
Posts Tagged :

Cyber-security

41% of UK workers not provided with cyber security training

Stuart O'Brien

Cyber security remains one of the most challenging issues for business owners, large and small. According to IBM, data breaches cost UK enterprises an average of $3.88 million per breach.

And considering much of the global workforce is now remote, it has never been more important for employees to be cyber aware. 

Specops Software recently found that clickjacking is the most common form of hacking in education at 66%, whilst phishing was extremely prevalent among other key industries at 71%.

This prompted the company to investigate the industries without sufficient cyber security training by surveying 1,342 businesses across 11 sectors across the UK. 

On average, 41% of employees across all sectors surveyed have not been provided adequate cyber security training. 

It is perhaps unsurprising that those working in Travel and Hospitality have not been adequately trained against cyber threats (84%). It comes after EasyJet was recently targeted in a serious cyber-attack whereby email addresses and travel details for around 9 million customers were breached. 

In second place is Education and Training. 69% of respondents who work in this industry claim they have not been trained sufficiently against cyber threats – a worrying statistic as breaches compromise student and staff safety. In fact, cyber attacks have been increasing year-on-year as more instances are reported, with four key reasons attackers target educational institutions: DDoS attacks, data theft, financial gain, and espionage. 

Other key industries that have not provided sufficient training include Marketing, Advertising and PR (47%), Medical and Health (42%) and Charity and Voluntary Work with 29%. 

Understandably, the sectors with far more stringent cyber security training processes include Legal Services (16%) and Recruitment and HR (19%). 

Specops also sought to find out if the level of cyber security training had changed since the beginning of COVID-19.

Out of the 1,342 respondents, the results revealed the following:  

  • I have been trained a lot more since COVID-19 – 21%
  • I have been trained a little more since COVID-19 – 37%
  • I have not been trained since COVID-19 – 42%

Business Sector | % of businesses that have implemented cyber security training sessions since COVID-19
Education and Training | 76%
Medical and Health | 65%
Computer and IT | 39%
Travel and Hospitality | 37%
Customer Service | 23%
Creative Arts and Design | 22%
Charity and Voluntary Work | 15%
Marketing, Advertising and PR | 13%
Legal Services | 13%
Accountancy, Banking and Finance | 10%
Recruitment and HR | 8%

Specops Software found on average just 29% of business sectors have initiated additional cyber security training. 

94% of respondents claimed it was the responsibility of their company to keep them up to date with cyber security training, whilst 79% could not identify if they were hacked.

To further complement the survey, Specops Software’s Cyber Security Expert Darren James has provided some expertise:

1. Why is it important for all employees to be trained?

The fact of the matter is that you can put as many security systems and procedures in place as you wish, but usually the weakest link is always the human being involved. Providing cyber security training is essential. Subjects such as password hygiene, email scam/phishing/malware awareness, social media usage etc. are important and the more attention we can bring to it via training at work, the less likely people in general will fall victim to these crimes.

2. Should companies integrate training on a regular basis and how often?

Generally, it’s a good idea to provide basic training to everyone, and to all new employees, so everyone is at least on the same page. Then, it is a good idea to promote awareness through the use of a good password policy, and maybe when IT experience interactions with users e.g. service desk/desktop support etc. provide further reminders where appropriate. Some “high risk” users such as IT admins, HR and finance teams should have regular awareness training.

3. What can companies do to ensure training is kept up to date, especially now everyone is working from home? 

Working from home represents another challenge when providing training. You can send emails out or put something on an extranet/intranet page, but let’s be honest not many people are going to willingly go and look. Try arranging a “working from home cyber security awareness” call if possible – whether it is per team, or with team managers who can then pass on key information. 

Please see the full research here: https://specopssoft.com/blog/uk-business-sectors-lacking-cyber-security-training/

Online cyber security skills courses popular with girls

Stuart O'Brien

The number of girls looking to learn new cyber security skills has surged this summer after courses went online for the first time.

The National Cyber Security Centre (NCSC) confirmed that the number of young people taking part in this year’s CyberFirst summer courses rose to a record-breaking 1,770 after they moved from the classroom to online.

And while the number of applications from boys saw a significant 31% rise, it was the increase in the number of girls applying which really caught the eye – rising by a massive 60% on 2019.

CyberFirst aims to ensure greater diversity in the next generation of cyber security specialists, and the summer courses offer 14 to 17-year-olds the chance to learn about digital forensics, ethical hacking, cryptography and cyber security challenges.

The new figures come one month after the NCSC pledged to take action to improve diversity and inclusion in the cyber security sector, as just 15% of the UK’s cyber security workforce are women and 14% of employees are from ethnic minority backgrounds.

Chris Ensor, NCSC Deputy Director for Cyber Growth, said: “I’m delighted to see that more young people are exploring the exciting world of cyber security, and it’s especially encouraging to see such a level of interest from girls.

“Our online courses have provided new opportunities for teenagers of all backgrounds and we are committed to making cyber security more accessible for all.

“Ensuring a diverse talent pipeline is vital in keeping the UK the safest place to live and work online, and CyberFirst plays a key role in developing the next generation of cyber experts.”

Digital Infrastructure Minister Matt Warman said: “It’s great to see so many young people taking part in the CyberFirst summer courses. These fantastic experiences give teenagers an insight into the exciting and varied careers on offer in cyber security.

“We want our cyber sector to go from strength to strength, so it is vital we inspire the next generation of diverse talent to protect people and businesses across the country.”

This year 670 more places were made available for the CyberFirst summer courses. The number of boys applying rose from 1,824 in 2019 to 2,398 this year, while for girls it went from 930 to 1,492 over the same period.

The annual initiative is offered at three levels: CyberFirst Defenders (for those aged 14–15), CyberFirst Futures (15–16), CyberFirst Advanced (16–17) – all aimed at helping pupils develop digital and problem-solving skills and introduce them to the cyber threat landscape.

This autumn, pupils interested in cyber security and computer science can look forward to a whole raft of opportunities from CyberFirst, as part of its ongoing commitment to inspire the next generation of cyber talent.

Other CyberFirst programmes include:

  • CyberFirst bursaries and apprenticeship schemes, which offer financial help for university-goers and paid summer work placements with over a hundred organisations to kickstart careers in cyber security. Applications are now live.
  • Empower Digital Cyber Week (9th-13th November), where students can watch and join online cyber sessions given by speakers in academia, industry and government.
  • The annual CyberFirst Girls competition, open to teams who want a fun and challenging opportunity to test their cyber skills in a bid to be crowned the UK’s top codebreakers. Registrations for the 2020-21 Girls Competition open on 30th November. More details about this year’s competition can be found on the NCSC’s website.
  • The government’s online cyber skills platform Cyber Discovery launched its latest intake in June and has already attracted over 13,500 students, with more than a third of registrations from female students. The programme, for 13-18 year olds, is a free and fun way for teens to develop cyber security skills. Students can register to join here: https://joincyberdiscovery.com/

Fujitsu reveals 12 days of Christmas security predictions

Guest Blog

By Rob Norris, VP Head of Enterprise & Cyber Security EMEIA, Fujitsu

Marked by a shortage of cyber security talent and attackers willing to exploit any vulnerability to achieve their aims, this year emphasised the need for organisations to invest in security and understand their risk posture.

With the number of vendors in the cyber security market rapidly growing, rising standards for managing identities and access, and organisations investing more in security tools, 2020 will be a transformational year for the sector. 

We anticipate that 2020 will be a positive year for security, and encourage public and private sector to work together to bring more talent to the sector and raise the industry standards. As the threat landscape continues to expand with phishing and ransomware still popular, so will the security tools, leaving organisations with a variety of solutions. Next year will also be marked by a rush to create an Artificial Intelligence silver-bullet for cyber security and a move from old-fashioned password management practices to password-less technologies.

As cyber criminals continue to find new ways to strike, we’ll be working hard to help our customers across the world to prepare their people, processes and technology to deal with these threats. One thing to always keep in mind is that technology alone cannot stop a breach – this requires a cultural shift to educate employees across organisations about data and security governance. After all, people are always at the front line of a cyber-attack.

In light of this, here are “12 Days of Christmas” security predictions for the coming year:

1.     A united front for cyber security talent development 

The shortage of cyber security talent will only get worse in 2020 – if we allow it to.

The scarce talent pool of cyber security specialists has become a real problem with various reports estimating a global shortage of 3.5 million unfulfilled positions by 2021. New approaches to talent creation need to be considered. 

The government, academia, law enforcement and businesses all have a part to play in talent identification and development and will need to work collaboratively to provide different pathways for students who may not ordinarily be suited to the traditional education route. Institutions offering new cyber security courses for technically gifted individuals are a great starting point, but more will need to be done in 2020 if the shortage is to be reduced. 

2.     Cloud adoption expands the unknown threat landscape

It will take time for organisations to understand their risk posture as the adoption of cloud services grows.

While the transition to cloud-based services will provide many operational, business and commercial benefits to organisations, there will be many CISOs working to understand the risks to their business with new data flows, data storage and new services. Traditional networks, in particular, boundaries and control of services are typically very well understood while the velocity and momentum of cloud adoption services leaves CISOs with unanswered questions. Valid concerns remain around container security, cloud storage, cloud sharing applications, identity theft and vulnerabilities yet to be understood, or exposed. 

3.     The Brexit effect

Brexit will have far-reaching cyber security implications for many organisations, in many countries.

The UK and European markets are suffering from uncertainty around the UK’s departure from the European Union, which will affect the adoption of cyber security services, as organisations will be reticent to spend until the impact of Brexit is fully understood. 

The implications of data residency legislation, hosting, corporation tax, EU-UK security collaboration and information sharing are all questions that will need to be answered in 2020 post-Brexit. There is a long-standing collaborative relationship between the UK and its EU counterparts including European CERTs and Europol and whilst the dynamics of those working relationships should continue, CISOs and senior security personnel will be watching closely to observe the real impact. 

4.     SOAR revolution

Security Orchestration, Automation and Response (SOAR) is a real game-changer for cyber security and early adopters will see the benefits in 2020 as the threat landscape continues to expand.

Threat intelligence is a domain that has taken a while for organisations to understand in terms of terminology and real business benefits. SOAR is another domain that will take time to be understood and adopted, but the business benefits are also tangible. At a granular level, the correct adoption of SOAR will help organisations map, understand and improve their business processes. By making correct use of their technology stack and associated APIs, early adopters will get faster and enhanced reporting and will improve their security posture through the reduction of the Mean Time To Respond (MTTR) to threats that could impact their reputation, operations and bottom line. 

5.     Further market fragmentation will frustrate CISOs 

The number of vendors in the cyber security market has been rapidly growing and that will continue in 2020, but this is leading to confusion for organisations.

The cyber security market is an increasingly saturated one, often to the frustration of CISOs who are frequently asked to evaluate new products. Providers that can offer a combined set of cyber security services that deliver clear business outcomes will gain traction as they can offer benefits over the use of disparate security technologies, such as a reduction in contract management, discounts provisioned across services, single points of contact and a reduction in services and technologies to manage. 

Providers that continue to acquire security technologies to enhance their stack such as Endpoint Detection and Response (EDR) or technology analytics, will be best positioned to provide the full Managed Detection and Response (MDR) services that organisations need. 

6.     Artificial Intelligence (AI) will need real security

2020 will see a rise in the use of adversarial attacks to exploit vulnerabilities in AI systems.

There is a rush to create an AI silver-bullet for cyber security; however, there is currently a lack of focus on security for AI. It is likely we will see a shift towards this research area as “adversarial” approaches to neural networks could potentially divulge partial or complete data points that the model was trained on. It is also possible to extract parts of a model leading to intellectual property theft as well as the ability to craft “adversarial” AI which can manipulate the intended model. Currently, it is hard to detect and remediate these attacks. 

There will need to be more focus on explainable AI, which would allow for response and remediation on what are currently black-box models.

7.     Organisations will need to understand how to make better use of security tools and controls at their disposal

Customers will need to take better advantage of the security measures that they already have available.  

The well-established cloud platforms already contain many integrated security features but organisations are failing to take advantage of these features, partly because they do not know about them.  A greater understanding of these features will allow organisations to make smarter investment decisions and we expect to see a growing demand for advice and services that allow organisations to optimally configure and monitor those technologies to ensure they have minimal risk and exposure to threats.

Fujitsu predicted last year that securing multi-cloud environments will be key going forward and organisations continue to need to find a balance of native and third-party tools to drive the right solution for their objectives.  

8.     Do you Wannacry again?

The end of support for Windows Server 2008 and Windows 7 will open the door for well-prepared attackers.

January 2020 sees the official end of support life for all variants of Windows Server 2008 and Windows 7, which share elements of the same code base. This means that both end-user devices and data center servers will be equally vulnerable to the same exploits and opens the possibility that organisations could be susceptible to attacks that cause large outages.

In 2017, Wannacry surfaced and caused some well-publicised outages including well-known organisations from across the healthcare, manufacturing, logistics and aerospace industries.  Microsoft had released patches two months before and recommended using a later version of the impacted components. We also learned in 2017, via Edward Snowden, that nation-states have built up an armoury of previously undisclosed exploits. These exploits are documented to target the majority of publicly available Operating Systems and so it stands to reason that cyber criminals could have also built a war chest of tools which will surface once the end of vendor support has passed for these Operating systems.  

9.     Raising the standard for managing identities and access

Federated Authentication, Single Sign-On and Adaptive Multi-Factor will become standard, if not required, practices in 2020.

2020 will see organisations continuing their adoption of hybrid and multi-cloud infrastructures and a ‘cloud-first’ attitude for applications.  This creates the challenge of managing the expanding bundle of associated identities and credentials across the organisation.

Identities and associated credentials are the key attack vector in a data breach – they are ‘keys to the kingdom’.  Without sufficient controls, especially for those with privileged rights, it is becoming increasingly difficult for organisations to securely manage identities and mitigate the risk of a data breach.  Capabilities such as Federation Authentication, Single Sign-On and Adaptive Multi-Factor address the challenge of balance between security and usability, and we see this becoming standard, if not required, practice in 2020.

10.  Extortion phishing on the rise

Taboo lures enhanced phishing and social engineering techniques will prey on user privacy.

We are seeing an increase in a form of phishing that would have a recipient believe their potentially embarrassing web browsing and private activity has been observed with spyware and will be made public unless a large ransom is paid.

Since their widespread emergence last year, the techniques used by these extortionists to evade filters continue to develop. Simple text-only emails from single addresses now come from ‘burnable’ single-use domains. Glyphs from the Cyrillic, Greek, Armenian and extended Latin alphabets are being used to substitute letters in the email to bypass keyword filters and Bitcoin wallets are rotated often and used to associate a recipient with a payment. 

The psychological tricks used in the wording of these emails will develop and likely aid their continued success.
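
One way a mail filter can counter the glyph substitution described above, shown as an added example that is not from the original article: fold look-alike letters back to ASCII before keyword matching, and flag words that mix scripts. The look-alike table is a small constructed subset, and the sample messages and keyword list are constructed for illustration.

```python
import re
import unicodedata

# Constructed subset of look-alike letters (Cyrillic, Greek, Armenian, Latin
# dotless i). A production filter would use the full Unicode confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041e": "O", "\u0420": "P",
    "\u0421": "C", "\u0422": "T",
    "\u03b1": "a", "\u03b9": "i", "\u03bd": "v", "\u03bf": "o", "\u0392": "B",
    "\u0570": "h", "\u057d": "u", "\u0585": "o",
    "\u0131": "i",
}

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")
TOKEN = re.compile(r"\w+")


def script_of(ch):
    """Return the script of a letter, judged by its Unicode name, or None."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def fold(text):
    """Strip accents, map look-alikes to ASCII and lowercase the result."""
    out = []
    for ch in unicodedata.normalize("NFKD", text):
        if unicodedata.combining(ch):
            continue  # drop accents used with extended Latin letters
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out).lower()


def mixed_script_tokens(text):
    """Words whose letters come from more than one script."""
    flagged = []
    for tok in TOKEN.findall(text):
        scripts = {script_of(c) for c in tok} - {None}
        if len(scripts) > 1:
            flagged.append(tok)
    return flagged


def scan(text, keywords):
    """Compare keyword hits before and after folding.

    'evasive_hits' are keywords that only match once look-alikes are folded,
    which is the signature of deliberate filter evasion.
    """
    raw = text.lower()
    folded = fold(text)
    raw_hits = {k for k in keywords if k in raw}
    folded_hits = {k for k in keywords if k in folded}
    return {
        "raw_hits": sorted(raw_hits),
        "evasive_hits": sorted(folded_hits - raw_hits),
        "mixed_tokens": mixed_script_tokens(text),
    }


# Constructed samples: three words carry one Cyrillic letter each; the benign
# message contains an ordinary all-Cyrillic word.
KEYWORDS = ["webcam", "payment", "bitcoin", "recorded"]
SAMPLE = ("I recorded you through your w\u0435bcam. "
          "Send p\u0430yment in \u0412itcoin within 48 hours.")
BENIGN = "\u041f\u0440\u0438\u0432\u0435\u0442, meeting moved to 3pm"

if __name__ == "__main__":
    print(scan(SAMPLE, KEYWORDS))
    print(scan(BENIGN, KEYWORDS))
```

A word written wholly in one non-Latin script is not flagged, so legitimate multilingual mail passes while single-letter substitutions inside Latin words stand out.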

11.  Passwords become a thing of the past

We will see increasing adoption of end-to-end password-less access, especially in scenarios where Privileged Access Management (PAM) is required.

Next year we will see a move from old-fashioned password management practices to password-less technologies. The increasing number of cases where privileged credentials and passwords are required, but are painful to manage in a secure and cost-effective way, will drive this shift. Passwords are easy to forget and the increasing complexity requirements placed upon users increase the chances of passwords having to be written down – which is self-defeating.  Biometric technologies and ephemeral certificates will provide a more secure and user-friendly way to manage credentials and ensure assets and data are kept secure. 

12.  Ransomware not so random

As more organisations employ negotiators to work with threat actors, ransomware is likely to decrease next year.

In 2019, we observed a shift in the way certain ransomware ransom notes were constructed. Traditionally, ransomware notes are generic template text informing the victim that their files are encrypted and that they must pay a set amount of Bitcoin in order to have their files unencrypted.

When threat actors successfully deploy ransomware network-wide and achieve other deployment objectives, they inform their victims their files are encrypted. Crucially, however, they do not reveal the price they demand for their decryption. Instead, threat actors seek to open a dialogue with the victim to discuss a price. This change has seen organisations employ negotiators to work with threat actors on managing and, hopefully, reducing the demand and we expect this to continue in 2020.

Younger workers most lax on cyber security best practice

Stuart O'Brien

Employees over the age of 30 are more likely to adopt cyber security best practice than younger colleagues.

That’s according to a new report published by the security division of NTT, ‘Meeting the expectations of a new generation. How the under 30s expect new approaches to cybersecurity’, which also reveals that the younger generation is more anxious about cybersecurity and their company’s ability to tackle the number of security threats.

The findings, part of NTT’s Risk:Value 2019 report, scored across 17 key criteria. It found that, on average, under-30s score 2.3 in terms of cybersecurity best practice, compared to 3.0 for over-30s. In the UK, under-30s (4.3) and over-30s (5.5) are among the highest scores globally.

The data suggests that employees who have spent longer in the workplace gaining knowledge and skills and have acquired ‘digital DNA’ during that time, sometimes have an advantage over younger workers.

Overall, under-30s expect to be productive, flexible and agile at work using their own tools and devices, but half of respondents think responsibility for security rests solely with the IT department. This is 6 percent higher than respondents in the older age categories.

General attitudes to cybersecurity in the UK found that: 

  • Younger workers are risk takers, with over half (52 percent) saying they would consider paying a ransom demand to a hacker, compared to just 26% of over-30s
  • Over half (58 percent) of under-30s believe their company does not have adequate skills and resources in-house to cope with the number of security threats. This compares to a quarter (26 percent) of over-30s, and may be the result of growing up in a technology skills crisis
  • Under-30s estimate that it would take around three months (97 days) to recover from a cybersecurity breach – six days more than the time estimated by older respondents
  • 82 percent believe that cybersecurity should be a regular item on the boardroom agenda, compared to 90 percent of over-30s
  • More accepting of new tools and devices at work, younger workers consider the Internet of Things (IoT) as more of a security risk (69 percent) than older colleagues (65 percent)

Azeem Aleem, VP Consulting (UK&I) Security, NTT, said: “It’s clear from our research that a multi-generational workforce leads to very different attitudes to cybersecurity. This is a challenge when organisations need to engage across all age groups, from the oldest employee to the youngest. With technology constantly evolving and workers wanting to bring in and use their own devices, apps and tools, business leaders must ensure that security is an enabler and not a barrier to a productive workplace.

“Our advice for managing security within a multi-generational workforce is to set expectations with young people and make security awareness training mandatory. Then execute this training to test your defences with all company employees involved in simulation exercises. Finally, team work is key. The corporate security team is not one person, but the whole company, so cultural change is important to get right.”

Adam Joinson, Professor of Information Systems, University of Bath, an expert on the intersection between technology and behaviour, said: “There is no ‘one size fits all’ approach to cybersecurity. The insights from the NTT study demonstrate that treating all employees as posing the same risk, or having the same skills, is problematic for organisations. We do need to be careful not to assume that the under-30s simply don’t care so much about cybersecurity. While this may be true in some cases, in others it is more likely that existing security policies and practices don’t meet their expectations about ‘stuff just working’.

“If we want to harness the fantastic creativity and energy of younger workers, we need to think about security as something that enables their work, not something that blocks them from achieving their tasks. This is likely to mean security practitioners having to fundamentally rethink the way security policies operate, and finding ways to improve the fit between security and the tasks employees are required to undertake as part of their core work.”

NTT’s six cybersecurity best practice tips for a multi-generational workforce:

  • Security culture must include all generations and be supported by a diverse range of employee champions, which includes age
  • Build a panel of younger employees and listen to their views on cybersecurity
  • Younger employees can be at their best and most motivated in an agile, productive, flexible workplace environment, where they are most likely to buy into the desired culture and behaviours. Security should be designed to enable the business
  • Make cybersecurity everyone’s business. Security leaders should be approachable to employees, through one-to-one interaction and more formal company events
  • Where skills shortages are most acute, support learning programmes, mentoring and consider external support
  • Education is vital. Gamify security learning and make it fun for all

Attacks on IP-based CCTV on the rise

Stuart O'Brien

Trend Micro says it blocked five million cyber-attack attempts against internet protocol (IP) cameras during a five-month period, further highlighting the risks impacting IP-based surveillance devices.

Trend Micro analysed 7,000 anonymously aggregated IP cameras, with brute force login attempts accounting for 75%, showing a clear pattern of malicious attackers targeting IP surveillance devices with malware, such as Mirai variants.

“More verticals are seeking connected, AI-powered video surveillance applications causing a clear paradigm shift from a relatively closed-off network to a more interconnected network operated heavily by cloud-based technologies,” said Oscar Chang, executive vice-president and chief development officer for Trend Micro. 

“Due to this shift in the landscape, manufacturers and users must pay attention to the security of these IoT devices.”

Dr Steve Ma, vice-president of engineering, Brand Business Group for VIVOTEK, said: “While the industry has known about cyber-risks, manufacturers have been unable to properly address the risk without knowing the root cause and attack methods.”

Trend Micro has suggested a shared responsibility model for all parties involved in video surveillance to help mitigate the potential impact of IoT-based threats, involving manufacturers, service providers, system integrators and end users, with complete end-to-end protection and risk awareness key to a secured video system. 

Petition started for minimum IT security for UK business

Stuart O'Brien

Evaris has called for action to establish a mandatory minimum level of IT security for all businesses.

The Manchester-based business has launched a petition, backed by IT and cyber security professionals, to put pressure on the government to make the currently optional National Cyber Security Centre’s (NCSC’s) Cyber Essentials Scheme compulsory for businesses to protect them in the event of a cyber attack and reduce the cost of cyber crime to the UK economy, as well as the public.

According to the recent Cyber Security Breaches Survey, less than three in 10 (27%) businesses have a formal cyber security policy in place, while large companies reported an average of 12 attacks per year that they knew about. Six attacks per year were reported by medium-sized companies.

As a result, Evaris is calling for all businesses to take steps to prevent such attacks from occurring.

The petition aims to ensure small organisations with up to 50 employees and medium-sized firms with between 51 and 250 staff should meet at least the criteria for certification for the Cyber Essentials scheme. Large businesses (those with more than 250 employees) should at least meet the criteria for the Cyber Essentials Plus scheme.

Terry Saliba, Solutions Architect at Evaris, said: “Data shows that more than four in ten businesses experienced a cyber security breach in the past 12 months, and these are becoming increasingly sophisticated and costly for businesses across all industries.

“Unfortunately, we still see that many firms are failing to understand the extent of this issue, and so we believe this petition is vital for establishing a compulsory baseline adhered to by all businesses.

“We’re extremely pleased to see our campaign to make Cyber Essentials compulsory for all companies has gained the support of industry bodies. These organisations see the extent of the damage caused by a lack of IT security and training on a daily basis.”

Vince Warrington, CEO of Protective Intelligence, said: “I’m supporting the petition because I’ve had to deal with the consequences of cyber attacks and seen the destruction they can cause.

“At the moment, far too many companies still see cyber security as a ‘nice to have’ rather than an essential part of everyday business, or feel they don’t understand what they need to do to protect themselves. But cyber attacks are not going to simply disappear – the criminals behind them will target your business if you haven’t taken even the most basic steps to keep them out.

“By driving all companies to adopt Cyber Essentials the government can not only create a good level of basic cyber hygiene across UK Plc, but also create a regular flow of work small cyber security businesses can themselves bring onboard new staff and train them up, thus reducing the predicted shortfall in qualified cyber security experts that the country will need in the decades to come.”

In order to be certified by the Cyber Essentials Scheme, applicants must, as a minimum:

  • Use a firewall to secure their internet connection
  • Choose the most secure settings for their devices and software
  • Control who has access to data and services
  • Have protection against viruses and other malware
  • Keep devices and software up to date

UK businesses warned to take action to prevent cyber attacks

Stuart O'Brien

Stats from the Department for Digital, Culture, Media and Sport (DCMS) have shown a reduction in the percentage of businesses suffering a cyber breach or attack in the last year.

The 2019 Cyber Security Breaches Survey shows that 32% of businesses identified a cyber security attack in the last 12 months – down from 43% the previous year.

The reduction is partly due to the introduction of tough new data laws under the Data Protection Act and the General Data Protection Regulation (GDPR). 30% of businesses and 36% of charities have made changes to their cyber security policies and processes as a result of GDPR coming into force in May 2018.

However, of those businesses that did suffer attacks, the typical median number of breaches has risen from 4 in 2018 to 6 in 2019. Therefore, businesses and charities suffering cyber attacks and breaches appear to be experiencing more attacks than in previous years.

Where a breach has resulted in a loss of data or assets, the average cost of a cyber attack on a business has gone up by more than £1,000 since 2018 to £4,180. Business leaders are now being urged to do more to protect themselves against cybercrime.

The most common breaches or attacks were phishing emails, followed by instances of others impersonating their organisation online, and viruses or other malware, including ransomware.

Digital Minister Margot James said: “Following the introduction of new data protection laws in the UK it’s encouraging to see that business and charity leaders are taking cyber security more seriously than ever before. However, with less than three in ten of those companies having trained staff to deal with cyber threats, there’s still a long way to go to make sure that organisations are better protected.

“We know that tackling cyber threats is not always at the top of businesses’ and charities’ list of things to do, but with the rising costs of attacks, it’s not something organisations can choose to ignore any longer.”

Through the CyberFirst programme, the Government is working with industry and education to improve cyber security and get more young people interested in taking up a career in cyber.

The Cyber Discovery initiative has already encouraged 46,000 14- to 18-year-olds to get on a path towards the cyber security profession; over 1,800 students have attended free CyberFirst courses and nearly 12,000 girls have taken part in the CyberFirst Girls competition. The Government’s initial Cyber Skills Strategy, published in December, will be followed by a full strategy later this year.

Business and charity leaders are being encouraged to download the free small business guide and free small charity guide to help make sure that they don’t fall victim to cyber attacks. This is available through the National Cyber Security Centre (NCSC).

Clare Gardiner, Director of Engagement at the NCSC, said: “We are committed to making the UK the safest place to live and do business online, and welcome the significant reduction in the number of businesses experiencing cyber breaches.

“However, the cyber security landscape remains complex and continues to evolve, and organisations need to continue to be vigilant.”

The NCSC has a range of products and services to assist businesses, charities and other organisations to protect themselves from cyber attacks, and to deal with attacks when they occur. These include the Board Toolkit providing advice to Board level leaders, and guides aimed at small businesses and small charities.

The threat of cyber attacks remains very real and widespread in the UK. The figures published today also show that 48% of businesses and 39% of charities that were breached or attacked identified at least one breach or attack every month.

Cyber security is becoming more of a priority issue, especially for charities. The proportion of charities treating cyber security as a high priority has gone up to 75% in 2019, compared with just 53% the year before, and is now at the same level as businesses.

Small businesses and charities are being urged to take up tailored advice from the National Cyber Security Centre. All businesses should consider adopting the Ten Steps to Cyber Security, which provides a comprehensive approach to managing cyber risks. Implementation of the 10 Steps will help organisations reduce the likelihood and cost of a cyber attack or cyber related data breach.

Organisations can also raise their basic defences by enrolling on the Cyber Essentials initiative and following the regularly updated technical guidance on the Cyber Security Information Sharing Partnership, available on the NCSC website.

Thales announces £20m Wales security hub

Stuart O'Brien

The Welsh Government is working with Thales to establish a £20m cyber centre which will sit at the heart of its Tech Valleys programme.

The National Digital Exploitation Centre (NDEC) will be the first research and development facility of its kind in Wales, and will provide a home for SMEs and microbusinesses to test and develop their digital concepts.

It will also provide a research lab in which big multinationals can develop technology and will connect Wales to major tech centres across the UK and globally.

Not only will the cyber centre help Wales to exploit the global opportunities of digital transformation, it will also equip businesses with the skills and knowledge they need to win a greater share of large regional and national projects.

The NDEC, located in Blaenau Gwent, will be delivered by Thales in collaboration with the University of South Wales (USW).

The University will run an Advanced Cyber Institute at the Centre that will provide a base for major, multi-million-pound academic research, and will also operate a Digital Education Centre that will equip SMEs, schools and individuals with the skills they need to protect themselves online.

As well as providing a vital facility for Welsh SMEs and academic research, the NDEC will also root technology giant Thales firmly in the South Wales valleys. The centre will be managed by a small team, some of whom have already been recruited from the local community.

The Welsh Government and Thales have each committed £10m to the project, which is expected to generate significant income. All elements, apart from the educational aspects of the centre, are expected to be fully self-sufficient within five years.

The Welsh Government’s Economy Minister Ken Skates said: “The centre will help ensure that Wales exploits the global opportunities of digital transformation, provide a base for ground breaking research and will equip businesses of all shapes and sizes with the skills and knowledge they need to win a greater share of large regional and national projects.

“I am confident that through our partnership with Thales and the University of South Wales we will work to stimulate and create employment in high value technology businesses – an ambition that is right at the heart of our Tech Valleys project.”

Gareth Williams, Vice President, Secure Communications and Information Systems, Thales, said: “We are very pleased to be working with the Welsh Government, University of South Wales and Blaenau Gwent Council to develop and deliver the NDEC. This will act as a cornerstone of our cyber security capabilities in the UK, providing a test bed for our technology, whilst also providing a catalyst for regeneration in the region.

“This highly technical and accessible facility will be a centre of cyber and digital development and education, and a connection for South Wales to major technology centres across the United Kingdom.”

Professor Julie Lydon, University of South Wales (USW) Vice-Chancellor, said: “USW is already a recognised expert in cyber security, with our Newport-based National Cyber Security Academy (NCSA) working closely with businesses to give students real-life experience in the sector.

“This expertise in preparing students for a career in industry means we are ideally placed to support the NDEC’s aim of harnessing academic research and graduate education to develop market insight, enhance technological capability, and develop a skilled labour force in Ebbw Vale and the wider South Wales region through its educational outreach, CPD courses, and support for SMEs.

“This project will be a significant step in building the region’s reputation in the ever-expanding global market for cyber graduates and research expertise.”

The Tech Valleys project is a key commitment of the Ministerial Taskforce for the South Wales Valleys.

Demand for cyber security professionals on the rise

Stuart O'Brien

A new report has revealed that nearly 40% of European firms are looking to grow their cyber security teams by at least 15% over the next 12 months.

Commissioned by security certification body (ISC)2, The 2017 Global Information Security Workforce Study was based on a survey of 19,000 global cyber security professionals, including 3,700 European security professionals.

The report also goes on to say that while European companies have the most ambitious plans for hiring security professionals, two-thirds say they have too few cyber security professionals, with Europe facing a shortage of 350,000 security professionals by 2022.

92% of the respondents admitted that they looked for previous cyber security experience when choosing candidates, with most recruitment coming from their own professional networks. Social and professional networks are preferred (48%) followed by the company’s HR department (47%).

The report calls for employers to be more proactive when it comes to embracing newcomers and a changing workforce.

Globally, the report revealed that 70% of employers are looking to increase the size of their cyber security staff by the end of 2017. However, strong recruitment targets, a shortage of talent and a lack of training have all contributed to the skills shortages.

“The combination of virtually non-existent unemployment, a shortage of workers, the expectation of high salaries, and high staff turnover that only increases among younger generations, creates both a disincentive to invest in training and development and a conundrum for prospective employers of how to hire and retain talent in such an environment,” the report says.

Adrian Davis, managing director for Europe, the Middle East and Africa at (ISC)2 said: “There are real structural concerns hampering the development of the job market today that must be addressed.

“It is particularly concerning that employers appear reluctant to invest in their workforce and are unwilling to hire less-experienced candidates. If we cannot be prepared to develop new talent, we will lose our ability to protect the economy and society.”

The 2017 Global Information Security Workforce Study can be viewed here.

75% of CEOs using unapproved programs and applications

Stuart O'Brien

A study by data security experts Code42 has revealed that 75% of CEOs admit that they are using applications and programs that are not approved by their IT departments, playing a game of chance with critical corporate data.

Despite the known risks facing organisations today, such as data breaches, business decision makers (BDMs) and CEOs are putting critical data in jeopardy, according to the report.

Three quarters of CEOs and more than half (52%) of BDMs admit that they use applications/programs that are not approved by their IT department. This is despite 91 percent of CEOs and 83 percent of BDMs acknowledging that their behaviours could be considered a security risk to their organisation.

IT decision makers (ITDMs) say that half (50%) of all corporate data in the enterprise is held on laptops and desktops, instead of in the data centre or centralised servers. In the U.S., this rises to as much as 60%.

Simultaneously, the significance of this data to the productivity and security of the business is well understood at the top of the organisation — with 63% of CEOs stating that losing this data would destroy their business. But, awareness of the risk is doing little to change adherence to proper security practices.

“Modern enterprises are fighting an internal battle between the need for productivity and the need for security—both of which are being scrutinised all the way to the CEO,” said Rick Orloff, VP and CSO at Code42. “By using unauthorised programs and applications, business leadership is challenging the very security strategies they demanded be put in place. This makes it clear that a prevention-based approach to security is not sufficient; recovery must be at the core of your strategy.”

www.code42.com