There is no such thing as free Wi-Fi

Every day thousands of business travellers arrive at their destination searching for the “free Wi-Fi” sign so that they can stay in touch. What most people don’t realise is that this creates an excellent opportunity for cyber criminals to get their hands on your personal information and sensitive corporate data. We are all familiar with some high profile hacks, Sony and Talk Talk to name just a few, but there isn’t a week that goes by without another hitting the headlines. It is all too easy to see cyber security as a problem only for large corporates and not something that we mere mortals have to deal with. An expression very familiar to most cyber security experts is: “why would anyone be interested in me or my information…”

If you have a device with information stored on it, and/or you send information over the internet, this is exactly what the cyber criminals are looking for!

Remember the phrase “one man’s trash is another man’s treasure”!

Why Do Cyber Criminals Want Your Information?

So why are cyber criminals so keen to get their hands on your information? They want your personal details, your clients’ or suppliers’ details, your trade secrets, or simply a list of email addresses. All of these details are highly valuable when traded on the dark web. The value of a laptop may be $600, but if you have confidential merger plans on the disk then the PC could be worth millions of dollars to a criminal or business rival.

Even if you think you don’t have any of this information you may still be of interest.

You may be a target as the weakest link and the way in to a more valuable target further up the supply chain.

How Do They Do It?

One of the most common ways for hackers to steal your data is to use software to intercept the Wi-Fi network, at which point they can see everything a fellow free Wi-Fi user is doing on screen. They can then read all the traffic travelling to and from that device to extract important information.

Another popular method used by hackers is to set up rogue Wi-Fi hotspots in areas where large numbers of users are likely to be searching for a connection. These hotspots use generic names like “free Wi-Fi” to lure trusting users into connecting, at which point their personal information can be collected.

The easiest way for thieves to get their hands on your data is to get the device itself. Home Depot and Pfizer both suffered huge data compromises when laptops holding confidential information were left in the back of a taxi and stolen. A recent study found that nearly half of all executives have lost a device in the past year! It is estimated that over 2 million laptops are lost or stolen in the US each year.

It’s nearly impossible to secure against an opportunistic thief or simple forgetfulness, so it’s important to take precautionary steps.

What Steps Can You Take to Protect Your Devices and Your Information?

There are a number of steps that you can take to protect your information when you travel.

Before You Go

Back Up

Back up all the information on the devices that you need to take on your trip.

Do You Need the Device/Data for the Trip?

Think about the device you are taking and what information is on it. Ask yourself whether you are travelling with data that you cannot afford to lose.

Be Suspicious of Emails You Receive

Be suspicious of emails you receive before you travel, especially if they are linked to large international events.

Do not post your travel plans on any social networking site.

Many CEO email scams, in which scammers impersonate the CEO’s email to defraud the company, happen while the executive is out of the country.

Whilst Travelling

Protect Your Device

Never pack it in the hold, or leave it on a hotel table while you grab a coffee. If you do need to leave it behind then lock it away in the hotel safe. Always protect your device with a PIN code or password. Last year a report found that 50 per cent of executives had lost their device.

Install Anti-Virus Software

There are a number of mobile device security software solutions available. Install one on all your devices for added protection.

Disable Bluetooth Access

When you allow access to a device via a Bluetooth connection, once connected this connection stays open and data can flow freely with very little or no user confirmation. How often have you connected your phone to the Bluetooth in a hire car? When you connect your phone you can see the details of previous users’ devices, which, if still in range, would enable access to their data.

Don’t Use Public Wi-Fi

Public Wi-Fi networks are available everywhere these days. Travellers should use them with extreme caution, as they are often poorly protected and easily imitated by cyber criminals who set up their own “hotel” networks. The names of Wi-Fi networks are created manually, so anyone can set up a network using any name. Criminals might set up a network called “official hotel Wi-Fi”. Once you click and connect to the scammer’s rogue network they have their hands on all of your data. Always verify with the hotel, café, airport lounge etc. that you are connecting to the official network, and check that it has the padlock sign in the top bar. If possible, avoid using any public network.

Don’t Use Shared Computers

Often hotel lobbies will have some shared computers with internet access. You have no idea how safe the network is, so again avoid using them wherever possible.

Don’t Do Any Financial/Sensitive Transactions

Take extra precautions whilst connected to Wi-Fi. Do not send any financial information or business critical information whilst abroad; save it until you are back in the office, safely within your secure network.

When You Return

Change all your passwords in case they have been stolen.

Look out for any suspicious emails.

When the Unthinkable Happens – What to Do If Your Data Is Lost Whilst Travelling

Assess – What has happened, what is the potential impact?

If your laptop has been stolen with company data on it, then, provided it was password protected and encrypted and you have the ability to track it and remotely ‘wipe’ the disk, you are probably in a reasonable position. The cost will be a new laptop, not a new career.

Conversely, if you had sent your corporate takeover plans to Dropbox, uploaded them onto your personal unprotected iPad and lost that, then the significance of the loss is much higher.

Inform – Relevant people about what has happened.

Depending on what has been lost this could be your IT department, management, bank, customers, suppliers, partners, police, insurance firm and potentially shareholders.

Forward-looking firms have a policy explaining what to do in this situation, with contact and help points. The main point is to make sure the relevant people are aware and so can help make the right decisions to minimise the consequences of the loss.

Remediate – Resolve the problem as quickly and effectively as possible

Change your passwords immediately. This may help prevent criminals accessing your emails and sensitive information.

Disable the lost device if possible and wipe data from it. Track it and keep law enforcement and your IT department informed.

If you think banking/financial information may be compromised then inform your bank and accounts department.

Monitor activity. It may be useful to explain to customers/suppliers what has happened so they can monitor too. An all too common fraud is to imitate a CFO and give customers new bank account details to send their payments to.

Replace compromised or lost equipment.

Review policies and ensure they are communicated and enforced.

Losing information whilst travelling can be very worrying, but the main thing is not to panic. Having a clear understanding of how to protect yourself helps significantly to reduce that worry, and the likelihood of loss in the first place.

Raising Awareness

The most important tool in the battle against the cyber criminals is awareness. Training is crucial in helping people to understand what the issues are, what is at stake and the simple steps they can take to drastically reduce the risk.

Develop a cyber security culture that becomes a part of everyday corporate life whether in the office or on the road.

Posted on : 15-01-2020 | By : kerry.housley | In : Uncategorized


Are you ready to make digital transformation a success?

Digital Transformation is a phrase that businesses are all too familiar with but there are many interpretations of what it means. Companies large or small feel this is an opportunity that they cannot afford to miss!

All too often a decision is made at the top when an executive says we must do “more digital”, with little understanding of what this involves and how it will affect daily business operations. Companies are under huge pressure to get on board with this process; they fear that if they do not, they will be left behind and watch their competitive edge slip away.

Traditional organisational change failure rates are already reported to be 60-80%, and when it comes to digital transformation the story is much worse. A Bain survey reported that just 5% of companies involved in digital transformation achieved or exceeded the expectations that they had set themselves. Many of these companies had settled for very little return on investment and mediocre performance.

There are many reasons for such poor outcomes, but one is that many firms jump on this bandwagon far too early without thinking it through at a higher strategic level. Often the starting point is “we need to go digital”, looking for areas of the business in which to implement the technology, usually a strong pain point that they want to fix. Digital transformation is not about fixing isolated pain points but about finding ways in which a company can improve its customer journey and provide the best level of service it can. Companies overlook this and go straight ahead putting digital solutions into various parts of the business rather than thinking of this as an enterprise-wide initiative.

Another reason for failure is a total lack of investment in areas outside the digital arena. In order to successfully implement any change, there must be a clear reason for doing so. This message must be communicated throughout the organisation, from the Board at the top through to the workers on the frontline. It is here that many companies fail to invest the time and money required, and without the understanding and buy-in of all involved, success will be very difficult to achieve.

Technology is constantly improving, and companies are keen to be seen as the leaders in their field. There is no doubt that for those who are successful in their digital transformation the rewards are immense in terms of improved customer service and increased revenue. The problem is that not every company needs, or indeed will benefit from, digital transformation. Technology is not one size fits all. Often, companies are so keen to be seen as innovators that they rush into it and buy the “next big thing” without any clear idea of how they will use it and what the benefits might be.

Introducing traditional change into an organization is no easy feat, and digital transformation with all it entails is a far greater challenge.

The operating model is a crucial starting point: what does it look like, and how can technology work within this model to give the best results? Many organisations are operating on models that are out of date with their business goals and not agile enough to keep up with the fast pace of customer expectations and technology change.

All the business departments must work together to confirm the business processes and look at how these processes can benefit from digital intervention.

In the Broadgate office we often talk about people, process and technology, and it is the people part here which will ensure that the innovations proposed will benefit what is actually happening in the business on a day to day basis. These are the people who have the understanding to see how a process can be improved, and they are the people who can ensure your success. As we said earlier, the importance of investing heavily in the planning process and getting the culture and the environment ready for change cannot be overstated, yet it is often overlooked.

From the boardroom to the post room, everyone must understand the business and what it is trying to achieve, so that everyone can understand the benefits of the digital change.

Digital transformation is not a one-time project but an ongoing improvement strategy. Organisations should always be thinking about how they can keep improving their business and how they can offer their customers the best experience.

Is your business ready for digital transformation?

  • Is your operating model ready?
  • Are your business processes ready?
  • Is your board ready?
  • Are your employees ready?
  • Is your company culture ready?

If the answer is yes to all the above, then you have a good basis on which to start and might just be in with a chance of success!

Posted on : 15-01-2020 | By : kerry.housley | In : FinTech, Innovation


Is it time to reconnect offshore?

At the end of last year I travelled to India to assess the capability of a potential supplier for our clients. Over the years I have always both enjoyed and been impressed with my trips to India. The culture, the capability of the people I meet, their client focus and general level of friendliness have always made my trips ones that I look forward to.

This trip was no different and reconfirmed my views. However, I did return with one nagging question:

Why do many corporations not extend their technology services operating model to include partnerships with offshore providers?

Our Broadsheet publication has discussed the changing face of sourcing models many times over the years. Through the late 90s and over the subsequent 20 or so years much of the focus was on cost reduction. As the efficiency agenda bit into available budgets, many leaders looked towards the labour arbitrage benefits that India could offer, either through their own captive operations or via sourcing partners, to help address the squeeze.

Offshoring business cases often paid lip service to the potential added benefits in areas such as access to skills, quality of delivery or agility, and innovation was often not mentioned at all.

So companies transformed their operating models to offshore delivery models throughout this period. Initially the focus was on Business Process Outsourcing (“BPO”) and Information Technology Outsourcing (“ITO”), with back office operations roles and development forming the lion’s share of the skills transfer. As the model matured, more sophisticated roles in each were shifted offshore in more “value add” areas such as research, development and production, as well as infrastructure operations to manage the emerging cloud delivery models on the Google, Amazon and Microsoft platforms.

However, with the acceleration in technology innovation over the last few years in areas such as Artificial Intelligence, Machine Learning and Automation, there does appear to be a huge opportunity to harness the talent that the offshore providers have developed.

The first movers in the India offshore business have both an advantage and a disadvantage in the new digital economy. Labour arbitrage largely fuelled wave one of the model, enabling companies like TCS, Infosys, Cognizant and HCL to grow their workforces dramatically (TCS now employ c.425k staff at the top end and HCL c.120k at the lower). However, whilst this growth has been good on one hand, it also means that these organisations will have a difficult transformation to go through with their own operating models in areas such as automation. Their capability is without question, but they now face the same challenges as their clients in how to introduce the new technology without eroding their core business.

So let’s look at the next tier of offshore providers. Here we find companies such as MindTree, UST Global and Zensar, all of which still have significant staff numbers, but sub 30k. Naturally these providers have focused their service offerings around digital rather than increasing headcount.

In my view, this puts them at a significant advantage when it comes to engaging with clients for the delivery of new disruptive technology. By building new platforms to automate operations they can take on new clients without the need to hire at the rate required by the previous Indian offshore pioneers, thus limiting the challenge of what to do with what may become a significant surplus of skills.

So what about tapping into this capability for new technology? Offshoring is something that still divides opinions a lot. Yes, there are probably as many tales of woe as there are of delight. However, this is something that we also find with the more traditional onshore models. In truth, when both sides enter into the model as a partnership, with an understanding of what needs to change in the engagement, roles and responsibilities, strengths and weaknesses, and a shared ambition, then it can really benefit both the client and the offshore partner tremendously.

One of the key success factors is to set up the operating model with a common shared interest, irrespective of organisational and geographic boundaries.

One of the things that struck me on my visit was the depth and scale of the talent in new technology, not only within the providers I visited, but also in the very visible growth of big name companies, consultancies and technology mainstays. AI, DevOps, Cloud and ML are core to this revolutionary growth.

In our view, the next few years will bring opportunities to develop partnerships, or even new “captive” type models, with those organisations that are on the pioneering end of the digital growth. Organisations should ask themselves “Why build the capability themselves?”. Often the answer to this question has been coloured by the perceived overhead of managing service provider delivery, through vendor management, security oversight, service delivery management etc.

However, organisations should take a “green field” thought approach to tapping into the offshore provider capability. Core platforms can be delivered by technology and service providers with business services layered on top. Also, this should not be structured as a linear end-to-end service chain, coupled together with hand-offs between the parties, but through a Joint Product Led team. This helps to drive efficiencies, a more agile delivery and an end product aligned more closely with expected business outcomes.

We should say something about the wider macro considerations to using Indian offshore talent. Firstly, from a security perspective there is a noticeable increase in the level of physical security when entering almost all establishments (in response to events over the last 10-15 years). This used to be consigned mainly to corporate access, but this is now visible at hotels, shopping malls and the like. Not an issue, just an observation.

Secondly, India is under pressure to retain its offshore status not just from the nearshore providers, but also from areas such as the Philippines and most notably China. However, this is simply a natural evolution and the competition will provide more choices.

It certainly seems like this decade will bring further opportunities to tap into this offshore digital talent for those that choose to look for it.

Posted on : 15-01-2020 | By : john.vincent | In : General News, Innovation


Extreme Outsourcing: A Dangerous Sport?

Recently I’ve thought about an event I attended in the early 2000s, at which there was a speech that really stuck in my mind. The presenter gave a view on a future model of how companies would source their business operations, specifically the ratio of internally managed operations against those which would be transitioned to external providers (I can’t remember exactly the event, but it was in Paris and the keynote was someone you might remember, named Carly Fiorina…).

What I clearly remember, at the time, was what I considered to be a fairly extreme view of the potential end game. He asked the attendees:

Can you tell me what you think is the real value of organisations such as Coca Cola, IBM or Disney?

Answer: The brand.

It’s not the manufacturing process, or operations, or technology systems, or distribution, or marketing channels, or, or… Clearly everything that goes into the intellectual property to build the brand/product (such as the innovation and design) is important, but ultimately, how the product is built, delivered and operated offers no intrinsic value to the organisation. In these areas it’s all about efficiency.

In the future, companies like these would be a fraction of the size in terms of the internal staff operations.

Fast forward to today and perhaps this view is starting to gain some traction…at least to start the journey. For many decades, areas such as technology services have been sourced through external delivery partners. Necessity, fashion and individual preference have all driven CIOs into various sourcing models. Operations leaders have implemented Business Process Outsourcing (BPO) to low cost locations, as have other functions such as the HR and Finance back offices.

But perhaps there are two more fundamental questions that CEOs of organisations should ask as they survey their business operations:

  • 1) What functions that we own actually differentiate us from our competitors?
  • 2) Can other companies run services better than us?

It is something that rarely gets either asked or answered in a way that is totally objective. That is of course a natural part of the culture, DNA and political landscape of organisations, particularly those that have longevity and legacy in developing internal service models. But it isn’t a question that can be kicked into the long grass anymore.

Despite the green shoots of economic recovery, there are no indications that the business environment is going to return to the heady days of large margins and costs being somewhat “consequential”. It’s going to be a very different competitive world, with increased external oversight and challenges/threats to companies, such as through regulation, disruptive business models and innovative new entrants.

We also need to take a step back and ask a third question…

  • 3) If we were building this company today, would we build and run it this way?

Again a difficult, and some would argue, irrelevant question. Companies have legacy operations and “technical debt” and that’s it…we just need to deal with it over time. The problem is, time may not be available.

In our discussions with clients, we are seeing that this realisation may have dawned. Whilst many companies in recent years have reported significant reductions in staff numbers and costs, are we still just delaying the “death by a thousand cuts”? Some leaders, particularly in technology, have realised not only that running significant operations is untenable, but also that a more radical approach should be taken to move the bar much closer up the operating chain towards where the real business value lies.

Old sourcing models looked at drawing the line at functions such as Strategy, Architecture, Engineering, Security, Vendor Management, Change Management and the like. These were considered the valuable organisational assets. Now, I’m not saying that is incorrect, but what has often happened is that they have been treated holistically and not broken down into where the real value lies. Indeed, for some organisations we’ve heard of Strategy & Architecture having between 500-1000 staff! (…and these are not technology companies).

Each of these functions needs to be assessed and the three questions asked. If done objectively, then I’m sure a different model would emerge for many companies, with trusted service providers running much of the functions previously thought of as “retained”. It is achievable, sensible and maybe necessary.

On the middle and front office side, the same can be asked. When CEOs look at the revenue generating business front office, whatever the industry, there are key people, processes and IP that make the company successful. However, there are also many areas where it was historically a necessity to run internally but which actually add no business value (although, of course, they are still very key). If that’s the case, then it makes sense to source them from a specialist provider where the economies of scale and challenges in terms of service (such as from “general regulatory requirements”) can be managed without detracting from the core business.

So, if you look at some of the key brands and their staff numbers today in the tens or hundreds of thousands, it might only be those that focus on key business value and shed the supporting functions that survive tomorrow.

Posted on : 27-09-2019 | By : kerry.housley | In : Uncategorized


Why are we still getting caught by the ‘Phisher’men?

Phishing attacks have been on the increase and have overtaken malware as the most popular cyber attack method. Attackers are often able to convincingly impersonate users and domains, bait victims with fake cloud storage links, engage in social engineering and craft attachments that look like ones commonly used in the organisation.

Criminal scammers are using increasingly sophisticated methods, employing more complex phishing site infrastructures that can be made to look more legitimate to the target. These include the use of well-known cloud hosting and document sharing services and established brand names which users believe are secure simply due to name recognition. For example, Microsoft, Amazon and Facebook are top of the hackers’ list. Gone are the days when phishing simply involved the scammer sending a rogue email and tricking the user into clicking on a link!

And while we mostly associate phishing with email, attackers are taking advantage of a wide variety of attack methods to trick their victims. Increasingly, employees are being subjected to targeted phishing attacks directly in their browser, with highly legitimate looking sites, ads, search results, pop-ups, social media posts, chat apps, instant messages, as well as rogue browser extensions and free web apps.

HTML phishing is a particularly effective means of attack where it can be delivered straight into browsers and apps, bypassing secure email gateways, next-generation antivirus endpoint security systems and advanced endpoint protections. These surreptitious methods are capable of evading URL inspections and domain reputation checking.

To make matters worse, the lifespan of a phishing URL has decreased significantly in recent years. To evade detection, phishing gangs can often gather valuable personal information in around 45 minutes. The bad guys know how current technologies are trying to catch them, so they have devised imaginative new strategies to evade detection. For instance, they can change domains and URLs fast enough so the blacklist-based engines cannot keep up. In other cases, malicious URLs might be hosted on compromised sites that have good domain reputations. Once people click on those sites, the attackers have already collected all the data they need within a few minutes and moved on.

Only the largest firms have automated their detection systems to spot potential cyberattacks. Smaller firms are generally relying on manual processes – or no processes at all. This basic lack of protection is a big reason why phishing for data has become the first choice for the bad actors, who are becoming much more sophisticated. In most cases, employees can’t even spot the fakes, and traditional defences that rely on domain reputation and blacklists are not enough.

By the time the security teams have caught up, those attacks are long gone and hosted somewhere else. Of the tens of thousands of new phishing sites that go live each day, the majority are hosted on compromised but otherwise legitimate domains. These sites would pass a domain reputation test, but they’re still hosting the malicious pages. Given the fast-paced urgency of this threat, financial institutions should adopt a more modern approach to defending their data. This involves protections that can immediately determine the threat level in real time and block the phishing hook before it draws out valuable information.

  • Always check the spelling of the URLs in email links before you click or enter sensitive information
  • Watch out for URL redirects, where you’re subtly sent to a different website with identical design
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply
  • Don’t post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media
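As an added illustration of the first two checks in the list above (URL spelling and hidden redirects), here is a small defensive scanner that pulls the links out of an HTML email body and flags lookalike brand domains, link text that names a different site than the real destination, and redirect-style query parameters. This is example code written for this page, not code from the original post or from Ironscales; the brand list, the `.example` hostnames and the sample email are all constructed for the example.

```python
"""Defensive link checker for HTML email bodies (constructed example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs
import difflib
import re

# Brands the article names as favourite impersonation targets; the registrable
# domains below are assumed for this example.
KNOWN_BRANDS = ["amazon.com", "facebook.com", "microsoft.com"]


def registrable_domain(host):
    """Crude last-two-label approximation of the registrable domain (no public suffix list)."""
    labels = (host or "").lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the red flags for one anchor; an empty list means nothing suspicious."""
    warnings = []
    target = urlparse(href)
    target_dom = registrable_domain(target.hostname)

    # 1. Link text that looks like a URL but names a different site than the href.
    shown = re.search(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", text)
    if shown:
        shown_dom = registrable_domain(shown.group(1))
        if shown_dom != target_dom:
            warnings.append(f"display text shows {shown_dom} but link goes to {target_dom}")

    # 2. A misspelled or homoglyph brand domain (micros0ft.com, amaz0n.com, ...).
    if target_dom not in KNOWN_BRANDS:
        close = difflib.get_close_matches(target_dom, KNOWN_BRANDS, n=1, cutoff=0.8)
        if close:
            warnings.append(f"{target_dom} looks like {close[0]}")

    # 3. A redirect parameter that forwards the click to a second site.
    for key, values in parse_qs(target.query).items():
        for value in values:
            if value.startswith(("http://", "https://")):
                dest = registrable_domain(urlparse(value).hostname)
                warnings.append(f"redirect parameter {key!r} forwards to {dest}")
    return warnings


def scan_email_html(html):
    """Map each flagged href in the email body to its list of warnings."""
    extractor = LinkExtractor()
    extractor.feed(html)
    flagged = {}
    for href, text in extractor.links:
        warnings = check_link(href, text)
        if warnings:
            flagged[href] = warnings
    return flagged


# Constructed sample: one lookalike domain, one text/href mismatch, one redirect,
# and one benign link that should pass.
SAMPLE_EMAIL = """
<p>Your mailbox is full. <a href="https://login.micros0ft.com/reset">Reset password</a></p>
<p>Your order: <a href="http://secure-amazon.example/x">https://www.amazon.com/orders</a></p>
<p>Shared file: <a href="https://share.example/go?url=https://phish.example/login">Open</a></p>
<p><a href="https://share.example/unsubscribe">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, warnings in scan_email_html(SAMPLE_EMAIL).items():
        print(href)
        for w in warnings:
            print("  -", w)
```

The registrable-domain helper only keeps the last two labels, so multi-part public suffixes such as co.uk would need a proper public suffix list in a production version.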

We have started to work with Ironscales, a company which provides protection utilising machine learning to understand the normal behaviours of users’ email interactions. It highlights (and can automatically remove) suspicious emails from the user’s inbox before they have time to open them. It cross-references this information with multiple other sources and the actions of its other clients’ SOC analysts. This massively reduces the overhead in dealing with phishing or potential phishing emails and ensures that users are aware of the risks. Some great day to day examples include the ability to identify that an email has come from a slightly different email address or IP source. The product is being further developed to identify changes in grammar and language to highlight where a legitimate email address from a known person may have been compromised. We really like the ease of use of the technology and the time saved on investigation & resolution.

If you would like to try Ironscales out, then please let us know.

Phishing criminals will continue to devise creative new ways of attacking your networks and your employees. Protecting against such attacks means safeguarding those assets with equal amounts of creativity.

Posted on : 26-09-2019 | By : kerry.housley | In : Cyber Security, data security, Finance, Innovation


Artificial Intelligence – Explaining the Unexplainable

The rise of Artificial Intelligence (AI) is dramatically changing the way businesses operate and provide their services. The acceleration of intelligent automation is enabling companies to operate more efficiently, promote growth, deliver greater customer satisfaction and drive up profits. But what exactly is AI? How does it reach its decisions? How can we be sure it follows all corporate, regulatory and ethical guidelines? Do we need more human control?

Is it time for AI to explain itself? 

The enhancement of human intelligence with AI’s speed and precision means a gigantic leap forward for productivity. The ability to feed data into an algorithmic black box and return results in a fraction of the time a human could compute them is no longer sci-fi fantasy but now a reality.

However, not everyone talks about AI with such enthusiasm. Critics are concerned that the adoption of AI machines will lead to the decline of the human role rather than freedom and enhancement for workers.

Ian McEwan in his latest novel Machines Like Me writes about a world where machines take over in the face of human decline. He questions machine learning, referring to it as

“the triumph of humanism or the angel of death?” 

Whatever your view, we are not staring at the angel of death just yet!  AI has the power to drive a future full of potential and amazing discovery. If we consider carefully all the aspects of AI and its effects, then we can attempt to create a world where AI works for us and not against us. 

Let us move away from the hype and consider in real terms the implications of the shift from humans to machines. What does this really mean? How far does the shift go?  

If we are to operate in a world where we rely on decisions made by software, we must understand how those decisions are calculated in order to have faith in the results.

In the beginning, AI algorithms were relatively simple, as humans were still learning how to define them. As time has moved on, algorithms have evolved and become more complex. Add machine learning to this and we have machines that can “learn” behaviour patterns, thereby altering the original algorithm. As humans don’t have access to the algorithm’s black box, we are no longer in charge of the process.

The danger is that we do not understand what is going on inside the black box and can therefore no longer be confident in the results it produces.

If we have no idea how the results are calculated, then we have lost trust in the process. Trust is the key element for any business, and indeed for society at large. There is a growing consensus around the need for AI to be more transparent. Companies need to have a greater understanding of their AI machines. Explainable AI is the idea that an AI algorithm should be able to explain how it reached its conclusion in a way that humans can understand. Often, we can determine the outcome but cannot explain how it got there!  

Where that is the case, how can we trust the result to be true, and how can we trust it to be unbiased? The impact is not the same in every case; it depends on whether we are talking about low-impact or high-impact outcomes. For example, an algorithm that decides what time you should eat your breakfast is clearly not as critical as an algorithm which determines what medical treatment you should have.

The greater the shift from humans to machines, the greater the need for explainability.

Consensus for more explainable AI is one thing; achieving it is quite another. Governance is an imperative, but how can we expect regulators to dig deep into these algorithms to check that they comply, when the technologists themselves don’t understand how to do this?

One way forward could be a “by design” approach, i.e. think about the explainable element at the start of the process. It may not be possible to identify each and every step once machine learning is introduced, but a good business process map will help users define the process steps.

The US government has been concerned about this lack of transparency for some time and has introduced the Algorithmic Accountability Act 2019. The Act looks at automated decision making and will require companies to show how their systems have been designed and built. It only applies to large tech companies with a turnover of more than $50M, but it provides a good example that all companies would be wise to follow.

Here in the UK, the Financial Conduct Authority is working very closely with the Alan Turing Institute to ascertain what the role of the regulator should be and how governance can be appropriately introduced.

The question is how explainable and how accurate the explanation needs to be in each case, depending on the risk and the impact.  

With AI moving to ever-increasing levels of complexity, it’s crucial to understand how we get to the results in order to trust the outcome. Trust really is the basis of any AI operation. Everyone involved in the process needs to have confidence in the result and know that AI is making the right decision, avoiding manipulation and bias and respecting ethical practices. It is crucial that the AI operates within publicly acceptable boundaries.

Explainable AI is the way forward if we want to follow good practice guidelines, enable regulatory control and most importantly build up trust so that the customer always has confidence in the outcome.   

AI is not about delegating to robots, it is about helping people to achieve more precise outcomes more efficiently and more quickly.  

If we are to ensure that AI operates within boundaries that humans expect then we need human oversight at every step. 

Posted on : 23-09-2019 | By : kerry.housley | In : Finance, FinTech, General News, Innovation


AI in Cyber Security – Friend or Foe?

Artificial intelligence has been welcomed by the cyber security industry as an invaluable tool in the fight against cyber crime, but is it a double-edged sword: a powerful defender that is also potentially a potent weapon for the cyber criminals?

The same artificial intelligence technologies that are used to power speech recognition and self-driving cars have the capability to be turned to other uses, such as creating viruses that morph faster than antivirus companies can keep up, phishing emails that are indistinguishable from real messages written by humans, and intelligently attacking an organisation’s entire defence infrastructure to find the smallest vulnerability and exploit any gap.

Just like any other technology, AI has both strengths and weaknesses that can be abused when in the wrong hands.  

In the AI-fuelled security wars, the balance of power is currently in the hands of the good guys, but that is undoubtedly set to change.

Until now, attackers have been relying on mass distribution and sloppy security. The danger is that we will see more adversaries, especially those that are well funded, leverage these advanced tools and methods more frequently. It is concerning that nation-state attackers such as Russia and China have almost unlimited resources to develop these tools and make maximum use of them.

The dark web acts as a clearing house for the cyber criminals where all manner of crypto software is available.  

There are many ways in which the hackers seek to benefit from your information but the biggest reward is the password which opens up their world to a whole new set of vulnerabilities to exploit. Algorithms can crack millions of passwords within minutes.  

Threat analytics firm Darktrace has seen evidence of malware programs showing signs of contextual awareness in trying to steal data and hold systems to ransom. They know what to look for and how to find it by closely observing the infrastructure, and they can then work out the best way to avoid detection. This means the program no longer needs to maintain contact with the hacker through command and control servers or other means, which is usually one of the most effective ways of tracking the perpetrator.

Recently, Microsoft was able to spot an attempted hack of its Azure cloud when the AI in the security system identified a false intrusion from a fake site. Had they been relying on rule-based protocols alone, this would have gone unnoticed. AI’s ability to learn and adapt itself to new threats should dramatically improve the enterprise’s ability to protect itself even as data and infrastructure push past the traditional firewall into the cloud and the internet of things.

Human effort won’t scale – there are too many threats, too many changes, and too many network interactions. 

As cybercrime becomes more and more technologically advanced, there is no doubt that we will witness the bad guys employing AI in various additional sophisticated scenarios. 

It’s time for cybersecurity managers to make sure they’re doing everything they can to reduce their attack surface as much as possible, put cutting-edge defenses in place, and replace time-consuming cybersecurity tasks with automation. 

We should all be concerned that as we begin to see AI-powered chatbots and extensive influence weaving through social media, we face the prospect of the internet as a weapon to undermine trust and control public opinion. This is a very worrying situation indeed!

Posted on : 28-06-2019 | By : richard.gale | In : Uncategorized

When a picture tells a 1000 words – An image is not quite what it seems

Steganography is not a new concept: the ancient Greeks and Romans used hidden messages to outsmart their opponents, and thousands of years later nothing has changed. People have always found ways of hiding secrets in a message in such a way that only the sender and intended recipient can understand. This is different from cryptography: rather than obscuring content so it cannot be read by anyone other than the intended recipient, steganography’s aim is to conceal the fact that the content exists in the first place. If you look at two images, one carrying a hidden message and one without, there will be no visible difference. It is a great way of sending secure messages where the sender can be assured of confidentiality and need not be concerned about unauthorised viewing in the wrong hands. However, like so many technologies today, steganography can be used for good or for bad. When the bad guys get in on the act we have yet another threat to explore in the cyber landscape!

Hackers are increasingly using this method to trick internet users and smuggle malicious code past security scanners and firewalls. This code can be hidden in harmless-looking software and jump out at users when they least expect it. The attacker’s software downloads the file carrying the hidden data and extracts it for use in the next step of the attack.

Malvertising is one way in which cyber criminals exploit steganography. They buy advertising space on trustworthy websites and post ads which appear legitimate, hiding their harmful code inside. Bad ads can redirect users to malicious websites or install malware on their computers or mobile devices. One of the most concerning aspects of this technique is that users can be infected even if they don’t click on the image; often just loading the image is enough. Earlier this year, millions of Apple Mac users were hit when hackers used advertising campaigns to hide malicious code in ad images to avoid detection on their laptops. Some very famous names such as the New York Times and Spotify have inadvertently displayed these criminal ads, putting their users at risk.

Botnets are another way in which hackers use steganography, with hidden code in the inbound traffic flow used to download further malicious code. Botnet controllers employ steganography techniques to control target endpoints. They hide commands in plain view, perhaps within images or music files distributed through file sharing or social networking websites. This allows the criminals to surreptitiously issue instructions to their botnets without relying on an ISP to host their infrastructure, minimising the chances of discovery.

It’s not only the cyber criminals who have realised the potential of steganography; the malicious insider too is an enthusiast! Last year a Chinese engineer was able to exfiltrate sensitive information from General Electric by hiding it steganographically in images of sunsets. He was only discovered when GE security officials became suspicious of him for an unrelated reason and started to monitor his office computer.

Organisations should be concerned about the rise of steganography from both malicious outsiders and insiders. The battle between the hackers and security teams is on, and one that the hackers are currently winning. There are so many different steganography techniques that it is almost impossible to find one detection solution that can deal with them all. So, until there is a detection solution, it’s the same old advice: always be aware of what you are loading and what you are clicking.

There is an old saying “the camera never lies” but sometimes maybe it does!
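To make the “no visible difference” point concrete, here is an added Python example (not code from the original post): it embeds a payload by least-significant-bit replacement in a constructed greyscale image, shows that no pixel moves by more than 1, and runs the chi-square pairs-of-values test that a defender can use to flag a sequentially embedded payload. The cover pixels, the payload, the seed and the 70% even-value skew are constructed assumptions.

```python
import random
from typing import List

# Added, constructed example (not from the original article): sequential LSB
# replacement in 8-bit greyscale pixels, and the chi-square "pairs of values"
# test (Westfeld & Pfitzmann) that defenders use to flag such embedding.

def make_cover(n: int, seed: int = 1) -> List[int]:
    """Constructed cover: pseudo-random pixels with 70% forced even, mimicking
    the unequal even/odd counts that unmodified images usually show."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n):
        value = rng.getrandbits(8)
        if rng.random() < 0.7:
            value &= 0xFE
        pixels.append(value)
    return pixels

def embed_lsb(cover: List[int], message: bytes) -> List[int]:
    """16-bit length header then message bits, MSB first, one bit per pixel."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("message does not fit in cover")
    stego = list(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # only the LSB ever changes
    return stego

def extract_lsb(stego: List[int]) -> bytes:
    """Inverse of embed_lsb: read the header, then that many bytes."""
    bits = [p & 1 for p in stego]
    def read(offset: int, count: int) -> bytes:
        return bytes(int("".join(map(str, bits[offset + 8 * b:offset + 8 * b + 8])), 2)
                     for b in range(count))
    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)

def max_delta(a: List[int], b: List[int]) -> int:
    """Largest per-pixel change: 1 for LSB replacement, i.e. not visible."""
    return max(abs(x - y) for x, y in zip(a, b))

def chi_square_pairs(pixels: List[int]) -> float:
    """Statistic over the 128 value pairs (2k, 2k+1). Unmodified covers give a
    large value; a region fully overwritten by LSB replacement equalises each
    pair's counts and the statistic collapses towards the ~128 degrees of freedom."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
    return stat

if __name__ == "__main__":
    cover = make_cover(4096)
    secret = b"constructed sample payload " * 8
    stego = embed_lsb(cover, secret)
    used = 16 + 8 * len(secret)  # pixels the payload occupies
    print(extract_lsb(stego) == secret, max_delta(cover, stego),
          round(chi_square_pairs(cover[:used])), round(chi_square_pairs(stego[:used])))
```

The statistic drops from the hundreds on the untouched cover region to roughly the degrees of freedom on the embedded region; scattered or LSB-matching embedding defeats this simple test, which is one reason no single detector covers every technique.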

Posted on : 28-06-2019 | By : richard.gale | In : Uncategorized

How secure are your RPA Processes?

Robotic Process Automation is an emerging technology, with many organisations looking at how they might benefit from automating some or all of their business processes. However, in some companies there is a common misconception that letting robots loose on the network could pose a significant security risk, the belief being that robots are far less secure users than their human counterparts.

In reality, a compelling case could be made that robots are inherently more secure than people.

Provided your robots are treated in the same way as their human teammates, i.e. they inherit the security access and profile of the person/role they are programmed to simulate, there is no reason why a robot should be any less secure. In other words, the security policies and access controls suitable for humans should be applied to the software robots in just the same way.

There are many security advantages gained from introducing a robot into your organisation.  

  • Once a robot has been trained to perform a task, it never deviates from the policies, procedures and business rules in place.
  • Unlike human users, robots lack curiosity (so they won’t be tempted to open phishing emails) and cannot be tricked into revealing information or downloading unauthorised software.
  • Robots have no motives which might turn them into a disgruntled employee who ignores existing policies and procedures.

So we can see that, on the contrary, in many ways the predictable behaviour of robots makes them your most trusted employees!

RPA certainly represents an unprecedented level of transformation and disruption to “business as usual” – one that requires careful preparation and planning. But while caution is prudent, many of the security concerns related to RPA implementation are overstated. 

The issue of data security can be broken down into two points:

  • Data Security 
  • Access Security 

This means ensuring that the data being accessed and processed by the robot remains secure and confidential. Access management of the robots must be properly assigned and reviewed similar to the review and management of existing human user accounts. 

Here are some of the key security points to consider: 

  1. Segregating access to data is no different from granting access to normal users: grant what the robot actually needs to do its job, and do not provide domain admin permissions and/or elevated access unless absolutely necessary.
  2. Passwords should be maintained in a password vault and service accounts’ access should be reviewed periodically.
  3. Monitor the activity of the robots and their logon information via a “control room” (e.g. monitoring of logon information and any errors).
  4. An RPA environment should be strictly customised via Active Directory integration, which will increase business efficiency as access management is centralised.
  5. Encryption of credentials.
  6. Perform independent code audits and reviews, no different from any other IT environment.
  7. Robots should be programmed using secure coding practices.
  8. Security testing against policy controls.
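The points above can be turned into an automated check against each robot’s service-account record. The Python below is an added example, not code from the original article or from any RPA product; the record fields, the 90-day review period and the vault:// reference scheme are assumptions.

```python
from datetime import date, timedelta
from typing import Dict, List

# Added example, not from the original article: a policy check for an RPA
# robot's service-account record. Field names, the 90-day review period and
# the "vault://" credential scheme are assumptions for illustration.

ELEVATED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
REVIEW_PERIOD = timedelta(days=90)   # assumption: "periodically" = quarterly
AS_OF = date(2019, 6, 17)            # constructed "today" for the demo

def check_robot_account(acct: Dict, today: date) -> List[str]:
    """Return the list of control violations; an empty list means compliant."""
    findings = []
    # 1. Least privilege: no elevated groups unless explicitly justified.
    elevated = ELEVATED_GROUPS & set(acct.get("groups", []))
    if elevated and not acct.get("elevation_justification"):
        findings.append(f"elevated groups without justification: {sorted(elevated)}")
    # 2. Credentials come from a vault reference, never a plaintext password,
    #    and the account's access is reviewed periodically.
    if not str(acct.get("credential", "")).startswith("vault://"):
        findings.append("credential is not a vault reference")
    last = acct.get("last_access_review")
    if last is None or today - last > REVIEW_PERIOD:
        findings.append("access review overdue")
    # 3. Control-room monitoring of logons and errors.
    if not acct.get("control_room_monitoring"):
        findings.append("control-room monitoring disabled")
    # 4. Identity managed centrally in Active Directory.
    if acct.get("directory") != "active_directory":
        findings.append("account not integrated with Active Directory")
    # 5. Stored credentials encrypted at rest.
    if not acct.get("credentials_encrypted"):
        findings.append("stored credentials not encrypted")
    return findings

# Constructed records: the weak configuration beside the corrected one.
WEAK_ROBOT = {
    "name": "invoice-bot",
    "groups": ["Domain Admins", "Finance-Users"],
    "credential": "plaintext-password-in-config",
    "last_access_review": date(2018, 11, 1),
    "control_room_monitoring": False,
    "directory": "local",
    "credentials_encrypted": False,
}
HARDENED_ROBOT = {
    "name": "invoice-bot",
    "groups": ["Finance-Users", "RPA-Runtime"],
    "credential": "vault://rpa/invoice-bot/login",
    "last_access_review": date(2019, 5, 20),
    "control_room_monitoring": True,
    "directory": "active_directory",
    "credentials_encrypted": True,
}

if __name__ == "__main__":
    for robot in (WEAK_ROBOT, HARDENED_ROBOT):
        print(robot["name"], check_robot_account(robot, AS_OF) or "compliant")
```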

All these points must be considered from the outset. This is security by design, which must be embedded in the RPA process from the start. It must be re-emphasised that the security of RPA is not just about protecting access to the data but about securing the data itself.

Overall, RPA lowers security-related efforts associated with training employees and teaching them security practices (e.g. password management, applications of privacy settings etc) because it ensures a zero-touch environment. By eliminating manual work, automation minimizes security risks at a macro level, if the key controls are implemented at the beginning. 

In addition, an automated environment removes biases, variability and human error. The lack of randomness and variability can increase uniform compliance of company requirements built in the workflows and tasks of the automation. 

Besides security risks, the zero-touch environment of RPA also helps mitigate other human-related risks in business operations. An automated environment is free from the biases, prejudices and variability that come with human work and bring the risk of error. Because of this, RPA ensures less risky and more consistent work with trustworthy data.

Therefore, RPA should be wisely implemented, which basically amounts to a choice of a stable RPA product or provider, backed by proper, constant monitoring of security measures. Providing role-based access to confidential data, monitoring access and data encryption are the most salient means to deal with security risks. 

Posted on : 17-06-2019 | By : richard.gale | In : Uncategorized

Are you able to access all the data across your organisation?

For many years data has been the lifeblood of the organisation and more recently, the value of this commodity has been realised by many companies (see our previous article “Data is like oil”).

Advances in technology, processing power and analytics means that companies can collect and process data in real time. Most businesses are sitting on vast amounts of data and those that can harness it effectively can gain a much deeper understanding of their customers, better predict and improve their customer experience.

Our survey revealed that whilst most companies understand the value of their data and the benefits it can bring, many clients revealed a level of frustration in the systems and processes that manage it. Some respondents did qualify that “most of the data” was available, whilst others admitted some was stranded.

“Data is in legacy silos, our long-term goal is to provide access through a consistent data management framework”

The deficiencies that we also discuss in this newsletter regarding legacy systems are partly responsible for this, although not wholly. This is a particular issue in financial services where many organisations are running on old systems that are too complex and too expensive to replace. Critical company data is trapped in silos, disconnected and incompatible with the rest of the enterprise.

These silos present a huge challenge for many companies. Recalling a comment of one Chief Data Officer at a large institution:

“If I ask a question in more than one place, I usually get more than one answer!”

Data silos are expanding as companies collect too much data which they hold onto for longer than they need to. Big data has been a buzzword for a while now, but it is important that companies distinguish between big data and big bad data! The number of data sources is increasing all the time, so the issue must be addressed if the data is to be used effectively to return some business value. The collection of a virtually unlimited amount of data needs to be managed properly to ensure that all data stored has a purpose and can be protected.

Shadow data further exacerbates the issue. This data is unverified, often inaccurate and out of date. Oversharing of this data results in it being stored in areas that are unknown and cannot be traced, creating yet more data silos hidden from the wider enterprise. This data is then treated as a valid source, relied upon and used as input into other systems, which can ultimately lead to bad business decisions being made.

A robust data governance and management strategy is something whose importance cannot be overstated, particularly for those serious about the digital agenda and customer experience. This is also a topic where business and IT leadership must align on the product strategy and the underlying “data plumbing”. This is not just about systems but also about the organisation’s attitude to data and its importance in the life of every business process. It is important that companies implement a data management strategy which encompasses not only the internal platforms and governance but also the presentation layer for business users, consumers and data insights.

Posted on : 31-03-2019 | By : richard.gale | In : Data, Finance
