DNS attacks cost finance firms millions of pounds a year

The average cost of recovering from a single DNS attack is £711,069 – $924,390 for a large financial services company a new survey.

The costs of restoring services after a DNS (Domain Name System) attack are higher for financial services firms than for companies in any other sector.

According to a survey of 1,000 large financial services firms in Europe, North America and Asia Pacific, the average cost of recovering from a single DNS attack is $924,390 for a large financial services company.

The survey, carried out by network automation and security supplier EfficientIP, and its subsequent 2018 Global DNS threat report found that the average cost of recovery for such finance firms had increased by 57% compared with last year.

It also revealed that financial services firms suffered an average of seven attacks each last year, and 19% of them were attacked more than 10 times.

The survey found that finance firms took an average of seven hours to mitigate a DNS attack and 5% of them spent a total of 41 working days mitigating attacks in 2017. More than a quarter (26%) lost business because of the attacks.

The most common problems caused by DNS attacks are cloud service downtime, compromised websites and internal application downtime.

“The DNS threat landscape is continually evolving, impacting the financial sector in particular,” said David Williamson, CEO at EfficientIP. “This is because many financial organisations rely on security solutions that fail to combat specific DNS threats.

“Financial services increasingly operate online and rely on internet availability and the capacity to securely communicate information in real time. Therefore, network service continuity and security is a business imperative and a necessity.”

Types of DNS attack include:

Zero day attack – the attacker exploits a previously unknown vulnerability in the DNS protocol stack or DNS server software.
Cache poisoning – the attacker corrupts a DSN server by replacing a legitimate IP address in the server’s cache with that of another, rogue address in order to redirect traffic to a malicious website, collect information or initiate another attack. Cache poisoning may also be referred to as DNS poisoning.
Denial of service – an attack in which a malicious bot sends more traffic to a targeted IP address than the programmers who planned its data buffers anticipated someone might send. The target becomes unable to resolve legitimate requests.
Distributed denial of service – the attacker uses a botnet to generate huge amounts of resolution requests to a targeted IP address.
DNS amplification – the attacker takes advantage of a DNS server that permits recursive lookups and uses recursion to spread the attack to other DNS servers.
Fast-flux DNS – the attacker swaps DNS records in and out with extreme frequency in order redirect DNS requests and avoid detection.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Nearly half of UK firms hit by cyber phishing attacks

Nearly  half of UK businesses have been compromised in the past two years using phishing attacks, despite high levels of cyber awareness and training.

Nearly  half of UK businesses have been compromised in the past two years using phishing attacks, despite high levels of cyber awareness and training.

Phishing attacks aimed at stealing legitimate user credentials have been used in the past 24 months to compromise 45% of UK organisations, according to research on behalf of cyber security firm Sophos.

Just over half (54%) of more than 900 IT directors polled in Western Europe said they had identified instances of employees replying to unsolicited emails or clicking on links contained within them, revealed a poll conducted by Sapio Research.

The study revealed that larger businesses are most likely to have been compromised by phishing attacks, despite also being most likely to conduct phishing and cyber threat awareness training.

Although businesses in the UK fell victim to phishing attacks at a similar rate to those in France (49%) and the Netherlands (44%), those in Ireland performed significantly better. Just 25% of Irish respondents said they had fallen victim to phishing in the past two years.

Across all respondents, 56% of companies employing between 500 and 750 people were identified as phishing victims in the past two years, while two-thirds (65%) had identified instances of employees replying to unsolicited emails or clicking on links contained within them.

By comparison, just 25% firms with fewer than 250 people and 36% of organisations with between 250 and 499 employees had been compromised by phishing in the same period.

Half of firms with fewer than 250 people offered training to help employees spot attacks, compared with 78% of those with between 500 and 1,000 people. And 79% of UK companies conduct regular cyber threat awareness training already, while 18% said they plan to offer it in the future.

Adam Bradley, UK managing director at Sophos, said criminals are adept at using social engineering to exploit human weakness, so while well-trained employees are an excellent deterrent, even the best user can slip up.

According to Bradley, phishing is one of the most common routes of entry for cyber criminals. As organisations grow, their risk of becoming a victim also increases as they become more lucrative targets and provide hackers with more potential points of failure.

Given the frequency of these attacks, organisations that don’t have basic infrastructure in place to spot people engaging with potentially harmful emails and whether their systems are compromised are likely to encounter some really significant problems.

Organisations should block malicious links, attachments and imposters before they reach users’ inboxes, said Bradley, and use the latest cyber security tools to stop ransomware and other advanced threats from running on devices even if a user clicks a malicious link or opens an infected attachment.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Use of Cyber Security Insurance increasing

The use of cyber security insurance is growing – but one in three companies is still ignoring the benefits.

Use of Cyber Security Insurance increasing

Cyber security insurance adoption is expected to continue to grow, but only 38% of companies polled in the US and Europe have active cyber insurance policies in place, a study has revealed.

Of those insured organisations, 45% purchased cyber security  cover in the past two years, 32% purchased their policy three to four years ago, and only 24% have been covered for more than five years, according to the study by IT industry networking organisation Spiceworks.

Despite the fact that the adoption of cyber security insurance policies to offset the recovery costs associated with security incidents continues to grow, the survey of nearly 600 organisations revealed that many organisations are still not sold on the benefits of cyber insurance and are hesitant to purchase a policy.

However, according to a separate poll in the Spiceworks Community, 11% of organisations without coverage plan to purchase a cyber insurance policy within the next two years.

Cyber security insurance drivers

The study shows that increased priority on security is a top driver of cyber insurance adoption, with 71% of organisations purchasing cyber insurance as a precautionary measure, while 44% cited an increased priority on cyber security as the reason they bought a policy.

The risk of managing large volumes of personal data also drove 39% of organisations to purchase cyber insurance. This is likely to be linked to the growing number of data protection requirements around the world, such as the EU’s General Data Protection Regulation (GDPR). However, less than 15% purchased a policy due to a recent security incident or data breach.

When comparing the prevalence of cyber security insurance policies in North America and Europe, the regulatory environment and impact of new regulations such as GDPR become apparent, the report said.

Only 4% of organisations in North America purchased cyber security insurance because of new data protection regulations, compared with 43% in Europe.

Across both regions, 52% of companies with cyber security insurance have a coverage limit between $1m and $5m, 19% have a coverage limit between $6m and $10m, and 16% are covered for more than $10m. However, the results showed only 7% had ever filed a claim with their cyber insurance provider.

Among the companies that do not carry cyber insurance, the lack of knowledge about cyber insurance was found to be one of the top three reasons why they have not purchased a policy. Some 36% of IT professionals said their organisation was not covered due to a lack of knowledge about cyber insurance, while 41% said it was not a priority at their organisation, and 40% said they didn’t have budget for it.

Additionally, 33% of organisations have not purchased a policy because they are not sold on the benefits, and 20% reported insufficient use cases for cyber insurance, while 12% said they were not confident claims would be paid out.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Small business needs to reduce cyber security threat to payment card data

Small business’ cardholder data is a prime security target for cyber criminals – which is only likely to increase in the coming year.

Small business' cardholder data is a prime security target for cyber criminals - which is only likely to increase in the coming year.

Despite investment in security and compliance, 2018 shows no signs of high profile hacks slowing down, with most security suppliers predicting the ransomware attacks that dominated 2017 will continue, driven by an increase in the providers of ransomware as a service (RaaS).

This cyber criminal business model is expected to increase the potential for even non technical attackers to target poorly secured organisations and consumers – which means businesses will need to step up their cyber defences more than ever before.

However, this rising threat can be mitigated with the introduction of controls required to secure this data under the Payment Card Industry Data Security Standard (PCI DSS), according to secure payments firm PCI Pal.

Breached organisations demonstrated lower compliance with 10 out of the 12 PCI DSS key requirements, according to the Verizon 2017 payment security report.  Whilst compliance does not guarantee an organisation will not be breached, the data shows that failure to comply almost certainly means they will be breached.

“Businesses may not be able to reduce the number of incoming threats but, by ensuring PCI DSS compliance, they can certainly reduce the success rate,” said James Barham, chief commercial officer at PCI Pal.

To date, he said, the vast majority of security investment has focused firmly on keeping cyber criminals out, but that only works to a certain extent. “Because there is much greater impetus for the hackers to devise new methodologies to gain access and the security industry at large is only ever playing catch up, but we expect 2018 to see a step change in the mentality of data protection from trying to keep people out, to simply ensuring there is no data for them to take,” he said.

If businesses can remove the valuable data from their environments, said Barham, it no longer matters if there is a breach. “De-scoping PCI data will increasingly become the method of choice for businesses augmenting their intrusion prevention positions next year,” he said.

Businesses typically reduce the scope of their PCI DSS compliance by reducing or eliminating the cardholder data they store and switching to third party payment service providers.

Similar strategies can be used to reduce the likelihood of failure to comply with the EU’s General Data Protection Regulation (GDPR) after the compliance deadline of 25 May 2018.

Due to the significant financial penalties that will be imposed in the event of a breach, non-compliance will not be an option for the vast majority of businesses,” said Barham.

Another reason he believes businesses are likely to de-scope is that another round of changes to the PCI DSS is scheduled for July 2018.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Cyber security skills shortage can be addressed

The shortage of cyber security skills can be addressed according to the information security professional training and certification body (ISC)2

The shortage of cyber security skills can be addressed according to the information security professional training and certification body (ISC)2

There could be up to 1.8 million information security related roles unfilled worldwide by 2022, according to the latest Global information security workforce study from (ISC)2, but the organisation believes there are ways to address this potential shortfall.

“It makes no sense that we have employment issues for veterans and other communities on the one hand, and information security jobs being unfilled on the other,” according to John McCumber, director of cyber security advocacy at (ISC)2.

In this newly created role of advocacy for the information security profession, McCumber is engaging with the governments on issues such as workforce development and supporting information security professionals in the work they do.

McCumber, who has been working in information security in military, national security and civilian roles for the past 30 years, argues that in the light of the fact that there are jobs for people coming out of trade schools, there is no reason that aspects of cyber security cannot be turned into trades.

“By treating cyber security as a trade, it will enable school leavers to get some basic skills without having to do a four-year course and to provide valuable services in well-paid jobs in the cyber security field,” he said. “There are a lot of productive jobs in the cyber security field that do not need a four-year degree.”

The training is aimed at enabling veterans to join the (ISC)2 associate membership programme, which provides them with the experience required to qualify for various information security certifications.

“By enabling veterans to get certified as information systems security professionals, systems security practitioners and cloud security professionals, we are able to connect them with well-paying jobs,” said McCumber.

McCumber predicts that cyber security jobs will also begin changing in future as new technologies enable organisations to automate a lot of their cyber attack responses.

“Things like penetration testing are also likely to be automated with advances in so-called artificial intelligence, so (ISC)2 is working with information security professionals to position themselves for the new world of work and show organisations how they can help them understand their cyber risk and provide an objective way of managing that risk,” he said.

“As a result, that projected 1.8 million cyber security skills gap will not look as insurmountable in two to three years’ time,” he said.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Small businesses cyber success is balance of user experience, privacy and security

Small businesses need to balance user experience, privacy and security to achieve overall cyber success.

Small businesses need to balance user experience, privacy and security to achieve overall cyber success.

A change in approach will help businesses achieve the right balance between user experience, privacy and security more easily, says Martin Kuppinger, principal analyst at KuppingerCole.

“Most businesses are making the fundamental mistake of thinking inside-out, but by thinking outside-in, they will automatically put the consumer first,” he told Consumer Identity World Europe 2017 in Paris.

This means instead of thinking about what suits the business, the business looks at what will best suit its customers, what works best for customers and taking customer preferences into account.

“Most businesses need to switch from the approach where they are telling consumers what they want them to do, to making it clear they are willing to do things the way the consumer wants,” said Kuppinger.

“We do what you want, needs to be the message, because this is the best way to ensure that consumers will want to do the most with them,” he said.

In the light of the European Union’s (EU’s) General Data Protection Regulation (GDPR), Kuppinger said it is now even more important to get the balance right.

From a consumer perspective, this means ensuring that services and interactions with suppliers need to be simple, and as frictionless and transparent as possible.

“Aside from GDPR requirements, consumers are generally more willing to share data if the reward is clear and they know that organisations use their data only for the purpose it was originally collected for,” said Kuppinger.

From a business perspective, it is therefore important to ensure that there is a standard approach to customer data throughout the organisation and that personal data is collected only when necessary.

“They need to be clear about what they are collecting, what purpose they are collecting the data, and they must provide processes for consumers to withdraw consent if they wish.”

However, done correctly, collecting and managing consumer information can improve the customer experience, said John Tolbert, lead analyst at KuppingerCole.

“Consumer identity management can also enable new business models, such as freemium models where basic services are provided free with the option of upgrading to paid services or shared revenue models,” he said.

Tolbert also emphasised the importance of making it clear to consumers what they will get in exchange for agreeing to allow businesses to collect and user their data.

“Again, getting the balance right is important because the more data you collect the more friction you add, so collect just enough information to be useful to keep friction to a minimum,” he said.

Tolbert said it is always important to be explicit about information is being collected, collect only what is necessary, and reduce friction by avoiding pop-ups that continually ask for more data.

“Fine-tune how you interrupt visitors to your site, be conservative in the information you collect and always ensure you have good consent management processes to collect and store consent,” he said.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Most small businesses (SMEs) not prepared for GDPR

There is still much work to be done before small businesses (SMEs) are fully prepared for the EU’s General Data Protection Regulation (GDPR).

There is still much work to be done before small businesses (SMEs) are fully prepared for the EU’s General Data Protection Regulation (GDPR).

With the GDPR compliance deadline just over six months away, the UK’s small business community remains unsure about a number of related issues.

Small businesses are struggling to come to grips with what “personal data” really means, their customers’ new and extended rights, and whether the permissions they currently have to contact customers will meet the requirements of GDPR.

This is one of the key findings of the Close Brothers Business Barometer, a quarterly survey that questions more than 900 SME owners and senior management across a range of sectors and regions in the UK and Republic of Ireland.

“GDPR is intended to strengthen and unify data protection for individuals within the EU, but will also affect the UK regardless of Brexit,” said Neil Davies, CEO of Close Brothers Asset Finance.

“It will ensure that all personal data has to be managed in a safe and secure way, has to be gathered lawfully, is only used for the purposes for which it was collected, and must be accurate and up to date.

Poor understanding of GDPR compliance requirements

“The figures from the barometer tell us that uncertainty persists on a number of key compliance issues, and SMEs are concerned about the implications for their business.”

Less than a third (31%) of SMEs answered “yes” to the question, “Are you clear what ‘personal data’ means in a business context?”, with 50% responding “sort of” and the remaining 19% saying “no”.

“On a positive note, 73% of firm owners categorically stated that they do not share customers’ personal data with third parties,” said Neil. “There are, however, companies openly admitting to sharing customers’ details (8%), and a further 18% conceding they were unsure of whether they do or not.”

Less than half (48%) of respondents said they understand the new and extended rights that customers have when it comes to collecting and utilising their personal information.

Despite the lack of clear understanding of the extended rights customers will have, 58% of SMEs are confident that the permissions they currently have to contact customers will meet the requirements of GDPR.

“This still leaves more than 40% of firms which are unconvinced about their readiness ahead of 25 May 2018,” said Neil. “How it works is that companies must get prior consent from data subjects – opt in – and record that consent. What’s more, the consent must relate specifically to the purposes of why a company needs that data – companies cannot get consent for one purpose and then use the gathered personal data for another.

“On top of this, consumers must be able to revoke their consent as easily as it was originally given, because many consumers complain that it is easy to opt in to data gathering, but difficult to unsubscribe or opt out.”

Of those polled, 44% said they had a process in place to ensure their firm was collecting data in the correct manner, against 35% who were “unsure” and 21% admitting they had no existing process in place

“Businesses have to be seen to be compliant, and this includes ensuring these sorts of processes are in place to ensure customers are fairly treated,” said Neil.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Business needs help to act on cyber security advice

Businesses need help to act on all the information they receive about cyber security according to the London Digital Security Centre,

Businesses need help to act on all the information they receive about cyber security according to the London Digital Security Centre,

Small businesses need help in tackling cyber crime and embracing cyber security, not just information, according to John Unsworth, chief executive of the London Digital Security Centre (DSC).

“Information is good, but action is better,” he told the Whitehall Media Enterprise Cyber Security Conference in London. “There is a lot of information, but businesses want help in implementing it.”

The London DSC was set up as a not-for-profit organisation in 2015 by the Mayor’s Office for Policing and Crime to help the city’s roughly one million small businesses protect themselves from cyber crime.

The centre is run as a joint venture between the Mayor of London, the Metropolitan Police Service and the City of London Police to protect small businesses that are at the heart of the economy.

“The point of the centre is to help businesses act on the wealth of information that is out there to take control of their cyber security by implementing controls that make a difference,” said Unsworth.

“Part of our role is also to cut through the noise and show businesses that the things that will make a difference for the majority of small businesses cost little or nothing to implement.”

Many of the things small businesses can do to improve their cyber security only have a cost in time and effort, said Unsworth. “Cyber security is not always about buying a technical solution,” he added.

Investments in security technologies depend on the size of the business, the business operating model and what the business is trying to achieve, he said. “So for businesses that handle sensitive information, there is a cost because they need to ensure that data is protected and demonstrate that they have a good security posture.”

The role of the London DSC is to identify and prioritise business needs in terms of cyber security controls, said Unsworth.

 

Underlining the need to support small business in the face of cyber crime, Unsworth said that although more than 50% of crime reported to police is cyber enabled in some way, only 0.1% of policing resources across England and Wales are dedicated to the prevention and detection of cyber crime.

This is symptomatic of the fact that not everyone recognises that cyber crime is a big problem and it tends to be under-reported, he said. “What we need to start doing is creating a little bit of evidence noise about what the issues are, so we can get the right type of response to all of this.”

 

“What we have got to change and shift is this behaviour, so what we have done is to set about getting face-to-face with small businesses and talk to them one-to-one rather than relying on social media campaigns to get businesses to take cyber security more seriously.”

“When you start speaking to them in simple language, they soon realise that all cyber security is really about is understanding what you are using, what you are connected to, and if you have got the right controls in place,” said Unsworth.

Small businesses in denial over cyber security threats

According to Unsworth, many small businesses are in denial when it comes to cyber crime – they tend to think it will not happen to them because they don’t understand why they might be targeted.

“We want to help businesses avoid the regret of not doing something that could have prevented a cyber attack by helping them to embrace cyber security and putting in appropriate controls,” he said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident with affordable, live systems protection please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

National Cyber Securty Centre’s 2017 Annual Review

The National Cyber Security Centre (NCSC) celebrates its first anniversary of operations this week.

The National Cyber Security Centre (NCSC) celebrates its first anniversary of operations this week.

The Annual Review highlights the work it has done to make the UK the safest place to live and work online.

While there is still much work to be done, the NCSC’s first annual report says it has prevented thousands of cyber attacks since its inception.

The NCSC received 1,131 incident reports, with 590 classed as “significant”, according to the agency’s first annual review.

Those “significant attacks” ranged from attacks on key national institutions such as the National Health Service (NHS) and the UK and Scottish Parliaments, through to attacks on large and small businesses and other organisations, said Ciaran Martin, chief executive of the NCSC.

But, he said, so much of the NCSC’s work aims to make successful attacks less likely, and to that end the NCSC has so far produced more than 200,000 protective items for military communications; supported the Cabinet Office in developing more secure communications for key government organisations; and supported the Home Office in ensuring the security of new mobile communications for emergency services.

The NCSC, part of GCHQ, brought together elements of its parent organisation with previously separate parts of government and intelligence to create a single, one stop shop for UK cyber security, with the aim of making the UK the safest place to live and work online.

A crucial part of the NCSC’s role is to help everyone in the UK operate more securely online.

“Through a pioneering partnership with the private sector, tens of millions of suspicious communications in the UK are being blocked every month,” he said.

Martin highlighted the fact that the NCSC’s Active Cyber Defence programme has developed capabilities, which have seen the average lifetime for a phishing site hosted in the UK reduce from 27 hours to less than an hour.

He added that the NCSC’s information-sharing platform with industry, the Cyber Security Information Sharing Partnership (CiSP), grew 43% over the year.

However, he said the NSCS still has much to do in the years ahead to “counter this strategic threat to our values, prosperity and way of life” in collaboration with GCHQ and the UK intelligence community, law enforcement, wider government, industry and the rest of the world.

Martin said cyber security is crucial to the UK’s national security and prosperity. “We’re incredibly proud of what we have achieved in our first year, bringing together some of the best cyber security brains in the country in a single place.

“But the threat remains very real and growing – further attacks will happen and there is much more for us to do. We look forward to working with our partners at home and abroad in the year ahead in pursuit of that vital goal,” he said.

According to the review, tens of millions of cyber attacks are being blocked every week by industry partners implementing NCSC’s Active Cyber Defence programme

The programme currently includes the NCSC’s protected domain name server (DNS) service built by Nominet to block bad stuff from being accessed from government systems; the use and support of the domain-based message authentication, reporting and conformance protocol (Dmarc) to block bad emails pretending to be from government; and a phishing and malware countermeasures service to protect the UK, including government brands.

Similarly, while the number of IP-addresses associated with phishing around the world is up 47% this year, the UK share of those has gone down from 5.1% to 3.3%.