cyber security small

REGISTER NOW

SUMMIT LONDON, 27 APRIL 2016

http://tinyurl.com/RSASummit2016London

T: +44 (0) 1344 781613

DISCOVER NEW STRATEGIES FOR SECURING MODERN IT

What are the next steps towards cyber security? Read an extract from the UK Cyber Security Strategy 2011-2016 Annual Report

AN INDEPENDENT SUPPLEMENT BY MEDIAPLANET

APRIL FUTUREOFTECH.CO.UK

READ: What is the biggest cause of a cyber breach? P4

INSIDE: How to empower a common risk conversation P6

ONLINE: Why modern vehicles could become a target for cyberattack

Cyber security

FUTUREOFTECH.CO.UK

Upload: henry-worth

Post on 12-Apr-2017


Don’t let cyberthieves in by the back door

Cyber attacks, including cyber crime, are on the increase and affect every area of life. Nowhere does this apply more than the Ministry of Defence, where my focus is on the defence supply chain and the Defence Cyber Protection Partnership (DCPP), a joint initiative between the MoD and the business community.

The greatest need is for training and awareness for all staff. A common route into a system is via a member of staff clicking on a phishing email. Attacks can be very sophisticated, for example, looking as if it’s a note from the boss. It is only via training that members of staff will understand how important these issues are and their role in helping prevent them.

Here at the MoD, the DCPP advocates a three stage approach, starting with a risk assessment that is carried out on every contract. In some cases there will be no risk; in others we measure risk in four levels rising from low to very high. We give the supplier an assurance questionnaire primarily based on self-assessment and the controls we apply are appropriate and proportionate. This is not a case where one size fits all.

One growing threat at the moment is the use of ransomware, when an e-criminal attacks and encrypts your information and only after you have paid up will they give you the key to unlock it. This has happened to a number of hospitals in the US, including one in LA which was attacked, had not backed up its files and had to pay a $17,000 ransom to get their information back.

All companies are potential targets for these and other attacks, while the adversaries come from a number of backgrounds; as well as e-criminals, attacks can come from bored teenagers seeing what they can get away with, hacktivists who might have political agendas they wish to further, cyber terrorists or foreign intelligence services.

Challenges arise because each group has a different approach. Hackers might be trying at random to see what targets they are able to breach, without any specific organisation in mind, much as a car thief might stroll around a car park, trying car doors until they find one that is unlocked. If a company has basic cyber security protection in place, most easily achieved through the government’s Cyber Essentials Scheme, such attackers will likely be thwarted and go off to find easier targets. Other attackers may be more targeted and persistent.

Suppliers need to be mindful of the scale of the risks they face. Last year 90 per cent of large organisations surveyed reported that they had suffered a security breach and the costs can be significant, rising into seven figures. They can also be attacked more strategically than before: there is a growing awareness that companies don’t operate in isolation and that they can be vulnerable to attack via their supply chain. This happened to the Target supermarket chain in the US, when they were attacked via their heating, ventilation and air conditioning company. This turned into a significant breach which compromised the details of 61 million customers. All of which means it has never been more important to have the appropriate controls in place and a workforce who are trained and aware.


Project Manager: Henry Worth. Content and Production Manager: Henrietta Hunter. Business Developer: Rebecca Nicholson. Designer: Juraj Príkopa. Managing Director: Carl Soderblom. Mediaplanet contact information: Phone: +44 (0) 203 642 0737.


Dan Selman, Cyber Industry Deputy Head, Ministry of Defence


COMMERCIAL FEATURE

When trusted insiders are your biggest security threat

By Steve Durbin

The modern professional life requires organisations to review not only the threat of malicious outsiders, but of negligent insiders too.

Most high-profile attacks on corporate data centers and institutional networks have originated outside of the victimised organisations. But the network openings that allow outside cyber-attackers to burrow in, infect databases and potentially take down an organisation’s file servers, overwhelmingly originate with trusted insiders.

According to a worldwide survey of Information Security Forum (ISF) members, the vast majority of those network openings were created innocently through accidental or inadvertent behaviour by insiders without any intention of harming their employer. In a number of cases, that vulnerability was, ironically, the result of a trusted employee doing a seemingly run-of-the-mill task like taking files home to work on in their own spare time.

There are three types of risky insider behaviour.

Malicious: Malicious insider behaviour combines a motive to harm with a decision to act inappropriately.

Negligent: Negligent behaviour can occur when people look for ways to avoid policies they feel impede their work.

Accidental: ISF members report that completely inadvertent breaches are more common than malicious ones.

Combatting the wholesale theft of data by limiting the types of inadvertent actions which could lead to its misappropriation should be a priority for every organisation. Investment in technologies that can help to prevent intrusions and protect data from attackers is essential. Management controls including segregation of duties, periodic reassessment of privileges, and audits, are also important.

But the most fundamental element of threat is deeply human. It starts with the proper vetting of employees to look for signs that the individual has not, in the past, been a responsible steward of information entrusted to them. Applicants whose pasts have included questions over managing information should not be brought onboard.

The trust factor

Cultivating a culture of trust is likely to be the single most valuable management step in safeguarding an organisation’s information assets. After new employees have been satisfactorily screened, continue the trust-building process through onboarding by equipping them with the knowledge and skills required of trusted insiders. Expectations of trustworthy behaviour should be made explicit from the outset.

Above all, a culture of trust built on shared values, ethical behaviour and truth begins at the top. The conduct of senior management sets a tone which reverberates from the C-suite to the shop floor. Having a culture of trust affects more than just information security; it is also fundamental to the organisation’s prospects for future success.

Steve Durbin, Managing Director, Information Security Forum

COMMERCIAL FEATURE

Data driven security: Machine data is the first line of defence

By Virginia Blackburn

One of the major business trends from the past decade is the growing digitalisation of customer interactions. With all industries looking at ways to take a more digital and integrated approach to how they work, there is a significant opportunity to improve customer services. At the same time, digitalisation presents a challenge as it opens up an organisation to a more diverse and threatening set of risks.

Matthias Maier is a security specialist at Splunk, a platform for Operational Intelligence that helps customers to monitor, analyse and visualise machine-generated big data. “Fundamentally, everything that is digital can be exposed by cyber criminals, cyber terrorists or malicious insiders. If we look at an emerging example, the majority of the healthcare industry was not connected to the network 10 years ago, but now you can turn devices on and off remotely. Being able to do this has advantages, but it also represents a real opportunity for those with malicious intent to steal data or cause damage.”

In an environment of advanced threats, changing business demands and extensive technology infrastructure, a traditional perimeter focused approach to IT security is no longer effective. Maier believes that a totally new approach to cybersecurity is required. “Organisations need to adopt a data driven approach to cyber security if they are to stay ahead of external attacks, malicious insiders and potential fraud.”

The evidence of an attack exists in machine data within an organisation, so security teams need to gain insight from that data to properly detect, analyse and respond. Attackers will attempt to use all possible mechanisms to compromise an organisation, which may involve use of identity, endpoints, servers, business apps, web and email servers, as well as non-traditional systems such as HVAC access control. The evidence of these activities is captured in the machine data from these systems, which makes all data security relevant.

“By continuously monitoring this data across your entire infrastructure you can detect malicious activity as early as possible,” says Maier. “This could involve spotting anomalies, recognising unusual activity or identifying indicators of compromised systems. As soon as you identify an issue you can determine the scope and impact of a threat before understanding who is affected, what to do about it and how to ensure it doesn’t happen again. If you aren’t able to see what’s happening within your security and IT environment, you can’t protect yourself.”

Organisations like UniCredit and John Lewis have adopted Splunk to get answers out of machine and digital services generated data. “For these organisations it’s critical that in a dynamic digital landscape they can apply big data technology to quickly get answers to their questions in near real time,” says Maier. “This means they can react as soon as they detect anything that might give them – or their customers – cause for concern.” With the threat landscape continuing to evolve, it’s clear that machine data will take its place as the first line of defence for organisations in all industries.

Matthias Maier, Security specialist, Splunk


COLUMN

The urgent need to combat the skills shortage

By Virginia Blackburn

One of the biggest issues facing the cyber security industry today is the skills shortage. Although the need to be cyber-safe has never been greater, there is still a lack of people with the necessary expertise, something the industry recognises and is keen to tackle.

“There will always be an asymmetry between the attackers’ capability and the defenders’, as in order to protect a system you need to cover all the vulnerabilities, all of the time,” says Piers Wilson, director of IISP, the professional body for security professionals. “But budgets are finite; whereas to mount a successful attack you only have to find one exposed weakness and you can be as patient and spend as much effort as you feel is worthwhile.”

Education is key both with academia and universities as well as within industry itself. This means keeping board members up to scratch as well as providing constant retraining for IT staff – because technology and potential threats are changing all the time.

There are various options open for cyber training. “They range from formal courses comprising quick overviews to specific courses, to product and technology courses to full-time MSc programmes,” says Wilson. “It’s also an industry that generates a huge amount of research and white paper material – so training aside there is no shortage of materials available for self-learning too. Which of those fits a particular organisational or individual need is a matter for debate. At the IISP we have been active in setting standards and running a training course accreditation and assessment programme. This way people can select courses that we can vouch for and also find out which topic areas will be covered.”

The steady march of technology means that in IT everyone is always learning - 10 years ago the technologies and hence the attack vectors were different but now there are superior platforms, security controls and working knowledge of facilities. “Some areas can afford to take a more considered path: developers, for example might only migrate from one language to the next one once they feel they have understood it,” says Wilson. “On the other hand if a new security threat arises tomorrow, the cyber security industry is immediately playing catch-up to understand it and be able to detect and respond.”

The challenges are not set to go away. “There are some developments around machine learning and anomaly detection where smart technologies can identify and diagnose threats and the logical next step for this is to see what systems can do to automate responses in a confident and safe way,” says Wilson. “They are making security more efficient by removing the noise, distilling down the data to make decisions and enabling swift action that is consistent, repeatable and allows the business to react more quickly. This frees up time for other activities that improve security, like hunting for threats that are not yet apparent, improving the overall security posture and training and development.”


Piers Wilson, Director, IISP

NEWS

Beware of the human factor

In this age of short term contracts allied to new working practices including the cloud, mobile and flexible working hours, one of the biggest issues in the cyber security sector is managing employee identity. “When an individual joins an organisation, it usually marks a fusion of IT and human resources,” says Waqas Hashemi, CEO of Whitehall Media, which runs a suite of conferences around security and risk management as well as identity and access management. “Emerging trends in the workplace are proving disruptive and are causing problems with integrating access to the new technology.”

The biggest problem of all when it comes to managing employee identity is not malicious intent but negligence and the human factor, according to Rehman. “Password management is also difficult,” she adds. “People still don’t use ones with sufficient complexity.”

Waqas Hashemi, CEO, Whitehall Media

“To mount a successful cyber attack you only have to find one weakness”


The evolving professionalism of the cyber security industry

By Jon Buttriss

There is an ever-growing awareness of cyber security threats, with almost daily coverage in the media. Even large organisations, with top talent and significant resources devoted to cyber-security, have suffered major breaches. The truism “it’s not if, but when” rings in the ears of business leaders and reinforces the need for skilled security professionals to mitigate against the threat. The truth is every organisation is vulnerable, and 100 per cent defence is not possible.

Having identified cyber security as a national priority, in 2015 the UK Government announced an increase in cyber security spending to £1.9bn by 2020 – the only area of the budget to increase. This is reflected in business, with average salaries for security professionals increasing 16 per cent year on year.

The reason for the increased investment is simple; the cost of an attack far outstrips the ongoing cost of security. The ICO has handed out fines as high as £980,000 – which is still less damaging than the customer loss and reputational damage that result from a breach.

But despite increasing budget to counter the cyber threat, businesses are still struggling to recruit the skills they need to keep up. Unemployment in the security industry has been reported at 0 per cent, with a 10 per cent increase in demand forecast each year to 2020. So how can we deliver the skills needed to address the current shortfall and also meet the growing demand?

This is a question being asked by government, organisations and professionals. It is the reason for the intensifying chatter surrounding professionalisation of the cyber security industry.

Professionalisation addresses this burning issue by establishing a standard that enhances the quality of the workforce. By understanding, aligning and cultivating the most needed skills, the profession can raise the bar in the areas that will have the most value. This also establishes standardised roles and skills clusters. Businesses have a shared vocabulary to describe the skills they need that are recognised by potential applicants. New entrants are clearer on the skills they need and mindful of the need to continually self-develop. Structure, clarity and recognition make security a more attractive career path, which in turn encourages new entrants and grows the talent pool. This is perhaps the most critical of all – considering the evident need to step-change the number of workers in the field.

It is not always easy for professionals and potential entrants to navigate the skills and competencies required at each stage of their careers. Employers are not always clear themselves on this so the demand cited in job advertisements is not necessarily an accurate reflection of what is needed. This is where recognised skills frameworks developed by professional bodies come in. And from this standardisation and definition comes the ability to cultivate the skills on a greater scale.

For professionals wanting to demonstrate their capabilities against these frameworks, certification offers verification of their proficiency, clear stepping stones for development and improved employment and earning prospects. For employers, certification helps to assure the calibre of the professionals they are recruiting, provided this is backed up by demonstrable experience. It signifies that potential employees have been independently assessed, aiding employers in recruiting relevant skills into their organisations.

As well as being a mark of technical capability, certification also comes packaged with membership to a professional body such as BCS, The Chartered Institute for IT. These memberships demonstrate a commitment to self-development and require adherence to codes of professional conduct.

The combination of skills alignment, certification and continuous development comes together, in the form of professionalisation, to promote standards and quality amongst cyber security professionals. There is little doubt that businesses need quality security professionals, and in greater numbers. Cyber security is not a challenge that we will solve overnight, or with any one solution. Neither does it have an end date; we will have to continually assess the threat and work together to evolve best practice to stay ahead.

“The cost of an attack far outstrips the ongoing cost of security”

Jon Buttriss, CEO, BCS Learning and Development

FACTS

ABOUT BCS, THE CHARTERED INSTITUTE FOR IT

IT has been gaining momentum within global business for decades and we’ve been there from the beginning, nurturing talent and shaping the profession. Today professionals & organisations work with us to exploit our unique insight and independent experience as we continue to set the standards of performance and professionalism in the industry.


NEWS

Fighting cyber threats is essential for SMEs to win the war with cyber breaches

By Virginia Blackburn

Cyber crime is on the rise but there are many ways to fight it. From addressing the problems at board level to making sure staff are properly trained, SMEs cannot guarantee they won’t be attacked, but they can make extensive preparations in advance.

As the world becomes increasingly interconnected, cyber crime is a problem as never before. It is now a case of not if but when most companies get attacked and this is especially the case in this country, with the UK as the most cyber-attacked country in Europe and the second most assailed in the world, with attacks up 40 per cent, according to Symantec. Companies are at least aware of the problem, with research by Equinix showing that seven out of 10 companies in the UK do not feel prepared for cyber-attacks. So what to do?

Talal Rajab is Programme Manager – Cyber, National Security and Criminal Justice at techUK. “Regardless of how much money is spent on products and services, attacks and threats are inevitable,” he says. “These days tools to launch such an attack can be bought very cheaply on the dark web, as in the Talk Talk crisis, where it is widely believed the perpetrators were not much more than children. But at least these attacks are increasing public awareness of the problem, as did the assaults on Sony and Ashley Madison. However, although we can trace the region these come from, it is difficult to track down the actors.”

One problem is that SMEs are often targeted because they are less likely to have basic security measures in place and a further issue is that many who do not offer online payments think they are safe. They are not. “Any company that has data on its system is threatened,” says Talal. “The first step in dealing with this is to make sure that cyber security is on the boardroom agenda. Many breaches stem from the fact that staff are not aware of best practice which means that training and awareness are crucial. Many are not even aware of the most basic password security and the constant importance of updating systems and ensuring companies are not left with legacy software.” Checks that should be standard across every company include strong passwords, the regular updating of software and regular back-ups, whether the company is a multi-national conglomerate or a one-man band.

Many companies are at least waking up to the fact that this is no longer just an IT problem. “Traditionally it was the case that responsibility for security lay solely with IT,” says Talal. “And until recently, the IT person was essentially the chief security officer but now increasing numbers are appointing dedicated CSOs. They are also sending far more people on security courses.”

And so once an attack begins, how should a company respond? It is essential to plan ahead, and have the right staff and skills in place. “Be cyber streetwise,” says Talal. “Don’t continue using the system. Notify the authorities. Get any forensic evidence you can such as screen shots. Use back-ups.”

Given that an attack is almost inevitable, Talal stresses that it is as important for a company to be able to respond to a breach as it is to erect defences against it. “There is not just one way to respond across the board,” he says. “For example, Talk Talk notified customers as to what was going on but that didn’t actually help as other opportunistic hackers saw this as an opportunity to make phishing attempts. The way to react depends on what type of organisation you are. You should always notify the authorities, which many companies still don’t do and it’s safer not to always use the same email template.”

This is not a problem that is going to go away any time soon and so the cyber security industry continues to work overtime to find, if not a solution, then at least the heavy weaponry required to fight back. “One new trend is the increased use of data security analytics,” says Talal. “Companies are analysing information that comes in on a daily basis to foresee where the threat will come from next. And there will be further threats. As increasing numbers of devices are interconnected and smart cities continue to expand across the world, ever increasing numbers of hackers will come after everyone. This goes down to individuals not companies: make sure in all your wearable devices that security is built in by design.”

“The UK is the most cyber-attacked country in Europe and the second most assailed in the world”

Talal Rajab, Programme Manager – Cyber, National Security and Criminal Justice, techUK

INFOGRAPHIC

According to the 2014-2015 Cyber Governance Health Check of FTSE 350 companies:

88 % of companies now actively consider cyber security as a business risk

59 % have a basic or clear understanding of where their critical information and data sets are shared with third parties

The Winter 2015 FT-ICSA Boardroom Bellwether Survey found that 82 % regard the threat of cyber-attack to be increasing

The UK’s domestic cyber security sector contributes over £17 billion to the economy

The National Cyber Crime Unit (NCCU) is leading 170 domestic and international operations to disrupt serious cyber crime

The Metropolitan Police set up a Fraud and Crime Online (FALCON) team in 2014, which brings together their specialist cyber crime investigators to pursue and disrupt cyber criminals.

The work of the FALCON team has resulted in 985 arrests, 431 people charged, 241 convicted and £3.1 million confiscated.

Tackling online fraud is a top priority. During 2012, HMRC took down almost 1000 fraudulent websites. During 2015, that figure rose to more than 11,000. HMRC established a cyber security team in 2012.

During 2014-2015, the team assisted in the prevention of frauds totalling more than £103 million


COMMERCIAL FEATURE

New EU regulation highlights the risks of cybercrime

By Virginia Blackburn

The rise of cybercrime is now one of the biggest issues affecting many businesses and the EU regulators have now taken actions to try to get the business community to act to protect itself.

Under the forthcoming EU General Data Protection Regulation (GDPR), which comes into force in 2018, all organisations will have to inform their customers when a serious data breach occurs and recommend ways in which any adverse effects could be mitigated, unless the data breach is unlikely to result in a high privacy risk for an individual or the data was appropriately encrypted. Those that fail to do so could be fined up to four per cent of their global turnover. So what are the issues facing the industry and how can businesses work to overcome them?

The first step is to understand who the potential hackers are. “They are quite wide ranging,” says John Cannon, commercial director – Fraud and ID of Callcredit Information Group. “From organised criminal gangs who are motivated by fraud, to terrorist groups and corporate and rogue state sponsored espionage with malicious intent. But the threat isn’t just from organised groups: hackers have all kinds of motives and could just be an individual flexing his/her intellectual muscles showing off to peers simply because they can.”

There are a number of security risks facing businesses today. “Many more of us are interacting digitally and data is increasingly important, meaning where and how it’s stored,” says Cannon. “Businesses that are migrating from their traditional model into digital channels are potentially not as well geared up to the threat.” They are having to accept the idea, he says, that there are threats posed both externally and internally, such as from rogue employees.

As a result of all of this, however, companies are becoming increasingly aware of the potential dangers and many are taking action to try to alleviate the risks. “This is becoming increasingly high on the agenda at board level,” says Cannon. “Recent data breaches have clearly shown the financial and reputational impact to businesses and those not giving it focus risk being caught out by the introduction of the new GDPR.”

These are issues individuals must be aware of, too. There is a misconception that if hackers don’t manage to get hold of PINs and full card details then there is nothing to worry about. That is not the case. “We are seeing the rise of ‘social engineering’ techniques,” says Cannon. “This means that even if hackers exposed a low level of information, it could be used to gather the data they really want. These days, most of us are clued up enough to know that if we get a phone call out of the blue asking for our bank details, then we shouldn’t hand them over. But if you were contacted by an organisation you hold an account with and they quoted that account number, you may be more likely to be tricked into handing over more sensitive information...”

The new EU regulations are forcing companies to take cyber risk and data breaches a lot more seriously and to implement measures to guard against attack. “The first step is to make sure someone in the company is empowered to implement the relevant processes,” says Cannon. “Then start thinking about a plan. Come up with the worst case scenarios, think about what data you hold and what is important to the business. Play through the various scenarios and see what you can do to increase your protection and what to do afterwards. Think about what you need to implement to recover from an attack and make sure employees are trained to understand what a breach looks like.”

If a company is attacked, there are two steps it must take. “First, establish and understand as much as you can about what’s happening,” says Cannon. “IT security must understand exactly what’s going on. Then execute the plan you have put in place. If you can establish where the attack is coming from you may, say, be able to make changes to your firewall. Or in extreme cases you may need to consider taking your system offline. Secondly, communication is key as everyone should be aware of what is happening both internally and externally.”

Of course, after a data breach it is crucial for businesses to reassure their customers that the problem has been dealt with: damage to their corporate or brand reputation could prove a disaster in the longer run. “You should consider what has happened and give your customers the absolute confidence that you have done everything to mitigate the breach happening again in the future,” says Cannon. “Customers will understandably worry about their personal details being exposed and through education are becoming increasingly aware of the value of their personal data. Media stories highlighting anonymous forums used by fraudsters on the dark web are adding to their concern so you should proactively consider having a data breach response. For example, Noddle Protect enables businesses to put in place a fast and effective remediation plan to safeguard consumers who may have had their personal data compromised following a data breach. The service can be available to consumers within 48 hours of a breach occurring and consumers who sign up to the service can use it to help identify and respond to fraudulent activity, checking whether their credit profile is being damaged by criminals. Noddle Protect allows consumers to review their credit report for free and helps them to look out for people applying for credit in their name or using their details fraudulently, giving them peace of mind and ensuring they continue to trust in your brand.”

The increase in data breaches in recent years coincides with the increase in consumers making use of digital channels due to the convenience they offer. The value of your personal data to fraudsters is increasing as it is their way to gain access to your digital accounts. Your data is their means to an end. “I often compare it to car security,” says Cannon. “In the past, if someone wanted to steal a car they would break into the car and hot-wire it to drive away. As a result, car manufacturers have increased their security meaning it is now much harder. The approach of a car thief has shifted to stealing the car keys by breaking into your house. It’s similar in the digital world, as organisations increase security around services they offer through digital channels, fraudsters see your data as the key to unlocking your digital accounts using techniques such as identity fraud and account takeover being able to bypass security.” In other words, while the benefits of life online are enormous, so are the risks and companies and individuals alike must take measures to protect themselves against the threat of cyber-crime.

John Cannon, Commercial director – Fraud and ID, Callcredit Information Group


Integral to ‘making the UK a secure place to do business’ has been the call for industry to openly collaborate with each other in order to overcome the Cyber Threat. However, many organisations still seem to need to be convinced, despite losses being reported on an almost daily basis. A recent survey revealed that 68% of CEOs are reluctant to share security incidents externally, for fear that publicly admitting a breach could have irreparable damage on the brand, reputation and share price of their business. Templar Executives’ CEO, Andrew Fitzmaurice, believes however that the current Cyber Security market is perpetuating a climate of ‘Project Cyber Fear’ which generates two behaviours with the same outcome: a belief that stories are just scaremongering to promote sales and secondly, fear to discuss issues at all.

“Business leaders are becoming apathetic to these scare stories and are asking us what we can do about it”, Fitzmaurice says. “We are changing the narrative from a glass half empty to a glass half full by promoting ‘Project Cyber Business’. Cyber Security needs to be owned by the business, and addressed holistically within the organisation”.

As a leadership issue, the C-suite need to lead their organisations by adopting ‘Project Cyber Business’ to deliver business excellence. Organisations who align Cyber Security best practice to business objectives by investing in proportionate controls, are optimising their businesses with better Cyber maturity. The benefits include gaining competitive advantage, winning new business contracts, as well as enhancing reputation and shareholder confidence. Fitzmaurice explains, “Templar has engaged continuously over the past 5 years with a client to develop and sustain their Cyber maturity and resilience, and as a result this client has won over £7.2 billion worth of new business”. As a direct impact of ‘Project Cyber Business’, businesses are seeing an increased return on their investment, as well as a rise in brand value and share price. The results speak for themselves.

To optimise your business and join the success story, contact Templar Executives at

Turning a cyber half glass empty into a half glass full – A Call to Action

[email protected]

The pace of change has accelerated exponentially since then and will only continue to quicken. Technology is a huge force for good, an opportunity from which we can all benefit. In 2010, the Internet of Things was still in its infancy; in 2016, over six billion connected devices will be in use worldwide, enabling people to connect with people and governments and businesses to deliver better services. By 2020, that number is set to rise to over 20 billion.

The 2010 National Security Strategy identified cyber as one of the top threats to the UK. In response, the Government has invested £860 million since 2011 in a National Cyber Security Programme to:

• Tackle cyber-crime and make the UK one of the most secure places in the world to do business in cyberspace.
• Make the UK more resilient to cyber-attack and better able to protect our interests in cyberspace.
• Help shape an open, vibrant and stable cyberspace that supports open societies; and
• Build the UK’s cyber security knowledge, skills and capabilities.

We have made tangible progress against these vital objectives. In collaboration with our industry, academic and international partners, we have laid solid foundations for the future.

We have significantly enhanced our national capabilities and technologies to defend ourselves against those who would do us harm. We have a national approach to incident response and secure information sharing on threats, through CERT-UK and the Cyber Security Information Sharing Partnership it hosts.

Businesses of all sectors and sizes now have unprecedented levels of expert guidance and training available to help them manage their cyber risks. Government digital services are more secure than ever, and we are building in security by design and taking robust action against attempts at online fraud.

Through this, the UK is helping shape the international debate on the future of cyberspace. UK cyber security companies now have an increased market share internationally. And we are on a longer-term mission to ensure the UK has the right cyber skills and knowledge, with interventions at every level of the education system and cutting-edge research in cyber security.

But there is more to do. The 2015 National Security Strategy confirmed that cyber remains a top level threat to the UK’s economic and national security. That threat is increasing in scale and complexity. It is also increasing at such a pace that we must run simply to stand still. The increased inter-connectedness of our everyday lives means that the range of targets is broader and the task of protecting them harder.

Five years is a long time in cyberspace. When we published the UK’s first Cyber Security Strategy, digital technology was already having a transformational impact on how we consume, share and save information

The next steps towards cyber security

By the Rt Hon Matthew Hancock MP

INSPIRATION


We must build the UK’s cyber security knowledge, skills and capabilities to become more resilient to cyber-attack


So we have announced that we will substantially increase our investment to £1.9 billion in protecting the UK from cyber-attack and developing our sovereign capabilities in cyberspace. Our new Programme, led by a new National Cyber Security Centre, will mark a re-doubling of our efforts to tackle the cyber threat. But we cannot do this alone.

Everyone has a role to play in keeping our society safe. Continued, sustained and close collaboration between government, industry, academic and international partners is vital and we must accept our individual and collective responsibilities.

2016 will see the launch of the UK’s second National Cyber Security Strategy. This will define our vision and ambition for the next five years. While we know the scale of the task ahead, we also know we are building on a good platform. This report highlights the current Programme’s achievements over the past year and the wider impact of the Programme since its inception. We should be proud of the foundations we have jointly laid through our first National Cyber Security Programme. They have positioned us well for the future.

“We are on a long-term mission to ensure the UK has the right cyber skills and knowledge”


Mind The Gap: Empower a Common Risk Conversation

COLUMN

Commuters throughout London encounter a simple message about risk every day. As one boards the rail or tube, Transport for London will advise them to “Mind the Gap”. The phrase serves as a simple and effective message to mitigate the risk of someone being injured. Next time the words are heard, consider a different gap - the gap that exists between strategies organisations use to manage their business and cyber risk.

Today, we are more reliant on technology than ever before. With exposure from cyber threats constantly escalating, organisations are struggling to explain security in terms the business can understand. To be successful in today’s digital world and address advanced threats, companies must have a converged view of business and cyber risk. Organisations need to be able to determine what level of appetite they have for security risks. Business decisions must carefully consider the impact cyber has on the overall strategy and risk posture. Organisations need to approach this in three ways. Every employee should be engaged in actively managing risk. Security practitioners need to partner with and provide meaningful insight that resonates with the business. The business and security teams need to align taxonomies that enable a common conversation.

To learn more about empowering a common risk conversation, new approaches to visibility, analysis, and action, and managing identities, attend the RSA London Summit on April 27th. Until then, please continue to “Mind the Gap” to prevent personal injury and to protect the business.

Genaro Scalo
GRC Senior Manager, Europe, Middle East and Africa, RSA

Extract from the UK Cyber Security Strategy 2011-2016 Annual Report


How to block the fraudsters

SUPPORTING EVENT

Along with the explosion in ecommerce there has been an explosion in efraud, with the industry urgently having to come up with a raft of new initiatives and strategies to keep ahead of the game. Social media doesn’t help: it has been making it easier for criminals to gather a lot of personal information about specific individuals and clone their identities. But the cyber security industry is fighting back, with a series of initiatives designed to protect digital payments from becoming a way of committing fraud or identity theft.

Zehra Chudry is the Head of Content for Payments World Series – who will be running PayExpo Europe in London this June. “So much information is online now that there has been a lot of cloning of identities,” she says. “Companies can get you online to say who you are but to date there have been limited ways of tracing back to make sure they are dealing with the real person, but that could be about to change. There are two major areas the industry is looking into. The first concerns online identity and there are a number of start-ups which are beginning to check information people supply on, say, Facebook, LinkedIn and Twitter to make sure it comes from the same person and thus verifies an individual’s identity to make sure it hasn’t been cloned. It allows companies to ask about people’s friends and updates to authenticate yourself online.”

The other major initiative concerns the problems caused by transferring information such as card details and addresses online. “Increasingly businesses are using a technology called blockchain, which encrypts information in such a way that only the receiving end will be able to see it and this is particularly useful for, say, money transfers,” says Chudry. “But there is a question about capacity. The reality at the moment is that how to integrate this into a business has not yet been clearly defined.”

But there is a great deal more to come. The battle to combat online fraud now encompasses robotics and artificial intelligence, with machines using algorithms to look at consumer patterns and spot changes in behaviour while elsewhere the industry is examining the viability of establishing a single set of cyber-crime standards. “Every country currently has its own values of what constitutes acceptable risk,” says Chudry. “So what we are asking is, ‘Is this achievable? Is it the way to look forward?’ Although it can feel like a battle just to keep your head above water in the fight against cybercrime as it becomes more intelligent, tech and software providers are also evolving faster than ever.”

Zehra Chudry
Head of Content, Payments World Series

Cybervillains are everywhere. Companies and individuals alike must stay alert

Cybercrime is a major issue these days: Google and McAfee estimate there are 2,000 cyberattacks every day costing the global economy about £300 billion a year.

The problem cannot be overestimated and is becoming increasingly widespread. “We’ve been providing data security standards since we launched in 2006 to keep track of payment card data online,” says Jeremy King, International Director of the PCI Security Standards Council, which was formed as a global body to tackle payment security issues that surround the area of cybercrime. “We are dealing with globally organised criminal gangs operating on a massive scale. Thieves are trying to steal any data they can, governments are looking to see what can be done to tackle the problem and over one billion records are stolen every year. At the annual Infosec security event it was reported that 90 per cent of large organisations suffered at least one security breach and on average they reported 14 security breaches a year.”

Many organisations, unfortunately, have been in denial about the scale of the problem, especially those which are not actually involved in sales, King believes. However, boards are beginning to take it more seriously, accepting that this is not just an IT threat and are gradually becoming aware that there are four major types of cyber threat, starting with compromised credentials. “The main aim when protecting cardholder data is that you don’t store it if you don’t need to but if you do keep it then encrypt it,” says King.

Another type of attack involves ransomware. “The criminals insert malware, encrypt everything and then, for example, say, give us a certain amount in bitcoins and we’ll unlock your information,” says King. “Some US hospitals have been the victim of that. Or there can be a denial of services attack where so many requests are put into a system at once it can’t cope and runs slowly or shuts down. These types of attacks can have a massive impact: for example, if betting firms were targeted during the Grand National.”

Cybercriminals also use spyware and keyloggers to get into a system and the most common way here is via a phishing attack. Some of these are obvious; some, say, in the form of requests for bill payments, are a lot less so. Keyloggers, meanwhile, log every key stroke, thus revealing valuable credit card information and have in the past come to light when companies have spotted cleaners behaving suspiciously. Training staff is more crucial than ever. “Some companies have asked for a friendly phishing attack in order to test staff awareness and something like 25 per cent of employees fail,” King continues. “When that happens, typically a notice will pop up on screen saying, ‘You’ve failed, apply to personnel for further training.’ But it’s worse at board level where 33 per cent fail.”

Another issue stems from the fact that an increasing number of domestic appliances such as fridges and kettles are now connected to the internet, but while this may be convenient for the householder, white goods manufacturers do not understand security and risk broadcasting wifi security details everywhere.

Small merchants, too, have problems, with 1.3 million in the UK not having any IT services department. The Government is trying to address this, publishing 10 Steps to Cyber Security, using deliberately non-technical language to help. At PCI we have had a task force developing our own guide; this will be released in June.

Another growth area is Card Not Present – CNP – fraud, which PWC predicts will grow from $2.9 billion in 2014 to $6.4 billion in 2019. “The UK Cards Association monitors and reports fraud figures and has seen a 26 per cent increase across all fraud, with the majority in CNP via internet purchases,” says King. The European Central Bank is taking action: it is introducing further requirements on businesses and there will be hefty fines imposed if they don’t protect their customers’ data properly.

Adds King, “Improving security practices to identify and detect attacks quickly with the PCI Data Security Standard, and establishing an incidence response plan need to be top priorities for organisations in 2016.”

By Jeremy King

INSPIRATION

Jeremy King
International Director, PCI Security Standards Council