Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Cyberattack

ICO statement on recent cyber attacks on the NHS

The ICO has released the following statement concerning the recent cyber attacks on the NHS:

“All organisations are required under the Data Protection Act to keep people’s personal data safe and secure.

“Following the news on Friday afternoon that many organisations had been the subject of a cyber attack, the ICO made contact with both NHS Digital and the National Cyber Security Centre (NCSC).

“Our enquiries will continue this week and we note that NHS England have said they have no evidence that patient data has been accessed.

“Any appropriate next steps for the ICO will decided once these initial enquiries are complete.

“The ICO has published a useful blog on how to prevent ransomware attacks.”

Over 35% of organisations in the energy sector are not able to track threats

Tripwire 2016 Energy Survey: Physical Damage

Tripwire’s 2016 energy study was conducted by Dimensional Research on the cyber security challenges faced by organizations in the energy sector. The study was carried out in November 2015, and respondents included over 150 IT professionals in the energy, utilities, and oil and gas industries.

“After hundreds of years protecting our nation’s geographic borders, it is sobering to note that possibly the most vulnerable frontier happens to be the infrastructure that runs the largest companies in the country.”

Rheka Shenoy, VP and general manager of industrial IT cyber security for Belden

Does your organization have the ability to accurately track all the threats targeting your OT networks?

tripwire-2016-energy-survey-physical-damage-

Does your organization have the ability to accurately track all the threats targeting your OT networks?

tripwire-2016-energy-survey-physical-damage- 2
In your opinion, is your organization a target for a cyberattack that will cause physical damage?
tripwire-2016-energy-survey-physical-damage- 3
Is your organization a potential target for a nation-state cyberattack?
tripwire-2016-energy-survey-physical-damage- 4
The incredibly high percentages of these responses underscores the need for these industries to take material steps to improve cyber security. These threats are not going away. They are getting worse. We’ve already seen the reality of these responses in the Ukraine mere months after this survey was completed. There can be no doubt that there is a physical safety risk from cyber attacks targeting the energy industry today. While the situation may seem dire, in many cases there are well understood best practices that can be deployed to materially reduce the risk of successful cyber attacks.

Tim Erlin, director of IT security and risk strategy for Tripwire

Internal Audit is having an ever increasing role in Cyber Security

According to a report by the Institute of Internal Auditors Research Foundation, cyber preparation at most organizations follows a classic bell curve.

Asked, for instance, how prepared their organizations would be to respond to a cyber-attack;

  • 29% of respondents said “extremely” or “very”
  • 44 % said “moderately”
  • 23% said “slightly” or an ominous “not at all”

As organizations increase spending on tech tools to address cyber risks, internal auditors are advocating a holistic approach that includes policies, response planning and board involvement to develop a broader view of an organization’s cyber risks and defences.

Helped by their understanding of organization controls and risk management, internal audit can bring various functions together and help them address cyber threats more effectively, the study says.

“Boards and audit committees also must … be kept up-to-date on technologies that not only can help meet business objectives, but also may make an organization more vulnerable to attack. When properly resourced and supported, internal audit will develop the skills and perspective to provide review and assurance services in this area,” the study says.

Key Components

The report identifies five key components to cyber risk management and says internal audit can play a key role in supporting each element:

  1. Protection: Internal audit can help organizations test security controls related to bring-your-own-device (BYOD) policies, review third-party contracts for compliance with security protocols, and perform IT governance assurance services.
  2. Detection: IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) study found that five in 10 respondents use data mining and data analytics for risk and control monitoring, as well as fraud identification. The cyber preparedness study says audit executives should partner with IT and information security pros to develop and monitor key risk indicators and validate security-related controls.
  3. Business Continuity: Just as they plan for natural disasters or other corporate crises, organizations have to develop plans to serve customers and other stakeholders during cyber-attacks. Internal audit can help provide enterprise-wide perspective and provide assurance about the expected effectiveness of response plans.
  4. Crisis Communications: Similar to response plans, it’s important to keep customers, shareholders, regulators and other interested parties informed during (and immediately after) a cyber breach.
  5. Continuous Improvement: If an organization experiences a cyber-attack, internal audit can play a valuable role in helping the organization assess the effects and outline strategies and protocols to defend against the next attack.

The study also suggests corporate boards increase their ability to assess and defend against cyber risks. This may involve recruiting board and committee members with cyber-related experience or expertise, or bringing in third-party security experts to educate board members about evolving cyber threats and governance practices.

The full article can be downloaded here.

Cyber Security a Major Threat for Metals Industry: Top Three Lessons for Executives

According to a report commissioned by the Metals Service Center Institute (MSCI), cyber security poses complicated threats for metals companies.

The report was compiled by graduate students at the Boeing Center for Technology, Information & Management (BCTIM) at the Olin School of Business at Washington University in St. Louis.

Other research has shown that cybercrimes are growing more common, more costly, and taking longer to resolve. According to the findings of the fifth annual Cost of Cyber Crime Study conducted by the respected Ponemon Institute the 2014 global study of U.S.-based companies found:

  • The average cost of cybercrime climbed by more than 9% to $12.7 million for companies in the United States, up from 11.6 million in the 2013 study
  • The average time to resolve a cyber-attack is also rising, climbing to 45 days, up from 32 days in 2013

With data breaches happening frequently, our members and all companies must be concerned about the safety of their data and honestly ask themselves if they are as well protected as they think they are,” said M. Robert Weidner, III, MSCI president and CEO. “The potential damage to the company is compounded by how long it would take to be up and running again and at what cost and the cost of lost revenue

These concerns and questions prompted MSCI to ask BCTIM to research the cyber security threat, specifically as it relates to the metals industry.

From the report, three key lessons for executives concerned or dealing with cyber security emerged:

  1. Cyber security efforts require C-suite support. Executives must be directly involved in the management of their company’s cyber risk, creating and implementing the processes and policies necessary. Little happens in this arena without the top executive pushing for and supporting change.
  2. The biggest risk to any size company is internal. Employees have access to critical information. That fact, coupled with a lack of proper cyber security policies, procedures and processes leads to vulnerabilities. An example: Most employees are not trained to detect email and phishing scams (the U.S. Steel and Alcoa breaches a few years ago were prompted by phishing scams).
  3. If a company is unsure about reducing their cyber security risk, the policies and procedures necessary and the next steps to take, they should get help from a specialized third part with the necessary expertise.

.

Information Security and Cyber Liability Risk Management – a 2014 survey

Advisen Ltd and Zurich have partnered for a fourth consecutive year on a survey designed to gain insight into the current state and on going trends in information security and cyber liability risk management. Invitations to participate were distributed via email to risk managers, insurance buyers and other risk professionals. The survey was completed at least in part by 507 respondents.

The majority of respondents classified themselves as either

  • Member of Risk Management Department (not head) (38%)
  • Chief Risk Manager/Head of Risk Management Department (33%)

Respondents with more than 20 years of risk management and insurance experience represented the largest group at 39% of the total, followed by 25% with between 11 – 20 years, 18% with 5 years or less, and 17% with between 6 – 10 years.

A summary of the survey is below.

Perception of Cyber Risks

Respondents’ perception of cyber risk is largely unchanged from last year with 88% considering cyber and information security risks to be at least a moderate threat to their organization. Respondents do however believe that board members and executive management are viewing cyber risks more seriously.

“In your experience, are cyber risks viewed as a significant threat to your organization by:”

  • 64% said “yes” for Board of Directors (54% in 2013)
  • 72% said “yes” for C-Suite Executives (6% in 2013)

Perception of risk varies based on size of business. Although studies have suggested that small companies are targeted as frequently, if not more so, than larger companies, as a group they continue to view cyber risks less seriously. In response to the question

How would you rate the potential dangers posed to your organization by cyber and information security risks?”

  • 81% of the smallest companies (revenues less than $250 million) consider cyber risks to be at least a moderate danger
  • 93% of the largest companies (revenue greater than $10 billion) consider them to be so.

Consistent with last year’s study, on a scale of one to five, with 5 as very high risk and 1 as very low risk, “damage to your organization’s reputation resulting from a data breach” is the biggest concern of respondents with 64% rating it a 4 or 5. This was closely followed by “incurring costs and expenses from a cyberattack” with 62%, and “privacy violation/data breach of customer records” with 61%.

In contrast, the exposure perceived as the least risky was “theft or loss of customer intellectual property” with 43% rating it a 1 or 2. This was followed by “business interruption due to customer cyber disruptions” with 33%, and “employment practice risk due to use of social media” with 32%.

Data Breach Response

Over the past year, huge and highly recognizable U.S. businesses have fallen victim to some of the largest data breaches in history. These breaches are proof that even those with the most sophisticated information security practices and infrastructures are vulnerable to a cyber-attack. Some suggest that corporate data breaches are no longer an “if” or even a “when” proposition, but rather “how bad” will the inevitable breach be. When a breach does occur, research suggests that organizations that have data breach response plans in place prior to a breach, fare much better than those who do not.

“Does your organization have a data breach response plan in the event of a data breach?”

  • 62% said yes
  • 14% said no
  • 24% did not know

“In the event of a data breach, which department in your organization is PRIMARILY responsible for assuring compliance with all applicable federal, state, or local privacy laws including state breach notification laws?”

  • IT – 38%
  • General Counsel – 21% received the highest percentage of the responses.

Information Security and Cyber Risk Management Focus

Consistent with the 2013 survey, 80% claim that information security risks are a specific risk management focus within their organization. Larger companies are slightly more likely to make it a focus with 83% of companies with revenues in excess of $1billion doing so, compared with 77% with revenues under $1billion. However, the 6% point difference between small and large companies is significantly less the 17% difference from a year ago.

The difference is even more significant when comparing the largest companies (revenues of $10 billion or greater) and the smallest companies (revenues of $250 million or less), with 92 % of the largest companies making information security a risk management focus compared with only 72% of the smallest companies.

For a second consecutive year, the percentage of respondents with a multi-departmental information security risk management team or committee has declined, 52% have an information security risk management team or committee which is down from 56% in 2013, and 61% in 2012. Although statistically still within the margin of error, this is a potential trend worth following. As in previous years, however, this varies materially based on the size of company with 58% of larger companies ($1billion in revenue or greater) claiming to have this team or committee compared to 42% of smaller companies (under $1billion in revenue).

The departments most likely to have representation on the information security risk management team are:

  • IT – 90%
  • Risk Management/Insurance – 73%
  • General Counsel – 63%
  • Compliance – 55%
  • Internal Audit – 47%
  • Treasury or CFO’s Office – 40%
  • Chief Privacy Officer – 36%
  • Marketing – 10%
  • Investor Relations – 6%
  • Sales – 5%
  • 9% Didn’t Know
  • 15% said Other
  • The most common write-in responses under “Other” were Operations and Security

The IT department is still acknowledged as the front line defense against information losses and other cyber liability risks. In response to the question “Which department is PRIMARILY responsible for spearheading the information security risk management effort?”

  • 69% responded IT
  • 11% Risk Management/Insurance
  • 5% responded Other. The most common other being Information Security

Social Media

Social media provides businesses with an array of benefits such as increasing brand awareness, promoting products, and providing timely support. It also exposes organizations to a degree of risk, such as the potential for reputational damage, privacy issues, infringing other intellectual property, and data breaches.

“Does your organization have a written social media policy?”

  • 74% responded yes
  • 17% no

Cloud Services

For a third consecutive year respondents were asked questions on cloud services. Thanks to its cost effectiveness and increased storage capacity, cloud services have become a popular alternative to storing data in-house. Warehousing proprietary business information on a third-party server, however, makes some organizations uncomfortable due to the lack of control in securing the information. Nonetheless, security concerns continue to be outweighed by the benefits.

“Does your company use cloud services?

  • 66% responded yes, up from 55% last year, and 45% in 2012.

“Is the assessment of vulnerabilities from cloud services part of your data security risk management program?”

51% responded yes – consistent with last year

Mobile Devices

“Does your organization have a mobile device security policy?”

  • 74 % said yes
  • 15 % said no
  • 13 % did not know

Larger companies continue to be more likely to have such a policy with

  • 82 % of large companies ($1 billion or greater) responding yes
  • 62 % of smaller companies ($1 billion or less).

The use of personal handheld devices for business purposes is increasingly preferred by employees and allowed by employers. These non-company controlled devices, however, are accessing proprietary corporate information and frequently exposing organizations to a higher degree of risk.

“Does your organization have a bring your own device (BYOD) policy?”

  • 47% responded yes which is consistent with last year’s response.

The Role of Insurance in Information Security and Cyber Risk Management

The upward trend in the percentage of companies purchasing cyber liability insurance plateaued in 2014.

“Does your organization purchase cyber liability insurance?”

  • 52% responded yes
  • 35% said no
  • 13% did not know

Of the respondents who purchase coverage

  • 32% have purchased it for less than two years
  • 47% between three and five years
  • 22% for more than five years
  • The percentage of companies who buy coverage for loss of income due to a data breach dropped slightly from 54 % in 2013 to 48 % this year.

Finally, respondents that do not currently purchase cyber insurance were asked “Are you considering buying this coverage in the next year?” 54% said yes. This was only a one percentage point increase from 2013.

The full survey can be found here.

The lack of live cyberthreat intelligence could be costing businesses millions

The 2013 Live Threat Intelligence Impact Report from the Ponemon Institute, sponsored by Norse reveals how 700+ respondents from 378 enterprises defines

  • What “live threat intelligence” is.
  • How global enterprises are using it defend against compromises, breaches and exploits;
  • The financial damage that slow, outdated and insufficient threat intelligence is inflicting on them.

The key findings were:

  • They spent an average of $10 million in the past 12 months to resolve the impact of exploits.
  • If they had actionable intelligence about cyberattacks within 60 seconds of a compromise, they could reduce this cost on average by $4 million (40%).
  • Those that have been able to stop cyberattacks say they need actionable intelligence 4.6 minutes in advance to stop them from turning into compromises.
  • 60% were unable to stop exploits because of outdated or insufficient threat intelligence.
  • Those not successful in detecting attacks believe 12 minutes of advanced warning is sufficient to stop them from developing into compromises.
  • 57% believe threat intelligence currently available to most companies is often too stale to enable them to grasp and understand the strategies, motivations, tactics and location of attackers.
  • Only 10% know with absolute certainty that a material exploit or breach to networks or enterprise systems occurred.

Other findings include:

  • 72% believe that in order to defend against an attack, it is important to essential to know the geo-location of attack sources.
  • 69% believe that future attacks are most likely to come from China, but 71% said they were seeing most of their current attacks originating in the U.S.
  • 57% of say Advanced Persistent Threats (APTs) are their greatest concern; 54% say they are most concerned about root kits; 45% say SQL and code injection is their biggest worry.
  • 35% rely on IT security teams’ “gut feel” to determine whether or not an attack will occur.
  • 34% believe that criminal syndicates pose the biggest threat to their enterprise; 19% said state-sponsored attackers were the greatest threat.
  • 9% cannot determine whether or not they are compromised.
  • A wide range of technologies is used to gather threat intelligence, ranging from SIEM to IDS to IAM to Big Data analytics and firewalls. On a one-to-10 scale of effectiveness, only 22% rate these technologies between a 7 and a 10, and 78% rate them between a 1 and 6.

These findings are startling but not surprising. Enterprises are conditioned to believe that after-the-fact threat intelligence is all that is available, a perception that is leaving them open to compromises and data breaches that are costing them millions,” said Sam Glines, CEO, Norse. “This report makes it clear that enterprises are in need of an advanced level of threat intelligence that shrinks the interval between attack identification and mitigation down to minutes or even seconds if they are to survive the modern-day cyberthreat juggernaut

Ponemon Institute has conducted IT security research for over a decade, and this is one of the first studies that reveals the facts behind the impact that weak threat intelligence is having on organizations,” said Larry Ponemon, founder and chairman of Ponemon Institute. “Anyone who reads this report will come to understand that live threat intelligence must be an integral part of any security strategy.”

To view the report click here.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: