
Time to get serious in 2015

Security professionals face the ongoing problem of stakeholders underestimating the security flaws within their organisation. In most cases this is not a failing of the security team: depending on the market or vertical, teams face budget constraints, redundancies, or, most commonly, companies not accepting that security starts within. This means educating internal staff to take responsibility from the moment they walk into the office: the devices they bring, the doors they open to 'guests', the confidential conversations they have in open areas, and the general ethos. Furthermore, there is the responsibility of your key suppliers and other third parties with whom you share information.

You may have all the IT/cyber security gadgets and resources you need, but what are your suppliers doing with that data? Do they share your vision for security, and are they as vigilant as you? How do you measure that efficiently and act upon it?

Then there is the other extreme: external threats. It's not if you get attacked, it's when. No matter the size of your company, no one can hide from the inevitable. Whether it's protecting your brand and reputation or the time that attacks squeeze out of employee productivity, it's essential to have the right tools and resources in place to understand your vulnerabilities from both an internal and an external perspective, from the top of the stack to the bottom.

Cyber Security Insurance

Another point to think about and debate is the stakeholders' decision to attempt to defer the risk: the thought process that some external threats and losses are covered by Cyber Risk Insurance. Is that an excuse to relax internal data governance practices? It only takes one of the breaches below for premiums to rocket. It goes back to my point on educating your organisation: understand the threat. You can't mitigate everything, but if you become a proactive organisation rather than a reactive one, you will be in a better position for the ongoing changes in the cyber world. IT/cyber security is not a small part of your business; in my opinion it should lie at the core of how your business operates.

Security teams and professionals alike can work with the budgets and tools they are given. As horrible as it sounds, security breaches are rife and ever more imminent; these attacks are coming closer to home than we would like.

Some of the big security breaches we saw in 2014:

  • Russian Cyber criminal gang stole 1.2 billion usernames and passwords from 420,000 websites by exploiting SQL injection vulnerabilities in web applications
  • Intrusion into JP Morgan Chase’s network and the third-party website that manages its charity race
  • Cyberattack on Sony Pictures Entertainment’s infrastructure
  • Morrisons Suffers Staff Payroll Data Theft
  • Thames Valley Police officer dismissed for selling police information
  • Thousands hit in Tesco.com attack
  • MoonPig.com - Some 3.6 million customer data leaked
  • HeartBleed - undiscovered for more than two years. Attackers could exploit vulnerable versions of the open-source software known as OpenSSL – which runs on millions of web servers – to steal passwords, credit card details, encryption keys and other sensitive data, without leaving any trace.
  • eBay - Hackers managed to steal the personal records of 233 million users; usernames, passwords, phone numbers and physical addresses were compromised.

More large-scale attacks can be seen at Informationisbeautiful.
