UK organisations not taking ransomware seriously

UK organisations are still not taking ransomware seriously enough and continue to fall prey to low cost, low risk cyber extortion.

Cyber criminals simply have to infect computer systems with malware designed to lock up critical data by encrypting it, and then demand a ransom in return for the encryption keys.

The occurrence of ransomware attacks nearly doubled, up by 172%, in the first half of 2016 compared with the whole of 2015, according to a recent report by security firm Trend Micro.

Ransomware, the report said, is now a prevalent and pervasive threat, with variants designed to attack all levels of the network.

Ransomware is typically distributed through phishing emails designed to trick recipients into downloading the malware, or through app downloads and compromised websites.

The business model is proving extremely successful for cyber criminals, as many organisations are not prepared for it, and paying the ransom is often the best or only option open to them.

Two separate studies have revealed that universities and NHS trusts in England have been hit hard by ransomware in the past year.

A freedom of information request by security firm SentinelOne revealed that 23 of 58 UK universities polled were targeted by ransomware in the past year, but all claim not to have paid any ransom.

In a similar study by security firm NCC Group, 47% of NHS Trusts in England admitted they had been targeted, only one trust said it had never been targeted, and the rest refused to comment on the grounds of patient confidentiality. Only one trust said it had contacted the police.

While ransomware writers were sometimes careless in the past, so there was often a way to retrieve files, that is seldom the case now, making preparation even more important.

Security firm Sophos has developed a whitepaper advising businesses on how to stay protected against ransomware.

Here is a list of best practices that businesses and public sector organisations should apply immediately to avoid falling victim to ransomware:

  • Backup regularly and keep a recent backup copy off-site
  • Do not enable macros in document attachments received via email
  • Be cautious about unsolicited attachments
  • Do not give users more login power than they need
  • Consider installing Microsoft Office viewers to see what documents look like without opening them in Word or Excel
  • Patch early, patch often because ransomware often relies on security bugs in popular applications
  • Keep informed about new security features added to your business applications
  • Open .JS files with Notepad by default to protect against JavaScript borne malware
  • Show files with their extensions because malware authors increasingly try to disguise the actual file extension to trick you into opening them
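As an added example (not from the Sophos whitepaper or the original article), the PowerShell script below audits, and with -Apply enforces, three of the per-user settings from the list above: showing file extensions, opening .js files in Notepad, and disabling Word macros. The registry paths are standard Windows and Office settings; the Office version key 16.0 and the decision to change only the current user's hive are assumptions.

```powershell
# Added example: audit (and optionally apply) three desktop hardening steps from the
# list above on a Windows host. Only HKCU is touched, so no admin rights are needed.
# Assumption: Office 2016/2019/365 (registry version key 16.0).
param([switch]$Apply)

$checks = @(
    @{ Name = 'Explorer shows file extensions'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
       Key  = 'HideFileExt'; Want = 0 },
    @{ Name = '.js files open in Notepad (per-user association)'
       Path = 'HKCU:\Software\Classes\.js'
       Key  = '(default)'; Want = 'txtfile' },   # txtfile is the built-in Notepad ProgID
    @{ Name = 'Word: all macros disabled without notification'
       Path = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'
       Key  = 'VBAWarnings'; Want = 4 }          # 4 = disable all macros
)

function Get-HardeningState {
    foreach ($c in $checks) {
        $current = $null
        if (Test-Path $c.Path) {
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Key `
                        -ErrorAction SilentlyContinue).($c.Key)
        }
        [pscustomobject]@{
            Check   = $c.Name
            Current = $current
            Wanted  = $c.Want
            Ok      = ($current -eq $c.Want)
        }
    }
}

function Set-HardeningState {
    foreach ($c in $checks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want
    }
}

if ($Apply) { Set-HardeningState }
Get-HardeningState | Format-Table -AutoSize
```

The Explorer change takes effect after Explorer restarts, and where a user has already chosen a .js handler via Windows' "Open with" dialog, that explicit choice can take precedence over the per-user association set here; the same VBAWarnings key applies under the Excel and PowerPoint Security paths.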

Cyber attack recovery 300% dearer due to skills shortage

Large businesses that are struggling to attract skilled IT security experts are paying up to three times more to recover from a cyber security incident.

As the gap between the security skills available and those required continues to widen, a growing number of organisations are being forced to call in outside help to supplement in-house skills.

For a third of businesses, improving specialist security expertise is one of the top three drivers for additional investment in IT security, the report by Kaspersky Lab said.

The report combines the results of the survey with input from Kaspersky Lab’s experts and representatives of major universities. It shows that overcoming the lack of skills and shortage of talent in cyber security is a major challenge for companies.

The growing demand is not easy to meet, the report said, due to a lack of available specialists and increasingly complex requirements.

According to Kaspersky Lab’s own recruitment managers, on average only one applicant out of 40 (2.5%) meets the strict criteria for an expert position.

The research shows that 90% of companies looking to hire cyber security professionals in 2016 said it was difficult to find the right candidates for the jobs on offer.

However, the challenge is not limited to technical know-how. According to Kaspersky Lab, the need for security managers is even greater.

In addition to deep technical knowledge, managers’ duties include communication with top management and overseeing the overall strategy, which are qualities that are especially important for large companies, the report said.

Higher education institutions recognise the need to revise their courses, but, at the same time, acknowledge the challenge of embedding security-oriented thinking into those courses.

The IT industry continues to evolve at a rapid pace, the report said, but notes that despite the obvious advancements in IT education, most graduates are not ready to help companies in ramping up security immediately.

Overall, the Kaspersky Lab report said 68.5% of companies polled expect an increase in the number of full-time security experts, with 18.9% expecting a significant increase in headcount.

Higher education is an important part of fulfilling such a demand, the report said, but this is also a call for a change in the security industry itself.

Security suppliers need to help universities with relevant experience and adapt research and development efforts towards the effective sharing of intelligence with corporate customers in the form of threat data feeds, security training and services.

A proper combination of security controls and intelligence, the Kaspersky Lab report said, will help corporate security teams to spend less time on regular cyber security incidents and focus on strategic security development and advanced threats.

Solving the different challenges of threat prevention, the detection of targeted attacks, incident response and prediction, said Levtsov, requires a lot of flexibility.

The report concludes that the problem of talent shortage will be solved through the efforts of education, evolution of the industry and adoption of intelligence sharing models.

UK data well protected after Brexit says new ICO head

UK data is well protected after the Brexit vote according to the new Information Commissioner.

Elizabeth Denham made the observation in the first newsletter to be published by the Information Commissioner’s Office (ICO) since she took up the role on 18 July 2016.

“The result of the EU referendum and its impact on data protection reforms will undoubtedly create uncertainty, as any period of flux does,” she said. “It’s clear to me, though, that the UK is well equipped to navigate the changes ahead successfully.”

Indicating that she means to continue her predecessor Christopher Graham’s policy of engagement with stakeholders, Denham said data protection was a “team sport”.

“Effective regulation requires engagement with the public sector, with industry, with civil society and with the public at large,” she said. “We all have an important role to play in this.”

Although Graham left the ICO on 28 June 2016 after seven years, there was a delay in Denham taking over because of a failure by government to obtain the Queen’s consent for the appointment in time.

Graham’s deputy, Simon Entwistle, was acting information commissioner until Denham was able to take over the leadership of the ICO, which regulates the UK’s Data Protection Act, Freedom of Information Act and the rules around marketing calls and texts.

Denham was shortlisted in April 2016, and was approved for the post of information commissioner by the Parliamentary Committee for the Department of Culture, Media and Sport on 27 April.

She was appointed for a five-year term as information commissioner after holding senior positions in privacy regulation in Canada for the past 12 years.

Since 2010, Denham has been the commissioner at the Office of the Information and Privacy Commissioner for British Columbia, Canada.

“Over more than a dozen years in this sector, I’ve seen the pace of the privacy regulator job quicken, and the scope of the work grows wider every day,” Denham wrote in the newsletter.

“Access to information and privacy touch nearly all aspects of public and commercial life and our work is at the centre of some of the most compelling issues of our time.”

ICO makes a difference

Denham noted that the ICO’s work makes a difference to citizens and consumers, employees and other rights holders.

In addition to helping navigate the changes necessitated by the Brexit vote, Denham is the first UK information commissioner since the European Union General Data Protection Regulation (GDPR), Network Information Security (NIS) Directive and EU-US Privacy Shield framework were approved.

Referring to these challenges, Denham said there was “a lot happening this side of the pond” but that the coming weeks would enable her to become more familiar with the work of the ICO and “get to grips” with the challenges ahead.

Denham, who has a track record of taking a proactive approach to enforcing data protection law and tackling government on privacy issues, will also have to deal with implications for UK business of the controversial Investigatory Powers Bill, which is well on its way to becoming law.