
Security Predictions for 2016

As 2015 draws to a close, we asked the Advent IM staff to ponder the challenges for next year. 2015 saw some huge data and security fumbles, and millions of people had their personal information exposed as hack after hack revealed not only how much this activity is on the increase, but also how the security posture of some businesses is clearly unfit for purpose.

Over to the team…


Dale Penn – I predict that with the recent introduction of Apple Pay and Google’s Android Pay we will see a large upswing in mobile device targeted attacks trying to get at our bank accounts.

Del Brazil – Attacks will be pushing in from the Siberian peninsula coupled with additional attacks from the Orient; this will bring a chill to the spines of organisations. These attacks are likely to be followed by sweeping phishing scams from the African continent. There is also the likelihood that attacks towards HMG assets from Middle Eastern warm fronts will further identify/expose weaknesses within organisations. Closer to home is the ever increasing cold chill developing within organisations as the realisation grows that the threat from insiders is on the rise. In summary, it’s going to be a mixed bag of events for a number of wide ranging organisations. However, on the whole, as long as organisations grab their security blanket they will be best placed to ward off the majority of attacks.

Chris Cope – If 2015 saw a significant number of high profile information security breaches, then expect 2016 to be more of the same. Attackers are getting cleverer at exploiting weaknesses; most notably those presented by people. I confidently predict that a significant number of incidents in 2016 will feature poor security decisions made by employees. I also predict a significant challenge for many organisations which hold personal data. The forthcoming EU regulation on data protection will provide significant challenges on the protection of personal information of EU citizens. With a significant increase in financial sanctions highly likely, the importance of safeguarding personal data has increased dramatically for any organisation, even those who were not challenged by the penalties previously awarded by the Information Commissioner’s Office (ICO). Could this be the start of a wider regulatory drive to improve information security – probably not, at least not yet. Finally, with continuing uncertainty across key areas of the globe, particularly the Middle East, we will also see more examples of ‘cyber warfare’ as this nascent capability continues to be exploited. This will lead to a flurry of reports on how cyber war is about to doom us all or is irrelevant (depending on one’s viewpoint); surely an opportunity to educate the wider populace, and key decision makers, on what information security, and its potential consequences, could actually mean?

Mark Jones – I predict…

  • Cloud security becomes even more important as more and more businesses move services there – more demand for ISO27017
  • Related to the above, more Data Centre Security certifications due to contractor (customer) requirements
  • More BYOD-related security incidents with more mobile malware found on all platforms with China the main source – mobile payments being a prime target
  • Cyber Essentials leads to more demand for ISO27001 certifications from SMEs
  • Privileged insider remains the main Threat Source & Actor
  • More incidents relating to online cyber-extortion / ransomware
  • With increasing demand for infosec specialists and/or DPOs organisations will find it more difficult to recruit than ever
  • More incidents relating to the Internet of Things – smart devices such as drones falling out of the sky causing harm; more car computers hacked resulting in more car theft

Ellie Hurst – Media and Marcomms Manager – I predict the growth of ransomware in business. Ransomware is mainly (though not exclusively) spread by phishing and, given the success of phishing as an attack vector and that one in four UK employees don’t even know what it is (OnePoll for PhishMe), I think it will continue to be the most likely form of ransomware proliferation. Of course, it can also be spread by use of inappropriate websites, and so businesses that do not have or enforce a policy, or exercise restrictions in this area, will also find themselves victims of this cynical exploit.

A word from our Directors…

Julia McCarron – Advent IM Operations Director – I predict a RIOT – Risks from Information Orientated Threats.


Mike Gillespie – Advent IM Managing Director – I predict an escalation in the number and severity of data breaches in the coming year. Recent failures, such as TalkTalk, VTech and Wetherspoons, highlight that many businesses still do not appreciate the value of the information assets they hold and manage. Business needs to increase self-awareness and, looking at the Wetherspoons breach, ask the difficult question, “Should we still be holding this data?”

I think the buzz phrase for 2016 will be Information Asset Owners and if you want to know more about that, then you will have to keep an eye on what Advent IM is doing in 2016!

Aviva 2nd Data Breach

Advent IM Security Consultant Del Brazil gives us his thoughts on the Aviva data breach.

For the second time in less than two years Aviva have reported a data breach in which customer data has been released to person(s) unknown. It is unclear at this time whether it is a procedural issue, a technical misconfiguration or an actual hacking attack. Although Aviva has been quick to admit to the breach, they have yet to confirm its full extent and the number of affected customers.

The previous breach in February 2014 was the result of two employees selling customer data to external agencies. These two employees have since been arrested and released on bail pending charges related to suspicion of fraud by abuse of position.

Is it possible to prevent this kind of incident occurring or re-occurring? In essence, no: there is no way that you can completely prevent this type of insider threat; however, you can put measures in place in an attempt to deter or detect dishonest/disgruntled staff from carrying out illegal activities. Potential measures include, but are not limited to, protective monitoring, staff awareness and staff vetting. Let’s look at each one of these possible measures:

Protective Monitoring – Briefly put, protective monitoring is where a company monitors its staff computer use and network activities. It’s not a ‘Big Brother’ approach but has certain levels of monitoring to identify any suspicious activities such as large data transfers or inappropriate user activity, such as logging on at unusual times. If you would like to learn about the employer responsibilities around monitoring of staff and compliance with legislation such as the Data Protection Act, we have a presentation on this link; you will need sound.
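To make the two signals named above concrete, here is an added example (not part of the original post, and not any organisation's actual tooling) that baselines each user and then flags large data transfers and logons at unusual times. The log format, user names, thresholds and function names are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real data): user, timestamp, event, bytes moved.
SAMPLE_LOG = """\
asmith 2015-11-02T08:55 logon 0
asmith 2015-11-02T11:10 transfer 4200000
asmith 2015-11-03T09:05 logon 0
asmith 2015-11-03T15:30 transfer 3900000
asmith 2015-11-04T10:00 transfer 5100000
bjones 2015-11-02T22:10 logon 0
bjones 2015-11-03T23:05 logon 0
bjones 2015-11-03T23:40 transfer 1200000
asmith 2015-11-09T09:00 logon 0
asmith 2015-11-09T14:00 transfer 4500000
bjones 2015-11-09T23:15 logon 0
asmith 2015-11-10T02:14 logon 0
asmith 2015-11-10T02:20 transfer 750000000
"""

def parse(log):
    rows = (line.split() for line in log.strip().splitlines())
    return [(u, datetime.fromisoformat(ts), kind, int(n)) for u, ts, kind, n in rows]

def find_alerts(events, baseline_until, hour_slack=2, size_factor=10):
    """Learn each user's habits before baseline_until, then flag later outliers."""
    hours, sizes = defaultdict(list), defaultdict(list)
    for user, ts, kind, size in events:
        if ts < baseline_until:
            if kind == "logon":
                hours[user].append(ts.hour)
            else:
                sizes[user].append(size)
    alerts = []
    for user, ts, kind, size in events:
        if ts < baseline_until:
            continue  # baseline period is used for learning only
        # Users with no baseline are skipped; the hour range does not wrap midnight.
        if kind == "logon" and user in hours:
            lo, hi = min(hours[user]) - hour_slack, max(hours[user]) + hour_slack
            if not lo <= ts.hour <= hi:
                alerts.append((user, ts.isoformat(), "logon at unusual time"))
        elif kind == "transfer" and user in sizes:
            if size > size_factor * median(sizes[user]):
                alerts.append((user, ts.isoformat(), "large data transfer"))
    return alerts

ALERTS = find_alerts(parse(SAMPLE_LOG), datetime(2015, 11, 9))
```

Because the baseline is per user, the night-shift account in the sample is not flagged for a 23:15 logon, while the day-shift account is flagged for a 02:14 logon and the transfer that follows it.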

Staff Awareness – This involves educating staff in a number of things, for instance reporting out-of-character mood swings or habits, or just inappropriate computer or device related activities. Staff can also be educated on other potential threats to increase their awareness, and on how to report any suspicious activity. An example of this may be when a normally bubbly person suddenly becomes a recluse, which may indicate that they have some personal problem that they are struggling with. It is appreciated that it may be a personal problem, but highlighting it to the management chain may firstly prompt extra or additional support being made available to that person and secondly, dependent upon the personal problem, may warrant additional safeguard measures being introduced to highlight/detect inappropriate or suspicious activity.

Staff Vetting – Vetting or Security Checking staff does provide an element of assurance; however, it is never 100% effective, just like a car’s MOT is really only valid on the day it’s issued. Vetting provides a snapshot of a member of staff’s suitability to hold a position of responsibility and, unless properly maintained, loses its credibility. Vetting can include a number of checks into an individual’s personal life and/or circumstances such as their finances, nationality, last employment and/or personal references. The degree of vetting carried out is dependent upon the role of the individual within the organisation. For example, IT staff with enhanced privileges could have a more in-depth vetting check carried out to provide a degree of assurance that they are less likely to be susceptible to bribery, coercion etc.; although this is not mandatory, it can be a risk management decision made by an organisation.

Possible next steps for Aviva

  1. Fully investigate the breach and establish how, why, where, who and what was taken.
  2. Inform all affected customers
  3. Look for trends and patterns related to previous incidents
  4. Identify appropriate additional controls that may assist in preventing re-occurrence
  5. Ensure all breaches are reported to the ICO accordingly
  6. Remind all staff of their responsibility to report irregularities or suspicious activity
  7. Educate staff on the current threats

Is it actually possible to prevent this from happening again? Insiders will always make great efforts to circumvent controls and safeguards, and if your insider has privileged access (such as System Admins or senior management) then the problem can increase exponentially. The key is to make it as difficult as possible for these kinds of insiders to succeed, or to increase their perception of the likelihood that they will be revealed. We know we cannot make 100% of networks 100% secure 100% of the time, but if we make it difficult enough then we can reduce the risk of it happening, even if we can never guarantee it won’t happen again.