Be Good or be Safe – The Cyber Monday Security Manual

Posted on : 27-11-2015 | By : Jack.Rawden | In : Cyber Security


In the aftermath of Black Friday and as millions immerse themselves into today’s Cyber Monday shopping extravaganza, data security becomes a major concern for both consumers and (online) retailers.

Especially in the context of recent cyber attacks, with the infamous breaches at TalkTalk, JPMorgan, Ashley Madison and Morrison’s making the headlines all over the world, Brits are increasingly aware of the threats awaiting them in the online environment.

Sensitive data, from consumers’ credit card details to their cheating history, is revealed, causing hassle and heartbreak; according to recent research by Deloitte, as many as 21 per cent of people living in the UK have had their bank accounts used for purchases as a result of cyber security breaches. Companies that fail to protect consumer data from theft face financial and reputational consequences, including loss of consumer confidence.

Nevertheless, the sense of impending doom will neither stop consumers from shopping online till they drop today, nor prevent e-retailers from taking advantage of this unique opportunity to push pre-Christmas online sales. Data from Experian and IMRG reveals that Cyber Monday online traffic is up by 60% year-on-year. The 2014 online sales holiday drove 161m visits to UK e-commerce websites, exceeding predictions with a 40% rise compared to 2013, with UK shoppers spending an estimated £720m.

As online shoppers, what can we do to stay safe? Let’s protect ourselves (not only this Monday) by following these 10 tips:

1. Make sure the device you are using for online purchases is protected with anti-virus software or a full security suite of products.

2. Regularly update software for your operating system and applications.

3. Don’t get tempted to click on the weblinks in unsolicited e-mails. Cyber criminals will use Cyber Monday as an opportunity to send out fake deals to your inbox.

4. Ensure that your computer’s phishing protections are switched on.

5. Refrain from using a debit card – credit cards, PayPal and gift cards are significantly more secure for online purchases.

6. Before you click the ‘buy’ button, triple-check the legitimacy of the website you are using to shop; the website URL should start with ‘https’ and a padlock icon indicating an encrypted connection should appear in the browser.

7. Watch out for fake retail apps – cyber criminals are becoming increasingly sophisticated when disguising themselves and now create fake applications, which closely resemble original ones!

8. If something seems too good to be true, it’s a scam – Apple would not be able to build a viable business model by selling iPads for a quid!

9. As the majority of retail websites now require you to sign in to buy the items in your basket, make sure that the passwords you create are strong and unique. It’s not just a cliché – to be safe, your passwords really need to include upper- and lower-case letters, numbers and special characters.

10. Free Wi-Fi is always a treat, however it’s better not to risk using it when you shop online – it’s OK to use it for browsing around retailers’ websites to identify those not-to-miss deals, but before you proceed to payment, always switch to a secure connection.

While some of the above tips, including the use of strong passwords and regularly updating software, are highly relevant to enhancing security in the corporate environment, protecting companies from cyber threats is of course a much more complex process. The good news is that we are here to help. If you would like to strengthen your organisation’s security, why not start by analysing its current security risk maturity level through our ASSURITY Assessment? Click here to find out about our innovative three-step tool.

Five minutes with…

Posted on : 27-11-2015 | By : Maria Motyka | In : 5 Minutes With, Cloud, Cyber Security, Innovation


We are doing a series of interviews with leaders to get their insight on the current technology market and business challenges. Here in our first one, we get thoughts from Stephen O’Donnell, who recently took up the post of CIO for UK & Ireland at G4S.

Which technology trends do you predict will be a key theme for 2016?

“The key trend is the adoption of cloud technology moving from the SME market space, where it is already strong, to really making an impact in the enterprise space.

We’ve seen cloud and SaaS being adopted by smaller companies and now it will be adopted by bigger enterprises. We’ve also seen support for cloud based services from major system integrators and software suppliers like Microsoft, SAP and so on. The time for IT delivered as a service has come and the cloud is about to become all-encompassing across the entire IT world.

This has big implications in the ways that CIOs and business leaders need to manage their systems, away from low-level management of infrastructure into the management of services and concerns about service integration.

Fundamentally it’s a bit like the Hollywood movie industry moving from the silent movie era to the talking era. Not all of the actors made it through – they did not have the skills and experience and I think this is what will happen in the IT industry. Some IT leaders will have difficulties, others will be more successful thanks to their deeper understanding of the business impact of IT, how automation and cloud based services can really help businesses drive competitiveness and agility, reduce risk and cut costs.”


You recently joined G4S, the world’s leading international security solutions group, as CIO. What is your vision for the future of technology services there?

“G4S are adopting the cloud very aggressively. We have 622,000 employees, we’re a really large entity and we have stopped using Microsoft technology and are now using Google and the cloud instead. This consists of Google Apps for work, Google Docs for word processing, Google Sheets for spreadsheets and Gmail for email and collaboration platforms. In terms of the cloud, we use Google Drive for storage, everything is now in the cloud and we access it through a browser.

You have no idea how much simpler the world becomes. All of the complexities fade away. It’s now very much about managing the cloud contract and ensuring that the end-users are familiar with the technology and are appropriately supported. It’s very simple, it integrates extremely well with any device. We’ve seen very happy customer experience – whether using a Chromebook, a Mac, a PC with a browser – people can access the systems in the same way and just as securely. Wi-Fi capabilities in the office also become a lot simpler and we don’t have to be worried about highly secured corporate networks.

I think everyone would agree that the world is moving away from landlines to mobile communications. From standard telephone calls to IP-based telephone calls: using – in the consumer space Skype and WhatsApp, in the business space Google Hangouts, Skype for Business and so on – we see a massive adoption of that in business. We’ve really adopted Google Hangouts for collaboration and conferencing and have moved away from desk phones to cellphones.

Even when you look at the shape of our business… we have a huge number of people and the vast majority of them are working on customer site because they are security guards there, they do facility management, they’re doing cash in transit. They’re working in public services, working for hospitals… Having landlines just doesn’t make sense.

The whole company has gone mobile. I don’t have a desk phone and – actually – you know what? I don’t miss it at all. I have a cellphone and it works extremely well; when I want to collaborate I use some of the internet-based tools like Hangouts. Equally – why do you need a fax? When was the last time you sent or received a fax…?

Migration from fixed to mobile has been a key change in the workplace and I’ll be surprised if more companies don’t adopt this. It’s all about simplifying the environment and being more economical.”


In your opinion, what are the greatest challenges IT leaders face in terms of securing organisations’ critical data?

“It’s a very relevant question. In the aftermath of the Paris attacks by ISIS someone said the terrorists only have to be lucky once and the authorities need to be lucky all of the time. I think the same applies to corporate and corporate data security.

Everyone is under absolutely intense attack and due to the complex systems, we have to make assumptions that, regardless what we do, some of our critical data will become exposed.

It could be through employees or through contractors whom we trust who might choose to do the wrong thing, or it might be via external agents, who manage to overcome our security systems either by using technology or by stealth, for example phishing attacks getting access to our data.

I think the key things are that we can put all the peripheral protections on our data: firewalls, secure data centres, the man guards on the gates etc. but we have to encrypt the data.

We have to adopt digital rights management so that we can restrict the data to those who are supposed to see it and ensure that anyone who steals it won’t be able to use it due to encryption.

If you can’t publish your corporate data on the internet and know it’s safe, then it’s not safe. So it really needs to be encrypted and protected. That’s the core principle.”


You spent two years at Broadgate. What was the most rewarding client project you delivered working with them as a consultant?

“That’s a really difficult question as all my projects at Broadgate have been quite exciting. If you don’t mind I’ll tell you about the highlights of the things that I did as a Broadgate Consultant.

I worked in the insurance business for as Chief Technology Officer and I took a massive two-year development backlog and cut it down to delivering in real time. My change programme involved taking the company from being a waterfall software delivery shop into being an agile delivery shop.

It involved the entire Development Team and Project Managers, and the end result was that in a very short period of six months we changed the business and its view on the IT department’s ability to deliver. A very positive outcome.”


It’s interesting how your work was also about changing businesses’ view on the importance of IT protection?

“I very much agree. I think that very often businesses wrongly focus merely on cost-cutting.

It is also worth noting that a radical process, such as an operating model change, can be difficult for incumbent teams to deliver. Bringing in a fresh pair of hands, someone who doesn’t have the business-as-usual activities to get on with and can focus on change, really accelerates such projects and helps the business.

At a large retail bank, I went into the voice communications department. The organisation was spending £55m a year on third party costs – telecommunications, calls etc. My work there was to introduce a new operating model – consolidating business into a single telecoms entity and cutting costs. In a very short period of time (11 months), I saved the company £27m and simultaneously dramatically improved service levels offered by the business, so it was a real success.

Another engagement was really a short but exciting project at a wealth management client who had a business imperative to modernise their IT platforms. It was a really exciting piece of work working with the CIO and we made the decision not to modernise IT platforms but migrate functionality into the cloud. The piece of work I was set to do was responsible for the new cloud strategy: assessing costs, determining what the approach should be, identifying critical success factors and considering the things that might get in the way of the client executing on their vision.”


What do you see as the biggest technology disrupters in data centre services?

“Just like everything else in the world, IT is commoditising and lately we’ve seen this accelerating.

Everyone uses IT, the younger generation check their Facebook and Instagram several times an hour, it’s an absolutely essential business tool – try to work without email – absolutely impossible.

The industry commoditises and consolidates and IT is becoming a service. We see large global organisations delivering IT services that are ready to be consumed, you don’t have to self-assemble them. If you buy a car you expect it to come with tyres and a steering wheel. That’s not how IT has been consumed – you had to buy all the parts separately and assemble them. That’s changing. It is all commoditising, it’s becoming holistic, delivered as a service.”


Broadgate Innovation Dinner Summary

Posted on : 27-11-2015 | By : Jack.Rawden | In : Innovation


Broadgate recently hosted its second annual innovation dinner. We hosted a variety of clients, partners and security experts in an open and frank discussion over dinner. The evening followed this general structure:

Current Challenges

• Trends
• Current protection levels
• Challenges (non-technology, budgets, perceptions, appetite for change etc.)

Current Threats

• What are the biggest threats out there?
• What are the current trends?
• How should you neutralise any threats?

In the Future: what will things look like in the next 3 to 5 years?

• What are the emerging threats?
• What products are emerging to counter these threats?
• What ways are the market/industry trending towards?

CLIENT CHALLENGES

The client challenge is dependent on the organisation, its structure, and its attitude to cyber risk. Organisations fall into two categories:

• Those that are focused, interested and allocate budget to Information/Cyber Security. It’s identified as a major issue and one that they are actively discussing, managing and remediating.
• Those organisations that are either in denial as to the consequences of a cyber attack, or simply don’t have the budget to allocate to an event whose probability they see as hard to define. Cyber Security often struggles to get the budget approval and support at senior level.

Within this challenge there is a clear split between the types of technology adopted, dependent on the organisation. Typically, heavily regulated organisations (Finance, Legal) have a tendency to avoid “cloud” products and lean towards in-house solutions. However, as the cloud develops and attitudes about its security improve, cloud products are likely to be more widely adopted by organisations.

Interestingly, technology investment often isn’t the issue holding back an organisation’s cyber security. It is often the processes, policies and procedures that are in place which need reviewing and updating regularly.

Another key challenge for most organisations is data and its classification. Companies must identify their critical data and who can access it.

TRAINING/EDUCATION

Training remains a priority for organisations and can lead to a significant reduction in the level of risk that they face (particularly through phishing and other social engineering attacks). However, alone it’s not enough to protect an organisation; together with other remediation measures it plays a crucial role.

PRODUCTS/APPROACH/THREATS

As well as advanced and new threats, it’s often the old threats that are still out there and continue to cause damage. The TalkTalk hack was not a new one, but a basic SQL injection attack. Often attacks can be prevented by simple system hygiene measures.

Palo Alto commented that the aim is to keep the threats at the perimeter, but they also believe in a fully integrated approach which will result in the majority of attacks being prevented. They believe in a “zero trust” policy, so that anything on a network is not automatically trusted. The Cyber Threat Alliance and the sharing of knowledge between organisations is crucial, and only by sharing knowledge is it possible to effectively counteract the threats.

Menlo believes in isolating threats from the endpoint and stopping them impacting the machine. Analysis of the top 50 sites, including #17, a well-known malware domain, shows that a large amount of executable code with vulnerabilities is executed on your machine. A particularly bad offender is the Telegraph, which downloads up to 5.5MB of code to execute from various sources. Users are accessing these sites regularly, so it’s another important area to focus on.


Future

There was mutual agreement that cyber security isn’t a trend or a buzzword but a key area for the future, with threats impacting organisations more and more. The ‘Bad Guys’ are well funded, well resourced and will keep going as long as there is a market for stolen data.

As ever, the future is hard to predict, especially the ways in which the market might move next. Areas of focus for clients are continued investment into cyber threat detection, protection and remediation. This means investing in the right technology in the right areas of your business.

ALL ATTENDEES AGREED THAT IT’S NOT A CASE OF IF YOU WILL BE BREACHED BUT “WHEN” YOU WILL BE BREACHED…

Why Company Boards must take Cyber Security out of the too difficult pile!

Posted on : 27-11-2015 | By : Jack.Rawden | In : Cyber Security


Lady Barbara Judge was recently quoted as saying that the “whole issue of cyber security is so overwhelming to boards that they often put it in the ‘too difficult’ category”.

A recent survey of the UK’s FTSE350 companies showed that although companies are worried about cyber security, about a quarter of them fail to take any action. In the age of a growing cyber security threat landscape and the resulting rise in litigation, this is a risk that boards can no longer afford to ignore!

So what are the reasons for this complacency? The FT/ICSA Boardroom Bellwether survey found that companies simply feel they have bigger fish to fry and there are more important risks to be concerned about. Politics and the debate about the UK leaving the EU, together with litigation, were considered more critical risk factors. Is this because, fundamentally, as Lady Judge said, boards often lack the knowledge to understand the cyber threat and all that it entails?

Cyber security is seen as a buzzword associated with scaremongering and not a reality. Members of boards are baffled by cyber threat terminology, not understanding the IT language in which cyber security is often communicated. In the cases where directors do accept that a cyber attack is likely to happen, they think that financially they can afford to “take the hit”. However, with the increasing litigation over cyber security breaches and the fact that litigation generally is high on their risk list, companies will be forced to take a more proactive approach to their information security.

UK companies are governed by the UK Corporate Governance Code, which states that directors are expected to assess and mitigate the principal risks facing the company, with UK listed firms required to make a statement to this effect in their Annual Company Report. Although this is not legally binding, Institutional Shareholder Services (ISS) can recommend, under extraordinary circumstances, voting against individual directors for material failure of governance, stewardship or risk oversight.

After the Target breach in the US, the CIO and CEO resigned as a result of public and shareholder pressure. Whilst most litigation resulting from a cyber attack has been in the US, it is only a matter of time before we see a significant case in the UK. This shows us that shareholders are not afraid to scrutinise company directors and the board for their role in not taking adequate steps to protect their information and prevent the damage.

Litigation in the UK until now has been rare, the main reason being the difficulty in establishing the nature and extent of financial loss in the aftermath of a breach. However, in the case of Google v Vidal-Hall earlier this year, the court found that the claimants could claim for distress without having to prove pecuniary loss. This has greatly increased the scope for compensation claims in the future.

Regulators are also keen to be seen to be taking tougher action on data loss, with fines from the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) on the increase. At the moment the ICO has the ability to set fines of up to £500,000. When the EU Data Protection Regulation comes into force we will see fines of up to 5% of annual worldwide turnover or 100M Euros, whichever is the greater.

Directors in the UK are under increasing pressure to account for any failures of their company’s data protection policies. They must reassess their duties to exercise reasonable skill and care to mitigate the principal risks to their business. This now means reviewing their information security risks, protecting their most critical information and putting robust plans in place to deal with a breach when it happens!

To find out how Broadgate might assist with this, please visit our Assurity page. We specialise in working with boards to identify their key cyber security risks and how to protect against them.