Posts by: Julia Wailes-Fairbairn
Why is a Business Continuity Plan important?
Why is a Business Continuity Plan important? It’s simple: because a business’ ability to recover from a cyber breach hinges on its ability to react quickly. Since the enactment of GDPR earlier this year, it is now a statutory requirement that a breach is reported within 72 hours of its discovery. But this is not the only thing to consider. As soon as a breach is identified, certain steps need to be taken to contain and mitigate the extent of the breach to safeguard the future of the business. This process will run much more smoothly if all aspects of the strategy are well known to those responsible and have been pre-planned and pre-agreed.
The impact of a breach is often significantly wider than people first think. It is not necessarily just about money or data being stolen, or the fines imposed by the Information Commissioner’s Office (ICO) as a result, but about the longer-term impact. Loss of trust and reputation can be equally, if not more, damaging over the following months and years.
So, with the threat of a successful (and costly) cyberattack being very real, what can be done? Well, firstly, and perhaps counter-intuitively, the most important thing is to accept the risk and plan for a worst-case scenario. Every robust defence should therefore include a Business Continuity Plan (BCP) which includes Incident Response (IR) and Disaster Recovery (DR) plans. These plans should be continually challenged and reviewed, and correctly-scoped simulation exercises will ensure that all key personnel are experienced in the steps that need to be taken.
However, this is just one piece of the business continuity puzzle. Evaluating your company’s ability to restore IT operations can be a good starting point for company-wide Business Continuity Plan. In fact, many business continuity planning efforts start by conducting a business impact analysis or risk assessment. These studies can reveal weaknesses in your organisation’s ability to continue operations that go far beyond IT. Good business continuity and disaster recovery planning should look at the business as a whole, with a goal to develop business resilience.
Of course, for most businesses in 2018, having a robust cyber defence is the first step and every precaution should be taken to ensure that potential hackers and cyber criminals are kept at bay. It seems reasonable to assume that the harder we make it, the less likely a hacker is to focus their attention on us. They will look to easier targets. But the sad truth about today’s digital environment is that breaches can and do occur, even to the best-defended organisations. After all, it can only take one employee to mistakenly open a phishing email to provide a potential hacker with a route in to an otherwise well-protected system.
Why is a Business Continuity plan important? Because speed is of the essence. The more quickly a breach can be identified and contained the less damage it will cause.
To discuss Business Continuity planning, contact the SRM team on 03450 21 21 51
To receive regular blogs on topics relating to information security, follow us on Linkedin.
To find out more visit our website.
Or read more:
Cyber insurance may be null and void without ‘due care’
Cyber resilience: it’s a board level issue
The key to GDPR is common sense
Protecting your cyber soul
By Tom Fairfax, Managing Director
If you were asked to sell your soul to a stranger…. what price would you ask?
The ancient Egyptians believed that a person’s soul had multiple parts, ranging from the spiritual to the physical; the bit they hadn’t discovered was the digital component. Regardless of one’s personal belief, each of us carries a very real and hugely valuable intangible asset in the form of our personal identity and the information that forms part of it. This asset is incredibly vulnerable in the cyber environment and once compromised is effectively irretrievable. Think of this as our cyber soul. It contains our very digital essence, our unique identity, our access to our resources and secrets, and represents the means to impersonate us or take control of parts of our life, our possessions or our good name and reputation.
The environment we call cyberspace represents a complex web of connected technology sharing information with and without human interaction. This environment is inaccessible to our naked senses; we cannot see, hear or feel in it without assistance. Critically, it is contested, and is populated by a global population of strangers, many of whom are explicitly seeking to compromise us. It is to this environment that we expose our cyber souls. The only question is – what protection or consideration do we give our valuable information assets before publishing them into the wild?
We are asked to share parts of our cyber souls on a daily basis. A myriad of commercial, official and social platforms request and sometimes require information. Some we hope we can trust – and in some cases we need to make a risk-based decision. But how much thought do you give before deciding what information to share and with whom you entrust this sliver of your essence? A brief glance at the Information Commissioner’s Office (ICO) enforcement page is instructive and shows that no organisation can be assumed to be safe. A brief perusal of the causes of breach shows that breaches are not confined to failures of technology but often result from individual and collective human frailty. This is not new.
This raises another, possibly more important question. How much explicit effort do you spend on protecting the personal information that other people and businesses entrust to you? The ICO website shows a number of instances where something as seemingly innocent as a breach of email etiquette has resulted in the exposure of personal information, and a direct, if inadvertent compromise of people’s sensitive information. Fines and sanctions are damaging, but we must not forget the fundamental breach of trust.
Information Security and data protection are disciplines that enable us to protect our own cyber souls and those with which we have been entrusted by others. They are still seen by many as an administrative irritation but they are a fundamental part of our personal responsibility as members of society. No-one can guarantee that they will be 100 per cent safe; indeed such a claim is a good indication that the problem has not been understood.
We can, however, exert a degree of critical judgement on every occasion that we are asked to share parts of our soul. Trust should not be assumed.
Why the prioritisation of breach identification and containment are crucial elements of every cyber defence strategy
One of the most significant elements of the current cyber threat landscape is the amount of time it takes to actually detect and contain a breach. In a study published last year by IBM security and the Ponemon Institute, the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics were used to assess the effectiveness of an organisation’s incident response and containment processes. The research found that it took an average of 168 days to identify a data breach and 67 days to contain it.
The key problem is that in today’s climate few attacks are aimed solely on an organisation’s external defences. This is because, with data security legislation at the strongest it has ever been, external defences like firewalls and network security are usually reasonably robust. So cyber criminals use more subtle tactics, exploiting human error. If an employee opens a malware-laden phishing email or some deceptive social engineering has enabled an attacker to infiltrate malicious codes, the effects may not be evident for some time. This gives malicious attackers the opportunity to explore and exploit the system from within, delivering even more devastating consequences over time.
Given that the current MTTI metrics show that breaches can remain undetected for an average of five and a half months, this provides hackers with ample time to develop their strategy and exploit the weaknesses they detect. So although it will always be necessary to have robust external defences in place, organisations would do well to push the identification of attacks further up the priority list.
The other issue is, of course, containment. The current MTTC metrics show that the average breach, once identified, takes over two months to be contained. The reputational and financial implications of this delay cannot be underestimated.
While building both an external and internal defence is a priority, making detailed plans for how to handle a crisis is equally important. It is perhaps counter-intuitive to plan for a successful attack, but the maxim ‘expect the best but plan for the worst’ is sound advice. Knowing how to react in the unfortunate event of a data breach is a crucial business benefit. An experienced Retained Forensics company will be able to assist you with your plans and help to get everyone into the right mind-set. If the worst does happen, then staff will have a framework to refer to, ensuring that vital steps are taken, and valuable time is not lost.
At SRM, our consultants use their vast expertise to proactively protect systems before an attack occurs. Working with a Retained Forensics specialist facilitates a strategic approach; from analysing potential weaknesses, to making detailed plans in the event of a breach. This is done in a number of ways, including through the process of Test and Exercise, starting with automated penetration testing to identify potential internal vulnerabilities. Manual testing is then employed to exploit and develop these weaknesses, so the gaps can be plugged. The synergy of these tests provides valuable intelligence about where existing vulnerabilities lie, including the human element, and helps a business to build an agile defence around them.
To find out more about SRM’s Retained Forensics and Incident Response services contact Mark Nordstrom on 03450 21 21 51 or firstname.lastname@example.org
To receive notification of other blogs relating to issues in the world of information security, follow us on Linkedin.
Or read more from our blog:
Retained Forensic & Incident Response Service: how planning for the worst can add value to your business
Three stages to building a robust defence against external threats
Cyber insurance may be null and void with ‘due care’
Pen testing: seeing both the wood and the trees
Schools are being targeted by cyber criminals: 6 ways to shore up online defences
In 2017 the Independent Schools’ Bursars Association (ISBA), which supports over 1,000 senior management staff in schools, stated that cyberattacks in schools can no longer be considered ‘isolated incidents’. ISBA’s Chief Exec David Woodgate went on to say that he is concerned that fraudsters are ‘one step ahead’.
He is absolutely right. While schools lag behind universities in their approach to cyber defence, cyber criminals are constantly evolving and refining their skills. Unlike most people employed in the education system, they do not have day jobs to distract their focus. So what can school authorities do to protect against such ingenious criminal minds? Here are six important things to consider.
1. Accept responsibility
Firstly, school boards must embrace the responsibility. A Department for Education spokesperson recently reiterated that ‘schools are directly responsible for the security of all digital information they collate, store and retain.’ This does not, however, simply refer to the IT department but should extend to the board of governors, the school administrators, the staff, the pupils and the parents. Above all, however, it is the senior leadership that is responsible for safeguarding in schools and, as such, cyber security should be on the agenda at every meeting of school governors and senior teams.
2. Know your system
Knowing precisely what hardware and software is being used on the networks is important but senior leadership should also ensure that configuration changes are authorised, documented and implemented appropriately. It is crucial that only approved users can make changes. Software updates and security patches should also be implemented quickly, and systems monitored for unusual activity which could be an indication of an intruder. Criminal incidents should be reported to the police. Breaches must be reported to the relevant statutory authorities within 72 hours under the terms of GDPR.
3. Control user profiles
Access to sensitive information should only be given to specific individuals. Wherever possible, the ability to share information should also be limited to these specified people. Where individuals are provided with access, their privileges should be managed, and they should be provided with the minimum level of access required to do their job. When staff leave, their access should be revoked promptly.
4. Protect the system
Strong firewalls and internet gateways should be in place to protect school networks and these should be constantly monitored and regularly tested.
It is essential to ensure that antivirus software and security mechanisms are up to date and that protocols for frequent password changes and the use of multifactor authentication for sensitive information is enforced. This means that if a criminal does obtain access to a system, their progress is stalled by encryption tools.
It is not just the internal system which requires protection. Consider the physical security of a system: the hard drives, internet routers, servers and other devices on which data can be stored. School equipment can be targeted by thieves during holiday periods so any device holding sensitive data should be encrypted and stored in an appropriate security cabinet constructed for the purpose.
It is also advisable to limit the use of public-cloud-based services such as OneDrive and Dropbox as well as the widespread use of portable storage devices such as SD cards and memory sticks but, if there is no alternative, such mechanisms must use strong encryption and robust key management procedures.
5. Invest in expertise
The school bursar is not expected to be solely responsible for every aspect of financial planning. Professional accountancy firms provide additional resource and support. In a similar way, those responsible for a school’s data protection require support at both the strategic and practical levels from industry specialists.
6. Be proactive
Rather than wait for a cybercriminal to test the school’s defences, be proactive: conduct regular penetration testing on the system. When done correctly, this is not an off-the-shelf exercise, but employs a synergy of automated and manual testing to deliver the best results. A specialist consultancy will be able to scope the exercise and conduct the testing in a cost-effective and non-disruptive manner.
Red Team engagement can prove highly useful to further investigate vulnerabilities that have been identified. By using simulated exercises around social engineering, all staff can be briefed on best practise, and their role in the team, should an incident arise. The intelligence gained from these exercises means that a proactive and robust defence can be developed, protecting your data as well as your reputation.
To discuss improving your cyber resilience, contact the SRM team on 03450 21 21 51
To receive regular blogs on topics relating to information security, follow us on Linkedin.
To find out more visit our website.
Or read more:
How phishing scams are getting schools in deep water
Cyber resilience: it’s a board level issue
The key to GDPR is common sense
GDPR and data security in the gambling industry
This article first appeared in the Q3 edition of Casino & Gaming International (CGi )(www.cgimagazine.com/latestedition) and appears here with their kind permission.
As the implications of the General Data Protection Regulation sink in, Paul Brennecker examines its impact on the gambling industry and explains how it is not simply a compliance exercise but an industry-wide altered mind-set that is the key to effective data security.
The gambling industry has always been a target for criminals, both in reality and in fiction. From The Sting to Ocean’s Eleven and Lock, Stock and Two Smoking Barrels, the world of cinema has long relished the idea of cunning criminals taking on the casino and winning. There is something inherently satisfying about attractive and engaging rogues beating seemingly anonymous gambling enterprises in what is perceived to be an almost victim-less crime. In the fictional world of Hollywood, the inevitable sequels roll out reflecting, probably unintentionally, the reality of the situation: that repeated breaches are increasingly experienced by casinos and gaming enterprises. What they do not necessarily show, however, is the other reality: that in the new era of online gambling the victims are very real. They are the individuals whose personal data is stolen.
Cyber-attacks come in many forms but they can broadly be categorised into those that disrupt operations, such as distributed denial of service (DDOS) attacks, where infected computers flood the network with traffic. There are also those that are aimed at data theft, targeting customer data, especially financial information like credit card details, which can be sold on the dark web or used for identity fraud, and ransomware attacks. This type of credential abuse is particularly concerning in the gaming industry because it leads to loss of reputation and clients transferring their online business to other providers.
Although the adversarial threat is significant, the threat posed by insiders, often trusted employees, can pose an even greater risk to a business. With privileged access employees can intentionally or unintentionally be involved in a targeted breach of data. Staff in the gambling industry have a tendency to switch roles between competitors, requiring a robust ‘Joiners, Movers, Leavers’ process. It also necessitates a heightened awareness of data leakage from within each organisation.
GDPR & PCI DSS
Under the new GDPR framework which became EU law in May of this year, in the event of a data breach, firms can be fined up to 4% of revenue (or 20m Euros, whichever is higher). Since the terms of GDPR were first known, much has been written about it and the impact it has on the way companies manage their data. Yet, there is an important misconception which need to be addressed.
Contrary to current public perception, there is actually no such thing as GDPR compliance. It is a regulation which requires data systems to be safe but it is open to interpretation and provides nothing in the way of detailed guidance. Nor is there an annual review to validate compliance.
On the other hand, the Payment Card Industry (PCI) Data Security Standard (DSS), which regulates the gaming industry to ensure that payment card details are used with best practice and kept secure, does provide a detailed framework which specifies what needs to be done and how. PCI DSS even provides regular updates and guidance on reviews. Those who are PCI DSS compliant are therefore well on the way to meeting the requirements of GDPR. It is the role of Chief Information Security Officers (CISOs), Data Protection Officers (DPOs) and their advisers to work out where the gaps exist to ensure that an organisation adheres to GDPR in practice.
While the PCI DSS compliance process is undeniably useful, it must be likened to an MOT; it only applies to a given moment in time. One ill-conceived change of control request or alteration to the process can render that compliance invalid. Ongoing testing and maintenance is essential and this is best managed through an altered corporate mind-set which embeds data security at every level of the organisation.
A BOARD LEVEL APPROACH TO EFFECTIVE DATA SECURITY
GDPR and PCI DSS complement one another and, if managed holistically, can deliver immense benefits to efficiency and reputation, while also mitigating the potential damage of a breach. But given the fact that PCI DSS compliance simply provides validation of compliance at a given moment in time, the key to data security is not to focus on specific compliance targets, following a tick box exercise once a year, but to develop a corporate mind-set which features a ‘compliance out of the box’ approach and has ongoing updating and maintenance built in.
This altered mind-set requires a company-wide strategy which is developed at board level and then disseminated in practical, simple form to each and every employee or partner of the business. For this to be a realistic goal, the responsibility for data security cannot simply be devolved to the CISO or DPO; nor should it be seen as something which is only in the scope of the IT department. To be truly effective, it is the responsibility of the each and every member of the board to drive and oversee the organisation’s data security responsibilities. Data security should be on the agenda at every board meeting.
Realistically, however, given the complexity of data security and compliance processes, specific ownership will be in the hands of these technically qualified individuals. Yet they will not be able to effectively exert influence at board level unless they are provided with the specialist support and resource. Much like the support provided to the financial department by corporate accountants or the support given to the legal department by specialist legal teams, the CISO needs to have access to specialist data security support to provide strategic guidance and technical abilities to enhance the scope of the operation.
THE ROLE OF PENETRATION TESTING, RED TEAMING AND RETAINED FORENSICS IN DEVELOPING A DATA SECURITY STRATEGY
One of the key elements of data security is the development of a robust defence strategy. It is not enough, however, to develop a strategy and build a defence based on what is already known. Cyber criminals are ingenious and exploit not simply known threats and vulnerabilities, but they also have ways to detect those which are not yet known or understood. Those who only use their own understanding to develop a defence will therefore be limited by the extent of their own knowledge. Testing and challenging that knowledge on an ongoing basis is an essential element. This is where a continual programme of Threat Monitoring, Penetration Testing and the use of Retained Forensics comes in.
Threat monitoring is the process of observing the changing nature of cyber-attacks. All commercial websites will be probed for vulnerabilities, initially by automated tools and once something significant is found, a more concerted manual attack may be launched. Having alerts and being set up to monitor the nature of these attacks and countering them is essential for players in the online gaming space.
The next step is regular Penetration Testing, which needs to include both automated and manual elements. After all, the criminal community uses both advanced scanning tools to identify potential areas of weakness as well as the additional sophistication of the human mind to develop and explore these vulnerabilities.
Imagine a room with an almost limitless number of doors. The automated penetration test will identify which doors conceal potential vulnerabilities. The manual tester then prises these doors open and looks at what is behind them.
Taking the analogy a step further, Red Teaming will push the doors wide open and delve and explore into what is behind them. Red Team testers have ethical hacking qualifications from industry respected bodies such as CREST and OSCP and use their sophisticated skills to root around and uncover hitherto unforeseen vulnerabilities.
Armed with this information, the process of closing off potential opportunities for cyber criminals before they are even exposed can begin. In this way a data security strategy can be developed which anticipates vulnerabilities before they are discovered, rather than simply reacting to those which are already known.
These experts will work in partnership with a specialist Retained Team to manage the defence process. In some specialist consultancies the Red Team will also be part of the Retained Forensic capability to help ensure that the process is be an ongoing one, with regular exposure to testing built in. Engaging a Retained Forensics team not only assists in managing a continually evolving the strategic defence but builds in resilience to potential attack.
Given the unrelenting ingenuity of attackers, it is impossible to ever consider an organisation to be immune from attack. The strategy should therefore include detailed plans if this eventuality occurs, particularly for the prompt reporting in the event of a breach. GDPR requires any breach to be reported to the relevant regulatory authority within 72 hours and failure to do so will result in punitive action being taken.
When it comes to issues of business continuity, disaster recovery and containment, having a Retained Forensics team on hand, with a thorough knowledge of the organisation’s systems, means they will be able to manage this process swiftly, thereby limiting any potential damage.
It is also worth noting that not only will the engagement of a Retained Forensics team facilitate the ongoing testing of system security and provide strategic intelligence for effective maintenance and development, it also demonstrates to the relevant authorities that a robust, ongoing process is in place, thereby reducing the level of potential fines.
GDPR should not be considered an encumbrance or an onerous chore. It has been developed to build in safeguards to data security systems protecting both the organisations and their customers from cybercrime. Those who embrace it with enthusiasm, building an ongoing test and exercise regime into their systems, will benefit from enhanced reputation and customer loyalty. Those who make data security the responsibility of all members of the board and who develop a constantly evolving defence strategy can demonstrate to both customers and the regulatory authorities that they take security seriously. They are also in the best possible shape to resist potential attacks, or deflect or reduce the impact of one, making an investment in GDPR and cyber resilience a sound business decision.