Category: Uncategorized

Government, industry and individuals all have to play their part in enhancing cyber security practices

We all watched a few weeks ago as the chancellor set the new Budget, pledging an extra £1bn to boost UK defences, including cyber security. Add to that the proposed internet safety laws and new regulations around the collection and use of personal data, and in many ways we are on the right path to keeping the UK as a safe place to live and do business online.

But it is always worth reminding ourselves, whether we represent government, industry or the individual, of the key part we all have to play in creating the skills, practices and expectations of a safe online and working environment.

The objective of government should be to help create an environment in which industry and individuals are encouraged to expect and deliver good cyber security, and where the UK has the cyber skills and workforce it needs. This can be achieved through the levers available to government – legislation, policy and incentives.

One area where the government is leading on such efforts in the UK is in establishing new “secure by design” measures, encouraging manufacturers to embed security into the design of new technology rather than as a bolt-on or afterthought.

The Department for Digital, Culture, Media and Sport (DCMS) says there are expected to be more than 420 million internet-connected devices in use across the UK within the next three years, with the risk of poorly secured devices leaving people exposed to large-scale cyber attacks.

Such secure-by-design codes of practice, developed by the DCMS and the National Cyber Security Centre alongside industry, are not only key in driving innovation in technology, but in creating trust between government, industry and individuals through the development of products and services that keep people safe.

The role of government is also to set an example. According to EY’s 2018-19 Global information security survey, half of all local authorities in England still rely on unsupported server software.

In the face of emerging global cyber threats, and as the gatekeepers to our essential services, effective cyber security can only be tackled with the relevant technology and training rolled out across public sector departments, agencies and bodies to protect our critical assets.

 Cyber security awareness

EY’s survey found that 77% of organisations are still operating with limited cyber security and resilience. Asked what they saw as their top vulnerability, 34% of organisations said careless or unaware employees. This underscores the importance of cyber security awareness and culture as key aspects of the defence against cyber attacks.

So what can be done? Even if the board knows that cyber attacks are on the rise, is it prepared to make the necessary investments in people, processes and technology to tackle these issues? The survey is encouraging in this respect, with 53% of organisations saying they have increased their budgets this year and 65% planning an increase next year.

Despite this, most organisations admit they would be unlikely to step up their cyber security practices or spend more money unless they were hit by a breach or cyber incident. So a breach where no harm was caused would not lead to higher spending for most organisations. The problem is that in most cases, harm has been done – it simply has not come to the surface yet.

But there is an opportunity here. Many organisations now regard emerging technologies as a high priority for business growth, which implies that cyber security could, at last, be designed in. That includes more secure cloud and mobile computing, and also enablers such as cyber security analytics, robotic process automation and machine learning, which can provide early detection, prevention and resilience in the event of an attack.

Ultimately, the role of businesses is to protect their enterprise by building effective lines of defence around their business crown jewels, optimising cyber security by leveraging suitable technologies, and embedding cyber security as an enabler, rather than a barrier, to growth.

In an age when we manage most of our lives online, educating the public to be cautious when it comes to operational security can affect individuals positively, both as employees and consumers.

Finally, it is impossible not to mention the cyber skills deficit. With 30% of surveyed organisations saying they still don’t have the skills they need, cyber security must be promoted more strongly as a growing career path.

Government, industry and the individual all have their role to play in this – government in building the education infrastructure for IT; industry in creating the jobs that will encourage the workforce of the future; and individuals by taking the time to understand cyber security.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email assist@cyber139.com or complete the form on our contact page NOW

The increasing value of personal data presents the challenge of managing a personal data economy

At the start of the millennium, the value of online services was equated with the number of registered users, but that changed after the dot-com bubble burst, according to Jon Shamah, chairman of EEMA, the European association for e-identity and security.

Jon felt that since 2010, that understanding has evolved, and increasingly the true value has been recognised as data about those registered users. He told the EEMA ISSE 2018 cyber security conference in Brussels.

He want on to say that the reality was that personal data had value for the service providers, but people were blindly throwing information at these companies in exchange for services.

This approach has changed in recent times, he said, particularly after the Facebook – Cambridge Analytica data sharing scandal that highlighted the potential for personal data to be misused.

People are finally waking up to the value of the information they have so willingly given in the past and their eyes have started to open. The evolution of data analysis tools, including the incorporation of artificial intelligence, he said, means that data collected in the past is becoming useful in new ways and therefore even more valuable.

John mentioned that it also means that service providers are able to analyse users’ online activities, largely without users’ knowledge or consent, and use that to tailor advertising on web pages, creating new and direct revenue streams. Something had to be done, and if it has achieved nothing else, the EU’s General Data Protection Regulation has focused people’s minds and got company executives and board members to take this issue seriously because now they have to be accountable and declare breaches.

This means data protection in Europe, said Shamah, is no longer just the concern of technical teams in organisations, but also chief executives and shareholders.

In the light of the recent revelations about the misuse of data, everyone needs to consider what kind of digital footprint they want to leave; a permanent one like those left by the first astronauts on the surface of the moon or temporary like those left in the sand on a beach.

The aim, he said, should be for digital footprints that last only for as long as they are needed and then erased without a trace. In addition to being disposed of properly, personal data also has to be geographically safe because there are a lot of concerns about where data is stored and keeping it in home jurisdictions, and we need the trustees to be accountable and responsible.”

The issue going forward, said Shamah, is how well people and society will be able to adapt to the new reality that there are no free services without giving up personal data.

Perhaps the company will be able to control their own data through the application of things like self-sovereign identity, but ultimately the challenge is attaining a mixed and balanced personal data economy.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email assist@cyber139.com or complete the form on our contact page NOW

Average cost of recovering from a single DNS attack is $924,390 for a large financial services company, survey shows

The costs of restoring services after a DNS (Domain Name System) attack are higher for financial services firms than for companies in any other sector.

According to a survey of 1,000 large financial services firms in Europe, North America and Asia Pacific, the average cost of recovering from a single DNS attack is $924,390 for a large financial services company.

The survey, carried out by network automation and security supplier EfficientIP, and its subsequent 2018 Global DNS threat report found that the average cost of recovery for such finance firms had increased by 57% compared with last year.

It also revealed that financial services firms suffered an average of seven attacks each last year, and 19% of them were attacked more than 10 times.

The survey found that finance firms took an average of seven hours to mitigate a DNS attack and 5% of them spent a total of 41 working days mitigating attacks in 2017. More than a quarter (26%) lost business because of the attacks.

The most common problems caused by DNS attacks are cloud service downtime, compromised websites and internal application downtime.

David Williamson, CEO at EfficientIP feels that the DNS threat landscape is continually evolving, impacting the financial sector in particular. This is because many financial organisations rely on security solutions that fail to combat specific DNS threats.

Financial services increasingly operate online and rely on internet availability and the capacity to securely communicate information in real time. Therefore, network service continuity and security is a business imperative and a necessity.

The UK’s Financial Conduct Authority voices concerns about weaknesses in banks’ IT systems.

There was a 48% rise in the amount of money stolen from UK online banks in 2014, as criminals pilfered more than £60m. But IT security teams at large finance firms have to balance their resources in the face of increasing cyber threats. A survey commissioned by VMWare earlier this year showed that 90% of IT security professionals in financial services have to make compromises that could leave other areas of their organisation exposed to cyber threats, and half admitted doing this regularly.

Types of DNS attack include:

1. Zero day attack – the attacker exploits a previously unknown vulnerability in the DNS protocol stack or DNS server software.
2. Cache poisoning – the attacker corrupts a DSN server by replacing a legitimate IP address in the server’s cache with that of another, rogue address in order to redirect traffic to a malicious website, collect information or initiate another attack. Cache poisoning may also be referred to as DNS poisoning.
3. Denial of service – an attack in which a malicious bot sends more traffic to a targeted IP address than the programmers who planned its data buffers anticipated someone might send. The target becomes unable to resolve legitimate requests.
   Distributed denial of service – the attacker uses a botnet to generate huge amounts of resolution requests to a targeted IP address.
4. DNS amplification – the attacker takes advantage of a DNS server that permits recursive lookups and uses recursion to spread the attack to other DNS servers.
   Fast-flux DNS – the attacker swaps DNS records in and out with extreme frequency in order redirect DNS requests and avoid detection.

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 03333 393 139 or email assist@cyber139.com or complete the form on our contact page NOW