
Brian Pennington

A blog about Cyber Security & Compliance


11 Cyber Security Questions Every Small Business Should Ask

ICO: Warning to SMEs as firm hit by cyber attack fined £60,000

Small and medium sized businesses are being warned to take note as a company which suffered a cyber attack is fined £60,000 by the UK Information Commissioner’s Office.

An investigation by the ICO found Berkshire-based Boomerang Video Ltd failed to take basic steps to stop its website being attacked.

Sally Anne Poole, ICO enforcement manager, said:

“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.

“If a company is subject to a cyber attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

She added:

“Boomerang Video failed to take basic steps to protect its customers’ information from cyber attackers. Had it done so, it could have prevented this attack and protected the personal details of more than 26,000 of its customers.”

The video game rental firm’s website was subject to a cyber attack in 2014 in which 26,331 customer details could be accessed. The attacker used a common technique known as SQL injection to access the data.

The ICO’s investigation found:

  • Boomerang Video failed to carry out regular penetration testing on its website that should have detected errors
  • The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
  • Boomerang Video had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
  • Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary
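The ICO's findings above name SQL injection as the technique used against the site. The defect and its fix, side by side, as an added example that is not code from the page, from the ICO or from Boomerang Video: a query built by pasting user input into the SQL text next to the parameterised form, run against a constructed in-memory SQLite table (Python, sqlite3).

```python
import sqlite3

# Constructed sample data: a tiny stand-in for a customer table.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The anti-pattern: the caller's input is concatenated into the SQL text,
    so whatever the caller supplies becomes part of the query itself."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, email):
    """The fix: the SQL text is fixed and the value is bound separately,
    so the database engine treats the input purely as data."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def compare(email):
    """Run both forms on the same input and return the row counts as
    (vulnerable_count, parameterised_count)."""
    conn = make_db()
    try:
        return (len(lookup_vulnerable(conn, email)),
                len(lookup_parameterised(conn, email)))
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves the same either way: one row each.
    print(compare("alice@example.com"))
    # A quote and a tautology in the input rewrite the WHERE clause of the
    # concatenated query (every row comes back) but are just an unmatched
    # string to the bound query (no rows).
    print(compare("x' OR '1'='1"))
```

The parameterised form is the check a code review or penetration test of the site would look for: every query that touches user-supplied values should bind them rather than build SQL strings, and a regression test like `compare` above can confirm that a non-matching input returns nothing regardless of the characters it contains.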

Ms Poole said:

“For no good reason Boomerang Video appears to have overlooked the need to ensure it had robust measures in place to prevent this from happening.

“I hope businesses learn from today’s fine and check that they are doing all they can to look after the customer information in their care.”

Is the North West a hub for nuisance calls?

In the last few months it appears that the North West of England has become a hub of nuisance calls, after three raids undertaken on behalf of the Information Commissioner’s Office.

The ICO executed two search warrants this week, one in Gatley, Greater Manchester, on Wednesday and the other in Wilmslow, Cheshire, on Thursday.

Computers and phones were seized during the searches as the ICO continues to investigate nuisance calls prompted by the theft of people’s details from car repair centres throughout the UK. The items will now be subject to forensic examination and investigation.

Mike Shaw, ICO Criminal Investigations Group Manager, said:

“This illegal trade has multiple negative effects – both on the car repair businesses targeted for their customer data and the subsequent nuisance calls made to customers. These can be extremely unsettling and distressing. 

“Our searches this week are the latest step in us tracking down the unscrupulous individuals involved in this industry. These people won’t get away with it – any person or business involved in the theft and illegal trade of personal data may find themselves subject to ICO action.”

ICO investigators are looking at how the data was stolen, who stole it and which companies have subsequently made calls to the public encouraging them to make compensation claims about accidents they may have been involved in.

The ongoing investigation, named Operation Pelham, started in May 2016 and has so far involved:

  • December 2016: A business and two homes in Macclesfield and Heald Green were searched by ICO officers. The business was linked to the making of telephone calls to numbers originating from some of the car repair centres. Computers, telephones and documents were among items seized from the residential properties.
  • April 2017: Homes in Macclesfield and Droylsden.

Technological Change and Cyber Risk Overtake Regulation as Top Risks for Insurers

The global insurance industry’s ability to confront structural and technological changes is now the greatest risk it faces, according to a new survey of insurers and close observers of the sector.

The CSFI’s latest Insurance Banana Skins 2017 survey, conducted with support from PwC, surveyed 836 insurance practitioners and industry observers in 52 countries, to find out where they saw the greatest risks over the next 2-3 years.

Insurance Banana Skins 2017 
(2015 ranking in brackets)
1 Change management (6)
2 Cyber risk (4)
3 Technology (-)
4 Interest rates (3)
5 Investment performance (5)
6 Regulation (1)
7 Macro-economy (2)
8 Competition (-)
9 Human talent (15)
10 Guaranteed products (7)
11 Political interference (16)
12 Business practices (11)
13 Cost reduction (-)
14 Quality of management (12)
15 Quality of risk management (10)
16 Social change (20)
17 Reputation (18)
18 Product development (17)
19 Corporate governance (21)
20 Capital availability (22)
21 Complex instruments (25)
22 Brexit (-)

Change management is at the head of a cluster of operating risks which have jumped to the top of the rankings. The report raises concerns about the industry’s ability to address the formidable agenda of digitisation, new competition, consolidation and cost reduction it faces, especially because of rapidly emerging technologies which could transform insurance markets, such as driverless cars, the ‘internet of things’ and artificial intelligence.

Cyber risk follows close behind, with anxiety rising about attacks on insurers themselves as well as the costs of underwriting cyber-crime. Other major concerns include the adequacy of insurers’ internal technology systems and new competition, particularly from the ‘InsurTech’ sector.

The next cluster of high-ranking risks, interest rates, investment performance and macro-economic risk, shows that concern about economic instability remains high. Although respondents acknowledged signs of growth, confidence in the recovery is not strong for reasons as widely dispersed as the slowdown in China, the risk of Trump-era protectionism, and populism in Europe. The risk of political interference was seen to have risen sharply. However, Britain’s exit from the EU was seen to be a minimal source of risk for insurers, particularly those without operations in the UK.

Regulatory risk, which has topped the last three editions of this survey, has fallen out of the top five this year. This is largely because recent regulatory changes are settling into business as usual (e.g. Solvency 2), though the cost and complication of regulation continue to be a concern.

The report shows that the industry’s ability to attract and retain human talent is a fast-rising concern, particularly to handle the digital challenge. Conversely, an area of declining risk is the governance and management of insurance companies. These were seen as high-level risks during the financial crisis but have fallen sharply since, because of both initiatives from the industry itself and regulatory pressure.

Overall, the climate for insurers is becoming more challenging, according to respondents. The 2017 Banana Skins Index, which measures the level of anxiety in the industry, is at a record high, while the industry’s preparedness to handle these risks has fallen from 2015.

David Lascelles, survey editor, said: “For the first time in six editions of this survey, operating risks pose the greatest threat to insurers. Structural and technological changes to the industry could upend traditional business models. At the same time, insurers are grappling with a very difficult economic climate, which helps explain why anxiety is at an all-time high.”

Mark Train, PwC Global Insurance Risk Leader, comments: “Both the challenges and opportunities presented by change underline the vital importance of being clear about where you’re best able to add value, and then being ruthless in targeting investment and management time at these priorities. A key part of this ‘fit for growth’ strategy is differentiating the capabilities needed to fuel growth, ‘good costs’ targeted for investment, from low-performing business and inefficient operations, ‘bad costs’ targeted for overhaul or elimination.”

Will GDPR Change the World?

Rob Luke’s keynote speech ‘Will GDPR Change the World?’.

Introduction

Thank you.

Let me take a moment to thank TechUK for putting together this event and for offering me the platform to speak with you this morning.

Our Commissioner, Elizabeth Denham, has been clear that the ICO’s vision – of increasing data trust and confidence among the UK public – can only be achieved by working in partnership with the private, public and third sectors.

An important part of that is developing key relationships with representative or umbrella organisations as multipliers and amplifiers for our engagement with different constituencies. Helping us reach new or hard-to-reach audiences.

Our strong relationship with Tech UK is a great example of that partnership approach.

We appreciate the role you play in bringing together representatives from across the sector and your ongoing constructive dialogue with us around issues of importance to your members and the sector as a whole.

I’m glad to have the opportunity to continue that dialogue this morning.

Will GDPR change the world?

Will the General Data Protection Regulation change the world?

Wow, what a question. On the face of it, even the most ardent data protection advocate would struggle to make a case that a blandly titled piece of European legislation deserves that billing.

So despite my professional obligation to emphasise the importance of data protection in the digital age, I am not going to make the argument for the world revolving around GDPR.

What I will try to do is highlight some of the opportunities and challenges GDPR brings for organisations.

Ultimately, of course, GDPR is an indicator of change as much as it is an instigator. And no sector is more relevant to that rapidly changing landscape than yours.

GDPR is part of the response to the challenge of upholding information rights in the digital age. Of protecting the rights and interests of the individual in the context of an explosion in the quantity and use of data and in an environment of extremely rapid technological change.

So I feel it is particularly relevant to mark One Year To Go in dialogue with the tech sector in particular.

I should be clear early on that this is not a speech about Brexit or an exploration of the UK’s possible post-Brexit data protection framework.

In a pre-election period, and with the need to adhere to the guidance on purdah, I hope you will understand that I am not in a position to speculate about the post-Brexit environment, nor indeed to comment on proposals in political party manifestos.

I apologise in advance if there are questions, or elements of the panel discussion, where I am limited by the caution that purdah requires.

What we can safely say however, is that one way or another, GDPR is going to be an important part of the global data protection landscape over the years ahead, with great relevance to UK organisations, the public and their data.

Fit for the digital age

The moment at which GDPR takes effect in the UK on 25 May 2018 will of course mark a change. In delivering legislation fit for the digital age GDPR confers new rights and responsibilities and organisations need to be working now to prepare for them.

I assume that this audience has a familiarity with the core features of GDPR and the key requirements it places on organisations. I hope you have already deployed our ’12 steps to take now’ guidance and our ‘Overview to GDPR’ and that you are drawing on our wider resources.

One consistent feature of our outreach with organisations is a high demand for granular guidance – often people will say to us: “tell us what we need to do”.

We are working at pace to produce detailed guidance, both at national level but also European level guidance produced by the Article 29 EU Working Party to which we are making a major contribution.

I will flag up some particular pieces of guidance in a minute, and the pipeline of guidance will continue to flow.

But I urge you not to wait, nor to take a reactive approach to your GDPR preparations, motivated solely by a mindset of compliance or risk management.

Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law.

Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong.

Transparency and accountability

It can be boiled down to two words: “transparency” and “accountability”.

Being clear with individuals how their personal data is being used.

And placing the highest standards of data protection at the heart of how you do business.

An issue for the boardroom

That means this is an issue for board level, whatever the size of your business.

Not least because under GDPR the regulator wields a bigger stick. For the most serious violations of the law, the ICO will have the power to fine companies up to twenty million Euros or four per cent of a company’s total annual worldwide turnover for the preceding year.

And as we’ve seen in well-publicised examples the cost to business of poor practice in this area goes above and beyond any fine we can impose. Losing your consumers’ trust could be terminal for your reputation and for your organisation.

We would all prefer a win-win outcome. A model where organisations take an approach to data protection which earns the trust of consumers in a more systematic way. And where that trust translates into competitive advantage for those who lead the charge.

Nowhere does that feel more relevant than for your sector.

GDPR and the tech sector

The UK tech industry is at the forefront of our vibrant digital economy, changing how we live our lives and offering huge potential for positive change and wide social benefit.

Data is the fuel that powers that economy and tech companies are involved at every level.

GDPR is a response to this evolving landscape, building on previous legislation but bringing a 21st century approach and delivering stronger rights in response to the heightened risks.

The right of an individual to be informed about use of their data; their right to access their information and move that information around; the right of rectification and erasure of data where appropriate; the right to remove consent; and the right to enable automated decisions to be challenged.

Good practice tools that the ICO has championed for a long time – such as privacy impact assessments and ensuring privacy by design – are now legally required in certain circumstances.

The ICO covers privacy impact assessments in its existing Privacy by Design guidance and the European Article 29 Working Party has also issued draft guidelines.

Being transparent and providing accessible information to individuals about how you will use their personal data is another key element of the new law and our privacy notices code of practice is GDPR-ready.

Increased responsibilities for data processors are another feature. Data processors, companies using personal data on behalf of others, will have specific legal obligations to maintain records of personal data and processing activities.

Data breach reporting will also change under the GDPR. You’ll be obliged to notify the ICO, within 72 hours, of a breach where it is likely to result in a risk to the rights and freedoms of individuals.

The widespread availability of personal data on the internet and advances in technology, coupled with the capabilities of big data analytics mean that profiling is becoming a much wider issue.

People have legitimate concerns about surveillance, discrimination and the use of their data without consent.

Data protection can be challenging in a big data context and some types of big data analytics, such as profiling, can be intrusive.

We explore many of these issues in detail in our recently updated paper on big data, artificial intelligence, machine learning and data protection.

We’ve also recently published a consultation paper on profiling under GDPR to which TechUK has responded. We’ll be using this to feed into the European Article 29 Working Party guidelines.

Harnessing the benefits of big data, AI and machine learning, as it relates to healthcare for example, will be sustained by upholding the key data protection principles and safeguards set out in GDPR.

Whilst the means by which personal data is processed are changing, the underlying issues remain the same. Are people being treated fairly? Are decisions accurate and free from bias? Is there a legal basis for the processing? These will remain key questions for us as a regulator under GDPR as they have been under the DPA.

The GDPR is a principles based law well equipped to take on the challenges of 21st century technology.

It aims to be flexible – protecting individuals from harm while enabling you to innovate and develop services that consumers and businesses want.

Data analytics

As data becomes the fuel powering the modern economy, so it becomes a key element of many of the debates in modern society.

Take the announcement last week by Elizabeth Denham of her opening of a formal investigation into the use of data analytics for political purposes.

Given the big data revolution I have mentioned it is understandable that political campaigns are exploring the potential of advanced data analysis tools to help win votes. The public have the right to expect that this takes place in accordance with the law as it relates to data protection and electronic marketing.

This is a complex and rapidly evolving area of activity and the level of awareness among the public about how data analytics works, and how their personal data is collected, shared and used through such tools, is low.

What is clear is that these tools have a significant potential impact on individuals’ privacy. It is important that there is greater and genuine transparency about the use of such techniques to ensure that people have control over their own data and the law is upheld.

We will provide an update on that investigation later in the year.

Rising to the challenge

I’ve talked about some of the challenges and opportunities GDPR brings for organisations. Likewise it is a moment for us at the ICO to reflect on how we do our work.

Clearly there are practical aspects such as preparing for a higher volume of activity given enhanced breach notification requirements.

But we are thinking more widely than that.

One example, again with particular relevance for the tech sector, is how we might be able to engage more deeply with companies as they seek to implement privacy by design.

How we can contribute to a “safe space” where companies can test their ideas. How we can better recognise the circular rather than linear nature of the design process.

Separate but related we need to become more comfortable about recognising good practice and drawing on exemplars.

We should be able to find ways to give credit where credit is due without that translating into a free pass for an individual organisation or practice. GDPR explicitly foresees wider use of tools such as codes of conduct and certification schemes, which potentially have an important role to play.

To deliver on the above and more broadly we also need to build our own tech know-how and capability. We are working on a new Technology Strategy which will outline our means of adapting to rapid technological change as it impacts information rights.

We are also committed to exploring innovative and technologically agile ways of protecting privacy.

And of course we need to exercise global reach and influence. Effective protection of the UK public’s personal information becomes increasingly complex as data flows across borders.

The ICO will continue to develop and deepen effective relationships with our international partners, reacting to changes in the global regulatory environment.

These goals among others feature in our new Information Rights Strategic Plan, being launched today by Elizabeth Denham, which sets out the ICO’s plan for the coming four years.

The tech sector will be a priority for our engagement as we look to seize these opportunities set out in the strategy.

Conclusion

With 12 months to go until GDPR takes effect in the UK, I hope I have offered a brief insight into some of the implications and impacts of GDPR on UK businesses.

I hope I have also signposted key actions you should be taking and key tools on which you can draw to rise to the challenge.

GDPR brings big changes, important changes. But GDPR is an evolution of the existing rules, not a revolution.

And as I said at the outset it is also a mirror of the changes in the practices and environment it seeks to regulate.

It is not GDPR which is pushing data protection up the public, political and media agenda. It is the changing nature of the world in which we live, and the ubiquity of data, which is causing society to reflect on the consequences for our personal information and for privacy itself.

You are at the heart of that change. Your response to the challenges and opportunities of GDPR will set a marker for other sectors.

You have a major stake in the enterprise of increasing data trust and confidence among the UK public. By putting the individual in genuine control of their own data you can help achieve that goal, delivering benefits for your consumers, your business and society as a whole.

Thank you.

ICO statement on recent cyber attacks on the NHS

The ICO has released the following statement concerning the recent cyber attacks on the NHS:

“All organisations are required under the Data Protection Act to keep people’s personal data safe and secure.

“Following the news on Friday afternoon that many organisations had been the subject of a cyber attack, the ICO made contact with both NHS Digital and the National Cyber Security Centre (NCSC).

“Our enquiries will continue this week and we note that NHS England have said they have no evidence that patient data has been accessed.

“Any appropriate next steps for the ICO will be decided once these initial enquiries are complete.

“The ICO has published a useful blog on how to prevent ransomware attacks.”

VMware Infographic – Are you ready to tackle the security risks facing your business

Cyber-screening: Putting security on the M&A agenda

This is a contributed piece by Brian Pennington, regional sales director, EMEA for Coalfire

From financial institutions such as Tesco Bank to tenured technology giants like Yahoo, it seems that no one is impervious to the mounting sophistication of cyber attacks. And in the case of the latter, these attacks pose more of a threat than just the compromising of user data. As a result, businesses need to seriously think about the hidden issues that a cyber-security breach can cause to a merger and acquisition (M&A) deal.

2016 was a big year for cybersecurity. From discussions pertaining to foreign infiltration in the US election to some of the largest scale cyber attacks ever witnessed, questions around the global state of cybersecurity dominated the media. As a result, there are increasing needs, demands and pressures for purchasing companies in M&A deals to calculate and identify cybersecurity weaknesses and breaches in the companies they intend to buy.

With so many moving parts involved in a large-scale M&A, it is easy to overlook the cyber security element. With contracts, staffing, and a lot of legal frameworks to be worked through, cyber security can quickly fall down the list of priorities. This, though, can be a big flaw: once a data breach is found – even if it took place years before an acquisition was even planned – the purchasing company can be held responsible and consequently suffer the penalties and charges that come from this.

These ticking time bombs can then go off, wiping millions or even billions off the value of an acquisition. For those that have spent time engineering the deal, it can turn a career defining moment into a nightmare. Having completed the deal, the people that should have been held accountable can, in fact, head off into the sunset, without needing to worry about what might happen next.

The modern-day M&A

One recent example of how a good deal can turn sour very quickly can be seen in Verizon’s deal to buy Yahoo. Having agreed to buy Yahoo for $4.8 billion, Verizon soon found out that all was not what it may have seemed as two large, successful and separate cyber attacks were announced to the public. With one billion accounts having been compromised in the largest of the attacks, Yahoo now has the unenviable title of suffering the largest cyber-attack ever recorded. Following this news, it was widely reported that Verizon may seek to have $1 billion removed from the sale price for Yahoo.

With large hacks such as these making headline news across the globe, PR and marketing teams at Yahoo will be springing into action to save as much of the company’s reputation as possible. Having established itself as a world-renowned and recognised internet brand, Yahoo is in serious danger of becoming synonymous with cyber hacks and data breaches.


The price you pay

Brand reputations are not the only area that can take a blow following a cyber-attack. The financial impact of a data breach can easily spiral into large sums of money, with some estimates placing the average cost to a company at $221 per stolen record in the US. If this applied to the smallest of Yahoo’s reported attacks the total would still be over $100 billion, or close to the market capitalisation of MasterCard! To make matters even worse, a company’s share price often nosedives after a breach, with the likes of TalkTalk taking a hit of 20% off its share price in the months after its widely broadcast cyber-attack. It is quite clear that forgoing cybersecurity checks can cost businesses billions financially and make a once priceless brand name completely worthless.

So how can businesses empower and protect themselves from a cyber-attack when considering a potential M&A? Well, there are three steps that can help protect the investment:

  • Audit potential breaches: Carrying out a risk audit of potential breaches, assessing both the societal and financial factors that might increase the likelihood of becoming a cyber-target will help M&A analysts calculate whether the eventual acquisition is cost effective.
  • Regulatory industry standards: Companies within certain industries are obliged to maintain a secure environment that will mitigate risk of cyber-attacks and protect user data. For instance, Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information do so in a secure fashion. Ensuring that potential purchases are compliant with these standards is essential in M&A deals.
  • Seek expert help: Cyber security systems are complex and require in-depth knowledge and understanding of how to navigate them safely and effectively, without compromising existing structures. It is therefore highly recommended that M&A analysts enlist the help of cybersecurity consultants to advise them on the suitability of a potential purchase.

Cyberpolitics and societal security

As cyber criminals and their crimes become ever more complex and dangerous, it is in the best interests of the purchasing company during an M&A to calculate and identify cyber security weaknesses and breaches in the business they intend to buy. Furthermore, brands need to start planning earlier in the M&A process to carry out a full cyber security due diligence investigation and report to assess the dangers of a hack. Carrying out a full cyber risk assessment as part of an M&A not only lessens the financial impact on a deal but also ensures that a business’s reputation remains intact too.

Next time you are planning an M&A it is vital to get the experts in to ensure there are no hidden surprises from large cyber attacks. Working with cybersecurity experts to assist the M&A department could truly be the difference between disaster and prosperity in years to come.

Originally published by IDG Connect here.


Forrester predicts the Top 15 Dynamics that will shape 2017

“2017 will be a year of action for many companies, as they address the realities of a fast-moving customer-led and digital-centric market,” said Cliff Condon, chief research and product officer at Forrester.

“Empowered customers are forcing the hand of virtually every industry. And so the question for most companies and business leaders is not if they will respond to these market dynamics, but when and how. Inaction presents immediate revenue risk or, much worse, a threat to a company’s existence.”

The top 15 dynamics that will shape 2017 are:

  1. The extent to which businesses will need to restructure to adapt to a customer-led market.
  2. How and how many CMOs can successfully evolve to meet new and expansive leadership demands.
  3. The likelihood that CIOs will rise to the challenge of leading digital business strategies.
  4. How CEOs will handle business unit and product leadership in a market dominated by empowered customers and disruptors.
  5. How transitional roles like chief data officer, chief digital officer, and chief customer officer will fare.
  6. How businesses will react to acute cyber risk to maintain customer trust.
  7. Determining the scarce but critical talent required to lead in the age of the customer and how that will place significant pressure on both talent management and talent acquisition.
  8. Identifying new levels of revenue risk directly attributed to underperforming or even mediocre customer experiences.
  9. The extent to which companies are able to measure and operationalize emotion, which continues to be a primary driver of customer affinity and spend.
  10. How companies are designing signature moments to capture customers’ hearts, minds, and spend.
  11. The beginnings of a new technology revolution that will reshape how businesses operate and interact with customers.
  12. The role augmented reality and virtual reality will play in 2017 and where both are in their evolution.
  13. The implementation and impact of the internet of things in 2017.
  14. The impact and evolution of artificial intelligence to deliver contextually rich, personalized experiences.
  15. The next steps in cloud computing to change the architecture and economics of technology.

To gain more insights on the dynamics that will shape 2017, download Forrester’s predictions guide.


100 Percent of Retailers Disclose Cyber Risks

According to BDO’s analysis of risk factors listed in the most recent 10-K filings of the 100 largest U.S. retailers, risk associated with a possible security breach was cited unanimously by retailers, claiming the top spot, up from the 18th spot in 2007.

Since major retail security breaches began making national headlines in 2013, retailers have become acutely aware of the growing cyber threat and cyber-related risks. Between new point-of-sale systems and evolving digital channels, the industry faces unique vulnerabilities: Retailers are responsible for safeguarding consumer data as well as their own, in addition to protecting against potential gaps in security related to third-party suppliers and vendors.

“2016 marks the 10th anniversary of our retail risk factor analysis, and throughout the decade, we’ve seen the retail landscape undergo a dramatic evolution in response to the recession, new and maturing e-commerce channels and evolving consumer preferences,” said Doug Hart, partner in BDO’s Consumer Business practice. “Retailers over the years have proven to be in tune with the industry-wide issues and trends that could pose risks to their businesses, and they are clearly not tone deaf when it comes to reacting to the urgency of cybersecurity.”

The following table ranks the top 20 risk factors cited by the 100 largest U.S. retailers. Each cell gives the rank for that year and the percentage of retailers citing the risk; “t” marks a tie.

Risk factor | 2016 | 2015 | 2014
General Economic Conditions | #1, 100% | #1, 100% | #1, 100%
Privacy Concerns Related to Security Breach | #1t, 100% | #4t, 99% | #8, 91%
Competition and Consolidation in Retail Sector | #3, 98% | #1t, 100% | #3, 98%
Federal, State and/or Local Regulations | #4, 96% | #1t, 100% | #2, 99%
Natural Disasters, Terrorism and Geo-Political Events | #5, 94% | #7, 96% | #13, 87%
Implementation and Maintenance of IT Systems | #6, 93% | #4, 99% | #7, 92%
U.S. and Foreign Supplier/Vendor Concerns | #6t, 93% | #6, 98% | #4, 96%
Legal Proceedings | #6t, 93% | #9t, 95% | #8t, 91%
Labor (health coverage, union concerns, staffing) | #9, 91% | #7t, 96% | #5, 94%
Impediments to Further U.S. Expansion and Growth | #10, 90% | #12t, 92% | #17, 78%
Dependency on Consumer Trends | #11, 88% | #9, 95% | #6, 93%
Consumer Confidence and Spending | #12, 87% | #15, 89% | #8t, 91%
Credit Markets/Availability of Financing and Company Indebtedness | #13, 85% | #11, 94% | #11, 89%
Failure to Properly Execute Business Strategy | #14, 82% | #12, 92% | #11t, 89%
Changes to Accounting Standards and Regulations | #15, 76% | #14, 90% | #13t, 87%
International Operations | #16, 73% | #17, 86% | #15, 80%
Loss of Key Management/New Management | #16t, 73% | #19, 80% | #16, 79%
Marketing, Advertising, Promotions and Public Relations | #18, 66% | #25, 68% | #24, 64%
Consumer Credit and/or Debt Levels | #19, 62% | #27, 65% | #23, 65%
Joint Ventures | #20, 61% | #21, 76% | #18, 74%

Additional findings from the 2016 BDO Retail Risk Factor Report:

Cyber Risks Include Compliance Measures

As the cyber threat looms larger, retailers are bracing for new and emerging cybersecurity and data privacy legislation. Risks associated with cyber and privacy regulations were cited by 76 percent of retailers this year. This is in line with the findings from the 2016 BDO Retail Compass Survey of CFOs, in which nearly 7 in 10 retail CFOs said they expected cyber regulation to grow in 2016. These concerns have been highlighted by President Obama’s recently unveiled Commission on Enhancing National Cybersecurity and continued debate in Congress over information sharing between the government and private industry.

Retailers have not escaped scrutiny from the card industry either. Merchants are subject to the Europay, Mastercard and Visa (EMV) chip standards, which strengthen card authentication and authorization at the point of sale; since the Oct. 1, 2015 liability shift, a merchant that has not deployed EMV-capable terminals bears the cost of counterfeit-card fraud that a chip transaction would have prevented. Industry analysts estimate that just 40 percent of retailers were EMV compliant despite that deadline.

“Mandating EMV chip-compliant payment systems is an important first step in shoring up the industry’s cyber defenses, but it’s just the tip of the iceberg,” said Shahryar Shaghaghi, National Leader of the Technology Advisory Services practice group and Head of International BDO Cybersecurity. “Online and mobile transactions remain vulnerable to credit card fraud and identity theft, and POS systems can still be hacked and provide an access point to retailers’ networks. New forms of malware can also compromise retailers’ IT infrastructure and disrupt business operations. Every retailer will experience a data breach at some juncture; the real question is what mechanisms have been put in place to mitigate the impact.”

E-Commerce Ubiquity Drives Brick & Mortar Concerns

Impediments to e-commerce initiatives also increased in ranking, noted by 57 percent of retailers in 2016, a significant contrast from 12 percent in 2007. In 2015, e-commerce accounted for 7.3 percent of total retail sales and is continuing to gain market share.

As e-commerce grows and businesses strive to meet consumers’ demand for seamless online and mobile experiences, retailers are feeling the effects in their physical locations. The recent wave of Chapter 11 bankruptcies and mass store closings among high-visibility retailers has raised concerns across the industry. Ninety percent of retailers are worried about impediments to growth and U.S. expansion this year. Meanwhile, risks associated with owning and leasing real estate jumped 14 percentage points to 54 percent this year.

Heightened worries over the impact of e-commerce on physical locations are far reaching, driving concerns over market competition for prime real estate and mall traffic to rise 19 percentage points to 46 percent. Meanwhile, consumer demand for fast shipping fueled an uptick in risks around the increased cost of mail, paper and printing, rising 10 percentage points from seven percent in 2015 to 17 percent this year.

General Economic Conditions Hold Weight

General economic risks have been consistently top of mind for retailers throughout all ten years of this survey. Even at its lowest percentage in 2008, this risk was still the second most cited, noted by 83 percent of companies.

Although general economic conditions have remained tied for the top risk since 2013, concerns about specific market indicators have receded.

For more information on the 2016 BDO Retail RiskFactor Report, view the full report here.

About the Consumer Business Practice at BDO USA, LLP

BDO has been a valued business advisor to consumer business companies for over 100 years. The firm works with a wide variety of retail and consumer business clients, ranging from multinational Fortune 500 corporations to more entrepreneurial businesses, on myriad accounting, tax and other financial issues.

Demystifying 9 Common Types of Cyber Risk

Abstract Forward Consulting

1)       Crimeware
This is designed to fraudulently obtain financial gain from either the affected user or third parties by emptying bank accounts, trading confidential data, etc. Crimeware most often starts with advanced social engineering, which results in disclosed information that leads to the crimeware being installed via programs that run on botnets: zombie computers in distant places used to hide the fraudster’s IP (Internet Protocol) trail. Usually the victim does not know they have crimeware on their computer until they start to see strange bank charges or the like, or an IT professional points it out to them. Often it masquerades as fake but real-looking antivirus software demanding your credit card information, in an effort to then commit fraud with that information.

2)       Cyber-Espionage
The term generally refers to the deployment of viruses that clandestinely observe or destroy data in the computer systems of government agencies and…


Over 35% of organisations in the energy sector are not able to track threats

Tripwire 2016 Energy Survey: Physical Damage

Tripwire’s 2016 energy study was conducted by Dimensional Research on the cyber security challenges faced by organizations in the energy sector. The study was carried out in November 2015, and respondents included over 150 IT professionals in the energy, utilities, and oil and gas industries.

“After hundreds of years protecting our nation’s geographic borders, it is sobering to note that possibly the most vulnerable frontier happens to be the infrastructure that runs the largest companies in the country.”

Rekha Shenoy, VP and general manager of industrial IT cyber security for Belden

The survey asked three questions (the response charts are images in the original post):

  • Does your organization have the ability to accurately track all the threats targeting your OT networks?
  • In your opinion, is your organization a target for a cyberattack that will cause physical damage?
  • Is your organization a potential target for a nation-state cyberattack?

“The incredibly high percentages of these responses underscore the need for these industries to take material steps to improve cyber security. These threats are not going away. They are getting worse. We’ve already seen the reality of these responses in the Ukraine mere months after this survey was completed. There can be no doubt that there is a physical safety risk from cyber attacks targeting the energy industry today. While the situation may seem dire, in many cases there are well understood best practices that can be deployed to materially reduce the risk of successful cyber attacks.”

Tim Erlin, director of IT security and risk strategy for Tripwire

More fines next year for nuisance call companies

Companies making nuisance calls have been warned to expect more fines in 2016.

The ICO imposed more than a million pounds’ worth of penalties for nuisance calls and text messages in 2015, with the same amount in the pipeline for early 2016.

The fines included:

  • £295,000 of fines for companies offering call blocking or nuisance call prevention services
  • An £80,000 fine to a PPI claims firm that sent 1.3 million text messages
  • A £200,000 fine to a solar panels company that made six million nuisance calls
  • A £130,000 fine to a pharmacy company that was selling customer details to postal marketing companies

Total fines related to nuisance marketing in 2015:

  • £400,000 fines for nuisance texts (Help Direct UK Ltd; Oxygen Ltd; UKMS Money Solutions Ltd)
  • £575,000 fines for nuisance calls (Direct Assist Ltd; Point One Marketing Ltd; Cold Call Elimination Ltd; Home Energy & Lifestyle Management Ltd (HELM); Home Energy & Lifestyle Management Ltd; Nuisance Call Blocker Ltd; Telecom Protection Service Ltd)
  • £130,000 fine for selling customer records for marketing (Pharmacy 2U Ltd)
  • £30,000 fine for sending marketing email (Telegraph Media Group Ltd)

Total: £1,135,000. 

Andy Curry, ICO Enforcement Group Manager, said:

“Nuisance marketing calls frustrate people. The law is clear around what is allowed, and we’ve been clear that we will fine companies who don’t follow the law. That will continue in 2016. We’ve got 90 ongoing investigations, and a million pounds’ worth of fines in the pipeline.”

The ICO received around 170,000 concerns in 2015 from people who’ve received nuisance calls and texts, a similar number to the previous year (2014: 175,330). PPI claims prompted the most complaints, followed by accident claims. Areas identified as emerging sectors for nuisance calls and texts included call blocking services, oven cleaning services and industrial hearing injury claims.

The following complaints show the level of distress that such calls can cause:

Telecom Protection Service:

“I was recovering from major surgery at the time and the call caused me distress. The caller was very smooth talking and did not make it clear that he was selling a commercial service that was nothing to do with the TPS. The call was frankly misleading.”

HELM:

“I am receiving daily updates regarding a friend in hospital, and am expecting the worst. When these calls come in I expect it to be from the hospital.”

Cold Call Elimination:

“This company has ‘conned’ my mother out of £84.99 for an unnecessary service … my parents are 87 and 86 respectively; my father is suffering from dementia.”

“I am looking after my elderly mother who has terminal cancer. She initially answered and I could see I needed to intervene as I could hear the sales guy not giving up. I took the phone and asked him who he was and what he wanted. He got quite annoyed that I had intervened and I told him we were not interested.”

Point One Marketing:

“Very upset and angry that my mum, who has dementia, was talked into giving credit card details when it would have been obvious to the caller that she had dementia. This caused my mum distress because I had to explain why her debit card had to be cancelled and what she had done. This has caused both of us great distress. Had I not checked her call log and … the number that had called her I would not have known it had happened at all.”

Utilities Oil Gas Risk Infograph

How to Hack a Car – an infograph

How a Car Hack Attack Is Happening [Infographic]


Originally posted on Coinspeaker, here.

2015 Best & Worst Tourist Attractions for Mobile Security

Skycure collects data lakes of threat intelligence about the multiple layers of mobility, including device-level, app-level and network-level intelligence, which is beyond the reach of traditional mobile security tools.

Types of Attacks

The most frequent threat that we identified at the Top 15 Danger Destinations was a WiFi-based attack called SSL decryption, which allows cyber criminals to capture personal and work information (such as mobile banking logins/passwords and corporate credentials). SSL stripping was the other common attack; it allows attackers to downgrade HTTPS URLs to non-secure HTTP URLs. These attacks are generally hard for users to detect, as the attackers keep them believing that their session is secure.
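The downgrade works because the attacker sits between the victim and the hotspot: it keeps a genuine TLS session open to the real server, but hands the victim rewritten pages in which every https:// link has become http://, so the victim’s next request, password included, crosses the WiFi in cleartext. The example below is added here and is not Skycure’s code or part of the original post. It simulates that rewrite on a constructed login page and shows the client-side defence that makes it fail: an HSTS store of hosts the client already knows must be HTTPS-only. The page, the host names (bank.example, cdn.example) and the store contents are all hypothetical.

```python
"""Added example: how an SSL-stripping MITM rewrites a page, and how a
client that honours HSTS refuses the downgrade. Not from the Skycure report."""
import re
from urllib.parse import urlparse

# Constructed sample page, as the origin server sends it over HTTPS.
# Hosts and paths are hypothetical.
SERVER_HTML = """<html><body>
<a href="https://bank.example/login">Log in</a>
<form action="https://bank.example/transfer" method="post"></form>
<script src="https://cdn.example/app.js"></script>
<a href="http://bank.example/help">Help (already plain)</a>
</body></html>"""

URL_ATTR = re.compile(r'(?:href|action|src)="([^"]+)"', re.IGNORECASE)


def extract_urls(html: str) -> list[str]:
    """All href/action/src URLs in document order."""
    return URL_ATTR.findall(html)


def strip_tls(html: str) -> str:
    """What an SSL-stripping MITM does to a page on its way to the victim:
    every https:// URL becomes http://, so the victim's next request leaves
    the device in cleartext; the attacker re-upgrades it towards the server."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


# Hypothetical HSTS store, as a browser keeps it after seeing a
# Strict-Transport-Security header on an earlier visit:
# host -> includeSubDomains flag. Real browsers also ship a preload list.
# cdn.example is deliberately absent to show the limit of the protection.
HSTS_STORE = {"bank.example": True}


def hsts_covers(host: str, store: dict[str, bool] = HSTS_STORE) -> bool:
    """True if host has an HSTS entry, or a parent domain has one with
    includeSubDomains set."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in store and (i == 0 or store[parent]):
            return True
    return False


def resolve(url: str, store: dict[str, bool] = HSTS_STORE) -> str:
    """Apply the HSTS rule a browser applies before any request leaves:
    a plaintext URL for a covered host is rewritten to https:// regardless
    of what the (possibly tampered) page said."""
    p = urlparse(url)
    if p.scheme.lower() == "http" and hsts_covers(p.hostname or "", store):
        return "https://" + url[len("http://"):]
    return url


def suspicious_downgrades(received_html: str,
                          store: dict[str, bool] = HSTS_STORE) -> list[str]:
    """Detection heuristic: plaintext URLs pointing at hosts the client knows
    must be HTTPS-only. On a stripped page these are exactly the links the
    attacker rewrote (plus any the site itself left unencrypted)."""
    flagged = []
    for u in extract_urls(received_html):
        p = urlparse(u)
        if p.scheme.lower() == "http" and hsts_covers(p.hostname or "", store):
            flagged.append(u)
    return flagged


if __name__ == "__main__":
    stripped = strip_tls(SERVER_HTML)
    for u in extract_urls(stripped):
        print(f"{u:35} -> {resolve(u)}")
    print("flagged as downgraded:", suspicious_downgrades(stripped))
```

resolve() upgrades every bank.example link no matter what the received page says, so the stripped request for the login form is never sent in the clear. cdn.example, which is not in the store, stays downgraded. That is the caveat: HSTS only protects hosts that set the header on a previous visit or are on the browser’s preload list, and a first visit to a site over hostile WiFi is still exposed, which is why the travel advice below starts with not joining “Free WiFi” at all.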

iOS vs. Android

In a separate analysis that reviewed worldwide Skycure Threat Intelligence data, researchers found that on average, mobile devices are more than 25% likely to expose personal and corporate data to a network attack on a monthly basis. The research also found that while iOS devices/users connect to many more WiFi network access points (probably because of automated hotspot connections, usability and being used more often in work environments than Android devices), Android devices/users connect to more malicious ones. This was a little surprising to us as well and we have a few theories on why that might be the case:

  1. User Behavior: Android users are generally more tech-savvy and their comfort level to connect to “never-seen-before” networks is a bit higher than iOS users.
  2. Data Plans: Android users tend to choose from a greater range of carrier plans that are more economical but may have smaller data limits. Not wanting to incur fees for going over their data plans, Android users may be more likely to voluntarily connect to “Free” WiFi hotspots.

The study found that a massive 8% of the total reported threats originated from a WiFi network with “Free” in its name.

Safety Tips for Travelers: Here are a few quick tips for mobile users traveling to high-risk destinations:

  1. Avoid “Free WiFi” networks.
  2. Update your device to the most current operating system.
  3. Read the warnings on your device and don’t click “Continue” if you don’t understand the exposure.
  4. Disconnect from the network if your phone behaves strangely (e.g. frequent crashes) or you receive a warning notification.
  5. Protect your device with a mobile security app like Skycure.


Over 17% of documents in Office 365 contain sensitive data

Skyhigh Networks has released the industry’s first Office 365 Cloud Adoption and Risk Report. The report analyses use of Office 365 across more than 21 million employees and found that 87.3% of enterprises have adopted Microsoft cloud-based services including Word, Excel, PowerPoint, Exchange Online, OneDrive and SharePoint Online.

The new Office for Windows 10 universal apps require an Office 365 subscription, which should drive massive adoption of OneDrive and SharePoint Online. The Skyhigh Office 365 Cloud Adoption and Risk Report highlights that Office 365 has already established a foothold in a majority of enterprises and provides a benchmark for future growth.

Office 365 Landscape in the Enterprise

  • 87.3% of organizations have at least 100 employees using Office 365
  • 93.2% of employees are still using Microsoft on-premise solutions.

This finding suggests that while Office 365 has tremendous traction in enterprises, it is in the early innings and there is a massive opportunity ahead to transition all employees to Office 365.

Office 365 Landscape between Enterprises

The average large organization collaborates with 72 business partners on Office 365. Top industries collaborating with partners via Office 365 are high-tech, manufacturing, energy, financial services and business services, respectively. This makes Office 365 one of the top “collaboration” services connecting businesses to each other.

Office 365 Houses Valuable Data

  • 1.37 terabytes of data are uploaded to Office 365 each month by the average organization, equivalent to approximately 1 billion Word documents.
  • 17.4% of documents in Office 365 contain sensitive data
  • 4.2% of documents contain personally identifiable information (PII) such as social security numbers, phone numbers and home addresses
  • 2.2% contain protected health information
  • 1.8% contain payment data including credit card and bank account numbers
  • 9.2% contain corporate data such as financial statements, business plans and source code, the largest share of the sensitive data stored in Office 365 (the four categories together account for the 17.4% above)

Perhaps the most shocking of the report’s findings was that enterprises have an average of 143 files in Office 365 with “password” in the filename.

Increasing Need for Cloud Security

While Microsoft offers security for its cloud-based services, many enterprises require an additional layer of protection for corporate data in Office 365.

“It’s important to strike a balance between what tools and services you provide your employees and what security controls to have around those services to track data and manage confidential information,” said Tim Topkins, Senior Director of Security Innovation at Aetna. “Companies should look for solutions that make the secure path the easy path. A frictionless approach to visibility, compliance, data security and threat detection on top of a service in demand like Office 365 creates a secure and productive workforce.”

85,000 new malicious IPs are launched every day

The Webroot 2015 Threat Brief reveals that 85,000 new malicious IPs are launched every day, and the top phishing targets are technology companies and financial institutions.

Key findings from 2015 Threat Brief include:

  • The United States accounts for 31% of malicious IP addresses, followed by China with 23% and Russia with 10%. Overall, half of malicious IP addresses are based in Asia.
  • The average reputation score of all URLs is 65%. Surprisingly, some categories that might be assumed suspicious or unwanted due to their nature are relatively reputable. For example, URLs tied to Cheating (85%), Hate and Racism (82%), Violence (77%), Adult and Pornography (65%), and Nudity (65%) are relatively reputable when compared to the average scores.
  • There is a 30% chance of Internet users falling for a zero-day phishing attack in the course of a year, and there was an over 50% increase in phishing activity in December 2014. This is most likely due to the holiday season.
  • On average, there are nearly 900 phishing attempts detected per financial institution, but over 9,000 attempts detected per technology company. Top five technology companies impersonated by phishing sites are: Google, Apple, Yahoo, Facebook and Dropbox.
  • When evaluating phishing sites by country, the United States is by far the largest host of phishing sites, with over 75% of sites being within its borders.
  • On average, only 28% of apps on the Android platform were trustworthy or benign, down from 52% in 2013; nearly 50% were moderate or suspicious, and over 22% were unwanted or malicious. Trojans make up the vast majority of malicious threats, averaging 77% for 2014.

“Webroot has seen a continued rise in the number of malicious URLs, IP addresses, malware, and mobile applications used to enable cybercriminals to steal data, disrupt services, or cause other harm,” said Hal Lonas, chief technology officer at Webroot. “With more breaches at major retailers, financial institutions and technology companies in the headlines and scores of other, smaller breaches in 2014, the trend shows no signs of slowing down. The Webroot 2015 Threat Brief highlights the need for highly accurate and timely threat intelligence to help organizations assess the risk of incoming data, reduce the volume of security incidents, and accelerate response to successful attacks.”

2014 also brought an increase in innovative techniques to infect PCs. Most notable was the discovery of Poweliks, a fileless infection that lived entirely in the Windows registry, with no file on disk, and used that foothold to deliver further payloads such as crypto-ransomware. Further, five new ransomware families and hundreds of variants were discovered, including the widely prevalent CTB-Locker/Critroni and CryptoWall 3.0. Each family introduced new social engineering techniques and added complexity to the encryption process.

The full report can be found here.
