Investors target Board Directors for cyber security incidents PT2

Investors are growing concerned that directors are ill prepared for cyber security incidents and technological challenges.

Investors target Board Directors for cyber security incidents

An investor “We want the board to be tech savvy, but we wouldn’t just want it to be a tech board. Our fear is they appoint a tech expert but then no one else on the board is engaged. We want to understand the extent to which all the board is competent.”

Earlier this week, British Airways was forced to vow to compensate passengers after it revealed hackers had stolen data relating to about 380,000 customers from its website and mobile app during a two-week period in August. The data included personal and financial details.

Companies ranging from Equifax to JPMorgan Chase have all suffered data breaches in recent years. Meanwhile, large multinationals from Moller-Maersk to Reckitt Benckinser and FedEx were all forced to warn shareholders that the NotPetya cyber attack in 2017 had hurt profits, potentially costing each company hundreds of millions of dollars.

Ovidiu Patrascu, research analyst at Schroders, says it is crucial that companies have well-resourced cyber security teams that should ideally report directly to the highest levels of the organisation.

“As seen in a number of recent high-profile public failures, data breaches often uncover poor governance practices and weak management at the heart of companies, while also hitting their revenues and intangible assets such as reputation and trust,” he says.

“Cyber risk should also not just be the preserve of tech specialists — company boards also need to ensure they understand and can effectively oversee these very particular risks,” he adds.

A 2017 study by the Ponemon Institute, a research centre, found that there had been a 22.7 per cent rise in the cost of cyber security for businesses in just one year. It also found a 27.4 per cent rise in the number of data breaches at businesses, based on 2,182 interviews from 254 companies in seven countries — Australia, France, Germany, Italy, Japan, the UK and the US.

A follow-up study in 2018 found that the average cost of a data breach globally is $3.86m, a 6.4 per cent increase from the 2017 report. It also warned that so-called “mega breaches”, ranging from 1m to 50m records lost, could cost companies between $40m and $350m to deal with.

For many investors, the fact that a huge technology company such as Facebook could suffer a data breach has hit home how vulnerable smaller or less tech-savvy businesses could be. In July, Britain’s Information Commissioner’s Office hit Facebook with its first financial penalty over the data leak to Cambridge Analytica, accusing the social network of breaking the law.

A big investor at a large asset manager says that he wants boards to be able to explain where their key vulnerabilities are and whether they have stress tested the financial impact of tech issues. “We think every board member should be able to speak about this issue. They need to know where they are vulnerable, what the impact could be and how the board would respond,” he adds.

Mr Krefting says he wants the businesses M&G invests in to clearly outline in their reports and accounts what risks they face when it comes to technology and cyber security. “When we talk to companies about this, they often clam up — either because the CEO or chair doesn’t know about it or it is delegated to the chief information officer or someone below the board, or they say this is too sensitive.”

But he adds: “We want policies on governance and structures and how they are approaching cyber. We don’t necessarily need to know how many times they were faced with attempted hacks last week, but we want to see processes and that they are doing testing and that the right controls are in place.”

This article was first published by the Financial Times at https://www.ft.com/content/c70caa94-2d88-3ece-b802-79e9bac2f32c.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Investors target Board Directors for cyber security incidents

Investors are growing concerned that directors are ill prepared for cyber security incidents and technological challenges.

Investors are growing concerned that directors are ill prepared for cyber security incidents and technological challenges.

Facebook has been hit with a fine, a slowdown in user growth and a fall in its share price since news of the Cambridge Analytica data scandal broke in March.

In the months since, the social media company’s handling of the scandal — where data was improperly obtained from up to 87m users — has been heavily scrutinised by regulators, politicians and users.

Facebook chief operating officer Sheryl Sandburg last week testified before Congress, facing hours of questioning from the Senate Intelligence Committee. She said the company was “strengthening our defences” against targeted hacking and data collection.

It is also being closely watched by corporate governance specialists at big asset managers who are increasingly concerned that senior management and board directors at listed businesses across the world are ill-prepared for potential data breaches and other technology problems.

“We see cyber security as a key emerging risk,” says Rupert Krefting, head of corporate finance and stewardship at M&G Prudential, which oversees £342 billion in assets. “It is hard for us to judge if management and board directors at listed businesses really do know the technology risks because they are not prepared to talk about it.”

Now a growing number of investors are demanding that directors ensure they are well versed in the technology issues their companies could face.

number cyber data breaches by company type

Please use the sharing tools found via the share button at the top or side of articles. Copying articles to share with others is a breach of FT.com T&Cs and Copyright Policy. Email [email protected] to buy additional rights. Subscribers may share up to 10 or 20 articles per month using the gift article service. More information can be found here.
https://www.ft.com/content/c70caa94-2d88-3ece-b802-79e9bac2f32c

Leon Kamhi, head of responsibility at Hermes Investment Management, says the asset manager is engaging “heavily” on the issue. “Cyber security risk is a big issue,” he says. “IT skills on boards can be really important in order to challenge what a head of IT is doing at the inside. Boards need to be on top of it.”

“We want the board to be tech savvy, but we wouldn’t just want it to be a tech board. Our fear is they appoint a tech expert but then no one else on the board is engaged. We want to understand the extent to which all the board is competent.”

The introduction of stringent European data protection rules earlier this year has also prompted investors to ask tough questions about how well companies are coping with technological changes. The General Data Protection Regulation, which came into effect in the EU in May, has reshaped how companies can collect, use and store personal information. Companies face fines of up to 4 per cent of global turnover or €20m, whichever is greater, if they fall foul of GDPR.

Mr Kamhi says that if companies do not step up on cyber security issues there is a risk they will be hit with even more legislation.

Many investors believe the potential issues companies could face linked to technology are far reaching. As well as being “disrupted” — meaning technological solutions could be developed that upend their business model — companies that hold consumer information are at risk of data breaches. There are also concerns about hacks or cyber attacks which could damage business brands and cost businesses millions of dollars.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOW
Contact Cyber 139

Small business needs to reduce cyber security threat to payment card data

Small business’ cardholder data is a prime security target for cyber criminals – which is only likely to increase in the coming year.

Small business' cardholder data is a prime security target for cyber criminals - which is only likely to increase in the coming year.

Despite investment in security and compliance, 2018 shows no signs of high profile hacks slowing down, with most security suppliers predicting the ransomware attacks that dominated 2017 will continue, driven by an increase in the providers of ransomware as a service (RaaS).

This cyber criminal business model is expected to increase the potential for even non technical attackers to target poorly secured organisations and consumers – which means businesses will need to step up their cyber defences more than ever before.

However, this rising threat can be mitigated with the introduction of controls required to secure this data under the Payment Card Industry Data Security Standard (PCI DSS), according to secure payments firm PCI Pal.

Breached organisations demonstrated lower compliance with 10 out of the 12 PCI DSS key requirements, according to the Verizon 2017 payment security report.  Whilst compliance does not guarantee an organisation will not be breached, the data shows that failure to comply almost certainly means they will be breached.

“Businesses may not be able to reduce the number of incoming threats but, by ensuring PCI DSS compliance, they can certainly reduce the success rate,” said James Barham, chief commercial officer at PCI Pal.

To date, he said, the vast majority of security investment has focused firmly on keeping cyber criminals out, but that only works to a certain extent. “Because there is much greater impetus for the hackers to devise new methodologies to gain access and the security industry at large is only ever playing catch up, but we expect 2018 to see a step change in the mentality of data protection from trying to keep people out, to simply ensuring there is no data for them to take,” he said.

If businesses can remove the valuable data from their environments, said Barham, it no longer matters if there is a breach. “De-scoping PCI data will increasingly become the method of choice for businesses augmenting their intrusion prevention positions next year,” he said.

Businesses typically reduce the scope of their PCI DSS compliance by reducing or eliminating the cardholder data they store and switching to third party payment service providers.

Similar strategies can be used to reduce the likelihood of failure to comply with the EU’s General Data Protection Regulation (GDPR) after the compliance deadline of 25 May 2018.

Due to the significant financial penalties that will be imposed in the event of a breach, non-compliance will not be an option for the vast majority of businesses,” said Barham.

Another reason he believes businesses are likely to de-scope is that another round of changes to the PCI DSS is scheduled for July 2018.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

ICO fines Carphone Warehouse £400K over data loss

Carphone Warehouse has received one of the highest fines by the ICO after putting it’s clients’ personal data at risk.

Carphone Warehouse has received one of the highest fines by the ICO after putting it's clients' personal data at risk.

The UK privacy watchdog – the Information Commissioner’s Office (ICO) warns that more stringent data protection laws will apply from 25 May 2018, with potentially much greater fines.The Information

According to the ICO, the personal data at Carphone Warehouse was exposed in a cyber attack because of the company’s failure to protect the data from unauthorised access.

The compromised customer data included names, addresses, phone numbers, dates of birth, marital status and, for more than 18,000 customers, historical payment card details.

The records for some Carphone Warehouse employees, including name, phone numbers, postcode and car registration, were also exposed.

In determining the monetary penalty, the ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused.

Information Commissioner Elizabeth Denham said that a company as large, well resourced and established as Carphone Warehouse should have been actively assessing its data security systems and ensuring that systems were robust and not vulnerable to such attacks.

“Carphone Warehouse should be at the top of its game when it comes to cyber security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures,” said Denham.

Following a detailed investigation, the ICO identified multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information.

Using valid login credentials, intruders were able to access the system via an out of date version of WordPress software.

The incident also exposed inadequacies in the organisation’s technical security measures. The ICO said important elements of the software in use on the systems affected were out of date and the company had failed to carry out routine security testing.

The ICO said its investigation had revealed a serious contravention of Principle 7 of the Data Protection Act 1998, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

According to Denham, the real victims are customers and employees whose information was open to abuse by the malicious actions of the intruder.

“The law says it is the company’s responsibility to protect customer and employee personal information,” she said. “Outsiders should not be getting to such systems in the first place. Having an effective layered security system will help to mitigate any attack – systems can’t be exploited if intruders can’t get in.

“There will always be attempts to breach organisations’ systems and cyber attacks are becoming more frequent as adversaries become more determined. But companies and public bodies need to take serious steps to protect systems and, most importantly, customers and employees.”

From 25 May this year, the law will get more stringent as the General Data Protection Regulation (GDPR) compliance deadline is reached, the ICO said.

Data protection by design is one of the GDPR’s requirements, the regulator said, and must be in every part of information processing, from the hardware and software to the procedures, guidelines, standards and polices that an organisation has or should have.

Companies and public bodies should ensure strong IT governance and information security measures are in place, tested and refreshed to comply with the provisions of the law, the ICO said.

Failure to comply with the GDPR requirements will put companies at risk of fines of up to €20m or 4% of their global annual turnover.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Digital identity needs to be cyber security priority in 2018

Protecting digital identities and protecting employees are key cyber security challenges for 2018.

Protecting digital identities and protecting employees are key cyber security challenges for 2018

The issues of protecting digital identity, gaining data visibility and protecting employees are key cyber security challenges for 2018 according to the cyber security 2018 predictions report by security firm FireEye.

“The idea that you can get someone’s date of birth, and their Social Security number and steal their identity and do fraudulent tax refunds, or try to get a loan or credit card – that has to change,” FireEye said.

“This has to happen. Otherwise, every five months, we’re going to have another huge data breach,” they warned.

In addition to the imperative of finding a better way to manage identity, RedEye said it was also important to find a way of dealing with international privacy.

On the topic of nation state actors in the cyber realm, RedEye considers Iran the most interesting country to watch, rather than Russia, China or North Korea.

RedEye said while Iran started “acting at scale” in 2017, the extent of that activity was not really known. “We don’t know if we are seeing 5% of Iran’s activities, or 90% – although I’m guessing it’s closer to 5% – but they’re operating at a scale where, for the first time in my career, It feels to me that the majority of the actors we’re responding to right now are hosted in Iran, and they are state sponsored,” they said.

On the topic of cloud security, RedEye claimed better visibility was of paramount importance. I know that a lot of people are depending on the cloud, and we need visibility.

“Many of these cloud providers are providing it, but we don’t always have security operations that can take advantage of that visibility and see what’s happening,” he said.

An area many companies are still overlooking, RedEye said, is protecting employees from cyber attack.

He said companies needed to consider whether hackers could access corporate accounts through hacking employees’ private accounts, or if they could make it appear as though they have hacked the enterprise.

“There are hackers out there who will hack an employee at a company, and they will post any document they can get, and they will say they hacked the company even if they haven’t. It’s a reputational thing – while it’s hard to gauge the public response to these types of incidents, right now many companies are being deemed irresponsible or negligent or compromised when they are none of those things,” he said.

RedEye said all security professionals should be thinking about what employees are doing when they go home, how they can be secured, how they can be helped, what policies are needed and how those policies could be enforced.

They advised that all organisations moving into the cloud should know everything that is going on.

While there are bound to be new, interesting attacks in 2018, organisations should be preparing for modified versions of current attacks

“For instance, do you have places where documents are getting uploaded and then going into your back office? That’s a good place to ensure there is some high-grade detection, beyond an antivirus scanner. Because you essentially have unauthenticated input going directly into the key parts of your organisation.”

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Cyber security skills shortage can be addressed

The shortage of cyber security skills can be addressed according to the information security professional training and certification body (ISC)2

The shortage of cyber security skills can be addressed according to the information security professional training and certification body (ISC)2

There could be up to 1.8 million information security related roles unfilled worldwide by 2022, according to the latest Global information security workforce study from (ISC)2, but the organisation believes there are ways to address this potential shortfall.

“It makes no sense that we have employment issues for veterans and other communities on the one hand, and information security jobs being unfilled on the other,” according to John McCumber, director of cyber security advocacy at (ISC)2.

In this newly created role of advocacy for the information security profession, McCumber is engaging with the governments on issues such as workforce development and supporting information security professionals in the work they do.

McCumber, who has been working in information security in military, national security and civilian roles for the past 30 years, argues that in the light of the fact that there are jobs for people coming out of trade schools, there is no reason that aspects of cyber security cannot be turned into trades.

“By treating cyber security as a trade, it will enable school leavers to get some basic skills without having to do a four-year course and to provide valuable services in well-paid jobs in the cyber security field,” he said. “There are a lot of productive jobs in the cyber security field that do not need a four-year degree.”

The training is aimed at enabling veterans to join the (ISC)2 associate membership programme, which provides them with the experience required to qualify for various information security certifications.

“By enabling veterans to get certified as information systems security professionals, systems security practitioners and cloud security professionals, we are able to connect them with well-paying jobs,” said McCumber.

McCumber predicts that cyber security jobs will also begin changing in future as new technologies enable organisations to automate a lot of their cyber attack responses.

“Things like penetration testing are also likely to be automated with advances in so-called artificial intelligence, so (ISC)2 is working with information security professionals to position themselves for the new world of work and show organisations how they can help them understand their cyber risk and provide an objective way of managing that risk,” he said.

“As a result, that projected 1.8 million cyber security skills gap will not look as insurmountable in two to three years’ time,” he said.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139