Defence minister opens £3m cyber security centre in

July 14, 2017July 21, 2017 By Cyber SecurityNo Comments

UK minister for defence procurement has opened a new cyber security centre aimed at boosting UK cyber defence capability and skills.

The Cyber Works centre, which employs 90 people, will enable Lockheed Martin to work more closely with UK partners to share knowledge and best practice, undertake research and develop new cyber defence capabilities.

In February 2017, Lockheed Martin announced that it would support the UK government’s CyberFirst scheme to inspire and support young people considering roles in cyber security.

The Cyber Works centre is designed to deliver cyber capabilities to UK government as well as support the development of skills and careers in cyber security and intelligence.

Harriett Baldwin, UK minister for defence procurement, said that with its £1.9 billion National Cyber Security Strategy, the country is a world leader in the field.

“The opening of today’s cutting-edge centre is a great example of how partnerships with industry are at the heart of that strategy,” she said. “Together, we are developing solutions to national security risks.”

A key part of the Cyber Security Strategy is partnerships with industry, with £10 million being invested in a new Cyber Innovation Fund to give startups the boost and partners they need

Baldwin said the UK is already leading Nato in its support for offensive and defensive operations in the fight against Islamic State (IS) and complex cyber threats. “This centre will further boost the UK’s cyber capabilities,” she said.

Lockheed Martin is the world’s largest aerospace and defence company and a longstanding leader in the fields of cyber security and intelligence.

The company pioneered the development of the cyber kill chain, an analysis method for cyber network defence that has been broadly adopted across industries and sectors.

Lockheed Martin is also a top provider of capabilities to defence and intelligence communities around the world and operates facilities to defend its own networks across 70 countries.

As well as investing in the new facility, Lockheed Martin plans to take part in the National Cyber Security Centre’s £6.5 million CyberInvest scheme to support cutting-edge cyber security research in the UK.

With National Offensive Cyber Planning allowing the UK to integrate cyber into all of its military operations, defence plays a key role in the country’s cyber security strategy, according to the Ministry of Defence (MoD).

Offensive cyber is being routinely used in the war against IS, not only in Iraq but also in the campaign to liberate Raqqa and other towns on the Euphrates, the MoD said.

In defence, the MoD said the £800m Innovation Initiative has already boosted investment in UK research and business, with multimillion-pound competitions to develop artificial intelligence and automated systems.

In January next year, the ministry will open a dedicated state-of-the-art Defence Cyber School at Shrivenham, bringing together all military joint cyber training into one place.

The MoD also has a key role to play in contributing to a culture of resilience, which is why the Defence Cyber Partnership Programme was set up to ensure its industrial partners protect themselves and meet robust cyber security standards, the ministry said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Major cyber incidents accelerating, says NCSC

July 4, 2017July 21, 2017 By Cyber SecurityNo Comments

The UK is seeing an acceleration in major cyber security incidents, according to the country’s cyber security protection agency.

In the eight months since inception, the UK’s National Cyber Security Centre (NCSC) has recorded 480 major cyber incidents requiring its attention.

However, there has been big rise in these types of incidents in the past few months, in part due to an improved ability to spot them and a greater willingness to report them, according to John Noble, director of incident management at the NCSC.

“This increase in major attacks is mainly being driven by the fact that cyber attack tools are becoming more readily available, in combination with a growing willingness to use them,” he told The Cyber Security Summit in London.

Although the WannaCry ransomware attacks in May 2017 came very close, Noble said there had been no C1-level national cyber security incidents to date.

The majority of the major incidents the NCSC has dealt with were C3-level attacks, typically confined to single organisations. These account for 451 incidents to date.

The remaining 29 major incidents were C2-level attacks, significant attacks that typically require a cross-government response.

Across these nearly 500 incidents, Noble said there were five common themes or lessons to be learned.

1. There is still a need for organisations to get the basics right

“We are still seeing organisations that are not getting the basics right, like software security patching, antivirus updating and putting in basic protections and controls for system administrators, who are typically big targets for attackers to steal their credentials,” said Noble.

2. Failure to get the balance right between usability and security

“In the vast majority of incidents we see, victim organisations have got this balance wrong, leaning too far in the direction of convenience and usability leading to things like logging being turned off to optimise performance,” said Noble.

“The decision-making around where to strike that balance is typically confused because of the complexity of the enterprises being defended, and because of a lack of understanding about what they are trying to prevent and which data really matters,” he said.

3. Legacy systems and equipment

The existence of legacy systems and equipment in the enterprise presents opportunities to attackers, said Noble. “Often, when we investigate incidents, we find it is in the legacy systems that the compromise has begun,” he said.

4. Outsourcing

“In early 2017, we reported on a major compromise of managed service providers, which provide a tremendous opportunity for bad actors,” said Noble, alluding to Operation Cloud Hopper that was uncovered in April.

“MSPs enable attackers to obtain security credentials in one country, traverse across their network, and then compromise a company or series of companies in another country, and exfiltrate the data through a third country,” he said.

In response, Noble said the NCSC had published a list of questions organisations should ask their MSPs in terms of security.

“Similarly, organisations need to understand the security implications of their supply chains, who they are connecting up to, and what risks are involved,” he said.

5. Mergers and acquisitions

In mergers and acquisition, cyber security is often overlooked in the due diligence process, said Noble. “As a result, the cyber risk is not understood and not addressed effectively,” he said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

UK needs urgent response to online fraud, says NAO

June 30, 2017July 21, 2017 By Cyber SecurityNo Comments

Online fraud is the most common crime in England and Wales and needs an urgent response according to the Parliament’s public spending watchdog.

While tackling online fraud is complex, the Home Office’s response is not proportionate to the threat, according to the National Audit Office (NAO).

Although the City of London Police is the national lead force for online fraud and runs the Action Fraud national centre for reporting fraud, police and crime commissioners and chief constables are responsible for policing in their local areas.

Despite the fact the face of crime is changing, the NAO’s report said police forces take different approaches to tackling online fraud and for some it is not a priority. Only 27 out of 41 police and crime commissioners refer to online fraud in their most recent annual police and crime plans.

“For too long, as a low value but high volume crime, online fraud has been overlooked by government, law enforcement and industry,” said Amyas Morse, head of the National Audit Office.

“It is now the most commonly experienced crime in England and Wales and demands an urgent response. While the Home Office is not solely responsible for reducing and preventing online fraud, it is the only body that can oversee the system and lead change.

“The launch of the Joint Fraud Taskforce in February 2016 was a positive step, but there is still much work to be done. At this stage, it is hard to judge that the response to online fraud is proportionate, efficient or effective,” he said.

In the year ending 30 September 2016, the Office for National Statistics (ONS) estimated that there were 1.9 million estimated incidents of cyber-related fraud in England and Wales, or 16% of all estimated crime incidents.

Online fraud includes criminals accessing citizens’ and businesses’ bank accounts, using their plastic card details, or tricking them into transferring money.

“Hidden” crimes require new and different responses yet, despite the level of economic crime, statistics suggest police forces remain more focused on traditional crimes, the report said, highlighting that in 2016, one in six police officers’ main function was neighbourhood policing, while only one in 150 police officers’ main function was economic crime.

According to the NAO, the Joint Fraud Taskforce set up by the Home Office to raise awareness of online fraud, reduce card not present fraud and to return money to fraud victims is a positive step. But the report said the Home Office faces a challenge in influencing other partners such as banks and law enforcement bodies to take on responsibility for preventing and reducing fraud. The report said £130mis held in banks that cannot accurately be traced back and returned to fraud victims.

In addition, without accurate data, the report said the Home Office does not know whether its response is sufficient or adequate.

Measuring the impact of campaigns and the contribution government makes to improving online behaviours is challenging, according to the NAO.

According to the NAO, the growing scale of online fraud suggests that many people are still not aware of the risks and that there is much to do to change behaviour. In addition, the report said that different organisations running campaigns, with slightly different messages, can confuse the public and reduce the campaigns’ impact.

While educating consumers is sensible, the NAO said government and industry still have a responsibility to protect citizens and businesses. The report said the protection banks provide varies, with some investing more than others in educating customers and improving their anti-fraud technology. The ways banks work together in responding to scams also needs to improve.

Although there are examples of good practice in protecting people against online fraud, such as Sussex Police’s initiative to help bodies such as banks and charities identify potential victims, the NAO said there is no clear mechanism for identifying, developing and sharing good practice to prevent people becoming victims.

The government wants the police and judiciary to make greater use of existing laws, but the NAO found that stakeholders had mixed views on the adequacy of current legislation. The international and hidden nature of online fraud makes it difficult to pursue and prosecute criminals because of the need for international co-operation and an ability to take action across borders, the report said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

How to prevent cyber security attacks and protect your organisation

June 15, 2017July 1, 2017 By Cyber SecurityNo Comments

Taking action in 10 key areas can prevent cyber security attacks and protect your organisation against the risk of breaches.

A classic example of this is that attackers are relying less on malware and using administrative tools built into operating systems such as Microsoft Windows instead.

Similarly, fewer attackers are using round the clock communications with their command and control servers to avoid detection by security tools that monitor for such communications.

Attackers are also developing anti-forensics techniques, by determining what artefacts such tools are using and then either avoiding using them or ensuring that they wipe then as part of the attack.

Increasingly common ways of getting into organisations, include carrying out phishing attacks through compromised email accounts of the friend, partners, clients and colleagues of their target person and through subscribed mailing lists that tend to be trusted by recipients.

We are also seeing the use of publicly available information from a variety of sources to be able to reset account passwords to take control or to create subdomains of legitimate organisations to trick people into sharing their usernames and passwords.

Cyber defenders should also be aware that attackers are increasingly breaching branch or overseas office networks so they can use various techniques to hop over to the main network and exploiting undisclosed vulnerabilities in publicly available portals, such as password reset portals.

We are seeing attackers using a webshell on web servers to issue commands, using tools such as Mimikatz and Mimikittenz to extract passwords from computer memory, using task scheduler to execute commands, using tunnelling tools such as Tunna Webshell on a compromised webserver to hop around networks, and using signed binaries to run malicious code in dynamic link libraries (DLLs).

Steps to improve your cyber security protection

1) There needs to be a mindset shift. Organisations need to understand that if they have any data of value, attackers will come after them. Having a protection plan of highest risk assets is one thing, but organisations need to ask if they can detect unauthorised access to the assets.
2) Know where there is a security risk. We often hear that organisations are unaware of the existence of a server or that it contained sensitive data.
3) Organisations need to understand that it is not enough to secure the data on servers because there is a lot of sensitive data on endpoints. Organisations often overlook data in emails, spreadsheets, browser password and session cookies.
4) Avoid single factor authentication, not just for the main VPN access, but whatever other public portals an organisation has, such as Outlook Web Access (OWA).
5) Consider advanced threat detection systems to get more context on threats. Remember, real attacks start when attackers get inside the environment and pose like insiders.
6) Avoid burn out for cyber security administrators. When you hire top talent for security innovations, don’t give them the day to day stuff that consumes most of their time as continuity in a security team is a good thing as it ensures defenders know as much or more than attackers about their IT environment, instead of the other way around.
7) Pay attention to systems that have propagation capabilities. This includes security tools like antivirus servers, Microsoft SCCM and file integrity management servers because attackers like to use a victim’s security tools against them.
8) Whitelisting security systems are not enough. Defenders need to understand what built-in Windows applications could cause them harm. Monitor logs like you mean it, not just for compliance. Network metadata should be retained for monitoring and investigations.
9)Invest in a threat hunting programme to scan proactively for attackers’ techniques, tactics and procedures. The goal should be to stop attackers before they complete the full attack.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Europe faces shortage of 350,000 cyber security professionals by 2022

June 6, 2017June 9, 2017 By Cyber SecurityNo Comments

European companies are expected to go on the world’s biggest cyber security hiring spree in the next 12 months, driving demand for cyber talent that will far outstrip supply, a report has revealed

Nearly 40% of European firms want to grow their cyber security teams by at least 15% in the next year, according to the latest report based on the 2017 Global Information Security Workforce Study.

The study, commissioned by information security certification body (ISC)2, is based on a survey of 19,000 cyber security professionals around the world, including nearly 3,700 respondents in Europe.

Although European organisations have the most ambitious hiring targets in the world, two thirds say they currently have too few cyber security professionals.

Europe faces a projected skills gap of 350,000 workers by 2022, according to the report, which calls for employers to do more to embrace newcomers and a changing workforce.

The study revealed that 92% of hiring managers admit they prioritise previous cyber security experience when choosing candidates, and that most recruitment comes from their own professional networks.

Hiring managers also admitted that they are relying on their social and professional networks (48%), followed closely by their organisation’s HR department (47%), as their primary source of recruitment.

Globally, the report shows that strong recruitment targets, a shortage of talent, and disincentives to invest in training are contributing to the skills shortage, with 70% of employers around the world looking to increase the size of their cyber security staff this year.

The demand is set against a broad range of security concerns that continue to develop at pace, the report said, with the threat of data exposure clearly identified as the top security concern among professionals around the world.

Concern over data exposure is linked to new regulations aimed at enhancing data protection around the world, including Europe’s General Data Protection Regulation (GDPR).

The deadline for compliance with the GDPR is 25 May 2018. After that date, organisations found in breach of the regulation faces fines of up to €20m or 4% of global turnover, whichever is greater.

The report describes a revolving door of scarce, highly paid workers with an unemployment rate of just 1% in Europe.

Organisations are struggling to retain their staff, with 21% of the global workforce saying they have left their jobs in the past year, and facing high salary costs, with 33% of the workforce in Europe in particular making more than £78,000 ($100,000) a year.

“The combination of virtually non-existent unemployment, a shortage of workers, the expectation of high salaries, and high staff turnover that only increases among younger generations creates both a disincentive to invest in training and development and a conundrum for prospective employers of how to hire and retain talent in such an environment,” the report says.

The report recommends that organisations adapt their approach to recruitment and draw from a broader pool of talent. This is backed by findings that show workers with non-computing-related backgrounds account for nearly one-fifth of the current workforce in Europe and that they hold positions at every level of practice, with 63% at manager level or above.

The report also highlights a mismatch between the skills recruiters are looking for and workers’ priorities for developing a successful career, suggesting skillsets may not be keeping pace with requirements.

Currently, the top two skills workers are prioritising include cloud computing and security (60%) and risk assessment and management (41%), while employers prioritise looking for communication (66%) and analytical skills (59%). Only 25% and 20% of workers are prioritising communication and analytical skills, respectively.

Other recommendations include:

Looking beyond social and professional networks as the main channel of recruitment to open doors for new, younger and more diverse talent.
Accepting the need to invest in development and training because more talent is needed to stem the high levels of movement on job markets.
Better communication of current employer requirements because workers prioritise different skills for their professional development than what employers look for in the workforce.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Top UK firms’ websites violate key GDPR principle

June 1, 2017June 9, 2017 By Cyber SecurityNo Comments

Over one third of all the public web pages of leading UK companies that collect personal information violate a key principle of new European data protection

With just a year to go before the deadline to comply with the EU General Data Protection Regulation (GDPR), many UK firms’ websites are capturing personal data insecurely, a study shows.

More controls are needed because most data capture forms found on websites fall within the scope of the GDPR, according to new research by digital threat management firm RiskIQ.

h3::
The EU regulation requires that provisions should be in place to ensure that personally identifiable information (PII) is captured and processed securely.

In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.

The study revealed that 34% of web pages of FT30 firms that collect PII are doing so insecurely, 29% are not using encryption, 3.5% are using vulnerable encryptions algorithms, and 1.5% have expired security certificates.

While the insecure collection of PII is a violation of the GDPR, the study said the loss of personal data, profit and reputation resulting from the use of insecure forms is a legitimate concern for consumers and shareholders.

In addition to personal claim liability, Article 83 provides guidance on fines for GDPR faults, which start at €10m or 2% of global annual turnover for the preceding financial year, whichever is greater – or even double, depending on the infraction.

This applies to all companies actively engaging with European citizens, regardless of whether the firms have a physical presence in Europe.

The GDPR also requires companies to state clearly at the point of capture how they will use an individual’s data. Permission to use their data must be explicit and demonstrated through an action such as ticking a box – a significant departure from the “opt out” process most organisations currently have in place.

The challenge for large, global organisations is the sheer volume and complexity of websites and web applications that need to be accounted for, not only for security purposes, but also for regulatory compliance, such as the GDPR.

Information commissioner Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she called “the biggest change to data protection law for a generation”.

However, 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline and 30.6% said they had no timetable for being GDPR compliant, according to security firm Guidance Software.

Almost 18% said they were in the moderate planning stages and 11% said they were only in the initial stages of implementing processes to ensure compliance.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

People can be strongest link in cyber security, says NCSC

May 26, 2017June 9, 2017 By Cyber SecurityNo Comments

People are often seen as the weakest link when it comes to cyber security, but that must change, says the National Cyber Security Centre (NCSC).

Information security has traditionally been led by technology and, as a result, the role and value of people has been overlooked. That is the view of Emma W, people-centred security team lead at the UK’s National Cyber Security Centre.

From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy. Wake up and get the knowledge to get protected.

The perception of people as the weakest link is unfair and a natural consequence of a technology-led security culture.

“We have not always had people working in cyber security with a deep understanding of human behaviour or the input of psychologists, social scientists and the like to tell us why people behave the way they do.

“As a result, organisations tend to treat users as people who should do as they are told, but they don’t always, and often the reason is because they can’t.

“However, these reasons are often not recognised, and instead users are seen as either being unco-operative or stupid, but this is not true and is a perception that we have to turn around,” she said.

An example of where end-users are typically blamed for failures is around passwords, but many organisations have unreasonable expectations.

Most people find it challenging to remember multiple passwords, especially when organisations insist on long and complex passwords that must be changed regularly.

Instead of being critical of employees who fail to adhere to unreasonable password policies, organisations need to have a more sophisticated understanding of how humans can be a security asset, she said.

“They need to understand that if humans appear to be poor at security, it is because they are being required to do things that are difficult or impractical to do.”

The NCSC believes this indicates a need to reshape the relationship between the IT security team in an organisation and users of the IT systems.

While some information security professionals understand that their role is to support and enable the business, Emma W said less progress has been made in understanding how to relate to end-users.

Users still commonly see security as policing role, she said, and do not feel confident enough or too afraid to talk to security teams about the challenges they have and where they feel the need to bend or even flout security rules in order to get their jobs done, for fear of being sanctioned in some way.

“This is the relationship we need to reshape, and a critical part of that is enabling two-way communication between security teams and the rest of the organisation, rather than users’ current common perception that security just sits in its own silo and tells everybody else what they need to do,” she said.

“In reality, security professionals don’t have all the answers and users have a contribution to make in supplying some of the answers. Security professionals need to start listening to what users are trying to do and understand that they can be the strongest, not the weakest link in security.”

End-users should be viewed as a positive asset who have information that security professionals do not have about how the business runs and how it needs to run, rather than be seen as a liability that has to be managed, said Emma W.

“Security professionals need to review how they gather information about security, so they can get the right support to discover the real problems facing their business and fix them,” she said.

Security professionals also need to understand that occasional security awareness training and a poster-based awareness campaign are no substitute for meaningful two-way communication that enables them to know what people need from security and how security can help to support the business.

“It is about security teams finding out what is really going on in an organisation, and why people are not doing the things the security team want them to do – and it is probably not because people are weak, stupid or deliberately trying to sabotage security efforts,” said Emma W.

“Mostly people are well-intentioned and know what they are supposed to be doing, but they are trying to get a work task done and the organisation is not giving them the right way to do it,” she said, with the result that the task may be getting done, but not in the most secure manner possible.

Where employees feel they cannot work within the system or that they are running the risk of being punished for things beyond their control, they will look for alternative ways of working and that is what gives rise to shadow IT and real work processes being driven underground, she said.

For this reason, the NCSC is championing the view that people are potentially organisations’ strongest link when it comes to cyber security and are encouraging organisations to move towards generating positive, collaborative solutions that give users a chance to show that they are the greatest assets in security, as much as they are in business.

Users are typically blamed for failings around passwords, but this is mainly because most people find it difficult to follow company policies on passwords.

Travelling C-level executives are major risk to business security

May 23, 2017June 10, 2017 By Cyber SecurityNo Comments

C-suite executives logging on to unsecured public Wi-Fi hotspots seem to present one of the biggest security risks to enterprise networks

Close to half of enterprises believe that their C-level executives, including CEOs, present the biggest risk to the business of being hacked through extensive use of unsecured public Wi-Fi hotspots.

This is according to mobile connectivity provider and network aggregator iPass, which, in its latest annual Mobile security report, found that cafés and coffee shops were perceived as the number one risk venue on a list that included airports, hotels, exhibition centres and planes.

The supplier compiled responses from 500 enterprises in France, Germany, the UK and the US to get an overview of how businesses are approaching concerns around mobile device and hotspot security.

The vast majority – 93% of respondents all told – told iPass’ researchers that they were concerned about the security challenges posed by mobile workforces, and almost half said they were very concerned, up several percentage points on the 2016 edition of the report.

In addition, 68% of organisations told the researchers they had banned employee use of free public Wi-Fi hotspots to some extent, up 6% on 2016, and 33% had banned it outright, up 9% on 2016.

“The grim reality is that C-level executives are by far at the greatest risk of being hacked outside of the office. They are not your typical nine to five office worker. They often work long hours, are rarely confined to the office and have unrestricted access to the most sensitive company data imaginable,” said iPass VP of engineering, Raghu Konka.

“They represent a dangerous combination of being both highly valuable and highly available, therefore a prime target for any hacker.

“Cafés and coffee shops are everywhere and offer both convenience and comfort for mobile workers, who flock to these venues for the free high-speed internet as much as for the coffee. However, cafés invariably have lax security standards, meaning that anyone using these networks will be potentially vulnerable.”

Most businesses with concerns over public Wi-Fi were worried about man-in-the-middle attacks, but high numbers also cited a lack of encryption, unpatched network operating systems and hotspot spoofing as major concerns.

IPass said enterprises were more aware of mobile security threats with every year that goes by, but are still finding it hard to balance the need to keep safe – which is more acute than ever – with the productivity boost that being able to work from any location can bring.

In Konka’s view, unfortunately too many enterprises were choosing to simply ban employees from using hotspots outright, which he characterised as detrimental to business health, not to mention largely unenforceable.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Almost a quarter of UK and US firms likely to miss GDPR deadline

May 23, 2017June 10, 2017 By Cyber SecurityNo Comments

Some 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline of 25 May 2018

Only 15.7% of more than 200 UK and US companies polled are in the advanced planning stages of complying with the EU General Data Protection Regulation (GDPR).

It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks. Discover how cyber security expertise can help businesses in the Middle East navigate digital transformations and keep cyber criminals at bay.

Some 17.8% said they were in the moderate planning stages and 11% said they were only in the initial stages of implementing processes to ensure compliance, according to the survey by security firm Guidance Software.

But 24% of the organisations surveyed said they would not be ready by the 25 May 2018 deadline, and 30.6% said they had no timetable for being GDPR compliant, which could expose them to fines of up to €20m or 4% of their annual global turnover, whichever is greater.

Some 14.2% said they would divest EU operations instead of attempting to become compliant with the GDPR.

The survey revealed that bigger companies have made the most progress towards compliance. Some 43% of organisations with revenues of $1bn or more claimed to have processes in place already that can identify data records of any EU citizen and determine where that data is being processed, in comparison to just 26.8% of organisations with under $100m in sales.

The GDPR requires all organisations doing business in EU member countries to comply with new regulations governing the data privacy rights of EU citizens.

However, more than half of the companies surveyed have not yet begun to evaluate third-party products or developer processes to identify the data records of EU citizens.

When asked to prioritise the recruitment and training of a qualified data protection officer, 23.7% ranked it as a high priority, 18.1% said it was a medium priority, and 15.4% named it a low priority.

For all companies, the top three activities to becoming GDPR compliant are:

Use and maintain policies and procedures for the anonymisation and de-identification of personal data (24.9%).
Conduct a full audit of EU personal data manifestation (22.8%).
Evaluate all third party operational partners that access personal data transfers (21.4%).

“With nearly five billion data records exposed in the past four years alone, there is a clear trend towards stronger protection of consumer data, and GDPR is a major first step in that direction,” said Anthony Di Bello, senior director, products, at Guidance Software.

“This data suggests that many organisations are, on the whole, behind schedule for compliance. Security leaders must make GDPR a priority over the next year to avoid major financial penalties,” he said.

To prepare for GDPR compliance, organisations are advised to:

Understand and acknowledge the requirements of GDPR for each specific business.
Conduct an internal audit to determine internal practices that need to change.
Create an incident response plan, including testing and updating procedures.
Identify gaps in technology.
Appoint a qualified data protection officer (DPO).
If there is not already a plan for GDPR compliance, start now.

Guidance Software also advises organisations to:

Monitor efforts at EU level and in member states to prepare for enforcement of the GDPR.
Establish familiarity with the supervising authority or authorities most relevant to operations.
Monitor technical guidance and codes of conduct from relevant EU authorities.
Establish where customer personal data is located, why it is used, and how long it is kept.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

WannaCry biggest incident to date for National Cyber Security Centre

May 18, 2017June 3, 2017 By Cyber SecurityNo Comments

The WannaCry ransomware attack that started on 12 May 2017 is the biggest single incident that the new UK National Cyber Security Centre (NCSC) has faced.

Although the global ransomware attack that heavily affected the NHS was unwelcome, it has provided an opportunity to test systems and raise awareness on key issues, according to Alex Dewdney, director for engagement and advice at the National Cyber Security Centre (NCSC).

“If you wanted to mount a national communications programme to make people sit up and take notice, you couldn’t have designed one better than this,” he told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London.

“I never thought I would hear so many ministers using the word ‘patch’, which has now become part of everyday conversation, so we need to take that opportunity and to build on that.”

Dewdney emphasised that the NHS was not targeted specifically, although NHS networks were affected significantly in the UK. Other UK organisations were affected, but the diversity of victim organisations was much greater in other countries around the world, including Russia.

Although the spread of the ransomware has slowed, it spread initially very quickly by using a specific vulnerability in the Microsoft file sharing protocol sever message block known as SMB to propagate in and between networks.

“In March 2017, Microsoft issued a patch for supported operating systems, and following the attack they issued emergency patches for unsupported operating systems as well,” said Dewdney, noting that while these patches prevent the spread of the infection, they do not help organisations to get back encrypted data.

Dewdney confirmed that the attackers behind the ransomware are still unknown, but he said the level of sophistication is well within the reach of “criminal entities” requiring the NCSC to work at an extremely high tempo. “It is easily the biggest and most complex cyber incident the NCSC has had to manage so far,” he said.

In response to the attacks, the NCSC’s incident management function was called into action. The initial focus was on understanding the technical characteristics of the attack, how it was spreading, and who the victims were.

The incident management team was also working to establish who was behind the attack and what the initial attack vector was, but these questions remain unanswered to a high level of confidence five days after the attack.

The NCSC also started looking at ways to protect victims and potential victims in terms of publishing advice on how to immunise against the ransomware and contain its spread, as well as what to do if already a victim. The NCSC was also working directly with some victim organisations to help put guidance into practice and help remediate.

The incident underlined the importance of partnerships for the NCSC, said Dewdney, including partnerships that were formed to scale the response and make inroads into this problem in a way that the NCSC could not have done on its own.

“We are still working very closely with the National Crime Agency (NCA), which has staff embedded in our teams. The NCA was able to deploy on the ground with victims at scale. They are also a vital source of information and forensic data, as well as analytic and investigative effort,” he said.

The NCSC is also still working with NHS digital and Care Cert. “The size and complexity of the health sector meant that we needed that central docking point to work with, and they did a fantastic job under very difficult circumstances,” said Dewdney.

The role of the NCSC’s industry partners was also absolutely critical, he said. “I cannot emphasise enough how grateful we are for the extent to which our partners in the cyber security industry really leaned in to help and pool the information they were gathering.”

According to Dewdney, the Cisp cyber information sharing platform “really came into its own”, both as a platform for sharing information and for discussion. “We need to build on that as a really key way of getting stakeholders to have live discussions about this kind of problem,” he said.

There was an international aspect too, said Dewdney, including the information that was provided to the international computer emergency response network and collaboration with the US.

At the same time, he said it was a truly national response, with the NCSC quickly establishing contact with authorities in Northern Ireland, Wales and Scotland.

Dewdney also highlighted the importance and the challenges of the media. “I think we did pretty well at pace in briefing senior politicians to speak, preparing ourselves directly in broadcast media, and using our web presence and social media to get the right messages across at the right time.

“LinkedIn proved to be a really important and useful platform, but we didn’t really engage in that, and that is an important lesson for us,” he said.

Overall, Dewdney said the NCSC bringing various organisations together under one roof also really proved its worth.

“There was a lot of consistency in what government was saying – officials, ministers and across our platforms. We achieved a greater consistency and therefore a greater sense of authoritativeness in what we were saying than we would have achieved before the NCSC was set up. We were able to get the messages out quite quickly and provide the assurance that patients’ confidential data had not been stolen,” he said.

However, he admitted that producing specific, usable and helpful guidance was a challenge. “How do you get messages across that are sufficiently technically detailed to be of practical use, but also easy to understand and follow.”

The NCSC decided therefore to publish a set of guidance for enterprises and another set for small to medium-sized enterprises (SMEs) and consumers, which is continually being refined and updated in response to feedback from those communities.

“We are really in the market for feedback around how we are getting those messages across and how they can be improved and made more useful,” said Dewdney.

One of the key lessons learned, he said, was about the power as well as the limitation of advice and guidance.

Dewdney said people are continually told to patch and update the systems, “but the fact is that people don’t always do it, so what we have got to realise as cyber security practitioners is that advice and even instruction is much easier to give than it is to follow”.

“We have to recognise that in the real world competing pressures and hard choices can easily get in the way. So we will continue with those exhortations, but as we mobilise campaigns to really make this happen across government, business, critical infrastructure and for consumers, we need to find the right mix of the ‘stick’ on the one hand and help to overcome those hurdles on the other,” said Dewdney.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW