Can Decision Cycles help us maintain the initiative in cyberspace?
As our world gets increasingly complex we must choose the levers we use to influence it with care. One way to look at this is through the lens of decision cycles.
For those not familiar with this concept, decision cycles are the cyclic process through which we perceive a stimulus, understand its implications, decide on a response and implement that decision. (There are a number of models and references). Simplistically, if we can make effective decisions quicker than our opponents, then we will, theoretically, hold the initiative.
The decision cycle lens is a useful one for those responsible for making decisions about cyber related issues as it throws any dangerous policies into harsh relief.
Most businesses work in a world where their policies, and here I’m talking about management intent rather than paperwork, refresh on a 12 month cycle based on standards which tend to refresh on a 5 year cycle. I note many will be smiling ruefully at this optimistic view!
In today’s information environment many of our risks are changing on a much smaller (faster) cycle, measured in days and weeks rather than months. Our operational tempo is defined not just by the speed of change, but by the way that the speed of change is accelerating.
This presents us with an exciting challenge: if we rely on static policy and processes – and many organisations still do – then we must expect our adversaries to outmanoeuvre us, and our risks to out-evolve us.
Where does this take us? Decision cycle theory gives us a number of areas where we can hard-wire agility into our business systems.
* Firstly, we can ensure that our warning, reporting, alarm and monitoring systems (Technical and Procedural) are tuned to report those events that most concern us.
* Secondly, we can ensure that we fully understand our own vulnerabilities and sensitivities, and the impact that adverse events will have on our operations. We can test and exercise those scenarios that most concern us. We can challenge our own assumptions. This will enable us to understand impacts and qualify outcomes more quickly.
* Thirdly, we do need to understand our own options, their limitations, and review these on a regular basis. This will enable us to make decisions more quickly.
* Finally, we need to ensure that our implementation of these decisions is well planned and, where possible, practised. We must also review effectiveness at every level and make the changes that are required at any part of the cycle.
All of this would seem to be common sense… though is often not done in practice. There are many reasons for this, ranging from technical inertia to process stagnation. The important thing is that we acknowledge and track our challenges – then we can mitigate the changing risks.
If we are able to design agility into our business systems and processes, and if we tune our organisations so that we can take a proactive posture, then we can keep the initiative. The simple decision cycle model then gives us an easy way to challenge our posture on a regular basis to establish where and when change is required.
This is not rocket science, but many of us do seem to find it surprisingly hard. This simple model is one way of stepping forward and bringing effect to bear in our defence.
Client files on home computers must be encrypted
Barrister fined by ICO for data protection breach
A recent ruling by the Information Commissioner’s Office highlights the responsibility of professionals to safeguard client data held on their home computers. While work systems are usually well protected, oversights on non-work systems can put clients’ data at risk. The ICO has just released details of a penalty imposed on a barrister who had created work documents on her home computer but had not encrypted these files.
The case for the prosecution: a lady barrister held sensitive client information on a desktop which was also used by her husband. Although the computer was password protected the files were unencrypted. This ignored the guidance issued in January 2013 by the Bar Council and her Chambers that a computer used by family members or others may in addition require encryption.
The barrister’s husband updated software on the shared desktop and, to back up the files, temporarily uploaded them to an online directory. He assumed the documents were safe.
However, the documents were visible to an internet search engine and 15 documents were cached and indexed. Six of the 15 documents contained ‘confidential and highly sensitive’ information relating to clients involved in proceedings. Although the husband immediately removed the files from the online directory and the internet service provider removed the cache the next day, the ICO found that the barrister contravened the provisions of the Data Protection Act.
The contravention was considered to have run from the date of the January 2013 Bar Council guidance to 5 January 2016 when remedial action was taken. The files contained confidential and highly sensitive information relating to between 200 and 250 individuals.
Due to the number of individuals affected and the sensitive nature of the information, the ICO consider the contravention sufficient to cause ‘distress’ to the clients and that there were justifiable concerns that the information would be further disseminated, ‘even though those concerns did not actually materialise’.
The Commissioner considered, in her defence, that she did not intend to contravene the DPA and that her actions were a ‘serious oversight’ rather than a deliberate attempt to ignore or bypass the DPA; nevertheless, she should have realised that there was a risk. Taking all this into account, the Commissioner decided on a penalty of £1,000.
When the new Data Protection Bill and the EU General Data Protection Regulation (GDPR) come into effect in May 2018 the ICO will have the right to impose significantly larger fines. The scale will be much higher than under current legislation. At the moment the theoretical maximum the ICO can impose is £500,000 but under GDPR it will be 20 million Euros. This equates to a 79 times increase. Theoretically, therefore, the barrister could have been fined up to £79,000 if the contravention had occurred next year.
So while organisations are working toward the new compliance, it is important that individuals also realise that the same principles apply to home computers. Security protocols should be clearly outlined in every corporate strategy and be made known to all individuals working remotely.
SRM has operated in the information security environment since 2002 and our consultants are skilled at performing security assessments and managing strategic compliance projects. Our GDPR team is GCHQ trained and works with clients to achieve all types of ongoing compliance.
US statistics warn of new trends in cybercrime: how a retained PFI can mitigate the risks
Statistics provide useful evidence of the trends developing within the world of information security. Figures compiled from reported attacks in the United States for July 2017 give us a breakdown of attacks sector by sector, providing some useful insight into the minds of cyber attackers and their motivation. As we all know, cybercrime is international and these trends are likely to be reflected in the UK in the coming months. The key figures from this latest research show an increasing trend towards attacks on individuals and an increase in the number of attacks motivated by crime.
In fact, the number of cyberattacks on individuals in the US doubled between June and July 2017. In June 14.1 per cent of recorded attacks were targeted at single individuals but in July this figure had increased to 27.5 per cent. Of course, this still means that other sectors account for nearly three quarters of all cyberattacks. Industry (26.1%), Government (8.7%), Healthcare (8.7%) and Finance (5.8%) were the other major targets.
As for motivation, that 84.1 per cent of attacks in July 2017 were motivated by cybercrime is no great surprise. The fact that this particular motivation has increased by 15.3 per cent since June, however, is worthy of note. Rogue individuals with the requisite skill set have long been attracted by financial reward, yet in the past Cyber Espionage, Cyber Warfare and Hacktivism figured more significantly in these statistics. So theft is on the increase.
What does this mean for UK businesses? Given that the trend is toward an increase in crimes on individuals, it may not be obvious. But we have noticed a correlation between an escalation in individual attacks and a heightened awareness among the business community. This is perhaps due to the power of the media but also to the even greater power of word-of-mouth: when business owners become aware that someone they know has had an account hacked, they will be more likely to look at their own business’s online security.
As far as we are concerned, any news of this type is helpful. Because the fact is that cybercrime is on the increase. Whether it is the slow and subtle syphoning off of funds from an unsuspecting retailer or a massive much publicised hack demanding ransoms like the one inflicted on HBO, theft is nowadays more likely to be an online activity than a physical one.
If an incident occurs, swift action is required to minimise the impact of an individual attack. But prevention is always better than cure. That is why increased awareness is always a good thing. The more businesses that retain an information security consultant to ensure their defences are robust, the fewer will be hacked. Those who trade online also benefit from a PCI Forensic Investigator (PFI) to protect their card payments.
SRM offers a full range of services to protect the online environment. Using a range of tools from penetration testing to vulnerability assessments and network security testing, we enhance risk mitigation and ensure that the online environment of our clients is as robust as it is possible to be. We also provide a bespoke retained PFI service, working proactively through regular strategic reviews to develop enhanced risk mitigation. Anticipating the potential risk areas for attack, we provide highly-targeted cost-effective solutions.
Given the constantly evolving world of cybercrime and the ingenuity of hackers, attacks can and do happen, however. But with a retained PFI already familiar with a company’s systems, remediation is rapid and disruption minimal.
How poor data-stripping can expose organisations to Spear Phishing attacks
A survey for the BBC has discovered that poor data-stripping on websites leaves information in place which provides valuable intelligence for Spear Phishing attackers. By not removing key metadata, organisations are providing potential hackers with a doorway into systems which are otherwise well-defended.
This survey comes at a time when the number and extent of breaches continues to rise, with hacking reportedly accounting for 41% of disclosed breaches. At the same time, organisations are racing to comply with the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018. With significantly larger fines in prospect, many organisations will do well to include data-stripping in their information security defence strategy or risk being unknowing victims of a sophisticated breach.
In the BBC’s research, target websites were ‘scraped’ for several days, with samples taken from files, pictures, PDFs, spreadsheets and other publicly available documents. During this process, metadata was retrieved which betrayed key information about the people who created the files, when they did it, and the version of the software and machine which they used.
This type of data cache provides a perfect starting point for a sophisticated Spear Phishing attacker to relate the names buried in the documents to real people. Using social media, useful information on individuals can be obtained. The more information hackers can obtain, the better they will be able to customise their attack.
Emails are then sent out which appear to the majority of recipients to be authentic. But they contain booby-trapped attachments. In some cases, the virus code that attackers bury in the malicious attachments can lurk until it hits the device used by a particular target.
This is because Chief Executives and senior directors are rarely targeted directly. It is much more usual for their assistants or teams to be the first point of contact. These people are often in positions where they will have access to company-sensitive information or records as well as direct online access to the real targets. Sometimes even passwords are obtained this way, and all this happens long before any breach is discovered. Emails requesting information will not, in these instances, be seen as suspicious, and once armed with details a range of criminal activities can be undertaken, from redirecting payments to the criminals’ bank accounts to demanding ransomware payments from the organisation itself.
It is, of course, wise to include meta-searching for information from website files and stripping out data as part of routine security. While it is policy in many firms to do so, however, there is not always the due diligence and process to do it. A public information search can, however, be included as a phase within a penetration test. Penetration tests conducted by qualified experts will provide intelligence on specific areas of weakness within a system. If included in the scope, meta-searching and data-stripping can ensure that the company’s digital footprint leaves no traces for potential hackers to exploit.
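As an added illustration (not code from the BBC survey or from SRM), the following Python shows both halves of the routine the paragraph above calls for: reporting the identifying properties a scraper would pull from a published Office document, and stripping them before publication. The sample .docx is constructed inline; the element names are the ones the OOXML format uses for the properties in question, and the regex approach assumes the flat text elements Office writes rather than arbitrary XML.

```python
import io, re, zipfile

# OOXML files (.docx/.xlsx/.pptx) are zip archives; the properties the survey describes live in
# two parts: core.xml (people, timestamps) and app.xml (software and version).
PROPERTY_PARTS = ("docProps/core.xml", "docProps/app.xml")
# Elements that name a person, date the work or fingerprint the tooling. Office writes them as
# flat text elements, so a regex is enough here: group 1 = name, 2 = attributes, 3 = value.
SENSITIVE = re.compile(
    rb"<(dc:creator|cp:lastModifiedBy|dcterms:created|dcterms:modified|"
    rb"Application|AppVersion|Company)([^>]*)>([^<]*)</\1>")

def read_part(docx_bytes, name):
    """Return one part of the archive, or b"" if it is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name) if name in z.namelist() else b""

def extract_metadata(docx_bytes):
    """Report what a scraper would learn from a published file: {field: value}."""
    found = {}
    for part in PROPERTY_PARTS:
        for m in SENSITIVE.finditer(read_part(docx_bytes, part)):
            found[m.group(1).decode()] = m.group(3).decode()
    return found

def strip_metadata(docx_bytes):
    """Return a copy with those elements removed; every other part is copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name in PROPERTY_PARTS:
                data = SENSITIVE.sub(b"", data)  # the property parts are optional in OOXML, so dropping elements is safe
            dst.writestr(name, data)
    return out.getvalue()

# Constructed sample (not a real client file): a minimal .docx with the values Word would record.
_CORE = (b'<?xml version="1.0" encoding="UTF-8"?>'
         b'<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"'
         b' xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"'
         b' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title>Board pack</dc:title>'
         b'<dc:creator>jane.doe</dc:creator><cp:lastModifiedBy>ceo-pa</cp:lastModifiedBy>'
         b'<dcterms:created xsi:type="dcterms:W3CDTF">2017-09-01T09:12:00Z</dcterms:created></cp:coreProperties>')
_APP = b'<Properties><Application>Microsoft Office Word</Application><AppVersion>16.0000</AppVersion></Properties>'

def make_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in zip(PROPERTY_PARTS + ("word/document.xml",), (_CORE, _APP, b"<document>Q3 results</document>")):
            z.writestr(name, data)
    return buf.getvalue()
```

PDFs, images and spreadsheets carry the same kind of information in other structures (the PDF Info dictionary and XMP, EXIF), so a pre-publication check needs a handler per format; this block covers only the Office package properties.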
How US internet giants are tackling the issue of GDPR compliance
It is rare that anyone ever feels much sympathy towards the behemoths of the internet, Facebook and Google. But spare a thought for these giants when it comes to them implementing the upcoming General Data Protection Regulation (GDPR). Due to become law for all organisations handling the data of EU citizens from 25th May 2018, the GDPR’s reach extends much wider than Europe itself, meaning that in spite of the fact that US data protection laws are significantly less onerous, global companies will be compelled to fall into line. With the capacity to impose fines of up to £17m or 4 per cent of global turnover (whichever is higher) even Facebook and Google are having to sit up and take notice. Yet the two companies are currently handling the issue of data protection very differently.
One of the main principles of GDPR is the ‘right to be forgotten’. Under GDPR people must give explicit consent for their personal information to be collected online, meaning that ‘opt out’ boxes will be replaced with ‘opt in’. Individuals will also be able to ask for any personal data held by companies to be deleted and details of any information held must be easily available and at no cost.
Google has publicly stated that it will be ready. Two Google executives blogged in May that “Our users can count on the fact that Google is committed to GDPR compliance across G Suite and Google Cloud Platform service when the GDPR takes effect on May 25, 2018… We’re working to make additional operational changes in light of the new legislation, and will collaborate closely with our customers, partners and regulatory authorities throughout this process”. Given the scope of Google’s business this commitment will require detailed process and a significant investment but it will no doubt have a beneficial impact on the organisation’s worldwide reputation.
Facebook has made no such promises. Having already dropped into hot water when the European Commission fined it £95m for providing misleading information when it purchased WhatsApp in 2014, it was also fined £129,000 by French authorities in May 2017 because of its questionable data sharing and user tracking. In Italy, its new acquisition WhatsApp was recently fined 3 million Euros for making users agree to share personal data with Facebook. In addition, Facebook is also being investigated by authorities in Belgium, the Netherlands, Germany and Spain for data privacy violations around the tracking of users and non-users and the use of their data for advertising. This is all before GDPR becomes law.
Facebook’s seemingly cavalier attitude toward data protection is perhaps better understood in the context of the new American administration. On 3rd April 2017 President Trump signed a new law making more personal data legally available. Overturning the previous legislation, Internet Service Providers in the United States are now able to access and use all but the most sensitive personal information. Much of this personal data is likely to be harvested and sold to digital advertisers. Yet as long as its reach is global, Facebook is still bound to the legislation in Europe, just like the rest of us. Mark Zuckerberg would be wise to embrace the change rather than fight it, because the cost of non-compliance will be immense.