Category Archives: risk assessment

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

Advertisements

Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM Staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how  the security posture of some businesses is clearly unfit for purpose.

Over to the team…

Image courtesy of Vlado at FreeDigitalPhotos.net

Vlado at FreeDigitalPhotos.net

 

Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsular coupled with additional attacks from the orient- this will bring a chill to the spines of organisations.  These attacks are likely to be followed by sweeping phishing scams from the African continent.  There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation that the threat from insiders is on the rise. In summary it’s going to be a mixed bag of events for a number of wide ranging organisations. However on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same.  Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people.  I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees.  I also predict a significant challenge for many organisation which hold personal data.  The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens.  With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioners Office (ICO).  Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited.  This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media, and Marcomms Manager – I predict the growth of ransomware  in business.  Ransomware, is mainly (though not exclusively) spread by phishing and given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites and so businesses that do not have, or enforce a policy or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.

 

 

Mike Gillespie_headshot

 

Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breach in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

New Whitepapers added to the Website…

Go to the Advent IM Website for FREE downloads of these and other Whitepapers from Advent IM specialists

 Independent_schools

Security in Independent Education Sector – this whitepaper discusses some of the challenges and threats that Independent Education facilities need to consider along with some advice and guidance

_

Security for SMEs – this whitepaper looks at the highly diverse sector of SMEs and looks for cost effective security methodologies to improve the security posture of small organisations.

Are you still operating XP or Windows 2003? – A guest post from Julia McCarron, Advent IM Director

Whilst Microsoft’s utopia may be for us all to automatically upgrade every time there is a newAdvent IM Cyber Security Experts version of Windows, for many organisations this isn’t always an option. With some still coping with life after the recession the cost of upgrading to new platforms can be restrictive, especially if XP and Windows 2003 still works perfectly well and provides you with effective tools to operate business as usual. For others with large technical infrastructures, again the cost of upgrading can be a massive drain on time, resources and money and needs careful budgeting a planning over a period of time.

But with the withdrawal of support on Windows platforms and applications comes risk. Security patches no longer get issued, and as cyber security threats continue to be developed exponentially so these platforms become vulnerable to attacks.

Advent IM HMG accreditation concepts training

pics via digitalphotos.net

The obvious choice is upgrade as soon as possible. But if this is not an option you need to assess the risk of operating in a non-supported environment as part of your corporate risk strategy, and where required identify activities that can help you minimise risk. These could be more frequent external penetration tests, stricter acceptable usage policies, updates in security awareness programs or additional monitoring software. There are risk mediated options available but only if you go through the proper process of analysing the threats and impacts of not upgrading to your business.

But upgrade when you can …

Julia.

SMEs and Security or How SMEs can impact UK PLC Security (image)

BIS visual v2.0

Hacking Pacemakers, Traffic Systems and Drones – Cyber and Physical Worlds Collide

The Telegraph today ran a piece on a subject close to our hearts here at Advent IM, namely the cyber threat to our physical world. You can read it here

Regular readers will know we have expressed concern before that language can create barriers or false realities that can leave vulnerabilities and the prevalence of the use of the word ‘cyber’ is a good example of this. Cyber to most people conjures up the ethereal world of the hacker – that strange and dangerous electronic hinterland that few really grasp. Of course, this is dangerously inaccurate as many systems that control our physical world are networked and can therefore be hacked.

The late Barnaby Jack showed the world how he could hack into an insulin delivery system in a patient to effectively overdose that patient, he also managed to hack into an ATM system which then dispensed cash like a waterfall. The two worlds are converging quicker than our security awareness is growing.

Bringing the threat to our critical national infrastructure to the attention of the public at large is in one way unnerving but also very necessary.

Please have a look at our presentation on the topic, you will need sound…

Advent IM, Cyber Threat to Built Estate

Presentation with voice over from Mike Gillespie

SME Information Risk: 48% suffered reputational damage already from lost data

Originally published in Outsource Magazine August 2012

According to a recent survey by Iron Mountain and PricewaterhouseCoopers LLP (PWC), in Europe, mid-sized businesses are placing themselves at unnecessary Information Security risk.  The average index score for Information Risk maturity in this group was only 40.6 (a score out of 100), which sharply highlights the gap between what business is currently doing and what it is supposed to be doing.

Are businesses listening to the warnings about Insider Threat?

Are we listening yet?

Shockingly, 64% of the mid-sized businesses surveyed had no information risk strategy in place, which was effectively monitored.  Given that almost half of the businesses surveyed said they had already suffered reputational damage as a result of lost or misplaced data, this lack of information security appears cavalier at best. It could be your personal data or your organisations data being handled, managed or stored by these businesses.

According the Norwich Union Business Continuity survey (of which information security and reputational damage would be important elements) only 8% of businesses without a plan, which had suffered a serious incident, survived 5+ years, 40% never re-open after a serious incident. If the failings within mid-sized businesses are as widespread as the PWC data suggests this is very bad news for many businesses and could be the one area we start to see them over index, sadly.

Hiding in plain sight

So what does a small or medium sized business do to protect itself, its own valuable data and potentially that of its customers and supply chain? Well, Information Security issues are not like the monster under the bed, despite what the popular press may have us believe.  They don’t frequently leap out to shock you and grab your ankle. More frequently they hang around, waiting to be noticed by someone until it’s just too late and the worst has happened. No amount of finger crossing can spare you from its teeth by then – or the ICO’s teeth in this case. It is normally a series of failings or an extended period of time when risks have been ignored or misunderstood.

Being an SME can make an organisation more ‘fleet of foot’ than many larger businesses. The advantages of being reactive and able to quickly change course or take advantage of a sudden opportunity is a great flexibility to have. Potentially though, the risk side of things can be pushed to one side or ignored and then a lack of due diligence can mean that the new undertaking or direction is being done effectively ‘on the hoof’ and without the anchor of proper governance.  This can also be reflected in the approach to procurement when the questions about the correct checks and balances for security are simply not being asked.  This is possibly because there may not be a dedicated FTE for each role and employees wear several hats. It may be a naiveté about accountability and responsibility either from a legislative or industry requirement basis.  If your organisation is lucky enough to have employed someone with and Information Security or Data Protection background, then this is less of an issue. That is assuming that the resource to have an FTE with these expert skills is available. Generally this is not the case and whilst many businesses are more than familiar with the old outsource service of security, they do not necessarily make the connection to Information and Data.

“Sometimes I feel like the conversation itself is encrypted”

That is how it feels to have a conversation with a security guru. Within minutes the language becomes dense and acronym laden and the eyes of the non-security person may start to glaze or dart about like a frightened rabbit in car headlights.

The concept of Information Security is understandably daunting. Many businesses are put off by the language and apparent complexity. Everyone is put off by things they don’t’ understand but that is what outsourcing is for. Part of the issue is that organisations and those within them responsible for security of information, do not want to feel daft, the language and complex terminology they are coming up against makes them feel inadequate and sounds potentially expensive.

Although security has a long relationship with outsourcing, this has been largely around physical security and areas such as manned guarding. For some reason, outsourcing an organisation’s Information Security, Data Protection or Business Continuity appears to have passed many organisations by as a possibility.

When you think about it though, it makes perfect sense. Areas that are complex and needs and expert help, that may not require and FTE or be too cost sensitive to resource on an FTE basis or maybe required to move an organisation through an accreditation to assist with perhaps getting onto a Government supply framework, or supplying the NHS for instance. Whilst every organisation needs to be security aware and educate their staff effectively, understanding the accountabilities, policies and processes are far more relevant to an SME than having an inside out knowledge of security terminology and the dazzling amount of acronyms. Outsourcing is the natural choice.

One of the 64%?

So the data security inertia may not solely come from a lack of interest or concern about what happens to client, customer or internal information. True some organisations have a genuinely laissez-faire attitude, but many don’t and some of the lack of appropriate action can have come from fear, confusion and misinformation.

Given the ICO’s power to fine up to £500k for serious incidents, this could potentially see a number of the unprepared 64% close for good. It makes much more sense to find an expert outsource partner to translate and guide. Security is a business enabler. Once the security is in hand and under control, an organisation can go on with the business of growing in a secure environment for both the organisation and its partners. It allows organisation to tender for business that they may not normally have been in a position to. It brings likeminded businesses together, allowing them to partner and support each other knowing that they are on the same page and that their respective information assets are properly managed.

Outsourcing Information Security may be a newer area of outsourcing but as with all good outsourcing it is there to provide the expertise it would appear is lacking in the SME arena. Ensuring the best quality, independent advice from an outsource partner could provide the competitive edge and reassurance an SME needs to realise its true potential.

Data sources: PWC Iron Mountain survey “Beyond cyber threats: Europe’s first information risk maturity index” and Norwich Union Business Continuity Survey