Data breaches cost tens of millions off UK firms’ market valueData breaches cost tens of millions off UK firms’ market value

By Cyber SecurityNo Comments

Security experts say the fact that data breaches at FTSE 100 firms cost on average £120 million in market value should be a wake-up call for boards to ensure they have an adequate cyber security strategy.

Security experts say the fact that data breaches at FTSE 100 firms cost on average £120 million in market value should be a wake-up call for boards to ensure they have an adequate cyber security strategy

Cyber attacks on top UK companies are leading to losses of 1.8% of share price or £120 million on average, according to a study on the effects of data breaches on share prices.
This has doubled in the past 18 months, according to the report released by global advisory firm Oxford Economics and IT and business process services firm CGI.
The report is based on a study of 65 severe or catastrophic breaches at FTSE 100 companies in the past four years and indicates that investors are now punishing companies more harshly for cyber attacks.
The cyber value connection report, which is aimed at helping senior business people understand the impact of cyber breaches on company market value, reveals that investors have lost at least £42bn since 2013 due to the severe public domain cyber security incidents used for the study.
However, the report notes that this figure includes only 65 publicly known severe breaches, which means the true amount of company value lost due to cyber attacks is likely to be far higher.
The report examines factors such as how new regulations for mishandling data will also strongly impact the public visibility of future breaches and therefore how organisations will plan for, manage and report cyber crime as incidents continue to rise.
A good example of the effects of data breaches on company value is Yahoo, which was forced to discount by $350 million the sale price of its core business to Verizon after revelations of data breaches in 2013 and 2014 affecting one billion and 500 million accounts, and of hackers forging cookies to gain access to customer accounts.
The cost of cyber attacks to investors is likely to skyrocket in the near future, said Rogoyski, as the General Data Protection Regulation (GDPR) and Network Information Security (NIS) directive mean that firms dealing with European citizens’ data must disclose all breaches of that data.
They estimate that only around 10% to 20% of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of 10 when the new regulations take effect in May 2018.

CGIís recommends eight steps to achieve effective cyber security governance:

1. Appoint someone at board level to be responsible for cyber security with the authority and know-how to address the risks and demonstrate leadership during times of crisis.
2. Include cyber security on every board agenda, reporting on: risk to the business, nature of sensitive data and mitigation progress at a minimum.
3. Treat cyber security as a company-wide business risk and assess as you would with other key business risks such as major safety issues, environmental disasters and accounting scandals,
4. Ensure that the company understands the rapidly developing legal landscape that applies to cyber risk ñ in particular, begin preparing for the GDPR and NIS directive now.
5. Get specialist expertise to advise and inform the board, whether from internal teams or external advisors.
6. Set a programme of work to manage cyber risk, allowing a realistic time and budget.
7. Encourage discussion about risk appetite, risk avoidance, risk mitigation and cyber security insurance.
8. Assume you have already been breached but you might not yet know about it. Take action to reassure yourself no such attack has taken place, but plan on the assumption that they have.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email
assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

UK businesses need to up cyber security with one in five hit by attacks

By Cyber SecurityNo Comments

Big UK businesses are targeted by cyber attacks more heavily, but all need to improve cyber security with one in five UK firms falling victim in the past 12 months.

Big UK businesses are targeted by cyber attacks more heavily, but all need to improve cyber security with one in five UK firms falling victim in the past 12 months  

Out of the 20% of UK businesses hit by cyber attacks in the past year, 42% were companies with more than 100 staff, compared with 18% with fewer than 99 employees, according to the survey of more than 1,200 businesses by the British Chambers of Commerce (BCC).

The results indicate that 63% of businesses are reliant on IT providers to resolve issues after an attack, compared with just 12% of banks and financial institutions and 2% of police and law enforcement organisations.

The findings show that while 21% of businesses believe the threat of cyber crime is preventing their company from growing, only a quarter of businesses have cyber security accreditations in place, such as the UK governmentís Cyber Essentials Scheme or ISO 27001.
Smaller businesses are far less likely to have accreditation, with 10% of sole traders and 15% of those with 1 to 4 employees having accreditations, compared with 47% of businesses with more than 100 employees.
Of the businesses that do have accreditations, nearly half believe it gives their business a competitive advantage over rival companies, and a third consider it important in creating a more secure environment when trading with other businesses.
Businesses that use personal data should be mindful that they will have to comply with the General Data Protection Regulation (GDPR) from 25 May 2018.
In October 2016, the Payment Card Industry Security Standards Council (PCI SSC) warned that UK businesses could face up to £122 billion in penalties for data breaches under the GDPR, which will introduce fines for groups of companies of up to Ä20m or 4% of annual worldwide turnover, whichever is greater ñ far exceeding the current maximum of £500,000.
Using UK data breach statistics for 2015 and a maximum fine of 4% of global turnover, the fines paid to the European regulator could see a near 90-fold increase, from £1.4bn in 2015 to £122bn, the PCI SSC calculated.
The cyber threat to UK business is significant and growing, according to a joint report by the UK National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) published in March 2017.
However, the report said UK businesses should not be defeatist. There are ways of mitigating attacks, the report said, adding that the NCSC is working with government agencies, tech companies and industry to fix some lower-level threats automatically and at scale to enable information security professionals to focus on the most damaging threats.
The report also said businesses should improve basic defences. Cyber attack is inevitable, the report said, adding that even basic cyber defences can protect against most of the attacks affecting businesses and that weak defences are likely to invite repeated attacks.
Businesses should handle all data assets as potential targets because there is a market value for all data that can be exploited by criminals, the report said. It also recommended promoting awareness of stronger basic ìcyber hygieneî to customers and employees.
Businesses should be more open to sharing knowledge and expertise, as all businesses can benefit from doing so in a secure, confidential and timely manner through services such as the Cyber-security Information Sharing Partnership (CiSP), the report said.
Developing cyber skills and awareness was another key piece of advice. Partnership work between law enforcement and industry, the report said, has led to the improvement of cyber knowledge for the wider public and industry.
Finally, businesses should report the crime to Action Fraud. If cyber attacks are reported, the report said law enforcement agencies can investigate, arrests can be made and preventative actions can be taken.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email
assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

What to do first when hit by a cyber attack

By Cyber SecurityNo Comments

At some point, your business may have to deal with a cyber security incident. But when you are under pressure and your team is stressed, people make mistakes.

At some point, your business may have to deal with a cyber security incident. But when you are under pressure and your team is stressed, people make mistakes.

Delaying too long in making critical response decisions may exacerbate the impact of the incident but, conversely, making knee-jerk decisions can cause further damage to the business or hinder a complete response.
There are many ways you may suspect that a security incident has happened, from detecting unusual activity through proactive monitoring of critical systems or during audits, to outside notification from law enforcement and compromised data located in the wild.
However, indicators such as unusual CPU (central processing unit) and network usage on a server may have multiple potential causes, many of which are not information security incidents. So it is vital to investigate further before jumping to conclusions.
Do you have any corroborating evidence? For example, if the IDS (intrusion detection system) detects a brute force attack against the website, do web logs support this having occurred? Or, if a user reports a suspected phishing attack, has this email been received by other users and did the user click on links or open documents?
You also need to think about answering questions about the nature of the incident. Is it a generic malware infection, or an active system hack?  Is there an intentional denial of service (DoS) attack in progress and is this an incidence of deliberate insider action?
Once you have confirmed an incident has occurred, you need to take time out from initial response activities to prioritise your actions and decide, definitively, what the business objectives are for the response operation. Incident triage generally consists of classifying the incident in terms of impact and urgency and how it should be handled. The incident response team can then use the impact, urgency and priority evaluation to define the objectives for the incident response operation and assign actions or further investigation, as required.
Impact classifications defined by the National Cyber Security Centreís (NCSC) GovCertUK and adopted by Crest, the body that represents the technical security industry, may provide a useful point of reference for initial classification based on the perceived or established impact.

These incidents will usually cause the degradation of vital service(s) for a large number of users, involve a serious breach of network security, affect mission-critical equipment or services or damage public confidence in the organisation.
It is not necessary to report on incidents with little or no impact or those affecting only a few users, such as isolated spam or antivirus alerts, minor computer hardware failure and loss of network connectivity to a peripheral device, such as a printer.

 

Isolated anti-virus alert or spam email.

The urgency of an incident should also be assessed along with the impact. Some incidents are unlikely to worsen over time, such as the discovery of a historical compromise by a former employee. But in other cases, such as a ransomware outbreak, it may be absolutely critical to respond rapidly to isolate the infection.
Mobilising full emergency incident response capabilities may not be applicable or appropriate in every situation. You need to understand as much about what you are dealing with as you can. For example, who is the attacker? How was the attack introduced? When did the attack occur? What data or systems have been compromised? Is the attack ongoing? Why were we the target of the attack?

The goal of triage is to understand the methodology and the extent of the attack as fully as possible, in the shortest possible time.

Information about the incident, the impact, urgency and business impact analysis for the affected data or systems will guide the incident response operation. If possible, the business priorities should be pre-determined and documented in incident response plans.
For organisations with known advanced threat actors, continued covert observation of an attacker to determine their goals and modus operandi may be an objective of the incident response operation for intelligence-gathering purposes, even if the urgency for containment is high. Experienced internal or external incident handlers should be used to inform these decisions.
Once the priority of the incident and the objectives of the response have been defined, it is time to act and allocate activities to the incident response teams.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email
assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

GCHQ-developed phone security open to surveillance

By Cyber SecurityNo Comments

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

The security protocol is used to encrypt Voice Over Internet Protocol (Voip) calls.
In a blog, University College London researcher Steven Murdoch said the encryption process was vulnerable.
GCHQ said it was “totally wrong” to suggest there was a “backdoor” into conversations.
Dr Murdoch did not say that the vulnerability would give direct access to conversations, but that it would make it possible to undermine the system’s security.
The network operator could listen in to calls, or authorise someone else to, and anyone who hacked the system would be able to eavesdrop, he said.

One of Dr Murdoch’s chief concerns was that the security standard has “key escrow” by design – meaning, for example, that a third party has access to data sent between two people in a conversation.

This, he said, is an example of a backdoor. In this case, it could allow an intelligence agency, or the organisation which is using the standard, to intercept phone calls, Dr Murdoch said.
“I think this comes from a conflict of interest within GCHQ in that they are there to prevent spying but they are also there to spy – so they facilitate spying,”
Dr Murdoch added that he was aware of two products which use the standard, both of which are government certified. “They could be in use inside government,” he said.

The protocol in question is known as Mikey-Sakke (Sakai-Kasahara key encryption in multimedia internet keying).

It works by generating encryption keys that are used to encrypt and decrypt voice conversations. Although it is technically possible to create these keys on two separate computers and only share part of those keys publicly, the Mikey-Sakke protocol does not do this.
Instead, keys are distributed by a third party to the conversation participants – the process known as key escrow – meaning that they are much more vulnerable to interception.
It was up to GCHQ, he said, to make the scope of the protocol clear.
“If you don’t explain how you’re going to use it, what systems it’s going to be used in, what the scope and limit of the escrow facility is, then you’re going to get bad publicity,” he said.
A spokesman for GCHQ said: “We do not recognise the claims made in this paper.
“The Mikey-Sakke protocol enables development of secure, scalable, enterprise grade products.”
In a statement, GCHQ added: “Organisations using Mikey-Sakke do not share a common Key Management Server, so it is totally wrong to suggest there is a secret master key or ‘backdoor’ that would allow GCHQ or any other third party to access real time or historic conversations.

What to do first when hit by a cyber attack

By Cyber SecurityNo Comments

At some point, the chances are growing that your business will have to deal with a cyber security incident.

At some point, the chances are growing that your business will have to deal with a cyber security incident.
But when you are under pressure and your team is stressed, people make mistakes.

Crisis patterns over the past decade have changed dramatically. 10 years ago elements such as civil war and oil prices were the top global risks to take into account. Now we see water crisis and extreme weather events taking control of keeping us up at night.

Delaying too long in making critical response decisions may exacerbate the impact of the incident but, conversely, making knee-jerk decisions can cause further damage to the business or hinder a complete response.

There are many ways you may suspect that a security incident has happened, from detecting unusual activity through proactive monitoring of critical systems or during audits, to outside notification from law enforcement and compromised data located in the wild.

However, indicators such as unusual CPU (central processing unit) and network usage on a server may have multiple potential causes, many of which are not information security incidents. So it is vital to investigate further before jumping to conclusions.

Do you have any corroborating evidence? For example, if the IDS (intrusion detection system) detects a brute force attack against the website, do web logs support this having occurred? Or, if a user reports a suspected phishing attack, has this email been received by other users and did the user click on links or open documents?

You also need to think about answering questions about the nature of the incident. Is it a generic malware infection, or an active system hack? Is there an intentional denial of service (DoS) attack in progress and is this an incidence of deliberate insider action?

Once you have confirmed an incident has occurred, you need to take time out from initial response activities to prioritise your actions and decide, definitively, what the business objectives are for the response operation. Incident triage generally consists of classifying the incident in terms of impact and urgency and how it should be handled. The incident response team can then use the impact, urgency and priority evaluation to define the objectives for the incident response operation and assign actions or further investigation, as required.

Impact classifications defined by the National Cyber Security Centre’s (NCSC) GovCertUK and adopted by Crest, the body that represents the technical security industry, may provide a useful point of reference for initial classification based on the perceived or established impact.

Many minor types of incident can be capably handled by internal IT support and security. All events should be reported back to the information security team who will track occurrences of similar events. This will improve understanding of the IT security challenges and may raise awareness of new attacks.

It is not necessary to report on incidents with little or no impact or those affecting only a few users, such as isolated spam or antivirus alerts, minor computer hardware failure and loss of network connectivity to a peripheral device, such as a printer.

The urgency of an incident should also be assessed along with the impact. Some incidents are unlikely to worsen over time, such as the discovery of a historical compromise by a former employee. But in other cases, such as a ransomware outbreak, it may be absolutely critical to respond rapidly to isolate the infection.

Mobilising full emergency incident response capabilities may not be applicable or appropriate in every situation. You need to understand as much about what you are dealing with as you can. For example, who is the attacker? How was the attack introduced? When did the attack occur? What data or systems have been compromised? Is the attack ongoing? Why were we the target of the attack?

The goal of triage is to understand the methodology and the extent of the attack as fully as possible, in the shortest possible time.

Information about the incident, the impact, urgency and business impact analysis for the affected data or systems will guide the incident response operation. If possible, the business priorities should be pre-determined and documented in incident response plans.

Objectives for the incident response team could include:

Resumption of service as quickly as possible, where the affected system is critical in terms of availability for the business.
Rapid ring-fencing and protection of confidential information, where the affected system or network is critical in terms of confidentiality for the business.
Integrity checking of the affected systems, where integrity of data is critical for the business.
Preservation of evidential integrity, where criminal activity is suspected and prosecution is likely to be an outcome of the incident, or where culpability must be established definitively.
Identification of the origin of the threat and gathering intelligence about the activities being conducted during the incident.

For organisations with known advanced threat actors, continued covert observation of an attacker to determine their goals and modus operandi may be an objective of the incident response operation for intelligence-gathering purposes, even if the urgency for containment is high. Experienced internal or external incident handlers should be used to inform these decisions.

Once the priority of the incident and the objectives of the response have been defined, it is time to act and allocate activities to the incident response teams.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Average DDoS attacks fatal to most businesses, report reveals

By Cyber SecurityNo Comments

Criminal activity is top motivation for DDoS attacks as average attacks become strong enough to down most businesses.

Criminal activity is top motivation for DDoS attacks as average attacks become strong enough to down most businesses.

Average intensity distributed denial of service (DDoS) attacks are now great enough to knock most businesses offline, a report has revealed.
According to Arbor Networksí annual Worldwide Infrastructure Security Report, the largest attack reported in the past year was 500Gbps, representing a 60 times increase in 11 years.

There were also reports of attacks of 450Gbps, 425Gbps and 337Gbps, but these are fairly rare, said Gary Sockrider, principal security technologist at Arbor Networks.

Another significant change, he said, is that for the first time in several years criminal activity has replaced hacktivism and vandalism as the top motive for DDoS attacks.

DDoS attacks are being used mostly by cyber criminals to demonstrate attack capabilities, mainly for extortion purposes.
A growing number of businesses are also seeing DDoS attacks being used as a distraction or smokescreen for installing malware and stealing data.
Arbor Networksí survey of more than 350 network operators, including service providers and enterprises, also revealed that complex attacks are increasing.
More than half of respondents reported multi-vector attacks that targeted infrastructure, applications and services simultaneously, up from 42% the previous year.
A third of respondents saw attacks targeting their cloud-based services, up from 19% in 2013 and 29% in 2014, while just over half of datacentre operators saw DDoS attacks saturate their internet connectivity. There was also a 10% increase from 2014 in datacentres seeing outbound attacks from servers within their networks to 34%.
According to the report, firewalls continue to fail during DDoS attacks, with more than half of enterprise respondents reporting a firewall failure as a result of a DDoS attack, up from a third the year before.
Firewalls add to the attack surface and are prone to becoming the first victims of DDoS attacks as their capacity to track connections is exhausted, the report said.
The proportion of enterprise respondents seeing malicious insiders is up on the previous year, from 12% to 17%, and the proportion of respondents reporting security incidents relating to employee-owned devices more than doubled from the previous year to 13%.
However, nearly 40% of all enterprise respondents still do not have tools deployed to monitor employee-owned devices on the network, the report said.
Response to attacks improving
On the positive side, the survey showed an increasing focus on better response, with 57% of enterprises looking to deploy systems to speed the incident response process.
Also, a third of service providers have reduced the time taken to discover an advanced persistent threat (APT) in their network to under one week, and 52% stated their discovery to containment time has dropped to under one month.
Advanced threats are one of the top concerns for enterprise organisations, the survey revealed. Loss of personal information and/or disruption of business processes are perceived as the top business risks from an advanced threat.
2015 also saw an increase in the proportion of enterprise respondents who had developed formal incident response plans, and dedicated at least some resources to respond to such incidents, up from around two-thirds to 75%.
However, it remains a challenge for companies to recruit people with the right cyber security skills to enable them to improve incident preparedness and response, with only 38% of respondents looking to expand their internal teams, down from 46% the year before.
As a result, the report showed an increasing reliance on managed services and outsourced support, with 50% of enterprises and 60% of service providers having contracted an external organisation for incident response and 74% seeing more demand from customers for managed services.

Nearly 30pc SME staff lack cyber threat training

By Cyber SecurityNo Comments

Some 27% of small to medium sized enterprises (SMEs) are failing to educate staff on the threat of a cyber attack.

Some 27pc of small to medium sized enterprises (SMEs) are failing to educate staff on the threat of a cyber attack.

According to research by cyber insurance provider CFC this is despite the fact that nearly fourty per cent of CFC’s claims in 2016 were caused by phishing attacks that could have been avoided with better education and training.

According to CFC, the main reason given for this it that SMEs are “not sure where to start”, which could be a result of not understanding their cyber risk profile, with 20% of SMEs never assessing the business exposure to cyber risk.

In September 2016, a Juniper Research report revealed that 74% of UK SMEs think they are safe from cyber attack, despite half of them admitting having suffered a data breach.

There is still naivety about the significance of a data breach, according to the report, which showed that although 69% of respondents would contact someone immediately if they discovered a cyber breach, 18% would wait until the next working day if they did not consider it a big problem.

CFC reported a 78% rise in cyber claims from 2015 to 2016, with 90% of claims by volume coming from businesses with less than £50 million in revenue, highlighting just how vulnerable SMEs are to relatively unsophisticated cyber attacks.

When SMEs were asked what poses the biggest threat to their business, cyber crime came in second, topped only by Brexit.

Some 31% of IT companies report cyber crime as the main threat, followed by 25% in the manufacturing sector. By comparison, just 8% overall are concerned about traditional crime. Despite these worries, 80% of SMEs still do not buy cyber insurance.

At CFC’s recent Cyber Symposium, Inga Beale, CEO of Lloyd’s, said: “It’s one of the most high profile risks businesses are facing at the moment, and yet CEOs seem to be in denial about its impacts and their ability to deal with it.

“Businesses are either not looking for solutions, or if they are, they don’t know where to find them or understand the value of them. Insurers need to explain the benefits cyber insurance can bring.”

Graeme Newman, chief innovation officer at CFC, said it was worrying to see that 56% of SMEs do not have an incident response plan in place that outlines roles and responsibilities in the event of a cyber attack.

“SMEs must take a two-pronged approach to guarding against an attack – implementing good security and risk management practices along with a strong cyber insurance policy,” he said.

“For SMEs that are time-poor and cash-strapped, cyber insurance policies exist not only to pay for financial losses should their systems be compromised, but also to help them handle and resolve incidents quickly and effectively.”

However, Newman predicted that although only 9% of SMEs are worried about regulatory fines as a result of a cyber attack, that figure is likely to increase once companies are required to comply with the EU’s General Data Protection Regulation (GDPR) from 25 May 2018.

Whereas the UK’s privacy watchdog, the Information Commissioner’s Office, is currently able to issue penalties of up to £500,000, the GDPR will introduce fines of up to €20 million or 4% of an organisation’s annual global turnover, whichever is greater.

This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90 fold increase, from £1.4 billion in 2015 to £122 billion, the Payment Card Industry Security Standards Council (PCI SSC) has calculated, based on the maximum fine of 4% of global turnover.

For UK SMEs, this could see regulatory fines for data breaches rise to £52 billion, a 57 fold increase, averaging £13,000 per SME.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Only 5% of FT 100 cos have cyber board member expertise

By Cyber SecurityNo Comments

Only 5% of FT 100 company boards have a board director with specialist technology or cyber security experience, according to research by Deloitte.

Only 5% of FT 100 company boards have a board director with specialist technology or cyber security experience, according to research by Deloitte.This is despite cyber risk being identified as a principal risk by the vast majority of them. Of the type of cyber attacks disclosed as a threat, unauthorised access to systems ranked most common (19%), followed by hacking (13%) and malware (13%). Distributed denial of service (DDoS) attacks were only mentioned by five companies, despite Deloitte predictions that we could see ten million DDoS incidents in 2017.

More than half of companies mentioned cyber contingency, crisis management or disaster recovery plans in their annual report. Of these, however, only 58% disclosed that these plans had been simulated in test scenarios over the year.

The most commonly disclosed potential impacts of cyber breaches were business disruption (68%), reputational damage (58%), and data loss (45%).

Clearly, the more frequently and stringently mitigation plans are tested, the more resilient and responsive the company. Interestingly, very few reports identified employee action as one of their cyber security threats. Company employees are, knowingly or unintentionally, the most common cause of a cyber breach.

Deloitte’s analysis proposes seven principles to improve cyber disclosure when finalising reporting:

  • Every sector, although not every company, identifies cyber as a principal risk – think carefully if you have not done so.
  • The value destruction capability of cyber risk is very high, ranging from remediation demands to huge reputational damage. Detailed disclosure is therefore worthwhile to highlight the risks to shareholders and let them know you are taking it seriously.
  • The better disclosures are company specific, year specific and provide sufficient detail to give meaningful information to investors and other stakeholders.
  • Boards and board committees are increasingly educating themselves about the cyber threat and challenging management on how they are dealing with the risk.
  • Companies should take credit for what they are doing, including describing who has executive responsibility, board level responsibilities, the policy framework, internal controls, and disaster recovery plans.
  • Boards should think about what could be missing from their disclosures, for example a clear indication of the main threats facing the company, who poses those threats, the likelihood, possible impact and detail about what the company – and the board – is doing to manage or mitigate those particular risks.
  • Finally, if your disclosure does not look strong enough after taking credit for what the company is doing already, it is time to ask whether you are actually doing enough to manage cyber risk.

The report can be found at: https://www2.deloitte.com/uk/en/pages/press-releases/articles/just-5-of-ftse-100-companies-disclose.html

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email safe@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Cost of Yahoo hack shows executive cyber security responsibilities

By Cyber SecurityNo Comments

Yahoo’s recent hacks reinforces the responsibilities on board executives for cyber security as the data losses have  cost its top lawyer his job, CEO Marissa Mayer millions in bonuses, and $350 million off its sale price.

Cost of Yahoo hack shows executive cyber security responsibilitiesThe Yahoo board has decided to withhold CEO Marissa Mayer’s 2016 annual bonus in connection with a series of data breaches and accepted her offer to forego her 2017 stock award.

The SEC filing also revealed that general counsel Ronald Bell has resigned without severance pay after an independent committee brought in to investigate the breaches concluded that the Yahoo management team failed to respond effectively to the breach discovered in 2014.

The investigation report said that although Yahoo’s security team had uncovered evidence that a hacker backed by an unnamed foreign government had breached user accounts in 2014, executives “failed to act sufficiently” and that the incident “was not properly investigated and analysed at the time.”

The investigation revealed that at the time the breach was discovered, Yahoo notified only 26 people that their accounts had been breached.

“The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters,” according to the SEC filing.

Yahoo did not disclose the 2014 breach until September 2016, when it began notifying holders of 500 million accounts that associated email addresses, birth dates, security question answers, and other personal information may have been stolen.

Don’t forget that this hack also effected BT and Sky email users- as they use the Yahoo email system as the backbone for their own white label systems.

Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about one billion accounts.

However, the SEC filing revealed that 32 million user accounts have also been accessed over the past two years by state-sponsored hackers using forged cookies. Evidence of the intrusions was discovered by an external forensic team investigating the previously disclosed breaches.

According to some security commentators, the news of the 32 million compromised accounts indicates that Yahoo is probably still struggling to understand the true scope of the breaches.

After months of speculation, Verizon announced in February 2017 a revised deal for acquiring Yahoo’s core business that was $350 million less than the original due to revelations of two major data breaches that were made after the deal was signed in July 2016.

The business cost of poor cyber security has been further underlined by the fact that more than 40 lawsuits have been filed seeking damages for the breaches, and Yahoo is facing an SEC probe into whether it appropriately disclosed information about the data breach.

The impact of the breaches hows that a cyber attack could also have a significant impact for companies in merger and acquisition discussions.

While the damage to reputation and brand has always been a primary reason for concern for organisations that were not seen to be implementing sufficient housekeeping and security controls, the real damage to Yahoo’s valuation will ensure that cyber security related issues become an even higher priority.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email safe@cyber139.com or complete the form on our contact page NOWContact Cyber 139

The National Cyber Security Centre officially opens for business

By Cyber SecurityNo Comments

The Queen officially opened the National Cyber Security Centre (NCSC) yesterday- the single, central body for cyber security at a national level.

The Queen officially opened the National Cyber Security Centre (NCSC) yesterdayThe NCSC is core to the government’s National Cyber Security Strategy, which was unveiled on 1 October 2016.

Staff in Victoria, central London, will be joined by experts from GCHQ and the private sector to help identify threats.

At the time, Chancellor of the Exchequer Philip Hammond said: “The new National Cyber Security Centre will provide a hub of world-class, user-friendly expertise for businesses and individuals, as well as rapid response to major incidents.”

Hammond said the government’s 2015 Strategic Defence and Security Review classified cyber as a Tier One threat to the UK, and outlined the actions the government needed to take to secure the country.

According to the National Cyber Security 2016-2021 report, NCSC’s role will be to manage national cyber incidents, provide an authoritative voice and centre of expertise on cyber security, and deliver tailored support and advice to government departments, the devolved administrations, regulators and businesses.

“The NCSC will analyse, detect and understand cyber threats, and will also provide its cyber security expertise to support the government’s efforts to foster innovation, support a thriving cyber security industry, and stimulate the development of cyber security skills,” the report said.

There were 188 cyber attacks classed by the NCSC as Category Two or Three during the last three months.

And even though the UK has not experienced a Category One attack – the highest level, an example of which would have been the theft of confidential details of millions of Americans from the Office of Personnel Management – there is no air of complacency at the NCSC’s new headquarters.

Ciaran Martin, the centre’s chief executive, said “We have had significant losses of personal data, significant intrusions by hostile state actors, significant reconnaissance against critical national infrastructure – and our job is to make sure we deal with it in the most effective way possible.”

As well as protecting against and responding to high-end attacks on government and business, the NCSC also aims to protect the economy and wider society.

The UK is one of the most digitally dependent economies, with the digital sector estimated to be worth over £118 billion per year – which means the country has much to lose.

It is not just a crippling cyber-attack on infrastructure that could turn out the lights which worries officials, but also a loss of confidence in the digital economy from consumers and businesses, as a result of criminals exploiting online vulnerabilities.

A sustained effort was required by government and private sector working together to make the UK the hardest possible target, officials say.

Russia has been the focus of recent concern, following claims it used cyber-attacks to interfere with the recent US presidential election.

“I think there has been a significant change in the Russian approach to cyber-attacks and the willingness to carry it out, and clearly that’s something we need to be prepared to deal with,” Mr Martin said.