CLOUD SECURITY If it’s good enough for the US Navy, it’s good enough for you (page 2)
GLOBAL FRAUD FEARS International cyber-gangs spark Bank of England probe (page 3)
SPOTLIGHT ON TEISS 2016 Cyber-crime high on our agenda, says Met Police at summit (page 5)
AWARD-WINNING BUSINESS JOURNALISM • MAY 2016
BUSINESS-REPORTER.CO.UK
Your cyber-security needs you: exclusive interview with Eugene Kaspersky
The campaigning billionaire
INSIDE
For our eyes only: the Inspector is pleased to hear GCHQ has taken to Twitter
DISTRIBUTED WITHIN THE SUNDAY TELEGRAPH, PRODUCED AND PUBLISHED BY LYONSDOWN WHICH TAKES SOLE RESPONSIBILITY FOR THE CONTENTS
R3: Resilience, Response & Recovery Summit 2016
Your roadmap to a robust incident response plan
Etc Venues St Paul’s, London, 27 September 2016
For more information, and to get involved, contact Tracey Meaneaux on 020 8349 6475 or tracey.m@businessreporter.co.uk
May 2016
AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH
2
business-reporter.co.uk
Business Reporter UK
@biznessreporter
If the cloud is good enough for the US Navy, it’s good enough for your company
OPENING SHOTS SHANE RICHMOND
“There has to be a culture change,” said Captain Arlene Gray, chief information officer of the US Navy, during a discussion on cloud security at the Akamai Government Forum in Washington DC, in April. She added: “We have to trust that industry is able to take care of that for us.” The security needs of the US Navy are likely to be pretty high, and yet here they are, ready to put their trust in cloud services to secure their data.

Does your business feel the same degree of confidence? Probably not, if a recent survey is to be believed. According to the 2016 Cloud Security Spotlight report, security concerns are hindering cloud adoption, with 53 per cent of the 2,200 professionals surveyed citing them as a barrier. More worrying for cloud providers is that this figure has increased from 45 per cent last year. In all, 91 per cent of organisations said they were concerned about cloud security. Admittedly, it would be a bold IT professional who said they weren’t particularly concerned about cloud security, but even so this is an overwhelming percentage.

The most common concern among respondents was unauthorised access to company data (53 per cent), followed by account hijacking (44 per cent), insecure interfaces or APIs (39 per cent) and external sharing of confidential data (33 per cent). It’s hard to dispute the logic of any of those concerns, except that they are all security threats that apply to on-premises data storage too.

There is a degree to which a small company looking after its own data might benefit from “security through obscurity”. After all, Amazon’s data centres are a much more visible and tempting target than you are. Except that, when the impossible happens and your company is targeted by hackers or suffers a breach due to employee error, you are probably less well placed to detect the breach, prevent it from getting worse and recover from it. The cloud giants, big targets that they are, simply have more practice.

Being a more tempting target for hackers puts pressure on you to keep your security systems up to date – and this, according to cloud firms, is where they have an advantage over on-premises options. Speaking at the Morgan Stanley technology conference in San Francisco in March, Aaron Levie, the chief executive of Box, said that many companies are at risk because of outdated security practices. “Many organisations are unable to keep up with the security requirements,” he said. “Their legacy technology is making them insecure.”

Could this be the reality? Keeping your data on site might feel more concrete and safe, but cloud storage is actually more secure. Having your data stored on servers you control, looked after by your staff and in a place where you can physically pop in and check on them is very reassuring. Yet it just might be inviting disaster if your defences fall behind the cutting edge.

That’s not to say that you should blindly entrust your data to the cloud. We need consistent standards so that companies know what they are getting from a cloud provider. Staff need to be trained on the client side so that they know what questions to ask and how to use the tools provided to monitor their data. But the reality is that cloud services are almost certainly safer than on-premises solutions, as even the US military is learning. If you’ve been holding back on cloud services for security reasons, then perhaps now is the right time to join the Navy.
International cyber-fraud sparks BoE crackdown JOANNE FREARSON
The Bank of England has ordered UK banks to update cyber-security measures after a cyber-gang stole $81 million from Bangladesh’s central bank earlier this year. Sources told news agency Reuters that the Bank of England is calling for banks to check they are complying with the security practices recommended by SWIFT, as well as undertake a review of computer logs linked to the attacks. This is believed to be the first case where a major central bank has ordered its member banks to undergo a security review following a cyber-breach. The central bank has yet to comment on the matter.

Last February hackers tried to steal the money from the central bank of Bangladesh via instructions issued by the SWIFT network. The cyber-criminals set up five transactions worth $101 million to be withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York. Initially, the hackers sent $20 million to Sri Lanka and $81 million to the Philippines. The Sri Lanka transfer was seized before it completed, while authorities are still trying to recover the monies sent to the Philippines. The Federal Reserve Bank of New York blocked another 30 transactions amounting to $850 million at the request of the Bangladesh Bank.

Neil Greathead, vice president and chief customer officer of EMEA at BMC Software, says: “The Bank of England’s call to action is a reminder that British businesses can no longer afford to be complacent in the face of mounting cyber-security threats.

“As companies continue to embrace digital transformation initiatives, hackers will increase attacks to steal confidential data. That’s why it’s critical that banks and organisations in the financial services space increase information security procedures for the long term.”

Best practices will also be shared on fraud detection as well as enhanced support by third-party providers. Gottfried Leibbrandt, SWIFT CEO, says: “While each individual SWIFT customer is responsible for the security of its own environment, the security of global banking can only be ensured collectively.

“It requires a collaborative approach between SWIFT, its customers, overseers, and third-party suppliers. SWIFT is fully committed to leading the community effort required to keep global banking safe and deploying its expertise to help customers in the fight against cyber-attacks.”

Bangladesh ambassador to the Philippines John Gomes, left, greets reporters after a fraction of an $81 billion cyber-heist, laundered in Manila casinos, was recovered

TEISS recognised as top information security brand
The European Information Security Summit (TEISS) has been recognised as one of the top information security brands in the world. In a list compiled by Onalytica, TEISS was ranked as the 22nd biggest cyber-security influencer on Twitter. Anti-virus provider Kaspersky Lab was the top-ranked brand in the analysis of security Twitter accounts, followed by Digital Forensics and Tripwire. “This is fantastic news,” said Bradley Scheffer, managing director at Lyonsdown, which runs the TEISS conference. “It is a privilege to be among such great brands. This is incredibly encouraging and spurs us on to be the number one most influential brand among the great companies in this sector.” • For our report on TEISS 2016 see page 5

MAY 2016 Publisher Bradley Scheffer Editor Daniel Evans Production editor Dan Geary Client manager Michele Taylor: production@business-reporter.co.uk Project managers Marc Morrow, Grant Scheffer Contact us: info@lyonsdown.co.uk
The future is hybrid, says strategist
Hybrid cloud is set to become the primary means of computing as more and more companies use it to develop new products and services for their customers. Kevin Bocek, chief security strategist at Venafi, says: “Hybrid cloud has been attractive because it allows us to extend business operations fast. Chief information officers want speed and elasticity.

“They want to be able to innovate quickly. They want their teams to have the ability to take advantage of the latest features and capabilities.”

What is attractive about hybrid cloud is that it gives companies control over what they want to keep private and what they want to keep public, says Bocek. “It is a way of managing risk. From a risk perspective it gives them a much better idea of what is friend or foe.

“Businesses can go from something that is public and running in the cloud to pulling back the systems and have them running inside the enterprise and be able to shift back and forth. It allows businesses to shift and have great flexibility over where they are going to process data and where they are going to store data.”
Like climbing a mountain with a hangover: helping CIOs enable digital evolution
The new chief information officer’s job description is transformative. Rapid digital evolution is the priority, and CIOs are racing to capitalise on cloud as an enabler for change

More than 50 per cent of the Fortune 500 from the year 2000 are gone, according to Capgemini: either bankrupt, acquired or simply blipped out of existence. Digital disruption is largely responsible for this shift, proving that a business’s approach to technology, or a failure to embrace and exploit it, has very real competitive consequences. This has had a massive impact on the role of IT. Traditionally, “keeping the green lights on” as cost-effectively as possible was the overarching mandate, with success measured by the lack of downtime. Today, the perception of cloud as a silver bullet for enabling business agility means technical teams are increasingly tasked with creative innovation and making digital a vehicle for delivering strategic value. However, the spectre of legacy casts a long shadow across these thoroughly modern aspirations.

The morning after the night before
One CIO recently described this as “like trying to climb a mountain with a hangover” – scaling the heights of digital advantage with a serious tech headache, weighed down by the heavy, inflexible baggage of past priorities. The promise of cloud is alluring (armed with a credit card and a few spare hours, you can conjure up as many instances in Amazon Web Services as you like), but for many businesses, cloud’s potential sets unrealistic expectations that ignore the gap between where they are now and where they want to be.

Moving mountains
The new CIO job description is transformative and does not include wondering whether the green lights are on or off. Speed to market is the priority, and CIOs are racing to capitalise on the opportunities offered by cloud in a rapidly evolving ecosystem. But simply approaching the challenge in the same way they always have (redeploying existing resources to manage new-world environments) is highly unlikely to be the hair of the dog. Getting ahead of the game sustainably requires a change in approach for most non-Generation Z businesses. Organisations need to create the space to build an authentic and consistent culture of innovation, allowing them to compete with fresh, unencumbered new market entrants.

Shaking it off with specialists
Considered engagement of specialist, experienced cloud partners along the trail is a typical feature of new-world CIO strategy. This naturally accelerates and de-risks change, removing legacy dependencies and roadblocks on the path to the top. These partners act as trusted terrain guides, collaborating with organisations to deliver agility, security and, ultimately, orienting the business towards its desired outcomes. Ongoing managed cloud services additionally enable CIOs and their teams to focus on the right priorities on a permanent basis: enhancing customer experience and developing internal talent. In short, specialist cloud providers empower businesses to achieve complete benefit realisation, which in turn creates competitive edge. Our ongoing obsession with digital has created enormous disruption, but is also reinventing and revitalising IT. Cloud can and will deliver your applications and aspirations – but finding the hangover cure that is right for your business is key to reaching your goal.

52% …of the Fortune 500 from the year 2000 are now gone

INDUSTRY VIEW
hello@adapt.com adapt.com
SPECIAL REPORT: THE EUROPEAN INFORMATION SECURITY SUMMIT 2016
Met police: Cyber-fraud must be taken more seriously
JOANNE FREARSON

Hackers are becoming increasingly sophisticated and companies more than ever are faced with a complex array of security threats, according to experts. The European Information Security Summit 2016, now in its fourth year, looked at what needs to be done to make sure companies remain vigilant against threats and how they can build an agile cyber-security culture.

DCI Andrew Gould from the Metropolitan Police’s FALCON unit, created 18 months ago and which has been instrumental in stopping cybercrime in the banking industry, said at the event that “fraud needs to be taken seriously as a crime”. Gould explained that one gang targeting banking customers was able to gain access to its victims’ online accounts, which were cleared out within minutes. “It was a Monday-to-Friday business operation,” said Gould. “They were making a couple of million quid a week.”

The FALCON unit used tactics normally employed for anti-terrorism work for the operation, which had never been used before for this type of case. “We got enough evidence to arrest them – 25 people have been charged and are now going through the court system,” Gould said. “Out of those, seven have already pleaded guilty.” Gould explained that the gang was made up of British Pakistani males who had moved from the drugs industry into cyber-crime. The money – £90million – was moved to Dubai and Pakistan. The FALCON unit has so far recovered £40million and is working towards getting the rest back.

FALCON is now looking to turn the intelligence from its investigations into awareness packages for businesses. It is also planning a 24/7 telephone line, which businesses can call to help them fight cyber-crime. “We know your priority is to get your business back on track as soon as possible,” Gould said. The FALCON unit is also producing a book, The Little Book Of Big Scams, to provide companies with typical examples of cyber-crime messages. “LinkedIn is a great targeting tool for cyber-criminals. People need to be more aware of what they are putting on Facebook,” Gould said. “We want to show people what their vulnerabilities are and give them advice.” So far the FALCON unit has made more than 1,000 arrests in this area, with 442 charges brought – some of which resulted in hefty sentences, said Gould.

In order for companies to keep their data protected, they must also make sure they are following regulations and comply with the laws where their data sits. For example, the demise of the Safe Harbor agreement, which allowed the transfer of European citizens’ data to the US, is causing companies to rethink how they move data around globally and report cyber-breaches as they are forced to comply with new data privacy regulations. Bridget Treacy, managing partner at Hunton & Williams, who also spoke at the summit, said: “The new law is a game changer. It gives individuals enhanced rights and carries much greater enforcement power.” Individuals will be able to form groups and bring claims against businesses. Said Treacy: “Companies need to think very hard about what changes they need to make. Do we have clear records of all data assets and processing activities? Who will maintain this? What software tools? Do we have a data protection compliance programme?

“Companies will need to have a good understanding of what their data assets are. All of this requires resource. It is a business responsibility.”

442 Number of charges brought by the Metropolitan Police’s new FALCON unit since it was set up 18 months ago

DCI Andrew Gould speaking at this year’s European Information Security Summit

Education is key to fighting cyber-crime
MATT SMITH

The key to information security is to make people more aware of what they can do to protect against threats while avoiding making things too complicated and hindering productivity or the customer experience. Speaking at The European Information Security Summit 2016, Nationwide Building Society group risk director Michele Faull said the challenge is striking a balance between keeping customers safe and providing a good level of service. She said security is “a fundamental assumption” when customers join a bank. “I can’t imagine any bank asking, ‘Do you want a safe bank or a bank that’s not quite as safe?’” she said. “I think it’s a given. People expect their bank to be safe and secure.” She added that sometimes customers can complain about security measures that complicate the customer experience, but that it is the duty of organisations to explain why these are in place.

Educating others about cyber-security is an important part of keeping systems protected. A panel discussion at the conference also examined how to use psychology to improve cyber-security awareness. “We know that people are both part of the problem but also part of the solution to cyber-security,” said Professor Pam Briggs, chair in applied psychology at Northumbria University. She explained that companies need to focus both on employees’ understanding of cyber-security and the skills they will need when tackling potential dangers. “People, as we know, don’t tend to know exactly how to attend to a threat,” she said. “But also, in very few companies are they really motivated to cope.

“They might alert you to an incident, but to what extent do you praise them for alerting you and is it part of their job description?” She argued that this feedback on actions is vital in encouraging staff to come forward.

To keep up with the latest information on security news, follow The European Information Security Summit @InfoSec_BT and Business Reporter @BiznessReporter on Twitter

WITH THANKS TO OUR TEISS SPONSORS I.T. Security Specialists
Why cloud is the key enabler for digital transformation

The IT manager may be mistaken if they thought the world was becoming fixated on digital transformation. In fact, we are seeing a radical change as everything – from customers to equipment alike – is connecting, and creating the so-called internet of things. There is a sense of urgency taking hold, as organisations either face the implications of digital transformation or face being marginalised at the hands of competitors. From an internal perspective, this means aligning resource and strategic focus to respond to dynamic and unpredictable forces in the market. In other words, the IT manager now needs to reinvent IT provision to fundamentally change how an organisation operates – from customer engagement and internal operations, right through to the core business model. According to the latest research from the Cloud Industry Forum, 16 per cent of enterprises have a digital transformation strategy in place, with a further 55 per cent actively implementing one – and it is not confined to the larger players, as SMEs themselves are driving this revolution from the bottom up.

The cloud is the key technology enabler – a natural ally to change as it embodies its core value. The Cloud Industry Forum found 79 per cent of those who have implemented a digital transformation strategy have done so off the back of cloud-based solutions. “This is not so much a technical shift as an entirely new mindset about how we consume technology,” stated Mitchell Feldman, CEO of RedPixie. “Up until quite recently the cloud was viewed with a degree of scepticism by some IT leaders. Now it has become mainstream and is a leading innovation platform for businesses looking to create a competitive advantage through digital transformation.”

Ingram Micro Cloud is a growing business in its own right and as such is aligning itself with a number of partners and suppliers of cloud-based solutions that share a vision of the future. Through this network of trusted advisers it is at the forefront of guiding and advising businesses on their digital transformation strategy. Apay Obang-Oyway, director of Ingram Micro Cloud, Northern Europe, added: “The cloud is critical for unlocking one of the major sources of differentiation for true breakthrough innovation – speed. Shortening innovation and product development cycles, thereby reducing time to market, is a powerful source of competitive advantage.

“IT managers are telling us that speed is a top priority. Digital innovation is causing disruption to existing business models and they [must] move fast to deliver new infrastructure, platforms and applications to meet the needs of today’s consumer.

“The imperatives for change are many, but forward-thinking organisations are embracing digital technologies as a means to disrupt industries and secure competitive advantage. Cloud is the agent of change with flexible, on-demand, consumption-based applications removing barriers and enabling businesses to react quickly. So for businesses large and small, finding the right partner to guide them on this digital journey and enabling them to transform is imperative,” concluded Apay.

16% The number of enterprises that have a digital strategy in place Source: Cloud Industry Forum

INDUSTRY VIEW
Apay Obang-Oyway (left) is director of Ingram Micro Cloud, Northern Europe; Mitchell Feldman is CEO of cloud specialist RedPixie
020 7112 2033 RedPixie.com
SECURITY POLICY MANAGEMENT Simplified. Automated. Orchestrated.
Automate firewall change management
Mitigate risk and enforce compliance
Ensure secure application connectivity
Unified visibility across cloud and on-premise
Head in the cloud, feet on the ground
Microsoft UK’s Patrik Bihammar on the benefits of the hybrid cloud. By Joanne Frearson

Microsoft has been helping companies transform their businesses through the hybrid cloud. It allows them to be able to scale up their services cost effectively, but gives them the flexibility of choosing what services they have in the cloud. “They are looking at scalability and how they can reduce cost and how they can become more agile through using the public cloud,” says Patrik Bihammar, hybrid cloud lead at Microsoft UK. “We see they are looking at using the cloud for certain use cases. It is a lot easier to do testing and development on the cloud. Once the application is built they can then decide whether they want to keep that as a cloud application or to bring it back on premises.

“There are also scenarios where they say, ‘I am going to build this new application. I am going to put the user interface and the application logic in the cloud. I want to keep the data part of the application in my own data centre’. That is kind of the conversations [people are having] about new applications.

“Another thing we’re seeing a lot of interest in is saving costs by taking advantage of backing up to the cloud. Backup of storage or disaster recovery is an area we definitely see a lot of adoption of in cloud services. They are extending what they are already doing on premises.”

By using the cloud, companies are reducing costs, enabling them to focus more on innovation and providing better services to their customers. Around 85 per cent of Fortune 500 companies currently use the Microsoft cloud. “It is an expectation today by end-consumers that everything happens at internet speed,” Bihammar says. “It is a way of providing better business service and building new applications faster. We see customers looking at an application that they have on premises, for instance, and thinking about something they want to add to the application to provide better service.”

Aviva has been using the Microsoft Azure hybrid cloud to help determine how much its customers should pay for car insurance. The firm wanted to base auto insurance quotes on the behaviour of individual drivers instead of statistics by collecting telematics data from moving vehicles. However, using on-premises infrastructure to house all of this information was too costly and complex. Instead, Aviva used Microsoft Windows Azure SQL Database to store its telematics data and combined that with its existing on-premises quote system. Customers who had their driving behaviour tracked were able to save money if they were deemed to be a safe driver.

According to Bihammar, the future is in the hybrid cloud. The majority of companies find it difficult to migrate 100 per cent to the cloud unless they are a start-up and don’t have many legacy applications. There are also worries about keeping sensitive information solely on the cloud, such as customer data systems or financial information. “The concerns are normally around security controls – I do not want to lose my data,” he says. “More often than not it is a data sovereignty issue as opposed to a security issue. If they put their application data in the cloud, they want to know what that cloud provider is going to do with that data.” A survey by Microsoft showed that 60 per cent of companies had concerns around data security as a barrier to adoption, with 45 per cent saying that the cloud would result in a lack of data control. However, once these organisations adopted the cloud 94 per cent experienced security benefits they didn’t previously have on premises, while 62 per cent said privacy protection increased as a result of moving to the cloud.

Microsoft understands the importance of building trust with customers. Bihammar says: “It is about having transparency with our customers. They know it’s their data – they own the data and we can’t access it. We encrypt all the data, but it is the customer that has the key.” The service is used by more than 20 million businesses worldwide. Microsoft recently launched Azure Stack, a new hybrid cloud platform that enables companies to deliver Azure services from their own data centres. By using the hybrid cloud companies are becoming more cost effective and flexible. Research shows once companies are on the cloud, they believe their security increases, allowing them to scale up quickly, develop new services and meet the demands of their business.

85% Fortune 500 companies currently using Microsoft Cloud
“It is necessary to redesign systems. We are still alive because the very bad guys are stupid and lazy” Anti-virus guru Eugene Kaspersky is on a mission to get firms – and governments – to wake up to cyber-security threats THE BIG INTERVIEW JOANNE FREARSON
E
UGENE KASPERSKY, chairman and CEO of Kaspersky Lab is a man who has dedicated his life to fighting cybercrime. He began his career in 1989 by accident after the Cascade virus infected his computer. Having a background in cryptography, he was able to understand its behaviour and develop a removal tool. Ever since then he has been developing cyber-security technologies to fight malware. Co-founding Kaspersky Lab in 1997, his technologies now protect more than 400 million users worldwide. Today, Kaspersky is hosting an event about protecting critical infrastructure at the Science Museum in London. “The number of criminal attacks on industrial systems has
been growing very quickly and unfortunately we are not seeing the whole picture because in many cases the victims do not disclose the data,” he tells me. “Last year there was an attack on a Ukrainian power grid – some regions had a blackout because of the cyber-attack. The bad guys shut down the power and wiped all of the systems. The engineers had to physically go to their power stations and turn it on because they have a manual override.” Kaspersky explains that, fortunately, such a degree of damage is rare in cyber-attacks. But he warns that next time we might not be so lucky, as many of the newer power grids do not allow for engineers to manually override them. “Modern systems do not have manual override – if the same happens elsewhere I am afraid that the problem will be more serious,” he says. Cyber-criminals have become more sophisticated over the years, and are getting
Business Reporter UK
@biznessreporter
May 2016
AN INDEPENDENT REPORT FROM LYONSDOWN, DISTRIBUTED WITH THE SUNDAY TELEGRAPH
facebook.com/biznessreporter
much more professional and international. They have been designing technologies that have cracked very well protected networks. “Around 20 years ago, there were just vandals, hooligans creating simple malware and DDoS [direct denial of service] malware,” he says. “Then there were criminals – and the criminals become internationally organised. They have become very professional. “The criminals are looking for money, but in different ways. There have been attacks on financial services, both on customers and banks themselves. They are infecting systems with ransomware, sending spam or making DDoS attacks on competitors. Then there are hacktivists with political motivation, their main goals being to damage the reputation of a business or paralyse them.” Kaspersky explains that this year there have been critical data attacks on hospitals in Australia, California and Germany, where all data has been wiped and systems paralysed. To help fight these cyber-criminals, Kaspersky regularly works with international and national law enforcement agencies such as INTERPOL, Europol and The City of London Police, providing them with technical advice about malware. “We don’t read detective stories,” he says. “We live in detective stories. We are in touch with cyber-police in many nations around the world. We assist them with our knowledge and our experience to investigate cyber-attacks. Our life is never boring.”
Kaspersky believes governments should put more regulation in place, to ensure companies in all sectors follow protocols that can help protect them. “For businesses, it is complicated – you have to deploy solutions through the network, protect the gateways, endpoints, backups,” he says. “But for the industrial sector it is even more complicated, because it is not a product, it is a project.”

Kaspersky explains that the problem is that each company designs infrastructure to its own requirements, without a proper standard in place to indicate whether it is meeting guidelines or not. “All nations depend on infrastructure and infrastructure depends on cyber-systems,” he says. “Cyber-systems are vulnerable, and we need to redesign them in a more secure way to make them immune.”

Kaspersky believes there needs to be joined-up regulation and consistency when it comes to cyber-security. Indeed, he sees the regulation of cyber-security as just as important as that of any civil engineering project. “When companies design cyber-systems, they do it as they want to do it. So one of the important steps for governments is to introduce regulation for cyber-systems which manage critical infrastructure,” he says. “At the moment governments have regulations for power lines, for buildings, for railways, for traffic – so there has to be same regulation for IT systems which are used in critical infrastructure. It is necessary because this world depends on cyber, and [currently] everyone designs a cyber-system how they want. Legacy systems are largely at fault,” he says. “That is why many problems happen – because of these old, vulnerable systems. If it is connected to the internet, it is vulnerable.”

But when it comes to developing technologies that protect systems against cyber-criminals, Kaspersky tells me there is no simple answer. “That depends on the size of the company and importance of the data on their computer systems, or the physical infrastructure that is in use,” he says. “If it is a very small business and the computer systems are only there to support some activities, these are minor things – install security software, keep your mind switched on and don’t trust everyone. That’s it.

“If it is a big enterprise with critical data, or you have physical infrastructure, first of all you need a security audit. Then training for employees, then cyber-security strategy – then look for the partners who can design a system. Then do it again. It is a process. Check your system again, again and again.”

The major mistake most companies make, explains Kaspersky, is thinking that the system will work for years unattended. Firms should also constantly be reviewing their security systems, he believes. “The engineers and management have a rule: if it works, don’t touch,” he explains. “We have to break this rule. We have to redesign the systems. We have to keep the source code. We have to be in touch with the software engineers, the teams that have designed it.

“It is not possible to build it and forget about it. It is necessary to redesign systems from time to time. We are still alive because the very bad guys are stupid and lazy.”

Kaspersky’s dream is to develop an operating system that will ultimately be so expensive for criminals to hack, they won’t even bother trying. At that point, he says with a big smile, he will retire. “Perfect security is when attacks cost more than possible damage, when attackers have a negative return on investment, and it is more expensive to hack than the possible profit,” he explains. “My dream is to reach that level of security.”

Kaspersky does not expect governments and industries to be in a rush to fix their systems until something very bad happens, however. “It is a process. It is not possible to introduce 100 per cent security and forget about it. It will not work – we have to do it again and again, start with the penetration test and security audit to understand where the most vulnerable is within your organisation. Give training for employees and build a strategy to help make it absolutely secure.”

Kaspersky’s dream of having an operating system that’s too expensive for cyber-criminals to crack might force Kaspersky into (an albeit very comfortable) retirement, but there is much at stake if governments and companies do not protect their cyber-systems.

The CV: Eugene Kaspersky
Eugene Kaspersky was born in Novorossiysk, Russia in 1965 and graduated from the Institute of Cryptography, Telecommunications and Computer Science in 1987 with a degree in mathematical engineering and computer technology. He is based in Moscow and has earned a number of international awards for his technological, scientific and entrepreneurial achievements. He was voted the World’s Most Powerful Security Exec by SYS-CON Media in 2011, awarded an Honorary Doctorate of Science from Plymouth University in 2012, and named one of Foreign Policy magazine’s 2012 Top Global Thinkers for his contribution to IT security awareness on a global scale.
The cloud is just someone else’s computer
AMERICAN VIEW: KEIL HUBERT

THERE WAS a time when a clever IT boffin could deflect an executive’s unwanted inquiry by pointing out the nearest window and exclaiming: “You asked which cloud your data was stored on, yeah? It’s that one.” The boffin then beat a hasty retreat back to her locked server room while her incredulous boss strained to try to make out his home directory in the cumulonimbus.

It was just a lark at first. Then a certain publisher of PC operating systems launched its “To the Cloud!” adverts and the joke wore painfully thin. These days, just saying “cloud” around a technologist is likely to induce a migraine. The cloud is a breathtaking mystery to most users, thanks to cloying marketing copy that’s made it synonymous with magic. Your data isn’t limited to plain old computers anymore (the adverts tell us) – instead, your data rockets around the world’s ley-lines in a cosmic quantum thingy (or something equally ludicrous).

It’s all silliness. Please repeat after me: “The cloud is just someone else’s computer.” That’s all. Buying cloud services just means that you’re paying someone else to host your stuff on their servers instead of having your own staff host your stuff on your own servers. There’s no magic involved.

It’s a bit easier to visualise if you think of your applications and data as your own personal auto and think of the data centre as a garage. Using traditional data centre services is like parking your car at home. If your garage is large enough to handle several cars, and they can change spots based on who’s driving what, then you have yourself a private cloud. If, instead, you have a paid driver park your car at someone else’s garage across town, you’ve engaged a cloud provider.

It’s a crude analogy, but it works well because it inspires normal people to start getting cynical. When you park your car at your own house, you know that you’re responsible for securing the doors to keep thieves out. Your car is only as safe as you choose to make it, based on how much time, money, and attention you’re willing to invest in protecting it – and how badly the local thieves want it. That’s all easy to understand.

When you have someone else park your car for you somewhere else, certain questions naturally arise: will my car always be available when I need it? Will my provider be as diligent at keeping thieves out? Might my provider park my car in another country where the rules are different? Will my driver be as diligent as I am at driving? Am I really saving money by paying someone else to do this for me? Can I afford to completely do away with my own garage? How much risk am I willing to accept?

When your CIO and CISO next come to fisticuffs over whether or not to “move to the cloud”, these are exactly the questions that they’re usually fighting over. CIOs generally want better performance at lower cost, while CISOs want to minimise the opportunities for baddies to swipe the company’s crown jewels. Both positions are valid. Ultimately, it’s up to the man or woman at the top to decide the issue, and senior executives usually hedge their bets: they choose a little of each, blend a little private cloud with some rented cloud and call the compromise a hybrid cloud solution. I suspect this is because CEOs always get a private parking space at the office to go with the ones they have at home, but that could be a complete coincidence.
Inspector

As part of the team at Business Reporter, the Inspector has been following GCHQ on Twitter ever since it joined the online social media networking site earlier this month. GCHQ’s first tweet was “Hello, World”, which is the name of one of the first programmes you learn to write in coding languages such as C, Python, Java, PHP, and Ruby. The UK intelligence agency will be using Twitter to talk about technology, maths, innovation and cyber-security. Andrew Pike, director of communications at GCHQ, says: “In joining social media GCHQ can use its own voice to talk directly about the important work we do in keeping Britain safe”.

GCHQ is a regular source for our information security stories. Business Reporter’s European Information Security Summit (TEISS) has also been recognised as one of the top information security brands on Twitter by Onalytica and will be especially keen to view GCHQ tweets.

The profiles GCHQ follows are less conventional than one might think – numbering opera singer Katherine Jenkins OBE, who visited GCHQ in Cheltenham earlier this year, apparently performing to the staff by way of thank you for helping to keep Britain safe. Others followed by the agency include – perhaps more obviously – James Bond, the main inspiration for the Inspector’s love of gadgetry.

GCHQ also plans to use the Twitter site to post brain-teasers, puzzles and quizzes, following on from its director Robert Hannigan’s Christmas card puzzle last year – a cryptographic mind-bender that was successfully completed by only three people from around 600,000 original entries. The card certainly had the Inspector’s tail wagging – he spent some hours in his kennel attempting to complete the grid-shading puzzle – and he’s looking forward just as much to the next ones. Just make them a little easier this time round, eh?

Picture caption: GCHQ is now following 007 on its new Twitter page; GCHQ’s cryptographic 2015 Christmas card stumped thousands

Dogberry
BY CIARA LONG, ONLINE REPORTER

McAfee blog (blogs.mcafee.com)
Stay up to date with the latest security threats with some help from the experts from McAfee, who provide practical advice on how to stay safe, along with more in-depth articles exploring trends in cybersecurity. Be sure to follow the official Twitter account for the latest posts direct to your timeline.

We Live Security (www.welivesecurity.com)
Run by the ESET team, this blog takes a more news-focused format, bringing you the latest research and discoveries in the sector along with expert analysis. Recent posts include news of the demise of the infamous TeslaCrypt ransomware and a look at one of the potential contenders to its throne, Jigsaw.

HOTforSecurity (www.hotforsecurity.com)
HOTforSecurity is the blog of security firm Bitdefender and provides news, security tips and threat analysis. It has nearly 900,000 Facebook fans and boasts contributors including expert Graham Cluley, who will be speaking at Business Reporter’s Data Security in the Cloud event this June.

Google Security Blog (security.googleblog.com)
Getting into the slightly more technical side of things is Google’s security blog, which takes a look at some of its latest work to make its products more secure. Recently, this has included an update that brought HTTPS support to Blogspot blogs, as well as advice for mobile developers who want to make sure their Android apps are secure.

Avast Mobile Security (Free – iOS, Android)
There are plenty of anti-virus solutions out there for your mobile devices, but this free app comes with a four-and-a-half star rating.

WhatsApp Messenger (Free – iOS, Android)
This popular messaging app recently drew praise from security and privacy advocates when it introduced end-to-end encryption by default.
Business Zone
Four pages of analysis and expert comment
Four ways to make sure you’re winning against the bad guys
Security doesn’t have to be complex and expensive. Here are some simple best practices to help shore up your defences

HAVING GIVEN many presentations and teaching sessions around the globe in the past few months, the messaging and the “how do I get started in security?” strategy is finally getting out there. The core message is simple: embrace these four security best practices and win against the bad guys.

Vulnerability scan
End-points and networks are always changing and users – even with the best intentions and focus on doing their jobs – can introduce new vulnerabilities and put data at risk. If you don’t know where your critical or confidential data is located, and if payroll, banking, credit card and other personally identifiable information is not protected, you are at risk. If you are missing patches or have configuration mistakes, you are at risk. A key part of being good at delivering security is being aware of the business risk. Weekly vulnerability scans will help you or your team prioritise what security activities need to happen urgently. Start the week off with the scan, work at the issues it raises and make sure management sees the results.

Patch management
There are two kinds of IT professionals out there: ones who aggressively patch and keep their customers’ servers and workstations ransomware- and malware-free, and ones who rely on technology like firewalls or anti-virus and continue to get infected by ransomware and malware.
Restricting administrative credentials
Sometimes I can’t believe it’s 2016 and we are still having this conversation about removing administrative rights. Avecto’s 2015 report on Microsoft Vulnerabilities provides a stark reminder of the basics of IT security:
• 85 per cent of all critical vulnerabilities documented in the 2015 report can be mitigated by removing admin rights.
• 99.5 per cent of all vulnerabilities reported in Internet Explorer in 2015 could be mitigated by removing admin rights.
• 82 per cent of all vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights.
If you are serious about securing customer end-points, you have to figure out a way to remove administrative privileges. If that means putting time and effort into figuring out how to deliver a line of business application in a nonadmin environment, then do it.
Reduce your attack surface
The maths here is simple: less software equals less vulnerability. A report from Recorded Future, which offers threat intelligence analysis of more than 100 cyber-crime exploit kits and known vulnerabilities, identified Adobe Flash Player as the most frequently exploited product. According to web analysis from January 1 2015 to September 30 2015, Adobe Flash Player comprised eight of the top 10 vulnerabilities leveraged by exploit kits.

And finally…
I have purposefully neglected one thing: I’m going to assume you already have a robust hybrid (cloud-based and local) backup solution in place. Even if you are not in the security business, if you are in the IT business you had better be good at backup and recovery. Backup does not just protect against the activities of cyber bad guys, it protects against user mistakes and your own accidental mistakes. The biggest win in security is having a recovery capability for when you lose at security.

INDUSTRY VIEW
Ian Trump (left) is security lead for LOGICnow and author of The LOGICnow Cyber Threat Guide, which you can download free at http://bit.ly/1WPDn00 Follow Ian on Twitter at @phat_hobbit
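The column says a weekly scan should drive what gets fixed first, that missing patches and admin rights are where most of the risk sits, and that management should see the results. The script below is an added example, not code from the column or from LOGICnow: it takes constructed scan findings (the record layout, field names and VULN-nnn labels are this example’s own, not real identifiers) and turns them into the prioritised worklist and management summary the four practices call for, ranking internet-exposed hosts and hosts holding payroll or card data first, flagging findings with a vendor patch as cheap wins, reporting what share of critical findings removing admin rights would mitigate, and naming the product with the most findings as the first candidate for removal.

```python
"""Weekly vulnerability-scan triage.

Added example, not code from the column or from LOGICnow. It turns a scan's
findings into the prioritised worklist the column recommends starting the week
with. All records, field names and VULN-nnn labels are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}


@dataclass(frozen=True)
class Finding:
    finding_id: str               # constructed label, not a real CVE id
    host: str
    product: str
    severity: str                 # critical / high / medium / low
    patch_available: bool         # vendor fix exists but is not installed
    internet_exposed: bool        # reachable from outside the network
    sensitive_data: bool          # host holds payroll, banking, card or PII data
    mitigated_by_non_admin: bool  # exploit needs the user to hold local admin rights


# Constructed sample scan output for one week.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("VULN-001", "web-01", "Adobe Flash Player", "critical", True, True, False, True),
    Finding("VULN-002", "hr-db", "Database server", "high", True, False, True, False),
    Finding("VULN-003", "wks-17", "Microsoft Office", "critical", True, False, False, True),
    Finding("VULN-004", "fw-edge", "Firewall firmware", "critical", False, True, False, False),
    Finding("VULN-005", "wks-22", "Adobe Flash Player", "high", True, False, False, True),
    Finding("VULN-006", "print-srv", "Print server", "low", False, False, False, False),
]


def risk_score(f: Finding) -> int:
    """Business-risk heuristic: severity, scaled up by exposure and data value.

    A missing patch adds a small bonus so cheap fixes float towards the top."""
    score = SEVERITY_WEIGHT[f.severity]
    if f.internet_exposed:
        score *= 3
    if f.sensitive_data:
        score *= 2
    if f.patch_available:
        score += 2
    return score


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties keep scan order (sorted() is stable)."""
    return sorted(findings, key=risk_score, reverse=True)


def admin_removal_coverage(findings: List[Finding]) -> float:
    """Share of critical findings that removing admin rights would mitigate."""
    critical = [f for f in findings if f.severity == "critical"]
    if not critical:
        return 0.0
    return sum(f.mitigated_by_non_admin for f in critical) / len(critical)


def top_product(findings: List[Finding]) -> Tuple[str, int]:
    """Product with the most findings: the first candidate for removal."""
    return Counter(f.product for f in findings).most_common(1)[0]


def weekly_report(findings: List[Finding]) -> List[str]:
    """Lines for the management summary that should follow each weekly scan."""
    lines = ["Priority  Score  Host        Product               Patch?"]
    for rank, f in enumerate(prioritise(findings), start=1):
        patch = "yes" if f.patch_available else "no"
        lines.append(f"{rank:<9} {risk_score(f):<6} {f.host:<11} {f.product:<21} {patch}")
    lines.append("Critical findings mitigated by removing admin rights: "
                 f"{admin_removal_coverage(findings):.0%}")
    product, count = top_product(findings)
    lines.append(f"Most-affected product: {product} ({count} findings)")
    return lines


if __name__ == "__main__":
    print("\n".join(weekly_report(SAMPLE_FINDINGS)))
```

The weights are deliberately simple so the ranking can be explained to management in one sentence; the point is that exposure and data sensitivity, not raw scanner severity alone, decide what gets patched on Monday morning.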
How consolidating IT helps lower costs
MANY ORGANISATIONS are battling fragmented IT infrastructure and spending significant resources on integration and securing operation of disparate systems. Infrastructure fragmentation can mean different things for each organisation – it can mean a combination of multiple hypervisors, bare-metal servers, multiple data centres as well as public cloud usage, making management complex and human resource intensive. While public cloud adoption increases by the day, it’s still more practical to run certain workloads in-house, and it remains impossible for some companies due to regulations or compliance. A combination of private and public cloud is generally the most optimal solution.

However, managing heterogeneous on-premise (private cloud) infrastructure can be a complex undertaking when including different virtualisation technologies, a dedicated server environment, storage and networking. Besides, in many cases it doesn’t solve the IT fragmentation. Different vendor-specific management tools require specialised know-how and training, leading to an under-utilisation of resources. Licensing costs add up when deploying multiple solutions, each with their own licensing paradigm and often providing duplicated functionality.

So what can be done to address this level of IT complexity and fragmentation? The answer lies in a combination of actions, starting by evaluating the environment and simplifying the management of your infrastructure by adopting the right tools. Qstack is that tool. Being both hypervisor and hardware vendor agnostic, Qstack can satisfy a need for a fully-fledged hybrid cloud and infrastructure management platform. Its uniform interface and functionality allows enterprises to easily implement a multi-zone cloud environment deploying one single solution. Enabling a single interface management platform such as Qstack, enterprises can profit from an enormous advantage in terms of delivery speed, improved utilisation levels and operational simplification – all resulting in lower costs and greater efficiency. Organisations deploying Qstack have managed to significantly improve resource utilisation levels, ultimately resulting in increased agility and effective IT operations.

INDUSTRY VIEW
Jonsi Stefansson (left) is CEO of Greenqloud www.qstack.com www.greenqloud.com
How savvy businesses get the most from hybrid clouds
Setting the gold standard for cloud security

WHEN MOST managers consider moving their services to the cloud, the question they ask is: is the cloud secure? The perhaps surprising answer: cloud services can be more secure than hosting onsite. One particular way to think about this is to ask some questions:
• Are your company’s servers physically secure? Beyond the reach of intruders or vandals? Is someone watching over your servers each and every day and all night?
• Is your data backed up somewhere offsite? After a fire, flood, earthquake or explosion could you retrieve your data? How long would it take?
• Do you have an information security plan? Do you consider security at every step of building your capacity? In the hardware, in the network, in the software, among the staff? How many people in the IT department are devoted to the security of your equipment and data?
• Do you regularly test your system against intrusion, and how long would it take you to realise an intrusion has occurred? How fast can you respond and what would you do?
• Are your data, e-communications, and voice communications encrypted? If they were intercepted, what could an attacker learn about you and your customers?

Many companies have a hard time answering these questions satisfactorily. Just last autumn, for example, British Gas, Marks & Spencer and TalkTalk all suffered serious data leaks. But a carefully crafted cloud solution can help businesses strengthen their defences. Interactive Intelligence’s latest cloud-based customer-service, communication, and collaboration solution, PureCloud, builds information security into each part of the process from the ground up. This creates a security environment too costly for most onsite or hybrid call-centre solutions, removing a significant barrier in deciding to move to the cloud.

Interactive Intelligence’s cloud platform is built on Amazon Web Services, whose commitment to physical security is certified at the highest industry standards. Data is routinely backed up and stored to various locations. That way, if there’s a problem in one location, your data can be restored from another. With PureCloud, different types of data are encrypted – files, emails, texts, voice connections, and call recordings. Interactive Intelligence uses publicly signed certificates to validate senders and runs frequent certification checks, consistently receiving an A-grade.

Penetration-testers on staff actively search out weaknesses in third-party information security plans. But the company goes the extra mile by hiring specialist penetration-testing firms to probe for holes in its cloud security, and publicising the high-level results on its website. “Not a lot of companies will show that kind of transparency,” says Jarrod Sexton, senior security engineer at Interactive Intelligence.

PureCloud is engineered to prevent, say, a rogue employee from one client hacking into the data of another. In fact, PureCloud’s access controls, auditing, and tracking system would foil the intruder from seeing all his or her own employer’s information. Interactive Intelligence uses hashed (coded) passwords with cryptographic “salt” (randomly generated characters) to defend against advanced password-cracking techniques. In these ways and many others, Interactive Intelligence’s PureCloud call-centre solution sets the gold standard for cloud security. Any client needs to trust its cloud vendor with its data, and that’s why Interactive Intelligence’s clients can rest assured that their precious data is safe in PureCloud.

INDUSTRY VIEW
David Paulding is regional director UK, Middle East and Africa Interactive Intelligence +44 (0)7966 242499 david.paulding@inin.com
80%: percentage of enterprise IT organisations that will commit to hybrid cloud by 2017. Source: IDC
BUSINESS SPENDING on cloud-based IT services will grow another 16.5 per cent this year to $204billion worldwide, according to research firm Gartner. The trend is unlikely to subside anytime soon because the cloud provides so many competitive and bottom-line benefits. But to maximise those benefits, businesses need to choose the right ways to connect to the cloud.

Hybrid clouds are growing at the fastest rate, according to Gartner and other analysts. That’s because this model lets businesses spread their applications across a mix of private clouds – including IT infrastructure they own – as well as public clouds such as Amazon Web Services. For example, some enterprises don’t want to prematurely retire infrastructure that has years of life left, but they also don’t want the expense of expanding it to keep up with growth. A hybrid model enables them to use public cloud services to cost-effectively accommodate additional employees and customers. And when their private cloud infrastructure starts to show its age, they can shift more and more of the workload to the public cloud to take advantage of new technologies and greater scalability.

These benefits are among the reasons why more than 80 per cent of enterprise IT organisations will commit to hybrid cloud architectures by 2017, according to a recent study by IDC. The hybrid cloud market in North America is expected to hold the largest share, followed by Europe, with Asia-Pacific (APAC) expected to grow at the highest CAGR (MarketsandMarkets, April 2016).

Maximising performance
The catch is that although fibre is key for ensuring a great user experience, it’s a mistake to overlook other factors that play equally important roles. For example, a fat pipe can still seem slow if the public cloud traffic has to traverse an entire country or continent. That’s why savvy enterprises prefer public cloud providers with multiple data centres scattered around a geographic area. By putting employees and customers close to the data they use, this architecture minimises the latency, packet loss and jitter that undermine application performance.

When developing a hybrid cloud strategy, enterprises should also consider whether some of their applications would benefit from using an ISP that has direct, private connections with their cloud provider(s) and/or with the exchange points serving sites such as branch offices. Both enable better end-to-end performance, flexibility and reliability compared with routing traffic over public internet connections. Leading cloud networking provider GTT delivers this dedicated connectivity via its comprehensive portfolio of EtherCloud services. These Layer 2 and Layer 3 wide area networking services are available in a variety of configurations, and are backed by leading SLAs that provide guaranteed performance end-to-end. GTT also provides the most flexible commercial model in the industry with class of service included, as well as fixed rate, burstable and aggregate committed data rates for maximum efficiency.

The reality is that some hybrid cloud architectures are simply superior to others in terms of reliability, security and performance. Choosing wisely can have a critical impact on the success of your cloud deployment and your company’s bottom line.

INDUSTRY VIEW
Gina Nomellini (left) is CMO at GTT gina.nomellini@gtt.net www.gtt.net
Competition: the big force behind cloud adoption

WHEREVER AND whenever an organisation can keep ahead of its rivals, it will. And with the uptake of cloud growing exponentially, businesses adopting cloud have discovered that it isn’t just a business tool, it’s a business enhancer and a competition beater. The cloud is more agile and much faster than other technologies, and allows businesses to not only get up and running more quickly, but also reduces the time in which they see a return on investment. With competition driving the uptake of cloud, organisations will discover that their investment will allow them to focus more on the core business – whether that’s selling or producing – and also see business benefit.

A common misconception about the cloud is that it’s less secure. However, the reality is that data in the cloud is as secure as on-premise data, if the correct security standards have been applied. Three ingredients are imperative to securing data within the cloud – secure infrastructure, the elimination of passwords using a standard such as SAML, and the use of multi-factor authentication and IAM solutions, such as OneLogin. Requiring employees to pass multiple methods of authentication in order to access sensitive information creates several additional layers of security for an organisation, making it more difficult for hackers to infiltrate and ultimately keeping data safer.

INDUSTRY VIEW
salesteam-emea@onelogin.com www.onelogin.com

No longer just a nice-to-have: why encryption is now a necessity

23%: percentage of UK organisations which now feel very or extremely vulnerable to both internal and external threats to sensitive data. Source: Vormetric

THE HIGH-PROFILE hacks of the past few years have certainly given businesses a scare. Today, the majority of UK organisations admit they now feel more vulnerable than ever to both internal and external threats to sensitive data, according to Vormetric’s 2016 Data Threat Report. What’s more, nearly a quarter (23 per cent) said they feel “very or extremely” vulnerable to these attacks. This vulnerability is hardly unjustified. Nearly half of UK organisations surveyed in the report revealed they had experienced a data breach at some point, with one in five being the victim of an attack in the past 12 months. We only have to look at what happened to the likes of Ashley Madison, whereby the details of 37 million users were breached, TalkTalk and Anthem to see the damage these breaches can cause to a brand’s reputation and the trust of their customers.

A security shake-up
These mega breaches and cyber-attacks have certainly given organisations a much-needed wake-up call and an increased urgency to improve their security posture. And this has been particularly evident in the rise in the use of encryption within organisations. In fact, our most recent Global Encryption Trends report found more than a third (37 per cent) now have an encryption strategy in place, compared with less than one in five (15 per cent) a decade ago. Evidently, many organisations are now starting to see that a strong security strategy is not just a “nice-to-have” – it’s a necessity, and encryption is now widely accepted as best practice for protecting data.

However, that’s still only a third of global organisations. There is still work to be done, and challenges to overcome. First things first, businesses need to understand and locate where the sensitive and confidential data is situated within the business and decide whether it is sensitive enough to require encryption. This process alone is proving difficult for IT departments, with more than half of respondents (57 per cent) naming discovering where sensitive data resides in their organisation as their most difficult security challenge. Keeping secrets is expensive, and businesses should avoid trying to boil the ocean by enforcing the same level of protection on the crown jewels as they do on the mundane, everyday data.

Head in clouds?
Secondly, growing adoption of cloud computing also poses problems. At present, more than half of global organisations are transferring sensitive or confidential information to the cloud, and this figure is set to skyrocket to 84 per cent within the next two years. However, despite this enthusiasm to move sensitive data to the cloud, many organisations still haven’t got their heads around how they are going to protect it. If we consider that earlier this year, consultant PwC revealed cloud computing as an avenue increasingly attracting the attention of the cyber-criminals, the lack of data security within the two thirds of companies without a good encryption strategy in place could prove to be their downfall. It is encouraging, though, to see that organisations understand that security needs to be a top consideration in today’s tech landscape; support for cloud and on-premise deployment was rated the most important encryption solution.

More than a tick box exercise
High-profile hacks certainly have put cyber-security at the very top of every CIO’s agenda. Awareness of having a good encryption strategy in place in order to safeguard sensitive or confidential information is the first step to ensuring your company doesn’t end up the next victim of a mega breach. It’s now about taking that awareness to the next level: identifying the information that needs protecting, finding where this data is located and safeguarding it from the determined hackers who want to get their hands on it. Placing encryption at the heart of your security strategy will ensure your business stands tall against those looking to break down its walls.

INDUSTRY VIEW
Peter Galvin is vice president strategy, Thales e-Security. Visit Vormetric, a Thales company, on stand C140 at InfoSecurity Europe. www.thales-esecurity.com www.vormetric.com
The debate: What are the main cyber-security threats facing companies today?
Panel: Tony Pepper (Egress Software Technologies), Mark Basham (BSI EMEA), Daniele Catteddu (Cloud Security Alliance), Graham Mann (Encode UK), Andy Johnson (GTT)

Tony Pepper, CEO, Egress Software Technologies
HUMAN ERROR remains the leading cause of data breaches and something organisations should be striving to protect against. However, high-profile media attention on cyber-attacks has caused a shift in organisations’ information security focus – and may end up leaving them exposed to a breach. We recently asked 200 CIOs from firms of more than 1,000 employees where they prioritise information security spending to protect customer data. Nearly half (49 per cent) said they did so to keep external hackers out, with just 20 per cent claiming their main focus was accidental employee breaches. Yet statistics from the Information Commissioner’s Office found that 93 per cent of breaches were caused by human error. Organisations therefore need to work harder to eliminate this mismatch between board-level priorities and the reality of how their employees process and share sensitive data. Technology exists that can make a significant difference here, and with new EU legislation set to make the repercussions of a breach more severe, companies need to be investing now. INDUSTRY VIEW
info@egress.com www.egress.com

Mark Basham, Managing director, BSI EMEA
RESEARCH HAS shown that human error is now a leading cause of cyber-breaches, with trusted insiders playing a key role in many of them. The most serious breaches are due to multiple failings in people, processes, procedures and technology. In their haste to adopt new technology and working practices, businesses sometimes overlook the inherent risks and fail to put appropriate security measures in place. Do you allow staff to bring their own devices to work and access your network? Are you confident that family members are not also using them? Are you aware of the malicious code being added to free apps downloaded onto mobile devices? Encouraging staff to make their personal information security a natural part of their routines can help businesses to secure corporate information. Implementing training and awareness activities, alerting staff to the importance of taking as much care with business information as they would with their own personal information, should be a priority for every organisation. INDUSTRY VIEW
+44 (0)345 0765606 www.bsigroup.com/en-GB/Cyber-Security

Daniele Catteddu, Chief technology officer, Cloud Security Alliance
OUR SOCIETY is living in an era of hyper-connectivity and information overload, in which decision and policy makers are struggling to keep pace with technological evolution and to understand how to address the complexity generated by the convergence of trends such as cloud computing, micro-services, the internet of everything, big data and artificial intelligence. Every two years, the Cloud Security Alliance publishes a report on the main cloud computing threats, which can be generalised to any form of computing. The report is the result of a survey conducted within both the provider and user communities, and the most recent findings say that the top concerns for organisations are: data breaches; weak identity, credential and access management; insecure APIs; system and application vulnerabilities; account hijacking; malicious insiders; advanced persistent threats (APTs); data loss; insufficient due diligence; abuse and nefarious use of cloud services; denial of service; and shared technology issues. INDUSTRY VIEW
dcatteddu@cloudsecurityalliance.org @DanieleCatteddu
Cisco Talos finds 3.2 million machines at risk
3.2m: number of computers potentially at risk from Samsam ransomware (source: Cisco)
RECENTLY A large-scale ransomware campaign delivering Samsam changed the threat landscape for ransomware delivery. Targeting vulnerabilities in servers to spread ransomware is a new dimension to an already prolific threat. Based on information provided by our Cisco IR Services team, stemming from a recent customer engagement, we began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines. This led us to approximately 3.2 million at-risk machines.
As part of this investigation, we scanned for machines that were already compromised and potentially waiting for a ransomware payload. We found approximately 2,000 machines with a backdoor already installed. Over the last few days, Talos has been in the process of notifying affected parties including schools, governments, aviation companies and more. Several of these systems had one specific software solution in common. INDUSTRY VIEW
Find out more at http://blogs.cisco.com/security/talos
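As a worked example added here (it is not Cisco Talos code, and the piece above does not describe Talos's own scanner), the script below runs the defender's side of the same check over a web server's access log: it flags requests that reached the JBoss management and invoker endpoints without being turned away, which is what an exposed or already-backdoored server looks like from the inside. It assumes the Apache/nginx combined log format and the standard JBoss AS paths named in the code; the log lines in SAMPLE_LOG are constructed, not captured.

```python
"""Flag access-log requests that touch JBoss AS management endpoints.

Added example for the Talos piece above; it is not Cisco Talos code.  It
assumes Apache/nginx "combined" access-log format and the well-known JBoss
AS management paths listed in JBOSS_PATHS.  The log lines in SAMPLE_LOG are
constructed for illustration, not captured from a real server.
"""
import re
from collections import defaultdict

# Well-known JBoss AS management and invoker paths.  A successful request to
# any of these from an address outside the management network is the kind
# of exposure an internet-wide scan turns up; a deploying POST to the
# console or invoker is how a backdoor web application ends up installed.
JBOSS_PATHS = (
    "/jmx-console/",
    "/web-console/",
    "/admin-console/",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
)

# combined format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_jboss_mgmt(path):
    return any(path.startswith(prefix) for prefix in JBOSS_PATHS)


def classify(rec):
    """Label one parsed record: None (not interesting), 'blocked', 'exposed' or 'deploy-or-bypass'."""
    if not is_jboss_mgmt(rec["path"]):
        return None
    if int(rec["status"]) in (401, 403):
        return "blocked"  # authentication or an ACL answered; nothing reachable
    if rec["method"] != "GET":
        # POSTs carry deployments and invoker payloads; other verbs matter
        # because some JBoss releases applied the console's authentication
        # constraint to GET and POST only, so HEAD or PUT slipped past it.
        return "deploy-or-bypass"
    return "exposed"


def scan_log(lines):
    """Group interesting requests by label: {label: [(ip, method, path, status), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is not None:
            findings[label].append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return dict(findings)


def suspect_sources(findings):
    """Source addresses that got a non-blocked answer from a management endpoint."""
    return sorted({ip for label, hits in findings.items() if label != "blocked" for ip, *_ in hits})


# Constructed sample (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2016:10:12:03 +0000] "GET /jmx-console/ HTTP/1.1" 200 8123',
    '203.0.113.7 - - [01/Apr/2016:10:12:09 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 512',
    '198.51.100.22 - - [01/Apr/2016:10:15:44 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 -',
    '192.0.2.5 - - [01/Apr/2016:10:16:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.5 - - [01/Apr/2016:10:16:30 +0000] "GET /web-console/ HTTP/1.1" 401 0',
    '198.51.100.22 - - [01/Apr/2016:10:17:02 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 305',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for label, hits in result.items():
        print(label)
        for hit in hits:
            print("   ", *hit)
    print("sources to investigate:", suspect_sources(result))
```

Run against the sample, it reports one exposed console fetch, three deployment or verb-bypass attempts and one request that authentication stopped; a real log from a server that should never expose these paths to the internet ought to produce nothing but "blocked" entries, and any "deploy-or-bypass" hit with a 200 is the point at which to start looking for a backdoor rather than just a vulnerable install.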
Graham Mann, Managing director, Encode UK
ORGANISATIONS SIMPLY aren’t able to detect attacks early enough. While they will undoubtedly still strive to implement new defences, it’s insight that will increasingly become the defence of choice. Data generated from a company’s activities is infinitely greater now than it was five years ago, making it difficult to control, manage and therefore protect. Networks continue to be a great place for nefarious and motivated attackers to hide, and it will become even easier to secrete harmful malware as network complexity increases. There are also too few people chasing too many vacancies, and therefore organisations will need to outsource security to maintain levels. Attackers will never stand still but will continue to evolve their capabilities, leading inevitably to a plethora of solutions, thus making it increasingly difficult for organisations to choose the right cyber-security solutions. The internet of things is also an issue. Increasingly, everyday items will become IP-ready, opening up new opportunities for attackers and creating an ever-greater need for cyber-security. INDUSTRY VIEW
g.mann@encodegroup.com encodegroup.com
Andy Johnson, Managing director, EMEA/APAC, GTT
THERE ARE too many to list, which highlights the overarching problem: hackers and fraudsters are continually developing new attack vectors, many of which are enabled by the new applications and devices that businesses are continually adding, such as wearables and the internet of things. This is overwhelming for IT departments and leaves them with little time to keep up with emerging attack methods, new security tools and changing regulatory requirements related to security and privacy. That’s why businesses are increasingly turning to managed service providers that have the tools and expertise to stay ahead of hackers and fraudsters. For example, a leading security vulnerability is Logjam, which undermines Transport Layer Security by exploiting weaknesses in the size and type of key exchanged between two systems, such as a point-of-sale device and the card processor. Managed TLS VPN services mitigate this threat by using private networks and techniques such as refusing requests to downgrade encryption strength. INDUSTRY VIEW
Andy.Johnson@gtt.net www.gtt.net
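A worked example of the "refusing to downgrade" technique, added here and not GTT's code: the client-side check that stops Logjam is to parse the Diffie-Hellman group in the server's ServerKeyExchange message and abort the handshake if the prime is too small, instead of silently accepting a 512-bit export-grade group that a man-in-the-middle has steered the connection onto. The 2048-bit floor is an assumed policy value, and the two groups in the code are constructed to size only (they are not real primes, and the bytes are not from a real handshake).

```python
"""Refuse a weak Diffie-Hellman group before finishing a TLS handshake.

Added example for the Logjam point above; it is not GTT's code.  Logjam works
because a man-in-the-middle can steer the handshake to a DHE_EXPORT suite and
the client then accepts the 512-bit group the server sends.  "Refusing to
downgrade" on the client side means parsing the ServerDHParams in the
ServerKeyExchange message (RFC 5246 section 7.4.3) and rejecting the group
before any key is derived.  MIN_DH_BITS is an assumed policy floor, and the
two groups at the bottom are constructed to the right size only; they are
not real primes and not captured handshake data.
"""
import struct

MIN_DH_BITS = 2048  # assumption: policy floor; the 512-bit export groups fall far below it


class WeakDHGroup(Exception):
    """Raised when the server's DH parameters fail policy; the handshake must be aborted."""


def _read_vector(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then that many bytes."""
    if off + 2 > len(buf):
        raise ValueError("truncated ServerDHParams")
    (length,) = struct.unpack_from("!H", buf, off)
    off += 2
    if length == 0 or off + length > len(buf):
        raise ValueError("bad DH vector length")
    return buf[off:off + length], off + length


def parse_server_dh_params(body):
    """ServerDHParams = dh_p, dh_g, dh_Ys.  The signature that follows is left to the TLS stack."""
    p_raw, off = _read_vector(body, 0)
    g_raw, off = _read_vector(body, off)
    ys_raw, off = _read_vector(body, off)
    return (int.from_bytes(p_raw, "big"),
            int.from_bytes(g_raw, "big"),
            int.from_bytes(ys_raw, "big"))


def check_dh_group(body, min_bits=MIN_DH_BITS):
    """Return the prime size in bits if the group passes policy, else raise WeakDHGroup."""
    p, g, ys = parse_server_dh_params(body)
    bits = p.bit_length()
    if bits < min_bits:
        raise WeakDHGroup(f"{bits}-bit DH prime is below the {min_bits}-bit floor")
    if p % 2 == 0:
        raise WeakDHGroup("DH prime is even")
    if not 1 < g < p - 1:
        raise WeakDHGroup("generator out of range")
    if not 1 < ys < p - 1:
        # 0, 1 and p-1 force the shared secret into a trivial value
        raise WeakDHGroup("server public value out of range")
    return bits


def encode_server_dh_params(p, g, ys):
    """Serialise ServerDHParams the way a server puts them on the wire."""
    out = b""
    for n in (p, g, ys):
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed groups: correct size, NOT real primes (size is what the Logjam check hinges on).
EXPORT_GRADE_P = (1 << 511) | 1   # 512 bits, the size of the DHE_EXPORT groups Logjam breaks
STRONG_P = (1 << 2047) | 1        # 2048 bits


def evaluate(p):
    """Simulate receiving a ServerKeyExchange for group p: ('accept', bits) or ('reject', why)."""
    msg = encode_server_dh_params(p, 2, pow(2, 12345, p))  # pow(): a stand-in public value
    try:
        return ("accept", check_dh_group(msg))
    except WeakDHGroup as why:
        return ("reject", str(why))


if __name__ == "__main__":
    for name, p in (("export-grade 512-bit", EXPORT_GRADE_P), ("2048-bit", STRONG_P)):
        print(name, "->", evaluate(p))
```

Run it and the 512-bit group is rejected while the 2048-bit one is accepted. In practice this check belongs inside the TLS library (current OpenSSL releases and the major browsers reject small DH groups for exactly this reason), and the server side should disable the DHE_EXPORT suites altogether so there is no weak group to be downgraded to.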