Cyber Threat Intelligence − How to Get Ahead of Cybercrime
Cyber Security small
What are the next steps towards cyber security?
Read an extract from the UK Cyber Security Strategy 2011-2016 Annual Report
AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET
APRIL FUTUREOFTECH.CO.UK
READ What is the biggest cause of a cyber breach? P4
INSIDE How to empower a common risk conversation P6
ONLINE Why modern vehicles could become a target for cyber attack
Cyber security
FUTUREOFTECH.CO.UK
Don’t let cyberthieves in by the back door

Cyber attacks, including cyber crime, are on the increase and affect every area of life. Nowhere does this apply more than the Ministry of Defence, where my focus is on the defence supply chain and the Defence Cyber Protection Partnership (DCPP), a joint initiative between the MoD and the business community

Dan Selman
Cyber Industry Deputy Head, Ministry of Defence

The greatest need is for training and awareness for all staff. A common route into a system is via a member of staff clicking on a phishing email. Attacks can be very sophisticated, for example, looking as if it’s a note from the boss. It is only via training that members of staff will understand how important these issues are and their role in helping prevent them.

Here at the MoD, the DCPP advocates a three stage approach, starting with a risk assessment that is carried out on every contract. In some cases there will be no risk; in others we measure risk in four levels rising from low to very high. We give the supplier an assurance questionnaire primarily based on self-assessment and the controls we apply are appropriate and proportionate. This is not a case where one size fits all.

One growing threat at the moment is the use of ransomware, when an e-criminal attacks and encrypts your information and only after you have paid up will they give you the key to unlock it. This has happened to a number of hospitals in the US, including one in LA which was attacked, had not backed up its files and had to pay a $17,000 ransom to get their information back.

All companies are potential targets for these and other attacks, while the adversaries come from a number of backgrounds; as well as e-criminals, attacks can come from bored teenagers seeing what they can get away with, hacktivists who might have political agendas they wish to further, cyber terrorists or foreign intelligence services.

Challenges arise because each group has a different approach. Hackers might be trying at random to see what targets they are able to breach, without any specific organisation in mind, much as a car thief might stroll around a car park, trying car doors until they find one that is unlocked. If a company has basic cyber security protection in place – most easily achieved through the government’s Cyber Essentials Scheme – they will likely be thwarted and go off and try and find easier targets. Other attackers may be more targeted and persistent.

Suppliers need to be mindful of the scale of the risks they face. Last year 90 per cent of large organisations surveyed reported that they had suffered a security breach and the costs can be significant, rising into seven figures. They can also be attacked more strategically than before: there is a growing awareness that companies don’t operate in isolation and that they can be vulnerable to attack via their supply chain. This happened to the Target supermarket chain in the US, when they were attacked via their heating, ventilation and air conditioning company. This turned into a significant breach which compromised the details of 61 million customers. All of which means it has never been more important to have the appropriate controls in place and a workforce who are trained and aware.

IN THIS ISSUE

Playing catchup
Piers Wilson outlines how the cyber security industry is addressing the skills shortage to get ahead of threats
P4

“Not if, but when”
Jon Buttriss on how to protect ourselves from the evolving professionalism of the cyber security industry
P5

Catch him if you can
Frank Abagnale Jr explains how cybercrime and fraud is a threat to banking and financial services

READ MORE ON FUTUREOFTECH.CO.UK

Please Recycle
Follow us: facebook.com/MediaplanetUK @MediaplanetUK
Project Manager: Henry Worth E-mail: henry.worth@mediaplanet.com
Content and Production Manager: Henrietta Hunter
Business Developer: Rebecca Nicholson
Designer: Juraj Príkopa
Managing Director: Carl Soderblom E-mail: carl.soderblom@mediaplanet.com
Mediaplanet contact information: Phone: +44 (0) 203 642 0737 E-mail: info.uk@mediaplanet.com
COMMERCIAL FEATURE

When trusted insiders are your biggest security threat

The modern professional life requires organisations to review not only the threat of malicious outsiders, but of negligent insiders too

By Steve Durbin

Most high-profile attacks on corporate data centers and institutional networks have originated outside of the victimised organisations. But the network openings that allow outside cyber-attackers to burrow in, infect databases and potentially take down an organisation’s file servers, overwhelmingly originate with trusted insiders.

According to a worldwide survey of Information Security Forum (ISF) members, the vast majority of those network openings were created innocently through accidental or inadvertent behaviour by insiders without any intention of harming their employer. In a number of cases, that vulnerability was, ironically, the result of a trusted employee doing a seemingly run-of-the-mill task like taking files home to work on in their own spare time.

There are three types of risky insider behaviour.
Malicious: Malicious insider behaviour combines a motive to harm with a decision to act inappropriately.
Negligent: Negligent behaviour can occur when people look for ways to avoid policies they feel impede their work.
Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones.

Combatting the wholesale theft of data by limiting the types of inadvertent actions which could lead to its misappropriation should be a priority for every organisation. Investment in technologies that can help to prevent intrusions and protect data from attackers is essential. Management controls including segregation of duties, periodic reassessment of privileges, and audits, are also important.

But the most fundamental element of threat is deeply human. It starts with the proper vetting of employees to look for signs that the individual has not, in the past, been a responsible steward of information entrusted to them. Applicants whose pasts have included questions over managing information should not be brought onboard.

The trust factor
Cultivating a culture of trust is likely to be the single most valuable management step in safeguarding an organisation’s information assets. After new employees have been satisfactorily screened, continue the trust-building process through onboarding by equipping them with the knowledge and skills required of trusted insiders. Expectations of trustworthy behaviour should be made explicit from the outset.

Above all, a culture of trust built on shared values, ethical behaviour and truth begins at the top. The conduct of senior management sets a tone which reverberates from the C-suite to the shop floor. Having a culture of trust affects more than just information security; it is also fundamental to the organisation’s prospects for future success.

Steve Durbin
Managing Director, Information Security Forum

COMMERCIAL FEATURE

Data driven security: Machine data is the first line of defence

One of the major business trends from the past decade is the growing digitalisation of customer interactions. With all industries looking at ways to take a more digital and integrated approach to how they work, there is a significant opportunity to improve customer services. At the same time, digitalisation presents a challenge as it opens up an organisation to a more diverse and threatening set of risks

By Virginia Blackburn

Matthias Maier is a security specialist at Splunk, a platform for Operational Intelligence that helps customers to monitor, analyse and visualise machine-generated big data. “Fundamentally, everything that is digital can be exposed by cyber criminals, cyber terrorists or malicious insiders. If we look at an emerging example, the majority of the healthcare industry was not connected to the network 10 years ago, but now you can turn devices on and off remotely. Being able to do this has advantages, but it also represents a real opportunity for those with malicious intent to steal data or cause damage.”

In an environment of advanced threats, changing business demands and extensive technology infrastructure, a traditional perimeter-focused approach to IT security is no longer effective. Maier believes that a totally new approach to cybersecurity is required. “Organisations need to adopt a data driven approach to cyber security if they are to stay ahead of external attacks, malicious insiders and potential fraud.”

The evidence of an attack exists in machine data within an organisation, so security teams need to gain insight from that data to properly detect, analyse and respond. Attackers will attempt to use all possible mechanisms to compromise an organisation, which may involve use of identity, endpoints, servers, business apps, web and email servers, as well as non-traditional systems such as HVAC access control. The evidence of these activities is captured in the machine data from these systems, which makes all data security relevant.

“By continuously monitoring this data across your entire infrastructure you can detect malicious activity as early as possible,” says Maier. “This could involve spotting anomalies, recognising unusual activity or identifying indicators of compromised systems. As soon as you identify an issue you can determine the scope and impact of a threat before understanding who is affected, what to do about it and how to ensure it doesn’t happen again. If you aren’t able to see what’s happening within your security and IT environment, you can’t protect yourself.”

Organisations like UniCredit and John Lewis have adopted Splunk to get answers out of machine and digital services generated data. “For these organisations it’s critical that in a dynamic digital landscape they can apply big data technology to quickly get answers to their questions in near real time,” says Maier. “This means they can react as soon as they detect anything that might give them – or their customers – cause for concern.” With the threat landscape continuing to evolve, it’s clear that machine data will take its place as the first line of defence for organisations in all industries.

Matthias Maier
Security specialist, Splunk
COLUMN

The urgent need to combat the skills shortage

One of the biggest issues facing the cyber security industry today is the skills shortage. Although the need to be cyber-safe has never been greater, there is still a lack of people with the necessary expertise, something the industry recognises and is keen to tackle

By Virginia Blackburn

“There will always be an asymmetry between the attackers’ capability and the defenders’, as in order to protect a system you need to cover all the vulnerabilities, all of the time,” says Piers Wilson, director of IISP, the professional body for security professionals. “But budgets are finite; whereas to mount a successful attack you only have to find one exposed weakness and you can be as patient and spend as much effort as you feel is worthwhile.”

Education is key both with academia and universities as well as within industry itself. This means keeping board members up to scratch as well as providing constant retraining for IT staff – because technology and potential threats are changing all the time.

There are various options open for cyber training. “They range from formal courses comprising quick overviews to specific courses, to product and technology courses to full-time MSc programmes,” says Wilson. “It’s also an industry that generates a huge amount of research and white paper material – so training aside there is no shortage of materials available for self-learning too. Which of those fits a particular organisational or individual need is a matter for debate. At the IISP we have been active in setting standards and running a training course accreditation and assessment programme. This way people can select courses that we can vouch for and also find out which topic areas will be covered.”

The steady march of technology means that in IT everyone is always learning - 10 years ago the technologies and hence the attack vectors were different but now there are superior platforms, security controls and working knowledge of facilities. “Some areas can afford to take a more considered path: developers, for example might only migrate from one language to the next one once they feel they have understood it,” says Wilson. “On the other hand if a new security threat arises tomorrow, the cyber security industry is immediately playing catch-up to understand it and be able to detect and respond.”

The challenges are not set to go away. “There are some developments around machine learning and anomaly detection where smart technologies can identify and diagnose threats and the logical next step for this is to see what systems can do to automate responses in a confident and safe way,” says Wilson. “They are making security more efficient by removing the noise, distilling down the data to make decisions and enabling swift action that is consistent, repeatable and allows the business to react more quickly. This frees up time for other activities that improve security, like hunting for threats that are not yet apparent, improving the overall security posture and training and development.”
Piers Wilson
Director, IISP

“To mount a successful cyber attack you only have to find one weakness”

NEWS

Beware of the human factor

In this age of short term contracts allied to new working practices including the cloud, mobile and flexible working hours, one of the biggest issues in the cyber security sector is managing employee identity. “When an individual joins an organisation, it usually marks a fusion of IT and human resources,” says Waqas Hashemi, CEO of Whitehall Media, which runs a suite of conferences around security and risk management as well as identity and access management. “Emerging trends in the workplace are proving disruptive and are causing problems with integrating access to the new technology.”

The biggest problem of all when it comes to managing employee identity is not malicious intent but negligence and the human factor, according to Rehman. “Password management is also difficult,” she adds. “People still don’t use ones with sufficient complexity.”

Waqas Hashemi
CEO, Whitehall Media
The evolving professionalism of the cyber security industry

There is an ever-growing awareness of cyber security threats, with almost daily coverage in the media. Even large organisations, with top talent and significant resources devoted to cyber-security, have suffered major breaches. The truism “it’s not if, but when” rings in the ears of business leaders and reinforces the need for skilled security professionals to mitigate against the threat. The truth is every organisation is vulnerable, and 100 per cent defence is not possible

By Jon Buttriss

Having identified cyber security as a national priority, in 2015 the UK Government announced an increase in cyber security spending to £1.9bn by 2020 – the only area of the budget to increase. This is reflected in business, with average salaries for security professionals increasing 16 per cent year on year.

The reason for the increased investment is simple; the cost of an attack far outstrips the ongoing cost of security. The ICO has handed out fines as high as £980,000 – which is still less damaging than the customer loss and reputational damage as a result of a breach.

But despite increasing budget to counter the cyber threat, businesses are still struggling to recruit the skills they need to keep up. Unemployment in the security industry has been reported at 0 per cent, with a 10 per cent increase in demand forecast each year to 2020. So how can we deliver the skills needed to address the current shortfall and also meet the growing demand?

This is a question being asked by government, organisations and professionals. It is the reason for the intensifying chatter surrounding professionalisation of the cyber security industry.

Professionalisation addresses this burning issue by establishing a standard that enhances the quality of the workforce. By understanding, aligning and cultivating the most needed skills, the profession can raise the bar in the areas that will have the most value. This also establishes standardised roles and skills clusters. Businesses have a shared vocabulary to describe the skills they need that are recognised by potential applicants. New entrants are clearer on the skills they need and mindful of the need to continually self-develop. Structure, clarity and recognition make security a more attractive career path, which in turn encourages new entrants and grows the talent pool. This is perhaps the most critical of all – considering the evident need to step-change the number of workers in the field.

It is not always easy for professionals and potential entrants to navigate the skills and competencies required at each stage of their careers. Employers are not always clear themselves on this so the demand cited in job advertisements is not necessarily an accurate reflection of what is needed. This is where recognised skills frameworks developed by professional bodies come in. And from this standardisation and definition comes the ability to cultivate the skills on a greater scale.

For professionals wanting to demonstrate their capabilities against these frameworks, certification offers verification of their proficiency, clear stepping stones for development and improved employment and earning prospects. For employers, certification helps to assure the calibre of the professionals they are recruiting, provided this is backed up by demonstrable experience. It signifies that potential employees have been independently assessed, aiding employers in recruiting relevant skills into their organisations.

As well as being a mark of technical capability, certification also comes packaged with membership to a professional body such as BCS, The Chartered Institute for IT. These memberships demonstrate a commitment to self-development and require adherence to codes of professional conduct.

The combination of skills alignment, certification and continuous development comes together, in the form of professionalisation, to promote standards and quality amongst cyber security professionals. There is little doubt that businesses need quality security professionals, and in greater numbers. Cyber security is not a challenge that we will solve overnight, or with any one solution. Neither does it have an end date; we will have to continually assess the threat and work together to evolve best practice to stay ahead.

“The cost of an attack far outstrips the ongoing cost of security”

Jon Buttriss
CEO, BCS Learning and Development

FACTS
ABOUT BCS, THE CHARTERED INSTITUTE FOR IT
IT has been gaining momentum within global business for decades and we’ve been there from the beginning, nurturing talent and shaping the profession. Today professionals & organisations work with us to exploit our unique insight and independent experience as we continue to set the standards of performance and professionalism in the industry.
NEWS

Fighting cyber threats is essential for SMEs to win the war with cyber breaches

Cyber crime is on the rise but there are many ways to fight it. From addressing the problems at board level to making sure staff are properly trained, SMEs cannot guarantee they won’t be attacked, but they can make extensive preparations in advance

By Virginia Blackburn

As the world becomes increasingly interconnected, cyber crime is a problem as never before. It is now a case of not if but when most companies get attacked and this is especially the case in this country, with the UK as the most cyber-attacked country in Europe and the second most assailed in the world, with attacks up 40 per cent, according to Symantec. They are at least aware of the problem, with research by Equinix showing that seven out of 10 companies in the UK do not feel prepared for cyber-attacks. So what to do?

Talal Rajab is Programme Manager – Cyber, National Security and Criminal Justice at techUK. “Regardless of how much money is spent on products and services, attacks and threats are inevitable,” he says. “These days tools to launch such an attack can be bought very cheaply on the dark web, as in the TalkTalk crisis, where it is widely believed the perpetrators were not much more than children. But at least these attacks are increasing public awareness of the problem, as did the assaults on Sony and Ashley Madison. However, although we can trace the region these come from, it is difficult to track down the actors.”

One problem is that SMEs are often targeted because they are less likely to have basic security measures in place and a further issue is that many who do not offer online payments believe they are safe. They are not. “Any company that has data on its system is threatened,” says Talal. “The first step in dealing with this is to make sure that cyber security is on the boardroom agenda. Many breaches stem from the fact that staff are not aware of best practice which means that training and awareness are crucial. Many are not even aware of the most basic password security and the constant importance of updating systems and ensuring companies are not left with legacy software.” Checks that should be standard across every company include strong passwords, the regular updating of software and regular back-ups, whether the company is a multi-national conglomerate or a one-man band.

Many companies are at least waking up to the fact that this is no longer just an IT problem. “Traditionally it was the case that responsibility for security lay solely with IT,” says Talal. “And until recently, the IT person was essentially the chief security officer but now increasing numbers are appointing dedicated CSOs. They are also sending far more people on security courses.”

And so once an attack begins, how should a company respond? It is essential to plan ahead, and have the right staff and skills in place. “Be cyber streetwise,” says Talal. “Don’t continue using the system. Notify the authorities. Get any forensic evidence you can such as screen shots. Use back-ups.”

Given that an attack is almost inevitable, Talal stresses that it is as important for a company to be able to respond to a breach as it is to erect defences against it. “There is not just one way to respond across the board,” he says. “For example, TalkTalk notified customers as to what was going on but that didn’t actually help as other opportunistic hackers saw this as an opportunity to make phishing attempts. The way to react depends on what type of organisation you are. You should always notify the authorities, which many companies still don’t do and it’s safer not to always use the same email template.”

This is not a problem that is going to go away any time soon and so the cyber security industry continues to work overtime to find, if not a solution, then at least the heavy weaponry required to fight back. “One new trend is the increased use of data security analytics,” says Talal. “Companies are analysing information that comes in on a daily basis to foresee where the threat will come from next. And there will be further threats. As increasing numbers of devices are interconnected and smart cities continue to expand across the world, ever increasing numbers of hackers will come after everyone. This goes down to individuals not companies: make sure in all your wearable devices that security is built in by design.”

“The UK is the most cyber-attacked country in Europe and the second most assailed in the world”

Talal Rajab
Programme Manager – Cyber, National Security and Criminal Justice, techUK

INFOGRAPHIC
According to the 2014-2015 Cyber Governance Health Check of FTSE 350 companies:
88 % of companies now actively consider cyber security as a business risk
have a basic or clear understanding of where their critical information and data sets are shared with third parties
The Winter 2015 FT-ICSA Boardroom Bellwether Survey found that regard the threat of cyber-attack to be increasing
The UK’s domestic cyber security sector contributes over £17 billion to the economy
The National Cyber Crime Unit (NCCU) is leading domestic and international operations to disrupt serious cyber crime
The Metropolitan Police set up a Fraud and Crime Online (FALCON) team in 2014, which brings together their specialist cyber crime investigators to pursue and disrupt cyber criminals.
The work of the FALCON team has resulted in 985 arrests, 431 people charged, 241 convicted and £3.1 million confiscated.
Tackling online fraud is a top priority
During 2012, HMRC took down almost 1000 fraudulent websites
During 2015, that figure rose to more than 11,000
HMRC established a cyber security team in 2012. During 2014-2015, the team assisted in the prevention of frauds totalling more than
59 %
82 %
170
£103 million
1011
COMMERCIAL FEATURE

New EU regulation highlights the risks of cybercrime

The rise of cybercrime is now one of the biggest issues affecting many businesses and the EU regulators have now taken actions to try to get the business community to act to protect itself

By Virginia Blackburn

Under the forthcoming EU General Data Protection Regulation (GDPR), which comes into force in 2018, unless the data breach is unlikely to result in a high privacy risk for an individual, or if the data was appropriately encrypted, all organisations will have to inform their customers when a serious data breach occurs, and recommend ways in which any adverse effects could be mitigated, and if they fail to do so could be fined up to four per cent of their global turnover. So what are the issues facing the industry and how can businesses work to overcome them?

The first step is to understand who the potential hackers are. “They are quite wide ranging,” says John Cannon, commercial director – Fraud and ID of Callcredit Information Group. “From organised criminal gangs who are motivated by fraud, to terrorist groups and corporate and rogue state sponsored espionage with malicious intent. But the threat isn’t just from organised groups: hackers have all kinds of motives and could just be an individual flexing his/her intellectual muscles showing off to peers simply because they can.”

There are now a number of security risks facing businesses today. “Many more of us are interacting digitally and data is increasingly important, meaning where and how it’s stored,” says Cannon. “Businesses that are migrating from their traditional model into digital channels are potentially not as well geared up to the threat.” They are having to accept the idea, he says, that there are threats posed both externally and internally, such as from rogue employees.

As a result of all of this, however, companies are becoming increasingly aware of the potential dangers and many are taking action to try to alleviate the risks. “This is becoming increasingly high on the agenda at board level,” says Cannon. “Recent data breaches have clearly shown the financial and reputational impact to businesses and those not giving it focus risk being caught out by the introduction of the new GDPR.”

These are issues individuals must be aware of, too. There is a misconception that if hackers don’t manage to get hold of PINs and full card details then there is nothing to worry about. That is not the case. “We are seeing the rise of ‘social engineering’ techniques,” says Cannon. “This means that even if hackers exposed a low level of information, it could be used to gather the data they really want. These days, most of us are clued up enough to know that if we get a phone call out of the blue asking for our bank details, then we shouldn’t hand them over. But if you were contacted by an organisation you hold an account with and they quoted that account number, you may be more likely to be tricked into handing over more sensitive information...”

The new EU regulations are forcing companies to take cyber risk and data breaches a lot more seriously and to implement measures to guard against attack. “The first step is to make sure someone in the company is empowered to implement the relevant processes,” says Cannon. “Then start thinking about a plan. Come up with the worst case scenarios, think about what data you hold and what is important to the business. Play through the various scenarios and see what you can do to increase your protection and what to do afterwards. Think about what you need to implement to recover from an attack and make sure employees are trained to understand what a breach looks like.”

If a company is attacked, there are two steps it must take. “First, establish and understand as much as you can about what’s happening,” says Cannon. “IT security must understand exactly what’s going on. Then execute the plan you have put in place. If you can establish where the attack is coming from you may, say, be able to make changes to your firewall. Or in extreme cases you may need to consider taking your system offline. Secondly, communication is key as everyone should be aware of what is happening both internally and externally.”

Of course, after a data breach it is crucial for businesses to reassure their customers that the problem has been dealt with: damage to their corporate or brand reputation could prove a disaster in the longer run. “You should consider what has happened and give your customers the absolute confidence that you have done everything to mitigate the breach happening again in the future,” says Cannon. “Customers will understandably worry about their personal details being exposed and through education are becoming increasingly aware of the value of their personal data. Media stories highlighting anonymous forums used by fraudsters on the dark web are adding to their concern so you should proactively consider having a data breach response. For example, Noddle Protect enables businesses to put in place a fast and effective remediation plan to safeguard consumers who may have had their personal data compromised following a data breach. The service can be available to consumers within 48 hours of a breach occurring and consumers who sign up to the service can use it to help identify and respond to fraudulent activity, checking whether their credit profile is being damaged by criminals. Noddle Protect allows consumers to review their credit report for free and helps them to look out for people applying for credit in their name or using their details fraudulently, giving them peace of mind and ensuring they continue to trust in your brand.”

The increase in data breaches in recent years coincides with the increase in consumers making use of digital channels due to the convenience they offer. The value of your personal data to fraudsters is increasing as it is their way to gain access to your digital accounts. Your data is their means to an end. “I often compare it to car security,” says Cannon. “In the past, if someone wanted to steal a car they would break into the car and hot-wire it to drive away. As a result, car manufacturers have increased their security meaning it is now much harder. The approach of a car thief has shifted to stealing the car keys by breaking into your house. It’s similar in the digital world, as organisations increase security around services they offer through digital channels, fraudsters see your data as the key to unlocking your digital accounts using techniques such as identity fraud and account takeover being able to bypass security.” In other words, while the benefits of life online are enormous, so are the risks and companies and individuals alike must take measures to protect themselves against the threat of cyber-crime.

John Cannon
Commercial director – Fraud and ID, Callcredit Information Group
Turning a cyber half glass empty into a half glass full – A Call to Action
Integral to ‘making the UK a secure place to do business’ has been the call for industry to openly collaborate with each other in order to overcome the Cyber Threat. However, many organisations still seem to need to be convinced, despite losses being reported on an almost daily basis. A recent survey revealed that 68% of CEOs are reluctant to share security incidents externally, for fear that publicly admitting a breach could do irreparable damage to the brand, reputation and share price of their business.
Templar Executives’ CEO, Andrew Fitzmaurice, believes however that the current Cyber Security market is perpetuating a climate of ‘Project Cyber Fear’ which generates two behaviours with the same outcome: a belief that stories are just scaremongering to promote sales and secondly, fear to discuss issues at all.
“Business leaders are becoming apathetic to these scare stories and are asking us what we can do about it”, Fitzmaurice says. “We are changing the narrative from a glass half empty to a glass half full by promoting ‘Project Cyber Business’. Cyber Security needs to be owned by the business, and addressed holistically within the organisation”.
As a leadership issue, the C-suite need to lead their organisations by adopting ‘Project Cyber Business’ to deliver business excellence. Organisations who align Cyber Security best practice to business objectives by investing in proportionate controls, are optimising their businesses with better Cyber maturity. The benefits include gaining competitive advantage, winning new business contracts, as well as enhancing reputation and shareholder confidence.
Fitzmaurice explains, “Templar has engaged continuously over the past 5 years with a client to develop and sustain their Cyber maturity and resilience, and as a result this client has won over £7.2 billion worth of new business”. As a direct impact of ‘Project Cyber Business’, businesses are seeing an increased return on their investment, as well as a rise in brand value and share price. The results speak for themselves.
To optimise your business and join the success story, contact Templar Executives at enquiries@templarexecs.com
The pace of change has accelerated exponentially since then and will only continue to quicken. Technology is a huge force for good, an opportunity from which we can all benefit. In 2010, the Internet of Things was still in its infancy; in 2016, over six billion connected devices will be in use worldwide, enabling people to connect with people and governments and businesses to deliver better services. By 2020, that number is set to rise to over 20 billion.
The 2010 National Security Strategy identified cyber as one of the top threats to the UK. In response, the Government has invested £860 million since 2011 in a National Cyber Security Programme to:
• Tackle cyber-crime and make the UK one of the most secure places in the world to do business in cyberspace.
• Make the UK more resilient to cyber-attack and better able to protect our interests in cyberspace.
• Help shape an open, vibrant and stable cyberspace that supports open societies; and
• Build the UK’s cyber security knowledge, skills and capabilities.
We have made tangible progress against these vital objectives. In collaboration with our industry, academic and international partners, we have laid solid foundations for the future.
We have significantly enhanced our national capabilities and technologies to defend ourselves against those who would do us harm. We have a national approach to incident response and secure information sharing on threats, through CERT-UK and the Cyber Security Information Sharing Partnership it hosts.
Businesses of all sectors and sizes now have unprecedented levels of expert guidance and training available to help them manage their cyber risks. Government digital services are more secure than ever, and we are building in security by design and taking robust action against attempts at online fraud.
Through this, the UK is helping shape the international debate on the future of cyberspace. UK cyber security companies now have an increased market share internationally. And we are on a longer-term mission to ensure the UK has the right cyber skills and knowledge, with interventions at every level of the education system and cutting-edge research in cyber security.
But there is more to do. The 2015 National Security Strategy confirmed that cyber remains a top level threat to the UK’s economic and national security. That threat is increasing in scale and complexity. It is also increasing at such a pace that we must run simply to stand still. The increased inter-connectedness of our everyday lives means that the range of targets is broader and the task of protecting them harder.
Five years is a long time in cyberspace. When we published
the UK’s first Cyber Security Strategy, digital technology
was already having a transformational impact on how we
consume, share and save information
The next steps towards cyber security
By the Rt Hon Matthew Hancock MP
We must build the UK’s cyber security knowledge, skills and capabilities to become more resilient to cyber-attack
So we have announced that we will substantially increase our investment to £1.9 billion in protecting the UK from cyber-attack and developing our sovereign capabilities in cyberspace. Our new Programme, led by a new National Cyber Security Centre, will mark a redoubling of our efforts to tackle the cyber threat. But we cannot do this alone.
Everyone has a role to play in keeping our society safe. Continued, sustained and close collaboration between government, industry, academic and international partners is vital and we must accept our individual and collective responsibilities.
2016 will see the launch of the UK’s second National Cyber Security Strategy. This will define our vision and ambition for the next five years. While we know the scale of the task ahead, we also know we are building on a good platform. This report highlights the current Programme’s achievements over the past year and the wider impact of the Programme since its inception. We should be proud of the foundations we have jointly laid through our first National Cyber Security Programme. They have positioned us well for the future.
“We are on a long-term mission to ensure the UK has the right cyber skills and knowledge”
Mind The Gap: Empower a Common Risk Conversation
COLUMN
Commuters throughout London encounter a simple message about risk every day. As one boards the rail or tube, Transport for London will advise them to “Mind the Gap”. The phrase serves as a simple and effective message to mitigate the risk of someone being injured. Next time the words are heard, consider a different gap - the gap that exists between strategies organisations use to manage their business and cyber risk.
Today, we are more reliant on technology than ever before. With exposure from cyber threats constantly escalating, organisations are struggling to explain security in terms the business can understand. To be successful in today’s digital world and address advanced threats, companies must have a converged view of business and cyber risk. Organisations need to be able to determine what level of appetite they have for security risks. Business decisions must carefully consider the impact cyber has on the overall strategy and risk posture. Organisations need to approach this in three ways. Every employee should be engaged in actively managing risk. Security practitioners need to partner with and provide meaningful insight that resonates with the business. The business and security teams need to align taxonomies that enable a common conversation.
To learn more about empowering a common risk conversation,
new approaches to visibility, analysis, and action, and managing
identities, attend the RSA London Summit on April 27th. Until
then, please continue to “Mind the Gap” to prevent personal injury
and to protect the business.
Genaro Scalo
GRC Senior Manager,
Europe, Middle East and Africa, RSA
Extract from the UK Cyber Security Strategy
2011-2016 Annual Report
How to block the fraudsters
SUPPORTING EVENT
Along with the explosion in ecommerce there has been an explosion in efraud, with the industry urgently having to come up with a raft of new initiatives and strategies to keep ahead of the game. Social media doesn’t help: it has been making it easier for criminals to gather a lot of personal information about specific individuals and clone their identities. But the cyber security industry is fighting back, with a series of initiatives designed to protect digital payments from becoming a way of committing fraud or identity theft.
Zehra Chudry is the Head of Content for Payments World Series – who will be running PayExpo Europe in London this June. “So much information is online now that there has been a lot of cloning of identities,” she says. “Companies can get you online to say who you are but to date there have been limited ways of tracing back to make sure they are dealing with the real person, but that could be about to change. There are two major areas the industry is looking into. The first concerns online identity and there are a number of start-ups which are beginning to check information people supply on, say, Facebook, LinkedIn and Twitter to make sure it comes from the same person and thus verifies an individual’s identity to make sure it hasn’t been cloned. It allows companies to ask about people’s friends and updates to authenticate yourself online.”
The other major initiative concerns the problems caused by transferring information such as card details and addresses online. “Increasingly businesses are using a technology called blockchain, which encrypts information in such a way that only the receiving end will be able to see it and this is particularly useful for, say, money transfers,” says Chudry. “But there is a question about capacity. The reality at the moment is that how to integrate this into a business has not yet been clearly defined.”
But there is a great deal more to come. The battle to combat online fraud now encompasses robotics and artificial intelligence, with machines using algorithms to look at consumer patterns and spot changes in behaviour while elsewhere the industry is examining the viability of establishing a single set of cyber-crime standards. “Every country currently has its own values of what constitutes acceptable risk,” says Chudry. “So what we are asking is, ‘Is this achievable? Is it the way to look forward?’ Although it can feel like a battle just to keep your head above water in the fight against cybercrime as it becomes more intelligent, tech and software providers are also evolving faster than ever.”
Zehra Chudry
Head of Content, Payments World Series
Cybervillains are
everywhere. Companies
and individuals alike
must stay alert
Cybercrime is a major issue these days: Google and McAfee estimate there are 2,000 cyberattacks every day costing the global economy about £300 billion a year.
The problem cannot be overestimated and is becoming increasingly widespread. “We’ve been providing data security standards since we launched in 2006 to keep track of payment card data online,” says Jeremy King, International Director of the PCI Security Standards Council, which was formed as a global body to tackle payment security issues that surround the area of cybercrime. “We are dealing with globally organised criminal gangs operating on a massive scale. Thieves are trying to steal any data they can, governments are looking to see what can be done to tackle the problem and over one billion records are stolen every year. At the annual Infosec security event it was reported that 90 per cent of large organisations suffered at least one security breach and on average they reported 14 security breaches a year.”
Many organisations, unfortunately, have been in denial about the scale of the problem, especially those which are not actually involved in sales, King believes. However, boards are beginning to take it more seriously, accepting that this is not just an IT threat and are gradually becoming aware that there are four major types of cyber threat, starting with compromised credentials. “The main aim when protecting cardholder data is that you don’t store it if you don’t need to but if you do keep it then encrypt it,” says King.
Another type of attack involves ransomware. “The criminals insert malware, encrypt everything and then, for example, say, give us a certain amount in bitcoins and we’ll unlock your information,” says King. “Some US hospitals have been the victim of that. Or there can be a denial of services attack where so many requests are put into a system at once it can’t cope and runs slowly or shuts down. These types of attacks can have a massive impact: for example, if betting firms were targeted during the Grand National.”
Cybercriminals also use spyware and keyloggers to get into a system and the most common way here is via a phishing attack. Some of these are obvious; some, say, in the form of requests for bill payments, are a lot less so. Keyloggers, meanwhile, log every key stroke, thus revealing valuable credit card information and have in the past come to light when companies have spotted cleaners behaving suspiciously. Training staff is more crucial than ever. “Some companies have asked for a friendly phishing attack in order to test staff awareness and something like 25 per cent of employees fail,” King continues. “When that happens, typically a notice will pop up on screen saying, ‘You’ve failed, apply to personnel for further training.’ But it’s worse at board level where 33 per cent fail.”
Another issue stems from the fact that an increasing number of domestic appliances such as fridges and kettles are now connected to the internet, but while this may be convenient for the householder, white goods manufacturers do not understand security and risk broadcasting wifi security details everywhere.
Small merchants, too, have problems, with 1.3 million in the UK not having any IT services department. The Government is trying to address this, publishing 10 Steps to Cyber Security, using deliberately non-technical language to help. At PCI we have had a task force developing our own guide; this will be released in June.
Another growth area is Card Not Present – CNP – fraud, which PWC predicts will grow from $2.9 billion in 2014 to $6.4 billion in 2019. “The UK Cards Association monitors and reports fraud figures and has seen a 26 per cent increase across all fraud, with the majority in CNP via internet purchases,” says King. The European Central Bank is taking action: it is introducing further requirements on businesses and there will be hefty fines imposed if they don’t protect their customers’ data properly.
Adds King, “Improving security practices to identify and detect attacks quickly with the PCI Data Security Standard, and establishing an incidence response plan need to be top priorities for organisations in 2016.”
By Jeremy King
Jeremy King
International Director, PCI
Security Standards Council