Information security professionals not too worried by Brexit

The UK’s decision to leave the European Union (EU) has raised concerns in the information security world, but most professional organisations are urging calm and pragmatism.

The UK’s decision to leave the European Union (EU) has raised concerns in the information security world, but most professional organisations are urging calm and pragmatism.According to The Security Institute, the Brexit decision may have significant implications for the security profession and will inevitably present fresh challenges.

However, the organisation’s vice-president Alison Wakefield said security professionals pride themselves on being able to take the objective view, to put aside emotion and to focus instead on the hard facts of a situation.

“One thing we categorically disagree with is Michael Gove’s assertion that people in this country have had enough of experts,” she said.

“As an organisation that numbers a great many security experts in its membership, we believe the changes Brexit will bring mean that we, as a nation, will more than ever rely on these experts.”

Whatever cyber security challenges lie ahead as a result of Brexit, Wakefield said they will be met and overcome by the application of expertise and the diligent efforts of experts.

“The Security Institute’s raison d’être is to promote the professionalisation of security. Now that our country has chosen to go through a period of economic and political turbulence, let’s collectively – as experts in our field – do our utmost to re-emphasise professionalism, and redouble our efforts to help nurture security practitioners who can carry the ‘expert’ label with justification, pride and the external recognition they are due,” she said.

Adrian Davis, European managing director at security certification body (ISC)2, said information security is well-recognised as an international concern that has motivated levels of co-operation that already transcend national boundaries and politics.

“There is no reason to believe that this will come to an end or even be significantly interrupted by the Brexit vote,” he said, despite concerns by some information security professionals the cyber threat intelligence sharing may be impeded.

According to Davis, information security professionals in the UK and across Europe have at least two years to understand the practicalities that will affect their day-to-day job, and there is a good chance that quite a lot of what is anticipated over this time will not change.

The need in the UK to comply with the EU’s General Data Protection Regulation (GDPR) for example, will remain the same, he said, as UK businesses will continue handling EU citizens’ data.

“The march of technical innovation reflects global trends and will continue to shape the challenges we face on the front lines, and we all understand that threats and attacks are international. The work we do as a profession already ensures that the standards and practices required to face them account for differences in markets and regulatory expectations. I’m confident that, as a profession, information security professionals right across Europe will continue to work together,” said Davis.

UK consumers want fines for firms that lose personal data

Most UK consumers want the government to fine companies who don’t protect personal information.

Most UK consumers want the government to fine companies who don't protect personal information.A majority of UK consumers would like to see government fines for companies that fail to provide sufficient safeguards for personal information, a survey has revealed.

Some 86% of more than 1,000 UK consumers polled by the Institute of Customer Service (ICS) think the government should review data protection laws, while 77% feel it should do more to protect data from cyber attacks.

The findings of the survey are in line with the recommendations by the Department of Culture, Media and Sport (DCMS) Committee’s inquiry into the October 2015 data breach at TalkTalk, which saw the personal information of 155,000 people compromised.

The committee has published a set of recommendations in its inquiry report for improving data security in the UK, including the introduction of escalating fines for delays in reporting breaches of personal data.

The report also recommends that the government initiates a public awareness-raising campaign about online scams and allocate more resources to the Information Commissioner’s Office (ICO), the UK’s data protection authority.

Although most UK consumers would like to see more government action on data protection, 62% also believe businesses should do more to safeguard personal information, according to the ICS survey, which was included in a written submission to the DCMS committee’s inquiry.

The ICS survey shows only 13% of respondents are confident that their personal information is protected and only 15% trust organisations do everything possible to prevent security breaches.

“Businesses need to accept responsibility, rather than offer excuses, if customer data is exposed in a cyber security breach” said Jo Causon, chief executive of the ICS.

“Almost one in four consumers say nothing can restore their trust after a data breach, so if cyber security attacks continue at the current pace, business performance will suffer as concerned customers swap loyalty for personal data safety,” she said.

The ICS survey shows that 22% of respondents no longer trust companies that have suffered a breach, while 28% said they avoid organisations that have suffered a breach. In the event of a breach, 41% seek immediate notification, 23% want compensation and 10% look for an apology.

To reassure customers, the ICS outlines a series of actions businesses can take in its response to the DCMS Committee inquiry.

These include ensuring staff have the appropriate skills to communicate how data is protected and what is happening in the event of a cyber-attack; setting out the approach taken to protect customers’ data so consumers are fully informed and able to make a decision about what to share; and following a consistent set of standards across an organisation so that customer data is continuously protected no matter where it is held or analysed.

Police ask for early contact of cyber crime

Businesses should contact the Police as early as possible about cyber crime- even before they are targeted.

Businesses should contact the Police as early as possible about cyber crime- even before they are targeted“The sooner we can become involved the better,” said Garry Lilburn, detective inspector, cyber crime unit, Metropolitan Police.

Current reporting mechanisms are “clunky” and there plans to replace them, he said, but in the meantime, businesses can make direct contact with the cyber divisions of the National Crime Agency (0370 496 7622) UK-wide or the Met Police for cyber crime in London (0207 230 8129) or 01452 752644 in Gloucestershire.

“Businesses can call us to discuss what is happening and get advice without having to officially report a crime and without fear of it leaking to the media or regulators,” said Lilburn, adding that some of the biggest cyber crime cases his unit has worked on have never been reported in public.

“If businesses contact us about cyber crime in action, we can advise them on how to mitigate the attack, preserve evidence, and how to communicate with cyber extortion gangs and even the media if necessary in the case of high-profile attacks,” he said.

However, Lilburn said businesses should engage with police even before they are targeted by cyber criminals.

“We offer a service of conducting table-top exercises with businesses so they can experience what it is like to work with the police in the event of an attack by cyber criminals and learn what kind of information we will need and the kind of questions we will ask,” he said.

Businesses should also develop plans for engaging with law enforcement before they are targeted by cyber criminals, and practice those plans in the same way they do fire drills, said Kurt Pipal, assistant legal attaché, office of the legal attaché at the FBI.

“Businesses should ensure they understand what law enforcement can do for them, what investigators are likely to ask for, and what they can do to help any investigation,” he said, adding that they should get their legal counsel involved because they are going to be one of the first points of contact with the police in the event of a cyber criminal attack.

“Many firms fear reputational damage and media exposure, but engaging early with law enforcement before anything happens often alleviates many of these types of concerns and makes them more comfortable in working with law enforcement when they are attacked,” said Pipal.
Police encourage information sharing

Cyber crime is almost always international in nature, but that should not put businesses off reporting cyber criminal activities, even if they appear to be coming from overseas or conducted through anonymising proxies, said Lilburn.

Many of the recent botnet takedowns involving the FBI have been the result of international law enforcement agencies working together, said Pipal.

“While cyber criminals may be based in countries where we cannot reach them, they also like to go on vacation, and often they go to countries where we do have the ability to make arrests, so businesses should talk to law enforcement about the cyber criminal activities they are seeing,” he said.

“Law enforcement should learn from this and also begin to find ways to collect information about bad actors that can be queried by law enforcement agencies around the world,” he said.

“Just because cyber criminals are located in other countries or appear to be anonymous, businesses should not assume we will not be interested or that we will not be able to take action against those responsible”

Many of these third parties are small and medium enterprises that work as suppliers or partners to larger organisations, but these businesses typically do not have the same level of security awareness or resources as their bigger partners, said Ferguson.

“While large organisations have the resources to understand and respond to threat intelligence gathered through industry forums and the government-sponsored cyber security information sharing partnership (Cisp) and the national computer emergency response team, Cert-UK, smaller businesses do not,” he said.

Indeed Cyber Security Force are part of theGloucestershire Safer Cyber Forum- which is founded and run by the Gloucestershire Constabulary.

NCSC- National Cyber Security Centre for cyber expertise

NCSC- the National Cyber Security Centre for cyber expertise review.

NCSC- the National Cyber Security Centre for cyber expertise review.Following on from the Cyber Security Force’s news post yesterday outline NCSC- the National Cyber Security Centre, the UK government plans to make the NCSC the centre of its expertise on what is happening in cyber space, combining the knowledge gathered from incidents and intelligence with that shared with industry, academia and international partners.

The NCSC will aim to use that knowledge to provide best practice advice and guidance and to tackle systemic vulnerabilities to enhance cyber security for all.

The NCSC will support the most critical organisations in the UK across government and the private sector to secure and defend their networks. This will include the provision of bespoke advice and guidance, help to design and test networks and exercise response arrangements.

When a serious cyber incident occurs, the NCSC will work with victims to minimise the damage, help with recovery and learn lessons to reduce the chance of recurrence and minimise future impact.

According to the prospectus, this help will include connecting victims with commercial companies that are recognised as being excellent at cyber incident response, and ensuring that the wider response of government and law enforcement is well co-ordinated.

In the case of very serious incidents, the NCSC’s response may include communicating publicly about consequences and the steps people and businesses should take to protect themselves.

The establishment of the NCSC will bring a new level of coherence and effectiveness to how government does cyber security. It seeks to partner with government agencies and departments, the devolved administrations, and the wider public and private sectors.

The NCSC will also work in close partnership with law enforcement to support their efforts to tackle cyber crime, and with the UK’s security and intelligence agencies and the Ministry of Defence to identify and counter the full range of threats in cyber space.

The NCSC will support the government’s wider security and prosperity agenda by engaging with international partners on incident handling, situational awareness, building technical capabilities and capacity and contributing to broader cyber security discussions.

For organisations that have their own networks, the NCSC will run the Cyber Security Information Sharing Partnership (CiSP). This is aimed at enabling organisations to share information with each other and the NCSC about what they are seeing on their networks, and provide a forum for discussion from beginner through to expert level.

The NCSC will produce tailored advice and guidance to identified sectors and proactively work with companies on this. However, it will initially focus on sectors which form the critical national infrastructure and those of strategic or significant economic importance or tied to the delivery of key public services.

The NCSC will not offer an enquiries line for the general public and Action Fraud will continue to be the first port of call for victims to report suspected cyber crime.

However, when there is a significant cyber incident affecting the UK, the NCSC will have the leading role for government in communicating to the public, to provide reassurance and guidance on what individuals and organisations can do to better protect themselves.

The NCSC’s specialist teams will work with the Ministry of Defence – and other users of very secure communications – to ensure that operational needs are met. It will also ensure the capabilities needed to operate both independently and with the UK’s allies are available in the future.

The NCSC will work with the cyber security industry to help ensure organisations of all kinds can find cyber security products and services that are high quality and meet their needs.

UK gov’s plans for National Cyber Security Centre

The UK government has outlined what the National Cyber Security Centre (NCSC) will do, how it will work and who it will work for.

The UK government has outlined what the National Cyber Security Centre (NCSC) will do, how it will work and who it will work for.The NCSC is set to open in October 2016 and will be based in London. The NCSC will be led by CEO Ciaran Martin, formerly director general of government and industry cyber security at intelligence agency GCHQ. The technical director for the NCSC will be Ian Levy, formerly technical director of cyber security at GCHQ.

Chancellor George Osborne announced the NCSC in November 2015 as part of the government’s National Cyber Security strategy for the next five years, supported with £1.9 billion funding.

The NCSC is at the heart of that strategy and will be the “bridge” between industry and government, said Matthew Hancock, minister for the Cabinet Office.

It will simplify the “current complex structures, providing a unified source of advice and support, including on managing incidents. It will be a single point of contact for the private and public sectors alike,” he wrote in foreward to the prospectus for the NCSC.

Hancock said it is “vital” that the NSCS works with industry from the very start, and called on UK businesses to give feedback on the centre’s proposed design.

NCSC CEO Ciaran Martin invited UK industry to engage with his team about what they would like to get out of working with the NCSC.

“The government has set out its intent to address the cyber threat, to put tough and innovative approaches in place, and to be a world leader in cyber security.”

“The National Cyber Security Centre will be at the heart of this approach, bringing together the capabilities already developed by CESG – the information security arm of GCHQ, the Centre for the Protection of National Infrastructure, Cert-UK and the Centre for Cyber Assessment.

“This will allow us to build on the best of what we already have, while significantly simplifying the current arrangements,” he said.

According to the prospectus, the NCSC will have four key objectives:

  • To understand the cyber security environment, share knowledge, and use that expertise to identify and address systemic vulnerabilities.
  • To reduce risks to the UK by working with public and private sector organisations to improve their cyber security.
  • To respond to cyber security incidents to reduce the harm they cause to the UK.
  • To nurture and grow national cyber security capability, and provide leadership on critical national cyber security issues.

Cyber Security Force will detail more information on the NCSC in our next news post.