Hey, Let’s Be Careful Out There!

Posted on : 10-06-2016 | By : Maria Motyka | In : Cloud, Cyber Security, Data, Innovation, IoT


In the context of accelerated digitisation, especially the adoption of innovations in the areas of cloud computing, IoT and the growth of social networking, as well as with increased mobility of the workforce, organisational security and risk management need to be rethought.

The way we work is constantly changing; according to recent research by Gartner, within the next 1.5 – 2 years, ’25 per cent of corporate data traffic will flow directly from mobile devices to the cloud, bypassing enterprise security controls’. Digital users now spend 30% of all connected time, 2 hours a day, on social media (Global Web Index) – let’s not fool ourselves, some of it (whether it be using the seemingly innocent Messenger app or the boring-meeting saviour Instagram) happens within the office environment. And it’s definitely not just the Millennials who are guilty of the Social Media at work crime! The Bring Your Own Device (BYOD) trend is also becoming more and more popular, even within traditionally conservative work environments (employees who get to work on their own laptops/tablets are said to be happier and thus more productive than those confined to company devices). While (according to Code42’s 2016 Datastrophe study) 87% of CIOs and CISOs claim that their companies have a clearly defined BYOD policy in place, a shocking 67% of knowledge workers (the organisation’s end users) disagree (Infosec Magazine). When things go wrong and the freedom to connect/work anyplace, anytime compromises organisational security, it is the company that takes the hit.

At the same time, organisations often rely primarily on CXOs to deliver enterprise security and manage increasingly sophisticated threats, at a time when companies (and the devices used by employees, often both at work and at home) are being constantly compromised. This is not sufficient. All employees, across all functions, are responsible for securing the organisations they are part of. As highlighted by Gartner in the Managing Risk and Security at the Speed of Digital Business report, it is crucial for organisations to apply resilience not only to processes and technology, but also to people. We cannot afford to overlook the ‘human’ element of security. Best practices include regular training and digital security awareness campaigns for everyone, as well as extending protections to the company’s employees within their home environments (Gartner), in response to the blurring of the tech we use for personal and professional purposes and to the flexible work trend. Gartner proposes ‘people-centric security’, which aims for a balance between protecting the company and allowing increased employee agility and the adoption of new, often risky, tech to stay competitive.

For now, it seems like ‘seeking’ a balance and regular employee education is the best companies can do.

Laptops and smartphones get, and will keep getting, lost or stolen (whether in a club or on the way to work). Data which is stored on or can be accessed through these devices can often be worth a thousand times more than the actual device. This is not an exaggeration; one obvious example being the infamous iPhone which stirred the Apple-FBI encryption dispute. Moreover, the punishment doesn’t seem to fit the crime – charges for stealing a phone or a laptop usually fail to take into account the value of the potentially compromised data. This is going to have to change in the future, especially as the devices we carry store more and more data (not only confidential because it is work-related, but also highly intimate, for example health-related).

Striving for the sweet spot between data security and taking advantage of the opportunities offered by new tech and new working trends also means being clever about WHAT to protect. Not all data needs to be equally secure. As stressed by Richard Gale during ISITC’s General Meeting’s security panel, companies need to focus on protecting their ‘crown jewels’. Utilising cloud tech and allowing employees the freedom to work flexibly won’t stop you from identifying and investing in protecting crucial data. Detection and response is yet another element which ought not to be overlooked. What would be the worst-case scenario, and what would your organisation do, if the CEO’s mobile phone/laptop went missing? What steps is your company going to take if a Social Media app sends out phishing messages to employees? While it’s impossible to perfectly protect all the data, it’s worth having an action plan for when things go wrong.

Let your employees bring their own devices and go on, embrace the cloud – when doing so, however, train, educate, invest more in protecting what’s most valuable and be prepared for when data does get compromised!


Talking about BYOD and training your employees about how to be digitally secure – a few months ago we shared a Cybersecurity Manual with 10 hands-on security tips, which you can read here.

Broadgate at ISITC Europe General Meeting’s Security Panel

Posted on : 26-04-2016 | By : Maria Motyka | In : Cyber Security, Data, Finance, Innovation


Last month, on Monday the 25th of April 2016, we had the pleasure to participate in the General Meeting of the International Securities Association for Institutional Trade Communication (ISITC Europe).

The voluntary organisation was founded in 1992 and “has led operational and technical change over the past 25 years, contributing to the rise of efficiency in the securities markets to the mutual benefit of all participants”. ISITC’s members gather in work groups around innovative topics such as Blockchain, Standards, Regulation, Industry Engagement and – last but not least – Cybersecurity.

Nigel D Solkhon, CEO of ISITC Europe, whom we featured in our recent 5 Minutes With interview, opened the event by highlighting ISITC’s educational, innovative and operational role, and was followed by a keynote speech from Edward Wallace, MWR Infosecurity: Cybersecurity, what is there to fear?

The first panel discussion covered the adoption of blockchain by the securities market. Anthony Culligan, co-founder of SETL, briefly explained the concept of blockchain to the audience by noting that working in finance is very different from how it is presented in the Wolf of Wall Street – “what we do is we keep very long lists of loans, assets, cash… and another thing that is exciting is that we change those lists. Blockchain technology is just a fantastic way to keep these lists. Maintain these lists, allowing each participant to make changes [to them].”

As the three ‘pillars’ which pose a barrier to the adoption of blockchain, Justin Amos, Digital Asset Holdings, listed the lack of global standardisation, the network effect and regulation.

Mr. Vandenreydt also stressed the importance of the neutralisation of costs, which would potentially serve as an incentive for organisations to adopt blockchain; “now it is a global architecture and there is nothing more difficult to sell than an architecture”, he noted. Further challenges mentioned during the panel include identity management – there is a need for an independent identity framework; standards (how can you operate smoothly if you work across a number of countries with different jurisdictions?); and data privacy implications.

Once blockchain is adopted, who will be the winner and who the loser? According to one view, the harsh reality is that the losers will be the employees, while the winners will be the shareholders. According to another, the winners will be those who are ‘close’ to their clients, those who understand them.

Richard Gale represented Broadgate during the event by joining the panel, which discussed: How can the Securities Market manage Cyber Security best?

The panel’s host, David Ewings, Threadneedle, opened the discussion by noting that the cyber threat is ever-evolving, stressing the need to recognise that it is impossible to ‘protect everything’, and the necessity of having ‘an approach and a desire’ to be cyber-secure.

Richard Gale highlighted the importance of ensuring that management understands the significance of building security into every project and everything you do within the organisation. An internal awareness of the consequences of a potential attack is key. Edward Wallace, MWR Infosecurity, agreed, noting that companies should quantify the business risk (taking into consideration reputational risks/costs), stressing that security is not something you can simply ‘stick on afterwards’, and observing that there is a mismatch between projects and work streams within organisations. The panelists shared the view that organisations need to be aware of exactly where external companies can ‘plug in’ to access business assets, and where the most valuable data is held. While it is essential that we realise it is impossible to eliminate all risks, companies need to “identify core assets, their crown jewels and keep them safe”. Clever security financing is also paramount – when setting budgets, organisations need to take into consideration the potential post-attack costs. As more data comes out, companies will likely increasingly benchmark themselves and make security decisions accordingly – you’d rather be less secure than you would wish than be out of business because of spending too much on security!

Yet another consideration for cybersecurity-aware organisations should be the risk they assume by taking on certain clients. Offsetting potential risk by working with contractors, or maximising the security measures in place during specific periods only, are some of the approaches to dealing with client-derived risks.

With regard to regulation in the area, it was noted that regulators, while looking at technology which will become available in the future, address risk in a retrospective manner. Organisations should be ahead of regulation. They need to do much more than simply comply with it – they must ensure that they protect their own assets, as a lot of regulation is about protecting others’ data.