Posts Tagged :


UK government puts supply chain security on the agenda

960 640 Stuart O'Brien

New proposals to help British businesses manage cyber risks attached to supply chains are being considered by the government.

The Department for Digital, Culture, Media and Sport (DCMS) is calling for views on a number of measures to enhance the security of digital supply chains and third party IT services, used by firms for things such as data processing and infrastructure management.

DCMS research shows only 12 per cent of organisations review the cyber security risks coming from their immediate suppliers and only one in twenty firms (5 per cent) address the vulnerabilities in their wider supply chain.

The National Cyber Security Centre (NCSC) already offers a raft of support to help organisations assess the security risks of their suppliers, including the advice on identifying business-wide cyber security risks and vulnerabilities such as the Cyber Assessment Framework and provides specific Supply Chain Security and Supplier Assurance guidance.

The government says it has also helped organisations improve their cyber risk management during the pandemic, including through £500,000 of funding to enable critical suppliers in healthcare subsectors to boost their preparedness and resilience through the Cyber Essentials scheme.

But, as organisations increasingly move their operations online, digital supply chains and third party IT service operators are becoming vital to companies’ every day operations and are hugely important for business continuity and resilience. The government is looking at what more it can do to support UK firms.

Digital Infrastructure Minister Matt Warman said: “There is a long history of outsourcing of critical services. We have seen attacks such as ‘CloudHopper’ where organisations were compromised through their managed service provider. It’s essential that organisations take steps to secure their mission critical supply chains – and remember they cannot outsource risk.

“Firms should follow free government advice on offer. They must take steps to protect themselves against vulnerabilities and we need to ensure third-party kit and services are as secure as possible.

“We’re seeking views from firms that both procure and provide digital services, as a first step in considering whether we need updated guidance or strengthened rules.”

The government wants views on the existing guidance for supply chain cyber risk management and is also testing the suitability of a proposed security framework for firms which manage organisations’ IT infrastructure.

The proposals could require Managed Service Providers to meet the current Cyber Assessment Framework – a set of 14 cyber security principles designed for organisations that play a vital role in the day-to-day life of the UK.

The framework sets out measures organisations should take, such as:

  • Having policies to protect devices and prevent unauthorised access
  • Ensuring data is protected at rest and in transit
  • Keeping secure and accessible backups of data
  • Training staff and pursuing a positive cyber security culture.

The department seeks industry feedback on examples of good supplier risk management, building on government advice set out in the Supply Chain Security Guidance and Supplier Assurance Questions.

New security centre to help SMEs prevent cyber attacks

960 640 Stuart O'Brien

HOST, the Home of Skills & Technology at Media City, in partnership with Salford City Council is bringing to market a unique Security Operations Centre (SOC), which will offer an affordable cyber security subscription-based support service to SMEs innovating and adopting digital and cloud technologies.  

As part of this, it is partnering with the Cyber Resilience Centre for Greater Manchester (CRCGM) to offer Cyber MOTs, which will include security awareness training and a cyber security assessment.

The Cyber MOTs will be fully funded and initially available to businesses based in Salford. The package will also offer exclusive membership to businesses based or located near Media City. 

The Cyber MOTs will help scaling businesses and their teams to understand the risks of cyber crime and identify and prevent potential security issues through a comprehensive assessment, with recommendations on how to integrate security best practice. The HOST SOC is also partnering with Siemens to support manufacturing and engineering businesses with an Industrial Cyber MOT, offered exclusively to SME manufacturers that are members of the Greater Manchester Chamber of Commerce as part of their membership benefits. 

This follows the UK government’s recent Cyber Security Breaches Survey, which found that nearly four in 10 businesses (39 per cent) have reported a cyber attack, while the average cost to companies that have been hit by cyber attacks in the last 12 months is estimated to be £8,460.

All businesses are at risk of hidden cyber security breaches and with organisations finding it harder to monitor employees working from home during the pandemic, they may be less aware of the attacks their staff are facing.

In response to this demand, HOST is developing a state-of-the-art Innovation Lab, which will house the 24/7 SecurityOperations Centre (SOC) and Network Operations Centre (NOC) cyber support as a service. The centre will provide public sector organisations, enterprises and SMEs with a secure, tailored and scalable cyber solution.

HOST has also partnered with Lancaster University to develop collaborative activities to accelerate research, development and innovation with start-ups and SMEs through Innovate UK programmes such as the Knowledge Transfer Partnerships (KTPs) scheme.

The HOST SOC is unique as it comprises a Cyber Innovation Exchange, an open-source technology exchange that will also include a Cyber Innovation Sandbox, allowing for HOST’s incubated start-ups to accelerate and validate their IP across a real-world commercial environment. In the coming months, HOST will start to recruit up to 10 start-ups and scale-ups, looking to rapidly develop and commercialise disruptive cyber security solutions with AI and machine learning capabilities. 

“I’m excited to work with HOST to shape an environment that puts innovation at the heart of acceleration. By bringing together business growth support, labs, testing and validation environments, access to training data along with input and oversight from leading academics and commercial specialists, we will offer first-rate support for the next generation of intelligent cyber solutions,” said Saskia Coplans, Director of Innovation for cyber, data science and AI at HOST.

The HOST SOC and Cyber Innovation Exchange working with GCHQ and leading technology partners such as Microsoft, will further enhance Greater Manchester’s capability of making the UK a world leading security power through scalable innovation.

HOST, operated by IN4.0 Group, recently announced its partnership with The Raytheon Cyber Academy operating within the Skills City campus. HOST will also deliver the National Cyber Security Centre (NCSC) CyberFirst programme, inspiring girls at secondary schools to pursue careers in STEM. HOST also provides an 8-week placement for CyberFirst bursary students. 

Andy Beaden (above, left), co-founder of IN4.0 Group, said: “We are delighted to be working in collaboration with the Cyber Resilience Centre for Greater Manchester to help businesses in the region gain confidence in knowing that their operations have been thoroughly assessed for cyber threats, so they can take the appropriate actions to secure their business. Our Security Operations Centre is a perfect illustration of how public and private partnerships can forge a formidable infrastructure to support organisations to drive innovation and productivity, creating highly skilled jobs for local people.”  

Neil Jones, Director of the Cyber Resilience Centre for Greater Manchester, said “The Cyber Resilience Centre is excited to be working with HOST to deliver fully funded Cyber MOTs to help protect our business community from cybercrime. The cybercrime threat to SMEs has never been greater, with cybercriminals taking advantage of the pandemic to carry out damaging attacks on businesses of all sizes as they increasingly work online. Working in partnership is in our DNA and helps us provide trusted, government-backed, easily accessible and practical support where it’s most needed.”

Steven Fry (above, right), Chief Digital Officer at Salford City Council, said: “I am absolutely delighted that we have brought this collective together at HOST Salford to bring our knowledge and expertise to Salford businesses, creating new jobs and solutions to help shape the future of the country’s cyber defence.”

The CRCGM is a not-for-profit joint venture between Greater Manchester Police and Manchester Digital that helps to support and protect small businesses from the threat of cybercrime, which is estimated to cost the local economy over £860 million a year.

Why supply chains are today’s fastest growing cybersecurity threat

960 640 Guest Blog

By Steph Charbonneau, Senior Director of Product Strategy, HelpSystems

Business ecosystems have expanded over the years owing to the many benefits of diverse, interconnected supply chains, prompting organizations to pursue close, collaborative relationships with their suppliers. However, this has led to increased cyber threats when organizations expose their networks to their supply chain and it only takes one supplier to have cybersecurity vulnerabilities to bring a business to its knees. To this point governments around the world have highlighted supply chains as an area for urgent attention in tackling cyber risk in the coming years.

Looking beyond your own perimeter

Over the last few years, many organizations have worked hard to improve their cyber defenses and are increasingly “harder targets”.  However, for these well-defended organizations, now the greatest weaknesses in their defenses are their suppliers, who are typically less well defended but with whom they are highly interconnected. 

At the same time, the cyber threat landscape has intensified, and events of the past year have meant that security professionals are not only having to manage security in a remote working set up and ensure employees have good accessibility, they are also having to handle a multitude of issues from a distance whilst defending a much broader attack surface.  As a result, points of vulnerability have become even more numerous, providing an attractive space for bad actors to disrupt and extort enterprises.  Threats have escalated, including phishing and new variants of known threats, such as ransomware and Denial of Service (DDoS) attacks, as well as increases in supply chain attacks.

But where supply chains are concerned, it is nearly impossible to effectively manage this risk unless you know the state of your suppliers’ defences and continually ensure that they are comparable to your own.  Organizations must deeply understand the cyberrisks associated with the relationship and try to mitigate those risks to the degree possible.

However, that’s easier said than done. With the sending and receiving of information essential for the supply chain to function, the only option is to better identify and manage the risks presented.  This requires organizations to overhaul existing risk monitoring programs, technology investments and also to prioritize cyber and data security governance.

Ensuring the basics are in place

At the very least organizations should ensure that both they and their suppliers have the basic controls in place such as CyberEssentials, NIST and ISO 27001, coupled with good data management controls. They should thoroughly vet and continuously monitor supply chain partners. They need to understand what data partners will need access to and why, and ultimately what level of risk this poses. Likewise, they need to understand what controls suppliers have in place to safeguard data and protect against incoming and outgoing cyber threats. This needs to be monitored, logged, and regularly reviewed and a baseline of normal activities between the organization and the supplier should be established.

As well as effective processes, people play a key role in helping to minimize risk. Cybersecurity training should be given so that employees are aware of the dangers and know how to spot suspicious activity. They should be aware of data regulation requirements and understand what data can be shared with whom. And they should also know exactly what to do in the event of a breach, so a detailed incident response plan should be shared and regularly reviewed.

IT best practices should be applied to minimize these risks. IT used effectively can automatically protect sensitive data so that when employees inevitably make mistakes, technology is there to safeguard the organization.

Securely transferring information between suppliers

So how do organizations transfer information between suppliers securely and how do they ensure that only authorized suppliers receive sensitive data? Here data classification tools are critical to ensure that sensitive data is appropriately treated, stored, and disposed of during its lifetime in accordance with its importance to the organization. Through appropriate classification, using visual labelling and metadata application to emails and documents, this protects the organization from the risk of sensitive data being exposed to unauthorized organizations further down the line through the supply chain.

Likewise, data that isn’t properly encrypted in transit can be at risk of compromise, so using a secure and compliant mechanism for transferring data within the supply chain will significantly reduce risks. Managed File Transfer (MFT) software facilitates the automated sharing of data with suppliers. This secure channel provides a central platform for information exchanges and offers audit trails, user access controls, and other file transfer protections.

Layering security defenses

Organizations should also layer security defences to neutralize any threats coming from a supplier.  Due to its ubiquity, email is a particularly vulnerable channel and one that’s often exploited by cyber criminals posing as a trusted partner. Therefore, it is essential that organizations are adequately protected from incoming malware, embedded Advanced Persistent Threats, or any other threat that could pose a risk to the business.

And finally, organizations need to ensure that documents uploaded and downloaded from the web are thoroughly analyzed, even if they are coming from a trusted source. To do this effectively, they need a solution that can remove risks from email, web and endpoints, yet still allows the transfer of information to occur. Adaptive DLP allows the flow of information to continue while removing threats, protecting critical data, and ensuring compliance. It doesn’t become a barrier to business or impose a heavy management burden. This is important because traditional DLP ‘stop and block’ approaches have often resulted in too many delays to legitimate business communications and high management overheads associated with false positives.

Cyber criminal attacks set to rise

Many of the recent well publicized attacks have been nation state orchestrated. Going forward this is going to turn into criminal syndicate attacks. Cyber criminals already have the ransomware capabilities and now all they need to do is tie this up with targeting the supply chain.  Therefore, making sure you have the right technologies, policies and training programs in place should be a top priority for organizations in 2021. If you are interested in finding out more about protecting your supply chain, why not download our eGuide: Managing Cybersecurity Risk in the Supply Chain.”

Top 10 Cyber Security Predictions for 2021

960 640 Guest Blog

Looking forward to 2021, Fujitsu expects challenges to persist as organisations look to ensure their remote workforces’ security and productivity. It also expects a reset in the attitudes towards risk as organisations grapple with the dilemma of tackling new challenges with lower security budgets and anticipate the increased use of new technologies to open new security vulnerabilities.

The next 12 months will undoubtedly have its challenges. Still, organisations that are aware of these risks and take steps to mitigate their impact will be well-positioned to secure future growth in what is likely to be another interesting year.

Fujitsu’s Head of Enterprise and Cyber Security, Fiona Boyd’s top 10 cyber security predictions:

1)     Working from home has increased the attack surface

The proliferation of working from home has forced many organisations to expedite their digital strategies.

Employees have been forced to change their working habits and patterns, as many people are now working from home. This increases the so-called attack surface for any company – mainly if employees use personal devices to connect to corporate resources, since these may not have an enterprise-class level of protection. Spear-phishing emails, in particular, increase the threat to organisations. These often follow traditional attack profiles in terms of initial reconnaissance via social media before any attempt is made to compromise a user’s credentials. The end state is a crafted, targeted email. Increasingly, these emails appear to be more credible.

As home working looks set to continue, organisations should make sure employees are educated and alert for phishing emails.

2)     Success requires finding the right balance between security and user experience

The global pandemic has changed user behaviour in terms of how we are communicating, working, consuming, and spending our free time. This creates new requirements for the services we use. One common theme to all these changes and new demands is that all require our digital identities.

The sophistication of how organisations use, manage, and protect identities has not yet reached the so-called new normal. For many, this means that security controls surrounding identities still have a negative impact on user experience. Users find security to be complicated, cumbersome, and time-consuming. Consequently, frustration often results in users abandoning a service or bypassing security controls. The winners in the new normal will be those able to adapt to these new requirements and provide a strong user experience in a secure and trusted way.

3)     Risk appetites must be re-evaluated

Many security teams will enter 2021 with reduced budgets due to the impact of COVID-19.

This will require careful evaluation of spending priorities and will necessitate hard choices about which investments to cut. This will mean firms cannot evolve their security posture in line with changing security threats. Consequently, they will have to accept a higher risk that complex attacks will be successful and go undetected for longer.

4)     New life for ransomware attacks

Ransomware attacks are set to grow in scale and sophistication throughout the next year.

We are already seeing increasing numbers of attacks on previously untapped market sectors, such as healthcare. The nature of the damage of a ransomware attack is also changing. We see an increase in extortion in terms of the number of attackers threatening to release stolen data into the public domain (also known as Doxxing) rather than simply locking it away.

To compound these issues, we expect to see greater use of AI technology in ransomware attacks, as attackers seek to launch increasingly sophisticated, coordinated attacks to evade today’s detection measures. AI will be part of the problem. It also offers part of the solution, as it continues to develop greater capabilities to detect and flag suspicious behaviour.

5)     The age of disinformation attacks

The pandemic has had a significant impact on everyone and disrupted our social and work lives.

There has been one constant throughout: cybercriminals leveraging current topical themes, such as the UK’s withdrawal from the EU, elections and COVID-19. At their core, criminals are launching social engineering attacks designed to take advantage – and even create – panic and fear. In 2021, we will see new themes used to target businesses and individuals, focusing on pandemic-related topics such as mandatory vaccines, health passports, mass testing, and lockdowns. We anticipate a lot of disinformation on these topics. With the desire of many to return to post-pandemic normality, we expect multi-vector attacks built on these themes from both criminal gangs and nation-states. Some countries are already testing the use of machine learning to defend against disinformation campaigns.

6)     Security compromised while privacy preserved

DNS over HTTPS is set to become a common attack vector.

This has become a standard feature of mainstream web browsers such as Google Chrome, Mozilla Firefox, and Microsoft Edge. Effectively, this means security controls cannot analyse website requests. On the surface, this is a viable development in terms of user privacy. However, many cyber security attacks rely on access to an external website to retrieve malicious files as part of a multi-stage attack. DNS over HTTPS encrypts these requests, meaning that these requests are masked from security controls, and giving an attacker the upper hand before cyber defenders can react and respond.

Organisations should carefully evaluate whether to enable this feature on corporate devices and consider the new office dynamic, with an increasing number of workers connecting from home on personal devices to corporate infrastructure and services, increasing the opportunity for this attack type.

7)     5G will rapidly open more potential vulnerabilities

As 5G technology matures and telcos continue to roll out 5G networks, security concerns will also increase.

Among others, these will stem from an endless stream of insecure IoT devices that manufacturers are rushing to market, as well as the security requirements of critical national infrastructures. 5G security is and will remain a national security concern. It will increase enterprises’ need to revisit their security strategy for using public and untrusted mobile networks.

Organisations cannot ignore the opportunities that 5G provides. Nevertheless, to ensure their safety, they should adopt a secure-by-design mindset when exploring how to use 5G networks best.

8)     Security concerns for the Internet of Behaviours

As we develop new remote ways of going about our everyday business during the pandemic, the world is now connected more than ever.

The Internet of Things (IoT) has driven innovation in every area of life, including connected homes, internet-enabled and autonomous cars, health monitoring via smartwatches, and even the testing of drones to deliver our online shopping. However, the IoT exploded without a robust security framework. The proliferation of attacks meant that the privacy of CCTV cameras and some other IoT devices was compromised in huge DDoS attacks. 5G will accelerate the potential for the use of connected devices to track individuals’ everyday behaviour, observe where we go, who we see, where we shop, what we buy – and even to use facial recognition to work out our identity. 

This innovation must be coupled with robust data privacy controls, which should be evaluated up front rather than as an afterthought, so we can trust that the same data is not used nefariously and targeted by threat actors.

9)     Hitting where it hurts

Attacks that target characteristics specific to certain industries will continue to present more significant opportunities.

The number of attacks on connected cars has risen sharply in the last year, while in the manufacturing and utility sector, Operational Technology (OT) systems have seen a quadruple figure percentage increase in attacks. The targeting of these technologies is growing because they have less mature security controls. Many can directly impact an organisation’s operations. We expect this trend to continue in 2021.

On the positive side, we expect more organisations to recognise the value of cloud computing as a reliable means to deliver OT security to locations where it is not practical or feasible for a physical deployment.

10)  Cloud-centric does not equal threat free

Multi-layered cloud protection will take on new importance in 2021.

As organisations move toward a cloud-centric future, there will be continued disruption attempts for monetary, intellectual property, or political gain. In the first half of 2019, Netscout reported 4.8 million DDOS attacks. Ransomware attacks were also up 50% in Q3, according to data from Check Point. Such attacks can cripple businesses in very short timeframes, and the financial impact has seen companies willing to pay a ransom for their data or bring their services back online.

This trend is a cause for concern, and multi-layered cloud protection should be a focus area for many businesses in 2021 as they balance digitalisation and security.

41% of UK workers not provided with cyber security training

960 640 Stuart O'Brien

Cyber security remains one of the most challenging issues for business owners – large and small. And it seems data breaches cost UK enterprises an average of $3.88million per breach – according to IBM. 

And considering much of the global workforce is now remote, it has never been more important for employees to be cyber aware. 

Specops Software recently found that Clickjacking is the most common form of hacking in education at 66%. Whilst Phishing was extremely prevalent among other key industries at 71%.

This prompted the company to investigate the industries without sufficient cyber security training by surveying 1,342 businesses across 11 sectors across the UK. 

On average, 41% of employees across all sectors surveyed have not been provided adequate cyber security training. 

It is perhaps unsurprising that those working in Travel and Hospitality have not been adequately trained against cyber threats (84%). It comes after EasyJet was recently targeted in a serious cyber-attack whereby email addresses and travel details for around 9 million customers was breached. 

In second place is Education and Training. 69% of respondents who work in this industry claim they have not been trained sufficiently against cyber threats – a worrying statistic as breaches compromise student and staff safety. In fact, cyber attacks have been increasing year-on-year as more instances are reported, with four key reasons attackers target educational institutions: DDoS attacks, Data theft, financial gain, and espionage. 

Other key industries that have not provided sufficient training include Marketing, Advertising and PR (47%), Medical and Health (42%) and Charity and Voluntary Work with 29%. 

Understandably, the sectors with far more stringent cyber security training processes include Legal Services (16%) and Recruitment and HR (19%). 

Specops also sought to find out if the level of cyber security training had changed since the beginning of COVID-19.

Out of the 1,342 respondents, the results revealed the following:  

  • I have been trained a lot more since COVID-19 – 21%
  • I have been trained a little more since COVID-19 – 37%
  • I have not been trained since COVID-19 – 42%
Business Sector% of businesses that have since implemented cyber security training sessions since COVID-19 
Education and Training76%
Medical and Health65%
Computer and IT39%
Travel and Hospitality37%
Customer Service23%
Creative Arts and Design22%
Charity and Voluntary Work15%
Marketing, Advertising and PR13%
Legal Services13%
Accountancy, Banking and Finance10%
Recruitment and HR8%

Specops Software found on average just 29% of business sectors have initiated additional cyber security training. 

94% of respondents claimed it was the responsibility of their company to keep them up to date with cyber security training, whilst 79% could not identify if they were hacked.

To further complement the survey, Specops Software’s Cyber Security Expert Darren James has provided some expertise:

  1. Why is it important for all employees to be trained?

The fact of the matter is that you can put as many security systems and procedures in place as you wish, but usually the weakest link is always the human being involved. Providing cyber security training is essential. Subjects such as password hygiene, email scam/phishing/malware awareness, social media usage etc. are important and the more attention we can bring to it via training at work, the less likely people in general will fall victim to these crimes.

2. Should companies integrate training on a regular basis and how often?

Generally, it’s a good idea to provide basic training to everyone, and to all new employees, so everyone is at least on the same page. Then, it is a good idea to promote awareness through the use of a good password policy, and maybe when IT experience interactions with users e.g. service desk/desktop support etc. provide further reminders where appropriate. Some “high risk” users such as IT admins, HR and finance teams should have regular awareness training.

3. What can companies do to ensure training is kept up to date, especially now everyone is working from home? 

Working from home represents another challenge when providing training. You can send emails out or put something on an extranet/intranet page, but let’s be honest not many people are going to willingly go and look. Try arranging a “working from home cyber security awareness” call if possible – whether it is per team, or with team managers who can then pass on key information. 

Please see the full research here:

Online cyber security skills courses popular with girls

960 640 Stuart O'Brien

The number of girls looking to learn new cyber security skills has surged this summer after courses went online for the first time.

The National Cyber Security Centre (NCSC) confirmed that the number of young people taking part in this year’s CyberFirst summer courses rose to a record-breaking 1,770 after they moved from the classroom to online.

And while the number of applications from boys saw a significant 31% rise, it was the increase in the number of girls applying which really caught the eye – rising by a massive 60% on 2019.

CyberFirst aims to ensure greater diversity in the next generation of cyber security specialists, and the summer courses offer 14 to 17-year-olds the chance to learn about digital forensics, ethical hacking, cryptography and cyber security challenges.

The new figures come one month after the NCSC pledged to take action to improve diversity and inclusion in the cyber security sector, as just 15% of the UK’s cyber security workforce are women and 14% of employees are from ethnic minority backgrounds.

Chris Ensor, NCSC Deputy Director for Cyber Growth, said: “I’m delighted to see that more young people are exploring the exciting world of cyber security, and it’s especially encouraging to see such a level of interest from girls.

“Our online courses have provided new opportunities for teenagers of all backgrounds and we are committed to making cyber security more accessible for all.

“Ensuring a diverse talent pipeline is vital in keeping the UK the safest place to live and work online, and CyberFirst plays a key role in developing the next generation of cyber experts.”

Digital Infrastructure Minister Matt Warman said: “It’s great to see so many young people taking part in the CyberFirst summer courses. These fantastic experiences give teenagers an insight into the exciting and varied careers on offer in cyber security.

”We want our cyber sector to go from strength to strength, so it is vital we inspire the next generation of diverse talent to protect people and businesses across the country.”

This year 670 more places were made available for the CyberFirst summer courses. The number of boys applying rose from 1,824 in 2019 to 2,398 this year, while for girls it went from 930 to 1,492 over the same period.

The annual initiative is offered at three levels: CyberFirst Defenders (for those aged 14–15), CyberFirst Futures (15–16), CyberFirst Advanced (16–17) – all aimed at helping pupils develop digital and problem-solving skills and introduce them to the cyber threat landscape.

This autumn, pupils interested in cyber security and computer science can look forward to a whole raft of opportunities from CyberFirst, as part of its ongoing commitment to inspire the next generation of cyber talent.

Other CyberFirst programmes include:

  • CyberFirst bursaries and apprenticeship schemes, which offer financial help for university-goers and paid summer work placements with over a hundred organisations to kickstart careers in cyber security. Applications are now live.
  • Empower Digital Cyber Week (9th-13th November), where students can watch and join online cyber sessions given by speakers in academia, industry and government.
  • The annual CyberFirst Girls competition, open to teams who want a fun and challenging opportunity to test their cyber skills in a bid to be crowned the UK’s top codebreakers. Registrations for the 2020-21 Girls Competition open on 30th November. More details about this year’s competition can be found on the NCSC’s website.
  • The government’s online cyber skills platform Cyber Discovery launched its latest intake in June and has already attracted over 13,500 students, with more than a third of registrations from female students. The programme, for 13-18 year olds, is a free and fun way for teens to develop cyber security skills. Students can register to join here:

Fujitsu reveals 12 days of Christmas security predictions

960 640 Guest Blog

By Rob Norris, VP Head of Enterprise & Cyber Security EMEIA, Fujitsu

Marked by a shortage of cyber security talent and attackers willing to exploit any vulnerability to achieve their aims, this year emphasised the need for organisations to invest in security and understand their risk posture.

With the number of vendors in the cyber security market rapidly growing, rising standard for managing identities and access, and organisations investing more in security tools, 2020 will be a transformational year for the sector. 

We anticipate that 2020 will be a positive year for security, and encourage public and private sector to work together to bring more talent to the sector and raise the industry standards. As the threat landscape continues to expand with phishing and ransomware still popular, so will the security tools, leaving organisations with a variety of solutions. Next year will also be marked by a rush to create an Artificial Intelligence silver-bullet for cyber security and a move from old-fashioned password management practices to password-less technologies.

As cyber criminals continue to find new ways to strike, we’ll be working hard to help our customers across the world to prepare their people, processes and technology to deal with these threats. One thing to always keep in mind is that technology alone cannot stop a breach – this requires a cultural shift to educate employees across organisations about data and securitygovernance. After all, people are always at the front line of a cyber-attack.

In light of this, here are“12 Days of Christmas” security predictions for the coming year:

1.     A united front for cyber security talent development 

The shortage of cyber security talent will only get worse in 2020 – if we allow it to.

The scarce talent pool of cyber security specialists has become a real problem with various reports estimating a global shortage of 3.5 million unfulfilled positions by 2021. New approaches to talent creation need to be considered. 

The government, academia, law enforcement and businesses all have a part to play in talent identification and development and will need to work collaboratively to provide different pathways for students who may not ordinarily be suited to the traditional education route. Institutions offering new cyber security courses for technically gifted individuals are a great starting point, but more will need to be done in 2020 if the shortage is to be reduced. 

2.     Cloud adoption expands the unknown threat landscape

It will take time for organisations to understand their risk posture as the adoption of cloud services grows.

While the transition to cloud-based services will provide many operational, business and commercial benefits to organisations, there will be many CISO’s working to understand the risks to their business with new data flows, data storage and new services. Traditional networks, in particular, boundaries and control of services are typically very well understood while the velocity and momentum of cloud adoption services leaves CISO’s with unanswered questions. Valid concerns remain around container security, cloud storage, cloud sharing applications, identity theft and vulnerabilities yet to be understood, or exposed. 

3.     The Brexit effect

Brexit will have far-reaching cyber security implications for many organisations, in many countries.

The UK and European markets are suffering from uncertainty around the UK’s departure from the European Union, which will affect the adoption of cyber security services, as organisations will be reticent to spend until the impact of Brexit is fully understood. 

The implications of data residency legislation, hosting, corporation tax, EU-UK security collaboration and information sharing are all questions that will need to be answered in 2020 post-Brexit. There is a long-standing collaborative relationship between the UK and its EU counterparts including European Certs and Europol and whilst the dynamics of those working relationships should continue, CISO’s and senior security personnel will be watching closely to observe the real impact. 

4.     SOAR revolution

Security Orchestration, Automation and Response (SOAR) is a real game-changer for cyber security and early adopters will see the benefits in 2020 as the threat landscape continues to expand.

Threat intelligence is a domain that has taken a while for organisations to understand in terms of terminology and real business benefits. SOAR is another domain that will take time to be understood and adopted, but the business benefits are also tangible. At a granular level, the correct adoption of SOAR will help organisations map, understand and improve their business processes. By making correct use of their technology stack and associated API’s early adopters will get faster and enhanced reporting and will improve their security posture through the reduction of the Mean Time To Respond (MTTR) to threats that could impact their reputation, operations and bottom-line. 

5.     Further market fragmentation will frustrate CISOs 

The number of vendors in the cyber security market has been rapidly growing and that will continue in 2020, but this is leading to confusion for organisations.

The cyber security market is an increasingly saturated one, often at the frustration of CISO’s who are frequently asked to evaluate new products. Providers that can offer a combined set of cyber security services that deliver clear business outcomes will gain traction as they can offer benefits over the use of disparate security technologies such as a reduction in contract management, discount provisioned across services, single point of contacts and reduction in services and technologies to manage. 

Providers that continue to acquire security technologies to enhance their stack such as Endpoint Detection and Response (EDR) or technology analytics, will be best positioned to provide the full Managed Detection and Response (MDR) services that organisations need. 

6.     Artificial Intelligence (AI) will need real security

2020 will see a rise in the use of adversarial attacks to exploit vulnerabilities in AI systems.

There is a rush to create an AI silver-bullet for cyber security however, there is currently a lack of focus on security for AI. It is likely we will see a shift towards this research area as “adversarial” approaches to neural networks could potentially divulge partial or complete data points that the model was trained on. It is also possible to extract parts of a model leading to intellectual property theft as well as the ability to craft “adversarial” AI which can manipulate the intended model. Currently, it is hard to detect and remediate these attacks. 

There will need to be more focus on explainable AI, which would allow for response and remediation on what are currently black-box models.

7.     Organisations will need to understand how to make better use of security tools and controls at their disposal

Customers will need to take better advantage of the security measures that they already have available.  

The well-established cloud platforms already contain many integrated security features but organisations are failing to take advantage of these features, partly because they do not know about them.  A greater understanding of these features will allow organisations to make smarter investment decisions and we expect to see a growing demand for advice and services that allow organisations to optimally configure and monitor those technologies to ensure they have minimal risk and exposure to threats.

Fujitsu predicted last year that securing multi-cloud environments will be key going forward and organisations continue to need to find a balance of native and third-party tools to drive the right solution for their objectives.  

8.     Do you Wannacry again?

The end of support for Windows Server 2008 and Windows 7 will open the door for well-prepared attackers.

January 2020 sees the official end of support life for all variants of Windows Server 2008 and Windows 7, which share elements of the same code base. This means that both end-user devices and data center servers will be equally vulnerable to the same exploits and opens the possibility that organisations could be susceptible to attacks that cause large outages.

In 2017, Wannacry surfaced and caused some well-publicised outages including well-known organisations from across the healthcare, manufacturing, logistics and aerospace industries.  Microsoft had released patches two months before and recommended using a later version of the impacted components. We also learned in 2017, via Edward Snowden, that nation-states have built up an armoury of previously undisclosed exploits. These exploits are documented to target the majority of publicly available Operating Systems and so it stands to reason that cyber criminals could have also built a war chest of tools which will surface once the end of vendor support has passed for these Operating systems.  

9.     Rising the standard for managing identities and access

Federated Authentication, Single Sign-On and Adaptive Multi-Factor will become standard, if not required, practices in 2020.

2020 will see organisations continuing their adoption of hybrid and multi-cloud infrastructures and a ‘cloud-first’ attitude for applications.  This creates the challenge of managing the expanding bundle of associated identities and credentials across the organisation.

Identities and associated credentials are the key attack vector in a data breach – they are ‘keys to the kingdom’.  Without sufficient controls, especially for those with privileged rights, it is becoming increasingly difficult for organisations to securely manage identities and mitigate the risk of a data breach.  Capabilities such as Federation Authentication, Single Sign-On and Adaptive Multi-Factor address the challenge of balance between security and usability, and we see this becoming standard, if not required, practice in 2020.

10.  Extortion phishing on the rise

Taboo lures enhanced phishing and social engineering techniques will prey on user privacy.

We are seeing an increase in a form of phishing that would have a recipient believe their potentially embarrassing web browsing and private activity has been observed with spyware and will be made public unless a large ransom is paid.

Since their widespread emergence last year, the techniques used by these extortionists to evade filters continue to develop. Simple text-only emails from single addresses now come from ‘burnable’ single-use domains. Glyphs from the Cyrillic, Greek, Armenian and extended Latin alphabets are being used to substitute letters in the email to bypass keyword filters and Bitcoin wallets are rotated often and used to associate a recipient with a payment. 

The psychological tricks used in the wording of these emails will develop and likely aid their continued success.

11.  Passwords become a thing of the past

We will see increasing adoption of end-to-end password-less access, especially in scenarios where Privileged Access Management (PAM) is required.

Next year we will see a move from old-fashioned password management practices to password-less technologies. The increasing number of cases where privileged credentials and passwords are required, but are painful to manage in secure and cost effective, way will drive this shift. Passwords are easy to forget and the increasing complexity requirements placed upon users increases the chances of passwords having to be written down – which is self-defeating.  Biometric technologies and ephemeral certificates will provide a more secure and user-friendly way to manage credentials and ensure assets and data are kept secure. 

12.  Ransomware not so random

As more organisations employ negotiators to work with threat actors, ransomware is likely to decrease next year.

In 2019, we observed a shift in the way certain ransomware ransom notes were constructed. Traditionally, ransomware notes are generic template text informing the victim that their files are encrypted and that they must pay a set amount of Bitcoin in order to have their files unencrypted.

When threat actors successfully deploy ransomware network-wide and achieve other deployment objectives, they inform their victims their files are encrypted. Crucially, however, they do not reveal the price they demand for their decryption. Instead, threat actors seek to open a dialogue with the victim to discuss a price. This change has seen organisations employ negotiators to work with threat actors on managing and, hopefully, reducing the demand and we expect this to continue in 2020.

Image by 4924546 from Pixabay 

Younger workers most lax on cyber security best practice

960 640 Stuart O'Brien

Employees over the age of 30 are more likely to adopt cyber security best practice than younger colleagues.

That’s according to a new report published by the security division of NTT, ‘Meeting the expectations of a new generation. How the under 30s expect new approaches to cybersecurity’, which also reveals that the younger generation is more anxious about cybersecurity and their company’s ability to tackle the number of security threats.

The findings, part of NTT’s Risk:Value 2019 report, scored across 17 key criteria. It found that, on average, under-30s score 2.3 in terms of cybersecurity best practice, compared to 3.0 for over-30s. In the UK, under-30s (4.3) and over-30s (5.5) are among the highest scores globally.

The data suggests that employees who have spent longer in the workplace gaining knowledge and skills and have acquired ‘digital DNA’ during that time, sometimes have an advantage over younger workers.

Overall, under-30s expect to be productive, flexible and agile at work using their own tools and devices, but half of respondents think responsibility for security rests solely with the IT department. This is 6 percent higher than respondents in the older age categories.

General attitudes to cybersecurity in the UK found that: 

  • Younger workers are risk takers, with over half (52 percent) saying they would consider paying a ransom demand to a hacker, compared to just 26% of over-30s
  • Over half (58 percent) of under-30s believe their company does not have adequate skills and resources in-house to cope with the number of security threats. This compares to quarter (26 percent) of over-30s, and may be the result of growing up in a technology skills crisis
  • Under-30s estimate that it would take around three months (97 days) to recover from a cybersecurity breach – six days more than the time estimated by older respondents
  • 82 percent believe that cybersecurity should be a regular item on the boardroom agenda, compared to 90 percent of over-30s
  • More accepting of new tools and devices at work, younger workers consider the Internet of Things (IoT) as more of a security risk (69 percent) than older colleagues (65 percent)

Azeem Aleem, VP Consulting (UK&I) Security, NTT, said: “It’s clear from our research that a multi-generational workforce leads to very different attitudes to cybersecurity. This is a challenge when organisations need to engage across all age groups, from the oldest employee to the youngest. With technology constantly evolving and workers wanting to bring in and use their own devices, apps and tools, business leaders must ensure that security is an enabler and not a barrier to a productive workplace.

“Our advice for managing security within a multi-generational workforce is to set expectations with young people and make security awareness training mandatory. Then execute this training to test your defences with all company employees involved in simulation exercises. Finally, team work is key. The corporate security team is not one person, but the whole company, so cultural change is important to get right.”

Adam Joinson, Professor of Information Systems, University of Bath, an expert on the intersection between technology and behaviour, said: “There is no ‘one size fits all’ approach to cybersecurity. The insights from the NTT study demonstrate that treating all employees as posing the same risk, or having the same skills, is problematic for organisations. We do need to be careful not to assume that the under-30s simply don’t care so much about cybersecurity. While this may be true in some cases, in others it is more likely that existing security policies and practices don’t meet their expectations about ‘stuff just working’.

“If we want to harness the fantastic creativity and energy of younger workers, we need to think about security as something that enables their work, not something that blocks them from achieving their tasks. This is likely to mean security practitioners having to fundamentally rethink the way security policies operate, and finding ways to improve the fit between security and the tasks employees are required to undertake as part of their core work.”

NTT’s six cybersecurity best practice tips for a multi-generational workforce:

  • Security culture must include all generations and be supported by a diverse range of employee champions, which includes age
  • Build a panel of younger employees and listen to their views on cybersecurity
  • Younger employees can be at their best and most motivated in an agile, productive, flexible workplace environment, where they are most likely to buy into the desired culture and behaviours. Security should be designed to enable the business
  • Make cybersecurity everyone’s business. Security leaders should be approachable to employees, through one-to-one interaction and more formal company events
  • Where skills shortages are most acute, support learning programmes, mentoring and consider external support
  • Education is vital. Gamify security learning and make it fun for all

Attacks on IP-based CCTV on the rise

960 640 Stuart O'Brien

Trend Micro says it blocked five million cyber-attack attempts against internet protocol (IP) cameras during a five month period, further highlighting the risks impacting IP-based surveillance devices.

7,000 anonymously aggregated IP cameras were analysed by Trend Micro, with 75% brute force login attempts, showing a clear pattern of malicious attackers targeting IP surveillance devices with malware, such as  Mirai variants.

“More verticals are seeking connected, AI-powered video surveillance applications causing a clear paradigm shift from a relatively closed-off network to a more interconnected network operated heavily by cloud-based technologies,” said Oscar Chang, executive vice-president and chief development officer for Trend Micro. 

“Due to this shift in the landscape, manufacturers and users must pay attention to the security of these IoT devices.”

Dr Steve Ma, vice-president of engineering, Brand Business Group for VIVOTEK, said: “While the industry has known about cyber-risks, manufacturers have been unable to properly address the risk without knowing the root cause and attack methods.”

Trend Micro has suggested a shared responsibility model for all parties involved in video surveillance to help mitigate the potential impact of IoT-based threats, involving manufacturers, service providers system integrators and end users, with complete end-to-end protection and risk awareness key to a secured video system. 

Image by ElasticComputeFarm from Pixabay

Petition started for minimum IT security for UK business

960 640 Stuart O'Brien

Evaris has called for action to establish a mandatory minimum level of IT security for all businesses.

The Manchester-based business has launched a petition, backed by IT and cyber security professionals, to put pressure on the government to make the currently optional National Cyber Security Centre’s (NCSC’s) Cyber Essentials Scheme compulsory for businesses to protect them in the event of a cyber attack and reduce the cost of cyber crime to the UK economy, as well as the public.

According to the recent Cyber Security Breaches Survey, less than three in 10 (27%) businesses have a formal cyber security policy in place, while large companies reported an average of 12 attacks per year that they knew about. Six attacks per year were reported by medium-sized companies.

As a result, Evaris is calling for all businesses to take steps to prevent such attacks from occurring.

The petition aims to ensure small organisations with up to 50 employees and medium-sized firms with between 51 and 250 staff should meet at least the criteria for certification for the Cyber Essentials scheme. Large businesses (those with more than 250 employees) should at least meet the criteria for the Cyber Essentials Plus scheme.

Terry Saliba, Solutions Architect at Evaris, said: “Data shows that more than four in ten businesses experienced a cyber security breach in the past 12 months, and these are becoming increasingly sophisticated and costly for businesses across all industries.

“Unfortunately, we still see that many firms are failing to understand the extent of this issue, and so we believe this petition is vital for establishing a compulsory baseline adhered to by all businesses.

“We’re extremely pleased to see our campaign to make Cyber Essentials compulsory for all companies has gained the support of industry bodies. These organisations see the extent of the damage caused by a lack of IT security and training on a daily basis.”

Vince Warrington, CEO of Protective Intelligence, said: “I’m supporting the petition because I’ve had to deal with the consequences of cyber attacks and seen the destruction they can cause.

“At the moment, far too many companies still see cyber security as a ‘nice to have’ rather than an essential part of everyday business, or feel they don’t understand what they need to do to protect themselves. But cyber attacks are not going to simply disappear – the criminals behind them will target your business if you haven’t taken even the most basic steps to keep them out.

“By driving all companies to adopt Cyber Essentials the government can not only create a good level of basic cyber hygiene across UK Plc, but also create a regular flow of work small cyber security businesses can themselves bring onboard new staff and train them up, thus reducing the predicted shortfall in qualified cyber security experts that the country will need in the decades to come.”

In order to be certified by the Cyber Essentials Scheme, applicants must, as a minimum:

  • Use a firewall to secure their internet connection
  • Choose the most secure settings for their devices and software
  • Control who has access to data and services
  • Have protection against viruses and other malware
  • Keep devices and software up to date

Image by Gerd Altmann from Pixabay