Tag Archives: Advent

Phishing, accountability and security awareness

Phishing – do employees recognise it when they see it?

Advent IM cyber security expertsIn the last week I have received around twenty phishing emails. These have varied from Linkedin connection requests, to Bank Account reset instructions and Paypal alerts that my security had been compromised…the irony of the last one did not escape me. In this period, I also took a worried phone call from a friend who had been called by someone who said they were working on behalf of Windows and that his PC needed to be remote cleansed and could they have access to it please…. they gave him a fake website address and refused a phone number for call back, then hung up. Its a scam that has been doing the rounds since about 2008  ( I’m sure you’ll correct me if I’m wrong!) He was working from home at the time and connected to his businesses network.

So in the first cases of the emails, it was fairly clear to me that these were phishing attempts. They were not targeted at me or at Advent IM specifically, just chancers doing what chancers do.  The Paypal email was the most disturbing because it was better designed than the others. In all cases though, a brief visit to my Linkedin inbox, online bank account and paypal account respectively (and not through the ‘helpful’ links offered in the phishing emails) proved that each were fake and I reported them. It made me wonder how many businesses actually train their staff in recognising them as security threats and how to subsequently deal with them.  I saw a debate on Linkedin recently about holding individual employees responsible for security breaches and terminating their employment as a result. It included a poll. Many felt that if adequate (no definition included, sorry) training were supplied and a properly enforced and educated policy were in place, the breach was felt to be a result of employee negligence and therefore they should be held accountable. ‘Adequate’ is a relative term I appreciate, I do feel however that it should include ‘regular refresh and update’ within it as well as regular review of the scope – threat changes.

The other part of the example I mentioned at the start was altogether more sinister. This was an individual actually picking up the phone and posing as an IT expert, offering a free service on behalf of a household name. It is easy to see how many people could be duped by this. Working at home in this case, means that the person was connected to their company’s email systems and information network. Luckily, the person concerned smelled a rat and asked awkward questions which resulted in the phishers exiting as quickly as possible. Not everyone might realise this was actually an attack and the result could be not only the loss of their personal information or even financial compromise but also potential compromise of their employers network. In this case, no training had been given in spotting an attack of this kind. If the individual involved had not realised this was nefarious, would it be fair to penalise them? After all this kind of attack was not included in the ‘adequate’ security awareness training they received.

This IT support approach was also employed in the recent attacks on Barclays and Santander, when an individual actually entered branches of those banks and installed or attempted to install desktop cameras to enable a hack. The individual was posing as an IT repair engineer in both cases.  It is far more targeted and part of a concerted campaign. Phishing emails are also sometimes targeted toward individuals, again normally part of a broader campaign and not a scatter-gun phishing expedition to see who bites. This is more aligned to the Social Engineering approach. Specific information or access will be the target and so it differs from the mainstream approach and by definition makes it far more difficult to quantify and therefore provide training for awareness. That doesn’t mean that we shouldn’t do it. Particularly if we  are keen to move down the road toward individual accountability.

 Incidentally if anyone is interested in watching a video in which the ‘Windows/Microsoft” scammer tries it on the wrong person…..click here


Hacking Pacemakers, Traffic Systems and Drones – Cyber and Physical Worlds Collide

The Telegraph today ran a piece on a subject close to our hearts here at Advent IM, namely the cyber threat to our physical world. You can read it here

Regular readers will know we have expressed concern before that language can create barriers or false realities that can leave vulnerabilities and the prevalence of the use of the word ‘cyber’ is a good example of this. Cyber to most people conjures up the ethereal world of the hacker – that strange and dangerous electronic hinterland that few really grasp. Of course, this is dangerously inaccurate as many systems that control our physical world are networked and can therefore be hacked.

The late Barnaby Jack showed the world how he could hack into an insulin delivery system in a patient to effectively overdose that patient, he also managed to hack into an ATM system which then dispensed cash like a waterfall. The two worlds are converging quicker than our security awareness is growing.

Bringing the threat to our critical national infrastructure to the attention of the public at large is in one way unnerving but also very necessary.

Please have a look at our presentation on the topic, you will need sound…

Advent IM, Cyber Threat to Built Estate

Presentation with voice over from Mike Gillespie

SME Information Risk: 48% suffered reputational damage already from lost data

Originally published in Outsource Magazine August 2012

According to a recent survey by Iron Mountain and PricewaterhouseCoopers LLP (PWC), in Europe, mid-sized businesses are placing themselves at unnecessary Information Security risk.  The average index score for Information Risk maturity in this group was only 40.6 (a score out of 100), which sharply highlights the gap between what business is currently doing and what it is supposed to be doing.

Are businesses listening to the warnings about Insider Threat?

Are we listening yet?

Shockingly, 64% of the mid-sized businesses surveyed had no information risk strategy in place, which was effectively monitored.  Given that almost half of the businesses surveyed said they had already suffered reputational damage as a result of lost or misplaced data, this lack of information security appears cavalier at best. It could be your personal data or your organisations data being handled, managed or stored by these businesses.

According the Norwich Union Business Continuity survey (of which information security and reputational damage would be important elements) only 8% of businesses without a plan, which had suffered a serious incident, survived 5+ years, 40% never re-open after a serious incident. If the failings within mid-sized businesses are as widespread as the PWC data suggests this is very bad news for many businesses and could be the one area we start to see them over index, sadly.

Hiding in plain sight

So what does a small or medium sized business do to protect itself, its own valuable data and potentially that of its customers and supply chain? Well, Information Security issues are not like the monster under the bed, despite what the popular press may have us believe.  They don’t frequently leap out to shock you and grab your ankle. More frequently they hang around, waiting to be noticed by someone until it’s just too late and the worst has happened. No amount of finger crossing can spare you from its teeth by then – or the ICO’s teeth in this case. It is normally a series of failings or an extended period of time when risks have been ignored or misunderstood.

Being an SME can make an organisation more ‘fleet of foot’ than many larger businesses. The advantages of being reactive and able to quickly change course or take advantage of a sudden opportunity is a great flexibility to have. Potentially though, the risk side of things can be pushed to one side or ignored and then a lack of due diligence can mean that the new undertaking or direction is being done effectively ‘on the hoof’ and without the anchor of proper governance.  This can also be reflected in the approach to procurement when the questions about the correct checks and balances for security are simply not being asked.  This is possibly because there may not be a dedicated FTE for each role and employees wear several hats. It may be a naiveté about accountability and responsibility either from a legislative or industry requirement basis.  If your organisation is lucky enough to have employed someone with and Information Security or Data Protection background, then this is less of an issue. That is assuming that the resource to have an FTE with these expert skills is available. Generally this is not the case and whilst many businesses are more than familiar with the old outsource service of security, they do not necessarily make the connection to Information and Data.

“Sometimes I feel like the conversation itself is encrypted”

That is how it feels to have a conversation with a security guru. Within minutes the language becomes dense and acronym laden and the eyes of the non-security person may start to glaze or dart about like a frightened rabbit in car headlights.

The concept of Information Security is understandably daunting. Many businesses are put off by the language and apparent complexity. Everyone is put off by things they don’t’ understand but that is what outsourcing is for. Part of the issue is that organisations and those within them responsible for security of information, do not want to feel daft, the language and complex terminology they are coming up against makes them feel inadequate and sounds potentially expensive.

Although security has a long relationship with outsourcing, this has been largely around physical security and areas such as manned guarding. For some reason, outsourcing an organisation’s Information Security, Data Protection or Business Continuity appears to have passed many organisations by as a possibility.

When you think about it though, it makes perfect sense. Areas that are complex and needs and expert help, that may not require and FTE or be too cost sensitive to resource on an FTE basis or maybe required to move an organisation through an accreditation to assist with perhaps getting onto a Government supply framework, or supplying the NHS for instance. Whilst every organisation needs to be security aware and educate their staff effectively, understanding the accountabilities, policies and processes are far more relevant to an SME than having an inside out knowledge of security terminology and the dazzling amount of acronyms. Outsourcing is the natural choice.

One of the 64%?

So the data security inertia may not solely come from a lack of interest or concern about what happens to client, customer or internal information. True some organisations have a genuinely laissez-faire attitude, but many don’t and some of the lack of appropriate action can have come from fear, confusion and misinformation.

Given the ICO’s power to fine up to £500k for serious incidents, this could potentially see a number of the unprepared 64% close for good. It makes much more sense to find an expert outsource partner to translate and guide. Security is a business enabler. Once the security is in hand and under control, an organisation can go on with the business of growing in a secure environment for both the organisation and its partners. It allows organisation to tender for business that they may not normally have been in a position to. It brings likeminded businesses together, allowing them to partner and support each other knowing that they are on the same page and that their respective information assets are properly managed.

Outsourcing Information Security may be a newer area of outsourcing but as with all good outsourcing it is there to provide the expertise it would appear is lacking in the SME arena. Ensuring the best quality, independent advice from an outsource partner could provide the competitive edge and reassurance an SME needs to realise its true potential.

Data sources: PWC Iron Mountain survey “Beyond cyber threats: Europe’s first information risk maturity index” and Norwich Union Business Continuity Survey

Size Really Doesn’t Matter in Cyberspace

iStock_000015672441MediumSomething we have all long since suspected, today confirmed by Allianz – the insurance giant. Size does not matter. At least not when it comes to being a target of a malicious cyber attack.

According to Allianz, attackers are targeting large corporations by attacking their supply chains – smaller companies and SME’s that potentially offer more easily accessible ‘routes in’. Of course it is not always going to be the case but an SME perception of not being a viable target may be just that, a perception. Understanding what the real threat and therefore risk of an attack is, is vital. If you don’t fully understand what risk is posed to you and you potentially pose then you may be open to an incursion, even if you are not the prime target. You may not even know your systems have been used in this malicious manner.

So the question is, how robust is your security? Well, many large corporations are starting to demand evidence of stringent security as a matter of course. They understand some of the very real risks posed by their suppliers. According to an article in City AM today-

“Companies employing fewer than 250 employees are now almost twice as likely to be the subject of a targeted computer attack compared to 2011. By contrast, large organisations employing over 2,500 people have seen no increase in attacks over the same period”

A thorough independent and comprehensive Risk Assessment would be strongly advised in these circumstances. Being able to evidence your security posture is a positive enabler for many organisations, as it can open greater commercial opportunities up to work with larger corporations and Public bodies, however as the risk of these “piggy-back” attacks grows, these corporations are more and more likely to require evidence of the supply chain partners’ security.

Cyber Attack and Hack – Is Our Use of Language Creating Security Vulnerabilities in Our Thinking?

Hacking and Cyber attacks have hardly been off our media front pages for a long time. But are businesses and organisations misleading themselves by referring to these incidents as ‘hacks’ or as ‘cyber attacks’? Are businesses actually limiting their thinking and thereby creating vulnerabilities by mislabelling these important events? There is a strong indication this might sometimes be the case.

When we talk about hacking we think about a variety of activities, from the lone, disruptive back-room coder, to the determined and resource-laden gurus of cyberspace who can 


apparently enter our systems at will and remove whatever data they want – maybe government funded but definitely expert and dangerous. Of course, both of these exist but if recent surveys give us any indication of how much these remote threats actually affect our businesses and organisations on a daily basis, it would appear an important part of the threat puzzle is missing. 

According to the Verizon Data Breach Report 2013, more than three quarters of breaches utilised weak or stolen credentials. So either the malfeasant has taken a solid guess that the password will be ‘password’ or has potentially stolen a passcard to a server room or a myriad of other activities which are not hacking but are breach enablers. So the myth of the remote hacker is revealed, at least in the majority of cases to be just that, a myth. With 35% involving some kind of interaction in the physical world, such as card-skimming or theft it underlines the need to move the security focus away from solely cyber.

The same report showed that in larger organisations, ex employees were the same level of threat as existing managers. If we refer to the previous stat then a proportion of those stolen credentials could actually come from ex employees using their old credentials or credentials they had access to, in order to access company networks as happened in the ‘Hacker Mum’ story

Nearly a third of breaches involved some kind of Social aspect, this could be coercion of an existing employee, a phishing campaign or simply walking into a building and charming a staff member such as a receptionist (mines of information that they are) on a regular basis to get information on staff comings and goings etc. It could also involve surveillance of a business over an extended period, including its staff, visitors and contractors.

So the actual ‘hack’ or ‘cyber attack’ is quite an extensive way down the line in this kind of breach. It could have been in planning for months. On one hand this is worrying because our language has encouraged us to focus our attention on only one part of the process. It enables the already prevalent, ‘IT deals with security’ mindset, we have discussed in previous posts.  But in enabling this narrowed view, we are creating a vulnerability and ignoring the opportunities we will have had along the route of this breach to have halted it before anyone even logged on to anything.

A comprehensive program of Security Awareness training in-built into everyone’s role and that training being regular and refreshed, is one helping hand in preventing the attack reaching the actual hack stage. Simple things like ensuring everyone knows not to click on uninvited or suspicious looking links in emails for instance. Being aware of unfamiliar faces  in a building, regardless of whether they are wearing a high vis jacket or lab coat for instance. Social engineers love to hide in plain sight. 

So use of language has ruled out these elements being considered by all staff members, they hear the words ‘cyber’ and ‘hack’ and think it is IT’s responsibility and then carry on as normal. There are many points at which the hack could have been prevented by basic security hygiene or good practice.

It underlines to us that threat to our businesses and infrastructure are holistic and so should the response to that threat be. Yes, there is a threat from the faceless hacker, the determined and well funded professional as well as the random and opportunistic ‘back-bedroom warrior’. But many businesses and organisations are facing a people based threat first.  An old vulnerability being enabled in a new way – language.

Advent IM Cyber Threat and security consultants

Advent IM Security Cyber Security experts

 Advent IM cyber security experts

Advent IM Join G-Cloud

Advent IM Supplier to Government, G-Cloud

Advent IM – now available to procure directly via G-Cloud

Advent IM Ltd is pleased to announce its inclusion on the Government’s Cloud Store – G-Cloud. This is the newest Government Procurement Framework and gives the public sector access to highly discounted and exclusive Government framework pricing. This means confident procurement and avoids the need for expensive tendering, whilst offering reassurance that procurement rules and guidelines are being met.   It also offers the private sector an easier route to work with public bodies.

 Advent IM has a lengthy track record as a Security Consultancy for public bodies and Her Majesty’s Government.  The Advent IM Catalogue on G-cloud shows the full range of services available to both public and private sector organisations. G-Cloud is designed to make it easier and faster for those public bodies and departments to procure directly and that now includes expert Security Consultancy from the team of specialists at Advent IM. No longer having to face the convolutions and cost that the tender process can sometimes entail.

Advent IM consultants also work closely and very successfully with the private sector. This framework is a vehicle for the private sector to work with HMG more easily, especially small businesses for which the process of tendering may have been prohibitive.  The incentive for the private sector is clear; however there will be certain standards of security practice that will be expected of them and their systems, in order to be accepted onto the G-Cloud.  Advent IM can offer expert assistance and support to those private sector businesses seeking entry onto this framework, whether that be training, accreditation, Cyber Security and Information Assurance or a host of other areas that need to be considered for G-Cloud.

 “We are delighted to have been selected as a G-Cloud supplier. Although we have had an excellent relationship with the public sector over many years, this marks the start of a direct procurement communications path between Advent IM and potential new clients. It opens doors that were previously not available to us and we look forward to the framework fulfilling its promise of quicker and smoother purchasing processes for public bodies. We also relish the opportunity to help more organisations become G-Cloud suppliers themselves by sharpening their security practices and gaining access to public sector work they were previously unable to tender for.” – Julia McCarron, Advent IM Operations Director


If you are a public body and are interested in procuring security consultancy direct, you can search us here.




Upcoming Event – The Security Institute Annual Conference

The Security Insititute, Mike Gillespie, Advent IM Director

Mike Gillespie – Advent IM MD, and Director for The Security Institute

We are delighted to announce that Mike Gillespie will be one of the guest speakers at this important and prestigious event.

It will be held in London on June 19th and you can download the flyer with details of the event and how to book  here A5 Delegate Flyer.

Mike will be talking about Insider Threat, Social Engineering and Cyber Attack, details of the modules and other speaker topics are on the flyer. It promises to be a highly informative event with some excellent speakers and topical subject matter.

It is open to members and non-members and offers the conference, exhibition and dinner.

We hope to see you there and don’t forget if you would like to meet up you can tweet us on the day @Advent_IM

Sec Inst Supp logo CMYK