Cyber attacks on SMEs – the risk of attack is VERY real

SMEs are very attractive to cyber criminals: they have poorer security and limited resources, making them easier to attack than their larger counterparts, and are often part of larger supply chains, making them an easy point of access into larger corporations’ systems.

The Department for Business, Innovation & Skills/PwC’s most recent Information Security Breaches Survey found that 74% of small businesses suffered a security incident in 2015 (up from 60% in 2014).

The impact of an attack is clear

Reputational damage is a very real concern for SMEs. According to KPMG and Be Cyber Streetwise, 89% of breached SMEs said the attack affected their reputation, damaging their ability to win new business and maintain relationships with existing clientele.

What can SMEs do to protect their reputation?

SMEs should look to the government’s Cyber Essentials scheme to protect their reputation. Cyber Essentials sets out five security controls that, according to the UK Government, could prevent ‘around 80% of cyber attacks’. These controls provide a basic level of protection from the vast majority of cyber attacks, and improve business efficiency in the process. A double win!

Certification to the scheme demonstrates that you’ve implemented these basic cyber security controls, reassuring your customers, stakeholders and staff that you have taken the precautions necessary to reduce cyber risks. It also puts you en route to obtaining cyber insurance, if you are considering taking this out.


Hacktivists unmasked over BBC website collapse on New Year’s Eve 2015

“New World Hacking” finally claimed responsibility two days into 2016 for the attack on the BBC website, which was a relatively common Distributed Denial of Service (“DDoS”) cyber attack. The high profile targeting ensured that the BBC’s news service, iPlayer online TV and radio services were down for several hours on 31st December 2015, resulting in an error message being shown instead of the BBC homepage.

A DDoS attack is where a website becomes overloaded with a surge of traffic it cannot handle, with the result that the website’s servers stop responding to requests.

The targeting of the BBC was purportedly friendly fire! The hacktivists claim to concentrate on taking down websites supporting ISIS (Daesh) or sites affiliated to the terror group, and say this exercise against the BBC was just to test the capabilities of their machines, because of the BBC’s high capacity to respond to traffic. No doubt this made the BBC feel very comforted.

Amicus ITS security specialist Mark Heather added: “This has been described as a DDoS attack but it appears to have been designed as a scoping exercise; not to attack the BBC per se, but to give the hacktivists more insight as to their efficacy. Unfortunately, there is little that companies can generally do to thwart this type of attack. But threat management can be deployed as part of a wider cyber security protection strategy”.

“Organisations can take certain preventative positive measures to thwart, circumvent or manage cyber threats. ‘Threat analysis’ can be undertaken as part of an ongoing reputation exposure exercise. Your cyber security team can look out for any ‘Dark Chat’ underground threads published on web hacktivist forums for example – and with this intelligence, then direct traffic towards a ‘honeypot’ mechanism for example” (see below)


Honeypots can be used to check content before anything is passed through the firewall, as one of an organisation’s strategic steps to beefing up their data security. As Mark comments: “Much like the weather, you cannot stop rain from happening, but you can wrap yourself up warm and get your umbrella out knowing what the forecast is likely to be”.


New US survey dispels notion that US Boards’ attitudes have changed around cyber security risks

In the United States, the 2015 US State of Cybercrime Survey appears to have reversed the findings of a number of previous surveys there over the last 12 months, showing that despite talking the talk, many US boardrooms are in denial about the importance of engaging, or engaging meaningfully, in any information security decision making process.

Out of a pool of 500 US business execs, law enforcement services, and government agencies surveyed, there were three tiers of outcomes with regard to Board alignment: “horrendous, adequate and excellent”.

Out of the bad and moderately sufficient returns:

• 28% said their security leaders make no presentations at all to the board
• 26% of Chief Information Security Officers (CISOs), or their organisation’s equivalent, said they provided an annual presentation to the Board, whilst
• 30% confirmed their security experts offered quarterly cyber security reports.

As one would expect, larger organisations appear to take a more proactive view on countering cyber threats, but this is not uniform. When looking at responses by size alone:

• 33% of smaller enterprises acknowledged there was no advice to the Board at all; however,
• 18% (or nearly one fifth) of larger enterprise CISOs reported that they too offered no advice to the Board.

This is a gross oversight by the business community that needs redressing. The IT security decision maker in any organisation today must be given the necessary tools, resources and, if needed, external security consultancy opportunities, in order to be able to best advise the Board and deploy the most appropriate up-to-date security measures.

There appears to be a real disconnect in the relationship between the Board and the CISO as these equally divided results show:

• 42% of respondents viewed cyber security as a corporate governance issue, but equally
• 42% did not see cyber security as a corporate governance issue.

Q. Following on from this then, how often should a Board be updated by their IT security experts?

A. Realistically, with today’s threats happening so much more frequently, in more sophisticated ways and more perniciously, this should be monthly at each main Board meeting. Only then can a proper relationship be formed, trust developed and a proper digest given of the state of resilience, any threats identified in the last 30 days (plus how they were dealt with and the lessons learned), and forecasts from gap risk analysis to identify what, if any, additional security measures or software are reasonably required.

Jay Leek, CISO and Senior Vice President at global investment and advisory firm Blackstone, added: “I’m telling (the Boards) that it’s not possible to stop everything and that some threats are going to get in, and why it’s so important to be able to respond effectively. It’s very important just to get boards to understand that”. Let’s just hope for a ripple effect across the international business community.


Microsoft Rolling Out ‘Advanced Threat Analytics’

Following Microsoft’s acquisition of enterprise security firm Aorato in November 2014, it is using their technology to launch Advanced Threat Analytics (ATA), a new cyber security service available to customers from August 2015. This on-premise product seeks to identify advanced persistent threats BEFORE they can cause damage.

For Brad Anderson, corporate VP of Enterprise Client & Mobility at Microsoft, traditional IT security monitoring solutions have become less effective: once a breach is discovered, identifying the intruder takes too long because of the arduous sifting through the sheer mass of data in an inbox or console. In Anderson’s view:

• Compromised identity is the No.1 cause of breaches at organisations worldwide.
• BYOD is a root cause of many security problems, as an employee’s own device is often not covered by the same protective software and governance as corporate devices.
• Security tools are too cumbersome, with complicated reports and too many false positive results.

ATA uses identity as the fulcrum for spotting a potential attack, with machine learning and behavioural analytics to detect security threats fast. Anderson is proud of the user-friendly nature of this new on-premise toolset, which uses an “easy-to-consume, and simple-to-drill-down, social media-like feed timeline”.

With data security a dominant issue for organisations and increasingly an unavoidable subject for employees with an active CISO, having an accessible toolset is an attractive advance, but one which should be considered hand in hand with educating the workforce to identify and report cyber threats.

Organisations need to be prepared and to practise for such an event, so that employees can gain a greater understanding of the commercial fallout, and to ensure that personal responsibility is not abrogated, allowing a cyber attack to happen.


This week’s technology news from Amicus ITS – Friday 12th July 2013

GCHQ Monitoring Increased Infrastructure Cyber Threats
GCHQ has thrown up a warning flag to highlight the potential threats from cyber attack to the UK’s national infrastructure. A suspected incident relating to the electrical grid prior to the Olympic Games in 2012 triggered the research. The report has revealed that technical reconnaissance has occurred across the UK’s infrastructure. An increased reliance on the internet by utilities makes security a national priority. In March 2013, the Government set up a Cyber Security Information Sharing Partnership to help businesses and Government share information in real time. However, when 80% of utility organisations in the UK are run by the private sector, enforcing security governance around data requires a pro-active approach and is a wake-up call for all businesses to review their data policies.

Google’s slapped wrist
The UK’s privacy watchdog, the ICO, has joined data protection authorities in several European countries in criticising Google after the internet giant’s privacy policy failed to comply with the UK Data Protection Act. UK users of Google’s services do not currently have a clear definition of how their data is collected and used across its products. Google bundled 60 privacy policies into one agreement and hoped this would absolve them from criticism. However, the lack of response from Google as to what it is using personal data for, and how long it is held, has led to various actions against them. Google faces penalties from the ICO if it does not rewrite its policy by 20 September 2013. It is important for business that this is resolved satisfactorily given the number of employees using the internet.

Huge Android security-hole discovered
Last week Bluebox Security uncovered a security flaw with Android phones and tablets, potentially affecting up to 900 million devices. An App downloaded outside the official Google Play store could modify a pre-existing system App on devices. The flaw allows that App’s special permissions to be used for malicious purposes. Google stated this week that the bug has been caught and they are urgently working with their partners to push out correct patches. The key lessons for information security governance are to stick to official App stores and keep devices up to date with the latest software updates to keep information protected.

Nokia’s 41 megapixel monster
On Thursday Nokia held their ‘Zoom Reinvented’ event where they announced the arrival of the Lumia 1020, a smartphone with a whopping 41 megapixel (MP) camera, powered by Windows Phone 8. In comparison the iPhone 5 has a camera of 8 MP and the Galaxy S4 is 13 MP. In addition to staggering image quality, the advantage of such a high megapixel count is the ability to zoom in to a picture even after the moment is captured. Such a leap over the competition in this field makes the choice simple for anyone whose top priority is the camera in a smartphone. Microsoft must be happy about the partnership they have built with Nokia, as it is exclusive flagship phones such as the Lumia 1020 that will build Windows Phone market share worldwide.


This week’s technology news from Amicus ITS – Friday 19th April 2013

UK SMBs Main Target For Cyber Threats
Symantec’s latest Threat Report shows cyber attacks rose by 42% in 2012, with the UK being the subject of 20% of all global threats. Whilst smaller businesses with weaker security systems are traditionally the initial target, these are seen merely as stepping stones for larger company breaches. BYOD trends have added to the headache, with virtualisation, mobility and cloud requiring security across all devices (32% of all mobile threats were aiming to steal information). Even if companies have not been directly attacked, their websites have been compromised, spreading malware (30% up on the previous year). We believe companies must be more proactive and create “defence in depth” security measures, as it is no longer an option to ignore this issue if they are to stave off future attacks.

Microsoft obtains its largest patent licensee with Foxconn
Microsoft will be celebrating this week with the news it has secured its largest ever patent licensee with Taiwanese phone maker Hon Hai, owners of Foxconn. Although details of the deal are currently scarce, Microsoft will be getting a flat fee per Android device produced, accounting for 40% of Smart Phones worldwide including Kindle Fire. These patents include how file names are implemented, data management and contact databases. Microsoft already extracts royalties from most big name Android manufacturers such as Samsung, LG and HTC. Adding Foxconn gives Microsoft a highly profitable new revenue stream, which is more per device than the manufacturers make on the sale of phones themselves.

Amazon takes on Google with their App Store
Amazon has announced that over the next few months it will be extending support to almost 200 countries from their app store that runs on top of Android for the Kindle Fire tablets. The Amazon Appstore for Android will support more countries than the native app store available on other Android tablets, such as Samsung and HTC. Indicating Amazon’s commitment and momentum in the mobile sector, it will drive sales of Kindle devices in countries where Google’s app store is not supported. In our opinion, it also fuels rumours of Amazon’s move to the Smart Phone sector later this year. Without the support of additional countries, the company would have trouble launching worldwide.

Sony streams in to lay claim to world’s fastest home internet
Google Fiber has been generating internet chatter with its rollout of 1Gbps internet access in America. However, Sony have announced what they claim is the ‘world’s fastest commercially-provided home internet service’, which launched in Japan this week providing 2Gbps downloads. We think Sony may be using the service to help the launch of their next-gen HD streaming service later in the year, driven by their acquisition of Gaikai. The launches of these super speed internet connections could make commercial and business thin client PCs mainstream. From our point of view, it is no coincidence that Google and Sony, who would be interested in delivering these services, are preparing the groundwork to make this a reality.

Money on a flashstick
Bitcoin, a new virtual currency, is making waves. Whilst used for buying goods and services online, its distinct feature is its anonymity and independence. Hard to regulate and with transactions tough to trace, it’s a growing honeypot for black marketeers. It’s also an interesting alternative to cash if you are in a country caught in a crisis. Largely disliked by banks and governments, it nonetheless appealed sufficiently to the Winklevoss twins, who went public this week claiming to own 1% of the internet currency worldwide ($11m). They have preserved security from hackers by keeping their digital cash on flashsticks in safe deposits in different banks. Anonymity is a big attraction; however, the risk due to wild fluctuation in bitcoin value will keep the meek at bay. We consider that if it continues to grow, it could signal a new player in the global economy. In the meantime, businesses will be more comforted by traditional forms of payment for services, rather than in kind.