Contact Centre Summit | Forum Events

Posts Tagged: cyber security

Cyberattacks on major organisations ‘highlight AI vulnerabilities’

Stuart O'Brien

The cyber landscape continues to evolve as major organisations like British Airways, Boots, and the BBC face the aftermath of a crippling cyber attack.

The battle against cyberattacks seems to have been lost, with vulnerabilities in AI becoming a potential future target for those trying to steal personal data, according to analysts at GlobalData.

David Bicknell, Principal Analyst, Thematic Intelligence at GlobalData, said: “The ingenuity behind these attacks is beyond the capability of most enterprises to prevent occurring. They can only take steps to be as resilient as possible. These attacks are tried and tested perhaps more than many realize.”

Analysis by Kroll suggests the Clop ransomware gang has been looking for ways to exploit a now-patched zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution since 2021.

Bicknell added: “The battle to prevent these sorts of attacks from occurring has already been lost. What is important now is for security specialists – companies, researchers, security vendors, and governments – to put their best efforts into limiting as far as possible the use of artificial intelligence (AI), including generative AI, by hackers for offensive purposes.

“Events this week demonstrated that security researchers can too easily break through so-called guardrails instituted in AI software and manipulate the software into ignoring safety restraints and then revealing private information. If they are not controlled, these vulnerabilities will lead to future AI-driven cyberattacks.”

Rajesh Muru, Principal Analyst, Global Enterprise Cybersecurity Lead at GlobalData, said: “This is a classic case of insufficient risk management posture across company supply chains. Risk management compliance guidelines like NIST go some way to address supply chain cybersecurity risks. However, both user and supplier initiatives around cybersecurity are just not sophisticated enough to drive visibility across the complete supply chain.

“This often leads to end-user enterprises not having visibility on the security posture across the complete supply chain and, more importantly, sufficient time to react.

“The irony of all of this is that Progress very much sells on the premise of secure transferability of sensitive data with MOVEit. The product itself has strong security features, covering cryptographic tamper-evident Logging, Regulatory/Compliance Support (PCI, HIPAA, SOC2, GDPR), and Gateway Reverse Proxy.

“Therefore, it just shows that, even now, with developments in AI and the sheer volume of use cases for it, the question is, is the world moving into a darker place with the potential for adversarial machine learning attacks through vulnerabilities?”

Amy DeCarlo, Principal Analyst, Global IT Hosted and Managed Services at GlobalData, noted: “Clop allegedly exploited a vulnerability in the file transfer software MOVEit to tap personal identifiable information (PII) including names, addresses and banking information.

“This doxware incident, in which instead of cybercriminals encrypting data and demanding ransom in exchange for a decryption key, they threaten to publish the information, is one of a steadily increasing stream of similar incidents.

“Prevention is critical. Organizations need to make sure they are running the most current anti-virus software. Another important defense is end-user education. Attackers often use phishing and other social engineering tactics to breach an enterprise.”

80% of global organisations expect breaches of customer records

Stuart O'Brien

Trend Micro and the Ponemon Institute have revealed the findings of a study which discovered that 86% of global organisations expect to suffer a cyber attack in the next 12 months.

The findings come from Trend Micro’s biannual Cyber Risk Index (CRI) report, which measures the gap between respondents’ cybersecurity preparedness versus their likelihood of being attacked. In the first half of 2021 the CRI surveyed more than 3,600 businesses of all sizes and industries across North America, Europe, Asia-Pacific, and Latin America.

The CRI is based on a numerical scale of -10 to 10, with -10 representing the highest level of risk. The current global index stands at -0.42, a slight increase on last year which indicates an “elevated” risk.

Organizations ranked the top three negative consequences of an attack as customer churn, lost IP and critical infrastructure damage/disruption.

Key findings from the report include:

  • 86% said it was somewhat to very likely that they’d suffer serious cyber-attacks in the next 12 months, compared to 83% last time
  • 24% suffered 7+ cyber attacks that infiltrated networks/systems, versus 23% in the previous report.
  • 21% had 7+ breaches of information assets, versus 19% in the previous report.
  • 20% of respondents said they’d suffered 7+ breaches of customer data over the past year, up from 17% in the last report.

“Once again we’ve found plenty to keep CISOs awake at night, from operational and infrastructure risks to data protection, threat activity and human-shaped challenges,” said Jon Clay, vice president of threat intelligence for Trend Micro. “To lower cyber risk, organizations must be better prepared by going back to basics, identifying the critical data most at risk, focusing on the threats that matter most to their business, and delivering multi-layered protection from comprehensive, connected platforms.”

“Trend Micro’s CRI continues to be a helpful tool to help companies better understand their cyber risk,” said Dr. Larry Ponemon, CEO for the Ponemon Institute. “Businesses globally can use this resource to prioritize their security strategy and focus their resources to best manage their cyber risk. This type of resource is increasingly useful as harmful security incidents continue to be a challenge for businesses of all sizes and industries.”

Among the top two infrastructure risks was cloud computing. Global organizations gave it a 6.77, ranking it as an elevated risk on the index’s 10-point scale. Many respondents admitted they spend “considerable resources” managing third party risks like cloud providers.

The top cyber risks highlighted in the report were as follows:

  • Man-in-the-middle attacks
  • Ransomware
  • Phishing and social engineering
  • Fileless attack
  • Botnets

The top security risks to infrastructure remain the same as last year, and include organizational misalignment and complexity, as well as cloud computing infrastructure and providers. In addition, respondents identified customer turnover, lost intellectual property and disruption or damages to critical infrastructure as key operational risks for organizations globally.

The main challenges for cybersecurity preparedness include limitations for security leaders who lack the authority and resources to achieve a strong security posture, as well as organizations struggling to enable security technologies that are sufficient to protect their data assets and IT infrastructure.

Here’s why you need to be at the Security IT Summit

Stuart O'Brien

Register today for the Security IT Summit – It’s FREE for you to attend and could help you reduce your expenditure by matching you up with innovative suppliers who match your requirements.

You will be joining just 60 other senior professionals who are attending the event to network, learn and forge new business relationships.

Register today to avoid disappointment. Here’s why:

  • As one of our guests, you will be provided with a bespoke itinerary of face-to-face meetings with suppliers.
  • You’ll have the opportunity to attend insightful seminars and interactive workshops.
  • Network with 60 other senior cyber security professionals who share your challenges.
  • Enjoy complimentary lunch and refreshments.

The Security IT Summit takes place on June 30th at the Hilton London Canary Wharf. Book your complimentary guest pass today.

British businesses battle sophisticated security threats with old tools and misplaced spend

Stuart O'Brien

Only a quarter (25%) of business leaders across EMEA are confident in their current cybersecurity practices.

That’s according to a study commissioned by VMware in partnership with Forbes Insights, which shows UK businesses are trapped in a routine of spending without adequately assessing the needs of their organisation.

Three quarters (78%) of business and IT security leaders believe the cybersecurity solutions their organisation is working with are outdated, despite 40% having acquired new tools over the past year to address potential threats.

Seventy four percent, meanwhile, reveal plans to invest even more in detecting and identifying attacks in the next three years, despite having a multitude of products already installed – a quarter (26%) of businesses currently have 26 or more products across their enterprises for this. 

The apparent hope of UK businesses to spend their way out of security crises is coupled with a significant security skills gap: just 16% of UK respondents state extreme confidence in the readiness of their organisation to address emerging security challenges, with only 14% extremely confident in the readiness of their people and talent.

The report concludes that, despite British businesses shoring up their defences against an evolving threat landscape, the complexity surrounding multiple cybersecurity solutions is making it harder for organisations to respond, urgently adapt or improve their strategies. In fact, a third (34%) of IT security leaders state it can take up to an entire week to address an issue. 

Ian Jenkins, Director, Networking and Security UK & Ireland, VMware, said: “Businesses across the UK and beyond continue to follow the same IT security paths, and yet expect to see different results. Yet we now live in a world of greater complexity, with more and more intricate interactions, more connected devices and sensors, dispersed workers and the cloud, all of which have created an exponentially larger attack surface. Investment in traditional security solutions continues to be dwarfed by the economic repercussions of breaches.”

The lack of confidence highlighted in this study sits within a chasm forming between business leaders and security teams. In the UK, only a quarter (24%) of IT teams consider C-suite executives in their organisation to be ‘highly collaborative’ when it comes to cybersecurity. Across EMEA, meanwhile, only 27% of executives and only 16% of IT security practitioners say they are collaborating in a significant way to address cybersecurity issues.

Jenkins added: “Modern-day security requires a fundamental shift away from prevailing preventative solutions that try to prevent breaches at all costs. British businesses must invest in solutions that make security intrinsic to everything – the application, the network, essentially everything that connects and carries data. Breaches are inevitable, but how fast and how effectively you can mitigate that threat and protect the continuity of operations is what matters. Combining this approach with a culture of security awareness and collaboration across all departments is crucial to driving cyber best practice forward, and helping enterprises in the UK and across EMEA stay one step ahead in the world of sophisticated cybercrime.”

Majority of UK workforce lacks basic cyber security training

Stuart O'Brien

Seventy-seven per cent of UK workers admit that they have never received any form of cyber skills training from their employer.

That’s according to a study from Centrify and comes during the European Union’s CyberSecMonth, which is designed to raise awareness of cybersecurity threats, promote cybersecurity among citizens and organisations, and provide resources to protect themselves online through education and sharing of good practices.

The survey of 2,000 full-time UK workers in professional services, conducted by independent survey company Censuswide, also found that over one quarter (27 per cent) of workers use the same password for multiple accounts, including work email and social media, putting both their personal security and that of their company at risk from hackers.

Most worryingly, the survey also found that 69 per cent admit that they do not have confidence in their own cyber security processes when it comes to protecting their own data.

Additionally, 14 per cent have admitted to keeping their passwords recorded in an unsecured handwritten notebook or on their desk in the office. The news comes despite the UK government’s drive to improve cyber security for companies, with its Cyber Essentials programme.

A further 14 per cent do not utilise multi-factor authentication cyber security measures for apps or services unless required to do so – despite the fact that many consumer banking apps and social media now offer this service. 

Experts have warned that such a lacklustre approach to critical cyber awareness could land employers in hot water.

Donal Blaney, a cyber law expert at Griffin Law, said: “Ignorance of the law is no defence. Company directors and business owners owe it to themselves, their staff, their shareholders, and their customers to know how to protect their businesses and their customers’ data. They will only have themselves to blame if this blows up in their face one day.”

Andy Heather, VP at Centrify, added: “In an age where cyber attacks have emerged as one of the most ruthless and successful forms of crime that can be committed against a business on a large scale, it is astounding to hear that so many UK companies neglect to instil even the most basic cyber security measures in their employees.

“Just one misplaced password could result in the theft of millions of sensitive company documents, personal information and financial fraud, allowing hackers access to critical data. Tackling this issue requires urgent investment in cyber skills training and adopting a zero-trust approach, to further reduce the risk of weak passwords leaving easy entry points and to ensure malicious parties cannot run riot in company systems with stolen log-in credentials.”

GUEST BLOG: Whose data is it anyway? GDPR and the problem of data ownership

Guest Post

By Tony Pepper, CEO, Egress Software

“GDPR is the new Y2K” was a phrase I heard multiple times during the first 12 months since its implementation. As the ICO continued to work through historical breaches under the Data Protection Act, there was certainly a sense that GDPR was all bark and no bite.

Then its first anniversary was quickly followed by the ICO issuing intentions to fine British Airways an incredible £183.39m and Marriott nearly £100m. With this move, the ICO reminded CISOs and their boards that they are indeed operating in a new era of data protection and compliance, and GDPR moved back up the agenda once more.

Yet despite this, we don’t go a day without a new breach hitting the headlines – and the impacts are only getting more significant. The latest ‘Cost of a Data Breach’ report from Ponemon and IBM shows the average cost has increased 1.5 per cent to $3.92m. 

Stemming this tide is the problem all CISOs are working to solve – but if measures to date have had limited impact, where should they look next to achieve this? A clear understanding of why data breaches are happening is the logical place to start, however when employees are involved, this is never a straightforward issue. 

Understanding the ‘why’ around data breaches 

Much analysis has been carried out into the types and frequency of data breaches, but there has been little focus on why they are happening. When considering cyberattacks and malicious data breaches, we can quickly attribute motivations to factors such as financial gain (including ransom), political affiliations, competition and sabotage, or emotions (for example, anger). To most people, the link between these motivations and subsequent actions makes sense, much in the same way that physical theft might do.

When we consider non-malicious insider data breaches caused by staff, the problem becomes layered with complexity that’s difficult to untangle and resolve. Yet only when we understand more clearly the why behind these breaches, can we reduce their likelihood and impact. 

At Egress, we looked into this topic with independent research company Opinion Matters. Our survey of over 500 CIOs and IT leaders in the US and UK found that nearly all of them (95 per cent) are concerned by insider threat and most believe employees have put data at risk in the last 12 months either accidentally (79 per cent) or maliciously (61 per cent).

We also surveyed over 4,000 employees and found that they paint a very different picture: 92 per cent said they have not accidentally leaked data in the last year, while 91 per cent said they had not intentionally leaked data. 

Such a contrast clearly demonstrates that to some degree, employees are either unwilling to admit to causing data breaches or unaware that they have caused one.  

The issue of unknowingly causing data breaches is a nuanced discussion. It’s not simply a case of, say, never becoming aware that they’ve emailed sensitive data to the wrong person; it also includes whether employees feel like they have a right to the data in the first place, and therefore by removing it from a secure environment, they don’t realise that they’ve caused a breach – for example, exfiltrating customer lists when moving onto a new company. 

Our research found that almost one-in-three employees (29 per cent) believe they have ownership over the data they have worked on for a company and that 60 per cent don’t believe the organisation has exclusive ownership over the data.  Interestingly, those aged 16 – 24 were actually less likely to think the organisation has exclusive ownership (33 per cent), while those aged over 65 were more likely to think so (51 per cent).

The problem of ethics and ownership

Awareness and education are a favourite starting point for tackling non-malicious insider breaches. A solid foundation of cybersecurity awareness does help to reduce negligent or inadvertent instances by championing good practices. Employees can also be challenged and re-educated on the subject of data ownership, for example explaining what needs to remain with the organisation when they leave. These educational measures should also be highly targeted to the current workforce age ranges within individual organisations. In a time where digital natives, such as millennials and Generation Z, have grown up with prevalent sharing on social media and a sense of ownership around what they produce, this problem is likely to be exacerbated in these employees. 

Yet education alone won’t turn the tide of data breaches, as it can’t prevent reckless behaviour or be able to stop all inadvertent breaches – after all, people are always going to make mistakes!

How technology can reduce breaches

When respondents who acknowledged causing a data breach were asked how this happened, our research found that accidental leaks were caused by: rushing and making mistakes (48 per cent), working in a high-pressure environment (30 per cent), and tiredness (29 per cent). Two of the top causes of intentional breaches were not having the tools required to share data securely (55 per cent) and taking data to a new job (23 per cent).

This insight helps us to understand the role technology needs to play in preventing data breaches. Advances in machine learning and graph database technologies have made it possible to identify when people are about to accidentally or intentionally leak data – warning users and administrators in real-time that a breach is occurring, and even preventing the release of certain data altogether.

The use of this technology can not only reduce the likelihood of a data breach but also significantly reduce the impacts should a breach occur. The ‘Cost of a Data Breach’ study shows that use of security technologies such as encryption and DLP were associated with lower-than-average data breach costs. In particular, encryption had the greatest impact, lowering the cost by $360,000 on average. What’s more, security automation that leveraged technologies like machine learning and analytics on average reduced the cost of a data breach by an impressive $2.5m.

Not another Y2K

For those of us operating in cybersecurity on a daily basis, it’s impossible to be ignorant of GDPR and its impacts. This awareness inevitably dilutes the further we get from CISOs and their Security Teams, but GDPR doesn’t make this distinction: good data protection practices are non-negotiable.

As research has shown, there’s no one silver bullet to turning the tide of data breaches, particularly those caused by employees and the complexities they bring to this problem. But GDPR has emphatically proven it is not another Y2K – and CISOs need to keep educating and equipping employees to prevent non-compliance. To do this, CISOs need to address the motivations and problems staff have when sharing data – and when they don’t have confidence that people will make the right decisions, they need to look to the latest technologies to do this on their behalf.

GUEST BLOG: Four questions organisations need to ask after a cyber attack

Guest Post

Cyber attacks are inevitable, but it’s how an organisation deals with them that can make or break their business. Have they got all the answers, and do they fully understand the implications? Can they be sure the attack won’t happen again?

Swift and comprehensive incident response is a critical step to ensuring the future security of a business and protecting its reputation. It’s not enough to be aware that an attack is taking (or has taken) place. There are four key questions organisations need to be able to answer following a cyber security breach – if a single answer is missing, the security team won’t have the full picture, leaving the business vulnerable to impending attacks. Not having this level of insight can also damage an organisation’s relationships with suppliers and affect customer confidence, as it means the business itself is not in control of the situation.

Andy Pearch, Head of IA Services at CORVID, outlines four questions all organisations must be able to answer after a cyber attack.

1. How and where did the security breach take place?

The first step of an effective incident response strategy is to identify how the attackers got in. Quite simply, if an organisation misses this first crucial step, attackers will exploit the same vulnerability for future cyber attacks. Guesswork won’t cut it – any security professional can hypothesise that “it was probably an email”, but security teams need clear evidence so they can fully analyse all aspects of the problem and devise an appropriate solution. 

2. What information was accessed?

Understanding specifically what information was accessed by the attacker is paramount to knowing what impact the attack will have on the organisation. Identifying which departments were targeted or what types of information might have been stolen isn’t good enough; organisations need to be able to articulate exactly which files were accessed and when. Headlines about attackers stealing information are common, but just as importantly, you need to know the scope of the information they’ve seen, as well as the information they’ve taken. Not only will this inform the next steps that need to be taken, and shed light on which parts of the business will be affected, but it will also enable the organisation to remain compliant with legal obligations, for example, identifying if a data breach needs to be reported under GDPR.

3. How can systems be recovered quickly?

Organisations will understandably want to get their IT estate back to normal as soon as possible to minimise damage to their business, service and reputation. If the compromise method is identified and analysed correctly, IT systems can be remediated in seconds, meaning users and business operations can continue without downtime for recovery.

4. How do you prevent it from happening again?

Knowing the IT estate has been compromised is useless without taking steps to make sure it doesn’t happen again. Managed Detection and Response (MDR) is all about spotting the unusual activity that indicates a potential breach. If a user is accessing files they would never usually touch, sending unexpected emails or reaching out to a new domain, for example, such activity should prompt a review. The problem for most companies, however, is they lack not only the tools to enable such detection, but also the time and skills to undertake thorough analysis to determine whether it is a breach or a false positive.

A managed approach not only takes the burden away from businesses, but also enables every company to benefit from the pool of knowledge built up as a result of detecting and remediating attacks on businesses across the board. With MDR, every incident detected is investigated and, if it’s a breach, managed. That means shutting down the attack’s communication channel to prevent the adversary communicating with the compromised host, and identifying any compromised asset which can then be remediated.

Shifting security thinking

Clearly, GDPR has raised awareness that the risks associated with a cyber attack are not only financial, as hackers are actively seeking to access information. Security plans, therefore, must also consider data confidentiality, integrity and availability. But it is also essential to accept the fundamental shift in security thinking – protection is not a viable option given today’s threat landscape. When hackers are using the same tactics and tools as bona fide users, rapid detection and remediation must be the priority.
