
Posts Tagged: Cyber-security

UK businesses lacking in cyber-attack protection…

Jack Wynn

More than a quarter of British businesses (26 per cent) have left themselves open to the clear and present danger of a cyber-attack, independent research from Advanced has exposed.

Despite recent government research finding that two thirds of large businesses experienced a cyber breach or attack in the last 12 months, Advanced revealed that nearly half (46 per cent) of the 1,000 professionals surveyed claim that data security is not a deciding factor in adopting digital technology.

The report also acknowledges the potential implications of Brexit, with 51 per cent agreeing that Brexit is an opportunity for growth and prosperity for British businesses, and 61 per cent claiming to be well prepared. However, 60 per cent agree that the biggest impact will only be felt in the next 18 months to two years.

Gordon Wilson, CEO at Advanced said: “This research was designed to uncover the biggest concerns that UK businesses are facing today. It’s clear from these findings that businesses are grappling with the level of change. However, is it right that Brexit should be distracting business, when the outcome is still to be determined?

“In the meantime, the disruption from digital is becoming increasingly complex and pervasive. Given the numerous examples of high profile businesses being crippled by cyber-attacks, it raises the question as to why this isn’t at the top of the priority list for every business leader.”

Leadership readiness also came under the spotlight. When asked to rank the most important attributes of a business leader: 86 per cent stated an ability to re-imagine and adapt its business; 71 per cent chose ‘act with pace’; 61 per cent picked ‘take bold decisions’; and only 45 per cent selected a ‘strong digital skill-set’.

Wilson concludes: “Business leaders need to up their digital game. It appears that they are failing to recognise the need to adapt their mindset and transform their leadership strategy to tackle the changes effectively in this digital era.

“Although an openness and ability to reimagine their business is vital, if it isn’t combined with a strong digital DNA, they will be left vulnerable to new threats and struggle to survive, let alone grow and prosper.”

Download the full report here

UK start-up reveals ‘secret’ to solving identity fraud crisis…

Jack Wynn

ShowUp, a new British start-up which claims to be taking an ‘entirely independent approach’ to online digital identification, has created a solution to the rising issue of identity fraud in which individuals verify themselves by taking a selfie with the company’s newly-created app.

By taking a selfie via the ShowUp app, a friend or family member proves the image of the person is correct, which is then securely stored on file as the reference photo. Therefore, when an individual logs into their online account, they take another ShowUp selfie whilst reading out a randomly generated phrase displayed on the screen; ensuring the selfie is unique to that moment, and that the camera is pointing at a live person.

The company removes the need for the complex mix of PINs, passwords and memorable information that supposedly protect consumers across banking, social media and other secure interactions, where, despite these burdensome login processes, identity fraud still takes place.

Founder and executive director at ShowUp, Jeremy Newman, said: “ShowUp exploits the fact that for the first time nearly everyone has a camera connected to the internet. We work on the principle that organisations don’t know people, people know people. Therefore instead of relying on passwords or any other data to verify identity, we can now draw upon the natural ability of people to recognise one another.”

He continued: “With mobiles, ShowUp and social collaboration, ordinary people become the source of true identity, rather than being the victims of outdated and flawed practices forced upon them by organisations.”

ShowUp is attracting investment from senior executives in key industries who are helping the company build and scale this new technology to the whole population.

 

Learn more about ShowUp here

Guest Blog – Dr. Alex Vovk, Ph.D: 3 ways to improve hospitality data security…

Jack Wynn

The hospitality industry is a magnet for cyber criminals. Hotel chains have global networks, large workforces, as well as complex and often decentralised IT infrastructures. On top of all this, they regularly store and process high volumes of personal and financial data. This data can include customer credit card details, names, driving license numbers, addresses, passport numbers, phone numbers and other personally identifiable information (PII).

When these documents end up in the wrong hands, the regulatory, financial and legal consequences can be crippling; not to mention the reputational damage that you simply cannot afford in such a competitive industry.

This is why securing the integrity of customer and other business-critical data is a top priority in the hospitality trade.

Although the hospitality industry is similar to retail in many ways, it has been slower to adopt advanced security solutions.

Many large hotel chains — Trump, Hilton, Hyatt, Starwood, Mandarin Oriental and others — have recently disclosed problems with cyber-attacks. In many cases, the exact number of records breached has not been made public, nevertheless the overall impact has to be significant.

Despite the breaches, many hospitality businesses keep making the same basic security mistakes. Here are the main steps they can take to reduce the risk:

1: Data security applies across the board

Many smaller hotels operate as franchises or small independent businesses. Often data security is not as high on the agenda as it should be. In some cases, they do not comply with recommended industry security standards, or have IT security teams or even use basic data protection tools.

Actions:

  • The reputation of the hospitality trade can only be improved if establishments take responsibility to protect customer PII seriously right across the board. This includes educating employees and adopting the right technology.
  • Compliance with the PCI DSS standard is the bare minimum required. Other essentials are a firewall, regular system updates and patches, encryption, a strong password policy, PCI-compliant applications and POS systems, restricted access to POS computers, and anti-virus, anti-spyware and anti-malware software.
  • IT systems also need to be regularly tested and assessed for vulnerabilities. When vulnerabilities are discovered, they need to be fixed immediately.

2: Insiders can be the biggest cyber security risk

Insider misuse is all too common in the hospitality sector. Contributing factors include high staff turnover rates, lack of appropriate security training, easy access to customer payment data, and lack of adequate controls and user behaviour monitoring.

According to Netwrix’s own 2016 Visibility Report, 65 per cent of organisations across various industries lack visibility into user activities in their corporate networks.

Insider wrongdoing does not always result in a massive data breach. It can take the form of a few individual thefts or many small thefts over long periods of time.

The overall outcome is the same as for external attacks: lasting damage to customer perception and lost trade.

Actions:

  • No matter how much you trust your workforce, make sure access to sensitive data is restricted to individuals who need it to perform their daily duties.
  • Monitor user activity – including privileged users – to see if they have tried to access critical files.
  • Follow up any suspicious activity, such as multiple failed access attempts, because they could be a sign of insider misuse or hacking of user accounts by attackers.
  • Implement a strong password policy.

3: Do not outsource everything

The hospitality industry is a highly competitive one that is always on the lookout for ways to cut costs.

It is hugely tempting to outsource parts of IT to external cloud services, and benefit from reduced hardware/software development costs and eliminating the need to retain a 24/7 in-house IT department.

But organisations who transition their business-critical data to a third party often forget to put strong security controls in place. For example, the 2016 Visibility Report found that as many as 75 per cent of organisations from various industries have no visibility into what is happening to their data in the cloud.

Actions:

  • Before outsourcing any sensitive data to the cloud, make sure that the data will remain secure in its new environment.
  • Carefully vet the cloud provider, holding them to the same standard as your internal security policies.
  • Also implement user behaviour monitoring, strong multi-factor authentication, remote session monitoring and advanced encryption.
  • Unless you have these security measures, you are not ready to move your critical data to the cloud.

In summary, hospitality businesses are responsible for all of the customer data they collect. Inevitably, this is a challenge, but there is no need to reinvent the wheel; numerous standards, solutions and best practices are available to help.

A lot of security mistakes happen because changes and anomalies in the network have gone unnoticed.

Use tools that help you stay aware of any abnormal or malicious activity in your IT network and in the cloud. Only by having clear insight into what is happening can you detect threats, minimise the risk of data exfiltration and secure your most valuable assets.

 

Dr. Alex Vovk, Ph.D has gained an impressive 15-years’ experience in software expertise, leadership and operational management. Prior to Netwrix, he worked at Aelita Software, where he served as the architect for the company’s key technologies. Dr. Vovk holds a master’s degree and a Ph.D in information security.

New cyber security centre will have an ‘open door’ policy to advise UK businesses…

Jack Wynn

Based in London’s Victoria, the new National Cyber Security Centre (NCSC) will aim to protect the country from potential hackers after it was recently revealed that the government records approximately 200 ‘national security-level cyber incidents’ a month.

Overseeing 700 staff members, the centre is headed by the former director general for cyber at the Government Communications Headquarters (GCHQ), Ciaran Martin, and the current technical director for cyber security at the GCHQ, Dr. Ian Levy. 

The NCSC’s first project is with the Bank of England to create guidelines advising the financial sector on effective methods to handle such attacks. The centre will also look to introduce a national DNS filter, which will effectively produce a large firewall to block websites and content through major network partnerships in the UK.

Martin said in a statement made last month: “We’re exploring a flagship project on scaling up DNS filtering. What better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?” 

 

Find out more about the National Cyber Security Centre here 

Industry Spotlight: How can we address the cyber security skills shortage?

Jack Wynn

Various industry research studies suggest that many businesses of all sizes are ill-equipped to address cyber security threats, leaving them vulnerable to hackers.

According to NTT Security’s Risk:Value 2016 report, while most decision makers admit they will be breached at some point, just half agree information security is ‘good practice’. This raises the question as to why businesses are holding back from minimising the effects of an impending breach. Some argue there is a lack of internal resource to keep up with the growing threats, indicating that it is no longer possible for many organisations to tackle all aspects of security in-house.

Organisations are left under-skilled and under-resourced in security terms, and this is evidenced by a recent cyber security talent report, which estimates there are 1m unfilled security jobs worldwide. This is unlikely to change in the near future and could get worse – with Frost & Sullivan predicting there will be 1.5m unfilled jobs by 2020.

According to the firm, security analyst tops the list of positions that are in most demand, with 46 per cent reporting a staffing deficiency at that position, followed by security auditor (32 per cent), forensic analyst (30 per cent) and incident handler (28 per cent).

Information security needs to be seen as a career choice, with greater awareness in schools and colleges globally in order to attract more people into the profession. Until then, companies need to think carefully about a future that relies on getting by with existing resources or outsourcing some or all of their security operations.

An organisation’s IT team will be grounded in IT fundamentals and daily business operations, so would be well placed to take on roles in cybersecurity. Security experts need a great mix of technical and soft skills, which are usually honed over many years. They need to know how to communicate effectively with non-IT colleagues and understand business processes, compliance and analytics. They also need to have a genuine interest in cybersecurity.

Training staff is a long-term investment, but technology products change faster than an organisation can train its team. A commitment to training and professional development is a strategic decision needing budget. There’s the cost of training, as well as the length of time it takes to train each person while keeping skills and certifications up-to-date. Plus, when people leave, you have to start the process over again.

Investing in internal resources therefore isn’t an option for a large number of organisations. Almost half of companies worldwide lacked in-house security skills, according to Frost & Sullivan’s 2015 (ISC)2 Global Information Security Workforce Study, while a third plan to use managed and professional services to address these skills shortages.

Outsourcing some or all of an organisation’s security operations to a Managed Services Provider can alleviate the problem. A trusted provider will know how and where to find the right experts, invest in training and improving professional qualifications, and continuously monitor an organisation’s network round the clock. If companies find they don’t need to fully outsource their security operations, they can use an MSSP to fill specific gaps, such as incident response.

There’s no silver bullet in terms of training internal resources or hiring new resources, but there’s never been a more important time to address the skills gap.  

 

Words by Stuart Reed, senior director at NTT Security

GCHQ to certify cyber security BA degrees for the first time…

Jack Wynn

Following the certification of 18 cyber security master’s degrees from 14 different universities within the last two years, GCHQ has opened the next round of applications for certification, and the organisation has announced that this year it will be looking to certify BA degrees for the first time, in addition to further master’s and integrated master’s courses.

As students embark on the challenge of searching for a proactive course, it can prove difficult to choose from the vast range of cyber security degree programmes on offer in the UK. Therefore, for students at schools and universities, GCHQ certification can greatly influence the choice of cyber security course as GCHQ certification indicates the degree will provide ‘well-defined and appropriate content’.

Furthermore, students currently studying a GCHQ-certified degree programme will be given an additional form of recognition, stating that the individual has successfully completed a GCHQ-certified degree; increasing employment prospects post-graduation.

 

The closing date for all course applications is Friday, January 13 2017 at 16.00.

Read a full breakdown of the master’s degrees GCHQ currently certifies here

Guest Blog, Dr. Alex Vovk: Facing up to the threat insiders pose to organisations…

Jack Wynn

Building a robust and effective information security system is a never-ending process. One area that needs further promotion by security professionals is that not all enemies come from outside; rather, an attack may just as easily come from one of your most trusted users inside the company.

Too many companies focus on trying to build a bullet-proof wall to protect their most critical assets from external attack, but fail to adequately control what’s going on inside the corporate network. Such a one-sided approach is asking for trouble; everyone knows how much damage an insider threat can cause. The Mossack Fonseca breach is perhaps the most notable recent example.

Many insider security incidents go unnoticed due to lack of monitoring and detection tools. According to Verizon’s 2016 Data Breach Investigation Report (DBIR), about 66 per cent of insider misuse cases involve privilege abuse, and most of them can be attributed to the human factor. This indicates that the most vulnerable part of any security strategy is not hardware or software, but people. Intentionally or unintentionally, employees use sensitive data in inappropriate ways.

Too many employees think nothing of sending corporate information to personal email accounts, uploading corporate data to personal devices, sharing passwords and so on. One careless mouse click can derail even the best security efforts. For example, in October, 2015, it was reported that Vacaville Housing Authority admitted one of its employees had accidentally sent an email containing private client data to an unauthorised person. The incident was successfully resolved, but it took the organisation a long time to win back customers’ trust.

The main reason insiders are so dangerous is that they don’t need to hack the system or hijack credentials; they already have access to sensitive data as part of their day-to-day work. Just one user with access rights and malicious intentions can be more harmful for businesses than any attack from the outside. According to the Netwrix 2016 IT Risks Report the human factor is the most common cause of increased security risks, either from accidents (47 per cent) or from deliberate abuse of privileges (13 per cent). This makes the detection of human errors and insider misuse a pressing task for the majority of respondents.

Blind trust, even in employees with a long and loyal service record, can come at a high price for the business. For example, a CVS pharmacy employee who had been employed for seven years recently stole patient data and passed it to a property manager, who then used it to obtain credit and credit cards.

Of course, even the very best security practices cannot guarantee complete protection against insider threats. Nevertheless, there are steps organisations can take to protect sensitive information from insider activities:

  • Use a data-centric approach: When it comes to data protection, there is no such thing as too much security. However, rather than trying to protect absolutely everything, determine which assets are the most important and concentrate your efforts on them.
  • Ensure visibility into user behaviour: Staying aware about what is changing in your IT infrastructure will help you spot suspicious activity in a timely fashion so you can take appropriate counter-measures. Continuous monitoring will also help you prove to compliance auditors that all changes to system configuration and access to sensitive data are easily traceable.
  • Keep your history: Retain your audit trails for a long period of time and make sure they are easily accessible. Being able to review exactly what happened and drill for more details will help you investigate incidents.
  • Limit access: Grant users only the access necessary to perform their daily duties. Regularly review access permissions and remove permissions that are unused or inappropriate.
  • Monitor attempts to access critical data: Track attempts to access critical files and folders, both successful and failed, to spot malicious activity.
  • Promote cyber security by making it everybody’s business: Incorporate security policies into your employee handbook and make sure everybody in your company is aware of them. Conduct regular meetings about cyber security. Warn employees that violating security policies will result in a written warning, bonus loss, or termination of employment.
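Two of the recommendations above (“Limit access” and “Monitor attempts to access critical data”), like the earlier hospitality post’s advice to follow up multiple failed access attempts and restrict access to those who need it, boil down to running simple checks over a file-access audit trail. The following is an added example, not code from the guest blog or from Netwrix: it parses a constructed audit log (the log format, paths, user names and the access-control list are all assumptions made for the illustration), flags users with a burst of denied attempts on sensitive paths within a short window, and lists granted permissions that were never exercised and so are candidates for removal.

```python
"""Added example (not from the original post): detect bursts of denied access
attempts on sensitive files and list granted-but-unused permissions, working
from a constructed audit log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system). Assumed format:
# ISO-8601 timestamp, user, action, path, result
SAMPLE_LOG = """\
2016-11-01T09:00:01 alice READ /finance/cards.csv SUCCESS
2016-11-01T09:05:10 bob READ /guests/passports.xlsx DENIED
2016-11-01T09:05:12 bob READ /guests/passports.xlsx DENIED
2016-11-01T09:05:15 bob READ /guests/passports.xlsx DENIED
2016-11-01T09:05:20 bob READ /guests/passports.xlsx DENIED
2016-11-01T09:30:00 carol READ /marketing/menu.docx SUCCESS
2016-11-01T10:00:00 alice WRITE /finance/cards.csv SUCCESS
2016-11-01T14:00:00 dave READ /guests/passports.xlsx DENIED
2016-11-02T08:00:00 dave READ /guests/passports.xlsx DENIED
"""

# Paths holding customer PII or payment data (assumed for the example).
SENSITIVE_PREFIXES = ("/finance/", "/guests/")

# Constructed access-control list: (path, action) pairs granted per user.
# alice's WRITE grant on the passport file is never used in the log above.
GRANTS = {
    "alice": {("/finance/cards.csv", "READ"), ("/finance/cards.csv", "WRITE"),
              ("/guests/passports.xlsx", "WRITE")},
    "carol": {("/marketing/menu.docx", "READ")},
}


def parse_log(text):
    """Turn the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "result": result})
    return events


def failed_access_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return (user, path, count) for every user/path pair that accumulated at
    least `threshold` DENIED attempts on a sensitive path inside a sliding
    time window. Isolated denials spread over hours are not reported."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "DENIED" and e["path"].startswith(SENSITIVE_PREFIXES):
            by_key[(e["user"], e["path"])].append(e["ts"])
    alerts = []
    for (user, path), times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((user, path, best))
    return alerts


def unused_grants(events, grants):
    """Permissions granted in the ACL that no successful event ever exercised;
    these are the first candidates for a least-privilege review."""
    used = {(e["user"], e["path"], e["action"])
            for e in events if e["result"] == "SUCCESS"}
    return sorted((user, path, action)
                  for user, perms in grants.items()
                  for path, action in perms
                  if (user, path, action) not in used)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, path, count in failed_access_bursts(evs):
        print(f"ALERT: {user} had {count} denied attempts on {path} within 5 minutes")
    for user, path, action in unused_grants(evs, GRANTS):
        print(f"REVIEW: {user} holds unused {action} permission on {path}")
```

On the constructed log this reports bob’s four denials on the passport file as a burst, leaves dave’s two widely spaced denials alone, and flags alice’s unused WRITE grant on the passport file. The window and threshold are deliberately parameters: the right values depend on how noisy legitimate access is in a given environment.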

Insider threat is one of the top five data breach threats in Experian’s 2016 Third Annual Data Breach Industry Forecast, and it almost certainly will stay on that list. As you build your cyber security strategy, make protection against insider attacks one of your top priorities. While there is no way to make your organisation immune to insider threats, implementing the best practices outlined here will minimise the risk of data breaches.

 

About Netwrix

Netwrix Corporation provides IT auditing software that delivers complete visibility into IT infrastructure changes and data access, including who changed what, when and where each change was made and who has access to what. Netwrix is the first company to introduce a visibility and governance platform that supports both on-premises and hybrid cloud IT environments. Over 150,000 IT departments worldwide rely on Netwrix to audit IT infrastructure changes and data access, prepare reports required for passing compliance audits, and increase the efficiency of IT operations.

 

Dr. Alex Vovk has gained an impressive 15-years’ experience in software expertise, leadership and operational management. Prior to Netwrix, he worked at Aelita Software, where he served as the architect for the company’s key technologies. Dr. Vovk holds a master’s degree and a PhD in information security.

Cyber-security talent shortage major concern for global organisations, new report claims…

Jack Wynn

In partnership with the Center for Strategic and International Studies (CSIS), Intel Security has released Hacking the Skills Shortage, a global report which outlines the talent shortage crisis impacting the cyber-security industry across nations and companies.

Conducted by the independent technology market research specialist Vanson Bourne, the report found that 82 per cent of respondents admit to a shortage of cyber-security skills, and 71 per cent say the shortage causes direct and measurable damage to their organisations, whose lack of talent makes them more desirable hacking targets.

Senior vice president and director at CSIS, James A Lewis, commented on the findings: “A shortage of people with cyber-security skills results in direct damage to companies, including the loss of proprietary data and IP. This is a global problem; a majority of respondents in all countries surveyed could link their workforce shortage to damage to their organisation.”

 

Read the full report here

Guest Blog, Brian Foster: Cyber-security – don’t get caught out!

Jack Wynn

When running a business, finance and technology are often top of the list of concerns, so it’s surprising that the prospect of cyber-security is often not considered to be a priority. Contemplate this: your business is up and running, you have the necessary finances, you’re scaling exponentially and technology is meeting that demand, and then the unexpected happens, your app is hacked – taking down your online business and the personal and private details of your trusting customers. The security of your business could make all the difference when it comes to a positive customer experience versus a damaging negative one.

In fact, a recent Ponemon study (in collaboration with Neustar) revealed that the three main contributors to a poor online customer experience are: inaccurate content (91 per cent), website downtime (88 per cent) and overly simple identity and authentication procedures (75 per cent), and ultimately this will lead to distrust. These findings reflect the converging role that a brand’s marketing, IT and security groups must play to deliver a safe, trusted and seamless customer experience.

As the cybersecurity landscape is constantly evolving, it is crucial for protection solutions to adapt to an attacker’s modus operandi. With this said, businesses and specifically e-retailers, should take the following steps to ensure their IT infrastructure is an impenetrable fortress.

 

Avoiding Domain Name System (DNS) Attacks

Often customers trying to access a brand’s website can get hijacked to bogus pages where their logins, passwords and payment details are siphoned off; commonly known as cache poisoning or DNS spoofing.

To protect against this, businesses can create digital signatures that ensure DNS responses are identical to those from the authoritative server, providing protection against forged or manipulated data. Managed DNS services with hardened security features provide the most effective protection, and the best solution should offer this protection at no extra cost. Also, non-open source resolvers (unlike BIND) are less prone to malware, viruses and attacks.

 

Mitigating on-premise DDoS

On-premise DDoS mitigation should be focused around a well-documented incident response plan. For this, organisations need to take precautionary steps such as making themselves as unappealing to attackers as possible. By raising the costs of an attack and reducing the ROI for criminals, organisations with strong encryption, distributed data sources and compartmentalisation of customer data can protect themselves. Online brands should implement countermeasures with purpose-built DDoS protection, combining on-premise hardware and cloud-based traffic scrubbing.

It’s also important to ensure that there are measures and systems in place to detect when a breach occurs as early as possible and to follow a response plan for attacks that has been developed in advance. This includes everything from preparing public statements for customers and employees, as well as regulatory and press notifications.

 

Backing up website messages and systems is also an important duty to be dealt with in advance, as is arranging alternative payment methods to mitigate a breach. Finally, the response plan needs to be rehearsed. The sooner a breach is recognised and the faster the response process is launched, the less damage is likely to result from it. The standard of care for dealing with cyber-attacks is to implement ‘hybrid’ DDoS protection, involving both on-premise DDoS mitigation appliances along with services from DDoS protection providers who can help mitigate larger attacks.

 

With the adoption of these protection measures, improvements won’t happen overnight but they could make a significant positive difference in the long-term. The online community should develop and incorporate standard of care mechanisms to raise the cost of an attack, as a deterrent for opportunistic attackers.

 

Brian Foster is the senior vice president of Product Information Services, managing the complete lifecycle of Neustar’s Information Services products. In this role, Foster drives the overall roadmap for Neustar’s products and ensures all services continue to exceed the needs of customers.

 

BeCyberSure joins EEMA to provide ‘strong security’ education…

Jack Wynn

The cyber security information company, BeCyberSure, has been welcomed by the not-for-profit think tank, EEMA, which specialises in identification, privacy, risk management, authentication, cyber security, mobile applications and the Internet of Things (IoT), as its newest member.

It follows an appearance made by BeCyberSure in June at the two-day Trust in the Digital World (TDW) conference in The Hague, hosted by EEMA, TDL and IDnext. The company participated in a seminar which focused on cyber security for small and medium-sized enterprises (SMEs), and provided an opportunity to become involved in initiatives such as Information Security Solutions Europe (ISSE), Trust in the Digital World (TDW) and EEMA’s high-level fireside briefings.

Chairman of EEMA, Jon Shamah, commented: “We’re delighted to welcome BeCyberSure as members of EEMA. The company’s knowledge and expertise in assisting business throughout Europe with regards to their information security strategies makes it an important addition to our expanding network.”

 

To find out more about EEMA membership, click here