Posts Tagged :

Research

Code

GUEST BLOG: Securing SMEs for the future

960 640 Stuart O'Brien

By David Navin, Head of Corporate, Smoothwall

Cyber-attacks are nothing new, with a new threat, attack or breach making a regular occurrence on the news agenda. With a number of high profile attacks on large corporations such as Yahoo, Sony, TalkTalk and Camelot, it is easy to think that cyber criminals only go after the big fish.

In fact, security expert Dr. Emma Philpott recently stated: “There’s a lot of great talk, but most SMEs do nothing about cyber-security. It’s shocking.”

Although it may sound harsh, Philpott was actually simply confirming what the majority of the security industry will tell you; that SMEs rarely have clear, actionable measures in place which present a rather inviting opportunity to hackers and threat actors.

Research last year found that 48 per cent of SMEs fell victim to at least one cyber-attack in the past year, with 10 per cent targeted multiple times. It begs the question, therefore: why do SMEs not consider their cyber security as important an issue as large enterprises?

Last year in the UK there were 5.4 million SMEs, making up over 99 per cent of all UK businesses, making them absolutely crucial for the UK economy. With such importance placed on UK SMEs, it highlights the sheer importance as to why the security problem is so serious and needs to be addressed.

It isn’t that SMEs are over-confident or ignorant to the threat of cybercrime. The majority of SMEs suffer from an inferiority complex and believe they are not at risk because they are not big or important enough to be a target for hackers.

They could not be more wrong.

Consumers share their data with SMEs on a daily basis, with many large companies working with SMEs as part of their supply chain. This makes SMEs a very attractive proposition for criminals looking to get hold of valuable data – be it corporate or personal. By playing a part in the supply chains of larger companies, they can be exploited as back doors into their larger partners, providing cyber criminals with a passage to attack the ‘bigger fish’. Security is another issue as well. Aside from the value of the data they hold, SMEs provide a bullseye for threat actors as they tend not to have the same level of security in place as their larger counterparts. This means they are not only an appealing option to hackers, they are often an easy one.

Constant vigilance

With the increasingly common Advanced Persistent Threat (APT), there is more chance that a cyber-attack has been set out to steal data rather than to cause damage to the network or organisation.

Mitigating against such attacks is very challenging and larger businesses invest in highly complex security systems to protect themselves. It is often the case that SMEs don’t feel they can afford such investment, but the truth is that there are some security measures that can be taken without huge cost.

There are five fundamental security measures every business should have in place: web security with perimeter firewall, application control, network segmentation, IPS (Intrusion Prevention Systems) and email security. By implementing these, SMEs can begin to build a defence with these security pillars as their foundation. As the business grows, further investment can be then made and built on top of this. 

Go small to win big

SMEs can take no chances. If found to be the weak link in a large organisation’s security defence, it is likely that they will lose that partner and the hundreds of customers that come with them, and the reputational and financial damage that will result could be catastrophic to a small business. We have already seen how a cyber-attack can affect a company’s prospects, with Yahoo’s acquisition by Verizon cut significantly as a result of its 2014 hack, and SMEs can be subject to the same consequences as well.

This is why, alongside having the core five defences in place, SMEs must adhere fully to security regulation. We know compliance is a painful process for SMEs – it can be time-consuming and therefore costly. There is no avoiding compliance, even if it does not necessarily lead to better security, but what it will always do is protect relationships with larger partners. Coupled with at least a basic level of security, the SME becomes far less appealing to a hacker.

Companies, no matter their size, need to have all the measures in place so as to keep their data watertight and relationships safe. Reputation for any company is built from the bottom up: prevention before cure, or face the ignominy of a potential debacle, TalkTalk-style.

Credit-Card

NCA: “Peer pressure and kudos” key reason youngsters lured into cybercrime

960 640 Stuart O'Brien

A new study by the National Crime Agency, titled Pathways Into Cybercrime, reports that the key reason that youngsters become involved in online crime is peer pressure and kudos, rather than any financial gain.

Based on debriefs with young offenders, the report shows that the sense of accomplishment at completing a challenge and proving oneself to peers in order to increase online reputations were the most important reasons behind the decision to commit cybercrime.

Another factor was the availability of free and easy-to-use taking tools such as DDoS-for-hire services and Remote Access Trojans (RATs).

The report shows that the average age of hackers that come to the attention of the NCA is just 17 years old. It also provides insight and advice on education and opportunities available to the youngsters so that they might use their skills positively.

“There is great value in reaching young people before they ever become involved in cybercrime, when their skills can still be a force for good,” said Richard Jones, head of the National Cyber Crime Unit’s Prevent team.

“The aim of this assessment has been to understand the pathways offenders take, and identify the most effective intervention points to divert them towards a more positive path. That can be as simple as highlighting opportunities in coding and programming, or jobs in the gaming and cyber industries, which still give them the sense of accomplishment and respect they are seeking.”

The report has been praised by security firms for its positive outlook in providing young people mixed up in cybercrime with an effective strategy of rehabilitation, channeling young people with a skill set of computer science into productive activity and not online criminal activity.

www.nationalcrimeagency.gov.uk

Hacking

Report: Hacks on UK businesses costing investors £42 billion

960 640 Stuart O'Brien

A new report from CGI and Oxford Economics claims that hacks on UK businesses are costing investors £42 billion, with FTSE 100 companies incurring average costs of £120 million with each breach.

Furthermore, the study also found the share prices of companies that have been hacked  fall by an average of 1.8 per cent on a permanent basis following a severe breach involving large amounts of sensitive information – equivalent to £120 million.

Oxford Economics used the Gemalto Breach Index as the basis of its research, looking at 315 ‘breach events’ with a focus on 65 ‘severe’ and ‘catastrophic’ breaches since 2013 ta companies listed on seven global stock exchanges.

The sheer size of the financials revealed in the research will sharpen focus on hacking, with Wonga the latest UK firm to be dealing with a high-profile incident.

Meanwhile, ABI Research recently asserted that damages from cyber attacks would surpass $1 trillion globally.

www.oxfordeconomics.com

Esoteric

INDUSTRY SPOTLIGHT: Reduce risk of insider threat with counter-eavesdropping solutions

960 640 Stuart O'Brien

In a recent survey by Vormetric a whopping 89% of respondents said they felt their company was at risk from insider attack, with 34% saying they felt very or extremely vulnerable.

Senior management are most concerned by the potential for damage, caused either maliciously or through neglect, by trusted employees. This anxiety is supported by the Ponemon Institute who reported that 62% of employees have access to company data they shouldn’t.

To help reduce risk to exposure companies might want to consider:

  • Who specifically requires access to particular information and what for (can the information they require be found from another source)
  • What controls are in place to limit access to only those who need it to carry out their job roles
  • How to identify unauthorised access
  • What information is of value to others

In order to be productive companies need to give employees freedom to work without impediment. Balancing access to information whilst protecting what’s confidential can be achieved through the introduction of simple security systems, including the evaluation of risk from electronic eavesdropping – now the highest growth area of insider attack.

Having a proactive Technical Surveillance Counter Measures (TSCM) program in place, demonstrates a best practice approach which will reassure board members, clients and stakeholders. As well as locating and identifying hostile electronic surveillance devices, an effective TSCM program is designed to detect technical security hazards, physical security weaknesses or security policy and procedural inadequacies that would allow premises to be technically or physically penetrated.

For further information on how to keep your company’s confidential information confidential, call Esoteric on 01483 740423. Or email mail@esotericltd.com

Human decision making still the most trusted method in cybersecurity

960 640 Stuart O'Brien

A report aggregating insight from more then 400 interviews with leading cybersecurity researchers and security experts on Artificial Intelligence (AI), Machine Learning (ML) and Non-Malware Attacks has found that 87 per cent of those polled still don’t trust AI or ML to replace human decision making in security.

Commissioned by endpoint security specialists Carbon Black, the report also revealed the following trends:

  • 93 per cent of cybersecurity researchers said non-malware attacks pose more of a business risk than commodity malware attacks.
  • 64 per cent of cybersecurity researchers said they’ve seen an increase in non-malware attacks since the beginning of 2016. There non-malware attacks are increasingly leveraging native system tools, such as WMI and PowerShell, to conduct nefarious actions, researchers reported.
  •  AI is considered by most cybersecurity researchers to be in its nascent stages and not yet able to replace human decision making in cybersecurity. 87 per cent of the researchers said it will be longer than three years before they trust AI to lead cybersecurity decisions.
  •  74 per cent of researchers said AI-driven cybersecurity solutions are still flawed.
  •  70 per cent of cybersecurity researchers said ML-driven security solutions can be bypassed by attackers. 30 per cent said attackers could “easily” bypass ML-driven security.
  •  Cybersecurity talent, resourcing and trust in executives continue to be top challenges plaguing many businesses.

“Based on how cybersecurity researchers perceive current AI-driven security solutions, cybersecurity is still very much a ‘human vs. human’ battle, even with the increased levels of automation seen on both the offensive and defensive sides of the battlefield,” said Carbon Black Co-founder and Chief Technology Officer, Michael Viscuso. “And, the fault with machine learning exists in how much emphasis organisations may be placing on it and how they are using it. Static, analysis-based approaches relying exclusively on files have historically been popular, but they have not proven sufficient for reliably detecting new attacks. Rather, the most resilient ML approaches involve dynamic analysis – evaluating programmes based on the actions they take.”

In addition to key statistics from the research, the report also includes a timeline of notable non-malware attacks, recommendations for incorporating AI and ML into cybersecurity programs and an ‘In Their Own Words’ section, which includes direct quotes from cybersecurity researchers and unique perspectives on the evolution of non-malware attacks.

“Non-malware attacks will become so widespread and target even the smallest business that users will become familiar with them,” said one cybersecurity researcher. “Most users seem to be familiar with the idea that their computer or network may have accidentally become infected with a virus, but rarely consider a person who is actually attacking them in a more proactive and targeted manner.”

www.carbonblack.com

Forum Insight: Savvy SEO tips for start-ups that won’t break the bank…

800 450 Jack Wynn

With 50 per cent of new businesses failing within five years, recent research has revealed that many small businesses are missing out on opportunities to market online due to a lack of digital knowledge.

The research from 123 Reg found that 73 per cent said they did not advertise online and 42 per cent reported having no digital presence. SEO and other terminology also stumped 48 per cent of business owners surveyed, and only 53 per cent said their websites were easily readable via a mobile device.

“Being digitally savvy is especially important for start-ups. It can be the difference between your business being seen in the right places by the right people, and even small changes can have a huge impact,” comments Alex Minchin, founder and director of SEO agency Zest Digital.

Here, Alex shares three instantly achievable tips for small businesses looking to get started with SEO:

  1. Sign up to Google Analytics and Google Search Console and add the necessary code to your website: These are two free tools that will enable you to measure performance, even if you don’t understand it all immediately. You cannot improve something that you’re not measuring, and these tools will measure things such as; the number of visitors landing on your website, the best performing content, keywords driving traffic, any broken links or pages, and the links from other websites that are pointing back to your website.
  2. Start local: Most searches in the micro and small business world include local modifiers such as your city or county, e.g. “Plumbers in Croydon”. An easy way to start to build some gravitas towards your website is to feature on business directories. This creates ‘citations’ (mentions) of your business name and confirms your address and other details, in addition to pointing a link back to your website. It’s crucial to make sure your information is kept consistent, so finalise your details and use the same information as a template for all directories. These things will help to increase the strength and trust of your website. Just be sure to focus on reputable directories such as Touch Local, 192, Freeindex, and Opendi for example.
  3. Focus on the real basics and design each META title and description for each of the key pages on your website as a minimum: The title tag and descriptor underneath the search result is considered as a ranking factor by Google, and can positively influence your rankings for a particular keyword. Your title should include your keyword and brand name as a minimum, but try to be as creative as possible with the character limit (55 is the defacto) that you have available.  In the META description, it’s more important to include your value proposition and key information, for example “free delivery on all orders”, or “free quotation”. Remember, you’re trying to stand out to win a greater share of the clicks against the other websites competing for the same keyword so details and USPs are key.

“It’s widely reported that somewhere around 90 per cent of all purchasing decisions begin with a search engine and a search query.  SEO can therefore play a huge part in the marketing strategy of a small business.

Alex continues. “Sharing your expertise through content and delivering value to your target market is the name of the game, and it’s a playground that, whilst dominated by some larger brands, isn’t policed by them. It’s entirely possible for a small business to compete and win on this channel, and doesn’t have to involve a huge cost in doing so.”

Online retailers must be transparent after a data breach, says NTT Security…

800 450 Jack Wynn

Online shoppers in the UK are demanding retailers to be honest and transparent on whether they have suffered a security breach, a survey commissioned by NTT Security has revealed.

When asked what retailers could do to help build consumer trust whilst online shopping, 80 per cent of the 500 survey respondents said they expect more transparency following a breach, as well as more secure payment options and for retailers to insist on regularly changing and using strong passwords.

Further to worrying about the risk of paying online and identity fraud, the majority are also concerned about the privacy of personal information (63 per cent), a site being fake (63 per cent) and the risk of being sent ‘phishing emails’ that link to malware (60 per cent).

Stuart Reed, director at NTT Security said: “The retail sector is among one of the most targeted industries for attacks and, with one of the busiest trading periods of the year now upon us, it makes sense that both consumers and retailers are diligent in terms of data security.

“While some shoppers are happy to continue using sites, even when they have been breached, they are also anxious for retailers to let customers know when they have been hacked. Consumers certainly seem to be growing in security awareness when online; more savvy, they are willing to take responsibility for their own security to some extent, but they are also more demanding of retailers and expect to see privacy and security polices displayed clearly on websites.”

However, only 18 per cent would permanently stop using a retailer’s website if a security breach was exposed and a third admit they would carry on using an online store but would upgrade their security.

More than 40 per cent believe retailers should publish their privacy policies to allow customers to see how data is being stored and managed, while a third (32 per cent) want stores to listen and respond to customer concerns via social media to help build consumer trust.

 

Read more on the research, including five top tips on how retailers can mitigate cyber risks here

Majority of organisations ‘victimised’ by cyber-attacks, new research claims…

800 450 Jack Wynn

A joint study carried out by the technology leader in application networking, A10 Networks and in partnership with the Ponemon Institute has found that the high risk of cyber-attacks to financial services, healthcare and other industries stems from the growing reliance on encryption technology.

The study, ‘Hidden Threats in Encrypted Traffic: A Study of North America & EMEA’, surveyed 1,023 IT security practitioners in Europe and North America, highlighting the increasing challenges these professionals face in the fight to prevent and detect attacks on encrypted traffic in and out of their organisations’ networks.

Nearly half of respondents (47 per cent) cited a lack of enabling security tools as the primary reason for not inspecting decrypted web traffic; closely followed by 45 per cent stating insufficient resources and degradation of network performance. However, 80 per cent claimed their organisations have previously been victims of cyber-attacks during the last 12 months, and nearly half say that the attackers used encryption to evade detection.

Director of cyber operations at A10 Networks, Dr. Chase Cunningham, said: “IT decision makers need to think more strategically. The bad guys are looking for ROI just like the good guys, and they don’t want to work too hard to get it. Instead of focusing on doing everything right 100 percent of the time, IT leaders can be more effective by doing a few things very strategically with the best technology available. It’s the cyber security equivalent of the zombie marathon — as long as you can avoid being the slowest in outrunning the zombies, you minimise risk.”

Although the study pinpoints that 75 per cent of survey respondents say their networks are at risk from malware hidden inside encrypted traffic, an estimated two-thirds admitted their company is ‘unprepared’ to detect malicious SSL traffic; leaving them vulnerable to costly data breaches and the loss of intellectual property.

Kaspersky Lab: Brit residents ‘top targets’ of ransomware attacks…

800 450 Jack Wynn

New data released by security software company, Kaspersky Lab, claims that British residents are constantly being targeted in a wave of ransomware attacks.

The research suggests that mobile ransomware is becoming more commonplace, and reveals that the company put a stop to 136,532 ransomware attacks between March 2015 and March 2016; an almost four-fold increase on the 35,413 attacks in the previous 12 months.

In addition, Kaspersky’s data shows that UK citizens are among the most likely to be targeted by mobile ransomware; with an estimated 16 per cent of all mobile ransomware attacks hitting users in this country.

Read more on the research here

Work-fixated Brits continually placing corporate data at risk…

800 450 Jack Wynn

OneLogin, a leader in cloud-based Identity & Access Management (IAM) has revealed that work-obsessed UK employees are consistently placing corporate data at risk due to an increase in individuals accessing work records during out-of-office hours.

Although three-quarters of employees currently have security software set up on their work devices – which could potentially be down to an organisation’s security policy – OneLogin found that employees are constantly sidestepping simple security procedures. 11 per cent claimed they would willingly give colleagues access to their work device, and a further 9 per cent would grant their partners access.

VP of EMEA at OneLogin, Per Uhd Stritich, said: “Remote and desk-less employees are of course largely beneficial to organisations in terms of productivity and scaling down on costs. However, the correct measures need to be put in place to ensure remote workforces are accessing data securely and that it’s not placed in the hands of others. For example, single sign-on technologies and IAM solutions will ensure only the employee can access work data, no matter who else gets their hands on the device.”

Furthermore, 35 per cent admitted that they would actually share their passwords for work-related technology, such as apps, emails and devices, with close friends and family.