We round up interesting research and reporting about security and privacy from around the web. This month: security as a global business risk, insured vs protected, a 12-step programme, subject access requests made real, French fine for Google, and an imperfect getaway.
Risks getting riskier
Some top ten lists are not the kind you want to appear on. Data theft and cyber attacks both featured in the World Economic Forum’s Global Risks Report 2019. Only threats relating to extreme weather, climate change and natural disasters ranked above both security risks.
The report is based on a survey which asked 1,000 decision makers to rate global risks by likelihood over a 10-year horizon. As ZDNet reports, 82 per cent of those surveyed believe there’s an increased risk of cyberattacks leading to the theft of money and data. Some 80 per cent believe there’s a greater risk of cyberattacks disrupting operations.
The report also refers to the increased risk of cyberattacks against critical infrastructure, along with concerns about identity theft and decreasing privacy. The WEF’s overview includes a video of a panel discussing the risks, and the report itself is free to download.
Insuring against cyber attacks
Thinking of buying cyber risk insurance in the near future? The legal spat between Mondelez and Zurich might give you pause. The US food company sued its insurer for refusing to pay a $100 million claim for ransomware damages. NotPetya left Mondelez with 1,700 unusable servers and 24,000 permanently broken laptops. Zurich called this “a hostile or warlike action” by a government or foreign power, which therefore excluded it from cover.
As InfoSecurity’s story suggests, Zurich might have been on safer ground by invoking a gross negligence clause instead, since Mondelez got hit not once but twice. And where does this leave victims? “Just because you have car insurance does not mean you won’t have a car crash. Just because you have cyber insurance does not mean you won’t have a breach,” said Brian Honan.
Lesley Carhart of Dragos Security said the case would have implications for cyber insurance sales and where CISOs spend money. “Not only is Zurich’s claim apparently that nation state adversaries can’t be insured against, but it adds the ever tenuous question of attribution to insurance claims,” she wrote.
The 12 steps to better cybersecurity
Somewhat under the radar, but no less welcome for that, Ireland’s National Cyber Security Centre has published guidance on cybersecurity for Irish businesses. It’s a high-level document that takes the form of a 12-step guide. It’s written in non-technical language, clearly intended for a wide audience. The steps include tips like getting senior management support for a cybersecurity strategy. The full report is free to download from here. We’ve taken a deep dive into the contents and you can read our thoughts here.
Fight for your right to part…ake of your data
GDPR obliges companies to cough up the personal data they hold about us on request, but what does that mean in practice? Journalist Jon Porter exercised his right to a subject access request with Apple, Amazon, Facebook, and Google. Just under 138GB of raw data later, he discovered that little of the information was in a format he could easily understand. If some of the world’s biggest tech companies are struggling with this challenge, what does that say for everyone else? It’s a fascinating story, available here.
Google grapples French fine
And speaking of all things GDPR-related, France’s data protection regulator CNIL has hit Google with a €50 million fine for violating the regulation. The CNIL claims Google didn’t make its data collection policies transparent enough and didn’t obtain sufficient, specific consent for personalising ads.
As Brian Honan wrote in the SANS Institute newsletter: “While the €50 million fine is the item grabbing the headlines, the key issue here is the finding by CNIL of the unlawfulness of Google’s approach to gathering people’s personal data. This will have bigger implications for Google, and many other organisations, in how they ensure they legally gather and use people’s personal data in line with the GDPR.”
You can run, but you can’t hide
Here’s a cautionary tale about the dangers of oversharing personal data on smart devices. UK police collared a hitman for an unsolved murder after data from his GPS watch linked him to scouting expeditions of the crime scene. Runner’s World covered the story and the Liverpool Echo published CCTV footage of an alleged recon trip near the victim’s home.
It’s an extreme example maybe, but the story shows how heavy our digital footprints can be (running shoes or not). Social media sharing can also be a security risk for a company’s remote workers. Trend Micro’s Bob McArdle outlined this very subject in his excellent Irisscon 2018 presentation. Social engineering expert Lisa Forte tweeted that she can gather intel about target companies from what their employees post online.
Things we liked
- Protector, puzzle master, moral crusader, change agent: the many faces of a CISO.
- And another thing: want to be a good security leader? Learn to tell a good story first.
- Making the contentious case that breaches can be a good thing, and aren’t automatically bad for business.
- Google Chrome, used by almost two-thirds of web browsers, has a new plugin that warns users when entering a username/password combination that’s been detected in a data breach.
- An offer you couldn’t retweet: meeting the godfather of fake news.
- The Council to Secure the Digital Economy (CSDE) has published a guide to help protect the Internet from botnets. The International Anti-Botnet Guide will be updated every year.
- ENISA has released a study of CSIRTs and incident response capabilities in Europe to 2025.
Ireland’s National Cyber Security Centre has published guidance on cybersecurity for Irish businesses. It’s a welcome addition to the roster of material available to help organisations to develop or refine their security strategy. The team at BH Consulting has picked out key points from the guide, and added some more context and analysis.
The report’s non-technical language shows that it’s clearly intended for a wide audience. In a move that’s doubtless designed to help spread the message widely, the document presents its 12 steps in three formats: as an infographic, on a single page of text, and then as longer descriptions for each step.
Preparing for ‘when’, not ‘if’
Reading through the guide, it’s striking how it starts from the premise that attacks are already going on. As the introduction makes clear:
“Cyberattacks make headlines on a daily basis. It’s no longer a question of if your company will be breached, or even when, it’s likely to have happened already. The real question is whether you will know and are you prepared?”
This language echoes the Central Bank of Ireland’s 2016 guidance which warned about this risk in similarly stark terms. “Firms should assume that they will be subject to a successful cyber-attack or business interruption”, the bank said.
A resilient approach to security
The NCSC’s high-level document aims to make businesses more resilient to security incidents. That’s an approach we can all get behind. In several blog posts from last year, we looked at this very issue through a business and risk lens. In one post, Brian Honan suggested a four-step process to improving resilience:
- Identify key systems and services for your business
- Look at the key risks and threats to those services
- Based on that risk analysis, identify the key areas to address such as single points of failure, inter-reliance of systems and interdependency of systems
- Engineer ways to mitigate the impact of any potential failure, either through cybercrime or other means.
Looking back, it’s interesting how many of the themes overlap with the NCSC guidance. As we noted at the time, this is about thinking of security as a business problem, not a technological one.
Obviously, businesses still need to put effort into preventing certain types of attacks and security incidents. But it’s arguably even more important to put measures in place to keep the business running no matter what. Resilience takes many forms: after attackers defaced the website for the Luas, the tram service kept running but it took nearly a month for the site to reopen.
Rather than advising a ‘big bang’ culture change to embrace security, the guide suggests using the steps as an activity plan to undertake over a 12-month period. The report spends a lot of time at a high level before getting into specific actions to take, or naming particular tools to use. In fact, the first five steps don’t look in-depth at technology. Instead, they’re about orienting a business to think about security in a systematic way.
The guide is free to download from here. Step one covers governance and organisation: that means getting senior management support for a cybersecurity plan. Next comes the step of identifying the assets that matter most. (This is a broad list, covering everything from business goals, products, and services through to the people, processes, technology and data infrastructure underpinning them.) The steps then follow through to identifying threats and defining risk appetite.
Interestingly, the document advises focusing on education and awareness before it covers basic technical protections. These include secure configuration, patch management, firewalls, anti-malware, removable media controls, remote access controls, and encryption.
(For organisations that prefer to skip directly to this step, the guide offers a ‘minimum baseline’ of essential protections that includes boundary firewalls, secure configuration, patch management, malware protection, encryption and access controls.)
Step seven involves setting up the ability to monitor for suspicious activity. In another nod to the broad mix of businesses this advice applies to, the guide notes that security monitoring can range from a basic alerting system through to a more sophisticated security operations centre.
The subsequent steps cover putting in place post-incident measures. They include having a formal cyber incident management team, establishing recovery plans, and implementing extra protections to supplement the basic controls. Step 11 advises running a mocked-up exercise to test how the management would react to a security breach.
Step 12 and context
The guide finishes with creating an ongoing cyber risk management lifecycle. This twelfth and final action needs to be part of ‘business as usual’, the NCSC advises. The guide strikes a fair balance between useful advice and appealing to the broadest possible audience. The ‘practical considerations’ page, which isn’t part of the 12 steps, lays out the message in simple terms. A company’s level of security will vary depending on many factors, such as the potential threats that affect it the most, the level of risk it’s prepared to accept, and the amount of budgetary and people resources it can afford to allocate.
Valerie Lyons, chief operations officer with BH Consulting, says the guide provides a really good grouping of the various areas in which to approach cyber resilience. However, she feels some areas need clarification. For example, using months as a measure could be misleading. “Identifying what matters most can take a day in a small accounting office, and take a year in a large hospital. If we take May for instance, ‘focus on education and awareness’, this should in fact be a throughout-the-year activity engrained throughout every step. However, the steps by virtue of their month-by-month presentation allow a plan to be developed,” Valerie says.
Beyond the guide: extra steps
It’s arguable that the step of creating a cyber risk management lifecycle, which the guide puts in December, should in fact be in January. “We should determine up front what the regulatory landscape looks like and the resources required to achieve it,” Valerie says.
The guide would also benefit from clear definitions of cyber resilience, and what cyber risk means to the organisation. Instead of only focusing on the threat of external attacks, businesses should weigh up the risk from their own users’ accidental or deliberate actions.
As well as the practical steps in the guide, Valerie says organisations can also run tests, red teaming exercises, and table-top scenarios to test their security. Lastly, she recommends that businesses should manage cyber risk like all other risks, and it should be led by the chief risk officer, or risk unit.
The Irish NCSC report is a welcome addition to a growing crop of business-focused security advice from trusted, independent sources. There’s a wealth of free material for businesses of all sizes that are only starting to get the security message. ENISA, the European Union agency for network and information security, regularly publishes advice which you can find here. Similarly, the UK National Cyber Security Centre also publishes excellent, easy-to-read advice. Think of it as a form of public immunisation. The more organisations are vaccinated against the most common security risks, the safer we’ll all be.
The post Ireland’s cybersecurity watchdog publishes new guidance for businesses appeared first on BH Consulting.
Members of British Parliament Targeted by Phishing Attack
Dozens of MPs from the UK were recently subjected to malicious spam and unauthorized solicitations via their mobile devices. Fortunately, as this wasn’t the first phishing attempt on MPs, many were quick to delete any unusual messages and quickly warned others to do the same. Due to the ease of mounting such an attack, phishing campaigns can be extremely effective, especially when deploying social engineering tactics to increase the victim pool.
Major African Utility Company Breached
One of the largest energy providers on the African continent suffered a data breach this week, brought on by an employee downloading a game onto a corporate device. Along with introducing a fairly sophisticated banking Trojan onto the system, the employee also allowed a database containing sensitive customer information to be exposed to the attackers. Even more worrisome, the utility company was only made aware of the breach after an independent security researcher attempted to contact them about the stolen data via Twitter.
Cryptocurrency Exchange Collapses After CEO Death
A Canada-based cryptocurrency exchange was recently faced with a major dilemma after the untimely death of its CEO, the only person with access to the offline coin storage wallet. With more than $100 million worth of cryptocurrency currently tied up in the exchange, many customers quickly found themselves without access to their funds, possibly indefinitely. Having a single point of failure is a critical, and easily avoidable, issue for any digital company.
Fast Food POS Breach
A new breach has been discovered that could affect any customers who paid with a credit card at any Huddle House fast-food locations over the past two years. While the specific malware variant is still unknown, there were obvious signs of credential stealing and other information gathering tactics. Huddle House has since been working with law enforcement and credit companies to help potential victims with credit monitoring.
Google Play Removes Porn Apps
In another wave of cleaning up the Google Play store, the company recently removed 29 apps that were disguised as photo or camera apps but would instead steal user photos and display a steady stream of pornographic advertisements. The apps had each been downloaded between 100,000 and 1 million times, and were often extremely difficult to remove, even hiding the app icon entirely. Additionally, some of the apps would present themselves as a photo editor, encouraging users to upload any extra pictures that weren’t already stolen.
I’m excited to share that Webroot has entered into an agreement to be acquired by Carbonite, a leader in cloud-based data protection for consumers and businesses.
Why do I think this is such good news for customers, partners and our employees?
For customers and partners, the combined Webroot and Carbonite will create an integrated solution for their top security needs today and a platform for us to build upon in the future. When surveyed, SMBs and MSPs consistently name endpoint security and backup and data recovery services among their top priorities.
For our threat intelligence partners, the addition of new data sources will make our threat intelligence services even more powerful.
We see great opportunities ahead building on the solutions you trust—endpoint and network protection, security awareness training and threat intelligence services—and extending them to backup and data recovery and beyond.
For employees, we see a great future of growth for a team with a shared culture. Both Webroot and Carbonite have tremendously talented team members who together will bring even more innovative solutions to market. But, just as important, both companies have a culture of customer focus, where customer success is the ultimate proof of company success.
Until the transaction closes, we must operate as separate companies. After close, which we expect to happen in the first calendar quarter of 2019, I look forward to sharing more information about our plans.
In the meantime, customers and partners can expect:
- The same commitment to customer care and support. You will have access to your same account reps and award-winning customer support team.
- Future solutions that combine Webroot’s threat intelligence driven portfolio with Carbonite’s data protection solutions.
- Extended sales channels and partner ecosystems. Carbonite partners will provide additional channels for Webroot to reach new customers and partners worldwide.
The most important point I want to underline is that our commitment to you will not change, and we are just expanding the family of people dedicated to building great solutions to protect you and your customers.
President & CEO, Webroot