Monthly Archive May 2016

Up to £1,500 available to Scottish SMEs to develop Cyber Resilience

Businesses in Scotland can receive up to £1,500 to help develop their cyber security as part of a Cyber Resilience Programme. The Digital Scotland Business Excellence Partnership (DSBEP) has delivered a number of projects over the years, mainly designed to encourage Digital Participation. Its last project is the Cyber Resilience Programme to help businesses participate in a safe manner.

According to Digital Scotland, vulnerability applies to: ‘Any company that relies on computerised systems for payroll, marketing via social media or a website, booking systems, databases of customer details including payment details and/or any Intellectual Property or Patent information that could be of value. Companies can also be targeted as a route into the businesses that they supply goods or services to.

‘A business does not need to be specifically targeted to become a victim; cyber criminals constantly scan websites, systems and/or devices to detect vulnerabilities. Therefore, if you are not taking the appropriate steps, you will flag up as an easy target during this scanning process.’

The first element of the programme is the Cyber Resilience Toolkit which brings together current information for businesses on how to be cyber resilient. Workshops promoting the Toolkit will be run from June 2016 to September 2016.

The second element is the Cyber Resilience Voucher which delivers up to £1,500 to eligible companies to secure the services of an industry expert to help them develop a cyber security strategy together with assistance in the self-assessment required for Cyber Essentials UK Government Standard.

The Cyber Resilience Voucher is available to businesses that are based in Scotland, meet the definition of an SME and are VAT registered. For more information see

Home grown talent makes SRM European leader in cyber security

Newcastle-based Security Risk Management (SRM) Ltd is addressing the national shortage of top-level qualified cyber security consultants by employing individuals with potential and then providing training in house.

Ken Rutherford (56) is the latest successful in-house candidate, gaining Qualified Security Assessor (QSA) accreditation from the Payment Card Industry (PCI) Security Standards Council this month. Because Ken also has deep-rooted digital forensic experience, and was already an accepted PFI Employee, his QSA qualification made him eligible to become a PCI Forensic Investigator (PFI) with immediate effect. SRM Ltd now boasts the largest number of QSAs and PFIs of any cyber security company in Europe.

QSAs are certified by the PCI Security Standards Council to audit merchants for Payment Card Industry Data Security Standard (PCI DSS) compliance. The process of qualification is rigorous and requires five years’ industry experience prior to any formal study programme.

Ken was allocated time within his work schedule at SRM to study and took the QSA PCI Fundamentals course in March, which then guaranteed him a place on the final QSA course in London. He is the sixth member of SRM to gain this level of qualification.

Brian Fenwick, Director, says: “We are one of only 19 companies worldwide accredited by the Payment Card Industry to investigate breaches of credit card data and as one aspect of maintaining this standard we prioritise recruitment and training.

“We run an internal training programme as well as ensuring that those studying to become QSAs attend numerous client sites with an experienced QSA to assist with the practical elements of the course.”

The company also runs its own SRM Academy, delivering elements of cyber security training to colleges in the North East and providing employment opportunities for students.

EU Cyber Security Directive on Essential Services

Whatever the result of the EU Referendum, there are some aspects of our relationship with Europe that are unlikely to change, as long as we continue to engage in trade with our neighbours. Cyber security is a global issue and co-operation between states and continents is only likely to become greater over the coming years. A key area is cyber security for the operators of essential services and a new directive, due to come into force in August 2016, lays down a co-ordinated strategy for all EU member states.

When the Network and Information Security Directive comes into force it will further increase existing co-operation on cyber security. The proposed directive will require each EU country to designate one or more national authorities and to establish a strategy for dealing with cyber threats. It will set out the cyber security obligations for operators of essential services – such as energy, transport, finance and health – and digital service providers to manage cyber risks and report major security incidents.

The requirements and supervision for these operators will be stronger than for providers of digital services, reflecting the degree of risk that any disruption to their services may pose to society and the economy.

EU member states will have 21 months from the directive’s entry into force to adopt the necessary national provisions. They will then have six further months to identify their operators of essential services.

What are the common failure points of repeat info-security assessments?

Maintaining compliance with any information security standard is often a long and winding journey. You never quite know what is over the horizon or around the bend, so what should we look out for when the time comes for that difficult second audit?

‘To lose one parent may be regarded as a misfortune; to lose both looks like carelessness’. So said Oscar Wilde. Of course, he was referring to human relationships rather than info-security audits and, like Mr Worthing in ‘The Importance of Being Earnest’, sometimes it is no one’s fault when a second misfortune strikes. But in the case of repeat info-security audits, we can see from the common failure points that there are lessons to be learned.

Common failure points in repeat assessments are:

  • Staff are not accountable and, as a result, various tasks have not been completed. For example, the six-monthly firewall review: if it has not been diarised and no one has been given the task, who will remember?
  • Internal scanning is not always performed with the same diligence as external scanning. In reality they both require the same approach.
  • Payment procedures have been introduced that are at odds with the established methods for processing card data. A defined payment strategy is a great help here.
  • System patching: critical patches have not been risk assessed and may not have been applied within the 30-day window. A robust patching procedure is essential to limit exposure to risk.
  • Vulnerability scanning has identified errors that have not been fixed within the correct timescale or have not followed the correct change control or remediation process. Please note, an auditable process is required here.
  • Storage of unencrypted card data: as part of the data discovery process, unencrypted card data is often found on desktops and servers. This is often in the form of unsolicited emails, but a breakdown in the payment strategy can lead to staff using unapproved methods of communication with customers.
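The last failure point, cleartext card data turning up on desktops and servers, is what a data discovery sweep is meant to catch before the assessor does. The following is an added example, not SRM's tooling: it scans a constructed mailbox export and application log for candidate card numbers, keeps only those that pass the Luhn check (so order references and timestamps are not reported), and records each hit with the PAN masked to first six and last four digits, so the findings report itself does not become another store of cleartext card data.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample files standing in for a desktop mailbox export and a server log.
SAMPLE_FILES: Dict[str, str] = {
    "inbox_export.txt": (
        "From customer: please charge my card 4111 1111 1111 1111 exp 09/19\n"
        "Order ref 1234567890123456 shipped\n"   # 16 digits but fails Luhn: not a PAN
    ),
    "app_server.log": (
        "2016-05-10 12:01:07 payment ok pan=4242424242424242 amount=19.99\n"
        "2016-05-10 12:02:11 token=tok_ab12cd34 amount=5.00\n"
    ),
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the display form PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Finding(NamedTuple):
    source: str
    line_no: int
    masked_pan: str


def find_cleartext_pans(files: Dict[str, str]) -> List[Finding]:
    """Return one Finding per Luhn-valid card number found in the given files."""
    findings: List[Finding] = []
    for name, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for match in PAN_CANDIDATE.finditer(line):
                digits = re.sub(r"[ -]", "", match.group(0))
                if 13 <= len(digits) <= 19 and luhn_valid(digits):
                    findings.append(Finding(name, line_no, mask_pan(digits)))
    return findings
```

The three test PANs are well-known dummy numbers, not real cards; in a real sweep the candidate regex should be run over the raw bytes of mail stores and database dumps as well as plain text.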

A repeat info-security assessment tells you that whatever you did first time round was not sufficient to keep your organisation compliant. Like an MOT, a security audit is only a ‘snapshot’ of an environment at a given time. All too often, a security assessment is seen as a ‘tick box’ exercise rather than a programme of ongoing maintenance. For more on developing an effective Info-Security strategy, read our blog on ‘Navigating the minefield of info-security compliance’.

Information Security Consultant, SRM's Principal PCI DSS QSA and Payment Card Industry expert, Paul B is a regular contributor to the SRM blog.

Cyber Security Accountability Does Pay

Cybercrime in 2015 was nothing short of epic. No one could have anticipated headline news stories such as Sony Pictures Entertainment being hacked by a group allegedly sponsored by North Korea; a 15-year-old member of the group behind the TalkTalk hack; and the FBI’s advice on ransomware – just pay the ransom!

So what can we expect in 2016?

Expect the typical cyber-criminal to be someone who is sophisticated, intellectual and aggressively innovative. They are armed with intelligence and the mental capacity to constantly adapt, making them incredibly hard to track and control.

Expect organisations, not individuals, to be the targets of organised cyber-crime. Cyber-criminals are now seeking million dollar pay days. It can also be expected that cyber criminals will convert any stolen funds into crypto-currencies such as Bitcoin.

Expect more integrity and social engineering attacks – hacks with the purpose of gathering information. These hacks arm the hacker with the details required to launch a large and sustained attack in the future. These kinds of attacks may go unnoticed initially, but can cause the wrong decisions to be made, including invoices being paid into the wrong accounts (usually those of the hackers).

Expect more malware attacks on portable devices like mobile phones and tablets. Malicious apps are being sold on the Dark Web – apps that mimic the graphical user interface of banking, eCommerce and other popular apps with the intention of tricking the user into providing card details.

Expect more ransomware attacks. The United States of America has seen a huge increase in the number of ransomware attacks in the last 12 months, and the numbers only look set to increase. The Cryptolocker gang grossed over $30 million with a very simple attack within just 100 days, with approximately 40% of Cryptolocker victims ending up paying the ransom. Unlike many other ransomware gangs, Cryptolocker does actually delete your files if you do not pay. You can say goodbye to your customer details, financial plans and other important documents. Thankfully, unlike other ransomware groups, if you do pay they restore your files within 48 hours.

There is also an expected increase in the number of users on the Dark Web, which will result in an increased volume of crime. As access to the Dark Web through a free, specialist browser allows users to mask their location, being caught buying or selling services there is near enough impossible.

After all the news in 2015, what are organisations now doing differently?

Well according to recent reports, not much.

A recent study of 1,530 non-executive directors, C-level executives, Chief Information Officers, and Chief Information Security Officers from organisations across the United States, United Kingdom, Germany, Japan, Denmark, Norway, Sweden, and Finland, found that:

  • 91% of organisations that had a high level of vulnerability also had board members that could not interpret a cyber security report;
  • Only 10% of organisations with a high level of vulnerability are regularly updated with information about the types of threats to cybersecurity that are pertinent to their organisation;
  • Only 9% of organisations with a high level of vulnerability have their systems regularly updated in response to new cyber threats.

Events in 2015 have made it very apparent that cyber-security should be a board-level concern. It threatens both the financial capital and the integrity of companies, so it is worrying that the C-suite plays such a small part in decision making concerning cyber-security. Hackers are only getting bolder – embarking on harsher attacks, some unrecoverable. For companies that continue to overlook the importance of cyber-security, the risk is getting bigger and the consequences less forgiving.

SRM Blog