
CYSPEX Blog

Entries in cyber attack (5)

Thursday, 9 August 2012

Cyber Vulnerability Index... -Why not Information Exploitation Index?

KPMG have recently launched a ‘first of its kind’ cyber vulnerability index that demonstrates that financial services is far and away the worst information-leaking sector.


A massive 48% of information leakages from the 10 Forbes 2000 companies that offered cyber attackers the most opportunity came from organisations in the financial services (banking – 30%, diversified financials – 12% and insurance – 6%)1.


Once again the risk-based case is made for investing in cyber security.


However, this research joins a large body of case studies, publications and media articles that focus on the risks businesses are running with regard to their information. By now most executives will be aware of the potentially large-scale impacts of poor cyber security. Yet many are still not investing to reduce the risk or to change their corporate behaviours around information management. Why?


Is the evidence still not strong enough to overcome the ‘it won’t happen to me’ syndrome? Are the impacts being exaggerated, so that businesses are not actually feeling the pain of information loss? Or is it that in these tight economic times any “spare” money is not being invested in risk-reduction initiatives, traditionally viewed as pure cost, and is instead going to areas that offer a stronger return on investment?


Possibly all three, but focusing on the latter: implementing cyber security should not be viewed as a sunk cost, because the cyber capability you develop can provide a significant return on investment. This important area is rarely discussed in the plethora of media around cyber security, with authors preferring to describe the latest juicy scare story.


Yes, there are people, organisations and States trying to get hold of your information. That isn’t going to stop. Yes, organisations are on the whole quite bad at looking after their information. That can change, but scare stories don’t seem to be having the desired effect on the Board room when it comes to investing in cyber security (as desired by Governments ... and security suppliers, of course!). So whilst I think it is a good piece of research, I am a little disappointed to see yet another report focused on the risk, the threat, and who is worst at protecting their information.

We need more positivity around cyber security to make it more attractive to the Board room.

At the heart of cyber security is information. Whilst companies need to protect information, they also need to exploit it. So why don’t more studies focus on who is best at safely and securely exploiting their information? Why aren’t there more case studies circulating about companies that have successfully exploited information for substantial gain? Rather than talking about the negative side of cyber security, we, as an industry, should be talking about which companies are the most secure, the most resilient, and which have developed the most competitive advantage through safely exploiting their information. Companies that can deliver a return on investment from their cyber security and become a safe, sustainable business in this information age are, I believe, what investors and shareholders want to hear about!

1 Publish and be Damned - Cyber Vulnerability Index 2012, KPMG

Monday, 6 February 2012

How Secure Is Your Online Banking? 

Reports released today have suggested that online hackers have found a way to ‘outwit’ the latest banking security systems. In the last year, UK banks have improved their security systems in a bid to prevent online fraud, providing their Internet-banking customers with two-factor authentication devices. The devices generate a one-time code which can be used to log into accounts for around thirty seconds, after which the code is invalidated.

HSBC, who were the first bank in the UK to provide customers with this security feature, claim on their website that the ‘SecureKey’ will help to protect customers from Internet banking fraud. “Devices like these are commonly being used for secure transactions all round the world” claims their website but customers from all banks are still falling into traps.

After entering their PIN and one-time code into the bank’s real website, customers are offered ‘training’ in a new ‘upgraded security system’. The ‘training’ page does not come from the bank: it is injected into the genuine session by malware already running on the customer’s computer. The code the customer types into it is used to authorise the attacker’s transfer, so by simply following the link the customer lets the hackers access the account and move the money, whilst the resulting transaction is hidden from the user.

Whilst experts have advised that customers should use up-to-date anti-virus software, it has been suggested that even this may not protect users. Banks and organisations working with the government to improve cyber security are continually looking at new ways to avoid this type of attack.
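To make concrete why a thirty-second code does not, on its own, defeat this kind of attack, here is an added Python illustration. It is not code from the bank, the BBC or the original post. It generates codes the way RFC 4226/6238 tokens do and simulates two toy bank back-ends: one that accepts any transfer carrying a valid, unused code for the current time step, and one (an assumed scheme for illustration, not any bank’s real algorithm) that only accepts a code derived from the payee and amount the customer keyed into the device. The seed, payees and amounts are constructed.

```python
"""Why a time-limited one-time code does not, by itself, stop a
man-in-the-browser transfer.  Added illustration; not the bank's,
the BBC's or any vendor's code.  Seed, payees, amounts and the
transaction-binding scheme are all constructed for the demo."""
import hashlib
import hmac
import struct
from typing import Optional

SECRET = b"constructed-demo-seed-not-a-real-token"  # shared seed (constructed)
STEP = 30                                            # seconds per code, as in the post
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _key(secret: bytes, payee: Optional[str], amount: Optional[int]) -> bytes:
    """Plain TOTP uses the seed directly.  The bound variant (assumed scheme,
    not any bank's real algorithm) derives a per-transaction key from payee
    and amount, so the code only verifies for that exact transaction."""
    if payee is None:
        return secret
    return hmac.new(secret, f"{payee}:{amount}".encode(), hashlib.sha256).digest()


def device_code(secret: bytes, now: int, payee: Optional[str] = None,
                amount: Optional[int] = None) -> str:
    """What the customer's token displays: RFC 6238 TOTP (counter = now // STEP),
    optionally bound to the payee and amount the customer keyed into the device."""
    return hotp(_key(secret, payee, amount), now // STEP)


class BankServer:
    """Toy server: tolerates one step of clock drift, refuses a reused step."""

    def __init__(self, secret: bytes, bind_transaction: bool):
        self.secret = secret
        self.bind = bind_transaction
        self.used_steps = set()   # replay protection within the window
        self.ledger = []          # (payee, amount) of every executed transfer

    def transfer(self, code: str, payee: str, amount: int, now: int) -> str:
        key = _key(self.secret, payee, amount) if self.bind else self.secret
        step = now // STEP
        for c in (step, step - 1):
            if hmac.compare_digest(hotp(key, c), code):
                if c in self.used_steps:
                    return "rejected: code already used"
                self.used_steps.add(c)
                self.ledger.append((payee, amount))
                return f"ok: {amount} to {payee}"
        return "rejected: bad code"


def simulate(bind_transaction: bool, now: int = 1_700_000_000) -> list:
    """Infected browser shows an 'upgraded security training' page; the
    malware submits its own transfer with the code the customer just typed."""
    bank = BankServer(SECRET, bind_transaction)
    intended = ("ELECTRICITY-CO", 120)  # what the customer believes they authorise
    mule = ("MULE-ACCOUNT", 4500)       # what the malware actually submits
    if bind_transaction:
        code = device_code(SECRET, now, *intended)  # payee+amount keyed into the device
    else:
        code = device_code(SECRET, now)             # code is good for any transfer
    bank.transfer(code, *mule, now + 2)       # malware wins the race, inside the window
    bank.transfer(code, *intended, now + 5)   # the customer's own request follows
    return bank.ledger


if __name__ == "__main__":
    print("time-only code:    ", simulate(False))  # only the mule transfer executes
    print("transaction-bound: ", simulate(True))   # only the intended transfer executes
```

With the time-only back-end the ledger holds the mule transfer and nothing else: the malware submitted first, inside the thirty-second window, and the customer’s own request is then rejected as a replay, which is exactly the hidden transfer the report describes. The bound variant refuses the mule transfer because the code no longer verifies for a different payee. The caveat is that binding only helps if the payee the customer keys into the device comes from the customer, not from the infected browser; malware that talks the user into entering the attacker’s account details still wins, which is why awareness matters as much as the token.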

It is not only personal accounts that are at risk of such attacks. Businesses are equally exposed to online fraud and hacking. With an increasing number of organisations using online systems to manage their finances, businesses are more frequently becoming targets for hackers. It is evident to us at Templar Executives and StratexSystems that the solution lies not just in technology but must be holistic: building the awareness, culture and processes that create a robust cyber security capability.

Training staff to be aware of such cyber attacks and knowing how to handle them if they occur is vital to modern businesses.

The BBC have issued the following advice:

How to spot if you have been infected
- If your transaction seems to be taking longer than normal, there is a chance it is going via a fraudster's system
- If you are asked for more information than normal, especially entire passwords where previously you were only asked for part, your machine may have been infected
- Computers that have been infected often slow down while malware monopolises both the processor and the Internet connection

What to do if you suspect something
- Contact your bank by phone, not by email
- Tell them the time and date you believe you were accessing your bank account; if the bank's records do not match, it is likely your computer has been compromised
- In the UK, banks usually refund victims of online fraud as a matter of course

If this is a concern to you, personally, or for your business, and you have any questions regarding online banking and hacking, please feel free to comment below and we will look into your query. 

By Rebecca Beard, StratexSystems 

Tuesday, 13 December 2011

CYSPEX: Bigger, Broader, & Deeper than ISO27001

ISO27001 has not stopped organisations from losing data! 68% of large organisations had fully implemented ISO27001 by 2009 and, despite that, 62% of large organisations were infected by a virus or malicious software in that same year[1]. ISO27001 fails to protect against data breaches because, unlike CYSPEX, it does not provide a deep, holistic assessment of an organisation. 

CYSPEX offers a holistic assessment of an organisation’s cyber security in terms of the business outcomes it wishes to achieve. This is wider, deeper and more pertinent than ISO27001 certification, which is focused solely on information security. CYSPEX is a strategic, all-encompassing business process that assesses cyber security across physical, personnel and infrastructure security and is the most holistic assessment around; ISO27001 is a more tactical, tick-box exercise focused primarily on the infrastructure. Undertaking CYSPEX not only gives you a fuller picture of your current cyber maturity, it also provides you with the ability to formulate a realistic over-arching strategy for making decisions: it facilitates a way ahead.

Due to its technical focus, ISO27001 lacks an awareness of the importance of corporate governance in cyber security. Leadership, accountability and governance are a core part of the CYSPEX model, with the roles, responsibilities and expectations of the senior governance chain clearly defined and tested. High-level accountability and governance set the culture of an organisation and lead the way in terms of behaviour; by not assessing this crucial component of cyber security, ISO27001 fails to address one of the core enablers of usable cyber security. Likewise, the fulfilment of specific duties by key roles (including Chief Operating Officers, Heads of Business Units, Information Asset Owners and Senior IT Managers) is analysed in CYSPEX but entirely overlooked in ISO27001.

Another crucial differentiator between ISO27001 and CYSPEX is training. Training is hugely important in cyber security: research shows that in 2010 alone nearly 50% of staff in UK organisations lost or leaked confidential data and 80% of large organisations reported staff-related breaches, a figure which has doubled since 2008[2]. CYSPEX analyses not just whether training is undertaken by all staff but also how effective it is and how it compares with best practice.

Offering a holistic analysis of cyber security, CYSPEX addresses physical and personnel security, which is frequently the weakest link. The interface between physical, personnel and electronic security is often the point where security breaches occur, an interface neglected by ISO27001. ISO27001 certification will contribute towards the CYSPEX model but, unlike CYSPEX, will not support credible and robust cyber security on its own.

[1]PWC, 2010

[2] ibid


By Dr. Jessica Barker, Templar Executives

Monday, 12 December 2011

DDoS Attack in the Middle of the Russian Election

As the Russian election gets underway, it has been reported that a Distributed Denial of Service (DDoS) attack prevented a number of Russian websites from working, including those of election monitoring groups, independent media and a number of blogs. DDoS attacks have become more frequent, but the difficulty remains in identifying who the perpetrators of the attacks are.

Across the world, cases have been reported ranging from an attack on an armed forces site in the UK to the large-scale attack on Estonia. As our reliance on cyber increases, so do the risks we face as individuals, organisations and governments alike, leaving one question for consideration: how can we reduce our exposure to such attacks?

Monday, 12 December 2011

89% of UK Organisations Suffered a Security Breach in 2010, PWC 2011 report

All types and sizes of business are susceptible to cyber attack; a recent report by PWC found that 89% of UK organisations suffered a security breach in 2010 and 59% experienced two or more breaches. Employee mobile devices and laptops were highlighted within the report as the most likely endpoints from which serious cyber attacks are executed against a company. The commercialisation of mobile devices has meant that it is more difficult for organisations to keep track of which employees are using which pieces of mobile technology; the line between personal and business use of technology is blurring, and at a rapid rate.