A guide brought to you by Signacure Resilience
INFORMATION SECURITY
The Data Protection Law is changing. Are you prepared?
A report by the Department for Business, Innovation and Skills has found that the financial cost of security breaches doubled in the last year, largely because of the response activities a breach makes necessary. For a large organisation this figure is now between £600k and £1.15m, and for a small business between £65k and £115k.
The average cost per record lost in a UK breach has risen from £86 to £95, and the number of records breached per incident in the last 12 months has ranged from 5,000 to 70,000. 1
This guide, produced by Signacure Resilience, highlights some of the potential risks facing your business and what you can do about them now.
The EU Data Protection Directive, adopted in 1995, is expected to be replaced in 2015 by the new EU Data Protection Regulation. The new Regulation will require data controllers (the businesses that own the data) and data processors (such as cloud and offsite data hosting companies) to share liability for data breaches. However, recent reports show that the vast majority of these service providers are not yet ready to meet the new requirements.
Technological investment over the last 10 years has brought organisations many benefits, but much of what was put in place was not designed to be secure in a networked environment. As a consequence data breaches are on the rise, as are the costs to businesses of an attack.
The European Parliament has agreed that national data protection authorities such as the ICO need to be able to impose effective sanctions where the law has been breached. The proposal would allow fines of up to 5% of a company's annual worldwide turnover.
FOR EXAMPLE:
£95 x 5,000 records = £475,000
(and that is just the minimum)
Every record you lose will cost roughly £95. Think about how many records you hold and what this could mean to your business.
1 2014 Cost of Data Breach Study - Ponemon Institute
Breaches cost more than you think
Did you know? The real cost of a data breach, and what this means to your business:
- Lost record cost
- EU fine of 5% of annual turnover
- ICO fine of up to £500,000
- Downtime and manpower
- Legal action from customers and suppliers
Don't feel overwhelmed. We're only a phone call away and can help you reduce your risks.
Your business is at risk
High-speed internet, smartphones, Wi-Fi, social networks and flash storage: the business landscape has changed significantly in the last 10 years, and evolving technology continues to alter the way we work and do business.
Unfortunately, criminals are constantly finding new and subtle ways to target businesses that have little or no defence, and their attacks often go undetected.
It is important not only to ensure you are adequately protected but also to plan how you will respond to a breach, to limit the potential damage to your business.
[Figure: percentage of large organisations and of small businesses in the UK that had a security breach in the last year alone. 2]
[Figure: percentage of compromise victims that did not detect the breach themselves. It takes on average 13 days longer to contain a breach when it is detected by a third party. 3]
2 2014 Information Security Breaches Survey - Department for Business Innovation & Skills
3 2014 Cost of Data Breach Study - Ponemon Institute
Did you know? Board members have an obligation towards information security. Section C.2 of the UK Corporate Governance Code (formerly the Combined Code) requires boards to "maintain sound risk management and internal control systems". This covers digital storage of information as well as the other risks facing the business.
[Chart: time to contain a breach, 14 days when detected by a third party against 1 day when self-detected. 3]
CONTACT US TODAY ON: 0845 052 3945
More than just finances
Don't think of theft simply as payment card details.
At a glance:
- The new EU law will allow fines of up to 5% of your annual turnover.
- [Figure: percentage of businesses whose customers asked about their information security credentials in the last year. 6]
8 Internet Security Threat Report 2014 - Symantec Corporation
9 2014 Information Security Breaches Survey - Department for Business Innovation & Skills
For peace of mind call us on: 0845 052 3945
The financial implications of a cyber attack can be crippling for even the largest organisations, but the consequences can affect the whole business. The data at risk includes:
- Intellectual property
- Staff, customer and supplier details, such as logins and passwords
- Products and services purchased
- Critical or sensitive legal plans, such as takeover or court papers. 4
Brand credibility
Findings show that fewer customers remain loyal following a data breach; abnormal churn attributable to a breach rose by 8% in 2014. 7 The risk is greater in service sectors, and companies find it harder to win back customers following an incident that damages their reputation. Likewise, suppliers will avoid businesses that have been attacked, for fear of being compromised indirectly through them.
Downtime
The length of time business operations are disrupted continues to increase each year. The latest findings put this at 7-10 days for small businesses and 5-8 days for large companies. 3 The time spent fixing breaches has also risen, doubling since 2013: for a small business it is now 12-24 man-days, and for larger companies 45-85 man-days. 5
Laws & regulations
Just under half of businesses do not understand their legal obligations for securing data, and 1 in 5 have reported losses due to compensation payments and regulatory fines. 4 The Information Commissioner's Office can enforce fines of up to £500,000 for serious breaches of the Data Protection Act and the Privacy and Electronic Communications Regulations.
55% of lost commercial data is lost through theft or vandalism.
Sony PlayStation suffered one of the worst breaches of 2011, and in August 2014 it was targeted again. Its systems suffered a large-scale DDoS attack whose main objective was disruption. DDoS attacks bring websites and e-commerce operations to a halt: the modern digital version of graffiti on a wall, but with far more serious consequences.
Where's the threat?
Many companies are under the illusion that they are protected against data breaches simply by firewalling their network and running anti-malware software, but the continuing rise in successful breaches shows that this is not the case. So where are the real threats?
Hackers
Hacking continues to be the leading cause of breaches, accounting for 35% of breaches in 2013. 8 Once inside a network, attackers typically monitor the compromised computers to find further weak points they can exploit. Such weak points often stem from missing or badly applied patches or from poor server maintenance, and can go undetected for a long time.
Cloud storage
2014 saw a 7% increase in businesses using cloud storage and hosting of business-critical applications; there is also a year-on-year increase in breaches relating to cloud computing services. 9 Although the cloud is an extremely cost-effective solution, it is important to recognise that security failures already present in an IT environment are exacerbated, not removed, by moving to the cloud. The focus should be on preventing breaches, and on making sure that you can still gain access to your systems and data in order to investigate following an incident.
Viruses & software
Last year the number of phishing campaigns rose 91% from 2012, and there has been a noticeable increase in compromises through viruses and other malicious software. Last year 45% of small and 73% of large businesses reported an infection. 8 Phishing is the attempt to acquire sensitive information such as usernames and passwords by masquerading as a trustworthy entity, usually by email.
Flexible working
In June 2014 the law on flexible working changed, giving all employees the legal right to request flexible working, including working from home. Theft or loss of a device accounted for 27% of data breaches in 2013. 8 However, many companies have not considered the additional threats outside the usual working environment, such as open wireless networks.
Signacure can help you identify the threats facing your business.
7 Internet Security Threat Report 2014 - Symantec Corporation
9 2014 Information Security Breaches Survey - Department for Business Innovation & Skills
Staff behaviour
Although more companies are adopting security policies, reports indicate that only 1 in 4 businesses believe their staff have a good understanding of them. 7 Human error, whether deliberate or accidental, continues to be a problem, and insiders with admin rights are frequently responsible for more breaches than external hackers.
Mobile devices
The popularity of bring your own device (BYOD) continues to blur the line between personal and business life and introduces additional risks to businesses, such as unsecured wireless networks, inaccurate inventory records and employees accessing sensitive customer data on mobile devices. The risk associated with mobile devices continues to increase: only 38% of businesses encrypt data held on mobile phones, and only 42% train staff on the threats associated with them. 9
Being resilient to these risks involves much more than putting an IT "what if" strategy in place. It takes an investment of time and thought, but your efforts will be rewarded with fewer successful attacks, more efficient processes and reduced data loss.
51% of businesses now accept that some attacks will inevitably succeed and have changed their objective to "cyber resilience": the ability to minimise the number of successful attacks and to recover quickly when breaches are suffered. 8
8 2014 Information Security Breaches Survey - Department for Business Innovation & Skills
What you can do next
"Cyber security" is becoming an outdated phrase.
Create strategic alignment
Sensitive information is held throughout the whole business, some of it critical to the achievement of organisational objectives. When embarking on an information security programme there needs to be clear alignment with the business's strategic objectives. A company-wide approach involving all departments will see benefits across the business. For example, sales and marketing will have more opportunities to win business through tendering by demonstrating security credentials. It is not just IT and directors who are responsible for defending against security breaches, nor are they the only individuals affected by them.
Identify risks
If your organisation has a thorough understanding of its most valuable assets, it can take steps to protect them. This can be achieved by undertaking a comprehensive, enterprise-wide information assets audit, after which the assets can be prioritised. Vulnerability scanning against the servers and applications that house those data assets should then be carried out.
Manage risks
Your policies will be weaker if employees are not on board, and new measures and controls will be redundant if your team do not understand the consequences. Threats and controls should be regularly reviewed for effectiveness in order to minimise risk. A lack of regular training and awareness can result in staff clicking malicious links and opening seemingly harmless emails, with their actions resulting in costly fines and the exposure of sensitive data.
What you can do next
Did you know? Most attacks are financially motivated and come in the form of a phishing attempt: an email that appears genuine but which, on opening, downloads a file that begins digging into the system. In more extreme cases, fake user profiles have been set up and used to process orders through the organisation's existing operational procedures, with the stolen funds deposited into criminals' accounts. These damaging intrusions can be avoided, but only by taking the appropriate action now.
[Figure: percentage of all contingency plans that do not work as expected. 9]
Plan your response
Businesses that engage in breach response planning are more likely to respond in a measured fashion; however, many struggle to find the time, and the right people for the task, within the organisation. Working with specialist professionals will limit the damage and greatly increase your chances of survival in the event of a security breach.
Test your programme
Desktop simulations test response plans under real-time pressure. Particularly sensitive assets may warrant penetration testing, which probes them for exploitable weaknesses in a controlled environment before an attacker does. However, to ensure you are fully prepared, you must regularly review and update your full security programme to incorporate new and emerging risks.
Did you know? From 1 October 2014 the Government requires all suppliers bidding for certain contracts involving the handling of sensitive and personal information to be certified against the Cyber Essentials Scheme.
Where should I start?
Beginning a journey to cyber resilience can seem like a daunting task. Many businesses are in a 'cyber-trance', hypnotised by the volume of information about invisible threats and immeasurable risks. They are unsure what to do and overloaded with material about the latest tools and techniques.
Cyber resilience should incorporate not only technology but also processes and training, and be adaptable enough to keep up with constantly changing threats. There are a number of steps you can take to address your own information security issues.
Register for the Free Cyber Early Warning Service
A free service that provides relevant digital security warnings, advisories and good practice from a number of global experts, filtered and processed to add local information and value.
The truth is that for the majority it is not a case of if, but when, you are breached. Businesses that survive not only manage the risks but also plan how to respond to a breach.
Consider ISO 27001
Certain organisations may wish to consider the information security standard ISO 27001:2013. This standard helps an organisation establish, implement, maintain and continually improve an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks, tailored to the organisation's needs.
Certify your business for the Cyber Essentials Scheme
A government-backed, industry-supported scheme that helps organisations protect themselves against common cyber attacks and provides a framework for achieving a basic level of security. The scheme enables organisations to gain one of two Cyber Essentials badges (Cyber Essentials or Cyber Essentials Plus) and is backed by a number of insurance companies offering incentives to certified businesses.
CONTACT US TODAY ON: 0845 052 3945 OR FOR MORE INFORMATION PLEASE VIEW: www.signacure.co.uk
Our services
Signacure Resilience uses a range of tools and techniques to build bespoke plans for businesses that address the issues posing security threats. Whether your set-up is partially outsourced or incorporates cloud storage, we can use a combination of our professional services to ensure your strategy is robust and focused on your needs.
Our consultants are CISSP-accredited and experienced in implementing information security risk programmes. Our programmes are commercially focused, with clear objectives that tie in with your specific goals, and our recommendations are underpinned by research and findings from leading academics in the ever-changing field of cyber security.
Our services include:
- Information Systems Strategy Formation
- Information Systems Audit
- Data Breach Response Plan
- Executive Media Training
- Information Security Staff Training
- Desktop Simulations
- Digital Forensic Investigations
Service areas: Strategy, Standards, Legal Protection