
Brian Pennington

A blog about Cyber Security & Compliance

More fines next year for nuisance call companies

Companies making nuisance calls have been warned to expect more fines in 2016.

The ICO imposed more than a million pounds worth of penalties for nuisance calls and text messages in 2015, with the same amount in the pipeline for early 2016.

The fines included:

  • £295,000 of fines for companies offering call blocking or nuisance call prevention services
  • An £80,000 fine to a PPI claims firm that sent 1.3 million text messages
  • A £200,000 fine to a solar panels company that made six million nuisance calls
  • A £130,000 fine to a pharmacy company that was selling customer details to postal marketing companies

Total fines related to nuisance marketing in 2015:

  • £400,000 fines for nuisance texts (Help Direct UK Ltd; Oxygen Ltd; UKMS Money Solutions Ltd)
  • £575,000 fines for nuisance calls (Direct Assist Ltd; Point One Marketing Ltd; Cold Call Elimination Ltd; Home Energy & Lifestyle Management Ltd (HELM); Nuisance Call Blocker Ltd; Telecom Protection Service Ltd)
  • £130,000 fine for selling customer records for marketing (Pharmacy 2U Ltd)
  • £30,000 fine for sending marketing email (Telegraph Media Group Ltd)

Total: £1,135,000. 

Andy Curry, ICO Enforcement Group Manager, said:

“Nuisance marketing calls frustrate people. The law is clear around what is allowed, and we’ve been clear that we will fine companies who don’t follow the law. That will continue in 2016. We’ve got 90 ongoing investigations, and a million pounds worth of fines in the pipeline.”

The ICO received around 170,000 concerns in 2015 from people who’ve received nuisance calls and texts, a similar number to the previous year (2014: 175,330). PPI claims prompted the most complaints, followed by accident claims. Areas identified as emerging sectors for nuisance calls and texts included call blocking services, oven cleaning services and industrial hearing injury claims.

The following examples of complaints show the level of distress that such calls can cause:

Telecom Protection Service:

“I was recovering from major surgery at the time and the call caused me distress. The caller was very smooth talking and did not make it clear that he was selling a commercial service that was nothing to do with the TPS. The call was frankly misleading.”

HELM:

“I am receiving daily updates regarding a friend in hospital, and am expecting the worst. When these calls come in I expect it to be from the hospital.”

Cold Call Elimination:

“This company has ‘conned’ my mother out of £84.99 for an unnecessary service … my parents are 87 and 86 respectively; my father is suffering from dementia.”

“I am looking after my elderly mother who has terminal cancer. She initially answered and I could see I needed to intervene as I could hear the sales guy not giving up. I took the phone and asked him who he was and what he wanted. He got quite annoyed that I had intervened and I told him we were not interested.”

Point One Marketing:

“Very upset and angry that my mum, who has dementia, was talked into giving credit card details when it would have been obvious to the caller that she had dementia. This caused my mum distress because I had to explain why her debit card had to be cancelled and what she had done. This has caused both of us great distress. Had I not checked her call log and … the number that had called her I would not have known it had happened at all.”

Utilities Oil Gas Risk Infograph

PCI SSC revises date for migrating off vulnerable SSL and early TLS encryption

Following significant feedback from the global PCI community and security experts, the Payment Card Industry Security Standards Council (PCI SSC) has announced a change to the date by which organizations that process payments must migrate to TLS 1.1 encryption or higher.

The original deadline date for migration, June 2016, was included in the most recent version of the PCI Data Security Standard, version 3.1 (PCI DSS 3.1), which was published in April of 2015. The new deadline date, June 2018, will be included in the next version of the PCI Data Security Standard, which is expected in 2016.

“Early market feedback told us migration to more secure encryption would be technically simple, and it was, but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks,” said Stephen Orfei, General Manager, PCI SSC. “We want merchants protected against data theft but not at the expense of turning away business, so we changed the date. The global payments ecosystem is complex, especially when you think about how much more business is done today on mobile devices around the world. If you put mobile requirements together with encryption, the SHA-1 browser upgrade and EMV in the US, that’s a lot to handle. And it means it will take some time to get everyone up to speed. We’re working very hard with representatives from every part of the ecosystem to make sure it happens before the bad guys break in.”

“Some payment security organizations service thousands of international customers, all of whom use different SSL and TLS configurations,” said Troy Leach, Chief Technology Officer, PCI SSC. “The migration date will be changed in the updated Standard next year to accommodate those companies and their clients. Other related provisions will also change to ensure all new customers are outfitted with the most secure encryption into the future. Still, we encourage all organizations to migrate as soon as possible and remain vigilant. Staying current with software patches remains an important piece of the security puzzle.”

In addition to the change of migration deadline, the PCI Security Standards Council has announced:

  • A new requirement date for payment service providers to begin offering more secure TLS 1.1 or higher encryption
  • A requirement for new implementations to be based on TLS 1.1 or higher
  • An exception to the deadline date for Payment Terminals, known as “POI” or Points of Interaction.

Merchants are encouraged to contact their payment processors and / or acquiring banks for detailed guidance on upgrading their ecommerce sites to the more secure encryption offered by TLS 1.1 or higher.
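The migration described above is in the end a server-configuration change, and the two questions a merchant actually has to answer are “does my site still accept SSLv3 or TLS 1.0?” and “how do I make it stop?”. The Python example below is added here and is not PCI SSC’s or this blog’s code. It builds a server-side SSLContext that refuses the legacy protocols, classifies a negotiated protocol name against the “TLS 1.1 or higher” rule, and probes a host to see whether a TLS 1.0 handshake still completes. Two things are assumptions rather than anything the bulletin states: the enforced minimum is TLS 1.2 (stricter than the 1.1 floor), and the host name in the usage line is a placeholder. Only the probe touches the network.

```python
"""Enforce and check the PCI DSS 'SSL and early TLS' migration.

Added example, not PCI SSC's code. The enforced minimum (TLS 1.2) and the
probe target are assumptions; see the comments.
"""
import socket
import ssl

# Protocol names as returned by SSLSocket.version(). SSLv2, SSLv3 and TLS 1.0
# are the versions PCI DSS 3.1 requires entities to stop using; TLS 1.1 is the
# floor the bulletin states.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

# Assumption: enforce TLS 1.2 rather than the 1.1 floor. A client that can speak
# TLS 1.1 but not 1.2 is rare enough that a payment page need not support it.
ENFORCED_MINIMUM = ssl.TLSVersion.TLSv1_2


def is_pci_acceptable(protocol_name: str) -> bool:
    """True if a negotiated protocol satisfies 'TLS 1.1 or higher'."""
    if protocol_name in LEGACY_PROTOCOLS:
        return False
    # Remaining TLS names are "TLSv1.1", "TLSv1.2", "TLSv1.3".
    return protocol_name.startswith("TLSv1.")


def pci_server_policy() -> ssl.SSLContext:
    """Server context that refuses every legacy handshake.

    The caller still has to load its own certificate with
    ctx.load_cert_chain(certfile, keyfile) before wrapping sockets.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ENFORCED_MINIMUM   # replaces the older OP_NO_SSLv3 | OP_NO_TLSv1 flags
    ctx.options |= ssl.OP_NO_COMPRESSION     # TLS compression leaks plaintext (CRIME-style attacks)
    return ctx


def minimum_version_name() -> str:
    """Name of the lowest protocol the policy context will negotiate."""
    return pci_server_policy().minimum_version.name


def legacy_handshake_accepted(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if `host` still completes a TLS 1.0 handshake, i.e. migration is incomplete.

    Network probe: run only against hosts you are authorised to test. Certificate
    checks are disabled on purpose because protocol support, not identity, is
    under test here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    try:
        # Newer OpenSSL builds refuse TLS 1.0 at the default security level;
        # lowering it lets the probe actually offer the legacy version.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # older or non-OpenSSL backends: proceed with their defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == "TLSv1"
    except (ssl.SSLError, OSError):
        return False  # handshake refused or host unreachable


if __name__ == "__main__":
    target = "payments.example.com"  # placeholder host, not from the original page
    print("policy minimum:", minimum_version_name())
    print("TLS 1.0 still accepted:", legacy_handshake_accepted(target))
```

If the probe returns False only because the local OpenSSL build refuses to offer TLS 1.0 at all, the result is a false negative; confirm with an independent scanner before signing off a migration.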

PCI Security Standards council announces 2016 special interest group election results

The Payment Card Industry Security Standards Council (PCI SSC) has announced the election results for its 2016 Special Interest Group (SIG) project.

Special Interest Groups are community-led initiatives that address important security challenges related to PCI Security Standards. One new Special Interest Group is selected every year, but groups may run for more than 12 months in order to complete the agreed-upon goals. 

PCI member organizations, including merchants, financial institutions, service providers and associations, voted on five proposed Special Interest Group topics submitted by their peers. The winning topic selected for 2016 was “Best Practices for Safe E-Commerce”.

The new Special Interest Group is slated to kick off in January 2016.

The Council invites PCI member organizations and assessors interested in getting involved in this SIG project to register on the PCI SSC website by 4 January 2016.  

“The community chose from among five strong proposals, so it was certainly not an easy decision,” said Jeremy King, International Director, PCI SSC. “We are encouraged by how many Participating Organizations were involved in the submission and election process this year. SIGs continue to be an excellent vehicle for putting their expertise to work to improve payment card security globally.”

 

How to Hack a Car – an infograph

How a Car Hack Attack Is Happening [Infographic]


Originally posted on Coinspeaker, here.

Are British Businesses over confident about the threat of data breaches?

Ilex International has launched its Breach Confidence Index. The Index is a benchmark survey created to monitor the level of confidence that British businesses have when it comes to security breaches. The Index shows high confidence levels:

  • 24% of IT decision makers surveyed very confident
  • 59% fairly confident that their business is protected against a data security breach

The Breach Confidence Index raises major concerns for British businesses. Businesses are not currently required to report security breaches and in many cases, may not even know that they have experienced one. The survey found that 49% said their business has not experienced a security breach. In comparison to actual statistics shared at the 2015 Cyber Symposium, there is a major gap between the perception and reality of security breaches among businesses.

According to the survey, the most common weaknesses resulting in a data breach were:

  • 22% malware vulnerabilities
  • 21% email security
  • 15% employee education
  • 12% cloud applications
  • 12% insider threats
  • 8% access control
  • 8% BYOD or mobile access
  • 6% non-compliance with current regulations

Weaknesses relating to identity and access management considerably increase as organisations expand their workforce. Some of the most common issues highlighted by large businesses include:

  • 44% insider threats
  • 42% employee education
  • 26% access control
  • 24% BYOD or mobile access

All figures in the Ilex International Breach Confidence Index, unless otherwise stated, are from YouGov Plc. Total sample size was 530 IT Decision Makers. Fieldwork was undertaken between 6th – 12th August 2015. The survey was carried out online.

Infographic (DataMotion): A Brief History of HC Data Breaches

500 European Business Leaders attend the PCI Security Standards Council Community Meeting

This week business leaders and security professionals gathered in Nice, France to discuss payment security, and especially PCI DSS and P2PE.

Jeremy King, PCI Security Standards Council International Director, said: “The new European Commission Payment Services Directive 2, along with the European Banking Authority Guidelines for Securing Internet Payments, have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon-to-be-released General Data Protection Regulation, which covers all data security, and you have a massive increase in data security, which when implemented will impact all organisations in Europe and beyond.

“These regulations will force organisations to take security seriously, and PCI provides the most complete set of data security standards available globally. Establishing good data security takes time and effort. Organisations need to know these regulations are coming and put a plan in place now for ongoing security.”

With 70% of all card fraud coming from Card-Not-Present (CNP), a figure that surpasses the previous 2008 record which was set during the EMV chip migration, it is a critical time for the industry. 

A significant amount of the conference was spent on new and developing technologies, including:

  • Cloud – Daniel Fritsche of Coalfire presented on Virtualisation and the Cloud
  • Mobile – several presentations including the Smart Payments Association
  • Point-to-Point Encryption (P2PE) – Andrew Barratt of Coalfire led a panel discussion
  • Tokenisation – A presentation by Lufthansa Systems 

Jeremy King added: “PCI is committed to helping organisations globally improve their data security. Our range of standards, and especially our supporting documents, are designed to help all companies improve and protect their data security. The annual Community Meeting is a big part of our efforts to engage with companies from all sectors, sharing and exchanging information to ensure they have the very best level of security.

“We must work together to tackle card-not-present fraud with technologies such as point-to-point encryption and tokenisation that devalue data and make it useless if stolen by criminals.”

Attendees included experts from Accor Hotels, British Telecommunications, Capita, Coalfire Systems Limited, Lufthansa, Virgin Trains, Vodat International and hundreds of others.

ICO response to ECJ ruling on personal data to US Safe Harbor

The ICO has issued a statement in response to the European Court of Justice ruling about the legal basis for the transfer of personal data to businesses that are members of the US Safe Harbor.

Deputy Commissioner David Smith said:

“Today’s ruling is clearly significant and it is important that regulators and legislators provide a considered and clear response. This ruling is about the legal basis for the transfer of personal data to businesses that are members of the US Safe Harbor. It does not mean that there is an increase in the threat to people’s personal data, but it does make clear the important obligation on organisations to protect people’s data when it leaves the UK.

“The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time to do this.

“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers. We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks.

“Concerns about the Safe Harbor are not new. That is why negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement. We understand that these negotiations are well advanced.”

Policy problems with cloud Storage revealed by survey

UK companies are placing themselves at risk of cyberattacks and data breaches as a result of rampant use of cloud storage services and unclear or non-existent corporate policies according to research released today by WinMagic Inc. The survey, conducted by CensusWide, of 1,000 office workers in organisations of 50 or more employees revealed widespread, and often unilateral employee use of cloud storage services could be leaving businesses with poor visibility of where their data is stored, placing potentially confidential data at risk.

Key Findings

  • 65% of employees don’t have or don’t know the company policy on cloud storage
  • 1 in 10 employees who use cloud storage services at least once a week have no confidence in the security of their data saved to and accessed from the cloud
  • Cloud storage use varies widely: 41% use cloud services at least once a week, whilst 42% never use these services at all
  • 1 in 20 employees who use cloud services at least once a week do so despite these services being restricted by their company
  • Of those who use cloud storage at least once a week, 35% used a company-sanctioned service and 43% were unaware of their employer’s policy on the use of these services
  • 50% of respondents use personal equipment to access work information and services at least once a week
  • 47% of employees use company-issued equipment at home at least once a week

Darin Welfare, EMEA VP at WinMagic, said: “This survey highlights the challenge businesses face when managing data security in the cloud. IT teams have had to cede a level of control as employees have greater access to services outside corporate control and this research indicates that IT must take additional steps to protect and control company data in this new technology landscape. The wide range of employee adoption of these services also means an additional layer of complexity when devising corporate policies and education programmes for the use of cloud storage services.”

Employees are increasingly accessing work documents and services outside the office, particularly among regular users of cloud storage. The survey revealed 70% of employees who use cloud storage at least once a week will also use work equipment at home at least once a week, significantly higher than the UK average of 47%.

The WinMagic survey highlights a clear disparity between employee use of cloud services and company IT policy, which suggests that businesses must increase focus on devising clearer security policies and better staff training programmes in order to minimise the risk for the business.

Darin Welfare added: “One of the key steps that any organisation can take to mitigate the risk from the widespread use of unsanctioned cloud services is to ensure that all company data is encrypted before employees have the opportunity to upload to the cloud. In the eventuality that the cloud vendor does not adequately put in place control mechanisms and procedures to ensure security across their infrastructure, sensitive and valuable corporate data is still encrypted and cannot be accessed and understood beyond those who have the right to. This approach provides the company with the assurance that the IT team is in control of the key and management of all company data before any employees turn to cloud storage services.”

“This survey should serve as a wake-up call for IT teams to focus resources on crafting the stringent security policies, and employee education programmes that will help the business stay secure. It also indicates that this is not something that is only down to employee behaviour. Businesses need better training for all staff on the potential dangers of cloud services. Businesses must catch up with the employee cloud revolution or risk potentially catastrophic data loss.”

The full press release can be found here.

Payment Card Industry issues new guidance to help organizations respond to data breaches

For any organization connected to the internet, it is not a question of if but when their business will be under attack, according to a recent cybersecurity report from Symantec, which found Canada ranked No. 4 worldwide in terms of ransomware and social media attacks last year. These increasing attacks put customer information, and especially payment data at risk for compromise.

When breaches do occur, response time continues to be a challenge. In more than one quarter of all breaches investigated worldwide in 2014 by Verizon, it took victim organizations weeks, or even months, to contain the breach. It is against this backdrop that global cybersecurity, payment technology and data forensics experts are gathering in Vancouver for the annual PCI North America Community Meeting to address the ongoing challenge of protecting consumer payment information from criminals, and new best practices on how organizations can best prepare for responding to a data breach.

A data breach now costs organizations an average total of $3.8 million. However, research shows that having an incident response team in place can create significant savings. Developed in collaboration with the Payment Card Industry (PCI) Forensic Investigators (PFI) community, Responding to a Data Breach: A How-to Guide for Incident Management provides merchants and service providers with key recommendations for being prepared to react quickly if a breach is suspected, and specifically what to do to contain damage and facilitate an effective investigation.

“The silver lining to the high profile breaches that have occurred is that there is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business-as-usual,” said PCI SSC General Manager Stephen W. Orfei. “Prevention, detection and response are always going to be the three legs of data protection. Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it.”

“This guidance is especially important given that in over 95% of breaches it is an external party that informs the compromised organization of the breach,” added PCI SSC International Director Jeremy King. “Knowing what to do, who to contact and how to manage the early stages of the breach is critical.”

At its annual North America Community Meeting in Vancouver this week, the PCI Security Standards Council will discuss these best practices in the context of today’s threat and breach landscape, along with other standards and resources the industry is developing to help businesses protect their customer payment data. Keynote speaker cybersecurity blogger Brian Krebs will provide insights into the latest attacks and breaches, while PCI Forensic Investigators and authors of the Verizon Data Breach Investigation Report and PCI Compliance Report, will present key findings from their work with breached entities globally. Canadian organizations including City of Calgary, Interac and Rogers will share regional perspectives on implementing payment security technologies and best practices. 

Download a copy of Responding to a Data Breach: A How-to Guide for Incident Management here 

The original PCI SSC press release can be found here.

Standard & Poor’s labeled holes in cybersecurity a financial risk in a report

Banks with weak cybersecurity controls could be downgraded even if they haven’t been attacked, Standard & Poor’s said Monday in a report.

While it hasn’t yet downgraded a bank based on its computer security, the ratings company said it would consider doing so if it determined the lender was ill-prepared to withstand a data breach. It would also drop a bank’s rating if an attack caused reputational harm or resulted in losses that hurt profit, S&P said.

“We view weak cybersecurity as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades,” S&P analysts led by Stuart Plesser wrote in the report.

Cyberattacks have become a growing threat for banks, with more than a dozen U.S. depository institutions reporting hacks in 2012 and 2013 that prevented consumers from accessing their websites, according to the report. Last year, the personal data of tens of millions of JPMorgan Chase & Co. customers were compromised in a breach. The bank spent $250 million on cybersecurity in 2014 and will increase that to $450 million by next year, S&P said.

Hostile nation-states, terrorist organizations, criminal groups, activists and, in some cases, company insiders are behind most of the global cyberattacks on banks, S&P said. South Korean financial institutions have experienced security breaches in recent years, while a Russian security company working with law enforcement said it uncovered a two-year, billion-dollar theft from banks around the world by a gang of cybercriminals, according to the report, which didn’t identify the lenders.

‘Continual Battle’

S&P classified the global risk of cyberattacks as “medium,” saying large banks have taken steps to mitigate the danger. Bigger institutions have an advantage over smaller ones because their revenue base can defray some expenses, according to the report.

Few banks have disclosed the amount they’re spending to guard against attacks, S&P said. Still, any cuts to technology units as part of larger cost-savings efforts would be “disconcerting.”

“Cyberdefense is a continual battle, particularly as technology evolves,” according to the report. “Many tech experts believe that if a hostile nation-state put all its resources into infiltrating a particular bank’s tech system, it would probably prove successful.”

The original article was published in Crain’s New York Business.

Mobile Payments Data Breaches will Grow

An ISACA survey of more than 900 cybersecurity experts shows that:

  • 87% expect to see an increase in mobile payment data breaches over the next 12 months
  • 42% of respondents have used this payment method in 2015

The 2015 Mobile Payment Security Study from global cybersecurity association ISACA suggests that people who use mobile payments are unlikely to be deterred by security concerns.

Other data from the survey show that cybersecurity professionals are willing to balance benefits with perceived security risks of mobile payments:

  • 23% believe that mobile payments are secure in keeping personal information safe.
  • 47% say mobile payments are not secure and 30% are unsure.
  • At 89%, cash was deemed the most secure payment method, but only 9% prefer to use it.

“Mobile payments represent the latest frontier for the ongoing choice we all make to balance security and privacy risk and convenience,” said John Pironti, CISA, CISM, CGEIT, CRISC, risk advisor with ISACA and president of IP Architects. “ISACA members, who are some of the most cyber-aware professionals in the world, are using mobile payments while simultaneously identifying and contemplating their potential security risks. This shows that fear of identity theft or a data breach is not slowing down adoption, and it shouldn’t as long as risk is properly managed and effective and appropriate security features are in place.”

Reports say that contactless in-store payment will continue to grow. Overall, the global mobile payment transaction market, including solutions offered by Apple Pay, Google Wallet, PayPal and Venmo, will be worth an estimated US $2.8 trillion by 2020, according to Future Market Insights.

ISACA survey respondents ranked the major vulnerabilities associated with mobile payments:

  1. Use of public WiFi (26%)
  2. Lost or stolen devices (21%)
  3. Phishing/smishing (phishing attacks via text messages) (18%)
  4. Weak passwords (13%)
  5. User error (7%)
  6. There are no security vulnerabilities (0.3%)

What Consumers Need to Know

According to those surveyed, currently the most effective way to make mobile payments more secure is using two ways to authenticate their identity (66%), followed by requiring a short-term authentication code (18%). Far less popular was an option that puts the onus on the consumer installing phone-based security apps (9%).


“People using mobile payments need to educate themselves so they are making informed choices. You need to know your options, choose an acceptable level of risk, and put a value on your personal information,” said Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, international president of ISACA and group director of information security for INTRALOT. “The best tactic is awareness. Embrace and educate about new services and technologies.”

Understand your level of risk: Ask yourself what level of personal information and financial loss is acceptable to balance the convenience of mobile payments.

Know your options: Understand the security options available to manage your risk to an acceptable level. Using a unique passcode should be mandatory, but also look into encryption, temporary codes that expire and using multiple ways to authenticate your identity.

Value your personal information: Be aware of what information you are sharing e.g., name, birthday, national identification number, pet name, email, phone number. These pieces of information can be used by hackers to gain access to accounts. Only provide the least amount of information necessary for each transaction.

Security Governance for Retailers and Payment Providers

In the emerging mobile payment landscape, ISACA notes that there is no generally accepted understanding of which entity is responsible for keeping mobile payments secure—the consumer, the payment provider or the retailer. One approach is for businesses to use the COBIT governance framework to involve all key stakeholders in deciding on an acceptable balance of fraud rate vs. revenue. Based on that outcome, organizations should set policies and make sure that mobile payment systems adhere to them.

Members of the IT or information security group taking part in the discussion should also ensure they are keeping up to date with the latest cybersecurity developments and credentials. A joint 2015 ISACA/RSA study shows that nearly 70% of information security/information technology professionals require certification when looking for candidates to fill open security positions.

The full ISACA Press Release can be found here.

Security and the Internet of Things – Infograph


An Infograph by ComputerScienceZone.org from here.

In cloud environments, 75% of the security risk can be attributed to just 1% of users

Cybercriminals continue to focus their efforts on what is widely considered to be the weakest link in the security chain: the user. Consequently, developing a comprehensive understanding of user behavior and the implications thereof becomes paramount to corporate security strategy.

In analysing user behavior across 10 million users, 1 billion files, and over 91,000 cloud applications, CloudLock surfaced surprising trends.

In this report, CloudLock examines cloud cybersecurity trends across three primary dimensions: users, collaboration, and applications. The Pareto Principle, the “80/20” rule, holds true across all three dimensions, revealing a truth with surprising implications for security professionals.

Key Findings

  • Users: 1% of users create 75% of cloud cybersecurity risk, signalling abnormal user behavior, whether unintentional or malicious.
  • Collaboration: While organizations on average collaborate with 865 external parties, just 25 of these account for 75% of cloud-based sharing per organization. Unexpectedly, 70% of sharing occurs with non-corporate email addresses over which security teams have little control.
  • Apps: 1% of users represent 62% of all app installs in the cloud, a high concentration. Without security awareness, this small user base introduces a high volume of risk. Additionally, 52,000 application installs are performed by highly privileged users, a number that should be zero given that privileged accounts are highly coveted by malicious cybercriminals.

4 Actionable Takeaways for a more secure cloud environment

The findings of this report show disproportionate cloud cybersecurity risk across users, collaboration, and applications. Consider the four following risk remediation strategies.

1. Focus on the User Behavior

By focusing on the riskiest subset of users, security teams can reduce risk efficiently and dramatically. Abnormal behavior by data-dense, high-risk users should be prioritised, giving the security team clear direction on what truly requires attention and resolution immediately.

2. Focus Security on Organizations You Collaborate With Most

Given that, on average, 75% of inter-organizational sharing is with 25 external organizations, focus on the frequent collaborative organizations to eliminate the bulk of risk, then address the long tail of remaining organizations.

3. Take Application Security beyond Discovery

Discovering third-party applications that reside on the network is only the tip of the iceberg. Elevate your security game beyond app discovery through enforcement capabilities, policy-driven app control, and end-user education. If users are blocked, they will find a way around.

4. Correlate Insights Across Cloud Environments

With multi-cloud intelligence, security teams can correlate security events across platforms, preventing cybercriminal exploits from slipping through the cracks. Consider an individual logging into Salesforce in San Francisco and into ServiceNow in Kuala Lumpur using the same credentials simultaneously: no single application sees anything unusual, but the pair indicates account compromise. Avoid point security solutions in favor of platforms offering multi-cloud insights across not only SaaS applications, but also IaaS, PaaS, and IDaaS environments.
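The Salesforce/ServiceNow case above is an “impossible travel” correlation: two logins by one user, from two cloud platforms, closer in time than any traveller could cover the distance between them. The Python example below is added here and is not CloudLock’s code; it merges login events from several platforms per user, sorts them by time, and flags consecutive pairs whose implied speed exceeds a threshold. The event records, their field names, the 1,000 km/h threshold and the 50 km jitter floor are constructed assumptions for illustration, not figures from the report.

```python
"""Impossible-travel detection across cloud platforms.

Added example, not CloudLock's code. Event records, field names and the
speed threshold below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumption: roughly airliner speed
MIN_DISTANCE_KM = 50.0             # assumption: ignore geo-IP jitter within a city


@dataclass(frozen=True)
class Login:
    user: str
    app: str        # which cloud platform produced the event
    ts: datetime    # UTC, naive
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: List[Login],
                      max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH
                      ) -> List[Tuple[Login, Login, float]]:
    """Return (earlier, later, implied_speed_kmh) for consecutive logins by the
    same user that would require travelling faster than max_speed_kmh.

    Events from every platform are merged per user before the comparison; that
    merge is the cross-platform correlation the text describes, and a
    per-application view would never see the pair.
    """
    by_user: Dict[str, List[Login]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    findings: List[Tuple[Login, Login, float]] = []
    for logins in by_user.values():
        logins.sort(key=lambda e: e.ts)
        for prev, cur in zip(logins, logins[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Simultaneous logins far apart give infinite speed and are flagged too.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append((prev, cur, speed))
    return findings


# Constructed sample: alice's pair mirrors the San Francisco / Kuala Lumpur
# case in the text; bob's London-to-Paris trip is plausible and must not fire.
SAMPLE_EVENTS = [
    Login("alice", "salesforce", datetime(2015, 10, 1, 9, 0), 37.77, -122.42),
    Login("bob", "salesforce", datetime(2015, 10, 1, 9, 0), 51.51, -0.13),
    Login("alice", "servicenow", datetime(2015, 10, 1, 9, 5), 3.14, 101.69),
    Login("bob", "servicenow", datetime(2015, 10, 1, 9, 30), 51.50, -0.12),
    Login("bob", "salesforce", datetime(2015, 10, 1, 12, 0), 48.86, 2.35),
]


def demo_findings() -> List[Tuple[Login, Login, float]]:
    """Run the detector over the constructed sample."""
    return impossible_travel(SAMPLE_EVENTS)


if __name__ == "__main__":
    for earlier, later, speed in demo_findings():
        print(f"{earlier.user}: {earlier.app} -> {later.app} would need {speed:,.0f} km/h")
```

In production the lat/lon would come from geo-IP lookups of the source addresses in each platform’s audit log, and the threshold should be tuned against known VPN egress points, which otherwise produce false positives.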

Internal Audit is having an ever increasing role in Cyber Security

According to a report by the Institute of Internal Auditors Research Foundation, cyber preparation at most organizations follows a classic bell curve.

Asked, for instance, how prepared their organizations would be to respond to a cyber-attack:

  • 29% of respondents said “extremely” or “very”
  • 44% said “moderately”
  • 23% said “slightly” or an ominous “not at all”

As organizations increase spending on tech tools to address cyber risks, internal auditors are advocating a holistic approach that includes policies, response planning and board involvement to develop a broader view of an organization’s cyber risks and defences.

Helped by their understanding of organization controls and risk management, internal audit can bring various functions together and help them address cyber threats more effectively, the study says.

“Boards and audit committees also must … be kept up-to-date on technologies that not only can help meet business objectives, but also may make an organization more vulnerable to attack. When properly resourced and supported, internal audit will develop the skills and perspective to provide review and assurance services in this area,” the study says.

Key Components

The report identifies five key components to cyber risk management and says internal audit can play a key role in supporting each element:

  1. Protection: Internal audit can help organizations test security controls related to bring-your-own-device (BYOD) policies, review third-party contracts for compliance with security protocols, and perform IT governance assurance services.
  2. Detection: IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) study found that five in 10 respondents use data mining and data analytics for risk and control monitoring, as well as fraud identification. The cyber preparedness study says audit executives should partner with IT and information security pros to develop and monitor key risk indicators and validate security-related controls.
  3. Business Continuity: Just as they plan for natural disasters or other corporate crises, organizations have to develop plans to serve customers and other stakeholders during cyber-attacks. Internal audit can help provide enterprise-wide perspective and provide assurance about the expected effectiveness of response plans.
  4. Crisis Communications: Similar to response plans, it’s important to keep customers, shareholders, regulators and other interested parties informed during (and immediately after) a cyber breach.
  5. Continuous Improvement: If an organization experiences a cyber-attack, internal audit can play a valuable role in helping the organization assess the effects and outline strategies and protocols to defend against the next attack.

The study also suggests corporate boards increase their ability to assess and defend against cyber risks. This may involve recruiting board and committee members with cyber-related experience or expertise, or bringing in third-party security experts to educate board members about evolving cyber threats and governance practices.

The full article can be downloaded here.

Data Breaches: Are You Prepared?

Data privacy and security continues to be a growing concern for many organizations. With cyber attacks increasing each year, businesses must be mindful of how data breaches occur in order to prevent the exposure of confidential information. Recognizing vulnerabilities in data security efforts can help minimize the effects a cyber attack may have on an organization.

Infographic: Thomson Reuters, data breaches (image not reproduced).

Original produced here by Thomson Reuters.

Cost of Phishing and Value of Employee Training

The Ponemon Institute has presented the results of its study, the Cost of Phishing and Value of Employee Training, sponsored by Wombat Security. The purpose of this research is to understand how training can reduce the financial consequences of phishing in the workplace.

Phishing

The research reveals the majority of costs caused by successful phishing attacks are the result of the loss of employee productivity. Based on the analysis described later in this report, Ponemon extrapolate an average improvement of 64% from six proof of concept training projects. This improvement represents the change in employees who fell prey to phishing scams in the workplace before and after training.

As a result of effective training provided by Wombat, Ponemon estimate a cost savings of $1.8 million or $188.4 per employee/user. If companies paid Wombat’s standard fee of $3.69 per user for a program for up to 10,000 users, Ponemon determine a very substantial net benefit of $184.7 per user, for a remarkable one-year rate of return at 50X.

To determine the cost structure of phishing, Ponemon surveyed 377 IT and IT security practitioners in organizations in the United States. 39% of respondents are from organizations with 1,000 or more employees who have access to corporate email systems.

The topics covered in this research include the following:

  • The financial consequences of phishing scams
  • The financial impact of phishing on employee productivity
  • The cost to contain malware
  • The cost of malware not contained & the likelihood it will cause a material data breach
  • The cost of business disruption due to phishing
  • The cost to contain credential compromises
  • Potential cost savings from employee training

Phishing scams are costly. Often overlooked is the potential cost to organizations when employees are victimized by phishing scams. Ponemon’s cost analysis includes the cost to contain malware, the cost of malware not contained, loss of productivity, the cost to contain credential compromises and the cost of credential compromises not contained. Based on these costs, the extrapolated total annual cost of phishing for the average-sized organization in Ponemon’s sample totals $3.77 million.

Summarized calculus on the cost of phishing (estimated cost):

  • Part 1. The cost to contain malware: $208,174
  • Part 2. The cost of malware not contained: $338,098
  • Part 3. Productivity losses from phishing: $1,819,923
  • Part 4. The cost to contain credential compromises: $381,920
  • Part 5. The cost of credential compromises not contained: $1,020,705
  • Total extrapolated cost: $3,768,820

The average total cost to contain malware annually is $1.9 million. The first step in understanding the overall cost is to analyze the six tasks involved in containing malware infections. Drawing from the empirical findings of an earlier study, Ponemon were able to derive cost estimates for six discrete tasks that companies conduct to contain malware infections in networks, enterprise systems and endpoints. The table below summarizes the hours the average-sized organization spends on each of the six tasks per year. The largest tasks involve cleaning and fixing infected systems and conducting forensic investigations.

Documentation and planning represent the smallest tasks in terms of hours spent each year.

Six tasks to contain malware infections (estimated hours per annum):

  • Planning: 910
  • Capturing intelligence: 3,806
  • Evaluating intelligence: 2,844
  • Investigating: 10,338
  • Cleaning & fixing: 11,955
  • Documenting: 671
  • Total hours: 30,524

The annual cost to contain malware is based on the hours to resolve the incident. These cost estimates are based on a fully loaded average hourly labor rate for US-based IT security practitioners of $62. As can be seen, the extrapolated total cost to contain malware is $1.89 million.

The adjusted cost of malware containment resulting from phishing scams is $208,174 per annum. The final step in determining the cost of malware containment attributable to phishing is to calculate the percentage of malware incidents unleashed by successful phishing scams.

The percentage of malware infections caused by phishing scams was based on Ponemon’s independent survey of IT security practitioners, who were asked, “What percent of all malware infections is caused by successful phishing scams?” The estimated range runs from less than 1% to more than 50%; the extrapolated average rate is 11%.

Drawing from the above analysis, Ponemon estimate the cost of malware containment as 11% of the previously calculated total cost of $1.9 million.

Cost of malware not contained

In this section, Ponemon estimate the cost of malware not contained at the device level to be $105.9 million. In other words, this cost occurs because malware evaded traditional defenses such as firewalls, anti-malware software and intrusion prevention systems. In this state Ponemon assume the malware becomes weaponized for attack.

Following are two attacks caused by weaponized malware:

  1. Data exfiltration (a.k.a. material data breach)
  2. Business disruptions

Ponemon determine a most likely cost using an expected cost framework, which is defined as:

Expected cost = Probable maximum loss (PML) × Likelihood of occurrence [over a 12-month period]

Respondents in Ponemon’s survey were asked to estimate the probable maximum loss (PML) resulting from a material data breach (i.e., exfiltration) caused by weaponized malware. Ponemon’s research shows the distribution of maximum losses ranging from less than $10 million to more than $500 million.

The extrapolated average PML resulting from data exfiltration is $105.9 million.

What is the likelihood of weaponized malware causing a material data breach? In the context of this research, a material data breach involves the loss or theft of more than 1,000 records. Respondents were asked to estimate the likelihood of this occurring. According to the research the probability distribution ranges from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.9 percent over a 12-month period.

The cost of business disruption due to phishing is $66.9 million. Respondents were asked to estimate the PML resulting from business disruptions caused by weaponized malware. Business disruptions include denial of services, damage to IT infrastructure and revenue losses. The research shows the distribution of maximum losses ranging from less than $10 million to $500 million. The extrapolated average PML resulting from data exfiltration is $66.9 million.

How likely are business disruptions due to weaponized malware? Respondents were asked to estimate the likelihood of material business disruptions caused by weaponized malware. The research shows the probability distribution ranging from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.6% over a 12-month period.

The table below shows the expected cost of malware attacks relating to data exfiltration ($2 million) and disruptions to IT and business processes ($1.1 million). The total amount of $3.1 million is adjusted for the 11% of malware attacks originating from phishing scams, which yields an estimated cost of $338,098 per annum.

Recap for the cost of malware not contained (calculus):

  • Probable maximum loss resulting from data exfiltration: $105,900,000
  • Likelihood of occurrence over the next 12 months: 1.90%
  • Expected value: $2,012,100
  • Probable maximum loss resulting from business disruptions (including denial of services, damage to IT infrastructure and revenue losses): $66,345,000
  • Likelihood of occurrence over the next 12 months: 1.60%
  • Expected value: $1,061,520
  • Total cost of malware not contained: $3,073,620
  • Percentage rate of malware infections caused by phishing scams: 11%
  • Adjusted total cost attributable to phishing scams: $338,098

Employees waste an average of 4.16 hours annually due to phishing scams. As previously discussed, the majority of costs (52%) are due to the decline in employee productivity as a result of being phished. In this section, Ponemon estimate the productivity losses associated with phishing scams experienced by employees during the workday. Drawing upon Ponemon’s survey research, Ponemon extrapolated the total hours spent each year by employees/users viewing and possibly responding to phishing emails.

The research shows the distribution of time wasted for the average employee (office worker) due to phishing scams. The range of response is less than 1 hour to more than 25 hours per employee each year.

What is the cost to respond to a credential compromise? In this section, Ponemon estimate the costs incurred by organizations to contain credential compromises that originated from a successful phishing attack, including the theft of cryptographic keys and certificates. Ponemon’s first step in this analysis is to estimate the total number of compromises expected to occur over the next 12 months. The range of responses includes zero to more than 10 incidents.

How likely will a material data breach occur if the credential compromise is not contained? Respondents were asked to estimate the likelihood of a material data breach caused by credential compromise. Ponemon’s research shows the probability distribution ranging from less than .1% to 5%. The extrapolated average likelihood of occurrence is 4% over a 12-month period.

In this section, Ponemon estimates the potential cost savings that result from employee education that provides actionable advice and raises awareness about phishing and other related topics. As a starting point to this analysis, Ponemon obtained six proof of concept studies completed for six large companies.

These reports provided detailed findings that show the phishing email click rate for employees both before and after training. Ponemon provides the actual improvements experienced by the companies, ranging from 26% to 99%. The average improvement for all six companies is 64%.

As a result of Wombat’s training on phishing, which includes mock attacks and follow-up with in-depth training, Ponemon estimate a high knowledge retention rate. Based on well-known research, training that focuses on actual practices should result in an average retention rate of approximately 75%. Applying this retention rate to the average improvement shown in the six proof of concept studies, Ponemon estimate a net long-term improvement in fighting phishing scams of 47.75%.

Proof of concept results (improvement %):

  • Company A: 99%
  • Company B: 72%
  • Company C: 54%
  • Company D: 26%
  • Company E: 62%
  • Company F: 69%
  • Average improvement: 64%
  • Expected diminished learning retention over time (1 − 75%): 25%
  • Average net improvement: 47.75%

The figures below provide a simple analysis of the potential cost savings accruing to organizations that use an effective training approach to mitigate phishing scams. As shown before, Ponemon estimate a total cost of phishing for an average-sized organization at $3.77 million.

Assuming a net improvement of 47.75%, Ponemon estimate a cost savings of $1.80 million or $188.40 per employee/user. At a fee of $3.69 per employee/user, Ponemon determine a very substantial net benefit of $184.71 per user, or a one-year rate of return of 50X.

Calculating net benefit of Wombat training on phishing (calculus):

  • Total cost of phishing: $3,768,820
  • Estimated cost savings assuming net improvement at 47.75%: $1,799,612
  • Extrapolated headcount for the average-sized organization: 9,552
  • Estimated cost savings per employee: $188.40
  • Estimated fee of Wombat training per user: $3.69
  • Estimated net benefit of Wombat training per user: $184.71
  • Estimated one-year rate of return (net benefit ÷ fee): 50X
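The cost model runs through several stages (hours × loaded rate for containment, the expected-cost framework PML × likelihood for malware not contained, the 11% phishing attribution, and finally the training savings and net benefit per user). The block below carries that calculus through in code, as an added worked example that is not Ponemon’s or Wombat’s own material; every input figure is one published in the summary above, and the three cost parts whose derivation the summary does not show in full (productivity loss, credential containment, credential compromises not contained) are taken as given. It serves both the “Cost of malware not contained” section and the net-benefit table:

```python
"""Cost-of-phishing calculus from the Ponemon/Wombat study summary, carried through in code.

Added worked example (not from Ponemon or Wombat). All inputs are the summary's
published figures; the functions reproduce the summary's tables stage by stage.
"""
from statistics import mean

# Inputs published in the summary above.
HOURLY_RATE_USD = 62.0                 # fully loaded rate, US IT security practitioner
CONTAINMENT_HOURS = {                  # "Six tasks to contain malware infections"
    "Planning": 910,
    "Capturing intelligence": 3806,
    "Evaluating intelligence": 2844,
    "Investigating": 10338,
    "Cleaning & fixing": 11955,
    "Documenting": 671,
}
PHISHING_SHARE_OF_MALWARE = 0.11       # malware infections caused by phishing
PML_EXFILTRATION_USD = 105_900_000     # probable maximum loss, data exfiltration
P_EXFILTRATION = 0.019                 # likelihood over 12 months
PML_DISRUPTION_USD = 66_345_000        # probable maximum loss, business disruption (table figure)
P_DISRUPTION = 0.016
POC_IMPROVEMENTS_PCT = [99, 72, 54, 26, 62, 69]   # six proof-of-concept results
RETENTION = 0.75                       # assumed long-term knowledge retention
HEADCOUNT = 9552                       # extrapolated headcount, average-sized organization
FEE_PER_USER_USD = 3.69
# Parts the summary states without showing the full derivation; taken as given.
PRODUCTIVITY_LOSS_USD = 1_819_923
CREDENTIAL_CONTAINMENT_USD = 381_920
CREDENTIAL_UNCONTAINED_USD = 1_020_705


def containment_cost(hours=CONTAINMENT_HOURS, rate=HOURLY_RATE_USD):
    """Annual malware-containment labour cost: total hours x loaded hourly rate."""
    return sum(hours.values()) * rate


def expected_cost(pml, likelihood):
    """Expected cost = probable maximum loss x likelihood of occurrence (12 months)."""
    return pml * likelihood


def uncontained_cost():
    """Expected cost of malware that evaded device-level defenses: exfiltration + disruption."""
    return (expected_cost(PML_EXFILTRATION_USD, P_EXFILTRATION)
            + expected_cost(PML_DISRUPTION_USD, P_DISRUPTION))


def attributable_to_phishing(cost, share=PHISHING_SHARE_OF_MALWARE):
    """Scale a malware cost down to the fraction of infections that phishing caused."""
    return cost * share


def total_phishing_cost():
    """Sum the five parts of the study's cost model (each rounded to whole dollars)."""
    parts = [
        round(attributable_to_phishing(containment_cost())),
        round(attributable_to_phishing(uncontained_cost())),
        PRODUCTIVITY_LOSS_USD,
        CREDENTIAL_CONTAINMENT_USD,
        CREDENTIAL_UNCONTAINED_USD,
    ]
    return sum(parts)


def net_improvement(improvements_pct=POC_IMPROVEMENTS_PCT, retention=RETENTION):
    """Average click-rate improvement, discounted for learning lost over time (as a fraction)."""
    return mean(improvements_pct) * retention / 100.0


def training_roi(total_cost, improvement, headcount=HEADCOUNT, fee=FEE_PER_USER_USD):
    """Return (savings, savings per user, net benefit per user, one-year rate of return)."""
    savings = total_cost * improvement
    per_user = savings / headcount
    net_benefit = per_user - fee
    return savings, per_user, net_benefit, net_benefit / fee


if __name__ == "__main__":
    total = total_phishing_cost()
    savings, per_user, net, roi = training_roi(total, net_improvement())
    print(f"total cost of phishing: ${total:,.0f}")
    print(f"savings: ${savings:,.0f}  per user: ${per_user:.2f}  "
          f"net benefit: ${net:.2f}  one-year return: {roi:.0f}X")
```

Running it reproduces the summary’s figures: $1,892,488 containment cost, $208,174 and $338,098 after the 11% attribution, $3,768,820 in total, a 47.75% net improvement (the unrounded proof-of-concept average is 63.67%, which is why 64% × 75% does not give 48%), and $188.40 saved per user against a $3.69 fee. The same functions take an organization’s own hours, rate, PML estimates and likelihoods in place of the published constants.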

UK Businesses unprepared for changes to the Data Protection Act

Crown Records Management survey of IT decision makers reveals companies are woefully unprepared for EU General Data Protection Regulation.

European politicians met on the 24th June 2015 in a bid to ratify huge changes in data protection regulation, but a survey has revealed UK businesses are woefully unprepared.

The EU General Data Protection Regulation aims to unify data protection across Europe with a single law and will be fine-tuned in Brussels at a ‘trilogue’ meeting of the EU Commission, European Parliament and the Council of the EU.

Once passed, it will bring with it huge fines (up to 100m Euros or 2% of global turnover) for companies that breach the regulation – as well as a raft of new rules about collecting, editing and processing the personal data of European citizens. Many companies will also be compelled to employ a Data Protection Officer for the first time.

Experts predict it will affect every single company that operates from within the EU, does business with companies inside the EU, stores its data in EU member countries or handles the personal data of European citizens.

A Crown Records Management Censuswide survey of IT decision makers at UK companies with more than 200 employees revealed businesses here are painfully unprepared – and one in five hasn’t even heard of the Regulation.

Results include:

  • 19.6% are totally unaware of the changes
  • 29.4% of decision makers aged 55+ know nothing about the challenges ahead
  • 25.3% will wait for the final details of the Regulation before taking any action at all
  • 52% who know about the Regulation still aren’t currently reviewing policies
  • 42.5% of decision makers in companies with a turnover of more than £500m are ‘not really concerned’ or ‘not concerned at all’ about the impact of the new structure
  • 63% have not yet appointed a Data Protection Officer, which will soon become compulsory for many companies
  • 59% have no plans in place to train staff despite the changes looming

Reproduced from Crown Records Management.

Read my 2012 review of the Proposed European Data Protection Act here 

Who breached the Data Protection Act in 2014 (UK)? Find the complete list here.

Who breached the Data Protection Act in 2013(UK)? Find the complete list here.

Who breached the Data Protection Act in 2012(UK)? Find the complete list here.

Cyber insurance: trying to quantify risks

Bloomberg Intelligence August 24, 2015

This analysis is by Bloomberg Intelligence analysts Charles Graham and Edmond Christou. It originally appeared on the Bloomberg Professional Service.

Personal data theft, cyber-attacks whet appetite for insurers

The value of personal data stored on corporate databases is rapidly increasing. For EU citizens it is set to reach 1 trillion euros ($1.4 trillion) by 2020, according to Boston Consulting Group. This is raising the need for greater protection. The increased incidence of data breaches and misuses as hackers become more sophisticated has also imposed greater regulatory requirements on businesses. Companies are seeking new products from insurers to limit the cost of interruption, reputational damage and penalties.

Companies Impacted: While cyber risk potentially affects many classes of business, there are a number of providers including AIG, Allianz, Munich Re, Swiss Re and Zurich Insurance Group, as well as specialist insurers like Beazley and Hiscox, which have developed specific cyber products.

Photographer: Craig Warga/Bloomberg

Insurers view industry as ill-prepared for risk of cyber theft

Cyber theft is top of the list of risks for which businesses are least prepared, according to Allianz’s 2015 Risk Barometer Survey. Companies need to understand the potential effect of a cyber-attack on their supply chain, the liability they could face if they can’t deliver products on time and the legal penalties if they lose customer data. While computer systems can be improved, it is impossible to make them entirely secure. This is creating opportunities for insurers.

Companies Impacted: Allianz’s 4th Risk Barometer Survey was conducted among global businesses and risk consultants, underwriters, senior managers and claims experts within Allianz in October and November 2014. Insurers offering cyber-risk cover include AIG, Allianz, Zurich, Beazley and Hiscox.

Swelling cyber-attack costs are driving wider insurance coverage

The average cost of a data breach has increased to $3.79 million, according to a study by the Ponemon Institute based on a survey of 350 companies in 11 countries. This cost has increased by 23% since 2013. The average cost for each lost or stolen record containing sensitive information rose to $154 this year from $145 in 2014. Concerns about data breaches and privacy have led to legal reforms in the U.S. and Europe, which may help drive demand for cyber-insurance.

Companies Impacted: Increasing cyber-attacks have driven insurers such as AIG, Allianz, Beazley, Hiscox and Zurich Insurance, to expand their product offerings to include first- and third-party coverage for cyber-risk.

Retailers face biggest threat from cyber theft, data breaches

Retailers face the biggest threat from data breaches, according to figures compiled by Zurich Insurance. The food and beverage industry is second in line for hackers, followed by hospitality, finance and professional services. Carphone Warehouse discovered on Aug. 5 that personal data of 2.4 million of its customers and encrypted credit card details for 90,000 clients may have been accessed in a data breach. Insurers are tailoring products to meet different industries’ cyber risks.

Companies Impacted: Insurers work with companies to identify best practices in data privacy and security to help to minimize the financial cost should a breach occur. AIG, Allianz, Beazley, Hiscox, Zurich Insurance are among the companies to have developed cyber-insurance coverage.

Die hard 4.0 cyber scenario could cost more than $1 trillion

A cyber-attack on the U.S. power grid could cost $243 billion rising to more than $1 trillion in the most extreme scenario, according to a study by Lloyd’s of London and the University of Cambridge. The report examines the insurance implications of a major cyber-attack. It depicts a scenario where hackers shut parts of the grid, plunging 15 U.S. states and Washington DC into darkness, leaving 93 million people without power. Insurers are just starting to wake up to the scale of potential losses.

Companies Impacted: Cyber-insurance risks are widely underwritten at Lloyd’s with 47 managing agents offering cover, including quoted groups Beazley, Hiscox and Novae. Lloyd’s introduced new risk codes for data and privacy breaches and cyber-related property damage in 2015.

Swiss Re joins forces with IBM to fight cyber threat

Munich Re has partnered with Hewlett-Packard and Swiss Re with IBM to develop solutions that offer clients cyber protection and provide support in the event of a security breach. IBM will assess clients’ external and internal vulnerability to cyber-attacks and offer options for mitigating these risks. IBM’s security platform provides intelligence to help organizations protect their clients’ data, applications and infrastructure.

Peer Comparison: Swiss Re’s Corporate Solutions business is one of a number of insurers offering cyber coverage. Other companies include AIG, Allianz and Zurich Insurance.
