SRM Blog

It’s not a question of if, but when

Why board level commitment is a vital part of cyber defence

It is difficult to defend against an attacker who only needs to succeed once. Security controls might hold 99 times out of 100, but faced with a relentless campaign that probes for and targets any crack, it is almost inevitable that at some point, somewhere, the attacker will get through.

Data and personal information are valuable commodities, and their theft is the most common form of cyberattack. Recent high-profile incidents at TalkTalk and the NHS have demonstrated that even very large organisations are vulnerable. Against this background, in November 2016 the Government announced a £1.9 billion investment to help UK businesses protect themselves.

New legislation is also imminent, giving organisations a robust data protection framework in which to operate. If the hackers are the criminals, these are the laws that the relevant authority, the Information Commissioner’s Office (ICO), enforces. From May 2018, failure to comply with the new Data Protection Bill and the General Data Protection Regulation (GDPR) can result in significantly higher fines, and this has certainly focused the attention of many of the FTSE 350 boards surveyed in the recent Government Cyber Health Check.

The report found that awareness of GDPR is good: 97 per cent of firms said they are aware of the new regulation. Levels of readiness vary, however. 71 per cent said they are ‘somewhat prepared’ to meet the requirements of GDPR, but only 6 per cent are confident that they are fully prepared.

This is perhaps not surprising given that only 13 per cent say that GDPR is regularly considered at board meetings. This is dangerous thinking. When it comes to data protection it is simply not reasonable or effective to make it the sole responsibility of the IT department. The same is true of cyber defence. These are board level issues and need to be embedded into the board’s approach.

It is no longer acceptable simply to be reactive. Every board should be proactive: an assessment of current risk and a review of open security issues should be standing items on its agenda. A security sub-group can manage this vital aspect of the business effectively, but it must have board-level endorsement and input. The aim should be a company-wide cyber security strategy which is constantly challenged and reinforced.

Given that the threat landscape is always changing, every organisation’s cyber defence should also include a strategic plan for what happens in the event of a breach. Swift remedial action is vital to minimise the impact, and a plan prepared in advance helps ensure business continuity and protects against loss of income and reputation. This plan may include working with retained PCI Forensic Investigator (PFI) experts. Not only can they assist the board in implementing a robust defence; if (or when) a breach occurs, their existing knowledge of the company’s systems shortens the investigation and limits the damage to finances and reputation.

Today: new UK Data Protection Bill published

The new UK Data Protection Bill, published today, will come into force in May 2018, coinciding with the date from which the European Union’s General Data Protection Regulation (GDPR) applies across Europe. Introduced as part of the multi-million pound National Cyber Security Strategy, the new legislation will effectively bring the GDPR into UK law, helping Britain to prepare for a successful Brexit.

Minister for Digital Matt Hancock says: ‘As the UK leaves the EU we will ensure we have one of the most robust systems for protection of intellectual property anywhere in the world, for all civilised societies are based on the fair and equal protection of property rights.’

He adds: ‘Our task is to strike the right balance between freedoms and responsibilities online, such that the solutions can be applied globally, and the whole free world can emulate our approach. That is our plan.’

The drive behind the bill is to protect the online data of people and businesses. According to Mr Hancock: ‘We must build an internet based on liberal and not libertarian values, where we cherish freedom yet prevent harm to others’.

The bill contains measures to clamp down on cyber-bullying and strengthen child protection, as well as protecting individuals’ and companies’ data online.

The key provisions also include:

  • Providing a simpler process for individuals to withdraw consent for their personal data to be used;
  • Giving individuals the right to request that their personal data is deleted;
  • Allowing for the re-identification of people from anonymised or pseudonymised data if a criminal offence is suspected.

The last point refers to one significant difference between the UK Data Protection Bill and the European legislation: some ‘vital’ exemptions have been made where the public interest is served. These include areas relating to ‘freedom of expression’, where journalists access personal data to expose wrongdoing. Journalists will also be allowed to preserve the anonymity of their sources and to access personal data without consent if doing so is deemed to be in the public interest.

In addition, the new Data Protection Bill allows anti-doping agencies to access personal data when pursuing suspected drug cheats and, in the case of financial services companies, where there are suspicions of terrorist financing or money laundering. To safeguard the innocent, new criminal offences will be created to deter organisations from intentionally or recklessly creating situations in which someone could be identified from anonymised data.

While the Data Protection Bill will become law for all UK organisations, the GDPR will be a legal requirement for any organisation handling data relating to EU citizens, which in today’s online world is almost everybody. Thankfully the two overlap almost entirely in the areas relating to the handling of personal data in a business context. The financial penalties for data breaches or non-compliance are equally severe: fines of up to £17 million or 4 per cent of global annual turnover, whichever is higher.

The important point is that May 2018 is not far away, so the process of integrating the new data protection requirements should be well underway. For strategic and practical input in developing up-to-date data protection policies, SRM’s team includes GCHQ-approved GDPR practitioners with the expertise to work with clients to build robust and cost-effective defences.

The Equifax breach and how it impacts the UK

Cyberattacks do not recognise national boundaries, as the latest breach at the US credit reference agency Equifax proves. Although the company has now reported the breach of 143 million customer records to US law enforcement agencies, albeit five weeks after the event, individuals in the UK and Canada are also affected. Data regulations in those countries are different, so UK and Canadian regulators are now becoming involved to manage the next steps in their respective jurisdictions.

Although Equifax’s core consumer and commercial credit databases were not accessed, it is apparent that the names, social security numbers, birth dates and addresses of 143 million customers have been obtained. It is also believed that around 209,000 customers had driving licence numbers and credit card details stolen. This is not simply an American problem, because the breach is not limited to the company’s US operations. It affects British customers too, including those who hold accounts with BT and British Gas. The exact number of British customers at risk has not been established, but the Information Commissioner’s Office (ICO) is investigating and has requested that Equifax contact all affected UK customers as soon as possible.

James Dipple-Johnstone, ICO Deputy Commissioner, says: ‘Reports of a significant data loss at US-based Equifax and the potential impact on some UK citizens gives us cause for concern’. The ICO also states: ‘In cyberattack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens’.

Thought to have been carried out through a web application vulnerability, the Equifax breach is one of the largest ever reported in the United States. Another massive global data breach which originated in the US was the attack on Yahoo, which exposed 1 billion records and also affected its UK customers.

In a world where global brands are constantly under threat, it is worth noting that American data protection law is very different from our own. It is becoming more permissive: on 3rd April President Trump signed a new law making more personal data legally available. Meanwhile in Europe, organisations face even stricter data protection obligations under the forthcoming General Data Protection Regulation (GDPR), which comes into force on 25th May 2018.

GDPR requires UK companies to observe new procedures and take even greater responsibility for how they collect, share, use and store customers’ data. Embracing the stringent rules of GDPR need not be onerous; with the right advice and guidance they can be met in a way that actually enhances a business. GDPR may also give British companies a competitive advantage, because data held by organisations adhering to its requirements should be better protected.

University CISOs face tough challenges in the next academic year

University Chief Information Security Officers (CISOs) have had a tough time lately. According to information obtained under the Freedom of Information Act by The Times newspaper, some of the UK’s top universities saw cyber security breaches double in 2016-17, suffering a total of 1,100 breaches, including instances of research data being compromised. Given the value of the data, and of research projects in particular, this trend is likely to continue into the next academic year.

With an institution’s reputation at stake, the CISO is often judged not on the attacks they prevent but on the ones they fail to prevent. The same is true of any business that operates online. Increasingly, the corporate world looks to specialist CISO support to enhance and support the resident CISO, and universities are also beginning to see the advantages of additional professional CISO support.

As with their corporate counterparts, the university CISO’s role is not limited to managing a robust defence of the institution’s systems. To be really effective, it needs to go beyond a thorough understanding of information technology and cyber defence. CISOs also need to be business leaders, garnering support across all departments, with influence at the highest level and the industry knowledge to anticipate future trends. Few individuals have the skills or resources to fulfil all these roles without additional support.

Just as the finance department works with professional accountants and the legal department works with specialist lawyers, so the CISO benefits from a collaborative relationship with information security specialists whose role is to support, enhance and resource the CISO function within the university.

At SRM we have a professional team with a high level of expertise and experience in supporting the CISO function. We offer VirtualCISO™, a totally bespoke service providing as much or as little support as the individual organisation requires. We are also able to provide a tailored package to support university CISOs in their specific role, focusing on strategic guidance in the definition and maintenance of an effective security strategy and business continuity plan.

Because we are immersed in the information security industry, we are also able to take a proactive approach to keeping up to date with ever-changing threats, including the latest social engineering techniques. We provide training for all relevant personnel in how to manage change across the broad spectrum of legal requirements, such as data protection, the emerging GDPR legislation and computer misuse.

In addition we are able to assist in the development and delivery of senior-level presentations detailing an organisation’s security posture to key stakeholders, while also providing a full range of other services including information security testing and incident response.

US statistics warn of new trends in cybercrime: how a retained PFI can mitigate the risks

Statistics provide useful evidence of the trends developing within the world of information security. Figures compiled from attacks reported in the United States during July 2017 give a sector-by-sector breakdown, providing some insight into the motivation of cyber attackers. As we all know, cybercrime is international, and these trends are likely to be reflected in the UK in the coming months. The key figures from this latest research show an increasing proportion of attacks on individuals and an increase in the proportion motivated by crime.

In fact, the share of US cyberattacks targeting individuals almost doubled between June and July 2017: in June 14.1 per cent of recorded attacks were aimed at single individuals, but in July this figure had risen to 27.5 per cent. Of course, this still means that other sectors account for nearly three quarters of all cyberattacks. Industry (26.1%), Government (8.7%), Healthcare (8.7%) and Finance (5.8%) were the other major targets.

As for motivation, that 84.1 per cent of attacks in July 2017 were motivated by cybercrime is no great surprise. The fact that this figure has risen by 15.3 per cent since June, however, is worthy of note. Rogue individuals with the requisite skill set have long been attracted by financial reward, yet in the past cyber espionage, cyber warfare and hacktivism figured more significantly in these statistics. So theft is on the increase.

What does this mean for UK businesses? Given that the trend is toward attacks on individuals, the relevance may not be obvious. But we have noticed a correlation between an escalation in attacks on individuals and heightened awareness among the business community. This is partly due to the power of the media, but also to the even greater power of word of mouth: when business owners learn that someone they know has had an account hacked, they are more likely to look at their own business’s online security.

As far as we are concerned, any news of this type is helpful, because the fact is that cybercrime is on the increase. Whether it is the slow and subtle syphoning off of funds from an unsuspecting retailer or a massive, much-publicised hack with a ransom demand, like the one inflicted on HBO, theft is nowadays more likely to be an online activity than a physical one.

If an incident occurs, swift action is required to minimise its impact. But prevention is always better than cure, which is why increased awareness is a good thing. The more businesses that retain an information security consultant to ensure their defences are robust, the fewer will be hacked. Those who take card payments online also benefit from retaining a PCI Forensic Investigator (PFI) to support their card payment environment.

SRM offers a full range of services to protect the online environment. Using tools ranging from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that our clients’ online environment is as robust as possible. We also provide a bespoke retained PFI service, working proactively through regular strategic reviews to develop enhanced risk mitigation. By anticipating the areas most likely to be attacked, we provide highly targeted, cost-effective solutions.

Given the constantly evolving world of cybercrime and the ingenuity of hackers, however, attacks can and do happen. But with a retained PFI already familiar with a company’s systems, remediation is rapid and disruption minimal.