Security Newsletter

In this edition we find Gartner’s latest cyber-security awareness-building idea, the Centre for Internet Security’s top three ‘threat’ trends for 2019, Cambridge Analytica’s latest woes at the hands of the ICO, how even a small pottery businesses is falling foul of cyber crime and more …

Cyber Security Trends for 2019 – What to Look Out For?

A New Year means a new round of ‘trends’ for the upcoming year from tech sector pundits. However, in the cyber-security field, these trends could help change the way you protect your IT infrastructure and business. Let’s find out what awaits cyber-security professionals in 2019:

Start ‘beefing up’ your Internet of Things Security – The Mirani botnet attack on IoT devices showcased how a simple bit of computer code could cause lasting damage to the brands and technology that have underpinned the IoT revolution. This bug made speakers and cameras remain live – for the purposes of unscrupulous cyber-activities – without the users’ own consent or permission. Kaspersky, the tech security firm, argues that the “unstoppable” pace in the sector requires IT security bosses to put IoT at the heart of their 2019 cyber security plans.

The Centre for Internet Security argues that these three tends will be huge in 2019:

  • Privacy transparency with profound enforcement from regulators. Last year saw Starwood hotels, British Airways and high street banks fall victim to cyber-criminals yet most of these attacks resulted from human error and a breach of regulations leading to financial fines from government regulators. The GDPR is now in full steam and the ICO is beginning to clamp down hard on companies who aren’t GDPR ready.
  • More companies need to undertake Security Assessment Plans. As cyber-warfare and cyber-crime become household terms and as smaller companies are hit by malicious cyber-criminals, more and more businesses will need to strategise ways of countering cyber-criminality through audit reporting, security assessment and cyber security plans.
  • “Blurred Lines” when more businesses move to the cloud, with increases in remote working and legacy computer networks. This is about understanding cyber-security when the data your business depends upon moves outside of your traditional legacy network into the cloud or virtually. Being responsible for data integrity against cyber-criminality requires fresh thinking from security strategists.

Gartner Calls of Businesses To Build a “Network of Champions To Increase Security Awareness”

Tech research giant, Gartner, has outlined a new approach to building awareness for good data security hygiene standards within business enterprises. Gartner argues that as companies expand, as cultural diversity increases and as business becomes more and more virtual and global, there is a need to help champion security through the deployment of “people power”.

Gartner believes this can help balance the constant struggle faced by IT bosses by promoting a “culture that is security-aware”. This can be achieved at near zero-cost by building a network of volunteers within the organisation who will go out and spread good practice within the wider workforce.

Gartner’s four step plan includes:

  1. “Make clear connections between the security champion program and business objectives to get executive support for the program. Resist using the “My program is the most critical investment you will make” approach. Rather, security leaders will have a much more persuadable audience if their program is a cornerstone of any effort intended to achieve business objectives.
  2. Build a network of champions that is inclusive of all roles and geographies across the enterprise. The right mix of representatives will come through manager nomination and volunteering. It is important to identify employees who have a solid understanding of how their respective communities work, and have the influence to be heard and drive change.
  3. Present the role of a champion as a developmental opportunity and integrate it into performance development plans. The champions should have a way to assess their performance, the contributions they are making to the team and the impact they are having on their community. Build in a recognition and reward system to drive interest and output.
  4. Allow champions to take creative liberties with the content to better suit their audiences. Package all materials into toolkits for consistency across the enterprise, but allow champions to tailor the content and the execution in their local markets.

Cambridge Analytica fined £15,000 by the ICO

The Information Commissioner’s Office has fined SCL Elections Ltd (Cambridge Analytica) £15,000 due to a failure surrounding the correct protocol for satisfactory subject access request notices. The company received a subject access request from US-based academic, Professor David Carroll, and when they failed to respond to the individual request the ICO issued an enforcement notice on SCL Elections Ltd.
SCL Elections Ltd was summoned to Hendon Magistrates’ Court and pleaded guilty – through the company’s official administrators – for the breach of the Data Protection Act of 1998. The criminal prosecution based on Professor Carroll’s failure to receive his subject access request in a timely manner resulted in the company being fined £15,000 plus an additional £6,000 in legal courts and a £160 victim surcharge.

The Head of the ICO, Elizabeth Denham, stated:

“This prosecution, the first against Cambridge Analytica, is a warning that there are consequences for ignoring the law.

Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply.

Organisations that handle personal data must respect people’s legal privacy rights. Where that does not happen and companies ignore ICO enforcement notices, we will take action.”

Pottery Firm targeted in “Potty” Cyber Attack

A Stoke-on-Trent pottery business, Steelite International, was blackmailed by Cyber-thieves when they managed to identify a vulnerability within their IT system and ‘locked out’ the company from their systems just before payday. The company was sent a message asking for 79 Bitcoins by the international cyber gang.
However, the cyber-attack failed to identify and freeze out access to the backup facilities employed by Steelite International. Their IT team managed to undertake a full backup and restore operation which resulted in the company reclaiming their IT systems from the criminals.

The company’s boss, Jon Cameron, stated:

“The hacker asked for 79 Bitcoins. One Bitcoin is worth around £2,500 so it wasn’t an unsubstantial amount. But we wouldn’t be held to ransom, we have not replied.

Thankfully, the hacker didn’t have chance to encrypt our back-up files, which meant that the IT team could restore function and prevent a potential catastrophe.

Though one of the files targeted was the payroll file, the IT team’s actions meant staff payments were not affected.
Panic mode did set in initially but thanks to the fantastic work of the IT team working through the night to build the server again, we made sure the hackers didn’t get what they wanted.”

As cyber-criminals target SME micro businesses in their ever-growing capacity to extort more and more vulnerabilities in networks for financial gain, there is a growing imperative for more businesses to focus on cyber-security. If you’d like to find out more about cyber-security and how you could improve your company’s cyber-security approach you can visit the Government’s Cyber Aware website to find out more.

Until next time …