Tag Archives: Online Security

Advent IM welcomes James Morris MP for cyber security skills gap discussions

Midlands-based cyber and information security consultancy Advent IM and members of the Malvern Cyber Security Cluster have enjoyed some serious discussions with James Morris (the MP for Halesowen and Rowley Regis) around how to bridge the current cyber security skills gap.

Advent IM welcomed the MP to its head office and training centre on 20 February. During the visit, Morris met with members of the team in addition to the company’s directors, Julia McCarron and Mike Gillespie, who highlighted the ongoing cyber security skills gap that the UK is experiencing.

The MP acknowledged that this is a topic he is extremely keen to address with the local college, and that he is also keen to be part of the solution on entry-level skill building and a career path for young people interested in joining the cyber security sector.

James Morris MP (centre) with Mike Gillespie and Julia McCarron


Last year, Mike Gillespie joined Cyber Skills Challenge UK’s CEO Stephanie Daman on BBC Radio 4 to discuss this topic, and he takes every opportunity to raise awareness of the threat posed by the continuing gulf between UK security needs and the number of available professionals.

“The youngsters growing up now are using technology in an ever-increasing array of ways,” stated Gillespie. “The Internet of Things connects people with their information in an unprecedented manner. It’s vital we engage the upcoming generation such that they’re interested in cyber security, not only as a career path towards being a security professional, which is what UK plc really needs, but also because security is becoming part of all employees’ lives. Their role in organisational security is increasingly acknowledged.”

Gillespie went on to tell Risk UK: “We cannot afford to allow our approach to security to remain static. Threats and risks to business proliferate in a dynamic landscape and we need to develop our talent to deal with that landscape in the same evolved and proactive way. Bringing young people into security via apprenticeships and helping them to develop down this route is going to form a vital part of safeguarding UK plc in the years to come.”

Advent IM is keen to explore options for bridging the skills gap in the local community. To this end, the company will be supporting James Morris MP in addressing the challenge of developing education and training programmes that will enable local youngsters to actively become the cyber security experts of the future.


Filed under Risk UK News

KPMG on cyber crime in 2015: ‘This time it’s personal’

‘This time it’s personal’ will be the motto of 2015 as cyber criminals are predicted to become more selective in the way that they target victims.

According to Stephen Bonner, a partner in KPMG’s cyber security practice, the next 12 months will see criminals move away from mass spear-phishing tactics in favour of highly-targeted ‘campaigns’ based on the data trail people leave in their online lives.

“Over the past year, the Internet of Things took its first tentative steps into the mainstream,” said Bonner, “but consumers’ willingness to adopt the latest trend has come at a price. Their desire to be seen has overtaken their desire to be secure, meaning that we can expect organised crime to find new ways in which to make money in our increasingly digitised society.”

Bonner continued: “It’s possible that our willingness to share and shop online will let criminals become more selective about who they target. They will not need to maintain the current ‘hit and hope’ approach of spear phishing, instead only attacking specific users and computers based on the data these give away about their owners.”

According to Bonner, the result will be a business world in which cyber protection matures and where Governments come together to improve ways in which confidential data is secured.

The next 12 months will see criminals move away from mass spear-phishing tactics in favour of highly targeted ‘campaigns’ based on the data trail people leave in their online lives

“2014 may have been a year in which hardly any time went by without news of a cyber attack,” asserted Bonner, “and the next 12 months will be no different. This time, however, third party assurance will become a burgeoning industry as firms seek to protect themselves against lawsuits for loss of data or revenue. As part of this, my hope is that EU Governments will reach agreement on data protection legislation in a post-Snowden world and implement a data breach disclosure regime.”

In conclusion, Bonner explained: “Ultimately, cyber defence will be akin to a game of whack-a-mole with more emphasis on spotting attacks, more sharing of intelligence in near real-time and enhanced efforts by companies and Governments to counter and disrupt cyber attacks as quickly as they can. However, to win the game a change in mindset is needed, with security teams necessarily having to reinvent themselves by engaging with the business to really understand its priorities and justify the budget, in turn ensuring that their efforts are focused on defending key business assets while being seen as an enabler for doing business in the digital world.”


CrowdControlHQ: “IT directors ignore social media risks at their peril”

Marc Harris (Chief Technical Officer at CrowdControlHQ) examines the issues facing IT directors from the use of social media.

Many IT directors operate their own personal Facebook and LinkedIn accounts. However, when it comes to corporate social media they pass responsibility for management of same to the Marketing Department. Are they doing so at their peril?

Let me start with the elephant in the room, namely the role of the IT director. After an extensive IT career in the media, telecommunication and technology sectors, recent experience has led me to conclude that social media needs to be firmly at the top of the priority list of every IT director.

In my current role, I see at first hand the impact of reputational damage realised by both internal and external sources through the use of social media, and find it surprising how few IT directors are willing to discuss the issues or attend conferences on the subject. Perhaps they feel an unwelcome interference or ‘elbowed out’ by this new communication channel which has evolved extensively under the umbrella of marketing?

In future, the organisations succeeding in the social media space will have Marketing and IT Departments working seamlessly together to tackle the issues. The ‘DNA’ of IT makes it the most qualified department to deal with some of the risk issues that surround social media, so why isn’t it more involved?

Today, social media is being used in every aspect of business, from the Boardroom right through to the delivery of customer service. By its very nature, social media is a collective responsibility. Not surprisingly, its reliance on ‘collaboration’ has in some instances manifested itself as ‘sharing’ responsibility for posting of content… and even the sharing of passwords!

New rules now apply

I once overheard a social media officer quite gleefully boasting the fact that they had the Twitter login to hand for their company chairman. When challenged, the officer admitted that he was ‘The Chosen One’. If he was off sick that was it – no tweets or updates! Worse still, if he left the organisation he had the power to bring the place down tweet by tweet.

This is the stuff that would have kept me awake at night as an IT director, yet in a world powered by social engagement new rules seem to apply.

Marc Harris: CTO at CrowdControlHQ


Recent research also reported that a scarily large number of employees still use the dreaded Post-It note to record their login usernames and passwords, stuck to walls, desks and even the computer screen. Apparently, we’re not coping well with the need to access everything online from social media to our weekly shop and fear our mobile devices could be pinched. We’re reverting to pen and paper, it seems.

This practice can only end in tears. There have now been too many examples of ‘rogue’ tweets, no audit trail of who posted them (or why) and organisations – who, frankly, should have known better – being left rosy cheeked, so why is this practice still so rife?

Why would an employee, with their job on the line, ‘fess up’ when they know that at least 15 other people had access to the account that day?

I also believe that few IT Departments have a handle on the number of users across their ‘official’ social media accounts, let alone a log of which password protocol they are using, how they are accessing the site or posting.

Need to look both ways

We cannot just blame the employees. Even organisations with the most robust and celebrated IT protocols let themselves down when it comes to simple issues such as data storage. I suspect very few IT directors are crystal clear about where their marketing communications teams are storing their social media campaigns, let alone harbour an understanding of the conversations from the past that they may need to reference in the future or where they keep their notes about their customers linked to these campaigns.

I would hazard a guess that many IT Departments are breaking their own compliance and governance issues when it comes to social media.

Today, there’s no need to share passwords. The social media ‘savvy’ have cottoned on to tiered password access, with both the IT and Marketing Departments having an ‘on/off’ switch to give them instant control in times of crisis. If IT is involved in the installation of a Social Media Management Solution (SMMS) they can see exactly who is plugged into the system, where accountability lies and who they need to train and develop to uphold the security protocols needed in order to keep an organisation’s reputation intact.

Within the scope of most IT budgets a SMMS will be a drop in the ocean but will address these major issues. Any smart IT director will already be looking at a SMMS if there isn’t already one in place. Such a system gives control back to the organisation. All passwords are held in one place such that accounts are not owned by individuals but by the company. The right system gives an organisation the ability to moderate content at a senior level. In turn, the risk of misuse or mistakes can be eradicated.

A SMMS also takes care of the practical management issues. I fear that some organisations are taking a step backwards in terms of their technological evolution, reverting to time-wasting, ineffective manual processing of social media (eg multiple logins to different social media platforms rather than using readily available tools for automation and effectiveness).

The message is clear. IT directors ignore social media at their peril. When it comes to corporate social engagement, it’s time for them to wake up, check and challenge.


Centrify survey pinpoints ID theft as key concern for digital consumers

Identity theft has ranked as the top concern among 2,000 consumers questioned about their digital lifestyles in new research commissioned by Centrify Corporation. The survey reveals that 81% of respondents stated they are concerned – or very concerned – about the prospect of having their identity stolen online.

Having credit card information stolen on the Internet is also extremely worrying for consumers, with 79% ranking it the second biggest concern above being a victim of cyber crime (73%).

Surprisingly, cyber bullying is the least concerning prospect for respondents with just 40% of consumers showing any real concern, while privacy of social networks (59%) and e-mail spam (68%) both ranked much higher.

The comprehensive survey also reveals the numbers of respondents that have a high, medium or low ‘digital footprint’ based on the amount of time they spend online in a typical week e-mailing, texting and sharing or watching digital images, songs, games, videos and apps.

62% of those very concerned about identity theft have a medium digital footprint, 46% low and 26% have a high digital footprint. Equally, only 26% of those with a high digital footprint are concerned about having credit card information stolen on an online shopping website and their e-mail accounts being spammed, showing that those who spend more time online are less concerned about their identity being stolen.

One-in-four respondents to the survey have definitely (or probably) been a victim of identity theft, 43% of victims suggesting the problem took more than one month to fix with one-in-five saying it took more than ten hours. 47% of interviewees admitted to having to spend their own money to resolve the issue, with 28% noting they’ve spent at least £60 (in turn highlighting the need for increased password security).

Identity theft remains a key concern for online shoppers in both America and the UK


Security of personal information at risk

“With so much of our time now spent online, be it in relation to social networking, banking or shopping, the security of our personal information and, more importantly, our identities is being put at risk on a daily basis,” explained Tom Kemp (CEO at Centrify).

“According to our survey, online purchases are the top reason why users feel they became victims of identity theft, underscoring the importance of confidence in one’s own online security. Consumers have very little faith in the absolute security of their passwords. Just 15% believe those passwords are very secure, regardless of the amount and type of characters used. Being able to manage our password security is crucial.”

Other research highlights:

• The groups that are most likely to say they’ve been victims of identity theft are those that probably best understand and notice the signs of identity theft: IT workers, online shoppers, higher salary workers, the ‘tech-savvy’ and those with a high digital footprint

• Those with the least confidence that their passwords are absolutely secure include individuals that do less online shopping (12%), those aged 50-64 (11%) and those with a medium digital footprint (11%)

• A plurality of consumers are only somewhat confident that their passwords for personal accounts could not be cracked by a computer program, but few are very confident

*The Widmeyer Survey was developed to assess people’s engagement with (and perception of) passwords in order to determine their efficacy in the workplace. The survey was completed in September 2014 with more than 1,000 participants in the UK and 1,000 in North America. Results were similar across both regions


“Organisations must act now to avoid hackers’ oldest trick in the book” urges ICO

The Information Commissioner’s Office (ICO) is warning organisations that they must make sure their websites are protected against one of the most common forms of online attack – SQL injection.

The warning comes after the hotel booking website, Worldview Limited, was fined £7,500 following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers.

The data was accessed after the attacker exploited a flaw on a page of the Worldview website to access the company’s customer database. Although customers’ payment details had been encrypted, the means to decrypt the information – known as the decryption key – were stored with the data. This oversight allowed the attackers to access the customers’ full card details, including the three digit security code needed to authorise payment.

Christopher Graham: the Information Commissioner


The weakness had existed on the website since May 2010 and was only uncovered during a routine update on 28 June 2013. The attackers had access to the information for ten days. The company has now corrected the flaw and invested in improving its IT security systems.

Worldview Limited would have received a £75,000 penalty but the ICO was required to consider the impact any penalty would have on the company’s financial situation.

Attacks are preventable

Simon Rice, the ICO’s Group Manager for Technology, said: “It may come as a surprise to many in the IT security industry that this type of attack is still allowed to occur. SQL injection attacks are preventable but organisations need to spend the necessary time and effort to make sure their website isn’t vulnerable. Worldview Limited failed to do this, allowing the card details of over 3,000 customers to be compromised.”

Rice added: “Organisations must act now to avoid one of the oldest hackers’ tricks in the book. If you don’t have the expertise in-house then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach.”


Cyber Streetwise survey reveals 75% of Britons place online safety at risk

A new survey conducted by Cyber Streetwise has revealed that most people are not taking the necessary steps to protect their identity online, with 75% of those who took part in the study admitting they don’t follow Best Practice to create complex passwords.

The figures have been released during Cyber Security Awareness Month to mark the launch of the latest phase of the UK Government’s Cyber Streetwise campaign. In partnership with the police service and industry experts, Cyber Streetwise aims to raise awareness of wise and unwise behaviour in the online space.

Despite 95% of Britons saying it’s their own responsibility to protect themselves online, two thirds are risking their safety by not using symbols in passwords. Nearly half (47%) exhibit other unsafe password habits such as using pet names or significant dates as their password.

Modern Slavery and Organised Crime Minister Karen Bradley MP explained: “When passwords are compromised, financial and banking details can be stolen and cause problems for the person affected, for businesses and for the economy. There’s an emotional impact caused by the loss of irreplaceable photos, videos and personal e-mails, but even worse these can be seized to extort money.”

Bradley added: “We can and must play a role in reducing our risk of falling victim to cyber crime. Most attacks can be prevented by taking some basic security steps, and I encourage everyone to do so.”

Vulnerability to ID theft, fraud and extortion

This latest research shows that 82% of people manage more online accounts that require a password than they did last year, with the average Briton dealing with 19. Over a third (35%) of those questioned admit that they do not create strong passwords because they struggle to recall them. However, poor passwords leave people vulnerable to identity theft, fraud and extortion.

Cyber crime presents a serious threat to the UK and the Government is taking action to increase public awareness of the risk, dedicating £860 million to this issue over the next five years through the National Cyber Security Programme. In essence, the Government is working hard to transform the UK’s response to cyber security.

The latest survey conducted by Cyber Streetwise has revealed that the majority of people are not taking necessary steps to protect their identity online


Jamie Saunders – director of the National Crime Agency’s (NCA) National Cyber Crime Unit – commented: “The NCA is working closely with law enforcement colleagues all over the world to target and disrupt cyber criminals. We should be clear that the criminals will target weaknesses. On that basis, having weak passwords will leave people vulnerable.”

Saunders continued: “Nobody wants their personal financial details, business information or photographs to be stolen or held to ransom, so simple things like using three or more words, a mixture of numbers, letters and symbols and upper and lower case letters will make it much more difficult for hackers to access personal information.”

Creating strong and memorable passwords

Advice on creating strong and memorable passwords can be found at http://www.cyberstreetwise.com along with other easy tips for staying safe online. Tips for creating and remembering passwords include the following:

Loci method
Imagine a familiar scene and place each item that needs to be remembered in a particular location (ie a red rose on the table, a book on the chair, a poster on the wall). Imagine yourself looking around the room in a specific sequence. Re-imagine the scene and the location of each item when you need to remember

Acronyms
Use a phrase or a sentence and take the first letter from that sentence

Narrative methods
Remember a sequence of key words by creating a story and littering it with memorable details (for example, ‘The little girl wore a bright yellow hat as she walked down the narrow street…’)

Further information on Cyber Security Awareness Month is available at: http://www.staysafeonline.org/ncsam/


Employees cost UK businesses £130,000 per annum in lost productivity managing passwords

According to new research conducted by Centrify Corporation (a leader in unified identity management across data centre, cloud and mobile platforms), poor password habits are not only placing employers at risk but also losing them hundreds of thousands of pounds in lost productivity every year.

The survey of 1,000 UK workers highlights that the average employee wastes £261 [1] each year in company time on trying to manage multiple passwords. For an organisation with 500 staff on the payroll, that equates to a loss of more than £130,000 every 12 months.

“In our new digital lifestyles, which see a blurring of the lines between our personal and professional lives, we’re constantly having to juggle multiple passwords for everything from e-mail and mobile apps through to online shopping and social media,” explained Barry Scott, CTO (EMEA) for Centrify.

“According to the results of our extensive survey, over a quarter of us now enter a password online more than ten times each day, which could equate to 3,500 to 4,000 times every year. This is becoming a real challenge for employers who need to manage security and privacy concerns, and also for employees who are costing their companies both time and money.”

While around half (47%) of those employees questioned use their personal mobile devices for business purposes, one-in-three (34%) admit they don’t actually use passwords on these devices even though they keep office e-mail, confidential documents, customer contact information and budget details on them.

Centrify's Infographic on Passwords


High on many people’s list of ‘most annoying things’, it seems that passwords are becoming the cause of major headaches. Centrify’s study reveals that forgetting a password for an online account is more annoying for individuals than misplacing their keys (39% of respondents), a mobile phone battery ceasing to work (37%) or receiving spam e-mail (31%).

One-in-six (16%) of respondents would rather sit next to someone talking loudly on their mobile phone, 13% would rather spend an hour on a customer service line and 12% would prefer to sit next to a crying baby on a flight than have to manage all of their passwords.

Multiple incorrect password entries

The Centrify research also shows:
• More than one-in-three (38%) employees have accounts they cannot access any more because they cannot remember the passwords
• 28% are locked out at least once a month due to multiple incorrect password entries
• One-in-five employees change their passwords at least once a month while 8% change them every week
• Most have little faith in password security – just 15% believe their passwords are ‘very secure’

With nearly half (42%) of respondents creating at least one new account profile every week – more than 50 per annum, in fact – the problems around password management will only worsen. In fact, 14% of employees quizzed believe they will have 100-plus passwords to deal with in the next five years.

Despite this, it’s believed that many employees already seriously underestimate the number of account profiles they have online, with nearly half (47%) believing they have just five profiles – although a quarter admit they harbour 21 or more.

Andy Kellett at analyst OVUM added: “When it comes to providing safe access to what should be highly secure business systems, the password model is no longer fit for purpose. It remains the primary security tool for businesses in environments where other authentication options should be considered. We used to go to work and stay in one place. Now we are just as likely to be working from a remote office, on the train or at home and simple passwords are neither robust nor secure enough to support secure remote access.”

Kellett added: “With today’s workforce also using social media and flexible remote tools and applications, we need to empower them to do this by allowing them to have more ownership of their identities and incorporate better, more balanced security measures that also improve productivity.”

Top 5 bad password practices

When asked what they do in order to remember their passwords, survey respondents stated that they:
(1) Always use the same password whenever possible
(2) Rotate through a variety of similar passwords
(3) Keep a written password in a master book of passwords
(4) Use personal information in a password
(5) Avoid using complicated symbols or combining upper and lower case

Barry Scott: Chief Technology Officer (EMEA) at Centrify


Top 5 password tips

To help employers, Centrify has compiled a list of top tips on effective password management:

• Educate staff about using passwords – make it a key part of your corporate security policy
• Make it easier for employees to work anywhere, any time by using technology that offers single sign-on capabilities (ie one click to access all of their work accounts and applications)
• With some mobile phones now providing both identity and access management capabilities, incorporate them as part of your BYOD (Bring Your Own Device) policy
• Create one profile for any corporate log-ins and then have privileges for individual employees within the one profile. Anyone who leaves the company can be removed automatically
• Think about replacing passwords with something much more intuitive like pass phrases.

The Widmeyer survey was developed to assess people’s engagement with – and their perception of – passwords in order to determine their efficacy in the workplace. The survey was completed in September 2014 with more than 1,000 participants in the UK and 1,000 in North America. Results were similar across both regions. The final results can be found at: http://www.centrify.com/Password-Survey

Reference

[1] Figure calculated by taking an average of the hourly rate of personal income from one’s job multiplied by the amount of time spent dealing with password management
