PC PORTAL

Experienced. Trusted. Solutions.

BH Consulting News

By

Security roundup: February 2019

We round up interesting research and reporting about security and privacy from around the web. This month: security as a global business risk, insured vs protected, a 12-step programme, subject access requests made real, French fine for Google, and an imperfect getaway.

Risks getting riskier

Some top ten lists are not the kind you want to appear on. Data theft and cyber attacks both featured in the World Economic Forum’s Global Risks Report 2019. Only threats relating to extreme weather, climate change and natural disasters ranked above both security risks.

The report is based on a survey which asked 1,000 decision makers to rate global risks by likelihood over a 10-year horizon. As ZDNet reports, 82 per cent of those surveyed believe there’s an increased risk of cyberattacks leading to the theft of money and data. Some 80 per cent believe there’s a greater risk of cyberattacks disrupting operations.

The report also refers to the increased risk of cyberattacks against critical infrastructure, along with concerns about identity theft and decreasing privacy. The WEF’s overview includes a video of a panel discussing the risks, and the report itself is free to download.

Insuring against cyber attacks

Thinking of buying cyber risk insurance in the near future? The legal spat between Mondelez and Zurich might give pause to reconsider. The US food company sued its insurer for refusing to pay a $100 million claim for ransomware damages. NotPetya left Mondelez with 1,700 unusable servers and 24,000 permanently broken laptops. Zurich called this “a hostile or warlike action” by a government or foreign power which therefore excluded it from cover.

As InfoSecurity’s story suggests, Zurich might have been on safer ground by invoking a gross negligence clause instead, since Mondelez got hit not once but twice. And where does this leave victims? “Just because you have car insurance does not mean you won’t have a car crash. Just because you have cyber insurance does not mean you won’t have a breach,” said Brian Honan.

Lesley Carhart of Dragos Security said the case would have implications for cyber insurance sales and where CISOs spend money. “Not only is Zurich’s claim apparently that nation state adversaries can’t be insured against, but it adds the ever tenuous question of attribution to insurance claims,” she wrote.

The 12 steps to better cybersecurity

Somewhat under the radar, but no less welcome for that, Ireland’s National Cyber Security Centre has published guidance on cybersecurity for Irish businesses. It’s a high-level document that takes the form of a 12-step guide. It’s written in non-technical language, clearly intended for a wide audience. The steps include tips like getting senior management support for a cybersecurity strategy. The full report is free to download from here. We’ve taken a deep dive into the contents and you can read our thoughts here.

Fight for your right to part…ake of your data

GDPR obliges companies to cough up the personal data they hold about us on request, but what does that mean in practice? Journalist Jon Porter exercised his right to a subject access request with Apple, Amazon, Facebook, and Google. Just under 138GB of raw data later, he discovered that little of the information was in a format he could easily understand. If some of the world’s biggest tech companies are struggling with this challenge, what does that say for everyone else? It’s a fascinating story, available here.

Google grapples French fine

And speaking of all things GDPR-related, France’s data protection regulator CNIL has hit Google with a €50 million fine for violating the regulation. The CNIL claims Google didn’t make its data collection policies transparent enough and didn’t obtain sufficient, specific consent for personalising ads.

As Brian Honan wrote in the SANS Institute newsletter: “While the €50 million fine is the item grabbing the headlines, the key issue here is the finding by CNIL of the unlawfulness of Google’s approach to gathering people’s personal data. This will have bigger implications for Google, and many other organisations, in how they ensure they legally gather and use people’s personal data in line with the GDPR.”

You can run, but you can’t hide

Here’s a cautionary tale about the dangers of oversharing personal data on smart devices. UK police collared a hitman for an unsolved murder after data from his GPS watch linked him to scouting expeditions of the crime scene. Runners World covered the story and the Liverpool Echo published CCTV footage of an alleged recon trip near the victim’s home.

It’s an extreme example maybe, but the story shows how heavy our digital footprints can be (running shoes or not). Social media sharing can also be a security risk for a company’s remote workers. Trend Micro’s Bob McArdle outlined this very subject in his excellent Irisscon 2018 presentation. Social engineering expert Lisa Forte tweeted that she can gather intel about target companies from what their employees post online.

Things we liked

Protector, puzzle master, moral crusader, change agent: the many faces of a CISO. MORE

And another thing: want to be a good security leader? Learn to tell a good story first. MORE

Making the contentious case that breaches can be a good thing, and aren’t automatically bad for business. MORE

Google Chrome, used by almost two-thirds of web browsers, has a new plugin that warns users when entering a username/password combination that’s been detected in a data breach. MORE

An offer you couldn’t retweet: meeting the godfather of fake news. MORE

The Council to Secure the Digital Economy (CSDE) has published a guide to help protect the Internet from botnets. The International Anti-Botnet Guide will be updated every year. MORE

ENISA has released a study of CSIRTs and incident response capabilities in Europe to 2025. MORE

The post Security roundup: February 2019 appeared first on BH Consulting.

By

Plan for potential incidents and breach scenarios, cybersecurity conference hears

Businesses should prepare an incident plan for security breaches in advance to know what resources they’ll need to deal with it. Speaking at the Technology Ireland ICT Skillnet Cybercrime Conference earlier today, Brian Honan said that running different scenarios can help businesses identify whether they’ll need assistance from IT, legal, HR or public relations.

Research from the Institute of Directors in Ireland has found that 69 per cent of SMBs claim they’re prepared for a data breach. Brian flipped that statistic to point out that this means almost one third of business owners have no such plan.

Never mind cyber; it’s crime

He also encouraged companies to report incidents like ransomware, CEO fraud or a website infection. “Don’t forget you’re the victim of a crime. In most cases, a cybersecurity incident is treated as an IT problem, not even a business issue or a crime. It’s a mindset change. It’s not separate to your business, it’s integral to it.” To help make that change, he suggested: “we should drop the name ‘cyber’.”

When businesses have to disclose an incident, Brian called on them not to use the phrase ‘we suffered a sophisticated breach’ – because most times, it’s not true. In many cases, incidents are due human error, or to bad practices like poor passwords. “If you’re using cloud email, enable two-factor authentication and educate people in using secure passwords. Encourage them not to click on suspicious links,” he said.

Other attacks exploit platforms like WordPress and Joomla. Businesses using those tools to run their websites need to continuously manage and update them, Brian said. “Many web vulnerabilities and threats like attack types like SQL injection are known about for over 10 years,” he said.

Steps to better security

Companies can take several steps to improve their security, such as establishing policies. “They’re very important – they set the strategy for the business and help everybody to meet it,” said Brian. Having systems to monitor and respond to suspicious activity is also essential. “Look at the physical world: you can’t guarantee your business won’t be burgled. It’s the same in online world, but we need to be able to detect when it happens,” he said.

The best security investment a business can make is in awareness training for employees, Brian added. These programmes educate staff about how to identify potential attacks, and how to handle information in a secure way.

He also encouraged businesses to disclose when they have suffered an incident, to help improve overall security. “Everybody will have a breach, there’s no shame in that, so let’s get over that and share information to help each other,” he said.

Tackling the cybersecurity skills gap

Research shows a high proportion of security breaches take months to recover from, which is partly due to an industry skills shortage. “The biggest problem we have is a lack of skilled staff in cybersecurity,” Brian said. The conference saw the launch of a new programme to train 5,000 people in cybersecurity over the next three years. The Cybersecurity Skills Initiative aims to address the shortage in skilled security personnel.

It’s worth asking whether the industry is open to candidates without formal degrees in cybersecurity or computer science. Brian said some companies may need to relax restrictive HR policies such as requiring formal degrees in security or computer science to attract the right people into security roles. Otherwise, they could be missing out on enthusiastic, experienced and skilled people.

 

 

The post Plan for potential incidents and breach scenarios, cybersecurity conference hears appeared first on BH Consulting.

By

BH Consulting marks EU Cyber Security Month with daily tips on staying secure

October is EU Cyber Security Month and to mark the occasion, BH Consulting will be sharing advice about digital security and privacy. Every working day during October, we’ll post useful information on our Twitter feed and on our LinkedIn page.

These short tips will draw attention to common security risks and threats that many of us face. We’ll be using various hashtags as appropriate, including #CyberSecMonth, #Cybersecuritymonth2018 #cyberaware, #cyberhygiene and #saferinternet4EU. (We also recommend you visit the official website for the EU-wide awareness campaign, at www.cybersecuritymonth.eu.)

Staying secure at work and in the home

The themes we plan to cover include staying secure in the workplace by preventing CEO fraud, ransomware, phishing and spam. As the month goes on, we’ll also give advice you can pass on to family members about protecting personal information and using digital technology securely.

Many of our posts will link to blogs we have written or to other open source security awareness material. At the end of each week, we’ll round up those tips into a post which we’ll publish here on our blog. This will be a ‘living’ post about EU Cyber Security Month that we’ll keep adding to as each week passes during October.

Please like and share widely to help us spread the word and improve security awareness for everyone. And a quick reminder: we also publish a monthly newsletter for information security professionals and people working in related roles. You can sign up for the newsletter

The post BH Consulting marks EU Cyber Security Month with daily tips on staying secure appeared first on BH Consulting.

By

Now hiring: sales and marketing assistant at BH Consulting

We are looking for a motivated individual to join our team and help us grow our business. The sales and marketing assistant will serve as a point of contact for customers with queries about our services, and will provide support to our team. The ideal candidate would be goal oriented and have a deep understanding of customer service best practices.

This is an excellent opportunity to develop a career in sales and/or marketing. This role also includes a guaranteed annual personal development plan and budget.

BH Consulting is one of Ireland’s leading cybersecurity consultancies. We are an award-winning independent consulting company providing specialist advice in information security, GDPR, cybersecurity, risk, cloud forensics, and training.

Purpose of the role

  • Assist in all the administrative aspects of sales and marketing operations
  • Provide quality customer service and deal with inbound queries and outbound sales
  • Assist in the design and execution of marketing campaigns and lead generation activities as directed by the sales and marketing manager

Responsibilities

  • Assisting the sales and marketing manager in all administrative aspects of the sales operations including answering incoming calls, responding to customer enquiries, qualifying leads, writing sales proposals and all follow-up correspondence
  • Developing marketing collateral, marketing campaigns and event management/conference setup
  • Managing the company’s CRM system
  • Providing administrative support and other ad hoc duties
  • Helping in sales and generation of new business opportunities
  • Helping in the production of weekly and monthly sales and marketing reports
  • Conducting market research on an ongoing basis

Core competencies

  • Excellent presentation, telephone manner and communication skills are essential
  • Customer service oriented
  • Highly proficient in Microsoft Office with expertise in Word, PowerPoint, Outlook and Excel
  • Excellent organisational and multitasking skills
  • Passion and drive – willingness to go that extra mile to achieve a target or objective
  • Flexible and adaptable
  • A team player with a high level of dedication

Education and experience requirements

A third-level qualification in business, sales, marketing or other relevant degrees would be an advantage. Applicants should ideally have one to two years of experience in sales, retail and/or office administration. Previous telephone sales experience would be an asset, and a demonstrable interest in sales and in cybersecurity would also be an advantage.

Please send CVs by email to [email protected].

 

The post Now hiring: sales and marketing assistant at BH Consulting appeared first on BH Consulting.

By

Upcoming cybersecurity events featuring BH Consulting

Here, we list upcoming events, conferences, webinars and training featuring members of the BH Consulting team presenting about cybersecurity, risk management, data protection, GDPR, and privacy. 

Tech Connect Live 2019: Dublin, 30 May

BH Consulting COO Valerie Lyons will be presenting at this event which takes place at the RDS in Dublin on Thursday 30 May. The conference is a business and technology event, with talks on a range of related subjects happening throughout the day. The event is free to attend, and more than 5,000 delegates are expected on the day. To find out more and to register for a free pass, visit here

Data Protection Officer certification course: Vilnius/Maastricht June/July

BH Consulting contributes to this specialised hands-on training course that provides the knowledge needed to carry out the role of a data protection officer under the GDPR. This course awards the ECPC DPO certification from Maastricht University. Places are still available at the courses scheduled for June and July, and a link to book a place is available here

IAM Annual Conference: Dublin, 28-30 August

Valerie Lyons is scheduled to speak at the 22nd annual Irish Academy of Management Conference, taking place at the National College of Ireland. The event will run across three days, and its theme considers how business and management scholarship can help to solve societal challenges. For more details and to register, visit the IAM conference page. 

The post Upcoming cybersecurity events featuring BH Consulting appeared first on BH Consulting.