
CYSPEX Blog

Entries in cyber risk management (9)

Wednesday, Oct 31 2012

The first steps to managing cyber-risk.

The following is a summary of an article by Thomas Dunbar.

Every company is reliant on technology, and data is often a critical asset. Managers and IT personnel monitor reports on their computers and mobile devices around the clock, yet even that is an ineffective way to keep up. According to the Financial Times, companies generate 2.5 exabytes of data; at that rate, 90% of the data stored today was created in the past two years.

With this unprecedented growth, new threats emerge. These risks have historically been the domain of the IT department, but while cyber risks are by definition rooted in technology, they are not actually technological risks; they are business risks. Business risks are best addressed through a holistic risk management process that includes systematic risk identification, quantification, assessment and mitigation.

Data Breach Facts in 2011

* 97% of breaches were avoidable through simple or intermediate controls
* 96% of attacks were not highly difficult
* 96% of victims subject to the Payment Card Industry Data Security Standard (PCI DSS) had not achieved compliance
* 94% of all data compromised involved servers
* 92% of incidents were discovered by a third party
* 85% of breaches took weeks or more to discover
* 79% of victims were targets of opportunity

The article also suggests three steps risk professionals can take to better protect their company's most important asset: data.

Step 1: Assemble a Cyber-Risk Team

Step 2: Identify and Assess the Risks

Step 3: Develop an Incident Response Plan


Monday, Oct 29 2012

10 STEPS TO REDUCE YOUR CYBER RISK

The following guide was produced jointly by GCHQ, BIS and CPNI:

Many players pose a risk to information:

  • Cyber criminals: making money through fraud
  • Industrial competitors and foreign intelligence services: gaining an economic advantage for their own company or country
  • Hackers: enjoying the challenge of interfering with computer systems
  • Hacktivists: attacking companies for ideological or political motives
  • Employees: those with legitimate access, whether through accident or deliberate misuse

Effective enterprise-wide risk management starts with awareness of potential threats. Companies need to consider what could threaten their critical information assets and what the impact would be if those assets were compromised. The aim is to mitigate the majority of risks to critical information assets and to be better able to reduce the impact of, and recover from, problems as they arise. The 10 steps below can help reduce your cyber security risks.

The guide by GCHQ, BIS and CPNI also gives three examples of companies across different industries that have experienced some form of cyber security attack. These examples are based on events that had a real impact on the companies' operations. The guide explains, "Application of the 10 steps provides a comprehensive information risk management framework; however, for each scenario we have suggested those of particular relevance (GCHQ, 2012)..."

This Guide and the accompanying documents have been produced jointly by GCHQ, BIS and CPNI. They are not intended to be an exhaustive guide to potential cyber threats or mitigations, are not tailored to individual needs and are not a replacement for specialist advice. Companies should ensure that they take appropriate specialist advice where necessary.

© Crown Copyright 2012

Monday, Mar 05 2012

CYSPEX Cyber Security Breakfast: From Threat to Solution

Is your organisation leveraging the competitive advantage of a positive cyber security culture? What is your organisation doing to promote cyber security and support the Government in making the UK the world's leading marketplace? It’s a fine line between protection and enablement: how is your organisation dealing with the cultural and behavioural impacts?

These questions and more were raised at the CYSPEX Cyber Security Breakfast held at the Houses of Parliament on 1 March 2012. It was a full house, with attendees from government, the private sector and academia providing insights and responses to some of the challenges facing the UK in cyber security.

The event was sponsored by Templar Executives and StratexSystems. Andrew Fitzmaurice, CEO, Templar Executives, introduced the speakers and set the scene, explaining: “Today’s briefing is designed to promote the holistic approach required for effective cyber security and to hear from those in the public and private sectors who understand this and are actively contributing to the National Cyber Security Strategy.”

Keynote speakers included: Andrew Miller MP, Chair of the Science and Technology Select Committee; Adrian Leppard, Commissioner of Police for the City of London; John Cook, Head of Defence Security and Assurance Services, Ministry of Defence; Simon Parker, Chief Information Officer, Babcock International Group PLC; and Rena Lalgie, Deputy Director of Cyber Security, Department for Business, Innovation and Skills. Both Baroness Pauline Neville-Jones (Special Representative to Business on Cyber Security) and Lord Erroll supported the event and participated in the lively audience debate that followed. All of these attendees are prominent in the actions they are taking to develop the UK’s cyber security maturity response.

Andrew Miller MP opened the session by highlighting that it is imperative for government and business to work together to tackle the cyber threat, which is growing and “increasingly complex and dynamic”. Commissioner Leppard reinforced this by stating that in the last year alone, fraud cost the UK economy £38.6 billion.

Commissioner Leppard outlined the plans of the Economic Crime Unit and the National Fraud Intelligence Agency and the steps they are taking to centralise the capture of fraud intelligence. The Commissioner concluded: “the threat of internet crime is increasing exponentially and whilst both the government and the private sector have responded positively to this challenge we have got to keep the pace going”, a view that was echoed by all speakers.

John Cook from the MoD and Simon Parker, CIO of Babcock, shared the approaches their respective organisations are taking to increase their cyber maturity capability. Simon Parker explained that technology is only part of the picture; to be effective, the culture of the organisation needs to be changed by carrying out training at all levels to raise awareness. Both speakers concurred that organisations need to do more to articulate their information risk appetite and to manage risk in accordance with that appetite.

John and Simon also emphasised the need for the board to endorse a cyber security strategy and drive change from the top. Implementing effective cyber security requires everyone within an organisation to be accountable and to take responsibility for understanding the threats and vulnerabilities they face and how they can prevent them. Addressing the supplier market, John Cook said suppliers need to “take action to ensure and demonstrate they have sufficient cyber security measures in place in what is a dynamic challenge that none of us can afford to ignore.” It was noted that those suppliers who did take action were not only contributing to the overall aim of the National Cyber Security Strategy, making UK Plc the place to do business, but also gaining a competitive advantage.

Rena Lalgie called for a shift in emphasis so that cyber security is seen as an enabler of economic prosperity, and for a focus on galvanising and partnering with the private sector to deliver the change necessary in this area. Cyber security should be an integral part of how companies manage their corporate risk.

In his closing remarks Andrew Miller MP commented on the next generation of the UK workforce and observed: “the missing link is in education; technical and practical skills and behavioural change need to be taught and embedded in the education process. We need to shift the dynamics so young people grow up knowing how to protect their own work and are used to working in that way.”

Wednesday, Feb 15 2012

Managing your Cyber Security: Moving from Rhetoric to Action

A holistic approach to cyber security, one in which your people, processes, culture and ICT infrastructure are all taken into account, will reduce direct and indirect costs (such as fines and litigation), optimise your revenue opportunities (by proving to clients and customers that you are a safe and secure organisation to do business with) and ultimately enhance your business proposition. A high level of cyber maturity works to safeguard your reputation, attract (and retain) investors and clients, and enables you to make the best use of information, knowing that it is valued, timely and relevant.

But what exactly is ‘cyber maturity’? Simply put, it is the measure of an organisation’s level of cyber security development: how robust that organisation is in cyber space, and the level of knowledge and understanding that the organisation, as a whole, has of threats, risks and the appropriate behaviours to pursue. Finally, it is about ensuring that such knowledge and understanding is put into practice and supported throughout the business as a whole.

Measuring your level of cyber maturity is therefore about much more than simply assessing your technology. It is also about the governance structures in place, the culture fostered around information, how employees are supported through learning and development, the level of cyber situational awareness running throughout the business, and much more. All businesses have information they need to protect, and good cyber security is ultimately about recognising what your most valuable information is and being confident that it is sufficiently protected and well used.

It is important for businesses to remember that their most valuable information might be the personal information of customers and employees, as highlighted by Adrian Leppard, Commissioner of the City of London Police:

Technology might be fanning the flames of fraud, but data is the fuel fraud needs to survive. While individuals focus on shredding old utility bills and protecting their PINs, the reality is that businesses are a far greater source of data, with many holding thousands, even millions, of customers’ details. In today's fight against fraud, businesses are becoming a major battleground. (Source: The Telegraph, 2011)

Commissioner Leppard will join other representatives from government and industry at a Cyber Security Breakfast briefing on 1 March 2012 to discuss the steps organisations are taking to mitigate both internal and external cyber threats. The briefing will address how public and private organisations can work together and engage in practical steps to improve the UK’s cyber maturity level, in light of the UK Cyber Security Strategy: Protecting and Promoting the UK in a Digital World.


By Dr. Jessica Barker, Templar Executives

Monday, Feb 06 2012

How Secure Is Your Online Banking?

Reports released today suggest that online criminals have found a way to ‘outwit’ the latest banking security systems. In the last year, UK banks have improved their security systems in a bid to prevent online fraud, providing their Internet banking customers with dual-factor authentication devices. The devices issue a unique one-time key that can be used to log in to an account for around thirty seconds, after which the key is invalidated.

HSBC, the first bank in the UK to provide customers with this security feature, claims on its website that the ‘SecureKey’ will help to protect customers from Internet banking fraud. “Devices like these are commonly being used for secure transactions all round the world”, claims the website, but customers of all banks are still falling into traps.

After entering their unique PIN into the bank’s real website, customers are offered ‘training’ in a new ‘upgraded security system’. Once the customer clicks this link, the criminals can access the customer’s account and move money out of it, while hiding the transfer from the user.

Whilst experts have advised that customers should use up-to-date anti-virus software, it has been suggested that even this may not protect users. Banks and organisations working with the government to improve cyber security are continually looking at new ways to counter this type of attack.

It is not only personal accounts that are at risk of such attacks. Businesses are equally likely to be exposed to online fraud and hacking. With an increasing number of organisations using online systems to manage their finances, businesses are more frequently becoming targets. It is evident to us at Templar Executives and StratexSystems that the solution lies not just in technology but must be holistic: building the awareness, culture and processes that create a robust cyber security capability.

Training staff to recognise such cyber attacks, and to know how to handle them if they occur, is vital to modern businesses.

The BBC have issued the following advice:

How to spot if you have been infected
- If your transaction seems to be taking longer than normal, there is a chance it is going via a fraudster's system
- If you are asked for more information than normal, especially entire passwords where previously you were only asked for part, your machine may have been infected
- Computers that have been infected often slow down while malware monopolises both the processor and the Internet connection

What to do if you suspect something
- Contact your bank by phone, not by email
- Tell them the time and date you believe you were accessing your bank account; if the bank's records do not match, it is likely your computer has been compromised
- In the UK, banks usually refund victims of online fraud as a matter of course

If this is a concern to you personally or for your business, and you have any questions regarding online banking and hacking, please feel free to comment below and we will look into your query.

By Rebecca Beard, StratexSystems