UK businesses urged to prepare for GDPR a year to day

With exactly one year to the compliance deadline, the Information Commissioner’s Office has urged UK firms to seize the business benefits of being GDPR-ready

With exactly one year to the compliance deadline, the Information Commissioner’s Office has urged UK firms to seize the business benefits of being GDPR-ready

There is no time for businesses to delay in preparing for the General Data Protection Regulation (GDPR), says the UK information commissioner.

In a video address to UK business leaders, Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she termed “the biggest change to data protection law for a generation”.

It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks.

“If your organisation can’t demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your organisation open to enforcement action that can damage both public reputation and bank balance.

“But there’s a carrot here as well as a stick: get data protection right, and you can see a real business benefit,” she said.

Deputy commissioner Rob Luke also highlighted the business benefits of GDPR compliance at a discussion about the legislation hosted by IT industry body TechUK.

The best outcome, he said, would be where organisations take an approach to data protection that earns the trust of consumers in a more systematic way, and where that trust translates into competitive advantage for those who lead the charge.

Luke said that while the GDPR presents some opportunities for organisations, the ICO recognises that there are some challenges too, noting that the GDPR is an indicator of change as much as it is an instigator.

“The GDPR is part of the response to the challenge of upholding information rights in the digital age; of protecting the rights and interests of the individual in the context of an explosion in the quantity and use of data and in an environment of extremely rapid technological change,” he said.

Luke said that GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data.

“The moment at which GDPR takes effect in the UK on 25 May 2018 will, of course, mark a change. In delivering legislation fit for the digital age GDPR confers new rights and responsibilities, and organisations need to be working now to prepare for them,” he said.

Luke said he hoped that UK organisations have already deployed the ICO’s 12 steps to take to prepare for GDPR and were familiar with the ICO’s Overview to GDPR, and were drawing on the ICO’s wider resources.

The ICO, he said, is working at pace to produce detailed guidance, both at a national and a European level, through the Article 29 EU Working Party.

While this guidance will continue to be developed, Luke said organisations should not wait for definitive guidance on every aspect of the GDPR before taking action.

“I urge you not to wait, nor to take a reactive approach to your GDPR preparations, motivated solely by a mindset of compliance or risk management. Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law.

Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong,” he said.

Preparation for compliance with the GDPR can be boiled down to transparency and accountability, said Luke.

“It is about being clear with individuals how their personal data is being used, and placing the highest standards of data protection at the heart of how you do business,” he said.

As a result, said Luke, this means GDPR compliance is a board-level issue for every size of organisation, not only because under the GDPR the ICO can fine companies up to €20m or 4% of a company’s total annual worldwide turnover for the preceding year, whichever is greater, but also because of potential brand damage.

“As we’ve seen in well-publicised examples, the cost to business of poor practice in this area goes above and beyond any fine we can impose. Losing your consumers’ trust could be terminal for your reputation and for your organisation,” he said.

The ICO recognises that data is the fuel that powers the digital economy, said Luke, and the GDPR is a response to this evolving landscape. The GDPR builds on previous legislation, he said, but brings a 21st century approach and delivers stronger rights in response to the heightened risks.

These new rights include individuals’ rights to:

Be informed about the use of their data;
Access their information and move that information around;
Rectify and erase data where appropriate;
Revoke consent;
Challenge automated decisions.

“Good practice tools that the ICO has championed for a long time, such as privacy impact assessments and ensuring privacy by design, are now legally required in certain circumstances,” said Luke.

Being transparent and providing accessible information to individuals about how you will use their personal data is another key element of the new law and our privacy notices code of practice is GDPR-ready, said Luke.

Luke also noted that data breach reporting would also change under the GDPR. Organisations will be required to notify the ICO, within 72 hours, of a breach where it is likely to result in a risk to the rights and freedoms of individuals.

The widespread availability of personal data on the internet and advances in technology, coupled with the capabilities of big data analytics, mean that profiling is becoming a much wider issue, he said.

According to the ICO, the GDPR is a principles-based law well equipped to take on the challenges of 21st century technology.

“It aims to be flexible – protecting individuals from harm while enabling you to innovate and develop services that consumers and businesses want,” said Luke.

In addition to gearing up the GDPR compliance within the ICO and the higher volume of activity that is bound to come as a result of mandatory breach notifications, Luke said the ICO is looking at how it might be able to engage more deeply with companies as they seek to implement privacy by design.

The ICO is also looking at how it can contribute to a “safe space” where companies can test their ideas and at how it can recognise good practice.

“We should be able to find ways to give credit where credit is due without that translating into a free pass for an individual organisation or practice. GDPR explicitly foresees wider use of tools such as codes of conduct and certification schemes, which potentially have an important role to play,” said Luke.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Travelling C-level executives are major risk to business security

C-suite executives logging on to unsecured public Wi-Fi hotspots seem to present one of the biggest security risks to enterprise networks

C-suite executives logging on to unsecured public Wi-Fi hotspots seem to present one of the biggest security risks to enterprise networks

Close to half of enterprises believe that their C-level executives, including CEOs, present the biggest risk to the business of being hacked through extensive use of unsecured public Wi-Fi hotspots.

This is according to mobile connectivity provider and network aggregator iPass, which, in its latest annual Mobile security report, found that cafés and coffee shops were perceived as the number one risk venue on a list that included airports, hotels, exhibition centres and planes.

The supplier compiled responses from 500 enterprises in France, Germany, the UK and the US to get an overview of how businesses are approaching concerns around mobile device and hotspot security.

The vast majority – 93% of respondents all told – told iPass’ researchers that they were concerned about the security challenges posed by mobile workforces, and almost half said they were very concerned, up several percentage points on the 2016 edition of the report.

In addition, 68% of organisations told the researchers they had banned employee use of free public Wi-Fi hotspots to some extent, up 6% on 2016, and 33% had banned it outright, up 9% on 2016.

“The grim reality is that C-level executives are by far at the greatest risk of being hacked outside of the office. They are not your typical nine to five office worker. They often work long hours, are rarely confined to the office and have unrestricted access to the most sensitive company data imaginable,” said iPass VP of engineering, Raghu Konka.

“They represent a dangerous combination of being both highly valuable and highly available, therefore a prime target for any hacker.

“Cafés and coffee shops are everywhere and offer both convenience and comfort for mobile workers, who flock to these venues for the free high-speed internet as much as for the coffee. However, cafés invariably have lax security standards, meaning that anyone using these networks will be potentially vulnerable.”

Most businesses with concerns over public Wi-Fi were worried about man-in-the-middle attacks, but high numbers also cited a lack of encryption, unpatched network operating systems and hotspot spoofing as major concerns.

IPass said enterprises were more aware of mobile security threats with every year that goes by, but are still finding it hard to balance the need to keep safe – which is more acute than ever – with the productivity boost that being able to work from any location can bring.

In Konka’s view, unfortunately too many enterprises were choosing to simply ban employees from using hotspots outright, which he characterised as detrimental to business health, not to mention largely unenforceable.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Almost a quarter of UK and US firms likely to miss GDPR deadline

Some 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline of 25 May 2018

Some 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline of 25 May 2018

Only 15.7% of more than 200 UK and US companies polled are in the advanced planning stages of complying with the EU General Data Protection Regulation (GDPR).

It is not just western countries such as the US and the UK that are being targeted by hackers, as the rapidly developed and wealthy nations of the Middle East become targets of both politically and financially driven attacks. Discover how cyber security expertise can help businesses in the Middle East navigate digital transformations and keep cyber criminals at bay.

Some 17.8% said they were in the moderate planning stages and 11% said they were only in the initial stages of implementing processes to ensure compliance, according to the survey by security firm Guidance Software.

But 24% of the organisations surveyed said they would not be ready by the 25 May 2018 deadline, and 30.6% said they had no timetable for being GDPR compliant, which could expose them to fines of up to €20m or 4% of their annual global turnover, whichever is greater.

Some 14.2% said they would divest EU operations instead of attempting to become compliant with the GDPR.

The survey revealed that bigger companies have made the most progress towards compliance. Some 43% of organisations with revenues of $1bn or more claimed to have processes in place already that can identify data records of any EU citizen and determine where that data is being processed, in comparison to just 26.8% of organisations with under $100m in sales.

The GDPR requires all organisations doing business in EU member countries to comply with new regulations governing the data privacy rights of EU citizens.

However, more than half of the companies surveyed have not yet begun to evaluate third-party products or developer processes to identify the data records of EU citizens.

When asked to prioritise the recruitment and training of a qualified data protection officer, 23.7% ranked it as a high priority, 18.1% said it was a medium priority, and 15.4% named it a low priority.

For all companies, the top three activities to becoming GDPR compliant are:

Use and maintain policies and procedures for the anonymisation and de-identification of personal data (24.9%).
Conduct a full audit of EU personal data manifestation (22.8%).
Evaluate all third party operational partners that access personal data transfers (21.4%).

“With nearly five billion data records exposed in the past four years alone, there is a clear trend towards stronger protection of consumer data, and GDPR is a major first step in that direction,” said Anthony Di Bello, senior director, products, at Guidance Software.

“This data suggests that many organisations are, on the whole, behind schedule for compliance. Security leaders must make GDPR a priority over the next year to avoid major financial penalties,” he said.

To prepare for GDPR compliance, organisations are advised to:

Understand and acknowledge the requirements of GDPR for each specific business.
Conduct an internal audit to determine internal practices that need to change.
Create an incident response plan, including testing and updating procedures.
Identify gaps in technology.
Appoint a qualified data protection officer (DPO).
If there is not already a plan for GDPR compliance, start now.

Guidance Software also advises organisations to:

Monitor efforts at EU level and in member states to prepare for enforcement of the GDPR.
Establish familiarity with the supervising authority or authorities most relevant to operations.
Monitor technical guidance and codes of conduct from relevant EU authorities.
Establish where customer personal data is located, why it is used, and how long it is kept.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

WannaCry biggest incident to date for National Cyber Security Centre

The WannaCry ransomware attack that started on 12 May 2017 is the biggest single incident that the new UK National Cyber Security Centre (NCSC) has faced.

The WannaCry ransomware attack that started on 12 May 2017 is the biggest single incident that the new UK National Cyber Security Centre (NCSC) has faced.

Although the global ransomware attack that heavily affected the NHS was unwelcome, it has provided an opportunity to test systems and raise awareness on key issues, according to Alex Dewdney, director for engagement and advice at the National Cyber Security Centre (NCSC).

“If you wanted to mount a national communications programme to make people sit up and take notice, you couldn’t have designed one better than this,” he told the Security Innovation Network (Sinet) Global Cybersecurity Innovation Summit in London.

“I never thought I would hear so many ministers using the word ‘patch’, which has now become part of everyday conversation, so we need to take that opportunity and to build on that.”

Dewdney emphasised that the NHS was not targeted specifically, although NHS networks were affected significantly in the UK. Other UK organisations were affected, but the diversity of victim organisations was much greater in other countries around the world, including Russia.

Although the spread of the ransomware has slowed, it spread initially very quickly by using a specific vulnerability in the Microsoft file sharing protocol sever message block known as SMB to propagate in and between networks.

“In March 2017, Microsoft issued a patch for supported operating systems, and following the attack they issued emergency patches for unsupported operating systems as well,” said Dewdney, noting that while these patches prevent the spread of the infection, they do not help organisations to get back encrypted data.

Dewdney confirmed that the attackers behind the ransomware are still unknown, but he said the level of sophistication is well within the reach of “criminal entities” requiring the NCSC to work at an extremely high tempo. “It is easily the biggest and most complex cyber incident the NCSC has had to manage so far,” he said.

In response to the attacks, the NCSC’s incident management function was called into action. The initial focus was on understanding the technical characteristics of the attack, how it was spreading, and who the victims were.

The incident management team was also working to establish who was behind the attack and what the initial attack vector was, but these questions remain unanswered to a high level of confidence five days after the attack.

The NCSC also started looking at ways to protect victims and potential victims in terms of publishing advice on how to immunise against the ransomware and contain its spread, as well as what to do if already a victim. The NCSC was also working directly with some victim organisations to help put guidance into practice and help remediate.

The incident underlined the importance of partnerships for the NCSC, said Dewdney, including partnerships that were formed to scale the response and make inroads into this problem in a way that the NCSC could not have done on its own.

“We are still working very closely with the National Crime Agency (NCA), which has staff embedded in our teams. The NCA was able to deploy on the ground with victims at scale. They are also a vital source of information and forensic data, as well as analytic and investigative effort,” he said.

The NCSC is also still working with NHS digital and Care Cert. “The size and complexity of the health sector meant that we needed that central docking point to work with, and they did a fantastic job under very difficult circumstances,” said Dewdney.

The role of the NCSC’s industry partners was also absolutely critical, he said. “I cannot emphasise enough how grateful we are for the extent to which our partners in the cyber security industry really leaned in to help and pool the information they were gathering.”

According to Dewdney, the Cisp cyber information sharing platform “really came into its own”, both as a platform for sharing information and for discussion. “We need to build on that as a really key way of getting stakeholders to have live discussions about this kind of problem,” he said.

There was an international aspect too, said Dewdney, including the information that was provided to the international computer emergency response network and collaboration with the US.

At the same time, he said it was a truly national response, with the NCSC quickly establishing contact with authorities in Northern Ireland, Wales and Scotland.

Dewdney also highlighted the importance and the challenges of the media. “I think we did pretty well at pace in briefing senior politicians to speak, preparing ourselves directly in broadcast media, and using our web presence and social media to get the right messages across at the right time.

“LinkedIn proved to be a really important and useful platform, but we didn’t really engage in that, and that is an important lesson for us,” he said.

Overall, Dewdney said the NCSC bringing various organisations together under one roof also really proved its worth.

“There was a lot of consistency in what government was saying – officials, ministers and across our platforms. We achieved a greater consistency and therefore a greater sense of authoritativeness in what we were saying than we would have achieved before the NCSC was set up. We were able to get the messages out quite quickly and provide the assurance that patients’ confidential data had not been stolen,” he said.

However, he admitted that producing specific, usable and helpful guidance was a challenge. “How do you get messages across that are sufficiently technically detailed to be of practical use, but also easy to understand and follow.”

The NCSC decided therefore to publish a set of guidance for enterprises and another set for small to medium-sized enterprises (SMEs) and consumers, which is continually being refined and updated in response to feedback from those communities.

“We are really in the market for feedback around how we are getting those messages across and how they can be improved and made more useful,” said Dewdney.

One of the key lessons learned, he said, was about the power as well as the limitation of advice and guidance.

Dewdney said people are continually told to patch and update the systems, “but the fact is that people don’t always do it, so what we have got to realise as cyber security practitioners is that advice and even instruction is much easier to give than it is to follow”.

“We have to recognise that in the real world competing pressures and hard choices can easily get in the way. So we will continue with those exhortations, but as we mobilise campaigns to really make this happen across government, business, critical infrastructure and for consumers, we need to find the right mix of the ‘stick’ on the one hand and help to overcome those hurdles on the other,” said Dewdney.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

ICO reports record number of data breaches and fines

The UK Data Protection privacy watchdog reports that it has dealt with more data breach reports and issued more fines in the past year than ever before.

The UK Data Protection privacy watchdog reports that it has dealt with more data breach reports and issued more fines in the past year than ever before.

The Information Commissioner’s Office (ICO) has dealt with a record number of data protection incidents, nuisance marketing cases and individual complaints in the past year, according to its latest annual report.

The ICO’s annual performance statistics for 2016/17 also reveal that the regulator received more reported data protection breaches and fined more companies for unlawful activities than any previous year. The rpory can be found at: https://ico.org.uk/about-the-ico/our-information/annual-operational-reports-201617/

It seems that from a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy.

Wake up and get the knowledge to heep your data protected.

The record numbers are in part ascribed to the fact that the ICO’s free telephone helpline, live chat service and online reporting tool all helped make it easier for the public to report their concerns to the regulator, and the fact that audits and new self-assessment tools helped increase organisations’ awareness of their responsibilities.

The statistics show that data protection complaint cases rose to 18,354, around 2,000 more than the previous year. Some 2,565 self-reported data breaches resulted in 16 civil monetary penalties totalling £1,624,500 for serious breaches across a range of public, private and voluntary sectors.

The ICO received more than 166,000 reports about nuisance calls and texts. The ICO issued a record number of 23 fines in this regard, totalling £1,923,000, and issued nine enforcement notices and placed 31 organisations under monitoring.

More than 5,400 freedom of information (FOI) cases were received and 5,100 closed during the year, with 1,351 decision notices, which was “broadly similar” to the previous year, the ICO said.

“We have continued to monitor compliance and raised the threshold for our intervention, taking action if fewer than 90% of their FOI responses fall in the statutory timescale,” the ICO said.

The statistics show the ICO received more enquiries about the legislation it deals with than in the year before.

“Although calls to our helpline were slightly down on last year at 189,942, this was more than made up by new channels including our live chat service, which received 18,864 contacts. Letter and email contacts remained similar to last year,” the ICO said.
People at heart of ICO, says deputy commissioner

The ICO expects its work to intensify next year in the run up to deadline for compliance with the EU’s General Data Protection Regulation (GDPR) on 25 May 2018.

The GDPR introduces a more rigorous data protection regime and stricter penalties for breaches of up to €20m or 4% of annual global turnover, whichever is greater.

Deputy commissioner Simon Entwisle said: “We have advised and educated organisations to help them work within the law and we have taken action when they’ve fallen short of the mark.”

People will continue to be at the heart of what the ICO does as it looks to the future, he said, with the GDPR giving people greater control over their own data.

“We are working closely with organisations to help them understand their obligations and be ready for the new rules,” he said.

Entwisle said ICO staff at every level deserve credit for the contribution they have and continue to make. “Information commissioner Elizabeth Denham’s programme to strengthen the team – in both numbers and expertise – will equip the ICO to meet the challenges ahead.”

Testifying to the House of Lords EU Home Affairs Sub-Committee in a hearing on the new EU data protection package, Denham planned to expand the ICO’s staff to deal with the extra work burden to be imposed by the GDPR.

This includes plans to recruit 200 additional staff to take the total number to around 700 in the next three years, with the most pressing staff needs being in relation to the increased duties imposed by the GDPR and the need to educate people about the implications of the regulation.

Denham said Brexit had also added work for the ICO’s policy staff to ensure they can give advice to government and to parliament about what the various impacts would be of different regulatory arrangements post-Brexit.

In addition to the new work related to the GDPR and Brexit, Denham said the UK is increasing the work it is doing internationally regarding data protection enforcement.

“The ICO is one of the largest regulators globally. We have 35 years’ experience in this space and we have a newly developed international strategy,” she said.

“We are going to continue to lean in and engage deeply in work with our European colleagues on the implementation of the GDPR, but at the same time we are engaging in global enforcement work beyond Europe, which involves building bridges with other regulators around the world.”

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Russian cyber espionage highlights need to improve email security

Security experts are advising political parties and businesses to pay more attention to email security after the latest revelations about a Russian cyber espionage group.

Security experts are advising political parties and businesses to pay more attention to email security after the latest revelations about a Russian cyber espionage group

Email’s renewed popularity as a means of attack is driven by the fact that it does not rely on vulnerabilities and uses simple deception to lure victims into opening attachments, clicking links or disclosing credentials, according to Symantec’s latest threat report.

In particular, credential phishing has been a key part of many cyber attacks by Pawn Storm on armed forces, the defence industry, news media, politicians and dissidents, according to a report by security researchers at Trend Micro.

They have found that the group is creating phishing emails that are highly sophisticated, almost perfectly replicating legitimate URLs and using a technique called “tabnabbing” which swaps inactive open tabs with a phishing site.

Pawn Storm was widely linked to cyber attacks on the Democratic National Committee and Hillary Clinton’s campaign in the 2016 US presidential election, and more recently was found to be targeting French presidential candidate Emmanuel Macron, the report said.

Pawn Storm is also believed to have targeted the German political party Christian Democratic Union (CDU), the Turkish parliament, the parliament in Montenegro, and the World Doping Agency (WADA).

These activities have raised concerns about the cyber security of political parties, with several elections due across Europe in 2016, including the UK in June.

At a minimum, there is no excuse not to implement the Dmarc (domain-based message authentication, reporting and conformance) email authentication policy to help identify and block malicious emails impersonating trusted domains.

Implementation of Dmarc is mandatory for public sector bodies as part of the active cyber defence programme led by the National Cyber Security Centre (NCSC).

However, other advanced precautions also need to be taken, with an emphasis on verifying the identity of the sender.

Candidates for public office and political parties, like businesses, create and store a lot of data in vulnerable places, he said.

According to the 2017 Varonis Data Risk Report, on average organisations have 20% of folders open to every employee, and 47% have at least 1,000 or more files containing sensitive personal or financial data accessible to every user.

One compromised account or system can compromise a massive amount of data, and possibly an election.

If the highly targeted phishing attacks on French presidential candidate Emmanuel Macron’s campaign had been successful in stealing credentials, the attackers would have become virtual “insiders”, gaining access to files and emails that could influence the election.

The Trend Micro report on Pawn Storm recommends that organisations improve the security of their email and defend against credential theft by considering the following:

Even though two-factor authentication improves security, it does not make social engineering impossible because all temporary tokens can be phished by an attacker.
Even when two-factor authentication is used, an attacker only has to phish for the second authentication token once or twice to get semi-permanent access to a mailbox. They can set up a forwarding address or a token that allows third-party applications full access to the system.
Mandatory logging in to a company VPN network does raise the bar for an attacker. However, VPN credentials can also be phished, and targeted attackers may specifically go after VPN access credentials.
Authentication with a physical security key makes credential phishing virtually impossible unless the attacker has physical access to the target’s equipment. When a target uses a physical security key, the attacker either has to find an exploit to get unauthorised access, or has to get physical access to the security key and the target’s laptop.
To add to authentication methods that are based on what you know and what you have, authentication can be added is based on what you are: fingerprints or other biometric data. Biometrics have already been used by some laptops and phone suppliers, and have also been a common authentication method in datacentres for more than a decade.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

How cyber warfare is escalating- machines v hackers

There is a gaping hole in the digital defences that companies use to keep out cyber thieves.

There is a gaping hole in the digital defences that companies use to keep out cyber thieves.

 

The hole is the global shortage of skilled staff that keeps security hardware running, analyses threats and kicks out intruders.

Currently, the global security industry is lacking about one million trained workers, suggests research by ISC2 – the industry body for security professionals. The deficit looks set to grow to 1.8 million within five years, it believes.

The shortfall is widely recognised and gives rise to other problems, says Ian Glover, head of Crest – the UK body that certifies the skills of ethical hackers.

“The scarcity is driving an increase in costs,” he says. “Undoubtedly there’s an impact because businesses are trying to buy a scarce resource. And it might mean companies are not getting the right people because they are desperate to find somebody to fill a role.”

While many nations have taken steps to attract people in to the security industry, Mr Glover warns that those efforts will not be enough to close the gap.

Help has to come from another source: machines.

That is a problem when the analysts expected to defend companies are “drowning” in data generated by firewalls, PCs, intrusion detection systems and all the other appliances they have bought and installed, he says.

Automation is nothing new, but now machine learning is helping it go much further.

The analytical power of machine learning derives from the development of algorithms that can take in huge amounts of data and pick out anomalies or significant trends.

These “deep learning” algorithms come in many different flavours.

Some, such as OpenAI, are available to anyone, but most are owned by the companies that developed them. So larger security firms have been snapping up smaller, smarter start-ups in an effort to bolster their defences quickly.

Simon McCalla, chief technology officer at Nominet, the domain name registry that oversees the .uk web domain, says machine learning has proven its usefulness in a tool it has created called Turing.

This digs out evidence of web attacks from the massive amounts of queries the company handles every day – queries seeking information about the location of UK websites.

Mr McCalla says Turing helped analyse what happened during the cyber-attack on Lloyds Bank in January that left thousands of customers unable to access the bank’s services.

The DDoS attack generated a huge amount of data to handle for that one event, he says.

“Typically, we handle about 50,000 queries every second. With Lloyds it was more than 10 times as much.”

Once the dust had cleared and the attack was over, Nominet had handled a day’s worth of traffic in a couple of hours.

Turing absorbed all the information made to Nominet’s servers and used what it learned to give early warnings of abuse and intelligence on people gearing up for a more sustained attack.

It logs the IP addresses of hijacked machines sending out queries to check if an email address is “live”.

“Most of what we see is not that clever, really,” he says, but adds that without machine learning it would be impossible for human analysts to spot what was going on until its intended target, such as a bank’s website, “went dark”.

The analysis that Turing does for Nominet is now helping the UK government police its internal network. This helps to block staff accessing dodgy domains and falling victim to malware.

There are also even more ambitious efforts to harness the analytical ability of machine learning.

At the Def Con hacker gathering last year, Darpa, the US military research agency, ran a competition that let seven smart computer programs attack each other to see which was the best at defending itself.

The winner, called Mayhem, is now being adapted so that it can spot and fix flaws in code that could be exploited by malicious hackers.

Machine learning can correlate data from lots of different sources to give analysts a rounded view of whether a series of events constitutes a threat or not, says Mr Tavakoli.

It can get to know the usual ebbs and flows of data in an organisation and what staff typically get up to at different times of the day.

So when cyber thieves do things such as probing network connections or trying to get at databases, that anomalous behaviour raises a red flag.

But thieves have become very good at covering their tracks and, on a big network, those “indicators of compromise” can be very difficult for a human to pick out.

Data breaches cost tens of millions off UK firms’ market valueData breaches cost tens of millions off UK firms’ market value

Security experts say the fact that data breaches at FTSE 100 firms cost on average £120 million in market value should be a wake-up call for boards to ensure they have an adequate cyber security strategy.

Security experts say the fact that data breaches at FTSE 100 firms cost on average £120 million in market value should be a wake-up call for boards to ensure they have an adequate cyber security strategy

Cyber attacks on top UK companies are leading to losses of 1.8% of share price or £120 million on average, according to a study on the effects of data breaches on share prices.
This has doubled in the past 18 months, according to the report released by global advisory firm Oxford Economics and IT and business process services firm CGI.
The report is based on a study of 65 severe or catastrophic breaches at FTSE 100 companies in the past four years and indicates that investors are now punishing companies more harshly for cyber attacks.
The cyber value connection report, which is aimed at helping senior business people understand the impact of cyber breaches on company market value, reveals that investors have lost at least £42bn since 2013 due to the severe public domain cyber security incidents used for the study.
However, the report notes that this figure includes only 65 publicly known severe breaches, which means the true amount of company value lost due to cyber attacks is likely to be far higher.
The report examines factors such as how new regulations for mishandling data will also strongly impact the public visibility of future breaches and therefore how organisations will plan for, manage and report cyber crime as incidents continue to rise.
A good example of the effects of data breaches on company value is Yahoo, which was forced to discount by $350 million the sale price of its core business to Verizon after revelations of data breaches in 2013 and 2014 affecting one billion and 500 million accounts, and of hackers forging cookies to gain access to customer accounts.
The cost of cyber attacks to investors is likely to skyrocket in the near future, said Rogoyski, as the General Data Protection Regulation (GDPR) and Network Information Security (NIS) directive mean that firms dealing with European citizens’ data must disclose all breaches of that data.
They estimate that only around 10% to 20% of the major breaches companies suffer in Europe are currently made public, so lost shareholder value across European markets could rise by as much as a factor of 10 when the new regulations take effect in May 2018.

CGIís recommends eight steps to achieve effective cyber security governance:

1. Appoint someone at board level to be responsible for cyber security with the authority and know-how to address the risks and demonstrate leadership during times of crisis.
2. Include cyber security on every board agenda, reporting on: risk to the business, nature of sensitive data and mitigation progress at a minimum.
3. Treat cyber security as a company-wide business risk and assess as you would with other key business risks such as major safety issues, environmental disasters and accounting scandals,
4. Ensure that the company understands the rapidly developing legal landscape that applies to cyber risk ñ in particular, begin preparing for the GDPR and NIS directive now.
5. Get specialist expertise to advise and inform the board, whether from internal teams or external advisors.
6. Set a programme of work to manage cyber risk, allowing a realistic time and budget.
7. Encourage discussion about risk appetite, risk avoidance, risk mitigation and cyber security insurance.
8. Assume you have already been breached but you might not yet know about it. Take action to reassure yourself no such attack has taken place, but plan on the assumption that they have.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email
assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

UK businesses need to up cyber security with one in five hit by attacks

Big UK businesses are targeted by cyber attacks more heavily, but all need to improve cyber security with one in five UK firms falling victim in the past 12 months.

Big UK businesses are targeted by cyber attacks more heavily, but all need to improve cyber security with one in five UK firms falling victim in the past 12 months  

Out of the 20% of UK businesses hit by cyber attacks in the past year, 42% were companies with more than 100 staff, compared with 18% with fewer than 99 employees, according to the survey of more than 1,200 businesses by the British Chambers of Commerce (BCC).

The results indicate that 63% of businesses are reliant on IT providers to resolve issues after an attack, compared with just 12% of banks and financial institutions and 2% of police and law enforcement organisations.

The findings show that while 21% of businesses believe the threat of cyber crime is preventing their company from growing, only a quarter of businesses have cyber security accreditations in place, such as the UK governmentís Cyber Essentials Scheme or ISO 27001.
Smaller businesses are far less likely to have accreditation, with 10% of sole traders and 15% of those with 1 to 4 employees having accreditations, compared with 47% of businesses with more than 100 employees.
Of the businesses that do have accreditations, nearly half believe it gives their business a competitive advantage over rival companies, and a third consider it important in creating a more secure environment when trading with other businesses.
Businesses that use personal data should be mindful that they will have to comply with the General Data Protection Regulation (GDPR) from 25 May 2018.
In October 2016, the Payment Card Industry Security Standards Council (PCI SSC) warned that UK businesses could face up to £122 billion in penalties for data breaches under the GDPR, which will introduce fines for groups of companies of up to Ä20m or 4% of annual worldwide turnover, whichever is greater ñ far exceeding the current maximum of £500,000.
Using UK data breach statistics for 2015 and a maximum fine of 4% of global turnover, the fines paid to the European regulator could see a near 90-fold increase, from £1.4bn in 2015 to £122bn, the PCI SSC calculated.
The cyber threat to UK business is significant and growing, according to a joint report by the UK National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) published in March 2017.
However, the report said UK businesses should not be defeatist. There are ways of mitigating attacks, the report said, adding that the NCSC is working with government agencies, tech companies and industry to fix some lower-level threats automatically and at scale to enable information security professionals to focus on the most damaging threats.
The report also said businesses should improve basic defences. Cyber attack is inevitable, the report said, adding that even basic cyber defences can protect against most of the attacks affecting businesses and that weak defences are likely to invite repeated attacks.
Businesses should handle all data assets as potential targets because there is a market value for all data that can be exploited by criminals, the report said. It also recommended promoting awareness of stronger basic ìcyber hygieneî to customers and employees.
Businesses should be more open to sharing knowledge and expertise, as all businesses can benefit from doing so in a secure, confidential and timely manner through services such as the Cyber-security Information Sharing Partnership (CiSP), the report said.
Developing cyber skills and awareness was another key piece of advice. Partnership work between law enforcement and industry, the report said, has led to the improvement of cyber knowledge for the wider public and industry.
Finally, businesses should report the crime to Action Fraud. If cyber attacks are reported, the report said law enforcement agencies can investigate, arrests can be made and preventative actions can be taken.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email
assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

What to do first when hit by a cyber attack

At some point, your business may have to deal with a cyber security incident. But when you are under pressure and your team is stressed, people make mistakes.

At some point, your business may have to deal with a cyber security incident. But when you are under pressure and your team is stressed, people make mistakes.

Delaying too long in making critical response decisions may exacerbate the impact of the incident but, conversely, making knee-jerk decisions can cause further damage to the business or hinder a complete response.
There are many ways you may suspect that a security incident has happened, from detecting unusual activity through proactive monitoring of critical systems or during audits, to outside notification from law enforcement and compromised data located in the wild.
However, indicators such as unusual CPU (central processing unit) and network usage on a server may have multiple potential causes, many of which are not information security incidents. So it is vital to investigate further before jumping to conclusions.
Do you have any corroborating evidence? For example, if the IDS (intrusion detection system) detects a brute force attack against the website, do web logs support this having occurred? Or, if a user reports a suspected phishing attack, has this email been received by other users and did the user click on links or open documents?
You also need to think about answering questions about the nature of the incident. Is it a generic malware infection, or an active system hack?  Is there an intentional denial of service (DoS) attack in progress and is this an incidence of deliberate insider action?
Once you have confirmed an incident has occurred, you need to take time out from initial response activities to prioritise your actions and decide, definitively, what the business objectives are for the response operation. Incident triage generally consists of classifying the incident in terms of impact and urgency and how it should be handled. The incident response team can then use the impact, urgency and priority evaluation to define the objectives for the incident response operation and assign actions or further investigation, as required.
Impact classifications defined by the National Cyber Security Centreís (NCSC) GovCertUK and adopted by Crest, the body that represents the technical security industry, may provide a useful point of reference for initial classification based on the perceived or established impact.

These incidents will usually cause the degradation of vital service(s) for a large number of users, involve a serious breach of network security, affect mission-critical equipment or services or damage public confidence in the organisation.
It is not necessary to report on incidents with little or no impact or those affecting only a few users, such as isolated spam or antivirus alerts, minor computer hardware failure and loss of network connectivity to a peripheral device, such as a printer.

 

Isolated anti-virus alert or spam email.

The urgency of an incident should also be assessed along with the impact. Some incidents are unlikely to worsen over time, such as the discovery of a historical compromise by a former employee. But in other cases, such as a ransomware outbreak, it may be absolutely critical to respond rapidly to isolate the infection.
Mobilising full emergency incident response capabilities may not be applicable or appropriate in every situation. You need to understand as much about what you are dealing with as you can. For example, who is the attacker? How was the attack introduced? When did the attack occur? What data or systems have been compromised? Is the attack ongoing? Why were we the target of the attack?

The goal of triage is to understand the methodology and the extent of the attack as fully as possible, in the shortest possible time.

Information about the incident, the impact, urgency and business impact analysis for the affected data or systems will guide the incident response operation. If possible, the business priorities should be pre-determined and documented in incident response plans.
For organisations with known advanced threat actors, continued covert observation of an attacker to determine their goals and modus operandi may be an objective of the incident response operation for intelligence-gathering purposes, even if the urgency for containment is high. Experienced internal or external incident handlers should be used to inform these decisions.
Once the priority of the incident and the objectives of the response have been defined, it is time to act and allocate activities to the incident response teams.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email
assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139