Tag Archives: IT Security

Bosch launches new information security services to protect against cyber attacks

The IT Security Expo and Congress 2019 takes place in Nuremberg from 8-10 October and experts from Bosch will be on hand on Stand 506 in Hall 10.1 to outline the company’s latest information security services for defending against cyber attacks.

Cyber criminals pose a threat to building security solutions. Today’s physical security systems are increasingly IP-based and run on the same networks as generic office and production IT systems.

“The growing use of IT, along with greater networks, is also making building security solutions potentially vulnerable to all of the same risks that plague the rest of the IT world, such as hacker attacks and malware,” explained André Heuer, who heads the information security operation at Bosch Building Technologies. “Particularly so in critical infrastructure, this interaction of IT and facility management makes it essential to find new ways in which to ward off cyber attacks. We want to help our customers expand their information security strategies to include physical systems.”

On that basis, Bosch is introducing new information security services to address security needs in conventional building security systems by erecting “cyber barriers”. The company’s portfolio now embraces three complementary components:

• Information Security Consulting for designing tailored information security concepts to meet customers’ individual protection requirements
• Security Operations Centre which manages vulnerabilities and information security incidents to ensure a consistently high level of security while complying with reporting requirements
• IT Security Services which implement appropriate measures to protect building security solutions from cyber threats

All of the services are provided in close consultation with customers’ IT security officers. By offering these options, Bosch feels that it’s “raising the standard of information security in buildings to a new level”.

Filed under Risk Xtra

TDSi set to debut new-look stand and latest products for end users at IFSEC International 2015

TDSi will be showcasing its fully integrated security solutions – including the new version of the company’s powerful EXgarde security management software – on its newly-designed stand at IFSEC International. TDSi’s representatives will be on Stand F1100 from 16-18 June at the ExCeL Exhibition Centre in London’s Docklands.

The new-look stand will feature an eye-catching and fresh layout and design, demonstrating the versatility of TDSi’s product range which encompasses everything from one door applications through to multi-site systems.

On display will be TDSi’s SOLOgarde, MICROgarde and EXcel controllers in addition to enterprise solutions featuring the combined possibilities rendered by the company’s software products, including EXgarde security management and VUgarde CCTV software integration.

TDSi’s platform also has the ability to smoothly interact with Texecom alarm control panels, ASSA ABLOY’s Aperio and SimonsVoss’ SmartIntego wireless door locks as well as Milestone’s Video Management Solutions software.

John Davies: managing director at TDSi

Additionally, TDSi’s stand at IFSEC International 2015 will feature a separate section designed to showcase its new reader range, including proximity, MIFARE PLUS, MIFARE DESfire and dual technology readers.

TDSi will be showing visitors how the company’s wide range of security products provide powerful solutions to any integrated physical and IT security requirement. The company will also be presenting the considerable benefits of joining its partner scheme, which includes support for growth and business development for members, as well as offering comprehensive technical support.

Sarah Phillips: product and marketing manager at TDSi

Reflecting upon the upcoming event, Sarah Phillips (product and marketing manager at TDSi) commented: “We’re excited to be exhibiting at IFSEC International once again and looking forward to unveiling our new and larger stand. The show is one of the biggest in the security calendar so we’ve pulled out all the stops to make an even bigger splash this year when it comes to showcasing our very latest offerings.”

Phillips added: “We’re also keen to discuss how our partner programme has been developed to fully meet individual customer needs and ensure that all of our partners receive the exact level of support they need.”

TDSi’s new stand is a direct response to the high visitor numbers the company experienced at the show in 2014.

In conclusion, Phillips told Risk UK: “We have added more touch-points to the new stand so that visitors can experience our products and services interactively as well as speak directly to members of our team. We will also be offering access to our technical team who’ll be able to answer any specific questions that visitors may have.”

Filed under Risk UK News

Security Management via the Cloud: ‘Organisations must embrace the risks as well as the opportunities’

Organisations embracing cloud-based security management systems will see major benefits from doing so but must adapt quickly to ensure they don’t open themselves up to evolving risks. This was the clear message emanating from the Association of Security Consultants’ (ASC) winter Business Group meeting held on 18 November at the London Chamber of Commerce and Industry.

Inderpall Sall, technical director at NG Bailey IT Services, highlighted the rapid progress towards the next phase of cloud evolution when everything will be connected to the Internet. This would maximise the intelligence available, facilitate the convergence of building, ICT and business systems within organisations and routinely mean that powerful analytics were available.

Examples given included access control data triggering whether lights were switched on or off at a particular workstation; an entry card being disabled, and desk and parking space released, when someone is on holiday; and an American company using data from cameras to analyse behaviour on train stations with a view to preventing suicides.

Clients are now demanding cloud-based mobile technology – “You have to put a network in otherwise someone else will do it”. There’s now a move away from organisations requiring every system to have its own separate infrastructure and applications. Indeed, Sall cited the examples of a client that had opted to have just one cabling infrastructure to manage and monitor everything and of a requirement to provide a very simple, single application with security, fire and building management sections available from one screen.

Inderpall Sall: technical director at NG Bailey IT Services

Consideration of risk alongside opportunity

However, there’s a need to consider the risks alongside the opportunities. If all information is on the network, the implications of being hacked would be much more serious. Effectively, it would be possible for someone to gain control of a whole building.

To offset these risks, it’s important to have substantial physical and IT security in place, give very careful consideration to enterprise security architecture and ensure that all functions involved with security provision are co-ordinating their activities effectively.

The intelligent buildings theme was continued with a presentation on security reporting from Brian and Steve Larkins of Verifi FMS. Despite all the technology developments of recent years, security officers have remained largely dependent on paper records. This could make organising and retrieving information (particularly where this is related to events that had occurred some time ago) challenging to say the least. This session demonstrated VeriFi EIDOS, a new cloud-based alternative which requires only a standard browser.

The ASC event also included a presentation by Broadgate Estates’ security and business continuity manager Jonathan Schulten on the scale and nature of dealing with such a large property portfolio, the dynamics of the relationships between landlord, occupiers and property managers and some typical challenges such as public realm management (for example during World Cup coverage in Exchange Square).

The next ASC Business Group meetings will take place on 3 March and 14 May 2015

Speaking after the event, ASC chairman Allan Hildage commented: “We’ve seen today how cloud technology can help to provide a consistent and quality service and ensure different parts of an organisation work together more effectively to meet overall business objectives. However, we’re also constantly reminded that the speed of technological development is challenging everyone. The impact on systems’ integrity and the ability of the regulatory framework to keep pace are just two of the issues raised in questions from the floor.”

Hildage concluded: “From a security and resilience perspective, it’s vital that we grasp the full implications and act on them if we are to maximise the benefits while minimising the risks.”

*The next ASC Business Group meetings will take place on 3 March and 14 May 2015

**For further information about the ASC visit: http://www.securityconsultants.org.uk

Filed under Risk UK News

“Remote working places business data at risk” reveals Imation Corporation Survey

According to new research initiated by global data storage and information security company Imation Corporation, poor security and impugned responsibility are placing business data at risk for those working remotely. Staff are taking confidential information away from the office, often without the knowledge of their employer, and losing unsecured and unencrypted business data in places such as pubs, on trains and in hotels.

According to the survey of 1,000 office workers* from the UK and Germany, nearly two-in-five of respondents (or someone they know personally) have lost or had a device stolen in a public place. Three quarters of these devices – among them laptops, mobile phones and USB sticks – contained work-related data. This included confidential e-mails (37%), confidential files (34%) and customer data (21%).

Around one-in-ten interviewees had lost financial data or access details such as login and password information, potentially exposing even more confidential information to the risk of a data breach.

What makes these findings even more concerning is that a large proportion of data removed from the workplace isn’t adequately secured. As many as three quarters of respondents said they had taken digital files with them outside of work, yet many do not use standard security measures such as encryption, password protection or remote wiping to protect that data from unauthorised access.

One-in-four employees interviewed for the Imation Corporation’s survey admitted breaking security policies to work remotely while the majority were not concerned about losing confidential business data

Nearly half (44%) of respondents said that data is never encrypted when taken out of the office. Three out of every ten respondents admitted they don’t protect their data with passwords, while nearly one-in-ten workers who take digital files outside of the office do not secure them at all.

Office workers, it seems, are not losing any sleep over losing confidential business data when they take work home, with only one-in-16 worrying about this massively important issue.

Lack of understanding around corporate data security

“Companies may not be aware of the amount of data that’s leaving offices unsecured,” said Nick Banks, vice-president (EMEA and APAC) for Imation Corporation’s IronKey solutions. “In addition, half of respondents said that, at least some of the time, nobody would notice if they were to take data away from the office and lose it. It’s obvious that poor security and lack of understanding of what happens to corporate data are placing organisations at risk of a data breach.”

Even though eight-in-ten of the employees interviewed read or write work e-mails on the move, and around seven-in-ten work on electronic documents away from the office, businesses are failing to provide their employees with secure tools for remote working and not putting the right security policies in place.

Fewer than six out of every ten respondents said their organisation had a remote working policy in place. Of those employees working for companies that do have a policy, more than a quarter of interviewees admitted they’d broken that policy in order to work remotely. Of those staff questioned, 8% had knowingly broken the policy and a further 18% say they’d unknowingly broken it.

Equally, of those individuals who do secure data that they take outside of the office, just over half said that their employer or a third party supplier provides the remote working security measures. One-in-five respondents reported that just they themselves provide the security measures.

“These figures emphasise the urgent need for businesses to ensure that their employees have the necessary systems in place to work flexibly and securely without further hindering productivity,” asserted Banks. “The reality is that people are working in cafes, on aeroplanes, in their GP’s waiting room and even while they take their children to the park. Organisations are tasked with a monumental challenge of providing secure access to corporate networks and data. Data protection is now a huge concern for employers who are battling to manage security and privacy for employees on the move.”

Nearly half (44%) of survey respondents said that data is never encrypted when taken out of the office

Key highlights of the research

Other research highlights are as follows:
• As many as 41% of interviewees suggested that they either do not have the right tools available to work remotely or that their solutions for doing so could be improved
• Three-in-five respondents would tell their boss if they lost a storage device with company data on it. However, nearly one-in-ten would do nothing. Less than one third of survey respondents said they have policies that dictate who should be notified depending upon the type and sensitivity of the data lost
• Almost a quarter of respondents have looked over the shoulder of someone working on a laptop/tablet in a public place or noticed someone looking over their shoulder while 6% would let someone else use their work laptop, tablet or smart phone outside of the office
• Around half (48%) of respondents that take digital files with them outside of the office do not fully separate their work and personal data, in turn placing their personal data at risk of being wiped when business data is compromised
• Only 70% of respondents report that they protect their data with passwords and only 36% encrypt their data. A small proportion of respondents are using biometric technology (14%) or remote wiping (7%) to secure their data
• Public areas such as pubs, cafes and restaurants (22%) and public transport (29%) are some of the most common locations for respondents to read or write work e-mails when outside of their home

Nick Banks: vice-president (EMEA and APAC) for Imation Corporation’s IronKey solutions

*The research consisted of 1,000 online interviews carried out this summer and involving office workers in businesses of at least 250 employees and covering a range of industry sectors. 500 respondents emanate from the UK and 500 respondents work in Germany. 80% of respondents were required to work remotely for at least part of their working week. Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates were given the opportunity to participate

Filed under Risk UK News

Top IT data security threats revealed in ICO security report

The Information Commissioner’s Office (ICO) has published a new security report highlighting eight of the most common IT security vulnerabilities that have resulted in organisations failing to keep people’s information secure.

The flaws were identified during the ICO’s investigations into data breaches caused by poor IT security practices. Many of these incidents have led to serious security breaches resulting in the ICO issuing monetary penalties totalling almost a million pounds.

The breaches could have been avoided if the standard industry practices highlighted in today’s report were adopted.

They include the £200,000 penalty issued to the British Pregnancy Advice Service after the details of service users were compromised due to the insecure collection and storage of the information on their website. There’s also the £250,000 fine issued to Sony Computer Entertainment Europe after the company failed to keep its software up-to-date, leading to the details of millions of customers being compromised during a targeted attack.

The top IT data security threats have been revealed by the ICO in its latest report

Announcing the publication of today’s report (entitled: ‘Protecting Personal Data in Online Services: Learning from the Mistakes of Others’), the ICO’s group manager for technology, Simon Rice, said: “In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed. While these security issues may seem complex, it’s important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure.”

Rice continued: “Our experiences investigating data breaches on a daily basis show that while some organisations are taking IT security seriously, too many are failing at the basics. If you’re responsible for the security of your organisation’s information and you think salt is just something you put on your chips rather than a method for protecting your passwords, then our report is for you.”

In conclusion, Rice commented: “The report provides an introduction into these established industry practices that could save you the financial and reputational costs associated with a serious data breach.”

Top 8 computer security vulnerabilities uncovered

The Top 8 computer security vulnerabilities covered in the ICO’s report are as follows:
• a failure to keep software security up-to-date
• a lack of protection from SQL injection
• the use of unnecessary services
• poor decommissioning of old software and services
• insecure storage of passwords
• failure to encrypt online communications
• poorly designed networks processing data in inappropriate areas
• continued use of default credentials including passwords

In addition to the report’s publication, the ICO’s Simon Rice will be publishing a series of blogs this week explaining the key aspects of the ICO’s latest advice in further detail.

Rice’s first blog, published this morning, explains the pressing need for today’s report and how it was developed.

Rice will also be taking part in a Q&A session this coming Friday (16 May) to respond to any questions people have about today’s report. Those who would like to send in a question can e-mail the details to: pressoffice@ico.org.uk or tweet @ICONews by 10.30 am on Thursday 15 May.

Filed under IFSECGlobal.com News

Trustwave report pinpoints security pressures faced by IT professionals

The 2014 Security Pressures Report issued by Trustwave is based on a survey of over 800 IT professionals from the UK, the US, Canada and Germany.

It emerges that no less than 80% of IT directors and CISOs felt pressure from above to roll out IT projects in 2013, despite concerns that those projects were not ready due to security issues. 63% of respondents stated that this happened on more than one occasion.

The survey states that UK IT security professionals believe phishing and social engineering were the biggest threats facing their business compared with professionals from the US and Canada who were more concerned about targeted malware and APTs.

Overall, professionals in the UK feel they’re most confident in being safe from IT security threats (82%) compared with the US, Canada and Germany (73%).

Trustwave surveyed 833 IT security professionals in four countries

Meanwhile, three out of four IT teams currently run security in-house, but 82% use (or are looking to use) managed security services in the future to help alleviate pressures.

At the conclusion of the findings, Trustwave provides a list of ten actionable recommendations for alleviating some of the pressure.

Trustwave states: “The report makes no claims that these pressures can be eliminated entirely, but hopefully with some changes in mindset and a fresh perspective for dealing with the problem, security pros can reduce that pouring rain to a manageable drizzle.”

Download a copy of the full report and read the Trustwave blog by Dan Kaplan

Filed under IFSECGlobal.com News

Global security chiefs deliver plan for developing ‘state-of-the-art’ management teams

The Security for Business Innovation Council (SBIC) argues that information security needs to become a cross-organisational function with security functions embedded into business processes and security teams working closely alongside business units on information risk management and cyber threat mitigation.

A new research report released by RSA (The Security Division of EMC (NYSE:EMC)) and put together by the Security for Business Innovation Council (SBIC) reveals the composition of a forward-leaning security program – starting with building a next generation information security team focused on the lifecycle management of cyber risks in today’s global enterprises.

The last 18 months have seen big changes in the overall requirements for success for information security teams. This has been set against the backdrop of a hyper-connected business environment, an evolving threat landscape, new technology adoption and regulatory scrutiny.

In response to this ever-changing environment, essential activities (and the responsibilities) of enterprise information security teams are very much in transition.

Accountability for IT security within organisations must be shared with business managers and executives to encourage ownership of cyber risk as an overall part of business risk

Transforming information security: designing tomorrow’s team

Entitled: ‘Transforming Information Security: Designing a State-of-the Art Extended Team’, the new report argues that information security teams must evolve to encompass skill sets not typically seen in security, such as business risk management, law, marketing, mathematics and purchasing.

The information security discipline must also embrace a joint accountability model in which responsibility for securing information assets is shared with the organisation’s line of business managers and executives who are beginning to understand that it’s they who ultimately own their own cyber risks as a part of business risk.

Many of the advanced technical and business-centric skills needed for security teams to fulfill their expanded responsibilities are in short supply and will require new strategies for cultivating and educating talent, as well as leveraging the specialised expertise of outside service providers.

To help organisations build a state-of-the-art extended security team, the SBIC has drafted a set of seven recommendations:

Redefine and strengthen core competencies: Focus the core team on increasing proficiencies in four main areas, namely cyber risk intelligence and security data analytics, security data management, risk consultancy and controls design and assurance.

Delegate routine operations: Allocate repeatable, well-established security processes to IT, business units and/or external service providers.

Borrow or rent experts: For particular specialisations, augment the core team with experts from within and outside of the organisation.

Lead risk owners in risk management: Partner with the business in managing cyber security risks and co-ordinate a consistent approach. Make it easy for the business and hold them accountable.

Hire process optimisation specialists: Have people on the team with experience and certifications in quality, project or program management, process optimisation and service delivery.

Build key relationships: Develop trust and influence with key players such as owners of the ‘Crown Jewels’, middle management and outsourced service providers.

Think outside-of-the-box for future talent: Given the lack of readily available expertise, developing talent is the only true long-term solution for most organisations. Valuable backgrounds can include software development, business analysis, financial management, military intelligence, law, data privacy, data science and complex statistical analysis.

Speaking about the new report, Art Coviello (executive vice-president, EMC, executive chairman, RSA, The Security Division of EMC) said: “For this transformation to be successful, security must be seen as a shared responsibility that requires active partnerships to manage the inherent risks to the business in the ever-evolving threat landscape. It’s imperative that organisations are able to develop a security team with the right expertise needed to get the job done.”

Bob Rodger, group head of infrastructure security at HSBC Holdings plc, added: “The core security team’s expertise should be primarily focused on delivering consulting, providing direction, driving strategy, identifying and explaining risks to the business, understanding threats and moving the organisation forward. It should not be encumbered by the day-to-day routine operational activities.”

About the Security for Business Innovation Council

The Security for Business Innovation Council is a group of top security leaders from Global 1000 enterprises committed to advancing information security worldwide by sharing their diverse professional experiences and insights.

The Council produces periodic reports exploring information security’s central role in enabling business innovation.

Contributors to this latest report include 18 security leaders from some of the largest global enterprises, including ABN Amro, ADP Inc, Airtel, AstraZeneca, Coca-Cola, EMC Corp, FedEx Corp, Fidelity Investments, HDFC Bank Ltd, HSBC Holdings plc, Intel, Johnson & Johnson, JP Morgan Chase, Nokia, SAP AG, TELUS, T-Mobile USA and Walmart.

Additional information
• Download the Security for Business Innovation Council Report
• Download an infographic that highlights how to transition from a conventional security team to a next generation security team
• Download the SBIC Report’s Executive Summary
• Download a chart from the report outlining ‘Who does what?’ on a next generation security team
• RSA blog: Does Your Security Team Have What It Takes? (by Laura Robinson, chairman, SBIC)

Filed under IFSECGlobal.com News