Skip to main content

Time to get serious in 2015




Security professionals are faced with the on-going problem of stakeholders under-estimating the security flaws within their organisation. In most cases this is not the failing of the security team but depending on the market/vertical, teams are faced with budget constraints, redundancies, or most commonly, companies not taking responsibility that Security starts within. This means educating internal staff to take responsibility from the moment they walk into the office; I.e. The devices they bring, the doors that they open to 'guests',  the confidential conversations they have in open areas and the general ethos. Furthermore, there is the responsibility of your key suppliers and other third parties that you share information with. 

 You may have all the IT/Cyber security gadgets and resources you need but what are your suppliers doing with that data? Do they share the same vision for security and are they as vigilant as you? How do you measure that in an efficient way and act upon on it?

Then to the other extreme of external threats. It's not if you get attacked it's when...No matter the size of your company, no one can hide from the inevitable. Whether it's protecting your brand/reputation or the time that squeezes on your employee productivity; It's essential to get the right tools in place and resources to understand your vulnerabilities both an internal and external perspective from the top of the stack to the bottom. 

 Cyber Security Insurance

 Another point to think and debate on, is the stakeholders decision to attempt to defer the risk; the thought process that some of the external threats and losses are covered by Cyber Risk Insurance. Is that an excuse to relax their internal data governance practises? It only takes one of the below for premiums to rocket. It goes back to my point on educating your organisation, understand the threat. You can't mitigate everything but if you turn into a proactive organisation rather than a reactive organisation; you will be in a better position for the ongoing changes in the cyber world. IT/Cyber Security is not a small part of your business - in my opinion it should lie in the core of how your business operates.

Security teams and professionals alike can work with the budgets and tools that they are given. As horrible as it sounds, security breaches are rife and evermore imminent; these attacks are becoming closer to home than we would like. 

Some of the big security breaches we saw in 2014:

  • Russian Cyber criminal gang stole 1.2 billion usernames and passwords from 420,000 websites by exploiting SQL injection vulnerabilities in web applications
  • Intrusion into JP Morgan Chase’s network and the third-party website that manages its charity race
  • Cyberattack on Sony Pictures Entertainment’s infrastructure
  • Morrisons Suffers Staff Payroll Data Theft
  • Thames Valley Police officer dismissed for selling police information
  • Thousands hit in Tesco.com attack
  • MoonPig.com - Some 3.6 million customer data leaked
  • HeartBleed - undiscovered for more than two years. Attackers could exploit vulnerable versions of the open-source software known as OpenSSL – which runs on millions of web servers – to steal passwords, credit card details, encryption keys and other sensitive data, without leaving any trace.
  • Ebay - Hackers managed to seal personal records of 233 million users. The hack took usernames, passwords, phone numbers and physical addresses compromised.
More large scale attacks can be see here at Informationisbeautiful 
Labels:

Comments

Post a Comment

Popular posts from this blog

HCA International fined 200k for Data loss #ITSecurity #DataSecurity #unencrypted

HCA International Ltd, private health firm are the latest to be fined by the ICO.  They have been fined £200,000 for failing to keep data secure after it was found that conversations had by IVF patients were online. Audio recordings of interviews with patients were being sent to a company unencrypted in India for transcription. The Indian company was unable to maintain secure access due to an unsecure server. By failing to ensure its subcontractor had acted responsibly, HCA International failed to comply with the seventh data protection principle. More details on the monetary penalty notice click here Supplier Risk is a huge concern for most companies - You may have all the bells and whistles when it comes to security your infrastructure but your partners may not. Failing to ensure due diligence in the Supply chain costs - with HCA it was £200,000 - next year it would of been much more!! #EUGDPR
1 comment
Read more

Human Error, a common theme in the ICO data breach findings #UK #ICO

The ICO recently carried out a study of the recent security incidents that have been reported or notified to the ICO. It's no shock that data breaches are on the rise with two-thirds of sectors studied reporting an increase in the first quarter compared with the same time a year ago, according to new ICO figures. The data protection watchdog, ICO have shown findings for the period 1 January – 31 March 2016 and uncovered some worrying statistics. Below are the key data security issues for each sector:  Data security incidents by type: The main data security issues within the health sector were: Data being posted or faxed to an incorrect recipient – 22% of incidents. Loss or theft of paperwork – 20% of incidents. The main issues for local government were: Data being posted or faxed to an incorrect recipient – 23% of incidents. Failure to redact data – 16% of incidents. Loss of theft of paperwork – 14% of incidents. The main issues for education were: Los...
Post a Comment
Read more

Police need more money to fight cyber-crime, finds report

Money is urgently needed from the Government's £860 million National Cyber Security Programme to plug big holes in the police's ability to combat cyber-crime, which is now reaching crisis levels. That's the key finding from an authoritative new  survey   by PA Consulting which finds that only 30 percent of UK police analysts believe they have the skills and tools to effectively combat cyber-crime. “The UK has reached a ‘tipping point' on cyber-crime and tackling the challenges is now urgent,” the report reads. PA Consulting finds that one-third of the 185 analysts questioned from 48 law enforcement organisations have been unable to share information about the cyber-threat, and just five percent believe they have ‘considerable knowledge' of cyber-crime. The respondents predict that the time they will spend analysing cyber-crime will treble over the next three years – yet they already have limited scope to deal with the problem, spending only 10 percent of th...
Post a Comment
Read more