
Brian Pennington

A blog about Cyber Security & Compliance

Author

brianfpennington

Experienced IT professional currently helping businesses achieve a range of GRC standards.

THE HISTORY AND FUTURE OF PASSWORDS – Infographic


The Infographic is from Beyond Identity

OWASP 2018 IoT Top 10 – Infographic

21 Significant 21st Century Data Breaches – Infographic

OptimumSecurity has created an infographic that is a great representation of many significant data breaches.

How Do We Stop the Widening Cybersecurity Gap? – Infographic

11 Cyber Security Questions Every Small Business Should Ask

2018 changes to PCI DSS v3.2

Several PCI DSS v3.2 requirements that are currently "best practice" become mandatory at the end of January 2018 (that's just five months from now!).

Here is a list of some of the changes that come into effect:

3.5.1: Maintain a documented description of the full cryptographic architecture, including algorithms, key strengths, key-usage and key-storage locations (service providers only)

6.4.6: Change management processes must include verification that all relevant PCI DSS requirements have been applied to new or changed systems and networks after a significant change

8.3.x: Multi-factor authentication for all non-console administrative access into the CDE (8.3.1), in addition to the existing requirement for remote access from outside the network (8.3.2). This requirement has been the subject of much discussion, and we expect many entities to require remediation.

10.8: Timely detection and reporting of failures of critical security control systems, such as firewalls, IDS/IPS, FIM, anti-virus and logging (service providers only)

11.3.4.1: Where segmentation is used, penetration testing of the segmentation controls must be performed at least every six months, as well as after any change to segmentation controls or methods (service providers only)

12.4.1: Executive management must establish responsibility for the protection of cardholder data and for a PCI DSS compliance programme (service providers only)

12.11.x: Reviews at least quarterly to confirm that personnel are following security policies and operational procedures, with the results documented (service providers only)

ICO: Warning to SMEs as firm hit by cyber attack fined £60,000

Small and medium-sized businesses are being warned to take note after a company which suffered a cyber attack was fined £60,000 by the UK Information Commissioner's Office.

An investigation by the ICO found Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked.

Sally Anne Poole, ICO enforcement manager, said:

“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.

“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

She added:

“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”

The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.

The ICO’s investigation found:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
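The first ICO finding and the SQL injection mentioned above are two sides of the same defect: a query built by pasting user input into SQL text. The following is an added example, not code from Boomerang Video or from the ICO report; the table, rows and the hypothetical login queries are constructed for illustration. It shows the vulnerable string-built query beside its parameterised replacement, and the two classic payloads, an authentication bypass and a UNION-based dump of every row, which is the kind of bulk access the 26,331-record breach describes.

```python
import sqlite3

# Constructed sample data for the demo; not a real customer table.
CUSTOMERS = [
    ("alice", "pw-alice", "alice@example.com"),
    ("bob", "pw-bob", "bob@example.com"),
    ("carol", "pw-carol", "carol@example.com"),
]

# Attacker-controlled values used below (hypothetical payloads).
BYPASS_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT username, password FROM customers -- "


def build_db():
    """In-memory SQLite database with a small, constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: the input becomes part of the SQL itself."""
    sql = (
        "SELECT username, email FROM customers "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn, username, password):
    """Placeholders: the driver passes the values separately from the SQL text,
    so a quote in the input is just data and can never close the string literal."""
    sql = "SELECT username, email FROM customers WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def compare(username, password):
    """Run the same credentials through both versions; return (vulnerable_rows, safe_rows)."""
    conn = build_db()
    return (
        login_vulnerable(conn, username, password),
        login_parameterised(conn, username, password),
    )


if __name__ == "__main__":
    # A real user logs in identically with both queries.
    print("legit:", compare("alice", "pw-alice"))
    # password = ' OR '1'='1  ->  WHERE ... AND password = '' OR '1'='1'
    # AND binds tighter than OR, so every row matches in the vulnerable query.
    print("bypass:", compare("anyone", BYPASS_PAYLOAD))
    # username = x' UNION SELECT username, password FROM customers --
    # The comment swallows the rest of the WHERE clause; the UNION returns
    # every stored password in place of the email column.
    print("dump:", compare(UNION_PAYLOAD, "irrelevant"))
```

Regular penetration testing, the control the ICO said was missing, would have found either payload in minutes; parameterised queries make both payloads return nothing, and the only remaining risk is the data you chose to keep in the table in the first place.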

Ms Poole said:

“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.

“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”

Is the North West a hub for nuisance calls?

In the last few months the North West of England appears to have become a hub of nuisance calls, with three raids undertaken on behalf of the Information Commissioner's Office.

The ICO executed two search warrants this week, one in Gatley, Greater Manchester, on Wednesday and the other in Wilmslow, Cheshire, on Thursday.

Computers and phones were seized during the searches as the ICO continues to investigate nuisance calls prompted by the theft of people’s details from car repair centres throughout the UK. The items will now be subject to forensic examination and investigation.

Mike Shaw, ICO Criminal Investigations Group Manager, said:

“This illegal trade has multiple negative effects – both on the car repair businesses targeted for their customer data and the subsequent nuisance calls made to customers. These can be extremely unsettling and distressing. 

“Our searches this week are the latest step in us tracking down the unscrupulous individuals involved in this industry. These people won’t get away with it – any person or business involved in the theft and illegal trade of personal data may find themselves subject to ICO action.”

ICO investigators are looking at how the data was stolen, who stole it and which companies subsequently called members of the public encouraging them to make compensation claims about accidents they may have been involved in.

The ongoing investigation, named Operation Pelham, started in May 2016 and has so far involved:

December 2016. A business and two homes in Macclesfield and Heald Green were searched by ICO officers. The business was linked to the making of telephone calls to numbers originating from some of the car repair centres. Computers, telephones and documents were among items seized from the residential properties.

April 2017. Homes in Macclesfield and Droylsden were searched.

Technological Change and Cyber Risk Overtake Regulation as Top Risks for Insurers

The global insurance industry’s ability to confront structural and technological changes is now the greatest risk it faces, according to a new survey of insurers and close observers of the sector.

The CSFI’s latest Insurance Banana Skins 2017 survey, conducted with support from PwC, surveyed 836 insurance practitioners and industry observers in 52 countries, to find out where they saw the greatest risks over the next 2-3 years.

Insurance Banana Skins 2017 
(2015 ranking in brackets)
1 Change management (6)
2 Cyber risk (4)
3 Technology (-)
4 Interest rates (3)
5 Investment performance (5)
6 Regulation (1)
7 Macro-economy (2)
8 Competition (-)
9 Human talent (15)
10 Guaranteed products (7)
11 Political interference (16)
12 Business practices (11)
13 Cost reduction (-)
14 Quality of management (12)
15 Quality of risk management (10)
16 Social change (20)
17 Reputation (18)
18 Product development (17)
19 Corporate governance (21)
20 Capital availability (22)
21 Complex instruments (25)
22 Brexit (-)

Change management is at the head of a cluster of operating risks which have jumped to the top of the rankings. The report raises concerns about the industry’s ability to address the formidable agenda of digitisation, new competition, consolidation and cost reduction it faces, especially because of rapidly emerging technologies which could transform insurance markets, such as driverless cars, the ‘internet of things’ and artificial intelligence.

Cyber risk follows close behind, with anxiety rising about attacks on insurers themselves as well as the costs of underwriting cyber-crime. Other major concerns include the adequacy of insurers' internal technology systems and new competition, particularly from the 'InsurTech' sector.

The next cluster of high-ranking risks, interest rates, investment performance and macro-economic risk, shows that concern about economic instability remains high. Although respondents acknowledged signs of growth, confidence in the recovery is not strong for reasons as widely dispersed as the slowdown in China, the risk of Trump-era protectionism, and populism in Europe. The risk of political interference was seen to have risen sharply. However, Britain’s exit from the EU was seen to be a minimal source of risk for insurers, particularly those without operations in the UK.

Regulatory risk, which has topped the last three editions of this survey, has fallen out of the top five this year. This is largely because recent regulatory changes are settling into business as usual (e.g. Solvency II), though the cost and complication of regulation continue to be a concern.

The report shows that the industry's ability to attract and retain human talent is a fast-rising concern, particularly to handle the digital challenge. Conversely, an area of declining risk is the governance and management of insurance companies. These were seen as high-level risks during the financial crisis but have fallen sharply since, because of both initiatives from the industry itself and regulatory pressure.

Overall, the climate for insurers is becoming more challenging, according to respondents. The 2017 Banana Skins Index, which measures the level of anxiety in the industry, is at a record high, while the industry’s preparedness to handle these risks has fallen from 2015.

David Lascelles, survey editor, said: “For the first time in six editions of this survey, operating risks pose the greatest threat to insurers. Structural and technological changes to the industry could upend traditional business models. At the same time, insurers are grappling with a very difficult economic climate, which helps explain why anxiety is at an all-time high.”

Mark Train, PwC Global Insurance Risk Leader, comments: “Both the challenges and opportunities presented by change underline the vital importance of being clear about where you’re best able to add value, and then being ruthless in targeting investment and management time at these priorities. A key part of this ‘fit for growth’ strategy is differentiating the capabilities needed to fuel growth, ‘good costs’ targeted for investment, from low-performing business and inefficient operations, ‘bad costs’ targeted for overhaul or elimination.”
