GDPR – A Never Ending Story

Posted on : 28-06-2018 | By : richard.gale | In : compliance, Consumer behaviour, Cyber Security, Data, data security, GDPR


For most of us, the run up to the implementation of GDPR meant that we were overwhelmed by privacy notices and emails begging us to sign up to mailing lists. A month on, what is the reality of this regulation and what does it mean for businesses and their clients?

There was much agonising by companies who were racing to comply, concerned that they would not meet the deadline and worried what the impact of the new rules would mean for their business.

If we look at the regulation from a simple, practical level all GDPR has done is to make sure that people are aware of what data they hand over and can control how it’s used. That should not be something new.

Understanding where data is and how it is managed correctly is not only fundamental to regulatory compliance and customer trust, but also to providing the highly personalised and predictive services that customers crave. Therefore, the requirements of regulation are by no means at odds with the strategies of data-driven finance firms, but in fact are perfectly in tune.

Having this knowledge is great for business as clients will experience a more transparent relationship and with this transparency comes trust. Businesses may potentially have a smaller customer base to market to, but this potential customer base will be more willing and engaged which should lead to greater sales conversion.

The businesses that will see a negative impact will be the companies that collect data by tricking people with dubious tactics. The winners will be the companies that collect data in open and honest ways, then use that data to clearly benefit customers. Those companies will deliver good experiences that foster loyalty. Loyalty drives consumers to share more data. Better data allows for an even better, more relevant customer experience.

If we look at the fundamentals of financial services, clients are often handing over their life savings, which they are entrusting to companies to nurture and grow. Regardless of GDPR, businesses shouldn’t rely on regulation to keep themselves in check but should instead always have customer trust at the top of their agenda. No trust means no business.

The key consideration is what can you offer that will inspire individuals to want to share their data.

Consumers willingly give their financial data to financial institutions when they become customers. An investment company may want to ask each prospect how much money she is looking to invest, what her investment goal is, what interests she has and what kind of investor she is. If these questions are asked “so we can sell to you better,” it is unlikely that the prospect will answer or engage. But, if these questions are asked “so that we can send you a weekly email that describes an investment option relevant to you and includes a few bullets on the pros and cons of that option,” now the prospect may happily answer the questions because she will get something from the exchange of data.

Another advantage of GDPR is the awareness requirement. All companies must ensure that their staff know about GDPR and understand the importance of data protection. This is a great opportunity to review your policies and procedures and address the company culture around client information and how it should be protected. With around 50% of security breaches being caused by careless employees, the reputational risks and potential damage to customer relationships are significant, as are the fines that can be levied by the ICO for privacy breaches.

Therefore, it is important to address the culture to make sure all staff take responsibility for data security and the part that they play. Whilst disciplinary codes may be tightened up to make individuals more accountable, forward thinking organisations will take this opportunity to positively engage with staff and reinforce a culture of genuine customer care and respect.

A month on, it is important to stress that being GDPR ready is not the same as being done! Data protection is an ongoing challenge requiring regular review and updates in a fast-moving threat environment.

With some work upfront, GDPR is a chance to clean your data and review your processes to make everything more streamlined benefiting both your business and your clients.

Everyone’s a winner!


kerry.housley@broadgateconsultants.com


Battle of the Algorithms Quantum v Security

Posted on : 28-03-2018 | By : kerry.housley | In : Cyber Security, data security, FinTech, Innovation, Predictions


Like black holes, quantum computing was for many years nothing more than a theoretical possibility. It was something that physicists believed could exist, but it hadn’t yet been observed or invented.

Today, quantum computing is a proven technology, with the potential to accelerate advances in all aspects of our lives; the scope is limitless. However, this very same computing power that can enhance our lives can also do a great deal of damage, as it touches many of the everyday tasks that we take for granted. Whether you’re sending money via PayPal or ordering goods online, you’re relying on security systems based on cryptography. Cryptography is a way of keeping these transactions safe from cyber criminals hoping to catch some of the online action (i.e. your money!). Modern cryptography relies on mathematical calculations so complex, using such large numbers, that attackers can’t crack them. Quantum could change this!

Cybersecurity systems rely on uncrackable encryption to protect information, but such encryption could be seriously at risk as quantum develops. The threat is serious enough that it’s caught the interest of the US agency National Institute of Standards and Technology (NIST). Whilst acknowledging that quantum computers could be 15 to 20 years away, NIST believes that we “must begin now to prepare our information security systems to be able to resist quantum computing.”

Many believe that quantum computers could rock the current security protocols that protect global financial markets and the inner workings of government. Quantum computers are so big and expensive that, outside of global technology companies and well-funded research universities, most will be owned and maintained by nation-states. Imagine the scenario where a nation-state intercepts the encrypted financial data that flows across the world and is able to read it as easily as you are reading this article. Rogue states may be able to leverage the power of quantum to attack the banking and financial systems at the heart of the western business centres.

The evolution of the quantum era could have significant consequences for cyber security, where we will see a new phase in the race between the defenders and the attackers of our information. Cryptography will be the battlefield on which this war of the future will be fought, and the contenders are already preparing for a confrontation that could take place in the coming years. The evolution of quantum computing will crack some cryptographic codes, but how serious is the threat?

In theory, a quantum computer would be able to break most of the current algorithms, especially those based on public keys. A quantum computer can factor at a much higher speed than a conventional one. A brute-force attack (testing all possible passwords at high speed until you get the right one) would be a piece of cake with a machine that boasts these characteristics.

However, on the other hand, with this paradigm shift in computing will also come the great hope for privacy. Quantum cryptography will make things very difficult for cybercriminals. While current encryption systems are secure because intruders who attempt to access information can only do so by solving complex problems, with quantum cryptography they would have to violate the laws of quantum mechanics, which, as of today, is impossible.

Despite these developments we don’t believe there is any cause for panic. As it currently stands the reality is that quantum computers are not going to break all encryption. Although they are exponentially more powerful than standard computers, they are awkward to use as algorithms must be written precisely or the answers they return cannot be read, so they are not easy to build and implement.

It is unlikely that hacktivists and cybercriminals could afford quantum computers in the foreseeable future. What we need to remember is that most attacks in today’s threat landscape target the user, where social engineering plays as large a part as, if not a larger part than, technical expertise. If a human can be persuaded to part with a secret in inappropriate circumstances, all the cryptography in the world will not help, quantum or not!

It is important that organisations understand the implications that quantum computing will have on their legacy systems, and take steps to be ready. At a minimum, that means retrofitting their networks, computers, and applications with encryption that can withstand a quantum attack.

Quantum computing presents both an unprecedented opportunity and a serious threat. We find ourselves in a pre-quantum era, we know it’s coming but we don’t know when…

Are you ready for Y2Q (Years to Quantum)?

INTERNET 1 – INTERNET OF THINGS 3

Posted on : 28-02-2018 | By : richard.gale | In : Cyber Security, data security, IoT


Each month we will be taking a more in depth look at our Broadgate Predictions for 2018.

Is there anything left which is not internet connected? Two years ago, there were very few people that had any interest in communicating with a lightbulb – apart from flicking a light-switch. Now IoT connected lightbulbs appear to be everywhere and the trend will grow and grow. The speed at which this is happening is accelerating and the scope of connected devices is expanding beyond belief. Who would have thought we needed a smart hairbrush!

Use of IoT Devices Surges to 49%

In the same way that the Internet of Things has transformed our home lives, it has proved to be highly beneficial for organisations, speeding up business processes and improving efficiency, service and process management. Gartner predicts the use of IoT devices will have surged to 49% by the end of this year. As companies race ahead to become more connected in this way, few organisations are pausing to think about the enormous risks they face by embracing this technology. We are allowing these devices to listen, see and control parts of our lives, and the data they gather has value both for good and bad reasons. There is no ‘culture of security’ for IoT. Many of the devices are cheaply designed and manufactured with no thought towards security or data privacy. We are allowing these devices into our lives and we don’t really know what they know and who knows what they know.

Devices Poorly Protected

For business, the danger is that the adoption of these mobile devices creates an influx of additional entry points into the corporate network over WiFi or Bluetooth, creating a major security risk. These devices are poorly protected, with little or no security measures applied. It is not always easy or even possible to install anti-virus software on all your IoT devices, and there are no common security standards to follow, which makes it very difficult for organisations to create an end-to-end security solution.

Hackers New Target

It is estimated that by 2020 25% of all cyber attacks will be via IoT. In most cases hackers aren’t targeting the user; instead they use this security loophole as a gateway into an organisation’s wider corporate network. This scenario was used in the well-known Target attack, where hackers stole valuable personal customer data by gaining access to the Target store system network via the internet-enabled store heating system. Not all attacks are of this scale, but it illustrates how easy it is to use these devices to gain unauthorised access to an organisation.

The “Gold Rush”

The IoT is inherently insecure as the convenience far outweighs the security concerns. The current IoT landscape can be compared to the early days of the internet, when viruses, worms, and email spam plagued users. Many companies raced to join the internet ‘gold rush’ without necessarily considering the importance of internet security. We are now in a world where firms may need to double or treble their IT security budget, just to protect against the threat from wireless light bulbs and thermostats.

These may be clichéd examples, but there are essential applications that organisations use IoT for, which include managing heating across locations and financial transactions. IoT is also used in manufacturing, where devices operating in a machine-to-machine (M2M) environment, without underlying security, have the potential to cause major security breaches.

Standardisation

So, we can see that the very technology that can greatly improve the performance of your business is the same technology that if exploited poses a great security threat to your information. It is crucial that steps are taken to tackle this security issue but this is unlikely unless government, industry and consumers work together to drive forward the necessary changes to provide much needed safeguards.

In 2017, the United States proposed a new bill that would introduce standards for IoT devices purchased by the US government. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require IoT vendors to ensure the devices can be patched when security updates are available; that the devices do not use hard-coded (unchangeable) passwords; and that devices are free from known vulnerabilities when sold. This is a good start, but many people think that legal enforcement of the bill may be difficult, with a great deal of reliance on individual users to adhere to the legislation.

Some industry leaders are also starting to take the issue seriously, such as Cisco, which is proposing an IoT framework.

Secure the IoT Revolution

There is no doubt that IoT can revolutionise the way we work, bringing many benefits to the way organisations operate. However, it’s crucial that the security concerns are addressed to prevent them from doing more harm than good.

For 2018, standardisation of IoT devices is a must. It is essential that devices are secure by design, rather than having security included as an afterthought. The failure of any business to act now to protect itself is incomprehensible. If they don’t, they are sleep-walking into a security crisis.

GDPR – The Countdown Conundrum

Posted on : 30-01-2018 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, data security, Finance, GDPR, General News, Uncategorized


Crunch time is just around the corner and yet businesses are not prepared, but why?

“General Data Protection Regulation (GDPR) – a new set of rules set out from the European Union which aims to simplify data protection laws and provide citizens across all member states with more control over their personal data”

It is estimated that just under half of businesses are unaware of incoming data protection laws that they will be subject to in just four months’ time, or how the new legislation affects information security.

Following a government survey, the lack of awareness about the upcoming introduction of GDPR has led the UK government to issue a warning to the public over businesses’ shortfall in preparation for the change. According to the Digital, Culture, Media and Sport secretary Matt Hancock:

“These figures show many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill”

GDPR comes into force on 25 May 2018, and potentially huge fines face those who are found to misuse, exploit, lose or otherwise mishandle personal data. These can be as much as four percent of company turnover. Organisations could also face penalties if they’re hacked and attempt to hide what happened from customers.

There is also a very real and emerging risk of a huge loss of business. Specifically, third-party compliance and assurance is common practice now, and your clients will want to know that you are compliant with GDPR as part of doing business.

Yet regardless of the risks to reputation, the potential loss of business and the fines associated with being non-compliant with GDPR, the government survey has found that many organisations aren’t prepared – or aren’t even aware – of the incoming legislation and how it will impact their information and data security strategy.

Not surprisingly, considering the ever-changing landscape of regulatory requirements they have had to adapt to, the finance and insurance sectors are said to have the highest awareness of the incoming security legislation. Conversely, only one in four businesses in the construction sector is said to be aware of GDPR, and awareness in manufacturing is also poor. According to the report, just under half of businesses overall – and a third of charities – have subsequently made changes to their cybersecurity policies as a result of GDPR.

If your organisation is one of those who are unsure of your GDPR compliance strategy, areas to consider may include:

  • Creating or improving new cybersecurity procedures
  • Hiring new staff (or creating new roles and responsibilities for your additional staff)
  • Making concentrated efforts to update security software
  • Mapping your current data state, what you hold, where it’s held and how it’s stored

In terms of getting help, this article is a great place to start: What is GDPR? Everything you need to know about the new general data protection regulations

However, if you’re worried your organisation is behind the curve, there is still time to ensure that you do everything to be GDPR compliant. There is an abundance of free guidance available from the National Cyber Security Centre and the ICO on how to ensure your corporate cybersecurity policy is correct and up to date.

The ICO suggests that, rather than being fearful of GDPR, organisations should embrace GDPR as a chance to improve how they do business. The Information Commissioner Elizabeth Denham stated:

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice. Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right”

If you require pragmatic advice on the implementation of GDPR data security and management, please feel free to contact us for a chat. We have assessed and guided a number of our clients through the maze of regulations, including GDPR. Please contact Thomas.Loxley@broadgateconsultants.com in the first instance.


The 2018 Broadgate Predictions

Posted on : 19-12-2017 | By : richard.gale | In : Predictions


Battle of the Chiefs

Chief Information Officer 1 – Chief Digital Officer 0

Digital has been the interloper into the world of IT – originating from the Marketing Department through the medium of the website, morphing into e-commerce. The result was more budget, and so more power, with the CDiO than the CIO, and the two Chiefs have been rubbing along uncomfortably together, neither fully understanding the boundaries between them. 2018 will see the re-emergence of the CIO empire as technology becomes more service based (Cloud, SaaS, Microservices etc.) and focus returns to delivering high-paced, successful transformational change.


Battle of the Algorithms

Quantum 2 – Security 1

All the major Tech companies now have virtual Quantum computers available (so the toolkits, if not the technology). These allow adventurous techies to experiment with Quantum concepts. Who knows what the capabilities of Quantum are, but through its enormous processing power it will have the capability to look at every possible combination of events for a given situation at once. That is great in terms of deciding which share to buy or how people interact on Facebook, but it will also have the potential to crack most current encryption mechanisms. That said, it will enable another level of secure access too!


Battle of the Search Engines

Voice 2 – Screen 0

OK Google, Alexa, Siri…. There’s a great video of Google talking to Alexa on an infinite loop. That’s all fun, but in 2018 Voice will start to become a dominant force for search and for general utility. Effectively, stopping what you are doing and typing in a command or search will start to feel a little strange and old-fashioned. OK, in the office we may not all start shouting at our computers (well, not more than normal), but around the home, in the car or using our phones it is the obvious way to interact. This trend is already gathering momentum. VR and especially AR will add to this; the main thing holding it back is the fact you look like an idiot with the headset on. Once that is cracked there will be no stopping it.


RoboWars – to be continued…

Robots 1 – People 1

AI and ‘robotic process automation’ (RPA) are everywhere. Every services firm worth its salt has process automation plans and the hype around companies such as Blue Prism is phenomenal. This is all very exciting and many doomsayers have been predicting the end of most jobs (and some the end of most people!). Yes, automation of processes is here. It’s been here for years – that is what most ERP (aka workflow) systems do. It makes absolute sense to automate mundane processes, and if you can build in a bit of intelligence to deal with slight differences in the pattern then all the better. Will it result in the loss of millions of jobs? Well, maybe, and probably in the short term, but once again, as every time in the past, technology will replace human endeavour whilst humans will be busy building the next creative, innovative wave.


The Lightbulb Moment

Internet 1 – Internet of Things 3

Is there anything left which is not internet connected? Two years ago, there were very few people that had any interest in communicating with a lightbulb – apart from flicking a light-switch. Now IoT connected lightbulbs appear to be everywhere and the trend will grow and grow. The speed at which this is happening is accelerating and the scope of connected devices is expanding beyond belief. Who would have thought we needed a smart hairbrush? This is all fine and will enrich our lives in ways we probably haven’t even thought about yet, but there is a cost. We are allowing these devices to listen, see and control parts of our lives, and the data they gather has value both for good and bad reasons. There is no ‘culture of security’ for IoT. Many of the devices are cheaply designed and manufactured with no thought towards security or data privacy. We are allowing these devices into our lives and we don’t really know what they know and who knows what they know. This may be a subtler change for 2018 – the securing of ‘the Thing’ – well, let’s hope so!


Welcome to our ESports Day

Call Of Duty 2 – Premiership Football 1

Sport is a big business. From Curling to Swimming to Indy Car racing it has a thousand differing forms, millions of participants and billions of armchair viewers. Top class athletes in a popular sport can earn millions of dollars a year both from performing and through product endorsements.

Video games have been popular for years. They started as single- or two-player games and are now worldwide multiplayer extravaganzas where you can battle, race or fight against people throughout the world. A number of superstars or eAthletes have emerged, first through winning competitions and then through YouTube etc., where their tournaments are recorded and watched again and again. This business has now broken the $1B mark – still way off ‘real’ sport, but it’s growing massively and at some point soon will become part of the mainstream.

Could You Boost Your Cybersecurity With Blockchain?

Posted on : 28-11-2017 | By : Tom Loxley | In : Blockchain, Cloud, compliance, Cyber Security, Data, data security, DLT, GDPR, Innovation


Securing your data, the smart way


The implications of Blockchain technology are being felt across many industries; in fact, the disruptive effect it’s having on Financial Services is changing the fundamental ways we bank and trade. Its presence is also impacting Defense, Business Services, Logistics, Retail – you name it, the applications are endless, although not all blockchain applications are practical or worth pursuing. Like all things which have genuine potential and value, they are accompanied by the buzzwords, trends and fads that also undermine them, as many try to jump on the bandwagon and cash in on the hype.

However, one area where tangible progress is being made and where blockchain technology can add real value is in the domain of cybersecurity and in particular data security.

Your personal information and data are valuable, and therefore worth stealing and worth protecting, and many criminals are working hard to exploit this. In the late ’90s data collection began to ramp up with the popularity of the internet, and now the hoarding of our personal and professional data has reached fever pitch. We live in the age of information, and information is power. It directly translates to value in the digital world.

However, some organisations both public sector and private sector alike have dealt with our information in such a flippant and negligent way that they don’t even know what they hold, how much they have, where or how they have it stored.

Lists of our information are emailed to multiple people on spreadsheets, downloaded and saved on to desktops, copied, chopped, pasted, formatted into different document types and then uploaded on to cloud storage systems then duplicated in CRM’s (customer relationship management systems) and so on…are you lost yet? Well so is your information.

This negligence doesn’t happen with any malice or negative intent, but simply through a lack of awareness and a lack of process or procedure around data governance (or a failure to implement what process and procedure do exist).

Human nature dictates we take the easiest route; combine this with deadlines needing to be met and a reluctance to delete anything in case we may need it later, and we end up with information being continually copied, replicated and stored in every nook and cranny of hard drives, networks and clouds until we don’t know what is where anymore. As if this wasn’t bad enough, this makes it nearly impossible to secure this information.

In fact, for most, it’s just easier to buy more space in your cloud or buy a bigger hard drive than it is to maintain a clean, data-efficient network.

Big budgets aren’t the key to securing data either. Equifax is still hurting from an immense cybersecurity breach earlier this year. During the breach, cybercriminals accessed the personal data of approximately 143 million U.S. Equifax consumers. Equifax isn’t the only one; if I were able to list all the serious data breaches over the last year or two you’d end up both scarred by and bored with the sheer amount. The sheer scale of the numbers here makes this hard to comprehend: the amounts of money criminals have ransomed out of companies and individuals, the amount of data stolen, or even the number of companies who’ve been breached. The numbers are huge and growing.

So it’s no surprise that anything in the tech world that can vastly aid cybersecurity and in particular securing information is going to be in pretty high demand.

Enter blockchain technology


The beauty of a blockchain is that it kills two birds with one stone: controlled security and order.

Blockchains provide immense benefits when it comes to securing our data (the blockchain technology that underpins the cryptocurrency Bitcoin has never been breached since its inception over 8 years ago).

Blockchains store their data on an immutable record; that means once the data is stored, it’s not going anywhere. Each block (or piece of information) is cryptographically chained to the next block in chronological order. Multiple copies of the blockchain are distributed across a number of computers (or nodes); if an attempted change is made anywhere on the blockchain, all the nodes become aware of it.

For a new block of data to be added, there must be a consensus amongst the other nodes (on a private blockchain the number of nodes is up to you). This means that once information is stored on the blockchain, in order to change or steal it you would have to reverse engineer near unbreakable cryptography (perhaps hundreds of times, depending on how many other blocks of information were stored after it), then do that on every other node that holds a copy of the blockchain.

That means that when you store information on a blockchain it is all transparently monitored and recorded. Another benefit to using blockchains for data security is that, because private blockchains are permissioned, accountability and responsibility are enforced by definition, and in my experience when people become accountable for what they do they tend to care a lot more about how they do it.
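To make the chaining and node-agreement mechanism described above concrete, here is an added illustration written for this page (it is not Gospel’s product, Bitcoin’s code, or anything from the original article). It assumes a minimal block layout of index, record, previous hash and own hash, uses SHA-256 for the links, and the customer records are constructed sample data. It shows three things: a record edited in place breaks its own block, a record edited and re-hashed breaks the link to the block after it, and a record re-hashed all the way to the tip produces a chain that verifies on its own but disagrees with every other node’s copy.

```python
import hashlib
import json
from collections import Counter
from copy import deepcopy

# Hypothetical minimal hash-chained ledger (assumption: block layout and
# function names are ours, not any product's). Each block stores the
# SHA-256 hash of the previous block, so editing any stored record changes
# that block's hash and breaks every link that follows it.

GENESIS_PREV = "0" * 64


def block_hash(block):
    """Hash every field of the block except its own stored hash."""
    payload = {k: v for k, v in block.items() if k != "hash"}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def make_block(index, record, prev_hash):
    block = {"index": index, "record": record, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    return block


def build_chain(records):
    """Genesis block followed by one block per record, each linked to the last."""
    chain = [make_block(0, "genesis", GENESIS_PREV)]
    for record in records:
        chain.append(make_block(len(chain), record, chain[-1]["hash"]))
    return chain


def verify_chain(chain):
    """Return the index of the first inconsistent block, or None if intact."""
    if not chain or chain[0]["index"] != 0 or chain[0]["prev_hash"] != GENESIS_PREV:
        return 0
    for i, block in enumerate(chain):
        if block["index"] != i or block_hash(block) != block["hash"]:
            return i  # the block's own contents no longer match its hash
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return i  # the link back to the previous block is broken
    return None


def tamper(chain, index, new_record, rehash_forward=False):
    """Copy the chain and alter one record; optionally re-hash to the tip."""
    forged = deepcopy(chain)
    forged[index]["record"] = new_record
    if rehash_forward:
        for i in range(index, len(forged)):
            if i > 0:
                forged[i]["prev_hash"] = forged[i - 1]["hash"]
            forged[i]["hash"] = block_hash(forged[i])
    return forged


def dissenting_nodes(nodes):
    """Names of nodes whose chain tip differs from the majority tip."""
    tips = {name: chain[-1]["hash"] for name, chain in nodes.items()}
    majority_tip, _ = Counter(tips.values()).most_common(1)[0]
    return sorted(name for name, tip in tips.items() if tip != majority_tip)


# Constructed sample records (not real customer data).
SAMPLE_RECORDS = [
    "cust-001: consent recorded",
    "cust-002: address updated",
    "cust-003: account closed",
]


def demo():
    """Run the three scenarios and return their outcomes."""
    honest = build_chain(SAMPLE_RECORDS)
    edited = tamper(honest, 2, "cust-002: address changed")
    partial = tamper(honest, 2, "cust-002: address changed")
    partial[2]["hash"] = block_hash(partial[2])  # re-hash only the edited block
    rewritten = tamper(honest, 2, "cust-002: address changed", rehash_forward=True)
    return {
        "honest": verify_chain(honest),          # None: intact
        "edited": verify_chain(edited),          # 2: block 2 fails its own hash
        "partial": verify_chain(partial),        # 3: block 3's prev_hash is stale
        "rewritten": verify_chain(rewritten),    # None: self-consistent forgery
        # ...but the forged copy no longer matches the other nodes' tips
        "dissent": dissenting_nodes({"a": honest, "b": honest, "c": rewritten}),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The last scenario is the one the article's point rests on: a forger who controls one node can always rewrite that node's copy consistently, so integrity comes not from the hashing alone but from the other nodes holding copies whose tips no longer agree.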

One company that has taken the initiative in this space is Gospel Technology. Gospel Technology has taken the security of data a step further than simply storing information on a blockchain, they have added another clever layer of security that further enables the safe transfer of information to those who do not have access to the blockchain. This makes it perfect for dealing with third parties or those within organisations who don’t hold permissioned access to the blockchain but need certain files.

One of the issues with blockchains is the user interface. It’s not always pretty or intuitive, but Gospel has also taken care of this with a simple and elegant platform that makes data security easy for the end user. The company describes their product Gospel® as an enterprise-grade security platform, underpinned by blockchain, that enables data to be accessed and tracked with absolute trust and security.

The applications for Gospel are many and it seems that in the current environment this kind of solution is a growing requirement for organisations across many industries, especially with the new regulatory implications of GDPR coming to the fore and the financial penalties for breaching it.

From our point of view as a consultancy in the Cyber Security space, we see the genuine concern and need for clarity, understanding and assurance for our clients and the organisations that we speak to on a daily basis. The realisation that data and cyber security is now something that can’t be taken lightly has begun to hit home. The issue for most businesses is that there are so many solutions out there it’s hard to know what to choose, and so many threats that trying to stay on top of it without dedicated staff is nearly impossible. However, the good news is that there are good quality solutions out there, and with a little effort and guidance and a considered approach to your organisation’s security you can turn back the tide on data security and protect your organisation well.

GDPR & Cyber-threats – How exposed is your business?

Posted on : 28-11-2017 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, Data, data security, GDPR


With the looming deadline approaching for the ICO enforcement of GDPR it’s not surprising that we are increasingly being asked by our clients to assist in helping them assess the current threats to their organisation from a data security perspective. Cybersecurity has been a core part of our services portfolio for some years now and it continues to become more prevalent in the current threat landscape, as attacks increase and new legislation (with potentially crippling fines) becomes a reality.

However, the good news is that with some advice, guidance, consideration and a little effort, most organisations will find it easy enough to comply with GDPR and to protect themselves well against the current and emerging threats out there.

The question of measuring an organisation’s threat exposure is not easy. There are many angles and techniques that companies can take, from assessing processes, audit requirements, regulatory posture, perimeter defence mechanisms, end-user computing controls, network access and so on.

The reality is, companies often select the approach that suits their current operating model, or if independent, one which is aligned with their technology or methodology bias. In 99% of cases, what these assessment approaches have in common is that they address a subset of the problem.

At Broadgate, we take a very different approach. It starts with two very simple guiding principles:

  1. What are the most critical data and digital assets that your company needs to protect?
  2. How do your board members assess, measure and quantify security risks?

Our methodology applies a top-down lens over these questions and then looks at the various inputs into them. We also consider the threats in real-world terms, discarding the “FUD” (Fear, Uncertainty and Doubt) that many service providers use to embed solutions and drive revenue, often against the real needs of clients.

Some of the principles of our methodology are:

  • Top Down – we start with the boardroom. As the requirements to understand, act on and report breaches within a company become more robust, it is the board/C-level executives who need the data on which to make informed decisions.
  • Traceability – any methodology should have a common grounding to position it and also to allow for comparison against the market. Everything we assess can be traced back to industry terminology from top to bottom whilst maintaining a vocabulary that resonates in the boardroom.
  • Risk Driven – to conduct a proper assessment of an organisation’s exposure to security breaches, it is vital that companies accurately understand the various aspects of their business profile and the potential origin of threats, both internal and external. For a thorough assessment, organisations need to consider the likelihood and impact from various angles, including regulatory position, industry vertical, threat trends and, of course, the board members themselves (as attacks are more and more personal by nature). Our methodology takes these, and many other aspects, into consideration and applies a value at risk, which allows for focused remediation plans and the development of strategic security roadmaps.
  • Maturity Based – we map the key security standards and frameworks, such as GDPR, ISO 27001/2, SANS 20, Cyber Essentials etc., from the top level through to the mechanics of implementation. We then present these in non-technical, business language so that there is a very clear common understanding of where compromises may exist and also of the current maturity level. This is a vital part of our approach which many assessments do not cover, often choosing instead to present a simple black and white picture.
  • Technology Best Fit – the commercial success of the technology security market has led to a myriad of vendors plying their wares. Navigating this landscape is very difficult, particularly understanding the different approaches to prevention, detection and response.

At Broadgate, we have spent years looking into which technologies are the best fit to mitigate the threats of a cyber-attack or data breach, and this experience forms a cornerstone of our methodology. Your business can also benefit from our V-CISO service to ensure you get an executive level of expertise, leadership and management to lead your organisation’s security. Our mantra is “The Business of Technology”. This applies to all of our products and services, and never more so than when it comes to really assessing the risks in the security space.

If you would like to explore our approach in more detail, and how it might benefit your company, please contact me at john.vincent@broadgateconsultants.com.

Why are more women not choosing technology as a career?

Posted on : 13-07-2017 | By : Aimee Rankine | In : Cyber Security, General News

I recently attended a ‘Women in Cybersecurity’ talk at InfoSec. Being relatively new to the world of IT, I thought it would be a good way to start educating myself. It was exciting for me to see so many women talking so passionately about a subject and I felt like I had made a good choice in pursuing a career in IT. Unfortunately, as I learnt during the course of the morning, not that many women agree with me.

Women make up 47% of the UK workforce, yet only make up 21% of the workforce in Core STEM (science, technology, engineering and maths) fields. In ICT women account for less than 20% of the workforce.

As the STEM sectors continue to grow, women are not taking up the newly created positions at the same rate as men. However, it is in a company’s best interest to attract women to these roles. Research consistently shows that groups perform to a higher standard if the gender balance is even, or when women outnumber men. For example, Catalyst research found that companies with high-level female representation on boards significantly outperformed those with sustained low representation by 84% on return on sales, 60% on return on invested capital, and 46% on return on equity.

The Women’s Business Council predicts that we could add 10% (that is over £150bn) to our GDP by 2030 if all the women that wanted to work were employed. These are significant numbers, so why are STEM companies still struggling to get women involved and what can be done to make these environments more appealing?

I once read, “men are interested in things, and women are interested in people”. I put this theory to the test by looking at a group of my closest friends. One out of the five is in a STEM field; the others are all in fields such as hospitality and education, so that theory seems like it has a leg to stand on. Then I posed the question “why didn’t you fancy a job in a STEM field?” to the other four and the immediate response was “because it’s boring”. A blunt answer, but when I thought about it, STEM subjects were not the lessons any of us most looked forward to at school, and if you did not enjoy it in school why would you pursue it as a career later on in life? Maybe that is why only 16% of graduates in computer science last year were female. In recent years, organisations such as TechFutureGirls and CoderDojo have been created to provide free courses for schools to give young people the skills they need for future careers in tech and maintain an interest in the field as they progress through their education.

Another possible contributing factor is implicit or unconscious bias, which happens when our brains make incredibly quick judgements and assessments of people and situations without us realising.

In 2012, a study by Corinne Moss-Racusin was conducted in which science faculties asked staff to review a number of applications which were identical apart from the gender of the name. The study found that science faculties were more likely to rate male candidates as better qualified, give them a higher starting salary and invest more in their development than the female candidates, and overall to hire the male over the female.

Women are 45% more likely to leave within a year than men are, citing reasons such as a hostile macho culture, a feeling of isolation and a lack of effective sponsors. With more women leaving the industry, senior female role models become harder to come by.

Women often feel like they have to make a choice between having a career and having a family. In a recent study, 85% of 716 women surveyed who had left the tech industry cited maternity leave policy as a major factor in their decision to leave. Tech employers who are not supportive of their female staff and do not offer flexibility in working can only further discourage women from joining up. Allowing flexible working directly correlates with more women in management positions. Rigid working patterns can prevent women from moving into senior management positions, as “presenteeism” can restrict the balance between work and childcare priorities. Flexible working is an effective means of retaining this talent. An alternative is allowing fathers to take extended paid maternity leave. If maternity leave is shared, it could blur that gender divide.

Another option for larger companies is to provide onsite childcare; Goldman Sachs provides an onsite nursery offering a few weeks of free childcare and then a paid service. Women are then free to pop down to see their child at any time. Some companies have introduced a ‘babies at work’ policy, where parents can bring their child to work every day, allowing them to return to work much earlier, but these have not been tech companies.

To attract women into the tech industry, companies need to keep women interested in IT throughout education and their careers with training, mentorship, flexibility and policies that give women the opportunity to succeed.

So, to summarise:

  • Currently women make up less than 20% of the IT workforce
  • Staff recruitment and retention in IT is a huge problem, and even worse with women
  • When women make up more than half of the board, revenue increases

The IT staff resource pool is limited. Low retention increases cost. So why not kill two birds with one stone? If you can attract women that would not normally work in STEM and create an environment they enjoy being a part of, you have struck gold. High staff retention and a female presence on the board would have a great impact. Offering shared parental leave and flexible working hours are just some of the steps companies can take to achieve this.

Scammers Go Phishing For Fake News

Posted on : 31-05-2017 | By : richard.gale | In : Cyber Security, Uncategorized

Fake news is everywhere these days. It may seem like a new phenomenon, but the concept of propaganda is not a new one. Stock markets thrive on the latest headlines and traders throughout history have attempted to manipulate markets by releasing information to influence prices. Today fake news combined with social media has changed the game with powerful consequences. This potent combination of false and misleading information flooding the internet can have devastating effects on your company and should be something that Information Security departments take seriously. During the US Presidential campaign a false story was propagated which said that Pepsi refused to serve Trump supporters at a rally. The story did a huge amount of damage to Pepsi’s brand and reputation, which can be a costly business!

Tackling the fake news problem and controlling the flow of fake information in and out of an organisation is a huge task. There are tools already available that can monitor traffic, so it could be possible to extend this to include external activity on social media sites such as Twitter, Facebook and LinkedIn. There are companies and technology products available in the market which can trawl these sites looking for malicious or misleading links. But technology is only one way of looking at the problem. More important are the other influences that drive our behaviour. It is critical to look at people and the processes that drive our behaviour.

Trust is a key feature which allows fake or misleading news into an organisation. Take a scenario where a friend or colleague sends you a link: you instinctively trust the information and click on the link. The same applies to brands that we trust. Take the Microsoft pop-up, which is a favourite with scammers. They send a fake pop-up to your screen. Most people trust this established brand name, see the Microsoft badge and click, thinking this must be genuine. These unsuspecting users click on the box or call a fake hotline number, thereby generating a malware event and opening the door for scammers straight into your organisation.

Email is another example of a highly trusted means of communication, making it a hot spot for scammers looking to retrieve your information or get you to click on a malicious link. A popular route for scammers is to send emails that pretend to be from the IT Department asking employees to do a certain task such as resetting their password. You click the reset button and the scammers are in.

Phishing scams are one of the most commonly used ways in which your organisation can be infiltrated. Organisations whose user training includes sending out a simulated phishing email typically find that 10-20% of recipients click on it each time the test is run. Even after training this stays fairly consistent, so alternative ways of dealing with the problem need to be investigated. Some technology firms such as Menlo Security isolate the user from the internet and can capture most of these types of issues.
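As an added example (not code from the original post, nor any Broadgate or vendor tool), the following Python script shows how a mail gateway or SOC analyst could flag the “IT Department password reset” lure described above before a user ever sees the reset button. It checks three things a genuine internal notice would not exhibit: a display name that claims to be IT while the sender address is outside the organisation, a Reply-To that silently redirects replies to another domain, and a password-themed message whose links lead to an external host. The organisation domain example.com, the keyword heuristics and the sample messages are all constructed assumptions for the demo.

```python
"""Flag e-mails that impersonate an internal IT department and push the
recipient towards a password reset.  Added example: the organisation domain,
the keyword lists and the sample messages are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Display names a scammer borrows to inherit the IT department's trust.
IT_NAME_RE = re.compile(r"\b(it|helpdesk|help desk|service desk|support)\b", re.I)
# The lure: the message talks about the recipient's password.
PASSWORD_RE = re.compile(r"\bpassword\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def domain_of(addr: str) -> str:
    """'alice@mail.example.com' -> 'mail.example.com' (lower-cased)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal(host: str) -> bool:
    """True only for the organisation's domain and its sub-domains."""
    host = host.lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def body_text(msg) -> str:
    """Collect the text/plain parts (the demo messages are single-part)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True).decode(errors="replace")
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(parts)


def analyse(raw: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)

    # 1. Display name claims to be IT, but the address is not ours.
    if IT_NAME_RE.search(display_name) and not is_internal(sender_domain):
        findings.append(f"'{display_name}' claims IT but sends from {sender_domain}")

    # 2. Replies are silently redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from {sender_domain}")

    # 3. A password-themed message whose links leave the organisation.
    body = body_text(msg)
    if PASSWORD_RE.search(body):
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if not is_internal(host):
                findings.append(f"password lure links to external host {host}")
    return findings


# Constructed sample messages (not real mail).
PHISH_EXTERNAL_SENDER = """From: IT Department <helpdesk@example-support.net>
Reply-To: helpdesk@example-support.net
To: alice@example.com
Subject: Action required: your password expires today

Your password will expire in 24 hours. Click to reset it now:
http://example-support.net/reset?u=alice
"""

PHISH_REPLY_TO = """From: IT Helpdesk <alerts@example.com>
Reply-To: it-helpdesk@mail-example.org
To: alice@example.com
Subject: Mailbox migration

Reply to this message with your current password so we can migrate your mailbox.
"""

LEGIT_RESET = """From: IT Service Desk <servicedesk@example.com>
To: alice@example.com
Subject: Password expiry reminder

Your password expires in 7 days. Reset it via the intranet:
https://password.example.com/change
"""

LEGIT_MAINTENANCE = """From: IT Service Desk <servicedesk@example.com>
To: alice@example.com
Subject: Planned maintenance

We will patch the VPN gateway on Saturday. No action is required.
"""


def run_demo() -> dict:
    """Analyse every sample and return {sample name: findings}."""
    samples = {"external sender": PHISH_EXTERNAL_SENDER, "reply-to": PHISH_REPLY_TO,
               "legit reset": LEGIT_RESET, "legit maintenance": LEGIT_MAINTENANCE}
    return {name: analyse(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'clean'}")
```

The point of the third check is that a genuine reset notice from the service desk that links to an internal host produces no finding, so the rule targets the mismatch between the claimed sender and where the link actually goes rather than the word “password” on its own. In a real gateway the same logic would sit alongside SPF/DKIM/DMARC results and a lookalike-domain list, which this demo deliberately leaves out.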

These technology options offer some valuable tools to protect organisations but ultimately there is no magic piece of software that can filter out the fake news and ward off the scammers. The only way to deal with the problem is education. Companies need to invest in proper cyber security training for all their employees. The traditional annual training update is not enough. Training needs to be done on a more regular basis with a more modern approach that can produce long term behavioural changes.

It is crucial to remember that staff are the front-line defence against the fraudsters and we need to ensure that they are armed with the right knowledge to combat the threat. In a week where we have seen the Governor of the Bank of England fall prey to a fraudster who emailed the Governor impersonating a Bank of England colleague this is no easy task!

Gen-Y Professionals – Cyber Attacks, Bothered?

Posted on : 26-05-2017 | By : jo.rose | In : Cyber Security

Whilst many of us are concerned about the threat of cyber-attacks, it seems that Gen-Y professionals have a more relaxed view. This is because they have grown up with technology and social media more than any other generation. They seem to be born understanding how the latest technology works and what the coolest social media app is, and, if even the most up-to-date one doesn’t work, they try something else until they find the solution that works best for them.

Young professionals can be naïve about the sensitivity of company data and the value it could have to cyber-criminals. Surveys show that almost a fifth believe an attacker could do nothing with their company’s data if it were hacked or a device stolen, and many do not realise that a stolen device can be manipulated to mount future attacks.
This attitude is leaving organisations more open to cyber-attacks. A lot of Gen-Ys have a blasé attitude towards cyber security, due to a blurring of home and the workplace, and are therefore unconcerned about the effects of hacking or losing data.

Almost half of young professionals connect their own, potentially infected, devices to their company’s network, whilst others use work devices for personal use. It is also not uncommon for work devices to be lent to people outside of the organisation. If they are connecting their own devices to the company network, then one approach could be for the organisation to put appropriate personal-device security in place. One way could be through choose-your-own-device policies, which would give more control back to the IT team: staff accessing the network through their own devices could be given a choice from a select set of products which are regularly updated and come with security already installed.

Many are unaware of, or don’t believe, their company has an IT security policy. A way to blend the two would be for company IT security teams to engage with the younger employees to help in the creation of security policies that suit the needs of both employer and employee. It appears that young professionals want to engage with their organisations’ IT security teams to help develop policies. It would surely make for a clearer understanding of what is expected of them and what they need from their organisation.

In a survey completed by ESET the following data points were found:

  • 70% are unaware that hacked devices can be manipulated to make further future attacks
  • 52% are unaware that stolen data could be used against their company
  • 50% believe it’s nearly always their organisation’s responsibility to ensure the safety of data.
  • 49% are unaware hackers would be looking to sell their company’s data
  • 47% use work devices for personal use
  • 44% of young professionals have connected, or are unsure if they have connected, their own devices, potentially infected with malware, to their company’s network
  • 38% are unaware of, or don’t believe, their company has an IT security policy
  • 29% indicate a complete lack of concern over the effects upon their company and its data if a work device is hacked, lost or stolen
  • 30% of those who are aware of the existence of an IT security policy do not know what it is
  • 18% believe an attacker wouldn’t be able to do anything with their company’s data if was stolen or a device hacked
  • 10% admit they may have shared access to their company’s network with third parties

So it seems odd that Gen-Ys are viewed as the most tech-savvy when it comes to their personal brand, yet when it comes to their business lives they are some of the most unreliable. Bothered? We should be!!