Tag Archives: risk

Webinar – Outsource Magazine – March 16th

Outsource magazine: thought-leadership and outsourcing strategyWe want to wish Outsource Magazine good luck as they relaunch their webinar program, Time to talk Talks.

This is the program in the words of the Editor,  Jamie Liddell…

Each month (the third Wednesday of every month, to be specific) I’ll be sitting down with four or five luminaries from different corners of the community, to discuss what’s hot (and what’s not) for them in a series of short one-on-one interviews, before throwing the panel to the mercy of the audience for some general Q&A in the second half of the show.

Mike Gillespie_headshotWe are also delighted that one of the luminaries on the launch webinar, will be our very own, Mike Gillespie. Don’t forget to email questions in ahead of the event and sign up via the link…

http://outsourcemag.com/time-to-talk-talks/

 

 

Advertisements

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

jAN 2015In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.

 

In FFEB 2015ebruary, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched Whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection

 

MAR 2015In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!) Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014 suddenly shot back up the blog statistics, as people explored some of our older posts.

 

april 2015In April, law firms were in the sights of the ICO and we blogged about it and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website

mAY 2015

In May, Ransomware was on everyone’s radar, including ours.  A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and the common sense reveals the huge commercial benefits.

JUN 2015In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no nonsense post, explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking, Attack Trees. A post that was also very well read came from Julia McCarron who discussed the risk in continuing to run Windows XP

JUL 2015In July, Social Engineering was a key topic and one of our blog posts was very well visited, The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote about hacking Planes, Trains and Automobiles, with clarity, as well as the coverage this kind of hacking was receiving.

AUG 2015In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives and a guest post from Malcolm Charnock got hoisted back into the charts.

SEP 2015In September, TOR was in the press sometimes as a hero, but usually as a villain…well perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive – The Ubiquitous Security Breach.

OCT 2015In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach.  Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

NOV 2015In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defense material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbout and EU DP Regulations were also extensively read in November.

dEC 2015And finally, December…Well the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included and it has, as always,  been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and a conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015

The Insider that rarely gets questioned…

Insider Threat certainly isn’t going away, is it? Reading the continual survey results and news items I see published, it will still be an issue for a long time to come. We know that a lot of the Risk that Insiders bring can be mitigated with good policy and process combined with tech that is fit for purpose. But what of those insiders we don’t really like to  challenge? I speak of the C-Suite; our boards and senior management… surely they couldn’t possibly indulge in risky behaviour?

Risky behaviour is actually quite prevalent in our board rooms, security-wise I mean. (Check out https://uk.pinterest.com/pin/38632509277427972/) Unfortunately, some of the info assets that this level of colleague has access to is quite privileged and so in actual fact, the security around their behaviour actually needs to be tighter but in reality things are not always this watertight and IT security and other security functions will make huge exceptions, based upon the role and seniority instead of looking at the value of the information asset and how it needs to be protected. (Check out https://uk.pinterest.com/pin/38632509276681553/)

Its worth noting that senior execs are frequently the targets of spear phishing and given the level and sensitivity of assets they have access to, this is a huge risk to be taking with organisational security. Ransomware could also be deployed through this method and as a means of coercion. Whilst considering this level of access, we also need to think about the purpose of attack. If this was part of an industrial espionage type of operation, the plan might not be to steal data, it could be to destroy or invalidate it, in situ, in order to affect stock prices, for instance.  It is also worth noting that ex-execs or managers can still be a target and that means they still constitute a potential organisational threat.

Privileged access users like system administrators (sysadmins) also pose a potential threat in the same way as senior business users as there may little or no restrictions on what they can access or edit. A rogue sysadmin or similar could cause absolute chaos in an organisation, but the organisation might not even realise it, if they have also got the ability to cover their tracks. According to the Vormetric 2015 Insider Threat Report, the biggest risk group was privileged users and Executive Management categories were responsible for 83% of the overall risk from Insiders. Yet according to the same piece of research, only 50% have Privileged User Access Management in place and just over half had Data Access monitoring in place.

One more layer to add on top of this would be BYOD. Many businesses have considered whether BYOD is a good choice for them and many have decided to adopt it. Whilst data suggests it may contribute to data breach in adopting organisations, it can be a problem even for those who do not adopt it, as yet again senior execs are allowed latitude regarding the devices they use and may not be subject to the same scrutiny or oversight that general employees are. We know that almost a third of employees have lost up to 3 work mobile devices, we do not know how many have lost their own device also or whether it contained sensitive or valuable business data. We do know that some of these will be senior executives though and this, combined with other risky behaviours (check this out https://uk.pinterest.com/pin/38632509277975844/) will be a major contributor to the risk profile that they represent.

Are you still operating XP or Windows 2003? – A guest post from Julia McCarron, Advent IM Director

Whilst Microsoft’s utopia may be for us all to automatically upgrade every time there is a newAdvent IM Cyber Security Experts version of Windows, for many organisations this isn’t always an option. With some still coping with life after the recession the cost of upgrading to new platforms can be restrictive, especially if XP and Windows 2003 still works perfectly well and provides you with effective tools to operate business as usual. For others with large technical infrastructures, again the cost of upgrading can be a massive drain on time, resources and money and needs careful budgeting a planning over a period of time.

But with the withdrawal of support on Windows platforms and applications comes risk. Security patches no longer get issued, and as cyber security threats continue to be developed exponentially so these platforms become vulnerable to attacks.

Advent IM HMG accreditation concepts training

pics via digitalphotos.net

The obvious choice is upgrade as soon as possible. But if this is not an option you need to assess the risk of operating in a non-supported environment as part of your corporate risk strategy, and where required identify activities that can help you minimise risk. These could be more frequent external penetration tests, stricter acceptable usage policies, updates in security awareness programs or additional monitoring software. There are risk mediated options available but only if you go through the proper process of analysing the threats and impacts of not upgrading to your business.

But upgrade when you can …

Julia.

DDoS attacks cause an average jump of 36% in customer complaints

According to research commissioned by BT through Vanson Bourne, on average customer complaints to businesses increase by 36% in the aftermath of a Distributed Denial of Service (DDoS) attack.

It seems like a staggering uplift but when you consider that in the UK alone the same research revealed that almost 60% of businesses admitted DDoS attacks had bought down their systems for six hours or more…a whole working day, it becomes less staggering. Around half (49%) of UK organisations to not have a response plan in place, so in actual fact the damage from a DDoS attack could potentially continue for a considerable period after the event.Add to that the reputational damage and you can start to see why it is so vital for businesses to really get to grips with what they are dealing with.

So if a DDoS attack takes out a network or possibly a data centre for six hours and this is apparently increasing and becoming more sophisticated, surely this should be much higher up the boardroom agenda than it is? I recently read that Cyber security ranked third in importance in boardrooms (KPMG). This initially seemed a little ambitious to be honest. Though when I examine the statement more carefully…third in importance in the boardroom, so that means of the businesses that actually have cyber security represented in the board room (alongside other business functions such as HR or Finance), it is averaging in third place. However we know that around half of organistions don’t ever discuss Information Security at the top level of their organisation.(Ponemon Institute). So effectively what we are actually saying is that we have a handful of organisations discussing this as a Business critical function but even they don’t have it as top priority despite the fact it could effectively be a deal breaker in terms of customers and reputation…

Advent IM Cyber Security Experts

 

 

 

Technical Security Skill Shortfall Means Heightened Risk Levels For Business

First published in Outsource Magazine September 12 2013

A report commissioned by IBM concluded that Technical Information Security Skills are in short supply and that this is creating vulnerability and risk in business. The research, carried out by Forrester Research Inc., revealed that even mature organisations are facing increased risk exposure due to difficulty sourcing and retaining Information Security talent.

Overall, 80% of Chief Information Security Officers are finding it difficult or very difficult to recruit technical security staff that met all their needs, according to the research. A range of issues are feeding this difficulty and the resulting concerns about rising risk levels include some very disturbing elements, as unfilled roles create anxiety. Only 8% of respondents said that they didn’t have a problem with security staffing issues.

The remaining 92% identified some key areas for concern that any business should be considering, regardless of whether or not they think they have security talent issue. Whilst the solution for many businesses has been to recruit further down the experience ladder, you can see from the kind of pinch points identified here, that this is not a sustainable solution. Whilst it may ‘fill a security role’ it is not filling the right one.

  • external threats not understood or discovered (27%)
  • deadlines not met/projects taking longer to complete (27%)
  • a growing gap between threat and controls (24%)
  • technical control systems not fully effective (this is anti-malware and such like) (22%)
  • technical risks not identified (20%)
  • technical control systems not implemented (20%)
  • technical risks are unresolved (20%)
  • security road map is unclear (20%)
  • internal technical security audits are not undertaken (20%)
  • Process-based controls (e.g., segregation of duties, privilege review) are poorly defined, dated, or inefficient (18%)
  • concern that Security architecture is complied with (17%)
  • It has prevented adoption of new technology (e.g., cloud, BYOD) NB. Given some of the concerns we have seen in the list so far, this is probably a blessing. (16%)
  • External technical security audits are not undertaken (e.g., at service suppliers, supply chain)  (15%)
  • It has prevented business agility and/or growth (13%)
  • Security architecture is poorly defined (13%)

istock_000012299872medium.jpgThese result show us that not only that there is an increased risk to business from the skill shortage but that the kind of risk business is facing is not simply about architecture and cyber threat but also about the prevention of growth and agility. These are positive contributions that security can make and their inclusion as potential risks show a willingness to move security out of the cost column and into the investment column, but again this is being thwarted by the skill shortage. This may reveal itself in a lack of confidence in moving certain functions or activities to The Cloud or perhaps not instituting Bring Your Own Device (BYOD). Whilst it is better not to do these things if you do not know if they are within your organisation’s Risk Appetite, if you do not know what that Appetite is and there is no one sufficiently knowledgeable and skilled to be able to ascertain this and then mitigate the risk if appropriate, then an organisation may be disadvantaged. This might mean it becomes a less appealing choice for potential new and highly skilled employees for other parts of the organisation, who perhaps demand BYOD as standard along with the flexibility it brings.

Commercially, robust security and resilience is becoming a must have and increasingly organisations are being asked to demonstrate and prove themselves in these areas. Businesses that have worked with Her Majesty’s Government and the Public Sector will be familiar with their extensive security requirements for instance, but others are now finding that if they want to grow their business, the onus is on them to be able to prove their security credentials. This pressure is coming from larger organisations not just public bodies, as they realise how important it is for their supply chain to be resilient. Again this is a real stumbling block if you simply do not have the in-house skills to handle a project like ISO27001 certification or compliance. So the risks that are immediately apparent in terms of what might happen to a business without the appropriate level of security skill are actually more convoluted than they first appear.

A perception of security as a business enabler is one that many security professionals have tried to promote for a long time and the idea of growing a business within its Risk Appetite is common sense. For too long the perception of Security has been that Security will just say no to innovation, change and anything even vaguely risky-sounding. It is disappointing to think that just as the paradigm looks ripe to shift (in the right direction) that it is being stymied by a lack of high level skills. All of these challenges presuppose the organisation has the budget to be able to employ the skilled person they need.

Physical Security like manned guarding has been on the outsource list for many years, Information Security has not always been viewed the same way.  Depending on the level of challenge, size of organisation and actual (not perceived) threat and risk, there may be a viable alternative to a full time senior technical security person, through outsourcing. Perhaps if the challenge is to get through a particular project then the high level skillset may only be required at certain times, not constantly. If there is a tipping point at which the need for the skills is justified commercially this may come a lot sooner if there is an opportunity of filling the gap without actually having to finance an FTE with all of the cost that entails. Given the difficulty in sourcing the high level skills, the best talent is following the money, leaving many organisations in an uncertain security vacuum.  Outsourcing may be the solution on either a project or buy as you need type basis. It may provide a much more cost effective solution to a convoluted set of challenges that are not showing any sign of going away or simplifying. It may also mean a level of skill and experience far in excess of that which may have been within budget for an FTE.

Of course, making sure you are certain of your partner in any outsourcing endeavour is vital and due diligence on potential suppliers is vital. As a rough guide here are some questions you should be asking.

  • Does my partner understand my organisation and its business drivers and growth imperatives?
  • Can they provide qualifications, certifications, track record, references, case studies and a cultural fit?
  • Are they flexible enough for my needs? Are they able to flex up and down as required or am I going to be rigidly contracted to a number of days per month?
  • Do we have specialist or generalist needs?
  • Do we want access to an expert individual or a team of experts?
  • Do we want Strategy, Policy, Risk skills?
  • Do we want our partner to be capable of working successfully with C-level stakeholders or at the ‘coalface’ or both?

Security out- sourcing: anything to learn from the G4S experience?

Security out- sourcing: anything to learn from the G4S experience?

Advent IM in Outsource magazine 20.07.12

Spreading the risk – a more secure alternative?

Recent events with G4S and LOCOG/the Government’s procurement of security for the Olympics, will clearly not be leaving the headlines anytime soon. Indeed you could be forgiven for thinking this was a security event, not a sporting one. Is there anything to be learnt from the Olympic Security out-sourcing? A good place to start would be to understand how organisations source physical security.

We have always done it this way

Let’s be clear, out-sourcing security can work and work very well for end users. The impetus for out-sourcing any service should have a solid base in the desire for the best possible service from people who are experts in their field. If the motivation is always cost cutting rather than sourcing excellence to improve end user experience, then nine times out of ten you will simply get what you pay for.

Physical Security has a long standing relationship with out-sourcing.  That does not mean however, that because it has been out-sourced for so long that it is done well in all cases.  Frequently, we see providers specifying to clients what they can have based on their portfolio of services, rather than the client understanding what they need based on Threat and Risk Assessments and specifying this to the provider. This is a bit like visiting a car showroom and saying, “sell me the car I need.” You may find yourself returning a short time later asking why you can’t fit your six kids into your Aston Martin but if you didn’t specify your needs from the outset the car sales person will see you what he wants … One size never fits all, it may fit some but everyone prefers something that meets their needs when they can get it. So, how can something as important as security not be bespoke?

Facility Management and Security

In business, Physical Security has been moving for many years into the Facility Management arena.  It is a natural place in many ways, especially if this is not simply managing the manned guarding aspect but also equipment contracts such as CCTV and door entry systems, PIR’s etc.

In-house FM may manage an out-sourced contract for Physical Security provision.  An FM provider may manage a contract for a client, or an in-house FM may manage a contract with an FM provider who manages a Physical Security Contract with a provider.  There may be a separate contract for management of equipment contracts, that could be managed by the in-house FM, the out-sourced FM provider, the security provider it has been out-sourced to or possibly even further along the chain (still with me?) …That is a lot of moving parts in a chain that requires clear areas of accountability at all stages, not to mention governance (who is guardian of CCTV image management for instance, and is everyone clear on that along with Data Protection Act requirements?). Governance also includes relationship management and compliance checks. Remember it is only the function that is being out-sourced, not the responsibility … or the accountability.

Proactive or Reactive Procurement?

“Understanding the risks involved can save money and reputational damage. Keeping your supplier close and having an open, honest relationship ensures any danger of things going wrong is reduced, or at least spotted early and corrected,”

– CIPS CEO David Noble

Chartered Institute of Purchasing & Supply (CIPS) state that it is the job of the buyer to ensure that:

  • Materials of the right quality
  • Are delivered in the right quantity
  • To the right place
  • At the right time
  • For the right price
  • And the sixth right: from the      right source

Reactive Procurement is taking only one or his heavily biased toward one of these ‘rights’. Proactive procurement is based on strategic decisions of all the six ‘rights’, then the supplier will not have been selected on price alone, for instance.

When we examine how Physical Security is sourced the issues and potential pitfalls, start to emerge. If we go back to our example of G4S and the Olympics, Government Procurement decided not to split security provision, and thereby risk, across several smaller providers, but to go with one large provider.  So the focus appears to have been on procurement ie. cost. Whilst we want our Government (and in this case LOCOG also) to be cost sensitive with our hard earned taxes, we also want the job done correctly. This option appears to have introduced a ‘single point of failure’ because only one supplier was procured.

This is the difference between sourcing the service you want, need and are specifying with expert knowledge and procuring the cheapest or ‘most economically advantageous’ as Government procurement tender documents read.  Let’s be clear, to a supplier, procurement is there to hard bargain on cost, they are not there to provide any level of expertise or the associated judgment call, on the service being requested.

For a regular organisation understanding that all stages of the chain have to be carefully managed, is key.  KPIs based upon the threat and risk landscape should be in place to ensure performance is being measured against the correct metrics. They also need to make sure that their bespoke needs are the ones being answered and not what the provider is telling them they can have. The threat and risk landscape will change, will a client be penalised for changes to reflect mitigation of these changing risks?

One final thought on proactive vs. reactive, G4S are shouldering 100% of the responsibility for this debacle, not Government procurement. On a realistic business level for organisations considering their options for out-sourcing security, when things go wrong it is rarely the procurement team who get an unhappy phone call from the end user, it is normally the Facility Manager.

The future

Many Facility Managers and providers welcome the idea of system integration – Security Systems can easily be included in this model and can provide very valuable data back to an organisation across disciplines when part of a wider integrated function. For this to be realistically achieved, and the associated service and cost improvements to be reaped, the whole chain of supply and accountability needs to be resilient and transparent. There are real benefits to be had from out-sourcing Security and even more to be had by bringing everything together to provide a holistic management view.

Some pointers

  • See it as an investment in an organisation’s excellence – for that is what it is. If you view it purely as a cost saving exercise, you may come unstuck.
  • Take expert advice on your real threats and risks and specify accordingly.
  • Get the bespoke solution you need not the solution the out-sourcing provider wants you to buy.
  • For larger out-sourcing projects think about spreading the risk of a single point of failure – more than one provider may be the answer.
  • Ensure clear, accountability, resilience and due diligence throughout the chain and wherever possible limit multiple ‘moving parts’.

Originally published in Outsource Magazine 23.07.12, reproduced here with the kind permission of the Editor.

Ellie

www.advent-im.co.uk

www.youtube.com/adventimsecurity

0121 559 6699

bestpractice@advent-im.co.uk