Small business needs to reduce cyber security threat to payment card data

Small business’ cardholder data is a prime security target for cyber criminals – which is only likely to increase in the coming year.


Despite investment in security and compliance, 2018 shows no signs of high profile hacks slowing down, with most security suppliers predicting the ransomware attacks that dominated 2017 will continue, driven by an increase in the providers of ransomware as a service (RaaS).

This cyber criminal business model is expected to increase the potential for even non-technical attackers to target poorly secured organisations and consumers – which means businesses will need to step up their cyber defences more than ever before.

However, this rising threat can be mitigated with the introduction of controls required to secure this data under the Payment Card Industry Data Security Standard (PCI DSS), according to secure payments firm PCI Pal.

Breached organisations demonstrated lower compliance with 10 out of the 12 PCI DSS key requirements, according to the Verizon 2017 payment security report. Whilst compliance does not guarantee an organisation will not be breached, the data shows that failure to comply almost certainly means they will be breached.

“Businesses may not be able to reduce the number of incoming threats but, by ensuring PCI DSS compliance, they can certainly reduce the success rate,” said James Barham, chief commercial officer at PCI Pal.

To date, he said, the vast majority of security investment has focused firmly on keeping cyber criminals out, but that only works to a certain extent. “Because there is much greater impetus for the hackers to devise new methodologies to gain access and the security industry at large is only ever playing catch up, but we expect 2018 to see a step change in the mentality of data protection from trying to keep people out, to simply ensuring there is no data for them to take,” he said.

If businesses can remove the valuable data from their environments, said Barham, it no longer matters if there is a breach. “De-scoping PCI data will increasingly become the method of choice for businesses augmenting their intrusion prevention positions next year,” he said.

Businesses typically reduce the scope of their PCI DSS compliance by reducing or eliminating the cardholder data they store and switching to third party payment service providers.

Similar strategies can be used to reduce the likelihood of failure to comply with the EU’s General Data Protection Regulation (GDPR) after the compliance deadline of 25 May 2018.

“Due to the significant financial penalties that will be imposed in the event of a breach, non-compliance will not be an option for the vast majority of businesses,” said Barham.

Another reason he believes businesses are likely to de-scope is that another round of changes to the PCI DSS is scheduled for July 2018.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection, please ring us now on 01242 521967, email [email protected] or complete the form on our contact page now.

Cyber security skills shortage can be addressed

The shortage of cyber security skills can be addressed, according to the information security professional training and certification body (ISC)2.


There could be up to 1.8 million information security related roles unfilled worldwide by 2022, according to the latest Global information security workforce study from (ISC)2, but the organisation believes there are ways to address this potential shortfall.

“It makes no sense that we have employment issues for veterans and other communities on the one hand, and information security jobs being unfilled on the other,” according to John McCumber, director of cyber security advocacy at (ISC)2.

In this newly created role of advocacy for the information security profession, McCumber is engaging with governments on issues such as workforce development and supporting information security professionals in the work they do.

McCumber, who has been working in information security in military, national security and civilian roles for the past 30 years, argues that because there are jobs for people coming out of trade schools, there is no reason that aspects of cyber security cannot be turned into trades.

“By treating cyber security as a trade, it will enable school leavers to get some basic skills without having to do a four-year course and to provide valuable services in well-paid jobs in the cyber security field,” he said. “There are a lot of productive jobs in the cyber security field that do not need a four-year degree.”

The training is aimed at enabling veterans to join the (ISC)2 associate membership programme, which provides them with the experience required to qualify for various information security certifications.

“By enabling veterans to get certified as information systems security professionals, systems security practitioners and cloud security professionals, we are able to connect them with well-paying jobs,” said McCumber.

McCumber predicts that cyber security jobs will also begin changing in future as new technologies enable organisations to automate a lot of their cyber attack responses.

“Things like penetration testing are also likely to be automated with advances in so-called artificial intelligence, so (ISC)2 is working with information security professionals to position themselves for the new world of work and show organisations how they can help them understand their cyber risk and provide an objective way of managing that risk,” he said.

“As a result, that projected 1.8 million cyber security skills gap will not look as insurmountable in two to three years’ time,” he said.


Small businesses’ cyber success is a balance of user experience, privacy and security

Small businesses need to balance user experience, privacy and security to achieve overall cyber success.


A change in approach will help businesses achieve the right balance between user experience, privacy and security more easily, says Martin Kuppinger, principal analyst at KuppingerCole.

“Most businesses are making the fundamental mistake of thinking inside-out, but by thinking outside-in, they will automatically put the consumer first,” he told Consumer Identity World Europe 2017 in Paris.

This means that instead of thinking about what suits the business, the business looks at what will best suit its customers, what works best for them, and takes customer preferences into account.

“Most businesses need to switch from the approach where they are telling consumers what they want them to do, to making it clear they are willing to do things the way the consumer wants,” said Kuppinger.

“We do what you want, needs to be the message, because this is the best way to ensure that consumers will want to do the most with them,” he said.

In the light of the European Union’s (EU’s) General Data Protection Regulation (GDPR), Kuppinger said it is now even more important to get the balance right.

From a consumer perspective, this means ensuring that services and interactions with suppliers need to be simple, and as frictionless and transparent as possible.

“Aside from GDPR requirements, consumers are generally more willing to share data if the reward is clear and they know that organisations use their data only for the purpose it was originally collected for,” said Kuppinger.

From a business perspective, it is therefore important to ensure that there is a standard approach to customer data throughout the organisation and that personal data is collected only when necessary.

“They need to be clear about what they are collecting and for what purpose they are collecting the data, and they must provide processes for consumers to withdraw consent if they wish.”

However, done correctly, collecting and managing consumer information can improve the customer experience, said John Tolbert, lead analyst at KuppingerCole.

“Consumer identity management can also enable new business models, such as freemium models where basic services are provided free with the option of upgrading to paid services or shared revenue models,” he said.

Tolbert also emphasised the importance of making it clear to consumers what they will get in exchange for agreeing to allow businesses to collect and use their data.

“Again, getting the balance right is important because the more data you collect the more friction you add, so collect just enough information to be useful to keep friction to a minimum,” he said.

Tolbert said it is always important to be explicit about what information is being collected, to collect only what is necessary, and to reduce friction by avoiding pop-ups that continually ask for more data.

“Fine-tune how you interrupt visitors to your site, be conservative in the information you collect and always ensure you have good consent management processes to collect and store consent,” he said.


Most small businesses (SMEs) not prepared for GDPR

There is still much work to be done before small businesses (SMEs) are fully prepared for the EU’s General Data Protection Regulation (GDPR).


With the GDPR compliance deadline just over six months away, the UK’s small business community remains unsure about a number of related issues.

Small businesses are struggling to come to grips with what “personal data” really means, their customers’ new and extended rights, and whether the permissions they currently have to contact customers will meet the requirements of GDPR.

This is one of the key findings of the Close Brothers Business Barometer, a quarterly survey that questions more than 900 SME owners and senior management across a range of sectors and regions in the UK and Republic of Ireland.

“GDPR is intended to strengthen and unify data protection for individuals within the EU, but will also affect the UK regardless of Brexit,” said Neil Davies, CEO of Close Brothers Asset Finance.

“It will ensure that all personal data has to be managed in a safe and secure way, has to be gathered lawfully, is only used for the purposes for which it was collected, and must be accurate and up to date.

Poor understanding of GDPR compliance requirements

“The figures from the barometer tell us that uncertainty persists on a number of key compliance issues, and SMEs are concerned about the implications for their business.”

Less than a third (31%) of SMEs answered “yes” to the question, “Are you clear what ‘personal data’ means in a business context?”, with 50% responding “sort of” and the remaining 19% saying “no”.

“On a positive note, 73% of firm owners categorically stated that they do not share customers’ personal data with third parties,” said Neil. “There are, however, companies openly admitting to sharing customers’ details (8%), and a further 18% conceding they were unsure of whether they do or not.”

Less than half (48%) of respondents said they understand the new and extended rights that customers have when it comes to collecting and utilising their personal information.

Despite the lack of clear understanding of the extended rights customers will have, 58% of SMEs are confident that the permissions they currently have to contact customers will meet the requirements of GDPR.

“This still leaves more than 40% of firms which are unconvinced about their readiness ahead of 25 May 2018,” said Neil. “How it works is that companies must get prior consent from data subjects – opt in – and record that consent. What’s more, the consent must relate specifically to the purposes of why a company needs that data – companies cannot get consent for one purpose and then use the gathered personal data for another.

“On top of this, consumers must be able to revoke their consent as easily as it was originally given, because many consumers complain that it is easy to opt in to data gathering, but difficult to unsubscribe or opt out.”

Of those polled, 44% said they had a process in place to ensure their firm was collecting data in the correct manner, against 35% who were “unsure” and 21% admitting they had no existing process in place.

“Businesses have to be seen to be compliant, and this includes ensuring these sorts of processes are in place to ensure customers are fairly treated,” said Neil.


Business needs help to act on cyber security advice

Businesses need help to act on all the information they receive about cyber security, according to the London Digital Security Centre.


Small businesses need help in tackling cyber crime and embracing cyber security, not just information, according to John Unsworth, chief executive of the London Digital Security Centre (DSC).

“Information is good, but action is better,” he told the Whitehall Media Enterprise Cyber Security Conference in London. “There is a lot of information, but businesses want help in implementing it.”

The London DSC was set up as a not-for-profit organisation in 2015 by the Mayor’s Office for Policing and Crime to help the city’s roughly one million small businesses protect themselves from cyber crime.

The centre is run as a joint venture between the Mayor of London, the Metropolitan Police Service and the City of London Police to protect small businesses that are at the heart of the economy.

“The point of the centre is to help businesses act on the wealth of information that is out there to take control of their cyber security by implementing controls that make a difference,” said Unsworth.

“Part of our role is also to cut through the noise and show businesses that the things that will make a difference for the majority of small businesses cost little or nothing to implement.”

Many of the things small businesses can do to improve their cyber security only have a cost in time and effort, said Unsworth. “Cyber security is not always about buying a technical solution,” he added.

Investments in security technologies depend on the size of the business, the business operating model and what the business is trying to achieve, he said. “So for businesses that handle sensitive information, there is a cost because they need to ensure that data is protected and demonstrate that they have a good security posture.”

The role of the London DSC is to identify and prioritise business needs in terms of cyber security controls, said Unsworth.


Underlining the need to support small business in the face of cyber crime, Unsworth said that although more than 50% of crime reported to police is cyber enabled in some way, only 0.1% of policing resources across England and Wales are dedicated to the prevention and detection of cyber crime.

This is symptomatic of the fact that not everyone recognises that cyber crime is a big problem and it tends to be under-reported, he said. “What we need to start doing is creating a little bit of evidence noise about what the issues are, so we can get the right type of response to all of this.”


“What we have got to change and shift is this behaviour, so what we have done is to set about getting face-to-face with small businesses and talk to them one-to-one rather than relying on social media campaigns to get businesses to take cyber security more seriously.”

“When you start speaking to them in simple language, they soon realise that all cyber security is really about is understanding what you are using, what you are connected to, and if you have got the right controls in place,” said Unsworth.

Small businesses in denial over cyber security threats

According to Unsworth, many small businesses are in denial when it comes to cyber crime – they tend to think it will not happen to them because they don’t understand why they might be targeted.

“We want to help businesses avoid the regret of not doing something that could have prevented a cyber attack by helping them to embrace cyber security and putting in appropriate controls,” he said.


National Cyber Security Centre’s 2017 Annual Review

The National Cyber Security Centre (NCSC) celebrates its first anniversary of operations this week.


The Annual Review highlights the work it has done to make the UK the safest place to live and work online.

While there is still much work to be done, the NCSC’s first annual report says it has prevented thousands of cyber attacks since its inception.

The NCSC received 1,131 incident reports, with 590 classed as “significant”, according to the agency’s first annual review.

Those “significant attacks” ranged from attacks on key national institutions such as the National Health Service (NHS) and the UK and Scottish Parliaments, through to attacks on large and small businesses and other organisations, said Ciaran Martin, chief executive of the NCSC.

But, he said, so much of the NCSC’s work aims to make successful attacks less likely, and to that end the NCSC has so far produced more than 200,000 protective items for military communications; supported the Cabinet Office in developing more secure communications for key government organisations; and supported the Home Office in ensuring the security of new mobile communications for emergency services.

The NCSC, part of GCHQ, brought together elements of its parent organisation with previously separate parts of government and intelligence to create a single, one stop shop for UK cyber security, with the aim of making the UK the safest place to live and work online.

A crucial part of the NCSC’s role is to help everyone in the UK operate more securely online.

“Through a pioneering partnership with the private sector, tens of millions of suspicious communications in the UK are being blocked every month,” he said.

Martin highlighted the fact that the NCSC’s Active Cyber Defence programme has developed capabilities which have seen the average lifetime of a phishing site hosted in the UK reduce from 27 hours to less than an hour.

He added that the NCSC’s information-sharing platform with industry, the Cyber Security Information Sharing Partnership (CiSP), grew 43% over the year.

However, he said the NCSC still has much to do in the years ahead to “counter this strategic threat to our values, prosperity and way of life” in collaboration with GCHQ and the UK intelligence community, law enforcement, wider government, industry and the rest of the world.

Martin said cyber security is crucial to the UK’s national security and prosperity. “We’re incredibly proud of what we have achieved in our first year, bringing together some of the best cyber security brains in the country in a single place.

“But the threat remains very real and growing – further attacks will happen and there is much more for us to do. We look forward to working with our partners at home and abroad in the year ahead in pursuit of that vital goal,” he said.

According to the review, tens of millions of cyber attacks are being blocked every week by industry partners implementing the NCSC’s Active Cyber Defence programme.

The programme currently includes the NCSC’s protected domain name server (DNS) service, built by Nominet, to block access to known malicious sites from government systems; the use and support of the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to block spoofed emails pretending to be from government; and a phishing and malware countermeasures service to protect the UK, including government brands.

Similarly, while the number of IP-addresses associated with phishing around the world is up 47% this year, the UK share of those has gone down from 5.1% to 3.3%.