Cyber attacks on SMEs – the risk of attack is VERY real

SMEs are very attractive to cyber criminals: they have poorer security and limited resources, making them easier to attack than their larger counterparts, and are often part of larger supply chains, making them an easy point of access into larger corporations’ systems.

The Department for Business, Innovation & Skills/PwC’s most recent Information Security Breaches Survey found that 74% of small businesses suffered a security incident in 2015 (up from 60% in 2014).

The impact of an attack is clear

Reputational damage is a very real concern for SMEs. According to KPMG and Be Cyber Streetwise, 89% of breached SMEs said the attack affected their reputation, damaging their ability to win new business and maintain relationships with existing clientele.

What can SMEs do to protect their reputation?

SMEs should look to the government’s Cyber Essentials scheme to protect their reputation. Cyber Essentials sets out five security controls that, according to the UK Government, could prevent ‘around 80% of cyber attacks’. These controls provide a basic level of protection from the vast majority of cyber attacks and improve business efficiency in the process. A double win!

Certification to the scheme demonstrates that you have implemented these basic cyber security controls, reassuring your customers, stakeholders and staff that you have taken the precautions necessary to reduce cyber risks. It also helps with cyber insurance if you are considering taking it out.


The true costs of cyber security breaches start to emerge

Pharmacy2U

We have been covering cyber security breaches and their financial costs for several years. But beyond the fines meted out to organisations whose customers’ details are forcibly taken, what about those who sell this information on willingly? There is also the cost to company reputation, on top of any fine, which needs to be considered when calculating the real cost of any cyber security breach.

Pharmacy2U, the UK’s largest NHS-approved online pharmacy, was fined £130,000 this week for selling information collected about its own customers to third-party marketing companies. The ruling was simple: the online pharmacy had not obtained permission from customers for their data to be sold on in any form. Pharmacy2U has apologised, calling the sales a “regrettable incident”. However, the impact on its reputation will be a lot larger than the penalty from the Information Commissioner’s Office (ICO).

This week also saw Sony agreeing to pay up to $8m in compensation to its employees over the loss of their personal data in the 2014 hacking scandal surrounding the release of the film The Interview. As we covered back in December 2014, Sony Pictures Entertainment found itself the victim of a large-scale cyber attack in which unreleased films leaked, along with the personal data of 47,000 people employed by or associated with Sony. The $8m settlement still needs approval, but sees Sony reimbursing current and former employees for losses, preventative measures and legal fees relating to the incident.

In a further twist, this week saw the disclosure of a Sydney-based professional services business, which is seeking to remain anonymous, having been infected by ransomware. The malicious software found its way onto their system after an infected zip file from a client was opened. The malware then worked its way through the organisation, locking everyone’s documents and directing users to a website demanding a ransom to unlock the files. The company decided that, instead of paying the ransom, they would wipe the data and recover it from their backup server. The problem with this plan was that, although their outsourced IT supplier had supplied the backups and assured them that they were okay, when they attempted to recover it was discovered that the backups had in fact been failing for some time, and more than seven months of company data was lost. The business has since undertaken the tedious and time-consuming task of recreating this data from emails and attachments. This has cost the business A$10,000 in man hours alone for the rebuild, but the cost in terms of damage to reputation remains hard to quantify. Referring to the original ransom demand (amount currently unknown), the MD stated, “I might just pay next time”.

With the increasing costs to business resulting from cyber attacks and a growing appetite for protection, many companies will be investigating cyber insurance, but even this is an emerging market which has its limits and will not cover all ultimate costs. For example, it could be difficult to get a pay-out due to the often vague definition of business disruption, and cyber insurance does not cover the all-important reputational costs. Cyber insurance can give peace of mind on large pay-outs, but it cannot protect reputation and is simply not a substitute for heightened network security, employee training and a regularly tested backup strategy.
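The Sydney case above turns on a backup job that had been failing silently for months, and the closing advice is a regularly tested backup strategy. As an added example (not code from this article or from the business involved), the following Python script performs the two checks that would have caught the problem early: a restore test that hashes every file when the backup is taken and compares a restored copy against that manifest, and a freshness check that alerts when the last successful backup is older than a threshold. The directory layout, the two-day threshold, the status timestamps and the sample files are all constructed for the example.

```python
"""Backup verification: restore-test a backup set and flag stale or
incomplete backups, so a failing backup job is noticed in days, not months.

Added example for this article, not code from the page or any vendor.
The manifest format, directory layout and thresholds are assumptions."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timedelta

# Assumed: a nightly job, so two missed runs should raise an alert.
MAX_BACKUP_AGE = timedelta(days=2)


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir):
    """Hash every file under source_dir; this is what a restore must reproduce."""
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, source_dir).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def verify_restore(manifest, restore_dir):
    """Compare a restored tree against the manifest; return sorted problems."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(restore_dir, *rel.split("/"))
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_of(path) != expected:
            problems.append(f"corrupt: {rel}")
    return sorted(problems)


def check_freshness(last_success_iso, now_iso, max_age=MAX_BACKUP_AGE):
    """True if the last successful backup (ISO 8601 timestamp, as a job would
    write to a status file) is no older than max_age relative to now."""
    last = datetime.fromisoformat(last_success_iso)
    now = datetime.fromisoformat(now_iso)
    return (now - last) <= max_age


def run_demo():
    """Constructed scenario: three source files, a backup job that silently
    skipped one file and truncated another, and a last-success stamp seven
    months old. Returns (restore problems, freshness verdict)."""
    work = tempfile.mkdtemp(prefix="bkcheck-")
    try:
        source = os.path.join(work, "source")
        backup = os.path.join(work, "backup")
        restore = os.path.join(work, "restore")
        files = {  # constructed sample data
            "invoices/001.pdf": b"invoice one",
            "invoices/003.pdf": b"invoice three",
            "reports/q1.docx": b"quarterly report, full text",
        }
        for rel, data in files.items():
            path = os.path.join(source, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        manifest = build_manifest(source)  # recorded when the job ran

        # Simulate a backup job that reported success but did not deliver:
        # one file is absent and another was written truncated.
        shutil.copytree(source, backup)
        os.remove(os.path.join(backup, "invoices", "003.pdf"))
        with open(os.path.join(backup, "reports", "q1.docx"), "wb") as f:
            f.write(b"quarterly")

        shutil.copytree(backup, restore)  # the restore test itself
        problems = verify_restore(manifest, restore)

        # Constructed status-file timestamps: last success in March, check in October.
        fresh = check_freshness("2015-03-20T02:00:00", "2015-10-28T09:00:00")
        return problems, fresh
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    found, is_fresh = run_demo()
    print("restore problems:", found)
    print("backup fresh:", is_fresh)
```

Run as-is, it reports the missing and truncated files in the simulated backup and flags the seven-month-old last-success stamp. In practice the backup job writes the manifest, the restore test runs on a schedule from the backup server rather than from the production box, and an alert that fires on either check is what separates “we have backups” from “we can restore”.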

This week’s technology news – 20th March 2015

The Windows 10 launch party welcomes all including pirates

Microsoft has announced that Windows 10 will launch this summer in 190 countries. A new feature of the system called Windows Hello was also demonstrated for the first time: it lets users log in via fingerprint, face recognition or iris recognition.

To get ready for Windows 10’s big launch party, Microsoft has been teaming up with app service providers worldwide, including Chinese internet giant Tencent, which will bring its hugely popular online game ‘League of Legends’ (over 32 million active players) to the Windows 10 store, along with its QQ social app, which has over 800 million active users.

Microsoft sees China as a huge opportunity for Windows 10, and getting companies on board to provide relevant and highly successful apps, games and services to the Windows 10 store will go a long way towards persuading Chinese users to upgrade to Windows 10 this summer.

The biggest challenge has always been getting users to adopt genuine Windows instead of pirated versions. Currently two-thirds of all PCs in China run pirated copies that were not purchased from Microsoft.

In an unprecedented move, Microsoft will allow these ‘non-genuine’ versions of Windows to be upgraded to Windows 10 for free. Those who upgrade in this fashion will still have non-genuine, unsupported systems, but will have access to the new features of Windows 10, most importantly for Microsoft the new Windows 10 store, where Microsoft takes a 30% cut of sales.

Microsoft continues to be very aggressive in its push of the upcoming Windows 10. Its strategy of allowing pirated systems to upgrade, and free upgrades in general, is tactically cunning: it shows that its first goal is to get as many people as possible using the new system, sooner rather than later, and gain maximum market share.


Amicus ITS explores a trio of cyber security stories in this week’s roundup of technology news:

US healthcare provider Premera not so premier following cyber attack

The FBI were recently called in by Premera Blue Cross, a US non-profit health insurance company which posted revenues of $7.6 billion in 2013, to investigate a cyber attack on its IT systems which went undetected for eight months from May 2014. It is not yet clear how the attackers broke in, and the company has not said how the breach was discovered. However, 1.8 million records were illegally accessed, exposing medical records, personal data and employee data, as well as data on companies which did business with Premera Blue Cross. The data exposed included names, dates of birth, addresses, telephone numbers, email addresses, Social Security numbers, member identification numbers, medical claims information and financial information (though no customer credit card information was held).

This comes on top of another huge cyber attack on Blue Cross Blue Shield insurance giant Anthem, which recently had 78.8 million customer records illegally accessed.

The correct professional PR stance of both Premera and Anthem has been to publish a direct response on the front pages of their websites to try and assuage customer concerns by advising of their remedial steps with their security partners, including offering 24 months of free credit monitoring and ID protection services.

Whether either company will fully regain the trust of their clientele only time will tell, but at least the right reactive steps were taken to tackle the issue head on with their customers.


Get me insured – I’m under attack!

The US Department of Homeland Security (US DHS) has started a wholesale review of cybersecurity insurance, as it has emerged that security issues have been marginalised and are not forming a core part of an organisation’s enterprise risk management framework.

Cyber insurance is a relatively new product for the financial markets and, given the rise in cyber attacks and major data breaches worldwide in recent months, it seeks to soften the financial toll companies can face in the fallout from an attack. However, delivering the insurance is another matter, as data with which to evaluate the threat landscape is thin on the ground.

Senior Cybersecurity Strategist at the US DHS Tom Finan comments: “Perhaps unsurprisingly, companies are not publicly disclosing their own damages from cyber incidents they’re experiencing… big data about cyber incidents could be a potential treasure trove that would aid their efforts (to get insured) immensely.”

Meanwhile in the UK, HM Government in its November 2014 summit between Government departments, leading UK insurers, trade and industry representatives and GCHQ, agreed a joint statement to commit industry and government to closer working to develop the UK’s cyber insurance market. They also recognised the role insurers can play in driving improvements in cyber security risk management.  The cyber insurance market report will be supplied to the Cabinet Office in April 2015.  In the meantime, practical measures for businesses to undertake include:

• Detailed insurance gap analysis
• Network security survey
• Security policy review and development
• Cyber risk identification and quantification exercise
• Risk financing optimisation.

Plus, evaluation by experts on internet and network exposures, including:

• Liability: privacy and confidentiality
• Copyright, trademark, defamation
• Malicious code and viruses
• Business interruption: network outages, computer failures
• Attacks, unauthorised access, theft, website defacement and cyber extortion
• Technology errors and omissions
• Intellectual property infringement.

Clearly, Finan adds, “CISOs need to be a central part of any business risk management discussion going forwards. And until they do so, businesses will miss out on otherwise more extensive cybersecurity insurance offerings than would otherwise be available to them.”


World Economic Forum publishes cyber threat risk framework

The World Economic Forum (WEF), in collaboration with Deloitte, recently launched a new framework based on resiliency to help companies calculate the risk of cyber attacks. The risk calculation involves three components:

• An assessment of a company’s vulnerabilities and defences
• The potential cost of data breaches and
• A profile of the attacker

Understanding the risk vs cost is still very difficult even amongst expert voices.  However, it should force Boards globally to sit up and work through the problem, identifying risk areas within their organisation as they try to get inside the mind of a potential attacker.

The lack of historical data required to estimate the probability of attacks from particular types of attackers in particular industry sectors is a stumbling block. However, if, as the WEF have proposed, businesses globally start to openly share information about cyberthreats, instead of burying their shame, all businesses will gain.  Mass learning will ensure companies start to deploy better strategies, policies and more resilient tactics including education, training and staff awareness which can only be a good thing.

Amicus ITS is part of the new Government led UK IT Cyber Security Forum.  Any enterprise seeking advice about major infrastructure security concerns is invited to contact JP Norman or one of the Sales team on 02380 429429.

Samsung and Blackberry team up for new secure tablet

Blackberry has announced a new tablet called SecuTABLET for the public sector and government use.

The SecuTABLET differs greatly from the company’s only previous tablet, the ‘Playbook’, which launched in early 2011. Unlike the Playbook which ran on Blackberry’s own OS and hardware, this new tablet runs on Android for the OS and the hardware is being provided by Samsung.

Samsung is also providing part of the security with its KNOX security layer, which separates personal and professional apps and data by giving the user two distinct modes to switch between.

The now Blackberry-owned ‘Secusmart’ is providing encryption, including an in-house built secure microSD card equipped with a range of encryption features.

Finally, IBM is providing a software wrapper for secure apps to keep the data of each app separated and protected from others apps and services.

Altogether the SecuTABLET comes with an impressive list of security features, built on top of a reliable Samsung tablet foundation, but these do come at a cost. The tablet won’t be available for general consumer purchase, and the reported retail price will be $2,380! This incredibly high price point makes the SecuTABLET very hard to recommend.

Although the list of security features is impressive, the three core security components seem to overlap in actual usage. Blackberry is going to have an uphill battle convincing organisations to go with one of its new tablets instead of, for the same price, three Samsung tablets with KNOX, or even a Microsoft Surface 3.
