £3,100,000

It is hard to get away from the presence and scale of the cyber security threat. The mainstream and social media are full of stories of companies who have been hit by a data breach, but there are many more you will never hear about.

TalkTalk and Sony hit the headlines worldwide in 2015, but the US National Guard, Harvard University and Blue Cross Blue Shield also lost the personal data of millions of their employees and customers. Beyond this are literally thousands of smaller organisations who have suffered data breaches that they will never make public for fear of the impact on their reputation.

Here in the UK, government figures from the Information Security Breaches Survey 2015 indicate that the average cost of the most severe online security breaches for big business ranges from £1.5 to £3.1 million and for SMEs the cost averages from £75,000 to £311,000. The same survey also shows that 90% of large organisations and 74% of SMEs reported they had suffered an information security breach during the year.

The changing nature of the threat: social engineering

So the scale of the threat is vast and growing, but even more important for corporate security professionals to note is that the nature of the threat is also changing. Firstly, as the profits from cyber crime have grown, so it has attracted the attention of more organised groups with more human resources available to them, including governments, organised crime and even terrorist organisations. Secondly, as the technology response to the cyber threat has become more sophisticated, with robust firewalls and virus monitoring software now standard, cyber criminals have had to find new ways past corporate perimeter security.

The increased difficulty of breaching perimeter security and the increased human resources available to cyber criminals have combined to produce a new point of attack. This point of attack is focused on the weakest link in the corporate security chain, human beings rather than technology. The UK government data confirms this, pointing to 75% of large businesses and 30% of small businesses which have suffered staff-related data breaches in the last year.

This is what used to be known as the “insider threat”, but that inadequate terminology suggests complicity by employees in cyber crime, which is usually not the case. Instead, a more appropriate new term has been coined to describe the threat, which is “social engineering”. Social engineering has been described as an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is also defined as the art of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques.

Social engineering techniques

There are a number of common social engineering techniques employed by cyber criminals. These include:

Spear phishing

This is probably the most common social engineering technique and is a more sophisticated version of the well-known phishing scam, where speculative e-mails are sent to large numbers of people, pretending to be from legitimate organisations, in the hope of tricking them into parting with sensitive data. Spear phishing targets known companies and individuals and first builds up a picture of them from social media, or other open sources, before seeking to extract information about their passwords in order to access a corporate data network.

This can be in the form of an e-mail message or even a remote attempt to guess a password based upon researched personal information such as dates of birth and names of family members. The attack may begin by hacking into a less secure system such as private e-mail or Twitter, but the real target is the employee’s corporate network.

Pretexting

This is a variation on phishing in which a sophisticated scenario is invented to engage a targeted victim in order to trick them into disclosing confidential security data. This social engineering engagement can often take the form of a phone call that pretends to be from their bank or a law enforcement agency, or even from their company helpdesk. Like spear phishing, this attack will usually involve some legitimate personal data that has been obtained elsewhere, which helps to create confidence in the victim that the call is genuine.

Baiting

This is a less complicated social engineering trick that relies on physical media, such as a USB stick or floppy disk loaded with malware, which is left in a location that is likely to be found by employees of the target company. This could be a smoking area, elevator, bathroom or even parking lot. A corporate logo or interesting label, such as “2015 salary details”, will increase the apparent legitimacy of the disk and sooner or later someone will pick it up and insert it into their disk drive. Once this happens the malware will immediately be installed on the system and the job is done. Compromised media can also be sent through the post to an intended victim.

Tailgating

An even more primitive form of social engineering attack is tailgating. This is where an attacker, seeking entry to a restricted area via, say, an unattended electronic gate, simply walks in behind a person with legitimate access credentials. This ruse can be supported by the attacker carrying papers or a coffee and wearing shirtsleeves and no jacket, as if they had just popped out. If challenged they may even present a fake access card, without actually using it.

Once inside the premises the attacker will seek out a vacant desk and insert a disk into the computer there, or look for evidence of passwords lying around. A more complex version of this full frontal attack is someone entering the premises acting as a courier or a cleaner, or even an actual temporary employee who has been recruited for just this purpose.

Mitigating actions

So, what can be done from a corporate security perspective to protect your company against the new social engineering threat? Here are six good practice security tips that can help to mitigate, if not eliminate, the threat:

  • Train your employees and create awareness amongst them about the social engineering threat. Warn them about information they make public on social media and about the threat from e-mails, hyperlinks and phone calls. Forewarned is forearmed.
  • Protect all of your devices against viruses and other malicious code through the use of up-to-date anti-virus software. Out-of-date versions are no use at all. Also ensure that you have a bring-your-own-device policy which guards against employees introducing viruses to your network through mobile devices that they bring to work.
  • Secure your network from the internet by using a firewall. Avoid using Wi-Fi, if possible, and if you have to, then make sure it is securely configured. If employees work from home, make sure that they have security on their own systems, including a firewall. Only allow secure VPN connections with employees outside the office.
  • Require employees to use unique, hard-to-guess passwords and make sure that your security policy requires password changes at regular intervals. Ensure that you revoke all passwords and other forms of secure access as soon as an employee leaves the company.
  • Ensure physical access to your business is restricted. Compromise of your physical security may allow hackers to access your critical system components such as servers, routers and desktops. It can also lead to the loss of confidential files and security information. Warn employees about baiting and tailgating, always enforce access policies and challenge strangers on your premises, politely of course.
  • Finally, a tested and foolproof backup system is now a basic business requirement. Ensure that your backups are stored securely and test them on a regular basis. Malware can encrypt all of your sensitive data until you pay a ransom demand. A regular backup will allow you to wipe and restore rather than pay the ransom, as well as guarding against other data loss issues. Having at least one offsite or cloud backup is also essential.

System monitoring

Unfortunately, these simple steps, whilst important, are not enough on their own to guard completely against the social engineering threat. If rogue employees have been inserted inside your company, or existing employees have become disgruntled, then they will be on the inside of all of your security perimeters, no matter how robust they are.

That is when you need the additional assurance that one of the new cyber security system monitoring solutions can provide. There are now plugin devices available on the market that take only a couple of hours to configure, which can provide the normal anti-virus and malware scanning, but which also monitor your network for signs of suspicious insider activity and failed attempts to hack into the system, via multiple incorrect passwords and the like. These solutions can provide invaluable intelligence that can be acted upon proactively to nip a successful hack or insider threat in the bud.

The monitoring system will look out for failed password attempts, visits to dubious websites and other suspicious activity, such as the downloading of data unrelated to an individual’s role which is then not used for any obvious purpose. It can scan the network and identify which user login and which terminal the activity has originated from. If you have your own suspicions over an individual, you can even ask the system to retrospectively go back over data audit trails to find out if past behaviour by an individual can provide you with evidence.
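The failed-password check and the retrospective audit-trail lookup described above can be sketched as follows. This is an added example, not part of the original article or any vendor's product; the log layout, event names, thresholds and function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail; the "time user terminal event" layout is an assumption.
SAMPLE_LOG = """\
2022-04-01T09:00:05 asmith WS-014 LOGIN_FAIL
2022-04-01T09:00:40 asmith WS-014 LOGIN_FAIL
2022-04-01T09:01:10 bjones WS-022 LOGIN_OK
2022-04-01T09:01:30 asmith WS-014 LOGIN_FAIL
2022-04-01T09:02:00 asmith WS-014 LOGIN_OK
2022-04-01T11:15:00 bjones WS-022 LOGIN_FAIL
2022-04-01T13:40:00 bjones WS-022 LOGIN_FAIL
malformed line here
2022-04-01T17:55:00 bjones WS-022 LOGIN_FAIL
"""

def parse(log_text):
    """Yield (timestamp, user, terminal, event); skip lines that do not fit the layout."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, terminal, event = parts
        try:
            yield datetime.fromisoformat(ts), user, terminal, event
        except ValueError:
            continue  # unparseable timestamp

def failed_login_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Flag each user/terminal pair that reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)  # (user, terminal) -> failure times still inside the window
    alerts = []
    for ts, user, terminal, event in sorted(parse(log_text)):
        if event != "LOGIN_FAIL":
            continue
        times = recent[(user, terminal)]
        times.append(ts)
        while ts - times[0] > window:  # drop failures older than the window
            times.popleft()
        if len(times) == threshold:    # alert once as the burst reaches the threshold
            alerts.append((user, terminal, times[0], ts))
    return alerts

def user_history(log_text, user):
    """Retrospective view: every recorded event for one user, oldest first."""
    return [(ts, terminal, event)
            for ts, u, terminal, event in sorted(parse(log_text)) if u == user]
```

With the default settings only the burst of three failures on one terminal within five minutes is flagged; the same number of failures spread across a working day is not, which is why the threshold and window need tuning to the organisation's normal behaviour.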

The scale and nature of the cyber threat can now be overwhelming for many companies that cannot afford a full-time IT team of half-a-dozen people or more. But a few simple precautions and the use of a plugin system monitoring device can go a long way towards mitigating the social engineering threat. Don’t let yourselves be caught out, or held to ransom, by cyber criminals.

Sonny Sehgal

Head of Cyber Security, Transputec

www.transputec.com

The post The cyber threat and social engineering. appeared first on City Security Magazine.
