Wannacry cyber security money laundering attempt thwarted

August 9, 2017August 9, 2017 By Cyber SecurityNo Comments

The Wannacry cyber security ransomware hackers have tried to conceal who they are by using a virtual currency that is more anonymous than Bitcoin.

Victims paid more than £107,000 in bitcoins to recover files scrambled by Wannacry.

Earlier this week the gang behind the attack started to move the bitcoins out of the wallets they were paid into.

But the operators of the exchange they used to swap the bitcoins have now frozen the accounts they used.

Wannacry caught out thousands of firms around the world when it infected computers on corporate networks and encrypted their files, making them useless.

Victims were told to pay between £229 and £458 in bitcoins to have their files unscrambled and return computers to a working state.

Many security experts believed the money paid into three bitcoin wallets set up by the Wannacry creators would never be moved, because there was so much attention focused on who was behind the attack.

Moving the cash might expose key details about the attackers that could be used to track them down.

Whilst no one knows who owns the 3 accounts- the details of the acounts are known to the blockchain community as they can track the specific accounts.

But the bitcoins were moved earlier this week and some were piped to an exchange network called Shapeshift.io in an attempt to convert them to another virtual currency called Monero.

The Monero crypto-currency was set up to be more anonymous than Bitcoin and seeks to hide as much information as possible about every transaction.

The Wannacry gang is believed to have chosen Shapeshift.io for the digital cash transfer because the service can be used without signing up for an account.

However, the attempt to launder the cash via the platform seems to have been thwarted soon after Shapeshift was told what was happening.

Shapeshift said it would block any further attempts to change the Wannacry bitcoins into Monero or any other crypto-currency.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Defence minister opens £3m cyber security centre in

July 14, 2017July 21, 2017 By Cyber SecurityNo Comments

UK minister for defence procurement has opened a new cyber security centre aimed at boosting UK cyber defence capability and skills.

The Cyber Works centre, which employs 90 people, will enable Lockheed Martin to work more closely with UK partners to share knowledge and best practice, undertake research and develop new cyber defence capabilities.

In February 2017, Lockheed Martin announced that it would support the UK government’s CyberFirst scheme to inspire and support young people considering roles in cyber security.

The Cyber Works centre is designed to deliver cyber capabilities to UK government as well as support the development of skills and careers in cyber security and intelligence.

Harriett Baldwin, UK minister for defence procurement, said that with its £1.9 billion National Cyber Security Strategy, the country is a world leader in the field.

“The opening of today’s cutting-edge centre is a great example of how partnerships with industry are at the heart of that strategy,” she said. “Together, we are developing solutions to national security risks.”

A key part of the Cyber Security Strategy is partnerships with industry, with £10 million being invested in a new Cyber Innovation Fund to give startups the boost and partners they need

Baldwin said the UK is already leading Nato in its support for offensive and defensive operations in the fight against Islamic State (IS) and complex cyber threats. “This centre will further boost the UK’s cyber capabilities,” she said.

Lockheed Martin is the world’s largest aerospace and defence company and a longstanding leader in the fields of cyber security and intelligence.

The company pioneered the development of the cyber kill chain, an analysis method for cyber network defence that has been broadly adopted across industries and sectors.

Lockheed Martin is also a top provider of capabilities to defence and intelligence communities around the world and operates facilities to defend its own networks across 70 countries.

As well as investing in the new facility, Lockheed Martin plans to take part in the National Cyber Security Centre’s £6.5 million CyberInvest scheme to support cutting-edge cyber security research in the UK.

With National Offensive Cyber Planning allowing the UK to integrate cyber into all of its military operations, defence plays a key role in the country’s cyber security strategy, according to the Ministry of Defence (MoD).

Offensive cyber is being routinely used in the war against IS, not only in Iraq but also in the campaign to liberate Raqqa and other towns on the Euphrates, the MoD said.

In defence, the MoD said the £800m Innovation Initiative has already boosted investment in UK research and business, with multimillion-pound competitions to develop artificial intelligence and automated systems.

In January next year, the ministry will open a dedicated state-of-the-art Defence Cyber School at Shrivenham, bringing together all military joint cyber training into one place.

The MoD also has a key role to play in contributing to a culture of resilience, which is why the Defence Cyber Partnership Programme was set up to ensure its industrial partners protect themselves and meet robust cyber security standards, the ministry said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

UK firms still relying on perimeter defences for cyber security

July 11, 2017July 21, 2017 By Cyber SecurityNo Comments

Despite the increasing number of data breaches, many companies are still relying on perimeter defences and are underinvesting in technologies to keep data safe.

Some 96% of UK businesses feel as though their network perimeter security is effective at keeping unauthorised users out of their network, according to the fourth-annual Gemalto Data Security Confidence Index.

The global ransomware attack in May 2017 affected more than 200,000 computers in over 150 countries, including in the UK where the NHS was forced to restrict operations and turn away patients.

Across the 10 global regions surveyed, 94% of the more than 1,000 IT professionals said perimeter security is effective, but only 35% said they were extremely confident their data would be secure if perimeter defences were breached.

However, the survey also revealed that 46% of UK businesses are only protecting their customers’ data with passwords, and when considering their latest data breaches, 75% of the data stolen from businesses on average was not encrypted, with 11% of businesses not encrypting any of their data.

“As a security professional, it feels like I’ve been saying forever that basic perimeter security measures are no longer enough,” said Joe Pindar, director of data protection product strategy at Gemalto.

“So it’s worrying to see the UK is continuing to place ultimate faith in these systems, without thinking about what attackers actually want – their data,” he said.

Without a switch in mentality, and starting to protect the data at its source with robust encryption and two-factor authentication, the UK is like one of the three little pigs.

“Unfortunately, the one sitting in the straw house – not realising that when the time comes, passwords and perimeter security alone will not stand up to attackers,” he said.

The Gemalto report notes that many businesses are continuing to prioritise perimeter security without realising it is largely ineffective against sophisticated cyber attacks.

According to the research findings, 76% of global respondents said their organisation had increased investment in perimeter security technologies such as firewalls, intrusion detection and prevention, antivirus, content filtering, and anomaly detection to protect against external attackers.

Despite this investment, 68% believe unauthorised users could access their network, rendering their perimeter security ineffective.

These findings suggest a lack of confidence in the solutions used, especially when over a quarter (28%) of organisations polled have suffered perimeter security breaches in the past 12 months. The reality of the situation worsens when considering that, on average, only 8% of data breached was encrypted.

Businesses’ confidence is further undermined by over half of respondents (55%) not knowing where their sensitive data is stored. In addition, over a third of businesses do not encrypt valuable information such as payment (32%) or customer (35%) data.

According to the Gemalto report, this means that, should the data be stolen, a hacker would have full access to this information, and could use it for crimes including identify theft, financial fraud or ransomware.

“It is clear there is a divide between organisations’ perceptions of the effectiveness of perimeter security and the reality,” said Jason Hart, vice-president and chief technology officer for data protection at Gemalto.

“By believing that their data is already secure, businesses are failing to prioritise the measures necessary to protect their data, which is a company’s most valuable asset,” he said, adding that it is important to focus on protecting this resource. “Otherwise, reality will inevitably bite those that fail to do so.”

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Major cyber incidents accelerating, says NCSC

July 4, 2017July 21, 2017 By Cyber SecurityNo Comments

The UK is seeing an acceleration in major cyber security incidents, according to the country’s cyber security protection agency.

In the eight months since inception, the UK’s National Cyber Security Centre (NCSC) has recorded 480 major cyber incidents requiring its attention.

However, there has been big rise in these types of incidents in the past few months, in part due to an improved ability to spot them and a greater willingness to report them, according to John Noble, director of incident management at the NCSC.

“This increase in major attacks is mainly being driven by the fact that cyber attack tools are becoming more readily available, in combination with a growing willingness to use them,” he told The Cyber Security Summit in London.

Although the WannaCry ransomware attacks in May 2017 came very close, Noble said there had been no C1-level national cyber security incidents to date.

The majority of the major incidents the NCSC has dealt with were C3-level attacks, typically confined to single organisations. These account for 451 incidents to date.

The remaining 29 major incidents were C2-level attacks, significant attacks that typically require a cross-government response.

Across these nearly 500 incidents, Noble said there were five common themes or lessons to be learned.

1. There is still a need for organisations to get the basics right

“We are still seeing organisations that are not getting the basics right, like software security patching, antivirus updating and putting in basic protections and controls for system administrators, who are typically big targets for attackers to steal their credentials,” said Noble.

2. Failure to get the balance right between usability and security

“In the vast majority of incidents we see, victim organisations have got this balance wrong, leaning too far in the direction of convenience and usability leading to things like logging being turned off to optimise performance,” said Noble.

“The decision-making around where to strike that balance is typically confused because of the complexity of the enterprises being defended, and because of a lack of understanding about what they are trying to prevent and which data really matters,” he said.

3. Legacy systems and equipment

The existence of legacy systems and equipment in the enterprise presents opportunities to attackers, said Noble. “Often, when we investigate incidents, we find it is in the legacy systems that the compromise has begun,” he said.

4. Outsourcing

“In early 2017, we reported on a major compromise of managed service providers, which provide a tremendous opportunity for bad actors,” said Noble, alluding to Operation Cloud Hopper that was uncovered in April.

“MSPs enable attackers to obtain security credentials in one country, traverse across their network, and then compromise a company or series of companies in another country, and exfiltrate the data through a third country,” he said.

In response, Noble said the NCSC had published a list of questions organisations should ask their MSPs in terms of security.

“Similarly, organisations need to understand the security implications of their supply chains, who they are connecting up to, and what risks are involved,” he said.

5. Mergers and acquisitions

In mergers and acquisition, cyber security is often overlooked in the due diligence process, said Noble. “As a result, the cyber risk is not understood and not addressed effectively,” he said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Twenty years of online banking has increased financial awareness

June 6, 2017June 9, 2017 By Cyber SecurityNo Comments

Online banking is helping people manage their finances better and reduce their debt as a result

More than two-thirds of consumers can keep on top of their finances because of the arrival and evolution of online banking, and even more control is guaranteed as competition in the banking sector drives investment in technology.
Download this free guide
94.4% of cloud apps are not secure enough for enterprises

Twenty years after Nationwide launched the UK’s first online banking service, the building society has surveyed 2,000 people in the UK to find out how online banking has changed the way they manage their money.

The survey revealed that 22% of people are in less debt because they can keep a closer eye on their finances. Almost 70% of people said online banking helps them keep on top of their finances and 40% said it helps them budget better.

Saving time is another benefit identified for online banking, with 28% of people saving at least an hour a week by not having to carry out traditional banking tasks such as waiting at ATMs and visiting branches.

Although 10% of people still don’t use online banking services, the pace of take-up and use has accelerated in recent years as the fintech revolution leads to more customer acceptance. Nationwide itself has reported a 73% increase in the number of customer logins in 2016 compared with 2015.

James Smith, Nationwide’s director of mobile and digital, said: “People are using the ability to log on any time, anywhere to try to ensure they are staying well in control of their finances and attempting to avoid any unnecessary debt.”

Smith said consumers are increasingly being drawn to new ways of making their money management easier. “Innovation in personal finance is clearly something that intrigues people, as three in five believe we will be paying for everything via our thumbprint by 2037,” he said.

According to the survey, about half (55%) of people think phones or watches will be used to pay for everything by 2037, and 40% think cash will stop being used in the next 25 years.

But despite the undoubted consumer thirst for online banking services, a recent major survey of UK consumers revealed that bank branches are more important than mobile apps.

The report, conducted by PwC and the British Banking Association, surveyed 2,000 consumers in the UK about their banking preferences. It showed that 68% of consumers think a bank branch is essential when opening a new current account, compared with 25% who favour a mobile app.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Top UK firms’ websites violate key GDPR principle

June 1, 2017June 9, 2017 By Cyber SecurityNo Comments

Over one third of all the public web pages of leading UK companies that collect personal information violate a key principle of new European data protection

With just a year to go before the deadline to comply with the EU General Data Protection Regulation (GDPR), many UK firms’ websites are capturing personal data insecurely, a study shows.

More controls are needed because most data capture forms found on websites fall within the scope of the GDPR, according to new research by digital threat management firm RiskIQ.

h3::
The EU regulation requires that provisions should be in place to ensure that personally identifiable information (PII) is captured and processed securely.

In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.

The study revealed that 34% of web pages of FT30 firms that collect PII are doing so insecurely, 29% are not using encryption, 3.5% are using vulnerable encryptions algorithms, and 1.5% have expired security certificates.

While the insecure collection of PII is a violation of the GDPR, the study said the loss of personal data, profit and reputation resulting from the use of insecure forms is a legitimate concern for consumers and shareholders.

In addition to personal claim liability, Article 83 provides guidance on fines for GDPR faults, which start at €10m or 2% of global annual turnover for the preceding financial year, whichever is greater – or even double, depending on the infraction.

This applies to all companies actively engaging with European citizens, regardless of whether the firms have a physical presence in Europe.

The GDPR also requires companies to state clearly at the point of capture how they will use an individual’s data. Permission to use their data must be explicit and demonstrated through an action such as ticking a box – a significant departure from the “opt out” process most organisations currently have in place.

The challenge for large, global organisations is the sheer volume and complexity of websites and web applications that need to be accounted for, not only for security purposes, but also for regulatory compliance, such as the GDPR.

Information commissioner Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she called “the biggest change to data protection law for a generation”.

However, 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline and 30.6% said they had no timetable for being GDPR compliant, according to security firm Guidance Software.

Almost 18% said they were in the moderate planning stages and 11% said they were only in the initial stages of implementing processes to ensure compliance.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

People can be strongest link in cyber security, says NCSC

May 26, 2017June 9, 2017 By Cyber SecurityNo Comments

People are often seen as the weakest link when it comes to cyber security, but that must change, says the National Cyber Security Centre (NCSC).

Information security has traditionally been led by technology and, as a result, the role and value of people has been overlooked. That is the view of Emma W, people-centred security team lead at the UK’s National Cyber Security Centre.

From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy. Wake up and get the knowledge to get protected.

The perception of people as the weakest link is unfair and a natural consequence of a technology-led security culture.

“We have not always had people working in cyber security with a deep understanding of human behaviour or the input of psychologists, social scientists and the like to tell us why people behave the way they do.

“As a result, organisations tend to treat users as people who should do as they are told, but they don’t always, and often the reason is because they can’t.

“However, these reasons are often not recognised, and instead users are seen as either being unco-operative or stupid, but this is not true and is a perception that we have to turn around,” she said.

An example of where end-users are typically blamed for failures is around passwords, but many organisations have unreasonable expectations.

Most people find it challenging to remember multiple passwords, especially when organisations insist on long and complex passwords that must be changed regularly.

Instead of being critical of employees who fail to adhere to unreasonable password policies, organisations need to have a more sophisticated understanding of how humans can be a security asset, she said.

“They need to understand that if humans appear to be poor at security, it is because they are being required to do things that are difficult or impractical to do.”

The NCSC believes this indicates a need to reshape the relationship between the IT security team in an organisation and users of the IT systems.

While some information security professionals understand that their role is to support and enable the business, Emma W said less progress has been made in understanding how to relate to end-users.

Users still commonly see security as policing role, she said, and do not feel confident enough or too afraid to talk to security teams about the challenges they have and where they feel the need to bend or even flout security rules in order to get their jobs done, for fear of being sanctioned in some way.

“This is the relationship we need to reshape, and a critical part of that is enabling two-way communication between security teams and the rest of the organisation, rather than users’ current common perception that security just sits in its own silo and tells everybody else what they need to do,” she said.

“In reality, security professionals don’t have all the answers and users have a contribution to make in supplying some of the answers. Security professionals need to start listening to what users are trying to do and understand that they can be the strongest, not the weakest link in security.”

End-users should be viewed as a positive asset who have information that security professionals do not have about how the business runs and how it needs to run, rather than be seen as a liability that has to be managed, said Emma W.

“Security professionals need to review how they gather information about security, so they can get the right support to discover the real problems facing their business and fix them,” she said.

Security professionals also need to understand that occasional security awareness training and a poster-based awareness campaign are no substitute for meaningful two-way communication that enables them to know what people need from security and how security can help to support the business.

“It is about security teams finding out what is really going on in an organisation, and why people are not doing the things the security team want them to do – and it is probably not because people are weak, stupid or deliberately trying to sabotage security efforts,” said Emma W.

“Mostly people are well-intentioned and know what they are supposed to be doing, but they are trying to get a work task done and the organisation is not giving them the right way to do it,” she said, with the result that the task may be getting done, but not in the most secure manner possible.

Where employees feel they cannot work within the system or that they are running the risk of being punished for things beyond their control, they will look for alternative ways of working and that is what gives rise to shadow IT and real work processes being driven underground, she said.

For this reason, the NCSC is championing the view that people are potentially organisations’ strongest link when it comes to cyber security and are encouraging organisations to move towards generating positive, collaborative solutions that give users a chance to show that they are the greatest assets in security, as much as they are in business.

Users are typically blamed for failings around passwords, but this is mainly because most people find it difficult to follow company policies on passwords.

UK businesses urged to prepare for GDPR a year to day

May 25, 2017June 9, 2017 By Cyber SecurityNo Comments

With exactly one year to the compliance deadline, the Information Commissioner’s Office has urged UK firms to seize the business benefits of being GDPR-ready

There is no time for businesses to delay in preparing for the General Data Protection Regulation (GDPR), says the UK information commissioner.

In a video address to UK business leaders, Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she termed “the biggest change to data protection law for a generation”.

It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks.

“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.

“But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit,” she said.

Deputy commissioner Rob Luke also highlighted the business benefits of GDPR compliance at a discussion about the legislation hosted by IT industry body TechUK.

The best outcome, he said, would be where organisations take an approach to data protection that earns the trust of consumers in a more systematic way, and where that trust translates into competitive advantage for those who lead the charge.

Luke said that while the GDPR presents some opportunities for organisations, the ICO recognises that there are some challenges too, noting that the GDPR is an indicator of change as much as it is an instigator.

“The GDPR is part of the response to the challenge of upholding information rights in the digital age; of protecting the rights and interests of the individual in the context of an explosion in the quantity and use of data and in an environment of extremely rapid technological change,” he said.

Luke said that GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data.

“The moment at which GDPR takes effect in the UK on 25 May 2018 will, of course, mark a change. In delivering legislation fit for the digital age GDPR confers new rights and responsibilities, and organisations need to be working now to prepare for them,” he said.

Luke said he hoped that UK organisations have already deployed the ICO’s 12 steps to take to prepare for GDPR and were familiar with the ICO’s Overview to GDPR, and were drawing on the ICO’s wider resources.

The ICO, he said, is working at pace to produce detailed guidance, both at a national and a European level, through the Article 29 EU Working Party.

While this guidance will continue to be developed, Luke said organisations should not wait for definitive guidance on every aspect of the GDPR before taking action.

“I urge you not to wait, nor to take a reactive approach to your GDPR preparations, motivated solely by a mindset of compliance or risk management. Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law.

Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong,” he said.

Preparation for compliance with the GDPR can be boiled down to transparency and accountability, said Luke.

“It is about being clear with individuals how their personal data is being used, and placing the highest standards of data protection at the heart of how you do business,” he said.

As a result, said Luke, this means GDPR compliance is a board-level issue for every size of organisation, not only because under the GDPR the ICO can fine companies up to €20m or 4% of a company’s total annual worldwide turnover for the preceding year, whichever is greater, but also because of potential brand damage.

“As we’ve seen in well-publicised examples, the cost to business of poor practice in this area goes above and beyond any fine we can impose. Losing your consumers’ trust could be terminal for your reputation and for your organisation,” he said.

The ICO recognises that data is the fuel that powers the digital economy, said Luke, and the GDPR is a response to this evolving landscape. The GDPR builds on previous legislation, he said, but brings a 21st century approach and delivers stronger rights in response to the heightened risks.

These new rights include individuals’ rights to:

Be informed about the use of their data;
Access their information and move that information around;
Rectify and erase data where appropriate;
Revoke consent;
Challenge automated decisions.

“Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and ensuring privacy by design, are now legally required in certain circumstances,” said Luke.

Being transparent and providing accessible information to individuals about how you will use their personal data is another key element of the new law and our privacy notices code of practice is GDPR-ready, said Luke.

Luke also noted that data breach reporting would also change under the GDPR. Organisations will be required to notify the ICO, within 72 hours, of a breach where it is likely to result in a risk to the rights and freedoms of individuals.

The widespread availability of personal data on the internet and advances in technology, coupled with the capabilities of big data analytics, mean that profiling is becoming a much wider issue, he said.

According to the ICO, the GDPR is a principles-based law well equipped to take on the challenges of 21st century technology.

“It aims to be flexible – protecting individuals from harm while enabling you to innovate and develop services that consumers and businesses want,” said Luke.

In addition to gearing up the GDPR compliance within the ICO and the higher volume of activity that is bound to come as a result of mandatory breach notifications, Luke said the ICO is looking at how it might be able to engage more deeply with companies as they seek to implement privacy by design.

The ICO is also looking at how it can contribute to a “safe space” where companies can test their ideas and at how it can recognise good practice.

“We should be able to find ways to give credit where credit is due without that translating into a free pass for an individual organisation or practice. GDPR explicitly foresees wider use of tools such as codes of conduct and certification schemes, which potentially have an important role to play,” said Luke.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Travelling C-level executives are major risk to business security

May 23, 2017June 10, 2017 By Cyber SecurityNo Comments

C-suite executives logging on to unsecured public Wi-Fi hotspots seem to present one of the biggest security risks to enterprise networks

Close to half of enterprises believe that their C-level executives, including CEOs, present the biggest risk to the business of being hacked through extensive use of unsecured public Wi-Fi hotspots.

This is according to mobile connectivity provider and network aggregator iPass, which, in its latest annual Mobile security report, found that cafés and coffee shops were perceived as the number one risk venue on a list that included airports, hotels, exhibition centres and planes.

The supplier compiled responses from 500 enterprises in France, Germany, the UK and the US to get an overview of how businesses are approaching concerns around mobile device and hotspot security.

The vast majority – 93% of respondents all told – told iPass’ researchers that they were concerned about the security challenges posed by mobile workforces, and almost half said they were very concerned, up several percentage points on the 2016 edition of the report.

In addition, 68% of organisations told the researchers they had banned employee use of free public Wi-Fi hotspots to some extent, up 6% on 2016, and 33% had banned it outright, up 9% on 2016.

“The grim reality is that C-level executives are by far at the greatest risk of being hacked outside of the office. They are not your typical nine to five office worker. They often work long hours, are rarely confined to the office and have unrestricted access to the most sensitive company data imaginable,” said iPass VP of engineering, Raghu Konka.

“They represent a dangerous combination of being both highly valuable and highly available, therefore a prime target for any hacker.

“Cafés and coffee shops are everywhere and offer both convenience and comfort for mobile workers, who flock to these venues for the free high-speed internet as much as for the coffee. However, cafés invariably have lax security standards, meaning that anyone using these networks will be potentially vulnerable.”

Most businesses with concerns over public Wi-Fi were worried about man-in-the-middle attacks, but high numbers also cited a lack of encryption, unpatched network operating systems and hotspot spoofing as major concerns.

IPass said enterprises were more aware of mobile security threats with every year that goes by, but are still finding it hard to balance the need to keep safe – which is more acute than ever – with the productivity boost that being able to work from any location can bring.

In Konka’s view, unfortunately too many enterprises were choosing to simply ban employees from using hotspots outright, which he characterised as detrimental to business health, not to mention largely unenforceable.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Almost a quarter of UK and US firms likely to miss GDPR deadline

May 23, 2017June 10, 2017 By Cyber SecurityNo Comments

Some 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline of 25 May 2018

Only 15.7% of more than 200 UK and US companies polled are in the advanced planning stages of complying with the EU General Data Protection Regulation (GDPR).

It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks. Discover how cyber security expertise can help businesses in the Middle East navigate digital transformations and keep cyber criminals at bay.

Some 17.8% said they were in the moderate planning stages and 11% said they were only in the initial stages of implementing processes to ensure compliance, according to the survey by security firm Guidance Software.

But 24% of the organisations surveyed said they would not be ready by the 25 May 2018 deadline, and 30.6% said they had no timetable for being GDPR compliant, which could expose them to fines of up to €20m or 4% of their annual global turnover, whichever is greater.

Some 14.2% said they would divest EU operations instead of attempting to become compliant with the GDPR.

The survey revealed that bigger companies have made the most progress towards compliance. Some 43% of organisations with revenues of $1bn or more claimed to have processes in place already that can identify data records of any EU citizen and determine where that data is being processed, in comparison to just 26.8% of organisations with under $100m in sales.

The GDPR requires all organisations doing business in EU member countries to comply with new regulations governing the data privacy rights of EU citizens.

However, more than half of the companies surveyed have not yet begun to evaluate third-party products or developer processes to identify the data records of EU citizens.

When asked to prioritise the recruitment and training of a qualified data protection officer, 23.7% ranked it as a high priority, 18.1% said it was a medium priority, and 15.4% named it a low priority.

For all companies, the top three activities to becoming GDPR compliant are:

Use and maintain policies and procedures for the anonymisation and de-identification of personal data (24.9%).
Conduct a full audit of EU personal data manifestation (22.8%).
Evaluate all third party operational partners that access personal data transfers (21.4%).

“With nearly five billion data records exposed in the past four years alone, there is a clear trend towards stronger protection of consumer data, and GDPR is a major first step in that direction,” said Anthony Di Bello, senior director, products, at Guidance Software.

“This data suggests that many organisations are, on the whole, behind schedule for compliance. Security leaders must make GDPR a priority over the next year to avoid major financial penalties,” he said.

To prepare for GDPR compliance, organisations are advised to:

Understand and acknowledge the requirements of GDPR for each specific business.
Conduct an internal audit to determine internal practices that need to change.
Create an incident response plan, including testing and updating procedures.
Identify gaps in technology.
Appoint a qualified data protection officer (DPO).
If there is not already a plan for GDPR compliance, start now.

Guidance Software also advises organisations to:

Monitor efforts at EU level and in member states to prepare for enforcement of the GDPR.
Establish familiarity with the supervising authority or authorities most relevant to operations.
Monitor technical guidance and codes of conduct from relevant EU authorities.
Establish where customer personal data is located, why it is used, and how long it is kept.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW