Posts Tagged: IT

Top five security predictions for 2022

Stuart O'Brien

With the COVID-19 pandemic continuing to put businesses and society at risk, Andy Robertson, Head of Enterprise & Cyber Security, at Fujitsu UK&I, has laid out his top five predictions for 2022…

In these unprecedented times, organisations have needed to vastly adapt their security processes to the new ways of working and living. But just because the current security defences are able to withstand attackers now, that doesn’t mean cyber criminals won’t strike again in the future. Cyber criminals are always developing unique tactics to find and exploit new weaknesses.

As the UK still faces the COVID-19 pandemic, businesses are facing a hacking epidemic. For example, the National Cyber Security Centre’s (NCSC) 2021 annual review found that there were three times as many ransomware attacks in the first quarter of 2021 as in the whole of 2019. Current remote working practices have significantly changed the security landscape, but the need to keep everything connected and secure hasn’t changed. Businesses need to focus on embedding revised security measures right from the start so that their employees can keep operating securely, wherever they are in the world.

As we enter the third year in which the pandemic continues to impact organisations, here are my top five predictions for cyber security in the coming 12 months…

1. Trust will be maintained by Zero Trust Architecture in the hybrid working world

2020 and the early part of 2021 were all about remote working. Moving into 2022, I expect to see more organisations embrace and establish hybrid working as the norm. New data from Glint reveals that 87% of employees would prefer to stay remote at least half of the time, even after it was safe to return to their workplace.

As organisations adapt to different working patterns and locations, this fairly new hybrid working approach introduces new security risks. A login from a remote location late at night – once considered suspicious – is now a much more common occurrence as hybrid workers balance work and life priorities.

To help reduce the risks and the burden of monitoring those risks, organisations should consider implementing a Zero Trust approach. It’s a remarkably simple concept. Businesses must assume that there will be a breach, that anything can be compromised, and that no-one is really who they say they are or is acting responsibly. This does not mean you don’t trust your employees, partners, suppliers, or customers – as people. It’s actually about knowing who they are, what they are doing, what technology they are using, and what level of authorisation they have for each thing they do, every time they do it, wherever they are doing it.


This means that data, systems, and equipment are treated equally and securely. It doesn’t matter where they are located, in your network or outside it. Nothing is trusted until you know it can be trusted.

2. IT and OT cyber security will both be the CISO’s concern

In 2022, Operational Technology (OT) cyber security will be recognised as being as important as IT security for assuring business continuity. The number of large-scale attacks on OT systems grew in 2021 – with 83% of critical infrastructure companies experiencing breaches in the last three years. I expect to see this continue in 2022 as cyber criminals seek to further exploit these potentially vulnerable systems that control critical processes – making them lucrative targets.

IT and OT cyber security will become a greater concern for the CISO as they seek to reduce overall risks for their organisation. The good news is that satisfying the new end-to-end cyber security paradigm brings benefits beyond pure risk mitigation. The cyber security measures an organisation deploys will become a key quality characteristic, which organisations will be required to demonstrate in order to be admitted to digitised supply chains.

CISOs will need to give the same attention to their OT security as they do IT to gain all of these benefits.

3. True Business Continuity will require greater levels of collaboration and real-time insights

The COVID-19 pandemic reached an unprecedented scale and longevity that rippled through the way organisations operate, communicate, and safeguard against future disruptions. And these weren’t the only factors testing organisations’ continuity plans in the last two years. Society also simultaneously experienced civil unrest, wildfires, and hurricanes. This exposed weaknesses in organisations and demonstrated how historically siloed approaches to resiliency put organisations in grave danger. For instance, ransomware hackers targeted three US water facilities in 2021, which is concerning against the backdrop of droughts.

No one had a plan robust enough for 2020. The pandemic also prompted volatile and unpredictable market conditions. It not only demonstrated the interdependence of multiple areas of risk but showed organisations they must be vigilant about all disciplines simultaneously and holistically.

As we move into 2022, I expect to see more uncertainty and volatility that will stretch continuity plans. Organisations that want to build resilience and stability should bring together multiple disciplines such as business continuity, IT continuity/Disaster Recovery, risk management and procurement (supply chain) to collaborate on wider-reaching plans that facilitate real-time decision-making based on data instead of historic trends.

I also expect to see industries collaborating and regulators taking a greater interest in resilience across critical industries. A primary example of this is the operational resilience directive released by the UK’s financial regulatory bodies: the Financial Conduct Authority (FCA), in partnership with the Prudential Regulation Authority (PRA) and the Bank of England (BoE). This directive comes into effect in March 2022 for implementation, with full compliance being required in March 2025.

4. The strongest form of defence… will come from being attacked

To build organisational resilience against a rising tide of cyber threats in 2022, organisations will have to learn to think like cyber criminals. Cyber criminals are on the offensive and will always look for ways to exploit any weakness they find, without any regard for law and ethics. They rely on exploiting complacency and organisations focusing on agility at the expense of security.

One of the most critical vulnerabilities to watch out for in the years to come is the one in the open source logging library Log4j. This vulnerability is currently leading to the compromise of systems and data and will continue to do so in 2022. Attackers will iterate on and develop exploits to target this vulnerability and deploy ransomware and bitcoin miners to successfully compromise systems. Log4j will likely be a target of further scrutiny by attackers and vulnerability researchers looking to identify other weaknesses within the logging utility.

To build the right defences, organisations must learn how to think like a cyber-hacker so that they can close down any gaps that could be exploited. Organisations should embrace attack simulations and wargaming with a trusted security partner, who can help them set up realistic scenarios, run them, and then learn from the results. A wargame is the simplest and best way to find gaps in your defences. What you learn in action strengthens your ability to avoid needing to take serious action in the future.

Working with security service providers that can deliver Breach & Attack Simulation services helps test for vulnerabilities and shows how effective an organisation’s security posture is and where it needs to be strengthened, or even changed completely.

5. Turning the tide on security alert fatigue

Covid has added to the urgency of many businesses’ migration to the cloud and boosted consumer adoption of cloud services, and that’s set to continue for a long time. One estimate predicts that the cloud computing market size will reach $1.2 trillion by 2028. Increased cloud consumption has been accompanied by an equally rapid increase in the number of threats and alerts from across those platforms.

Inevitably, in 2022 we will see more security alerts, which will exacerbate the problem of ‘alert fatigue’, where IT security teams become overwhelmed and miss the signs of a significant attack. The continuing skills shortage in the cyber industry, combined with this fatigue, means organisations will need to think differently and gives them greater incentive to explore security automation solutions that can prioritise alerts and even enact pre-defined responses to reduce the burden on security professionals.

IT Security vacancies in demand

Stuart O'Brien

The Association of Professional Staffing Companies (APSCo) has released figures which show that the number of IT security vacancies increased by 6.2 per cent by the end of April 2017.

There was strong demand for IT Security staff from the Accountancy (40%), Retail and Education sectors, all of whom hold huge amounts of sensitive data.

The largest industry increase in terms of vacancies came from Professional Services, driven by the demand for Accountancy jobs.

Across the country, the Greater London region dominated the IT Security sector, with vacancies up 12% year-on-year, accounting for just over half of UK vacancies (51%). Elsewhere, the figures found that Yorkshire and Humber had the fastest growth in vacancies in percentage terms, with a 41% increase in demand, despite accounting for only 5% of the UK’s vacancies in this sector.

Ann Swain, chief executive of APSCo, commented on the report saying:

“As the recent WannaCry attacks on the NHS have demonstrated, the importance and profile of IT Security roles has never been greater. Our figures show that IT Security is taking on a life of its own, challenged only by the financial services sector, as it continues to expand.

“This growing trend is backed by Kroll’s 2017 Annual Global Fraud and Risk Report where 92% of UK executives said their firm had suffered a cyber security attack in the last 12 months, which is a huge number of attacks for firms to be subjected to. It’s clear that firms, in whatever business they are in, are taking this growing threat seriously and looking at increasing their staffing levels, to cope with the higher threat levels.”


NATO to upgrade its IT & satellite technology for 3 billion Euros

Stuart O'Brien

A senior official at the NATO Communications and Information Agency has revealed that the organisation is set to spend over 3 billion euros (£2.6 billion) upgrading its satellite and computer technology over the next three years.

Plans include a 1.7 billion euro investment upgrading satellite communications in a bid to support troops more effectively, along with aiding the use of Unmanned Aerial Vehicles (UAVs) or ‘drones’.

The investment is a result of the realisation by the North Atlantic Treaty Organisation (NATO) that modern warfare is fought as much online as in traditional air, sea and land combat, with the new technology helping to deter hackers and cyber terrorism.

It is not yet clear whether NATO allies would fund a new military communications satellite to be launched into space, or whether an increase in broadband capacity could be gained from existing US and other allied satellites.

Back in January of this year, non-NATO member Japan launched its first military communications satellite to help boost the broadband capacity of its Self Defence Forces, reinforcing an island chain stretching along the southern edge of the East China Sea.

The NATO official also revealed that proposals include around 800 million euros invested in upgrading computer systems that help command air and missile defences, although some of the funding was yet to be approved by NATO governments.

Improving the protection of NATO’s 32 main locations from cyber attacks would cost 71 million euros. A further 180 million euros is to be spent to provide more secure mobile communications for alliance soldiers in the field.

The proposals are likely to attract major Western defence contractors including Airbus Group, Lockheed Martin Corp and Raytheon.

NATO prevents contractors from outside the alliance from bidding, although Russian or Chinese suppliers are allowed if there is a specific need that allied companies cannot provide.

www.nato.int

Guest Blog, Markus Bekk: EU General Data Protection rules will hit soon – are you prepared?

Jack Wynn

Did you ever try to set up and execute a transformation programme in just 18 months that will change your global processes, involve all divisions, affect most of your supplier and client contracts, and bear the risk of fines as high as four per cent of your global turnover?

That is what many are probably facing as they prepare for the General Data Protection Regulation (GDPR), which the EU enacted in 2016 and which comes into effect mid-2018. I can already hear shouts of “But Brexit!” However, if an enterprise offers services to the EU market, it is still involved. And now things have gotten even more complex…

What’s the buzz about GDPR?

Given the patchwork of data protection directives created since 1995, the EU decided to harmonise standards, increase cooperation between institutions, and provide clear points of contact. This was backed by a 2015 study showing 89 per cent of Europeans said it was important to have the same rights and protections over their personal information, regardless of the country in which the entity offering services is based.

The most important GDPR updates include:

Privacy by design: Design processes need to incorporate “privacy by design”, which means appropriate technical and organisational measures to implement data-protection principles, e.g. applying principles for personal data minimisation, early pseudonymising of personal data, and data protection security features.

Right to be forgotten: Subjects can request erasure if no legal ground or purpose still exists, or their consent has been withdrawn. Online enterprises are obliged to inform third parties to remove links or duplicates of the data to be erased.

Data portability: In case of automated data processing, data subjects have the right to request and receive data in “a structured, commonly used, machine-readable and interoperable format” that can be transferred to a different provider.

Notification in case of data breaches: In cases of risk to the rights of data subjects, the supervisory authority needs to be informed within 72 hours. In high-risk cases, data subjects themselves need to be informed, with recommendations to mitigate the risk.

Review and Recertification of data: Users may view and update their personal data, free of charge (if not misused).

Rules for consent of data subject: Processing based on consent has been updated. It needs to be ensured that sufficient consent can be demonstrated; existing consent either fulfils all new requirements or needs to be renewed. Consent may not be conditional on the performance of a contract, must be in clear and plain language, and must be easily withdrawn in the future. Consent for processing of sensitive data needs to be explicit.

Processing documentation: Data controllers and processors need to maintain processing documentation of various aspects, e.g. representative contact, data protection officer, processing purpose, data categories, data recipients, safeguards in third countries, time limits for erasure, and security measures.

Data Protection Officers (DPO): Necessary in a variety of circumstances. They require expertise, need to remain independent, and shall directly report to the highest management level.

Transparency to data subject: When personal data is acquired the subject needs to be informed about various aspects, e.g. identity of the processor, DPO, recipients, international transfers, storage period, several data protection rights, and if data is used for automated decision-making.

Data processing risk assessments: GDPR requires the establishment of effective procedures and mechanisms that focus on processing operations likely to result in high risk, to allow effective risk mitigation (in some cases with the supervisory authority).

International transfers to non-EU countries: Have been modified and need to be revisited.

Explicit obligations of data processors: Data processors (processing on behalf of a data controller) are now explicitly required to fulfil certain rules, like documentation requirements, DPO, EU representatives, or data breach notification.

What should be done?

You should get the detailed requirements from the regulation, check how far the regulation is applicable, perform a gap-analysis and launch the most important transformation initiatives.

This could include:

  • Review communication channels and appoint necessary roles
  • Ensure proper consent of data subjects
  • Update notices, standards and policies
  • Verify and streamline your processes
      ◦ Design processes (privacy by design)
      ◦ Risk assessment and security measures
      ◦ Data subject requests (erasure/portability)
      ◦ Notification and reporting (PDA/data subjects)
      ◦ Documentation
  • Evaluate your contracts
      ◦ With your data subjects
      ◦ With your data processors
  • Monitor for local GDPR amendments and any updates issued by the European Commission or the European Data Protection Board.

Markus Bekk, CISA, PMP, ITIL Expert is a hands-on professional in IT governance, risk and compliance management, and specialises in sourcing and third-party management. He has delivered numerous transformation, transition and innovation projects and programmes with international players mainly in the financial and insurance industry. Bekk is determined to overcome the gaps between traditional IT management disciplines and distributed, international, agile business requirements.

Industry Spotlight: How can we address the cyber security skills shortage?

Jack Wynn

Various industry research studies suggest that many businesses of all sizes are ill-equipped to address cyber security threats, leaving them vulnerable to hackers.

According to NTT Security’s Risk:Value 2016 report, while most decision makers admit they will be breached at some point, just half agree information security is ‘good practice’. This raises the question as to why businesses are holding back from minimising the effects of an impending breach. Some argue there is a lack of internal resource to keep up with the growing threats, indicating that it is no longer possible for many organisations to tackle all aspects of security in-house.

Organisations are left under-skilled and under-resourced in security terms, and this is evidenced by a recent cyber security talent report, which estimates there are 1m unfilled security jobs worldwide. This is unlikely to change in the near future and could get worse – with Frost & Sullivan predicting there will be 1.5m unfilled jobs by 2020.

According to the firm, security analyst tops the list of positions that are in most demand, with 46 per cent reporting a staffing deficiency at that position, followed by security auditor (32 per cent), forensic analyst (30 per cent) and incident handler (28 per cent).

Information security needs to be seen as a career choice, with greater awareness in schools and colleges globally in order to attract more people into the profession. Until then, companies need to think carefully about a future that relies on getting by with existing resources or outsourcing some or all of their security operations.

An organisation’s IT team will be grounded in IT fundamentals and daily business operations, so would be well placed to take on roles in cybersecurity. Security experts need a great mix of technical and soft skills, which are usually honed over many years. They need to know how to communicate effectively with non-IT colleagues and understand business processes, compliance and analytics. They also need to have a genuine interest in cybersecurity.

Training staff is a long-term investment, but technology products change faster than an organisation can train its team. A commitment to training and professional development is a strategic decision needing budget. There’s the cost of training, as well as the length of time it takes to train each person while keeping skills and certifications up-to-date. Plus, when people leave, you have to start the process over again.

Investing in internal resources therefore isn’t an option for a large number of organisations. Almost half of companies worldwide lacked in-house security skills, according to Frost & Sullivan’s 2015 (ISC)2 Global Information Security Workforce Study, while a third plan to use managed and professional services to address these skills shortages.

Outsourcing some or all of an organisation’s security operations to a Managed Services Provider can alleviate the problem. A trusted provider will know how and where to find the right experts, invest in training and improving professional qualifications, and continuously monitor an organisation’s network round the clock. If companies find they don’t need to fully outsource their security operations, they can use an MSSP to fill specific gaps, such as incident response.

There’s no silver bullet in terms of training internal resources or hiring new resources, but there’s never been a more important time to address the skills gap.

Words by Stuart Reed, senior director at NTT Security

Guest Blog, Adrian Crawley: Transforming security skills for a changing industry landscape…

Jack Wynn

Talk to any security specialist and they will tell you that, today, the number of different security attacks they potentially face is overwhelming. It’s the direct result of two trends. Firstly, professional hackers have become more sophisticated in their approach, using automated attacks whereby bots are used to launch very advanced persistent attacks; and secondly, the new wave of ‘off the shelf’ hacks that can be bought for as little as £20 are able to cause untold damage to a network.

Of course, bots aren’t new, but this year alone the industry has seen an extraordinary rise in their use, posing a big question to company security experts – can we cope? And the simple answer is no. Trying to respond to bots and make complex decisions quickly enough is something the human brain is simply not equipped to deal with; nor is it capable of managing high-intensity attacks for days on end.

In response, more and more companies are employing good bots to fight back in a bid to move their security experts from the front line to more strategic development roles.

Strategy is such a fundamental part of security today. No longer is it possible to react on the spot; you need to anticipate the threats and stay ahead. Plus, it needs to be done in line with the overall company strategy and in conjunction with suppliers.

Suppliers are often overlooked, but today skills need to extend beyond your organisation and ensure that your internet service provider (ISP) for example won’t be the ‘cyber domino’ that takes you down. ISPs are one of the most targeted facilities because they are an easy route to attacking hundreds of companies at a time – attack once, damage many. The development of contracts that cover this risk is common practice and should not be underestimated.

In terms of company strategy, if you are moving to an internet of things model, or have ambitious plans to expand market share, your networks, and your partners’ networks, will inevitably need to change and be able to manage a new level of demand to ensure consistent delivery and a great customer experience.

That’s why finding the tools that will always detect and mitigate the risks is an essential part of network and application delivery today. However, it’s also a necessity to know what the risks will be; they change so rapidly and it can be an impossible task to monitor the risks when you already have other responsibilities.

It’s thought that more than 20 per cent of companies are now turning to ex-hackers for help (37 per cent say they are considering it). As risky as it may sound, many IT directors have identified that they are able to tap into sources in the ‘darker’ web and listen into conversations that are happening between individual hackers, and organised groups. They are also able to spot the malicious technology developments and even tell you the next target, well before they hit.

As I say, for security professionals that have built a reputable career, this whole approach can seem an oxymoron. Why potentially cultivate an enemy within? It’s therefore important to have the right checks and balances, and day-to-day management skills in place to ensure conduct is above board at all times. Or indeed, assess if a security partner who employs the skill is a better option.

Whatever path you choose, the future will be constantly changing, and when security attacks are a question of when not if, every company needs a plan in place. How they are shaped will be down to the organisation and the sector it operates in, but understanding how technology and skill are blended will be an essential part of a successful strategy.

Adrian Crawley is responsible for the Northern EMEA region at Radware, specialising in network and application security. He oversees the cyber security for international brands as well as medium-sized enterprises in a mix of sectors including finance and insurance, retail, utility, public sector and telcos and ISPs.


WinMagic: Your guide to the new EU GDPR legislation…

Jack Wynn

The long-anticipated EU General Data Protection Regulation (GDPR) has been adopted in Brussels after years of negotiations and speculation about how it will affect businesses of all sizes.

The new legislation gives citizens more control over their personal information, and makes companies responsible for keeping their data secure – with fines of up to £20 million (or 4% of turnover) and huge consequences for a breach.

Businesses now need to realise this is not just an IT problem, but a significant organisational issue that senior management need to actively engage with.

Find out what you can do now to prepare with WinMagic’s guide