The A-Z of cyber security

A plain English guide to online risk and resilience


8/17/2019 Avatu - A to Z Cyber Security

http://slidepdf.com/reader/full/avatu-a-to-z-cyber-security 1/34


2 | NEW STATESMAN | 18-24 SEPTEMBER 2015

Time to stop playing Russian roulette

These are the five simple questions you should be asking to demystify cyber security and protect your business (and career), writes Joe Jouhal

Four pieces of enlightening news landed on my desk on the same day recently. First there was a story in the Financial Times quoting the new chairman of the Institute of Directors, Lady Barbara Judge, saying that cyber security is so overwhelming to boards that their reaction is to file it in the “too difficult category” – her words, not mine – rather than tackle the issue head-on.

Then there came research from Marsh, the global insurance broking and risk management firm, which showed that many UK companies are failing to assess their customers and trading partners for cyber risk adequately, and are more vulnerable to cyber attacks themselves as a result.

Third was a story from the Telegraph which highlighted that the average cost of a cyber attack is now £1.46m a year.

And last of all came news from the United States that the head of the government’s personnel office had abruptly resigned because hackers had stolen the sensitive information of some 21 million employees, including bank account details, health reports and even security clearance assessments.

It was a big news day for information security. But what struck me most was that, collectively, it painted a picture of a serious and expensive problem which was being dealt with ineffectively.

By not facing up to the changing world, leaders are playing Russian roulette – with their company’s success and the future of their careers. Boards and chief officers need to understand that cyber security is no more than a complicated business risk. And executives can choose to be a victim (and leave the challenge in the too difficult tray) or go on the offensive.

In my experience, leaders of the most successful growing companies usually tackle challenges squarely rather than passively wait to deal with the consequences. The issue does not have to be complicated or confusing. It can start with some very simple questions, such as these below.

Questions that chief officers and boards should be asking about information security

1. Do we know if we’ve ever been breached? Companies often don’t know they’ve had a data leak until long after it has happened. There are advanced detection systems that can do this as part of a layered info security monitoring system.

2. Where is our most sensitive, potentially damaging and most valuable information? All of it, every piece of it, every copy (this could be customer information, staff records, IP, financial information, business plans, emails between executives … and much more). Who has access to it? What special arrangements do we have to protect it within our systems?

3. How do we protect our sensitive data when it’s outside our perimeter? How do we stop it being seen or shared with unauthorised people?

4. These days most of us use more than one device for work. How do we protect all of these end-points? Are they a potential weak point of access to our systems and data?

5. Do we have insurance to make us more risk-aware and more prepared to mitigate the risk?

There are tools, technology and practices to mitigate all these issues. And facing this information security challenge head-on demonstrates stronger leadership, strengthens a business’s resilience and protects chief officers’ current roles and future job prospects.

Joe Jouhal is managing director at Avatu, the information security specialists

Join a one-day seminar, free to New Statesman readers: see page 13

IN PARTNERSHIP WITH AVATU

“Leaders are playing a risky game with company and career alike”


First line of attack and weakest defence

What level of investment is needed for the UK to deal effectively with a rapidly expanding global cyber-threat landscape?

The threats posed by cyber breaches to the UK government, critical national infrastructure, financial institutions and all levels of corporate entities within our sovereign shores are irrefutable. Yet, while the agenda regarding the skills gap is never more relevant to the UK than at present, too little is being done to reduce our risk of a cyber attack by increased training and awareness.

Several schemes have been created in recent years to address what is perceived as the cyber skills gap. However, these schemes and government policies only focus on the two realms of attack and recovery. Certification available today either develops simulated attack expertise intended to identify weakness, or recovery expertise designed to recover from or investigate an attack. Both of these strategies are fine and play an important role in shoring up our defences, but the cyber skills gap is bigger than this.

When we ask why computer systems are vulnerable we can identify two main areas of weakness: the software developers and the computer users. Not enough is being done to enhance the skills of the software developers to better defend against cyber attack, and too little is being done to upskill the computer users to identify socially based and other attacks aimed at gaining user credentials and other sensitive information which can be used in a cyber attack.

Government policies are mandating IT security health checks and simulated attacks on a regular basis; however, little to no security quality checking is being carried out on the software solutions prior to procurement. There is no certification path for software developers to identify that they have been trained in the discipline of secure coding.

In part this issue is a cultural one. Software companies are looking to ship software within a defined project development life cycle in order to meet customer demands and to remain profitable. With the ever increasing number of software platforms, developer companies now need to ship their products to Apple, Linux, multiple Windows platforms and a vast variety of mobile phones and, more recently, wearable devices, not to mention the advent of the Internet of Things.

Studies have been conducted into the overheads created when consciously creating secure code using an established secure development life cycle and, surprisingly, it is as little as 14 per cent additional resource. However, 14 per cent additional resource to the bottom line of any business is unpalatable.

It is clear that focus on providing the next generation of software developers with a clear understanding of security, and how their work may be attacked and abused, will prevent a large number of attacks from occurring in the first instance.

The computer users are the first line of attack and generally the weakest defence. They must be made aware of the threats and educated in how to respond to them and defend against them. At the very least this should be a standard part of any induction programme that should be refreshed frequently. Why not introduce formal certifications that lead to a licence to operate, a little like the driving licence theory and practical tests? Organisations both large and small need to invest more in educating staff in cyber security, and it must be an ongoing process.

Established in 2006, Encription is a UK- and Ireland-based IT security specialist company delivering services worldwide to a diverse client base, including the UK central government, the Ministry of Defence, police, fire and rescue services, financial institutions, professional service companies, manufacturers, small, medium-sized and large businesses, and charities. With experienced consultants at your disposal, Encription is able to meet your IT security needs, no matter how simple or complex, including penetration testing in all disciplines, advanced research, digital forensics at evidential standard and training.

We are ISO 27001 and ISO 9001 certified, and also CESG CHECK, TigerScheme and CyberScheme members. Contact us on +44 (0)330 100 2345 or at encription.co.uk

IN PARTNERSHIP WITH ENCRIPTION


New Statesman
2nd Floor, 71-73 Carter Lane, London EC4V 5EQ
Tel 020 7936 6400
Subscription inquiries, reprints and syndication rights: Stephen Brasher, sbrasher@newstatesman.co.uk, 0800 731 8496
Supplement Editor: Jon Bernstein
Design and Production: Leon Parks
Graphics: Leon Parks
Sub-Editor: Prudence Hone
Account Manager: Penny Gonshaw, +44 (0)20 3096 2269
Commercial Director: Peter Coombs, +44 (0)20 3096 2267

CONTENTS

4 A-Z of cyber security. U is for understanding: unravelling the code, from advanced persistent threats to zero days
20 View from the experts. “Total security is a futile concept”: where does the biggest threat lie?
31 Facts and figures. Security breaches by numbers: how UK businesses, big and small, are coping with cyber threats

Countering the threat

Between the day when this supplement was conceived and the moment it was sent to press, the name Ashley Madison – the dating site that facilitates extramarital affairs – was added to the hall of cyber security shame. Hackers stole personal details of 37 million members of the morally ambiguous website, causing embarrassment and ignominy.

The US government’s Office of Personnel Management is another recent inductee to the hall of shame, victim of a hack attack that resulted in 21.5 million federal employee records being stolen. There have been many others, and there will probably be more between printing and distribution, and then distribution and reading.

Perhaps that makes 32 pages devoted to cyber security especially timely, but in truth it would have been timely at any point in the past two decades.

Cyber security is a complex concept, not least because it acts as an umbrella term to cover an array of threats as well as methods to address those threats.

Countering the challenge falls into three broad categories: threat management (keeping the bad guys out), security information management, and identity and access management (locking the front, back and side doors).

As for the threats themselves, the terminology can be baffling. Working on the assumption that many people don’t know their APTs from their DoS, or their malware from their zero-day attacks, the centrepiece of this supplement is an A-Z of cyber security terms (see page four).

Cyber security is complex for at least another three reasons. First, a security breach is just as likely to be the result of the actions of an internal member of staff (sometimes deliberate, often accidental) as it is the effect of external actors. Consider this: three-quarters of the security breaches that affected large UK companies last year were the result, at least in part, of employee-related activity (see page 31).

Second, given cyber security is now a multibillion-dollar products and services industry, the sceptical response is to suggest that some unscrupulous suppliers trade on people’s fears. That assertion is robustly addressed by four security experts (see page 20).

And third, as one of those experts, Mark Brown from EY, acknowledges, “100 per cent security is a futile concept”. What is needed instead is best endeavours. That requires informed decision-making. It’s time to start reading.

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

The paper in this magazine originates from timber that is sourced from sustainable forests, responsibly managed to strict environmental, social and economic standards. The manufacturing mills have both FSC and PEFC certification and also ISO9001 and ISO14001 accreditation.

First published as a supplement to the New Statesman of 18-24 September 2015. © New Statesman Ltd. All rights reserved. Registered as a newspaper in the UK and USA.


A–Z OF CYBER SECURITY

Cyber security comes with a language all of its own, often opaque and replete with acronyms. With some expert help, we unravel the code, from advanced persistent threat to zero days

U is for understanding

A is for advanced persistent threat

An APT is an attack carried out by an adversary that targets and exploits individuals instead of computers and operating systems. Its intent is to be stealthy, targeted and data-focused. Typically an APT targets individuals in an organisation. The adversary performs extensive reconnaissance and then sends a targeted piece of information, such as a web-link or email, to trick the user to open up vulnerabilities. From this breach, the adversary uses the compromised system as a pivot point into the organisation’s network.

The trick in dealing with APTs is recognising that prevention is ideal, but detection is a must. Organisations will get compromised by APTs. The goal is to minimise the frequency and impact of this by controlling where the adversary can get to in the network and how much damage it can perform.

Here are things you can do to limit the impact of an APT:

1. Content-filtering and examination of behavioural anomalies
2. Create highly segmented networks to prevent lateral movement
3. Monitor outbound traffic for the attacker’s command and control channels

Eric Cole is a faculty fellow and course author at the SANS Institute

A is also for authorisation, active attack and anti-virus software
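Item 3 above, watching outbound traffic for command-and-control channels, can be turned into a concrete check. The following is an added example, not code from the article or from SANS: it scans a constructed list of outbound connection records for internal hosts that contact the same external destination at suspiciously regular intervals ("beaconing"), which is one of the behavioural anomalies a layered monitoring system looks for. The flow records, the addresses (documentation ranges) and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound flow records: (seconds since start, internal source,
# external destination:port). Addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    # workstation A reaches the same external host roughly every 60 seconds
    (0, "10.0.1.15", "203.0.113.7:443"),
    (61, "10.0.1.15", "203.0.113.7:443"),
    (119, "10.0.1.15", "203.0.113.7:443"),
    (181, "10.0.1.15", "203.0.113.7:443"),
    (240, "10.0.1.15", "203.0.113.7:443"),
    (300, "10.0.1.15", "203.0.113.7:443"),
    # workstation B talks to a site in bursts, as interactive browsing does
    (5, "10.0.1.22", "198.51.100.20:443"),
    (9, "10.0.1.22", "198.51.100.20:443"),
    (140, "10.0.1.22", "198.51.100.20:443"),
    (141, "10.0.1.22", "198.51.100.20:443"),
    (295, "10.0.1.22", "198.51.100.20:443"),
]


def find_beacons(flows, min_connections=5, max_jitter=0.15):
    """Return (source, destination, mean_interval_seconds) for every pair whose
    connections are spaced so evenly that they look machine-driven: the
    coefficient of variation of the gaps (std dev / mean) is below max_jitter.
    Human-driven traffic is bursty and has a much higher coefficient."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_connections:   # too few samples to judge regularity
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = float(mean(gaps))
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((src, dst, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{interval}s; "
              "check the destination before treating it as hostile")
```

A hit is a lead, not a verdict: software updaters and monitoring agents also beacon, so in practice the output is compared against an allow-list of known destinations before anyone is paged.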

B is for biometrics

Biometrics refers to authentication tools and technologies such as facial recognition, fingerprinting and retina-scanning. With traditional password-based security features increasingly hacked by cyber criminals, biometrics are becoming popular as they can be a much harder target for hackers.

Biometrics are more difficult to hack, but should not be seen as a replacement for password technology. Whether it’s voice recognition or fingerprint technology, biometrics do solve some of the flaws inherent in modern password systems, but they also bring a different set of challenges. For example, fingerprints can be reproduced, some prints are stronger than others, and changes in the physical appearance of the user can throw off the results in facial recognition.

Used together, passwords and biometrics provide a stronger form of protection. One serves as a backup for the other, raising the barrier further for unauthorised users attempting to gain access and hack a system. For example, security tools that incorporate multi-factor authentication, including encryption alongside biometric fingerprint technology and typical password security, can ensure that devices are covered at all bases.

Nicholas Banks is a vice-president of IronKey by Imation

B is also for bot, backdoor, boundary protection and BYOD

Why infosec is the great enabler

Just as a car’s brakes take the risk out of driving, so information security makes business possible, writes Peter Wenham

Information security (infosec, or just security) often gets a bad press and is often seen in a negative light. Why is this? Is it the influence of sensationalism in the media about the bad guys getting heaps of credit-card data? Or is the coverage causing fatigue because the messages are seen as being overhyped and, in a sense, that “it’s not happened here yet”? Is it that the costs associated with infosec are seen as coming off the bottom line with no apparent benefit? Perhaps an expensive infosec project failed or costs spiralled.

Whatever the reason, infosec needs to be better understood. It is, after all, a business enabler – but can we demonstrate that? A good analogy is to ask why are cars built with brakes? Ask an audience and the majority answer will be because it stops the car. The real reason is that the brakes enable the car to be driven. In other words, they take the risk out of actually driving the car at speed, because brakes are used to slow or stop the car.

We can extend the analogy by comparing a Formula 1 racing car’s brakes to a family car’s brakes. Fit a family car’s brakes into an F1 car and they will fail before the F1 car completes its first circuit. The quality of the brakes, or control, is proportionate to the risk. An F1 car needs far better brakes than those fitted to a family car due to higher speeds, acceleration and deceleration rates.

What is infosec actually doing in an organisation? It is protecting company data, be it intellectual property, finance and HR records, or customer data. And each data type has a value. For example, sales and marketing information is of value to rivals planning to make a hostile bid. According to the data/information value, we can identify the threats, threat sources and business exposures.

By identifying the threats, sources and exposures, a set of general controls governing access to any data set, and the processing it can be subject to, can be determined.

So who owns infosec? In many organisations infosec is thrown lock, stock and barrel over the fence to the IT group, but they are the wrong people. While IT can devise, implement and manage technical controls in support of identified threats, it is the core business that understands what the organisation does and the threats and exposures.

The business owns the information that drives an organisation. Information, and the data it is derived from, can and must be owned by only one person, for due diligence, auditability and legal/regulatory reasons. Hence the HR director (or equivalent) will own HR data, the finance director owns finance data, and so on.

What does “owning” the data mean? It means saying who can access data and for what purpose. Just because a person is the MD, CEO or director does not mean that he or she should have access to all the company data. Information should be restricted on a “need to know” basis. Nevertheless, care is needed in this area to ensure this principle is not overly strict.

Generally, directors in large organisations cannot have hands-on decision making for all the data under their control, so any decision making regarding access and use will be devolved down in their organisations, but in the end they set the policy and retain overall responsibility.

In summary, you will have come to realise that for any specific informational area, such as HR, the business has identified the value of the information (public, company internal, sensitive and so on) and who (or which groups) can access the information, and what they can do to it (create, delete, edit, copy, transmit and so on).

This is the information necessary to build a sane and sensible infosec strategy for a company that an IT department can take and turn into usable technical controls, and an HR department can turn into user policies.

Peter Wenham is the director of Trusted Management, specialists in information assurance

To find out more, visit trusted-management.com

IN PARTNERSHIP WITH TRUSTED MANAGEMENT

[Photo caption: A movie about the North Korean leader Kim Jong-un triggered cyber attacks on the film company]

C is for cloud computing

As defined by Gartner, cloud computing is “a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using internet technologies”. In other words, cloud computing enables companies to tap into extended resources situated anywhere in the world, creating efficiencies and scale – and allowing users to pay for services as they are used.

While the cloud brings a host of financial and business benefits, it also brings risks in the form of cyber theft, accidental data leaks and privacy fines. As sensitive information is of enormous value to criminals, cloud defence is imperative for businesses that hold such data.

A logical starting point is to identify all cloud applications in use, classify the types of data they hold and assess the risk level of each app. This then helps firms to map the appropriate security controls to protect data, such as through encryption, tokenisation and data-loss prevention.

And finally, organisations should continuously monitor activities to detect and flag up any anomalies in the use of data.

Willy Leichter is the global director for cloud security at CipherCloud

C is also for critical infrastructure, cipher and cryptography

D is for denial of service

A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users.

To perpetrate this attack, cyber criminals will stealthily instal software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim’s website. These botnets can include tens of thousands of PCs and are referred to as a distributed denial of service (DDoS) attack. Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call.

DoS attacks are often used by groups with a grievance against a particular brand or political issue, and can be a smokescreen to confuse the target while other, more sophisticated attacks take place.

DoS attacks can be mitigated by countermeasures such as certain types of application traffic-management devices that can be configured to identify and discard traffic that appears to be coming from a botnet. There are also third-party services that act as a type of clearing house for web traffic that can counteract DoS attacks.

Stephen Sims is a course author and senior instructor at the SANS Institute

D is also for decryption and data breach

E is for encryption

Encryption is at once intellectually simple and morally complex.

At its most straightforward, it is the act of encoding data, turning plain text into cipher text. Only those with a key or password can decode – or decrypt – the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an individual, business or government.

The strength of the encryption depends on how the technology is applied. Broadly, this happens in two ways – symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses a different key at the beginning and end of the process.

From a security point of view, encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?

Jon Bernstein

E is also for event and exploit

F is for Flashback malware attack

The conventional wisdom dictates that Apple-made devices are less prone to security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.

The Flashback malware attack is one example of when Apple’s defences – and those of its OS X operating systems – were breached. Using a form of malware known as a Trojan Horse, it was first detected in 2011. As the term suggests, a Trojan Horse attack is based more on deception than stealth, and Flashback was initially hidden as an Adobe Flash Player plug-in before moving on to exploit vulnerabilities in the Java programming language. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated, so the victim is a passive participant, oblivious to malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.

Jon Bernstein

F is also for fraud and firewall
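The E entry above distinguishes symmetric encryption (one shared key at both ends) from asymmetric encryption (a public key at one end, a different private key at the other). The following added example, which is not code from the supplement or any of its contributors, makes that difference concrete in Python: a small stream cipher constructed from SHA-256 stands in for the symmetric case, and textbook RSA with tiny constructed primes stands in for the asymmetric case. Both are teaching stand-ins, not the ciphers a real system would use, and every key, prime and message in the block is constructed.

```python
import hashlib
from math import gcd


# --- Symmetric: one shared key both encrypts and decrypts --------------------
# Illustrative stream cipher (constructed for this example): the keystream is
# SHA-256 over the key and a counter, XORed with the message. Production code
# would use a vetted cipher such as AES-GCM from a maintained library instead.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))


def sym_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation with the same key
    return sym_encrypt(key, ciphertext)


# --- Asymmetric: the public key encrypts, a different private key decrypts ---
# Textbook RSA with constructed tiny primes, to show the key-pair idea only:
# no padding and far too small to protect anything real.
def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e
    return (e, n), (d, n)        # (public key, private key)


def rsa_encrypt(public_key, message: int) -> int:
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(message, e, n)


def rsa_decrypt(private_key, ciphertext: int) -> int:
    d, n = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    shared = b"shared secret key"
    box = sym_encrypt(shared, b"meet at noon")
    print(sym_decrypt(shared, box))            # the same key opens it
    print(sym_decrypt(b"wrong key", box))      # any other key yields garbage

    public, private = rsa_keypair()
    c = rsa_encrypt(public, 65)
    print(rsa_decrypt(private, c))             # 65: only the private key recovers it
```

The asymmetric half is where the key-escrow question in the entry bites: whoever holds the private exponent `d` can read everything encrypted to the matching public key, so handing over "the key" means handing over that one value.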

G is for gateway crimes

In the world of addiction prevention, the notion of a gateway drug is well understood – a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency’s cyber crime unit, digital piracy can become a gateway to more serious online crime.

Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was “important that they put those skills to good use and are not tempted unwittingly to cyber criminality”.

Jon Bernstein

G is also for graduated security

H is for Heartbleed

Heartbleed is the open-source software flaw that affected more than 60 per cent of the internet over a year ago. It allowed access to the private key used by individuals and businesses to encrypt web traffic. In particular, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace.

Heartbleed served as a long overdue wake-up call for the IT industry: in some IT organisations the percentage of open-source code used is greater than 25 per cent, meaning there’s a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the zero-day vulnerability posed by Heartbleed.

The moral of the Heartbleed story is that, while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.

Lev Lesokhin is an executive vice-president at CAST Software

H is also for honey pot and hot wash
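The "basic flaw" the H entry refers to was a missing bounds check: a heartbeat record declared a payload length, and the server copied that many bytes from memory without confirming that many bytes had actually arrived. The following added example (not code from the supplement, CAST Software or OpenSSL) models that class of defect in Python so the check itself is visible: a deliberately unchecked handler beside the hardened one, run over a constructed byte buffer standing in for process memory. The record layout, the buffer contents and the function names are constructed for illustration and are not OpenSSL's real code.

```python
import struct

HEARTBEAT_REQUEST = 1  # constructed record type code


def build_heartbeat(payload: bytes, claimed_length=None) -> bytes:
    """Build a heartbeat record: 1-byte type, 2-byte big-endian payload length,
    then the payload. A sender may state a length that differs from the payload
    actually sent; that mismatch is what the handler must catch."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload


def respond_unchecked(memory: bytes, received_len: int) -> bytes:
    """Defective pattern: trusts the declared length and copies that many bytes
    from where the payload starts, even past the end of what was received."""
    _, length = struct.unpack_from("!BH", memory, 0)
    return memory[3:3 + length]


def respond_checked(memory: bytes, received_len: int):
    """Hardened pattern: the declared length must fit inside the bytes actually
    received (header plus payload); otherwise the record is dropped (None)."""
    if received_len < 3:                      # not even a full header
        return None
    _, length = struct.unpack_from("!BH", memory, 0)
    if 3 + length > received_len:             # claims more payload than arrived
        return None
    return memory[3:3 + length]


# Constructed stand-in for process memory: whatever happened to be stored next
# to the received record. Labelled text rather than real key bytes.
NEIGHBOUR = b"[neighbouring memory: private key bytes]"


def simulate(claimed_length=None):
    """Return (unchecked response, checked response) for a 'ping' heartbeat
    whose header claims claimed_length bytes (None = honest length)."""
    record = build_heartbeat(b"ping", claimed_length)
    memory = record + NEIGHBOUR
    return respond_unchecked(memory, len(record)), respond_checked(memory, len(record))


if __name__ == "__main__":
    print(simulate())    # honest record: both handlers echo b'ping'
    print(simulate(20))  # over-claimed length: unchecked leaks neighbouring bytes, checked drops it
```

The review lesson is the one the entry draws: a length field received from the network is input, and every copy driven by it needs to be bounded by what was actually received, whoever wrote the component and however many eyes have looked at it.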

I is for identity management

For practical purposes, an identity is a combination of username and password (you might call it a login or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.

Between home and work we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords, we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be – known as authentication – and, in a corporate environment, it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change – referred to as authorisation.

Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, cloud or mobile devices.

Bill Mann is the chief product officer at Centrify

I is also for incident, information assurance, intrusion and intellectual property
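The I entry separates authentication (proving who you are) from authorisation (what your current role may do), and Peter Wenham's article earlier in the supplement describes the policy behind the second: each data owner states who can access a data set and what they can do to it. The following added example, not code from the supplement, Centrify or Trusted Management, implements both in Python: passwords are stored as salted PBKDF2 hashes and checked in constant time, and access decisions are looked up from an owner-defined policy by the user's current role, so a role change revokes the old access instead of accumulating it. The policy table, user names and passwords are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Authorisation policy as a data owner would set it (the "who can access the
# information and what they can do to it" matrix): data set -> role -> actions.
# Constructed for illustration.
POLICY = {
    "hr_records": {
        "hr_staff": {"read", "edit"},
        "hr_director": {"read", "edit", "delete", "copy"},
    },
    "finance_ledger": {
        "finance_staff": {"read"},
        "finance_director": {"read", "edit", "delete", "copy"},
    },
}

ITERATIONS = 100_000  # PBKDF2 work factor; raises the cost of offline guessing


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Directory:
    """Minimal identity store: authenticates users and authorises actions from
    their current role, so moving someone between roles replaces their access."""

    def __init__(self, policy=POLICY):
        self.policy = policy
        self.users = {}   # username -> {"salt", "hash", "role"}

    def add_user(self, username: str, password: str, role: str) -> None:
        salt = os.urandom(16)                      # per-user salt, never reused
        self.users[username] = {"salt": salt, "hash": _derive(password, salt), "role": role}

    def authenticate(self, username: str, password: str) -> bool:
        """Authentication: does the caller prove the identity they claim?"""
        user = self.users.get(username)
        if user is None:
            _derive(password, bytes(16))           # same cost for unknown users
            return False
        return hmac.compare_digest(user["hash"], _derive(password, user["salt"]))

    def authorise(self, username: str, dataset: str, action: str) -> bool:
        """Authorisation: does the user's current role permit this action?"""
        user = self.users.get(username)
        if user is None:
            return False
        return action in self.policy.get(dataset, {}).get(user["role"], set())

    def change_role(self, username: str, new_role: str) -> None:
        """A move between roles replaces access rather than adding to it."""
        self.users[username]["role"] = new_role


if __name__ == "__main__":
    d = Directory()
    d.add_user("alice", "correct horse battery staple", "hr_staff")
    print(d.authenticate("alice", "correct horse battery staple"))  # True
    print(d.authorise("alice", "hr_records", "read"))              # True
    print(d.authorise("alice", "finance_ledger", "read"))          # False
    d.change_role("alice", "finance_staff")
    print(d.authorise("alice", "hr_records", "read"))              # False now
```

Keeping the policy table separate from the user store is what lets the business own the decision while IT runs the mechanism: the HR director edits the `hr_records` row, and the code that enforces it never changes.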

J is or jamming Jamming is a technique used by

t

t

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 103400 MONTH 2014 | NEW STATESMAN | 9

Even though there are an estimated100000 or so flights every day glob-ally for many people air travel still

retains a large fear factor for the simplereason that aircraft disasters althoughstatistically incredibly rare still dominatenews headlines when they occur Regard-

less that you are more likely to die fallingout of bed (a one in two million chance)than in a plane crash (a one in 11 millionchance) many people still fear flying

Unfortunately this article will hardlyhelp to assuage those fears As many busi-nesses will know the increasing threat ofa cyber attack is something that has beengaining a great deal of media attention inrecent years and the aviation industrynow finds itself a target for cyber attacksof various kinds So is it now possible forhackers to seize control of an aircraft

Not yet but the industry is comingunder sustained attack from a variety ofsources A security researcher Chris Rob-erts reportedly hacked into an aircraftflight system to demonstrate its vulner-ability only to tweet about it and subse-quently find himself under arrest by theFBI when he landed

More recently LOT Polandrsquos nationalairline had its aircraft grounded follow-ing a hack that targeted computers issuingflight plans at Warsaw airport

What these examples highlight is the

vulnerability of the aviation industry to

the growing threat of a cyber attack a di-rect consequence of the proliferation oftechnology within the industry NewBoeing models are flown with the help ofadvanced computer systems with pilotsceding aspects of control to technology While this has allowed for great strides in

aircraft safety particularly during landingand take-off it has also given hackers andother cyber criminals a new target

There are a multitude of attack methodsthat pose a threat to airlines On a groundlevel phishing attacks are a popularmethod used by criminals whereby fakeemails are sent to staff in order to attemptto retrieve sensitive company informa-tion such as passwords According to theCentre for Internet Security (CIS) 75 USairports were targeted with attacks of thissort in 2014 highlighting the frequency at

which cyber criminals are operatingRemote hacking and wifi attacks are an-

other form of attack with flight controlsystems and wifi networks offering a newmeans for hackers to compromise an air-craftrsquos command centre Couple this withldquoghostrdquo flights when a hacker inserts orremoves a planersquos projection on to radarscreens and there is plenty for the aviationindustry to consider alongside existingstringent safety measures

The aviation industry is just one fac-ing up to this new threat as it becomes

more reliant on technology Shipping and

New aircraf technology designed to enhance saety gives hackersa resh target warns Jack Elliott-Frey

Threat ndash and theinnovation dilemma

ports rail networks retail and financeare just some of the other areas of busi-ness that are facing serious cyber threatsas their core business moves online andrelies on increasingly connected networksto operate

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher, and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses "it is not a matter of if you are hacked but when". For the aviation industry, and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.

Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London specialising in cyber insurance

To find out more, visit safeonline.com

IN PARTNERSHIP WITH SAFEONLINE


A-Z OF CYBER SECURITY

attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1 By flooding spectrum using a signal generator
2 By attacking the transmission collision avoidance protocols to prevent other stations from transmitting
3 By exploiting a vulnerability in the protocols that process transmissions

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case, the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming.
Steve Armstrong is a certified instructor at the SANS Institute
J is also for joint authorisation

K is for Kim Jong-un
Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014 Sony Pictures Entertainment fell victim to a massive leak of sensitive information – more than 100 terabytes of data, claimed the assailants – ranging from internal emails and employee salaries to details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel, and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect" from North Korea. For its part, the country continues to deny any involvement.
Jon Bernstein
K is also for key and key escrow

L is for licensing
It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be overstated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits, and invariably leaves them paying significantly more than they should for the technology they use in their business.
Gareth Johnson is the CEO of Crayon
L is also for the law and logic bombs

M is for Melissa
The Melissa virus struck in March 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that, at the time, was highly innovative. Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim's address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.
Lenny Zeltser is a senior instructor at the SANS Institute
M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience
We all rely on network connectivity in our day-to-day lives – from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services


Big data: the future of UK cyber security

Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data – from smartphones to intelligent fridges, industrial sensors to CCTV cameras – are developing and adapting.

For a business, this vast universe of data could consist of 10,000 devices connected to the network, transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached, but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats, and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest-priority threats that lie hidden amidst the large volume of data, and feeding these threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (the identification of previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.
Paul Stokes is the chief operating officer for Wynyard

To find out more, visit wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP


How safe are your crown jewels?

No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information.

It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that, the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony. And Target, and eBay, and Home Depot, and JP Morgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels
Companies today have an overflowing amount of information and multiple routes in to reach it. For many, the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong too.

Six activities to help protect your crown jewels
1 Make detection part of your strategy
Many organisations have already been breached; they just don't know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3 Look after your data when it's inside and outside your organisation
Today, in our interconnected world, our data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers

IN PARTNERSHIP WITH AVATU

Many and multiple devices can be the weak point in your security

Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels"

Are you really protecting your crown jewels?
Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc.

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free.


are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or by incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, known as a distributed denial of service (DDoS) attack.

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.
Garry Sidaway is a senior vice-president at NTT Com Security
N is also for non-repudiation
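As an added example (not code from NTT Com Security, Wynyard or this supplement), here is the shape of the rate-anomaly detection that both this entry and Paul Stokes's big data piece above describe: learn what normal traffic looks like from a baseline period, flag any later window that exceeds it, and report whether the excess comes from one address or from many, which is what separates a DDoS from a single misbehaving client. The log format, addresses and traffic volumes are constructed for the example; the code uses only the Go standard library.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Request is one parsed access-log record: arrival time and source address.
type Request struct {
	At     time.Time
	Source string
}

// ParseLog reads constructed lines "<RFC3339 time> <source IP> <method> <path>", skipping malformed ones.
func ParseLog(lines []string) []Request {
	var reqs []Request
	for _, line := range lines {
		if f := strings.Fields(line); len(f) >= 4 {
			if t, err := time.Parse(time.RFC3339, f[0]); err == nil {
				reqs = append(reqs, Request{At: t, Source: f[1]})
			}
		}
	}
	return reqs
}

// Alert is one window whose request count exceeded the learned threshold. TopShare is the
// fraction of its requests sent by the busiest address: near 1 is one noisy client, near 0 a distributed flood.
type Alert struct {
	Window    time.Time
	Count     int
	TopSource string
	TopShare  float64
}
type bucket struct{ window int64; source string } // per-window, per-source counter key

// DetectFlood buckets requests into fixed windows, learns mean and standard deviation of
// requests-per-window from the first `baseline` windows, and flags later windows above mean + k*stddev.
func DetectFlood(reqs []Request, window time.Duration, baseline int, k float64) []Alert {
	size := int64(window.Seconds())
	counts, perSource := map[int64]int{}, map[bucket]int{}
	for _, r := range reqs {
		w := r.At.Unix() / size
		counts[w]++
		perSource[bucket{w, r.Source}]++
	}
	keys := make([]int64, 0, len(counts))
	for w := range counts {
		keys = append(keys, w)
	}
	sort.Slice(keys, func(i, j int) bool { return keys[i] < keys[j] })
	if len(keys) <= baseline {
		return nil // nothing beyond the training period to judge
	}
	var sum, sumSq float64
	for _, w := range keys[:baseline] {
		c := float64(counts[w])
		sum, sumSq = sum+c, sumSq+c*c
	}
	mean := sum / float64(baseline)
	threshold := mean + k*math.Sqrt(math.Max(sumSq/float64(baseline)-mean*mean, 0))
	var alerts []Alert
	for _, w := range keys[baseline:] {
		if float64(counts[w]) <= threshold {
			continue
		}
		top, topN := "", 0
		for b, n := range perSource {
			if b.window == w && (n > topN || (n == topN && b.source < top)) {
				top, topN = b.source, n // deterministic tie-break on address
			}
		}
		alerts = append(alerts, Alert{Window: time.Unix(w*size, 0).UTC(), Count: counts[w],
			TopSource: top, TopShare: float64(topN) / float64(counts[w])})
	}
	return alerts
}

// SampleLog is a constructed log: 60s of normal traffic (2-4 requests/s from one client), then 10s in which 200 addresses each send 2 requests/s.
func SampleLog() []string {
	start := time.Date(2015, 9, 18, 10, 0, 0, 0, time.UTC)
	var lines []string
	for s := 0; s < 70; s++ {
		ts := start.Add(time.Duration(s) * time.Second).Format(time.RFC3339)
		for i := 0; s < 60 && i < 2+s%3; i++ {
			lines = append(lines, fmt.Sprintf("%s 198.51.100.10 GET /page/%d", ts, i))
		}
		for b := 1; s >= 60 && b <= 200; b++ {
			src := fmt.Sprintf("203.0.113.%d", b)
			lines = append(lines, ts+" "+src+" GET /login", ts+" "+src+" POST /login")
		}
	}
	return lines
}

func main() { fmt.Printf("%+v\n", DetectFlood(ParseLog(SampleLog()), 10*time.Second, 6, 3)) }
```

With ten-second windows, six baseline windows and k = 3 the sample flags exactly one window: the flood, 4,000 requests against a baseline of about 30, with its busiest address responsible for half a per cent of them. The "scrubbing" the entry mentions is what a provider does once such a window is flagged; the detection is only useful if the baseline was learned on traffic that was itself clean.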

O is for outside threat
As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person's or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.
Garry Sidaway is a senior vice-president at NTT Com Security
O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities, many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.
Jon Bernstein
P is also for passive attack, personally identifiable information and phishing

Edward Snowden: the ultimate breach-of-privacy dilemma

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will


Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care, and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement, and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme:

1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4 Ensure the training you provide is up to date and relevant to the task in hand. Provide real-life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".
5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly, it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.
Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more, visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you're serious about cyber security?

What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it.

Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses, and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of its Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.
Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more, visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update their signatures and detection rules to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps, such as automated vulnerability scans, to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, which traditional risk assessments miss.

Consider these questions when contemplating a risk assessment:
1 Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2 Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3 Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers, and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one and three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps:
1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2 Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3 Protect your mobile devices with a strong PIN or passcode, or use fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4 Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute
U is also for unauthorised access


A-Z OF CYBER SECURITY


V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi

V is also for vulnerability and virus
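The issue-and-verify flow described above, as an added example (not the article's or Venafi's code): a toy certification authority signs a certificate body with its private key, a relying party checks it against the CA's public key from its own trust store, and the last case shows why a compromised CA key defeats the check. It assumes textbook RSA over SHA-256 with no padding and constructed keys built from well-known Mersenne primes; the CA name and host names in it are made up for illustration.

```python
"""Toy certificate issuance and verification.  Added example, not from the
article.  Assumptions: textbook RSA over SHA-256 without padding, keys built
from well-known Mersenne primes purely so they are easy to write down.  A real
PKI uses X.509, padded signatures, chains, expiry and revocation."""
import hashlib
import json


def make_toy_rsa_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: returns (public, private) dicts. Toy only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return {"n": n, "e": e}, {"n": n, "d": d}


def canonical_bytes(obj) -> bytes:
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(private_key: dict, data: bytes) -> int:
    """Signature = H(data)^d mod n; only the private-key holder can make it."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, private_key["d"], private_key["n"])


def verify_signature(public_key: dict, data: bytes, signature: int) -> bool:
    """Anyone holding the public key checks signature^e mod n == H(data)."""
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(signature, public_key["e"], public_key["n"]) == h


def issue_certificate(issuer: str, ca_private_key: dict, subject: str,
                      subject_public_key: dict) -> dict:
    """The CA binds a subject name to a public key and signs that binding
    (the 'to-be-signed' part, in X.509 terms) with its private key."""
    tbs = {"issuer": issuer, "subject": subject,
           "public_key": subject_public_key}
    return {"tbs": tbs, "signature": sign(ca_private_key, canonical_bytes(tbs))}


def verify_certificate(cert: dict, trusted_cas: dict) -> bool:
    """Relying party: find the issuer's public key in its own trust store and
    check the CA signature over the certificate body."""
    ca_public = trusted_cas.get(cert["tbs"]["issuer"])
    if ca_public is None:  # unknown issuer: nothing to verify against
        return False
    return verify_signature(ca_public, canonical_bytes(cert["tbs"]),
                            cert["signature"])


# Constructed keys (Mersenne primes 2^k - 1); not a sensible real-world choice.
CA_PUBLIC, CA_PRIVATE = make_toy_rsa_keypair((1 << 127) - 1, (1 << 521) - 1)
ROGUE_PUBLIC, ROGUE_PRIVATE = make_toy_rsa_keypair((1 << 107) - 1, (1 << 607) - 1)
SERVER_PUBLIC, _ = make_toy_rsa_keypair((1 << 89) - 1, (1 << 127) - 1)


def run_checks() -> dict:
    """Exercise the cases the entry describes and return each verdict."""
    trust_store = {"Example Root CA": CA_PUBLIC}  # constructed CA name
    genuine = issue_certificate("Example Root CA", CA_PRIVATE,
                                "shop.example", SERVER_PUBLIC)

    # 1. Alter the subject after signing: the hash changes, the check fails.
    tampered = json.loads(json.dumps(genuine))
    tampered["tbs"]["subject"] = "bank.example"

    # 2. A CA absent from the trust store cannot vouch for anyone.
    unknown_issuer = issue_certificate("Rogue CA", ROGUE_PRIVATE,
                                       "shop.example", SERVER_PUBLIC)

    # 3. Claim the trusted issuer's name but sign with a different key.
    forged = issue_certificate("Example Root CA", ROGUE_PRIVATE,
                               "shop.example", ROGUE_PUBLIC)

    # 4. The subversion the entry warns about: if the CA's private key is
    #    stolen, the resulting certificate is indistinguishable from a real
    #    one, so the key itself must be protected (HSM, access control,
    #    monitoring), not just the verification step.
    stolen_key = issue_certificate("Example Root CA", CA_PRIVATE,
                                   "bank.example", ROGUE_PUBLIC)

    return {
        "genuine": verify_certificate(genuine, trust_store),
        "tampered": verify_certificate(tampered, trust_store),
        "unknown_issuer": verify_certificate(unknown_issuer, trust_store),
        "forged_signature": verify_certificate(forged, trust_store),
        "stolen_ca_key": verify_certificate(stolen_key, trust_store),
    }


if __name__ == "__main__":
    for case, ok in run_checks().items():
        print(f"{case:18s} verifies={ok}")
```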

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein

W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein

X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat

Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malwares, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially by sending information about vulnerable software to the party responsible for its creation, so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero day for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero day as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland

Z is also for zombie


Cyber security: a must do for SMEs
For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. "Much of the software doesn't work anyway, and they know it," he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best. "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others.

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

"Total security is a futile concept"

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam
Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromise and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience, at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change and the cyber threats that come with it are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor
UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail
Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance: Do you have policies in place for users to follow?
• Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: Do you protect and monitor your IT infrastructure?
• Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry.
Max Perkins can be contacted at max.perkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option
Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data or passwords and login details from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners and those users, devices and applications that are authorised to access the data can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course, passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.
Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


2. "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately, and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives.

Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough, and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or indeed weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore, cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1. Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place, using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and, in turn, result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that, when online, everybody is a target and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY

Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees, or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition, embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE

The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational and, in this case, national objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS

FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago
74% of small businesses experience security breaches, up from 60% a year ago
£1.46m–£3.14m: average cost of worst security breaches to large organisations
£75k–£311k: average cost of worst security breaches to small businesses
50% of worst breaches caused by inadvertent human error

Security breach by type (percentage of organisations affected)

Type                        Large organisations   Small organisations
Staff-related                       75%                  31%
Unauthorised outsider               69%                  38%
Denial of service attack            30%                  16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)

Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCeL London

Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

Page 2: Avatu - A to Z Cyber Security

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 234

983090 | NEW STATESMAN | 18-24 SEPTEMBER 2015

Four pieces of enlightening news land-ed on my desk on the same day recent-ly First there was a story in the Fi-

nancial Times quoting the new chairmanof the Institute of Directors Lady Barbara Judge saying that cyber security is so

overwhelming to boards that their reac-tion is to file it in the ldquotoo difficult cat-egoryrdquo ndash her words not mine ndash rather thantackle the issue head-on

Then there came research from Marshthe global insurance broking and risk man-agement firm which showed that manyUK companies are failing to assess theircustomers and trading partners for cyberrisk adequately and are more vulnerableto cyber attacks themselves as a result

Third was a story from the Telegraph which highlighted that the average cost of

a cyber attack is now pound146m a yearAnd last of all came news from the

United States that the head of the gov-ernmentrsquos personnel office had abruptlyresigned because hackers had stolen thesensitive information of some 21 mil-lion employees including bank accountdetails health reports and even securityclearance assessments

It was a big news day for information se-curity But what struck me most was thatcollectively it painted a picture of a seriousand expensive problem which was being

dealt with ineffectively

By not facing up to the changing worldleaders are playing Russian roulette ndash withtheir companyrsquos success and the futureof their careers Boards and chief officersneed to understand that cyber security isno more than a complicated business risk

And executives can choose to be a victim(and leave the challenge in the too difficulttray) or go on the offensive

In my experience leaders of the most suc-cessful growing companies usually tackle

challenges squarely rather than passively

wait to deal with the consequencesThe issue does not have to be compli-

cated or confusing It can start with somevery simple questions such as these below

Questions that chief officers and

boards should be asking about

information security

1 Do we know if wersquove ever been breached Companies often donrsquot knowtheyrsquove had a data leak until long after ithas happened There are advanced detec-tion systems that can do this as part of

a layered info security monitor system

These are the 1047297ve simple questions you should be asking to demystiy cyber securityand protect your business (and career) writes Joe Jouhal

Time to stop playingRussian roulette

2 Where is our most sensitive potentiallydamaging and most valuable informationAll of it every piece of it every copy (thiscould be customer information staff re-cords IP financial information businessplans emails between executives hellip and

much more) Who has access to it Whatspecial arrangements do we have to pro-tect it within our systems3 How do we protect our sensitive datawhen itrsquos outside our perimeter Howdo we stop it being seen or shared withunauthorised people4 These days most of us use more thanone device for work How do we protectall of these end-points Are they a poten-tial weak point of access to our systemsand data5 Do we have insurance to make us more

risk-aware and more prepared to mitigatethe risk

There are tools technology and prac-tices to mitigate all these issues And fac-ing this information security challengehead-on demonstrates stronger leader-ship strengthens a businessrsquos resilienceand protects chief officersrsquo current rolesand future job prospects l Joe Jouhal is managing director at Avatuthe information security specialists

Join a one-day seminar ree to

New Statesman readers see page 13

IN PARTNERSHIP WITH AVATU

Leaders are playing arisky game with company

and career alike

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 33400 MONTH 2014 | NEW STATESMAN | 9830910

The threats posed by cyber breaches tothe UK government critical nationalinfrastructure financial institutions

and all levels of corporate entities withinour sovereign shores are irrefutable Yetwhile the agenda regarding the skills gap isnever more relevant to the UK than at pre-sent too little is being done to reduce our

risk of a cyber attack by increased trainingand awareness

Several schemes have been created inrecent years to address what is perceivedas the cyber skills gap However theseschemes and government policies onlyfocus on the two realms of attack and re-covery Certification available today eitherdevelops simulated attack expertise in-tended to identify weakness or recoveryexpertise designed to recover from or in-vestigate an attack Both of these strategiesare fine and play an important role in shor-

ing up our defences but the cyber skillsgap is bigger than this

When we ask why computer systemsare vulnerable we can identify two mainareas of weakness the software develop-ers and the computer users Not enoughis being done to enhance the skills of thesoftware developers to better defendagainst cyber attack and too little is be-ing done to upskill the computer users toidentify socially based and other attacksaimed at gaining user credentials and othersensitive information which can be used

in a cyber attack

Government policies are mandating ITsecurity health checks and simulated at-tacks on a regular basis however little tono security quality checking is being car-ried out on the software solutions priorto procurement There is no certificationpath for software developers to identifythat they have been trained in the disci-

pline of secure codingIn part this issue is a cultural one Soft-

ware companies are looking to ship soft-ware within a defined project develop-ment life cycle in order to meet customerdemands and to remain profitable Withthe ever increasing number of softwareplatforms developer companies nowneed to ship their products to AppleLinux multiple Windows platforms anda vast variety of mobile phones and morerecently wearable devices not to mentionthe advent of the Internet of Things

Studies have been conducted into theoverheads created when consciously cre-ating secure code using an established se-cure development life cycle and surpris-ingly it is as little as 14 per cent additionalresource However 14 per cent additionalresource to the bottom line of any busi-ness is unpalatable

It is clear that focus on providing thenext generation of software developerswith a clear understanding of securityand how their work may be attacked andabused will prevent a large number of at-

tacks from occurring in the first instance

What level of investment is needed for the UK to deal effectively

with a rapidly expanding global cyber-threat landscape

First line of attackand weakest defence

The computer users are the first line ofattack and generally the weakest defenceThey must be made aware of the threatsand educated in how to respond to themand defend against them At the veryleast this should be a standard part of anyinduction programme that should be re-freshed frequently Why not introduce

formal certifications that lead to a licenceto operate a little like the driving licencetheory and practical tests Organisations both large and small need to invest morein educating staff in cyber security and itmust be an ongoing process lEstablished in 2006 Encription is a UK-and Ireland-based IT security specialistcompany delivering services worldwideto a diverse client base including theUK central government the Ministry ofDefence police fire and rescue services

financial institutions professional service

companies manufacturers smallmedium-sized and large businesses andcharities With experienced consultantsat your disposal Encription is able to meetyour IT security needs no matter how simple or complex including penetrationtesting in all disciplines advancedresearch digital forensics at evidential standard and training

We are ISO 27001 and ISO 9001 certifiedand also CESG CHECK TigerScheme andCyberScheme members Contact us on +44

(0)330 100 2345 or at encriptioncouk

IN PARTNERSHIP WITH ENCRIPTION

9830910 | NEW STATESMAN | 18-2 4 SEPTEMBER 2015

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 434

New Statesman2nd Floor

71-73 Carter LaneLondon EC4V 5EQ Tel 020 7936 6400Subscription inquiriesreprints andsyndication rightsStephen Brasher

sbrashernewstatesmancouk0800 731 8496

Supplement Editor Jon BernsteinDesign and ProductionLeon ParksGraphicsLeon ParksSub-Editor Prudence Hone

Account Manager Penny Gonshaw+44 (0)20 3096 2269

Commercial Director Peter Coombs+44 (0)20 3096 2267

CONTENTS

4 A-Z of cyber security
U is for understanding: unravelling the code, from advanced persistent threats to zero days

20 View from the experts
"Total security is a futile concept": where does the biggest threat lie?

31 Facts and figures
Security breaches by numbers: how UK businesses, big and small, are coping with cyber threats

Countering the threat

Between the day when this supplement was conceived and the moment it was sent to press, the name Ashley Madison, the dating site that facilitates extramarital affairs, was added to the hall of cyber security shame. Hackers stole the personal details of 37 million members of the morally ambiguous website, causing embarrassment and ignominy.

The US government's Office of Personnel Management is another recent inductee to the hall of shame, victim of a hack attack that resulted in 21.5 million federal employee records being stolen. There have been many others, and there will probably be more between printing and distribution, and then between distribution and reading.

Perhaps that makes 32 pages devoted to cyber security especially timely, but in truth it would have been timely at any point in the past two decades.

Cyber security is a complex concept, not least because it acts as an umbrella term to cover an array of threats as well as the methods used to address those threats.

Countering the challenge falls into three broad categories: threat management (keeping the bad guys out), security information management, and identity and access management (locking the front, back and side doors).

As for the threats themselves, the terminology can be baffling. Working on the assumption that many people don't know their APTs from their DoS, or their malware from their zero-day attacks, the centrepiece of this supplement is an A-Z of cyber security terms (see page four).

Cyber security is complex for at least another three reasons. First, a security breach is just as likely to be the result of the actions of an internal member of staff (sometimes deliberate, often accidental) as it is the effect of external actors. Consider this: three-quarters of the security breaches that affected large UK companies last year were the result, at least in part, of employee-related activity (see page 31).

Second, given that cyber security is now a multibillion-dollar products and services industry, the sceptical response is to suggest that some unscrupulous suppliers trade on people's fears. That assertion is robustly addressed by four security experts (see page 20).

And third, as one of those experts, Mark Brown from EY, acknowledges, "100 per cent security is a futile concept". What is needed instead is best endeavours. That requires informed decision-making. It's time to start reading.

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

The paper in this magazine originates from timber that is sourced from sustainable forests, responsibly managed to strict environmental, social and economic standards. The manufacturing mills have both FSC and PEFC certification and also ISO9001 and ISO14001 accreditation.

First published as a supplement to the New Statesman of 18-24 September 2015. © New Statesman Ltd. All rights reserved. Registered as a newspaper in the UK and USA.

A-Z OF CYBER SECURITY

Cyber security comes with a language all of its own, often opaque and replete with acronyms. With some expert help, we unravel the code, from advanced persistent threat to zero days.

U is for understanding

A is for advanced persistent threat

An APT is an attack carried out by an adversary that targets and exploits individuals rather than computers and operating systems. Its intent is to be stealthy, targeted and data-focused. Typically an APT targets individuals in an organisation. The adversary performs extensive reconnaissance and then sends a targeted piece of information, such as a web link or an email, to trick the user into opening up vulnerabilities. From this breach the adversary uses the compromised system as a pivot point into the organisation's network.

The trick in dealing with APTs is recognising that prevention is ideal, but detection is a must. Organisations will get compromised by APTs. The goal is to minimise the frequency and impact of this by controlling where the adversary can get to in the network and how much damage it can do.

Here are three things you can do to limit the impact of an APT:
1 Content filtering and examination of behavioural anomalies
2 Create highly segmented networks to prevent lateral movement
3 Monitor outbound traffic for the attacker's command-and-control channels

Eric Cole is a faculty fellow and course author at the SANS Institute

A is also for authorisation, active attack and anti-virus software
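Point 3 above, monitoring outbound traffic for command-and-control channels, is the most mechanical of the three, so here is what the detection logic can look like. This is an added example written for this page, not code from the supplement or from SANS. It assumes a connection log with one line per outbound connection (timestamp, source host, destination, bytes sent; the sample lines below are constructed) and looks for the tell-tale of an implant checking in: connections to the same destination at almost perfectly regular intervals, which humans browsing never produce.

```python
"""Flag periodic outbound connections (command-and-control beaconing) in a
connection log.  Added example; not code from the supplement or SANS."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic).  Fields: timestamp, source host,
# destination address, bytes sent.  The 203.0.113.10 connections repeat every five
# minutes almost to the second, which is what an implant's check-in looks like.
SAMPLE_LOG = """\
2015-09-18T09:00:00 ws-017 203.0.113.10 512
2015-09-18T09:00:31 ws-017 198.51.100.7 2048
2015-09-18T09:05:00 ws-017 203.0.113.10 520
2015-09-18T09:07:12 ws-017 198.51.100.7 9100
2015-09-18T09:10:01 ws-017 203.0.113.10 512
2015-09-18T09:15:00 ws-017 203.0.113.10 516
2015-09-18T09:20:00 ws-017 203.0.113.10 512
2015-09-18T09:21:45 ws-017 198.51.100.7 300
2015-09-18T09:25:00 ws-017 203.0.113.10 512
2015-09-18T09:44:03 ws-017 198.51.100.7 12000
"""


def parse_log(text):
    """Group connection times by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(text, min_connections=5, max_jitter=0.2):
    """Return flows whose inter-connection intervals are suspiciously regular.

    jitter = standard deviation / mean of the intervals between connections.
    A person browsing a site produces large jitter; a timer-driven implant
    produces very little.  Flows with too few connections are left alone.
    """
    suspects = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            suspects.append({"src": src, "dst": dst, "connections": len(times),
                             "mean_interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return suspects


if __name__ == "__main__":
    for s in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {s['src']} -> {s['dst']} every {s['mean_interval_s']}s "
              f"({s['connections']} connections, jitter {s['jitter']})")
```

On the sample, only the 203.0.113.10 flow is reported. Real implants add random sleep to their interval precisely to defeat this, so in production the jitter threshold is tuned upwards, the window is extended to hours or days, and the result is combined with destination reputation and with the volume of data sent, rather than used on its own.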

B is for biometrics

Biometrics refers to authentication tools and technologies such as facial recognition, fingerprinting and retina scanning.

With traditional password-based security increasingly defeated by cyber criminals, biometrics are becoming popular because they can be a much harder target for hackers.

Biometrics are more difficult to hack, but should not be seen as a replacement for password technology. Whether it's voice recognition or fingerprint technology, biometrics do solve some of the flaws inherent in modern password systems, but they also bring a different set of challenges. For example, fingerprints can be reproduced, some prints are stronger than others, and changes in the physical appearance of the user can throw off the results in facial recognition. And unlike a password, a fingerprint that has been copied cannot be reissued.

Used together, passwords and biometrics provide a stronger form of protection. One serves as a backup for the other, raising the barrier further for unauthorised users attempting to gain access and hack a system. For example, security tools that incorporate multi-factor authentication, combining encryption with biometric fingerprint technology and a typical password, can ensure that devices are covered on all bases.

Nicholas Banks is a vice-president of IronKey by Imation

B is also for bot, backdoor, boundary protection and BYOD

[Picture caption: E is for encryption: the process is at once intellectually simple and morally complex]

IN PARTNERSHIP WITH TRUSTED MANAGEMENT

Why infosec is the great enabler

Just as a car's brakes take the risk out of driving, so information security makes business possible, writes Peter Wenham

Information security (infosec, or just security) often gets a bad press and is often seen in a negative light. Why is this? Is it the influence of sensationalism in the media about the bad guys getting heaps of credit-card data? Or is the coverage causing fatigue because the messages are seen as being overhyped, and in a sense that "it's not happened here yet"? Is it that the costs associated with infosec are seen as coming off the bottom line with no apparent benefit? Perhaps an expensive infosec project failed or costs spiralled.

Whatever the reason, infosec needs to be better understood. It is, after all, a business enabler; but can we demonstrate that? A good analogy is to ask why cars are built with brakes. Ask an audience and the majority answer will be "because they stop the car". The real reason is that the brakes enable the car to be driven. In other words, they take the risk out of driving the car at speed, because the brakes can be used to slow or stop it.

We can extend the analogy by comparing a Formula 1 racing car's brakes to a family car's brakes. Fit a family car's brakes to an F1 car and they will fail before the F1 car completes its first circuit. The quality of the brakes, or control, is proportionate to the risk: an F1 car needs far better brakes than those fitted to a family car because of its higher speeds and its acceleration and deceleration rates.

What is infosec actually doing in an organisation? It is protecting company data, be it intellectual property, finance and HR records or customer data. And each data type has a value. For example, sales and marketing information is of value to rivals planning to make a hostile bid. According to the value of the data or information, we can identify the threats, threat sources and business exposures.

By identifying the threats, sources and exposures, a set of general controls governing access to any data set, and the processing it can be subject to, can be determined.

So who owns infosec? In many organisations infosec is thrown lock, stock and barrel over the fence to the IT group, but they are the wrong people. While IT can devise, implement and manage technical controls in support of identified threats, it is the core business that understands what the organisation does and the threats and exposures it faces.

The business owns the information that drives an organisation. Information, and the data it is derived from, can and must be owned by only one person, for due diligence, auditability and legal and regulatory reasons. Hence the HR director (or equivalent) will own HR data, the finance director owns finance data, and so on.

What does "owning" the data mean? It means saying who can access data and for what purpose. Just because a person is the MD, CEO or a director does not mean that he or she should have access to all the company data. Information should be restricted on a "need to know" basis.

Nevertheless, care is needed in this area to ensure this principle is not applied too strictly.

Generally, directors in large organisations cannot have hands-on decision-making for all the data under their control, so any decision-making regarding access and use will be devolved down their organisations; but in the end they set the policy and retain overall responsibility.

In summary, you will have come to realise that for any specific informational area, such as HR, the business has identified the value of the information (public, company internal, sensitive and so on), who (or which groups) can access the information, and what they can do to it (create, delete, edit, copy, transmit and so on).

This is the information necessary to build a sane and sensible infosec strategy for a company, one that an IT department can take and turn into usable technical controls and an HR department can turn into user policies.

Peter Wenham is the director of Trusted Management, specialists in information assurance

To find out more, visit trusted-management.com

C is for cloud computing

As defined by Gartner, cloud computing is "a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using internet technologies". In other words, cloud computing enables companies to tap into extended resources situated anywhere in the world, creating efficiencies and scale, and allowing users to pay for services as they are used.

While the cloud brings a host of financial and business benefits, it also brings risks in the form of cyber theft, accidental data leaks and privacy fines. As sensitive information is of enormous value to criminals, cloud defence is imperative for businesses that hold such data.

A logical starting point is to identify all cloud applications in use, classify the types of data they hold and assess the risk level of each app. This then helps firms to map the appropriate security controls to protect data, such as encryption, tokenisation and data-loss prevention.

And finally, organisations should continuously monitor activities to detect and flag up any anomalies in the use of data.

Willy Leichter is the global director for cloud security at CipherCloud

C is also for critical infrastructure, cipher and cryptography

D is for denial of service

A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users.

To perpetrate this attack, cyber criminals will stealthily install software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim's website. These botnets can include tens of thousands of PCs, and an attack launched from one is referred to as a distributed denial of service (DDoS) attack. Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call.

DoS attacks are often used by groups with a grievance against a particular brand or political issue, and can be a smokescreen to confuse the target while other, more sophisticated attacks take place.

DoS attacks can be mitigated by countermeasures such as certain types of application traffic-management devices that can be configured to identify and discard traffic that appears to be coming from a botnet. There are also third-party services that act as a type of clearing house for web traffic and can counteract DoS attacks.

Stephen Sims is a course author and senior instructor at the SANS Institute

D is also for decryption and data breach

E is for encryption

Encryption is at once intellectually simple and morally complex.

At its most straightforward it is the act of encoding data, turning plain text into cipher text. Only those with a key or password can decode, or decrypt, the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an individual, business or government.

The strength of the encryption depends on how the technology is applied. Broadly, this happens in two ways: symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses a pair of mathematically related keys, one to encrypt at the beginning of the process and a different one to decrypt at the end. From a security point of view encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?

Jon Bernstein

E is also for event and exploit

F is for Flashback malware attack

The conventional wisdom dictates that Apple-made devices are less prone to security breaches than their Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.

The Flashback malware attack is one example of when Apple's defences, and those of its OS X operating system, were breached. Using a form of malware known as a Trojan Horse, it was first detected in 2011. As the term suggests, a Trojan Horse attack is based more on deception than stealth, and Flashback was initially disguised as an Adobe Flash Player plug-in before moving on to exploit vulnerabilities in Java. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated, so the victim is a passive participant, oblivious to the malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.

Jon Bernstein

F is also for fraud and firewall

[Picture caption: A movie about the North Korean leader Kim Jong-un triggered cyber attacks on the film company]
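The denial-of-service entry above says traffic-management devices "identify and discard traffic that appears to be coming from a botnet". One of the simplest building blocks of that is a per-source rate limiter with a sliding window: a client that fires far more requests than any person could is treated as a bot and dropped, so the eight switchboard lines stay free for everyone else. The code below is an added example written for this page, not the supplement's code nor any vendor's; the traffic trace it replays is constructed (three "bots" hammering a server and one ordinary client), and the limits (20 requests per 10 seconds) are assumed values.

```python
"""Sliding-window, per-source rate limiting: one building block of the
"identify and discard" countermeasure.  Added example; not code from the
supplement or from any traffic-management product."""
from collections import Counter, defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most max_requests per source in any window_seconds period.

    A source that exceeds its budget is treated as a bot and blocked for the
    rest of the run, mimicking a device that quarantines botnet members rather
    than re-evaluating them on every packet.
    """

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)   # source -> timestamps of accepted requests
        self.blocked = set()

    def allow(self, src, now):
        if src in self.blocked:
            return False
        recent = self.history[src]
        while recent and now - recent[0] >= self.window:   # forget requests outside the window
            recent.popleft()
        if len(recent) >= self.max_requests:
            self.blocked.add(src)
            return False
        recent.append(now)
        return True


def constructed_trace():
    """Synthetic traffic (not a real capture): three bots firing every 100 ms for
    20 seconds and one legitimate client making a request every 2 seconds."""
    trace = []
    for bot in ("203.0.113.5", "203.0.113.6", "203.0.113.7"):
        trace += [(i * 0.1, bot) for i in range(200)]
    trace += [(i * 2.0, "198.51.100.20") for i in range(10)]
    trace.sort(key=lambda t: t[0])
    return trace


def replay(trace, max_requests=20, window_seconds=10):
    """Run a (time, source) trace through the limiter.

    Returns (served, dropped, blocked): per-source counts plus the set of
    sources that were written off as bots.
    """
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    served, dropped = Counter(), Counter()
    for when, src in trace:
        if limiter.allow(src, when):
            served[src] += 1
        else:
            dropped[src] += 1
    return served, dropped, limiter.blocked


if __name__ == "__main__":
    served, dropped, blocked = replay(constructed_trace())
    for src in sorted(set(served) | set(dropped)):
        print(f"{src:15} served={served[src]:4} dropped={dropped[src]:4} "
              f"{'BLOCKED' if src in blocked else ''}")
```

Each bot gets its first 20 requests through and is then blocked; the legitimate client is never touched. The caveat is the one the entry itself hints at: a botnet of tens of thousands of machines that each send only a handful of requests never trips a per-source limit, which is why the upstream "clearing house" services, with enough capacity to absorb and scrub the whole flood, exist.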
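To make the encryption entry's distinction concrete, the block below shows both styles side by side using only the Python standard library. It is an added example for this page, not code from the supplement. The symmetric half derives a keystream from a shared key with HMAC-SHA256 and XORs it with the message, which is enough to show that the same key and the same operation both encrypt and decrypt; it is an illustration, not a cipher to deploy (a real system would use AES-GCM or ChaCha20-Poly1305 from a vetted library). The asymmetric half is textbook RSA with tiny hard-coded primes (61 and 53, assumed values chosen so the arithmetic is easy to follow): anyone holding the public half can encrypt, only the private half decrypts.

```python
"""Symmetric versus asymmetric encryption, with standard-library code only.
Added example; neither scheme here is fit for production use."""
import hashlib
import hmac


# --- Symmetric: one shared secret key; the same operation encrypts and decrypts ---

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` pseudorandom bytes (HMAC-SHA256 in counter mode).
    Illustrates the shared-key idea only; real systems use a vetted authenticated
    cipher such as AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the message with the keystream.  The nonce must never repeat for a key."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def symmetric_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation with the same key.
    return symmetric_encrypt(key, nonce, ciphertext)


# --- Asymmetric: a key pair; one half encrypts, only the other half decrypts ---

def toy_rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Textbook RSA with tiny hard-coded primes (assumed values for illustration).
    Real keys use primes of 1024 bits or more, randomised padding (OAEP), and never
    encrypt a message byte by byte, which is deterministic and leaks patterns."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)            # (public key, private key)


def rsa_encrypt(public_key, data: bytes) -> list:
    """Encrypt each byte with the public exponent; anyone may do this."""
    n, e = public_key
    return [pow(b, e, n) for b in data]


def rsa_decrypt(private_key, blocks: list) -> bytes:
    """Recover the bytes with the private exponent; only the key holder can."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in blocks)


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"\x00" * 8
    ct = symmetric_encrypt(key, nonce, b"meet at noon")
    print(symmetric_decrypt(key, nonce, ct))                      # b'meet at noon'
    pub, priv = toy_rsa_keypair()
    print(pub, priv)                                              # (3233, 17) (3233, 2753)
    print(rsa_decrypt(priv, rsa_encrypt(pub, b"meet at noon")))   # b'meet at noon'
```

The practical consequence of the two designs is key distribution: with the symmetric scheme both parties must already share the 32-byte secret, which is exactly the problem the asymmetric scheme removes, since the public key can be published. Real protocols such as TLS use the asymmetric scheme only to agree a fresh symmetric key and then encrypt the bulk of the traffic symmetrically, because the asymmetric operations are thousands of times slower.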

G is for gateway crimes

In the world of addiction prevention the notion of a gateway drug is well understood: a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.

Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was "important that they put those skills to good use and are not tempted unwittingly to cyber criminality".

Jon Bernstein

G is also for graduated security

H is for Heartbleed

Heartbleed is the flaw in the open-source OpenSSL library, disclosed in April 2014, that affected the software behind more than 60 per cent of the web's secure servers. It let an attacker read chunks of a web server's memory, up to 64 kilobytes per request, which could include the private key used by individuals and businesses to encrypt their web traffic. In particular, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace.

Heartbleed served as a long-overdue wake-up call for the IT industry. In some IT organisations the proportion of open-source code used is greater than 25 per cent, meaning there's a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house code because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the Heartbleed vulnerability for some two years.

The moral of the Heartbleed story is that while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.

Lev Lesokhin is an executive vice-president at CAST Software

H is also for honey pot and hot wash
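The "basic flaw" behind Heartbleed was a single missing bounds check in OpenSSL's handling of the TLS heartbeat message: a client says "here are N bytes, echo them back", and the server copied N bytes out of its own memory without checking that N bytes had actually arrived. The block below is an added example that models that bug and its fix in Python; it is not OpenSSL's code, and the "process memory" it reads from is a constructed byte buffer in which the received record is followed by a pretend session cookie and private key, standing in for whatever sat next to the record on a real server's heap.

```python
"""Heartbleed in miniature: a TLS heartbeat handler that trusts the length field
in the request.  Added example modelled on the 2014 bug and its fix; this is
not OpenSSL's code."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                      # minimum padding the heartbeat extension requires


def make_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat record: type (1 byte) | payload length (2 bytes) | payload | padding.
    claimed_len is whatever the client chooses to write; it need not match."""
    return bytes([HB_REQUEST]) + struct.pack(">H", claimed_len) + payload + b"\x00" * PADDING


def build_memory(record: bytes, neighbour: bytes) -> bytearray:
    """Constructed process memory: the received record followed by whatever else
    happened to sit in the heap next to it (session cookies, keys, ...)."""
    return bytearray(record + neighbour)


def heartbeat_vulnerable(memory: bytearray, record_len: int):
    """Pre-fix behaviour: echo as many bytes as the client *claims* it sent."""
    hbtype = memory[0]
    (payload_len,) = struct.unpack(">H", memory[1:3])
    if hbtype != HB_REQUEST:
        return None
    # BUG: payload_len is never compared with record_len.  Python's slice stops at the
    # end of the bytearray; C's memcpy keeps reading past the record into adjacent heap.
    payload = bytes(memory[3:3 + payload_len])
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_len) + payload + b"\x00" * PADDING


def heartbeat_fixed(memory: bytearray, record_len: int):
    """Post-fix behaviour: the two bounds checks added to OpenSSL in April 2014."""
    if record_len < 1 + 2 + PADDING:
        return None                              # silently discard: too short to be valid
    hbtype = memory[0]
    (payload_len,) = struct.unpack(">H", memory[1:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > record_len:
        return None                              # silently discard: claimed length exceeds record
    payload = bytes(memory[3:3 + payload_len])
    return bytes([HB_RESPONSE]) + struct.pack(">H", payload_len) + payload + b"\x00" * PADDING


if __name__ == "__main__":
    # A two-byte payload, but the attacker claims 16,384 bytes.
    record = make_heartbeat(b"hi", 16384)
    mem = build_memory(record, b"...cookie=SESSION42...-----BEGIN RSA PRIVATE KEY-----...")
    print(heartbeat_vulnerable(mem, len(record)))   # echoes the neighbouring heap contents
    print(heartbeat_fixed(mem, len(record)))        # None: request dropped
```

Note what the fix does not do: it sends no error back. A malformed heartbeat is discarded silently, because an error message would itself tell an attacker something about the server's internals. Note also why the flaw left no trace: the leaked bytes travel inside a perfectly ordinary heartbeat response, which servers did not log.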

I is for identity management

For practical purposes an identity is a combination of username and password (you might call it a login or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.

Between home and work we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords, we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be (known as authentication) and, in a corporate environment, it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change (referred to as authorisation).

Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, in the cloud or on mobile devices.

Bill Mann is the chief product officer at Centrify

I is also for incident, information assurance, intrusion and intellectual property
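The authorisation half of identity management above, and Peter Wenham's rules earlier in the supplement (one accountable owner per data set, the owner decides who can create, read, edit, copy or transmit it, and "need to know" rather than seniority), translate into a small, testable policy engine. The code below is an added example written for this page, not Centrify's or Trusted Management's code; the data sets, roles and people in it are made up. Its two design points are that access is denied unless a grant exists, and that when someone changes role the old role's access goes with it.

```python
"""Need-to-know access control with a single accountable owner per data set.
Added example; not code from Centrify or Trusted Management.  Names, roles and
data sets are constructed for illustration."""
from dataclasses import dataclass, field

ACTIONS = {"create", "read", "edit", "delete", "copy", "transmit"}
CLASSIFICATIONS = ("public", "internal", "sensitive")


@dataclass
class DataSet:
    name: str
    owner: str                       # exactly one accountable owner, e.g. "hr-director"
    classification: str
    grants: dict = field(default_factory=dict)   # role -> set of permitted actions


class AccessPolicy:
    """Deny by default; permissions come only from grants the data owner has made."""

    def __init__(self):
        self.datasets = {}
        self.roles = {}              # user -> set of roles currently held

    def register(self, dataset: DataSet):
        if dataset.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {dataset.classification!r}")
        self.datasets[dataset.name] = dataset

    def grant(self, actor: str, dataset: str, role: str, actions):
        """Only the owner may say who can do what to the data they own."""
        ds = self.datasets[dataset]
        if actor != ds.owner:
            raise PermissionError(f"{actor} does not own {dataset}")
        unknown = set(actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions {sorted(unknown)}")
        ds.grants.setdefault(role, set()).update(actions)

    def assign_role(self, user: str, role: str):
        self.roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str):
        """Called when someone changes job: access must shrink with the old role."""
        self.roles.get(user, set()).discard(role)

    def is_allowed(self, user: str, dataset: str, action: str) -> bool:
        ds = self.datasets[dataset]
        if ds.classification == "public" and action == "read":
            return True              # public information needs no grant to read
        return any(action in ds.grants.get(role, ()) for role in self.roles.get(user, ()))


def build_example_policy() -> AccessPolicy:
    """Constructed scenario: HR owns payroll, finance owns the ledger, comms owns press releases."""
    policy = AccessPolicy()
    policy.register(DataSet("payroll", owner="hr-director", classification="sensitive"))
    policy.register(DataSet("ledger", owner="finance-director", classification="internal"))
    policy.register(DataSet("press-releases", owner="comms-director", classification="public"))
    policy.grant("hr-director", "payroll", "hr-adviser", {"read", "edit"})
    policy.grant("finance-director", "ledger", "accountant", {"read", "create", "edit"})
    policy.assign_role("alice", "hr-adviser")
    policy.assign_role("bob", "accountant")
    policy.assign_role("ceo", "board")       # seniority on its own grants nothing
    return policy


if __name__ == "__main__":
    p = build_example_policy()
    print(p.is_allowed("alice", "payroll", "read"))      # True
    print(p.is_allowed("ceo", "payroll", "read"))        # False: no need to know
    p.revoke_role("alice", "hr-adviser")
    p.assign_role("alice", "accountant")
    print(p.is_allowed("alice", "payroll", "read"))      # False once she has moved to finance
```

The check a practitioner adds next is the joiner-mover-leaver process that actually calls revoke_role: most real-world "access creep" comes not from a wrong grant but from roles that were never taken away.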

IN PARTNERSHIP WITH SAFEONLINE

Threat, and the innovation dilemma

New aircraft technology designed to enhance safety gives hackers a fresh target, warns Jack Elliott-Frey

Even though there are an estimated 100,000 or so flights every day globally, for many people air travel still retains a large fear factor, for the simple reason that aircraft disasters, although statistically incredibly rare, still dominate news headlines when they occur. Regardless of the fact that you are more likely to die falling out of bed (a one in two million chance) than in a plane crash (a one in 11 million chance), many people still fear flying.

Unfortunately, this article will hardly help to assuage those fears. As many businesses will know, the increasing threat of a cyber attack is something that has been gaining a great deal of media attention in recent years, and the aviation industry now finds itself a target for cyber attacks of various kinds. So is it now possible for hackers to seize control of an aircraft?

Not yet, but the industry is coming under sustained attack from a variety of sources. A security researcher, Chris Roberts, reportedly hacked into an aircraft flight system to demonstrate its vulnerability, only to tweet about it and subsequently find himself detained by the FBI when he landed.

More recently LOT, Poland's national airline, had its aircraft grounded following a hack that targeted the computers issuing flight plans at Warsaw airport.

What these examples highlight is the vulnerability of the aviation industry to the growing threat of cyber attack, a direct consequence of the proliferation of technology within the industry. New Boeing models are flown with the help of advanced computer systems, with pilots ceding aspects of control to technology. While this has allowed for great strides in aircraft safety, particularly during landing and take-off, it has also given hackers and other cyber criminals a new target.

There are a multitude of attack methods that pose a threat to airlines. On the ground, phishing attacks are a popular method used by criminals, whereby fake emails are sent to staff in an attempt to retrieve sensitive company information such as passwords. According to the Center for Internet Security (CIS), 75 US airports were targeted with attacks of this sort in 2014, highlighting the frequency at which cyber criminals are operating.

Remote hacking and wifi attacks are another form of attack, with flight control systems and wifi networks offering a new means for hackers to compromise an aircraft's command centre. Couple this with "ghost" flights, when a hacker inserts or removes a plane's projection on radar screens, and there is plenty for the aviation industry to consider alongside its existing stringent safety measures.

The aviation industry is just one of those facing up to this new threat as it becomes more reliant on technology. Shipping and ports, rail networks, retail and finance are just some of the other areas of business that are facing serious cyber threats as their core business moves online and relies on increasingly connected networks to operate.

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher, and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses "it is not a matter of if you are hacked, but when". For the aviation industry, and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.

Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London specialising in cyber insurance

To find out more, visit safeonline.com

J is for jamming

Jamming is a technique used by attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1 Flooding the spectrum using a signal generator
2 Attacking the transmission collision-avoidance protocols to prevent other stations from transmitting
3 Exploiting a vulnerability in the protocols that process transmissions

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming, because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is affected by jamming.

Steve Armstrong is a certified instructor at the SANS Institute

J is also for joint authorisation

K is for Kim Jong-un

Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014 Sony Pictures Entertainment fell victim to a massive leak of sensitive information, more than 100 terabytes of data, claimed the assailants, ranging from internal emails and employee salaries to details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel, and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect" from North Korea. For its part, the country continues to deny any involvement.

Jon Bernstein

K is also for key and key escrow

L is for licensing

It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent-device manufacturers cannot be overestimated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits, and invariably leaves them paying significantly more than they should for the technology they use in their business.

Gareth Johnson is the CEO of Crayon

L is also for the law and logic bombs

M is for Melissa

The Melissa virus struck in March 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that at the time was highly innovative. Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim's address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.

Lenny Zeltser is a senior instructor at the SANS Institute

M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience

We all rely on network connectivity in our day-to-day lives, from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services

IN PARTNERSHIP WITH WYNYARD GROUP

Big data: the future of UK cyber security

Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data, from smartphones to intelligent fridges and from industrial sensors to CCTV cameras, keeps developing and adapting.

For a business, this vast universe of data could consist of 10,000 devices connected to the network, transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached, but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats, and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious-crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest-priority threats that lie hidden amid the large volume of data, and feeding these threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.

Paul Stokes is the chief operating officer for Wynyard

To find out more, visit wynyardgroup.com
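Stripped of the marketing, "identifying what is normal" and then surfacing departures from it is a baseline-and-deviation calculation, and the shape of it is worth seeing because the choice of statistic decides whether a long-resident attacker is caught or quietly absorbed into the baseline. The block below is an added example written for this page, not Wynyard's product or code. It scores each host's outbound volume for the day against that host's own 14-day history using the median and the median absolute deviation (MAD), which a handful of already-abnormal days cannot drag around the way a mean and standard deviation can. All the traffic figures in it are constructed, and the 5 per cent floor and the threshold of 5 are assumed tuning values.

```python
"""Baseline-and-deviation anomaly scoring for per-host outbound volume.
Added example; not Wynyard's product or code.  All figures are constructed."""
from statistics import median

MAD_SCALE = 1.4826   # makes the median absolute deviation comparable with a standard deviation


def robust_score(history, today, floor_fraction=0.05):
    """How many 'robust standard deviations' today's value sits from the host's own norm.

    Median and MAD are used rather than mean and standard deviation so that a few
    abnormal days already in the baseline (an attacker who has been present for a
    while) do not drag the baseline towards themselves.  A host whose history is
    perfectly constant has MAD 0, so a floor (assumed: 5 per cent of the median)
    stops a trivial change from scoring as infinite.
    """
    base = median(history)
    mad = median(abs(x - base) for x in history)
    spread = max(MAD_SCALE * mad, floor_fraction * base, 1e-9)
    return (today - base) / spread


def find_anomalies(baselines, today_counts, threshold=5.0):
    """Return [(host, today, baseline_median, score)] for hosts at or above threshold,
    highest score first.  Hosts with under a week of history are skipped: there is
    not yet a 'normal' to compare against."""
    flagged = []
    for host, history in baselines.items():
        if host not in today_counts or len(history) < 7:
            continue
        score = robust_score(history, today_counts[host])
        if score >= threshold:
            flagged.append((host, today_counts[host], median(history), round(score, 1)))
    return sorted(flagged, key=lambda row: -row[3])


def constructed_data():
    """Megabytes sent per day over the last 14 days, then today's figure (made up)."""
    typical = [200 + (i * 7) % 11 for i in range(14)]       # 200..210 MB, a little noisy
    baselines = {
        "ws-017": typical,
        "ws-042": typical,
        "db-01": [500] * 14,                                  # constant: MAD would be zero
    }
    today = {"ws-017": 206, "ws-042": 4500, "db-01": 503}
    return baselines, today


if __name__ == "__main__":
    baselines, today = constructed_data()
    for host, sent, base, score in find_anomalies(baselines, today):
        print(f"{host}: {sent} MB today against a median of {base} MB (score {score})")
```

Only ws-042, which sent some twenty times its usual volume, is reported; the constant-history database host and the slightly-above-average workstation are not. The corresponding caveat for the "unknown unknowns" claim in the article is that this kind of scoring only ever says "different from before": an analyst still has to decide whether different means an exfiltration, a backup job or a new deployment, which is why the output goes to people rather than straight to a blocking action.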

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 1334

983089983090 | NEW STATESMAN | 18-24 SEPTEMBER 2015

How safe are your crown jewels?

No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers’ information. It’s hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that the high-profile hack was the US federal government’s HR department, and a while back the name on all information security lips was Sony. And Target and eBay and Home Depot and JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels
Companies today have an overflowing amount of information and multiple routes in to reach it. For many the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company’s crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government’s cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong too.

Six activities to help protect your crown jewels
1 Make detection part of your strategy
Many organisations have already been breached; they just don’t know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can’t afford to take the risk, it’s a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)
Many organisations don’t know where their most sensitive data is held or who has access to it. This increases the risk and doesn’t allow for proper risk assessment or threat mitigation. Nuix’s Information Governance tool can solve this situation.

3 Look after your data when it’s inside and outside your organisation
Today, in our interconnected world, our data often has to be shared with people outside our systems. Don’t make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto’s Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Many and multiple devices can be the weak point in your security

IN PARTNERSHIP WITH AVATU

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers

Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their “crown jewels”.

Are you really protecting your crown jewels?
Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:

• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc.

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote “New Statesman” when you book and the event will be free.


A–Z OF CYBER SECURITY

are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.
Garry Sidaway is a senior vice-president at NTT Com Security
N is also for non-repudiation

O is for outside threat
As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company’s defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.
Garry Sidaway is a senior vice-president at NTT Com Security
O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is “the only reason we know our mother’s maiden name”. The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can’t remember.

However, there’s no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.
Jon Bernstein
P is also for passive attack, personally identifiable information and phishing

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma


Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner’s Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask, “What training did you give your team?” An inadequate response to this question will influence the ultimate decision and potential enforcement and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide but simply provide staff with an A4 sheet of paper stating “Staff must process personal data in accordance with the Data Protection Act”. Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme.

1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.

2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.

3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry level staff with little access to data using an e-learning package, or get them to watch one of the ICO’s free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.

4 Ensure the training you provide is up-to-date and relevant to the task in hand. Provide real life examples, such as “at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected”.

5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.

6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.

7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly, it is not a case of “if” you are a victim of a cyber attack but “when”, and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.

Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more, visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you’re serious about cyber security?

What better way to demonstrate that you’re meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase “We’re very serious about cyber security” seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it.

Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses and then will simply do nothing about it. Why? Sometimes it’s the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it’s because the organisation just doesn’t get it – “we’ve always worked this way and we’ve been fine so far” is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation’s supply chain is vital to its existence, and it doesn’t take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim “we’re very serious about cyber security”. Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ’s cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you’re meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you’re doing? That’s worth shouting about – marketers take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn’t know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear “we’re very serious about cyber security”, look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren’t? They’re probably speaking after a cyber attack.

Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more, visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your “attack surface”.

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps such as automated vulnerability scans to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1 Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2 Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3 Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How’s this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany’s Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run up to Christmas 2013. Malware placed in the retailer’s security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one and three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target’s subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.
1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2 Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can’t remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it’s the most secure step you can take to secure an account.
3 Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it’s lost or stolen, no one can access your photos, data or apps.
4 Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access


A–Z OF CYBER SECURITY

V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus
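The sign-then-verify step the entry describes, and its caveat that a key which is not properly protected defeats it, as an added example using only Go's standard library (this is not code from the article or from Venafi; the CA name and host name are constructed for the example):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a fresh P-256 key pair; each party in the example has its own.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template describes the certificate to be issued: a CA certificate may sign
// other certificates, a leaf certificate only identifies one host name.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{name}
	}
	return t
}

// issue signs tmpl with the signer's private key, naming parent as the issuer.
// That signature is what a verifier later checks with the issuer's public key.
func issue(tmpl, parent *x509.Certificate, subjectPub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, subjectPub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifies reports whether leaf chains to trustedCA: the CA's public key must
// validate the signature on leaf, and leaf must be valid for host.
func verifies(leaf, trustedCA *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Demo checks three leaf certificates against one trusted CA. genuine: signed
// with the CA's own key (verifies). rogueCA: signed by an impostor CA that copies
// the trusted CA's name but holds a different key (fails: signature mismatch).
// stolenKey: signed with the trusted CA's stolen private key (verifies, which is
// why keys that are "not properly protected" undermine the whole scheme).
func Demo() (genuine, rogueCA, stolenKey bool) {
	const host = "shop.example.test" // constructed host name for the example

	caKey := newKey()
	caTmpl := template("Example Trusted CA", 1, true)
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root

	serverKey := newKey()
	leaf := issue(template(host, 2, false), ca, &serverKey.PublicKey, caKey)
	genuine = verifies(leaf, ca, host)

	impostorKey := newKey()
	impTmpl := template("Example Trusted CA", 3, true)
	impostor := issue(impTmpl, impTmpl, &impostorKey.PublicKey, impostorKey)
	forged := issue(template(host, 4, false), impostor, &serverKey.PublicKey, impostorKey)
	rogueCA = verifies(forged, ca, host)

	attackerKey := newKey()
	stolen := issue(template(host, 5, false), ca, &attackerKey.PublicKey, caKey)
	stolenKey = verifies(stolen, ca, host)
	return
}

func main() {
	g, r, s := Demo()
	fmt.Printf("genuine=%v rogueCA=%v stolenKey=%v\n", g, r, s)
}
```

The third case is the one to take away: copying a CA's name gets an impostor nowhere, but a leaked CA private key produces certificates that are indistinguishable from real ones, so key custody (HSMs, access control, revocation) is part of verification, not separate from it.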

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. “We call these malicious advertisements ‘malvertising’,” he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malwares, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially by sending information about vulnerable software to the party responsible for its creation, so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero day for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero day as part of their attempts to disrupt, degrade or disable a rival government’s operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie


Cyber security: a must do for SMEs

For many small businesses cost has become a barrier to good protection. It needn’t be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We’re just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can’t determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn’t work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That’s a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: “It hasn’t happened, so it’s not a problem.” That is becoming suicidal. When “it” does happen it will be too late. If you are not ready, in a moment “it” becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers’ risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn’t mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, “it” is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let’s cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable, subscription-based information and cyber security service to SMEs and others

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

"Total security is a futile concept"

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK

The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromise and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers

Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business: it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience at Ernst & Young

Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change and the cyber threats that come with it are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger, but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG

Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage breach crisis
• regulatory fines, proceedings
• legal liability

Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance: Do you have policies in place for users to follow?
• Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: Do you protect and monitor your IT infrastructure?
• Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at max.perkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, should have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated pin, or biometrics such as a fingerprint scan. And of course passwords should also be as strong as possible.

Encryption is great but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS

2. "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman

PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches.

Others are in denial about the extent to which they are vulnerable or fail to prepare adequately, and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown

The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor

There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam

Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown

Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor

Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes and you need to think

Catherine Askam

Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman

There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest, or indeed weakest, point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor

Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam

According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked but when.

John Berriman

The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown

Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day but it can be difficult to comprehend the scale of cyber crime

5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam

1. Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman

1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown

1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor

1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state of the art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY


In todayrsquos reality of increasing cyberthreats the Cyber Essentials Schemeis the UK governmentrsquos endeavour to

help businesses and organisations securetheir digital assets by undergoing a secu-rity assessment Cyber Essentials is anoptional requirement for most businesses

unless you wish to bid for some govern-ment tenders when it becomes a manda-tory requirement

I must confess as a security consultantwith Digital Assurance when the CyberEssentials scheme was first launched in June 2014 I felt sceptical and somewhatdisenchanted certainly as a pen-tester anda fellow of the tin-foil hat brigade

Cyber Essentials was not a traditionalpen test that involved vigorous testingstaring at the only light emitting in theroom at 2am and wondering what can be

obtained from some odd memory leakvulnerability Neither was it a physicalsecurity test where we were sneakinginto your building and hiding ninja-like behind your employees or sitting at yourdesks (Yes yours the one with passwordPost-it notes all over the monitor )

And it certainly doesnrsquot include tryingto contemplate how to debug a carrsquos on- board computer over drinks with friendsat a local pub after successfully exploitingand unlocking said car remotely

I also felt somewhat sullied when I

compiled some of the first of the Cyber

Essentials reports for Digital Assurance because low-risk issues did not have to be included in the final report How pre-posterous

Now having completed several assess-ments against all kinds of infrastructure belonging to companies large and small

I can eat my tinfoil testing hat and declarethat I was wrong

If adapted by industry Cyber Essentialshas the potential to improve UK cybersecurity dramatically It is especially ben-eficial to companies that do not operate aregular or annual security review

So what does a Cyber Essentials certifi-cation include

It comes in two flavours Cyber Essen-tials and Cyber Essentials Plus The basicone Cyber Essentials consists of a com-prehensive questionnaire with five stages

covering security controls which are laterassessed by the overseeing body of the Cy- ber Essentials certification

The five stages covered are l boundary firewalls and internetgateways l secure configuration l access control l malware protection l patch management

To add a further level of assurance wealso offer a vulnerability scan against your

external perimeter and analyse the issues

A ive-step security assessment is an excellent introductionwrites Digital Assurancersquos Michael Minchinton

Cyber cybercyber essentials

arising in common off-the-shelf prod-ucts The Cyber Essentials flavour is a re-spectable starting point that helps protectyour digital assets from the perspective ofan unauthenticated remote hacker acrossthe internet

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets such as signalling equipment into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of its assets. To exploit the data effectively it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure we need to consider the future needs of our society. These not only include considering what services are needed but also how those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational and, in this case, national objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m–£3.14m: average cost of worst security breaches to large organisations

£75k–£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: staff-related 75%; unauthorised outsider 69%; denial of service attack 30%

Small organisations: staff-related 38%; denial of service attack 16%; unauthorised outsider 31%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own cyber security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


First line of attack and weakest defence

What level of investment is needed for the UK to deal effectively with a rapidly expanding global cyber-threat landscape?

The threats posed by cyber breaches to the UK government, critical national infrastructure, financial institutions and all levels of corporate entities within our sovereign shores are irrefutable. Yet while the agenda regarding the skills gap is never more relevant to the UK than at present, too little is being done to reduce our risk of a cyber attack by increased training and awareness.

Several schemes have been created in recent years to address what is perceived as the cyber skills gap. However, these schemes and government policies only focus on the two realms of attack and recovery. Certification available today either develops simulated attack expertise intended to identify weakness, or recovery expertise designed to recover from or investigate an attack. Both of these strategies are fine and play an important role in shoring up our defences, but the cyber skills gap is bigger than this.

When we ask why computer systems are vulnerable we can identify two main areas of weakness: the software developers and the computer users. Not enough is being done to enhance the skills of the software developers to better defend against cyber attack, and too little is being done to upskill the computer users to identify socially based and other attacks aimed at gaining user credentials and other sensitive information which can be used in a cyber attack.

Government policies are mandating IT security health checks and simulated attacks on a regular basis; however, little to no security quality checking is being carried out on the software solutions prior to procurement. There is no certification path for software developers to identify that they have been trained in the discipline of secure coding.

In part this issue is a cultural one. Software companies are looking to ship software within a defined project development life cycle in order to meet customer demands and to remain profitable. With the ever increasing number of software platforms, developer companies now need to ship their products to Apple, Linux, multiple Windows platforms and a vast variety of mobile phones and, more recently, wearable devices, not to mention the advent of the Internet of Things.

Studies have been conducted into the overheads created when consciously creating secure code using an established secure development life cycle and, surprisingly, it is as little as 14 per cent additional resource. However, 14 per cent additional resource to the bottom line of any business is unpalatable.

It is clear that focus on providing the next generation of software developers with a clear understanding of security and how their work may be attacked and abused will prevent a large number of attacks from occurring in the first instance.

The computer users are the first line of attack and generally the weakest defence. They must be made aware of the threats and educated in how to respond to them and defend against them. At the very least this should be a standard part of any induction programme that should be refreshed frequently. Why not introduce formal certifications that lead to a licence to operate, a little like the driving licence theory and practical tests? Organisations both large and small need to invest more in educating staff in cyber security, and it must be an ongoing process.

Established in 2006, Encription is a UK- and Ireland-based IT security specialist company delivering services worldwide to a diverse client base, including the UK central government, the Ministry of Defence, police, fire and rescue services, financial institutions, professional service companies, manufacturers, small, medium-sized and large businesses and charities. With experienced consultants at your disposal, Encription is able to meet your IT security needs, no matter how simple or complex, including penetration testing in all disciplines, advanced research, digital forensics at evidential standard and training.

We are ISO 27001 and ISO 9001 certified and also CESG CHECK, TigerScheme and CyberScheme members. Contact us on +44 (0)330 100 2345 or at encription.co.uk

IN PARTNERSHIP WITH ENCRIPTION


New Statesman, 2nd Floor, 71-73 Carter Lane, London EC4V 5EQ. Tel 020 7936 6400

Subscription inquiries, reprints and syndication rights: Stephen Brasher, sbrasher@newstatesman.co.uk, 0800 731 8496

Supplement Editor: Jon Bernstein
Design and Production: Leon Parks
Graphics: Leon Parks
Sub-Editor: Prudence Hone

Account Manager: Penny Gonshaw, +44 (0)20 3096 2269

Commercial Director: Peter Coombs, +44 (0)20 3096 2267

CONTENTS

4 A-Z of cyber security
U is for understanding: unravelling the code, from advanced persistent threats to zero days

20 View from the experts
"Total security is a futile concept": where does the biggest threat lie?

31 Facts and Figures
Security breaches by numbers: how UK businesses, big and small, are coping with cyber threats

Countering the threat

Between the day when this supplement was conceived and the moment it was sent to press, the name Ashley Madison – the dating site that facilitates extramarital affairs – was added to the hall of cyber security shame. Hackers stole personal details of 37 million members of the morally ambiguous website, causing embarrassment and ignominy.

The US government's Office of Personnel Management is another recent inductee to the hall of shame, victim of a hack attack that resulted in 21.5 million federal employee records being stolen. There have been many others, and there will probably be more between printing and distribution, and then distribution and reading.

Perhaps that makes 32 pages devoted to cyber security especially timely, but in truth it would have been timely at any point in the past two decades.

Cyber security is a complex concept, not least because it acts as an umbrella term to cover an array of threats as well as methods to address those threats.

Countering the challenge falls into three broad categories: threat management (keeping the bad guys out), security information management, and identity and access management (locking the front, back and side doors).

As for the threats themselves, the terminology can be baffling. Working on the assumption that many people don't know their APTs from their DoS, or their malware from their zero-day attacks, the centrepiece of this supplement is an A-Z of cyber security terms (see page four).

Cyber security is complex for at least another three reasons. First, a security breach is just as likely to be the result of the actions of an internal member of staff (sometimes deliberate, often accidental) as it is the effect of external actors. Consider this: three-quarters of the security breaches that affected large UK companies last year were the result, at least in part, of employee-related activity (see page 31).

Second, given cyber security is now a multibillion-dollar products and services industry, the sceptical response is to suggest that some unscrupulous suppliers trade on people's fears. That assertion is robustly addressed by four security experts (see page 20).

And third, as one of those experts, Mark Brown from EY, acknowledges, "100 per cent security is a futile concept". What is needed instead is best endeavours. That requires informed decision-making. It's time to start reading.


The paper in this magazine originates from timber that is sourced from sustainable forests responsibly managed to strict environmental, social and economic standards. The manufacturing mills have both FSC and PEFC certification and also ISO9001 and ISO14001 accreditation.

First published as a supplement to the New Statesman of 18-24 September 2015. © New Statesman Ltd. All rights reserved. Registered as a newspaper in the UK and USA


A-Z OF CYBER SECURITY

Cyber security comes with a language all of its own, often opaque and replete with acronyms. With some expert help we unravel the code, from advanced persistent threat to zero days

U is for understanding

A is for advanced persistent threat

An APT is an attack carried out by an adversary that targets and exploits individuals instead of computers and operating systems. Its intent is to be stealthy, targeted and data-focused. Typically an APT targets individuals in an organisation. The adversary performs extensive reconnaissance and then sends a targeted piece of information, such as a web-link or email, to trick the user to open up vulnerabilities. From this breach the adversary uses the compromised system as a pivot point into the organisation's network.

The trick in dealing with APTs is recognising that prevention is ideal but detection is a must. Organisations will get compromised by APTs. The goal is to minimise the frequency and impact of this by controlling where the adversary can get to in the network and how much damage it can perform.

Here are things you can do to limit the impact of an APT:
1. Content-filtering and examination of behavioural anomalies
2. Create highly segmented networks to prevent lateral movement
3. Monitor outbound traffic for the attacker's command and control channels

Eric Cole is a faculty fellow and course author at the SANS Institute

A is also for authorisation, active attack and anti-virus software
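Point 3 above, monitoring outbound traffic for the attacker's command and control channels, can be turned into a concrete check. The following is an added example, not code from the page or the SANS Institute: it runs over a constructed outbound connection log and flags host-to-destination pairs that connect at a near-constant interval, the timer-driven rhythm a beacon produces. The hostnames, addresses and thresholds are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log (not real traffic): one line per
# connection, "timestamp source destination". "workstation-17" talks to a
# single external host about once a minute, the regular rhythm typical of a
# command-and-control beacon; "workstation-04" browses at irregular intervals.
SAMPLE_FLOWS = """\
2015-09-18T09:00:00 workstation-17 203.0.113.10:443
2015-09-18T09:00:05 workstation-04 198.51.100.20:443
2015-09-18T09:01:00 workstation-17 203.0.113.10:443
2015-09-18T09:01:42 workstation-04 198.51.100.21:443
2015-09-18T09:02:00 workstation-17 203.0.113.10:443
2015-09-18T09:02:09 workstation-04 198.51.100.20:443
2015-09-18T09:03:01 workstation-17 203.0.113.10:443
2015-09-18T09:03:50 workstation-04 198.51.100.22:80
2015-09-18T09:04:00 workstation-17 203.0.113.10:443
2015-09-18T09:05:00 workstation-17 203.0.113.10:443
2015-09-18T09:06:00 workstation-17 203.0.113.10:443
2015-09-18T09:06:13 workstation-04 198.51.100.20:443
"""


def parse_flows(text):
    """Turn log lines into (timestamp, source, destination) tuples,
    skipping blank or malformed lines rather than aborting the scan."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        flows.append((when, parts[1], parts[2]))
    return flows


def find_beacons(flows, min_connections=5, max_jitter=0.2):
    """Flag (source, destination) pairs whose connections recur at a steady
    interval. Jitter is the standard deviation of the gaps between
    connections divided by their mean: a person browsing produces a high
    value, a timer-driven beacon a low one. The thresholds are illustrative
    assumptions, not tuned for any real network."""
    by_pair = defaultdict(list)
    for when, src, dst in flows:
        by_pair[(src, dst)].append(when)

    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few connections to judge a rhythm
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # every connection shares one timestamp: not a beacon
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "interval_s": avg, "jitter": jitter})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"every {hit['interval_s']:.0f}s (jitter {hit['jitter']:.2f})")
```

On the constructed log only the workstation-17 pair is reported; in practice the hit list is a starting point for an analyst, who would then check whether the destination is a known service before treating it as a command and control channel.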

B is for biometrics

Biometrics refers to authentication tools and technologies such as facial recognition, fingerprinting and retina-scanning. With traditional password-based security features increasingly hacked by cyber criminals, biometrics are becoming popular as they can be a much harder target for hackers.

Biometrics are more difficult to hack but should not be seen as a replacement for password technology. Whether it's voice recognition or fingerprint technology, biometrics do solve some of the flaws inherent in modern password systems but they also bring a different set of challenges. For example, fingerprints can be reproduced, some prints are stronger than others, and changes in the physical appearance of the user can throw off the results in facial recognition.

Used together, passwords and biometrics provide a stronger form of protection. One serves as a backup for the other, raising the barrier further for unauthorised users attempting to gain access and hack a system. For example, security tools that incorporate multi-factor authentication, including encryption alongside biometric fingerprint technology and typical password security, can ensure that devices are covered at all bases.

Nicholas Banks is a vice-president of IronKey by Imation

B is also for bot, backdoor, boundary protection and BYOD

E is for encryption: the process is at once intellectually simple and morally complex

Why infosec is the great enabler

Just as a car's brakes take the risk out of driving, so information security makes business possible, writes Peter Wenham

Information security (infosec, or just security) often gets a bad press and is often seen in a negative light. Why is this? Is it the influence of sensationalism in the media about the bad guys getting heaps of credit-card data? Or is the coverage causing fatigue because the messages are seen as being overhyped and, in a sense, that "it's not happened here yet"? Is it that the costs associated with infosec are seen as coming off the bottom line with no apparent benefit? Perhaps an expensive infosec project failed or costs spiralled.

Whatever the reason, infosec needs to be better understood. It is, after all, a business enabler – but can we demonstrate that? A good analogy is to ask why are cars built with brakes. Ask an audience and the majority answer will be "because it stops the car". The real reason is that the brakes enable the car to be driven. In other words, they take the risk out of actually driving the car at speed, because brakes are used to slow or stop the car.

We can extend the analogy by comparing a Formula 1 racing car's brakes to a family car's brakes. Fit a family car's brakes into an F1 car and they will fail before the F1 car completes its first circuit. The quality of the brakes, or control, is proportionate to the risk. An F1 car needs far better brakes than those fitted to a family car due to higher speeds, acceleration and deceleration rates.

What is infosec actually doing in an organisation? It is protecting company data, be it intellectual property, finance and HR records or customer data. And each data type has a value. For example, sales and marketing information is of value to rivals planning to make a hostile bid. According to the data/information value we can identify the threats, threat sources and business exposures.

By identifying the threats, sources and exposures, a set of general controls governing access to any data set, and the processing it can be subject to, can be determined.

So who owns infosec? In many organisations infosec is thrown lock, stock and barrel over the fence to the IT group, but they are the wrong people. While IT can devise, implement and manage technical controls in support of identified threats, it is the core business that understands what the organisation does and the threats and exposures.

The business owns the information that drives an organisation. Information, and the data it is derived from, can and must be owned by only one person, for due diligence, auditability and legal/regulatory reasons. Hence the HR director (or equivalent) will own HR data, the finance director owns finance data, and so on.

What does "owning" the data mean? It means saying who can access data and for what purpose. Just because a person is the MD, CEO or director does not mean that he or she should have access to all the company data. Information should be restricted on a "need to know" basis.

Nevertheless, care is needed in this area to ensure this principle is not overly strict.

Generally, directors in large organisations cannot have hands-on decision making for all the data under their control, so any decision making regarding access and use will be devolved down in their organisations, but in the end they set the policy and retain overall responsibility.

In summary, you will have come to realise that for any specific informational area, such as HR, the business has identified the value of the information (public, company internal, sensitive and so on) and who (or which groups) can access the information and what they can do to it (create, delete, edit, copy, transmit and so on).

This is the information necessary to build a sane and sensible infosec strategy for a company, that an IT department can take and turn into usable technical controls and an HR department can turn into user policies.

Peter Wenham is the director of Trusted Management, specialists in information assurance

To find out more visit trusted-management.com

IN PARTNERSHIP WITH TRUSTED MANAGEMENT

A-Z OF CYBER SECURITY

Picture caption: A movie about the North Korean leader Kim Jong-un triggered cyber attacks on the film company

C is for cloud computing

As defined by Gartner, cloud computing is "a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using internet technologies". In other words, cloud computing enables companies to tap into extended resources situated anywhere in the world, creating efficiencies and scale – and allowing users to pay for services as they are used.

While the cloud brings a host of financial and business benefits, it also brings risks in the form of cyber theft, accidental data leaks and privacy fines. As sensitive information is of enormous value to criminals, cloud defence is imperative for businesses that hold such data.

A logical starting point is to identify all cloud applications in use, classify the types of data they hold and assess the risk level of each app. This then helps firms to map the appropriate security controls to protect data, such as through encryption, tokenisation and data-loss prevention.

And finally, organisations should continuously monitor activities to detect and flag up any anomalies in the use of data.

Willy Leichter is the global director for cloud security at CipherCloud

C is also for critical infrastructure, cipher and cryptography

D is for denial of service

A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users.

To perpetrate this attack, cyber criminals will stealthily install software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim's website. These botnets can include tens of thousands of PCs and are referred to as a distributed denial of service (DDoS) attack. Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call.

DoS attacks are often used by groups with a grievance against a particular brand or political issue and can be a smokescreen to confuse the target while other more sophisticated attacks take place.

DoS attacks can be mitigated by countermeasures such as certain types of application traffic-management devices that can be configured to identify and discard traffic that appears to be coming from a botnet. There are also third-party services that act as a type of clearing house for web traffic that can counteract DoS attacks.

Stephen Sims is a course author and senior instructor at the SANS Institute

D is also for decryption and data breach

E is for encryption

Encryption is at once intellectually simple and morally complex.

At its most straightforward it is the act of encoding data, turning plain text into cipher text. Only those with a key or password can decode – or decrypt – the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an individual, business or government.

The strength of the encryption depends on how the technology is applied. Broadly, this happens in two ways – symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses a different key at the beginning and end of the process. From a security point of view encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?

Jon Bernstein

E is also for event and exploit

F is for Flashback malware attack

The conventional wisdom dictates that Apple-made devices are less prone to security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.

The Flashback malware attack is one example of when Apple's defences – and those of its OS X operating systems – were breached. Using a form of malware known as a Trojan Horse, it was first detected in 2011. As the term suggests, a Trojan Horse attack is based more on deception than stealth, and Flashback was initially hidden as an Adobe Flash Player plug-in before moving on to exploit vulnerabilities in the Java programming language. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated, so the victim is a passive participant, oblivious to malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.

Jon Bernstein

F is also for fraud and firewall

G is for gateway crimes
In the world of addiction prevention, the notion of a gateway drug is well understood – a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.

Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was "important that they put those skills to good use and are not tempted unwittingly to cyber criminality".
Jon Bernstein
G is also for graduated security

H is for Heartbleed
Heartbleed is the open-source software flaw that affected more than 60 per cent of the internet over a year ago. It allowed access to the private key used by individuals and businesses to encrypt web traffic. In particular, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace.

Heartbleed served as a long overdue wake-up call for the IT industry. In some IT organisations the percentage of open-source code used is greater than 25 per cent, meaning there's a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the zero-day vulnerability posed by Heartbleed.

The moral of the Heartbleed story is that while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.
Lev Lesokhin is an executive vice-president at CAST Software
H is also for honey pot and hot wash
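The check the Heartbleed entry asks for, measuring the open-source components you ship against known-vulnerable version ranges, looks like this in practice. This is an added example, not code from the supplement or from CAST Software. The inventory, the second advisory and the reference ids are constructed for the example; the OpenSSL range is the one publicly reported for Heartbleed (1.0.1 to 1.0.1f), but a real check would take its ranges from an advisory feed rather than a hard-coded list.

```python
"""Component inventory check (added example; sample data constructed)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    component: str
    first_affected: str   # inclusive
    last_affected: str    # inclusive
    reference: str        # placeholder id; a real feed would carry the CVE


def parse_version(version: str) -> tuple:
    """Split '1.0.1f' into ((1, ''), (0, ''), (1, 'f')) so tuples compare the
    way a human reads them: 1.0.1 < 1.0.1e < 1.0.1f < 1.0.2.
    Assumes any letter suffix trails the digits in each dotted piece."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        suffix = piece[len(digits):]
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.first_affected) <= v <= parse_version(adv.last_affected)


def parse_inventory(text: str) -> List[Tuple[str, str]]:
    """Each non-empty, non-comment line is '<component> <version>'."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()
        items.append((name.lower(), version))
    return items


def find_vulnerable(inventory_text: str, advisories: List[Advisory]):
    """Return (component, version, reference) for every inventory entry
    that falls inside an advisory's affected range."""
    hits = []
    for name, version in parse_inventory(inventory_text):
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                hits.append((name, version, adv.reference))
    return hits


# Constructed advisory list: EXAMPLE-ADV-2 and 'examplelib' are invented.
ADVISORIES = [
    Advisory("openssl", "1.0.1", "1.0.1f", "EXAMPLE-ADV-1"),
    Advisory("examplelib", "2.0.0", "2.3.9", "EXAMPLE-ADV-2"),
]

# Constructed inventory, the kind of list a build pipeline would export.
SAMPLE_INVENTORY = """
# component version
openssl 1.0.1e
zlib 1.2.8
examplelib 2.4.0
examplelib 2.2.1
"""

if __name__ == "__main__":
    for name, version, ref in find_vulnerable(SAMPLE_INVENTORY, ADVISORIES):
        print(f"{name} {version} is inside an affected range ({ref})")
```

The version parser is deliberately simple; component ecosystems with their own version grammars (semver pre-releases, Debian epochs) need their own comparison rules, which is one reason to run this against an SBOM tool rather than hand-rolled lists.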

I is for identity management
For practical purposes, an identity is a combination of username and password (you might call it a login or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.

Between home and work we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be – known as authentication – and, in a corporate environment, it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change – referred to as authorisation.

Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, cloud or mobile devices.
Bill Mann is the chief product officer at Centrify
I is also for incident, information assurance, intrusion and intellectual property
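The authentication/authorisation split the entry describes can be seen in a few dozen lines. This is an added example, not code from the supplement or from Centrify: credentials are verified with a salted, iterated hash (authentication), and access is then decided by the role the employee currently holds (authorisation), so changing the role changes what they can reach with nothing lingering. The users, roles, systems and hashing parameters are all constructed for the example.

```python
"""Minimal identity directory (added example; all data constructed)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Role -> systems that role may use. A constructed least-privilege map.
ROLE_PERMISSIONS = {
    "finance": {"ledger", "payroll"},
    "support": {"ticketing", "crm"},
    "admin": {"ledger", "payroll", "ticketing", "crm", "directory"},
}

ITERATIONS = 100_000   # constructed; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class Directory:
    """Holds one credential and one current role per username."""

    def __init__(self):
        self._creds = {}   # username -> (salt, digest)
        self._roles = {}   # username -> role name

    def add_user(self, username: str, password: str, role: str) -> None:
        self._creds[username] = hash_password(password)
        self._roles[username] = role

    def authenticate(self, username: str, password: str) -> bool:
        """Prove the caller is who they claim to be."""
        if username not in self._creds:
            hash_password(password)   # same cost for unknown users: no timing tell
            return False
        salt, stored = self._creds[username]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored, candidate)

    def change_role(self, username: str, new_role: str) -> None:
        """Access follows the role, so a move to a new job drops old rights."""
        self._roles[username] = new_role

    def authorised(self, username: str, system: str) -> bool:
        """Decide what an authenticated user may reach."""
        return system in ROLE_PERMISSIONS.get(self._roles.get(username), set())

    def access(self, username: str, password: str, system: str) -> str:
        if not self.authenticate(username, password):
            return "denied: authentication failed"
        if not self.authorised(username, system):
            return "denied: not authorised for " + system
        return "granted"


if __name__ == "__main__":
    d = Directory()
    d.add_user("alice", "correct horse battery", "finance")
    print(d.access("alice", "correct horse battery", "payroll"))
    d.change_role("alice", "support")
    print(d.access("alice", "correct horse battery", "payroll"))
```

The point of keeping one role per user and looking permissions up at access time, rather than copying permissions onto the user record, is that a role change is the whole of the offboarding step: there is no stale per-user grant left to forget.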

J is for jamming
Jamming is a technique used by

Threat – and the innovation dilemma
New aircraft technology designed to enhance safety gives hackers a fresh target, warns Jack Elliott-Frey

Even though there are an estimated 100,000 or so flights every day globally, for many people air travel still retains a large fear factor, for the simple reason that aircraft disasters, although statistically incredibly rare, still dominate news headlines when they occur. Regardless of the fact that you are more likely to die falling out of bed (a one in two million chance) than in a plane crash (a one in 11 million chance), many people still fear flying.

Unfortunately this article will hardly help to assuage those fears. As many businesses will know, the increasing threat of a cyber attack is something that has been gaining a great deal of media attention in recent years, and the aviation industry now finds itself a target for cyber attacks of various kinds. So is it now possible for hackers to seize control of an aircraft?

Not yet, but the industry is coming under sustained attack from a variety of sources. A security researcher, Chris Roberts, reportedly hacked into an aircraft flight system to demonstrate its vulnerability, only to tweet about it and subsequently find himself under arrest by the FBI when he landed.

More recently LOT, Poland's national airline, had its aircraft grounded following a hack that targeted computers issuing flight plans at Warsaw airport.

What these examples highlight is the vulnerability of the aviation industry to the growing threat of a cyber attack, a direct consequence of the proliferation of technology within the industry. New Boeing models are flown with the help of advanced computer systems, with pilots ceding aspects of control to technology. While this has allowed for great strides in aircraft safety, particularly during landing and take-off, it has also given hackers and other cyber criminals a new target.

There are a multitude of attack methods that pose a threat to airlines. On a ground level, phishing attacks are a popular method used by criminals, whereby fake emails are sent to staff in order to attempt to retrieve sensitive company information such as passwords. According to the Centre for Internet Security (CIS), 75 US airports were targeted with attacks of this sort in 2014, highlighting the frequency at which cyber criminals are operating.

Remote hacking and wifi attacks are another form of attack, with flight control systems and wifi networks offering a new means for hackers to compromise an aircraft's command centre. Couple this with "ghost" flights, when a hacker inserts or removes a plane's projection on to radar screens, and there is plenty for the aviation industry to consider alongside existing stringent safety measures.

The aviation industry is just one facing up to this new threat as it becomes more reliant on technology. Shipping and ports, rail networks, retail and finance are just some of the other areas of business that are facing serious cyber threats as their core business moves online and relies on increasingly connected networks to operate.

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher, and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses "it is not a matter of if you are hacked but when". For the aviation industry and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.
Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London specialising in cyber insurance
To find out more visit safeonline.com
IN PARTNERSHIP WITH SAFEONLINE

attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1 By flooding spectrum using a signal generator
2 By attacking the transmission collision avoidance protocols to prevent other stations from transmitting
3 By exploiting a vulnerability in the protocols that process transmissions

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming.
Steve Armstrong is a certified instructor at the SANS Institute
J is also for joint authorisation

K is for Kim Jong-un
Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014 Sony Pictures Entertainment fell victim to a massive leak of sensitive information – more than 100 terabytes of data, claimed the assailants – ranging from internal emails and employee salaries to details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect" from North Korea. For its part, the country continues to deny any involvement.
Jon Bernstein
K is also for key and key escrow

L is for licensing
It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be underestimated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits and invariably leaves them paying significantly more than they should for the technology they use in their business.
Gareth Johnson is the CEO of Crayon
L is also for the law and logic bombs

M is for Melissa
The Melissa virus struck in May 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that at the time was highly innovative. Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim's address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.
Lenny Zeltser is a senior instructor at the SANS Institute
M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience
We all rely on network connectivity in our day-to-day lives – from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services

Big data: the future of UK cyber security
Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data – from smartphones to intelligent fridges, industrial sensors to CCTV cameras – are developing and adapting.

For a business, this vast universe of data could consist of 10,000 devices connected to the network, transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached, but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest priority threats that lie hidden amidst the large volume of data and feeding these threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (the identification of previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.
Paul Stokes is the chief operating officer for Wynyard
To find out more visit wynyardgroup.com
IN PARTNERSHIP WITH WYNYARD GROUP

How safe are your crown jewels?
No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information. It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony. And Target and eBay and Home Depot and JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels
Companies today have an overflowing amount of information and multiple routes in to reach it. For many the challenge is where to start. And our answer is always: begin with your crown jewels. Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong too.

Six activities to help protect your crown jewels
1 Make detection part of your strategy
Many organisations have already been breached, they just don't know it yet. And the longer a threat sits within your systems the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3 Look after your data when it's inside and outside your organisation
Today, in our interconnected world, our data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

[Picture caption: Many and multiple devices can be the weak point in your security]
IN PARTNERSHIP WITH AVATU

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers
Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels".

Are you really protecting your crown jewels?
Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc.
Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.
Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free.

are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.
Garry Sidaway is a senior vice-president at NTT Com Security
N is also for non-repudiation
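The detection step that both the D (denial of service) and N (network resilience) entries describe, spotting an unusual rise in requests and telling a distributed flood from a single noisy client, can be shown on a handful of log lines. This is an added example, not code from the supplement or from NTT Com Security. It counts requests per second, learns a baseline from a quiet period, flags any second far above that baseline, and records how many distinct source addresses share the surge. The log format, thresholds and addresses (drawn from the RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Request-rate surge detector (added example; log lines constructed)."""
from collections import Counter, defaultdict
import re
import statistics

# Constructed log format: <source-ip> [<unix-second>] "<method> <path>" <status>
LINE = re.compile(r'^(\S+) \[(\d+)\] "(\w+) (\S+)" (\d{3})$')


def parse_line(line: str):
    """Return (source, second) for a well-formed line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    source, second, _method, _path, _status = m.groups()
    return source, int(second)


def per_second(lines):
    """Requests per second, and the distinct sources seen in each second."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue          # a malformed line must not take the monitor down
        source, second = parsed
        counts[second] += 1
        sources[second].add(source)
    return counts, sources


def detect_surges(lines, baseline_window, factor=5.0, min_requests=10, distributed_from=5):
    """Flag every second outside the baseline window whose request count is at
    least min_requests and more than `factor` times the baseline mean.
    `distributed_from` is the number of distinct sources above which the surge
    is labelled distributed rather than single-source (constructed threshold)."""
    counts, sources = per_second(lines)
    start, end = baseline_window
    baseline_mean = statistics.mean([counts.get(t, 0) for t in range(start, end)])
    alerts = []
    for second in sorted(counts):
        if start <= second < end:
            continue
        n = counts[second]
        if n >= min_requests and n > factor * baseline_mean:
            alerts.append({
                "second": second,
                "requests": n,
                "sources": len(sources[second]),
                "distributed": len(sources[second]) >= distributed_from,
            })
    return alerts


def build_sample_log():
    """Constructed traffic: ten quiet seconds at two requests each, a
    three-second flood of 30 requests/second from fifteen addresses, then
    one normal request."""
    legit = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    lines = []
    for t in range(1000, 1010):
        for i in range(2):
            lines.append(f'{legit[(t + i) % 3]} [{t}] "GET /index" 200')
    for t in range(1010, 1013):
        for i in range(30):
            lines.append(f'198.51.100.{i % 15 + 1} [{t}] "GET /" 200')
    lines.append('192.0.2.10 [1013] "GET /cart" 200')
    return lines


if __name__ == "__main__":
    for alert in detect_surges(build_sample_log(), baseline_window=(1000, 1010)):
        kind = "distributed" if alert["distributed"] else "single-source"
        print(f"second {alert['second']}: {alert['requests']} requests "
              f"from {alert['sources']} sources ({kind})")
```

The distinct-source count is what the N entry's scrubbing step needs: a single-source spike can be rate-limited at the edge, whereas a surge spread across many addresses is the switchboard-flooding pattern from the D entry and calls for upstream filtering rather than per-client limits.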

O is for outside threat
As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.
Garry Sidaway is a senior vice-president at NTT Com Security
O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.
Jon Bernstein
P is also for passive attack, personally identifiable information and phishing
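The three controls the entry names (complexity, regular change, and the reuse problem that follows from having too many accounts) fit in one small policy module. This is an added example, not code from the supplement; the rule values and the account list are constructed, and the reuse check is the kind a password manager runs over its own stored entries.

```python
"""Password policy checks (added example; rules and sample data constructed)."""
from collections import defaultdict
from datetime import date, timedelta

MIN_LENGTH = 12          # constructed policy values, not from the text
MAX_AGE_DAYS = 90


def check_policy(password: str) -> list:
    """Return the list of rules the password fails; an empty list is a pass."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    return failures


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password has outlived the policy's maximum age."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def find_reuse(accounts: dict) -> dict:
    """Group account names that share an identical password. Only groups of
    two or more come back, since those are the accounts one leak exposes."""
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


# Constructed sample vault; obviously not real credentials.
SAMPLE_ACCOUNTS = {
    "webmail": "Summer2015!x",
    "bank": "Summer2015!x",
    "shop": "Summer2015!x",
    "work-vpn": "K7r#tangerine-Owl",
}

if __name__ == "__main__":
    for account, password in SAMPLE_ACCOUNTS.items():
        print(account, check_policy(password) or "policy ok")
    for pw, names in find_reuse(SAMPLE_ACCOUNTS).items():
        print("reused across:", ", ".join(names))
    print("rotation due:", rotation_due(date(2015, 6, 1), date(2015, 9, 18)))
```

Note that "Summer2015!x" passes every complexity rule and still fails the audit on reuse alone, which is the entry's point: complexity rules do not address the memory problem that drives people to duplicate passwords.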

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

[Picture caption: Edward Snowden: the ultimate breach-of-privacy dilemma]

Seven steps to effective training
Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care, and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement, and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide, but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme:
1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4 Ensure the training you provide is up-to-date and relevant to the task in hand. Provide real life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".
5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.
Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer
To find out more visit griffinhouseconsultancy.co.uk
IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY

So you're serious about cyber security

What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

Stuart J Green Digital Engineering

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or comes when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it. Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it: "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies we deal with are protecting our identities and any information they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do the vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience like Target's to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged on how it protects data. Furthermore, this one profession appears to be the first to resist any form of change to protect itself and its clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of its Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain. It consists of a small set of technical controls (boundary firewalls and internet gateways, secure configuration, access control, malware protection and patch management) that can be readily implemented to strengthen an organisation against cyber attack. CESG, the information security arm of GCHQ, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor (Plus adds hands-on technical verification by the certifying body rather than relying on the organisation's own questionnaire answers). In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about; marketers, take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find that the process reveals something they didn't know about their organisation, and they see the value in it. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are serious will have it and can prove it. Those who aren't? They're probably speaking after a cyber attack.
Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (the malware author is usually a step ahead of the anti-virus vendor). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update their signatures and heuristics to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage of a cyber attack. Risk assessments should be carried out regularly to keep pace with large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes: in other words, your "attack surface".

Risk assessments are often used to support regulatory requirements and include a broad range of activities. These range from basic steps such as automated vulnerability scans to more advanced methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises also test your ability to detect, contain and respond to an attack, a dimension that traditional paper-based risk assessments miss.

Consider these questions when contemplating a risk assessment:
1. Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2. Is there a defined and regularly exercised process for detecting an attack or an actual breach?
3. Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from top-secret surveillance programmes sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden, a traitor to some and a heroic whistleblower to others, was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. The attackers first gained access to Target's network using credentials stolen from a third-party heating and refrigeration contractor, then planted malware on the retailer's point-of-sale systems. It extracted the names, addresses, phone numbers and email addresses of up to 70 million customers and the details of some 40 million credit and debit cards.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one and three million of the card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately you can protect yourself and your family by taking some simple steps.
1. Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2. Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem: consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the single most effective step you can take to secure an account.
3. Protect your mobile devices with a strong PIN or passcode, or use fingerprint authentication. That way, if a device is lost or stolen, no one can access your photos, data or apps.
4. Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access

A-Z OF CYBER SECURITY


V is for verification
Online verification is established through cryptographic keys and digital certificates, which underpin much of cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems, applications and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it signs the certificate with its private key. To verify the authenticity of the certificate, the relying party obtains the certification authority's public key and uses it to check the signature on the certificate, establishing whether it was really issued by that authority. Checking the signature is only the first step: the certificate must also be within its validity period, not revoked, and issued for the name the relying party is actually connecting to. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your systems, monitoring what you do online and compromising personal data. A certificate signed with a stolen CA key verifies just as well as a genuine one, which is why protecting signing keys matters as much as the mathematics.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus

W is for worm
The one characteristic shared by all computer worms is the ability to replicate. Whereas a conventional computer virus attaches itself to a file or a program, a worm commonly uses a flaw in a computer's security to gain access and then spreads itself across the network without human intervention.

Some worms have a malicious payload attached that might, for example, delete or corrupt files. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming enough system memory or network bandwidth it can degrade, or stop, access to web and network servers or standalone computers. MyDoom, which hit Microsoft Windows PCs in 2004, became the fastest-spreading email worm to date; it did carry a payload (a backdoor and a denial-of-service attack on the SCO Group's website), but most of the disruption it caused came from the sheer volume of email it generated.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware the dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites were infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 public key certificate

Y is for Generation Y
The term Generation Y applies to those born after 1980 who were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a piece of software for which no security patch is publicly available. The term refers to how many days the vendor of the affected software has known about the vulnerability. Zero-day attacks, or zero-day exploits, are programs developed to take advantage of such a weakness before a fix exists.

Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about the vulnerable software to the party responsible for it so that fixes can be made available before the details are disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gain. These agents include black-hat hackers, criminals and private companies that research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life example was Stuxnet, discovered in 2010, which used several Windows zero-day vulnerabilities and damaged centrifuges at Iran's Natanz uranium enrichment facility.
Christophe Birkeland
Z is also for zombie


Cyber security: a must do for SMEs

For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Bronzeye IBRM

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent: giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it happened, they refund the losses and keep very quiet about it, usually under non-disclosure terms.

There are many companies whose security has been breached and whose intellectual property has been stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise; they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost (hardware, software, licensing, people) quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently being deemed negligent are horrendous. And it is easy to get there: falling short of PCI compliance, which is easy to do, means big trouble, Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies, primarily banks, in mind. Unfortunately a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker there. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk and reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target, and more attractive to customers and partners too. Every enterprise can improve cyber protection, surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

The saying often attributed to Einstein holds that insanity is doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.
Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others

To find out more visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam
Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising: the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience, at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor
UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that if subject to a cyber breach they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and, perhaps most importantly, losing customer confidence.

Where does the biggest threat lie? And what steps should organisations large and small take to mitigate risk? We ask our cyber specialists

"Total security is a futile concept"


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is that many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability
They can now also find cover for:
• consequential losses due to damage to business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries, so they know what the losses are for small, common breaches while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult, for two reasons. First, the insurance sector has only five years of good loss data; compare this to property insurers, who have losses dating back hundreds of years. Second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate that you have strong defences and the capability to monitor your network and shut it down quickly if need be. More specifically, insurers will ask questions about:
• Privacy governance. Do you have policies in place for users to follow?
• Privacy culture. Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security. Do you protect and monitor your IT infrastructure?
• Data encryption tools. Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation. Separation of networks, or at least of data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sale systems. We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sale systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data, and access points to it, exist outside the traditional company perimeter, well beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it were hidden from prying eyes? After all, an attacker has a far harder time reaching what they cannot see. Technology exists that aims to do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so that only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. The second factor can be a randomly generated PIN, for example from a token or an authenticator app, or a biometric such as a fingerprint scan. And of course passwords should also be as strong as possible.

Encryption is great but not enough on its own. Again, only those authorised to read the data should be able to decrypt it fully: for example, system administrators should be able to know that the data exists, and manage it, but not read it. That in turn means the decryption keys must be held apart from the systems those administrators control.

Effective business security is more than a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of "keeping calm and carrying on" is not on the table.
Colin Tankard is the managing director of Digital Pathways

To find out more visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


2. "The cyber security industry trades off people's fears, often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately, and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving, one rooted in the heart of enterprise risk management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat: thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or indeed weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate

This change requires a new breed

of cyber-security professional one ascomfortable in the parlance of businessmanagement as technology and who cansell the concept of risk enablement ratherthan simply being seen as the inhibitorof progress

The risk is very real but can be man-aged without detrimentally impactingoperations where a business-centred ap-proach is adopted

Paul TaylorTherersquos a great deal of scaremongering out

there that isnrsquot necessarily helpful The

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 263418-24 SEPTEMBER 2015 | NEW STATESMAN | 983090983093

5 What three stepsshould businessestake now in order toimprove their owncyber security

Catherine Askam1 Fix the basics such as passwords andupdate security patching and new joinermover and leaver processes2 Review current security operations andinvest in them to strengthen this area ofyour business3 Focus on prevention in addition tohow you would respond to an attack forexample threat intelligence (detectingthe methods of hackers and using thisintelligence to plan responses) and data-destruction protection such as technol-

ogy or insurance policies to avoid data orinformation being destroyed if a hackeraccessed it

John Berriman1 Organisations need to accept breacheswill happen and put in place controls toprotect systems with additional securityfor the assets that matter most2 They need to make sure that theyare investing effectively in cyber secu-rity That means focusing investment onpreventing detecting and responding

to breaches When organisations invest

training poor security awareness or gen-eral negligence can lead to breaches just asreadily as hackers and criminals

Employee awareness is a difficult areafor information security and many organ-isations struggle to get it right

4 What singlestatistic should actas a wake-up callto those who needconvincing

Paul Taylor

Every day we hear of new vulnerabilitiesattacks and incidents The Centre for Stra-tegic and International Studies estimatesthat the likely annual cost to the globaleconomy from cyber crime is between$375bn and $575bn These startling fig-ures are more than the national income ofmany countries

Catherine AskamAccording to CYRENrsquos 2015 CyberthreatYearbook the number of successful cyberattacks on businesses of all sizes increased

by 14 4 per cent between 2010 and 2014 Therefore cyber attacks are clearly agrowing concern for UK businesses Weoften say that itrsquos no longer a case of if youget hacked but when

John BerrimanThe average cost of the most severesecurity breaches for big business is nowpound146m according to PwC research Thatdoesnrsquot take into account the impact onan organisationrsquos reputation and relation-ship with its stakeholders Every organi-

sation needs to wake up to the very realthreats they face

Mark BrownCyber crime today is prevalent as a glob-al criminal industry Organisations arehacked daily but the scale of attacks isoften difficult to comprehend

During 2014 the biggest reported hackwas conducted by the Russian organised-crime gang CyberVor which capturedmore than 12 billion personal IDs ndash theequivalent of hacking the entire popula-

tion of India

Organisations are hacked every day but it can be difficult to comprehend the scale o cyber crime

appropriately upfront and align securitystrategy with business objectives theyprevent having to pay significantly largersums of money for breach responses at alater date3 They need to focus the entire organi-sation on thinking about risk setting thetone from the top

Mark Brown

1 Activate ndash make sure you switch on thedefences that exist and configure themproperly Failure to do this leaves youunnecessarily exposed to todayrsquos threats2 Adapt ndash analyse your business andunderstand what information makes youa target for cyber crime Personal dataand credit-card data are obvious targets but also think about IP and who yourcustomers and suppliers are to protectagainst threats3 Anticipate ndash get on the front foot andrehearse threat scenarios to understand

your organisational weaknesses If theyexist cyber criminals will find them ndash so better that you find and resolve them first

Paul Taylor1 Identify what data and processes are themost important to your business2 Undertake a cyber-maturity assess-ment to see where you are now Bench-mark yourself against your industry3 Put a long-term plan in place using a balance of internal resources and appro-priate help Donrsquot try to be 100 per cent

secure ndash thatrsquos simply not possible l
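Two of the panel's points above are concrete enough to show in code: Catherine Askam's remark that security information and event-management tools catch insider mistakes by flagging irregular activity, and her first step of fixing joiner, mover and leaver processes. The Python below is an added illustration, not material from the supplement or from any of the panellists: it runs three simple SIEM-style checks over a handful of constructed authentication log lines. The log format, the user names, the host names and the leaver list are all assumptions made up for the example.

```python
"""Flag irregular account activity in authentication logs.

Added example. The log format, users, hosts and the leaver list are
constructed for illustration; a real SIEM would take the same signals
from the identity provider and an HR leaver feed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <source host> <result>"
SAMPLE_LOG = """\
2015-09-14T09:02:11 alice ws-101 success
2015-09-14T09:15:40 bob ws-207 success
2015-09-14T21:47:03 alice ws-101 success
2015-09-15T08:58:27 alice ws-101 success
2015-09-15T09:03:55 bob ws-207 success
2015-09-15T02:12:19 bob vpn-gw success
2015-09-16T10:30:00 carol ws-311 success
"""

# Constructed HR export: accounts whose leaver process should already have run.
LEAVERS = {"carol": "2015-09-10"}  # user -> leaving date (ISO)

BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 counts as normal working time


def parse_log(text):
    """Turn the raw lines into (timestamp, user, host, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return events


def find_irregular(events, leavers, hours=BUSINESS_HOURS):
    """Return (timestamp, user, reason) for each event that needs a look.

    Three checks, each a cheap stand-in for a SIEM correlation rule:
      - a leaver's account is still logging in after their leaving date
      - a successful login falls outside business hours
      - a user appears from a host they have never been seen on before
    """
    findings = []
    seen_hosts = defaultdict(set)  # user -> hosts already observed
    for ts, user, host, result in sorted(events):
        if result != "success":
            continue
        if user in leavers and ts.date().isoformat() > leavers[user]:
            findings.append((ts, user, "leaver account still active"))
        if ts.hour not in hours:
            findings.append((ts, user, "login outside business hours"))
        # Only flag a new host once a baseline for the user exists.
        if seen_hosts[user] and host not in seen_hosts[user]:
            findings.append((ts, user, f"first login from {host}"))
        seen_hosts[user].add(host)
    return findings


if __name__ == "__main__":
    for ts, user, reason in find_irregular(parse_log(SAMPLE_LOG), LEAVERS):
        print(f"{ts:%Y-%m-%d %H:%M} {user:6} {reason}")
```

On the sample data this flags alice's late-evening login, bob's 02:12 login and his first appearance from the VPN gateway, and carol's login six days after her leaving date. None of these is proof of wrongdoing; each is the kind of anomaly that a leaver process, a working-hours baseline or a known-device list lets an analyst triage quickly rather than discover after the fact.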


IN PARTNERSHIP WITH PGI CYBER ACADEMY

To fight cyber crime, first invest in closing the skills gap
It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report released by ISACA showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals. The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training. The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas the hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent. Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts. The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International
Find out more about PGI at pgitl.com

[Photo caption: Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year]


IN PARTNERSHIP WITH DIGITAL ASSURANCE

Cyber, cyber, cyber essentials
A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tin-foil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification. The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways. Cyber Essentials Plus is a comprehensive addition: it keeps the unauthenticated remote hacker's perspective and extends it to how your systems cope with malicious content delivered to them, which is the route by which malware and ransomware most often arrive.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns, and the odd bit of car hacking just for the heck of it.
For more information visit digitalassurance.com or phone 020 7060 9001


IN PARTNERSHIP WITH ATKINS

The threat to digital infrastructure
Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?
We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour, and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?
All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional. Security is a secondary concern to keeping the plant operational.

What can we do about it?
Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?
Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins
To find out more, visit atkinsglobal.com


FACTS AND FIGURES
Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago
74% of small businesses experience security breaches, up from 60% a year ago
£1.46m-£3.14m: average cost of the worst security breaches to large organisations
£75k-£311k: average cost of the worst security breaches to small businesses
50% of the worst breaches were caused by inadvertent human error

Security breach by type
                         Large organisations   Small organisations
Staff-related            75%                   38%
Unauthorised outsider    69%                   31%
Denial of service attack 30%                   16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


It's time to develop your own cyber security capabilities
Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks. Accredited by leading professional bodies and institutions.
Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8 October, ExCeL London


IN PARTNERSHIP WITH (ISC)2

Cyber security skills for a digital future
The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world, with an estimated 50 billion devices connected together by 2020, heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members
To find out more, visit isc2.org


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


New Statesman, 2nd Floor, 71-73 Carter Lane, London EC4V 5EQ
Tel 020 7936 6400
Subscription inquiries, reprints and syndication rights: Stephen Brasher, sbrasher@newstatesman.co.uk, 0800 731 8496
Supplement Editor: Jon Bernstein
Design and Production: Leon Parks
Graphics: Leon Parks
Sub-Editor: Prudence Hone
Account Manager: Penny Gonshaw, +44 (0)20 3096 2269
Commercial Director: Peter Coombs, +44 (0)20 3096 2267

CONTENTS

Countering the threatBetween the day when thissupplement was conceived and

the moment it was sent to pressthe name Ashley Madison ndashthe dating site that facilitatesextramarital affairs ndash was added tothe hall of cyber security shameHackers stole personal details of37 million members of the morallyambiguous website causingembarrassment and ignominy

The US governmentrsquos Office ofPersonnel Management is anotherrecent inductee to the hall ofshame victim of a hack attack thatresulted in 215 million federalemployee records being stolenThere have been many othersand there will probably be more between printing and distributionand then distribution and reading

Perhaps that makes 32 pagesdevoted to cyber securityespecially timely but in truth itwould have been timely at anypoint in the past two decades

Cyber security is a complexconcept not least because it acts as

an umbrella term to cover an arrayof threats as well as methods toaddress those threats

Countering the challenge fallsinto three broad categories threatmanagement (keeping the badguys out) security informationmanagement and identity andaccess management (locking thefront back and side doors)

As for the threats themselvesthe terminology can be baffling Working on the assumption thatmany people donrsquot know theirAPTs from their DoS or theirmalware from their zero-dayattacks the centrepiece of thissupplement is an A-Z of cybersecurity terms ( see page four )

Cyber security is complex for at least another three reasons. First, a security breach is just as likely to be the result of the actions of an internal member of staff (sometimes deliberate, often accidental) as it is the effect of external actors. Consider this: three-quarters of the security breaches that affected large UK companies last year were the result, at least in part, of employee-related activity (see page 31).

Second, given cyber security is now a multibillion-dollar products and services industry, the sceptical response is to suggest that some unscrupulous suppliers trade on people's fears. That assertion is robustly addressed by four security experts (see page 20).

And third, as one of those experts, Mark Brown from EY, acknowledges, "100 per cent security is a futile concept". What is needed instead is best endeavours. That requires informed decision-making. It's time to start reading.

Contents

4 A-Z of cyber security: U is for understanding. Unravelling the code, from advanced persistent threats to zero days

20 View from the experts: "Total security is a futile concept". Where does the biggest threat lie?

31 Facts and figures: Security breaches by numbers. How UK businesses, big and small, are coping with cyber threats

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements



First published as a supplement to the New Statesman of 18-24 September 2015. © New Statesman Ltd. All rights reserved. Registered as a newspaper in the UK and USA.



A-Z OF CYBER SECURITY

Cyber security comes with a language all of its own, often opaque and replete with acronyms. With some expert help, we unravel the code, from advanced persistent threat to zero days

U is for understanding

A is for advanced persistent threat
An APT is an attack carried out by an adversary that targets and exploits individuals rather than attacking computers and operating systems directly. Its intent is to be stealthy, targeted and data-focused. Typically an APT targets individuals in an organisation. The adversary performs extensive reconnaissance and then sends a targeted piece of information, such as a web link or email, to trick the user into opening up vulnerabilities. From this breach the adversary uses the compromised system as a pivot point into the organisation's network.

The trick in dealing with APTs is recognising that prevention is ideal but detection is a must. Organisations will get compromised by APTs. The goal is to minimise the frequency and impact of this by controlling where the adversary can get to in the network and how much damage it can do.

Here are three things you can do to limit the impact of an APT:
1. Content filtering and examination of behavioural anomalies.
2. Create highly segmented networks to prevent lateral movement.
3. Monitor outbound traffic for the attacker's command-and-control channels.
Eric Cole is a faculty fellow and course author at the SANS Institute
A is also for authorisation, active attack and anti-virus software
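Point three above, monitoring outbound traffic for command-and-control channels, is worth seeing in code. The example below is added here and is not from the original supplement or the SANS course material. It takes the simplest reliable C2 signal, a host that connects to the same external address on a fixed timer, and flags source/destination pairs whose inter-connection gaps are nearly constant. The log format, addresses and timestamps are all constructed for the illustration; a real proxy or NetFlow export would need its own parser.

```python
"""Beacon detection over outbound connection logs (added example).

Malware that phones home on a timer produces near-constant gaps between
connections to the same destination; human browsing does not. Flagging
pairs with a low coefficient of variation in those gaps is a cheap first
pass at finding C2 channels in proxy or flow logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line: "<ISO time> <src> <dst>".
# 10.0.0.7 beacons to 203.0.113.9 about every 60 s (with a little jitter);
# 10.0.0.12 talks to 198.51.100.4 at irregular, human-looking intervals.
SAMPLE_LOG = """\
2015-09-18T09:00:00 10.0.0.7 203.0.113.9
2015-09-18T09:00:10 10.0.0.12 198.51.100.4
2015-09-18T09:00:14 10.0.0.12 198.51.100.4
2015-09-18T09:01:00 10.0.0.7 203.0.113.9
2015-09-18T09:02:00 10.0.0.7 203.0.113.9
2015-09-18T09:02:50 10.0.0.12 198.51.100.4
2015-09-18T09:03:02 10.0.0.7 203.0.113.9
2015-09-18T09:04:00 10.0.0.7 203.0.113.9
2015-09-18T09:05:00 10.0.0.7 203.0.113.9
2015-09-18T09:05:01 10.0.0.12 198.51.100.4
2015-09-18T09:05:03 10.0.0.12 198.51.100.4
2015-09-18T09:06:00 10.0.0.7 203.0.113.9
2015-09-18T09:07:00 10.0.0.7 203.0.113.9
2015-09-18T09:11:40 10.0.0.12 198.51.100.4
2015-09-18T09:12:00 10.0.0.12 198.51.100.4
2015-09-18T09:20:00 10.0.0.12 198.51.100.4
"""


def parse_log(text):
    """Group connection times by (src, dst) pair."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(events, min_events=6, max_cv=0.2):
    """Return (src, dst, period_seconds) for pairs whose connection gaps
    are regular: at least min_events connections and a coefficient of
    variation (stddev / mean of the gaps) no larger than max_cv."""
    hits = []
    for (src, dst), times in events.items():
        if len(times) < min_events:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps, not a timer
        if pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg)))
    return hits


if __name__ == "__main__":
    for src, dst, period in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

Tune `min_events` and `max_cv` to the environment: legitimate software (update checks, NTP, monitoring agents) also beacons, so the output is a list of pairs to allow-list or investigate, not a verdict. Attackers who add large random jitter defeat this check, which is why it belongs alongside content filtering and segmentation rather than instead of them.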

B is for biometrics
Biometrics refers to authentication tools and technologies such as facial recognition, fingerprinting and retina scanning.

With traditional password-based security features increasingly hacked by cyber criminals, biometrics are becoming popular as they can be a much harder target for hackers.

Biometrics are more difficult to hack but should not be seen as a replacement for password technology. Whether it's voice recognition or fingerprint technology, biometrics do solve some of the flaws inherent in modern password systems, but they also bring a different set of challenges. For example, fingerprints can be reproduced, some prints are stronger than others, and changes in the physical appearance of the user can throw off the results in facial recognition.

Used together, passwords and biometrics provide a stronger form of protection. One serves as a backup for the other, raising the barrier further for unauthorised users attempting to gain access and hack a system. For example, security tools that incorporate multi-factor authentication, including encryption alongside biometric fingerprint technology and typical password security, can ensure that devices are covered on all bases.
Nicholas Banks is a vice-president of IronKey by Imation
B is also for bot, backdoor, boundary protection and BYOD

C is for cloud computing
As defined by Gartner, cloud computing is "a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using internet technologies". In other words, cloud (continued on page seven)


Why infosec is the great enabler
Just as a car's brakes take the risk out of driving, so information security makes business possible, writes Peter Wenham

Information security (infosec, or just security) often gets a bad press and is often seen in a negative light. Why is this? Is it the influence of sensationalism in the media about the bad guys getting heaps of credit-card data? Or is the coverage causing fatigue because the messages are seen as overhyped and, in a sense, "it's not happened here yet"? Is it that the costs associated with infosec are seen as coming off the bottom line with no apparent benefit? Perhaps an expensive infosec project failed or costs spiralled.

Whatever the reason, infosec needs to be better understood. It is, after all, a business enabler, but can we demonstrate that? A good analogy is to ask why cars are built with brakes. Ask an audience and the majority answer will be: because they stop the car. The real reason is that the brakes enable the car to be driven. In other words, they take the risk out of actually driving the car at speed, because the brakes can be used to slow or stop it.

We can extend the analogy by comparing a Formula 1 racing car's brakes to a family car's brakes. Fit a family car's brakes to an F1 car and they will fail before the F1 car completes its first circuit. The quality of the brakes, or control, is proportionate to the risk: an F1 car needs far better brakes than those fitted to a family car because of its higher speeds and its acceleration and deceleration rates.

What is infosec actually doing in an organisation? It is protecting company data, be it intellectual property, finance and HR records or customer data. And each data type has a value. For example, sales and marketing information is of value to rivals planning to make a hostile bid. According to the data or information value, we can identify the threats, threat sources and business exposures.

By identifying the threats, sources and exposures, a set of general controls governing access to any data set, and the processing it can be subject to, can be determined.

So who owns infosec? In many organisations infosec is thrown lock, stock and barrel over the fence to the IT group, but they are the wrong people. While IT can devise, implement and manage technical controls in support of identified threats, it is the core business that understands what the organisation does and the threats and exposures it faces.

The business owns the information that drives an organisation. Information, and the data it is derived from, can and must be owned by only one person, for due diligence, auditability and legal and regulatory reasons. Hence the HR director (or equivalent) will own HR data, the finance director owns finance data, and so on.

What does "owning" the data mean? It means saying who can access data and for what purpose. Just because a person is the MD, CEO or a director does not mean that he or she should have access to all the company data. Information should be restricted on a "need to know" basis.

Nevertheless, care is needed in this area to ensure this principle is not applied too strictly.

Generally, directors in large organisations cannot have hands-on decision-making for all the data under their control, so any decision-making regarding access and use will be devolved down through their organisations, but in the end they set the policy and retain overall responsibility.

In summary, for any specific informational area such as HR, the business has identified the value of the information (public, company internal, sensitive and so on), who (or which groups) can access the information, and what they can do to it (create, delete, edit, copy, transmit and so on).

This is the information necessary to build a sane and sensible infosec strategy for a company, one that an IT department can take and turn into usable technical controls and an HR department can turn into user policies.
Peter Wenham is the director of Trusted Management, specialists in information assurance

To find out more, visit trusted-management.com

IN PARTNERSHIP WITH TRUSTED MANAGEMENT


[Photo caption: A movie about the North Korean leader Kim Jong-un triggered cyber attacks on the film company]

computing enables companies to tap into extended resources situated anywhere in the world, creating efficiencies and scale, and allowing users to pay for services as they are used.

While the cloud brings a host of financial and business benefits, it also brings risks in the form of cyber theft, accidental data leaks and privacy fines. As sensitive information is of enormous value to criminals, cloud defence is imperative for businesses that hold such data.

A logical starting point is to identify all cloud applications in use, classify the types of data they hold and assess the risk level of each app. This then helps firms to map the appropriate security controls to protect data, such as encryption, tokenisation and data-loss prevention.

And finally, organisations should continuously monitor activities to detect and flag up any anomalies in the use of data.
Willy Leichter is the global director for cloud security at CipherCloud
C is also for critical infrastructure, cipher and cryptography

D is for denial of service
A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users.

To perpetrate this attack, cyber criminals will stealthily install software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim's website. These botnets can include tens of thousands of PCs, and an attack launched from one is referred to as a distributed denial of service (DDoS) attack. Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call.

DoS attacks are often used by groups with a grievance against a particular brand or political issue, and can be a smokescreen to confuse the target while other, more sophisticated attacks take place.

DoS attacks can be mitigated by countermeasures such as certain types of application traffic-management devices that can be configured to identify and discard traffic that appears to be coming from a botnet. There are also third-party services that act as a type of clearing house for web traffic and can counteract DoS attacks.
Stephen Sims is a course author and senior instructor at the SANS Institute
D is also for decryption and data breach

E is for encryption
Encryption is at once intellectually simple and morally complex.

At its most straightforward, it is the act of encoding data, turning plain text into cipher text. Only those with a key or password can decode, or decrypt, the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an individual, business or government.

The strength of the encryption depends on how the technology is applied. Broadly, this happens in two ways: symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses a different key at the beginning and at the end of the process. From a security point of view encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?
Jon Bernstein
E is also for event and exploit

F is for Flashback malware attack
The conventional wisdom dictates that Apple-made devices are less prone to security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.

The Flashback malware attack is one example of when Apple's defences, and those of its OS X operating system, were breached. Using a form of malware known as a Trojan horse, it was first detected in 2011. As the term suggests, a Trojan horse attack is based more on deception than stealth, and Flashback was initially disguised as an Adobe Flash Player plug-in before moving on to exploit vulnerabilities in Java. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated, so the victim is a passive participant, oblivious to malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.
Jon Bernstein
F is also for fraud and firewall
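The switchboard analogy in the D entry above, worked through as an added example that is not part of the original supplement. A server has eight lines; a constructed request trace has one source calling twice a second for 40 seconds while four legitimate callers arrive in between; `per_source_cap` plays the part of the traffic-management device that refuses to hand a line to a source already holding its quota. Addresses, timings, and the ten-second call duration are all assumptions of the model.

```python
"""Denial of service as a switchboard, with and without a per-source cap
(added example). A single flooding source holds every line, so legitimate
callers are refused; a device that discards calls from a source already
holding its quota leaves lines free for everyone else."""

LINES = 8             # phone lines available (the D entry's analogy)
HOLD = 10.0           # seconds a call occupies a line (assumed)
BOT = "203.0.113.5"   # constructed flood source; the other addresses are legitimate

# Constructed trace of (arrival_second, source): the bot calls twice a second
# for 40 seconds; four legitimate callers arrive at 9.25, 17.25, 25.25, 33.25.
TRACE = [(i / 2, BOT) for i in range(80)] + [
    (9.25, "198.51.100.10"), (17.25, "198.51.100.11"),
    (25.25, "198.51.100.12"), (33.25, "198.51.100.13"),
]


def serve(trace, per_source_cap=None):
    """Replay the trace and return (served, refused) for legitimate callers.

    per_source_cap=None models the unprotected switchboard; an integer models
    a traffic-management device that discards a call when its source already
    holds that many lines, before it can consume a line."""
    occupied = []          # (release_time, source) for each busy line
    served = refused = 0
    for t, src in sorted(trace):
        occupied = [c for c in occupied if c[0] > t]   # hang up finished calls
        if per_source_cap is not None:
            held = sum(1 for _, s in occupied if s == src)
            if held >= per_source_cap:
                continue   # discarded: the bot's extra calls never reach a line
        if len(occupied) >= LINES:
            if src != BOT:
                refused += 1
            continue
        occupied.append((t + HOLD, src))
        if src != BOT:
            served += 1
    return served, refused


if __name__ == "__main__":
    print("no mitigation (served, refused):", serve(TRACE))
    print("cap of 2 lines per source:      ", serve(TRACE, per_source_cap=2))
```

Without the cap the bot refills every line the moment it frees, and all four legitimate callers are refused; with a cap of two lines per source, all four get through. The model also shows the limit of the countermeasure: a per-source cap only works when the flood comes from few sources, which is exactly what a distributed attack from tens of thousands of bots is designed to avoid, and why the entry also points to upstream traffic clearing houses.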
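The symmetric/asymmetric distinction in the E entry above, as an added example that is not from the original supplement. Both constructions are deliberately toy-sized so the key relationships are visible: a SHA-256 counter keystream stands in for a real symmetric cipher, and textbook RSA with the primes 61 and 53 stands in for a real asymmetric scheme. Neither is safe for actual use (no padding, no authentication, a modulus small enough to factor by hand); the point is only that the same key reverses the symmetric operation, while in the asymmetric case the key that encrypted cannot decrypt. `pow(e, -1, phi)` needs Python 3.8 or later.

```python
"""Symmetric vs asymmetric encryption in miniature (added example, toy
constructions for illustration only)."""
import hashlib


# --- symmetric: one shared key, the same operation in both directions ---
def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 of key || counter, concatenated until long enough."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


# XOR with the same keystream undoes itself: that is what "symmetric" means.
symmetric_decrypt = symmetric_encrypt


# --- asymmetric: textbook RSA with tiny primes (constructed; insecure) ---
def rsa_keypair(p=61, q=53, e=17):
    """Return (public_key, private_key) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # modular inverse, Python 3.8+
    return (e, n), (d, n)


def rsa_apply(key, m: int) -> int:
    exponent, n = key
    return pow(m, exponent, n)


def asymmetric_encrypt(public_key, message: bytes) -> list:
    """Toy: one RSA operation per byte (every byte value is below n=3233)."""
    return [rsa_apply(public_key, b) for b in message]


def asymmetric_decrypt(key, blocks: list) -> bytes:
    return bytes(rsa_apply(key, c) % 256 for c in blocks)


if __name__ == "__main__":
    msg = b"attack at dawn"
    ct = symmetric_encrypt(b"shared-secret", msg)
    print("symmetric round trip ok:", symmetric_decrypt(b"shared-secret", ct) == msg)
    pub, priv = rsa_keypair()
    blocks = asymmetric_encrypt(pub, msg)
    print("asymmetric round trip ok:", asymmetric_decrypt(priv, blocks) == msg)
    print("public key cannot decrypt:", asymmetric_decrypt(pub, blocks) != msg)
```

The `% 256` in `asymmetric_decrypt` only keeps the toy from raising when the wrong key produces a value above 255; with the right private key every block decrypts to the original byte. In practice the two families are combined: an asymmetric exchange protects a fresh symmetric key, and the symmetric cipher protects the bulk data.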

G is for gateway crimes
In the world of addiction prevention the notion of a gateway drug is well understood: a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.

Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was "important that they put those skills to good use and are not tempted unwittingly to cyber criminality".
Jon Bernstein
G is also for graduated security

H is for Heartbleed
Heartbleed is the open-source software flaw that affected more than 60 per cent of the internet over a year ago. It allowed access to the private key used by individuals and businesses to encrypt web traffic. In particular, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace.

Heartbleed served as a long-overdue wake-up call for the IT industry. In some IT organisations the percentage of open-source code used is greater than 25 per cent, meaning there's a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the vulnerability posed by Heartbleed.

The moral of the Heartbleed story is that while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.
Lev Lesokhin is an executive vice-president at CAST Software
H is also for honey pot and hot wash
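How a flaw "retrieves data from the memory of a web server without leaving a trace" is easier to see than to describe, so here is a model of it, added here and not OpenSSL's code. The real bug (CVE-2014-0160) was that the TLS heartbeat handler copied as many bytes as the sender's length field claimed, without checking that the request actually contained that many; the fix was the comparison shown in `heartbeat_fixed`. The memory layout and the key-like "neighbour" data are constructed for the illustration.

```python
"""A model of the Heartbleed over-read and the check that fixes it
(added example; simplified, not OpenSSL's code)."""

# Constructed stand-in for whatever happened to sit after the request in
# the server's heap: here a fragment that looks like key material.
NEIGHBOUR = b"-----BEGIN RSA PRIVATE KEY-----\n(constructed fragment)" + b"\x00" * 32


def server_memory(request_payload: bytes) -> bytes:
    """The received request is copied into a buffer next to other live data."""
    return request_payload + NEIGHBOUR


def heartbeat_vulnerable(payload: bytes, claimed_length: int) -> bytes:
    """Echo claimed_length bytes starting at the payload. The sender's word is
    taken for how long the payload is, so a claim larger than the payload
    copies out neighbouring memory."""
    memory = server_memory(payload)
    return memory[:claimed_length]


def heartbeat_fixed(payload: bytes, claimed_length: int):
    """RFC 6520 says a request whose claimed length exceeds what was received
    must be silently discarded. Returning None models the discard."""
    if claimed_length > len(payload):
        return None
    return payload[:claimed_length]


def leaked(payload: bytes, claimed_length: int) -> bytes:
    """What the attacker gets back beyond the bytes they sent."""
    return heartbeat_vulnerable(payload, claimed_length)[len(payload):]


if __name__ == "__main__":
    print("attacker sends 5 bytes, claims 48, receives extra:", leaked(b"hello", 48))
    print("fixed handler on the same request:", heartbeat_fixed(b"hello", 48))
```

In the real protocol the length field is 16 bits, so each malformed request could pull back up to 64 KB of whatever lay nearby, and nothing about a successful heartbeat is logged, which is the "without leaving a trace" part. The missing check is one line, which is the author's point about measuring components rather than trusting the number of eyeballs on them.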

I is for identity management
For practical purposes an identity is a combination of username and password (you might call it a login or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.

Between home and work we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be (known as authentication) and, in a corporate environment, it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change (referred to as authorisation).

Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, in the cloud or on mobile devices.
Bill Mann is the chief product officer at Centrify
I is also for incident, information assurance, intrusion and intellectual property
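Two passages describe the same control from different ends: Peter Wenham's article has the data owner deciding which groups may create, delete, edit, copy or transmit each data set, and the I entry above has authorisation that changes when an employee's role changes. The example below, added here and not from either author, joins them: an owner-set policy, a minimal directory of users and roles, an `is_allowed` check, and the review that finds access a role change should have removed. The policy, roles and names are constructed.

```python
"""Owner-set access policy and role-based authorisation (added example).

POLICY is the decision the data owner makes in Wenham's terms: for each data
set, which roles may perform which actions. The Directory is the identity
store; is_allowed is the authorisation check; stale_access is the review that
an access-management system should run when roles change."""

# Constructed policy: data set -> owner and the actions each role may perform.
POLICY = {
    "hr-records": {
        "owner": "hr-director",
        "roles": {
            "hr-staff": {"create", "edit", "copy"},
            "hr-manager": {"create", "edit", "delete", "copy", "transmit"},
        },
    },
    "finance-ledger": {
        "owner": "finance-director",
        "roles": {
            "finance-staff": {"create", "edit"},
            "finance-manager": {"create", "edit", "delete", "transmit"},
        },
    },
}


class Directory:
    """Minimal identity store: user -> set of current roles."""

    def __init__(self):
        self.roles = {}

    def assign(self, user, *roles):
        self.roles[user] = set(roles)

    def move(self, user, *new_roles):
        # Mover: replace the role set rather than add to it, so old
        # entitlements drop away instead of accumulating.
        self.roles[user] = set(new_roles)

    def leave(self, user):
        self.roles.pop(user, None)


def is_allowed(directory, user, dataset, action) -> bool:
    """Authorisation: permitted only if some current role grants the action.
    Seniority alone grants nothing, which is the need-to-know principle."""
    rules = POLICY.get(dataset, {}).get("roles", {})
    return any(action in rules.get(role, ()) for role in directory.roles.get(user, ()))


def stale_access(directory, access_log):
    """Entries in a recent access log that the user's current roles no
    longer permit: what an access review after a role change should surface."""
    return [entry for entry in access_log if not is_allowed(directory, *entry)]


if __name__ == "__main__":
    d = Directory()
    d.assign("alice", "hr-staff")
    d.assign("ceo", "executive")
    print("alice edits HR records:", is_allowed(d, "alice", "hr-records", "edit"))
    print("ceo copies HR records:", is_allowed(d, "ceo", "hr-records", "copy"))
    d.move("alice", "finance-staff")
    print("after move:", stale_access(d, [("alice", "hr-records", "edit")]))
```

The shape matters more than the size: the owner's decision lives in one place (`POLICY`), the identity store holds only role membership, and a role change is a replacement rather than an addition. Most real entitlement creep comes from systems that do the last step as an addition.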

J is for jamming
Jamming is a technique used by (continued on page ten)


Threat and the innovation dilemma
New aircraft technology designed to enhance safety gives hackers a fresh target, warns Jack Elliott-Frey

Even though there are an estimated 100,000 or so flights every day globally, for many people air travel still retains a large fear factor, for the simple reason that aircraft disasters, although statistically incredibly rare, still dominate news headlines when they occur. Regardless that you are more likely to die falling out of bed (a one in two million chance) than in a plane crash (a one in 11 million chance), many people still fear flying.

Unfortunately this article will hardly help to assuage those fears. As many businesses will know, the increasing threat of a cyber attack is something that has been gaining a great deal of media attention in recent years, and the aviation industry now finds itself a target for cyber attacks of various kinds. So is it now possible for hackers to seize control of an aircraft?

Not yet, but the industry is coming under sustained attack from a variety of sources. A security researcher, Chris Roberts, reportedly hacked into an aircraft flight system to demonstrate its vulnerability, only to tweet about it and subsequently find himself under arrest by the FBI when he landed.

More recently LOT, Poland's national airline, had its aircraft grounded following a hack that targeted computers issuing flight plans at Warsaw airport.

What these examples highlight is the vulnerability of the aviation industry to the growing threat of a cyber attack, a direct consequence of the proliferation of technology within the industry. New Boeing models are flown with the help of advanced computer systems, with pilots ceding aspects of control to technology. While this has allowed for great strides in aircraft safety, particularly during landing and take-off, it has also given hackers and other cyber criminals a new target.

There are a multitude of attack methods that pose a threat to airlines. On the ground, phishing attacks are a popular method used by criminals, whereby fake emails are sent to staff in an attempt to retrieve sensitive company information such as passwords. According to the Centre for Internet Security (CIS), 75 US airports were targeted with attacks of this sort in 2014, highlighting the frequency at which cyber criminals are operating.

Remote hacking and wifi attacks are another form of attack, with flight control systems and wifi networks offering a new means for hackers to compromise an aircraft's command centre. Couple this with "ghost" flights, when a hacker inserts or removes a plane's projection on radar screens, and there is plenty for the aviation industry to consider alongside existing stringent safety measures.

The aviation industry is just one facing up to this new threat as it becomes more reliant on technology. Shipping and ports, rail networks, retail and finance are just some of the other areas of business that are facing serious cyber threats as their core business moves online and relies on increasingly connected networks to operate.

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher, and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses "it is not a matter of if you are hacked but when". For the aviation industry, and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.
Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London specialising in cyber insurance

To find out more, visit safeonline.com

IN PARTNERSHIP WITH SAFEONLINE


attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1. Flooding the spectrum using a signal generator.
2. Attacking the transmission collision-avoidance protocols to prevent other stations from transmitting.
3. Exploiting a vulnerability in the protocols that process transmissions.

While blocking or disrupting the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming.
Steve Armstrong is a certified instructor at the SANS Institute
J is also for joint authorisation

K is for Kim Jong-un
Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014 Sony Pictures Entertainment fell victim to a massive leak of sensitive information (more than 100 terabytes of data, claimed the assailants) ranging from internal emails and employee salaries to details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect" from North Korea. For its part, the country continues to deny any involvement.
Jon Bernstein
K is also for key and key escrow

L is for licensing
It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers should not be underestimated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits, and invariably leaves them paying significantly more than they should for the technology they use in their business.
Gareth Johnson is the CEO of Crayon
L is also for the law and logic bombs

M is for Melissa
The Melissa virus struck in March 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that, at the time, was highly innovative. Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim's address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.
Lenny Zeltser is a senior instructor at the SANS Institute
M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience
We all rely on network connectivity in our day-to-day lives, from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services


Big data: the future of UK cyber security
Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data, from smartphones to intelligent fridges and from industrial sensors to CCTV cameras, keeps growing.

For a business, this vast universe of data could consist of 10,000 devices connected to the network transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached, but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats, and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest-priority threats that lie hidden amid the large volume of data and feeding these threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.
Paul Stokes is the chief operating officer for Wynyard

To find out more, visit wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP


How safe are your crown jewels?
No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information. It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony, and Target, and eBay, and Home Depot, and JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels
Companies today have an overflowing amount of information and multiple routes in to reach it. For many the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection and mitigation, and a plan in place to put things right when they go wrong, too.

Six activities to help protect your crown jewels

1 Make detection part of your strategy
Many organisations have already been breached, they just don't know it yet. And the longer a threat sits within your systems the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3 Look after your data when it's inside and outside your organisation
Today, in our interconnected world, our data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Many and multiple devices can be the weak point in your security

IN PARTNERSHIP WITH AVATU

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers

Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels"

Are you really protecting your crown jewels?
Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc.

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free.

A-Z OF CYBER SECURITY

are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.
Garry Sidaway is a senior vice-president at NTT Com Security
N is also for non-repudiation
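The detection step the entry describes, as an added example that is not part of the original article: it counts requests per source in a fixed window against a normal baseline, separates a flood from one dominant source (DoS) from one spread across many sources (DDoS), flags the invalid requests, and lists the sources a scrubbing filter would act on. The log records, thresholds and TEST-NET addresses are constructed for the example, not taken from any real service.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Request is one access-log entry; the records below are constructed, not real.
type Request struct {
	At     time.Time
	Source string
	Status int
}

// Verdict is what the detector reports for one time window.
type Verdict struct {
	Kind      string   // "normal", "dos" (one dominant source) or "ddos" (many sources)
	Total     int      // requests in the window
	Sources   int      // distinct source addresses
	Invalid   int      // 4xx/5xx responses, the incorrect or invalid requests the entry mentions
	Offenders []string // sources a scrubbing filter would act on, busiest first
}

// Classify inspects the requests inside [start, start+window). baseline is the count a
// normal window carries (over three times that is an attack); perSourceLimit is the most one client sends.
func Classify(reqs []Request, start time.Time, window time.Duration, baseline, perSourceLimit int) Verdict {
	perSource := map[string]int{}
	v := Verdict{Kind: "normal"}
	for _, r := range reqs {
		if r.At.Before(start) || !r.At.Before(start.Add(window)) {
			continue
		}
		v.Total++
		perSource[r.Source]++
		if r.Status >= 400 {
			v.Invalid++
		}
	}
	v.Sources = len(perSource)
	if v.Total <= 3*baseline {
		return v
	}
	ranked := make([]string, 0, len(perSource))
	for s := range perSource {
		ranked = append(ranked, s)
	}
	sort.Slice(ranked, func(i, j int) bool { // busiest first, then by address
		a, b := perSource[ranked[i]], perSource[ranked[j]]
		return a > b || (a == b && ranked[i] < ranked[j])
	})
	// One source carrying at least half the flood is a plain DoS: block it alone.
	if 2*perSource[ranked[0]] >= v.Total {
		v.Kind = "dos"
		v.Offenders = ranked[:1]
		return v
	}
	// Otherwise the flood is distributed: list every source above a client's share.
	v.Kind = "ddos"
	for _, s := range ranked {
		if perSource[s] > perSourceLimit {
			v.Offenders = append(v.Offenders, s)
		}
	}
	return v
}

// SampleLog is a constructed log (TEST-NET addresses): a quiet window, then a
// single-source flood, then a distributed flood of invalid requests.
func SampleLog() []Request {
	var reqs []Request
	add := func(sec int, src string, status int) { // seconds past 10:00:00; overflow rolls into minutes
		reqs = append(reqs, Request{time.Date(2015, 9, 18, 10, 0, sec, 0, time.UTC), src, status})
	}
	for i, src := range []string{"203.0.113.10", "203.0.113.11", "203.0.113.12"} {
		add(2*i, src, 200) // 10:00:00-10:00:09: three clients, two requests each
		add(2*i+1, src, 200)
	}
	for i := 0; i < 40; i++ {
		add(60+i%10, "198.51.100.7", 200) // 10:01:00-10:01:09: forty requests from one source
	}
	add(61, "203.0.113.10", 200)
	add(65, "203.0.113.11", 200)
	for b := 1; b <= 20; b++ {
		for i := 0; i < 5; i++ {
			add(120+i, fmt.Sprintf("192.0.2.%d", b), 404) // 10:02:00-10:02:04: twenty bots, five each
		}
	}
	add(122, "203.0.113.10", 200)
	add(127, "203.0.113.12", 200)
	return reqs
}

func main() {
	for m := 0; m < 3; m++ {
		start := time.Date(2015, 9, 18, 10, m, 0, 0, time.UTC)
		v := Classify(SampleLog(), start, 10*time.Second, 6, 3)
		fmt.Printf("%s %-6s total=%d sources=%d invalid=%d offenders=%d\n", start.Format("15:04"), v.Kind, v.Total, v.Sources, v.Invalid, len(v.Offenders))
	}
}
```

The two legitimate clients that keep browsing during the distributed flood stay off the offender list, which is the property a scrubbing rule has to preserve.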

O is for outside threat
As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.
Garry Sidaway is a senior vice-president at NTT Com Security
O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.
Jon Bernstein
P is also for passive attack, personally identifiable information and phishing

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma

Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme.

1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4 Ensure the training you provide is up-to-date and relevant to the task in hand. Provide real life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".
5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly, it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.
Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you're serious about cyber security?

What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it.

Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses, and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.
Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps such as automated vulnerability scans to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1 Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2 Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3 Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one to three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.
1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2 Use strong passwords to secure your online accounts and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3 Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4 Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access


V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted.

Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks or zero-day malware are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially by sending information about vulnerable software to the party responsible for its creation, so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie

Cyber security: a must do for SMEs

For many small businesses cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best. "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners, too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.
Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others

To find out more visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE

VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists.

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger, but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.

"Total security is a futile concept"

Cyber security makes good business sense and should be seen as an opportunity

Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start.

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
- costs incurred to manage a breach crisis
- regulatory fines and proceedings
- legal liability

Also, they can now find cover for:
- consequential losses due to damage of business reputation
- consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
- Privacy governance. Do you have policies in place for users to follow?
- Privacy culture. Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
- Network security. Do you protect and monitor your IT infrastructure?
- Data encryption tools. Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
- Network segmentation. Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
- Point-of-sales systems. We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at max.perkins@uk.lockton.com

Lockton is a global insurance broker.

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON

"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard.

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers, so only the rightful owners and those users, devices and applications that are authorised to access the data can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated pin or biometrics such as a fingerprint scan. And, of course, passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.
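The separation the previous paragraph describes, an administrator who can see that a record exists but cannot read it, as an added Go example that is not from the article or from Digital Pathways: it assumes a constructed Store with Put, Get and AdminList, a hypothetical DeriveKey helper, and AES-GCM with a key held by the data owner rather than by the storage layer.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Record is all the storage layer (and its administrators) ever holds:
// metadata in the clear, the payload only as authenticated ciphertext.
type Record struct {
	Name       string
	Owner      string
	Size       int // plaintext length in bytes, visible without any key
	Nonce      []byte
	Ciphertext []byte
}

// Store is a constructed stand-in for a server-side data store; it never
// holds a decryption key, those stay with the authorised users.
type Store struct{ records map[string]Record }

func NewStore() *Store { return &Store{records: map[string]Record{}} }

// DeriveKey turns a user-held secret into a 32-byte AES-256 key. Hypothetical
// helper for this example; a real system would use a proper KDF (Argon2,
// scrypt or HKDF) instead of a single SHA-256.
func DeriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds owner and name into the authentication tag, so whoever runs the
// store cannot quietly re-label a record as belonging to somebody else.
func aad(owner, name string) []byte { return []byte(owner + "/" + name) }

// Put encrypts on the caller's side and hands the store ciphertext plus
// metadata only; the key itself never reaches the store.
func (s *Store) Put(name, owner string, key, plaintext []byte) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad(owner, name))
	s.records[name] = Record{Name: name, Owner: owner, Size: len(plaintext), Nonce: nonce, Ciphertext: ct}
	return nil
}

// AdminList is the administrator's view: which records exist, who owns
// them and how big they are, with no key required.
func (s *Store) AdminList() []Record {
	out := make([]Record, 0, len(s.records))
	for _, r := range s.records {
		out = append(out, r)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// Get decrypts a record for a caller holding the right key. With any other
// key GCM's tag check fails and the caller gets an error rather than
// plaintext, so store access alone does not let an administrator read it.
func (s *Store) Get(name string, key []byte) ([]byte, error) {
	rec, ok := s.records[name]
	if !ok {
		return nil, errors.New("no such record")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad(rec.Owner, rec.Name))
}

func main() {
	store := NewStore()
	userKey := DeriveKey("constructed user secret") // held by the data owner only
	if err := store.Put("payroll.csv", "alice", userKey, []byte("bob,50000")); err != nil {
		panic(err)
	}
	r := store.AdminList()[0]
	fmt.Printf("admin sees %s (%s, %d bytes) but not its contents\n", r.Name, r.Owner, r.Size)
	_, err := store.Get("payroll.csv", DeriveKey("admin guess"))
	fmt.Println("admin decrypt attempt:", err)
	pt, _ := store.Get("payroll.csv", userKey)
	fmt.Printf("owner reads %q\n", pt)
}
```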

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways.

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS

VIEW FROM THE EXPERTS

2. "The cyber security industry trades off people's fears – often unsubstantiated." Discuss.

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches.

Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately, and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real, but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough, and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore, failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind, by means of cyber exercises or resilience games, is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest, or indeed weakest, point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore, cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1. Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies, to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place, using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.

To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney.

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July, when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and, in turn, result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that, when online, everybody is a target and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them.

This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International.

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY

HEADING

In todayrsquos reality of increasing cyberthreats the Cyber Essentials Schemeis the UK governmentrsquos endeavour to

help businesses and organisations securetheir digital assets by undergoing a secu-rity assessment Cyber Essentials is anoptional requirement for most businesses

unless you wish to bid for some govern-ment tenders when it becomes a manda-tory requirement

I must confess as a security consultantwith Digital Assurance when the CyberEssentials scheme was first launched in June 2014 I felt sceptical and somewhatdisenchanted certainly as a pen-tester anda fellow of the tin-foil hat brigade

Cyber Essentials was not a traditionalpen test that involved vigorous testingstaring at the only light emitting in theroom at 2am and wondering what can be

obtained from some odd memory leakvulnerability Neither was it a physicalsecurity test where we were sneakinginto your building and hiding ninja-like behind your employees or sitting at yourdesks (Yes yours the one with passwordPost-it notes all over the monitor )

And it certainly doesnrsquot include tryingto contemplate how to debug a carrsquos on- board computer over drinks with friendsat a local pub after successfully exploitingand unlocking said car remotely

I also felt somewhat sullied when I

compiled some of the first of the Cyber

Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

…Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a self-assessment questionnaire covering five areas of security control, which is then checked by the body that oversees the certification.

The five areas covered are:

• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point: it helps protect your digital assets against an unauthenticated remote attacker coming in across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review of internal systems, including firewalls, laptops, PCs and email gateways. Where the basic level takes the view of the unauthenticated remote attacker, the Plus variant also checks how those internal systems would fare if that attacker tried to get malware or ransomware into the network, for example by email.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.
Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns, and the odd bit of car hacking just for the heck of it

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks there is room for optimism, argues Andrew Cooke

What is digital infrastructure?
We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure: our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the growing number of information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour, and the condition and use of their assets. To exploit the data effectively it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but it also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the theft of customer or employee information. As well as those more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or SCADA) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make the risk more severe, and sharing a network means that a compromised office PC is now only a hop away from equipment that was never designed to be exposed.

For example, the operational systems that are now being accessed across the internet have longer life cycles than the IT equipment used to run enterprise client management and accounting systems. As a result the underlying computer systems are older, their operating systems are often no longer supported, and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out part-time by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure we need to consider the future needs of our society. That means considering not only which services are needed but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?
Infrastructure organisations are experts in understanding the whole-life cost of their assets. That expertise can now be applied to securing service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives, and of the security of the physical and information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information is linked to the delivery of the organisation's objectives, and consequently to the assets needed to achieve them. Vulnerability and threat need to be managed asset by asset, to ensure that threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively for the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can secure what needs to be secured and make the information they need available and accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and its value, and making sure that security is at the heart of the way it is designed and exploited.
Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS

FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experienced security breaches, up from 81% a year ago
74% of small businesses experienced security breaches, up from 60% a year ago
£1.46m to £3.14m: average cost of the worst security breaches to large organisations
£75k to £311k: average cost of the worst security breaches to small businesses
50% of the worst breaches were caused by inadvertent human error

Security breach by type

Large organisations: staff-related 75%; unauthorised outsider 69%; denial of service attack 30%
Small organisations: staff-related 31%; unauthorised outsider 38%; denial of service attack 16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)

Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own cyber security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCeL London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises of aircraft and washing machines. The accusations fly easily: corporations do not prioritise security, or worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world, with an estimated 50 billion devices connected together by 2020, heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. The overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines, now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation of how we must evolve.
Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


A-Z OF CYBER SECURITY

Cyber security comes with a language all of its own, often opaque and replete with acronyms. With some expert help we unravel the code, from advanced persistent threat to zero days.

U is for understanding

A is for advanced persistent threat
An APT is an attack carried out by an adversary that targets and exploits people as its way in, rather than attacking computers and operating systems directly. Its intent is to be stealthy, targeted and data-focused. Typically an APT targets individuals in an organisation. The adversary performs extensive reconnaissance and then sends a targeted piece of information, such as a web link or email, to trick the user into opening up vulnerabilities. From this breach the adversary uses the compromised system as a pivot point into the organisation's network.

The trick in dealing with APTs is recognising that prevention is ideal but detection is a must. Organisations will get compromised by APTs. The goal is to minimise the frequency and impact of this by controlling where the adversary can get to in the network and how much damage it can do.

Here are three things you can do to limit the impact of an APT:
1 Content filtering and examination of behavioural anomalies
2 Create highly segmented networks to prevent lateral movement
3 Monitor outbound traffic for the attacker's command and control channels
Eric Cole is a faculty fellow and course author at the SANS Institute
A is also for authorisation, active attack and anti-virus software
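Point 3 in the list above, in practice. The following is an added example, not from the original entry or from SANS, that scores outbound web-proxy connections for beaconing: the near-fixed-interval call-backs an implant makes to its command-and-control server. It flags the regularity of the timing rather than the destination name, which is the point: a beacon to a plausible-looking domain still beacons. The log format, host names and timestamps are constructed for the example.

```python
"""Beacon detection over constructed outbound proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: timestamp, source host, destination, bytes out.
# ws-017 calls one host every five minutes, almost to the second; the
# other connections are ordinary browsing and mail.
SAMPLE_LOG = """\
2015-09-18T09:00:00 ws-017 updates.example-cdn.net 412
2015-09-18T09:00:31 ws-017 news.example.org 2210
2015-09-18T09:05:00 ws-017 updates.example-cdn.net 415
2015-09-18T09:10:01 ws-017 updates.example-cdn.net 410
2015-09-18T09:13:42 ws-017 mail.example.com 9800
2015-09-18T09:15:00 ws-017 updates.example-cdn.net 413
2015-09-18T09:20:00 ws-017 updates.example-cdn.net 411
2015-09-18T09:25:01 ws-017 updates.example-cdn.net 414
2015-09-18T09:02:12 ws-042 news.example.org 1800
2015-09-18T09:31:55 ws-042 news.example.org 2400
2015-09-18T10:15:03 ws-042 news.example.org 1900
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def beacon_scores(events, min_connections=5):
    """Return {(src, dst): score}. The score is the coefficient of
    variation (stddev / mean) of the gaps between successive connections
    for that pair: the lower it is, the more clockwork-like the traffic.
    Pairs seen fewer than min_connections times are skipped, since a
    handful of visits cannot establish a rhythm."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        scores[pair] = pstdev(gaps) / avg
    return scores


def suspected_beacons(events, max_cv=0.1, min_connections=5):
    """(src, dst) pairs whose interval regularity is below the threshold.
    max_cv=0.1 means the gaps vary by under 10% of their average; a real
    implant usually adds jitter, so tune this against your own baseline."""
    scores = beacon_scores(events, min_connections)
    return sorted(pair for pair, cv in scores.items() if cv <= max_cv)


if __name__ == "__main__":
    for pair in suspected_beacons(parse_log(SAMPLE_LOG)):
        print("possible C2 beacon:", pair)
```

Run on the constructed log it reports the ws-017 to updates.example-cdn.net pair only. In production the same scoring goes over a day of proxy or firewall logs grouped per source, and the hits feed a second look at the destination (registration age, certificate, who else in the estate talks to it), which is where point 1 of the list, behavioural anomaly examination, takes over.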

B is for biometrics
Biometrics refers to authentication tools and technologies such as facial recognition, fingerprinting and retina scanning. With traditional password-based security increasingly defeated by cyber criminals, biometrics are becoming popular because they can be a much harder target for attackers.

Biometrics are more difficult to hack but should not be seen as a replacement for password technology. Whether it's voice recognition or fingerprint technology, biometrics do solve some of the flaws inherent in modern password systems, but they also bring a different set of challenges. For example, fingerprints can be reproduced, some prints are read more reliably than others, and changes in the physical appearance of the user can throw off the results of facial recognition. And unlike a password, a fingerprint that has been copied cannot be changed.

Used together, passwords and biometrics provide a stronger form of protection. One serves as a backup for the other, raising the barrier further for unauthorised users attempting to gain access to a system. For example, security tools that combine multi-factor authentication with encryption, biometric fingerprint technology and a conventional password can ensure that devices are covered on all bases.
Nicholas Banks is a vice-president of IronKey by Imation
B is also for bot, backdoor, boundary protection and BYOD

Why infosec is the great enabler

Just as a car's brakes take the risk out of driving, so information security makes business possible, writes Peter Wenham

Information security (infosec, or just security) often gets a bad press and is often seen in a negative light. Why is this? Is it the influence of sensationalism in the media about the bad guys getting heaps of credit-card data? Or is the coverage causing fatigue because the messages are seen as overhyped, and in a sense "it's not happened here yet"? Is it that the costs associated with infosec are seen as coming off the bottom line with no apparent benefit? Perhaps an expensive infosec project failed or costs spiralled.

Whatever the reason, infosec needs to be better understood. It is, after all, a business enabler, but can we demonstrate that? A good analogy is to ask why cars are built with brakes. Ask an audience and the majority answer will be "because they stop the car". The real reason is that the brakes enable the car to be driven: they take the risk out of driving at speed, because they can slow or stop the car when needed.

We can extend the analogy by comparing a Formula 1 racing car's brakes to a family car's. Fit a family car's brakes to an F1 car and they will fail before the F1 car completes its first circuit. The quality of the brakes, or control, is proportionate to the risk. An F1 car needs far better brakes than a family car because of its higher speeds and acceleration and deceleration rates.

What is infosec actually doing in an organisation? It is protecting company data, be it intellectual property, finance and HR records or customer data. Each data type has a value: sales and marketing information, for example, is of value to rivals planning a hostile bid. According to the value of the data or information, we can identify the threats, threat sources and business exposures.

By identifying the threats, sources and exposures, a set of general controls governing access to any data set, and the processing it can be subjected to, can be determined.

So who owns infosec? In many organisations infosec is thrown lock, stock and barrel over the fence to the IT group, but they are the wrong people. While IT can devise, implement and manage technical controls in support of identified threats, it is the core business that understands what the organisation does and what the threats and exposures are.

The business owns the information that drives an organisation. Information, and the data it is derived from, can and must be owned by only one person, for due diligence, auditability and legal and regulatory reasons. Hence the HR director (or equivalent) will own HR data, the finance director owns finance data, and so on.

What does "owning" the data mean? It means saying who can access data and for what purpose. Just because a person is the MD, CEO or a director does not mean that he or she should have access to all the company data. Information should be restricted on a "need to know" basis.

Nevertheless, care is needed to ensure this principle is not applied too strictly.

Generally, directors in large organisations cannot make hands-on decisions for all the data under their control, so decision-making regarding access and use will be devolved down through their organisations; but in the end they set the policy and retain overall responsibility.

In summary: for any specific informational area such as HR, the business has identified the value of the information (public, company internal, sensitive and so on), who (or which groups) can access the information, and what they can do to it (create, delete, edit, copy, transmit and so on).

This is the information necessary to build a sane and sensible infosec strategy for a company, one that an IT department can take and turn into usable technical controls and an HR department can turn into user policies.
Peter Wenham is the director of Trusted Management, specialists in information assurance

To find out more visit trusted-management.com

IN PARTNERSHIP WITH TRUSTED MANAGEMENT

A-Z OF CYBER SECURITY

C is for cloud computing
As defined by Gartner, cloud computing is "a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using internet technologies". In other words, cloud computing enables companies to tap into extended resources situated anywhere in the world, creating efficiencies and scale, and allowing users to pay for services as they are used.

While the cloud brings a host of financial and business benefits, it also brings risks in the form of cyber theft, accidental data leaks and privacy fines. As sensitive information is of enormous value to criminals, cloud defence is imperative for businesses that hold such data.

A logical starting point is to identify all cloud applications in use, classify the types of data they hold and assess the risk level of each app. This then helps firms to map the appropriate security controls to protect data, such as encryption, tokenisation and data-loss prevention.

And finally, organisations should continuously monitor activity to detect and flag any anomalies in the use of data.
Willy Leichter is the global director for cloud security at CipherCloud
C is also for critical infrastructure, cipher and cryptography

D is for denial of service
A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users.

To perpetrate this attack, cyber criminals stealthily install software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim's website. These botnets can include tens of thousands of PCs, and an attack launched from one is referred to as a distributed denial of service (DDoS) attack. Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call.

DoS attacks are often used by groups with a grievance against a particular brand or political issue, and can be a smokescreen to confuse the target while other, more sophisticated attacks take place.

DoS attacks can be mitigated by countermeasures such as certain types of application traffic-management devices that can be configured to identify and discard traffic that appears to be coming from a botnet. There are also third-party services that act as a type of clearing house for web traffic and can counteract DoS attacks.
Stephen Sims is a course author and senior instructor at the SANS Institute
D is also for decryption and data breach

E is for encryption
Encryption is at once intellectually simple and morally complex.

At its most straightforward it is the act of encoding data, turning plain text into cipher text. Only those with a key or password can decode, or decrypt, the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an individual, business or government.

The strength of the encryption depends on how the technology is applied. Broadly this happens in two ways: symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses one key to encrypt and a different, mathematically related key to decrypt. From a security point of view encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?
Jon Bernstein
E is also for event and exploit

F is for Flashback malware attack
The conventional wisdom dictates that Apple-made devices are less prone to security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.

The Flashback malware attack is one example of when Apple's defences, and those of its OS X operating system, were breached. Using a form of malware known as a Trojan horse, it was first detected in 2011. As the term suggests, a Trojan horse attack is based more on deception than stealth, and Flashback was initially disguised as an Adobe Flash Player installer before moving on to exploit vulnerabilities in the Java runtime. The malware drops a small application on to the host computer, allowing an attacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated, so the victim is a passive participant, oblivious to the malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.
Jon Bernstein
F is also for fraud and firewall
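The switchboard analogy in the denial of service entry above, worked through as an added example that is not part of the original entry or from SANS: a server with a fixed number of connection slots, first with no limit, then with a per-source quota. The quota defeats a single flooding source but not a botnet whose members each stay under it, which is why the entry points to traffic-management devices and third-party clearing-house services rather than to a limit on the server alone. Source names and slot counts are constructed.

```python
"""Switchboard model: why per-source limits beat DoS but not DDoS (added example)."""
from collections import Counter


class Switchboard:
    """A server with a fixed number of lines (connection slots). An optional
    per-source quota caps how many lines any single caller may hold."""

    def __init__(self, lines, per_source_limit=None):
        self.lines = lines
        self.limit = per_source_limit
        self.in_use = Counter()   # lines currently held, per source
        self.total = 0            # lines currently held in total

    def answer(self, source):
        """Return True if the call gets a line. Lines are never released in
        this model: attack calls are held open on purpose, which is what
        makes the flood work."""
        if self.limit is not None and self.in_use[source] >= self.limit:
            return False          # per-source quota exhausted: drop it
        if self.total >= self.lines:
            return False          # every line busy: the legitimate caller loses
        self.in_use[source] += 1
        self.total += 1
        return True


def simulate(lines, attack_calls, per_source_limit=None):
    """attack_calls is a list of attacking source ids (a repeated id is one
    source calling again). After the flood, one legitimate caller tries once.
    Returns (attack_calls_accepted, legitimate_call_accepted)."""
    board = Switchboard(lines, per_source_limit)
    accepted = sum(board.answer(src) for src in attack_calls)
    legitimate = board.answer("customer-1")
    return accepted, legitimate


if __name__ == "__main__":
    # One bot, no limit: it takes all eight lines and the customer is refused.
    print("DoS, no limit:      ", simulate(8, ["bot-1"] * 20))
    # One bot, two lines per source: six lines stay free for real callers.
    print("DoS, limit 2:       ", simulate(8, ["bot-1"] * 20, per_source_limit=2))
    # Twenty bots, one call each, under the quota: the lines still fill up.
    bots = [f"bot-{i}" for i in range(20)]
    print("DDoS, limit 2:      ", simulate(8, bots, per_source_limit=2))
```

The third scenario is the one that matters: a quota the server enforces itself cannot tell twenty strangers from twenty bots, so distributed floods have to be absorbed or filtered upstream, where the traffic-management device or scrubbing service sees the whole pattern rather than one connection at a time.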

G is for gateway crimes
In the world of addiction prevention the notion of a gateway drug is well understood: a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.

Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was "important that they put those skills to good use and are not tempted unwittingly to cyber criminality".
Jon Bernstein
G is also for graduated security

H is for Heartbleed
Heartbleed is the open-source software flaw, disclosed in April 2014, that was estimated at the time to affect more than 60 per cent of the web servers on the internet. It exposed the private key used by individuals and businesses to encrypt web traffic. More precisely, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace. The cause was a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension: the server returned as many bytes as the client claimed to have sent, rather than as many as it had actually received.

Heartbleed served as a long overdue wake-up call for the IT industry. In some IT organisations the proportion of open-source code used is greater than 25 per cent, meaning there is a lot of open-source code being reused by programmers. While some claimed that open-source code was more secure than in-house code because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the vulnerability for more than two years before Heartbleed was found.

The moral of the Heartbleed story is that while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.
Lev Lesokhin is an executive vice-president at CAST Software
H is also for honey pot and hot wash
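The Heartbleed entry above describes the effect; the mechanism is a single missing length check. The following is an added example, not OpenSSL's code, that models the TLS heartbeat message from RFC 6520 (a type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) over a bytearray standing in for process memory. The vulnerable handler echoes as many bytes as the client claims to have sent; the fixed handler applies the bounds check that the OpenSSL patch added. The memory layout, and the secret placed next to the record, are constructed for the example.

```python
"""Heartbeat over-read, vulnerable and fixed (added example, not OpenSSL's code)."""
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16   # RFC 6520: at least 16 bytes of padding follow the payload


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request. claimed_length lets the sender lie about
    how long the payload is (Heartbleed: claim up to 0xFFFF, send a few bytes)."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def handle_vulnerable(memory, record_offset, record_len):
    """Pre-fix behaviour: trust the declared length and copy that many bytes
    starting at the payload, regardless of how long the record really was.
    record_len is received but never consulted; that is the bug."""
    hb_type, payload_len = struct.unpack_from("!BH", memory, record_offset)
    if hb_type != HB_REQUEST:
        return None
    payload_start = record_offset + 3
    echoed = bytes(memory[payload_start:payload_start + payload_len])   # over-read
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def handle_fixed(memory, record_offset, record_len):
    """Post-fix behaviour: drop the message silently when header, declared
    payload and minimum padding do not fit inside the record received."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None
    hb_type, payload_len = struct.unpack_from("!BH", memory, record_offset)
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None                                   # the check the patch added
    payload_start = record_offset + 3
    echoed = bytes(memory[payload_start:payload_start + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def leaked_bytes(response):
    """Payload of a heartbeat response: strip the 3-byte header and padding."""
    if response is None:
        return b""
    _, n = struct.unpack_from("!BH", response, 0)
    return response[3:3 + n]


def demo(claimed_length):
    """Constructed process memory: the heartbeat record followed by whatever
    happened to be allocated next to it (here a fake cookie and key fragment).
    Returns (bytes echoed by the vulnerable handler, bytes echoed by the fixed one)."""
    secret = b"session=d41d8cd98f00b204; key=CONSTRUCTED-SECRET"   # constructed
    record = build_heartbeat(b"hello", claimed_length)
    memory = bytearray(record + secret)
    vulnerable = leaked_bytes(handle_vulnerable(memory, 0, len(record)))
    fixed = leaked_bytes(handle_fixed(memory, 0, len(record)))
    return vulnerable, fixed


if __name__ == "__main__":
    print("honest client:", demo(5))
    print("lying client: ", demo(100))
```

With an honest length both handlers echo "hello". With a claimed length of 100 the vulnerable handler returns "hello", the padding and then the secret that sat beyond the record, while the fixed handler returns nothing at all. The lesson for the component-checking the entry calls for is that this class of bug is a length that comes from the network being trusted over a length the code already knows.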

I is for identity management
For practical purposes an identity is a combination of username and password (you might call it a login or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.

Between home and work we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be (known as authentication) and, in a corporate environment, it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change (referred to as authorisation).

Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, in the cloud or on mobile devices.
Bill Mann is the chief product officer at Centrify
I is also for incident, information assurance, intrusion and intellectual property
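The entry above and the Trusted Management article earlier describe two halves of one mechanism: a data owner decides who may do what to an information set, and identity management enforces that and keeps it current as roles change. The following is an added example, not from either author or from Centrify, of an owner-defined, role-based authorisation check in which reassigning a user's roles revokes everything the old roles carried. The data set, roles and users are constructed.

```python
"""Owner-defined, role-based authorisation with role changes (added example)."""

# The actions the Trusted Management article lists as what an owner decides.
ACTIONS = ("create", "read", "edit", "delete", "copy", "transmit")


class DataSet:
    """An information set with one accountable owner, a classification and
    the per-role permissions that owner has signed off."""

    def __init__(self, name, owner, classification):
        self.name = name
        self.owner = owner
        self.classification = classification
        self.permissions = {}     # role -> set of allowed actions

    def grant(self, role, *actions):
        unknown = set(actions) - set(ACTIONS)
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        self.permissions.setdefault(role, set()).update(actions)


class Directory:
    """Minimal identity store: which roles each user holds right now."""

    def __init__(self):
        self.roles = {}           # user -> set of roles

    def assign(self, user, *roles):
        self.roles.setdefault(user, set()).update(roles)

    def change_role(self, user, new_roles):
        """Mover/leaver: replacing the role set revokes everything the old
        roles carried. Nothing has to be remembered per data set, which is
        what stops access accumulating as people move around."""
        self.roles[user] = set(new_roles)


def is_allowed(directory, dataset, user, action):
    """Need-to-know check: allowed only if one of the user's current roles was
    granted that action by the data owner. Seniority alone grants nothing."""
    held = directory.roles.get(user, set())
    return any(action in dataset.permissions.get(role, ()) for role in held)


def audit(directory, dataset, user):
    """What the user can currently do to the data set, for the owner's review."""
    return sorted(a for a in ACTIONS if is_allowed(directory, dataset, user, a))


def build_example():
    """Constructed scenario: the HR director owns HR records; the CEO holds
    a board role that the owner never granted anything to."""
    hr = DataSet("hr-records", owner="hr-director", classification="sensitive")
    hr.grant("hr-advisor", "read", "edit", "create")
    hr.grant("payroll", "read", "copy", "transmit")
    directory = Directory()
    directory.assign("alice", "hr-advisor")
    directory.assign("bob", "payroll")
    directory.assign("ceo", "board")
    return directory, hr


if __name__ == "__main__":
    directory, hr = build_example()
    for user in ("alice", "bob", "ceo"):
        print(user, audit(directory, hr, user))
    directory.change_role("alice", ["sales"])      # alice moves to sales
    print("alice after move", audit(directory, hr, "alice"))
```

The check answers the article's question of what "owning" the data means in executable terms: the owner's grants live with the data set, the directory holds only who is what today, and a role change is enough to close access without the owner having to remember every system it was opened on.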

Threat and the innovation dilemma

New aircraft technology designed to enhance safety gives hackers a fresh target, warns Jack Elliott-Frey

Even though there are an estimated 100,000 or so flights every day globally, for many people air travel still retains a large fear factor, for the simple reason that aircraft disasters, although statistically incredibly rare, still dominate news headlines when they occur. Regardless of the fact that you are more likely to die falling out of bed (a one in two million chance) than in a plane crash (a one in 11 million chance), many people still fear flying.

Unfortunately this article will hardly help to assuage those fears. As many businesses will know, the increasing threat of cyber attack has been gaining a great deal of media attention in recent years, and the aviation industry now finds itself a target for cyber attacks of various kinds. So is it now possible for hackers to seize control of an aircraft?

Not yet, but the industry is coming under sustained attack from a variety of sources. A security researcher, Chris Roberts, reportedly hacked into an aircraft flight system to demonstrate its vulnerability, only to tweet about it and subsequently find himself under arrest by the FBI when he landed.

More recently LOT, Poland's national airline, had its aircraft grounded following a hack that targeted the computers issuing flight plans at Warsaw airport.

What these examples highlight is the vulnerability of the aviation industry to the growing threat of cyber attack, a direct consequence of the proliferation of technology within the industry. New Boeing models are flown with the help of advanced computer systems, with pilots ceding aspects of control to technology. While this has allowed great strides in aircraft safety, particularly during landing and take-off, it has also given hackers and other cyber criminals a new target.

There are a multitude of attack methods that pose a threat to airlines. On the ground, phishing attacks are a popular method used by criminals, whereby fake emails are sent to staff in an attempt to retrieve sensitive company information such as passwords. According to the Center for Internet Security (CIS), 75 US airports were targeted with attacks of this sort in 2014, highlighting the frequency at which cyber criminals are operating.

Remote hacking and wifi attacks are another form of attack, with flight control systems and wifi networks offering hackers a new means to compromise an aircraft's command centre. Couple this with "ghost" flights, where a hacker inserts or removes a plane's projection on to radar screens, and there is plenty for the aviation industry to consider alongside existing stringent safety measures.

The aviation industry is just one facing up to this new threat as it becomes more reliant on technology. Shipping and ports, rail networks, retail and finance are just some of the other areas of business that face serious cyber threats as their core business moves online and relies on increasingly connected networks to operate.

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher, and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses "it is not a matter of if you are hacked but when". For the aviation industry and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.
Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London specialising in cyber insurance

To find out more visit safeonline.com

IN PARTNERSHIP WITH SAFEONLINE

A-Z OF CYBER SECURITY

J is for jamming
Jamming is a technique used by attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1 Flooding the spectrum using a signal generator
2 Attacking the transmission collision-avoidance protocols to prevent other stations from transmitting
3 Exploiting a vulnerability in the protocols that process transmissions

While blocking or disrupting the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming, because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is affected by jamming.
Steve Armstrong is a certified instructor at the SANS Institute
J is also for joint authorisation

K is for Kim Jong-un
Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014 Sony Pictures Entertainment fell victim to a massive leak of sensitive information – more than 100 terabytes of data, claimed the assailants – ranging from internal emails and employee salaries to details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn’t cancel and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both “absurd” and “exactly the kind of behaviour we have come to expect” from North Korea. For its part, the country continues to deny any involvement.

Jon Bernstein

K is also for key and key escrow

L is for licensing
It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be underestimated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company’s software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits, and invariably leaves them paying significantly more than they should for the technology they use in their business.

Gareth Johnson is the CEO of Crayon

L is also for the law and logic bombs

M is for Melissa
The Melissa virus struck in May 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that at the time was highly innovative. Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim’s address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn’t have signatures for Melissa’s files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim’s address book, the person would recognise the sender’s name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share. Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.

Lenny Zeltser is a senior instructor at the SANS Institute

M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience
We all rely on network connectivity in our day-to-day lives – from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services


Big data: the future of UK cyber security

Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data – from smartphones to intelligent fridges, industrial sensors to CCTV cameras – are developing and adapting.

For a business, this vast universe of data could consist of 10,000 devices connected to the network, transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached, but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats, and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest priority threats that lie hidden amidst the large volume of data and feeding these threats directly to the security teams for immediate human investigation.

By identifying the “unknown unknowns” on a network (the identification of previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.

Paul Stokes is the chief operating officer for Wynyard

To find out more visit wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP


How safe are your crown jewels?

No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers’ information. It’s hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that the high-profile hack was the US federal government’s HR department, and a while back the name on all information security lips was Sony. And Target, and eBay, and Home Depot, and JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels
Companies today have an overflowing amount of information and multiple routes in to reach it. For many the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company’s crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government’s cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong too.

Six activities to help protect your crown jewels
1 Make detection part of your strategy
Many organisations have already been breached; they just don’t know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can’t afford to take the risk, it’s a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)
Many organisations don’t know where their most sensitive data is held or who has access to it. This increases the risk and doesn’t allow for proper risk assessment or threat mitigation. Nuix’s Information Governance tool can solve this situation.

3 Look after your data when it’s inside and outside your organisation
Today, in our interconnected world, our data often has to be shared with people outside our systems. Don’t make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto’s Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Picture caption: Many and multiple devices can be the weak point in your security

IN PARTNERSHIP WITH AVATU

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers

Are you really protecting your crown jewels?
Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their “crown jewels”.

Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders). But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc. Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote “New Statesman” when you book and the event will be free.


A-Z OF CYBER SECURITY

are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.

Garry Sidaway is a senior vice-president at NTT Com Security

N is also for non-repudiation
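As an added example (not code from the entry or from NTT Com Security), here is the detection step in Go: a “normal” request rate is learned from a quiet period of a constructed access log, and every second of a live log that exceeds a multiple of that baseline is reported together with how many distinct sources contributed, which is what separates a distributed attack from one noisy client. It also illustrates the “identify what is normal, then surface the anomalies” approach of the big data piece above; the log format, addresses and thresholds are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Request is one parsed access-log record: arrival time and source address.
type Request struct {
	At     time.Time
	Source string
}

// Alert is a one-second window over baseline; many Sources marks a distributed attack.
type Alert struct {
	Window  time.Time
	Total   int
	Sources int
}

// ParseLog reads lines of the constructed form "<RFC3339 time> <source-ip> <path>",
// skipping malformed lines as a log pipeline would rather than aborting on them.
func ParseLog(raw string) []Request {
	var out []Request
	for _, line := range strings.Split(raw, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 3 {
			continue
		}
		at, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			continue
		}
		out = append(out, Request{At: at, Source: fields[1]})
	}
	return out
}

// BaselineRate learns "normal" from a quiet period given in arrival order: mean
// requests per second over the whole span, so idle seconds do not inflate it.
func BaselineRate(quiet []Request) float64 {
	if len(quiet) == 0 {
		return 0
	}
	first := quiet[0].At.Truncate(time.Second)
	last := quiet[len(quiet)-1].At.Truncate(time.Second)
	return float64(len(quiet)) / (last.Sub(first) + time.Second).Seconds()
}

// DetectSurges flags every second whose request count exceeds factor x baseline,
// with an absolute floor so a near-idle baseline does not alert on ordinary noise.
func DetectSurges(live []Request, baseline, factor float64, floor int) []Alert {
	threshold := int(baseline * factor)
	if threshold < floor {
		threshold = floor
	}
	perSecond := map[time.Time]map[string]int{} // window -> source -> request count
	for _, r := range live {
		w := r.At.Truncate(time.Second)
		if perSecond[w] == nil {
			perSecond[w] = map[string]int{}
		}
		perSecond[w][r.Source]++
	}
	var alerts []Alert
	for w, sources := range perSecond {
		total := 0
		for _, n := range sources {
			total += n
		}
		if total > threshold {
			alerts = append(alerts, Alert{Window: w, Total: total, Sources: len(sources)})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Window.Before(alerts[j].Window) })
	return alerts
}

// ConstructedLogs builds a quiet learning period (one request per second from three
// clients) and a live period that is calm for two seconds, then takes 40 requests in
// one second from eight addresses. Every time and address here is made up.
func ConstructedLogs() (quiet, live string) {
	var q, l strings.Builder
	start := time.Date(2015, 9, 18, 9, 0, 0, 0, time.UTC)
	clients := []string{"198.51.100.7", "198.51.100.8", "203.0.113.21"}
	for i := 0; i < 10; i++ {
		fmt.Fprintf(&q, "%s %s /index.html\n", start.Add(time.Duration(i)*time.Second).Format(time.RFC3339), clients[i%3])
	}
	l.WriteString("2015-09-18T09:01:00Z 198.51.100.7 /index.html\n2015-09-18T09:01:01Z 203.0.113.21 /about\n")
	for i := 0; i < 40; i++ {
		fmt.Fprintf(&l, "%s 192.0.2.%d /login\n", start.Add(time.Minute+2*time.Second).Format(time.RFC3339), 10+i%8)
	}
	l.WriteString("truncated line the parser must skip\n")
	return q.String(), l.String()
}

func main() {
	quiet, live := ConstructedLogs()
	baseline := BaselineRate(ParseLog(quiet))
	fmt.Printf("baseline %.1f req/s; alerts: %+v\n", baseline, DetectSurges(ParseLog(live), baseline, 5, 10))
}
```

A production detector would also run the same comparison per source and per path, and would feed the flagged window to the scrubbing step rather than only printing it.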

O is for outside threat
As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company’s defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.

Garry Sidaway is a senior vice-president at NTT Com Security

O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is “the only reason we know our mother’s maiden name”. The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can’t remember.

However, there’s no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.

Jon Bernstein

P is also for passive attack, personally identifiable information and phishing

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus. Anti-virus software and tools will

Picture caption: Edward Snowden, the ultimate breach-of-privacy dilemma


Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner’s Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: “What training did you give your team?” An inadequate response to this question will influence the ultimate decision and potential enforcement and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide but simply provide staff with an A4 sheet of paper stating “Staff must process personal data in accordance with the Data Protection Act”. Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme:

1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry level staff with little access to data using an e-learning package, or get them to watch one of the ICO’s free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4 Ensure the training you provide is up-to-date and relevant to the task in hand. Provide real life examples, such as “at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected”.
5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly, it is not a case of “if” you are a victim of a cyber attack but “when”, and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.

Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you’re serious about cyber security?

What better way to demonstrate that you’re meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase “We’re very serious about cyber security” seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it.

Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses, and then will simply do nothing about it. Why? Sometimes it’s the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it’s because the organisation just doesn’t get it – “we’ve always worked this way and we’ve been fine so far” is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation’s supply chain is vital to its existence, and it doesn’t take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim “we’re very serious about cyber security”. Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ’s cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you’re meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you’re doing? That’s worth shouting about – marketers take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn’t know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear “we’re very serious about cyber security”, look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren’t? They’re probably speaking after a cyber attack.

Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.

Jon Bernstein

Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your “attack surface”.

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps such as automated vulnerability scans to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1 Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2 Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3 Is there a response plan for an attack, and does it actually work in practice?

Panos Dimitriou is chief technology officer and co-founder of the Encode Group

R is also for resilience and rogue devices

S is for Snowden, Edward
How’s this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany’s Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.

Jon Bernstein

S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run up to Christmas 2013. Malware placed in the retailer’s security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one and three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target’s subsequent multimillion-dollar investment in cyber security.

Jon Bernstein

T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps:
1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2 Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can’t remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it’s the most secure step you can take to secure an account.
3 Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it’s lost or stolen, no one can access your photos, data or apps.
4 Keep your computers and mobile devices updated and current.

Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access


A983085Z OF CYBER SECURITY

V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus
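The issue-then-verify flow described above, as an added example that is not part of the original article or of any vendor's software: a self-signed certification authority issues a certificate, a relying party checks it against the CA's public key, and a certificate from a look-alike CA that has the same name but a different private key is rejected. The CA name, the hostname and every key are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// check aborts on an unexpected error so the example stays short.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey generates a fresh P-256 key pair. Every key here is constructed for
// the example; nothing is loaded from disk or from the system trust store.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return key
}

// makeCA builds a self-signed certification authority certificate; the
// matching private key is what signs every certificate the CA issues.
func makeCA(name string, key *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// issueCert has the CA sign an end-entity certificate for host: it binds the
// subject's public key to that name under the CA's private-key signature.
func issueCert(host string, ca *x509.Certificate, caKey, subjectKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &subjectKey.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// verifyWithRoot is the relying party's step from the passage: the trusted
// CA's public key (carried in its certificate) is used to check the presented
// certificate's signature, its validity period and that it names host.
func verifyWithRoot(cert, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo reports whether a certificate issued by the trusted CA verifies, and
// whether one issued by a look-alike CA (same name, different private key)
// verifies against that same trusted root.
func Demo() (genuineOK, lookalikeOK bool) {
	const host = "www.example.test" // constructed hostname
	caKey := newKey()
	ca := makeCA("Example Root CA", caKey)
	serverKey := newKey()
	genuine := issueCert(host, ca, caKey, serverKey)
	genuineOK = verifyWithRoot(genuine, ca, host) == nil // true

	// Only the issuer name matches the trusted root; the signature was made
	// with a different private key, so verification against the root fails.
	otherKey := newKey()
	otherCA := makeCA("Example Root CA", otherKey)
	lookalike := issueCert(host, otherCA, otherKey, serverKey)
	lookalikeOK = verifyWithRoot(lookalike, ca, host) == nil // false
	return genuineOK, lookalikeOK
}
```

The same check is what a browser or TLS client performs against its root store; a leaked CA private key, as the passage warns, would let an attacker produce certificates that pass it.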

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malware, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie


Cyber security: a must do for SMEs
For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. "Much of the software doesn't work anyway, and they know it," he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners, too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.
Bronzeye IBRM offers an affordable, subscription-based information and cyber security service to SMEs and others.
To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS
Where does the biggest threat lie? And what steps should organisations large and small take to mitigate risk? We ask our cyber specialists
"Total security is a futile concept"

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger, but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail
Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage breach crisis
• regulatory fines, proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult, for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance: Do you have policies in place for users to follow?
• Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: Do you protect and monitor your IT infrastructure?
• Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry.
Max Perkins can be contacted at maxperkinsuklocktoncom
Lockton is a global insurance broker
Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option
Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, should have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And, of course, passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.
Colin Tankard is the managing director of Digital Pathways
To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


2. "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real, but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough, and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or, indeed, weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1. Fix the basics, such as passwords and update security patching, and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies, to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap
It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July, when they released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and, in turn, result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that, when online, everybody is a target and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always

IN PARTNERSHIP WITH PGI CYBER ACADEMY

983090983094 | NEW STATESMAN | 18-24 SEPTEMBER 2015

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 283418-24 SEPTEMBER 2015 | NEW STATESMAN | 983090983095

evolving businesses and governments areforced to react and defend rather than takethe offensive

With the launching of various programmes by the British government, it is hoped that smaller, and perhaps more vulnerable, businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is optional for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees, or sitting at your desks. (Yes, yours: the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tin-foil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
- boundary firewalls and internet gateways
- secure configuration
- access control
- malware protection
- patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition, embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns, and the odd bit of car hacking just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make the risk more severe and the threat closer.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives, and of the security of the physical and information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure that the threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not used exclusively in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make accessible the information they need to be available.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago
74% of small businesses experience security breaches, up from 60% a year ago
£1.46m-£3.14m: average cost of the worst security breaches to large organisations
£75k-£311k: average cost of the worst security breaches to small businesses
50% of the worst breaches were caused by inadvertent human error

Security breach by type

Type of breach              Large organisations   Small organisations
Staff-related                       75%                   31%
Unauthorised outsider               69%                   38%
Denial of service attack            30%                   16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCeL London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises of aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world, with an estimated 50 billion devices connected together by 2020, heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology, and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements, and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function, straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation of how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


E is for encryption: the process is at once intellectually simple and morally complex


Why infosec is the great enabler

Just as a car's brakes take the risk out of driving, so information security makes business possible, writes Peter Wenham

Information security (infosec, or just security) often gets a bad press and is often seen in a negative light. Why is this? Is it the influence of sensationalism in the media about the bad guys getting heaps of credit-card data? Or is the coverage causing fatigue because the messages are seen as being overhyped and, in a sense, "it's not happened here yet"? Is it that the costs associated with infosec are seen as coming off the bottom line with no apparent benefit? Perhaps an expensive infosec project failed or costs spiralled.

Whatever the reason, infosec needs to be better understood. It is, after all, a business enabler, but can we demonstrate that? A good analogy is to ask why cars are built with brakes. Ask an audience and the majority answer will be: because they stop the car. The real reason is that the brakes enable the car to be driven. In other words, they take the risk out of actually driving the car at speed, because brakes can be used to slow or stop the car.

We can extend the analogy by comparing a Formula 1 racing car's brakes to a family car's brakes. Fit a family car's brakes to an F1 car and they will fail before the F1 car completes its first circuit. The quality of the brakes, or control, is proportionate to the risk. An F1 car needs far better brakes than those fitted to a family car, due to its higher speeds and acceleration and deceleration rates.

What is infosec actually doing in an organisation? It is protecting company data, be it intellectual property, finance and HR records or customer data. And each data type has a value. For example, sales and marketing information is of value to rivals planning to make a hostile bid. According to the data/information value, we can identify the threats, threat sources and business exposures.

By identifying the threats, sources and exposures, a set of general controls governing access to any data set, and the processing it can be subject to, can be determined.

So who owns infosec? In many organisations infosec is thrown lock, stock and barrel over the fence to the IT group, but they are the wrong people. While IT can devise, implement and manage technical controls in support of identified threats, it is the core business that understands what the organisation does and the threats and exposures.

The business owns the information that drives an organisation. Information, and the data it is derived from, can and must be owned by only one person, for due diligence, auditability and legal/regulatory reasons. Hence the HR director (or equivalent) will own HR data, the finance director owns finance data, and so on.

What does "owning" the data mean? It means saying who can access data and for what purpose. Just because a person is the MD, CEO or a director does not mean that he or she should have access to all the company data. Information should be restricted on a "need to know" basis.

Nevertheless, care is needed in this area to ensure this principle is not overly strict.

Generally, directors in large organisations cannot have hands-on decision-making for all the data under their control, so any decision-making regarding access and use will be devolved down in their organisations; but in the end they set the policy and retain overall responsibility.

In summary, you will have come to realise that, for any specific informational area such as HR, the business has identified the value of the information (public, company internal, sensitive and so on), who (or which groups) can access the information, and what they can do to it (create, delete, edit, copy, transmit and so on).

This is the information necessary to build a sane and sensible infosec strategy for a company, which an IT department can take and turn into usable technical controls, and an HR department can turn into user policies.

Peter Wenham is the director of Trusted Management, specialists in information assurance

To find out more, visit trusted-management.com

IN PARTNERSHIP WITH TRUSTED MANAGEMENT


individual, business or government.

How strong that protection is depends on how the technology is applied, and broadly it is applied in two ways: symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses a different key at the beginning and end of the process (a public key to encrypt and a private key to decrypt). From a security point of view, encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?
Jon Bernstein
E is also for event and exploit
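The two models described above, one shared secret key against a public/private key pair, shown side by side as an added example (this is not code from the supplement). Because the Python standard library ships no AES or RSA, the symmetric cipher here is a keystream built from HMAC-SHA256 in counter mode, standing in for a real cipher, and the asymmetric one is textbook RSA with an assumed tiny key (p=61, q=53), unpadded and applied byte by byte. The password, salt and nonce values are assumptions; none of this is fit to protect real data, but it does show the property that matters: the symmetric decrypt is the encrypt with the same key, while the RSA public key cannot undo its own encryption.

```python
"""Symmetric versus asymmetric encryption using only the Python standard library.

Added example, not code from the original page. The standard library ships no
AES or RSA, so the symmetric cipher is a keystream built from HMAC-SHA256 in
counter mode (a stand-in, not a standard cipher) and the asymmetric one is
textbook RSA with an assumed tiny fixed key. Neither is fit for real data.
"""
import hashlib
import hmac


# --- symmetric: one secret key, known to both sender and receiver ---------------

def derive_key(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stretch a password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: concatenate HMAC(key, nonce || counter) blocks until long enough."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR plaintext with the keystream. Never reuse a nonce under the same key,
    and note this gives confidentiality only: nothing here detects tampering."""
    stream = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ s for p, s in zip(plaintext, stream))


def symmetric_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Same key, same keystream, same XOR: that is what makes it symmetric."""
    return symmetric_encrypt(key, nonce, ciphertext)


# --- asymmetric: the public key encrypts, only the private key decrypts -----------

def rsa_toy_keypair():
    """Textbook RSA from the assumed primes p=61, q=53 (n=3233, far too small).
    Returns (public_key, private_key), each an (exponent, modulus) pair."""
    p, q = 61, 53
    n = p * q
    phi = (p - 1) * (q - 1)
    e = 17
    d = pow(e, -1, phi)          # modular inverse of e: 2753
    return (e, n), (d, n)


def rsa_toy_apply(key, values):
    """Raise every integer to the key's exponent modulo n. No padding: toy only."""
    exponent, n = key
    return [pow(v, exponent, n) for v in values]


def rsa_toy_encrypt(public_key, plaintext: bytes):
    """Encrypt one byte at a time (each byte is below n) with the public key."""
    return rsa_toy_apply(public_key, plaintext)


def rsa_toy_decrypt(private_key, ciphertext) -> bytes:
    """Undo the encryption with the private key. Applying the public key instead
    yields numbers that are not the plaintext bytes (often not even below 256)."""
    values = rsa_toy_apply(private_key, ciphertext)
    if any(v > 255 for v in values):
        raise ValueError("wrong key: result is not a byte string")
    return bytes(values)


if __name__ == "__main__":
    key = derive_key(b"correct horse battery staple", b"assumed-salt")   # assumed inputs
    box = symmetric_encrypt(key, b"nonce-0001", b"attack at dawn")
    print(symmetric_decrypt(key, b"nonce-0001", box))
    pub, priv = rsa_toy_keypair()
    print(rsa_toy_decrypt(priv, rsa_toy_encrypt(pub, b"attack at dawn")))
```

In practice the two are combined: an asymmetric key pair is used to agree or wrap a fresh symmetric key, and the bulk of the data is encrypted symmetrically, which is what TLS does. The ethical question in the entry is about who holds that private key.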

F is for Flashback malware attack
The conventional wisdom dictates that Apple-made devices are less prone to

with a grievance against a particular brand or political issue, and can be a smokescreen to confuse the target while other, more sophisticated attacks take place.

DoS attacks can be mitigated by countermeasures such as certain types of application traffic-management devices that can be configured to identify and discard traffic that appears to be coming from a botnet. There are also third-party services that act as a type of clearing house for web traffic and can counteract DoS attacks.
Stephen Sims is a course author and senior instructor at the SANS Institute
D is also for decryption and data breach
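The switchboard analogy and the "identify and discard" mitigation, as an added worked example (not code from the supplement or from the SANS Institute): constructed web-server log lines are replayed through a sliding-window counter that blocks any one source exceeding a per-source limit, and separately counts total arrivals against the service's capacity. The log format, the RFC 5737 documentation addresses and the thresholds are assumptions. It goes one step beyond the entry by contrasting a single-source flood, which the per-source rule catches, with a distributed flood of ten sources that each stay under the limit: none of them is blocked, the capacity for the window is used up, and it is the legitimate client's later request that gets turned away. That is the case the third-party traffic clearing houses mentioned above exist for.

```python
"""Flood detection over constructed access-log lines: per-source and aggregate.

Added example, not code from the original page. The log format, the
addresses (RFC 5737 documentation ranges) and the thresholds are assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 10     # sliding window length (assumed)
PER_SOURCE_LIMIT = 5    # requests one source may make per window before it is discarded
AGGREGATE_LIMIT = 20    # requests per window the service can serve: the "eight phone lines"


def build_sample_log():
    """Constructed log: one legitimate client, one single-source flood and a
    distributed flood of ten sources that each stay under the per-source limit."""
    t0 = datetime(2015, 9, 18, 10, 0, 0)
    events = []
    for s in (0.0, 4.0, 8.0):                          # legitimate browsing
        events.append((t0 + timedelta(seconds=s), "198.51.100.7", "/index.html"))
    for i in range(12):                                # one noisy source: 12 hits in about a second
        events.append((t0 + timedelta(seconds=1.0 + 0.1 * i), "203.0.113.9", "/login"))
    for k in range(1, 11):                             # botnet: ten sources, three hits each
        for j in range(3):
            events.append((t0 + timedelta(seconds=3.0 + j + 0.01 * k), f"192.0.2.{k}", "/search"))
    events.sort(key=lambda e: e[0])
    return "\n".join(f"{ts.isoformat()} {ip} {path}" for ts, ip, path in events)


def parse_line(line):
    """'<ISO timestamp> <source IP> <path>' -> (datetime, ip, path)."""
    ts, ip, path = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, path


class FloodDetector:
    """Sliding-window request counters: one per source, one for the whole service."""

    def __init__(self, window_seconds, per_source_limit, aggregate_limit):
        self.window = timedelta(seconds=window_seconds)
        self.per_source_limit = per_source_limit
        self.aggregate_limit = aggregate_limit
        self.per_source = defaultdict(deque)   # ip -> timestamps inside the window
        self.arrived = deque()                 # timestamps of requests not discarded at source
        self.blocked = set()

    def _expire(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def observe(self, ts, ip):
        """Classify one request: 'allow'; 'drop-source' when its source is over the
        per-source limit (and stays blocked); 'overload' when no single source is
        over its limit but the service's capacity for the window is already used up."""
        if ip in self.blocked:
            return "drop-source"
        q = self.per_source[ip]
        self._expire(q, ts)
        q.append(ts)
        if len(q) > self.per_source_limit:
            self.blocked.add(ip)               # discard this source from now on
            return "drop-source"
        self._expire(self.arrived, ts)
        self.arrived.append(ts)
        if len(self.arrived) > self.aggregate_limit:
            return "overload"
        return "allow"


def run(log_text, window_seconds=WINDOW_SECONDS, per_source_limit=PER_SOURCE_LIMIT,
        aggregate_limit=AGGREGATE_LIMIT):
    """Replay a log through the detector; return (verdict counts, sorted blocked sources)."""
    det = FloodDetector(window_seconds, per_source_limit, aggregate_limit)
    verdicts = Counter()
    for line in log_text.strip().splitlines():
        ts, ip, _path = parse_line(line)
        verdicts[det.observe(ts, ip)] += 1
    return dict(verdicts), sorted(det.blocked)


if __name__ == "__main__":
    counts, blocked = run(build_sample_log())
    print("verdicts:", counts)
    print("blocked sources:", blocked)   # only the single noisy source; the botnet slips through
```

An 'overload' verdict is a signal that the per-source rule has run out of road and traffic needs to be diverted to upstream scrubbing capacity; a real appliance would also weigh signals this script does not see, such as TCP handshake behaviour, request mix and the geographic spread of sources, before deciding what is a bot.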

E is for encryption
Encryption is at once intellectually simple and morally complex.

At its most straightforward, it is the act of encoding data, turning plain text into cipher text. Only those with a key or password can decode, or decrypt, the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an

computing enables companies to tap into extended resources situated anywhere in the world, creating efficiencies and scale, and allowing users to pay for services as they are used.

While the cloud brings a host of financial and business benefits, it also brings risks in the form of cyber theft, accidental data leaks and privacy fines. As sensitive information is of enormous value to criminals, cloud defence is imperative for businesses that hold such data.

A logical starting point is to identify all cloud applications in use, classify the types of data they hold and assess the risk level of each app. This then helps firms to map the appropriate security controls to protect data, such as through encryption, tokenisation and data-loss prevention.

And finally, organisations should continuously monitor activities to detect and flag up any anomalies in the use of data.
Willy Leichter is the global director for cloud security at CipherCloud
C is also for critical infrastructure, cipher and cryptography

D is for denial of service
A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users.

To perpetrate this attack, cyber criminals will stealthily install software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim's website. These networks of hijacked machines, or botnets, can include tens of thousands of PCs, and an attack launched from one is referred to as a distributed denial of service (DDoS) attack. Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call.

DoS attacks are often used by groups


A movie about the North Korean leader Kim Jong-un triggered cyber attacks on the film company


A-Z OF CYBER SECURITY


security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.

The Flashback malware attack is one example of when Apple's defences, and those of its OS X operating system, were breached. Using a form of malware known as a Trojan horse, it was first detected in 2011. As the term suggests, a Trojan horse attack is based more on deception than stealth, and Flashback was initially disguised as an Adobe Flash Player installer before moving on to exploit vulnerabilities in the Java runtime. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated, so the victim is a passive participant, oblivious to the malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.
Jon Bernstein
F is also for fraud and firewall

G is for gateway crimes
In the world of addiction prevention, the notion of a gateway drug is well understood: a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.

Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was "important that they put those skills to good use and are not tempted unwittingly to cyber criminality".
Jon Bernstein
G is also for graduated security

H is for Heartbleed
Heartbleed is the open-source software flaw, disclosed in April 2014, that by some estimates affected more than 60 per cent of the internet's web servers. It was a missing bounds check in OpenSSL's handling of the TLS heartbeat extension, and it allowed access to the private key used by individuals and businesses to encrypt web traffic. In particular, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace.

Heartbleed served as a long-overdue wake-up call for the IT industry. In some IT organisations the proportion of open-source code used is greater than 25 per cent, meaning there's a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the flaw for the two years it sat in released code.

The moral of the Heartbleed story is that, while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.
Lev Lesokhin is an executive vice-president at CAST Software
H is also for honey pot and hot wash

I is for identity management

For practical purposes, an identity is a combination of username and password (you might call it a login or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.

Between home and work we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords, we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be – known as authentication – and in a corporate environment it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change – referred to as authorisation.

Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, cloud or mobile devices. Bill Mann is the chief product officer at Centrify

I is also for incident, information assurance, intrusion and intellectual property

J is for jamming

Jamming is a technique used by attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:

1 By flooding spectrum using a signal generator
2 By attacking the transmission collision avoidance protocols to prevent other stations from transmitting
3 By exploiting a vulnerability in the protocols that process transmissions

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming. Steve Armstrong is a certified instructor at the SANS Institute

J is also for joint authorisation

Threat – and the innovation dilemma

New aircraft technology designed to enhance safety gives hackers a fresh target, warns Jack Elliott-Frey

Even though there are an estimated 100,000 or so flights every day globally, for many people air travel still retains a large fear factor, for the simple reason that aircraft disasters, although statistically incredibly rare, still dominate news headlines when they occur. Regardless that you are more likely to die falling out of bed (a one in two million chance) than in a plane crash (a one in 11 million chance), many people still fear flying.

Unfortunately, this article will hardly help to assuage those fears. As many businesses will know, the increasing threat of a cyber attack is something that has been gaining a great deal of media attention in recent years, and the aviation industry now finds itself a target for cyber attacks of various kinds. So is it now possible for hackers to seize control of an aircraft?

Not yet, but the industry is coming under sustained attack from a variety of sources. A security researcher, Chris Roberts, reportedly hacked into an aircraft flight system to demonstrate its vulnerability, only to tweet about it and subsequently find himself under arrest by the FBI when he landed.

More recently, LOT, Poland's national airline, had its aircraft grounded following a hack that targeted computers issuing flight plans at Warsaw airport.

What these examples highlight is the vulnerability of the aviation industry to the growing threat of a cyber attack, a direct consequence of the proliferation of technology within the industry. New Boeing models are flown with the help of advanced computer systems, with pilots ceding aspects of control to technology. While this has allowed for great strides in aircraft safety, particularly during landing and take-off, it has also given hackers and other cyber criminals a new target.

There are a multitude of attack methods that pose a threat to airlines. On a ground level, phishing attacks are a popular method used by criminals, whereby fake emails are sent to staff in order to attempt to retrieve sensitive company information such as passwords. According to the Centre for Internet Security (CIS), 75 US airports were targeted with attacks of this sort in 2014, highlighting the frequency at which cyber criminals are operating.

Remote hacking and wifi attacks are another form of attack, with flight control systems and wifi networks offering a new means for hackers to compromise an aircraft's command centre. Couple this with "ghost" flights, when a hacker inserts or removes a plane's projection on to radar screens, and there is plenty for the aviation industry to consider alongside existing stringent safety measures.

The aviation industry is just one facing up to this new threat as it becomes more reliant on technology. Shipping and ports, rail networks, retail and finance are just some of the other areas of business that are facing serious cyber threats as their core business moves online and relies on increasingly connected networks to operate.

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher, and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses "it is not a matter of if you are hacked, but when". For the aviation industry, and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded. Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London specialising in cyber insurance

To find out more, visit safeonline.com

IN PARTNERSHIP WITH SAFEONLINE

A-Z OF CYBER SECURITY

K is for Kim Jong-un

Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014, Sony Pictures Entertainment fell victim to a massive leak of sensitive information – more than 100 terabytes of data, claimed the assailants – ranging from internal emails, employee salaries and details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel, and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect" from North Korea. For its part, the country continues to deny any involvement. Jon Bernstein

K is also for key and key escrow

L is for licensing

It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be underestimated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits, and invariably leaves them paying significantly more than they should for the technology they use in their business. Gareth Johnson is the CEO of Crayon

L is also for the law and logic bombs

M is for Melissa

The Melissa virus struck in May 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that, at the time, was highly innovative. Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim's address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide. Lenny Zeltser is a senior instructor at the SANS Institute

M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience

We all rely on network connectivity in our day-to-day lives – from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services

Big data: the future of UK cyber security

Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data – from smartphones to intelligent fridges, industrial sensors to CCTV cameras – are developing and adapting.

For a business, this vast universe of data could consist of 10,000 devices connected to the network, transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached, but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest priority threats that lie hidden amidst the large volume of data, and feed these threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (the identification of previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation. Paul Stokes is the chief operating officer for Wynyard

To find out more, visit wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP

How safe are your crown jewels?

No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information. It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony. And Target, and eBay, and Home Depot, and JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels

Companies today have an overflowing amount of information and multiple routes in to reach it. For many, the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it: all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong, too.

Six activities to help protect your crown jewels

1 Make detection part of your strategy
Many organisations have already been breached; they just don't know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3 Look after your data when it's inside and outside your organisation
Today, in our interconnected world, our data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack, and encourage best risk-limiting practices.

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers

Are you really protecting your crown jewels?

Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels".

Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:

l Explore the risks from cyber and insider threats
l Discuss some of the proactive solutions to put you back on the front foot
l Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free

IN PARTNERSHIP WITH AVATU


are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack. Garry Sidaway is a senior vice-president at NTT Com Security

N is also for non-repudiation
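As an added example (not code from the page, from NTT Com Security or from Wynyard), the detection step that both the network resilience entry and the Wynyard article describe in words: learn a baseline of per-minute request volume from constructed web-server log lines, flag a minute whose volume is far above it, and report whether the flood comes from one source or from many. The log format, the thresholds and the addresses are all assumptions.

```python
"""Request-flood detection over constructed web-server log lines.

Added example, not code from the page: a baseline of "normal" per-minute
request volume is learned from the first few minutes of a log, later
minutes far above that baseline are flagged, and each alert reports how
many distinct sources produced the flood (one source suggests a plain
DoS, many sources a distributed one) and what share of it was invalid
requests. Log format, thresholds and addresses are all assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Combined-log-style line: source IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Event:
    minute: str    # "YYYY-MM-DD HH:MM", the aggregation bucket
    ip: str
    status: int
    invalid: bool  # 4xx/5xx: the "incorrect or invalid requests" case


def parse_line(line):
    """Parse one log line into an Event; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    status = int(m.group("status"))
    return Event(ts.strftime("%Y-%m-%d %H:%M"), m.group("ip"), status, status >= 400)


def bucket_by_minute(events):
    """Group events into {minute: [Event, ...]}, ordered by minute."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e.minute].append(e)
    return dict(sorted(buckets.items()))


def detect_floods(lines, baseline_minutes=5, sigma=3.0, min_ratio=5.0,
                  ddos_sources=10):
    """Return one alert dict per minute whose request volume is anomalous.

    The first `baseline_minutes` buckets define normal. A later minute alerts
    when its count exceeds both mean + sigma*stdev and min_ratio*mean; the
    ratio floor keeps a flat baseline (zero variance) from alerting on noise.
    """
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    buckets = bucket_by_minute(events)
    minutes = list(buckets)
    base = [len(buckets[m]) for m in minutes[:baseline_minutes]]
    if not base:
        return []
    mu, sd = mean(base), pstdev(base)
    threshold = max(mu + sigma * sd, min_ratio * mu)
    alerts = []
    for m in minutes[baseline_minutes:]:
        evs = buckets[m]
        if len(evs) <= threshold:
            continue
        sources = Counter(e.ip for e in evs)
        alerts.append({
            "minute": m,
            "requests": len(evs),
            "baseline_mean": mu,
            "distinct_sources": len(sources),
            "top_source_share": sources.most_common(1)[0][1] / len(evs),
            "invalid_share": sum(e.invalid for e in evs) / len(evs),
            "kind": "distributed (DDoS)" if len(sources) >= ddos_sources
                    else "single-source (DoS)",
        })
    return alerts


def make_sample_lines():
    """Constructed log (not real traffic): five quiet minutes, then a flood of
    failed logins from twenty addresses in the 192.0.2.0/24 documentation range."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'
    lines = []
    for minute in range(5):
        for i, ip in enumerate(("10.0.0.1", "10.0.0.2", "10.0.0.3")):
            lines.append(fmt.format(ip=ip, path="/", status=200,
                                    ts="18/Sep/2015:09:0%d:%02d +0000" % (minute, i * 10)))
    for n in range(60):
        lines.append(fmt.format(ip="192.0.2.%d" % (n % 20 + 1), path="/login?try=%d" % n,
                                status=404, ts="18/Sep/2015:09:05:%02d +0000" % n))
    return lines


if __name__ == "__main__":
    for alert in detect_floods(make_sample_lines()):
        print(alert)
```

On the constructed log the five quiet minutes give a flat baseline of three requests per minute, so the ratio floor (not the standard deviation) sets the threshold, and the sixth minute is reported as a distributed flood made entirely of invalid requests.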

O is for outside threat

As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats. Garry Sidaway is a senior vice-president at NTT Com Security

O is also for offline attack

P is for password

The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof. Jon Bernstein

P is also for passive attack, personally identifiable information and phishing

Q is for quarantine

Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma

Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide, but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme:

1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.

2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.

3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.

4 Ensure the training you provide is up-to-date and relevant to the task in hand. Provide real life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".

5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.

6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.

7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information, but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly, it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001. Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more, visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 1734983089983094 | NEW STATESMAN | 00 MONTH 2014

HEADING

digital engineeringStuart J Green

The phrase ldquoWersquore very serious aboutcyber securityrdquo seems to have be-come a standard party line Usually

this statement follows a very public an-nouncement of a breach or cyber attack orwhen shortcomings have been highlight-ed in a gap analysis and an organisation is

about to justify doing nothing about it Yes you read that right Some organisa-

tions will pay for a gap analysis to highlight their vulnerabilities and weaknesses, and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

So you're serious about cyber security?
What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance? asks Stuart Green

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.
Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more, visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps, such as automated vulnerability scans, to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1. Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2. Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3. Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one to three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps:
1. Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2. Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3. Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4. Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute
U is also for unauthorised access


V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus
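The check this entry describes, a certificate's signature validated with the issuing authority's public key, in working form as an added example (not from the page or from Venafi). It uses Go's standard crypto/x509 package to build a constructed root CA and a server certificate, then shows that a certificate for the very same host name issued by a second authority the relying party never trusted fails the same check; every name and host below is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh ECDSA P-256 key pair.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// makeCA builds a self-signed certification authority certificate for the
// given (constructed) name. Its private key signs the certificates it issues;
// its public key is what relying parties use to check those signatures.
func makeCA(key *ecdsa.PrivateKey, name string) (*x509.Certificate, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueServerCert has the CA sign a certificate for dnsName with the CA's
// private key. The server gets its own key pair; only the public half is
// embedded in the certificate.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	serverKey, err := newKey()
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &serverKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainstRoot is the relying party's check: does the certificate chain
// to a root we trust (its signature validated with that root's public key),
// is it inside its validity window, and is it valid for the host we expect?
func verifyAgainstRoot(cert, trustedRoot *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

func main() {
	const host = "shop.example.test" // constructed host name
	trustedKey, _ := newKey()
	trusted, _ := makeCA(trustedKey, "Trusted Root CA (constructed)")
	genuine, _ := issueServerCert(trusted, trustedKey, host)

	// A second authority that the client has never trusted issues a
	// certificate carrying the very same host name.
	rogueKey, _ := newKey()
	rogue, _ := makeCA(rogueKey, "Rogue Root CA (constructed)")
	impostor, _ := issueServerCert(rogue, rogueKey, host)

	fmt.Println("genuine signature checks against trusted CA:", genuine.CheckSignatureFrom(trusted) == nil)
	fmt.Println("genuine chain verifies (nil = ok):", verifyAgainstRoot(genuine, trusted, host))
	fmt.Println("impostor signature checks against trusted CA:", impostor.CheckSignatureFrom(trusted) == nil)
	fmt.Println("impostor chain verifies:", verifyAgainstRoot(impostor, trusted, host))
	fmt.Println("genuine cert presented for another host:", verifyAgainstRoot(genuine, trusted, "other.example.test"))
}
```

The rogue-authority case is the one the entry warns about in reverse: the check only protects you if the root you trust is the right one and its private key has not been compromised.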

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malwares, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially by sending information about vulnerable software to the party responsible for its creation, so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero day for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero day as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie


Cyber security: a must-do for SMEs
For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best. "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen, it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.
Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS
Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam
Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromise and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience, at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change and the cyber threats that come with it are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger, but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor
UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.

"Total security is a futile concept"


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail
Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage breach crisis
• regulatory fines, proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance. Do you have policies in place for users to follow?
• Privacy culture. Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security. Do you protect and monitor your IT infrastructure?
• Data encryption tools. Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation. Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems. We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option
Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, should have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so that only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated pin or biometrics such as a fingerprint scan. And of course passwords should also be as strong as possible.

Encryption is great but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.
Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


constantly evolving threat landscape pro-motes a feeling of vulnerability for manyand has resulted in some organisationsspending significant sums of money onineffective programmes with poor align-ment to risks and business imperatives

Cyber security is not achievable by a quicktechnical fix nor is it a matter solely forthe IT department

We often see that these behavioursleave leadership wondering what theyreally need to do how much is reallyenough and who they can trust to helpthem get it right

The reality is that cyber security is a business risk just like physical security Ifmeasures are put in place to deal with itthen businesses can mitigate and protectagainst future attacks as a matter of ldquobusi-

ness as usualrdquo

Catherine AskamCyber risk is often associated with high-profile cyber espionage rather than themore common reality of direct threatsto day-to-day activities The basics suchas regularly updating security softwareare often forgotten as a means to preventattacks The answer is not to stop wor-rying but to turn defences in the rightdirection Security officers should pri-oritise the training of employees to un-

derstand and prevent the security risksthe organisation faces instead of beingparalysed by the fear of being blamed inthe event of an incident

3 Internal orexternal wheredoes the biggestthreat to a irmrsquos

security lieAnd why

Mark BrownAlthough the actual threat remains thetechnical vulnerabilities exploited bythe cyber criminals the biggest riskis that most of these technical vulner-abilities are exploited in the first placedue to the actions of internal employees Well-intentioned but misinformed staff

continue to expose otherwise safe prac-

tices in an organisation therefore failureto provide continual education trainingand awareness to staff is a key risk

Notwithstanding internal aspects if acyber criminal wishes to break into a cor-porate organisation technical defences

alone are insufficient An ardent attackerwill attack an organisation until they findthe exposure

Paul TaylorBoth internal and external threats exist Itreally depends on the core business of thecompany you are dealing with The key isto take a holistic view of the threat ndash think-ing about who your adversaries might bewhat they might be after and the variousways they might achieve their goals

Moreover keeping the different aspects

of security in the front of your mind bymeans of cyber exercises or resiliencegames is a good way of making sure thatall relevant parts of the organisation canwork together to deal with any incidentIn short attackers wonrsquot respect yourstovepipes and you need to think

Catherine AskamEmployees and non-employees accessing buildings data and critical IT systems areprobably an organisationrsquos biggest threat

While malicious users may attack from

the inside of an internal system causinggreater harm than any cyber attack em-ployees could also make mistakes thatput the company at risk Security infor-mation and event-management tools canprevent these as they can flag up irregu-lar activity This leads to timely incidentdetection and containment

Smartphones are also becoming acyber-security minefield The ability tolog in automatically steal credentials and break into the back-end systems poses areal risk

John BerrimanTherersquos no doubt that external threatsregularly grab the headlines Maliciousthreats and breaches cause genuineserious and high-profile breaches Manyorganisations prioritise external threats but internal ones can be just as damag-ing Staff can be the strongest or indeedweakest point in the security chain

PwC research for the governmentfound that 75 per cent of large organisa-tions suffered staff-related breaches up

from 58 per cent a year ago Inadequate

2 ldquoThe cybersecurity industrytrades o peoplersquos

ears ndash otenunsubstantiatedrdquoDiscuss John BerrimanPwC research conducted for the govern-ment has shown that nine out of ten or-ganisations reported a cyber-security breach in the past year so the threat businesses face is very real The cyber-security industry is driven by the genuineexperiences of organisations that suffer

security breachesOthers are in denial about the extent towhich they are vulnerable or fail to pre-pare adequately and then find themselveshit by a major breach that causes serious business disruption

At PwC we are trying to make organi-sations more aware and better preparedThere is a lot that can be done to preventa breach becoming a serious issue thatcauses long-term and costly damage to a business its brand and reputation

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real, but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The


5 What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1 Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2 Review current security operations and invest in them to strengthen this area of your business.
3 Focus on prevention in addition to how you would respond to an attack: for example, threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1 Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2 They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest

training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4 What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3 They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1 Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2 Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3 Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1 Identify what data and processes are the most important to your business.
2 Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3 Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever-growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever-advancing cyber threat are few and far between. With threats always

IN PARTNERSHIP WITH PGI CYBER ACADEMY


evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training. The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent. Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours: the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
- boundary firewalls and internet gateways
- secure configuration
- access control
- malware protection
- patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition, embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional. Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives, and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure that threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m-£3.14m: average cost of worst security breaches to large organisations

£75k-£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: staff-related 75%; unauthorised outsider 69%; denial-of-service attack 30%

Small organisations: staff-related, denial-of-service attack and unauthorised outsider, shown on the chart with the figures 38%, 16% and 31% (the chart's pairing of figures to labels does not survive extraction)

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services, such as Skype or WhatsApp, that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)2


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


Why infosec is the great enabler

Just as a car's brakes take the risk out of driving, so information security makes business possible, writes Peter Wenham

Information security (infosec, or just security) often gets a bad press and is often seen in a negative light. Why is this? Is it the influence of sensationalism in the media about the bad guys getting heaps of credit-card data? Or is the coverage causing fatigue because the messages are seen as being overhyped and, in a sense, that "it's not happened here yet"? Is it that the costs associated with infosec are seen as coming off the bottom line with no apparent benefit? Perhaps an expensive infosec project failed or costs spiralled.

Whatever the reason, infosec needs to be better understood. It is, after all, a business enabler – but can we demonstrate that? A good analogy is to ask why cars are built with brakes. Ask an audience and the majority answer will be "because it stops the car". The real reason is that the brakes enable the car to be driven. In other words, they take the risk out of actually driving the car at speed, because brakes are used to slow or stop the car.

We can extend the analogy by comparing a Formula 1 racing car's brakes to a family car's brakes. Fit a family car's brakes into an F1 car and they will fail before the F1 car completes its first circuit. The quality of the brakes, or control, is proportionate to the risk. An F1 car needs far better brakes than those fitted to a family car due to higher speeds and acceleration and deceleration rates.

What is infosec actually doing in an organisation? It is protecting company data, be it intellectual property, finance and HR records or customer data. And each data type has a value. For example, sales and marketing information is of value to rivals planning to make a hostile bid. According to the data/information value, we can identify the threats, threat sources and business exposures.

By identifying the threats, sources and exposures, a set of general controls governing access to any data set, and the processing it can be subject to, can be determined.

So who owns infosec? In many organisations infosec is thrown lock, stock and barrel over the fence to the IT group, but they are the wrong people. While IT can devise, implement and manage technical controls in support of identified threats, it is the core business that understands what the organisation does and the threats and exposures.

The business owns the information that drives an organisation. Information, and the data it is derived from, can and must be owned by only one person, for due diligence, auditability and legal/regulatory reasons. Hence the HR director (or equivalent) will own HR data, the finance director owns finance data, and so on.

What does "owning" the data mean? It means saying who can access data and for what purpose. Just because a person is the MD, CEO or director does not mean that he or she should have access to all the company data. Information should be restricted on a "need to know" basis.

Nevertheless, care is needed in this area to ensure this principle is not overly strict.

Generally, directors in large organisations cannot have hands-on decision-making for all the data under their control, so any decision-making regarding access and use will be devolved down in their organisations, but in the end they set the policy and retain overall responsibility.

In summary, you will have come to realise that for any specific informational area, such as HR, the business has identified the value of the information (public, company internal, sensitive and so on), who (or which groups) can access the information and what they can do to it (create, delete, edit, copy, transmit and so on).

This is the information necessary to build a sane and sensible infosec strategy for a company, which an IT department can take and turn into usable technical controls and an HR department can turn into user policies.

Peter Wenham is the director of Trusted Management, specialists in information assurance

To find out more, visit trusted-management.com
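The ownership model the article describes, with a single accountable owner deciding who can do what to each data set and everything else denied, as an added example in Go. This is not code from the article or from Trusted Management; the data sets, owners, groups, classifications and operations are constructed assumptions chosen to illustrate the point.

```go
// Added example (not from the article): a data-owner-driven, need-to-know
// access policy. Owners, groups, data sets and operations are assumptions.
package main

import (
	"errors"
	"fmt"
)

type Operation string

const (
	Create   Operation = "create"
	Read     Operation = "read"
	Edit     Operation = "edit"
	Delete   Operation = "delete"
	Copy     Operation = "copy"
	Transmit Operation = "transmit"
)

type Classification int

const (
	Public Classification = iota
	Internal
	Sensitive
)

// DataSet has exactly one accountable owner, who alone decides the grants.
type DataSet struct {
	Owner  string
	Class  Classification
	grants map[string]map[Operation]bool // group -> permitted operations
}

// Decision is one recorded access decision, kept for auditability.
type Decision struct {
	DataSet string
	Op      Operation
	Groups  []string
	Allowed bool
}

type Policy struct {
	sets  map[string]*DataSet
	Audit []Decision
}

func NewPolicy() *Policy { return &Policy{sets: map[string]*DataSet{}} }

func (p *Policy) Register(name, owner string, class Classification) {
	p.sets[name] = &DataSet{Owner: owner, Class: class, grants: map[string]map[Operation]bool{}}
}

// Grant succeeds only when the actor is the data set's owner: a director of
// another function, however senior, cannot grant access to data they do not own.
func (p *Policy) Grant(actor, name, group string, ops ...Operation) error {
	ds, ok := p.sets[name]
	if !ok {
		return fmt.Errorf("unknown data set %q", name)
	}
	if actor != ds.Owner {
		return errors.New(actor + " is not the owner of " + name)
	}
	if ds.grants[group] == nil {
		ds.grants[group] = map[Operation]bool{}
	}
	for _, op := range ops {
		ds.grants[group][op] = true
	}
	return nil
}

// Allowed is deny-by-default: public data may be read by anyone; everything
// else needs an explicit grant to one of the requester's groups.
func (p *Policy) Allowed(groups []string, name string, op Operation) bool {
	ds, ok := p.sets[name]
	allowed := false
	if ok {
		if op == Read && ds.Class == Public {
			allowed = true
		}
		for _, g := range groups {
			if ds.grants[g][op] { // nil inner map reads as false
				allowed = true
			}
		}
	}
	p.Audit = append(p.Audit, Decision{name, op, groups, allowed})
	return allowed
}

// DemoPolicy builds the constructed example: the HR director owns HR records
// and has granted the HR team create/read/edit and payroll read only.
func DemoPolicy() *Policy {
	p := NewPolicy()
	p.Register("hr-records", "hr-director", Sensitive)
	p.Register("press-releases", "comms-director", Public)
	_ = p.Grant("hr-director", "hr-records", "hr-team", Create, Read, Edit)
	_ = p.Grant("hr-director", "hr-records", "payroll", Read)
	return p
}

func main() {
	p := DemoPolicy()
	fmt.Println("board reads HR records:", p.Allowed([]string{"board"}, "hr-records", Read))
	fmt.Println("hr-team edits HR records:", p.Allowed([]string{"hr-team"}, "hr-records", Edit))
	fmt.Println("hr-team transmits HR records:", p.Allowed([]string{"hr-team"}, "hr-records", Transmit))
	fmt.Println("CEO granting board access:", p.Grant("ceo", "hr-records", "board", Read))
}
```

The point the code makes is the one the article makes: a board member gets no access to HR records unless the HR director has said so, the HR team can edit but not transmit because only those operations were granted, and every decision lands in an audit trail the business can review.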

IN PARTNERSHIP WITH TRUSTED MANAGEMENT


individual, business or government.

The strength of the encryption depends on how the technology is applied. Broadly, this happens in two ways – symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses a different key at the beginning and end of the process. From a security point of view, encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?

Jon Bernstein

E is also for event and exploit

F is or Flashbackmalware attackThe conventional wisdom dictates that

Apple-made devices are less prone to

with a grievance against a particular brandor political issue and can be a smoke-screen to confuse the target while othermore sophisticated attacks take place

DoS attacks can be mitigated by counter-measures such as certain types of appli-cation traffic-management devices thatcan be configured to identify and discardtraffic that appears to be coming from a

botnet There are also third-party servicesthat act as a type of clearing house for webtraffic that can counteract DoS attacksStephen Sims is a course author and seniorinstructor at the SANS Institute D is also for decryption and data breach

E is or encryptionEncryption is at once intellectually simpleand morally complex

At its most straightforward it is theact of encoding data turning plain textinto cipher text Only those with a keyor password can decode ndash or decrypt ndashthe data meaning that in theory at leastsensitive information can pass securely

across networks and be stored safely by an

computing enables companies to tap into extended resources situated anywherein the world creating efficiencies andscale ndash and allowing users to pay for ser-vices as they are used

While the cloud brings a host of finan-

cial and business benefits it also bringsrisks in the form of cyber theft acciden-tal data leaks and privacy fines As sensi-tive information is of enormous value tocriminals cloud defence is imperative for businesses that hold such data

A logical starting point is to identifyall cloud applications in use classify thetypes of data they hold and assess the risklevel of each app This then helps firms tomap the appropriate security controls toprotect data such as through encryptiontokenisation and data-loss prevention

And finally organisations should con-tinuously monitor activities to detect andflag up any anomalies in the use of dataWilly Leichter is the global director forcloud security at CipherCloud C is also for critical infrastructurecipher and cryptography

D is or denialo serviceA denial of service (DoS) is a type of cyberattack that aims to overwhelm a websiteor cloud service so that it cannot functionor accept legitimate requests from otherinternet users

To perpetrate this attack cyber crimi-nals will stealthily instal software oftenon the PCs of unsuspecting home usersthat on command can generate spurioustraffic directed at the victimrsquos websiteThese botnets can include tens of thou-sands of PCs and are referred to as a dis-tributed denial of service (DDoS) attackImagine a telephone switchboard with atotal of eight available phone lines If at-tackers keep calling never giving a chancefor a line to be freed then the switchboardcan never answer a legitimate call

DoS attacks are often used by groups


A movie about the North Korean leader Kim Jong-un triggered cyber attacks on the film company


security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.

The Flashback malware attack is one example of when Apple's defences – and those of its OS X operating systems – were breached. Using a form of malware known as a Trojan Horse, it was first detected in 2011. As the term suggests, a Trojan Horse attack is based more on deception than stealth, and Flashback was initially hidden as an Adobe Flash Player plug-in before moving on to exploit vulnerabilities in the Java programming language. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated, so the victim is a passive participant, oblivious to malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.

Jon Bernstein

F is also for fraud and firewall

G is for gateway crimes

In the world of addiction prevention, the notion of a gateway drug is well understood – a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.

Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was “important that they put those skills to good use and are not tempted unwittingly to cyber criminality”.

Jon Bernstein

G is also for graduated security

H is for Heartbleed

Heartbleed is the open-source software flaw that affected more than 60 per cent of the internet over a year ago. It allowed access to the private key used by individuals and businesses to encrypt web traffic. In particular, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace.

Heartbleed served as a long-overdue wake-up call for the IT industry. In some IT organisations, the percentage of open-source code used is greater than 25 per cent, meaning there's a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the zero-day vulnerability posed by Heartbleed.

The moral of the Heartbleed story is that, while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.

Lev Lesokhin is an executive vice-president at CAST Software

H is also for honey pot and hot wash
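The kind of basic flaw the entry refers to, as an added example that is neither the article's nor OpenSSL's code: a heartbeat responder that trusts the message's own length field (the defect) beside one that checks the claimed length against the bytes actually received (the same shape as the length checks in the published fix). The "adjacent memory" is a constructed byte string standing in for whatever sat next to the record on the server.

```python
"""Added example: the Heartbleed defect class, shown as a vulnerable heartbeat
responder beside a hardened one, over constructed in-memory data.

A TLS heartbeat message is: 1 byte type, 2 bytes payload length, the payload,
then at least 16 bytes of padding.  The flaw was trusting the 2-byte length
field instead of the length of the record that actually arrived.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16

# Constructed "process memory" lying just after the record in a buffer:
# stands in for keys, cookies and other sessions on a real server.
SECRET_TAIL = b"<other connection data: session_id=42; cookie=deadbeef>"


def build_heartbeat(payload, claimed_length=None):
    """Build a heartbeat request; claimed_length lets a test lie about size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING


def respond_vulnerable(record, memory_after_record):
    """Pre-fix behaviour: echo back `payload_length` bytes starting at the
    payload, however long the record actually was (simulated over-read)."""
    _, payload_length = struct.unpack("!BH", record[:3])
    buffer = record + memory_after_record        # adjacent memory, as on a heap
    echoed = buffer[3:3 + payload_length]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed


def respond_fixed(record, memory_after_record):
    """Post-fix behaviour: refuse the record unless header + payload + padding
    fits inside the bytes actually received.  Returns None on rejection."""
    record_length = len(record)
    if 1 + 2 + PADDING > record_length:           # not even a minimal message
        return None
    _, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + PADDING > record_length:
        return None                               # length field lies: drop it
    echoed = record[3:3 + payload_length]         # never reads past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + echoed


def leaked_bytes(response, sent_payload):
    """How many bytes beyond what the client sent came back (0 when safe)."""
    if response is None:
        return 0
    return max(0, len(response) - 3 - len(sent_payload))


if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    lying = build_heartbeat(b"ping", claimed_length=64)
    for name, record in (("honest", honest), ("lying", lying)):
        v = respond_vulnerable(record, SECRET_TAIL)
        f = respond_fixed(record, SECRET_TAIL)
        print(name, "record: vulnerable responder leaks", leaked_bytes(v, b"ping"),
              "bytes; fixed responder leaks", leaked_bytes(f, b"ping"), "bytes")
```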

I is for identity management

For practical purposes, an identity is a combination of username and password (you might call it a login or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.

Between home and work we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords, we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be – known as authentication – and in a corporate environment it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change – referred to as authorisation.

Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, cloud or mobile devices.

Bill Mann is the chief product officer at Centrify

I is also for incident, information assurance, intrusion and intellectual property

J is for jamming

Jamming is a technique used by


Threat – and the innovation dilemma

New aircraft technology designed to enhance safety gives hackers a fresh target, warns Jack Elliott-Frey

Even though there are an estimated 100,000 or so flights every day globally, for many people air travel still retains a large fear factor, for the simple reason that aircraft disasters, although statistically incredibly rare, still dominate news headlines when they occur. Despite the fact that you are more likely to die falling out of bed (a one in two million chance) than in a plane crash (a one in 11 million chance), many people still fear flying.

Unfortunately, this article will hardly help to assuage those fears. As many businesses will know, the increasing threat of a cyber attack is something that has been gaining a great deal of media attention in recent years, and the aviation industry now finds itself a target for cyber attacks of various kinds. So is it now possible for hackers to seize control of an aircraft?

Not yet, but the industry is coming under sustained attack from a variety of sources. A security researcher, Chris Roberts, reportedly hacked into an aircraft flight system to demonstrate its vulnerability, only to tweet about it and subsequently find himself under arrest by the FBI when he landed.

More recently, LOT, Poland's national airline, had its aircraft grounded following a hack that targeted computers issuing flight plans at Warsaw airport.

What these examples highlight is the vulnerability of the aviation industry to the growing threat of a cyber attack, a direct consequence of the proliferation of technology within the industry. New Boeing models are flown with the help of advanced computer systems, with pilots ceding aspects of control to technology. While this has allowed for great strides in aircraft safety, particularly during landing and take-off, it has also given hackers and other cyber criminals a new target.

There are a multitude of attack methods that pose a threat to airlines. On a ground level, phishing attacks are a popular method used by criminals, whereby fake emails are sent to staff in order to attempt to retrieve sensitive company information such as passwords. According to the Centre for Internet Security (CIS), 75 US airports were targeted with attacks of this sort in 2014, highlighting the frequency at which cyber criminals are operating.

Remote hacking and wifi attacks are another form of attack, with flight control systems and wifi networks offering a new means for hackers to compromise an aircraft's command centre. Couple this with “ghost” flights, when a hacker inserts or removes a plane's projection on to radar screens, and there is plenty for the aviation industry to consider alongside existing stringent safety measures.

The aviation industry is just one facing up to this new threat as it becomes more reliant on technology. Shipping and ports, rail networks, retail and finance are just some of the other areas of business that are facing serious cyber threats as their core business moves online and relies on increasingly connected networks to operate.

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher, and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses “it is not a matter of if you are hacked, but when”. For the aviation industry, and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.

Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London specialising in cyber insurance

To find out more, visit safeonline.com

IN PARTNERSHIP WITH SAFEONLINE


attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1 By flooding spectrum using a signal generator
2 By attacking the transmission collision avoidance protocols to prevent other stations from transmitting
3 By exploiting a vulnerability in the protocols that process transmissions

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case, the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming.

Steve Armstrong is a certified instructor at the SANS Institute

J is also for joint authorisation

K is for Kim Jong-un

Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014 Sony Pictures Entertainment fell victim to a massive leak of sensitive information – more than 100 terabytes of data, claimed the assailants – ranging from internal emails and employee salaries to details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both “absurd” and “exactly the kind of behaviour we have come to expect” from North Korea. For its part, the country continues to deny any involvement.

Jon Bernstein

K is also for key and key escrow

L is for licensing

It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be underestimated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits, and invariably leaves them paying significantly more than they should for the technology they use in their business.

Gareth Johnson is the CEO of Crayon

L is also for the law and logic bombs

M is for Melissa

The Melissa virus struck in May 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that at the time was highly innovative. Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim's address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.

Lenny Zeltser is a senior instructor at the SANS Institute

M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience

We all rely on network connectivity in our day-to-day lives – from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services


Big data: the future of UK cyber security

Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data – from smartphones to intelligent fridges, industrial sensors to CCTV cameras – are developing and adapting.

For a business, this vast universe of data could consist of 10,000 devices connected to the network, transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached, but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest-priority threats that lie hidden amidst the large volume of data and feeding these threats directly to the security teams for immediate human investigation.

By identifying the “unknown unknowns” on a network (the identification of previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.

Paul Stokes is the chief operating officer for Wynyard

To find out more, visit wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP
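The "identify what is normal, then flag and rank the anomalies for the security team" approach the article describes, as an added example that is not Wynyard's product or the article's own code: a per-host baseline built from a training window of constructed daily outbound-byte totals, a robust deviation score for the day under review, and a ranked alert list. The host names and traffic figures are constructed, and the median/MAD scoring is one simple choice of "rigorous analytical algorithm", not the one any vendor uses.

```python
"""Added example: baseline "normal" per host, then score and rank the day's
anomalies so the highest-priority ones reach analysts first.

Baseline = median and median absolute deviation (MAD) of each host's daily
outbound bytes over a training window.  All hosts and figures are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed training records: (host, day, bytes_out) for days 1..14.
RECORDS = (
    [("web01", d, 5_000_000 + (d % 3) * 100_000) for d in range(1, 15)]
    + [("hr-pc7", d, 80_000 + (d % 4) * 5_000) for d in range(1, 15)]
    + [("db02", d, 2_000_000 + (d % 5) * 50_000) for d in range(1, 15)]
)
# Day 15 is the day under review: db02 suddenly sends ~40x its usual volume.
TODAY = [("web01", 15, 5_150_000), ("hr-pc7", 15, 92_000), ("db02", 15, 80_000_000)]


def build_baseline(records):
    """Per-host (median, mad) over the training window."""
    by_host = defaultdict(list)
    for host, _, value in records:
        by_host[host].append(value)
    baseline = {}
    for host, values in by_host.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[host] = (med, mad)
    return baseline


def anomaly_score(value, med, mad, floor_ratio=0.05):
    """Robust z-score: how many 'normal deviations' the value sits above the
    host's median.  floor_ratio stops a near-zero MAD turning noise into alerts
    (a host that is always the same is not anomalous at +1 byte)."""
    scale = max(mad * 1.4826, med * floor_ratio, 1.0)
    return (value - med) / scale


def rank_alerts(today, baseline, threshold=5.0):
    """Return [(host, score, value, median)] above threshold, highest first.
    A host with no baseline is flagged as well: an unknown is itself anomalous."""
    alerts = []
    for host, _, value in today:
        if host not in baseline:
            alerts.append((host, float("inf"), value, None))
            continue
        med, mad = baseline[host]
        score = anomaly_score(value, med, mad)
        if score >= threshold:
            alerts.append((host, score, value, med))
    return sorted(alerts, key=lambda a: a[1], reverse=True)


if __name__ == "__main__":
    base = build_baseline(RECORDS)
    for host, score, value, med in rank_alerts(TODAY, base):
        normal = "no baseline" if med is None else f"normal ~{med:,.0f}"
        print(f"{host}: {value:,} bytes out ({normal}), score {score:.1f}")
```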


How safe are your crown jewels?

No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information.

It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony. And Target, and eBay, and Home Depot, and JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels

Companies today have an overflowing amount of information and multiple routes in to reach it. For many the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong too.

Six activities to help protect your crown jewels

1 Make detection part of your strategy
Many organisations have already been breached, they just don't know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3 Look after your data when it's inside and outside your organisation
Today, in our interconnected world, our data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Many and multiple devices can be the weak point in your security

IN PARTNERSHIP WITH AVATU

Are you really protecting your crown jewels?

Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their “crown jewels”.

Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc.

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote “New Statesman” when you book and the event will be free.

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers


are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.

Garry Sidaway is a senior vice-president at NTT Com Security

N is also for non-repudiation

O is for outside threat

As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person's or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.

Garry Sidaway is a senior vice-president at NTT Com Security

O is also for offline attack

P is for password

The comedian John Oliver recently observed that cyber security is “the only reason we know our mother's maiden name”. The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities, many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.

Jon Bernstein

P is also for passive attack, personally identifiable information and phishing

Q is for quarantine

Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma


Seven steps to effective training
Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach.

In the event of a significant data breach, whether due to a cyber attack, malicious act, negligence or human error, the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation, the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide, but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme.

1. Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.

2. Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.

3. Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or to get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.

4. Ensure the training you provide is up to date and relevant to the task in hand. Provide real-life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".

5. Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.

6. Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.

7. Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information, but also of commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.

Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer. To find out more, visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you're serious about cyber security?
What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance? asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or comes when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it. Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it: "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of its Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about: marketers, take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.

Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist. To find out more, visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein

Q is also for quadrant and quality of service.

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes; in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps such as automated vulnerability scans to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, which is missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1. Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2. Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3. Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group

R is also for resilience and rogue devices.

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden, a traitor to some, a heroic whistleblower to others, was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein

S is also for spam, spoofing and spyware.

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one and three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein

T is also for threat and Trojan Horse.

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.
1. Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2. Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3. Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4. Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access.


V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi

V is also for vulnerability and virus.

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade, or stop, web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein

W is also for white team and wifi.

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein

X is also for X.509 Public Key Certificate.

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat

Y is also for you.

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malware, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so that fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland

Z is also for zombie.


Cyber security: a must do for SMEs
For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent: giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it, usually under non-disclosure terms.

There are many companies whose security has been breached and who have had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise, and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost (hardware, software, licensing, people) quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently being deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble: into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies, primarily banks, in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs, it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen, it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk and reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target, and more attractive to customers and partners too. Every enterprise can improve cyber protection, surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others. To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS
Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists.

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising: the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that if subject to a cyber breach they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and, perhaps most importantly, losing customer confidence.

"Total security is a futile concept"


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail
Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
- costs incurred to manage a breach crisis
- regulatory fines and proceedings
- legal liability

Also, they can now find cover for:
- consequential losses due to damage of business reputation
- consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult, for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
- Privacy governance: do you have policies in place for users to follow?
- Privacy culture: are you making employees, vendors and other visitors to the organisation aware of privacy risks?
- Network security: do you protect and monitor your IT infrastructure?
- Data encryption tools: encrypting data on portable electronics is now as important as having fire sprinklers in a building.
- Network segmentation: separation of networks, or at least of data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
- Point-of-sales systems: we have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com

Lockton is a global insurance broker. Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


The headlines may be about cyber warand digital Armageddon but cyberattacks affecting businesses of all

sizes and are on the increase Criminalsknow that electronic crime offers fast re-turns with a much-reduced chance of

being caught The growth in cyber crimecoincides with the explosion in the num- ber of digital devices such as smartphoneslaptops and tablets Meanwhile socialmedia and the web have become integralparts of life

Yet many businesses are operating asif the data revolution hadnrsquot happenedThey face two challenges their conven-tional defences against cyber attack arelikely to be inadequate and their employ-ees are often unaware of the tricks that cy- ber criminals will use to get information

Basic technical precautions are still im-portant Anti-virus software and serversecurity patches should be applied andemail systems as a minimum have spamfilters A firewall acting as a barrier be-tween the outside world and the companyis still a requirement Important data ordevices must be protected by strong pass-words and subject to access controls toprevent accidental or deliberate leakage

The problem is that such basics were de-signed for a different more static businessenvironment The world has gone mobile

and the data along with it Attackers know

that many employees use their personaldevices for business use as well Theyshare emails across web-based email anddownload office documents to unprotect-ed devices or cloud-based storage

This means that increasing amounts of

company data and access points exist out-side the traditional company perimeterway beyond the protection of the firewall

Criminals are also adept at exploitingthe vulnerability of employees throughsocial engineering techniques They sendfake emails that look as if they originatefrom official bodies These contain weblinks that once clicked may downloadmalware designed to steal company dataor passwords and login details from un-suspecting employees

Hackers will obviously go after data that

they can see on company servers but whatif it was hidden from prying eyes Af-ter all you canrsquot hack what you canrsquot seeTechnology exists that can do just that andmake data servers go dark Such stealthtechnology puts a virtual cloak aroundservers so only the rightful owners andthose users devices and applications thatare authorised to access the data can see it

"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course, passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt it fully. For example, system administrators should be able to know that the data exists but not be able to read it, which in practice means the decryption keys are held and released by a service that those administrators do not control.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


2 "The cyber security industry trades off people's fears, often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately, and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving, one rooted in the heart of enterprise risk management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3 Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat, thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest, or indeed weakest, point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security and many organisations struggle to get it right.

4 What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs, the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5 What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1 Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2 Review current security operations and invest in them to strengthen this area of your business.
3 Focus on prevention in addition to how you would respond to an attack: for example, threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1 Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2 They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3 They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1 Activate: make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2 Adapt: analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3 Anticipate: get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them, so better that you find and resolve them first.

Paul Taylor
1 Identify what data and processes are the most important to your business.
2 Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3 Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure: that's simply not possible.


A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report released by ISACA showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July, when it released a report which showed that 90 per cent of large businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever-growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business, and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever-advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

IN PARTNERSHIP WITH PGI CYBER ACADEMY

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts, such as Protection Group International (PGI), to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, the researchers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year


In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is optional for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours: the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
- boundary firewalls and internet gateways
- secure configuration
- access control
- malware protection
- patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition: it still covers the unauthenticated remote hacker, but also checks what happens when malicious content such as malware and ransomware arrives on the inside by email or web download.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns, and the odd bit of car hacking, just for the heck of it.

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


What is digital infrastructure?

We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater; segmenting the control network from the corporate one, and policing the few connections that must cross between them, is the first step in reducing that proximity.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives, and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives, and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threat to the delivery of organisational, and in this case national, objectives is mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured, and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m-£3.14m: average cost of worst security breaches to large organisations

£75k-£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: staff-related 75%; unauthorised outsider 69%; denial-of-service attack 30%

Small organisations: staff-related 31%; unauthorised outsider 38%; denial-of-service attack 16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8 October, ExCel London


Awareness of cyber security has risenon the back of high-profile news sto-ries and consumer recognition of the

threats But though everyone is talking most businesses are still in the early stages of rec-ognising the sheer scale of the task ahead

Consider this summerrsquos recall of 14 mil-lion cars by Fiat Chrysler after researchers

remotely took control of a Jeep turning offthe engine by using wireless networks anda vulnerability in the vehiclersquos radio Similarstories have emerged of compromises withaircraft and washing machines The accusa-tions fly easily corporations do not prioritisesecurity or worse they wilfully ignore it Itrsquosmore likely that the opposite is true

The onset of the connected world ndash withan estimated 50 billion devices connectedtogether by 2020 ndash heralds a fundamentalchange in the way society and its economiesare developing The impact of technology onthe way we function is already evolving at

an unprecedented rate You will hear technology and business-

driven innovators alike talk about how thecloud is the new core and mobile devices thenew edge In plain English they mean thatemployees and suppliers from disparatecompanies business units and countries canwork together using myriad systems socialnetworks and business tools (many of whichstem from consumer services such as Skypeor WhatsApp that no one organisation over-sees) And there is no turning back

(ISC)2 has tracked these trends since 2004Our most recent study concludes that thechanging organisational footprint has left in-formation security professionals and the or-ganisations they protect cornered in a reac-tionary role of addressing security incidentsas they occur There is little opportunity toplan for the future

Connected cars that analyse driving fridg-es that can do the weekly shop and light andheating systems that can be controlled withan app on a mobile phone are accelerating thepace of change Itrsquos time to help those drivingthis change work with a much clearer under-standing of how it is moving us forward andwhere it is leaving us vulnerable

We need to examine developments in ar-eas such as robotics and health care to evalu-ate how dependent these fields are on tech-nology and how those dependencies couldaffect legal and regulatory concerns Thisgoes much further than the need for techni-

cal excellence in forensics technical analysisor penetration testing

The call is for a comprehensive effort onethat spans industry and management disci-plines to develop of a broad pool of talentcapable of reassessing business risk productand service development requirements andorganisational resilience

At the moment such considerations are shouldered by an overburdened cyber security function, straining under a now well-known skills gap in the field.

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Cyber security skills for a digital future

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines, now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


individual, business or government. The strength of the encryption depends on how the technology is applied. Broadly, this happens in two ways – symmetric encryption uses the same key both to encrypt and to decrypt a message, whereas asymmetric encryption uses a different key at the beginning and end of the process: anyone may hold the public key that encrypts, but only the holder of the private key can decrypt.

From a security point of view, encryption can be viewed as an unalloyed good thing, but there is also an ethical dimension. Should technology firms provide governments with access to encryption keys in the name of averting terrorism, for example? If they withhold those keys, are they wilfully putting national security at risk? But if they share keys, are they blatantly invading personal privacy?
Jon Bernstein
E is also for event and exploit
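The two-ways distinction above, worked through in code. This is an added example, not code from the supplement or its contributors; it uses only the Python standard library, so both ciphers are deliberately tiny teaching constructions (a SHA-256 keystream cipher standing in for a symmetric cipher, and textbook RSA over two small primes standing in for an asymmetric one). The primes, key sizes and message are constructed for the demo. Neither construction is secure enough for real data; in practice you would reach for a vetted library (AES-GCM for symmetric, RSA-OAEP or an elliptic-curve scheme for asymmetric, usually combined so the public key only ever encrypts a fresh symmetric key).

```python
"""Symmetric versus asymmetric encryption, reduced to what each key can do.

Standard library only, so both ciphers are deliberately tiny teaching
constructions (a SHA-256 keystream cipher and textbook RSA over two small
primes). Neither is secure; real systems use a vetted library.
"""
import hashlib
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key || nonce || counter into 'length' keystream bytes (CTR style)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext. A fresh nonce keeps repeated messages distinct."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    """Same key, same XOR: the receiver must hold exactly the sender's secret."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def rsa_keypair(p: int = 10007, q: int = 10009, e: int = 65537):
    """Textbook RSA from two small primes (constructed for the demo).

    Returns (public_key, private_key) as (n, e) and (n, d). Only d is secret.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, message: int) -> int:
    """Anyone holding the public key can encrypt."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def rsa_decrypt(private_key, ciphertext: int) -> int:
    """Only the private exponent reverses the operation."""
    n, d = private_key
    return pow(ciphertext, d, n)


def demo() -> dict:
    """Round-trip a constructed message through both schemes and report the outcome."""
    message = b"wire GBP 10,000 to account 7788"
    shared = secrets.token_bytes(32)
    blob = sym_encrypt(shared, message)
    public, private = rsa_keypair()
    pin = 7788  # small integer payload; real use would encrypt a symmetric key this way
    return {
        "symmetric_ok": sym_decrypt(shared, blob) == message,
        "wrong_key_ok": sym_decrypt(secrets.token_bytes(32), blob) == message,
        "asymmetric_ok": rsa_decrypt(private, rsa_encrypt(public, pin)) == pin,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from running it: in the symmetric case the secret has to exist at both ends, so the hard problem is distributing and protecting one key; in the asymmetric case the encrypting key can be published, and the key-escrow question raised in the entry is really a question about who else holds `d`.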

F is for Flashback malware attack
The conventional wisdom dictates that Apple-made devices are less prone to

with a grievance against a particular brand or political issue, and can be a smokescreen to confuse the target while other, more sophisticated attacks take place.

DoS attacks can be mitigated by countermeasures such as certain types of application traffic-management devices that can be configured to identify and discard traffic that appears to be coming from a botnet. There are also third-party services that act as a type of clearing house for web traffic that can counteract DoS attacks.
Stephen Sims is a course author and senior instructor at the SANS Institute
D is also for decryption and data breach

E is for encryption
Encryption is at once intellectually simple and morally complex.

At its most straightforward, it is the act of encoding data, turning plain text into cipher text. Only those with a key or password can decode – or decrypt – the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an

computing enables companies to tap into extended resources situated anywhere in the world, creating efficiencies and scale – and allowing users to pay for services as they are used.

While the cloud brings a host of financial and business benefits, it also brings risks in the form of cyber theft, accidental data leaks and privacy fines. As sensitive information is of enormous value to criminals, cloud defence is imperative for businesses that hold such data.

A logical starting point is to identify all cloud applications in use, classify the types of data they hold and assess the risk level of each app. This then helps firms to map the appropriate security controls to protect data, such as encryption, tokenisation and data-loss prevention.

And finally, organisations should continuously monitor activities to detect and flag up any anomalies in the use of data.
Willy Leichter is the global director for cloud security at CipherCloud
C is also for critical infrastructure, cipher and cryptography

D is for denial of service
A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users.

To perpetrate this attack, cyber criminals will stealthily install software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim's website. These botnets can include tens of thousands of PCs, and an attack launched from them is referred to as a distributed denial of service (DDoS) attack. Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call.

DoS attacks are often used by groups


A movie about the North Korean leader Kim Jong-un triggered cyber attacks on the film company


A-Z OF CYBER SECURITY


security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.

The Flashback malware attack is one example of when Apple's defences – and those of its OS X operating system – were breached. Using a form of malware known as a Trojan Horse, it was first detected in 2011. As the term suggests, a Trojan Horse attack is based more on deception than stealth, and Flashback was initially disguised as an Adobe Flash Player installer before moving on to exploit vulnerabilities in the Java browser plug-in, which let it install with no user interaction at all. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated, so the victim is a passive participant, oblivious to malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.
Jon Bernstein
F is also for fraud and firewall

G is for gateway crimes
In the world of addiction prevention, the notion of a gateway drug is well understood – a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.

Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was "important that they put those skills to good use and are not tempted unwittingly to cyber criminality".
Jon Bernstein
G is also for graduated security

H is for Heartbleed
Heartbleed is the open-source software flaw, disclosed in April 2014, in OpenSSL, the cryptographic library behind roughly two-thirds of the web's servers. It allowed access to the private key used by individuals and businesses to encrypt web traffic. In particular, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace.

Heartbleed served as a long overdue wake-up call for the IT industry. In some IT organisations the percentage of open-source code used is greater than 25 per cent, meaning there's a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still missed the vulnerability for the two years it sat in released code.

The moral of the Heartbleed story is that, while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.
Lev Lesokhin is an executive vice-president at CAST Software
H is also for honey pot and hot wash
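The check the entry calls for, in its simplest useful form: an inventory of which component versions run where, compared against advisories that give an affected range. This is an added example, not code from the supplement or from CAST Software. The one advisory listed is the real Heartbleed one (CVE-2014-0160 affected OpenSSL 1.0.1 up to and including 1.0.1f; 1.0.1g fixed it); the inventory lines and host names are constructed for the demo. The version parser handles OpenSSL's old letter-suffixed scheme, and anything it cannot parse is reported rather than silently skipped, because a skipped record is exactly how a vulnerable build stays unnoticed.

```python
"""Inventory check against known-vulnerable component versions."""
import re
from dataclasses import dataclass

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(text: str) -> tuple:
    """'1.0.1f' -> (1, 0, 1, 6); '1.0.1' -> (1, 0, 1, 0).

    OpenSSL's old scheme appended a patch letter, so the letter becomes a
    fourth numeric field that sorts after the bare release.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), (ord(letter) - ord("a") + 1) if letter else 0)


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)
    summary: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


ADVISORIES = [
    Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g",
             "Heartbleed: missing length check in the TLS heartbeat handler"),
]

# Constructed inventory: component, version, host, one record per line.
SAMPLE_INVENTORY = """\
# component version host
openssl 1.0.1f      web-01
openssl 1.0.1g      web-02
openssl 1.0.0m      legacy-01
openssl 0.9.8y      legacy-02
openssl 1.0.2-beta1 test-01
zlib    1.2.8       web-01
"""


def parse_inventory(text: str) -> list:
    records = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        component, version, host = line.split()
        records.append((component.lower(), version, host))
    return records


def audit(records: list, advisories=ADVISORIES) -> list:
    """One finding per (record, advisory) match, plus one for any version the
    parser cannot interpret so that it gets looked at by a human."""
    findings = []
    for component, version, host in records:
        for adv in advisories:
            if adv.component != component:
                continue
            try:
                hit = adv.affects(version)
            except ValueError:
                findings.append({"host": host, "component": component, "version": version,
                                 "cve": None, "status": "unparsed: review manually"})
                break
            if hit:
                findings.append({"host": host, "component": component, "version": version,
                                 "cve": adv.cve, "status": adv.summary})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_inventory(SAMPLE_INVENTORY)):
        print(finding)
```

Run against the sample, it flags only web-01 (1.0.1f is inside the affected range; 1.0.1g, 1.0.0m and 0.9.8y are not) and reports the beta build on test-01 as needing manual review. In a real estate the inventory comes from a package manager or software bill of materials and the advisory list from a vulnerability feed, but the matching logic is the same.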

I is for identity management
For practical purposes, an identity is a combination of username and password (you might call it a login or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.

Between home and work we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be – known as authentication – and, in a corporate environment, it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change – referred to as authorisation.

Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, the cloud or on mobile devices.
Bill Mann is the chief product officer at Centrify
I is also for incident, information assurance, intrusion and intellectual property
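The authentication/authorisation split described in the entry, in a small identity store. This is an added example, not code from the supplement or from Centrify. The role names and their permissions are constructed; the design points it demonstrates are the ones a practitioner would want: passwords kept only as salted PBKDF2 hashes, access derived from roles rather than granted per person, a role change that replaces the old role set (so permissions do not accumulate as people move jobs) and records what was revoked, and a lookup for unknown users that costs the same time as a real one.

```python
"""Authentication and authorisation in one small identity store."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed role model: each role lists only the permissions the job needs.
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write"},
    "support": {"tickets:read", "tickets:write", "customers:read"},
    "auditor": {"ledger:read", "tickets:read"},
}
PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = b"\x00" * 16


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    roles: set = field(default_factory=set)


class IdentityStore:
    def __init__(self):
        self._accounts = {}
        self.audit_log = []  # (username, revoked, granted) for every role change

    def create(self, username: str, password: str, roles) -> None:
        unknown = set(roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        salt = secrets.token_bytes(16)
        self._accounts[username] = Account(salt, _digest(password, salt), set(roles))

    def authenticate(self, username: str, password: str) -> bool:
        """Prove the caller is who they claim to be."""
        account = self._accounts.get(username)
        if account is None:
            _digest(password, _DUMMY_SALT)  # same cost for unknown users: no timing tell-tale
            return False
        return hmac.compare_digest(account.digest, _digest(password, account.salt))

    def permissions(self, username: str) -> set:
        account = self._accounts.get(username)
        if account is None:
            return set()
        return set().union(*(ROLE_PERMISSIONS[r] for r in account.roles))

    def authorise(self, username: str, permission: str) -> bool:
        """Decide whether an authenticated user may perform this action."""
        return permission in self.permissions(username)

    def change_roles(self, username: str, new_roles) -> set:
        """Replace the user's roles (e.g. on a job move) and return what was revoked."""
        account = self._accounts[username]
        unknown = set(new_roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        before = self.permissions(username)
        account.roles = set(new_roles)
        after = self.permissions(username)
        self.audit_log.append((username, sorted(before - after), sorted(after - before)))
        return before - after


def demo() -> dict:
    """Constructed walk-through: a finance user logs in, then moves to internal audit."""
    store = IdentityStore()
    store.create("alice", "correct horse battery staple", ["finance"])
    result = {
        "login_ok": store.authenticate("alice", "correct horse battery staple"),
        "login_bad": store.authenticate("alice", "hunter2"),
        "can_write_ledger": store.authorise("alice", "ledger:write"),
    }
    revoked = store.change_roles("alice", ["auditor"])
    result["revoked_on_move"] = sorted(revoked)
    result["can_write_ledger_after"] = store.authorise("alice", "ledger:write")
    return result


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through shows the part most organisations get wrong: after the move to audit, Alice keeps `ledger:read` because the new role needs it, but `ledger:write` is gone and the revocation is in the log.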

J is for jamming
Jamming is a technique used by


Even though there are an estimated 100,000 or so flights every day globally, for many people air travel still retains a large fear factor, for the simple reason that aircraft disasters, although statistically incredibly rare, still dominate news headlines when they occur. Regardless that you are more likely to die falling out of bed (a one in two million chance) than in a plane crash (a one in 11 million chance), many people still fear flying.

Unfortunately, this article will hardly help to assuage those fears. As many businesses will know, the increasing threat of a cyber attack is something that has been gaining a great deal of media attention in recent years, and the aviation industry now finds itself a target for cyber attacks of various kinds. So is it now possible for hackers to seize control of an aircraft?

Not yet, but the industry is coming under sustained attack from a variety of sources. A security researcher, Chris Roberts, reportedly hacked into an aircraft flight system to demonstrate its vulnerability, only to tweet about it and subsequently find himself detained and questioned by the FBI when he landed.

More recently, LOT, Poland's national airline, had its aircraft grounded following a hack that targeted the computers issuing flight plans at Warsaw airport.

What these examples highlight is the vulnerability of the aviation industry to the growing threat of a cyber attack, a direct consequence of the proliferation of technology within the industry. New Boeing models are flown with the help of advanced computer systems, with pilots ceding aspects of control to technology. While this has allowed for great strides in aircraft safety, particularly during landing and take-off, it has also given hackers and other cyber criminals a new target.

There are a multitude of attack methods that pose a threat to airlines. On a ground level, phishing attacks are a popular method used by criminals, whereby fake emails are sent to staff in an attempt to retrieve sensitive company information such as passwords. According to the Center for Internet Security (CIS), 75 US airports were targeted with attacks of this sort in 2014, highlighting the frequency at which cyber criminals are operating.

Remote hacking and wifi attacks are another form of attack, with flight control systems and wifi networks offering a new means for hackers to compromise an aircraft's command centre. Couple this with "ghost" flights, when a hacker inserts or removes a plane's projection on to radar screens, and there is plenty for the aviation industry to consider alongside existing stringent safety measures.

Threat – and the innovation dilemma
New aircraft technology designed to enhance safety gives hackers a fresh target, warns Jack Elliott-Frey

The aviation industry is just one facing up to this new threat as it becomes more reliant on technology. Shipping and ports, rail networks, retail and finance are just some of the other areas of business that are facing serious cyber threats as their core business moves online and relies on increasingly connected networks to operate.

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher, and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses "it is not a matter of if you are hacked but when". For the aviation industry, and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.
Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London specialising in cyber insurance

To find out more visit safeonline.com

IN PARTNERSHIP WITH SAFEONLINE


attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1. Flooding the spectrum using a signal generator
2. Attacking the transmission collision-avoidance protocols to prevent other stations from transmitting
3. Exploiting a vulnerability in the protocols that process transmissions

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming.
Steve Armstrong is a certified instructor at the SANS Institute
J is also for joint authorisation

K is for Kim Jong-un
Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014, Sony Pictures Entertainment fell victim to a massive leak of sensitive information – more than 100 terabytes of data, claimed the assailants – ranging from internal emails and employee salaries to details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel, and the leaks kept on coming. The United States government blamed North Korea, believing the Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect" from North Korea. For its part, the country continues to deny any involvement.
Jon Bernstein
K is also for key and key escrow

L is for licensing
It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be overestimated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits, and invariably leaves them paying significantly more than they should for the technology they use in their business.
Gareth Johnson is the CEO of Crayon

L is also for the law and logic bombs

M is for Melissa
The Melissa virus struck in March 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that, at the time, was highly innovative. Melissa embedded its code as a macro inside a Microsoft Word document and emailed itself to the first 50 entries in the victim's Outlook address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.
Lenny Zeltser is a senior instructor at the SANS Institute
M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience
We all rely on network connectivity in our day-to-day lives – from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services

t

t

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 123400 MONTH 2014 | NEW STATESMAN | 983089983089

In the past three years we have created more data than had been created in all of human history before: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data – from smartphones to intelligent fridges, industrial sensors to CCTV cameras – grows and adapts.

For a business, this vast universe of data could consist of 10,000 devices connected to the network, transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity, it is no longer a case of if your security can be breached but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US public-sector IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats, and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

Big data: the future of UK cyber security
Serious crime-fighting requires new tools, argues Paul Stokes

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest-priority threats that lie hidden amid the large volume of data and feeding these threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.
Paul Stokes is the chief operating officer for Wynyard
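What "identifying what is normal" and flagging departures from it looks like in practice, at its smallest. This is an added example, not code from the supplement or from Wynyard. The data is constructed: outbound megabytes per day for three hosts over two weeks, the last value being today. Each host is scored against its own history rather than against a signature, which is what lets the method surface an "unknown unknown" such as a database server that suddenly sends twenty times its usual volume. A robust baseline (median and median absolute deviation) is used deliberately so that a few odd days in the history, here a laptop that is off at weekends, do not inflate the spread and hide a real outlier, which a plain mean and standard deviation would do.

```python
"""Baseline-and-deviation anomaly detection on per-host traffic volumes."""
import statistics

# Constructed history: host -> daily outbound MB, oldest first, today last.
SAMPLE_SERIES = {
    "fin-db-01":    [120, 118, 125, 130, 122, 119, 121, 124, 128, 123, 120, 126, 122, 2400],
    "web-03":       [900, 950, 870, 1010, 990, 930, 880, 960, 1020, 910, 940, 990, 970, 1050],
    "hr-laptop-17": [40, 42, 0, 0, 41, 39, 43, 45, 0, 0, 40, 44, 42, 46],
}

MAD_SCALE = 1.4826  # makes MAD comparable to a standard deviation for normal data


def robust_zscore(history: list, value: float) -> float:
    """How many (robust) standard deviations 'value' sits from the history's median."""
    median = statistics.median(history)
    mad = statistics.median(abs(x - median) for x in history)
    spread = MAD_SCALE * mad if mad > 0 else 1.0  # constant history: fall back to unit spread
    return (value - median) / spread


def find_anomalies(series: dict, threshold: float = 5.0, min_history: int = 7) -> list:
    """Score each host's latest value against its own past and return the outliers."""
    findings = []
    for host, values in series.items():
        history, today = values[:-1], values[-1]
        if len(history) < min_history:
            continue  # not enough of a baseline to say what 'normal' is for this host
        score = robust_zscore(history, today)
        if abs(score) > threshold:
            findings.append({
                "host": host,
                "today_mb": today,
                "baseline_mb": statistics.median(history),
                "score": round(score, 1),
            })
    return sorted(findings, key=lambda f: -abs(f["score"]))


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_SERIES):
        print(finding)
```

On the sample only fin-db-01 is reported: its usual day is about 122 MB with a spread of a couple of megabytes, so 2,400 MB scores in the hundreds, while web-03's busy day and the laptop's slightly higher day both stay well inside their own normal range. The threshold and the minimum history length are the knobs that trade missed events against analyst noise.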

To find out more visit wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP


A few months ago, a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information.

It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and, no doubt, spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that, the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony. And Target, and eBay, and Home Depot, and JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels
Companies today have an overflowing amount of information and multiple routes in to reach it. For many, the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it – all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection and mitigation, and a plan in place to put things right when they go wrong too.

How safe are your crown jewels?
No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

Six activities to help protect your crown jewels
1. Make detection part of your strategy
Many organisations have already been breached; they just don't know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2. Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3. Look after your data when it's inside and outside your organisation
Today, in our interconnected world, our

IN PARTNERSHIP WITH AVATU

Many and multiple devices can be the weak point in your security


Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels"

Are you really protecting your crown jewels?
Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role, such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free

data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management, such as Seclore FileSecure, can allow you total control of your data whether inside or outside your organisation.

4. Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of the critical Microsoft vulnerabilities reported in 2014.

5. Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6. Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers


are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or by incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, known as a distributed denial of service (DDoS) attack.

Network and service providers put in place technologies that detect this increase in requests and scrub the traffic to provide resilience and maintain services. They must also ensure that the applications themselves are not vulnerable to attack.
Garry Sidaway is a senior vice-president at NTT Com Security
N is also for non-repudiation
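The detection step that both the D entry (devices configured to identify and discard traffic that appears to be coming from a botnet) and this N entry (detecting the increase in requests, and the invalid ones) rely on, reduced to its core. This is an added example, not code from the supplement, SANS or NTT Com Security. It reads web-server access logs in Common Log Format; the log lines, addresses and thresholds are constructed for the demo. A source is flagged when it exceeds a request rate inside a sliding window, or when most of what it sends is rejected, which is how a flood of malformed or invalid requests looks at the application layer; the number of flagged sources is then what separates a single-source DoS from a distributed one. In production the output would feed a firewall or scrubbing service rather than a print statement, and the thresholds would be tuned to the service's real traffic.

```python
"""Per-source request-flood detection over web-server access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Common Log Format line -> dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "request": m["request"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window_seconds=10, max_requests=20, min_sample=10, max_error_ratio=0.5):
    """Return {source_ip: reason} for sources that look like flood participants."""
    recent = defaultdict(deque)            # ip -> timestamps inside the sliding window
    totals = defaultdict(lambda: [0, 0])   # ip -> [requests seen, requests rejected]
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()               # drop timestamps that have aged out
        totals[ip][0] += 1
        if rec["status"] >= 400:
            totals[ip][1] += 1
        if len(window) > max_requests and ip not in flagged:
            flagged[ip] = f"{len(window)} requests within {window_seconds}s"
    for ip, (count, rejected) in totals.items():
        if ip not in flagged and count >= min_sample and rejected / count > max_error_ratio:
            flagged[ip] = f"{rejected} of {count} requests rejected"
    return flagged


def summarise(flagged: dict) -> str:
    """Many flagged sources means distributed (DDoS); one means a single-source DoS."""
    if not flagged:
        return "no flood detected"
    kind = "distributed" if len(flagged) > 1 else "single-source"
    return f"{kind} flood from {len(flagged)} source(s)"


def build_sample_log() -> list:
    """Constructed traffic: one normal client, one high-rate bot, one bot sending junk."""
    start = datetime(2015, 9, 18, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, status, request="GET / HTTP/1.1"):
        stamp = (start + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{stamp}] "{request}" {status} 512'

    events = []
    events += [(t, line("203.0.113.10", t, 200)) for t in range(0, 75, 15)]                 # 5 normal hits
    events += [(100 + i / 6, line("198.51.100.7", 100 + i // 6, 200)) for i in range(30)]   # 6 per second
    events += [(200 + 2 * i, line("198.51.100.8", 200 + 2 * i, 400, "GARBAGE")) for i in range(12)]
    return [text for _, text in sorted(events)]


if __name__ == "__main__":
    hits = detect_floods(build_sample_log())
    for ip, why in hits.items():
        print(ip, why)
    print(summarise(hits))
```

Against the sample, 198.51.100.7 trips the rate rule on its 21st request inside ten seconds, 198.51.100.8 never exceeds the rate but is caught because every one of its twelve requests was rejected, and the normal client at 203.0.113.10 is left alone. The error-ratio rule is the one that catches the "incorrect or invalid requests" case the entry describes, which a pure rate limit would miss.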

O is for outside threat
As opposed to the insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person's or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.
Garry Sidaway is a senior vice-president at NTT Com Security
O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities many companies insist on more complex passwords: longer, with a mix of upper- and lower-case letters and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence, and a password reused across sites is only as safe as the weakest of those sites. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe or foolproof.
Jon Bernstein
P is also for passive attack, personally identifiable information and phishing

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connected devices from the spread of the malicious software.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma


Seven steps to effective training
Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach, whether due to a cyber attack, a malicious act, negligence or human error, the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement, including possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme.

1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or to get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4 Ensure the training you provide is up to date and relevant to the task in hand. Provide real-life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".
5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also of commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly, it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.
Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you're serious about cyber security
What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or comes when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it.

Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses, and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it: "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do the vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged about how it protects data. Furthermore, this one profession appears to be the first to resist any form of change to protect itself and its clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of its Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain. It consists of five technical control themes (boundary firewalls and internet gateways, secure configuration, user access control, malware protection and patch management) that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about: marketers, take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.
Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update their signatures and protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes: in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps such as automated vulnerability scans to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, which traditional risk assessments miss.

Consider these questions when contemplating a risk assessment:
1 Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2 Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3 Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden, a traitor to some, a heroic whistleblower to others, was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to an unauthorised person.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. The attackers got in using network credentials stolen from a heating and air-conditioning contractor, then placed malware on the retailer's point-of-sale systems. It extracted the names, addresses, phone numbers and email addresses of 70 million customers and the credit- and debit-card details of some 40 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one and three million of the card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.
1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2 Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most effective single step you can take to secure an account.
3 Protect your mobile devices with a strong PIN or passcode, or use fingerprint authentication. That way, if a device is lost or stolen, no one can access your photos, data or apps.
4 Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access


V is for verification
Online verification is established through cryptographic keys and digital certificates, which are the foundation of online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems, applications and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it signs it with the authority's private key. To verify the authenticity of the certificate, the user obtains the authority's public key and checks the signature against the certificate's contents to determine whether it was signed by that certification authority. Unfortunately, even this verification process can be subverted.

Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your systems, monitoring what you do online and compromising personal data. A signature check proves only that the holder of a particular private key signed the certificate; if that key has been stolen, or if a rogue authority has been slipped into the list of trusted ones, the check passes just the same.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus
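The signature check described above, and the way a stolen key defeats it, as an added example in Go using the standard library's crypto/x509; this is illustrative code, not from the article or from Venafi. It builds a throwaway root CA, issues a server certificate for an assumed hostname, www.example.com, and verifies the chain as a client would. It then shows that a certificate for the same name issued by an attacker's own CA is rejected, while one minted with a stolen copy of the legitimate CA's private key verifies exactly like the genuine article. All keys, names and validity periods are invented for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate binding subject to the public key pub, using
// signerKey. With parent == nil the certificate is self-signed: a root CA.
func issue(subject string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // serials must be positive
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{subject}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainstRoot is the relying party's check: does leaf chain to root and
// name dnsName? A nil error means trusted.
func verifyAgainstRoot(leaf, root *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// demo reports whether three certificates for www.example.com are trusted by
// a client that trusts only the legitimate root: the genuine one, one from an
// attacker's own CA, and one signed with a stolen copy of the legitimate CA key.
func demo() (genuineOK, rogueCAOK, stolenKeyOK bool) {
	newKey := func() *ecdsa.PrivateKey {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return k
	}
	must := func(c *x509.Certificate, err error) *x509.Certificate {
		if err != nil {
			panic(err)
		}
		return c
	}
	caKey, serverKey, attackerKey, rogueCAKey := newKey(), newKey(), newKey(), newKey()
	ca := must(issue("Example Root CA", true, &caKey.PublicKey, nil, caKey))
	genuine := must(issue("www.example.com", false, &serverKey.PublicKey, ca, caKey))
	rogueCA := must(issue("Rogue CA", true, &rogueCAKey.PublicKey, nil, rogueCAKey))
	fromRogue := must(issue("www.example.com", false, &attackerKey.PublicKey, rogueCA, rogueCAKey))
	// Same issuer name, same valid signature: the stolen CA key is the real danger.
	fromStolen := must(issue("www.example.com", false, &attackerKey.PublicKey, ca, caKey))
	genuineOK = verifyAgainstRoot(genuine, ca, "www.example.com") == nil
	rogueCAOK = verifyAgainstRoot(fromRogue, ca, "www.example.com") == nil
	stolenKeyOK = verifyAgainstRoot(fromStolen, ca, "www.example.com") == nil
	return
}

func main() {
	g, r, s := demo()
	fmt.Println("genuine certificate trusted:", g)
	fmt.Println("attacker's own CA trusted:", r)
	fmt.Println("certificate signed with stolen CA key trusted:", s)
}
```

The third result is the one to dwell on: the verifier has no way to tell the genuine server certificate from the one the attacker minted with the stolen key, because both carry a valid signature from the trusted authority. That is why CA keys live in hardware security modules, why certificate transparency logs exist to make mis-issuance visible, and why revocation has to be checked separately from the signature.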

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might, for example, delete or corrupt files. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth it can degrade, or stop, access to web and network servers or standalone computers. MyDoom, which hit Microsoft Windows PCs in 2004, became the fastest-spreading email worm to date and caused significant disruption largely through the sheer volume of mail it generated; it was not payload-free, though, as it also opened a backdoor on infected machines and mounted a denial of service attack against the SCO Group's website.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware the dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 public key certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the affected software has known about the vulnerability. Zero-day attacks, or zero-day exploits, are computer programs developed to take advantage of such a weakness.

Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gain. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of zero-day vulnerabilities was Stuxnet, discovered in 2010, which exploited several previously unknown Windows flaws to reach and damage centrifuges at Iran's uranium enrichment facility.
Christophe Birkeland
Z is also for zombie


Cyber security: a must do for SMEs
For many small businesses cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent: giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it, usually under non-disclosure terms.

There are many companies whose security has been breached and who have had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise, and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost (hardware, software, licensing, people) quickly zooms out of the reach of most SMEs. For any company the consequences of being insecure, getting hacked and subsequently being deemed negligent are horrendous. And it is easy to get there: goofing PCI compliance, which is pretty easy to do, equals big trouble, Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies, primarily banks, in mind. Unfortunately a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk and reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target, and more attractive to customers and partners too. Every enterprise can improve cyber protection, surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein is said to have defined insanity as doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.
Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others

To find out more visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS
Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

"Total security is a futile concept"

1 How would you convince UK plc to take cyber security more seriously?

Catherine Askam
Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising: the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience, at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor
UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and, perhaps most importantly, losing customer confidence.


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail
Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is that many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage to business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring, and the possibility of escalating claims. At the same time they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries, so they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data; compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate that you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance. Do you have policies in place for users to follow?
• Privacy culture. Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security. Do you protect and monitor your IT infrastructure?
• Data encryption tools. Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation. Separation of networks, or at least of data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sale systems. We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing that it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sale systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


“Keep calm and carry on” is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And, of course, passwords should also be as strong as possible.
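The "randomly generated PIN" form of two-factor authentication is commonly a time-based one-time code (TOTP, RFC 6238): client and server share a secret and derive a short code from the current 30-second time step. The code below is an added example, not from the article or Digital Pathways; the secret is the RFC 4226/6238 test-vector key, and the verifier class (name and API assumed here) shows the two checks a server needs, a small clock-drift window and rejection of a code that has already been accepted.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the 20-byte RFC 4226/6238 test-vector key. A real
# enrolment generates a fresh random secret per user (secrets.token_bytes(20)).
DEMO_SECRET = b"12345678901234567890"
DIGITS = 6
STEP = 30  # seconds per time step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time password for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP) -> str:
    """RFC 6238 time-based code: HOTP with counter = unix_time // step."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


class TotpVerifier:
    """Server-side check (class name assumed for this example) with a small
    clock-drift window and rejection of any counter that was already used."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP):
        self.secret = secret
        self.window = window          # accept +/- this many steps of drift
        self.step = step
        self.last_used = -1           # highest counter already consumed

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_used:           # replay: already consumed
                continue
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_used = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: at unix time 59 the SHA-1 code is 287082
    print("code at t=59:", totp(DEMO_SECRET, at=59))
```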

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's “crown jewels” is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for “keeping calm and carrying on” is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


2 “The cyber-security industry trades off people's fears – often unsubstantiated.” Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches.

Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough, and who they can trust to help them get it right.

The reality is that cyber security is a business risk just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of “business as usual”.

Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3 Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest, or indeed weakest, point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4 What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5 What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1 Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2 Review current security operations and invest in them to strengthen this area of your business.
3 Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies, to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1 Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2 They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3 They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1 Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2 Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3 Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1 Identify what data and processes are the most important to your business.
2 Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3 Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.
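Catherine Askam's point in question 3, that security information and event-management tools flag irregular activity, is illustrated below by an added example that is not from the panel or any vendor: a minimal detector over constructed login records (the record format and the thresholds are assumptions) that raises alerts for a burst of failed logins, a success immediately after such a burst, a login outside working hours, and a login from a source address not previously seen for that user.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from any real system), in a simple
# key=value format that is an assumption for this example.
SAMPLE_LOG = """\
2015-09-18T09:02:11Z user=asmith src=10.0.0.21 action=login result=OK
2015-09-18T09:05:40Z user=asmith src=10.0.0.21 action=file_read result=OK
2015-09-18T14:10:02Z user=bjones src=10.0.0.35 action=login result=FAIL
2015-09-18T14:10:09Z user=bjones src=10.0.0.35 action=login result=FAIL
2015-09-18T14:10:15Z user=bjones src=10.0.0.35 action=login result=FAIL
2015-09-18T14:10:20Z user=bjones src=10.0.0.35 action=login result=FAIL
2015-09-18T14:10:27Z user=bjones src=10.0.0.35 action=login result=FAIL
2015-09-18T14:10:33Z user=bjones src=10.0.0.35 action=login result=OK
2015-09-19T02:41:00Z user=asmith src=203.0.113.7 action=login result=OK
2015-09-19T02:42:30Z user=asmith src=203.0.113.7 action=file_read result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Detection thresholds: assumed values, to be tuned to the environment.
FAIL_THRESHOLD = 5                  # failures within FAIL_WINDOW -> brute force
FAIL_WINDOW = timedelta(minutes=5)
WORK_HOURS = (7, 19)                # logins between 07:00 and 19:00 UTC are normal


def parse_line(line):
    """Parse one record into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def _prune(window, now):
    """Drop failure timestamps older than FAIL_WINDOW relative to now."""
    while window and now - window[0] > FAIL_WINDOW:
        window.popleft()


def detect(log_text):
    """Return (rule, user, timestamp) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(deque)     # user -> recent failed-login timestamps
    known_sources = defaultdict(set)  # user -> source IPs seen on successful logins
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "login":
            continue
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        window = failures[user]
        _prune(window, ts)
        if ev["result"] == "FAIL":
            window.append(ts)
            if len(window) == FAIL_THRESHOLD:   # fire once, when the threshold is hit
                alerts.append(("brute_force", user, ts))
            continue
        # Successful login: correlate with preceding failures and with history.
        if len(window) >= FAIL_THRESHOLD:
            alerts.append(("success_after_brute_force", user, ts))
        if not WORK_HOURS[0] <= ts.hour < WORK_HOURS[1]:
            alerts.append(("off_hours_login", user, ts))
        if known_sources[user] and src not in known_sources[user]:
            alerts.append(("new_source", user, ts))
        known_sources[user].add(src)
    return alerts


if __name__ == "__main__":
    for rule, user, ts in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:<26} {user}")
```

On the sample the detector fires four alerts: the failed-login burst for bjones, the successful login that follows it, and the off-hours login from a new address for asmith.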


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report released by ISACA showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when they released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

“Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly,” said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

“No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security,” said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state of the art Cyber Academy based in Bristol we implement our unique approach: “Understand, test, monitor, respond, educate.”

All of our instructors are established cyber security professionals holding both leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours: the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking just for the heck of it.

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?
We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?
All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?
Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?
Infrastructure organisations are experts in understanding the whole life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives, and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives, and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m–£3.14m average cost of worst security breaches to large organisations

£75k–£311k average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type          Large organisations   Small organisations
Staff-related                    75%                   31%
Unauthorised outsider            69%                   38%
Denial of service attack         30%                   16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world, with an estimated 50 billion devices connected together by 2020, heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)2


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


A-Z OF CYBER SECURITY

security breaches than Microsoft Windows equivalents. Although a quick flick through the technology press cuttings of the past two decades is likely to bear out this view, the Apple Mac operating system is not impervious to attack.

The Flashback malware attack is one example of when Apple's defences, and those of its OS X operating system, were breached. Using a form of malware known as a Trojan Horse, it was first detected in 2011. As the term suggests, a Trojan Horse attack is based more on deception than stealth, and Flashback was initially disguised as an Adobe Flash Player installer before later variants moved on to exploit vulnerabilities in the Java runtime, so that they installed without the user doing anything at all. The malware drops a small application on to the host computer, allowing a hacker to run malicious code from a remote location.

Why are such attacks effective? First, the malicious intent is hidden behind something mundane and useful, such as a software update. And second, many of those software updates are automated, so the victim is a passive participant, oblivious to malicious intent. According to reports at the time, Flashback infected more than 600,000 machines.

Jon Bernstein

F is also for fraud and firewall

G is for gateway crimes
In the world of addiction prevention, the notion of a gateway drug is well understood: a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.

Speaking at the Infosecurity Europe conference in June, Archibald noted that many young people were developing sophisticated digital skills and that it was "important that they put those skills to good use and are not tempted unwittingly to cyber criminality".

Jon Bernstein

G is also for graduated security

H is for Heartbleed
Heartbleed is the open-source software flaw in the OpenSSL library, disclosed just over a year ago, that put a large proportion of the web's secure servers (by some estimates around two-thirds) at risk. It allowed anyone with the right skills to read up to 64KB of a web server's working memory with each request, without authentication and without leaving a trace in the server's logs. Repeated often enough, that turned up session cookies, passwords and, in particular, the private key used by individuals and businesses to encrypt web traffic.

Heartbleed served as a long-overdue wake-up call for the IT industry. In some IT organisations the percentage of open-source code used is greater than 25 per cent, meaning there's a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code because millions of eyeballs were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the vulnerability, a single missing bounds check, for more than two years before Heartbleed was disclosed.

The moral of the Heartbleed story is that, while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks. One practical caveat follows from the nature of the flaw: because it leaked memory rather than files, patching a vulnerable server is not the end of the job; the certificate should be reissued and users' sessions and passwords reset, since anything that was in memory may already be in an attacker's hands.

Lev Lesokhin is an executive vice-president at CAST Software

H is also for honey pot and hot wash
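The bounds check at the centre of Heartbleed, as an added example that is not code from the article, from CAST or from OpenSSL. It simulates the vulnerable and the fixed heartbeat handlers in Python over a constructed bytes buffer standing in for process memory; the record layout (type byte, two-byte length, payload, 16 bytes of padding) follows the TLS heartbeat extension, while the buffer contents, the fake secret and the function names are constructed for the demonstration.

```python
"""Added example: the Heartbleed bounds check, simulated in Python.

Not code from the article, CAST or OpenSSL. `memory` below is a constructed
bytes buffer standing in for a server's process memory; the record layout
follows the TLS heartbeat extension (type, 16-bit length, payload, padding).
"""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16

# Constructed: the heartbeat record sits at offset 0 and unrelated data
# (here a fake private key) happens to follow it in memory.
SECRET = b"-----BEGIN PRIVATE KEY----- constructed, not a real key -----"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request; claimed_length may disagree with len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytes) -> bytes:
    """Pre-fix behaviour: trust the length field and copy that many bytes."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    payload = memory[3:3 + payload_len]          # reads past the record into whatever follows
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def fixed_handler(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: the claimed length must fit inside the record actually received."""
    if record_len < 1 + 2 + PADDING:
        return None                               # too short to hold even an empty heartbeat
    _hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None                               # silently discard, as the patched code does
    payload = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * PADDING


def leaked(response: bytes, sent_payload: bytes) -> bytes:
    """Whatever came back beyond the payload the client actually sent."""
    body = response[3:len(response) - PADDING]
    return body[len(sent_payload):]


def demo():
    sent = b"hello"
    record = build_heartbeat(sent, claimed_length=4000)   # lies: 4000 claimed, 5 sent
    memory = record + SECRET                               # the secret sits right after the record
    leak = leaked(vulnerable_handler(memory), sent)        # vulnerable server echoes the secret
    safe = fixed_handler(memory, len(record))              # fixed server drops the request
    return leak, safe
```

The fixed handler mirrors the shape of the actual fix: the only new work is comparing the length the peer claims against the length of the record that really arrived, and discarding the request when the two disagree.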

I is for identity management
For practical purposes, an identity is a combination of username and password (you might call it a login or account) used to access websites such as Facebook, your bank or a favourite internet shopping site.

Between home and work we have too many identities to keep track of, and most of us add new ones every week. To ease the headache of remembering many complex passwords, we use simple ones, reuse them for various accounts and never change them. This leaves us, and the companies we work for, open to cyber attacks and data breaches.

Identity management generally addresses problems caused by having multiple identities. It defines methods for a user to prove who they claim to be, known as authentication, and in a corporate environment it ensures employees have access only to those systems, applications and accounts they need for their job, and that access is updated appropriately as roles change, referred to as authorisation.

Third-party identity management software and services should provide identity and access management across systems, devices and applications, whether in the data centre, cloud or mobile devices.

Bill Mann is the chief product officer at Centrify

I is also for incident, information assurance, intrusion and intellectual property
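The separation the entry draws between authentication and authorisation, as an added example that is not code from the article or from Centrify. It keeps a salted, slow password hash per user for authentication, attaches permissions to roles rather than to users for authorisation, and shows that a role change takes effect on the next access check. The user names, roles, permissions and password are all constructed.

```python
"""Added example: authentication separated from role-based authorisation.

Not the article's code nor any vendor's product. Users, roles, permissions
and the password below are constructed for the demonstration.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumption: tuned so one check costs a noticeable fraction of a second

# Authorisation: permissions hang off roles, never off individual users,
# so moving someone to a new role automatically removes the old access.
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write"},
    "support": {"tickets:read", "tickets:write", "customers:read"},
    "reader":  {"tickets:read"},
}


class IdentityStore:
    def __init__(self):
        self._users = {}   # username -> {"salt": bytes, "hash": bytes, "role": str}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Slow, salted hash: a leaked store cannot be brute-forced cheaply,
        # and identical passwords on two accounts do not produce identical hashes.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": self._derive(password, salt), "role": role}

    def authenticate(self, username: str, password: str) -> bool:
        """Authentication: does the caller know this account's password?"""
        record = self._users.get(username)
        if record is None:
            self._derive(password, b"\x00" * 16)   # same cost for unknown users, so timing reveals nothing
            return False
        return hmac.compare_digest(record["hash"], self._derive(password, record["salt"]))

    def change_role(self, username: str, new_role: str) -> None:
        """Role changes apply immediately: there is no per-user grant left behind."""
        if new_role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {new_role!r}")
        self._users[username]["role"] = new_role

    def authorise(self, username: str, permission: str) -> bool:
        """Authorisation: does this account's current role carry the permission?"""
        record = self._users.get(username)
        return record is not None and permission in ROLE_PERMISSIONS[record["role"]]


def access(store: IdentityStore, username: str, password: str, permission: str) -> bool:
    """Authenticate first, then authorise; failure at either step denies access."""
    return store.authenticate(username, password) and store.authorise(username, permission)


def demo():
    store = IdentityStore()
    store.register("alice", "correct horse battery staple", "finance")   # constructed credentials
    before = access(store, "alice", "correct horse battery staple", "ledger:write")
    wrong_pw = access(store, "alice", "not her password", "ledger:write")
    store.change_role("alice", "support")                                # alice moves teams
    after = access(store, "alice", "correct horse battery staple", "ledger:write")
    return before, wrong_pw, after
```

The point of the role change is the part organisations most often get wrong: because nothing was ever granted to "alice" directly, her ledger access disappears the moment her role does, with no separate clean-up step to forget.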

J is for jamming
Jamming is a technique used by


Threat - and the innovation dilemma

New aircraft technology designed to enhance safety gives hackers a fresh target, warns Jack Elliott-Frey

Even though there are an estimated 100,000 or so flights every day globally, for many people air travel still retains a large fear factor, for the simple reason that aircraft disasters, although statistically incredibly rare, still dominate news headlines when they occur. Regardless that you are more likely to die falling out of bed (a one in two million chance) than in a plane crash (a one in 11 million chance), many people still fear flying.

Unfortunately this article will hardly help to assuage those fears. As many businesses will know, the increasing threat of a cyber attack is something that has been gaining a great deal of media attention in recent years, and the aviation industry now finds itself a target for cyber attacks of various kinds. So is it now possible for hackers to seize control of an aircraft?

Not yet, but the industry is coming under sustained attack from a variety of sources. A security researcher, Chris Roberts, reportedly accessed an aircraft's in-flight systems to demonstrate their vulnerability, only to tweet about it and subsequently find himself detained and questioned by the FBI when he landed.

More recently LOT, Poland's national airline, had its aircraft grounded following a hack that targeted computers issuing flight plans at Warsaw airport.

What these examples highlight is the vulnerability of the aviation industry to the growing threat of a cyber attack, a direct consequence of the proliferation of technology within the industry. New Boeing models are flown with the help of advanced computer systems, with pilots ceding aspects of control to technology. While this has allowed for great strides in aircraft safety, particularly during landing and take-off, it has also given hackers and other cyber criminals a new target.

There are a multitude of attack methods that pose a threat to airlines. On a ground level, phishing attacks are a popular method used by criminals, whereby fake emails are sent to staff in order to attempt to retrieve sensitive company information such as passwords. According to the Center for Internet Security (CIS), 75 US airports were targeted with attacks of this sort in 2014, highlighting the frequency at which cyber criminals are operating.

Remote hacking and wifi attacks are another form of attack, with flight control systems and wifi networks offering a new means for hackers to compromise an aircraft's command centre. Couple this with "ghost" flights, when a hacker inserts or removes a plane's projection on to radar screens, and there is plenty for the aviation industry to consider alongside existing stringent safety measures.

The aviation industry is just one facing up to this new threat as it becomes more reliant on technology. Shipping and ports, rail networks, retail and finance are just some of the other areas of business that are facing serious cyber threats as their core business moves online and relies on increasingly connected networks to operate.

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher, and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses "it is not a matter of if you are hacked, but when". For the aviation industry, and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.

Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London specialising in cyber insurance

To find out more, visit safeonline.com

IN PARTNERSHIP WITH SAFEONLINE



A-Z OF CYBER SECURITY

attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1. Flooding the spectrum using a signal generator
2. Attacking the transmission collision-avoidance protocols to prevent other stations from transmitting
3. Exploiting a vulnerability in the protocols that process transmissions

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case, the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming, and to treat the sudden silence of a wireless sensor or alarm as an event to investigate rather than a fault to ignore.

Steve Armstrong is a certified instructor at the SANS Institute

J is also for joint authorisation

K is for Kim Jong-un
Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014 Sony Pictures Entertainment fell victim to a massive leak of sensitive information, more than 100 terabytes of data, claimed the assailants, ranging from internal emails and employee salaries to details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect" from North Korea. For its part, the country continues to deny any involvement.

Jon Bernstein

K is also for key and key escrow

L is for licensing
It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be overstated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits and invariably leaves them paying significantly more than they should for the technology they use in their business.

Gareth Johnson is the CEO of Crayon

L is also for the law and logic bombs

M is for Melissa
The Melissa virus struck in March 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that at the time was highly innovative. Melissa embedded its code, as a macro, inside a Microsoft Word document and emailed itself to the first 50 entries in the victim's Outlook address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.

Lenny Zeltser is a senior instructor at the SANS Institute

M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience
We all rely on network connectivity in our day-to-day lives, from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services


Big data: the future of UK cyber security

Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity; data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data, from smartphones to intelligent fridges, industrial sensors to CCTV cameras, are developing and adapting.

For a business this vast universe of data could consist of 10,000 devices connected to the network, transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached, but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US public-sector IT community, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest-priority threats that lie hidden amidst the large volume of data and feeding these threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (the identification of previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.

Paul Stokes is the chief operating officer for Wynyard

To find out more, visit wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP



How safe are your crown jewels?

No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information. It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony. And Target. And eBay. And Home Depot. And JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels
Companies today have an overflowing amount of information and multiple routes in to reach it. For many, the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong too.

Six activities to help protect your crown jewels
1. Make detection part of your strategy
Many organisations have already been breached; they just don't know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2. Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3. Look after your data when it's inside and outside your organisation
Today, in our interconnected world, our

IN PARTNERSHIP WITH AVATU

Many and multiple devices can be the weak point in your security


Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels"

Are you really protecting your crown jewels?
Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc.

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free.

data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4. Review and limit access arrangements
Removing admin rights from end users mitigates 97 per cent of the critical vulnerabilities Microsoft published in 2014, according to Avecto's analysis of Microsoft's security bulletins.

5. Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint, which is already used by many banks, government agencies, aerospace companies and Formula 1 teams, will keep your devices secure but still easy to use.

6. Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers



A-Z OF CYBER SECURITY

are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or by incorrect or invalid requests. This is usually characterised as a denial of service (DoS) attack; when it is launched from a large number of compromised systems it is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network, diverting traffic through filtering capacity that drops the attack traffic and passes the rest, to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack: a handful of requests that each take a server a long time to process can be as effective as a flood, and no amount of upstream scrubbing helps when the application itself is the bottleneck.

Garry Sidaway is a senior vice-president at NTT Com Security

N is also for non-repudiation
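Both the "Big data" piece above (baseline what is normal on the network, surface the anomalies to the security team) and this entry (detect an unusual rise in requests, or in invalid requests) come down to the same detection step. The following is an added example, not code from the article, Wynyard or NTT Com Security: it learns a per-client request baseline from a constructed access log, then flags clients in later windows that exceed a hard ceiling, deviate far from the baseline, or send mostly invalid requests. The window size, ceiling and multiplier are illustrative assumptions, as is the log format.

```python
"""Added example: baseline-and-anomaly detection of a request flood.

Not the article's, Wynyard's or NTT Com Security's code. The access log is
constructed; WINDOW, HARD_CEILING and K are illustrative assumptions.
"""
import statistics
from collections import Counter, defaultdict

WINDOW = 10          # seconds per bucket (assumption)
HARD_CEILING = 100   # requests per window no legitimate client of this service reaches (assumption)
K = 6.0              # how many MADs above the median counts as anomalous (assumption)


def make_sample_log() -> str:
    """Constructed access log: one '<unix_time> <client_ip> <path> <status>' line per request."""
    lines, t0 = [], 1442000000
    for w in range(4):                                   # four 10-second windows
        for i in range(20):                              # twenty ordinary clients
            for r in range((i % 3) + 1):                 # 1..3 requests each per window
                lines.append(f"{t0 + w * WINDOW + r} 198.51.100.{i + 1} /page/{r} 200")
    # Window 3 only: one source floods the login page, another probes with malformed paths.
    for r in range(150):
        lines.append(f"{t0 + 3 * WINDOW + (r % WINDOW)} 203.0.113.66 /login 200")
    for r in range(12):
        lines.append(f"{t0 + 3 * WINDOW + (r % WINDOW)} 203.0.113.77 /%00%ff 400")
    return "\n".join(lines)


def parse(log_text: str):
    records = []
    for line in log_text.splitlines():
        ts, ip, path, status = line.split()
        records.append((int(ts), ip, path, int(status)))
    return records


def bucket(records):
    """Count requests, and invalid (4xx) requests, per client per window."""
    total, invalid = defaultdict(Counter), defaultdict(Counter)
    for ts, ip, _path, status in records:
        w = ts - ts % WINDOW
        total[w][ip] += 1
        if 400 <= status < 500:
            invalid[w][ip] += 1
    return total, invalid


def baseline(total, learn_windows):
    """Median and median absolute deviation of per-client counts over quiet windows.
    Both are robust statistics: a few heavy clients do not drag the baseline up."""
    counts = [c for w in learn_windows for c in total[w].values()]
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts) or 1.0
    return med, mad


def detect(log_text: str, learn: int = 3):
    """Flag clients in the windows after the learning period whose behaviour is abnormal."""
    total, invalid = bucket(parse(log_text))
    windows = sorted(total)
    med, mad = baseline(total, windows[:learn])
    alerts = []
    for w in windows[learn:]:
        for ip, n in total[w].items():
            reasons = []
            if n > HARD_CEILING:
                reasons.append(f"{n} requests, above hard ceiling {HARD_CEILING}")
            elif n > med + K * mad:
                reasons.append(f"{n} requests vs baseline median {med}")
            bad = invalid[w][ip]
            if bad and bad / n > 0.5:
                reasons.append(f"{bad}/{n} invalid requests")
            if reasons:
                alerts.append((w, ip, n, "; ".join(reasons)))
    return alerts
```

The baseline is only as clean as the period it is learned from: if attack traffic is already present while the baseline is built, the detector learns it as normal, so learning windows should come from a period known to be quiet and be reviewed rather than refreshed blindly. The hard ceiling exists for the same reason; it catches a flood even if the statistics have been poisoned.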

O is for outside threat
As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person's or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.

Garry Sidaway is a senior vice-president at NTT Com Security

O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities many companies insist on the use of more complex passwords: longer, with a mix of upper- and lower-case letters and numbers. They also insist that the password is changed at regular intervals, though forced regular changes are now widely discouraged, since they mostly produce predictable variations on the old password.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe, or foolproof.

Jon Bernstein

P is also for passive attack, personally identifiable information and phishing

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma

Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation, the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme:

1. Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.

2. Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.

3. Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.

4. Ensure the training you provide is up to date and relevant to the task in hand. Provide real-life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".

5. Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.

6. Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.

7. Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation but, even with all of these precautions, sadly it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.

Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more, visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY

So you're serious about cyber security?

What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it. Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of its Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.

Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more, visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD

quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.

Jon Bernstein

Q is also for quadrant and quality of service

R is for risk assessment

A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps such as automated vulnerability scans to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:

1. Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?

2. Is there a defined and regularly carried-out process for detecting an attack or an actual breach?

3. Is there a response plan for an attack, and does it actually work in practice?

Panos Dimitriou is chief technology officer and co-founder of the Encode Group

R is also for resilience and rogue devices

S is for Snowden, Edward

How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.

Jon Bernstein

S is also for spam, spoofing and spyware

T is for Target

If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one and three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.

Jon Bernstein

T is also for threat and Trojan Horse

U is for user

You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps:

1. Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.

2. Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.

3. Protect your mobile devices with a strong PIN or passcode, or use fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.

4. Keep your computers and mobile devices updated and current.

Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access


V is for verification

Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems, applications and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.

Kevin Bocek is a vice-president at Venafi

V is also for vulnerability and virus
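The signing-and-checking step this entry describes, as an added example written in Go that is not code from the article or from Venafi: a certification authority signs a certificate with its private key, and the relying party uses the CA's public key from its trust store to decide whether the signature is genuine. The CA names and the host name shop.example are assumptions made for the example, and the untrusted-CA and altered-bytes cases show what the check rejects.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCA makes a self-signed certification authority: a key pair plus a
// certificate that carries the public key and is signed by the private key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf is the CA signing a server certificate for host with its private key.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
}

// verifyLeaf is the relying party's check: parse the certificate, then use the
// public keys in the trusted pool to confirm that one of those CAs signed it
// and that the host name and validity dates fit.
func verifyLeaf(leafDER []byte, roots *x509.CertPool, host string) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Run builds the constructed sample PKI and reports whether the relying party
// accepted the trusted certificate, rejected one from an untrusted CA, and
// rejected one whose bytes were altered after signing.
func Run() (trustedOK, untrustedRejected, tamperedRejected bool, err error) {
	const host = "shop.example" // hypothetical host name
	trustedCA, trustedKey, err := newCA("Example Trusted Root")
	if err != nil {
		return
	}
	otherCA, otherKey, err := newCA("Example Untrusted Root")
	if err != nil {
		return
	}
	good, err := issueLeaf(host, trustedCA, trustedKey)
	if err != nil {
		return
	}
	other, err := issueLeaf(host, otherCA, otherKey)
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // only this CA's public key is trusted

	trustedOK = verifyLeaf(good, roots, host) == nil
	untrustedRejected = verifyLeaf(other, roots, host) != nil

	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit in the signature bytes
	tamperedRejected = verifyLeaf(tampered, roots, host) != nil
	return
}
```

All three results come back true. The point for the entry's last paragraph is that the check is only as strong as the trust store and the CA's private key: a leaked signing key or a root added to the pool without control produces certificates that pass exactly this test, which is why key and certificate custody is what the verification ultimately rests on.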

W is for worm

The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.

Jon Bernstein

W is also for white team and wifi

X is for X-rated

Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.

Jon Bernstein

X is also for X.509 Public Key Certificate

Y is for Generation Y

The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.

Christophe Birkeland is chief technical officer of malware analytics at Blue Coat

Y is also for you

Z is for zero day

A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malware, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially by sending information about vulnerable software to the party responsible for its creation, so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gain. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.

Christophe Birkeland

Z is also for zombie

Cyber security: a must do for SMEs

For many small businesses cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable, subscription-based information and cyber security service to SMEs and others

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK

The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers

Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience, at Ernst & Young

Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change and the cyber threats that come with it are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG

Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.

"Total security is a futile concept"

Cyber security makes good business sense and should be seen as an opportunity

Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:

• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability

Also, they can now find cover for:

• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:

• Privacy governance. Do you have policies in place for users to follow?
• Privacy culture. Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security. Do you protect and monitor your IT infrastructure?
• Data encryption tools. Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation. Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sale systems. We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sale systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON

"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affect businesses of all sizes and are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers "go dark". Such stealth technology puts a virtual cloak around servers so that only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a one-time PIN generated by a token or authenticator app, or biometrics such as a fingerprint scan. And of course passwords should also be as strong as possible.
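The "randomly generated PIN" used as a second factor is normally a time-based one-time password (RFC 6238 TOTP, built on RFC 4226 HOTP). The following is an added example written for this page, not Digital Pathways' code or any product's: it derives the code from a shared secret and the current 30-second time step, verifies a submitted code with a small tolerance for clock drift, and generates an enrolment secret. The 20-byte secret length, six digits and one-step drift window are assumptions.

```python
"""Time-based one-time passwords (RFC 6238 TOTP on top of RFC 4226 HOTP).

Added example for this page; it is not Digital Pathways' code or any product's.
It shows what the "randomly generated PIN" second factor really is: a code
derived from a shared secret and the current 30-second time step, so a
phished or reused password is not enough on its own. The secret length,
digit count and drift window below are assumptions, not from the text.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / STEP)."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP, digits)


def verify(secret: bytes, submitted: str, at: Optional[int] = None,
           digits: int = DIGITS, window: int = 1) -> bool:
    """Check a submitted code against the current step and +/- `window`
    neighbouring steps to tolerate clock drift. Uses a constant-time compare
    so a remote caller cannot learn matching digits from response timing."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    now = int(time.time()) if at is None else at
    for drift in range(-window, window + 1):
        candidate = hotp(secret, now // STEP + drift, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def new_secret() -> tuple:
    """Generate a 160-bit enrolment secret. The base32 form is what an
    authenticator app would normally receive via a QR code."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    raw, b32 = new_secret()
    print("enrolment secret (base32):", b32)
    code = totp(raw)
    print("current code:", code, "verifies:", verify(raw, code))
```

Two things a server must add around `verify` before this is safe in production: remember the last time step accepted for each account and refuse a code from a step that has already been used (otherwise a code captured by a phishing page can be replayed within the window), and rate-limit attempts, since a six-digit code has only a million possible values.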

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt it fully – for example, system administrators should be able to know that the data exists but not read it, which in practice means the decryption keys must be held separately from the systems those administrators control.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


2 "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately, and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough, and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3 Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation, therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest, or indeed weakest, point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security and many organisations struggle to get it right.

4 What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

5 What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1 Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2 Review current security operations and invest in them to strengthen this area of your business.
3 Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1 Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2 They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3 They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1 Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2 Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3 Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1 Identify what data and processes are the most important to your business.
2 Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3 Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.
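Catherine Askam's answer to question 3 says that security information and event-management tooling earns its keep by flagging irregular activity. The following is an added illustration written for this page, not material from the panel or any vendor: a small Python detector run over a constructed, syslog-like authentication log. It raises an alert when an account succeeds after a burst of failures (password guessing that worked) and when an account logs in out of hours from an address never seen for it before (the kind of misuse an insider or a thief with a stolen password produces). The log format, the sample lines, the five-failures-in-two-minutes threshold and the 07:00 to 20:00 working hours are all assumptions.

```python
"""Flag irregular account activity in authentication logs.

Added example for this page, not the panel's own material. The syslog-like
line format, the sample lines, the five-failures-in-two-minutes threshold and
the 07:00-20:00 working hours are all constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth\[\d+\]: "
    r"(?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

FAIL_THRESHOLD = 5                 # failures inside FAIL_WINDOW before a success
FAIL_WINDOW = timedelta(minutes=2)
WORK_START, WORK_END = 7, 20       # assumed policy: 07:00 <= hour < 20:00

# Constructed sample log, not real data. bob is guessed repeatedly and then
# logs in; carol logs in at night from an address never seen for her account.
SAMPLE_LOG = """\
2015-09-18T09:02:11 auth[512]: LOGIN_OK user=alice src=10.0.1.20
2015-09-18T09:03:40 auth[512]: LOGIN_FAIL user=bob src=203.0.113.7
2015-09-18T09:03:41 auth[512]: LOGIN_FAIL user=bob src=203.0.113.7
2015-09-18T09:03:42 auth[512]: LOGIN_FAIL user=bob src=203.0.113.7
2015-09-18T09:03:44 auth[512]: LOGIN_FAIL user=bob src=203.0.113.7
2015-09-18T09:03:45 auth[512]: LOGIN_FAIL user=bob src=203.0.113.7
2015-09-18T09:03:47 auth[512]: LOGIN_OK user=bob src=203.0.113.7
2015-09-18T12:15:02 auth[512]: LOGIN_OK user=carol src=10.0.1.31
2015-09-18T23:41:09 auth[512]: LOGIN_OK user=carol src=198.51.100.9
kernel: unrelated line that the parser must skip rather than crash on
"""


def parse(text):
    """Yield parsed auth events; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        yield ev


def _prune(fails, now):
    """Drop recorded failures older than FAIL_WINDOW relative to `now`."""
    while fails and now - fails[0] > FAIL_WINDOW:
        fails.popleft()


def detect(text):
    """Return a list of (rule, user, src, timestamp) alerts in log order.

    Rule 1: a successful login preceded by FAIL_THRESHOLD or more failures for
            the same account inside FAIL_WINDOW (password guessing that worked).
    Rule 2: a successful login outside working hours from a source address
            not previously seen succeeding for that account.
    """
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of failures in window
    known_src = defaultdict(set)        # user -> sources with an earlier success

    for ev in parse(text):
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        fails = recent_fails[user]
        _prune(fails, ts)

        if ev["result"] == "LOGIN_FAIL":
            fails.append(ts)
            continue

        # LOGIN_OK from here on
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("guessing_then_success", user, src, ts))
        fails.clear()

        out_of_hours = not (WORK_START <= ts.hour < WORK_END)
        if out_of_hours and src not in known_src[user]:
            alerts.append(("out_of_hours_new_source", user, src, ts))
        known_src[user].add(src)

    return alerts


if __name__ == "__main__":
    for rule, user, src, ts in detect(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {rule:<24} user={user} src={src}")
```

The second rule is deliberately stateful: it learns the addresses each account normally succeeds from, which is the baseline a SIEM builds up over time. Tuning the thresholds is where the real work is, since a threshold that is too low buries the analysts in alerts and one that is too high misses the slow, patient attacker.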


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals. The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of large businesses in the country had suffered a security breach in 2014. Fortunately it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training. The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course, or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state of the art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness, therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

IN PARTNERSHIP WITH PGI CYBER ACADEMY

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is optional for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees, or sitting at your desks. (Yes, yours: the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition, embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?
We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?
All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or SCADA) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater: once the two share a network, a compromise of an ordinary office machine becomes a path to the plant.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?
Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?
Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives, and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives, and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured, and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experienced security breaches, up from 81% a year ago
74% of small businesses experienced security breaches, up from 60% a year ago
£1.46m–£3.14m: average cost of the worst security breaches to large organisations
£75k–£311k: average cost of the worst security breaches to small businesses
50% of the worst breaches were caused by inadvertent human error

Security breach by type

Breach type                Large organisations   Small organisations
Staff-related              75%                   31%
Unauthorised outsider      69%                   38%
Denial of service attack   30%                   16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


Threat – and the innovation dilemma

New aircraft technology designed to enhance safety gives hackers a fresh target, warns Jack Elliott-Frey

Even though there are an estimated 100,000 or so flights every day globally, for many people air travel still retains a large fear factor, for the simple reason that aircraft disasters, although statistically incredibly rare, still dominate news headlines when they occur. Regardless that you are more likely to die falling out of bed (a one in two million chance) than in a plane crash (a one in 11 million chance), many people still fear flying.

Unfortunately, this article will hardly help to assuage those fears. As many businesses will know, the increasing threat of a cyber attack is something that has been gaining a great deal of media attention in recent years, and the aviation industry now finds itself a target for cyber attacks of various kinds. So is it now possible for hackers to seize control of an aircraft?

Not yet, but the industry is coming under sustained attack from a variety of sources. A security researcher, Chris Roberts, reportedly hacked into an aircraft flight system to demonstrate its vulnerability, only to tweet about it and subsequently find himself under arrest by the FBI when he landed.

More recently, LOT, Poland's national airline, had its aircraft grounded following a hack that targeted computers issuing flight plans at Warsaw airport.

What these examples highlight is the vulnerability of the aviation industry to the growing threat of a cyber attack, a direct consequence of the proliferation of technology within the industry. New Boeing models are flown with the help of advanced computer systems, with pilots ceding aspects of control to technology. While this has allowed for great strides in aircraft safety, particularly during landing and take-off, it has also given hackers and other cyber criminals a new target.

There are a multitude of attack methods that pose a threat to airlines. On a ground level, phishing attacks are a popular method used by criminals, whereby fake emails are sent to staff in order to attempt to retrieve sensitive company information such as passwords. According to the Centre for Internet Security (CIS), 75 US airports were targeted with attacks of this sort in 2014, highlighting the frequency at which cyber criminals are operating.

Remote hacking and wifi attacks are another form of attack, with flight control systems and wifi networks offering a new means for hackers to compromise an aircraft's command centre. Couple this with "ghost" flights, when a hacker inserts or removes a plane's projection on to radar screens, and there is plenty for the aviation industry to consider alongside existing stringent safety measures.

The aviation industry is just one facing up to this new threat as it becomes more reliant on technology. Shipping and ports, rail networks, retail and finance are just some of the other areas of business that are facing serious cyber threats as their core business moves online and relies on increasingly connected networks to operate.

The aviation industry offers businesses foresight in how to adapt to this threat without compromising on innovation. While the threat of a hacker taking down a flight is unlikely, the potential to disrupt other airport or airline systems and create widespread disruption is higher, and could be incredibly damaging to both the economy and passenger confidence. The aviation industry has taken pre-emptive steps, with major airports in the US stress-testing networks and manufacturers such as Boeing investing more in the security of their on-board systems and the code that supports them.

As the famous FBI quote goes, for businesses "it is not a matter of if you are hacked, but when". For the aviation industry and other industries that are becoming hot cyber targets, this is a quote that should certainly not go unheeded.

Jack Elliott-Frey is a broker at Safeonline, a Lloyd's insurance broker based in the City of London specialising in cyber insurance

To find out more visit safeonline.com

IN PARTNERSHIP WITH SAFEONLINE


A-Z OF CYBER SECURITY

attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1 By flooding spectrum using a signal generator
2 By attacking the transmission collision avoidance protocols to prevent other stations from transmitting
3 By exploiting a vulnerability in the protocols that process transmissions

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming.
Steve Armstrong is a certified instructor at the SANS Institute
J is also for joint authorisation

K is for Kim Jong-un
Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014, Sony Pictures Entertainment fell victim to a massive leak of sensitive information – more than 100 terabytes of data, claimed the assailants – ranging from internal emails, employee salaries and details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect" from North Korea. For its part, the country continues to deny any involvement.
Jon Bernstein
K is also for key and key escrow

L is for licensing
It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be underestimated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits, and invariably leaves them paying significantly more than they should for the technology they use in their business.
Gareth Johnson is the CEO of Crayon
L is also for the law and logic bombs

M is for Melissa
The Melissa virus struck in May 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that, at the time, was highly innovative. Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim's address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.
Lenny Zeltser is a senior instructor at the SANS Institute
M is also for McAfee (John), malicious code, malware and mobile
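The propagation pattern just described (one attachment fanned out to a victim's address book, then repeated from whoever opened it) is something a mail gateway can spot without a signature. The routine below is an added example, not code from the supplement or from SANS; its log format, field names, thresholds and sample traffic are constructed for illustration.

```python
"""Detect Melissa-style mass-mailing bursts in mail-gateway logs.

Added example (not from the original supplement). Log format, field names
and sample data are constructed; thresholds are parameters. Melissa mailed one
Word attachment to 50 address-book entries per victim, then repeated from each
recipient who opened it, so the two tell-tale signals are:
  1. one sender, one attachment, many distinct recipients in a short window
  2. a recipient of such a burst becoming the sender of the next burst
"""
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed log format: "<ISO timestamp>|<sender>|<recipient>|<subject>|<attachment>"
def parse_line(line):
    ts, sender, rcpt, subject, attachment = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "sender": sender.lower(),
        "rcpt": rcpt.lower(),
        "subject": subject,
        "attachment": attachment,
    }


def find_bursts(lines, min_recipients=50, window=timedelta(minutes=10)):
    """Return bursts: one sender pushing the same attachment to many recipients."""
    # Key on (sender, attachment): the attachment is a stronger signal than the
    # subject line, which a variant could randomise.
    groups = defaultdict(list)
    for line in lines:
        msg = parse_line(line)
        groups[(msg["sender"], msg["attachment"])].append(msg)

    bursts = []
    for (sender, attachment), msgs in groups.items():
        msgs.sort(key=lambda m: m["ts"])
        start = 0
        # Sliding time window over this sender's messages carrying this attachment.
        for end in range(len(msgs)):
            while msgs[end]["ts"] - msgs[start]["ts"] > window:
                start += 1
            rcpts = {m["rcpt"] for m in msgs[start:end + 1]}
            if len(rcpts) >= min_recipients:
                bursts.append({
                    "sender": sender,
                    "attachment": attachment,
                    "first_seen": msgs[start]["ts"],
                    "recipients": rcpts,
                })
                break  # one report per sender/attachment is enough
    return bursts


def link_propagation(bursts):
    """Chain bursts: the sender of burst B received the same attachment in burst A."""
    chains = []
    for b in bursts:
        for a in bursts:
            if (a is not b and a["attachment"] == b["attachment"]
                    and b["sender"] in a["recipients"]
                    and a["first_seen"] < b["first_seen"]):
                chains.append((a["sender"], b["sender"]))
    return chains


def build_sample_log():
    """Constructed sample: normal traffic plus a two-hop Melissa-like outbreak."""
    base = datetime(2015, 9, 18, 9, 0, 0)
    lines = [
        f"{(base + timedelta(minutes=i)).isoformat()}|alice@example.test|"
        f"bob{i}@example.test|Lunch?|" for i in range(5)  # no attachment
    ]
    # Hop 1: victim0 sends "list.doc" to 50 colleagues within two minutes.
    for i in range(50):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()}|victim0@example.test|staff{i}@example.test|"
                     f"Important Message From victim0|list.doc")
    # Hop 2: staff7 opens it and the same attachment fans out again.
    for i in range(50):
        t = base + timedelta(minutes=3, seconds=2 * i)
        lines.append(f"{t.isoformat()}|staff7@example.test|staff{100 + i}@example.test|"
                     f"Important Message From staff7|list.doc")
    return lines


if __name__ == "__main__":
    found = find_bursts(build_sample_log())
    for b in found:
        print(f"{b['sender']} sent {b['attachment']} to {len(b['recipients'])} "
              f"recipients from {b['first_seen']:%H:%M:%S}")
    for src, dst in link_propagation(found):
        print(f"propagation: {src} -> {dst}")
```

Linking bursts into chains is what turns a noisy "big mailing" alert into an outbreak picture: the first sender in the chain is the place to start the clean-up.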

N is for network resilience
We all rely on network connectivity in our day-to-day lives – from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services


Big data: the future of UK cyber security

Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data – from smartphones to intelligent fridges, industrial sensors to CCTV cameras – are developing and adapting.

For a business, this vast universe of data could consist of 10,000 devices connected to the network transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached, but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest priority threats that lie hidden amidst the large volume of data and feed these threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (the identification of previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.

Paul Stokes is the chief operating officer for Wynyard

To find out more visit wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP


How safe are your crown jewels?

No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information.

It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony. And Target and eBay and Home Depot and JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels
Companies today have an overflowing amount of information and multiple routes in to reach it. For many the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong, too.

Six activities to help protect your crown jewels
1 Make detection part of your strategy
Many organisations have already been breached; they just don't know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3 Look after your data when it's inside and outside your organisation
Today, in our interconnected world, our data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers

Are you really protecting your crown jewels?
Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels".

Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc.
Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free.

IN PARTNERSHIP WITH AVATU


are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.
Garry Sidaway is a senior vice-president at NTT Com Security
N is also for non-repudiation
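The detection step mentioned above (an unusually high level of requests, or a flood of invalid ones, arriving from many compromised systems) is usually built the way the big data piece earlier on the page describes: learn what normal traffic looks like, then flag departures from it for the security team. The code below is an added example of that approach, not code from the supplement, NTT Com Security or Wynyard; the access-log format, thresholds and sample traffic are constructed.

```python
"""Baseline-and-anomaly detection for request floods (added example).

Not from the original supplement. Log format, field names and sample traffic
are constructed. A known-good period gives the mean and standard deviation of
per-minute request volume; later minutes are flagged when volume is far above
the baseline or when invalid responses dominate, and each alert records how
many sources were involved, which separates a distributed flood (DDoS) from
a single misbehaving client.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta


# Constructed access-log format: "<ISO timestamp> <client_ip> <http_status>"
def parse(line):
    ts, ip, status = line.split()
    return datetime.fromisoformat(ts), ip, int(status)


def bucket_by_minute(lines):
    """Per-minute totals: request count, invalid (4xx/5xx) count, per-source counts."""
    buckets = defaultdict(lambda: {"requests": 0, "invalid": 0, "sources": Counter()})
    for line in lines:
        ts, ip, status = parse(line)
        b = buckets[ts.replace(second=0, microsecond=0)]
        b["requests"] += 1
        b["invalid"] += status >= 400
        b["sources"][ip] += 1
    return dict(sorted(buckets.items()))


def learn_baseline(buckets, training_minutes):
    """Mean and population standard deviation of volume over a known-good period."""
    counts = [b["requests"] for t, b in buckets.items() if t in training_minutes]
    return statistics.mean(counts), statistics.pstdev(counts)


def detect(buckets, baseline, k=3.0, invalid_ratio=0.5, distributed_if=20):
    """Flag minutes above mean + k*sigma, or dominated by invalid requests."""
    mean, sigma = baseline
    alerts = []
    for minute, b in buckets.items():
        volume_anomaly = b["requests"] > mean + k * sigma
        invalid_anomaly = b["invalid"] / b["requests"] > invalid_ratio
        if volume_anomaly or invalid_anomaly:
            n_sources = len(b["sources"])
            alerts.append({
                "minute": minute,
                "requests": b["requests"],
                "invalid": b["invalid"],
                "sources": n_sources,
                "kind": "distributed" if n_sources >= distributed_if else "concentrated",
                # Top talkers tell the scrubbing tier where to start rate-limiting.
                "top_sources": [ip for ip, _ in b["sources"].most_common(3)],
            })
    return alerts


def build_sample_access_log():
    """Constructed: 30 quiet minutes (40-44 req/min, 10 IPs), then a 2-minute flood."""
    base = datetime(2015, 9, 18, 10, 0, 0)
    lines = []
    for m in range(30):
        for i in range(40 + (m % 5)):  # mild natural variation
            t = base + timedelta(minutes=m, seconds=i)
            lines.append(f"{t.isoformat()} 10.0.0.{i % 10} 200")
    for m in (30, 31):
        for i in range(600):  # 600 req/min of 404s from 200 addresses
            t = base + timedelta(minutes=m, seconds=i // 10)
            lines.append(f"{t.isoformat()} 198.51.100.{i % 200} 404")
    return lines


if __name__ == "__main__":
    buckets = bucket_by_minute(build_sample_access_log())
    training = set(list(buckets)[:30])  # first half hour is the known-good period
    baseline = learn_baseline(buckets, training)
    for a in detect(buckets, baseline):
        print(f"{a['minute']:%H:%M} {a['kind']} flood: {a['requests']} requests, "
              f"{a['invalid']} invalid, {a['sources']} sources, top {a['top_sources']}")
```

The baseline must come from traffic you have already judged normal; computing it over a window that already contains the flood raises the threshold and hides the attack.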

O is for outside threat
As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.
Garry Sidaway is a senior vice-president at NTT Com Security
O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities, many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.
Jon Bernstein
P is also for passive attack, personally identifiable information and phishing

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Picture caption: Edward Snowden, the ultimate breach-of-privacy dilemma


Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme:
1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4 Ensure the training you provide is up-to-date and relevant to the task in hand. Provide real life examples such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".
5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly, it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.

Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


HEADING

digital engineeringStuart J Green

So you're serious about cyber security?

What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it. Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses, and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.

Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more, visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.

Jon Bernstein

Q is also for quadrant and quality of service

R is for risk assessment

A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps, such as automated vulnerability scans, to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1 Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2 Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3 Is there a response plan for an attack, and does it actually work in practice?

Panos Dimitriou is chief technology officer and co-founder of the Encode Group

R is also for resilience and rogue devices

S is for Snowden, Edward

How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.

Jon Bernstein

S is also for spam, spoofing and spyware

T is for Target

If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one to three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.

Jon Bernstein

T is also for threat and Trojan Horse

U is for user

You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps:
1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2 Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3 Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4 Keep your computers and mobile devices updated and current.

Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access


V is for verification

Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.

Kevin Bocek is a vice-president at Venafi

V is also for vulnerability and virus

W is for worm

The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.

Jon Bernstein

W is also for white team and wifi

X is for X-rated

Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.

Jon Bernstein

X is also for X.509 Public Key Certificate

Y is for Generation Y

The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.

Christophe Birkeland is chief technical officer of malware analytics at Blue Coat

Y is also for you

Z is for zero day

A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malwares, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero day for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero day as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.

Christophe Birkeland

Z is also for zombie


Cyber security: a must do for SMEs

For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen, it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

"Total security is a futile concept"

1 How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage breach crisis
• regulatory fines, proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance: Do you have policies in place for users to follow?
• Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?

• Network security: Do you protect and monitor your IT infrastructure?
• Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkinsuklocktoncom

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data or passwords and login details from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated pin or biometrics, such as a fingerprint scan. And of course, passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


2 "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches.

Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3 Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore, failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or indeed weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 263418-24 SEPTEMBER 2015 | NEW STATESMAN | 983090983093

5 What three stepsshould businessestake now in order toimprove their owncyber security

Catherine Askam1 Fix the basics such as passwords andupdate security patching and new joinermover and leaver processes2 Review current security operations andinvest in them to strengthen this area ofyour business3 Focus on prevention in addition tohow you would respond to an attack forexample threat intelligence (detectingthe methods of hackers and using thisintelligence to plan responses) and data-destruction protection such as technol-

ogy or insurance policies to avoid data orinformation being destroyed if a hackeraccessed it

John Berriman1 Organisations need to accept breacheswill happen and put in place controls toprotect systems with additional securityfor the assets that matter most2 They need to make sure that theyare investing effectively in cyber secu-rity That means focusing investment onpreventing detecting and responding

to breaches When organisations invest

training poor security awareness or gen-eral negligence can lead to breaches just asreadily as hackers and criminals

Employee awareness is a difficult areafor information security and many organ-isations struggle to get it right

4 What singlestatistic should actas a wake-up callto those who needconvincing

Paul Taylor

Every day we hear of new vulnerabilitiesattacks and incidents The Centre for Stra-tegic and International Studies estimatesthat the likely annual cost to the globaleconomy from cyber crime is between$375bn and $575bn These startling fig-ures are more than the national income ofmany countries

Catherine AskamAccording to CYRENrsquos 2015 CyberthreatYearbook the number of successful cyberattacks on businesses of all sizes increased

by 14 4 per cent between 2010 and 2014 Therefore cyber attacks are clearly agrowing concern for UK businesses Weoften say that itrsquos no longer a case of if youget hacked but when

John BerrimanThe average cost of the most severesecurity breaches for big business is nowpound146m according to PwC research Thatdoesnrsquot take into account the impact onan organisationrsquos reputation and relation-ship with its stakeholders Every organi-

sation needs to wake up to the very realthreats they face

Mark BrownCyber crime today is prevalent as a glob-al criminal industry Organisations arehacked daily but the scale of attacks isoften difficult to comprehend

During 2014 the biggest reported hackwas conducted by the Russian organised-crime gang CyberVor which capturedmore than 12 billion personal IDs ndash theequivalent of hacking the entire popula-

tion of India

Organisations are hacked every day but it can be difficult to comprehend the scale o cyber crime

appropriately upfront and align securitystrategy with business objectives theyprevent having to pay significantly largersums of money for breach responses at alater date3 They need to focus the entire organi-sation on thinking about risk setting thetone from the top

Mark Brown

1 Activate ndash make sure you switch on thedefences that exist and configure themproperly Failure to do this leaves youunnecessarily exposed to todayrsquos threats2 Adapt ndash analyse your business andunderstand what information makes youa target for cyber crime Personal dataand credit-card data are obvious targets but also think about IP and who yourcustomers and suppliers are to protectagainst threats3 Anticipate ndash get on the front foot andrehearse threat scenarios to understand

your organisational weaknesses If theyexist cyber criminals will find them ndash so better that you find and resolve them first

Paul Taylor1 Identify what data and processes are themost important to your business2 Undertake a cyber-maturity assess-ment to see where you are now Bench-mark yourself against your industry3 Put a long-term plan in place using a balance of internal resources and appro-priate help Donrsquot try to be 100 per cent

secure ndash thatrsquos simply not possible l


IN PARTNERSHIP WITH PGI CYBER ACADEMY

To fight cyber crime, first invest in closing the skills gap
It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and, in turn, result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online, everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state of the art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year


Cyber, cyber, cyber essentials
A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adapted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure
Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?
We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of its assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?
All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?
Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed but also how those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.
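A check for the shared-network risk described above (control systems run across the same IP networks as customer management systems, on older hosts that cannot simply be patched), given as an added example that is not code from the supplement or from Atkins: flow records from the two networks are tested against a small segmentation policy, so that the part-time engineer the passage mentions gets a short list of connections to review rather than a packet capture. The zones, the engineering jump host, the addresses, the port allow-list and the flow format are all constructed; 203.0.113.9 is a documentation-range address standing in for an external host.

```python
"""Added example: checking flow records against an IT/OT segmentation policy.

Not code from the supplement or from Atkins. Zones, the jump host, the
addresses and the flow record format are constructed for illustration.
"""
import ipaddress

# Constructed zones: the enterprise network (customer management, accounting)
# and the control-system network that shares the same IP fabric with it.
ENTERPRISE_ZONE = ipaddress.ip_network("10.10.0.0/16")
CONTROL_ZONE = ipaddress.ip_network("10.50.0.0/24")

# Only the engineering jump host may initiate connections into the control
# zone, and only for the protocols engineers need: Modbus/TCP (502) and SSH (22).
ALLOWED_INTO_CONTROL = {
    (ipaddress.ip_address("10.10.0.5"), 502),
    (ipaddress.ip_address("10.10.0.5"), 22),
}

# Constructed flow records, one connection attempt per line.
SAMPLE_FLOWS = """\
src=10.10.0.5 dst=10.50.0.12 dport=502 proto=tcp
src=10.10.5.23 dst=10.50.0.12 dport=502 proto=tcp
src=10.10.7.80 dst=10.50.0.30 dport=445 proto=tcp
src=10.50.0.12 dst=203.0.113.9 dport=443 proto=tcp
src=10.50.0.30 dst=10.50.0.12 dport=502 proto=tcp
src=10.10.5.23 dst=10.10.9.1 dport=443 proto=tcp
"""


def parse_flow(line):
    """Parse 'key=value' fields into typed values."""
    fields = dict(pair.split("=", 1) for pair in line.split())
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
    }


def classify(flow):
    """Return None when a flow complies with the policy, else a finding label."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if src in ENTERPRISE_ZONE and dst in CONTROL_ZONE:
        # Office hosts reaching controllers: only the jump host, only listed ports.
        if (src, dport) not in ALLOWED_INTO_CONTROL:
            return "CROSS_ZONE_INTO_CONTROL"
    if src in CONTROL_ZONE and dst not in CONTROL_ZONE and dst not in ENTERPRISE_ZONE:
        # A controller or HMI opening connections outside both zones is never expected.
        return "CONTROL_ZONE_EGRESS"
    return None


def audit(flow_text):
    """Run every flow record through the policy; return the non-compliant ones."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        label = classify(flow)
        if label:
            findings.append((label, str(flow["src"]), str(flow["dst"]), flow["dport"]))
    return findings


def run_sample():
    return audit(SAMPLE_FLOWS)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

Of the six sample flows, the jump host's Modbus session, the controller-to-controller traffic and the office-internal HTTPS connection pass; the two office workstations reaching into the control zone and the controller connecting outwards are reported. In practice the records come from the firewall or switch between the zones, and the point of keeping the allow-list in code is that it can be reviewed and changed deliberately rather than left to accumulate.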

How can we help make this happen?
Infrastructure organisations are experts in understanding the whole life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset by asset basis to ensure the threat to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago
74% of small businesses experience security breaches, up from 60% a year ago
£1.46m–£3.14m: average cost of worst security breaches to large organisations
£75k–£311k: average cost of worst security breaches to small businesses
50% of worst breaches caused by inadvertent human error

Security breach by type

Breach type                 Large organisations   Small organisations
Staff-related               75%                   31%
Unauthorised outsider       69%                   38%
Denial of service attack    30%                   16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future
The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security, or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


A-Z OF CYBER SECURITY

attackers to interrupt authorised wireless communication. Jamming techniques fall into one of three categories:
1. By flooding spectrum using a signal generator
2. By attacking the transmission collision avoidance protocols to prevent other stations from transmitting
3. By exploiting a vulnerability in the protocols that process transmissions

While the blocking or disrupting of the authorised transmissions may be the end goal, jamming techniques are often deployed as a smokescreen to hide other attacks. In this case the communications being attacked are often detection or alerting capabilities.

It is impossible to stop the impact of all forms of jamming because of the shared nature of all radio-spectrum communications. The best advice is to set up an alternative communication path that can be used if a device is impacted by jamming.
Steve Armstrong is a certified instructor at the SANS Institute
J is also for joint authorisation

K is for Kim Jong-un
Unwittingly or otherwise, the leader of North Korea is intimately connected to one of the biggest, most commercially embarrassing and politically contentious data breaches of all time. In November 2014 Sony Pictures Entertainment fell victim to a massive leak of sensitive information – more than 100 terabytes of data, claimed the assailants – ranging from internal emails, employee salaries and details of yet-to-be-announced movie projects. A group called the Guardians of Peace claimed responsibility and threatened further disclosures unless Sony cancelled one of its forthcoming movies.

The film in question was a comedy called The Interview, about a plot to assassinate Kim Jong-un. Sony didn't cancel, and the leaks kept on coming. The United States government blamed North Korea, believing Guardians of Peace to be a proxy in an act of state-sponsored cyber crime. Samantha Power, US ambassador to the United Nations, described the Sony hack as both "absurd" and "exactly the kind of behaviour we have come to expect" from North Korea. For its part, the country continues to deny any involvement.
Jon Bernstein
K is also for key and key escrow

L is for licensing
It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be underestimated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits and invariably leaves them paying significantly more than they should for the technology they use in their business.
Gareth Johnson is the CEO of Crayon
L is also for the law and logic bombs

M is for Melissa
The Melissa virus struck in May 1999, infecting at least 100,000 computers during the first weekend of its release. Its ability to spread quickly was tied to a propagation technique that at the time was highly innovative. Melissa embedded its code inside a Microsoft Word document and emailed itself to 50 individuals from the victim's address book. Once the recipient opened the infected attachment, Melissa would repeat the process to pursue the next set of victims.

Since most security tools allowed incoming email attachments and didn't have signatures for Melissa's files, the virus was able to bypass many anti-virus and firewall defences. Moreover, an element of social engineering increased the likelihood that the victim would open the malicious document. Because the list of message recipients was compiled from the previous victim's address book, the person would recognise the sender's name and, thinking the message came from a friend or colleague, not be cautious about double-clicking the attachment.

The Melissa virus demonstrated how malicious software could spread semi-autonomously by means of difficult-to-control channels such as email, and could attach itself to document files that people routinely share.

Variations of these techniques are employed to this day to infect individual and corporate systems worldwide.
Lenny Zeltser is a senior instructor at the SANS Institute
M is also for McAfee (John), malicious code, malware and mobile

N is for network resilience
We all rely on network connectivity in our day-to-day lives – from the mobile networks that keep us in contact with the world to the internet, where we increasingly run our lives. Network resilience ensures that these essential services


Big data: the future of UK cyber security
Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data – from smartphones to intelligent fridges, industrial sensors to CCTV cameras – are developing and adapting.

For a business, this vast universe of data could consist of 10,000 devices connected to the network transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached, but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats, and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest priority threats that lie hidden amidst the large volume of data and feeding these threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (the identification of previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.
Paul Stokes is the chief operating officer for Wynyard

To find out more, visit wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP


How safe are your crown jewels?
No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information. It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony, and Target, and eBay, and Home Depot, and JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels
Companies today have an overflowing amount of information and multiple routes in to reach it. For many the challenge is where to start. And our answer is always: begin with your crown jewels. Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it, all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong, too.

Six activities to help protect your crown jewels
1 Make detection part of your strategy
Many organisations have already been breached; they just don't know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3 Look after your data when it's inside and outside your organisation
Today, in our interconnected world, our

IN PARTNERSHIP WITH AVATU

Many and multiple devices can be the weak point in your security


Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels"

Are you really protecting your crown jewels?
Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc.

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free.

data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers


A-Z OF CYBER SECURITY

are maintained to an acceptable level whenever there is disruption.

In cyber security, this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.
Garry Sidaway is a senior vice-president at NTT Com Security
N is also for non-repudiation
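The detection step that this entry and the Wynyard Group piece above both describe (learn what a normal request rate looks like, then surface the time windows that depart sharply from it, and tell a single noisy client apart from a distributed flood) can be shown on a small scale over a web access log. The Python below is an added example written for this page, not code from the supplement, NTT Com Security or Wynyard Group. The log lines it analyses are constructed, the log format is a simplified Apache-style line, the IP addresses come from the documentation ranges, and the function names (`count_windows`, `baseline`, `detect_floods`) are this example's own.

```python
"""Baseline-and-deviation detection of request floods in a web access log.

Added example: learn the per-minute request rate from a quiet period, then
flag live minutes whose count is many standard deviations above it. The
alert also reports how many distinct sources took part and what share the
busiest one carried, which is what separates one abusive client (rate-limit
it) from a distributed flood (upstream scrubbing). All data is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import math
import re

# Simplified Apache-style line: client_ip [timestamp] "request" status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Parse one log line into a dict; None for a malformed line."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}


def count_windows(lines, window_seconds=60):
    """Requests per fixed window: {window: total} and {window: Counter(ip)}."""
    totals = Counter()
    per_client = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the analysis
        window = int((rec["ts"] - EPOCH).total_seconds()) // window_seconds
        totals[window] += 1
        per_client[window][rec["ip"]] += 1
    return totals, per_client


def baseline(totals):
    """Mean and standard deviation of per-window counts from a normal period."""
    values = list(totals.values())
    if not values:
        return 0.0, 1.0
    mean = sum(values) / len(values)
    std = math.sqrt(sum((v - mean) ** 2 for v in values) / len(values))
    return mean, max(std, 1.0)  # floor the spread so a perfectly flat baseline still behaves


def detect_floods(baseline_lines, live_lines, window_seconds=60, z_threshold=4.0):
    """Return an alert dict for every live window z_threshold std devs above baseline."""
    mean, std = baseline(count_windows(baseline_lines, window_seconds)[0])
    live_totals, live_clients = count_windows(live_lines, window_seconds)
    alerts = []
    for window in sorted(live_totals):
        count = live_totals[window]
        z = (count - mean) / std
        if z < z_threshold:
            continue
        top_ip, top_n = live_clients[window].most_common(1)[0]
        alerts.append({
            "window_start": EPOCH + timedelta(seconds=window * window_seconds),
            "requests": count,
            "z_score": round(z, 1),
            "distinct_sources": len(live_clients[window]),
            "top_source": top_ip,
            "top_source_share": round(top_n / count, 2),
        })
    return alerts


def make_lines(start, minutes, per_minute, ips, jitter=0, path="/index.html"):
    """Constructed traffic: about per_minute requests each minute, cycling through ips.
    jitter=k varies the count by -k..+k from minute to minute so the baseline has spread."""
    lines = []
    for minute in range(minutes):
        n = per_minute + ((minute % (2 * jitter + 1)) - jitter if jitter else 0)
        for i in range(n):
            ts = start + timedelta(minutes=minute, seconds=i % 60)
            ip = ips[(minute * per_minute + i) % len(ips)]
            lines.append(f'{ip} [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200')
    return lines


NORMAL_IPS = [f"203.0.113.{n}" for n in range(1, 11)]   # documentation range, constructed
FLOOD_IPS = [f"198.51.100.{n}" for n in range(1, 51)]   # documentation range, constructed
START = datetime(2015, 9, 18, 9, 0, 0)
# A quiet hour (18-22 requests per minute from 10 clients) teaches the baseline.
BASELINE_LINES = make_lines(START, 60, 20, NORMAL_IPS, jitter=2)
# Live traffic: three ordinary minutes, then one minute in which 50 sources send 600 requests.
LIVE_LINES = (make_lines(START + timedelta(hours=1), 3, 20, NORMAL_IPS, jitter=2)
              + make_lines(START + timedelta(hours=1, minutes=3), 1, 600, FLOOD_IPS))

if __name__ == "__main__":
    for alert in detect_floods(BASELINE_LINES, LIVE_LINES):
        print(alert)
```

Only the flood minute is reported; its fifty sources each carrying two per cent of the traffic is the signature the entry calls a distributed attack, as opposed to one client that a simple per-IP limit would stop. A production baseline would be learned per service and per time of day, and the standard-deviation floor here stands in for the minimum-spread or percentile rules real tooling uses.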

O is for outside threat
As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.
Garry Sidaway is a senior vice-president at NTT Com Security
O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities, many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.
Jon Bernstein
P is also for passive attack, personally identifiable information and phishing

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma


Seven steps to effective training
Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care, and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement, and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide, but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme:
1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4 Ensure the training you provide is up-to-date and relevant to the task in hand. Provide real life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".
5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information, but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 270001.
Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more, visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


Stuart J Green Digital Engineering

So you're serious about cyber security?
What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it. Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses, and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.
Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more, visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack, or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service
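What "isolating a file" amounts to in practice is shown below: the suspect file is moved into an owner-only quarantine store under its content hash, every permission bit is stripped so it can be neither executed nor opened by accident, and a manifest records where it came from and why, so the sample can be sent for analysis, restored if the detection was a false positive, or destroyed later. This is an added example written for this page, not code from the supplement or from any anti-virus product; the function names, the store layout, the manifest fields and the sample file are this example's own, and it relies only on the Python standard library and POSIX file permissions.

```python
"""Quarantining a suspect file: isolate it, preserve evidence, keep it inert.

Added example. Three steps: relocate the file into an owner-only store under
its SHA-256 name, chmod it to 0 so nothing can read or run it by accident,
and write a JSON manifest beside it (original path, hash, size, time,
reason). restore() reverses the move only if the stored bytes still match
the recorded hash. The sample file used by demo() is constructed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """Content hash, streamed so a large file is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path, quarantine_dir, reason):
    """Move `path` into the quarantine store and return the manifest written beside it."""
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    os.chmod(qdir, stat.S_IRWXU)           # the store itself is owner-only
    digest = sha256_of(src)
    manifest = {
        "original_path": str(src.resolve()),
        "sha256": digest,
        "size": src.stat().st_size,
        "quarantined_at": datetime.now(timezone.utc).isoformat(),
        "reason": reason,
    }
    stored = qdir / f"{digest}.quarantined"
    shutil.move(str(src), str(stored))     # move, not copy: the original location must end up clean
    os.chmod(stored, 0)                    # no read, write or execute for anyone
    stored.with_suffix(".json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(manifest_path):
    """Return a quarantined file to its original path after checking it is unchanged."""
    manifest_path = Path(manifest_path)
    manifest = json.loads(manifest_path.read_text())
    stored = manifest_path.with_suffix(".quarantined")
    os.chmod(stored, stat.S_IRUSR | stat.S_IWUSR)
    if sha256_of(stored) != manifest["sha256"]:
        os.chmod(stored, 0)                # leave it inert and refuse
        raise RuntimeError("quarantined file does not match its manifest; refusing to restore")
    shutil.move(str(stored), manifest["original_path"])
    manifest_path.unlink()
    return manifest["original_path"]


def demo():
    """Round trip in a temporary directory; returns the facts worth checking."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "invoice.doc"
        suspect.write_bytes(b"constructed sample: stands in for a flagged attachment")
        manifest = quarantine(suspect, Path(tmp) / "quarantine", reason="heuristic: auto-run macro")
        stored = Path(tmp) / "quarantine" / f"{manifest['sha256']}.quarantined"
        result = {
            "original_gone": not suspect.exists(),
            "stored_mode": stat.S_IMODE(stored.stat().st_mode),
            "manifest_written": stored.with_suffix(".json").exists(),
        }
        restored_to = restore(stored.with_suffix(".json"))
        result["restored_bytes"] = Path(restored_to).read_bytes()
        result["store_empty"] = not any((Path(tmp) / "quarantine").iterdir())
        return result


if __name__ == "__main__":
    facts = demo()
    facts["restored_bytes"] = facts["restored_bytes"].decode()
    print(json.dumps(facts, indent=2))
```

Naming the stored copy by its hash is what makes the "sent for analysis" step cheap: the manifest's SHA-256 is the identifier the sample is submitted under, and the integrity check in `restore()` is what lets a false positive be reversed without the risk of putting back something that was altered while in the store.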

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps such as automated vulnerability scans to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1 Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2 Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3 Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers, and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost, too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one to three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps:
1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2 Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3 Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4 Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute
U is also for unauthorised access
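The two-step verification recommended in step 2 above, and the two-factor authentication the password entry mentions as a mitigation for reused passwords, most often means a time-based one-time password (TOTP, RFC 6238): the service and the user's authenticator app share a secret, both derive a short code from the current 30-second time step, and the service accepts a code only for the current step or its neighbours and only once. The Python below is an added example written for this page, not code from the supplement or from the SANS Institute; it uses only the standard library, the class and function names are this example's own, and the test secret and codes are the published RFC 6238 vectors.

```python
"""Two-step verification with time-based one-time passwords (RFC 6238 TOTP).

Added example. hotp() is RFC 4226 (HMAC-SHA1 over an 8-byte counter,
dynamically truncated to 6 digits); totp() feeds it the counter
floor(unix_time / 30). TotpVerifier is the server side: it tolerates one
step of clock drift either way and refuses a code whose step has already
been consumed, so an intercepted code cannot be replayed.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(at_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def new_secret() -> str:
    """Fresh 160-bit secret, base32-encoded as authenticator apps expect at enrolment."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def secret_from_base32(encoded: str) -> bytes:
    return base64.b32decode(encoded.upper())


class TotpVerifier:
    """Server-side check for one account: drift tolerance, no code reuse."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, tolerance: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.tolerance = tolerance   # accept codes from this many steps either side of now
        self.last_counter = -1       # highest step already consumed by a valid code

    def verify(self, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for c in range(counter - self.tolerance, counter + self.tolerance + 1):
            if c <= self.last_counter:
                continue             # that step's code was already used: reject the replay
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = c
                return True
        return False


# RFC 6238 test secret (ASCII "12345678901234567890"); times below are from the RFC's table.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                              # 287082 (RFC: 94287082, 8 digits)
    v = TotpVerifier(RFC_SECRET)
    print(v.verify("287082", 59), v.verify("287082", 59))   # True, then False: replay refused
    print("enrol with:", new_secret())
```

The point the entry makes about passwords applies here too: the shared secret is the credential, so it is stored and handled like one. The constant-time comparison keeps a wrong guess from leaking how many digits matched, and the `last_counter` rule is what turns "something you have" into a code that works exactly once.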


A-Z OF CYBER SECURITY

V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malware, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie


Cyber security: a must do for SMEs
For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen, it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners, too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.
Bronzeye IBRM offers an affordable, subscription-based information and cyber security service to SMEs and others
To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.



Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail
Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
- costs incurred to manage breach crisis
- regulatory fines, proceedings
- legal liability
Also, they can now find cover for:
- consequential losses due to damage of business reputation
- consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
- Privacy governance: Do you have policies in place for users to follow?
- Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
- Network security: Do you protect and monitor your IT infrastructure?
- Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
- Network segmentation: Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
- Point-of-sales systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry.
Max Perkins can be contacted at maxperkins@uk.lockton.com
Lockton is a global insurance broker
Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option
Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems as a minimum should have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course passwords should also be as strong as possible.
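The "randomly generated PIN" in the paragraph above is, in most deployments, a time-based one-time password from an authenticator app. The following is an added example, not code from the article or from Digital Pathways, showing the server-side check in plain Python with only the standard library: it implements RFC 4226 HOTP and RFC 6238 TOTP, tolerates one time step of clock drift either side (an assumption chosen here), compares codes in constant time, and refuses a counter that has already been accepted so a code cannot be replayed inside its window. The secret used is the RFCs' published test secret, not a real credential.

```python
"""TOTP verification, RFC 6238 built on RFC 4226 HOTP, standard library only.

Added example, not code from the original article.  The shared secret below is
the RFC test secret; a real service provisions a random per-user secret
(for example secrets.token_bytes(20)) when the user enrols an authenticator.
"""
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (the usual default)
DIGITS = 6   # code length displayed by the authenticator app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at=None, drift: int = 1,
                last_counter: int = -1, step: int = STEP, digits: int = DIGITS):
    """Return the time-step counter the code was accepted for, or None if rejected.

    - `drift` steps either side of now are tolerated for clock skew (assumed: one step).
    - every candidate is computed and compared in constant time, so the timing of
      the check does not reveal which candidate (if any) matched.
    - a counter at or before `last_counter` is refused: the caller stores the last
      accepted counter per user, which blocks replay of a code within its window.
    """
    if at is None:
        at = int(time.time())
    now = at // step
    accepted = None
    for delta in range(-drift, drift + 1):
        candidate = now + delta
        matches = hmac.compare_digest(hotp(secret, candidate, digits), code)
        if matches and candidate > last_counter and accepted is None:
            accepted = candidate
    return accepted


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 / RFC 6238 test secret
    print("code right now:", totp(secret, int(time.time())))
    # RFC 6238 test vector: at T=59 the SHA-1 code is 94287082; the last six digits are shown
    print("code at T=59 :", totp(secret, 59))
    print("accepted for counter:", verify_totp(secret, totp(secret, 59), at=59))
```

In use, the server keeps the per-user secret and the last accepted counter in its user store, passes that counter as `last_counter` on each attempt and updates it with the returned value, and rate-limits attempts: with six digits and a three-step window an unthrottled guesser has roughly a 3 in 1,000,000 chance per try, which only stays negligible if tries are limited.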

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.
Colin Tankard is the managing director of Digital Pathways
To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS



2. "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches.

Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or, indeed, weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore, cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1. Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap
It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training. The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state of the art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

IN PARTNERSHIP WITH PGI CYBER ACADEMY

PGI believes in education and aware-ness therefore cyber security educationand training for both IT professionals and

non-IT executives stand at the core of our business Our world-class informationsecurity specialists certified against na-tional and international standards comefrom a multitude of backgrounds rang-ing from multinational corporations togovernment institutions We also operateon a global scale and believe in making theworld a safer place to do business lMatthew Olney is the communicationsofficer at Protection Group International

Find out more about PGI at

pgitlcom

Fiat Chryslerrsquos Jeep Cherokee was the subject o a hacking test earlier this year


Cyber cyber cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets such as signalling equipment into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset by asset basis to ensure that the threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m–£3.14m: average cost of worst security breaches to large organisations

£75k–£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: 75% staff-related; 69% unauthorised outsider; 30% denial of service attack

Small organisations: 31% staff-related; 38% unauthorised outsider; 16% denial of service attack

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)2


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


Big data: the future of UK cyber security

Serious crime-fighting requires new tools, argues Paul Stokes

In the past three years we have created more data than was created since the beginning of humanity: data is officially becoming bigger. Data volumes are exploding as the number of gadgets recording and transmitting data – from smartphones to intelligent fridges, industrial sensors to CCTV cameras – are developing and adapting.

For a business, this vast universe of data could consist of 10,000 devices connected to the network transmitting terabytes of data every day. This means that securing data is more difficult than ever, as cyber threats can now be a virtual needle in a haystack. Companies therefore face a huge challenge in how best to protect themselves against serious threats to their networks. In this age of connectivity it is no longer a case of if your security can be breached but when.

The question many businesses therefore need to ask themselves is this: which technologies are truly effective at safeguarding their networks?

Cyber security and big data analytics are two sets of technologies that are seen as the top investment opportunities for savvy companies keen to protect themselves against online attacks by organised cyber criminals, syndicates for hire or state actors.

According to a survey by MeriTalk, a US government IT network, cyber threats are now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats.

By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful analysis component. Providing the ability to identify, explore and interpret the critical information is key to identifying threats.

Businesses can more effectively monitor the security of their network by highlighting the highest priority threats that lie hidden amidst the large volume of data and feeding these threats directly to the security teams for immediate human investigation.

By identifying the "unknown unknowns" on a network (the identification of previously unknown and unusual patterns and anomalies), advance notice of potentially malicious activity is provided, which in turn can quickly be identified and managed by the security team.

The future of cyber security for organisations with data to protect is therefore the understanding that malicious threats against a network are constant, current and increasing in number and complexity. By combining big data analytics with cyber security, companies can arm themselves against this insidious threat by identifying it at source, investigating high-priority threats and rapidly responding to compromise before irreparable damage is done to the organisation.

Paul Stokes is the chief operating officer for Wynyard

To find out more visit wynyardgroup.com

IN PARTNERSHIP WITH WYNYARD GROUP


How safe are your crown jewels?

No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information. It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and no doubt spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony. And Target, and eBay, and Home Depot, and JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels

Companies today have an overflowing amount of information and multiple routes in to reach it. For many the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it: all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong too.

Six activities to help protect your crown jewels

1 Make detection part of your strategy
Many organisations have already been breached, they just don't know it yet. And the longer a threat sits within your systems the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)
Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3 Look after your data when it's inside and outside your organisation
Today, in our interconnected world, our data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Many and multiple devices can be the weak point in your security

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers

Are you really protecting your crown jewels?

Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels".

Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc.

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free.

IN PARTNERSHIP WITH AVATU


A-Z OF CYBER SECURITY

are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.

Garry Sidaway is a senior vice-president at NTT Com Security

N is also for non-repudiation
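Added here as an example, not code from the supplement or from NTT Com Security: a small Python detector for the surge of requests this entry describes, and for the "learn what is normal, then flag anomalies" approach of the Wynyard article, run over a constructed web-server log. The log format, the 10-second window, the 5x-baseline threshold and the source-count cut-offs are all assumptions.

```python
"""Added example (not the supplement's own code): flag an abnormal surge of
requests in a web-server log and tell a single-source DoS from a distributed
flood (DDoS). The log format and every threshold below are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <source IP> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (epoch_seconds, source, status) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    epoch = int(datetime.fromisoformat(m.group(1)).timestamp())
    return epoch, m.group(2), int(m.group(5))


def bucket_requests(lines, window_s=10):
    """Group requests into fixed windows of window_s seconds, recording the
    total, the count per source and how many drew a 4xx (invalid request)."""
    buckets = defaultdict(lambda: {"total": 0, "by_source": defaultdict(int),
                                   "invalid": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip unparseable lines rather than crash
            continue
        epoch, source, status = parsed
        b = buckets[epoch - epoch % window_s]
        b["total"] += 1
        b["by_source"][source] += 1
        if 400 <= status < 500:
            b["invalid"] += 1
    return dict(sorted(buckets.items()))


def baseline(buckets, quiet_windows=2):
    """Mean requests per window over the first quiet_windows windows, which
    this example assumes are a known-normal period."""
    counts = [b["total"] for b in list(buckets.values())[:quiet_windows]]
    return sum(counts) / len(counts) if counts else 0.0


def classify_floods(buckets, normal_rate, factor=5.0, many_sources=10,
                    dominant_share=0.8):
    """Alert on windows carrying at least factor x the baseline volume.

    'DoS'   - one source sends dominant_share or more of the window's traffic
    'DDoS'  - the surge is spread over at least many_sources distinct sources
    'surge' - neither pattern; a legitimate spike or something to eyeball"""
    alerts = []
    for start, b in buckets.items():
        if normal_rate <= 0 or b["total"] < factor * normal_rate:
            continue
        top_source, top_count = max(b["by_source"].items(), key=lambda kv: kv[1])
        if top_count / b["total"] >= dominant_share:
            kind = "DoS"
        elif len(b["by_source"]) >= many_sources:
            kind = "DDoS"
        else:
            kind = "surge"
        alerts.append({"window_start": start, "kind": kind,
                       "requests": b["total"], "sources": len(b["by_source"]),
                       "top_source": top_source,
                       "invalid_share": round(b["invalid"] / b["total"], 2)})
    return alerts


def detect(lines, window_s=10, quiet_windows=2):
    """Bucket, baseline on the quiet windows, then classify every window."""
    buckets = bucket_requests(lines, window_s)
    return classify_floods(buckets, baseline(buckets, quiet_windows))


def _stamp(base, offset_s):
    return (base + timedelta(seconds=offset_s)).isoformat()


def build_sample_log():
    """Constructed log: two quiet windows, a single-source flood, then a
    distributed flood of malformed requests from twelve addresses."""
    base = datetime(2015, 9, 18, 10, 0, 0)
    lines = []
    for w in (0, 10):                       # quiet: 4 requests per window
        for i in range(4):
            src = "10.0.0.1" if i % 2 == 0 else "10.0.0.2"
            lines.append(f"{_stamp(base, w + 2 * i)} {src} GET /index.html 200")
    for i in range(60):                     # +20s: one host hammers /login
        lines.append(f"{_stamp(base, 20 + i // 6)} 10.0.0.9 POST /login 200")
    for i in range(60):                     # +30s: 12 hosts send junk paths
        src = f"203.0.113.{1 + i % 12}"
        lines.append(f"{_stamp(base, 30 + i // 6)} {src} GET /%00 400")
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

On the constructed log the detector raises two alerts: a DoS from 10.0.0.9 and a DDoS across twelve addresses whose requests were all rejected as invalid.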

O is for outside threat

As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.

Garry Sidaway is a senior vice-president at NTT Com Security

O is also for offline attack

P is for password

The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use and the most vulnerable. To combat these vulnerabilities many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.

Jon Bernstein

P is also for passive attack, personally identifiable information and phishing

Q is for quarantine

Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma


Seven steps to effective training
Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation, the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement, and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide, but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme.

1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4 Ensure the training you provide is up to date and relevant to the task in hand. Provide real-life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".
5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.
Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more, visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you're serious about cyber security?
What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it. Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses, and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.
Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more, visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps such as automated vulnerability scans to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1 Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2 Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3 Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one to three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.
1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2 Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3 Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4 Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute
U is also for unauthorised access


V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus
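The signing and checking the entry describes, as an added example that is not the author's or Venafi's code: it builds a throwaway CA with Go's standard crypto/x509 package, issues a certificate for a constructed name (shop.example), and shows that a certificate for the same name from an issuer outside the client's trust store fails chain verification even though its own signature checks out. The CA names and the host name are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key and has issuer sign a certificate for name.
// With issuer == nil the certificate is self-signed, which is how a root CA is made.
func issue(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, name string, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignedBy is the single check the entry describes: use the issuer's public key
// against the certificate's signature. It says nothing about trust or validity.
func SignedBy(leaf, issuer *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(issuer) == nil
}

// TrustedFor is what a client actually does: build a chain from leaf to a CA in
// its trust store and confirm the name and validity period match.
func TrustedFor(leaf, trusted *x509.Certificate, dnsName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err
}

// Demo issues one certificate from a trusted CA and one for the same name from
// a CA the client has never heard of, and reports whether each is accepted.
func Demo() (genuineOK, untrustedOK bool, err error) {
	trustedCA, trustedKey, err := issue(nil, nil, "Constructed Trusted CA", true)
	if err != nil {
		return false, false, err
	}
	otherCA, otherKey, err := issue(nil, nil, "Constructed Untrusted CA", true)
	if err != nil {
		return false, false, err
	}
	genuine, _, err := issue(trustedCA, trustedKey, "shop.example", false)
	if err != nil {
		return false, false, err
	}
	lookalike, _, err := issue(otherCA, otherKey, "shop.example", false)
	if err != nil {
		return false, false, err
	}
	// The lookalike carries a valid signature from its own issuer, but that
	// issuer is not in the trust store, so chain building fails.
	genuineOK = SignedBy(genuine, trustedCA) && TrustedFor(genuine, trustedCA, "shop.example") == nil
	untrustedOK = TrustedFor(lookalike, trustedCA, "shop.example") == nil
	return genuineOK, untrustedOK, nil
}

func main() {
	ok, forged, err := Demo()
	fmt.Println("genuine certificate accepted:", ok, "| untrusted issuer accepted:", forged, "| error:", err)
}
```

The point for a defender is that the "use the public key against the certificate" step only proves who signed it; whether that signer belongs in the trust store, and whether its private key is still under its owner's control, is what the rest of the entry is about.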

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malware, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially by sending information about vulnerable software to the party responsible for its creation, so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie


Cyber security: a must do for SMEs
For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen, it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.
Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

"Total security is a futile concept"

1 How would you convince UK plc to take cyber security more seriously?

Catherine Askam
Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromise and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience, at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change and the cyber threats that come with it are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor
UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail
Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage breach crisis
• regulatory fines, proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance. Do you have policies in place for users to follow?
• Privacy culture. Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security. Do you protect and monitor your IT infrastructure?
• Data encryption tools. Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation. Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems. We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


The headlines may be about cyber warand digital Armageddon but cyberattacks affecting businesses of all

sizes and are on the increase Criminalsknow that electronic crime offers fast re-turns with a much-reduced chance of

"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners and those users, devices and applications that are authorised to access the data can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course passwords should also be as strong as possible.

Encryption is great but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


2 "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches.

Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many, and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives.

Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3 Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest, or indeed weakest, point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security and many organisations struggle to get it right.

4 What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5 What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1 Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2 Review current security operations and invest in them to strengthen this area of your business.
3 Focus on prevention in addition to how you would respond to an attack: for example, threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1 Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2 They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3 They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1 Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2 Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3 Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1 Identify what data and processes are the most important to your business.
2 Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3 Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.
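Catherine Askam's point above about security information and event-management tools flagging irregular activity can be made concrete with two common detection rules run over authentication logs. The Python below is an added example, not code from any of the panellists or from a SIEM product. It parses constructed sshd-style log lines (the host, users and addresses are made up) and raises an alert when a successful login follows a burst of failed attempts from the same source within a sliding window, and separately when a successful login falls outside business hours. Both rules are the sort of correlation a SIEM performs before an analyst ever looks at the raw lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not from any real system): syslog-style sshd messages
# prefixed with an ISO-8601 UTC timestamp. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2015-09-18T02:14:01Z host1 sshd[2001]: Failed password for alice from 203.0.113.7 port 51000 ssh2
2015-09-18T02:14:03Z host1 sshd[2001]: Failed password for alice from 203.0.113.7 port 51001 ssh2
2015-09-18T02:14:05Z host1 sshd[2001]: Failed password for alice from 203.0.113.7 port 51002 ssh2
2015-09-18T02:14:08Z host1 sshd[2001]: Failed password for alice from 203.0.113.7 port 51003 ssh2
2015-09-18T02:14:10Z host1 sshd[2001]: Failed password for alice from 203.0.113.7 port 51004 ssh2
2015-09-18T02:14:12Z host1 sshd[2001]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
2015-09-18T09:01:44Z host1 sshd[2100]: Failed password for bob from 198.51.100.2 port 40000 ssh2
2015-09-18T09:01:50Z host1 sshd[2100]: Accepted password for bob from 198.51.100.2 port 40001 ssh2
2015-09-18T23:30:00Z host1 sshd[2200]: Accepted publickey for carol from 192.0.2.9 port 42000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Turn one sshd log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(events, fail_threshold=5, window_seconds=300, business_hours=range(8, 18)):
    """Run two rules over time-ordered events and return a list of alert dicts.

    Rule 1 (failed_then_success): a successful login preceded by at least
    `fail_threshold` failures from the same (user, source) inside `window_seconds`.
    Rule 2 (off_hours_login): any successful login whose UTC hour is outside
    `business_hours`.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    for ev in events:
        key = (ev["user"], ev["src"])
        q = recent_failures[key]
        # Evict failures that have aged out of the sliding window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            continue
        # Successful login: correlate with the failure history, then check the hour.
        if len(q) >= fail_threshold:
            alerts.append({"rule": "failed_then_success", "user": ev["user"],
                           "src": ev["src"], "time": ev["ts"].isoformat(),
                           "failures": len(q)})
        q.clear()
        if ev["ts"].hour not in business_hours:
            alerts.append({"rule": "off_hours_login", "user": ev["user"],
                           "src": ev["src"], "time": ev["ts"].isoformat()})
    return alerts


def run_detection(log_text):
    """Parse a whole log and run the detection rules over the parsable lines."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return detect(events)


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields three alerts: alice's login after five failures, the same login as an off-hours event, and carol's late-evening key-based login. Bob's single failed attempt followed by a daytime success produces nothing, which is the point of thresholds and windows: they keep routine mistyped passwords out of the analyst's queue.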


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July, when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours: the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?
We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets such as signalling equipment into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?
All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?
Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?
Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational and, in this case, national objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m–£3.14m: average cost of worst security breaches to large organisations

£75k–£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type

                           Large organisations   Small organisations
Staff-related                     75%                   31%
Unauthorised outsider             69%                   38%
Denial of service attack          30%                   16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


How safe are your crown jewels?

No business would leave the office front door unguarded, but when it comes to access to their most valuable or sensitive information the door is often left wide open. It makes no sense, says Joe Jouhal, especially as there are new tools and techniques that will help slam the door shut

A few months ago a chain of Yorkshire tea shops found themselves in the spotlight because someone stole all their customers' information.

It's hard to think of a more unlikely target for a hack. But it happened. And Bettys had to apologise to all its customers, review its information security and, no doubt, spend many thousands of pounds trying to put things right.

This summer the cyber hacking finger of fate pointed at Carphone Warehouse. Before that, the high-profile hack was the US federal government's HR department, and a while back the name on all information security lips was Sony. And Target. And eBay. And Home Depot. And JPMorgan Chase.

When it comes to information security there is no typical victim. Anyone and everyone has the potential to enter the firing line. Next week it could be you.

How to protect yourself: start with your crown jewels

Companies today have an overflowing amount of information and multiple routes in to reach it. For many, the challenge is where to start. And our answer is always: begin with your crown jewels.

Step one is to decide what your company's crown jewels look like. What information constitutes the lifeblood of your business? What is secret, sensitive or potentially damaging?

Step two is to find it – all of it (which is trickier than you might think for many companies). Step three is to decide on which layers are needed to keep it safe.

There is no one single policy or piece of technology that will provide total protection, and a layered approach is recommended to business by the government's cyber and information security advisers at GCHQ.

In this unnerving and threatening landscape we need good old-fashioned perimeter prevention. But we need added layers of protection, detection, mitigation and a plan in place to put things right when they go wrong, too.

Six activities to help protect your crown jewels

1 Make detection part of your strategy

Many organisations have already been breached; they just don't know it yet. And the longer a threat sits within your systems, the more potential there is for damage (as Sony can testify). Detection can be a more expensive option. But if you can't afford to take the risk, it's a step you need to take. Detection systems such as Damballa Failsafe will give you the reassurance that anything that does get through will be dealt with as quickly and efficiently as possible, before it can do unimaginable and devastating damage.

2 Know where your sensitive data is (and protect it)

Many organisations don't know where their most sensitive data is held or who has access to it. This increases the risk and doesn't allow for proper risk assessment or threat mitigation. Nuix's Information Governance tool can solve this situation.

3 Look after your data when it's inside and outside your organisation

Today, in our interconnected world, our data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management such as Seclore FileSecure can allow you total control of your data, whether inside or outside your organisation.

4 Review and limit access arrangements

Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5 Protect the endpoint

Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6 Look seriously at insurance

Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Many and multiple devices can be the weak point in your security

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers

Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their “crown jewels”

Are you really protecting your crown jewels?

Organisations hold an abundance of information which is essential to their business but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:

• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role, such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc.

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management.

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote “New Statesman” when you book and the event will be free.

IN PARTNERSHIP WITH AVATU


A-Z OF CYBER SECURITY

are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.

Garry Sidaway is a senior vice-president at NTT Com Security

N is also for non-repudiation
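As an added example (not from the article or from NTT Com Security), here is the simplest form of the request-rate detection the entry describes, run over a constructed access log: it buckets requests per minute and, when a bucket exceeds a baseline rate, reports whether the surge comes from one address (DoS) or is spread across many (DDoS). The log lines, the per-minute threshold and the distinct-source threshold are all assumptions chosen for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample access log (not real traffic): "<RFC3339 time> <source IP> <request>".
// Minute 10:00 is ordinary traffic, 10:01 is a burst from a single address,
// and 10:02 is a burst of the same size spread over many addresses.
const sampleLog = `2015-09-18T10:00:03Z 203.0.113.5 GET /index.html
2015-09-18T10:00:17Z 198.51.100.7 GET /login
2015-09-18T10:00:41Z 192.0.2.9 GET /about
2015-09-18T10:01:00Z 198.51.100.7 GET /login
2015-09-18T10:01:01Z 198.51.100.7 GET /login
2015-09-18T10:01:02Z 198.51.100.7 GET /login
2015-09-18T10:01:03Z 198.51.100.7 GET /login
2015-09-18T10:01:04Z 198.51.100.7 GET /login
2015-09-18T10:01:05Z 198.51.100.7 GET /login
2015-09-18T10:02:00Z 192.0.2.10 GET /
2015-09-18T10:02:00Z 192.0.2.11 GET /
2015-09-18T10:02:01Z 192.0.2.12 GET /
2015-09-18T10:02:01Z 192.0.2.13 GET /
2015-09-18T10:02:02Z 192.0.2.14 GET /
2015-09-18T10:02:02Z 192.0.2.15 GET /
2015-09-18T10:02:03Z 192.0.2.16 GET /
2015-09-18T10:02:03Z 192.0.2.17 GET /`

// Verdict is the classification of one time window.
type Verdict struct {
	Start    time.Time
	Requests int
	Sources  int    // distinct source addresses seen in the window
	Kind     string // "normal", "dos" or "ddos"
}

// bucketise parses the log and returns, per window start, the request count by source address.
func bucketise(log string, window time.Duration) (map[time.Time]map[string]int, error) {
	buckets := map[time.Time]map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) == 0 {
			continue // blank line
		}
		if len(fields) < 3 {
			return nil, fmt.Errorf("malformed log line: %q", sc.Text())
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", sc.Text(), err)
		}
		start := ts.Truncate(window)
		if buckets[start] == nil {
			buckets[start] = map[string]int{}
		}
		buckets[start][fields[1]]++
	}
	return buckets, sc.Err()
}

// classify flags windows whose request count exceeds maxPerWindow (the baseline)
// and labels them "ddos" when at least minSources distinct addresses are involved,
// otherwise "dos". Verdicts are returned in time order.
func classify(log string, window time.Duration, maxPerWindow, minSources int) ([]Verdict, error) {
	buckets, err := bucketise(log, window)
	if err != nil {
		return nil, err
	}
	var out []Verdict
	for start, bySource := range buckets {
		v := Verdict{Start: start, Sources: len(bySource), Kind: "normal"}
		for _, n := range bySource {
			v.Requests += n
		}
		if v.Requests > maxPerWindow {
			v.Kind = "dos"
			if v.Sources >= minSources {
				v.Kind = "ddos"
			}
		}
		out = append(out, v)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Start.Before(out[j].Start) })
	return out, nil
}

func main() {
	verdicts, err := classify(sampleLog, time.Minute, 5, 5)
	if err != nil {
		panic(err)
	}
	for _, v := range verdicts {
		fmt.Printf("%s requests=%d sources=%d -> %s\n", v.Start.Format("15:04"), v.Requests, v.Sources, v.Kind)
	}
}
```

A real scrubbing service works on far larger volumes and compares against a learned baseline rather than a fixed number, but the DoS-versus-DDoS distinction it draws is the same: volume alone versus volume plus source spread.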

O is for outside threat

As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.

Garry Sidaway is a senior vice-president at NTT Com Security

O is also for offline attack

P is for password

The comedian John Oliver recently observed that cyber security is “the only reason we know our mother's maiden name”. The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.

Jon Bernstein

P is also for passive attack, personally identifiable information and phishing

Q is for quarantine

Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma


Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: “What training did you give your team?” An inadequate response to this question will influence the ultimate decision and potential enforcement and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide, but simply provide staff with an A4 sheet of paper stating “Staff must process personal data in accordance with the Data Protection Act”. Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme:

1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.

2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.

3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.

4 Ensure the training you provide is up to date and relevant to the task in hand. Provide real-life examples, such as “at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected”.

5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.

6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.

7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly, it is not a case of “if” you are a victim of a cyber attack but “when”, and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.

Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you're serious about cyber security?

What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase “We're very serious about cyber security” seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it.

Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses, and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – “we've always worked this way and we've been fine so far” is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim “we're very serious about cyber security”. Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers, take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear “we're very serious about cyber security”, look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.

Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.

Jon Bernstein

Q is also for quadrant and quality of service

R is for risk assessment

A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your “attack surface”.

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps such as automated vulnerability scans to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:

1 Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?

2 Is there a defined and regularly carried-out process for detecting an attack or an actual breach?

3 Is there a response plan for an attack, and does it actually work in practice?

Panos Dimitriou is chief technology officer and co-founder of the Encode Group

R is also for resilience and rogue devices

S is for Snowden, Edward

How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.

Jon Bernstein

S is also for spam, spoofing and spyware

T is for Target

If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost, too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one to three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.

Jon Bernstein

T is also for threat and Trojan Horse

U is for user

You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps:

1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.

2 Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.

3 Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.

4 Keep your computers and mobile devices updated and current.

Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access


V is for verification

Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted.

Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.

Kevin Bocek is a vice-president at Venafi

V is also for vulnerability and virus

W is for worm

The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.

Jon Bernstein

W is also for white team and wifi

X is for X-rated

Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. “We call these malicious advertisements ‘malvertising’,” he said. The website owners disputed the findings.

Jon Bernstein

X is also for X.509 Public Key Certificate

Y is for Generation Y

The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.

Christophe Birkeland is chief technical officer of malware analytics at Blue Coat

Y is also for you

Z is for zero day

A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malwares, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially by sending information about vulnerable software to the party responsible for its creation, so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero day for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero day as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.

Christophe Birkeland

Z is also for zombie


Cyber security: a must do for SMEs

For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: “It hasn't happened, so it's not a problem.” That is becoming suicidal. When “it” does happen it will be too late. If you are not ready, in a moment “it” becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners, too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, “it” is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others

To ind out more visit bronzeyecom

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK

The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers

Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience, at Ernst & Young

Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger, but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG

Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

"Total security is a futile concept"


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks

The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability

Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult, for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance: Do you have policies in place for users to follow?
• Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: Do you protect and monitor your IT infrastructure?
• Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkinsuklocktoncom

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, should have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so that only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course, passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but not be able to read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


2. "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman

PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches.

Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown

The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor

There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department

Catherine Askam

Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown

Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor

Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam

Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman

There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or indeed weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor

Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam

According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman

The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown

Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam

1. Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies, to avoid data or information being destroyed if a hacker accessed it.

John Berriman

1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown

1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are, to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor

1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July, when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them.

This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training. The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets such as signalling equipment into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m–£3.14m: average cost of worst security breaches to large organisations

£75k–£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: staff-related 75%; unauthorised outsider 69%; denial of service attack 30%

Small organisations: unauthorised outsider 38%; staff-related 31%; denial of service attack 16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


Join an Avatu seminar for senior professionals to discover more about the challenges faced by business and the ways in which leaders can put organisations back on the offensive by protecting their "crown jewels"

Are you really protecting your crown jewels?

Organisations hold an abundance of information which is essential to their business, but can also bring down chief officers and hit share prices if it gets into the wrong hands (through internet hackers or rogue/careless insiders).

But companies do not always understand or appreciate the full extent of the risk and how they can proactively mitigate it.

This free seminar for senior personnel will:
• Explore the risks from cyber and insider threats
• Discuss some of the proactive solutions to put you back on the front foot
• Hear from chiefs of well-known companies about how they protect their most valuable information and the lessons they have learned

Date: 22 October 2015
Venue: Institute of Directors, Pall Mall, London SW1
Suitable for people in senior positions, particularly those in a strategic role such as MDs, CEOs, CIOs, CISOs, CTOs, IT directors etc

Also suitable for senior people with direct responsibility for information security, information governance, IT or network security, cyber security or risk management

Joining fee: free to NS readers. Email cybersecurity@avatu.co.uk or phone 01296 621 121 to join or to find out more. Quote "New Statesman" when you book and the event will be free

data often has to be shared with people outside our systems. Don't make it easy for hackers and thieves to steal and share it. Information rights management, such as Seclore FileSecure, can allow you total control of your data, whether inside or outside your organisation.

4. Review and limit access arrangements
Removing admin rights can mitigate 97 per cent of Microsoft vulnerabilities.

5. Protect the endpoint
Access to company data through many and multiple devices can be a weak point in your security plan. Introducing technology such as Avecto's Defendpoint – which is already used by many banks, government agencies, aerospace companies and Formula 1 teams – will keep your devices secure but still easy to use.

6. Look seriously at insurance
Insurance will lessen the impact financially and will help mitigate cyber risks. It will give a financial cushion to help you deal with the fallout of an attack and encourage best risk-limiting practices.

Find out more at a one-day seminar for senior professionals. Free to New Statesman readers


A-Z OF CYBER SECURITY

are maintained to an acceptable level whenever there is disruption.

In cyber security this is typically when the service is under attack by an unusually high level of requests, or by incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems, and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.
Garry Sidaway is a senior vice-president at NTT Com Security
N is also for non-repudiation
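As an added example (not code from this supplement or from NTT Com Security), the following Python script shows the simplest form of the detection the entry describes: it counts requests per source per minute over a web access log and flags sources that exceed a rate limit or send mostly invalid requests. The log lines, the addresses (TEST-NET ranges, not real hosts) and the thresholds are all constructed for the demonstration.

```python
"""Per-source request-rate anomaly detection over a web access log.

Added example, not from the original page. Counts requests per
(source, minute) and flags sources that flood the service or send
mostly malformed requests. Thresholds and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined"-style line: src ident user [ts] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields the detector needs, or None for a line it cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return {
        "src": m.group("src"),
        "minute": ts.replace(second=0),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def bucket_by_source_minute(lines):
    """Count total and failed/malformed requests per (source, minute)."""
    buckets = defaultdict(lambda: {"total": 0, "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        b = buckets[(rec["src"], rec["minute"])]
        b["total"] += 1
        if rec["status"] >= 400 or not rec["req"]:
            b["errors"] += 1
    return buckets


def detect_flooders(lines, max_per_minute=20, error_ratio=0.5, min_sample=5):
    """Map each suspicious source to the reasons it was flagged.

    Assumed thresholds: more than `max_per_minute` requests in one minute,
    or at least `error_ratio` of `min_sample`-or-more requests being invalid."""
    findings = defaultdict(list)
    for (src, minute), b in sorted(bucket_by_source_minute(lines).items()):
        when = minute.strftime("%H:%M")
        if b["total"] > max_per_minute:
            findings[src].append(f"{b['total']} requests at {when} (limit {max_per_minute})")
        if b["total"] >= min_sample and b["errors"] / b["total"] >= error_ratio:
            findings[src].append(f"{b['errors']}/{b['total']} invalid requests at {when}")
    return dict(findings)


def _line(src, second, req="GET / HTTP/1.1", status=200):
    # Builds one constructed log line; TEST-NET addresses, not real hosts.
    return f'{src} - - [18/Sep/2015:10:00:{second:02d} +0100] "{req}" {status} 512'


# Constructed log: two ordinary clients, one flooder, one source sending junk.
SAMPLE_LOG = (
    [_line("192.0.2.10", s) for s in (1, 20, 45)]
    + [_line("192.0.2.11", s, "GET /about HTTP/1.1") for s in (5, 6, 30, 50)]
    + [_line("203.0.113.7", s) for s in range(60)]
    + [_line("198.51.100.9", s, req="", status=400) for s in range(8)]
    + [_line("198.51.100.9", s) for s in (10, 11)]
)

if __name__ == "__main__":
    for src, reasons in detect_flooders(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

Real scrubbing services work on flow records at network scale rather than on one server's log, and use adaptive baselines rather than fixed limits; the script keeps its thresholds as named parameters so a reader can see exactly which rule fired and tune it.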

O is for outside threat
As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person's or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.
Garry Sidaway is a senior vice-president at NTT Com Security
O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.
Jon Bernstein
P is also for passive attack, personally identifiable information and phishing
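As an added example, not from this supplement, the Python snippet below implements the kind of complexity policy the entry describes and the duplicate-use check that a password manager performs for you across accounts. The minimum length, the short common-password list and the sample accounts are constructed for the demonstration.

```python
"""Password-policy audit across a set of accounts.

Added example, not from the original page. Checks each password against
a length / character-class / common-password policy and reports any
password reused across accounts. All values below are constructed."""
import hashlib
import re
from collections import defaultdict

MIN_LENGTH = 12  # assumed value; the entry says only "longer"
# Constructed stand-in for a real list of known-breached passwords.
COMMON_PASSWORDS = {"password1234", "summer2015", "welcome1", "qwerty123456"}


def complexity_failures(password):
    """List the policy rules a password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("on common-password list")
    return failures


def _fingerprint(password):
    # Group by digest so the report itself never carries plaintext passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reused_passwords(accounts):
    """accounts: {account_name: password}; returns groups of accounts sharing one password."""
    groups = defaultdict(list)
    for name, password in accounts.items():
        groups[_fingerprint(password)].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def audit(accounts):
    """Per-account policy failures plus the reuse groups, as one report."""
    failures = {}
    for name, password in accounts.items():
        found = complexity_failures(password)
        if found:
            failures[name] = found
    return {"failures": failures, "reused": reused_passwords(accounts)}


# Constructed sample: what one person's set of accounts might look like.
SAMPLE_ACCOUNTS = {
    "email": "Correct-Horse-42",
    "bank": "Summer2015",
    "shop": "Summer2015",
    "forum": "summer2015",
    "social": "Password1234",
}

if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNTS)
    for name, found in report["failures"].items():
        print(f"{name}: {', '.join(found)}")
    for group in report["reused"]:
        print("same password used for:", ", ".join(group))
```

Note what the run shows: "Password1234" satisfies every character-class rule and is caught only by the common-password list, which is why a denylist of known-breached passwords does more than the mix-of-classes rules on their own, and why the reuse check matters regardless of how complex the shared password is.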

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma


Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide, but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme:

1. Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2. Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3. Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4. Ensure the training you provide is up to date and relevant to the task in hand. Provide real-life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".
5. Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6. Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7. Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.

Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you're serious about cyber security?

What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it.

Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of its Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.

Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service
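As an added example (not code from this supplement or from any anti-virus product), the Python module below shows the mechanics the quarantine entry describes: a suspect file is moved into a quarantine directory, stripped of all permissions so nothing can read or run it, and recorded with its hash and origin so it can later be released for analysis or destroyed. The directory layout, the sidecar format and the sample file are constructed.

```python
"""File quarantine: isolate a suspect file without destroying the evidence.

Added example, not from the original page or any anti-virus product.
Moves the file out of reach, removes its permissions, and writes a JSON
sidecar with hash and origin. Paths and the sample file are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_file(path, quarantine_dir, reason="suspected malware"):
    """Move `path` into `quarantine_dir`, drop all permissions, write a JSON sidecar.

    Returns the sidecar record. Hashing happens before the move so the record
    describes exactly the bytes that were isolated."""
    src = Path(path)
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    original = str(src.resolve())
    digest = sha256_file(src)
    size = src.stat().st_size
    # Store under the hash, not the original name, so the name cannot be acted on.
    dest = qdir / f"{digest}.quarantined"
    shutil.move(str(src), str(dest))
    os.chmod(dest, 0)  # nobody can read or execute it; root can still release it for analysis
    record = {
        "original_path": original,
        "quarantined_path": str(dest),
        "sha256": digest,
        "size": size,
        "reason": reason,
        "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(dest.with_suffix(".json"), "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return record


def list_quarantine(quarantine_dir):
    """Read back every sidecar record in the quarantine directory."""
    records = []
    for sidecar in sorted(Path(quarantine_dir).glob("*.json")):
        with open(sidecar, encoding="utf-8") as f:
            records.append(json.load(f))
    return records


def demo():
    """Quarantine a constructed, harmless file in a temp directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "invoice.pdf.exe"
        suspect.write_bytes(b"constructed sample, not real malware\n")
        qdir = Path(tmp) / "quarantine"
        record = quarantine_file(suspect, qdir, reason="double extension, flagged by scanner")
        dest = Path(record["quarantined_path"])
        return {
            "original_removed": not suspect.exists(),
            "quarantined_exists": dest.exists(),
            "mode_bits": dest.stat().st_mode & 0o777,
            "size": record["size"],
            "sha256": record["sha256"],
            "sidecar_matches": list_quarantine(qdir) == [record],
        }


if __name__ == "__main__":
    print(demo())
```

Keeping the hash in the sidecar is what lets the file later be matched against vendor signatures or submitted for analysis without anyone having to open it; deleting it outright would lose that evidence.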

R is or riskassessmentA broad set of steps that help an organisa-tion understand the likelihood implica-tions and potential damage resulting froma cyber attack Risk assessments should be carried out on a regular basis to coun-ter threats that take advantage of large

highly dynamic and complex IT environ-ments new technology vulnerabilitiesand evolving human processes ndash in otherwords your ldquoattack surfacerdquo

Risk assessments are often used to sup-port regulatory guidelines and include a broad series of activities These can rangefrom basic steps such as automated vul-nerability scans to more advanced as-sessment methods including replicatedattacks carried out by professional pen-etration testers These real-world attacksculminate in a comprehensive report of

how the attack was perpetrated and thepotential ensuing damage Such exerciseshighlight the exposure of your detectcontain and respond capabilities missingin traditional risk assessments

Consider these questions when con-templating a risk assessment1 Is there a set of security policies such asemployee internet and email usage thatmeets best-practice guidelines2 Is there a defined and regularly carried-out process for detecting an attack or anactual breach

3 Is there a response plan for an attack

and does it actually work in practicePanos Dimitriou is chief technology officerand co-founder of the Encode GroupR is also for resilience and rogue devices

S is orSnowden EdwardHowrsquos this for an ethical dilemma Whatwould you do if the only way to demon-

strate a breach of privacy and trust on anindustrial scale was to reveal highly con-fidential data In effect that is the pre-dicament Edward Snowden a former Na-tional Security Agency contractor faced before he leaked a raft of documents froma top-secret surveillance programmesanctioned by the US government

In early summer 2013 he shared the in-formation with a handful of journalistsSoon stories appeared in the New YorkTimes the Washington Post GermanyrsquosDer Spiegel and the Guardian in the UK

Snowden ndash a traitor to some a heroicwhistleblower to others ndash was charged ontwo counts under the Espionage Act 1917including wilful communication of clas-sified material to unauthorised personnel Jon BernsteinS is also for spam spoofingand spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one and three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps:
1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2 Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3 Protect your mobile devices with a strong PIN or passcode, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4 Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute
U is also for unauthorised access


V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer's security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. “We call these malicious advertisements ‘malvertising’,” he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malwares, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie


Cyber security: a must-do for SMEs
For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: “It hasn't happened, so it's not a problem.” That is becoming suicidal. When “it” does happen it will be too late. If you are not ready, in a moment “it” becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, “it” is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.
Bronzeye IBRM offers an affordable, subscription-based information and cyber security service to SMEs and others

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS
Where does the biggest threat lie? And what steps should organisations large and small take to mitigate risk? We ask our cyber specialists

“Total security is a futile concept”

1 How would you convince UK plc to take cyber security more seriously?

Catherine Askam
Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience, at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger, but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor
UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail
Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage breach crisis
• regulatory fines, proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance. Do you have policies in place for users to follow?
• Privacy culture. Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security. Do you protect and monitor your IT infrastructure?
• Data encryption tools. Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation. Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems. We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at max.perkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


“Keep calm and carry on” is not an option
Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, should have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's “crown jewels” is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of “keeping calm and carrying on” is not on the table.
Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


2 “The cyber security industry trades off people's fears – often unsubstantiated.” Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real, but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many, and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough, and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of “business as usual”.

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

“Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department”

3 Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind, by means of cyber exercises or resilience games, is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest, or indeed weakest, point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4 What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5 What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1 Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2 Review current security operations and invest in them to strengthen this area of your business.
3 Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1 Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2 They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3 They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1 Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2 Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3 Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1 Identify what data and processes are the most important to your business.
2 Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3 Put a long-term plan in place, using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap
It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when they released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and, in turn, result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts, such as Protection Group International (PGI), to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY


Cyber, cyber, cyber essentials
A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking just for the heck of it

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure
Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?
We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of its assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?
All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?
Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?
Infrastructure organisations are experts in understanding the whole life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and, consequently, to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threat to the delivery of organisational and, in this case, national objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers
Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)

90% of large organisations experience security breaches, up from 81% a year ago
74% of small businesses experience security breaches, up from 60% a year ago
£1.46m–£3.14m: average cost of worst security breaches to large organisations
£75k–£311k: average cost of worst security breaches to small businesses
50% of worst breaches caused by inadvertent human error

Security breach by type
Large organisations: staff-related 75%; unauthorised outsider 69%; denial of service attack 30%
Small organisations: staff-related, denial of service attack and unauthorised outsider, with the values 38%, 16% and 31% as laid out in the original chart


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCeL London


Cyber security skills for a digital future
The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)²

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

A-Z OF CYBER SECURITY

are maintained to an acceptable level whenever there is disruption.

In cyber security, this is typically when the service is under attack by an unusually high level of requests, or incorrect or invalid requests. This is usually characterised by a denial of service (DoS) attack launched from a large number of compromised systems and is known as a distributed denial of service attack (DDoS).

Network and service providers put in place technologies that detect this increase in requests and scrub the network to provide resilience and maintain services. They must also ensure that the applications are not vulnerable to attack.
Garry Sidaway is a senior vice-president at NTT Com Security
N is also for non-repudiation
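As an added illustration, not from the supplement or from NTT Com Security, the following Python applies the description above to constructed access-log lines: it flags a time window whose request count jumps far above the service's normal level or whose share of rejected requests is high, and labels the window DoS when one client dominates or DDoS when the load is spread across many sources. The log format, window size and thresholds are assumptions made for the example.

```python
"""Rate-based detection of request floods (DoS vs DDoS) over access-log lines.

Added example, not part of the original supplement. The log format
'<ISO timestamp> <client IP> <HTTP status>', the window size and the
thresholds below are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

WINDOW_SECONDS = 60         # bucket requests into one-minute windows
SPIKE_FACTOR = 5.0          # a window is a flood if it carries > 5x the baseline
INVALID_FRACTION = 0.3      # share of 4xx responses that marks "incorrect or invalid requests"
SINGLE_SOURCE_SHARE = 0.5   # one client above half the window = DoS, otherwise DDoS


def parse_line(line):
    """Parse '<ISO timestamp> <client IP> <HTTP status>' into (datetime, ip, status)."""
    ts, ip, status = line.split()
    # Timestamps are interpreted as UTC so window boundaries do not depend on local time.
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), ip, int(status)


def bucket_by_window(lines):
    """Group parsed requests into WINDOW_SECONDS buckets keyed by window start (epoch seconds)."""
    windows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, status = parse_line(line)
        start = int(ts.timestamp()) // WINDOW_SECONDS * WINDOW_SECONDS
        windows[start].append((ip, status))
    return dict(sorted(windows.items()))


def analyse_window(requests, baseline):
    """Return a finding for one window, or None if the window looks normal."""
    total = len(requests)
    per_source = Counter(ip for ip, _ in requests)
    invalid = sum(1 for _, status in requests if 400 <= status < 500)
    invalid_share = invalid / total if total else 0.0
    spike = baseline > 0 and total > SPIKE_FACTOR * baseline
    if not spike and invalid_share < INVALID_FRACTION:
        return None
    top_ip, top_count = per_source.most_common(1)[0]
    # A single dominant client is a plain DoS; many small contributors is the
    # distributed pattern the glossary entry describes.
    kind = "DoS" if top_count / total > SINGLE_SOURCE_SHARE else "DDoS"
    return {
        "kind": kind,
        "total": total,
        "baseline": baseline,
        "sources": len(per_source),
        "invalid_share": round(invalid_share, 2),
        "top_source": top_ip,
    }


def detect_floods(log_text, baseline=None):
    """Analyse every window in log_text and return {window_start: finding}.

    baseline defaults to the median per-window request count, so a steady
    service sets its own normal level; pass an explicit value for short logs.
    """
    windows = bucket_by_window(log_text.splitlines())
    if baseline is None:
        baseline = median(len(r) for r in windows.values()) if windows else 0
    findings = {}
    for start, requests in windows.items():
        finding = analyse_window(requests, baseline)
        if finding:
            findings[start] = finding
    return findings


def make_sample_log():
    """Constructed sample: two quiet minutes, then a distributed flood of half-malformed requests."""
    lines = []
    for minute in (0, 1):                       # normal traffic: five clients, all 200 OK
        for i in range(5):
            lines.append(f"2015-09-18T10:0{minute}:{i * 10:02d} 203.0.113.{i + 1} 200")
    for i in range(20):                         # flood: 20 compromised hosts, two requests each,
        for j in range(2):                      # half of them rejected with 400 Bad Request
            status = 400 if j == 0 else 200
            lines.append(f"2015-09-18T10:02:{(i * 2 + j):02d} 198.51.100.{i + 1} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    for start, finding in detect_floods(make_sample_log()).items():
        print(datetime.fromtimestamp(start, tz=timezone.utc).isoformat(), finding)
```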

O is for outside threat
As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.
Garry Sidaway is a senior vice-president at NTT Com Security
O is also for offline attack

P is for password
The comedian John Oliver recently observed that cyber security is "the only reason we know our mother's maiden name". The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities, many companies insist on the use of more complex passwords – longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures from the credit-checking agency Experian, we have an average of 26 online accounts at any one time. Duplicate use of passwords and scribbled reminders on Post-it notes are an inevitable consequence. While two-factor authentication can help mitigate misuse, biometrics and other forms of identity management appear to be likely rivals to the alphanumeric password. Nevertheless, no solution is entirely safe – or foolproof.
Jon Bernstein
P is also for passive attack, personally identifiable information and phishing

Q is for quarantine
Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus.

Anti-virus software and tools will

Edward Snowden: the ultimate breach-of-privacy dilemma


Seven steps to effective training
Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach

In the event of a significant data breach – due to a cyber attack, malicious act, negligence or human error – the Information Commissioner's Office (ICO) will conduct an investigation. The commissioner will want to know what action you took to protect the personal data entrusted into your care and what you did to mitigate any loss, damage or distress to the data subject.

As part of the investigation, the ICO will ask: "What training did you give your team?" An inadequate response to this question will influence the ultimate decision and potential enforcement and possible monetary penalties.

We have conducted many compliance reviews and audits, and often company guidelines, training and policy documentation are not fit for purpose. Many organisations are aware that they need a data protection policy or training guide, but simply provide staff with an A4 sheet of paper stating "Staff must process personal data in accordance with the Data Protection Act". Some elaborate by listing the eight principles.

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme:

1 Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.
2 Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.
3 Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.
4 Ensure the training you provide is up to date and relevant to the task in hand. Provide real-life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".
5 Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.
6 Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.
7 Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly, it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.

Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more, visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you're serious about cyber security?
What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

Stuart J Green, digital engineering

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it. Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers, we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now, that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers take heed.

Cyber Essentials is in its early days butmore and more organisations are feelingthe benefit of going through the processof attaining the certification Even thosewith ISO 27001 find the process revealssomething they didnrsquot know about theirorganisation and they see the value in theprocess Cyber Essentials is the one ele-

ment that we should be insistent abouthaving in our supply chains

So the next time you hear ldquowersquore veryserious about cyber securityrdquo look forthat Cyber Essentials badge Those whoare will have it and can prove how seriousthey are Those who arenrsquot Theyrsquore prob-ably speaking after a cyber attack lStuart Green is managing director ofStuart J Green Digital Engineering Ltdan information security specialist

To find out more, visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD

quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps such as automated vulnerability scans to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1 Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2 Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3 Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one and three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps:
1 Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2 Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem: consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3 Protect your mobile devices with a strong PIN or passcode, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4 Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access


V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malware, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie

Cyber security: a must-do for SMEs

For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

1 How would you convince UK plc to take cyber security more seriously?

Catherine Askam
Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromise and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience, at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change and the cyber threats that come with it are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor
UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that if subject to a cyber breach they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.


Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance: Do you have policies in place for users to follow?
• Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: Do you protect and monitor your IT infrastructure?
• Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkinsuklocktoncom

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course passwords should also be as strong as possible.

Encryption is great but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS

2 "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable or fail to prepare adequately, and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3 Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind, by means of cyber exercises or resilience games, is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or indeed weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate

The risk is very real but can be man-aged without detrimentally impactingoperations where a business-centred ap-proach is adopted

Paul TaylorTherersquos a great deal of scaremongering out

there that isnrsquot necessarily helpful The

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 263418-24 SEPTEMBER 2015 | NEW STATESMAN | 983090983093

5 What three stepsshould businessestake now in order toimprove their owncyber security

Catherine Askam1 Fix the basics such as passwords andupdate security patching and new joinermover and leaver processes2 Review current security operations andinvest in them to strengthen this area ofyour business3 Focus on prevention in addition tohow you would respond to an attack forexample threat intelligence (detectingthe methods of hackers and using thisintelligence to plan responses) and data-destruction protection such as technol-

ogy or insurance policies to avoid data orinformation being destroyed if a hackeraccessed it

John Berriman1 Organisations need to accept breacheswill happen and put in place controls toprotect systems with additional securityfor the assets that matter most2 They need to make sure that theyare investing effectively in cyber secu-rity That means focusing investment onpreventing detecting and responding

to breaches When organisations invest

training poor security awareness or gen-eral negligence can lead to breaches just asreadily as hackers and criminals

Employee awareness is a difficult areafor information security and many organ-isations struggle to get it right

4 What singlestatistic should actas a wake-up callto those who needconvincing

Paul Taylor

Every day we hear of new vulnerabilitiesattacks and incidents The Centre for Stra-tegic and International Studies estimatesthat the likely annual cost to the globaleconomy from cyber crime is between$375bn and $575bn These startling fig-ures are more than the national income ofmany countries

Catherine AskamAccording to CYRENrsquos 2015 CyberthreatYearbook the number of successful cyberattacks on businesses of all sizes increased

by 14 4 per cent between 2010 and 2014 Therefore cyber attacks are clearly agrowing concern for UK businesses Weoften say that itrsquos no longer a case of if youget hacked but when

John BerrimanThe average cost of the most severesecurity breaches for big business is nowpound146m according to PwC research Thatdoesnrsquot take into account the impact onan organisationrsquos reputation and relation-ship with its stakeholders Every organi-

sation needs to wake up to the very realthreats they face

Mark BrownCyber crime today is prevalent as a glob-al criminal industry Organisations arehacked daily but the scale of attacks isoften difficult to comprehend

During 2014 the biggest reported hackwas conducted by the Russian organised-crime gang CyberVor which capturedmore than 12 billion personal IDs ndash theequivalent of hacking the entire popula-

tion of India

Organisations are hacked every day but it can be difficult to comprehend the scale o cyber crime

appropriately upfront and align securitystrategy with business objectives theyprevent having to pay significantly largersums of money for breach responses at alater date3 They need to focus the entire organi-sation on thinking about risk setting thetone from the top

Mark Brown

1 Activate ndash make sure you switch on thedefences that exist and configure themproperly Failure to do this leaves youunnecessarily exposed to todayrsquos threats2 Adapt ndash analyse your business andunderstand what information makes youa target for cyber crime Personal dataand credit-card data are obvious targets but also think about IP and who yourcustomers and suppliers are to protectagainst threats3 Anticipate ndash get on the front foot andrehearse threat scenarios to understand

your organisational weaknesses If theyexist cyber criminals will find them ndash so better that you find and resolve them first

Paul Taylor1 Identify what data and processes are themost important to your business2 Undertake a cyber-maturity assess-ment to see where you are now Bench-mark yourself against your industry3 Put a long-term plan in place using a balance of internal resources and appro-priate help Donrsquot try to be 100 per cent

secure ndash thatrsquos simply not possible l
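Catherine Askam's answer to question 3 above says that security information and event-management tools catch insider mistakes and misuse by flagging irregular activity. As an added example that is not from the panel or from any product, here is the kind of rule set such a tool runs, in Python, over a constructed authentication and file-access log: a login outside working hours, a login from an address the user has never used before, and an unusually high number of file reads inside a short window. The log format, users, addresses and thresholds are all invented for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample log for the example (not a real capture). One event
# per line: ISO timestamp, user, event kind, source address, detail.
SAMPLE_LOG = """\
2015-09-14T09:02:11 alice login 10.1.2.15 ok
2015-09-14T09:15:40 alice file_read 10.1.2.15 /hr/payroll.xlsx
2015-09-14T09:30:05 bob login 10.1.2.22 ok
2015-09-14T10:02:17 bob file_read 10.1.2.22 /sales/q3.pptx
2015-09-15T08:58:03 alice login 10.1.2.15 ok
2015-09-15T09:10:00 bob login 10.1.2.22 ok
2015-09-15T09:12:30 bob file_read 10.1.2.22 /sales/pipeline.xlsx
2015-09-16T02:41:19 alice login 203.0.113.9 ok
2015-09-16T02:42:00 alice file_read 203.0.113.9 /hr/contracts/c001.pdf
2015-09-16T02:42:05 alice file_read 203.0.113.9 /hr/contracts/c002.pdf
2015-09-16T02:42:09 alice file_read 203.0.113.9 /hr/contracts/c003.pdf
2015-09-16T02:42:14 alice file_read 203.0.113.9 /hr/contracts/c004.pdf
2015-09-16T02:42:20 alice file_read 203.0.113.9 /hr/contracts/c005.pdf
2015-09-16T02:42:26 alice file_read 203.0.113.9 /hr/contracts/c006.pdf
"""

# Thresholds are assumptions for the example; a real deployment tunes them.
WORK_HOURS = (7, 20)                  # logins outside 07:00-19:59 are unusual
BULK_READS = 5                        # more than this many reads ...
BULK_WINDOW = timedelta(minutes=10)   # ... inside this window is unusual


class Event(NamedTuple):
    ts: datetime
    user: str
    kind: str
    source: str
    detail: str


class Alert(NamedTuple):
    rule: str
    user: str
    ts: datetime
    note: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed whitespace-separated format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, source, detail = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), user, kind, source, detail))
    return sorted(events, key=lambda e: e.ts)


def detect(text: str) -> List[Alert]:
    """Run three simple rules over the log in time order and return the alerts.
    Baselines (known sources, recent read rate) are learned from each user's
    own earlier events, so the first event for a user never alerts on its own."""
    alerts: List[Alert] = []
    known_sources = defaultdict(set)      # user -> addresses seen at login so far
    recent_reads = defaultdict(deque)     # user -> timestamps of reads in the window
    bulk_flagged = set()                  # one bulk alert per user, to avoid repeats

    for ev in parse_log(text):
        if ev.kind == "login":
            if not (WORK_HOURS[0] <= ev.ts.hour < WORK_HOURS[1]):
                alerts.append(Alert("off_hours_login", ev.user, ev.ts,
                                    f"login at {ev.ts.time()} from {ev.source}"))
            # A source is only "new" once the user has a history to compare with.
            if known_sources[ev.user] and ev.source not in known_sources[ev.user]:
                alerts.append(Alert("new_source", ev.user, ev.ts,
                                    f"first login from {ev.source}; known: "
                                    f"{sorted(known_sources[ev.user])}"))
            known_sources[ev.user].add(ev.source)
        elif ev.kind == "file_read":
            window = recent_reads[ev.user]
            window.append(ev.ts)
            while window and ev.ts - window[0] > BULK_WINDOW:
                window.popleft()          # drop reads that fell out of the window
            if len(window) > BULK_READS and ev.user not in bulk_flagged:
                bulk_flagged.add(ev.user)
                alerts.append(Alert("bulk_file_access", ev.user, ev.ts,
                                    f"{len(window)} reads in {BULK_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.rule:17} {a.user:6} {a.note}")
```

On the sample log only alice trips the rules: her 02:41 login is both off-hours and from an address she has never used, and the six contract reads that follow exceed the bulk threshold, while bob's routine activity produces nothing. Each alert carries the time, source and count, which is the context an analyst needs to contain an incident quickly; whether the cause was a stolen credential or a well-meaning employee copying files at night, the same rules surface it.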


IN PARTNERSHIP WITH PGI CYBER ACADEMY

To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report released by ISACA showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July, when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever-growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever-advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Photo caption: Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH DIGITAL ASSURANCE

Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is optional for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks (yes, yours: the one with password Post-it notes all over the monitor).

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

Cyber Essentials Plus is a comprehensive addition: it keeps the unauthenticated remote hacker's view and adds a test of how the internal estate stands up to an attacker trying to get malware and ransomware onto it.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001
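As an added example, not from Digital Assurance or from the scheme's own material, here is a small Python self-check that maps the five Cyber Essentials control areas listed above onto a constructed asset inventory: risky services reachable from the internet (boundary firewalls), vendor-default accounts still enabled (secure configuration), admin rights held outside an approved list (access control), hosts without anti-malware (malware protection), and out-of-support operating systems or critical/high fixes older than the 14-day window the scheme requires (patch management). The hosts, packages, dates, port list and approved-admin list are invented for the example; a real assessment would feed the check from scan and inventory data rather than a hand-written dictionary.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List

# The scheme's window for applying critical and high-severity fixes.
PATCH_WINDOW = timedelta(days=14)
# Assumption for the example: services that should never face the internet
# without a specific, documented business need.
RISKY_INBOUND = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}
# Assumption for the example: the only sanctioned administrative account.
APPROVED_ADMINS = {"ops-admin"}

# Constructed inventory (made-up hosts, packages and dates) in the shape a
# scanner or asset register might export.
INVENTORY = {
    "web-01": {
        "os": "Ubuntu 14.04", "os_supported": True, "antimalware": True,
        "default_accounts": [], "admin_users": ["ops-admin"],
        "internet_exposed_ports": [80, 443],
        "packages": [
            {"name": "openssl", "fix_released": "2015-08-20", "patched": True},
            {"name": "bash", "fix_released": "2015-08-25", "patched": False},
        ],
    },
    "hmi-03": {
        "os": "Windows XP", "os_supported": False, "antimalware": False,
        "default_accounts": ["admin"], "admin_users": ["ops-admin", "shiftlead"],
        "internet_exposed_ports": [3389],
        "packages": [
            {"name": "java", "fix_released": "2015-07-14", "patched": False},
        ],
    },
    "db-02": {
        "os": "Ubuntu 14.04", "os_supported": True, "antimalware": True,
        "default_accounts": [], "admin_users": ["ops-admin"],
        "internet_exposed_ports": [],
        "packages": [
            {"name": "postgresql", "fix_released": "2015-09-10", "patched": False},
        ],
    },
}


def assess(inventory: dict, today: date) -> Dict[str, List[str]]:
    """Map each host to its findings, each tagged with the control area it fails.
    Hosts with no findings are left out, so an empty dict means a clean pass."""
    findings = defaultdict(list)
    for host, h in inventory.items():
        add = findings[host].append
        # 1. Boundary firewalls and internet gateways
        for port in h["internet_exposed_ports"]:
            if port in RISKY_INBOUND:
                add(f"firewall: {RISKY_INBOUND[port]} ({port}) reachable from the internet")
        # 2. Secure configuration
        for acct in h["default_accounts"]:
            add(f"configuration: default account '{acct}' still enabled")
        # 3. Access control
        for user in h["admin_users"]:
            if user not in APPROVED_ADMINS:
                add(f"access control: unsanctioned admin '{user}'")
        # 4. Malware protection
        if not h["antimalware"]:
            add("malware protection: no anti-malware installed")
        # 5. Patch management: unsupported platforms get no fixes at all, and
        #    any outstanding critical/high fix older than the window fails.
        if not h["os_supported"]:
            add(f"patching: {h['os']} is out of support, no fixes available")
        for pkg in h["packages"]:
            if pkg["patched"]:
                continue
            age = today - date.fromisoformat(pkg["fix_released"])
            if age > PATCH_WINDOW:
                add(f"patching: {pkg['name']} fix is {age.days} days old, "
                    f"over the {PATCH_WINDOW.days}-day window")
    return {host: items for host, items in findings.items() if items}


def passes(inventory: dict, today: date) -> bool:
    """True only when no host has a finding in any of the five areas."""
    return not assess(inventory, today)


if __name__ == "__main__":
    for host, items in assess(INVENTORY, date(2015, 9, 14)).items():
        print(host)
        for item in items:
            print("  -", item)
```

Run on 14 September 2015 the check passes db-02 (its outstanding fix is four days old, still inside the window), fails web-01 on a single overdue bash fix, and fails hmi-03 on all five areas at once, which is the typical profile of an old shop-floor machine: unsupported operating system, a default account, remote desktop open to the internet, an extra admin and no anti-malware. The point of tagging each finding with its control area is that the output lines up directly with the questionnaire, so the remediation list and the evidence for the assessor are the same document.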

IN PARTNERSHIP WITH ATKINS

The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?
We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?
All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?
Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?
Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experienced security breaches, up from 81% a year ago
74% of small businesses experienced security breaches, up from 60% a year ago
£1.46m-£3.14m: average cost of the worst security breaches to large organisations
£75k-£311k: average cost of the worst security breaches to small businesses
50% of the worst breaches were caused by inadvertent human error

Security breach by type (share of organisations affected)

                          Large organisations   Small organisations
Staff-related                      75%                  31%
Unauthorised outsider              69%                  38%
Denial of service attack           30%                  16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)

It's time to develop your own Cyber Security capabilities

Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCeL London

IN PARTNERSHIP WITH (ISC)²

Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology, and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function, straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


In the event of a significant data breach ndashdue to a cyber attack malicious actnegligence or human error ndash the In-

formation Commissionerrsquos Office (ICO)will conduct an investigation The com-missioner will want to know what actionyou took to protect the personal data en-trusted into your care and what you did

to mitigate any loss damage or distress tothe data subject

As part of the investigation the ICOwill ask ldquoWhat training did you giveyour teamrdquo An inadequate response tothis question will influence the ultimatedecision and potential enforcement andpossible monetary penalties

We have conducted many compliancereviews and audits and often companyguidelines training and policy docu-mentation are not fit for purpose Manyorganisations are aware that they need a

data protection policy or training guide but simply provide staff with an A4 sheetof paper stating ldquoStaff must process per-sonal data in accordance with the DataProtection Actrdquo Some elaborate by listingthe eight principles

While any policy is better than none, this would fall far short of demonstrating to the ICO a commitment to protecting data. To help you, these are our top tips for creating an effective data protection training programme.

Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach.

1. Perform a privacy impact assessment (PIA) to understand what personal data you hold. This will tell you the nature of the information, where it is held and how securely. Crucially, it will identify the impact of a breach on the data subject.

2. Armed with the results of the PIA, decide what level of training you need to give your team members to protect this data.

3. Identify the different levels of responsibility and segment your training accordingly. It may be sufficient to train entry-level staff with little access to data using an e-learning package, or get them to watch one of the ICO's free training videos. Supervisors and managers may benefit from external courses such as our Level 2 Certificate in Data Protection. For Data Protection Officers and in-house trainers, longer residential courses may be suitable.

4. Ensure the training you provide is up to date and relevant to the task in hand. Provide real-life examples, such as "at Griffin House we ensure that information is fairly and lawfully obtained by giving a clear statement on our website before any data is collected".

5. Keep the training interesting and appropriate to the level of experience. For example, if you are training your reception team how to handle inbound telephone enquiries, try role-playing. Academic study has its place, but people tend to engage more when the training is personalised.

6. Keep records of your training. You will need to prove to the ICO that it was delivered; getting your employee to sign off the training record is best practice. Make data protection part of your new employee induction process and update the team at regular intervals.

7. Remember to tailor policies and provide training for all stakeholders who can access or influence your data flows, including volunteers, subcontractors and data processors. A data breach may not just result in the loss of personal information but also of commercially sensitive and confidential information.

Never underestimate the positive effect of culture in an organisation. If you instil a culture of good governance and actively encourage and praise best practice, your team will take ownership of compliance and seek out vulnerabilities, propose improvements and apply pressure to their peers to keep the organisation safe.

Training is a critical element in protecting your organisation, but even with all of these precautions, sadly, it is not a case of "if" you are a victim of a cyber attack but "when", and we therefore also recommend that organisations consider additional security regimes such as Cyber Essentials or ISO 27001.

Griffin House Consultancy is a data protection and information governance consultant, auditor and trainer

To find out more, visit griffinhouseconsultancy.co.uk

IN PARTNERSHIP WITH GRIFFIN HOUSE CONSULTANCY


So you're serious about cyber security?

What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it. Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds like a great place to be.

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about – marketers, take heed.

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation, and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.

Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more, visit sjgdigital.com

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.

Jon Bernstein

Q is also for quadrant and quality of service

R is for risk assessment

A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps, such as automated vulnerability scans, to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, which is missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:

1. Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2. Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3. Is there a response plan for an attack, and does it actually work in practice?

Panos Dimitriou is chief technology officer and co-founder of the Encode Group

R is also for resilience and rogue devices

S is for Snowden, Edward

How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon, stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.

Jon Bernstein

S is also for spam, spoofing and spyware

T is for Target

If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one and three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.

Jon Bernstein

T is also for threat and Trojan Horse

U is for user

You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.

1. Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2. Use strong passwords to secure your online accounts and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3. Protect your mobile devices with a strong PIN or passcode, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4. Keep your computers and mobile devices updated and current.

Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access


A-Z OF CYBER SECURITY

V is for verification

Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.

Kevin Bocek is a vice-president at Venafi

V is also for vulnerability and virus
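The signing-and-checking step the entry describes, as an added example written for this page rather than code from the New Statesman glossary or from Venafi. It builds a constructed root certification authority and a server certificate using only Go's standard library, then has a relying party verify the leaf against the CA's public key, the validity period and the expected host name. The CA name and the host name service.example.test are made up for the example.

```go
package main

// Added example: a constructed CA issues a leaf certificate and a relying
// party verifies it. Not code from the glossary or from Venafi; all names
// (the CA name, service.example.test) are invented.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh P-256 key pair and returns a certificate for it.
// With parent == nil the certificate is self-signed (a root CA); otherwise
// it is signed with parentKey, the private key behind parent.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key // self-signed: the template signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// BuildChain creates a constructed root CA and a server certificate that the
// CA has signed for the hypothetical host service.example.test.
func BuildChain() (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "service.example.test"},
		DNSNames:     []string{"service.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err = issue(leafTmpl, ca, caKey)
	return ca, leaf, err
}

// VerifyLeaf is the relying party's check from the entry: the trusted root's
// public key is used against the leaf's signature, and the validity dates,
// basic constraints and the name the certificate was issued for are checked.
func VerifyLeaf(leaf, root *x509.Certificate, hostname string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

func main() {
	ca, leaf, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine chain:", VerifyLeaf(leaf, ca, "service.example.test"))
	fmt.Println("wrong host:   ", VerifyLeaf(leaf, ca, "other.example.test"))
	rogue, _, _ := BuildChain() // a second, unrelated CA the relying party does not trust
	fmt.Println("untrusted CA: ", VerifyLeaf(leaf, rogue, "service.example.test"))
}
```

Run as is, the first verification succeeds and the other two fail: the certificate was not issued for the second name, and the unrelated CA's public key does not match the signature on the leaf. That third failure is exactly the check the entry describes, and it is also why a CA key that is not properly protected is so damaging: a certificate signed with it passes this test everywhere that CA is trusted, which is the subversion the entry warns about.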

W is for worm

The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer's security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.

Jon Bernstein

W is also for white team and wifi

X is for X-rated

Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.

Jon Bernstein

X is also for X.509 Public Key Certificate

Y is for Generation Y

The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.

Christophe Birkeland is chief technical officer of malware analytics at Blue Coat

Y is also for you

Z is for zero day

A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malware, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially by sending information about vulnerable software to the party responsible for its creation, so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.

Christophe Birkeland

Z is also for zombie


Cyber security: a must do for SMEs

For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen, it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners, too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable subscription-based information and cyber security service to SMEs and others

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

"Total security is a futile concept"

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK

The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers

Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience, at Ernst & Young

Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG

Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability

Also, they can now find cover for:
• consequential losses due to damage to business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring, and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance: Do you have policies in place for users to follow?
• Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: Do you protect and monitor your IT infrastructure?
• Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: Separation of networks, or at least of data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sale systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sale systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks are affecting businesses of all sizes and are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course, passwords should also be as strong as possible.
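Both the "two-step verification" advice in the U entry of the glossary and the "randomly generated PIN" second factor mentioned here are most often time-based one-time passwords, where the phone and the server each derive the same short-lived code from a shared secret and the clock. The following is an added example, not code from this article, from Digital Pathways or from the SANS entry: an RFC 6238 TOTP generator and the matching server-side check, written with Go's standard library. The 20-byte secret is the published RFC test vector rather than a real credential, and the 30-second step and six digits are the common defaults; both are assumptions of the example.

```go
package main

// Added example: time-based one-time passwords (RFC 6238 over the HOTP
// construction of RFC 4226). Not code from the article or its author.

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP derives a `digits`-long code from the shared secret and a counter:
// HMAC-SHA1 over the big-endian counter, dynamic truncation to 31 bits,
// then reduction modulo 10^digits, zero-padded.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 section 5.3)
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter set to the number of `step`-long periods
// since the Unix epoch, so a phone and a server with synchronised clocks
// compute the same code without anything being transmitted between them.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix()/int64(step/time.Second)), digits)
}

// ValidateTOTP is the server-side check. It tolerates `skew` periods of
// clock drift either side of its own time, and compares every candidate in
// constant time without returning early, so the timing of a rejection does
// not leak which digits matched or which window would have succeeded.
func ValidateTOTP(secret []byte, submitted string, at time.Time, step time.Duration, digits, skew int) bool {
	base := at.Unix() / int64(step/time.Second)
	ok := false
	for d := -int64(skew); d <= int64(skew); d++ {
		if base+d < 0 {
			continue
		}
		expected := HOTP(secret, uint64(base+d), digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret; constructed, not a real credential
	now := time.Now()
	code := TOTP(secret, now, 30*time.Second, 6)
	fmt.Println("current code:", code)
	fmt.Println("accepted:", ValidateTOTP(secret, code, now, 30*time.Second, 6, 1))
	fmt.Println("wrong code accepted:", ValidateTOTP(secret, "000000", now, 30*time.Second, 6, 1))
}
```

The check accepts one period either side of the server's clock so that a phone a few seconds adrift still works, which is why a skew of 1 is the usual choice and anything larger widens the guessing window. In a real deployment the server would also remember the last counter it accepted for each user and refuse anything at or below it, so that a code captured by one of the fake emails the article describes cannot be replayed within the same period.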

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine AskamCyber risk is often associated with high-profile cyber espionage rather than themore common reality of direct threatsto day-to-day activities The basics suchas regularly updating security softwareare often forgotten as a means to preventattacks The answer is not to stop wor-rying but to turn defences in the rightdirection Security officers should pri-oritise the training of employees to un-

derstand and prevent the security risksthe organisation faces instead of beingparalysed by the fear of being blamed inthe event of an incident

3 Internal orexternal wheredoes the biggestthreat to a irmrsquos

security lieAnd why

Mark BrownAlthough the actual threat remains thetechnical vulnerabilities exploited bythe cyber criminals the biggest riskis that most of these technical vulner-abilities are exploited in the first placedue to the actions of internal employees Well-intentioned but misinformed staff

continue to expose otherwise safe prac-

tices in an organisation therefore failureto provide continual education trainingand awareness to staff is a key risk

Notwithstanding internal aspects if acyber criminal wishes to break into a cor-porate organisation technical defences

alone are insufficient An ardent attackerwill attack an organisation until they findthe exposure

Paul TaylorBoth internal and external threats exist Itreally depends on the core business of thecompany you are dealing with The key isto take a holistic view of the threat ndash think-ing about who your adversaries might bewhat they might be after and the variousways they might achieve their goals

Moreover keeping the different aspects

of security in the front of your mind bymeans of cyber exercises or resiliencegames is a good way of making sure thatall relevant parts of the organisation canwork together to deal with any incidentIn short attackers wonrsquot respect yourstovepipes and you need to think

Catherine AskamEmployees and non-employees accessing buildings data and critical IT systems areprobably an organisationrsquos biggest threat

While malicious users may attack from

the inside of an internal system causinggreater harm than any cyber attack em-ployees could also make mistakes thatput the company at risk Security infor-mation and event-management tools canprevent these as they can flag up irregu-lar activity This leads to timely incidentdetection and containment

Smartphones are also becoming acyber-security minefield The ability tolog in automatically steal credentials and break into the back-end systems poses areal risk

John BerrimanTherersquos no doubt that external threatsregularly grab the headlines Maliciousthreats and breaches cause genuineserious and high-profile breaches Manyorganisations prioritise external threats but internal ones can be just as damag-ing Staff can be the strongest or indeedweakest point in the security chain

PwC research for the governmentfound that 75 per cent of large organisa-tions suffered staff-related breaches up

from 58 per cent a year ago Inadequate

2 ldquoThe cybersecurity industrytrades o peoplersquos

ears ndash otenunsubstantiatedrdquoDiscuss John BerrimanPwC research conducted for the govern-ment has shown that nine out of ten or-ganisations reported a cyber-security breach in the past year so the threat businesses face is very real The cyber-security industry is driven by the genuineexperiences of organisations that suffer

security breachesOthers are in denial about the extent towhich they are vulnerable or fail to pre-pare adequately and then find themselveshit by a major breach that causes serious business disruption

At PwC we are trying to make organi-sations more aware and better preparedThere is a lot that can be done to preventa breach becoming a serious issue thatcauses long-term and costly damage to a business its brand and reputation

Mark BrownThe fear aspect of cyber security is welldocumented but there are alternativeviewpoints A modern approach to view-ing the role of cyber security is evolving ndashone rooted in the heart of enterprise risk-management rather than compliance Asorganisations recognise that 100 per centsecurity is a futile concept a move to-wards cyber resilience is evolving wheredetection and response is as important ifnot more so than prevention

This change requires a new breed

of cyber-security professional one ascomfortable in the parlance of businessmanagement as technology and who cansell the concept of risk enablement ratherthan simply being seen as the inhibitorof progress

The risk is very real but can be man-aged without detrimentally impactingoperations where a business-centred ap-proach is adopted

Paul TaylorTherersquos a great deal of scaremongering out

there that isnrsquot necessarily helpful The

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 263418-24 SEPTEMBER 2015 | NEW STATESMAN | 983090983093

5 What three stepsshould businessestake now in order toimprove their owncyber security

Catherine Askam1 Fix the basics such as passwords andupdate security patching and new joinermover and leaver processes2 Review current security operations andinvest in them to strengthen this area ofyour business3 Focus on prevention in addition tohow you would respond to an attack forexample threat intelligence (detectingthe methods of hackers and using thisintelligence to plan responses) and data-destruction protection such as technol-

ogy or insurance policies to avoid data orinformation being destroyed if a hackeraccessed it

John Berriman1 Organisations need to accept breacheswill happen and put in place controls toprotect systems with additional securityfor the assets that matter most2 They need to make sure that theyare investing effectively in cyber secu-rity That means focusing investment onpreventing detecting and responding

to breaches When organisations invest

training poor security awareness or gen-eral negligence can lead to breaches just asreadily as hackers and criminals

Employee awareness is a difficult areafor information security and many organ-isations struggle to get it right

4 What singlestatistic should actas a wake-up callto those who needconvincing

Paul Taylor

Every day we hear of new vulnerabilitiesattacks and incidents The Centre for Stra-tegic and International Studies estimatesthat the likely annual cost to the globaleconomy from cyber crime is between$375bn and $575bn These startling fig-ures are more than the national income ofmany countries

Catherine AskamAccording to CYRENrsquos 2015 CyberthreatYearbook the number of successful cyberattacks on businesses of all sizes increased

by 14 4 per cent between 2010 and 2014 Therefore cyber attacks are clearly agrowing concern for UK businesses Weoften say that itrsquos no longer a case of if youget hacked but when

John BerrimanThe average cost of the most severesecurity breaches for big business is nowpound146m according to PwC research Thatdoesnrsquot take into account the impact onan organisationrsquos reputation and relation-ship with its stakeholders Every organi-

sation needs to wake up to the very realthreats they face

Mark BrownCyber crime today is prevalent as a glob-al criminal industry Organisations arehacked daily but the scale of attacks isoften difficult to comprehend

During 2014 the biggest reported hackwas conducted by the Russian organised-crime gang CyberVor which capturedmore than 12 billion personal IDs ndash theequivalent of hacking the entire popula-

tion of India

Organisations are hacked every day but it can be difficult to comprehend the scale o cyber crime

appropriately upfront and align securitystrategy with business objectives theyprevent having to pay significantly largersums of money for breach responses at alater date3 They need to focus the entire organi-sation on thinking about risk setting thetone from the top

Mark Brown

1 Activate ndash make sure you switch on thedefences that exist and configure themproperly Failure to do this leaves youunnecessarily exposed to todayrsquos threats2 Adapt ndash analyse your business andunderstand what information makes youa target for cyber crime Personal dataand credit-card data are obvious targets but also think about IP and who yourcustomers and suppliers are to protectagainst threats3 Anticipate ndash get on the front foot andrehearse threat scenarios to understand

your organisational weaknesses If theyexist cyber criminals will find them ndash so better that you find and resolve them first

Paul Taylor1 Identify what data and processes are themost important to your business2 Undertake a cyber-maturity assess-ment to see where you are now Bench-mark yourself against your industry3 Put a long-term plan in place using a balance of internal resources and appro-priate help Donrsquot try to be 100 per cent

secure ndash thatrsquos simply not possible l


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July, when they released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state of the art Cyber Academy based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees, or sitting at your desks. (Yes, yours: the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adapted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour, and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset by asset basis to ensure the threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

• 90% of large organisations experience security breaches, up from 81% a year ago
• 74% of small businesses experience security breaches, up from 60% a year ago
• £1.46m–£3.14m: average cost of worst security breaches to large organisations
• £75k–£311k: average cost of worst security breaches to small businesses
• 50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: 75% staff-related; 69% unauthorised outsider; 30% denial of service attack
Small organisations: 31% staff-related; 38% unauthorised outsider; 16% denial of service attack

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements, and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


digital engineering

Stuart J Green

The phrase "We're very serious about cyber security" seems to have become a standard party line. Usually this statement follows a very public announcement of a breach or cyber attack, or when shortcomings have been highlighted in a gap analysis and an organisation is about to justify doing nothing about it.

Yes, you read that right. Some organisations will pay for a gap analysis to highlight their vulnerabilities and weaknesses, and then will simply do nothing about it. Why? Sometimes it's the perceived cost of rectifying the problems. Sometimes there are personalities within the organisation (often the finance director or IT manager) who strongly object to the independent findings and block any subsequent action. Often, though, it's because the organisation just doesn't get it – "we've always worked this way and we've been fine so far" is often a closing remark.

With larger and more sophisticated cyber attacks now being reported on at least a monthly basis (Ashley Madison, Carphone Warehouse and so on), as consumers we want to know that the companies that we are dealing with are protecting our identities and any information that they hold on us. As consumers we are becoming more savvy, with higher expectations.

Why, then, do a vast majority of small and medium-sized enterprises forget this when they deal business-to-business? Why is supply chain security such an alien concept to some? An organisation's supply chain is vital to its existence, and it doesn't take an experience of the likes of Target to appreciate that.

Take the field of accountancy. Arguably there is an accountant or accountancy practice in every supply chain, and this professional area of expertise often remains unchallenged around how they are protecting data. Furthermore, this one profession appears to be the first to resist any form of change to protect themselves and their clients from cyber attack. Yet many claim "we're very serious about cyber security". Really? Prove it.

So, in the world of all things cyber, what can be done to strengthen a supply chain and combat this apparent apathy?

Well, the UK government has an answer to that in the form of their Cyber Essentials scheme. Launched in 2014, Cyber Essentials is a recognised certification that any organisation can attain, and it consists of a number of technical controls that can be easily implemented to strengthen an organisation against cyber attack. CESG, GCHQ's cyber advisory body, will be the first to point out that an organisation which meets the Cyber Essentials standard is resistant to around 80 per cent of common cyber attacks. Now that sounds

like a great place to be

What better way to demonstrate that yoursquore meeting the challenge than by havingsomeone independent assess your perormance asks Stuart Green

So yoursquore seriousabout cyber security

With two levels of certification Cy- ber Essentials and Cyber Essentials Plusorganisations can demonstrate that theyhave self-assessed or have been assessed by an independent auditor In this age ofconsumer cyber-enlightenment what better way to demonstrate that yoursquore

meeting the challenges of cyber threatshead on than by having someone inde-pendent come in and formally say what a jolly good job yoursquore doing Thatrsquos worthshouting about ndash marketers take heed

Cyber Essentials is in its early days butmore and more organisations are feelingthe benefit of going through the processof attaining the certification Even thosewith ISO 27001 find the process revealssomething they didnrsquot know about theirorganisation and they see the value in theprocess Cyber Essentials is the one ele-

ment that we should be insistent abouthaving in our supply chains

So the next time you hear ldquowersquore veryserious about cyber securityrdquo look forthat Cyber Essentials badge Those whoare will have it and can prove how seriousthey are Those who arenrsquot Theyrsquore prob-ably speaking after a cyber attack lStuart Green is managing director ofStuart J Green Digital Engineering Ltdan information security specialist

To ind out more visit

sjgdigitalcom

IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps, such as automated vulnerability scans, to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1. Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2. Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3. Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost, too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one to three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps:
1. Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2. Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem: consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3. Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4. Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute
U is also for unauthorised access


V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with the authority's private key. In order to verify the authenticity of a digital certificate, the user can obtain the certification authority's public key and use it against the certificate to determine if it was signed by that authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malware, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially by sending information about vulnerable software to the party responsible for its creation, so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie


Cyber security: a must-do for SMEs

For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs, it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen, it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners, too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable, subscription-based information and cyber security service to SMEs and others.

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

"Total security is a futile concept"

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam
Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience, at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor
UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage breach crisis
• regulatory fines, proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance. Do you have policies in place for users to follow?
• Privacy culture. Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security. Do you protect and monitor your IT infrastructure?
• Data encryption tools. Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation. Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems. We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at max.perkins@uk.lockton.com

Lockton is a global insurance broker. Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, should have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data or passwords and login details from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course passwords should also be as strong as possible.
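The "randomly generated PIN" form of second factor is usually a time-based one-time password (RFC 6238). As an added example, not from the article or from Digital Pathways, the Go below derives the code from a shared secret and the current 30-second time step, and shows the verifying side accepting one step of clock skew either way and comparing in constant time. The secret is the ASCII test key from the RFC 6238 appendix, used only so the output can be checked against the published vectors; in a deployment it is a per-user random secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// totp computes the 6-digit RFC 6238 code (HMAC-SHA1, 30-second steps)
// for a shared secret at the given Unix time.
func totp(secret []byte, unixTime int64) string {
	counter := uint64(unixTime / 30)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): take 4 bytes at the offset given
	// by the low nibble of the last byte, clear the sign bit, reduce mod 10^6.
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyCode is the server-side check of a submitted second factor. It accepts
// the code for the current step and one step either side (clock skew between
// phone and server) and compares in constant time so timing leaks nothing.
func verifyCode(secret []byte, submitted string, now int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		expected := totp(secret, now+skew*30)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed demo secret: the ASCII test key from RFC 6238 appendix B, so the
	// code printed for t=59 can be compared with the RFC's 8-digit value 94287082.
	secret := []byte("12345678901234567890")
	fmt.Println("code at t=59:", totp(secret, 59))
	fmt.Println("code now:", totp(secret, time.Now().Unix()))
	fmt.Println("accepts t=59 code 30 s later:", verifyCode(secret, totp(secret, 59), 89))
}
```

The window of one step either side is the usual compromise between tolerating slightly drifted phone clocks and keeping a captured code usable for only about 90 seconds; a server should additionally remember the last accepted step so the same code cannot be replayed within that window.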

Encryption is great but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


constantly evolving threat landscape pro-motes a feeling of vulnerability for manyand has resulted in some organisationsspending significant sums of money onineffective programmes with poor align-ment to risks and business imperatives

Cyber security is not achievable by a quicktechnical fix nor is it a matter solely forthe IT department

We often see that these behavioursleave leadership wondering what theyreally need to do how much is reallyenough and who they can trust to helpthem get it right

The reality is that cyber security is a business risk just like physical security Ifmeasures are put in place to deal with itthen businesses can mitigate and protectagainst future attacks as a matter of ldquobusi-

ness as usualrdquo

Catherine AskamCyber risk is often associated with high-profile cyber espionage rather than themore common reality of direct threatsto day-to-day activities The basics suchas regularly updating security softwareare often forgotten as a means to preventattacks The answer is not to stop wor-rying but to turn defences in the rightdirection Security officers should pri-oritise the training of employees to un-

derstand and prevent the security risksthe organisation faces instead of beingparalysed by the fear of being blamed inthe event of an incident

3 Internal orexternal wheredoes the biggestthreat to a irmrsquos

security lieAnd why

Mark BrownAlthough the actual threat remains thetechnical vulnerabilities exploited bythe cyber criminals the biggest riskis that most of these technical vulner-abilities are exploited in the first placedue to the actions of internal employees Well-intentioned but misinformed staff

continue to expose otherwise safe prac-

tices in an organisation therefore failureto provide continual education trainingand awareness to staff is a key risk

Notwithstanding internal aspects if acyber criminal wishes to break into a cor-porate organisation technical defences

alone are insufficient An ardent attackerwill attack an organisation until they findthe exposure

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or indeed weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate

2. "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The


5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1. Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest

training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies

It's time to close the knowledge gap, writes Matthew Olney

To fight cyber crime, first invest in closing the skills gap

and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always

IN PARTNERSHIP WITH PGI CYBER ACADEMY


evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts, such as Protection Group International (PGI), to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year


In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tin-foil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

Cyber, cyber, cyber essentials

arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


What is digital infrastructure?

We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

Despite the risks, there is room for optimism, argues Andrew Cooke

The threat to digital infrastructure

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational and, in this case, national objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make accessible the information they need to be available.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m–£3.14m: average cost of worst security breaches to large organisations

£75k–£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: 75% staff-related; 69% unauthorised outsider; 30% denial-of-service attack

Small organisations: 31% staff-related; 38% unauthorised outsider; 16% denial-of-service attack

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Cyber security skills for a digital future

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


quarantine a file if they are unsure of the provenance of the attack or simply unable to eliminate it (remember, the virus maker is always one step ahead of the virus eliminator). The quarantined file is often sent for analysis before being destroyed. This helps anti-virus software firms develop and update protocols to deal with similar attacks in the future.
Jon Bernstein
Q is also for quadrant and quality of service

R is for risk assessment
A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes – in other words, your "attack surface".

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps, such as automated vulnerability scans, to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, which is missing in traditional risk assessments.

Consider these questions when contemplating a risk assessment:
1. Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?
2. Is there a defined and regularly carried-out process for detecting an attack or an actual breach?
3. Is there a response plan for an attack, and does it actually work in practice?
Panos Dimitriou is chief technology officer and co-founder of the Encode Group
R is also for resilience and rogue devices

S is for Snowden, Edward
How's this for an ethical dilemma? What would you do if the only way to demonstrate a breach of privacy and trust on an industrial scale was to reveal highly confidential data? In effect, that is the predicament Edward Snowden, a former National Security Agency contractor, faced before he leaked a raft of documents from a top-secret surveillance programme sanctioned by the US government.

In early summer 2013 he shared the information with a handful of journalists. Soon stories appeared in the New York Times, the Washington Post, Germany's Der Spiegel and the Guardian in the UK.

Snowden – a traitor to some, a heroic whistleblower to others – was charged on two counts under the Espionage Act 1917, including wilful communication of classified material to unauthorised personnel.
Jon Bernstein
S is also for spam, spoofing and spyware

T is for Target
If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run up to Christmas 2013. Malware placed in the retailer's security and payments system extracted the names, addresses, phone numbers and email addresses of 70 million customers and obtained credit-card details of a further 30 million.

Reputational and financial damage followed. The attack had a human cost too: chief executive and chairman Gregg Steinhafel and chief information officer Beth Jacob both lost their jobs.

The winners? The hackers, who reportedly sold between one to three million of the credit-card numbers for $54m, and the technology suppliers who benefited from Target's subsequent multimillion-dollar investment in cyber security.
Jon Bernstein
T is also for threat and Trojan Horse

U is for user
You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.
1. Use common sense. If you receive an email message or phone call that seems odd, suspicious or too good to be true, it may be an attack.
2. Use strong passwords to secure your online accounts, and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.
3. Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.
4. Keep your computers and mobile devices updated and current.
Lance Spitzner is an instructor at the SANS Institute
U is also for unauthorised access


V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems and applications, and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it is signed with a private key. In order to verify the authenticity of a digital certificate, the user can obtain the public key and use it against the certificate to determine if it was signed by the certification authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus
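The issue-and-verify cycle described above, as an added example that is not part of the glossary entry or Venafi's own code: a certification authority signs a certificate with its private key, and a relying party checks that signature using nothing but the CA's certificate (public key), via Go's standard crypto/x509 library. It goes slightly beyond the text by also showing that an impostor CA with the same name but its own key, and a certificate altered after issuance, both fail the check; the CA and host names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed certification authority; its private key never leaves the CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issue is the CA's step: bind the holder's name and public key together and sign with the CA's private key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) ([]byte, error) {
	holderKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, &holderKey.PublicKey, caKey)
}

// verify is the user's step: parse the DER certificate and check its signature with only the CA's public key.
func verify(certDER []byte, ca *x509.Certificate) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	return cert.CheckSignatureFrom(ca)
}

// Demo reports whether verification succeeds against the genuine CA, against an
// impostor CA that reuses the name with a different key, and for a tampered certificate.
func Demo() (genuineOK, impostorOK, tamperedOK bool, err error) {
	ca, caKey, err := newCA("Example Root CA") // constructed name, not a real CA
	if err != nil {
		return
	}
	impostor, _, err := newCA("Example Root CA") // same name, different key pair
	if err != nil {
		return
	}
	host := "www.example.test" // constructed host name
	der, err := issue(ca, caKey, host)
	if err != nil {
		return
	}
	genuineOK = verify(der, ca) == nil
	impostorOK = verify(der, impostor) == nil
	// Alter one letter of the subject inside the signed body: still parseable, no longer what the CA signed.
	tampered := bytes.Replace(der, []byte(host), []byte("wwx.example.test"), 1)
	tamperedOK = verify(tampered, ca) == nil
	return
}

func main() {
	g, i, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine CA: %v, impostor CA: %v, tampered certificate: %v\n", g, i, t)
}
```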

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malwares, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially by sending information about vulnerable software to the party responsible for its creation, so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero day for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero day as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie


Cyber security: a must do for SMEs
For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. Much of the software doesn't work anyway, and they know it, he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen, it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.
Bronzeye IBRM offers an affordable, subscription-based information and cyber security service to SMEs and others
To find out more, visit bronzeye.com
IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS
Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam
Senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromise and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience, at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor
UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.

"Total security is a futile concept"

Cyber security makes good business sense and should be seen as an opportunity

Protection for when your defences fail
Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
- costs incurred to manage breach crisis
- regulatory fines, proceedings
- legal liability
Also, they can now find cover for:
- consequential losses due to damage of business reputation
- consequential losses due to interruptions in network operations

From an insurer's point of view
Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring, and the possibility of escalating claims. At the same time they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk
Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
- Privacy governance: Do you have policies in place for users to follow?
- Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
- Network security: Do you protect and monitor your IT infrastructure?
- Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
- Network segmentation: Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
- Point-of-sales systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com
Lockton is a global insurance broker
Visit lockton.com/cyber-and-technology
IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option
Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers, so only the rightful owners and those users, devices and applications that are authorised to access the data can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated pin or biometrics such as a fingerprint scan. And, of course, passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.
Colin Tankard is the managing director of Digital Pathways
To find out more, visit www.digpath.co.uk
IN PARTNERSHIP WITH DIGITAL PATHWAYS


2. "The cyber security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest, or indeed weakest, point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1. Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.

To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and, in turn, result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts, such as Protection Group International (PGI), to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International
Find out more about PGI at pgitl.com

Photo caption: Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY

Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees, or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.
For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE

The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?
We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?
All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?
Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?
Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational – and in this case national – objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins
To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS

FACTS AND FIGURES

Security breaches by numbers
• 90% of large organisations experience security breaches, up from 81% a year ago
• 74% of small businesses experience security breaches, up from 60% a year ago
• £1.46m–£3.14m: average cost of worst security breaches to large organisations
• £75k–£311k: average cost of worst security breaches to small businesses
• 50% of worst breaches caused by inadvertent human error

Security breach by type
Large organisations: 75% staff-related; 69% unauthorised outsider; 30% denial of service attack
Small organisations: 38%, 16% and 31% across staff-related, denial of service attack and unauthorised outsider (the extracted layout does not preserve which figure belongs with which label)

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)

Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCeL London

Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology, and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements, and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function, straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members
To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

A-Z OF CYBER SECURITY

V is for verification
Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems, applications and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it signs it with the authority's private key. To verify the authenticity of a digital certificate, the user obtains the certification authority's public key and uses it to check the signature on the certificate, which shows whether it really was signed by that authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.
Kevin Bocek is a vice-president at Venafi
V is also for vulnerability and virus
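The signing and checking described in this entry, as an added example that is not part of the original page or of Venafi's material: a Go program that uses only the standard crypto/x509 library to build a throwaway, in-memory PKI (a trusted root CA, a server certificate it issues, and an unrelated root standing in for a CA the client does not trust), then performs the relying party's check three times. Every name in it, including the hostname www.example.test and the two CA names, is a constructed placeholder, and the keys exist only for the lifetime of the process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoHost is a placeholder hostname constructed for this example.
const demoHost = "www.example.test"

// demoPKI is a throwaway in-memory PKI: trusted root, the leaf it issued, and an unrelated root.
type demoPKI struct {
	root, leaf, rogueRoot *x509.Certificate
}

// newKey generates a fresh P-256 key pair; the private half never leaves memory.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS random source is unavailable
	}
	return k
}

// makeCert builds a certificate for name holding pub. With isCA it is self-signed (a root);
// otherwise it is signed with priv, the issuing CA's private key, and chains to parent.
func makeCert(name string, isCA bool, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent = tmpl
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainst is the relying party's check: the signature on leaf must verify under the
// public key of a trusted root, the validity period must cover now, and the name must match.
func verifyAgainst(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// buildDemo constructs the throwaway PKI; none of the names is a real CA or host.
func buildDemo() (*demoPKI, error) {
	caKey, rogueKey := newKey(), newKey()
	root, err := makeCert("Example Trusted Root CA", true, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := makeCert(demoHost, false, root, &newKey().PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	rogue, err := makeCert("Unrelated Root CA", true, nil, &rogueKey.PublicKey, rogueKey)
	if err != nil {
		return nil, err
	}
	return &demoPKI{root: root, leaf: leaf, rogueRoot: rogue}, nil
}

func main() {
	p, err := buildDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted root, right host:", verifyAgainst(p.leaf, demoHost, p.root))
	fmt.Println("unrelated root:          ", verifyAgainst(p.leaf, demoHost, p.rogueRoot))
	fmt.Println("trusted root, wrong host:", verifyAgainst(p.leaf, "other.example.test", p.root))
}
```

A nil result (printed as `<nil>`) means the chain verified; the second and third checks fail with an unknown-authority error and a hostname-mismatch error respectively. That is the point of the entry: verification only proves that a key the client already trusts signed the certificate, so the whole scheme rests on the CA's private key staying private and on the client's list of trusted roots staying intact. A key or trust store that an intruder can alter defeats the check without any error being raised, which is why protecting keys and certificates is treated here as a control in its own right.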

W is for worm
The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access and then spread itself across the network without human intervention.

Some worms have a malicious payload attached that might delete or corrupt files, for example. Others do not. Nevertheless, the simple act of replication at speed can cause significant disruption. By consuming sufficient system memory or network bandwidth, it can degrade – or stop – web and network server or standalone computer access. An example of a payload-less worm was MyDoom, which hit Microsoft Windows PCs in 2004. It became the fastest-spreading email worm to date and caused significant disruption.
Jon Bernstein
W is also for white team and wifi

X is for X-rated
Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements 'malvertising'," he said. The website owners disputed the findings.
Jon Bernstein
X is also for X.509 Public Key Certificate

Y is for Generation Y
The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result, they are more tech-savvy and knowledgeable than previous generations. Generation Y employees are more aware of the cyber risks posed by new social, mobile and cloud technologies than older, probably management-level, colleagues.

According to a recent Blue Coat survey of the online behaviour of UK employees, 62 per cent of 18-to-24-year-olds take effective precautions against unauthorised access to their social media data on mobile apps. They routinely check the identities of strangers before connecting with them, according to the survey results. By contrast, only 33 per cent of 45-to-54-year-olds check requests before accepting invitations to connect.
Christophe Birkeland is chief technical officer of malware analytics at Blue Coat
Y is also for you

Z is for zero day
A zero-day vulnerability is a previously undisclosed and exploitable weakness in a computer application for which no security patches are publicly available. The term refers to how many days the vendor of the compromised software has known about the vulnerability. Zero-day attacks, or zero-day malware, are computer programs developed to exploit this.

Best practice is to disclose new vulnerabilities responsibly and confidentially, by sending information about vulnerable software to the party responsible for its creation so fixes can be made available before it is disclosed to the public.

However, there are individuals who identify and use zero days for financial, political or social gains. These agents include black-hat hackers, criminals and private companies who research, develop and sell zero-day vulnerabilities.

Some government agencies exploit zero days as part of their attempts to disrupt, degrade or disable a rival government's operations. A real-life use of a zero-day vulnerability was Stuxnet in 2010, which disabled uranium enrichment facilities in Iran.
Christophe Birkeland
Z is also for zombie

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 203400 MONTH 2014 | NEW STATESMAN | 9830899

bronzeyeIBRM

Cyber crime is a top priority saysthe government The police barelyscratch the surface of the problem

says the commissioner of the City of Lon-don Police Most cyber crimes we hearabout involve banks Perusing victim listsyou would be forgiven for thinking that

this is an American disease You would be wrong We are equally vulnerable andsuffer successful attacks just as frequently Wersquore just better at hiding it

Cyber crimes that make the news in-variably involve victims who have beennegligent ndash giving a conman banking de-tails he then uses to raid the bank accountfor example But where money goes walk-ies and financial companies canrsquot deter-mine how it has happened they refundthe losses and keep very quiet about it ndashusually under non-disclosure terms

Cyber security: a must-do for SMEs

For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. "Much of the software doesn't work anyway, and they know it," he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable, subscription-based information and cyber security service to SMEs and others. To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromise and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger, but more innovatively as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.

"Total security is a futile concept"


Cyber security makes good business sense and should be seen as an opportunity


Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is that many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage to business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring, and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate that you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance: Do you have policies in place for users to follow?
• Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: Do you protect and monitor your IT infrastructure?
• Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: Separation of networks, or at least of data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sale systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sale systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at max.perkins@uk.lockton.com

Lockton is a global insurance broker. Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers, so only the rightful owners and those users, devices and applications that are authorised to access the data can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course, passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways. To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS

2. "The cyber security industry trades on people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real, but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many, and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough, and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or indeed weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1. Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International. Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY


In todayrsquos reality of increasing cyberthreats the Cyber Essentials Schemeis the UK governmentrsquos endeavour to

help businesses and organisations securetheir digital assets by undergoing a secu-rity assessment Cyber Essentials is anoptional requirement for most businesses

unless you wish to bid for some govern-ment tenders when it becomes a manda-tory requirement

I must confess as a security consultantwith Digital Assurance when the CyberEssentials scheme was first launched in June 2014 I felt sceptical and somewhatdisenchanted certainly as a pen-tester anda fellow of the tin-foil hat brigade

Cyber Essentials was not a traditionalpen test that involved vigorous testingstaring at the only light emitting in theroom at 2am and wondering what can be

obtained from some odd memory leakvulnerability Neither was it a physicalsecurity test where we were sneakinginto your building and hiding ninja-like behind your employees or sitting at yourdesks (Yes yours the one with passwordPost-it notes all over the monitor )

And it certainly doesnrsquot include tryingto contemplate how to debug a carrsquos on- board computer over drinks with friendsat a local pub after successfully exploitingand unlocking said car remotely

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


What is digital infrastructure?

We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure that the threats to the delivery of organisational and, in this case, national objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m–£3.14m: average cost of worst security breaches to large organisations

£75k–£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: staff-related 75%; unauthorised outsider 69%; denial of service attack 30%

Small organisations: staff-related 31%; unauthorised outsider 38%; denial of service attack 16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)2


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


Cyber crime is a top priority, says the government. The police barely scratch the surface of the problem, says the commissioner of the City of London Police. Most cyber crimes we hear about involve banks. Perusing victim lists, you would be forgiven for thinking that this is an American disease. You would be wrong. We are equally vulnerable and suffer successful attacks just as frequently. We're just better at hiding it.

Cyber crimes that make the news invariably involve victims who have been negligent – giving a conman banking details he then uses to raid the bank account, for example. But where money goes walkies and financial companies can't determine how it has happened, they refund the losses and keep very quiet about it – usually under non-disclosure terms.

There are many companies whose security has been breached and had intellectual property stolen. Many will not know that this has happened, and for small to medium-sized enterprises (SMEs) that lost data may ultimately be a cause of their demise – and they will probably never know.

The cyber security industry paints itself as a superhero fighting off hackers. This is nonsense. It is a multibillion-dollar industry which relies on bad guys to stay lucrative, according to John Prisco, a man who has made it his mission to highlight its many failings. "Much of the software doesn't work anyway, and they know it," he says.

Hyperbole? Probably not. Scale and deep pockets are the primary drivers for vendors. They are much less interested in SMEs. They have herds of cash-cow solutions to sell, and they are going to sell them. The cumulative cost – hardware, software, licensing, people – quickly zooms out of the reach of most SMEs. For any company, the consequences of being insecure, getting hacked and subsequently deemed negligent are horrendous. And it is easy to get there. Goofing PCI compliance, which is pretty easy, equals big trouble – into Kerplunk territory for many. That's a real dichotomy for SMEs.

Things are changing. New laws create liability and dictate responsibility. Most regulations are written with big companies – primarily banks – in mind. Unfortunately, a law for one is a law for all, and compliance is a massive drain. It is meant to force enterprises to focus on their cyber security. For SMEs it quickly becomes a barrier. In response, many do nothing and hope for the best: "It hasn't happened, so it's not a problem." That is becoming suicidal. When "it" does happen it will be too late. If you are not ready, in a moment "it" becomes an insurmountable problem and you are probably going out of business.

Cyber security: a must-do for SMEs

For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye

Three-quarters of large breaches enter through third-party systems. Hackers know defences will be weaker here. Only about 15 per cent of larger businesses conduct meaningful checks on supply-chain cyber security.

Criminals work on risk/reward. Cyber criminals are criminals. Good cyber security increases hackers' risks and makes you less of a target – more attractive to customers and partners, too. Every enterprise can improve cyber protection – surprisingly inexpensively. Soon it will be a prerequisite to have excellent cyber security. Regulators will bear down on larger companies, who will simply pass the requirement on.

No one can guarantee that any system is unbreachable, but that doesn't mean doom and gloom. An engaged management that has identified the threat can create strong cyber defences through judicious use of resources and sensible governance. Then, when an intruder gets in, "it" is identified and removed promptly. This can be achieved for a budget within reach of all.

Einstein said that insanity was doing the same thing over and over again and expecting a different result. Let's cut the insanity and change the way we think.

Bronzeye IBRM offers an affordable, subscription-based information and cyber security service to SMEs and others

To find out more, visit bronzeye.com

IN PARTNERSHIP WITH BRONZEYE


VIEW FROM THE EXPERTS

1. How would you convince UK plc to take cyber security more seriously?

Catherine Askam, senior manager of cyber risk services at Deloitte UK
The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing, and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising – the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation, and the rise of the destruction of data, is very concerning.

John Berriman, chair of cyber security practice at PricewaterhouseCoopers
Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business; it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture, led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown, executive director, cyber security and resilience at Ernst & Young
Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change, and the cyber threats that come with it, are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Businesses should remember that cyber security is not just about threats; it also offers a tremendous opportunity for organisations to turn the challenge around. The risks associated with cyber security must not be viewed solely as a danger but, more innovatively, as opportunities for business to benefit by better leveraging technology. Cyber security can make good business sense, and those businesses embracing cyber opportunities stand to gain significant advantage over competitors in an ever more global marketplace.

Paul Taylor, UK head of cyber security practice at KPMG
Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.

Where does the biggest threat lie? And what steps should organisations large and small take to mitigate risk? We ask our cyber specialists

"Total security is a futile concept"


Cyber security makes good business sense and should be seen as an opportunity


Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is that many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines/proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance: do you have policies in place for users to follow?
• Privacy culture: are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: do you protect and monitor your IT infrastructure?
• Data encryption tools: encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems: we have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


The headlines may be about cyber war and digital Armageddon, but cyber attacks are affecting businesses of all sizes and are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated pin or biometrics such as a fingerprint scan. And of course passwords should also be as strong as possible.

"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

Encryption is great but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine AskamEmployees and non-employees accessing buildings data and critical IT systems areprobably an organisationrsquos biggest threat

While malicious users may attack from

the inside of an internal system causinggreater harm than any cyber attack em-ployees could also make mistakes thatput the company at risk Security infor-mation and event-management tools canprevent these as they can flag up irregu-lar activity This leads to timely incidentdetection and containment

Smartphones are also becoming acyber-security minefield The ability tolog in automatically steal credentials and break into the back-end systems poses areal risk

John BerrimanTherersquos no doubt that external threatsregularly grab the headlines Maliciousthreats and breaches cause genuineserious and high-profile breaches Manyorganisations prioritise external threats but internal ones can be just as damag-ing Staff can be the strongest or indeedweakest point in the security chain

PwC research for the governmentfound that 75 per cent of large organisa-tions suffered staff-related breaches up

from 58 per cent a year ago Inadequate

2 ldquoThe cybersecurity industrytrades o peoplersquos

ears ndash otenunsubstantiatedrdquoDiscuss John BerrimanPwC research conducted for the govern-ment has shown that nine out of ten or-ganisations reported a cyber-security breach in the past year so the threat businesses face is very real The cyber-security industry is driven by the genuineexperiences of organisations that suffer

security breachesOthers are in denial about the extent towhich they are vulnerable or fail to pre-pare adequately and then find themselveshit by a major breach that causes serious business disruption

At PwC we are trying to make organi-sations more aware and better preparedThere is a lot that can be done to preventa breach becoming a serious issue thatcauses long-term and costly damage to a business its brand and reputation

Mark BrownThe fear aspect of cyber security is welldocumented but there are alternativeviewpoints A modern approach to view-ing the role of cyber security is evolving ndashone rooted in the heart of enterprise risk-management rather than compliance Asorganisations recognise that 100 per centsecurity is a futile concept a move to-wards cyber resilience is evolving wheredetection and response is as important ifnot more so than prevention

This change requires a new breed

of cyber-security professional one ascomfortable in the parlance of businessmanagement as technology and who cansell the concept of risk enablement ratherthan simply being seen as the inhibitorof progress

The risk is very real but can be man-aged without detrimentally impactingoperations where a business-centred ap-proach is adopted

Paul TaylorTherersquos a great deal of scaremongering out

there that isnrsquot necessarily helpful The

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 263418-24 SEPTEMBER 2015 | NEW STATESMAN | 983090983093

5 What three stepsshould businessestake now in order toimprove their owncyber security

Catherine Askam1 Fix the basics such as passwords andupdate security patching and new joinermover and leaver processes2 Review current security operations andinvest in them to strengthen this area ofyour business3 Focus on prevention in addition tohow you would respond to an attack forexample threat intelligence (detectingthe methods of hackers and using thisintelligence to plan responses) and data-destruction protection such as technol-

ogy or insurance policies to avoid data orinformation being destroyed if a hackeraccessed it

John Berriman1 Organisations need to accept breacheswill happen and put in place controls toprotect systems with additional securityfor the assets that matter most2 They need to make sure that theyare investing effectively in cyber secu-rity That means focusing investment onpreventing detecting and responding

to breaches When organisations invest

training poor security awareness or gen-eral negligence can lead to breaches just asreadily as hackers and criminals

Employee awareness is a difficult areafor information security and many organ-isations struggle to get it right

4 What singlestatistic should actas a wake-up callto those who needconvincing

Paul Taylor

Every day we hear of new vulnerabilitiesattacks and incidents The Centre for Stra-tegic and International Studies estimatesthat the likely annual cost to the globaleconomy from cyber crime is between$375bn and $575bn These startling fig-ures are more than the national income ofmany countries

Catherine AskamAccording to CYRENrsquos 2015 CyberthreatYearbook the number of successful cyberattacks on businesses of all sizes increased

by 14 4 per cent between 2010 and 2014 Therefore cyber attacks are clearly agrowing concern for UK businesses Weoften say that itrsquos no longer a case of if youget hacked but when

John BerrimanThe average cost of the most severesecurity breaches for big business is nowpound146m according to PwC research Thatdoesnrsquot take into account the impact onan organisationrsquos reputation and relation-ship with its stakeholders Every organi-

sation needs to wake up to the very realthreats they face

Mark BrownCyber crime today is prevalent as a glob-al criminal industry Organisations arehacked daily but the scale of attacks isoften difficult to comprehend

During 2014 the biggest reported hackwas conducted by the Russian organised-crime gang CyberVor which capturedmore than 12 billion personal IDs ndash theequivalent of hacking the entire popula-

tion of India

Organisations are hacked every day but it can be difficult to comprehend the scale o cyber crime

appropriately upfront and align securitystrategy with business objectives theyprevent having to pay significantly largersums of money for breach responses at alater date3 They need to focus the entire organi-sation on thinking about risk setting thetone from the top

Mark Brown

1 Activate ndash make sure you switch on thedefences that exist and configure themproperly Failure to do this leaves youunnecessarily exposed to todayrsquos threats2 Adapt ndash analyse your business andunderstand what information makes youa target for cyber crime Personal dataand credit-card data are obvious targets but also think about IP and who yourcustomers and suppliers are to protectagainst threats3 Anticipate ndash get on the front foot andrehearse threat scenarios to understand

your organisational weaknesses If theyexist cyber criminals will find them ndash so better that you find and resolve them first

Paul Taylor1 Identify what data and processes are themost important to your business2 Undertake a cyber-maturity assess-ment to see where you are now Bench-mark yourself against your industry3 Put a long-term plan in place using a balance of internal resources and appro-priate help Donrsquot try to be 100 per cent

secure ndash thatrsquos simply not possible l


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when they released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprise up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training. The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists is vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state of the art Cyber Academy based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness, therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adapted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
- boundary firewalls and internet gateways
- secure configuration
- access control
- malware protection
- patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure? We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of its assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen? Infrastructure organisations are experts in understanding the whole life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset by asset basis to ensure the threat to the delivery of organisational and, in this case, national objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m–£3.14m: average cost of worst security breaches to large organisations

£75k–£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type        Large organisations   Small organisations
Staff-related                  75%                   31%
Unauthorised outsider          69%                   38%
Denial of service attack       30%                   16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


It's time to develop your own Cyber Security capabilities

Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security, or worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

VIEW FROM THE EXPERTS

1 How would youconvince UK plc totake cyber securitymore seriously

CatherineAskamSenior manager ofcyber risk servicesat Deloitte UK The recent large-scalecyber incidents havedemonstrated the in-

creased need for improved security in UKorganisations Cyber threats are growingand cyber attacks are moving from dis-ruptive to destructive

The UK has experienced many large-

scale point-of-sale compromise andcredit-card thefts but now wersquore alsoseeing new targeted attacks For examplethere have been large-scale compromisesof healthcare companies and hospitals forthe theft of personal records

This isnrsquot surprising ndash the personal-datatrading market is starting to generate realrewards for criminals The loss of datafrom any organisation and the rise of thedestruction of data is very concerning

John BerrimanChair of cyber security practice at

Pricewaterhouse-CoopersEvery organisationneeds to be confidentthat it is fit for the digi-tal age As they havecapitalised on new op-erating platforms the

amount of data they hold has increasedphenomenally Data is the lifeblood of a business it underpins its every relation-ship decision and interaction

Information is now a greater source ofcompetitive advantage than ever before but only if it is secure It is essential to cre-ate a risk-aware culture led from the topwith the boardroom showing it recognis-es the potential risks at the same time as itembraces opportunities for growth

Mark Brown

Executive direc-tor cyber securityand resilience atErnst amp YoungCyber threats remainone of the most sig-nificant risks facing

UK businesses today The blistering paceof technological change and the cyberthreats that come with it are only going toaccelerate The UK government has madecyber security one of its priorities so UKplc should need little convincing about

the seriousness of this threat

Businesses should remember that c ybersecurity is not just about threats it alsooffers a tremendous opportunity for or-ganisations to turn the challenge aroundThe risks associated with cyber securitymust not be viewed solely as a danger but more innovatively as opportunitiesfor business to benefit by better leverag-

ing technology Cyber security can makegood business sense and those businessesembracing cyber opportunities stand togain significant advantage over competi-tors in an ever more global marketplace

Paul Taylor
UK head of cyber security practice at KPMG

Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that, if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and – perhaps most importantly – losing customer confidence.

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask our cyber specialists.

"Total security is a futile concept"


Cyber security makes good business sense and should be seen as an opportunity.


Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability
Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring, and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult, for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance. Do you have policies in place for users to follow?
• Privacy culture. Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security. Do you protect and monitor your IT infrastructure?
• Data encryption tools. Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation. Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems. We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkinsuklocktoncom

Lockton is a global insurance broker.

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course, passwords should also be as strong as possible.

Encryption is great but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned, and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option for "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS

2 "The cyber-security industry trades off people's fears – often unsubstantiated." Discuss

John Berriman
PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately, and then find themselves hit by a major breach that causes serious business disruption.

At PwC, we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown
The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor
There's a great deal of scaremongering out there that isn't necessarily helpful. The constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives. Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3 Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown
Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor
Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind, by means of cyber exercises or resilience games, is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam
Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman
There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest, or indeed weakest, point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4 What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014, the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime.

5 What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1 Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2 Review current security operations and invest in them to strengthen this area of your business.
3 Focus on prevention in addition to how you would respond to an attack: for example, threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1 Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2 They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3 They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1 Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2 Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3 Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1 Identify what data and processes are the most important to your business.
2 Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3 Put a long-term plan in place, using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and, in turn, result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

IN PARTNERSHIP WITH PGI CYBER ACADEMY

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts, such as Protection Group International (PGI), to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state of the art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year.


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition, embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


What is digital infrastructure?

We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or SCADA) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make the risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment used to run enterprise client management and accounting systems. As a result the underlying computer systems are older, which means that their operating systems may no longer be supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These include not only what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

Despite the risks there is room for optimism, argues Andrew Cooke

The threat to digital infrastructure

How can we help make this happen? Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure the security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives, and of the security of the physical and information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives, and consequently to the assets needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure that threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not used exclusively in the design of new infrastructure and should be applied to legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

• 90% of large organisations experienced security breaches, up from 81% a year ago
• 74% of small businesses experienced security breaches, up from 60% a year ago
• £1.46m to £3.14m: average cost of the worst security breaches to large organisations
• £75k to £311k: average cost of the worst security breaches to small businesses
• 50% of the worst breaches were caused by inadvertent human error

Security breach by type

Large organisations: 75% staff-related, 69% unauthorised outsider, 30% denial-of-service attack
Small organisations: 31% staff-related, 38% unauthorised outsider, 16% denial-of-service attack

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own cyber security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCeL London


Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises of aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world, with an estimated 50 billion devices connected together by 2020, heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and lighting and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Cyber security skills for a digital future

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation of how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


Cyber security makes good business sense and should be seen as an opportunity


Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is that many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage a breach crisis
• regulatory fines and proceedings
• legal liability

They can also now find cover for:
• consequential losses due to damage to business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring, and the possibility of escalating claims. At the same time, they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries, so they know what the losses are for small, common breaches while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector has only five years of good loss data; compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate that you have strong defences and the capability to monitor your network and shut it down quickly if need be. More specifically, insurers will ask questions about:
• Privacy governance: do you have policies in place for users to follow?
• Privacy culture: are you making employees, vendors and other visitors to the organisation aware of privacy risks?

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Protection for when your defences fail

• Network security: do you protect and monitor your IT infrastructure?
• Data encryption tools: encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: separation of networks, or at least of data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sale systems: we have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing that it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sale systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


The headlines may be about cyber war and digital Armageddon, but cyber attacks affect businesses of all sizes and are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data and devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it were hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so that only the rightful owners, and those users, devices and applications authorised to access the data, can see it.

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

"Keep calm and carry on" is not an option

Businesses should also consider two-factor authentication, where users need more than a password to access essential data. The second factor can be a randomly generated PIN or a biometric, such as a fingerprint scan. And, of course, passwords should also be as strong as possible.

Encryption is great, but not enough on its own. Again, only those authorised to read the data should be able to decrypt it fully; for example, system administrators should be able to know that the data exists but not read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives.

Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam: Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3 Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown: Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor: Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat: thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind, by means of cyber exercises or resilience games, is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes and you need to think

Catherine Askam: Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat.

While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.
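As an added illustration of the kind of irregular-activity rule a SIEM applies to login records (example code written for this page, not part of the panel discussion or of any product): a small Python detector run over constructed OpenSSH-style auth log lines. The host name, user names and addresses are made up, and the thresholds and time window are assumptions that a real deployment would tune to its own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's auth.log format (not from any real system).
SAMPLE_LOG = """\
Sep 18 09:01:12 fileserver sshd[2101]: Accepted password for alice from 10.0.5.12 port 51022 ssh2
Sep 18 09:02:40 fileserver sshd[2105]: Failed password for root from 203.0.113.9 port 40110 ssh2
Sep 18 09:02:41 fileserver sshd[2105]: Failed password for root from 203.0.113.9 port 40110 ssh2
Sep 18 09:02:43 fileserver sshd[2107]: Failed password for admin from 203.0.113.9 port 40112 ssh2
Sep 18 09:02:44 fileserver sshd[2107]: Failed password for invalid user backup from 203.0.113.9 port 40113 ssh2
Sep 18 09:02:46 fileserver sshd[2109]: Failed password for bob from 203.0.113.9 port 40115 ssh2
Sep 18 09:02:50 fileserver sshd[2111]: Accepted password for bob from 203.0.113.9 port 40118 ssh2
Sep 18 09:15:03 fileserver sshd[2140]: Failed password for alice from 10.0.5.12 port 51030 ssh2
Sep 18 09:15:20 fileserver sshd[2142]: Accepted password for alice from 10.0.5.12 port 51031 ssh2
"""

# Syslog timestamp, host, sshd pid, then the outcome, user (optionally "invalid user") and source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2015):
    """Turn raw log text into (timestamp, result, user, ip) tuples; syslog
    omits the year, so it is supplied by the caller (assumed 2015 here)."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that are not password-auth results are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=2)):
    """Two correlation rules over a sliding per-source window.
    Rule 1: at least `threshold` failures from one IP inside `window` (guessing).
    Rule 2: a success from an IP with 3+ failures in the preceding window,
            the signature of guessing or a stolen credential that finally worked."""
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of its recent failures
    fired = set()                  # IPs already alerted on by rule 1
    for ts, result, user, ip in sorted(events):
        recent = [t for t in failures[ip] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in fired:
                alerts.append(f"BRUTE_FORCE {ip}: {len(recent)} failures within {window}")
                fired.add(ip)
        else:
            failures[ip] = recent
            if len(recent) >= 3:
                alerts.append(f"SUCCESS_AFTER_FAILURES {ip}: {user} logged in after {len(recent)} failures")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the bursts of failures from 203.0.113.9 trip the first rule and bob's subsequent success from the same address trips the second; alice's single mistyped password from the office network trips neither. The second alert is the one to page on: a success after a run of failures is much rarer than failure bursts alone and is where containment (locking the account, killing the session) pays off.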

John Berriman: There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or indeed the weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate

2 "The cyber security industry trades off people's fears, often unsubstantiated." Discuss.

John Berriman: PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown: The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving, one rooted in the heart of enterprise risk management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real, but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor: There's a great deal of scaremongering out there that isn't necessarily helpful. The


5 What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam:
1 Fix the basics, such as passwords, security patching and new joiner, mover and leaver processes.
2 Review current security operations and invest in them to strengthen this area of your business.
3 Focus on prevention in addition to how you would respond to an attack: for example, threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies, to avoid data or information being destroyed if a hacker accessed it.

John Berriman:
1 Organisations need to accept that breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2 They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest

training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4 What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor: Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam: According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman: The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown: Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs: the equivalent of hacking the entire population of India.

Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime

appropriately upfront and align security strategy with business objectives, they avoid having to pay significantly larger sums of money for breach responses at a later date.
3 They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown:
1 Activate: make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2 Adapt: analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP, and about who your customers and suppliers are, to protect against threats.
3 Anticipate: get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them, so better that you find and resolve them first.

Paul Taylor:
1 Identify what data and processes are the most important to your business.
2 Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3 Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure; that's simply not possible.


A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report released by ISACA showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July, when it released a report which showed that 90 per cent of large businesses in the country had suffered a security breach in 2014. Fortunately it appears that the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever-growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and, in turn, result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

It's time to close the knowledge gap, writes Matthew Olney

To fight cyber crime, first invest in closing the skills gap

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them.

This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever-advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

IN PARTNERSHIP WITH PGI CYBER ACADEMY

With the launch of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 of funding to team up with external experts, such as Protection Group International (PGI), to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

ldquoPlease stop saying whatever you haveand whatever thing you make is un-

hackable because yoursquore going to looksillyrdquo said a security expert at the BlackHat conference

If someone with some skills and a laptopcan hack into and take control of a car frommiles away then what is to prevent thesame from happening in the aviation andmaritime sectors

The maritime sector in particular has been found to be especially vulnerable tocyber threats In some cases the sector isten or even twenty years behind the curvewhen it comes to cyber defence

With the sector becoming increasinglyreliant on technology and the fact thatthe vast majority of the worldrsquos goodsare transported by sea the possibilitiesfor disruption by hackers or cyber ter-rorists is vast A hacker could send a shipoff course or disable it to make it an easytarget for piracy According to the Euro-pean Network and Information SecurityAgency (Enisa) awareness of cyber secu-rity in the maritime sector is currently lowto non-existent

Given the global importance of the sec-

tor this lack of awareness needs to change

ldquoNo one is immune from cyber threatsand there are many attacks aimed at themaritime sector on a daily basis Insuffi-cient investment in training and upgrad-

ing cyber security measures means thatthe sector is falling behind in the fast-paced world of cyber securityrdquo said BenSwindlehurst commercial developmentdirector at PGI

According to the InfoSec Institute theaviation industry is also struggling to fill ashortage of skilled cyber security profes-sionals With the industry hosting someof the most integrated and complex infor-mation and communications technologysystems on the planet it faces threats on amultitude of fronts

The leading threats to the aviation in-dustry range from phishing attacks toremote hijacking The implications of ahacker breaching an aeroplanersquos or an air-portrsquos security should send a cold shiverdown all of our spines

Without adequate numbers of newcyber security professionals we are allvulnerable to the acts of cyber criminalsand cyber terrorists It is a skills gap thatneeds to be filled and this is where PGIrsquosCyber Academy comes in

PGI aims to be a major contributor in

the struggle to close the skills gap in the

cyber sector At our state of the art CyberAcademy based in Bristol we implementour unique approach ldquoUnderstand testmonitor respond educate rdquo

All of our instructors are establishedcyber security professionals holding bothleading industry certificates and having awealth of real world experience Whetheryou are a small company or a largeorganisation we have the skills experi-ence and expertise to offer businesses andgovernments tailored solutions that willmake the difference in this information-enabled world

PGI believes in education and aware-ness therefore cyber security educationand training for both IT professionals and

non-IT executives stand at the core of our business Our world-class informationsecurity specialists certified against na-tional and international standards comefrom a multitude of backgrounds rang-ing from multinational corporations togovernment institutions We also operateon a global scale and believe in making theworld a safer place to do business lMatthew Olney is the communicationsofficer at Protection Group International

Find out more about PGI at

pgitlcom

Fiat Chryslerrsquos Jeep Cherokee was the subject o a hacking test earlier this year


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of its assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset by asset basis to ensure the threat to the delivery of organisational, and in this case national, objectives is mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago
74% of small businesses experience security breaches, up from 60% a year ago
£1.46m–£3.14m: average cost of worst security breaches to large organisations
£75k–£311k: average cost of worst security breaches to small businesses
50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: staff-related 75%; unauthorised outsider 69%; denial of service attack 30%
Small organisations: staff-related 31%; unauthorised outsider 38%; denial of service attack 16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


It's time to develop your own Cyber Security capabilities

Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)²

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

Protection for when your defences fail

Looking for comprehensive and inexpensive insurance? Max Perkins explains where to start

Businesses are beginning to realise the potential costs of a cyber breach, and they're asking us what they can do to protect themselves. We help them to understand their risks and what's in the insurers' minds, so they can address these issues and get the best cover possible.

Cyber insurance can offer businesses protection against a host of risks. The call from boards and shareholders for adequate insurance cover is growing. The good news is many insurers are offering cover or are in the process of building teams to assess and insure the risks.

Businesses can easily buy insurance to cover:
• costs incurred to manage breach crisis
• regulatory fines, proceedings
• legal liability

Also, they can now find cover for:
• consequential losses due to damage of business reputation
• consequential losses due to interruptions in network operations

From an insurer's point of view

Insurers are nervous. They are facing regulatory scrutiny over whether they can afford the risks they are insuring and the possibility of escalating claims. At the same time they are trying to maintain their profitability. As a consequence, the cost of insurance is going up.

To understand their exposures and the ripple effects of claims, underwriters constantly monitor claim trends. They look at the severity and frequency of cyber breaches across all industries. So they know what the losses are for small, common breaches, while being ready to pay for the hugely expensive catastrophes, which are relatively rare.

Unlike other types of insurance, generating predictable models for cyber losses is difficult for two reasons. First, the insurance sector only has five years of good loss data. Compare this to property insurers, who have losses dating back hundreds of years. And second, the risks constantly evolve, so data from five years ago may already be useless.

How to get the best insurance for your cyber risk

Insurers are trying to improve their understanding of the risks they are taking on from clients. They are asking for more and more information about how the business is run and how information is handled.

The key to finding inexpensive cover is to demonstrate you have strong defences and the capability to monitor your network and shut it down quickly if needs be. More specifically, insurers will ask questions about:
• Privacy governance: Do you have policies in place for users to follow?
• Privacy culture: Are you making employees, vendors and other visitors to the organisation aware of privacy risks?
• Network security: Do you protect and monitor your IT infrastructure?
• Data encryption tools: Encrypting data on portable electronics is now as important as having fire sprinklers in a building.
• Network segmentation: Separation of networks, or at least data, is important. Would you keep all of the money you have in the world stored in one place for someone to steal?
• Point-of-sales systems: We have all seen the problems with storing credit-card information.

We recently helped a large corporation avoid a 35 per cent increase in the cost of its insurance by showing it took privacy culture seriously. And a small business in Bristol was able to increase its insurance capacity from £5m to £15m by showing that it had put proper controls in place for its point-of-sales systems.

Max Perkins is a member of Lockton's global technology and privacy practice. He helps clients manage their professional liability, cyber, data breach and other risks that can damage their reputation. The team serves clients in Europe and the US. Recently the firm was asked to give evidence to the US Senate on cyber security on behalf of the insurance industry. Max Perkins can be contacted at maxperkins@uk.lockton.com

Lockton is a global insurance broker

Visit lockton.com/cyber-and-technology

IN PARTNERSHIP WITH LOCKTON


"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile, social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business use as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners and those users, devices and applications that are authorised to access the data can see it.

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course, passwords should also be as strong as possible.

Encryption is great but not enough on its own. Again, only those authorised to read the data should be able to decrypt the data fully – for example, system administrators should be able to know that the data exists but cannot read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS

983090983092 | NEW STATESMAN | 18-24 SEPTEMBER 2015

constantly evolving threat landscape pro-motes a feeling of vulnerability for manyand has resulted in some organisationsspending significant sums of money onineffective programmes with poor align-ment to risks and business imperatives

Cyber security is not achievable by a quicktechnical fix nor is it a matter solely forthe IT department

We often see that these behavioursleave leadership wondering what theyreally need to do how much is reallyenough and who they can trust to helpthem get it right

The reality is that cyber security is a business risk just like physical security Ifmeasures are put in place to deal with itthen businesses can mitigate and protectagainst future attacks as a matter of ldquobusi-

ness as usualrdquo

Catherine AskamCyber risk is often associated with high-profile cyber espionage rather than themore common reality of direct threatsto day-to-day activities The basics suchas regularly updating security softwareare often forgotten as a means to preventattacks The answer is not to stop wor-rying but to turn defences in the rightdirection Security officers should pri-oritise the training of employees to un-

derstand and prevent the security risksthe organisation faces instead of beingparalysed by the fear of being blamed inthe event of an incident

3 Internal orexternal wheredoes the biggestthreat to a irmrsquos

security lieAnd why

Mark BrownAlthough the actual threat remains thetechnical vulnerabilities exploited bythe cyber criminals the biggest riskis that most of these technical vulner-abilities are exploited in the first placedue to the actions of internal employees Well-intentioned but misinformed staff

continue to expose otherwise safe prac-

tices in an organisation therefore failureto provide continual education trainingand awareness to staff is a key risk

Notwithstanding internal aspects if acyber criminal wishes to break into a cor-porate organisation technical defences

alone are insufficient An ardent attackerwill attack an organisation until they findthe exposure

Paul TaylorBoth internal and external threats exist Itreally depends on the core business of thecompany you are dealing with The key isto take a holistic view of the threat ndash think-ing about who your adversaries might bewhat they might be after and the variousways they might achieve their goals

Moreover keeping the different aspects

of security in the front of your mind bymeans of cyber exercises or resiliencegames is a good way of making sure thatall relevant parts of the organisation canwork together to deal with any incidentIn short attackers wonrsquot respect yourstovepipes and you need to think

Catherine AskamEmployees and non-employees accessing buildings data and critical IT systems areprobably an organisationrsquos biggest threat

While malicious users may attack from

the inside of an internal system causinggreater harm than any cyber attack em-ployees could also make mistakes thatput the company at risk Security infor-mation and event-management tools canprevent these as they can flag up irregu-lar activity This leads to timely incidentdetection and containment

Smartphones are also becoming acyber-security minefield The ability tolog in automatically steal credentials and break into the back-end systems poses areal risk

John BerrimanTherersquos no doubt that external threatsregularly grab the headlines Maliciousthreats and breaches cause genuineserious and high-profile breaches Manyorganisations prioritise external threats but internal ones can be just as damag-ing Staff can be the strongest or indeedweakest point in the security chain

PwC research for the governmentfound that 75 per cent of large organisa-tions suffered staff-related breaches up

from 58 per cent a year ago Inadequate

2 ldquoThe cybersecurity industrytrades o peoplersquos

ears ndash otenunsubstantiatedrdquoDiscuss John BerrimanPwC research conducted for the govern-ment has shown that nine out of ten or-ganisations reported a cyber-security breach in the past year so the threat businesses face is very real The cyber-security industry is driven by the genuineexperiences of organisations that suffer

security breachesOthers are in denial about the extent towhich they are vulnerable or fail to pre-pare adequately and then find themselveshit by a major breach that causes serious business disruption

At PwC we are trying to make organi-sations more aware and better preparedThere is a lot that can be done to preventa breach becoming a serious issue thatcauses long-term and costly damage to a business its brand and reputation

Mark BrownThe fear aspect of cyber security is welldocumented but there are alternativeviewpoints A modern approach to view-ing the role of cyber security is evolving ndashone rooted in the heart of enterprise risk-management rather than compliance Asorganisations recognise that 100 per centsecurity is a futile concept a move to-wards cyber resilience is evolving wheredetection and response is as important ifnot more so than prevention

This change requires a new breed

of cyber-security professional one ascomfortable in the parlance of businessmanagement as technology and who cansell the concept of risk enablement ratherthan simply being seen as the inhibitorof progress

The risk is very real but can be man-aged without detrimentally impactingoperations where a business-centred ap-proach is adopted

Paul TaylorTherersquos a great deal of scaremongering out

there that isnrsquot necessarily helpful The


5 What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1 Fix the basics, such as passwords, security patching and new joiner, mover and leaver processes.
2 Review current security operations and invest in them to strengthen this area of your business.
3 Focus on prevention in addition to how you would respond to an attack: for example, threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1 Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2 They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest

training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security and many organisations struggle to get it right.

4 What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

"Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime"

appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3 They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1 Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2 Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3 Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1 Identify what data and processes are the most important to your business.
2 Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3 Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report released by ISACA showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of large businesses in the country had suffered a security breach in 2014. Fortunately it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always

IN PARTNERSHIP WITH PGI CYBER ACADEMY


evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas the researchers demonstrated how the attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state of the art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is optional for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure? We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control systems (including Scada) that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen? Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threats to the delivery of organisational, and in this case national, objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experienced security breaches, up from 81% a year ago
74% of small businesses experienced security breaches, up from 60% a year ago
£1.46m-£3.14m: average cost of worst security breaches to large organisations
£75k-£311k: average cost of worst security breaches to small businesses
50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: 75% staff-related; 69% unauthorised outsider; 30% denial-of-service attack
Small organisations: 31% staff-related; 38% unauthorised outsider; 16% denial-of-service attack

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills, or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)2

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

The headlines may be about cyber war and digital Armageddon, but cyber attacks affecting businesses of all sizes are on the increase. Criminals know that electronic crime offers fast returns with a much-reduced chance of being caught. The growth in cyber crime coincides with the explosion in the number of digital devices such as smartphones, laptops and tablets. Meanwhile social media and the web have become integral parts of life.

Yet many businesses are operating as if the data revolution hadn't happened. They face two challenges: their conventional defences against cyber attack are likely to be inadequate, and their employees are often unaware of the tricks that cyber criminals will use to get information.

Basic technical precautions are still important. Anti-virus software and server security patches should be applied, and email systems should, as a minimum, have spam filters. A firewall acting as a barrier between the outside world and the company is still a requirement. Important data or devices must be protected by strong passwords and subject to access controls to prevent accidental or deliberate leakage.

The problem is that such basics were designed for a different, more static business environment. The world has gone mobile, and the data along with it. Attackers know that many employees use their personal devices for business as well. They share emails across web-based email and download office documents to unprotected devices or cloud-based storage.

This means that increasing amounts of company data and access points exist outside the traditional company perimeter, way beyond the protection of the firewall.

Criminals are also adept at exploiting the vulnerability of employees through social engineering techniques. They send fake emails that look as if they originate from official bodies. These contain web links that, once clicked, may download malware designed to steal company data, or passwords and login details, from unsuspecting employees.

Hackers will obviously go after data that they can see on company servers, but what if it was hidden from prying eyes? After all, you can't hack what you can't see. Technology exists that can do just that and make data servers go dark. Such stealth technology puts a virtual cloak around servers so only the rightful owners, and those users, devices and applications that are authorised to access the data, can see it. Hiding a server reduces its exposure to opportunistic scanning; it does not remove the need to patch it and control who may log in, since an attacker who has compromised an authorised device sees exactly what that device sees.

"Keep calm and carry on" is not an option

Attitudes to data security must change if businesses are to guard against cyber attacks, writes Colin Tankard

Businesses should also consider two-factor authentication, where users need more than a password to access data that is essential. This can be in the form of a randomly generated PIN or biometrics such as a fingerprint scan. And of course passwords should also be as strong as possible.

Encryption is great but not enough on its own. Again, only those authorised to read the data should be able to decrypt it fully – for example, system administrators should be able to know that the data exists but not read it.

Effective business security is more than just a one-time fix. Protecting the company's "crown jewels" is an ongoing process and needs regular checks to ensure that the processes put in place are good enough to keep cyber attackers at bay.

According to research by Kaspersky Lab, a security firm, one-third of UK small businesses wouldn't know what to do if they suffered a security breach, while a quarter admit they wouldn't be able to recover any lost data.

All businesses need to get wiser about cyber security and think beyond simply spending more on an ad-hoc basis. Cyber defences need to be planned and technology choices made carefully.

With the sophistication of cyber criminal gangs increasing all the time, the option of "keeping calm and carrying on" is not on the table.

Colin Tankard is the managing director of Digital Pathways

To find out more, visit www.digpath.co.uk

IN PARTNERSHIP WITH DIGITAL PATHWAYS


VIEW FROM THE EXPERTS


constantly evolving threat landscape promotes a feeling of vulnerability for many and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives.

Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam
Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

3 Internal orexternal wheredoes the biggestthreat to a irmrsquos

security lieAnd why

Mark BrownAlthough the actual threat remains thetechnical vulnerabilities exploited bythe cyber criminals the biggest riskis that most of these technical vulner-abilities are exploited in the first placedue to the actions of internal employees Well-intentioned but misinformed staff

continue to expose otherwise safe prac-

tices in an organisation therefore failureto provide continual education trainingand awareness to staff is a key risk

Notwithstanding internal aspects if acyber criminal wishes to break into a cor-porate organisation technical defences

alone are insufficient An ardent attackerwill attack an organisation until they findthe exposure

Paul TaylorBoth internal and external threats exist Itreally depends on the core business of thecompany you are dealing with The key isto take a holistic view of the threat ndash think-ing about who your adversaries might bewhat they might be after and the variousways they might achieve their goals

Moreover keeping the different aspects

of security in the front of your mind bymeans of cyber exercises or resiliencegames is a good way of making sure thatall relevant parts of the organisation canwork together to deal with any incidentIn short attackers wonrsquot respect yourstovepipes and you need to think

Catherine AskamEmployees and non-employees accessing buildings data and critical IT systems areprobably an organisationrsquos biggest threat

While malicious users may attack from

the inside of an internal system causinggreater harm than any cyber attack em-ployees could also make mistakes thatput the company at risk Security infor-mation and event-management tools canprevent these as they can flag up irregu-lar activity This leads to timely incidentdetection and containment

Smartphones are also becoming acyber-security minefield The ability tolog in automatically steal credentials and break into the back-end systems poses areal risk

John BerrimanTherersquos no doubt that external threatsregularly grab the headlines Maliciousthreats and breaches cause genuineserious and high-profile breaches Manyorganisations prioritise external threats but internal ones can be just as damag-ing Staff can be the strongest or indeedweakest point in the security chain

PwC research for the governmentfound that 75 per cent of large organisa-tions suffered staff-related breaches up

from 58 per cent a year ago Inadequate

2 ldquoThe cybersecurity industrytrades o peoplersquos

ears ndash otenunsubstantiatedrdquoDiscuss John BerrimanPwC research conducted for the govern-ment has shown that nine out of ten or-ganisations reported a cyber-security breach in the past year so the threat businesses face is very real The cyber-security industry is driven by the genuineexperiences of organisations that suffer

security breachesOthers are in denial about the extent towhich they are vulnerable or fail to pre-pare adequately and then find themselveshit by a major breach that causes serious business disruption

At PwC we are trying to make organi-sations more aware and better preparedThere is a lot that can be done to preventa breach becoming a serious issue thatcauses long-term and costly damage to a business its brand and reputation

Mark BrownThe fear aspect of cyber security is welldocumented but there are alternativeviewpoints A modern approach to view-ing the role of cyber security is evolving ndashone rooted in the heart of enterprise risk-management rather than compliance Asorganisations recognise that 100 per centsecurity is a futile concept a move to-wards cyber resilience is evolving wheredetection and response is as important ifnot more so than prevention

This change requires a new breed

of cyber-security professional one ascomfortable in the parlance of businessmanagement as technology and who cansell the concept of risk enablement ratherthan simply being seen as the inhibitorof progress

The risk is very real but can be man-aged without detrimentally impactingoperations where a business-centred ap-proach is adopted

Paul TaylorTherersquos a great deal of scaremongering out

there that isnrsquot necessarily helpful The

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 263418-24 SEPTEMBER 2015 | NEW STATESMAN | 983090983093

5 What three stepsshould businessestake now in order toimprove their owncyber security

Catherine Askam1 Fix the basics such as passwords andupdate security patching and new joinermover and leaver processes2 Review current security operations andinvest in them to strengthen this area ofyour business3 Focus on prevention in addition tohow you would respond to an attack forexample threat intelligence (detectingthe methods of hackers and using thisintelligence to plan responses) and data-destruction protection such as technol-

ogy or insurance policies to avoid data orinformation being destroyed if a hackeraccessed it

John Berriman1 Organisations need to accept breacheswill happen and put in place controls toprotect systems with additional securityfor the assets that matter most2 They need to make sure that theyare investing effectively in cyber secu-rity That means focusing investment onpreventing detecting and responding

to breaches When organisations invest

training poor security awareness or gen-eral negligence can lead to breaches just asreadily as hackers and criminals

Employee awareness is a difficult areafor information security and many organ-isations struggle to get it right

4 What singlestatistic should actas a wake-up callto those who needconvincing

Paul Taylor

Every day we hear of new vulnerabilitiesattacks and incidents The Centre for Stra-tegic and International Studies estimatesthat the likely annual cost to the globaleconomy from cyber crime is between$375bn and $575bn These startling fig-ures are more than the national income ofmany countries

Catherine AskamAccording to CYRENrsquos 2015 CyberthreatYearbook the number of successful cyberattacks on businesses of all sizes increased

by 14 4 per cent between 2010 and 2014 Therefore cyber attacks are clearly agrowing concern for UK businesses Weoften say that itrsquos no longer a case of if youget hacked but when

John BerrimanThe average cost of the most severesecurity breaches for big business is nowpound146m according to PwC research Thatdoesnrsquot take into account the impact onan organisationrsquos reputation and relation-ship with its stakeholders Every organi-

sation needs to wake up to the very realthreats they face

Mark BrownCyber crime today is prevalent as a glob-al criminal industry Organisations arehacked daily but the scale of attacks isoften difficult to comprehend

During 2014 the biggest reported hackwas conducted by the Russian organised-crime gang CyberVor which capturedmore than 12 billion personal IDs ndash theequivalent of hacking the entire popula-

tion of India

Organisations are hacked every day but it can be difficult to comprehend the scale o cyber crime

appropriately upfront and align securitystrategy with business objectives theyprevent having to pay significantly largersums of money for breach responses at alater date3 They need to focus the entire organi-sation on thinking about risk setting thetone from the top

Mark Brown

1 Activate ndash make sure you switch on thedefences that exist and configure themproperly Failure to do this leaves youunnecessarily exposed to todayrsquos threats2 Adapt ndash analyse your business andunderstand what information makes youa target for cyber crime Personal dataand credit-card data are obvious targets but also think about IP and who yourcustomers and suppliers are to protectagainst threats3 Anticipate ndash get on the front foot andrehearse threat scenarios to understand

your organisational weaknesses If theyexist cyber criminals will find them ndash so better that you find and resolve them first

Paul Taylor1 Identify what data and processes are themost important to your business2 Undertake a cyber-maturity assess-ment to see where you are now Bench-mark yourself against your industry3 Put a long-term plan in place using a balance of internal resources and appro-priate help Donrsquot try to be 100 per cent

secure ndash thatrsquos simply not possible l
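Catherine Askam's answer to question 3 above says that security information and event-management (SIEM) tools flag up irregular activity so that incidents are detected and contained quickly. The following is an added example, not code from the original supplement or from any of the panellists' firms, that shows in miniature what such a tool does: it runs two correlation rules over a handful of constructed authentication log lines. The log format, usernames, hosts, addresses and thresholds are all assumptions made up for the example. One rule catches a password-guessing burst from a single source and notes whether a login from that source then succeeded; the other catches the insider-style anomaly of a valid account logging in at an hour it has never used before.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified syslog-like format (an assumption
# for this example; real SIEMs normalise many vendor formats into one schema).
SAMPLE_LOG = """\
2015-09-14T09:02:11 host=fileserver01 user=alice src=10.0.5.12 result=SUCCESS
2015-09-14T09:15:40 host=fileserver01 user=bob src=10.0.5.30 result=SUCCESS
2015-09-14T13:41:03 host=fileserver01 user=alice src=10.0.5.12 result=SUCCESS
2015-09-14T22:10:05 host=vpn-gw user=carol src=203.0.113.77 result=FAILURE
2015-09-14T22:10:09 host=vpn-gw user=carol src=203.0.113.77 result=FAILURE
2015-09-14T22:10:14 host=vpn-gw user=dave src=203.0.113.77 result=FAILURE
2015-09-14T22:10:19 host=vpn-gw user=erin src=203.0.113.77 result=FAILURE
2015-09-14T22:10:24 host=vpn-gw user=frank src=203.0.113.77 result=FAILURE
2015-09-14T22:10:31 host=vpn-gw user=alice src=203.0.113.77 result=SUCCESS
2015-09-15T03:12:44 host=fileserver01 user=bob src=10.0.5.30 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Rule 1: at least `threshold` failures from one source inside `window`.
    Also reports whether a SUCCESS from the same source followed the burst,
    which is the case that needs containment rather than just a block rule."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAILURE"]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]
                followed = any(e["result"] == "SUCCESS" and e["ts"] > last for e in evs)
                alerts.append({"rule": "bruteforce", "src": src,
                               "failures": len(burst), "success_after": followed,
                               "users": sorted({f["user"] for f in burst})})
                break  # one alert per source is enough
    return alerts


def detect_offhours(events, work_hours=range(7, 20)):
    """Rule 2: a successful login outside working hours by an account whose
    earlier successes all fell inside working hours (a per-user baseline built
    from the events seen so far)."""
    seen_hours = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "SUCCESS":
            continue
        hour = ev["ts"].hour
        baseline = seen_hours[ev["user"]]
        if hour not in work_hours and baseline and baseline <= set(work_hours):
            alerts.append({"rule": "offhours", "user": ev["user"],
                           "host": ev["host"], "ts": ev["ts"].isoformat()})
        baseline.add(hour)
    return alerts


def run_rules(text):
    """Parse the log once and apply both rules; returns the combined alert list."""
    events = parse_log(text)
    return detect_bruteforce(events) + detect_offhours(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints three alerts for the sample: the five-failure burst from 203.0.113.77 with `success_after` set, because alice's account then logged in from the same address, and two off-hours logins (alice from the attacking address, bob at 3am). The second rule also shows the limit of such tools: it only knows what "irregular" means once it has a baseline for the user, so a brand-new account logging in at midnight produces nothing.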


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report, released by ISACA, showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when it released a report which showed that 90 per cent of large businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them.

This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state of the art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding leading industry certificates and having a wealth of real world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

IN PARTNERSHIP WITH PGI CYBER ACADEMY

Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees, or sitting at your desks (yes, yours, the one with password Post-it notes all over the monitor).

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
- boundary firewalls and internet gateways
- secure configuration
- access control
- malware protection
- patch management

To add a further level of assurance we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition, embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE

The threat to digital infrastructure

Despite the risks there is room for optimism, argues Andrew Cooke

What is digital infrastructure? We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen? Infrastructure organisations are experts in understanding the whole life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset by asset basis to ensure the threat to the delivery of organisational, and in this case national, objectives is mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS

FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m-£3.14m: average cost of worst security breaches to large organisations

£75k-£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: staff-related 75%; unauthorised outsider 69%; denial of service attack 30%

Small organisations: staff-related 31%; unauthorised outsider 38%; denial of service attack 16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8 October, ExCeL London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)²

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

Page 25: Avatu - A to Z Cyber Security

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 2534

VIEW FROM THE EXPERTS

983090983092 | NEW STATESMAN | 18-24 SEPTEMBER 2015

constantly evolving threat landscape promotes a feeling of vulnerability for many, and has resulted in some organisations spending significant sums of money on ineffective programmes with poor alignment to risks and business imperatives.

Cyber security is not achievable by a quick technical fix, nor is it a matter solely for the IT department.

We often see that these behaviours leave leadership wondering what they really need to do, how much is really enough, and who they can trust to help them get it right.

The reality is that cyber security is a business risk, just like physical security. If measures are put in place to deal with it, then businesses can mitigate and protect against future attacks as a matter of "business as usual".

Catherine Askam: Cyber risk is often associated with high-profile cyber espionage rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.

2. "The cyber security industry trades off people's fears – often unsubstantiated." Discuss.

John Berriman: PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches. Others are in denial about the extent to which they are vulnerable, or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown: The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving – one rooted in the heart of enterprise risk-management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor: There's a great deal of scaremongering out there that isn't necessarily helpful. The

3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown: Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe practices in an organisation; therefore failure to provide continual education, training and awareness to staff is a key risk.

Notwithstanding internal aspects, if a cyber criminal wishes to break into a corporate organisation, technical defences alone are insufficient. An ardent attacker will attack an organisation until they find the exposure.

Paul Taylor: Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat – thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals.

Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short, attackers won't respect your stovepipes, and you need to think

Catherine Askam: Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman: There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest, or indeed weakest, point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor: Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam: According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman: The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown: Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

"Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime"

5. What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam:
1. Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2. Review current security operations and invest in them to strengthen this area of your business.
3. Focus on prevention in addition to how you would respond to an attack: for example, threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman:
1. Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2. They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3. They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown:
1. Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2. Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3. Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor:
1. Identify what data and processes are the most important to your business.
2. Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3. Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.


To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report released by ISACA showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July when they released a report which showed that 90 per cent of businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and in turn result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training. The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding both leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

IN PARTNERSHIP WITH PGI CYBER ACADEMY

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
- boundary firewalls and internet gateways
- secure configuration
- access control
- malware protection
- patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of its assets. To exploit the data effectively it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threat to the delivery of organisational and, in this case, national objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

- 90% of large organisations experience security breaches, up from 81% a year ago
- 74% of small businesses experience security breaches, up from 60% a year ago
- £1.46m-£3.14m: average cost of worst security breaches to large organisations
- £75k-£311k: average cost of worst security breaches to small businesses
- 50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: 75% staff-related; 69% unauthorised outsider; 30% denial of service attack

Small organisations: staff-related, denial of service attack and unauthorised outsider (chart values 38%, 16% and 31%; the pairing of values to categories does not survive in the extracted chart)

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


It's time to develop your own cyber security capabilities

Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks. Accredited by leading professional bodies and institutions.

Download our free guide from www.7safe.com/cyber-skills, or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security, or worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology, and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

Page 26: Avatu - A to Z Cyber Security

18-24 SEPTEMBER 2015 | NEW STATESMAN | 25

training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security, and many organisations struggle to get it right.

4 What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor
Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam
According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman
The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown
Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs – the equivalent of hacking the entire population of India.

"Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime"

5 What three steps should businesses take now in order to improve their own cyber security?

Catherine Askam
1 Fix the basics, such as passwords, and update security patching and new joiner, mover and leaver processes.
2 Review current security operations and invest in them to strengthen this area of your business.
3 Focus on prevention in addition to how you would respond to an attack: for example, threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

John Berriman
1 Organisations need to accept breaches will happen and put in place controls to protect systems, with additional security for the assets that matter most.
2 They need to make sure that they are investing effectively in cyber security. That means focusing investment on preventing, detecting and responding to breaches. When organisations invest appropriately upfront and align security strategy with business objectives, they prevent having to pay significantly larger sums of money for breach responses at a later date.
3 They need to focus the entire organisation on thinking about risk, setting the tone from the top.

Mark Brown
1 Activate – make sure you switch on the defences that exist and configure them properly. Failure to do this leaves you unnecessarily exposed to today's threats.
2 Adapt – analyse your business and understand what information makes you a target for cyber crime. Personal data and credit-card data are obvious targets, but also think about IP and who your customers and suppliers are to protect against threats.
3 Anticipate – get on the front foot and rehearse threat scenarios to understand your organisational weaknesses. If they exist, cyber criminals will find them – so better that you find and resolve them first.

Paul Taylor
1 Identify what data and processes are the most important to your business.
2 Undertake a cyber-maturity assessment to see where you are now. Benchmark yourself against your industry.
3 Put a long-term plan in place using a balance of internal resources and appropriate help. Don't try to be 100 per cent secure – that's simply not possible.

26 | NEW STATESMAN | 18-24 SEPTEMBER 2015

IN PARTNERSHIP WITH PGI CYBER ACADEMY

To fight cyber crime, first invest in closing the skills gap

It's time to close the knowledge gap, writes Matthew Olney

A worryingly large number of IT professionals believe that there is a huge shortage in the number of cyber security professionals, and most expect that their organisation will be hit by a cyber attack at some point over the next 12 months.

The 2015 Global Cybersecurity Status Report released by ISACA showed that 83 per cent of respondents believe the biggest threat to business today is the one posed by hackers and other tech-savvy criminals.

The report also shows that 87 per cent of its British members believe that there is a shortage of skilled cyber security professionals. In the United States that figure is as high as 90 per cent.

The British government further highlighted the dangers posed by cyber criminals in July, when it released a report which showed that 90 per cent of large businesses in the country had suffered a security breach in 2014. Fortunately, it appears as though the UK is starting to take the matter of cyber security seriously, but as for businesses, most remain woefully unprepared to tackle the ever-growing and evolving threat posed by cyber crime.

A cyber attack can do huge damage to businesses: the theft of sensitive business data or customers' details, for example, can do serious harm to a company's reputation. A damaged reputation is also likely to lead to customers being wary of your business and, in turn, result in a substantial loss of revenue.

The best way to tackle this menace? Governments and businesses must do more to train their staff, close the knowledge gap and increase specialist skills education. Everyone must also be taught that when online everybody is a target, and that none of us is too small or unimportant.

The skills shortage is so bad that the lack of cyber-security skills has been classed as the biggest problem faced by the IT industry for four years in a row. Universities are offering courses to try to fill this skills gap, but it will be years before there are enough graduates to satisfy demand adequately. People with these skills can expect to receive very good salaries from companies and organisations fighting over them. This high rate of pay may not be much of an issue for corporations or governments, but smaller businesses are unable to compete.

Waiting around for the latest batch of graduates may sound like a good idea, but in reality it is a flawed method of obtaining staff with the necessary skills and knowledge. Most graduates are headhunted straight out of university, and the competition to recruit them is fierce. A better way to close the skills gap is to train staff currently on the payroll.

Having staff that are cyber aware gives a business an advantage over its rivals and can increase customer confidence. Ask yourself whether you would rather do business with a company that has taken cyber security seriously or one that has not. It's not difficult to guess the answer.

Another problem faced by organisations looking to recruit cyber security personnel is that professionals able to cope with the ever-advancing cyber threat are few and far between. With threats always evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, the researchers behind it demonstrated how the attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year

18-24 SEPTEMBER 2015 | NEW STATESMAN | 27

28 | NEW STATESMAN | 18-24 SEPTEMBER 2015

IN PARTNERSHIP WITH DIGITAL ASSURANCE

Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is optional for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014, I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory-leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees, or sitting at your desks. (Yes, yours: the one with password Post-it notes all over the monitor.)

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tin-foil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition: it keeps the unauthenticated remote hacker perspective and also covers malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it

For more information visit digitalassurance.com or phone 020 7060 9001
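The five control areas in the Cyber Essentials piece above map naturally onto checks you can run against your own inventory before paying for an assessment. The script below is an added example, not Digital Assurance's code and not part of the Cyber Essentials scheme itself: one function per control area, run over a constructed inventory of three hosts. The 14-day window for critical and high-severity patches is the scheme's published requirement; the daily signature-refresh threshold, the allow-list of inbound ports, and every hostname, account and patch identifier are assumptions made up for the example.

```python
# Added example, not Digital Assurance's code: a pre-assessment self-check over a
# constructed inventory, one function per Cyber Essentials control area.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

TODAY = date(2015, 9, 18)              # assessment date assumed for the example
PATCH_WINDOW = timedelta(days=14)      # scheme rule: critical/high fixes within 14 days
SIGNATURE_MAX_AGE = timedelta(days=1)  # assumption: signatures refreshed at least daily

@dataclass
class Service:
    port: int
    name: str
    default_creds: bool = False        # still on the vendor's default password?

@dataclass
class Account:
    user: str
    admin: bool
    used_for_daily_work: bool = False  # admin account doubling as a normal login
    left_company: bool = False         # leaver whose account was never removed

@dataclass
class Host:
    name: str
    internet_facing: bool
    services: List[Service]
    accounts: List[Account]
    antimalware_installed: bool
    signatures_updated: Optional[date]
    pending: List[Tuple[str, str, date]]   # (hypothetical patch id, severity, released)

def check_boundary(hosts, allowed_inbound):
    """Boundary firewalls and internet gateways: only approved ports may be
    reachable from the internet; any other exposed service is a finding."""
    return [("boundary", f"{h.name}: {s.name}/{s.port} reachable from the internet")
            for h in hosts if h.internet_facing
            for s in h.services if s.port not in allowed_inbound]

def check_secure_configuration(hosts):
    """Secure configuration: no service left on vendor-default credentials."""
    return [("secure-config", f"{h.name}: {s.name}/{s.port} uses default credentials")
            for h in hosts for s in h.services if s.default_creds]

def check_access_control(hosts):
    """Access control: admin accounts reserved for admin tasks, leavers removed."""
    out = []
    for h in hosts:
        for a in h.accounts:
            if a.admin and a.used_for_daily_work:
                out.append(("access-control", f"{h.name}: admin {a.user} used for daily work"))
            if a.left_company:
                out.append(("access-control", f"{h.name}: leaver account {a.user} still present"))
    return out

def check_malware_protection(hosts, today=TODAY):
    """Malware protection: anti-malware installed and its signatures recent."""
    out = []
    for h in hosts:
        if not h.antimalware_installed:
            out.append(("malware", f"{h.name}: no anti-malware installed"))
        elif h.signatures_updated is None or today - h.signatures_updated > SIGNATURE_MAX_AGE:
            out.append(("malware", f"{h.name}: anti-malware signatures out of date"))
    return out

def check_patch_management(hosts, today=TODAY):
    """Patch management: critical/high fixes still outstanding past the 14-day window."""
    return [("patching", f"{h.name}: {pid} ({sev}) outstanding {(today - rel).days} days")
            for h in hosts for pid, sev, rel in h.pending
            if sev in ("critical", "high") and today - rel > PATCH_WINDOW]

def assess(hosts, allowed_inbound, today=TODAY):
    """Run all five control-area checks; returns (control, message) findings."""
    return (check_boundary(hosts, allowed_inbound) + check_secure_configuration(hosts)
            + check_access_control(hosts) + check_malware_protection(hosts, today)
            + check_patch_management(hosts, today))

# Constructed inventory for the example; no real hosts, people or bulletins.
SAMPLE_HOSTS = [
    Host("web-01", True, [Service(443, "https"), Service(3389, "rdp"), Service(22, "ssh")],
         [Account("svc_deploy", admin=False)], True, date(2015, 9, 18),
         [("PATCH-0001", "critical", date(2015, 8, 18))]),
    Host("finance-pc-07", False, [Service(445, "smb")],
         [Account("jsmith", admin=True, used_for_daily_work=True),
          Account("contractor_old", admin=False, left_company=True)],
         True, date(2015, 9, 1), [("PATCH-0002", "low", date(2015, 9, 8))]),
    Host("router-edge", True, [Service(80, "http-admin", default_creds=True)],
         [], False, None, []),
]
ALLOWED_INBOUND = {443}

if __name__ == "__main__":
    for control, message in assess(SAMPLE_HOSTS, ALLOWED_INBOUND):
        print(f"[{control}] {message}")
```

Run as-is, the sample inventory produces nine findings across the five areas. Note the split in perspective: the boundary check only needs what an external scan or the firewall rule base shows, which is the unauthenticated-remote-attacker view the article describes, while the other four need data from inside the estate, which is the territory Cyber Essentials Plus goes on to review.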

18-24 SEPTEMBER 2015 | NEW STATESMAN | 29

IN PARTNERSHIP WITH ATKINS

The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure? We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen? Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives and, consequently, to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure that the threats to the delivery of organisational and, in this case, national objectives are mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more visit atkinsglobal.com
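The two features that make the Scada risk in the Atkins piece above more severe, control protocols crossing the same IP network as enterprise systems and operating systems that are past vendor support, are both visible in data an infrastructure organisation already holds: its flow records and its asset register. The script below is an added example, not Atkins' code and not part of the article: it flags ICS-protocol connections whose source lies outside the OT zone, and OT assets whose operating-system end-of-support date has passed. The port numbers are the registered ports of the named protocols; the addressing plan, zone names, hostnames, assets and flow records are assumptions constructed for the example.

```python
# Added example, not Atkins' code: flag industrial-protocol traffic that enters the
# OT zone from elsewhere, and OT assets whose operating system is out of support.
from dataclasses import dataclass
from datetime import date
import ipaddress

# Registered ports of common industrial control protocols.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 20000: "DNP3",
             44818: "EtherNet/IP", 47808: "BACnet/IP"}

# Assumed addressing plan: one enterprise range, one OT range.
ZONES = {"enterprise": ipaddress.ip_network("10.10.0.0/16"),
         "ot": ipaddress.ip_network("10.20.0.0/16")}

TODAY = date(2015, 9, 18)  # assessment date assumed for the example

@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    os: str
    os_end_of_support: date   # vendor's end-of-support date for that OS build

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside both ranges is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def cross_zone_ics_flows(flows):
    """Return (flow, protocol) for ICS-protocol traffic whose source is not
    inside the OT zone: evidence that control systems are reachable from
    the corporate network, or from somewhere unexpected."""
    out = []
    for f in flows:
        proto = ICS_PORTS.get(f.dport)
        if proto is not None and zone_of(f.src) != "ot":
            out.append((f, proto))
    return out

def unsupported_ot_assets(assets, today=TODAY):
    """Return OT-zone assets whose OS has passed vendor end of support,
    i.e. hosts that no longer receive security patches."""
    return [a for a in assets if zone_of(a.ip) == "ot" and a.os_end_of_support < today]

def run_checks(assets, flows, today=TODAY):
    """Human-readable findings from both checks."""
    lines = [f"{proto} from {f.src} ({zone_of(f.src)}) to {f.dst} ({zone_of(f.dst)}) port {f.dport}"
             for f, proto in cross_zone_ics_flows(flows)]
    lines += [f"OT asset {a.name} ({a.ip}) runs {a.os}, unsupported since {a.os_end_of_support}"
              for a in unsupported_ot_assets(assets, today)]
    return lines

# Constructed sample data; hostnames and addresses are invented for the example.
SAMPLE_ASSETS = [
    Asset("plc-pumphouse-1", "10.20.1.10", "embedded RTOS", date(2030, 1, 1)),
    Asset("hmi-pumphouse", "10.20.1.20", "Windows XP SP3", date(2014, 4, 8)),
    Asset("historian-01", "10.20.2.5", "Windows Server 2012 R2", date(2023, 10, 10)),
    Asset("crm-web-01", "10.10.5.40", "Ubuntu 14.04", date(2019, 4, 30)),
]
SAMPLE_FLOWS = [
    Flow("10.20.1.20", "10.20.1.10", 502),    # HMI to PLC inside OT: expected
    Flow("10.10.5.40", "10.20.1.10", 502),    # CRM web server talking Modbus to a PLC
    Flow("10.10.7.12", "10.20.2.5", 20000),   # enterprise desktop talking DNP3 to historian
    Flow("10.10.7.12", "10.10.5.40", 443),    # ordinary HTTPS, not an ICS port
    Flow("192.0.2.9", "10.20.1.10", 102),     # address outside both zones reaching a PLC
]

if __name__ == "__main__":
    for line in run_checks(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print(line)
```

The flow check is deliberately one-directional: traffic between HMI and PLC inside the OT range is normal and is not reported, while any ICS protocol arriving from the enterprise range or from an address outside both ranges is. In practice the flow records would come from the firewall or a network tap at the zone boundary, and the end-of-support dates from the asset register the d-EAM approach already maintains.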

18-24 SEPTEMBER 2015 | NEW STATESMAN | 31

FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago
74% of small businesses experience security breaches, up from 60% a year ago
£1.46m-£3.14m: average cost of worst security breaches to large organisations
£75k-£311k: average cost of worst security breaches to small businesses
50% of worst breaches caused by inadvertent human error

Security breach by type

Breach type                 Large organisations    Small organisations
Staff-related                      75%                    38%
Unauthorised outsider              69%                    31%
Denial-of-service attack           30%                    16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)

Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London

IN PARTNERSHIP WITH (ISC)2

Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology, and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function, straining under a now well-known skills gap in the field.

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines, now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

Page 27: Avatu - A to Z Cyber Security

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 2734

A worryingly large number of IT pro-fessionals believe that there is ahuge shortage in the number of cy-

ber security professionals and most ex-pect that their organisation will be hit bya cyber attack at some point over the next12 months

The 2015 Global Cybersecurity StatusReport released by ISACA showed that 83per cent of respondents believe the biggestthreat to business today is the one posed by hackers and other tech-savvy criminals

The report also shows that 87 per cent ofits British members believe that there is ashortage of skilled cyber security profes-sionals In the United States that figure isas high as 90 per cent

The British government further high-lighted the dangers posed by cybercriminals in July when they released areport which showed that 90 per cent of businesses in the country had suffered asecurity breach in 2014 Fortunately it ap-pears as though the UK is starting to takethe matter of cyber security seriously but

as for businesses most remain woefully

unprepared to tackle the ever growing andevolving threat posed by cyber crime

A cyber attack can do huge damage to businesses the theft of sensitive businessdata or customersrsquo details for examplecan do serious harm to a companyrsquos repu-tation A damaged reputation is also likelyto lead to customers being wary of your business and in turn result in a substantialloss of revenue

The best way to tackle this menaceGovernments and businesses must do

more to train their staff close the know-ledge gap and increase specialist skills ed-ucation Everyone must also be taught thatwhen online everybody is a target and thatnone of us is too small or unimportant

The skills shortage is so bad that the lackof cyber-security skills has been classed asthe biggest problem faced by the IT indus-try for four years in a row Universities areoffering courses to try to fill this skills gap but it will be years before there are enoughgraduates to satisfy demand adequatelyPeople with these skills can expect to re-

ceive very good salaries from companies

Itrsquos time to close the knowledge gap writes Matthew Olney

To ight cyber crimeirst invest in closing

the skills gap

and organisations fighting over themThis high rate of pay may not be much

of an issue for corporations or govern-ments but smaller businesses are unableto compete

Waiting around for the latest batch ofgraduates may sound like a good idea butin reality it is a flawed method of obtainingstaff with the necessary skills and know-ledge Most graduates are headhuntedstraight out of university and the competi-tion to recruit them is fierce A better way

to close the skills gap is to train staff cur-rently on the payroll

Having staff that are cyber aware givesa business an advantage over its rivals andcan increase customer confidence Askyourself whether you would rather do business with a company that has takencyber security seriously or one that hasnot Itrsquos not difficult to guess the answer

Another problem faced by organisa-tions looking to recruit cyber security per-sonnel is that professionals able to copewith the ever advancing cyber threat are

few and far between With threats always

IN PARTNERSHIP WITH PGI CYBER ACADEMY

983090983094 | NEW STATESMAN | 18-24 SEPTEMBER 2015

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 283418-24 SEPTEMBER 2015 | NEW STATESMAN | 983090983095

evolving businesses and governments areforced to react and defend rather than takethe offensive

With the launching of various pro-grammes by the British government itis hoped that smaller and perhaps morevulnerable businesses will take action totackle the cyber security threat In Julyit launched a scheme offering small andmedium-sized enterprise up to pound5000worth of funding to team up with externalexperts such as Protection Group Interna-tional (PGI) to help provide staff training

The scheme is certainly a step in the rightdirection but more needs to be done espe-cially in sectors such as transport

The story of Jeep Cherokee which wassubjected to test hacking in the US hitthe headlines in July and brought intothe public eye the vulnerabilities of thecar industry when it comes to hacker at-tacks At Augustrsquos Black Hat conference inLas Vegas hackers demonstrated how thecyber attack was carried out

ldquoPlease stop saying whatever you haveand whatever thing you make is un-

hackable because yoursquore going to looksillyrdquo said a security expert at the BlackHat conference

If someone with some skills and a laptop can hack into and take control of a car from miles away, then what is to prevent the same from happening in the aviation and maritime sectors?

The maritime sector in particular has been found to be especially vulnerable to cyber threats. In some cases the sector is ten or even twenty years behind the curve when it comes to cyber defence.

With the sector becoming increasingly reliant on technology, and the fact that the vast majority of the world's goods are transported by sea, the possibilities for disruption by hackers or cyber terrorists are vast. A hacker could send a ship off course, or disable it to make it an easy target for piracy. According to the European Network and Information Security Agency (Enisa), awareness of cyber security in the maritime sector is currently low to non-existent.

Given the global importance of the sector, this lack of awareness needs to change.

"No one is immune from cyber threats, and there are many attacks aimed at the maritime sector on a daily basis. Insufficient investment in training and upgrading cyber security measures means that the sector is falling behind in the fast-paced world of cyber security," said Ben Swindlehurst, commercial development director at PGI.

According to the InfoSec Institute, the aviation industry is also struggling to fill a shortage of skilled cyber security professionals. With the industry hosting some of the most integrated and complex information and communications technology systems on the planet, it faces threats on a multitude of fronts.

The leading threats to the aviation industry range from phishing attacks to remote hijacking. The implications of a hacker breaching an aeroplane's or an airport's security should send a cold shiver down all of our spines.

Without adequate numbers of new cyber security professionals, we are all vulnerable to the acts of cyber criminals and cyber terrorists. It is a skills gap that needs to be filled, and this is where PGI's Cyber Academy comes in.

PGI aims to be a major contributor in the struggle to close the skills gap in the cyber sector. At our state-of-the-art Cyber Academy, based in Bristol, we implement our unique approach: "Understand, test, monitor, respond, educate."

All of our instructors are established cyber security professionals, holding leading industry certificates and having a wealth of real-world experience. Whether you are a small company or a large organisation, we have the skills, experience and expertise to offer businesses and governments tailored solutions that will make the difference in this information-enabled world.

PGI believes in education and awareness; therefore cyber security education and training for both IT professionals and non-IT executives stand at the core of our business. Our world-class information security specialists, certified against national and international standards, come from a multitude of backgrounds, ranging from multinational corporations to government institutions. We also operate on a global scale and believe in making the world a safer place to do business.

Matthew Olney is the communications officer at Protection Group International

Find out more about PGI at pgitl.com

Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

In today's reality of increasing cyber threats, the Cyber Essentials scheme is the UK government's endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is optional for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, that when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved rigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test, where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks (yes, yours, the one with password Post-it notes all over the monitor).

And it certainly doesn't include trying to contemplate how to debug a car's on-board computer over drinks with friends at a local pub, after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tin-foil testing hat and declare that I was wrong.

If adopted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:

• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition: it still covers the unauthenticated remote hacker, but also an attacker with the malicious intent to propagate malware and ransomware through the email gateways and endpoints that the internal review inspects.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns, and the odd bit of car hacking just for the heck of it.

For more information visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy, but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the growing number of information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of their assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit, but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation's infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make the risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow's infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole-life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives, and of the security of the physical and information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation's objectives, and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure that the threats to the delivery of organisational and, in this case, national objectives are mitigated.

The approach is not exclusively for use in the design of new infrastructure, and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured, and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m–£3.14m: average cost of the worst security breaches to large organisations

£75k–£311k: average cost of the worst security breaches to small businesses

50% of the worst breaches caused by inadvertent human error

Security breach by type (percentage of organisations affected)

                            Large organisations    Small organisations
Staff-related                       75%                    31%
Unauthorised outsider               69%                    38%
Denial of service attack            30%                    16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCel London


Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer's recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle's radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It's more likely that the opposite is true.

The onset of the connected world, with an estimated 50 billion devices connected together by 2020, heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements, and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation of how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


evolving, businesses and governments are forced to react and defend rather than take the offensive.

With the launching of various programmes by the British government, it is hoped that smaller and perhaps more vulnerable businesses will take action to tackle the cyber security threat. In July it launched a scheme offering small and medium-sized enterprises up to £5,000 worth of funding to team up with external experts such as Protection Group International (PGI) to help provide staff training.

The scheme is certainly a step in the right direction, but more needs to be done, especially in sectors such as transport.

The story of the Jeep Cherokee, which was subjected to test hacking in the US, hit the headlines in July and brought into the public eye the vulnerabilities of the car industry when it comes to hacker attacks. At August's Black Hat conference in Las Vegas, hackers demonstrated how the cyber attack was carried out.

"Please stop saying whatever you have and whatever thing you make is unhackable, because you're going to look silly," said a security expert at the Black Hat conference.

If someone with some skills and a laptopcan hack into and take control of a car frommiles away then what is to prevent thesame from happening in the aviation andmaritime sectors

The maritime sector in particular has been found to be especially vulnerable tocyber threats In some cases the sector isten or even twenty years behind the curvewhen it comes to cyber defence

With the sector becoming increasinglyreliant on technology and the fact thatthe vast majority of the worldrsquos goodsare transported by sea the possibilitiesfor disruption by hackers or cyber ter-rorists is vast A hacker could send a shipoff course or disable it to make it an easytarget for piracy According to the Euro-pean Network and Information SecurityAgency (Enisa) awareness of cyber secu-rity in the maritime sector is currently lowto non-existent

Given the global importance of the sec-

tor this lack of awareness needs to change

ldquoNo one is immune from cyber threatsand there are many attacks aimed at themaritime sector on a daily basis Insuffi-cient investment in training and upgrad-

ing cyber security measures means thatthe sector is falling behind in the fast-paced world of cyber securityrdquo said BenSwindlehurst commercial developmentdirector at PGI

According to the InfoSec Institute theaviation industry is also struggling to fill ashortage of skilled cyber security profes-sionals With the industry hosting someof the most integrated and complex infor-mation and communications technologysystems on the planet it faces threats on amultitude of fronts

The leading threats to the aviation in-dustry range from phishing attacks toremote hijacking The implications of ahacker breaching an aeroplanersquos or an air-portrsquos security should send a cold shiverdown all of our spines

Without adequate numbers of newcyber security professionals we are allvulnerable to the acts of cyber criminalsand cyber terrorists It is a skills gap thatneeds to be filled and this is where PGIrsquosCyber Academy comes in

PGI aims to be a major contributor in

the struggle to close the skills gap in the

cyber sector At our state of the art CyberAcademy based in Bristol we implementour unique approach ldquoUnderstand testmonitor respond educate rdquo

All of our instructors are establishedcyber security professionals holding bothleading industry certificates and having awealth of real world experience Whetheryou are a small company or a largeorganisation we have the skills experi-ence and expertise to offer businesses andgovernments tailored solutions that willmake the difference in this information-enabled world

PGI believes in education and aware-ness therefore cyber security educationand training for both IT professionals and

non-IT executives stand at the core of our business Our world-class informationsecurity specialists certified against na-tional and international standards comefrom a multitude of backgrounds rang-ing from multinational corporations togovernment institutions We also operateon a global scale and believe in making theworld a safer place to do business lMatthew Olney is the communicationsofficer at Protection Group International

Find out more about PGI at

pgitlcom

Fiat Chryslerrsquos Jeep Cherokee was the subject o a hacking test earlier this year

18-24 SEPTEMBER 2015 | NEW STATESMAN | 983090983095

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 29349830908 | NEW STATESMAN | 00 MONTH 2014

HEADING

In todayrsquos reality of increasing cyberthreats the Cyber Essentials Schemeis the UK governmentrsquos endeavour to

help businesses and organisations securetheir digital assets by undergoing a secu-rity assessment Cyber Essentials is anoptional requirement for most businesses

unless you wish to bid for some govern-ment tenders when it becomes a manda-tory requirement

I must confess as a security consultantwith Digital Assurance when the CyberEssentials scheme was first launched in June 2014 I felt sceptical and somewhatdisenchanted certainly as a pen-tester anda fellow of the tin-foil hat brigade

Cyber Essentials was not a traditionalpen test that involved vigorous testingstaring at the only light emitting in theroom at 2am and wondering what can be

obtained from some odd memory leakvulnerability Neither was it a physicalsecurity test where we were sneakinginto your building and hiding ninja-like behind your employees or sitting at yourdesks (Yes yours the one with passwordPost-it notes all over the monitor )

And it certainly doesnrsquot include tryingto contemplate how to debug a carrsquos on- board computer over drinks with friendsat a local pub after successfully exploitingand unlocking said car remotely

I also felt somewhat sullied when I

compiled some of the first of the Cyber

Essentials reports for Digital Assurance because low-risk issues did not have to be included in the final report How pre-posterous

Now having completed several assess-ments against all kinds of infrastructure belonging to companies large and small

I can eat my tinfoil testing hat and declarethat I was wrong

If adapted by industry Cyber Essentialshas the potential to improve UK cybersecurity dramatically It is especially ben-eficial to companies that do not operate aregular or annual security review

So what does a Cyber Essentials certifi-cation include

It comes in two flavours Cyber Essen-tials and Cyber Essentials Plus The basicone Cyber Essentials consists of a com-prehensive questionnaire with five stages

covering security controls which are laterassessed by the overseeing body of the Cy- ber Essentials certification

The five stages covered are l boundary firewalls and internetgateways l secure configuration l access control l malware protection l patch management

To add a further level of assurance wealso offer a vulnerability scan against your

external perimeter and analyse the issues

A ive-step security assessment is an excellent introductionwrites Digital Assurancersquos Michael Minchinton

Cyber cybercyber essentials

arising in common off-the-shelf prod-ucts The Cyber Essentials flavour is a re-spectable starting point that helps protectyour digital assets from the perspective ofan unauthenticated remote hacker acrossthe internet

The second the Cyber Essentials Plus

includes all the elements of the Cyber Es-sentials together with an additional reviewagainst internal systems including fire-walls laptops PCs and email gateways

The Cyber Essentials Plus variant is acomprehensive addition embracing theunauthenticated remote hacker aspectwhich includes malicious intent to propa-gate malware and ransomware threats

For companies that have not had anysecurity assessment of any kind I suggestthat going through the five Cyber Essen-tials stages is a comprehensive introduc-

tion to cyber assurance lMichael Minchinton is a securityconsultant for Digital Assurance Digital Assurance is CREST- andCESG-accredited Based in offices inWestminster it delivers Cyber Essentialscertification along with conventional penetration testing services socialengineering campaigns ndash and the odd bitof car hacking just for the heck of it

For more inormation visitdigitalassurancecom

or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE

9830908 | NEW STATESMAN | 18-24 SEPTEMBER 2015

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 303400 MONTH 2014 | NEW STATESMAN | 9830909

What is digital infrastructure We have all heard of the digital economy but perhaps are less familiar with the termdigital infrastructure It refers to the dig-itisation of the services that run our criti-cal national infrastructure It describesour ability to convert physical assets suchas signalling equipment into digital coderun by computers It also encompasses theincreased information systems that cap-ture data about those assets and allow us

to run them more efficiently With the rapid growth of this digital

infrastructure more services are accessedor delivered online More and more datais being collected by organisations aboutpolicies procedures staff clients com-mercial behaviour and the condition anduse of its assets To exploit the data ef-fectively it needs to be made available indifferent geographic and virtual environ-ments and at varying levels of granularity

What are the risks

All of this brings great societal benefit butalso presents an opportunity for competi-tors or criminals seeking to profit Oppor-tunity and threat go hand in hand

When it comes to a nationrsquos infrastruc-ture the potential risks go beyond thethreat of theft of customer or employeeinformation As well as more generalthreats an infrastructure organisationhas to deal with risks to the industrial andprocess control systems that maintain itsdaily operations

Industrial control (or Scada) systems that

control power plants signalling systems

and network facilities are increasingly be-ing run across the same internet protocol(IP) networks as customer managementsystems These systems have features thatmake risk more severe and the proximityof the threat greater

For example the operational systemsthat are being accessed across the internethave longer life cycles than the IT equip-ment that is used to run enterprise clientmanagement and accounting systems As

a result the underlying computer systemsare older and this means that operatingsystems are potentially no longer sup-ported and vulnerabilities are not patchedSimilarly these systems are operated fromthe shop floor and system management iscarried out on a part-time basis by an in-frastructure engineer rather than a dedi-cated IT professional

Security is a secondary concern to keep-ing the plant operational

What can we do about it

Despite the gloomy assessment there iscause for optimism The current focuson renewing or replacing infrastructuremeans that we have the opportunity to build a secure modern digital infrastruc-ture for future generations

As we design tomorrowrsquos infrastruc-ture we need to consider the future needsof our society These not only includeconsidering what services are needed butalso how those services are accessed willchange over the whole life of the asset Wecan make future digital infrastructure se-

cure by design

Despite the risks there is room or optimism argues Andrew Cooke

The threat to digitalinrastructure

How can we help make this happenInfrastructure organisations are experts inunderstanding the whole life cost of theirassets This can now be leveraged to en-sure security of service delivery

Taking a digital enterprise asset man-agement (d-EAMcopy) approach allows thedesign of infrastructure to take accountof present and future objectives and thesecurity of the physical and the informa-tion assets that deliver organisational and

societal objectives Threat vulnerabilityand risk information are linked to the de-livery of the organisationrsquos objectives andconsequently to the assets that are neededto achieve them Vulnerability and threatneed to be managed on an asset by asset basis to ensure the threat to the deliveryof organisational and in this case nationalobjectives are mitigated

The approach is not exclusively usedin the design of new infrastructure andshould be used with legacy assets as wellUnderstanding what is critical to deliver-

ing the goals of the organisation meansthat infrastructure providers can ensurethat they secure what needs to be securedand make the information they need to beavailable accessible

Protecting digital infrastructure is amatter of understanding the digital assetits use and value and making sure thatsecurity is at the heart of the way it is de-signed and exploited l Andrew Cooke is the client director for infrastructure at Atkins

To ind out more visit atkinsglobalcom

IN PARTNERSHIP WITH ATKINS

18-24 SEPTEMBER 2015 | NEW STATESMAN | 9830909

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 313418-24 SEPTEMBER 2015 | NEW STATESMAN | 983091983089

FACTS AND FIGURES

90

Security breaches by numbers

o large organisationserience security breachesup rom 81 a year ago

74o small businesses experience security

breaches up rom 60 a year ago

pound146m-pound314mAverage cost o worst securitybreaches to large organisations

pound75k-pound311kAverage cost o worst securbreaches to small businesse

50o worst breachescaused by inadvertent

human error

Security breach by type

Source 2015 Inormation Security Breaches Survey (commissioned by HM Government and conducted by PwC)

Large organisations Small organisations

75Staff-related

69Unauthorised

outsider

30

Denial oserviceattack

Staffrelated

3816

Denial oserviceattack

31

Unauthorisedoutsider

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 3234

Professional development guidance for senior decision-makersto help them counteract data loss and cyber-attacks

Itrsquos time to develop

your own CyberSecurity capabilities

Accredited by leading professional bodies and institutions

Download our free guide from

www7safecomcyber-skills or

email contact7safecom to see us at

IP EXPO (Cyber SecurityEurope exhibition)7-8th OctoberExCel London

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 3334

Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

Awareness of cyber security has risen on the back of high-profile news stories and consumer recognition of the threats. But though everyone is talking, most businesses are still in the early stages of recognising the sheer scale of the task ahead.

Consider this summer’s recall of 1.4 million cars by Fiat Chrysler after researchers remotely took control of a Jeep, turning off the engine by using wireless networks and a vulnerability in the vehicle’s radio. Similar stories have emerged of compromises with aircraft and washing machines. The accusations fly easily: corporations do not prioritise security or, worse, they wilfully ignore it. It’s more likely that the opposite is true.

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology- and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)2 has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals, and the organisations they protect, cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop, and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It’s time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements, and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)2 Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)2 members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members.

To find out more, visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements


Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance’s Michael Minchinton

In today’s reality of increasing cyber threats, the Cyber Essentials Scheme is the UK government’s endeavour to help businesses and organisations secure their digital assets by undergoing a security assessment. Cyber Essentials is an optional requirement for most businesses, unless you wish to bid for some government tenders, when it becomes a mandatory requirement.

I must confess, as a security consultant with Digital Assurance, when the Cyber Essentials scheme was first launched in June 2014 I felt sceptical and somewhat disenchanted, certainly as a pen-tester and a fellow of the tin-foil hat brigade.

Cyber Essentials was not a traditional pen test that involved vigorous testing, staring at the only light emitting in the room at 2am and wondering what can be obtained from some odd memory leak vulnerability. Neither was it a physical security test where we were sneaking into your building and hiding ninja-like behind your employees or sitting at your desks. (Yes, yours, the one with password Post-it notes all over the monitor.)

And it certainly doesn’t include trying to contemplate how to debug a car’s on-board computer over drinks with friends at a local pub after successfully exploiting and unlocking said car remotely.

I also felt somewhat sullied when I compiled some of the first of the Cyber Essentials reports for Digital Assurance, because low-risk issues did not have to be included in the final report. How preposterous!

Now, having completed several assessments against all kinds of infrastructure belonging to companies large and small, I can eat my tinfoil testing hat and declare that I was wrong.

If adapted by industry, Cyber Essentials has the potential to improve UK cyber security dramatically. It is especially beneficial to companies that do not operate a regular or annual security review.

So what does a Cyber Essentials certification include?

It comes in two flavours: Cyber Essentials and Cyber Essentials Plus. The basic one, Cyber Essentials, consists of a comprehensive questionnaire with five stages covering security controls, which are later assessed by the overseeing body of the Cyber Essentials certification.

The five stages covered are:
• boundary firewalls and internet gateways
• secure configuration
• access control
• malware protection
• patch management

To add a further level of assurance, we also offer a vulnerability scan against your external perimeter and analyse the issues arising in common off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, Cyber Essentials Plus, includes all the elements of Cyber Essentials together with an additional review against internal systems, including firewalls, laptops, PCs and email gateways.

The Cyber Essentials Plus variant is a comprehensive addition embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance. Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns – and the odd bit of car hacking, just for the heck of it.

For more information, visit digitalassurance.com or phone 020 7060 9001

IN PARTNERSHIP WITH DIGITAL ASSURANCE


The threat to digital infrastructure

Despite the risks, there is room for optimism, argues Andrew Cooke

What is digital infrastructure?

We have all heard of the digital economy but perhaps are less familiar with the term digital infrastructure. It refers to the digitisation of the services that run our critical national infrastructure. It describes our ability to convert physical assets, such as signalling equipment, into digital code run by computers. It also encompasses the increased information systems that capture data about those assets and allow us to run them more efficiently.

With the rapid growth of this digital infrastructure, more services are accessed or delivered online. More and more data is being collected by organisations about policies, procedures, staff, clients, commercial behaviour and the condition and use of its assets. To exploit the data effectively, it needs to be made available in different geographic and virtual environments and at varying levels of granularity.

What are the risks?

All of this brings great societal benefit but also presents an opportunity for competitors or criminals seeking to profit. Opportunity and threat go hand in hand.

When it comes to a nation’s infrastructure, the potential risks go beyond the threat of theft of customer or employee information. As well as more general threats, an infrastructure organisation has to deal with risks to the industrial and process control systems that maintain its daily operations.

Industrial control (or Scada) systems that control power plants, signalling systems and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional.

Security is a secondary concern to keeping the plant operational.

What can we do about it?

Despite the gloomy assessment, there is cause for optimism. The current focus on renewing or replacing infrastructure means that we have the opportunity to build a secure, modern digital infrastructure for future generations.

As we design tomorrow’s infrastructure, we need to consider the future needs of our society. These not only include considering what services are needed, but also how the way those services are accessed will change over the whole life of the asset. We can make future digital infrastructure secure by design.

How can we help make this happen?

Infrastructure organisations are experts in understanding the whole life cost of their assets. This can now be leveraged to ensure security of service delivery.

Taking a digital enterprise asset management (d-EAM©) approach allows the design of infrastructure to take account of present and future objectives and the security of the physical and the information assets that deliver organisational and societal objectives. Threat, vulnerability and risk information are linked to the delivery of the organisation’s objectives and consequently to the assets that are needed to achieve them. Vulnerability and threat need to be managed on an asset-by-asset basis to ensure the threat to the delivery of organisational and, in this case, national objectives is mitigated.

The approach is not exclusively used in the design of new infrastructure and should be used with legacy assets as well. Understanding what is critical to delivering the goals of the organisation means that infrastructure providers can ensure that they secure what needs to be secured and make the information they need to be available accessible.

Protecting digital infrastructure is a matter of understanding the digital asset, its use and value, and making sure that security is at the heart of the way it is designed and exploited.

Andrew Cooke is the client director for infrastructure at Atkins

To find out more, visit atkinsglobal.com

IN PARTNERSHIP WITH ATKINS


FACTS AND FIGURES

Security breaches by numbers

90% of large organisations experience security breaches, up from 81% a year ago

74% of small businesses experience security breaches, up from 60% a year ago

£1.46m-£3.14m: average cost of worst security breaches to large organisations

£75k-£311k: average cost of worst security breaches to small businesses

50% of worst breaches caused by inadvertent human error

Security breach by type

Large organisations: staff-related 75%; unauthorised outsider 69%; denial of service attack 30%

Small organisations: staff-related 31%; unauthorised outsider 38%; denial of service attack 16%

Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 3234

Professional development guidance for senior decision-makersto help them counteract data loss and cyber-attacks

Itrsquos time to develop

your own CyberSecurity capabilities

Accredited by leading professional bodies and institutions

Download our free guide from

www7safecomcyber-skills or

email contact7safecom to see us at

IP EXPO (Cyber SecurityEurope exhibition)7-8th OctoberExCel London

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 3334

Awareness of cyber security has risenon the back of high-profile news sto-ries and consumer recognition of the

threats But though everyone is talking most businesses are still in the early stages of rec-ognising the sheer scale of the task ahead

Consider this summerrsquos recall of 14 mil-lion cars by Fiat Chrysler after researchers

remotely took control of a Jeep turning offthe engine by using wireless networks anda vulnerability in the vehiclersquos radio Similarstories have emerged of compromises withaircraft and washing machines The accusa-tions fly easily corporations do not prioritisesecurity or worse they wilfully ignore it Itrsquosmore likely that the opposite is true

The onset of the connected world ndash withan estimated 50 billion devices connectedtogether by 2020 ndash heralds a fundamentalchange in the way society and its economiesare developing The impact of technology onthe way we function is already evolving at

an unprecedented rate You will hear technology and business-

driven innovators alike talk about how thecloud is the new core and mobile devices thenew edge In plain English they mean thatemployees and suppliers from disparatecompanies business units and countries canwork together using myriad systems socialnetworks and business tools (many of whichstem from consumer services such as Skypeor WhatsApp that no one organisation over-sees) And there is no turning back

(ISC)2 has tracked these trends since 2004Our most recent study concludes that thechanging organisational footprint has left in-formation security professionals and the or-ganisations they protect cornered in a reac-tionary role of addressing security incidentsas they occur There is little opportunity toplan for the future

Connected cars that analyse driving fridg-es that can do the weekly shop and light andheating systems that can be controlled withan app on a mobile phone are accelerating thepace of change Itrsquos time to help those drivingthis change work with a much clearer under-standing of how it is moving us forward andwhere it is leaving us vulnerable

We need to examine developments in ar-eas such as robotics and health care to evalu-ate how dependent these fields are on tech-nology and how those dependencies couldaffect legal and regulatory concerns Thisgoes much further than the need for techni-

cal excellence in forensics technical analysisor penetration testing

The call is for a comprehensive effort onethat spans industry and management disci-plines to develop of a broad pool of talentcapable of reassessing business risk productand service development requirements andorganisational resilience

At the moment such considerations areshouldered by an overburdened cyber secu-rity function straining under a now well-known skills gap in the field

The connected world offers great promise and heralds fundamentalchange with new risks writes Adrian Davis

Cyber security skillsfor a digital future

The current (ISC) 2 Global InformationSecurity Workforce Study forecasts a globalshortfall of 15 million qualified profession-als (379000 in Europe the Middle East andAfrica) by 2020 Many laudable efforts todefine apprenticeships cyber security chal-lenges and other initiatives address focusedrequirements That overall push to enhance

a breadth of understanding and accountabil-ity still eludes usAs a professional community of nearly

110000 working in the field (ISC)2 mem- bers are motivated to change this We havefor example worked with the Council ofProfessors and Heads of Computing (CPHC)on curriculum guidelines now incorporatedwithin the accreditation criteria for mostcomputing science degrees in the UK Theaim of this and similar projects is to helpthose working on that Jeep of the futureunderstand the cyber security concepts thatshould be a core part of what they do

The connected world and the digital econ-omy offer great promise We must be guidedhowever by a much broader appreciation forhow we must evolve lDr Adrian Davis is the managing director

for EMEA at (ISC)sup2 the largest not-for- profit membership body of certified cyberinformation software and infrastructure

security professionals worldwide withnearly 110000 members

To find out more visit isc2org

IN PARTNERSHIP WITH 983080ISC983081983090

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 3434

This supplement and other policy reports canbe downloaded rom the NS website at

newstatesmancompagesupplements

Page 30: Avatu - A to Z Cyber Security

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 303400 MONTH 2014 | NEW STATESMAN | 9830909

What is digital infrastructure We have all heard of the digital economy but perhaps are less familiar with the termdigital infrastructure It refers to the dig-itisation of the services that run our criti-cal national infrastructure It describesour ability to convert physical assets suchas signalling equipment into digital coderun by computers It also encompasses theincreased information systems that cap-ture data about those assets and allow us

to run them more efficiently With the rapid growth of this digital

infrastructure more services are accessedor delivered online More and more datais being collected by organisations aboutpolicies procedures staff clients com-mercial behaviour and the condition anduse of its assets To exploit the data ef-fectively it needs to be made available indifferent geographic and virtual environ-ments and at varying levels of granularity

What are the risks

All of this brings great societal benefit butalso presents an opportunity for competi-tors or criminals seeking to profit Oppor-tunity and threat go hand in hand

When it comes to a nationrsquos infrastruc-ture the potential risks go beyond thethreat of theft of customer or employeeinformation As well as more generalthreats an infrastructure organisationhas to deal with risks to the industrial andprocess control systems that maintain itsdaily operations

Industrial control (or Scada) systems that

control power plants signalling systems

and network facilities are increasingly be-ing run across the same internet protocol(IP) networks as customer managementsystems These systems have features thatmake risk more severe and the proximityof the threat greater

For example the operational systemsthat are being accessed across the internethave longer life cycles than the IT equip-ment that is used to run enterprise clientmanagement and accounting systems As

a result the underlying computer systemsare older and this means that operatingsystems are potentially no longer sup-ported and vulnerabilities are not patchedSimilarly these systems are operated fromthe shop floor and system management iscarried out on a part-time basis by an in-frastructure engineer rather than a dedi-cated IT professional

Security is a secondary concern to keep-ing the plant operational

What can we do about it

Despite the gloomy assessment there iscause for optimism The current focuson renewing or replacing infrastructuremeans that we have the opportunity to build a secure modern digital infrastruc-ture for future generations

As we design tomorrowrsquos infrastruc-ture we need to consider the future needsof our society These not only includeconsidering what services are needed butalso how those services are accessed willchange over the whole life of the asset Wecan make future digital infrastructure se-

cure by design

Despite the risks there is room or optimism argues Andrew Cooke

The threat to digitalinrastructure

How can we help make this happenInfrastructure organisations are experts inunderstanding the whole life cost of theirassets This can now be leveraged to en-sure security of service delivery

Taking a digital enterprise asset man-agement (d-EAMcopy) approach allows thedesign of infrastructure to take accountof present and future objectives and thesecurity of the physical and the informa-tion assets that deliver organisational and

societal objectives Threat vulnerabilityand risk information are linked to the de-livery of the organisationrsquos objectives andconsequently to the assets that are neededto achieve them Vulnerability and threatneed to be managed on an asset by asset basis to ensure the threat to the deliveryof organisational and in this case nationalobjectives are mitigated

The approach is not exclusively usedin the design of new infrastructure andshould be used with legacy assets as wellUnderstanding what is critical to deliver-

ing the goals of the organisation meansthat infrastructure providers can ensurethat they secure what needs to be securedand make the information they need to beavailable accessible

Protecting digital infrastructure is amatter of understanding the digital assetits use and value and making sure thatsecurity is at the heart of the way it is de-signed and exploited l Andrew Cooke is the client director for infrastructure at Atkins

To ind out more visit atkinsglobalcom

IN PARTNERSHIP WITH ATKINS

18-24 SEPTEMBER 2015 | NEW STATESMAN | 9830909

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 313418-24 SEPTEMBER 2015 | NEW STATESMAN | 983091983089

FACTS AND FIGURES

90

Security breaches by numbers

o large organisationserience security breachesup rom 81 a year ago

74o small businesses experience security

breaches up rom 60 a year ago

pound146m-pound314mAverage cost o worst securitybreaches to large organisations

pound75k-pound311kAverage cost o worst securbreaches to small businesse

50o worst breachescaused by inadvertent

human error

Security breach by type

Source 2015 Inormation Security Breaches Survey (commissioned by HM Government and conducted by PwC)

Large organisations Small organisations

75Staff-related

69Unauthorised

outsider

30

Denial oserviceattack

Staffrelated

3816

Denial oserviceattack

31

Unauthorisedoutsider

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 3234

Professional development guidance for senior decision-makersto help them counteract data loss and cyber-attacks

Itrsquos time to develop

your own CyberSecurity capabilities

Accredited by leading professional bodies and institutions

Download our free guide from

www7safecomcyber-skills or

email contact7safecom to see us at

IP EXPO (Cyber SecurityEurope exhibition)7-8th OctoberExCel London

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 3334

Awareness of cyber security has risenon the back of high-profile news sto-ries and consumer recognition of the

threats But though everyone is talking most businesses are still in the early stages of rec-ognising the sheer scale of the task ahead

Consider this summerrsquos recall of 14 mil-lion cars by Fiat Chrysler after researchers

remotely took control of a Jeep turning offthe engine by using wireless networks anda vulnerability in the vehiclersquos radio Similarstories have emerged of compromises withaircraft and washing machines The accusa-tions fly easily corporations do not prioritisesecurity or worse they wilfully ignore it Itrsquosmore likely that the opposite is true

The onset of the connected world ndash withan estimated 50 billion devices connectedtogether by 2020 ndash heralds a fundamentalchange in the way society and its economiesare developing The impact of technology onthe way we function is already evolving at

an unprecedented rate You will hear technology and business-

driven innovators alike talk about how thecloud is the new core and mobile devices thenew edge In plain English they mean thatemployees and suppliers from disparatecompanies business units and countries canwork together using myriad systems socialnetworks and business tools (many of whichstem from consumer services such as Skypeor WhatsApp that no one organisation over-sees) And there is no turning back

(ISC)2 has tracked these trends since 2004Our most recent study concludes that thechanging organisational footprint has left in-formation security professionals and the or-ganisations they protect cornered in a reac-tionary role of addressing security incidentsas they occur There is little opportunity toplan for the future

Connected cars that analyse driving fridg-es that can do the weekly shop and light andheating systems that can be controlled withan app on a mobile phone are accelerating thepace of change Itrsquos time to help those drivingthis change work with a much clearer under-standing of how it is moving us forward andwhere it is leaving us vulnerable

We need to examine developments in ar-eas such as robotics and health care to evalu-ate how dependent these fields are on tech-nology and how those dependencies couldaffect legal and regulatory concerns Thisgoes much further than the need for techni-

cal excellence in forensics technical analysisor penetration testing

The call is for a comprehensive effort onethat spans industry and management disci-plines to develop of a broad pool of talentcapable of reassessing business risk productand service development requirements andorganisational resilience

At the moment such considerations areshouldered by an overburdened cyber secu-rity function straining under a now well-known skills gap in the field

The connected world offers great promise and heralds fundamentalchange with new risks writes Adrian Davis

Cyber security skillsfor a digital future

The current (ISC) 2 Global InformationSecurity Workforce Study forecasts a globalshortfall of 15 million qualified profession-als (379000 in Europe the Middle East andAfrica) by 2020 Many laudable efforts todefine apprenticeships cyber security chal-lenges and other initiatives address focusedrequirements That overall push to enhance

a breadth of understanding and accountabil-ity still eludes usAs a professional community of nearly

110000 working in the field (ISC)2 mem- bers are motivated to change this We havefor example worked with the Council ofProfessors and Heads of Computing (CPHC)on curriculum guidelines now incorporatedwithin the accreditation criteria for mostcomputing science degrees in the UK Theaim of this and similar projects is to helpthose working on that Jeep of the futureunderstand the cyber security concepts thatshould be a core part of what they do

The connected world and the digital econ-omy offer great promise We must be guidedhowever by a much broader appreciation forhow we must evolve lDr Adrian Davis is the managing director

for EMEA at (ISC)sup2 the largest not-for- profit membership body of certified cyberinformation software and infrastructure

security professionals worldwide withnearly 110000 members

To find out more visit isc2org

IN PARTNERSHIP WITH 983080ISC983081983090

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 3434

This supplement and other policy reports canbe downloaded rom the NS website at

newstatesmancompagesupplements

Page 31: Avatu - A to Z Cyber Security

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 313418-24 SEPTEMBER 2015 | NEW STATESMAN | 983091983089

FACTS AND FIGURES

90

Security breaches by numbers

o large organisationserience security breachesup rom 81 a year ago

74o small businesses experience security

breaches up rom 60 a year ago

pound146m-pound314mAverage cost o worst securitybreaches to large organisations

pound75k-pound311kAverage cost o worst securbreaches to small businesse

50o worst breachescaused by inadvertent

human error

Security breach by type

Source 2015 Inormation Security Breaches Survey (commissioned by HM Government and conducted by PwC)

Large organisations Small organisations

75Staff-related

69Unauthorised

outsider

30

Denial oserviceattack

Staffrelated

3816

Denial oserviceattack

31

Unauthorisedoutsider

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 3234

Professional development guidance for senior decision-makersto help them counteract data loss and cyber-attacks

Itrsquos time to develop

your own CyberSecurity capabilities

Accredited by leading professional bodies and institutions

Download our free guide from

www7safecomcyber-skills or

email contact7safecom to see us at

IP EXPO (Cyber SecurityEurope exhibition)7-8th OctoberExCel London

8172019 Avatu - A to Z Cyber Security

httpslidepdfcomreaderfullavatu-a-to-z-cyber-security 3334

Awareness of cyber security has risenon the back of high-profile news sto-ries and consumer recognition of the

threats But though everyone is talking most businesses are still in the early stages of rec-ognising the sheer scale of the task ahead

Consider this summerrsquos recall of 14 mil-lion cars by Fiat Chrysler after researchers

remotely took control of a Jeep turning offthe engine by using wireless networks anda vulnerability in the vehiclersquos radio Similarstories have emerged of compromises withaircraft and washing machines The accusa-tions fly easily corporations do not prioritisesecurity or worse they wilfully ignore it Itrsquosmore likely that the opposite is true

Cyber security skills for a digital future

The connected world offers great promise and heralds fundamental change, with new risks, writes Adrian Davis

The onset of the connected world – with an estimated 50 billion devices connected together by 2020 – heralds a fundamental change in the way society and its economies are developing. The impact of technology on the way we function is already evolving at an unprecedented rate.

You will hear technology and business-driven innovators alike talk about how the cloud is the new core and mobile devices the new edge. In plain English, they mean that employees and suppliers from disparate companies, business units and countries can work together using myriad systems, social networks and business tools (many of which stem from consumer services such as Skype or WhatsApp that no one organisation oversees). And there is no turning back.

(ISC)² has tracked these trends since 2004. Our most recent study concludes that the changing organisational footprint has left information security professionals and the organisations they protect cornered in a reactionary role of addressing security incidents as they occur. There is little opportunity to plan for the future.

Connected cars that analyse driving, fridges that can do the weekly shop and light and heating systems that can be controlled with an app on a mobile phone are accelerating the pace of change. It's time to help those driving this change work with a much clearer understanding of how it is moving us forward and where it is leaving us vulnerable.

We need to examine developments in areas such as robotics and health care to evaluate how dependent these fields are on technology and how those dependencies could affect legal and regulatory concerns. This goes much further than the need for technical excellence in forensics, technical analysis or penetration testing.

The call is for a comprehensive effort, one that spans industry and management disciplines, to develop a broad pool of talent capable of reassessing business risk, product and service development requirements and organisational resilience.

At the moment such considerations are shouldered by an overburdened cyber security function straining under a now well-known skills gap in the field.

The current (ISC)² Global Information Security Workforce Study forecasts a global shortfall of 1.5 million qualified professionals (379,000 in Europe, the Middle East and Africa) by 2020. Many laudable efforts to define apprenticeships, cyber security challenges and other initiatives address focused requirements. That overall push to enhance a breadth of understanding and accountability still eludes us.

As a professional community of nearly 110,000 working in the field, (ISC)² members are motivated to change this. We have, for example, worked with the Council of Professors and Heads of Computing (CPHC) on curriculum guidelines now incorporated within the accreditation criteria for most computing science degrees in the UK. The aim of this and similar projects is to help those working on that Jeep of the future understand the cyber security concepts that should be a core part of what they do.

The connected world and the digital economy offer great promise. We must be guided, however, by a much broader appreciation for how we must evolve.

Dr Adrian Davis is the managing director for EMEA at (ISC)², the largest not-for-profit membership body of certified cyber, information, software and infrastructure security professionals worldwide, with nearly 110,000 members.

To find out more visit isc2.org

IN PARTNERSHIP WITH (ISC)²


This supplement and other policy reports can be downloaded from the NS website at newstatesman.com/page/supplements

Page 32: Avatu - A to Z Cyber Security


Professional development guidance for senior decision-makers to help them counteract data loss and cyber-attacks

It's time to develop your own Cyber Security capabilities

Accredited by leading professional bodies and institutions

Download our free guide from www.7safe.com/cyber-skills or email contact@7safe.com to see us at IP EXPO (Cyber Security Europe exhibition), 7-8th October, ExCeL London


