The Malta Independent | Thursday 11 June 2015
Size doesn’t matter in cybersecurity

83% of large organisations ranked themselves as below “developed” in maturity to address cybersecurity risks. Up to 45% admit they are not able to measure, assess and mitigate cybersecurity risk.

These were just some of the findings from the ‘Cybersecurity Poverty Index’ conducted by RSA, the security division of EMC. The inaugural study compiles survey results from more than 400 security professionals across 61 countries. The survey allowed participants to self-assess the maturity of their cybersecurity programmes, using the NIST Cybersecurity Framework (CSF) as the measuring stick. The research provides valuable global insight into how organisations rate their overall cybersecurity maturity and practices across a variety of organisational sizes, industries and geographies.

While larger organisations are typically thought of as having the resources to mount a more substantive cyber defence, the results of the survey indicate that size is not a determinant of strong cybersecurity maturity, and nearly 75% of all respondents self-reported insufficient levels of security maturity. The lack of overall maturity is not surprising, as many organisations surveyed reported security incidents that resulted in loss or damage to their operations over the past 12 months.

The most mature capability revealed in the research was the area of Protection. The results provide quantitative evidence that the most mature area of organisations’ cybersecurity programmes and capabilities is preventative solutions, despite the common understanding that preventative strategies and solutions alone are insufficient in the face of more advanced attacks. Further, the greatest weakness of the organisations surveyed is the ability to measure, assess and mitigate cybersecurity risk, with 45% of those surveyed describing their capabilities in this area as “non-existent” or “ad hoc”, and only 21% reporting that they are mature in this domain. This shortfall makes it difficult or impossible to prioritise security activity and investment, a foundational activity for any organisation looking to improve its security capabilities today.

Counter to expectations, the research indicates that the size of an organisation is not an indicator of maturity. In fact, 83% of organisations surveyed with more than 10,000 employees rated their capabilities as less than “developed” in overall maturity. This result suggests that large organisations’ overall experience and visibility into advanced threats dictate the need for greater maturity than their current standing. Large organisations’ weak self-assessed maturity ratings indicate their understanding of the need to move to detection and response solutions and strategies for more robust and mature security.

Also counterintuitive were the results from financial services organisations, a sector often cited as industry-leading in terms of security maturity. Despite conventional wisdom, the financial services organisations surveyed did not rank themselves as the most mature industry, with only one third rating as well-prepared. Critical infrastructure operators, the original target audience for the CSF, will need to make significant steps forward in their current levels of maturity. Organisations in the telecommunications industry reported the highest level of maturity, with 50% of respondents having developed or advantaged capabilities, while Government ranked last across industries in the survey, with only 18% of respondents ranking as developed or advantaged. The lower self-assessments of maturity in otherwise notably mature industries suggest a greater understanding of the advanced threat landscape and their need to build more mature capabilities to match it.

Despite the fact that the CSF was developed in the United States, the reported maturity of organisations in the Americas ranked behind both APJ and EMEA. Organisations in APJ reported the most mature security strategies, with 39% ranked as developed or advantaged in overall maturity, while only 26% of organisations in EMEA and 24% of organisations in the Americas rated as developed or advantaged.

For more information on RSA’s Cybersecurity Poverty Index report, visit http://bit.ly/1GoPWqq

e-Codex General Assembly meets in Malta

Announces an independent and secure solution for the digital transmission of sensitive data in judicial cases

MITA has just hosted a two-day e-Codex General Assembly meeting with delegates from the 24 partner states along with other official bodies such as the Council of the Notariats of the European Union (CNUE) and the Council of Bars and Law Societies of Europe (CCBE). Yesterday the e-Codex (e-Justice Communication via Online Data Exchange) Assembly was addressed by Hon Owen Bonnici, Minister for Justice, Culture and Local Councils, and Hon José Herrera, Parliamentary Secretary for Competitiveness and Economic Growth.

The goal of e-Codex, a €24 million EU part-funded project which in Malta is being supervised by MITA, is to improve the cross-border access of citizens and businesses to legal means in Europe as well as to improve the interoperability between legal authorities within the EU.

During the meeting in Malta the e-Codex partners announced the launch of the Standalone Connector, an independent and secure solution for the digital transmission of sensitive data in judicial cases. This is especially interesting for small states that have low volumes of cross-border claims/litigations and therefore do not have their own dedicated application to process these transactions. European citizens will, in the near future, be able to initiate cross-border claims directly from the e-Justice Portal.

In his address, Minister Bonnici spoke about the importance of e-Justice in addressing the justice reform programme and how Malta is focusing on expediting the interactions between the legal profession and the courts through the implementation of electronic systems. Such systems allow seamless interaction with the Courts, which users can initiate through the device of their choice.

“We have recently provided mobile-enabled electronic services to encourage more citizens to interact electronically with the courts and therefore allowing them to gain better insight to the status and progress of their cases,” said Hon Bonnici. “I believe that the e-Codex project represents a quantum leap forward towards making cross-border justice accessible to the citizen and as the project moves toward closure I trust that the continual sustainability of the achievements will be on the top of the project’s agenda.”

Hon Bonnici also revealed that Malta will be a pilot country to host the standalone connector, thereby becoming directly connected to the e-Justice portal.

Hon Herrera welcomed initiatives such as e-Codex that offer a number of benefits for small nations by providing a single homogeneous e-delivery framework. He explained that having a single architectural framework provides savings on operational costs and facilitates the interconnection of the ICT systems of the future.

“The application of ICT makes judicial procedures more transparent, efficient and economic. At the same time, it helps citizens, companies, administrations and legal practitioners to get facilitated access to justice. This means not only smoother access to information, but also the ability to process cross-border cases more efficiently.”

Hon Herrera stated that as Malta focuses on achieving a high penetration rate of digital services through the implementation of the Digital Malta Strategy, Government is also seeking solutions to problems that have sometimes kept services bound to manual processes and have therefore prevented them from being re-engineered into the digital world.

About e-Codex

In a Europe without borders, cross-border judicial cooperation is crucial to enable and stimulate the mobility of citizens and businesses. In an increasingly digital society, such judicial cooperation relies on e-Justice to facilitate the interaction between different national and European actors in legal procedures. At a time when the physical barriers between countries in the EU have been removed, the digital era poses new cross-border challenges: challenges related to different standards, different protocols, the cross-border recognition of identities, mandates, electronic signatures, and so forth.

These are the reasons why the EU has part-funded a €24 million project which runs over a 66-month period. Through this funding mechanism e-Codex has developed technical solutions that can be used in or between member states to support cross-border operation of processes in the field of justice. Through e-Codex, member states and associated states have jointly developed interoperable building blocks and are implementing them in real-life settings through pilot projects.

The Malta e-Codex General Assembly comes at a pivotal stage of the project, where many of the pilot projects come to life and start to transact across the e-Codex gateways, allowing citizens of the European Union to enjoy simplified and reachable remedies through e-Justice. The European Payment Order pilot is already running in a good number of member states. In the immediate and subsequent months this will be followed by pilots in the areas of Small Claims, Business Registers, Mutual Legal Assistance in Criminal Matters, European Arrest Warrant, Framework Decision 909 on Exchange of Prisoners, and Mutual Recognition of Financial Penalties.

For more information about e-Codex visit www.e-codex.eu

Roderick Spiteri is Marketing and Communications Manager at MITA and editor of Malta Independent ICT feature.

The Malta Independent ICT Feature

Cyber criminals often try to steal your data by deceiving you into thinking they are someone they’re not. One of the means of doing this is through phishing. They masquerade as a trustworthy entity by sending you an official-looking email asking for your password or bank details, with the hope that you fall for the trap and send them your data. A new study found that almost no one is really able to identify correctly all phishing email attempts. This week we look at this study whilst suggesting some do’s and don’ts to protect yourself from becoming a victim of a phishing scam.

This week MITA is hosting the e-Codex members who are meeting in Malta for their General Assembly. During their two-day assembly, they have announced the launch of a new solution that will see the digital transmission of sensitive data in judicial cases. Malta will be one of the forerunners in the implementation of this solution.

A new study has confirmed that size does not matter when it comes to cyber security. Being a huge corporation with thousands of employees does not make you any better in defending yourself against cyber threats. The study found that the majority of such large organisations rate themselves as underdeveloped in addressing cyber security risks.

All ICT Features are available on www.mita.gov.mt/ictfeature

97% of people globally unable to correctly identify phishing emails

Recently, Intel Security released the findings of their phishing quiz, which tested consumer knowledge of, and ability to detect, phishing emails. The quiz presented ten emails compiled by Intel Security and asked respondents to identify which of the emails were phishing attempts designed to steal personal information and which were legitimate.

Of the approximately 19,000 survey respondents from 144 countries, only 3% were able to identify every example correctly, and 80% of all respondents misidentified at least one of the phishing emails, which is all it takes to fall victim to an attack.

Cyberscammers use phishing emails to get consumers to click on links to websites they’ve created solely for the purpose of information theft. They trick users into typing their names, addresses, login IDs, passwords, and/or credit card information into fields on sites that look like they belong to real companies. In some cases, just clicking the link provided in the email will automatically download malware onto the user’s device. Once the malware is installed, hackers can easily steal the victim’s information without their knowledge.

Globally, the 35-44 year old age group performed best, answering an average of 68% of questions accurately. On average, women under the age of 18 and over the age of 55 appeared to have the most difficulty differentiating between legitimate and phony emails, identifying six out of ten messages correctly. On the whole, men gave slightly more correct answers than women, averaging a 67% accuracy rate versus a 63% rate for women.

The world: phishing bait?

Of the 144 countries represented in the survey, the U.S. ranked 27th overall in ability to detect phishing, with 68% accuracy. The five best performing countries were France (1), Sweden (2), Hungary (3), the Netherlands (4), and Spain (5). No statistics for Malta were available.

Even real emails can be deceptive

Interestingly, the survey found that the email most often misidentified was actually a legitimate email. This email asked the recipient to take action and “claim their free ads.” People often associate free prize offers with phishing or spam, which is likely the reason a large number of people misidentified the email.

“Phishing emails often look like they are from credible sites but are designed to trick you into sharing your personal information,” said Gary Davis, Chief Consumer Security Evangelist at Intel Security. “Review your emails carefully
and check for typical phishing clues including poor visuals and incorrect grammar, other clues which may indicate that the email was sent by a scammer.”

To better protect yourself from becoming a victim of a phishing scam, Davis offers the following advice:

Do:
• Keep your security software and browsers up to date
• Hover over links to identify obvious fakes; make sure that an embedded link is taking you to the exact website it purports to be
• Take your time and inspect emails for obvious red flags: misspelled words, incorrect URL domains, unprofessional and suspicious visuals and unrecognized senders
• Instead of clicking on a link provided in an email, visit the website of the company that allegedly sent the email to make sure the deal being advertised is also on the retailer’s homepage

Don’t:
• Click on any links in any email sent from unknown or suspicious senders
• Send an email that looks suspicious to friends or family as this could spread a phishing attack to unsuspecting loved ones
• Download content that your browser or security software alerts you may be malicious
• Give away personal information like your credit card number, home address, or social security number to a site or e-mail address you think may be suspicious