Brian Pennington

A blog about Cyber Security & Compliance

Cyber insurance: trying to quantify risks

Bloomberg Intelligence August 24, 2015

This analysis is by Bloomberg Intelligence analysts Charles Graham and Edmond Christou. It originally appeared on the Bloomberg Professional Service.

Personal data theft, cyber-attacks whet appetite for insurers

The value of personal data stored on corporate databases is rapidly increasing. For EU citizens it is set to reach 1 trillion euros ($1.4 trillion) by 2020, according to Boston Consulting Group. This is raising the need for greater protection. The increased incidence of data breaches and misuses as hackers become more sophisticated has also imposed greater regulatory requirements on businesses. Companies are seeking new products from insurers to limit the cost of interruption, reputational damage and penalties.

Companies Impacted: While cyber risk potentially affects many classes of business, there are a number of providers including AIG, Allianz, Munich Re, Swiss Re and Zurich Insurance Group, as well as specialist insurers like Beazley and Hiscox, which have developed specific cyber products.

Insurers view industry as ill-prepared for risk of cyber theft

Cyber theft is top of the list of risks for which businesses are least prepared, according to Allianz’s 2015 Risk Barometer Survey. Companies need to understand the potential effect of a cyber-attack on their supply chain, the liability they could face if they can’t deliver products on time and the legal penalties if they lose customer data. While computer systems can be improved, it is impossible to make them entirely secure. This is creating opportunities for insurers.

Companies Impacted: Allianz’s 4th Risk Barometer Survey was conducted among global businesses and risk consultants, underwriters, senior managers and claims experts within Allianz in October and November 2014. Insurers offering cyber-risk cover include AIG, Allianz, Zurich, Beazley and Hiscox.

Swelling cyber-attack costs are driving wider insurance coverage

The average cost of a data breach has increased to $3.79 million, according to a study by the Ponemon Institute based on a survey of 350 companies in 11 countries. This cost has increased by 23% since 2013. The average cost for each lost or stolen record containing sensitive information rose to $154 this year from $145 in 2014. Concerns about data breaches and privacy have led to legal reforms in the U.S. and Europe, which may help drive demand for cyber-insurance.

Companies Impacted: Increasing cyber-attacks have driven insurers such as AIG, Allianz, Beazley, Hiscox and Zurich Insurance, to expand their product offerings to include first- and third-party coverage for cyber-risk.

Retailers face biggest threat from cyber theft, data breaches

Retailers face the biggest threat from data breaches, according to figures compiled by Zurich Insurance. The food and beverage industry is second in line for hackers followed by hospitality, finance and professional services. Carphone Warehouse discovered on Aug. 5 that personal data of 2.4 million of its customers and encrypted credit card details for 90,000 clients may have been accessed in a data breach. Insurers are tailoring products to meet different industries’ cyber risks.

Companies Impacted: Insurers work with companies to identify best practices in data privacy and security to help to minimize the financial cost should a breach occur. AIG, Allianz, Beazley, Hiscox, Zurich Insurance are among the companies to have developed cyber-insurance coverage.

Die Hard 4.0 cyber scenario could cost more than $1 trillion

A cyber-attack on the U.S. power grid could cost $243 billion rising to more than $1 trillion in the most extreme scenario, according to a study by Lloyd’s of London and the University of Cambridge. The report examines the insurance implications of a major cyber-attack. It depicts a scenario where hackers shut parts of the grid, plunging 15 U.S. states and Washington DC into darkness, leaving 93 million people without power. Insurers are just starting to wake up to the scale of potential losses.

Companies Impacted: Cyber-insurance risks are widely underwritten at Lloyd’s with 47 managing agents offering cover, including quoted groups Beazley, Hiscox and Novae. Lloyd’s introduced new risk codes for data and privacy breaches and cyber-related property damage in 2015.

Swiss Re joins forces with IBM to fight cyber threat

Munich Re has partnered with Hewlett-Packard and Swiss Re with IBM to develop solutions that offer clients cyber protection and provide support in the event of a security breach. IBM will assess clients’ external and internal vulnerability to cyber-attacks and offer options for mitigating these risks. IBM’s security platform provides intelligence to help organizations protect their clients’ data, applications and infrastructure.

Peer Comparison: Swiss Re’s Corporate Solutions business is one of a number of insurers offering cyber coverage. Other companies include AIG, Allianz and Zurich Insurance.

Personal data in leaked datasets is still personal data – ICO

By Simon Rice, Group Manager for Technology at the Information Commissioner’s Office (ICO).

They say ‘no publicity is bad publicity’, but after spending most of the week trending on Twitter, I wonder if the users of the Ashley Madison site might disagree.

Having already prompted a flurry of news stories when the online attack of the Ashley Madison servers was first revealed, this week we’ve seen another wave of coverage as the personal data was published online.

Wherever your sympathies might lie in relation to the people identified in the published data set, the fact remains that such details are personal information, with certain protections in law.

Like many online attacks, the data protection response is international. In this case, we’re liaising with our counterparts in Canada, where the company is based.

But with cases like this, there is still a domestic aspect to consider.

Anyone in the UK who might download, collect or otherwise process the leaked data needs to be aware they could be taking on data protection responsibilities defined in the UK’s Data Protection Act.

Similarly, seeking to identify an individual from a leaked dataset will be an intrusion into their private life and could also lead to a breach of the DPA.

Individuals will have a range of personal reasons for having created an account with particular online services (or even had an account created without their knowledge) and any publication of further personal data without their consent can cause them significant damage or distress.

It’s worth noting too that any individual or organisation seeking to rely on the journalism exemption should be reminded that this is not a blanket exemption to the DPA and be encouraged to read our detailed guide on how the DPA applies to journalism.

This is not the first time an online service has suffered such an attack and unfortunately it’s unlikely to be the last. But it’s important people don’t assume that the law and the protections it affords to UK individuals don’t apply online.

Have your details been published in a dataset?

If you find your personal data being published online then you have a right to go to that publisher and request that the information is removed. This applies equally to information being shared on social media. If the publisher is based in the UK and fails to remove your information you can complain to the ICO.

64% of Organizations are Potential Targets for Nation-State Cyberattacks

According to a recent survey conducted at this year’s Black Hat USA security conference, nearly two-thirds of organizations are potential targets for nation-state cyberattacks.

The survey conducted by Tripwire, which includes responses from 215 conference attendees, also found that 86% of those questioned have seen an increase in these targeted attacks directed at their network over the last year.

Even more alarming, however, was that despite the noticeable increase in attacks, less than half of the respondents (47%) said confidence in their organizations’ ability to detect and respond to a cyberattack grew in the last 12 months.

“Organizations know they are being actively targeted and that their current capabilities aren’t enough to consistently detect and defend against these attacks,” said Tim Erlin, director of IT security and risk strategy for Tripwire.

“While new defensive technologies are constantly being developed, organizations are hard-pressed to deploy these new tools effectively,” he said.

Erlin noted that in many cases, these organizations would do well to evaluate their investment in foundational security controls.

Additional findings from the Black Hat USA 2015 survey include:

  • 64% of respondents said targeted attacks against their networks have increased over the last year by 20% or more.
  • 53% of respondents said they do not have the visibility necessary for accurate tracking of all the threats targeting their networks.
  • 41% of respondents said they have seen a significant increase in the number of successful cyberattacks in the last 12 months.

Cybersecurity: The Looming And Growing Threat

Corporate legal spending on cybersecurity issues hit $1 billion last year, according to the BTI Legal Spending Outlook. It’s easy to see where this money is going: By 2018, more than 50% of organizations will use outsourced providers for security, Gartner predicts.

Here are seven trends expected to impact CIOs, law firms, and their clients in the year ahead:

1. Banking on IT and law firms vulnerability

In the wake of last year’s cyberattack that affected 80 million J.P. Morgan Chase customers, several banks asked their law firms to implement stronger security measures. Today, several banks and major U.S. law firms are collaborating to create a formal group by year end where they can share best practices with each other and government agencies.

“Law firms increasingly are seen as potential weak links,” the Wall Street Journal reported. “Clients often entrust them with everything from valuable trade secrets to market-moving details on mergers and acquisitions.”

2. Data breaches growing more common

More than one-quarter (27%) of chief legal officers reported a data breach within the past 24 months, according to the Association of Corporate Counsel’s recently released 2015 CLO Survey. Healthcare CLOs were most vulnerable: almost half reported a breach in the last two years, compared with approximately one-fourth among CLOs in other lines of business, the report found.

3. Changing Regulatory Landscape

This year, the European Union is expected to unroll more stringent disclosure and liability requirements that it will start enforcing in 2016. This could lead to a business boom for law firms, and will likely also necessitate educational outreach: 77% of European companies surveyed by security developer Sophos did not know whether or not they were compliant with current standards.

Across the pond, President Barack Obama also has called for changes to the Computer Fraud and Abuse Act, the federal anti-hacking statute.

4. Crashing Mobile

Today, 96% of lawyers at firms with 100 or more attorneys use a smartphone, according to the American Bar Association’s annual Legal Technology Survey. And 49% of all lawyers surveyed use a tablet, the report found.

This makes attorneys vulnerable to a growing number of viruses, spam, and attacks specifically targeting mobile devices. If unprotected by even a basic password or biometric safeguard, lost devices leave a firm vulnerable to stolen data. Across industries, only 54% of respondents implemented a mobile security strategy in 2014 compared with 42% the prior year, a PricewaterhouseCoopers study reported. In addition, 47% now use mobile device management (MDM) or mobile application management (MAM), versus 39% in 2014, PwC said.

Across all industries, 46% of IT decision makers plan to increase security spending for mobile this year, Ernst & Young determined.

Advances in wearables and future decisions in how and whether healthcare can incorporate data from devices such as fitness monitors will further complicate mobile security for firms involved in these areas and the CIOs who support them.

5. Insurance at a Premium

Organizations increasingly invest in cybersecurity insurance, to lessen the potential impact of a breach, network damage, or business interruption. Once offered by only a handful of specialized firms, these plans now are available from a wide array of insurers.

To attain cybersecurity insurance, organizations typically must undergo audits and other processes to assure the insurer of the firm’s viability. CIOs, in partnership with governance, risk-mitigation, or the COO, are then assured both of the caliber of the firm’s existing security set-up and of financial coverage should the unwanted occur. Cybersecurity insurers include: AIG; Chubb Group of Insurance Companies; Marsh USA; Philadelphia Insurance Companies, and Travelers Indemnity Co., among many.

6. Ignore Social Niceties

Many law firms hire outside experts to conduct vulnerability assessments and craft strategies to combat Many experts advise staff to frequently reset passwords that contain symbols, capital letters, and numbers. And best practices must address common phishing scams, especially those targeting corporate or client contact information or employee data. Fake apps, fraudulent social media contacts, and hackers masquerading as maintenance staff are all favorite guises for social engineers.

7. All for One, One for All

Security is not exclusively the CIO or CSO’s responsibility. Rather, security must be woven throughout a law firm so every employee, partner, and attorney cares and acts with security in mind. Communication between departments to ensure security procedures are effective but not onerous helps develop a security-conscious environment.

Frequent reminders, via screensavers, automated systems, brief self-paced videos, or occasional webinars, remind everyone about security measures. Quickly responding to users’ needs to avoid rogue setups further eliminates vulnerable areas.

5 steps to respond to a security breach

Is your organisation equipped to deal with potential financial and reputational damage following an attack? 

Has your organisation established an incident management plan that covers data breaches? Recent evidence shows that organisations are ill-equipped to deal with an attack.

Australian bulk deals website, Catch of the Day, suffered a security breach in 2011, with passwords and other user information stolen from the company’s databases. It took until 2014 to notify customers, suggesting there was no response plan in place.

The backlash was very severe for global retail giant, Target, which fell victim to the second largest credit card heist in history. Many customers were outraged about the retailer’s inability to provide information after the breach, and its failure to assure customers that the issue was resolved.

Consequences included settlement payouts of up to $10 million and the resignations of its CIO and CEO.

Organisations should have established and tested incident management plans to respond to data security breaches sooner rather than later. A solid response plan and adherence to these steps can spare much unnecessary business and associated reputational harm.

Here’s a five-step plan to ensure you give your organisation the best chance of minimising financial and reputational damage following an attack.

Step 1: Don’t panic, assemble a taskforce

Clear thinking and swift action are required to mitigate the damage. There is no time for blame-shifting. You need a clear, pre-determined response protocol in place to help people focus in what can be a high-pressure situation, and your incident management plan should follow this protocol.

Having the right team on the job is critical. Bear these factors in mind when assembling your team: Appoint one leader who will have overall responsibility for responding to the breach. Obvious choices are your CIO or chief risk officer. This leader should have a direct reporting line into top level management so decisions can be made quickly.

Include representatives from all relevant areas, including IT, to trace and deal with any technical flaws that led to the breach; and corporate affairs, in case liaison with authorities is required, to manage media and customer communications.

Don’t forget privacy (you do have a chief privacy officer, don’t you?) and legal (to deal with regulators and advise on potential exposure to liability).

If you anticipate that litigation could result from the breach, then it may be appropriate for the detailed internal investigation of the breach to be managed by the legal team. If your organisation doesn’t have these capabilities, seek assistance from third parties at an early stage.

Step 2: Containment

The taskforce should first identify the cause of the breach and ensure that it is contained. Steps may include:

  • Installing patches to resolve viruses and technology flaws. The ‘Heartbleed’ security bug identified in April 2014 at one time compromised 17 per cent of internet servers. Although a security patch was made available almost immediately once it was discovered, some administrators were slow to react, leaving servers exposed for longer than necessary.
  • Resetting passwords for user accounts that may have been compromised and advising users to change other accounts on which they use the same password.
  • Disabling network access for computers known to be infected by viruses or other malware (so they can be quarantined) and blocking the accounts of users that may have been involved in wrongdoing.
  • Taking steps to recall or delete information such as recalling emails, asking unintended recipients to destroy copies or disabling links that have been mistakenly posted. Take care to ensure that steps taken to contain the breach don’t inadvertently compromise the integrity of any investigation.

Step 3: Assess the extent and severity of the breach

The results will dictate the subsequent steps of your response. A thorough assessment involves:

  • Identifying who and what has been affected. If it’s not possible to tell exactly what data has been compromised, it may be wise to take a conservative approach to estimation.
  • Assessing how the data could be used against the victims. If the data contains information that could be used for identity theft or other criminal activity (such as names, dates of birth and credit card numbers) or that could be sensitive (such as medical records), the breach should be treated as more severe. If the data has been encrypted or anonymised, there is a lower risk of harm.
  • Considering the context of the breach. If there has been a deliberate hacking, rather than an inadvertent breach of security, then the consequences for the relevant individuals or organisations could be much more significant. This should inform how you respond to the breach.

Step 4: Notification

For serious data security breaches, proactive notification is generally the right strategy. A mandatory notification scheme has been proposed in Australia, with the government promising implementation by the end of 2015.

In any case, there are good reasons to consider voluntary notifications, which include:

  • Victims may be able to protect themselves, for example by changing passwords, cancelling credit cards and monitoring bank statements.

eBay was roundly criticised in 2014 for not acting quickly enough to notify users affected by a hacking attack, and only doing so by means of a website notice rather than by sending individual messages. Notices should be practical, suggesting steps that recipients can take to protect themselves.

  • The Privacy Commissioner may also be involved, particularly if personal information has been stolen. The Commissioner may take a more lenient approach to organisations that proactively address problems when they arise.
  • Other third parties may also need to be notified. For example, if financial information is compromised, you might notify relevant financial institutions so that they can watch for suspicious transactions.

Step 5: Action to prevent future breaches

Having addressed the immediate threat, prevention is the final step. While customers may understand an isolated failure, they are typically less forgiving of repeated mistakes. Carry out a thorough post-breach audit to determine whether your security practices can be improved.

This could include:

  • Engaging a data security consultant, which will give you a fresh perspective on your existing practices, and help to reassure customers and others that you do business with.
  • Promptly remedying any identified security flaws – changes should be reflected in data security policies and training documents (and if such documents don’t exist, create them.)
  • Rolling out training to relevant personnel to ensure that everyone is up to speed on the latest practices.
  • Reviewing arrangements with service providers to ensure that they are subject to appropriate data security obligations (and, if not already the case, make data security compliance a key criterion applied in the procurement process).

Written by Cheng Lim, a partner at global law firm King & Wood Mallesons. Cheng leads KWM’s Cyber-Resilience initiative and has assisted clients over many years in dealing with privacy, data security and data breaches. Originally produced for CIO Australia.

Top 5 Strategic Infosec issues in Higher Education

The EDUCAUSE infographic of the Top Five strategic information security issues for Higher Education:-

  1. Developing an effective information security strategy that responds to institutional organization and culture and that elevates information security concerns to institutional leadership.
  2. Ensuring that members of the institutional community (students, faculty, and staff) receive information security education and training.
  3. Developing security policies for mobile, cloud, and digital resources (includes issues of data handling/protection, access control, and end-user awareness).
  4. Using risk-management methodologies to identify and address information security priorities.
  5. Developing, testing, and refining incident response capabilities to respond to information systems/data breaches.

ICO, Michael McIntyre and the Data Protection Act

ICO response to police force tweeting Michael McIntyre’s picture:

Police forces like all other organisations must comply with the Data Protection Act. The police especially must ensure that they have legitimate grounds for processing personal data and disclosing images of this nature without a justifiable policing purpose could potentially breach the Data Protection Act. We will follow this up with the Force concerned.

I have often wondered about the sharing of images and how in certain circumstances it could lead to the wrong person or a known person being identified e.g. a photo-fit image created by a Police Artist often looks like everyone’s next door neighbour.

Equally, if a person in the public spotlight cannot have their image shared by a public body then how can a media outlet, who is also governed by the Data Protection Act, show images that people do not want sharing?

It will be interesting to see what the outcome will be and if Michael McIntyre complains.

Cyber Security a Major Threat for Metals Industry: Top Three Lessons for Executives

According to a report commissioned by the Metals Service Center Institute (MSCI), cyber security poses complicated threats for metals companies.

The report was compiled by graduate students at the Boeing Center for Technology, Information & Management (BCTIM) at the Olin School of Business at Washington University in St. Louis.

Other research has shown that cybercrimes are growing more common, more costly, and taking longer to resolve. According to the findings of the fifth annual Cost of Cyber Crime Study conducted by the respected Ponemon Institute, the 2014 global study of U.S.-based companies found:

  • The average cost of cybercrime climbed by more than 9% to $12.7 million for companies in the United States, up from $11.6 million in the 2013 study
  • The average time to resolve a cyber-attack is also rising, climbing to 45 days, up from 32 days in 2013

“With data breaches happening frequently, our members and all companies must be concerned about the safety of their data and honestly ask themselves if they are as well protected as they think they are,” said M. Robert Weidner, III, MSCI president and CEO. “The potential damage to the company is compounded by how long it would take to be up and running again and at what cost and the cost of lost revenue.”

These concerns and questions prompted MSCI to ask BCTIM to research the cyber security threat, specifically as it relates to the metals industry.

From the report, three key lessons for executives concerned or dealing with cyber security emerged:

  1. Cyber security efforts require C-suite support. Executives must be directly involved in the management of their company’s cyber risk, creating and implementing the processes and policies necessary. Little happens in this arena without the top executive pushing for and supporting change.
  2. The biggest risk to any size company is internal. Employees have access to critical information. That fact, coupled with a lack of proper cyber security policies, procedures and processes leads to vulnerabilities. An example: Most employees are not trained to detect email and phishing scams (the U.S. Steel and Alcoa breaches a few years ago were prompted by phishing scams).
  3. If a company is unsure about reducing their cyber security risk, the policies and procedures necessary and the next steps to take, they should get help from a specialized third party with the necessary expertise.

The insurance implications of a cyber attack on the US power grid

The threat of cyber attack reaches every part of modern society, and insurance could have an important role to play in helping organisations to manage their cyber risk exposure.

However, there is a significant level of uncertainty attached to the impact of severe events. Lloyd’s of London has published a research report that aims to contribute to the knowledge base required to develop the next generation of insurance solutions for the digital age.

The research estimates the economic and insurance impacts of a severe, yet plausible, cyber attack against the US power grid. While the analysis focuses on the USA, we believe that it provides a framework for thinking about severe cyber attacks anywhere in the world. The key findings of the report are:

  • The attackers are able to inflict physical damage on 50 generators which supply power to the electrical grid in the Northeastern USA, including New York City and Washington DC.
  • While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region) it triggers a wider blackout which leaves 93 million people without power.
  • The total impact to the US economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario.
  • Insurance claims arise in over 30 lines of insurance. The total insured losses are estimated at $21.4bn, rising to $71.1bn in the most extreme version of the scenario.
  • A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.
  • The sharing of cyber attack data is a complex issue, but it could be an important element for enabling the insurance solutions required for this key emerging risk.

The report can be found here.

Reaching the Cloud Era in the European Union

The EU28 Cloud Security Conference, “Reaching the Cloud Era in the European Union”, brought to the foreground the current cloud landscape. The aim of the conference was to bring together practitioners, academics and policy makers to discuss the level of cloud computing security in the context of current and future policy activities. The conference included presentations and panel debates on legal and compliance issues, technical advancements, privacy and personal data protection, critical information infrastructures and cloud certification.

During the conference the important role of cloud computing was acknowledged for the development of the digital economy in Europe. Cloud computing is becoming essential for users, including individual consumers, businesses and public sector organisations. However, recent figures indicate that users’ concerns on cloud security are still the main barrier to the adoption of cloud services in Europe.

Key conclusions highlight that:

  • There is a need to raise awareness and educate users and SMEs on cloud security, to encourage safe and responsible use of cloud services. “Informed customers” should be able to ask the right questions to providers and understand where their responsibilities lie, and SMEs should understand that they are co-responsible for the security of the cloud services provided. A risk assessment culture, applicable to all, should be nourished. Transparency of cloud services must be improved by the implementation of continuous monitoring mechanisms, increasing accountability through evidence-based assurance solutions, and certification, keeping in mind that one size does not fit all. Rapid, context-based information sharing of incidents within the industry sectors will also enable collaborative information security able to respond quickly to the changing cybersecurity landscape.
  • There is a need for flexible policy approaches towards cloud security to allow further technological advancements. Within this framework co-regulatory and self-regulatory initiatives should be supported, and create technology-neutral legal guidelines and obligations based on principles, to allow for flexible solutions. Europe-wide solutions should be encouraged.
  • Data protection is an important element to be considered. Implementation of existing rules and techniques should be encouraged and this information should be shared.
  • Governmental clouds bring benefits to cloud security. There is space to strengthen cooperation and define clear procurement guidelines built on cooperation between industry and public sector. Furthermore, customised solutions based on the needs of each country and sharing of best practices can be encouraged.
  • Cloud benefits from an open market. Meanwhile discussions are required on security in relation to data location requirements, foreign jurisdiction and access to European data.
  • As cloud usage for critical sectors is increasing there is a need for elaborated security measures and specific risk assessment techniques addressing each critical sector’s needs.

Furthermore, cloud security was discussed in relation to the recent regulatory and policy initiatives, such as the ongoing data protection reform, the proposal for a Network and Information Security directive, cloud computing communication and the Digital Single Market strategy. There was consensus that further policy actions on cloud security could support trust and confidence in cloud services by addressing the key findings and issues deriving from the conference.

Risk managers identify the “big three” risks causing them their greatest concern

Risk managers identify technology, supply chain and regulatory as the “big three” risks currently causing their organisations the greatest concern, according to a survey of 500 companies in Europe, the Middle East and Africa conducted for global insurer ACE’s Emerging Risks Barometer 2015. People risk sits just outside the top-three, while geopolitical risk completes the top-five emerging risk categories.

Technology risk

Technology plays a role in almost every business’s strategic planning, whether in the development of new services or products or as an enabler of operational effectiveness. When it comes to technology risk management, however, our research suggests that companies may not be focusing on the right areas, due to a lack of knowledge about the most likely sources of threat.

Which of the following risk categories are currently causing you greatest concern as a business?
  • 43% Technology risk (including cyber security)
  • 31% Supply chain, finance and logistics risk
  • 27% Regulatory and compliance risk
  • 26% People risk (including risks to people such as personal accidents and disease, risks caused by people such as fraud and labour disputes, and talent risks)
  • 25% Geopolitical risk (including regime change, asset confiscation, trade credit risk, currency restrictions, protectionism)
  • 21% Reputational risk
  • 18% Management liability risk (including directors & officers liability)
  • 15% Environmental liability risk (such as pollution or failure to understand/comply with local regulation)
  • 15% Natural catastrophe risk
  • 14% Terrorism and political violence risk

Supply chain risk

As in our 2013 Barometer, supply chain risk remains a major concern. As companies expand into new markets using ever more complex networks of suppliers and partners the supply chain is at once an enabler of growth and a key source of risk.

In recent years, we have seen major disruptions to supply chains, caused by events such as Hurricane Sandy which prompted the most extreme fuel shortages since the 1970s and 2014’s widespread flooding in India and Pakistan, which caused US$12 billion in losses. After responding admirably to these and other catastrophes, risk managers say they have achieved a better handle on business interruption risk.

Today, businesses are better prepared and therefore less concerned about interruption caused by natural disasters. Instead, they are focusing more on issues that can harm their corporate reputations. Our respondents rank unethical labour practices as their biggest supply chain worry. Yet 61% admit they cannot always vouch for the ethical and trading standards of every company in their supply chain.

EMERGING RISKS BAROMETER 2015 

Which of the following risks currently consume the most time and resources in your organisation?
  • 47% Technology risk
  • 32% Supply chain, finance and logistics risk
  • 29% Regulatory and compliance risk
  • 28% People risk
  • 25% Geopolitical risk
  • 23% Reputational risk
  • 14% Management liability risk (including directors & officers liability)
  • 12% Environmental liability risk
  • 12% Terrorism and political violence risk
  • 11% Natural catastrophe risk
  • 2% Don’t know / Not applicable

Regulatory and compliance risk

27% of respondents say regulatory and compliance risk is among their greatest concerns. The category also comes third in the list of risks with the potential to cause significant financial impact over the next two years, cited by 27% of respondents, and third in the list of risks consuming the most time and resources (29%).

Which of these risk categories do you expect will have the most significant financial impact on your business in the next two years?
  • 47% Technology risk
  • 31% Supply chain, finance and logistics risk
  • 27% Regulatory and compliance risk
  • 26% Geopolitical risk
  • 25% People risk
  • 22% Reputational risk
  • 17% Management liability risk
  • 11% Natural catastrophe risk
  • 11% Terrorism and political violence risk
  • 10% Environmental liability risk
  • 2% Don’t know / Not applicable

While highly regulated sectors such as financial services and energy face the most extreme regulatory challenges, no company is immune. As businesses pursue growth on a global scale, they face a patchwork of regulatory regimes, across markets and jurisdictions.

Other risks to watch

The rise of people risk

People risk only narrowly missed out on a place in our Big Three Risks. Over a quarter (26%) say this risk, including risks to people, risks caused by people and talent risks, is among their greatest concerns.

34% say their greatest concern in relation to people risk is time lost to labour disputes. In recent years, we have seen substantial labour action in the UK and Germany as well as in supplier nations such as China. At the same time 75% of respondents say recent global events, such as political unrest in Ukraine and the Middle East are causing them to review their travel and security policies.

Geopolitical risk to grow in importance?

Regime change, asset confiscation, protectionism and other geopolitical risks also pose a real threat for business. Respondents today are largely confident in their ability to manage this risk, but only 30% say they are very confident. As a quarter (26%) also believe geopolitical risk will have a significant financial impact over the next two years, we could expect the risk to appear higher in the future, especially as companies continue to expand overseas.

Respondents are primarily concerned about foreign governments cancelling operating licences, concessions or contracts. The majority (68%) believe foreign governments are already making it more difficult for them to plan ahead.

DMA Privacy

ICO publishes its annual report

The Information Commissioner has released its annual report.

Christopher Graham points to the strengthening of his regulatory powers to show how the legislation continues to develop. In the past year, the ICO was given powers to compulsorily audit NHS bodies for their data handling, and it was also made an offence to force a potential employee to make a subject access request for, for example, their spent criminal record. A law change also made it easier to issue fines to companies behind nuisance calls and texts.

Information Commissioner Christopher Graham said:
“It’s thirty years since this office was established in Wilmslow. We’ve seen real developments in the laws we regulate during that time, particularly over the past year. Just look at the EU Court of Justice ruling on Google search results, a case that could never have been envisaged when the data protection law was established.

“Our role throughout has been to be the responsible regulator of these laws. More than that, we work to demystify some of this legislation, making clear that data protection isn’t to be seen as a hassle or a duck-out, but a fundamental right.

“A good example of that is our role in the new data protection package being developed in Brussels. We’ve been asked for our advice, based on our experience regulating the existing law, while we’ve also provided a sensible commentary on proceedings for interested observers.

“That role will continue this year, in what promises to be a crucial twelve months. The reform is overdue, but it is vital that we get the detail right on a piece of legislation that needs to work in practice and to last.”

“It is striking to see how decisions that were so hard fought in the early years have resulted in routine publication of information. Publication of safety standards of different models of cars, for example; or hygiene standards in pubs and restaurants; and surgical performance records of hospital consultants. Publication is now expected and unexceptionable.

“It’s been the ICO’s job to help public authorities to comply with requests,” Mr Graham will say. “The ICO’s role has led to information being released that time and time again has delivered real benefits for the UK.”

“Our Annual Report is our claim to be listened to in the debates around information rights. It shows the ICO knows what it is talking about.”

The ICO annual report reflects on the financial year 2014/15. Key stats include:

  • 14,268 – data protection concerns received
  • £1,078,500 – total CMPs issued, £386,000 of which were for companies behind nuisance calls or texts
  • 195,431 – helpline calls answered
  • 11.4% – rise in number of concerns raised about nuisance calls and texts (to 180,188)
  • 41 – audits conducted of data controllers (as well as 58 advisory visits to SMEs)
  • 1,177 – Information requests responded to
  • 4.9 million – number of visits to our website

The full report can be found here.


Tor detections jump by more than 1,000%

Vectra Networks announced the results of the second edition of its “Post-Intrusion Report”, a real-world study about threats that evade perimeter defenses and what attackers do once they get inside your network.

Report data was collected over six months from 40 customer and prospect networks with more than 250,000 hosts, and is compared to results in last year’s report. The new report includes detections of all phases of a cyber attack and exposes trends in malware behavior, attacker communication techniques, internal reconnaissance, lateral movement, and data exfiltration.

According to the report, there was non-linear growth in lateral movement (580%) and reconnaissance (270%) detections that outpaced the 97% increase in overall detections compared to last year. These behaviors are significant as they show signs of targeted attacks that have penetrated the security perimeter.

While command-and-control communication showed the least amount of growth (6%), high-risk Tor and external remote access detections grew significantly. In the new report, Tor detections jumped by more than 1,000% compared to last year and accounted for 14% of all command-and-control traffic, while external remote access shot up by 183% over last year.

The report is the first to study hidden tunnels without decrypting SSL traffic by applying data science to network traffic.

A comparison of hidden tunnels in encrypted traffic vs. clear traffic shows that HTTPS is favored over HTTP for hidden tunnels, indicating an attacker’s preference for encryption to hide their communications.

“The increase in lateral movement and reconnaissance detections shows that attempts at pulling off targeted attacks continue to be on the rise,” said Oliver Tavakoli, Vectra Networks CTO. “The attackers’ batting average hasn’t changed much, but more at-bats invariably has translated into more hits.”

Key findings of the study include:

  • Botnet monetization behavior grew linearly compared to last year’s report. Ad click-fraud was the most commonly observed botnet monetization behavior, representing 85% of all botnet detections.
  • Within the category of lateral movement detections, brute-force attacks accounted for 56%, automated replication accounted for 22% and Kerberos-based attacks accounted for 16%. Although only the third most frequent detection, Kerberos-based attacks grew non-linearly by 400% compared to last year.
  • Of internal reconnaissance detections, port scans represented 53% while darknet scans represented 47%, which is fairly consistent with behavior detected last year.
  • Lateral-movement detections, which track the internal spread of malware and authentication-based attacks such as the use of stolen passwords, led the pack with over 34% of total detections.
  • Command and control detections, which identify a wide range of malicious communication techniques, were close behind with 32% of detections.
  • Botnet monetization detections track the various ways criminals make money from ad click-fraud, spamming behavior, and distributed denial of service (DDoS) attacks. These botnet-related behaviors accounted for 18% of all detections.
  • The reconnaissance category looks for internal reconnaissance performed by an attacker already inside the network and represented 13% of detections.
  • Exfiltration detections look for the actual theft of data. The good news here is that it was by far the least common category of detection at 3%.

The data in the Post-Intrusion Report is based on metadata from Vectra customers and prospects who opted to share detection metrics from their production networks. Vectra identifies active threats by monitoring network traffic on the wire in these environments. Internal host-to-host traffic and traffic to and from the Internet are monitored to ensure visibility and context of all phases of an attack.

The latest report offers a first-hand analysis of active “in situ” network threats that bypass next-generation firewalls, intrusion prevention systems, malware sandboxes, host-based security solutions, and other enterprise defenses. The study includes data from 40 organizations in education, energy, engineering, financial services, government, healthcare, legal, media, retail, services, and technology.

The full report can be found here.

Survey Shows Lack of Trust, Limited Visibility and Knowledge Gap between the Board and IT Security Professionals

There are significant gaps in cybersecurity knowledge, shared visibility and mutual trust between those who serve on organizations’ board of directors and IT security professionals. These gaps between those responsible for corporate and cyber governance and those responsible for the day-to-day defense against threats could have damaging impacts on organizations’ cybersecurity posture, leaving them more vulnerable to attack and breaches.

This data comes from a new survey, Defining the Gap: The Cybersecurity Governance Survey, conducted by the Ponemon Institute and commissioned by Fidelis Cybersecurity.

Cybersecurity is a critical issue for boards, but many members lack the necessary knowledge to properly address the challenges and are even unaware when breaches occur. Further widening the gap, IT security professionals lack confidence in the board’s understanding of the cyber risks their organizations face, leading to a breakdown of trust and communication between the two groups.

The survey asked more than 650 board members and IT security professionals (mainly CIOs, CTOs and CISOs) for their perspectives regarding board member knowledge and involvement in cybersecurity governance.

Key findings include:

Lack of Critical Cybersecurity Knowledge at the Top

76% of boards review or approve security strategy and incident response plans, but 41% of board members admitted they lacked expertise in cybersecurity. An additional 26% said they had minimal or no knowledge of cybersecurity, making it difficult, if not impossible, for them to understand whether the practices being discussed adequately address the unique risks faced by their organization. This renders their review of strategy and plans largely ineffective.

Limited Visibility into Breach Activity

59% of board members believe their organizations’ cybersecurity governance practices are very effective, while only 18% of IT security professionals believe the same. This large gap is likely the result of the board’s lack of information about threat activity. Although cybersecurity governance is on 65% of boards’ agendas, most members are remarkably unaware if their organizations had been breached in the recent past. Specifically, 54% of IT security professionals reported a breach involving the theft of high-value information such as intellectual property within the last two years, but only 23% of board members reported the same, with 18% unsure if their organizations were breached at all.

“As the breadth and severity of breaches continues to escalate, cybersecurity has increasingly become a board level issue,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “The data shows that board members are very aware of cybersecurity, but there is still a lot of uncertainty and confusion. Many lack knowledge not only about security issues and risks, but even about what has transpired within their own companies, which is shocking to me. Without an understanding of the issues, it’s impossible to reasonably evaluate if strategies and response plans are effectively addressing the problem.”

Absence of Trust Between Boards and IT Security Professionals

The board’s lack of knowledge has created a further divide. Nearly 60% of IT security professionals believe that the board does not understand the cybersecurity risks of the organization, compared to 70% of board members who believe that they do understand the risks.

“The gap in knowledge and limited visibility into breach activity means board members don’t have the information they need to make smart cybersecurity governance decisions, and IT security professionals don’t have the support, monetary or otherwise, to maintain a strong security posture,” said retired Brig. Gen. Jim Jaeger, chief cyber services strategist at Fidelis. “Board members don’t need to be cyber experts, but they should have a thorough knowledge of the risks their organization faces and be able to provide the support needed for the security teams to protect against those risks.”

Additional Key Findings Include:

  • Target breach was a watershed moment. 65% of board members and 67% of IT security professionals reported that the Target data breach had a significant impact on the board’s involvement in cybersecurity governance, while previous high profile breaches were reported to have nominal or no impact.
  • The SEC will drive drastically increased board involvement. The Securities & Exchange Commission (SEC) Guidelines requiring the disclosure of material security information had a significant impact in boards’ involvement, according to 46% of board members and 44% of IT security professionals. However, only 5% of board members and 2% of IT security professionals say they followed the SEC guidelines and disclosed a material security breach to shareholders. Moving forward, 72% of board members believe the SEC will make the guidelines a mandate, and 81% believe that this will increase the board’s involvement in cybersecurity governance.

TAKE UP OF CYBER INSURANCE REMAINS LOW

Marsh has undertaken an in-depth study into organisations’ attitudes towards the cyber threat, the management control processes they have in place, and their understanding and use of cyber insurance as a means of risk transfer. The benchmarking data in this report was collected from risk professionals and CFOs from large and medium-sized corporations from across the UK.

Spotlight on cyber risk to UK companies:

  • 18% of organisations have a “complete understanding” of cyber risk, down on last year
  • 4% of UK businesses have board-level oversight of cyber risk
  • 4% of companies do not assess their suppliers and/or customers for cyber risk

Firms across the UK continue to place cyber among their leading risks in terms of the likelihood and severity of impact; however, the findings suggest there is still a lot of work to do to improve understanding and management.

Interestingly, there has been a substantial drop in the percentage of respondents who feel they have a “complete understanding” compared to last year (down from 34% to 18%).

This comes at a time when cyber risk is being elevated as a board agenda item, suggesting that executive-level interrogation has exposed a pre-existing overconfidence in the level of knowledge and understanding within certain organisations.

If this is the case, then it is clear those tasked with creating and delivering critical management information relating to cyber risk need more help and guidance to get them to a position where the level of management information is adequate.

Cyber risk is ranked as a tier one threat according to the UK National Security Strategy, and it is therefore surprising that 26.4% of UK companies surveyed do not consider it to be material enough to even get on the risk register. Just 16.6% of companies place cyber as a Top five risk on the risk register, while the remainder place it outside of the Top 10.

73% of respondents from the manufacturing industry say that cyber risk does not appear in the Top 10 risks on their corporate risk registers, the highest proportion of industry segments we surveyed.

This is perhaps understandable due to a low level of high-profile cyber incidents within the industry; however, as a key target for industrial espionage, and with instances of industrial control technology being compromised recently reported, one could argue that the threat is being underestimated.

The fact that fewer than 31.9% of respondents have identified one or more cyber scenarios that could most affect their organisations suggests that the lack of a complete understanding and absence/low positioning of cyber on the risk register is, for many companies, filtering through to a lack of definition around specific scenarios that might impact their businesses.

Board-level ownership of cyber risk exists in 19.4% of UK organisations. While this figure is broadly in line with last year’s findings (20%), it remains very low. Meanwhile, IT departments continue to take primary responsibility for cyber risk in 55.5% of organisations. Cyber risk is increasingly recognised as a business risk rather than simply a technical control, and, within this context, it is disappointing to note that there is no material upwards movement in risk management and board functions seizing responsibility from IT (the percentage has risen incrementally to 15.3% from 14% in 2014). IT departments might know how to implement cybersecurity; however, the inability of IT to drive value for the organisation or the potential for significant damage to be caused as a result of a security breach, most certainly is a business risk, the consequences of which will be felt at the highest levels of the organisation should it occur.

Boards therefore need to take ownership of cyber risk before a cyber event forces it on to the board agenda, and communicate the identified security priorities to IT departments so that they can align their activity and resources against the business’s risk management agenda.

Lack of data continues to prevent companies from adequately assessing cyber risk

The percentage of firms that have experienced a cyber-attack in the past 12 months has risen to 40.3%, albeit marginally (from 31% in 2014).

However, compared with other statistics (HM Government’s 2015 Information Security Breaches Survey states that 90% of large organisations and 74% of small organisations have suffered a security breach), this figure is still low, indicating that many of the respondents to this year’s survey are either particularly fortunate or (more likely) unaware of breach events within their firms.

Interestingly, 100% of respondents in two industries (communications, media, and technology; and energy) reported that they had been subject to a cyber-attack in the past 12 months. This most likely reveals a more enlightened position of those organisations rather than any high level of vulnerability.

In terms of organisations that have conducted or estimated the financial impact of a cyber-attack, this year’s survey results are somewhat contradictory to earlier findings. As such, it would be reasonable to question the rigorousness of the financial analysis around those numbers and how many are in fact high-level estimates rather than worst loss values calculated from detailed information and knowledge of cyber risk and individual exposures.

61.1% of organisations have not yet made any attempt to estimate/calculate loss estimates, however, suggesting that they are operating in the dark when it comes to the financial impact upon their businesses.

This puts them in a poor position to transfer the risk or even to appreciate whether a cyber event might threaten the viability of the company. Event modelling, combined with financial stress testing, is required to evaluate both the total financial loss attaching to an event and the shorter-term availability of cash to maintain trading.

The majority of organisations have not planned for sources of funding; however, the 48.9% that have is an encouraging number. Since just 11.1% of companies are buying insurance, it must be the case that companies are bypassing the insurance market and finding alternative methods to fund the risk (from available cash lines or lines of credit or assets that can be disposed of rapidly, for example).

Possessing and rehearsing an incident response plan is recognised as having a very positive effect on the operational, financial, and reputational impact of a cyber-attack upon an organisation.

The effect for breaches of personal data was quantified in the Ponemon Institute’s 2015 Cost of Data Breach Study, which reveals that those companies with an incident response team in place typically make a GBP £9.50 saving on the per capita cost of a data breach, compared with the mean per capita cost.

Lack of control over suppliers/third parties a major concern

It is both a surprise and a huge concern that 69.4% of respondents to this year’s survey do not assess the suppliers and/or customers they trade with for cyber risk.

Suppliers and external organisations with whom system links are shared present one of the key vulnerabilities to UK companies. Businesses have done a lot to improve cybersecurity in the past 12 months; however, their exposure to third parties, whether service providers, product suppliers, customers, or, in the case of banks, borrowers, presents significant risks to companies’ networks. In addition to this, 51.4% are not asked to demonstrate a competent standard of IT security practices to their own bank and/or customers in order to do business with them.

While organisations can control their own networks, they have much less control over those of the suppliers/third parties that they might be linked to. Without the appropriate checks, this leaves them exposed and lacking control over standards of IT security in systems where hackers might find a “back door” into their organisation.

There therefore needs to be an improvement in supply-chain resilience to cyber-attack if organisations are going to reduce the threat arising from this key vulnerability. This is especially true for large organisations with a profile that attracts highly motivated and sophisticated hackers who might identify smaller business partners that are typically less well protected. For example, a recent report published by Marsh and the UK Government highlighted that 22% of small businesses admit they “don’t know where to start” with cybersecurity.

One of the most well-publicised cyber breaches in recent years occurred at a large US retail company after hackers stole network credentials from a third-party heating, ventilating, and air conditioning (HVAC) contractor that had an IT link with the victim’s corporate systems. Incidents like these are likely to rise in frequency until organisations place greater focus on setting out the basic technical controls that all suppliers/contractors should have in place.

More than half of respondents are not asked to demonstrate a competent standard of IT security practices to their own banks and/or customers.

Take up of cyber insurance remains low

52.8% of respondents’ organisations are engaged with the insurance market in one way or another. 

Marsh’s experience and earlier findings in this survey suggest that the remainder are not yet ready to approach the market as they have an incomplete understanding of the risk, as opposed to them making a conscious decision not to purchase insurance following a value-based judgment.

This latter explanation would tie in with the earlier finding that 68.1% of organisations have not identified one or more cyber scenarios that could most affect their organisations. Organisations such as these, because they have not carried out the financial assessment required, are in a poor position to approach the insurance market and place a value on transferring the risk. The survey data therefore suggests that more work needs to be done by organisations and their professional advisers, including their insurance brokers, to help improve their understanding of cyber risk and their cyber exposures and demonstrate what value insurance can bring.

The insurance market continues to address the issues that represent organisations’ greatest concerns: a standard cyber insurance policy can deliver cover against breach of customer information (31.9%) and business interruption (22.2%), while computer crime/fraud (12.5%) can be insured against via a comprehensive crime insurance policy. The insurance market is also making inroads to deliver meaningful cover for reputational loss (8.4%).

Of particular interest is that none of the respondents from the industrial sectors identified physical property damage as a priority risk, despite a lot of recent attention being given to the threat that exists to critical infrastructure and the potential for tampering with industrial control technology.

The findings suggest that companies recognise that cyber insurance is not a holistic solution in dealing with cyber exposure and that, in fact, it covers only certain specific events and outcomes.

Cyber exposure might attach itself to a number of different insurance policies that need to maintain an effective response when the loss or liability outcomes are created by cyber events. 48.6% of respondents admit to having “insufficient knowledge” in order to assess the insurances available, which may suggest a lack of insight into what can be insured by a cyber insurance policy. However, in view of the earlier findings, this figure might also indicate that a lack of understanding of their firm’s own risk profile places many respondents in a position where they are unable to make an informed judgment as to whether the cover is appropriate.

Cyber insurance is not a holistic solution in dealing with cyber exposure and covers only certain specific events and outcomes.

Marsh’s conclusion

Clearly, there is still a lot of work that needs to be done by UK organisations in order to improve their understanding and management of cyber risk. Achieving a high level of understanding is essential as it serves as the foundation stone upon which all other cyber risk transfer and mitigation decisions need to be made.

The solution to this lies in the boardroom, and it is still a great concern that the board takes primary responsibility for cyber risk in 19.4% of organisations surveyed. Only with board-level buy-in can companies take the big strides needed to advance their knowledge and perform the financial modelling required. Proper assessment and quantification of the risk will lead to better targeted mitigation, practical improvements in risk management, and the ability to judge the value of the risk transfer options available on the market.

One particularly interesting, and somewhat remarkable, finding to emerge from this year’s survey is that 69.4% of respondents’ organisations do not assess the suppliers they trade with for cyber risk. Supply chains are proven to be a critical vulnerability in corporate IT networks, yet there appears to be too little work being done to ensure that the entities with which companies share system links are following basic good security practices.

This has to improve as, for all the proactive steps taken and money invested to harden corporate networks against cyber-attacks, a security breach at a contractor or service provider, for example, could potentially allow hackers to circumnavigate all of that.

The insurance industry can play and is already playing a role in that assurance process; however, more work needs to be done in order to move the security focus away from the edge of the corporate network and to the heart of strategic decision making.

The full report with the references can be found here.

How Cyber Security Literate is the board?

Tripwire have announced the results of a study on the cyber literacy challenges faced by organisations.

The study evaluated the attitudes of executives as they relate to cybersecurity risk decision-making and communication between IT security professionals, executive teams and boards. Study respondents included 101 C-level executives and directors as well as 176 IT professionals from both private and public U.K. organisations.

Despite the increasing number of successful cyberattacks against U.K. organisations, the study revealed that 54% of C-level executives at organisations within the Financial Times Stock Exchange (FTSE) 100 index believe their board is both cybersecurity literate and actively engaged in routine security. IT professionals from the same organisations are less confident in their board’s cybersecurity knowledge, with 26% stating their board only steps in when there is a serious incident.

While the results of the study point to executive confidence, they reveal the uncertainty of IT professionals. When asked if their board was “cyber literate,” 29% of IT professionals either answered “no” or “not sure.” However, when C-level executives were asked the same question, 84% answered “yes.”

“There’s a big difference between cybersecurity awareness and cybersecurity literacy,” said Dwayne Melancon, chief technology officer for Tripwire. “If the vast majority of executives and boards were really literate about cybersecurity risks, then spear phishing wouldn’t work. I think these results are indicative of the growing awareness that the risks connected with cybersecurity are business critical, but it would appear the executives either don’t understand how much they have to learn about cybersecurity, or they don’t want to admit that they don’t fully understand the business impact of these risks.”

Other key findings include:

  • 28% of IT professionals “don’t have visibility” into what the board is told about cybersecurity
  • 47% were “not concerned” about their board’s knowledge of cybersecurity.
  • In the event of a cyberattack, respondents would be most concerned about customer data (62%), damage to brand and reputation (50%) and financial damage or stock price (40%).
  • 35% of respondents agreed that a security breach at their own organization had the biggest impact on their boards’ cybersecurity awareness, while other respondents felt that Heartbleed (19%) had a bigger impact than the Target or Sony breach and the Snowden leaks (17% and 8%, respectively).

“Most organisations are not struggling with communication tools,” said Melancon. “They are instead struggling with finding the right vocabulary and information to accurately portray cybersecurity risk to their boards, and they are trying to find the right balance of responsibility and oversight for this critical business risk.”

Shadow Cloud Services 20 Times More Prevalent than Sanctioned Cloud

Skyhigh Networks released its new “Cloud Adoption & Risk in the Government Report.” The Q1 2015 report reveals that shadow IT is prevalent in government agencies.

The average public sector organization uses 742 cloud services, which is about 10-20 times more than IT departments expect. Despite the security initiatives in place, such as FedRAMP, FISMA, and FITARA, many government employees are unaware of agency rules and regulations or simply ignore them and use cloud services that drive collaboration and productivity.

“As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks. “Skyhigh manages shadow IT and securely enables sanctioned IT, allowing public sector organizations to use hundreds of cloud services while providing robust data protection services, thereby meeting data privacy requirements and conforming to regulations.”

Despite the clear benefits of cloud services, Federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT. Under FITARA, Federal CIOs must oversee sanctioned cloud services as well as shadow IT. This new requirement underscores the uncertainty about how employees are using cloud services within their agencies.

Understanding Shadow IT
The average public sector organization now uses 742 cloud services, which is about 10-20 times more than IT departments report. What agencies don’t know can hurt them. When asked about insider threats, just 7% of IT and IT security professionals at public sector organizations indicated their agency had experienced an insider threat. However, looking at actual anomaly data, Skyhigh Networks found that 82% of public sector organizations had behavior indicative of an insider threat.

Agencies cannot rely on the security controls offered by cloud providers alone. Analyzing more than 12,000 cloud services across more than 50 attributes of enterprise readiness developed with the Cloud Security Alliance, the report found that just 9.3% achieved the highest CloudTrust Rating of Enterprise Ready. Only 10% of cloud services encrypt data stored at rest, 15% support multi-factor authentication, and 6% have ISO 27001 certification. Skyhigh Networks helps Federal agencies address these security gaps and gain control over shadow IT by providing unparalleled visibility, comprehensive risk assessment, advanced usage and threat analytics, and seamless policy enforcement.

Password Insecurity
Compromised credentials can also mean disaster for Federal agencies. According to a study by Joseph Bonneau at the University of Cambridge, 31% of passwords are used in multiple places. This means that for 31% of compromised credentials, attackers can potentially gain access not only to all the data in that cloud service, but all the data in other cloud services as well. The average public sector employee uses more than 16 cloud services, and 37% of users upload sensitive data to cloud file sharing services. As a result, the impact of one compromised account can be immense.

The Skyhigh “Cloud Adoption & Risk in the Government Report” reveals that 96.2% of public sector organizations have users with compromised credentials and, at the average agency, 6.4% of employees have at least one compromised credential.

Cloud Services in the Public Sector
Most cloud services deployed in the public sector are collaboration tools. The average organization uses 120 distinct collaboration services, such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services. The average employee uses 16.8 cloud services including 2.9 content sharing services, 2.8 collaboration services, 2.6 social media services, and 1.3 file sharing services. Shockingly, the average public sector employee’s online movements are monitored by 2.7 advertising and web analytics tracking services, the same services used by cyber criminals to inform watering hole attacks.

The report also reveals the top cloud services used in the public sector.

Top ten enterprise cloud services are:
1. Microsoft Office 365
2. Yammer
3. Cisco WebEx
4. ServiceNow
5. SAP ERP
6. Salesforce
7. DocuSign
8. NetSuite
9. Oracle Taleo
10. SharePoint Online

Top ten consumer cloud services are:
1. Twitter
2. Facebook
3. YouTube
4. Pinterest
5. LinkedIn
6. Reddit
7. Flickr
8. Instagram
9. StumbleUpon
10. Vimeo

The “Cloud Adoption & Risk in the Government Report” is based on data from 200,000 public sector employees in the United States and Canada.

The Majority of Risk Professionals Without Coverage Are Considering Purchasing Cyber Insurance

RIMS, the risk management society™, has conducted its first Cyber Survey 2015 to explore strategies implemented by risk professionals including insurance investments, exposures, cyber security ownership, government involvement, as well as identification methods and response procedures.

Responses came in from 284 of RIMS U.S. professional members in various industries, with 58% of respondents coming from organizations that produce more than $1 billion in annual revenue.

RIMS said it conducted the survey, in part, to identify methods and response procedures used by its members. The organization also wanted to uncover strategies used by its members against cyber threats, including insurance investments, exposures, cyber security ownership and government involvement.

RIMS President Rick Roberts said that the new information is intended to give “the global risk management community valuable insight, showing how organizations are trying to stay ahead of this top concern.”

Key survey findings:

  • 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.
  • The top three first party exposures reported are:
    1. 79% reputational harm
    2. 78% business interruption
    3. 73% data breach response and notification
  • 51% said their companies or organizations purchase standalone cyber insurance policies.
  • 58% of those with cyber insurance policies carry under $20 million in cyber coverage, and just under half of those said they pay more than $100,000 in premium.
  • 74% of respondents who said their companies lack cyber coverage are considering getting it within the next 12-24 months.
