Cyber attacks on SMEs – the risk of attack is VERY real

SMEs are very attractive to cyber criminals: they have poorer security and limited resources, making them easier to attack than their larger counterparts, and are often part of larger supply chains, making them an easy point of access into larger corporations’ systems.

The Department for Business, Innovation & Skills/PwC’s most recent Information Security Breaches Survey found that 74% of small businesses suffered a security incident in 2015 (up from 60% in 2014).

The impact of an attack is clear

Reputational damage is a very real concern for SMEs. According to KPMG and Be Cyber Streetwise, 89% of breached SMEs said the attack affected their reputation, damaging their ability to win new business and maintain relationships with existing clientele.

What can SMEs do to protect their reputation?

SMEs should look to the government’s Cyber Essentials scheme to protect their reputation. Cyber Essentials sets out five security controls that, according to the UK Government, could prevent ‘around 80% of cyber attacks’. These controls provide a basic level of protection from the vast majority of cyber attacks, and improve business efficiency in the process. A double win!

Certification to the scheme demonstrates that you’ve implemented these basic cyber security controls, reassuring your customers, stakeholders and staff that you have taken the precautions necessary to reduce cyber risks, as well as putting you en route to obtaining cyber insurance if you are considering taking it out.


Week’s Technology News – 27th February 2015

Boards acknowledge cyber risk on their 2015 agenda

Back in 2013, following a KPMG report that cyber leaks at FTSE 350 firms were putting the UK’s economic growth and national security at risk, the heads of UK intelligence agencies MI5 and GCHQ asked leading businesses to take part in a Cyber Governance Health Check. The results were a stark wake-up call.

As we reported in our blog on 19th December, Board engagement is pivotal to the success of any cyber security plan and to thwarting the eye-popping 80% of preventable attacks in 2014.

The 2015 Cyber Governance Health Check has just been published and reveals that 88% of companies are including cyber risk on their Risk Register, with 58%+ anticipating an increased risk over the next 12 months. However, only 21% say their boards get comprehensive information and only 17% regard themselves as having a full understanding of the risks. This is clearly insufficient in the light of the continuing squeeze on data security and compliance measures.

You do not have to be a FTSE 350 company to want continued trust from clients and the comfort of having up-to-date data security measures. So wake up and smell the budding roses of 2015 and do your own health check review now:

  • Re-evaluate what the unique crown jewels of your organisation are (key information and data assets), as they may have changed in the last 12 months.
  • Review risk from any 3rd party suppliers and avoid contractual complacency – get into active compliance.
  • Be pro-active about risk and create a competitive advantage over rivals.
  • Arrange for a ‘pen test’ and get in shape to be security fit for purpose in 2015.



Windows Server 2003 is dying – but Windows Server 2012 will offer an elixir

With the forthcoming end of life for Windows Server 2003 and cessation of support from Microsoft on 15th July 2015, the effect will be severe for the many businesses still running this server in their data centre, leaving them exposed to cyber attack unless considered steps are taken now to plan for an upgrade.

Microsoft’s own survey recently confirmed that there were 22 million ‘instances’ (database environments) with WS2003 still running.

Organisations clearly need to plan their migration strategy – and quickly – if they are going to protect their infrastructure. End of support means no patches, no safe haven and no compliance. Any company continuing to run WS2003 beyond July will fail regulatory compliance audits, which could result in losing commercial contracts. So delays are not only expensive but highly risky.

The advances in the data centre with Windows Server 2012 R2 offer integrated virtualisation of compute, storage and networking along with enterprise-class scalability and security. The Cloud options of Microsoft Azure and Office 365 will deliver applications faster and increase productivity and flexibility – and take away risk.

Security implications

  • Software and hardware compatibility – If you are running a mixture of physical and virtualised servers, then priority should go to addressing physical assets, as most WS2003 licences are tied to the physical hardware.
  • Compliance against many industry requirements has moved from a best practice ‘good to have’ to a mandatory requirement, so there is no option.
  • Payment Card Industry Data Security Standard (PCI DSS) v2, v3 – you will be unable to provide adequate assurance levels to meet the requirements of PCI DSS.
  • UK Government – connecting to the Public Services Network (PSN), whether through an assured connection or via an Inter Provider Encryption Domain (IPED), will be a headache if updates cannot be supported securely.
  • Industry standards such as ISO 27001:2013 and the Cloud Security Alliance all require you to ensure your systems and applications are up to date.
  • Disaster Recovery and Resilience – How do you re-start servers that are no longer supported? If DR is key to your business then migrating is a necessity and will be fairly expensive.
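Before any of the planning below can start you need to know how many WS2003 hosts you actually have, and which of them are physical (the ones whose licences are tied to the hardware and so should be migrated first). The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed and that the account running it has WMI/DCOM access to the servers.

```powershell
# Inventory remaining Windows Server 2003 hosts from Active Directory and flag
# each one as physical or virtual so physical boxes can be prioritised for migration.
# Assumes: ActiveDirectory module (RSAT) and WMI/DCOM access to the servers.
Import-Module ActiveDirectory

function Get-WS2003Inventory {
    # Every enabled computer object whose OS attribute reports Server 2003 (any edition, incl. R2)
    $hosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows Server 2003*" -and Enabled -eq $true' `
                            -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate

    foreach ($h in $hosts) {
        $platform = "unknown (unreachable)"
        try {
            # WS2003 has no WinRM by default, so use classic DCOM-based WMI rather than CIM over WSMan
            $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $h.DNSHostName -ErrorAction Stop
            # Hypervisors advertise themselves in Manufacturer/Model
            # (e.g. "VMware, Inc." / "VMware Virtual Platform", Hyper-V reports Model "Virtual Machine")
            if ($cs.Manufacturer -match "VMware|Xen|QEMU|innotek" -or $cs.Model -match "Virtual") {
                $platform = "virtual"
            } else {
                $platform = "physical"
            }
        } catch { }

        [PSCustomObject]@{
            Name        = $h.Name
            OS          = $h.OperatingSystem
            ServicePack = $h.OperatingSystemServicePack
            LastLogon   = $h.LastLogonDate
            Platform    = $platform
        }
    }
}

# Physical hosts first; within each group the stalest logon first, since a box nobody has
# logged on to for months is often a forgotten one that still needs decommissioning.
Get-WS2003Inventory |
    Sort-Object @{ Expression = { $_.Platform -eq "physical" }; Descending = $true }, LastLogon |
    Format-Table -AutoSize
```

Pipe the result to Export-Csv instead of Format-Table to feed it into the risk register mentioned in the planning list below.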

Planning to move

  • Integrate your servers and their lifecycle into your strategy and risk management process.
  • Check what the servers do for you and carry out a data mapping, flow and services exercise.
  • Identify your core assets and check them against confidentiality, integrity, availability and likelihood of compromise to help future design and investment decisions.
  • Create a fit-for-purpose security architecture within your Cloud (i.e. should you need to retain legacy data which is rarely used, create security zones using layered firewalls, ingress and egress controls, file integrity and protective monitoring).
  • Test – lots – and then get a 3rd party certified security professional to conduct an ethical hack.
  • Failure to plan is planning to fail – do not let your business suffer by putting your head in the sand.


The Week’s Technology News – 12th December 2014


Have you planned IoT into your business strategy in 2015?
Increasingly it is now possible to connect any powered device to a network. The Internet of Things (IoT) is an enormous technical development to comprehend, let alone incorporate. However, from a business point of view, the real value in IoT will not just be in the connection of ‘things’, but in the opportunity (if done properly) to manage the data and bring the customer’s needs into focus, alongside the product or services on offer. This suddenly makes it a transformative technology applied through hardware and software, and becomes highly interesting commercially.

Cisco’s Internet Business Solutions Group estimates that next year there will be around 25 billion connected devices, which will double to 50 billion by 2020, and Gartner recently suggested that IoT is peaking now in its ‘Hype Cycle’ of expectation around the subject.

If intelligent services are built on the insights gathered from collated and interrogated data, this has the potential to radically improve customer experience and deliver cost savings in the long run through prompt performance and increased trust and access (given the right security procedures and policies), and to bond an existing relationship more strongly between provider and customer.

Seen in practical terms, an IoT print-enabled supplier could remotely monitor their customer’s ink levels to advise on re-supply, simultaneously run diagnostics for updates or repairs needed and advise, upsell improved models matching day-to-day needs, and immediately have higher-level feedback on how the customer is physically using the equipment in real time.

From an MSP perspective, applying three simple concepts, ‘connecting’, ‘managing’ and ‘engaging’, will create a proactive environment and a more bonded relationship, attractive because of the intelligent assistance given. To get there you have to have an agile infrastructure providing quick, simple and secure connections. Some businesses worry about how to build the infrastructure to connect their devices. There are admittedly many aspects to consider, i.e. storage; messaging and routing protocols; security; directories; analysis; automation; and APIs, to name a few.

According to a recent global KPMG survey of technology business leaders, 20% of businesses find the concept of implementing IoT too complex when looked at from the outside without expert help. However, by utilising ready-built networks offering fast, secure and scalable connections, alongside a range of tools provided as a Platform as a Service (PaaS), businesses can concentrate their efforts on creating innovative connected products. Now that sounds like a plan!


Sony hacked again – one week later

Last week Sony Pictures Entertainment was hit by a huge cyber-attack, leaking unreleased films and 47,000 personal records.

Since then even more data has been leaked, including confidential e-mails between Sony Pictures Chair Amy Pascal and well-known Hollywood film producer Scott Rudin. The e-mails in question mock Barack Obama in an exchange of racist messages, with Pascal asking Rudin what she should ask Obama at an upcoming event. Pascal has since apologised: “Although this was a private communication that was stolen, I accept full responsibility for what I wrote and apologize to everyone who was offended.”

This week a new attack aimed at Sony’s PSN (PlayStation Network) took the service down on Monday. The attack came in the form of a distributed denial-of-service (DDoS) attack. Although it came hot on the heels of the Sony Pictures attack, it did not come from the same source. The PSN attack came from a group called Lizard Squad, who boasted about the attack on their Twitter account.

With fresh information still leaking, including plans for unannounced films, Sony may be playing damage control for some time. These events only highlight the need for stringent malware protection and tightened defences against ever-increasing DDoS attacks, as well as perhaps a pertinent reminder to staff about the appropriate use of email content, which in this case could have saved several blushes.


Data breach red flags for 2015
Global information services company Experian have published their Second Annual Data Breach Industry Forecast for 2015 after reviewing cyber attacks on 3,000 organisations. In their report, Experian details a change of attitude amongst business leaders when it comes to cybersecurity. This will affect organisations and regulators in the year ahead.

Not only are reputation, security and trust critically at stake, but consumers are demanding more communication and remedies to restore the status quo, while ‘data fatigue’ sets in: individuals expect a resolution yet are apathetic about taking more vigilant steps themselves. With almost 50% of businesses having suffered at least one data breach in 2014, the need to increase investment in security technologies, policy planning and guidelines around this is paramount, and accountability goes right to the top of the Board. A company without a data breach response plan could now be the first to fall victim to unscrupulous criminal targeting.

New trends anticipated for 2015 include:
• New payment technology
• The continued rapid expansion of Cloud and e-commerce
• The consistently high value of healthcare data on the blackmarket
• Employees as one of biggest threats
• Internet of Things (IoT)

1. Payment technology   The deadline for retailers to adopt EMV (Chip and PIN) credit card technology is October 2015 if they want to accept Visa or MasterCard payments. As a result, breaches may increase as the window for hackers closes.

2. Cloud technology   With the increased adoption of Cloud technology, businesses can do much to ensure they protect their own and their customers’ data, as the value of consumer online credentials continues to grow. A great starting point is to take extra steps to safeguard passwords, as hackers will be seeking to target progressively more Cloud data as the volume of data companies hold in the Cloud grows exponentially. This requires the capability and measures to reset passwords on an enormous scale and to communicate with affected users, maintaining transparency as part of maintaining trust in the relationship.

3. Healthcare data   In the US, the increased number of access points to Protected Health Information (PHI), sensitive data in electronic medical records and the increasing popularity of wearable technology make the entire healthcare industry vulnerable and attractive to cybercriminals. On top of this, the FBI reportedly sent a private notice in 2014 to the healthcare industry that its cyber security systems were lax compared to other sectors. Given the budget constraints facing the healthcare sector in the UK, and how many organisations have legacy IT infrastructures under constant downward pressure on budgets, it would be remarkable to avoid breaches entirely.

4. Human error   One of the least reported issues is the impact of employee breaches, whether through human error or malicious endeavour. They remain the leading cause of breaches, accounting for 59% of reported cases, and companies should therefore take the necessary steps to have policies in place to prevent or minimise any impact.

5. Internet of Things   With the expansion of the Internet of Things, businesses will be seeking to benefit from reviewing data to optimise performance and their response to consumerisation. With more devices being created with Wi-Fi capabilities and sensors, everyday items such as car keys, alarm systems or wearable devices will relay confidential information over the Internet and communicate with each other. Cyber attacks will therefore likely increase via data accessed from third-party vendors.

Takeaway – so, what action is required?  There will be an expectation for Board members to have a better understanding of their organisation’s data breach response plan and a comprehension of new technologies and security protocols in the workplace, along with a clearly defined chain of response should such a breach occur. Currently less than 17% of Board executives surveyed knew if their organisation had suffered a breach in the previous 12 months. Alongside this should be security awareness training for employees, as legal and regulatory scrutiny is anticipated to increase in 2015.
