Predictable Cloud Spend. Right Sized Resources.
Apptio Cloud Business Management provides cost and resource optimization capabilities across all leading public cloud providers (AWS, Azure and Google Cloud) so IT leaders can increase the efficiency of public cloud spending and slash waste from over-purchase and underuse.
Create visibility & control: Visualize cost and consumption across multiple providers in a single pane of glass.
Optimize resources & decisions: Take action on rule-based and machine learning-driven optimization recommendations across compute, storage, and data.
Drive accountability: Collaborate with cloud consumers to lower costs and increase speed through tagging, governance, and showback/chargeback.
Try it free today! apptio.com/CBM-trial
To get started all you need is your cloud provider account credentials, and Apptio does the rest, ingesting provider billing, purchasing detail, and other relevant data.
contents
cybersecurityeurope
INDEX
The governance of cyber security is changing as executive leadership now assumes greater responsibility in the strategic decision-making.
editor’s view
Cyber crime now impacts society at all levels. So, should cyber security become part of corporate social responsibility? And can organisations that fail to fix system flaws be accused of collusion with the criminals?
NEWS ROUND-UP
Human error now top risk say surveyed c-suites; cyber readiness has ‘stalled’; bots cost companies €3.75m a year; slow-running systems hurt business productivity most; banks’ cyber readiness to be tested.
CSE PROFILE
EUROFOCUS: BELGIUM
The country plays host to more cyber policy-making agencies than any other European state, and it comes as somewhat of a surprise that Belgium has elsewhere a mixed record when it comes to national cyber security readiness. But brave little Belgium is bouncing back.
RANSOMWARE: It’s back and it wants more...
Reports of the demise of ransomware threats have been exaggerated. Businesses will have to redouble their defences as new, more devious variants of extortionate malware grow – and victims have to decide whether it’s pay or ‘no way’ when it comes to recovering their data.
HIT LIST: biometric identification
From head to toe, biometric tech’s busy turning our corporeal features into personal identifiers. We look at 10 biometric security checkpoints.
OPINION
PAULA JANUSZKIEWICZ
Effective cyber security is all about protection and defence, to be sure; but prevention is the real key to best practice, says CQURE’s Paula Januszkiewicz. She advocates a five-point ‘back to basics’ approach to addressing the most commonly-felt pain points.
legal threats: law firms in the firing line
European law firms must become more cyber-savvy as clients want them to provide more digitally-focused services, and also as threats target their data. Law firms hold much sensitive client information, and are key enablers in business transactions, such as M&As: that’s highly valuable data threat agents are keen to misappropriate.
two-way stretch: talking back to the techies
A communications gap between frontline IT security teams and the c-suite exists in organisations across Europe. This disconnect is blamed often on a lack of focus on cyber security at the top – but should this argument be tested? Could it be the case that the techies also need to improve their communications skills?
INTERVIEW
BEN RUSSELL, NATIONAL CRIME AGENCY
As Head of Cyber Threat Response at the NCA National Cyber Crime Unit, Ben Russell holds responsibility for the UK’s cyber crime intelligence, strategy and capability. He explains how the counteraction against the UK’s international digital adversaries is succeeding.
Managing Editor James Hayes Project Director Helen Sinclair Creative Director Digital/Print Lee Gavigan Operations & Production Alena Veasey Accounts Controller Martin Reece
Cyber Security Europe is produced and published by World Show Media Ltd Tel: +44 (0) 203 960 1999 Fax: +44 (0) 845 862 3433 Website: worldshowmedia.net For all sales enquiries: operations@worldshowmedia.net For all corporate enquiries: corporate@worldshowmedia.net
cyber security AWARENESS training
FUTURE VIEW
With a policy-based cyber awareness staff training strategy, organisations can turn their workforces into perimeter guards who serve as ‘human firewalls’ against attackers. But to win full engagement, such training should be delivered using employee-friendly tools and techniques.
team SKILLS MANAGEMENT for the 2020s
The cyber skills gap is at an all-time high, security tech evolves rapidly, threats evolve even faster. So, how do organisations meet both 2019’s needs, and plan for those of the near-future? And will today’s cyber security skills still be relevant to the threat landscape of 2025?
EDITORIAL CONTRIBUTORS
Cyber Security Europe’s panel of top contributing writers come from leading solutions vendors, sector agencies, and journalistic market-watchers. Meet the team here.
Cyber Security Europe is published by World Show Media Ltd and provides business and government executives with the intelligence and insight required to prepare their organisations for the ever-changing cyber threat landscape. Copyright © 2019 World Show Media. All rights reserved. No part of this publication may be reproduced, stored in any retrieval system or transmitted in any form or by any means, electronic, photographic, recording or otherwise, without the prior written permission of World Show Media. While every effort is made to ensure that information is correct at the time of going to press, neither the publisher nor event organisers can be held responsible for any errors, omissions and changes to the event programme and publication content.
EDITOR’S EXPO PICKS
Executives can benefit from decision optimisation tools that help them make better-informed choices when it comes to business event outcome prediction and learning from past trends about future threats.
Sign-up for Cyber Security Europe’s free e-newsletter – browse to: cseurope.info/subscribe
advertorial
Automated hacking isn’t new, but it is getting more serious – and now there’s a new wave of well-informed threats, says Senior Security Expert Robert Krenn.
Online activities of all organisations are increasing exponentially and changing constantly. This is also true for digital vulnerabilities and techniques that malicious actors use. External digital threats are increasing, such as phishing websites, fake social media accounts and data regarding your clients and employees floating around on the dark web... When organisations review their IT security plans, it’s important that they realise cyber threats change by the month, and any forward-focused risk evaluation is likely to be somewhat outdated by the time it’s implemented. Automated hacking is a prime example of the kind of threat that used to be fairly low-level, but is now escalating in its sophistication and potential to inflict damage. Much of the increase in automated hacking relates to the growth of OSINT, open source intelligence data collected from publicly available sources to be used in an intelligence (knowledge of) context – and with cyber attackers, that means in support of malicious intent. Hackers can use OSINT to easily find vulnerable targets on an internet-wide scale. They can, for example, find all IP addresses located in London running on a specific version of webserver software. The results can then be used to launch an automated attack. OSINT tools operate at scale and can assess a large network estate fast and thoroughly. These continually refined and updated tools can turn non-tech cyber criminals into Grade A threats across the full length of the ‘cyber kill chain’. Therefore, managing and protecting your online footprint is a continuous task – and one that can no longer be done manually. The good news is that automated hacking tools can also help your organisation’s defensive security by identifying where you are vulnerable, so that you can take preventative measures to protect your online footprint. Many automated hacking techniques are integrated in Cybersprint’s Digital Risk Protection platform. This platform continuously scans and analyses a broad range of open source intelligence and bespoke data sources, collecting data referring to your brand. The Web module, for example, analyses a feed of approximately 450,000 newly registered domains every 24 hours, looking for domains your organisation or malicious actors put online. The detected IT-assets relating to your brand are categorised by their threat level and supplemented with contextual information. Cybersprint’s platform provides you with a continuous overview of your online attack surface and rapidly detects threats. Remediate your digital vulnerabilities – don’t let cyber criminals keep you up at night.
Cybersprint will be exhibiting at Infosecurity Europe 2019 (Olympia London, 4-6 June) on Stand M40
MORE INFORMATION
CYBERSPRINT
To protect your reputation, you need to minimise cyber risks. Cybersprint’s Digital Risk Protection platform provides continuous, real-time insights into your organisation’s digital attack surface. They prevent, detect and resolve cases of brand abuse, data leaks, CEO-fraud, phishing, and hacking.
Try their free Quickscan and make your organisation’s invisible digital vulnerabilities visible. Pictured: Robert Krenn, Senior Security Expert at Cybersprint.
CONTACT For further details please visit: | cybersprint.com | info@cybersprint.com
viewpoint
Cyber crime of some kind now impacts society at all levels. So should cyber security be part of organisations’ corporate social responsibility?
Run the term ‘cyber crime’ past many European senior executives, and they’ll likely assume that you are referring to routine digital felonies like hacking, malware and distributed denial-of-service (DDoS) attacks. Other varieties of illegal net-based nefarious activity, meanwhile, tend to be classified under the heading of ‘online criminal activity’. Such crimes are less likely to get headline media coverage than big brand data hacks, but their cumulative pernicious effect on economic and societal stability should not be underrated. The interconnected nature of crime – where the proceeds of an established criminal activity fund the growth of another – is already part of the dynamics of digital misdemeanor. It’s a concern that has informed the European Union’s Cybersecurity Act that passed into law earlier this year. The Act’s ambits reflect a wider concern that the surplus proceeds of cyber crime are used to fund growth of criminal activity in other areas, and cause malefaction to spill over from cyber space into physical space. Business leaders across Europe’s organisations need to be most aware of the indirect impact this phenomenon has on their own organisations’ security governance. Several subcategories of cyber crime are labeled electronic payment fraud – most acutely for senior executives being Business Email Compromise and Email Account Compromise. These cleverly orchestrated scams involve teams who will compromise legitimate business email accounts – e.g., through social engineering or computer intrusion techniques – to cause unauthorised transfers of company funds. As European firms reach out to global commerce, such risks grow commensurately. To keep up with the threats, effective cyber security governance is as much about super-rigorous testing and fixing existing infrastructure as it is about the latest defensive solutions.
Surplus proceeds of cyber crime are used to fund growth of criminal activity in other criminal areas.
Some organisations that build and manage their IT security infrastructures on-premises plan to make a commitment to a total cyber security assurance programme (CAP) integral to their corporate social responsibility policies. Such CAP programmes would cover everything from staff cyber awareness to making penetration testing a routine procedure. Organisations that fail to safeguard themselves against attack risk exposing themselves to the suggestion that leaving their systems vulnerable is tantamount to aiding and abetting the Black Hatters.
James Hayes
REACH OUT
FEEDBACK TO CYBER SECURITY EUROPE
Cyber Security Europe magazine is committed to engagement with its readership: if you have any feedback on this issue, I’d be pleased to receive it via email at the address given right.
CONTACT DETAILS Contact our editorial team via the Managing Editor: | james.hayes@cseurope.info
CyberSecurity
Let’s talk about
security !
Securing Critical Business
Airbus CyberSecurity provides a wide range of training and consulting services to maximise your security posture. Our services can be tailored to the specific needs of your organisation and help you achieve compliance with national and international standards. The content of courses can be crafted for a range of audiences - from technical experts to operational managers, and include operational exercises on our self-developed cyber range. Our consultancy services can range from vulnerability audits to full architecture design and implementation, whatever is needed to help you build a resilient network and organisation. For your leap into the digital future.
Contact us :
Contact.cybersecurity@airbus.com www.airbus-cyber-security.com
NEWS & products
Selected news and views, plus all the latest industry and technology updates for cyber-savvy executives
Banks’ cyber resilience tested… more women in security roles at c-suite level… cyber readiness ‘stalled’… bots costing companies average of €3.57m a year… human error is ‘top risk’… data breach job losses... c-suiters even more targeted by cyber attackers... Europol and MRC Europe fight e-commerce fraud…
Cyber attackers will now face European Union (EU) sanctions designed to deter attacks on European organisations. The EU has ratified a new sanctions regime aimed at cyber threats, that will ‘impose tough consequences’ for perpetrators of hostile cyber incidents. The sanctions regime will involve travel bans and asset freezes against those known to have been responsible for malicious actions. “Our message to governments, regimes and criminal gangs prepared to carry out cyber attacks is clear,” says UK Foreign Secretary Jeremy Hunt. “This is decisive action to deter future cyber-attacks.” The new sanctions followed a diplomatic push by the UK and the Netherlands to allow the 28-country bloc to move more quickly against cyber attacks that could disable critical infrastructure. | europa.eu
[Figure: Very/extremely vulnerable to data security threats, shown for Sweden, Global, Total EU, Holland, UK and Germany. Source: 2019 Thales/IDC Data Threat Report Survey Europe Edition]
Europe’s digital transformation programmes leave sensitive data in its enterprises more exposed to breaches, a study warns. The 2019 Thales Data Threat Report Europe Edition survey of 1,200+ executives found that only 55% of respondents trust their move to digitally-transformative technologies leaves them ‘very’ or ‘extremely’ secure. The UK is most confident in its security levels, with 66% of its execs polled saying they are ‘very’ or ‘extremely’ secure; confidence is lower in Germany at 49%. Ninety per cent of polled organisations acknowledge that they use, or will be using, all-cloud environments by the start of 2020. Their biggest fear (38%) concerns the security of data if their cloud provider is acquired or fails, Thales says. | thalesesecurity.com/2019/data-threat-report-euro
EXHIBITION ALERT
CYBER SECURITY EUROPE AT INFOSECURITY EUROPE 2019
As Europe’s leading cyber security publication and online platform for European c-suite and board-level executives, Cyber Security Europe is exhibiting at Infosecurity Europe 2019 (4-6 June, London Olympia). Readers who are also going to be at the show are welcome to drop by our stand – Stand X2 – say hello, and meet the team! | infosecurityeurope.com
All use cases. All standards. All devices. The affordable option.
Always 2 moves ahead!
Effective email encryption is a hard nut to crack. Our user-friendly solutions handle even the toughest challenges. totemo. The Email Encryption Experts.
We protect more than 6,000 mail domains and over 3 million users worldwide. Curious? Get a free trial! www.totemo.com/free-trial
Women represent 24% of the global cyber security workforce, according to the 2019 Women in Cyber Security Report from professional body (ISC)². “More women are coming into the field of cyber security,” said (ISC)² CEO David Shearer, “and not only working in the frontline, but also in the c-suite.” More women (52%) in the survey hold a post-graduate degree than their male counterparts (44%). The report’s findings indicate that men and women share many of the same concerns about their roles as frontline cyber security practitioners: they include a ‘lack of commitment from upper management’, the ‘reputation of their organisation’, and the threat of AI reducing the need for security staff. The report also found that, although men still outnumber women in cyber security by about three to one, women in the field are advancing to leadership positions, with 28% of women vs. 19% of men at c-suite executive level. | isc2.org
Most US c-suite executives surveyed by Oracle believe that investing in security software, infrastructure and emerging technologies is critical to the protection of their data from cyber security risks. C-suite execs also said that they choose to invest more in their workforces – via staff training and recruitment – than in technology, like Artificial Intelligence (AI) and Machine Learning (ML). These advanced technologies are, however, deemed essential to advancing security and significantly minimising human error, as they rank this factor as the top cyber security risk for their organisations. Asked what they perceived to be the greatest security threat to the technology industry, attacks by foreign governments was ranked highest by 30% of c-suite respondents. The survey, Security in the Age of AI, details the views and actions of c-suite executives, policy makers, and the public, in relation to cyber security and data protection. ‘Cyber Awareness Training’ feature – see page 50. | oracle.com
[Figure: Negative consequences that result from a credential stuffing attack. Categories: application downtime from large spikes in login traffic; costs to remediate compromised accounts; lower customer satisfaction; lost business due to customers switching to competitors; compromised accounts leading to fraud-related financial losses; damaged brand equity from news stories or social media; other. Source: Ponemon Inst./Akamai]
Companies lose an average of €3.57m due to ‘credential stuffing’ attacks each year, research by Ponemon Institute on behalf of Akamai has indicated. Credential stuffing is where hackers systematically use botnets to try stolen login information across web-based accounts. The research identified that the volume and severity of credential stuffing is increasing, and European companies polled will now experience an average of 11 credential stuffing attacks each month. Each attack targets an average of 1,041 user accounts, and can cause costly application downtime, loss of customers, and resource-consuming involvement of IT security teams. This is resulting in annual average costs per business of €1.07m, €1.42m and €1.07m, respectively, in addition to the direct costs connected to the fraud incidents themselves. | akamai.com
INDUSTRY PARTNERSHIPS
EUROPOL AND MRC EUROPE JOIN TO FIGHT E-COMMERCE FRAUD
Europol’s European Cybercrime Centre (EC3) has signed a MoU with the European Merchant Risk Council (MRC Europe), the business association set-up to fight e-commerce fraud in Europe. MRC Europe is a partner of EC3 in taking action against e-commerce fraud in the European market landscape. MRC Europe is a key stakeholder in the recurrent Europol e-Commerce Action, an international EMPACT operation that targets fraudsters and the serious organised crime groups with the help of national competent authorities, as well as MRC’s network of 535 e-merchants. “MRC provides an excellent platform in the fight against organised crime,” said EC3 Head Steven Wilson. | europol.europa.eu
C-level executives are now the major focus for social engineering attacks, with senior managers and board-level members 12 times more likely to be targeted than they have been in recent years. According to the Verizon Data Breach Investigations Report 2019, successful ‘pretexting’ attacks on some senior executives can reap large dividends as a result of the bosses’ often unchallenged approval authority over financial transfers, and privileged access into critical systems. Typically time-starved and under pressure to deliver, those in senior leadership roles quickly review and click on emails prior to moving on to the next, making suspicious emails more likely to get through, the study states. The Verizon report also reckons that ransomware attacks are still going strong: They account for nearly 24% of incidents where malware was used. Ransomware returns – see page 24. | enterprise.verizon.com
Slow-running IT systems and broadband connectivity issues do more to disable business productivity than cyber attacks, new research suggests. A survey of 1,137 workers by Probrand revealed that UK companies lose £3.4bn annually due to IT-related bugbears. Losing 5% of a working day to tech issues equates to 21 minutes of lost productivity per day, 1.75 hours a week, or seven hours (one working day) per month: which totals £3.4bn a year. The top three workplace IT issues reported were: slow-running equipment (34%), internet connectivity issues (27%), and cyber security breaches (19%). Other workplace hobblers include printers not working (11%), and outdated hardware (9%). Those surveyed who have in-house IT departments reported that problems take an average of 6.2 hours to be resolved. Knowing they will have to wait for assistance, many workers attempt to resolve IT issues themselves, distracting them from their own work, and often worsening problems. | probrand.co.uk
EXPO OVERVIEW
Cyber Security & Cloud Expo Europe 2019 will host two days of top level discussion around cyber security and cloud and the impact they have on sectors like energy, government, financial services, and healthcare. The event’s conference agenda features case studies and panel discussions within the dedicated tracks: Enterprise Cyber Security, Cyber Intelligence, Regulation & Compliance, Security Solutions Development.
EXPO IN BRIEF
RAI, Europaplein 24, 1078 GZ Amsterdam, Netherlands
Date & opening hours: 19-20 June 2019, Wednesday 08:00 to 18:00, Thursday 08:00 to 18:00
AGENDA IN BRIEF
The expo conference agenda features four security-focused tracks: Developing Security Solutions (cloud, threat detection, penetration testing, cyber risk, network security, DevSecOps); Cyber Security Innovations (biometrics, Security Information and Event Management (SIEM), innovation, startups, firewalls, Software-as-a-Service); Enterprise Security (Internet of Things, Industrial Internet of Things, automation, training); Emerging Technology & Regulations (the impact that advanced tech such as blockchain, AI and Machine Learning, will have on cyber security). 2019 Expo highlights – turn to pages 16-17.
FULL AGENDA
13
The UK may need to build a resilience model against ‘catastrophic’ cyber attacks that could destabilise the finance sector, the Bank of England has said. The BoE is concerned that some banks will not be able to meet minimum requirements for service restoration within timescales it’s to set and test. “If this were the case, then it would fall to either the public or private sectors to come up with a collective solution,” said BoE Director of Supervisory Risk Specialists Nick Strange (left) at the OpRisk Europe conference. “A US initiative called ‘Sheltered Harbor’ has been set up to protect customers, financial institutions, and public confidence in the financial system if a cyber attack causes critical systems to fail.” Under this scheme banks provide account data to a central vault, and designate a restoration partner (a participating firm) so that if the plan is activated, that partner can restore critical data. | bankofengland.co.uk [PHOTO: FT CYBER SECURITY SUMMIT EUROPE]
A marked increase in the number and cost of cyber attacks has seen 61% of firms polled by Hiscox report one or more attacks in the past 12 months, yet the proportion achieving top scores for their cyber security readiness is down year-on-year. The insurer’s Cyber Readiness Report 2019 found that average losses associated with all cyber incidents have risen from €204,463 in 2018 to €329,497 in 2019 – an increase of 61%. For large firms with between 250 and 999 employees cyber-related losses now top €625,062 on average compared with €144,672 a year ago. German firms suffered the most, with one reporting a cost for all incidents of €42m. The report also found that expenditure on cyber security among organisations polled is up by 25%: the average spend on cyber security is now €1.29m – up 24% on 2018 – and the pace of spending is accelerating. Based on all respondents globally, 60% have taken out cyber insurance, and 31% plan to do so in the future. | hiscox.co.uk
INDUSTRY PARTNERSHIPS
ECSO AGREES MEMORANDUM WITH ETSI
The European Cyber Security Organisation (ECSO) and the telecommunications standards body ETSI have signed a MoU to facilitate a closer co-operation in cyber security and standardisation. Standardisation is now paramount in the field of cyber security, says the ECSO, especially after the EU Cybersecurity Act established a certification framework.
European businesses want to trust their employees when it comes to cyber security, but they need to better leverage technology to do so, according to research from ObserveIT. Its study found that employers should develop clear cyber security protocols and invest more in employee training programmes and monitoring tools to verify safe user activity. On average, 46% of respondents agree that their organisation ‘doesn’t have confidence in its workforce’ when it comes to keeping valuable data assets safe. This lack of trust is even higher in the public sector (53%), IT services (52%) and manufacturing (51%) sectors. 92% of respondents agree that investment in new technologies to monitor insider threats will be crucial for keeping information secure. | observeit.com
EXPLORING THE SECURITY NEEDS OF FUTURE TECHNOLOGY
GLOBAL: 25-26 APRIL 2019, OLYMPIA GRAND, LONDON
EUROPE: 19-20 JUNE 2019, RAI, AMSTERDAM
N.AMERICA: NOVEMBER 13-14, 2019, SANTA CLARA, CA
TOPICS INCLUDE
Data Intelligence
Ecosystem
Security
Enterprise
Privacy
Governance
Identity
Infrastructure
+44 (0) 117 980 9020 | enquiries@cybersecuritycloudexpo.com | www.cybersecuritycloudexpo.com Co-hosted Events
PARTNER event
The Cyber Security & Cloud Expo Europe 2019 exhibition and conference consists of two days packed with top-level discussion around cyber security and cloud, and the impact that they’re having across business sectors. Don’t miss this opportunity to connect with a range of acknowledged European experts.
CYBER SECURITY AND CLOUD EXPO EUROPE WILL TAKE PLACE AT THE RAI Amsterdam Conference Centre 19-20 June. Its conference agenda will highlight the innovative advances in technologies which are affecting these technological fields. With so much scheduled across its tracks, it’s a win-win event. There will be many real-life case studies and expert panel discussions within the conference’s dedicated tracks: Enterprise Security – IoT and Digital Transformation (19 June), Cyber Security Innovations (19 June), Developing Security Solutions (19 & 20th June), and Cyber Security – Emerging Tech and Regulations (20th June). These tracks will have specific focus on important sectors of emergent technology. DEVELOPING SECURITY SOLUTIONS Leading analyst Gartner predicts that over $75bn will be spent worldwide on
CS&C EVENT BRIEFING
infrastructure protection and security services in 2019. The more that we depend on information technology, the more vital it becomes to ensure that it is fully protected against cyber threats. And as cloud moves into the forefront for both consumer and enterprise computing, development of cloud security solutions is set to make up a large proportion of that budgetary expenditure. With so much key data now being stored in the cloud, the need for secure infrastructure is more imperative than ever. On Day 2, focus shifts to discussion of network security – hearing from industry professionals about their latest
Cyber security is dynamic. Now, half the job of being a tech professional is in keeping up with the newest developments and innovations. solutions, how they work, and what results are being seen by the companies now using them: it’s first-hand insight from practitioners now working at the leading edge of enterprise IT and IT security deployment. ENTERPRISE SECURITY – IOT & DIGITAL TRANSFORMATION During this track you will hear examples from across enterprise, including Internet of Things (IoT), Industrial Control Systems, energy and automotive industries as to how to implement effective enterprise cyber security.
TODAY’S MOST CRITICAL TECHNOLOGIES – AND HOW TO SECURE THEM
Cyber Security & Cloud Expo Europe 2019 brings together 10,000+ people across key tech industries for two days of world-class content from leading brands that now embrace and develop cutting-edge tech across cyber security, Big Data, Internet of Things (IoT), Blockchain, Artificial Intelligence and Cloud computing. The event’s conference highlights all the latest innovations within the technologies core to these sectors. There will be top case studies and panel discussions within the four dedicated conference tracks (outlined above). Go to the event website to find full details of the visitor pass options available, and discover which is the best for your visit to Amsterdam in June. | cybersecuritycloudexpo.com

CYBER SECURITY – EMERGING TECH & REGULATIONS
The world of cyber security has become increasingly subject to regulatory compliances and other legal mandates in recent times. Since its effectuation in May 2018, the European Union General Data Protection Regulation – GDPR – has reverberated through the IT industry (and beyond), causing many organisations to review their security provisions and plan for new investments to ensure that they operate within the law. This session will focus on the impact that new technologies such as blockchain, AI and Machine Learning will have on cyber security practice. With the use of case studies from across key vertical sectors, this track will examine threats to data, legal implications of data breaches, and the increased importance of standards and regulations.

CYBER SECURITY INNOVATIONS
Cyber security is dynamic, and the evolution of security technology is constant and unrelenting. Half the job of being a technology professional is keeping up with the newest developments and innovations. This conference track will explore some of the latest technologies available within the cyber security ‘ecosystem’, and showcase how they are being used in real world scenarios.

EXHIBITION AND CONFERENCE ACCESS OPTIONS
The Cyber Security & Cloud Expo exhibition area is combined for all four constituent events, so visitors will have access to companies exhibiting across the Cloud, Cyber Security, IoT, Blockchain, AI and Big Data spectrum. Note that visitors who want to attend all of the IoT, Blockchain and AI conferences, in addition to the Cyber Security & Cloud conferences, will need to register for an Ultimate Pass: further details can be found on the event’s website.

THE OPEN CONFERENCE TRACKS ARE:
Day One | 19 June: Developing for the IoT IoT Innovations & Technologies Data Analytics for AI & IoT Developing Blockchain Applications Blockchain for Business Investors, Start Up & Crypto Zone
Day Two | 20 June: Smart Buildings & Infrastructure Developing Cloud Security Solutions Developing AI Technologies Blockchain Technologies Blockchain for Business Investors, Start Up & Crypto Zone
EUROFOCUS
It plays host to more cyber policy-making bodies than any other European state, but Belgium still faces infosecurity challenges.
FACTS
POLICY-DRIVEN APPROACH TO NATIONAL CYBER SECURITY
Belgium adopted its first national cyber security strategy in 2013. It defines three strategic objectives across eight action domains. The three objectives are: to ensure a safe and reliable cyberspace; to provide optimal security and protection for critical infrastructures and for governmental information systems; to enable the development of national cyber security capabilities. A section of the strategy is dedicated to cyber risk management, covering threats, vulnerabilities and their impact. Within Belgium a ‘Lack of knowledge about different cyber threats’ (as noted by Cyberwider.eu) is considered to pose a significant security risk in the country – a concern that is, perhaps, borne out by the limited available research in this area.

THE CLUSTER OF CYBER SECURITY INDUSTRY BODIES HEADQUARTERED WITHIN ITS BORDERS – AND MOST SPECIFICALLY, within its capital city, Brussels – makes Belgium an epicentre of European cyber crime counteraction agencies. Influential agencies like ENISA, ECSO, the Cyber Security Coalition, and the European Organisation for Security, are each based in Brussels, alongside the country’s own state cyber security body, the Centre for Cybersecurity Belgium (CCB); the Leuven Institute of Criminology is located nearby. As the de facto ‘capital’ of the European Union (EU), Brussels also hosts some of the highest profile targets for cyber attackers; they include the Council of the European Union and the European Parliament. Belgium is proving to be the place where much pan-European cyber crime policy is debated into legislation, and the place where intelligence gathered by cyber security agencies in EU member states is pooled and collated. It comes as somewhat of a surprise, then, that according to some recent comparative studies, Belgium has elsewhere a mixed record when it comes to cyber security readiness and best practice, and has been relatively slow to impose some of the legislative safeguards to ensure that its own economy – and citizens – are as well-protected against the ravages of cyber crimes as they could be. The EC reportedly even threatened to take the federal Government of Belgium (headed since 2014 by Prime Minister Charles Michel) to court for being slow to transpose the Network and Information Systems (NIS) directive into national law. In common with its European nation-state neighbours, the cyber crime phenomenon has received growing media attention and provoked concern in Belgium over the last five years. To allay these concerns and protect its citizens, businesses, and other organisations, the government established the Centre for Cybersecurity Belgium in 2015, and successive administrations have designated cyber crime counteraction as a top priority in the country’s long-term national security plan, called the ‘Kadernota Integrale Veiligheid [Integrated Security Framework] 2016-2019’. Despite this, as the influential Leuven Institute of Criminology’s 2017 Impact of Cybercrime on Belgian Businesses report notes, to date, ‘little empirical data is available to investigate the experiences of Belgium-based businesses with cyber crime, or the impact cyber crime has had on these businesses’. As also noted by the report, with cyber crime, one of the main challenges all EU member states have had to deal with is a lack of commonly-agreed definitions that they can base EU-wide legislation around. Whereas the Council of Europe does not define cyber crime in a generic context, the EC has attempted a definition in its 2013 ‘Cybersecurity Strategy of the European Union’, as ‘a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target’.
‘Cyber crime comprises traditional offences (e.g. fraud, forgery, and identity theft), content-related offences (e.g., online distribution of unlawful pornography or incitement to racial hatred) and offences unique to computers and information systems (e.g., attacks against information systems, denial of service and malware)’. This definition (as well as the whole strategy) is, however, non-binding for the EU Member States. Fifty-three per cent of Belgian respondents to PwC’s Global Economic Crime & Fraud Survey (2018) deemed cyber crime ‘the most common economic crime in Belgium’ and believe that cyber crime will continue to be the most disruptive in the next 12 months, outperforming other types of crime. The survey also found that the known consequences of cyber crime in Belgium are that 31% of cyber crime attacks caused disruption in business processes; in 28% of those cases, data assets were misappropriated; however, theft of Intellectual Property (IP) was reported by just 2% of respondents. At the same time, 20% of the Belgian respondents to PwC’s poll indicated that they ‘do not know what the exact consequences [of a cyber incident] are’. This means that in many cases, companies might not know if there were (or were not) serious consequences, which, PwC suggests, is all the more alarming because there might have been loss or theft of critical data and/or IP. Another finding of the PwC survey was the low level of uptake of more advanced technologies that could be used in cyber threat defence, protection and counteraction: it found that a large part of the Belgian respondents have not yet fully adopted technologies like Artificial Intelligence, data analysis, pattern detection or communications monitoring, as deployed in support of defensive cyber security counteractions.
FOCUS
MIXED PICTURE OF NATIONAL CYBER SECURITY TRENDS
DLA Piper’s 2019 GDPR Data Breach Survey reveals Belgium occupies a mid-ranking among its European neighbours in terms of number of data breaches per 100,000 people (figures right; graph does not include EU states with fewer breaches-per-100K). Belgium’s DPA reports a ‘remarkable’ increase in the number of data breach notifications, complaints and requests received since GDPR effectuation. (Per capita values here calculated by dividing the number of data breaches reported by the total population of the relevant country multiplied by 100,000.)
No. of data breaches per 100k people
NETHERLANDS: 89.8
IRELAND: 74.9
DENMARK: 53.3
FINLAND: 45.1
LIECHTENSTEIN: 38.9
SLOVENIA: 35.2
LUXEMBOURG: 33
SWEDEN: 24.9
MALTA: 22.3
UNITED KINGDOM: 16.3
GERMANY: 15.6
AUSTRIA: 6.6
POLAND: 5.7
BELGIUM: 3.6
According to a review by the Leuven Institute of Criminology and KU Leuven Centre for IT and IP Law, little empirical data is available to investigate the experiences of Belgium-based businesses with cyber crime. However, selected analysis of available research and studies can provide insights into how that country fares among its continental neighbours in dealing with cyber crime and cyber security challenges.
HOW ARE BELGIAN FIRMS BEING CYBER ATTACKED
Cyber crime and asset misappropriation remain the top types of Belgian economic crime, but 2018 rates for these offenses decreased compared to 2016 results.
Source: PwC Belgium Global Economic Crime & Fraud Survey 2018
CYBER CRIME: 53% (2016: 65%)
ASSET MISAPPROPRIATION: 30% (2016: 50%)
FRAUD COMMITTED BY CONSUMER: 28% (2016: NO SURVEY)
PROCUREMENT FRAUD: 18% (2016: 19%)
BUSINESS CONDUCT/MISCONDUCT: 13% (2016: NO SURVEY)
BRIBERY & CORRUPTION: 10% (2016: 15%)
ACCOUNTING FRAUD: 10% (2016: 8%)

CYBER RISK ASSESSMENT COMPARED TO OTHER RA
The overall percentage of Belgian firms that perform generic risk assessment (RA) is somewhat on the low side. Attention to cyber crime risk, however, is increasing.
Source: PwC Global Economic Crime & Fraud Survey 2018
GENERAL FRAUD RISK ASSESSMENT: 51%
ANTI-BRIBERY & CORRUPTION: 22%
SANCTIONS & EXPORT CONTROLS: 22%
ANTI-MONEY LAUNDERING: 27%
ANTI-COMPETITIVE/ANTI-TRUST: 20%
CYBER ATTACK VULNERABILITY: 61%
CYBER RESPONSE PLAN: 35%
INDUSTRY-SPECIFIC OBLIGATIONS: 33%
OTHER: 2%
NO RISK ASSESSMENT IN LAST TWO YEARS: 8%
MORE INFORMATION
SOURCE INTELLIGENCE
Global Economic Crime & Fraud Survey 2018 | pwc.be/en/news-publications/publications/2018/global-economic-crime-survey.html
DLA Piper GDPR Data Breach Survey | dlapiper.com/en/uk/insights/publications/2019/01/gdpr-data-breach-survey
Another PwC study, Global Economic Crime & Fraud Survey 2018, revealed that at least 65% of the study’s Belgian respondents experienced economic crime in the previous two years (2017-2018), compared to 45% in 2016. Some 30% of Belgian organisations hit estimated the financial impact sustained to be between €89,550 ($100,000) and €896,740 ($1,000,000), the survey reports. Furthermore, 27% of economic crime is perpetrated by internal actors (i.e., people located within Belgium’s borders). In terms of attack methods, 66% of cyber crime within the country is the result of phishing attacks. The results underline the greater awareness and understanding in Belgium of the types of fraud, perpetrators, the role of technology, and fraud’s potential impacts and costs for a business. “We cannot equate the higher levels of reported crime with higher levels of actual crime,” explains Rudy Hoskens, Forensics Leader & Partner at PwC Belgium. “What the 2018 survey shows is that [now within Belgium] there is far more understanding of what fraud is and where it is taking place. It is particularly true of cyber crime, where there is a greater understanding of the issues, and greater investment in [defensive] controls and prevention.” The percentage of companies that perform an overall risk assessment is rather low, according to PwC. Its survey indicates, however, that entities in Belgium respond to the increased risk of cyber crime with increased attention for cyber attack responsibility (61%) compared to its global assessment figures (46%).
The three most high-profile cyber incidents to affect Belgium in recent times illustrate the diversity of the attack landscape and of the organisations in the firing line. In December 2018 the New York Times reported that hackers had infiltrated the EU’s diplomatic communications network for some years, and had downloaded thousands of diplomatic cables that revealed EU concerns about the Trump administration, struggles to deal with Russia and China, and the risk that Iran would revive its nuclear program. Belgian multi-metals business Nyrstar was attacked in January 2019. Nyrstar’s Metals Processing and Mining operations are not impacted by the cyber attack issue, but the company’s administrative operations were affected. Several of Nyrstar’s IT systems, including email correspondence, were shut down to help contain the issue. In March 2016 a teenager based in the US launched a cyber attack on Brussels Airport’s IT systems following Isis suicide bombings that killed more than 30 people. The Belgian federal public prosecutor’s office said the suspect aimed to take down the Brussels Airport Company website and infiltrate its computer systems on the evening of 22 March 2016 following the terrorist attacks, but was not successful. According to media reports, Belgian cyber investigators traced the hack source to Pennsylvania, and passed the information to authorities in the US.
Cyber crime has become the most prevalent type of economic crime in Belgium (53%), which is in second place globally (31%), behind asset misappropriation (45%). Asset misappropriation is rated in second place in Belgium, reportedly experienced by at least 30% of PwC’s Global Economic Crime & Fraud Survey respondents. “A sizable percentage of the ‘external’ perpetrators (and 70% of cases are external for our Belgian respondents) is made up of third parties with whom companies have regular relationships,” says PwC’s Rudy Hoskens. “[For instance,] Agents, vendors, shared service providers, customers and more. In other words, people and entities with whom one would expect a certain degree of mutual trust, may actually be stealing from the company.” So, how are Belgian firms being attacked? While cyber crime and asset misappropriation remain the top two types of economic crime experienced in Belgium, rates for these crimes decreased, as compared to results of PwC’s 2016 Global Economic Crime & Fraud Survey. Indeed, almost all types of economic crime were seen less over the last two years, than the two years prior. Importantly, 62% of Belgian respondents believe that cyber crime will continue to be ‘the most disruptive economic crime’ over the next 24 months into the 2020s, ‘outperforming’ other crime types. The most common techniques used by cyber criminals on Belgian targets reported here are phishing (66%), malware (56%), and network scanning (16%). The greatest impact of cyber crime was disruption to business processes (31%), closely followed by asset misappropriation (28%). Just 2% of respondents reported IP theft. Still, some 20% of Belgian respondents indicated that they do not know what the exact consequences are, which is concerning, PwC’s analysis suggests, because there might have been loss or theft of sensitive data or intellectual property.
Also of concern is that although 66% of Belgian respondents worked on cyber security programmes over the last 24 months, and such programmes were installed by 55% of respondents (up from 37% in 2016), only 35% indicated they carried out an assessment of their plan to find out how well it is working. PwC’s Hoskens, meanwhile, acknowledges that the broadening definition of ‘cyber crime’ does cause big picture analysis to become skewed, especially if computer-enabled fraud is factored into its scope. “Fraud is the product of a complex mix of conditions and motivations, only some of which can be tackled by machines and technology,” comments Hoskens. “The funds allocated to crime detection and prevention – in terms of both technology and corporate culture – are increasing, and that has a multiplier effect in terms of understanding and detection of fraud.”
The Belgian Data Protection Authority (DPA) issued its first status update since GDPR became applicable in December 2018. The statistics show a ‘remarkable’ increase in the number of data breach notifications, complaints and requests received, according to market-watcher Lexology. Specifically, since 25 May 2018, 317 data breaches have been notified to the DPA. This is a major increase compared to the previous year (i.e., 2017), when only 13 data breaches were formally reported. This increase is obviously due to the fact that there was no obligation to report prior to 25 May (except for the country’s telecommunications companies or financial services providers). The top Belgian verticals reporting data breaches are healthcare, insurance, public sector and defence, telecoms, and financial services. In addition, the DPA reports to have received 148 GDPR-related complaints in the six months that followed GDPR effectuation, which comes down to almost one complaint per day. This amount is, however, negligible compared to Belgium’s neighbouring countries. On this point, Belgium’s DPA is running a bit behind its national neighbours, who have started their first GDPR systematic inspections already and who have already imposed a large number of warnings and sanctions, and in some cases (Austria, Germany, Portugal, the UK), financial penalties.
ACCREDITATION Words | Edmund Burr Photography | Shutterstock
feature
Reports of the demise of ransomware have been grossly exaggerated: businesses have to redouble their defences as new variants become ever more devious.
DESPITE SOME SIGNS THAT IT IS BEING DISPLACED BY NEWER MALWARE SUCH AS ‘CRYPTOJACKING’ (MALICIOUS use of computer processing power to mine cryptocurrency) as cyber criminals’ preferred cash cow, ransomware remains a serious persistent threat to organisations of all kinds. SonicWall’s 2019 Cyber Threat Report records 206.5m ransomware attacks in 2018 – that’s a rise of 11% on 2017. High-profile targeted attacks on Tribune Publishing (US), City of Albany (US), Arizona Beverages (US), the Police Federation (UK), and Norsk Hydro (Norway) in the first quarter of 2019, show that it still carries a significant sting, and that its proponents think that the bigger the target, the higher the possible ransom to be extorted. What’s more, because ransomware raises multiple ethical questions in terms of an organisation’s governance policies, cyber-savvy CEOs and their c-suite colleagues must stay apprised of the dilemmas it stirs up. NTT Security’s latest Global Threat Intelligence Report, for instance, found
GANDCRAB DECRYPTOR AVAILABLE
A new decryption tool has been released for free on the No More Ransom depository for the latest strand of GandCrab, one of the world’s most prolific ransomware to date. GandCrab surpassed all other strains of ransomware during 2018, according to EU law enforcement agency Europol, having infected more than 500,000 victims since it was first detected back in January 2018. The tool was developed by the Romanian Police working in close collaboration with security company Bitdefender and Europol, together with the support of law enforcement authorities from Austria, Belgium, Cyprus, France, Germany, Italy, the Netherlands, the UK, Canada and the US FBI. | nomoreransom.org

COUNTING THE COST OF DOOMSDAY SCENARIOS
BASHE ATTACK: Global Infection by Contagious Malware is a report produced by CyRiM (Cyber Risk Management) project, led by Nanyang Technological University in collaboration with industry partners and academia. It explores how a large-scale modelled ransomware attack might take place – and what the global impacts would be on governments, business and the insurance sector. The doomsday scenario suggests that the total economic damage to the world economy from a concerted global cyber attack (propagated via malicious email) could range from between $85bn to $193bn. The hardest hit sectors are...
Retail ($15bn-$25bn loss)
Healthcare ($10bn-$25bn loss)
Manufacturing ($9bn-$24bn loss)
Professional Services ($15bn-$20bn loss)
TOP RANSOMWARE ATTACK VECTORS
Remote Desktop Protocol based breaches were (again) the single most prevalent ransomware attack vector in Q4/2018. This vector is predicted to remain popular.
RDP: 84.5%
PHISHING: 13.8%
SOCIAL ENGINEERING: 1.7%

HOW VERTICAL SECTORS ARE TARGETED BY RANSOMWARE
Professional service firms (e.g., law and accountancy firms), continue to be a prime target for ransomware. These firms tend to under-invest in IT security, have weak or no backup policies, and have almost no tolerance for data loss. Healthcare facilities are also more targeted.
PROFESSIONAL SERVICES: 22.4%
SOFTWARE SERVICES: 13.8%
FINANCIAL SERVICES: 12.1%
HEALTHCARE: 12.1%
OTHER: 10.3%
CAPITAL GOODS: 8.6%
INSURANCE: 5.2%
RETAILING: 5.2%
TRANSPORTATION: 5.2%
MATERIALS: 3.4%
UTILITIES: 1.7%
Source: Coveware Ransomware Marketplace Report 2019

‘compelling evidence’ that ransomware attacks ‘are still on the rise’. Ransomware volumes for 2018 were up 350%, the report finds, and rose from less than 1% of global malware in 2016, to nearly 7%. Across Europe, ransomware was the leading malware manifestation at 29% of the total threat spectrum, NTT Security found, being focused mainly on the business and professional services, and healthcare industry sectors. Not only are there more attacks; the average ransom cost is also on the up: Coveware’s most recent Ransomware Marketplace Report says that the average ransom demand increased by about 10% per quarter during 2018 (to a high of €5,975/£5,160 approx.). The same study also names the average number of days a ransomware incident lasts at 6.2, and average financial cost of ransomware incident-related downtime as €48,727 (£42,085) approx. Estimates here vary by source: SentinelOne reckons that globally, ransomware costs individual businesses an average of €684,651 (£591,238) approx. per annum. Sophos, meanwhile, sets the median total cost of a ransomware attack at €118,054 (£101,962) approx. – this extends beyond any ransom demanded and includes downtime, manpower, device cost, network cost, and lost opportunities. All figures, again, were increases over the previous year’s figures: no surprise given that studies of cyber security trends indicate that there are rich pickings to be had, as a proportion of compromised organisations opt to pay ransoms to recover their indispensable data.
Further inducement for cyber criminals may well come from the fact that organisations polled across vertical sectors now not only expect ransomware to become a fact of commercial operations, but see it as somewhat of a tolerable business cost. This is despite evidence that paying a ransom is no guarantee that encrypted data will be recovered. Coveware reports that when a victim of ransomware pays, they receive a decryption key 93% of the time; but that is just the beginning of the recovery process.
HOW RANSOMWARE GETS INTO SYSTEMS
Encryption can damage or delete files, and sometimes the decryption tools do not work well. The average data recovery rate when a working tool is delivered is about 95%, but varies markedly depending on the type of ransomware. For example, ransomware Ryuk is low at ~60%, but SamSam is close to 100%, the Coveware study found. Ransomware creators continue to build-in new ways to add value to their attacks. New ‘in-development’ ransomware (discovered by support website MalwareHunterTeam) encrypts files, and also tries to steal owners’ PayPal credentials with an included phishing page. This ransomware contains a ransom note that states the user can remit either via Bitcoins or with cash through PayPal. If a user chooses to pay using PayPal, they will be brought to a phishing site that will then attempt to filch their PayPal credentials.
“This technique aims to maximise the return-on-investment for the attacker. Once the victim falls into the trap and pays the initial ransom, they will also be duped into providing their PayPal account credentials, which will profit the attacker even further,” says Maor Hizkiev, CTO & Co-founder at BitDam. “This kind of attack demonstrates that once an attacker gains control, there is no limit to what they can do and how much money they can steal.” Hizkiev adds: “The problem lies in the fact that almost all current security solutions are reactive, adjusting their defences based on attacks they have seen in the past. Attackers are relentlessly thinking of new tricks to evade static and dynamic solutions. New attacks are emerging daily, making it harder for vendors to keep up to date and protect from the newest attackers’ tricks.”
RANSOMWARE STRAIN ATTACK PENETRATION
Cyber security company Datto notes that SamSam is ‘small, but mighty’: ‘the City of Atlanta was rocked from a SamSam attack’. The strain also made its way to Indiana’s healthcare industry and Colorado’s transportation system. In 2018, it was estimated that SamSam hackers netted around €5.3m.
CRYPTOLOCKER: 71%
WANNACRY: 50%
CRYPTOWALL: 40%
LOCKY: 24%
CRYPTXXX: 18%
PETYA: 17%
TESLACRYPT: 14%
CTB LOCKER: 11%
NOTPETYA: 9%
TORRENT LOCKER: 8%
BAD RABBIT: 7%
CRYSIS: 6%
COINVAULT: 5%
CERBER: 5%
SAMSAM: 3%

RANSOMWARE CREEPS INTO CLOUD
28% of managed service providers have seen ransomware attacks in Software-as-a-Service applications, like Microsoft Office 365 and Google G Suite; of these...
49% REPORT O365 INFECTIONS (AN INCREASE OF 17% ON PREVIOUS YEAR)
22% REPORT G SUITE INFECTIONS (AN INCREASE OF 1% ON PREVIOUS YEAR)

The fact that technological safeguards have their limits places even greater emphasis on the human factor when it comes to keeping-out ransomware. Coveware’s report sample says that 15.5% of ransomware attacks came through social engineering or phishing attacks. Many cyber security expert theorists now expound the necessity for organisations to implement a holistic cyber security policy that devolves responsibility for defence beyond the IT department and out to the frontline workforce – and that includes everyone, from senior executive to temporary staff. Getting this right is acutely important in respect to avoiding ransomware, because its success mostly depends on an employee inadvertently enabling the ransomware to get into a company’s IT network. SentinelOne’s Global Ransomware Study 2018, for instance, found that with around half of respondents whose organisation had suffered a ransomware attack in the last 12 months, the attack worked because an employee was careless (51%) and/or anti-virus was in place, but did not stop the ransomware attack (45%). This latter factor is echoed by Sophos’s SophosLabs 2019 Threat Report: it found that 75% of companies infected with ransomware were, nonetheless, running up-to-date endpoint protection software.

HOW RANSOMWARE IMPACTS THE BUSINESS
The financial cost to targeted businesses is another determinant that might – in the short term, at least – lead some organisations to the view that they are actually better-off paying ransoms than spending their money on defensive measures that do not seem able to fully protect them. In employee terms, the word ‘careless’ (re. the SentinelOne study findings) is perhaps used a little pejoratively. Training must keep up with the latest threats, which continually find ways to con even suspicious staff to click when they should shun. For business owners it’s also important to be mindful of how factors like staff churn bear on cyber security. This might well cause a shift in cyber security spending from technology to training, as organisations strive to reduce their ‘human exposure’ by coaching their staff to be more cyber attack-savvy. A dilemma for employers is that they are likely not to want to expend on advanced security awareness training for temporary workers – many of whom, in 2019’s commercial climate, are likely to be placed in the cyber security frontline in terms of dealing with digital customer interaction that exposes them to phishing attacks, for example. Almost all – 94% – of respondents to the SentinelOne Global Ransomware Study 2018 cite that there has been some impact on their organisation because of ransomware attacks in the past 12 months, with the greatest impacts
IN BRIEF
ATTACKS ON CLOUD
Many organisations migrate their data and IT functionality to cloud services because it is deemed to provide higher levels of security than on-premises IT.
Massachusetts Institute of Technology (MIT)’s prediction that one of 2018’s big cyber threat targets would be cloud computing service providers – which host almost nigh incalculable volumes of critical data for client companies – doubtless caused many of those service providers to redouble their safeguards. For ransomware attackers to crack into a cloud service provider’s system would be equivalent in impact to launching thousands of ransomware attacks simultaneously. The result would be devastating: tens of thousands of organisations that have migrated their data to third-party cloud would be compromised in near-perpetuity, unless decryption could be deployed at massive scale. The biggest cloud operators, like Google, Amazon, and IBM, have reportedly hired some of the smartest minds in IT security, so they won’t be easy to crack. But that makes them a more attractive challenge to cyber criminals and other online threats. Ransomware innovators have apparently already had success in channeling attacks through popular cloud-based business applications, such as Microsoft Office 365.
FACTS
WHERE THE RANSOMWARE COMES FROM
Few organisations seem to hold an expectation of being able to identify who is behind the attacks they suffer – some might point to ‘nation state’ or ‘cyber criminal gangs’, according to the stipulations of their cyber insurance coverage. “Many victims of data breaches or ransomware attacks cry ‘nation-state!’ as the first response to the incident, even though very few are able to prove it,” says Igor Baikalov, Chief Scientist at Securonix. “Lax cyber security programs is [probably more] to blame in most cases.” According to NTT Security’s Threat Intelligence Report, the ransomware attack origination countries often do not follow general perceived expectations. It found that the biggest number of attacks on European region targets, for example, came from the US (21%) followed by China (18%). Surprisingly, perhaps, the UK was the third most prevalent source of ransomware attacks (5%), NTT Security reports.

being an increased investment in IT security (67%), and a change of IT security strategy, to focus on mitigation (44%). It’s arguable that these initiatives will reinforce an organisation’s security against other threats, and help protect against a multichannel cyber threat attack ‘double-whammy’ – i.e., being hit by ransomware and hack-based data exfiltration at around the same time – the CISO’s nightmare. Furthermore, more than 10% report that their organisation has received negative press/bad publicity (14%) and/or seen senior IT staff lose their jobs (14%).
CAN PAY, DO PAY…
Official bodies, criminal agencies, and the security vendors strongly advise against paying ransom. They point out that, aside from contributing to cyber crime’s finances, there is no guarantee that the ransomers will provide keys to ‘unlock’ compromised data, or if they do provide keys, that they will work as promised. Other voices point out that decryption keys may already be freely available in the public domain to ‘release’ compromised data; and yet, despite this, some targeted organisations seem now to evaluate the pros and cons of paying in purely business terms, almost as ‘a cost of doing business’. Some of the financials do seem to lend substance to the ‘pay and be done with it’ argument. The cost of business downtime is some 10 times greater than the cost of the ransom requested, according to respondents to Datto’s The State of the Channel Ransomware Report. MSPs report the average requested ransom for SMBs is ~€3,831/~$4,300 while the average cost of downtime related to a ransomware attack is ~€41,700/~$46,800. This viewpoint is perhaps informed by the fact that only 8% of respondents to the Datto report thought that ransomware attacks are likely to decrease to any degree in the foreseeable future. They accept arguments for taking the ransom on the chin, learning everything that can be divined about how it happened, then making efforts to prevent a repeat incident. When considering all the ransomware attacks that their organisation has experienced in the last 12 months, a little less than half – 46% – of respondents to SentinelOne’s Global Ransomware Study say that their organisation did not pay a ransom because they decrypted the data themselves/had backups. In contrast, 19% admit that their organisation paid the ransom demanded by the attacker every time. According to respondents whose organisation/the organisation’s insurer has paid some or all the ransom(s) demanded by ransomware attackers for an attack in the last 12 months, the total value of the ransoms paid in this period is €40,470/£34,845, on average and the largest value that their organisation has ever paid is €40,086/£34,514, on average. Of those whose organisation/the organisation’s insurer has paid some or all of the ransom(s) demanded by ransomware attackers in the last 12 months, around 60% state that their organisation paid the ransom because the cost of paying the ransomware was less than the lost productivity caused by downtime from the attack – 58% – and/or the cost of paying the ransom outweighed the cost of restoration/damage to business (56%). Lastly, some 33% report that an employee has paid a ransom in the past without the involvement or sanction of IT/security departments. Whether this was from company money or personal funds (i.e., due to embarrassment or fear of job loss) is unclear.
The possibility that some senior executives may be quietly sanctioning payments as ‘miscellaneous’ expenses, because they do not want a ransomware attack in which they are in some way implicated to be made a matter of official record, should not be discounted.
ACCREDITATION Words | James Hayes Photography | Shutterstock
advertorial
The IIoT promises to transform industrial processes – but we must ensure that safeguards are built-in from the outset, says Airbus CyberSecurity’s Jörg Schuler. OPTIMISTS TEND TO SEE THE RISE OF THE INDUSTRIAL INTERNET OF THINGS (IIOT), AND ITS CLOSE RELATION OPERATIONAL TECHNOLOGY (OT), as one of the most significant business trends of the early 21st Century. Analysing the concept, I can understand where the rosy glow comes from. Take the best parts of IoT – connecting a range of devices, sensors and equipment to the Internet - and add the sort of Machine-to-Machine (M2M) communication and automation needed for industrial processes – and you have segued into the next big industrial wave. In Germany, Europe’s biggest industrial economy, the harnessing of IIoT to digital automation has developed far enough for it to routinely be described as a ‘fourth industrial revolution’, the so-called ‘Industrie 4.0’ (a.k.a., ‘Manufacturing 4.0’) strategic initiative enthusiastically promoted by the German Government. It’s an alluring prospect of more integrated supply chains, real-time feedback on processes, problems and inventory, where even the smallest elements of any industrial system would become interconnected. Efficiency would be transformed, problems and failures reduced, in a world where systems might eventually look after themselves without the need for expensive human intervention and management. This IIoT is IoT done right for numerous industries on which the digital economy ultimately depends. However, facing this is a more pessimistic – some would argue more realistic – way of understanding the arrival of
IIoT and OT as delivering a new set of digital vulnerabilities that stand in danger of being underestimated in the same way that consumer IoT risks were in the early years. You don’t have to be an outright pessimist to agree that the security sceptics have a point – the more devices, equipment, sensors and applications you connect to one another, the greater the interdependency and sensitivity to disruption. If the last 20 years of cyber crime’s rise has taught us one thing, it’s surely that there are now just as many forces that might seek to disrupt IIoT and OT as benefit from it. Because Industry 4.0 and IIoT are still emerging, and a lot of technology and standards have yet to be finalised, working out how they might be vulnerable to cyber attack isn’t easy. What we know from recent cyber attacks aimed at manufacturing should give us cause for concern. According to Verizon’s Data Breach Investigations Report – which analysed figures from 2017 – manufacturing suffered 42 known breaches and 389 cyber-incidents of various types, not far behind sectors such as healthcare, finance and retail. About 90% of these originated with external hacking rather than an internal compromise or misconfiguration and, importantly, Verizon believes that 86% were targeted attacks, custom-designed to penetrate specific companies. “Since, overall, the vast majority of attacks are opportunistic in nature, this finding underlines the point that criminals go after certain manufacturing entities with a very specific purpose in mind,” the report stated.
Airbus CyberSecurity is a European specialist in cyber security. Our mission is to protect governments, military, organisations and critical national infrastructure from cyber threats. We provide a global cyber defence approach that aims to protect, detect and respond to cyber threats with a portfolio that includes key management and consultancy services, encryption, industrial control systems, and managed security.
DETAILS For more information please visit the company website: | airbus-cyber-security.com
These figures don’t tell us much about how vulnerable IIoT and OT might be to cyber attack; but they do underline that the motive to target them is already well-established for a range of reasons – including geo-political advantage and financial gain. All cyber attacks are founded on a combination of technical means – the weakness being exploited to penetrate a target network – and the motivation to do so regardless of the risks or costs.
HOW ATTACKS MIGHT UNFOLD Looking at recent events, it’s clear that the obvious template for attacks is probably targeted cyber extortion, which scores a maximum 10 on both scales. A warning of how unpleasant this can be was delivered by what happened to the city of Atlanta in March 2018. Like every city in the developed world, Atlanta and its citizens depend on online services that make available simple applications such as parking, bill payment, court appearances, and a miscellany of local government bureaucracy. Using a hacking-to-ransomware platform called SamSam, the attackers burrowed into the city’s network to encrypt and hold a suite of applications hostage. With the ransom demand for $51,000 (£39,000) apparently unmet, the attack eventually cost a reported $2.6m to clean up. SamSam was blamed for other attacks during 2018, including the City of Newark, Colorado Department of Transportation, the University of Calgary, and perhaps most worrying of all
from an industrial point of view, on the Port of San Diego in California and Port of Barcelona in Spain. The lesson is that if such a thing can befall a city or port, the same thing can happen to any institution, organisation, or critical asset, including a factory, industrial process or supply chain in which even a few hours of downtime can be crippling. Size and importance no longer seem to be a protection; indeed, the opposite might now be true. If it’s valuable and vulnerable enough, then it’s a target that a cyber attacker will spend their time going after. It’s my view that IIoT systems are still often not well-defended by use of anything that resembles a mature security model. There are simply too many ways in – often the legacies of past security design mistakes. Industrial networks supporting IIoT are not likely to be built from scratch, and will depend on an organisation’s established network security and protocols. A fundamental problem is that, by their nature, IIoT and OT increase the number of devices communicating using Internet protocols that attackers can aim at. All an attacker has to do is find a weak point or protocol – Remote Desktop Protocol (RDP) was SamSam’s chosen method of entry – from which to build a deeper incursion into the target network. By the time that a victim realises an attacker is inside the network it is probably already too late.
This should give anyone planning to implement IIoT and OT much pause for thought. Building security on hope in this new and much more dangerous world is asking for trouble. It falls to the ranks of information security professionals tasked with defending Industry 4.0 to build their defences from the ground up if the next wave of industrial technology is to fulfil its promise.
Jörg Schuler is OT Cyber Security Portfolio Manager at Airbus CyberSecurity.
insight
Effective cyber security is all about protection and defence, but prevention is also key to best practice, says CQURE’s Paula Januszkiewicz. SOMETIMES YOU JUST HAVE TO SAY, ‘NO MORE’. VERY OFTEN, THE SIMPLE AND straightforward resolutions can be as effective in safeguarding your organisation’s data as your investment in defensive technology. Awareness training, a backup regime, and an acceptance that tedious software updates are preferable to the ravages of ransomware infection and recovery – all are key learnings for organisational managers, and though straightforward, should not be underestimated. Added to more sophisticated technological solutions, they can make a major contribution to overall cyber security provision, and also help make the workforce part of the security effort. So, here are five reminders of how a back to basics approach can bring quantifiable benefits when it comes to countering malicious threats. When all these actions are taken together, and wrapped into one reasonably security-focused prevention strategy, your enterprise infrastructure security will ascend to the next level – but remember always that cyber security journeys have no end, and that new challenges appear all the time.
BIOGRAPHY
PAULA JANUSZKIEWICZ Paula Januszkiewicz is Founder and CEO at CQURE and the CQURE Academy, based in Poland. Paula is also the Enterprise Security MVP, Microsoft Regional Director, and an acknowledged cyber security expert.
MORE INFORMATION Contact points: | cqure.pl | @PaulaCqure
MORE TECHNOLOGY INSIGHT FROM PAULA JANUSZKIEWICZ IN THE NEXT ISSUE OF CYBER SECURITY EUROPE MAGAZINE
NO MORE NO RULES: SECURITY AWARENESS Some ransomware exploits the fact that Microsoft Windows allows applications of all kinds to access a user’s data. As threats change rapidly to evade detection, often utilising social media to propagate, it is impossible to prevent them from appearing on the endpoint. Ransomware attacks are not brought about by any kind of magic; they typically spread through phishing emails or by unknowingly visiting an infected website. For enterprises or organisations, it may be best to block email messages with attachments from suspicious sources. It is very likely, unfortunately, that the attack will be more sophisticated. Monitoring, repelling, and responding to cyber threats while meeting compliance requirements are well-established duties of CISOs (Chief Information Security Officers), or their equivalents, and their teams. That’s why I’d argue that business leaders need CISOs to take stronger strategic leadership roles.
NO MORE OUTDATED SOFTWARE Imagine that your computer (Operating Systems and applications installed) is outdated. There are bugs in the software. Some of those can be used to take control over your computer and to infect it with ransomware, as well as for other malicious purposes. If you do not update your computer’s software on a regular basis it will – sooner or later – get infected. The remedy is extremely simple: patch your Operating System and applications. Do not ignore pesky update messages and restarts. The general rule is simple: get newer versions of applications, update your system, update drivers, etc. Basic to-dos, big benefits.
NO BACKUP = NO MORE EXCUSES The deeper you delve into the corners of the internet looking for information, the higher the risk of infecting your computer with more malware. So, what to do? The answer is very easy: perform backups and in case of emergency restore the data from the backup. It is critical in ransomware recovery and response. Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Note that network-connected backups can also be affected by ransomware; it is crucial to have critical backups well protected from being stolen, dropped, or even eaten by a dog or left with your laptop bag.
NO MORE TEMPORARY SOLUTIONS On the enterprise level, from the technical perspective it is important to prevent unknown code execution. The way to mitigate these types of threats is to implement a defense in depth approach, layering technologies that can block and isolate threats on the endpoint device. These include privilege management and application control, which prevent untrusted content, such as malware payloads, from executing. An important line of defense is ‘sandboxing’ (a sandbox is a security mechanism for separating running programs, usually in an effort to keep system failures or software vulnerabilities from spreading). Many exploit kits take advantage of weaknesses in the browser and plug-ins to run ransomware. Other attack vectors can be found in malicious documents, and also from tricking the user into running malware through worms found in many popular websites. So sandboxing allows you to safely contain such web threats and isolate any malicious activity, without restricting your people. There are many solutions that perform these activities (for example, from Microsoft you will find AppLocker or Windows Defender Application Control). You can also try the Controlled Folder Access feature in Windows, which protects important folders against changes made by unknown actors.
NO MORE COMPLACENCY To improve your workforce awareness, your organisation’s internal security team may test the training of your organisation’s workforce with simulated phishing emails. The objective is to mount a practice cyber attack and attempt to highlight security vulnerabilities that might otherwise be found and exploited by hackers. In doing so, you will gain valuable insight into the security posture of the assets and be able to fix them before cyber threats are able to cause serious damage of some kind. One of the ‘takeaways’ is super-simple: that all employees should pay extra attention to what comes winging into their workplace inboxes.
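The Controlled Folder Access feature mentioned under ‘No more temporary solutions’ can be rolled out in stages; the following is an added example, not part of the original article. It uses the Microsoft Defender cmdlets to start in audit mode, register protected folders, and review what would have been blocked before enforcement is switched on. The folder and application paths are hypothetical placeholders.

```powershell
# Added example: staged rollout of Controlled Folder Access (CFA).
# Run from an elevated PowerShell session on a machine where Microsoft Defender
# Antivirus real-time protection is active (Windows 10 version 1709 or later).
# All paths below are hypothetical placeholders, not values from the article.

$ProtectedFolders = @('D:\Finance', 'D:\Contracts')
$AllowedApps      = @('C:\Program Files\ExampleBackup\agent.exe')

# 1. Record the current state: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$before = (Get-MpPreference).EnableControlledFolderAccess
Write-Output "Controlled Folder Access state before change: $before"

# 2. Start in audit mode so that legitimate applications are logged, not blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Add business-critical folders to the protected set
#    (the default user profile folders are protected automatically).
foreach ($folder in $ProtectedFolders) {
    if (Test-Path -LiteralPath $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping missing folder: $folder"
    }
}

# 4. Allow-list known-good applications that must write to those folders,
#    such as a backup agent.
foreach ($app in $AllowedApps) {
    if (Test-Path -LiteralPath $app) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning "Skipping missing application: $app"
    }
}

# 5. Review what CFA audited (event ID 1124) or blocked (event ID 1123).
function Get-CfaEvents {
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-CfaEvents | Format-List

# 6. After the audit events have been reviewed and the allow-list is complete,
#    switch from audit to enforcement:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Running in audit mode for a couple of weeks first surfaces line-of-business applications that would otherwise be blocked on day one, which is the usual reason such controls get switched off again.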
PAULA IS SPEAKING AT... Hack in Paris 2019, 19 JUNE 2019 | 11:25pm-12:10pm, Maison de la Chimie, Paris, France
| hackinparis.com
TOP 10
HIT LIST That biometrics will become a staple means of enterprise cyber security seems a sure bet – and from head to toe, the technology’s been busy turning our bodily features into identifiers. Here are 10 top examples.
Researchers at University at Buffalo School of Engineering & Applied Sciences are now working on an electroencephalography-based brainwave biometrics system that creates a ‘password’ out of how users respond to a set of three images – an animal, a celebrity, and a textual phrase – designed to trigger a response. After the images are displayed four times, the so-called ‘brain password’ is set, with the authentication system able to recognise unique, recurring patterns in each individual’s response to the images.
Facial recognition is already a popular biometric security vector (and used for other security-related applications), but its reliability is now being challenged by other emergent technology. Using a 3D-printed human head, Forbes tested the face recognition security on four popular Android phones, plus an Apple iPhone. Once a complete 3D image was created, the life-size head was coloured and then placed in front of the phones. All four Android phones unlocked with the fakey face – but not the iPhone.
Iris recognition has gained popularity as the default individual security modality in a range of sectors, such as healthcare, immigration checks and border control, workplace time and attendance, and access control. Iris recognition biometrics’ durability is another plus: a research study by the National Institute of Standards and Technology (NIST) suggests that the human iris is a stable internal organ, and therefore, iris recognition is usable for decades after a person’s initial registration. General Data Protection Regulation (GDPR) – under which banks are required to keep track of data provenance and maintain a traceable chain of transactions related to the origin of a raw or computed data item – could prove yet another driver for iris-based ID verification system uptake.
Several banks have brought in voice recognition systems, so that attacks against speaker recognition that use technological means can be blocked. Voice attacks produced by human vocal disguise and impersonation, however, cannot easily be detected with such counteraction, according to a study from researchers at the University of Eastern Finland. It found that impersonators were able to fool automatic systems and listeners in mimicking some legitimate speakers.
Indian researchers have suggested that tongue prints could serve as a method of multifactor biometric authentication for some use-cases. Tongue characteristics also exhibit sexual dimorphism, thus aiding in the identification of the person; tongue prints also hold the promise of a potential forensic tool. A 2016 study by Thai Moogambigai Dental College highlights the uniqueness of tongue prints and their advantages over some other biometric ID modalities.
In addition to iris and retinal ID, vein recognition is another eye-based biometric modality. This uses patterns formed by veins on the sclera – the white part of eyes. The concept was developed by Dr Reza Derakhshani at the University of Missouri. He found that patterns of sclera blood vessels can be useful for personal ID as it is a unique individual characteristic. However, unlike verification for iris or retina recognition, subjects have to glance either side to be scanned.
Under its Bull brand, Atos offers a biometric authentication system that uses the Nymi Band authentication wristband and HeartID biometric software to verify a wearer’s identity based on their heartbeat. Users can sign in, hands-free, by pressing their Nymi Band against an NFC reader. They are then authenticated by Bluetooth and, through a wireless connection, remain logged-in until they leave their workstation. The Evidian Enterprise SSO (Single Sign-On) solution is aimed at authentication in the healthcare and pharmaceuticals sectors where hygiene mandates touch-free security.
Ethical security researchers Jan Krissler and Julian Albrecht created fake hands of wax to bamboozle a hand vein scan biometric security system. The pair took photos of their own hands using a modified DSLR camera, then used the images to make replica hands, which were deployed to fool a vein authentication system.
Smell-based identification has long been a giveaway for tracker dogs, but in 2015 researchers at the Universidad Politécnica de Madrid, working with Ilía Sistemas, developed a biometric ID technique that would allow its users to identify some 85% of people tested through their personal odour.
Our footprints bear physiological traits and distinctive properties that can serve as unique identifiers. Footprint scan tech is still under development, and various approaches are being experimented with. Some systems use a camera to capture footprints and the recognition system extracts shape using gradient vector flow.
advertorial
Now that the full economic impact of malicious online threats can be assessed, firms should ensure legal obligations are covered, counsels DWF’s Klaus Brisch. WITH EVER-GROWING AND UNRELENTING INTENSITY, CYBER CRIME, INDUSTRIAL ESPIONAGE, AND THE UNLAWFUL PROCUREMENT of information by use of digital technology, have a severe impact on those businesses that are hit by them; and to date, few have remained unaffected by the rising threat tide. Cyber crime is widely defined as the use of a computer system to further illegal goals, such as the commission of fraud, intellectual property theft, or the violation of the privacy of a person or company. The ramifications of this type of crime are international, as reports show. In 2017, the German Federal Office for the Protection of the Constitution published statistics on the economic impact on German businesses caused by industrial espionage through cyber attacks aiming to access trade secrets, business expertise or intellectual property: the German economy suffered damages of €55bn. Another study, Economic Impact of Cyber Crime – No Slowing Down, conducted by McAfee and the Centre for Strategic and International Studies (CSIS) in February 2018, concluded that cyber crimes cost the global economy around $600bn every year. Such figures are indeed alarming. The age of digital transformation that’s led to the so-called ‘data economy’ has created an enormous range of possibilities for cyber attacks – and, therefore, for businesses that rely on technology and data, this also brings a whole set of new challenges.
Technology and innovation-oriented businesses, such as those in the IT, communications, life-science, automotive, and mechanical engineering industries, are especially of interest to – and at risk from – a range of cyber attackers.
A SILENT ENEMY WITHIN One of the greatest dangers for businesses at risk from cyber attacks is that the perpetrators will try to remain undetected within their IT systems for as long as possible, and seek to remain in a position to retrieve as much information from their target as they possibly can.
The affected company may, for example, not know immediately why it lost a tendering procedure to someone who outbid them, why an ongoing negotiation fell through, or a contract was lost. Unfortunately, these are all scenarios frequently observed across several business sectors. The financial appeal of industrial espionage to companies is obvious. With the help of confidential data on their competitors and products, the company can predict business choices beforehand, and perhaps even use innovations before they are officially released into the market. Illegally-obtained information may even be used to blackmail a business. The effect on businesses impacted by cyber crime is not just felt financially, either; the damage has a ripple effect on the economy and onto society itself. It can also lead to a slower pace of innovation and trade distortion over the longer term. So, given this operating climate, it’s very apposite to ask the question: what are the legal consequences of cyber attacks for companies and their trade secrets, employee and customer personal data, or intellectual property rights?
DWF We are a global legal business, transforming legal services through our people for our clients. Led by Managing Partner & CEO Andrew Leaitherland, we have over 27 key locations and more than 3,100 people delivering services and solutions that go beyond expectations. Article author Klaus Brisch is expert in data protection and privacy law, IT-compliance, cyber security.
DETAILS For more information please visit the company website: | dwf.law
INTERNATIONAL COMPLICATIONS Before answering this question, it is important to note one factor: there may be a huge geographical distance between the attacker and the targeted company’s IT resource. This leads to extensive law enforcement issues, because there is a need for international co-operation between the states concerned and their respective legal authorities in order to deal effectively with the attack in question. That also raises the question as to where the cyber crime really takes place – and which legal system is applicable for the attack? Since recent cases of industrial espionage and data theft have led to an increased awareness of the problem, companies must be proactive and stringent in securing their data; and that includes the protection of personal data of employees and customers, for instance, as well as business know-how and commercial information.
INTERNATIONAL COMPLICATIONS Legislation such as the European Union (EU) General Data Protection Regulation (GDPR) of June 24 2016 (that came into effect on May 25 2018), and other national data protection laws within the EU member states, have ultimately shown millions of consumers that their personal data is extremely valuable for the economy, but also that they are at risk unless protective measures are taken by the companies that handle and process their information. In addition, the EU has already (June 8 2016) implemented the Directive on the ‘protection of undisclosed know-how
and business information (trade secrets) against their unlawful acquisition, use and disclosure’ – also known as the Trade Secrets Directive. This Directive is a piece of legislation that only now is being transformed to the national laws of the EU member states. According to the Trade Secrets Directive, the acquisition of a trade secret without the consent of the trade secret holder shall be considered unlawful, whenever carried out by (a) unauthorised access to, appropriation of, or copying of any documents, objects, materials, substances or electronic files, lawfully under the control of the trade secret holder, containing the trade secret or from which the trade secret can be deduced; and (b) any other conduct which, under the circumstances, is considered contrary to honest commercial practices.
CALL TO COUNTERACTION In order to reduce the risks imposed on their business and remain compliant with regard to – among others – GDPR and the Trade Secrets Directive, companies must implement a secure defence system (or review the systems that already exist) – a system that ensures the protection of data, and detects cyber attacks even before any damage can be done. Should the company not have a working system to protect its own company and consumer data, in the event of a successful attack on its systems, the resulting fines and reputational damage, as well as other losses, will be severe. In view of all these considerations, it seems most evident that industrial espionage will continue to take hold across Europe unless businesses – and other organisations – take the proper steps to introduce secure standards to protect their valuable data assets. Seeking consultation from a technological and legal expert who can best advise on how to implement the necessary mechanisms that will prevent management liability in the first place, therefore, is imperative.
Klaus Brisch is Partner & Global Head of Technology at DWF, with expertise in data protection and privacy law, IT-compliance, cyber security, additive manufacturing and cross-industry innovation.
feature
Law firms in Europe now face the triple-whammy of tech law changes, targeted hack attacks, and a surge in client calls for cyber counsel – and it seems that business is booming. IT’S LITTLE WONDER THAT IT SECURITY HAS BECOME SUCH A MAJOR CONCERN for senior management in the legal sector: targeted cyber attacks on companies that provide legal services have risen over the past 18 months, according to the 2018 Law Firms Survey from PwC. While in 2017 33% of firms reported a security incident related to their own staff where there had been a loss or leakage of confidential information, this increased to 46% in 2018. ‘As law firms hold large volumes of client monies and confidential information, they remain a greater target for external threats,’ the report warns. The hazards are part of a bunch of related concerns. Information technology in its general application remains a key theme of PwC’s influential annual Law Firms Survey, bringing both opportunities and challenges. At the same time, cyber attacks are becoming increasingly common and law firm board survey respondents now see this ‘as a much greater and real risk to their business’. This presents a major threat for the legal sector, as law firms hold ‘significant client funds’ and client information that’s highly attractive to cyber fraudsters and other digital dastards. Law firms certainly hold much sensitive client information, and are key enablers in commercial and business transactions, such as mergers and acquisitions: that’s highly valuable data that cyber criminals and state-sponsored threat agents, for instance, are obviously keen to access, appropriate, and act upon to their illegitimate advantage. “Like all businesses, law firms are increasingly reliant on IT and technology, and are falling victim to a range of malicious cyber activity,” says Ciaran Martin, Chief Executive Officer at the UK National Cyber Security Centre (NCSC). “Losing access to this technology, having funds stolen or suffering a data breach through a cyber attack can be devastating, both financially and reputationally, not only for the firm but also their clients.” As the NCSC’s Cyber Threat to UK Legal Sector 2018 report points out, the risk may be greater for law firms that advise ultra-sensitive clients or work in locations that are hostile to the UK. For example, firms that act for organisations engaged in work of a controversial nature (such as the life sciences or energy sectors) may also be targeted by groups with a political or ideological agenda. The sector’s transition to offer legal services digitally will not only provide new opportunities, but also further avenues for malicious cyber exploitation, the NCSC notes. This leaves many law firms athwart a virtual security nexus where three key market dynamics intersect.
First, they need to stay apprised of the ways in which cyber has become an increasingly important factor in multiple aspects of commercial conduct and engagement. As a services advisory from Herbert Smith Freehills notes, ‘Cyber security issues now permeate [into] many other fields of legal advice’. Many standard legal processes have acquired a cyber element, from employment contracts to corporate mergers and acquisitions, cross-border trade to digital rights management. As the importance of digital integrity has assumed a critical role in economic conduct, and governments seek to impress upon organisations their full regulatory responsibilities for cyber governance, IT security becomes increasingly ‘legalised’ (for want of a better term). Added to this, some aspects of standard inter-business contractual arrangement have acquired a cyber dimension. For example, SMEs that are seeking external growth funding will have to demonstrate that cyber security is totally integral to their business plan.
Second, lawyers must now acquire cyber expertise across a variety of special areas where their clients find themselves on the sharp end of the digital economy, with General Data Protection Regulation transgressions proving to be the most acute of these. “Regulators have already started to flex their muscles with some 91 GDPR fines imposed to date,” says Sam Millar, cyber specialist Partner at DLA Piper. “We anticipate that regulators will treat data breach more harshly by imposing higher fines given the more acute risk of harm to individuals... [And] can expect more fines to follow over the coming year as the regulators clear the backlog of notifications.”
The third – and most immediate – exposure is that, as noted, firms that provide legal services are themselves increasingly targeted by a range of cyber threats. These range from criminals and state-sponsored agents to B2B fraudsters and insider threats (in 2017, 33% of firms reported a security incident related to their own staff where there had been a loss or leakage of confidential information, and this rose to 46% in 2018, PwC’s survey says).
RISK BEWARE THE UNSECURED LEGAL WORKPLACE... “Due to the nature of their work, law firms use devices such as printers and scanners for important and confidential contracts or personal documents – these devices, often forgotten about, are a dream target for hackers, who can use them for data theft, or to plant virus infections.” Randhir Shinde, CEO at Galaxkey (writing for Lawyer Monthly).
LAW FIRMS INVESTMENT PLANS
High-profile incidents over 2017-2018, whereby top European law firms have been made victims of global ransomware attacks, highlight the importance of IT security in a post-GDPR world. Source: PwC.
[Chart: responses to ‘Does your company plan to increase or decrease its budget on IT security-related tools and services in the next 12 months?’ Increase somewhat: 60%; increase significantly: 16%; neither increase nor decrease: 18%; don’t know: 6%. A second panel shows Yes / No / Do not know responses by law practice band (Top 10, Top 11-25, Top 26-50, Top 51-100).]
As mentioned, key to cyber crime’s targeting of law firms is the fact that they often hold sums of money on behalf of clients – as part of business funds transfer, bequests, or property conveyancing, for example (although a shift toward so-called ‘digital vaults’, possibly based on blockchain models (see Cyber Security Europe, Spring 2019 issue), could help to de-risk this). The Solicitors Regulation Authority (SRA) reported that more than £11m of client money was stolen due to cyber crime incidents in the 2016-2017 period. Phishing is the most common cyber attack directed at law firms, and is most prevalent in areas of practice such as conveyancing. A June 2018 survey of law firms by the Law Society showed that 81% of practices polled reported that phishing attacks on their staff had occurred in the preceding 12 months. Other attack types cited were spoofing (53%), i.e., attempts to obtain financial or other confidential information from third parties by impersonating a firm, and virus/spyware/malware attacks (47%).
Burden of responsibility is shifting
It seems probable that cyber concerns will be an influential factor in shaping the future of the law firm sector in Europe. The expansion of information technology’s role as a business enabler means that the demand for legal services is in growth mode. Nobody seems sure how many law firms there are in the European region, but most market indicators suggest that there are opportunities for consolidation and new entrants. Cyber law experience and expertise is a differentiator that can bring a market-leading edge. There is also the prospect of disruptive new entrants from the US for European law firms to contend with. The ongoing saga of Brexit – often cited as the second biggest headache after cyber security – adds to law firms’ challenges, as do skills shortages with respect to cyber law practice. Despite the challenges, European law firms are ‘generally optimistic about the short term’, according to the PwC Law Firms Survey. None of the firms who responded to its survey expect a fee income or profit decline in the current period to Q4/2019. Indeed, a significant number also expect profit growth to outstrip fee income growth in the period 2019 to 2020. It’s not known how much of that surplus will be reinvested in future security spend; 75% of polled US rivals certainly plan to invest in cyber security tools and services over the next 12 months, according to a recent survey by Robert Half Legal. In closing, it’s worth scoping the role that the in-house legal advisor – often known as ‘general counsel’ (GC) – has in this, especially in the context of larger enterprises. Very often, these internal ‘legal eagles’ undertake much of the diligence that’s otherwise handled by third-party law firms, and security concerns are often a determining factor when deciding whether legal requirements are handled in-house or externally. According to a report from consultancy Kroll, Cyber Risk: GCs Take Responsibility, there is an expanding level of responsibility for protecting, planning, monitoring, reporting, training, and responding to the myriad elements of cybersecurity that now fall within their domain. Critically, GCs also have to take ownership of the company’s cyber incident response plan, and ensure that it is tested, up-to-date, and ready to implement in the event of a cyber incident. Kroll’s report data shows that the role of the GC has ‘grown in relation to cyber risk’: of those polled for the report, 45% say their role has expanded into the area of security planning, 40% security monitoring, 37% security reporting, and 43% ‘responding to a cyber incident’. These increases ‘stretch well beyond compliance and keeping-up with, and staying within, the law’, the report adds. This trend is driven also by practical concerns from boards and c-suite executives about what is being done to mitigate cyber threats, and ensuring that best practice is implemented, and the highest standards applied uniformly throughout the organisation, the report concludes; increasingly, the buck stops with the legal function.
ACCREDITATION Words | Jim Meyers Photography | Shutterstock
Source: 2019 Robert Half Legal Survey
LAW FIRMS THAT HAVE SUFFERED FROM SECURITY INCIDENTS
interview
...WITH DR. BEN RUSSELL
At the Cyber Crime Unit in the National Crime Agency, Ben Russell leads the UK’s fightback against the digital criminal adversaries.
As part of the UK’s National Crime Agency (NCA), the National Cyber Crime Unit (NCCU) leads the UK’s response to cyber crime, supports partners with specialist capabilities, and co-ordinates the national response to the most serious of cyber crime threats the country faces. Working closely with the Regional Organised Crime Units (ROCUs), the Metropolitan Police Cyber Crime Unit (MPCCU), partners within industry, Government and international law enforcement, the NCCU has the capability to respond rapidly to changing threats. The NCCU works with partners to identify and understand the growing use of cyber as an enabler across all types of crime, so that the most effective ways of countering threats can be determined. (The NCA plays a leading role in the investigation and prosecution of cyber criminals. Most recently (April 2019), the NCA played a leading role in the conviction of UK-based Zain Qaiser, the cyber criminal who targeted hundreds of millions of computers with locking ransomware. The investigation found that Qaiser received more than £700,000 through his financial accounts for his role in this global campaign of malware and blackmail.) As Head of Cyber Threat Response at the National Cyber Crime Unit, Ben Russell holds responsibility for the UK’s cyber intelligence, strategy and capability development.
BRIEF BIO
BEN RUSSELL, NATIONAL CYBER CRIME UNIT, NCA Ben leads a team of 100+ staff across disciplines, identifying cyber criminals, devising and delivering the nation’s strategy to combat cyber crime, and its response to critical cyber incidents and attacks.
ORGANISATION DETAILS For more information about the NCA visit: | nationalcrimeagency.gov.uk
CSE: Do you encounter much reluctance from commercial organisations when it comes to engagement with law enforcement for cyber security matters?
BEN RUSSELL: Not when they understand what our role is. What’s unique about the National Crime Agency’s National Cyber Crime Unit is that we are here to find out who is carrying-out cyber attacks. That is what we are specifically focused on and understand. Essentially, we are law enforcement. We’re cops. We want to catch the bad people. The message we want to send to the business community is, yes, we do work with the National Cyber Security Centre (NCSC), to help them get messages out to business leaders, so that they can make properly-informed decisions about how to protect their organisations. But our primary remit is to catch cyber criminals.
CSE: Does that mean the Cyber Crime Unit also proactively opposes cyber attackers?
BR: What we want to do in the law enforcement space is simple: to stop cyber attacks recurring by catching the people behind them. That applies both inside and outside targeted organisations. So if there’s an insider threat, for instance, we want to stop a rogue employee – or employees – from moving to another company and repeating their attacks.
CSE: Commercial entities will, understandably perhaps, be concerned about the wider impacts of being the target of a cyber attack should news of that get out in an uncontrolled way?
BR: Companies can be nervous about what it means to work with law enforcement. We understand that. We do want to help protect them, and do that in a way that’s sensitive to confidentiality. But we need to know something about their internal processes to do that. There are misconceptions around how law enforcement operates, and also around what it means to support law enforcement in a cyber investigation.
CSE: What sort of misconceptions?
BR: Well, we are not going to walk into an organisation that’s been breached and wrap ‘DO NOT CROSS LINE’ tape around their servers that could be running line-of-business applications. Nor are we going to unilaterally release information about an attack to the media, which I suspect is another concern that some companies have. Our obligations are to the victim. It’s the same in cyber crime as they are with any other type of crime. Naturally, if we do bring a person to court, we might need a company involved to provide a statement, but that happens quite far down the process. If the source of the attack is overseas that may not happen at all.
CSE: The world of enterprise IT and information security is now subject to a range of legislation, such as the General Data Protection Regulation (GDPR), along with the European Parliament’s Directive on Security of Network and Information Systems (NIS Directive). Do you see signs that GDPR particularly has had an effect on how businesses now manage their cyber security strategy?
BR: It’s too early to tell, but it cannot be a coincidence that there’s been an increase in reporting of significant cyber incidents since GDPR came into effect [in May 2018]. Look
at the number of incidents referred to the NCA (as a subsection of the overall cyber crime reporting mechanism) in the month after GDPR came into force, and you’ll see a step-change in the number of notifications received: it grew steeply through June 2018. That can’t be coincidence. GDPR does not mandate reporting to law enforcement – but my guess is that organisations think, ‘OK, if we’re reporting the incident to the regulator we might as well inform the police at the same time’.
CSE: More c-suite and board-level executives, and other non-technical chief officers, are being drawn into cyber governance decision-making. Is this change having a discernible effect on cyber defensive strategy, in the NCA’s experience?
BR: Yes, I think that it is. Part of the key to good cyber security is a multidisciplinary approach. You need to bring diverse skills and expertise together to try and better understand the threats being faced. What I’ve seen work really well is when you have Threat Intelligence (TI) professionals and an organisation’s Security Operations Centre (SOC) completely joined-up and working in tandem. This is key.
CSE: Why is that so important, in your view?
BR: It’s important that the threats the SOC deals with on a day-to-day basis, and the further-out analysis by TI of cyber threats coming down the line, need to be aligned – because otherwise senior management will get two sets of reports that say different things. So it needs to be connected. The other related mindset that’s also absolutely critical is how communications around cyber incidents are managed.
CSE: In terms of the sharing of post-incident information between parties?
BR: Yes. One of the key critical success factors I see is good stakeholder management through well-planned stakeholder communication. When I’ve seen incidents go wrong, it’s often because people are not communicating effectively.
CSE: How can that be addressed?
BR: We need to bring cyber professionals and communications professionals together to think about how, in the event of an incident, the communications strategy would work. I believe that’s very important, particularly around the area of how targeted companies then engage with their customers, partners, the media, and so forth, following an attack. Once there’s a story out there it can get out of control, as we know. Following a cyber breach incident, cyber criminals will exploit concern that follows media coverage to conduct secondary fraud aimed at people who might have been affected by the initial incident. If in anticipation of this eventuality organisations have already formally advised their customers to ignore any attempt to get them to divulge sensitive details – using phishing attacks, for example – it can prove effective in containing further incidents.
CSE: Given the range of incidents that the NCCU/NCA monitors, do you see any shift in attack types or patterns over time?
BR: There are certainly still traditional attacks where threat actors hack into a network, hide there for a while, and then exfiltrate valuable information. Those attacks are not going away. But the threat actor remains as hidden as they have always been. But there has been a shift. Cyber crime has become more confrontational. For instance, we’re seeing more denial-of-service with extortion incidents. What we are also now seeing is other threats who are not trying to hide – in fact, they are trying to be as much in a target’s face as possible – trying to get hold of money in as aggressive, assertive, upfront a way that they can. And that applies to both ransomware or extortion models.
CSE: So are the people behind these more confrontational attacks new to the scene?
BR: Not necessarily. What we’re seeing is, I think, cyber criminals adjust their methodology. Organised cyber criminals are agile and flexible – no different from other criminals, in fact.
CSE: Are there indications that what we might classify as ‘traditional’ criminal gangs are moving into cyber, attracted by gains from defrauding commercial entities?
BR: Yes, there are. We’ve predicted that trend: more traditional organised crime ‘enabled’ by cyber technology adoption. There have also been some instances of traditional organised crime using the services of cyber criminals for specific types of unlawful activity – but it’s not as widespread as some feared it would become.
CSE: There have been some very high-profile incidences of ransomware victims paying cyber criminals for decryption keys to recover their ‘locked’ data, because it seems to be the most expedient course of action in the circumstances.
BR: What I think is important to say about ransomware payments is that there are a lot of fake threats where people pay when they don’t actually need to. I would also advise victims to first check to see if their encryption keys are freely available from a benign source, or use decryption tools such as those available from Europol or No More Ransom. There is also quite a lot of ransomware where people have paid and still not been given the decryption key, so it’s not a sure-fire solution. But I absolutely have a huge amount of sympathy for organisations that find themselves in this situation.
CSE: Are businesses as communities – by vertical sector, say – now doing enough to protect themselves against cyber threats?
BR: We welcome any sector that reaches out to us to. These kinds of co-operative mechanisms are always more effective when they are driven by organisations themselves, but we are putting effort into engagement with industry bodies, trade associations, federations, consortia, and so on. I’ve seen some of those organisations take a strong role in supporting their members in terms of commending best practice, standards, and advice around cyber security. Some of these organisations show strong leadership – and that’s really positive. Organisations that also bring people together across sectors to share intelligence about cyber threats are also making a tremendous contribution, I believe.
CSE: Lastly, what are the National Cyber Crime Unit team’s objectives for 2019?
BR: Well, we have already brought several successful prosecutions so far this year, such as the British cyber criminal sentenced to two years and eight months for conducting attacks that disrupted a Liberian telecommunications provider.* His actions resulted in losses estimated at millions of dollars. We’ve had arrests of several high-profile individuals involved in cyber crime, and I think this could be the year that we really hit the highest levels of cyber crime hard. But we can only do that if we get real buy-in and support from industry, from the cyber security world – those who know these threats better than anybody. Countering cyber crime has got to be a team effort.
*Editor’s note: expert cyber criminal Daniel Kaye was hired by ‘a senior official’ at Liberian network provider Cellcom to carry out attacks on rival provider Lonestar MTN. From September 2016, Kaye used his own Mirai botnet, made up of a network of cyber-infected security cameras, to carry out consistent attacks. In November 2016, the traffic from Kaye’s botnet was so high in volume that it disabled internet access across Liberia. A European Arrest Warrant was issued for Kaye, and when he returned to the UK in February 2017, he was arrested by NCA officers.
ACCREDITATION Words | James Hayes Photography | National Crime Agency; Shutterstock
ON THE SAME SIDE
FEATURE
The executive and the IT security teams must do more to reduce the communications gap between them: it starts with recognition of the value each ally brings to the defence campaign.
Though based largely on anecdotal evidence, the communications gap between frontline IT security teams and senior executive leads exists in organisations across Europe and beyond. This gap is routinely blamed on a lack of focus on cyber security from the execs; but it’s reasonable to challenge this argument. This entails analysis of whether the IT security personnel are communicating with their senior executives in as intelligible and effective a way as possible. Cyber security is a complex, yet vital aspect of business operations, so lack of communication on the subject is a missed opportunity when it comes to aligning from the ground up – and prioritising efforts to match the core mission of the business in question – while all the while keeping business data secure. To address this disparity, organisations’ teams need to work up and down to consider a range of key areas when it comes to cyber security. The cyber security team must ensure it is effectively flagging the threats it defends the organisation against, and communicate how these threats directly align with the risks assessed as the main focus by the senior executives. Frontline security teams typically focus on defence against all threats, and in many cases this mission is not synchronised with the key risk areas identified by the senior executive and upper management teams. Prioritising the threats and aligning these to the key risk focuses of the leadership team helps to close
FACTS
FIREEYE M-TRENDS REPORT 2019 GOOD NEWS... Is the cyber security industry getting better at detecting threats? Yes: From October 1, 2017, to September 30, 2018, the global median dwell time was 78 days. That means attackers are operating for just under three months (on average) before they are detected.
BRIEFING
TOP-DOWN PERSPECTIVE
Executive teams must pay specific attention to both the current cyber threat landscape and those threats that target their specific vertical sector, business or industry.
For example, if a competitor is targeted and this is reported on publicly, the senior leadership should communicate this specific threat as a potential business risk. Overall, a limited understanding of the risk environment, cyber threats and stakeholder priorities leads to ineffective security controls, and it most likely will not help minimise the miscommunication between the security team on the ground and the senior leadership team. The cyber security situation has now improved, and will continue to do so, as we gain better defensive insight; but there is still a residual impression that senior executives may view the cyber challenge as rather too technical an issue for them, even if they broadly realise and acknowledge its importance. Threats such as the NotPetya malware and the WannaCry ransomware, which – very publicly – caused huge impact to big brands and institutions (with costs running to millions of dollars for targeted companies) have resonated with c-suite/boards’ collective consciousness. Firm action still needs to be taken by European organisations to close this communication gap as a ‘preventable vulnerability’ as part of a policy-based security strategy.
MORE INFORMATION | fireeye.com/current-threats/annual-threat-report/mtrends.html
the communication gap, to ensure the work the security team is doing is aligned with the overall business mission – and therefore understandable to c-suite and boardroom. That said, all threats need to be addressed, detected and prevented from entering business networks; but with the ever-changeable threat landscape, it is difficult to prioritise all threats. We are seeing an increasing change in the cyber crime ecosystem: nation-states look constantly to mature their offensive capabilities; and opportunistic threat actors try to monetise unauthorised access. Threats can no longer be treated with equal emphasis; therefore the mission of an organisation’s cyber defence needs to be aligned with the risk areas identified as the most crucial by the organisation. Many security operation centres now handle alerts where they prioritise all of them equally or where they struggle to sort the severities based on the motivation of the threat faced. With the lack of alignment between what you are defending against and what matters most for the business, the information communicated to senior leadership often gets under-prioritised, even perhaps plain ignored. Given this operational context there are key questions the cyber security team would do well to address. First, do we understand who is targeting us right now, and how well-informed are we about their tactics, techniques and procedures (TTPs)? These days, many threat actors share the same TTPs. By understanding the motivation behind a cyber threat, security teams can start to prioritise alerts. For instance, a highly-organised cyber criminal collective might be more motivated to attack your organisation if you have data they can monetise, such as credit card records. Likewise, a potential nation-state sponsored cyber espionage threat group might target your organisation if you are a government agency that holds sensitive information.
Second, have we built a threat profile which factors in the business and environment, identifies and tracks cyber threats and exposure? By understanding the threat landscape and having a clear view of the business risks, security teams can start to identify the cyber threat actors who are most likely to target their organisation before they attack. Furthermore, enterprise security teams can begin to track their cyber adversaries by collecting available information on how they operate, and then map that against their exposure. This puts security teams a step ahead of the adversaries, allowing them to communicate awareness about the potential threat, before it becomes a serious risk.
Third, how do we measure our defensive capabilities? How do we detect or deny the threat at the intrusion stage? Regardless of motivation, most breaches happen in the same stages. The pace of an attack might change depending on the sophistication and capabilities of the attacker, but usually, a breach and potential loss of data starts with:
Initial compromise of an employee by sending phishing emails, which can be more generically created or tailor-made towards the specific target.
Establishing a foothold by leveraging malware or publicly-available tools.
Escalating privileges to ensure attackers have the right permissions to navigate the infrastructure and gain access to information and assets.
Completing the mission by stealing the data.
There are of course many varieties of the foregoing points, and therefore it is also vital to understand the motivation, rather than just the TTP.
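The prioritisation described in these questions can be sketched in code. This is an added example, not from the article or from FireEye: it ranks alerts by breach stage, by whether the suspected actor's motivation matches data the business holds, and by whether the asset is one of leadership's key risk areas. The weights, field names, asset names and sample alerts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Breach stages in the order the article lists them. A later stage is closer
# to data loss, so it earns more points (1 to 4).
STAGES = (
    "initial_compromise",
    "establish_foothold",
    "escalate_privileges",
    "complete_mission",
)

# Assumed mapping from actor motivation to the data that motivation seeks,
# following the article's two examples (card records, sensitive government data).
MOTIVATION_TARGETS = {
    "financial": frozenset({"payment_card_records"}),
    "espionage": frozenset({"sensitive_government_information"}),
}

# Assumed weights, chosen for illustration only.
MOTIVE_MATCH = 3    # the actor wants data this business actually holds
MOTIVE_UNKNOWN = 1  # not yet attributed: keep it visible rather than at zero
KEY_RISK_ASSET = 3  # the asset sits in a risk area named by senior leadership


@dataclass(frozen=True)
class ThreatProfile:
    data_held: frozenset        # kinds of data the business holds
    key_risk_assets: frozenset  # assets leadership identified as key risks


@dataclass(frozen=True)
class Alert:
    alert_id: str
    stage: str
    motivation: str  # "financial", "espionage" or "unknown"
    asset: str


def score(alert, profile):
    """Score one alert against the business threat profile."""
    if alert.stage not in STAGES:
        raise ValueError(f"unknown breach stage: {alert.stage!r}")
    points = STAGES.index(alert.stage) + 1
    if alert.motivation == "unknown":
        points += MOTIVE_UNKNOWN
    elif MOTIVATION_TARGETS.get(alert.motivation, frozenset()) & profile.data_held:
        points += MOTIVE_MATCH
    if alert.asset in profile.key_risk_assets:
        points += KEY_RISK_ASSET
    return points


def prioritise(alerts, profile):
    """Highest score first; ties are broken by alert id for a stable queue."""
    return sorted(alerts, key=lambda a: (-score(a, profile), a.alert_id))


def furthest_stage_by_risk_asset(alerts, profile):
    """For each key risk asset, the latest breach stage seen (None if no alerts)."""
    furthest = {asset: None for asset in sorted(profile.key_risk_assets)}
    for a in alerts:
        if a.asset in furthest and a.stage in STAGES:
            seen = furthest[a.asset]
            if seen is None or STAGES.index(a.stage) > STAGES.index(seen):
                furthest[a.asset] = a.stage
    return furthest


# Constructed sample: a business that holds payment card records.
PROFILE = ThreatProfile(
    data_held=frozenset({"payment_card_records"}),
    key_risk_assets=frozenset({"payment-gateway", "customer-db"}),
)
ALERTS = [
    Alert("A1", "initial_compromise", "financial", "hr-laptop-17"),
    Alert("A2", "escalate_privileges", "financial", "customer-db"),
    Alert("A3", "establish_foothold", "espionage", "build-server"),
    Alert("A4", "complete_mission", "unknown", "payment-gateway"),
    Alert("A5", "establish_foothold", "unknown", "hr-laptop-17"),
    Alert("A6", "initial_compromise", "financial", "customer-db"),
]

if __name__ == "__main__":
    for a in prioritise(ALERTS, PROFILE):
        print(score(a, PROFILE), a.alert_id, a.stage, a.motivation, a.asset)
    print(furthest_stage_by_risk_asset(ALERTS, PROFILE))
```

The per-asset view from `furthest_stage_by_risk_asset` is the kind of output that can be reported upward in terms of the risk areas leadership already named, rather than as a raw alert count.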
SECURITY REPRESENTATION: ROLES CURRENTLY ON THE BOARD
In this survey almost all of the Chief Security Officers polled report being on their organisation’s board. Source: FireEye Secure Boardroom Report (2016).
[Chart: percentage of respondents reporting each role on the board: Chief Security Officer, Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, Chief Operating Officer, Chief Marketing Officer, Chief Information Officer, Chief Legal Counsel, Chief Risk Officer, Chief Compliance Officer, Chief Hacking Officer.]
EMEA ‘DWELL TIME’ CHANGES
Overall ‘dwell time’ of 177 days remained largely unchanged from 175 days in 2017.
[Chart: EMEA dwell time in days, 2016 to 2018.]
A fourth question is, do we know the individual stakeholder’s requirement for cyber threat information? And when security teams provide information to stakeholders outside the cyber security cohort, have they ensured that it is the information that is relevant to the stakeholder? For example, does the information provided to senior leadership address business risks and does it give a forecast on the likelihood of impact due to the threat landscape. Both financial and business efficiency impact should be considered. For the senior executive team, meanwhile, it’s nothing new to acknowledge that cyber security needs to be a wider business focus, not one just for the IT team. “C-suites and boardrooms now worry about the damage to reputation and brand equity that may result from a data breach, more so than the potential of heavy fines introduced by incoming legislation such as General Data Protection Regulation (GDPR),” writes FireEye blogger Duncan Brown, Research Director/European Security Practice at market intelligence firm IDC. “Boards often do not understand the technical details of security, given that board members are unlikely to come from a deeply technological background, and cyber security gets very technical very quickly.” Brown continues: “Senior executives do understand risk, however. The expression of a cyber security strategy articulated in terms of risk means that board members are more likely to understand both the importance of what is being proposed, and the consequences of paying insufficient attention to defence against cyber attack.” From the perspective of the senior executive team, it is key that they question how they build their business risk profiles and communicate these to the cyber security team. In many cases, risk focuses on the likelihood and impact, which is usually based solely on internal values and analysis. Some organisations may get additional input by budgeting for third-party validation and penetration tests. 
In this area, there is an opportunity for senior leadership to understand the threat landscape: by following who is targeting their industry, with what, how, and with which motivation, they can start to factor those outputs into their ongoing risk analysis. FireEye’s M-Trends 2019 report, based on information and data collected from FireEye’s Mandiant GDPR Incident Response efforts, indicates that, for 2018, the median time for the detection of a breach (a.k.a., the ‘dwell time’) in the EMEA region is 177 days (largely unchanged from 175 days in 2017) and, in many cases, organisations are relying on external notifications, which increases the detection time significantly.
It also reflects the changing trend in the EMEA region. As noted, organisations, and in particular c-suites and boards, are taking cyber security governance much more seriously. This has been driven in part by regulation such as GDPR, but also due to increased recognition of the risk presented by targeted cyber attackers. The underlying data (see chart above) shows that while many organisations are dealing with advanced threat actors much faster than ever before, security teams are still uncovering historical attacks. Therefore, the increased Internal and External dwell times reflect the attention that organisations surveyed by the report are placing on effective security measures. The gap between internal and external notification reinforces the importance for organisations to have strong detection and remediation strategies in place. External notification cannot be relied upon as a meaningful detection strategy. Greater collaboration and understanding from the security teams and senior executives can help to address the gap between intrusion and detection, by carefully analysing what causes such attacks and devoting to this the time and attention it requires.
ACCREDITATION Words | Jens Monrad, Head of Intelligence EMEA, FireEye
| fireeye.com
Source: FireEye M-Trends 2019 Report.
FEATURE
With training that turns threat awareness into a learning game, organisations can transform their employees into a first line of defence against routine cyber attacks.
A succession of recently published reports into how companies approach cyber security and data risk has revealed some worrying contradictions. For example, we are seeing that while most organisations agree that a cyber attack is a very real risk, many don’t even have a dedicated cyber security budget. And, while senior managers in UK companies say cyber security is a high priority in their organisation, the number of top execs who have some responsibility for IT governance policies has yet to reach critical mass. Most concerningly, even though up to 90% of data breaches reported to the UK Information Commissioner’s Office are caused by human error, and not cyber attacks (its statistics reveal), most organisations still do not provide security-focused training for their workforces. At the same time the UK Government’s recently published FTSE 350 Cyber Governance Health Check 2018 reports that just 46% of businesses have a dedicated budget for cyber security, despite the fact that 96% of them do have a cyber strategy, and 72% believe cyber risks to be ‘high’ or ‘very high’. Additionally, only 16% of survey respondents felt that, to date, their boards had a ‘real understanding’ of the business impact of cyber threats. Another Government survey, Cyber Security Breaches 2018, found that 43% of organisations had identified breaches in the previous 12 months. Some 75% of the businesses surveyed said cyber security was a ‘high priority’ for senior managers, but only 30% of the firms have responsibility for it at board level.
IN BRIEF
CYBER SKILLS GAP RELATED TO ATTITUDE TOWARD CYBER TRAINING
According to findings of the DCMS Cyber Security Breaches Survey 2018, businesses that report cyber skills gaps are less likely than average to have sent staff on cyber security training. This suggests that organisations that have identified a problem with skills gaps have not necessarily taken steps to address it through offering training.
The same report also revealed that just 20% of businesses have had any of their staff attend cyber security training in the past year. Reasons cited include cost and ‘not seeing the need for training’. Not surprisingly, one of the report’s main findings is that businesses can do more around training to protect themselves. Another report still – from the technology conglomerate Verizon – takes a more global perspective on cyber security. Its latest annual Data Breach Investigations Report found that nearly 20% of incidents were caused by employee human error – i.e., routine workplace mistakes. Clearly, learning needs to be higher up on the boardroom agenda than it is right now. As the Verizon report states, ‘Make people your first line of defence. Do your employees understand how important cyber security is to your brand, and your bottom line? Get them on-board; and teach them how to spot the signs of an attack and how to react.’ Moreover, it is not just rank-and-file personnel who need the training: senior executive management must get involved. Through leading the company’s risk-mitigation measures, they would be saying to everyone else: ‘Hey, this stuff matters’. And, of course, they would be on top of the issue themselves. Therefore, training recommendations apply equally to the c-suite and boardroom employees as they do to the ‘frontline’ workforce – that’s to say, when it comes to cyber defences, everyone inside an organisation is targeted, which is to say, everyone is now ‘frontline’.
This means that everyone needs to know what the risks are and how to swiftly escalate a potential threat. There’s also a forceful argument to suggest that senior executives, Human Resources, Learning & Development, and team leaders be among the first to undertake cyber awareness training. So, let’s review some baseline measures that delineate these changes.
GDPR: EMPLOYEES’ RESPONSIBILITY
We have long seen that people represent a huge vulnerability for organisations, largely because hackers are exploiting a general lack of security awareness knowledge, added to which, attacks are growing in sophistication. While the introduction of the General Data Protection Regulation (GDPR) in May 2018 has done much to focus minds on enterprise data security risk, much more needs to be done. The reports earlier referred to suggest that training is being left out of the risk mitigation equation – and that is why human error remains such a significant factor in breaches.
Playing-out the consequences of security decisions made is much more powerful than a lengthy list of ‘dos’ and ‘don’ts’ guidelines.
Employees have a major role to play in combating these cyber threats – but only if they know how to. For instance:
Can employees spot a phishing email?
Are they aware of what constitutes protected data?
Do they know the consequences of clicking onto a suspicious link?
Have they been advised how to escalate an issue if they do spot a risk?
Do they know the importance of rapid response and why this is so critical?
Are staff advised on what to do if they see risky behaviours in colleagues?
Most employees will not require the same level of training as security teams, but they do need to know enough to be aware of possible threats, and how to take preventative action. However, we believe there are training pitfalls to avoid (see ‘Practice Pitfalls’ sidebar, facing page). Compliance training will not be effective if it’s one-off, overwhelming and, well, dull; and if it’s not pitched or tailored correctly to the audience. The starting point is to motivate the workforce by instilling an understanding of the importance of cyber security to the company and to customers.
GUIDANCE
PRACTICE PITFALLS
Six of the most common mistakes organisations are prone to make when it comes to GDPR training...
1. DOING NOTHING To ignore the need for awareness training puts your organisation at greater risk of a breach and the subsequent reputational meltdown. GDPR places a responsibility to embed data protection ‘by design and default’. As part of this, ‘regular and refresher training is a must’, says UK ICO.
If they understand what’s at stake, they will be more vigilant, from day-to-day. This is where managers have an important role to play, by also undertaking necessary training and leading the messaging. In its approach, training should focus on the most important things that employees really need to know. Don’t bog them down with irrelevant information. They’ll need a grounding in how to identify and respond to potential risks, and in knowing what safe and unsafe behaviour looks like. We recommend delivering this essential learning in manageable chunks that are quicker to learn and easier to remember. Cyber security is a serious subject – but that’s all the more reason why the learning experience needs to be creative, fun even. The aim, always, is to have engaging learning that employees ‘want to do’ rather than ‘have to do’. Creativity in compliance might sound like a contradiction; but adopting this approach ensures that the message resonates with the audience. GDPR effectuation posed a huge compliance challenge for organisations. There was an urgent need for organisations to make their workforces aware of the updated, stricter regulations. Clearly, in-depth training that involved hundreds of pages of text would just never work. People wouldn’t read it, let alone remember it. In response to this learning need, my company Sponge worked with GDPR experts to create the content for an off-the-shelf GDPR learning game, built by combining learning game theory and mechanics. Sponge’s digital game, ‘GDPR Sorted’, can be played repeatedly, to teach the core principles of the regulation to workforces – without becoming boring or off-putting. To date, ‘GDPR Sorted’ has been rolled-out by 20 organisations operating across Europe: they include DPD, Krispy Kreme and Soak.com.
“It took a boring topic and made it more engaging,” according to Nicky Prangley, HR Services Manager at Krispy Kreme, “so that employees are quite happy to complete the training.” For it to matter to employees, the learning should be meaningfully relatable to their world and experience. Finding the human stories behind the statistics enables people to connect with issues around cyber and data protection. One way of engaging people in this way is to use real world scenarios in digital learning, where employees can make decisions and influence what happens next. Cyber security training should offer employees the opportunity to experiment and try it out for themselves in a context where they can learn from the decisions they are obliged to make. Again, learning games can prove the ultimate sandbox for this, because the learner can play until they have mastered the information. If they get it wrong, that’s fine,
2. FORGETTING THE AUDIENCE Rolling out the same GDPR compliance training to everyone means no-one gets the right training. High-risk data users need a different approach to the general workforce. Segment the training, so high risk employees benefit from a bespoke programme. Meanwhile, introduce the basics of GDPR to lower risk data users in an engaging and accessible way.
3. OVERWHELMING EVERYONE Handing-out documents with every GDPR dot and comma to all your people and saying ‘remember that’ is a recipe for failure. Instead, focus only on what they need to know about GDPR for their jobs, and which behaviours related to data protection are most important for them.
4. ‘ONCE A YEAR’ SYNDROME Annual GDPR training is not enough. GDPR compliance requires continuous learning and reinforcement opportunities to avoid lapses. Continuous learning helps people to apply their training daily, and contributes toward a data safety culture.
5. BOX TICKING With GDPR training, don’t just tick the box, think outside of the box. If your GDPR training is found dull and boring employees won’t engage and they won’t learn. To be effective, learning about GDPR must be memorable, so ‘rebrand’ it as an experience that people want to do.
6. IN ISOLATION GDPR learning loses effectiveness when delivered in isolation or bolted on. For maximum impact, build a GDPR learning campaign with preparation, activation and sustain phases. Use a mix of learning activities: something for everyone.
Sources: DDCMS Cyber Breaches Survey 2018; FTSE 350 Cyber Governance Health Check 2018.
Fig 1: WHO GETS AWARENESS TRAINING WHERE IT’S OFFERED. Categories: directors or senior management staff; IT staff; staff members whose job role includes information security or governance; other staff who are not cyber security or IT specialists. Series: businesses; charities.
Fig 2: ORGS WHERE STAFF HAD SECURITY TRAINING 2017-2018
Businesses overall: 20%
Micro firms: 16%
Small firms: 26%
Medium firms: 43%
Large firms: 65%
Info/comms: 38%
Finance/insurance: 59%
Charities overall: 15%
Bases: 1,519 UK businesses; 655 micro firms; 349 small firms; 263 medium firms; 252 large firms; 99 information/communications firms; 105 finance or insurance firms; 569 charities
Fig 3: RISK SIMULATION: EXEC INVOLVEMENT. Legend: Yes, as part of a cyber-specific crisis simulation tailored to the organisation; Yes, as part of a cyber-specific crisis simulation exercise; Yes, as part of a broader crisis simulation exercise.
and better in a learning context than a real-life scenario. In a similar context, Sponge has also been working with a global restaurant brand to develop an Augmented Reality (AR) card game aimed at educating several hundred franchise owners on cyber security best practice. The mixed reality game covers threats from physical security breaches – such as ‘dumpster diving’ and ‘tailgating’ – to digital breaches such as phishing, DDoS (Distributed Denial-of-Service) attacks, Cross-Site Scripting (XSS), and SQL (Structured Query Language) injections. Delivered via a series of roadshow events aimed at franchise owners, the game brings together those with overall business and cyber security responsibility to raise awareness and knowledge. To play the game, teams comprising five players – three business leaders versus two hackers – battle it out for a place on the leader board. The hackers (the attackers) are trying to ‘earn’ money, while the business leaders (the defenders) are trying to oppose the attack. By the end of the training, each player will have learnt the key messages around cyber security and know how to apply the learning in the real world. The aim of the game is to help business owners determine a sound business and financial strategy for their restaurant outlet via a simulation game. As with ‘GDPR Sorted’, this is ‘applied learning’, where people learn by taking part in scenarios. The underlying argument is that seeing the consequences of decisions made is far more powerful and retentive than reading a book of guidelines or a lengthy list of ‘dos’ and ‘don’ts’. In this particular instance, the game is part of a blended learning approach, not a stand-alone experience. An immersive game like this does more than simply teach people; it also generates a buzz; it gets them talking and thinking about security on a daily basis. Employers can harness this interest to generate behaviour change.
Fig 3 legend (continued): Yes, as part of a ‘gold command’ level crisis simulation exercise; No.
There’s a forceful argument to suggest that senior execs and team leaders be among the first to undertake cyber awareness training.
It only takes a single lapse to undo good work. Therefore, it is essential to keep learning ongoing; regular refreshers and updates should be part of a continuous campaign or learning programme. This could include an updatable game, emails, or microlearning – short and snappy refreshers that fit into the working day schedule. Two of the calls-to-action that emerge from the aforementioned reports are that there needs to be greater ‘hands-on’ engagement from the very top, and that employees must have a level of training. With the first theme, the evidence suggests that a change in culture is required. Risk management and data compliance should be placed firmly at the heart of organisations and high on the boardroom agenda, so that doing the right thing is top of everyone’s minds whenever they are at work. To fix the second action call, the answer is fairly clear: organisations already have their own in-built ‘firewalls’ – their people. So why not arm them with the necessary skills?
ACCREDITATION Words | Louise Pasterfield, Founder & Managing Director, Sponge | wearesponge.com Photography | Shutterstock
SKILLS PLANNING
Cyber threats change year-by-year – so how can business leaders decide the skills their IT security teams will need circa 2025?
The relevance of cyber security to the business bottom line has exploded in recent years. Cyber attacks have grown more sophisticated and more ubiquitous, and regulatory scrutiny more intense. This phenomenon has created unprecedented demand for cyber security talent for which the labour market was largely unprepared. In February 2017, industry body (ISC)² predicted in its 8th Global Information Security Workforce Study that by 2022, the worldwide cyber security skills shortage would reach 1.8m; in October 2018, its new study revealed that reality had already far surpassed predictions, putting the current shortfall just below 3m. So, in a climate where the skills gap is now at an all-time high, the technology that cyber security professionals use is developing fast, and the threats they deal with are evolving even faster, how do businesses meet both today’s needs, and also prepare for those of the future? Will the capabilities they now seek even be relevant in five years’ time? To answer these questions, it must be understood how the cyber skills crisis is shaping cyber security itself. Enterprises are often hamstrung by the need to find niche talent that has knowledge of the tools which they have already invested in – for example, someone who has experience with their particular type of firewall or cloud service provider. Due to complexity and fragmentation issues, one organisation may have many niches.
FACTS
EUROPEAN CYBER SKILLS SHORTAGE The Cybersecurity Workforce Study from (ISC)² says that there are some 142,000 positions now open for cyber security professions in the EMEA region.
TODAY’S IN-DEMAND SKILLS
2019
Demands made on the role of info security professionals will change over the next five years. Here are nine examples of today’s specialist and generalist competences...
1 Specialist skills
2 On-premises / cloud / mobile focus
3 Manual processes experience
4 End-user support skills
5 Technology/business focused
6 Threat Intelligence informed
7 Artificial Intelligence knowledge
8 Security software patching skills
9 Tech jargon savvy
IN BRIEF
SECURE IT AS YOU BUILD IT
Many of the skills and competences we needed in 2014 are still relevant in 2019; but soon we enter a new decade, and historically, this has sped up rates of tech change.
Other skillsets that will need to become absorbed by 2025 will be around how cyber security as a discipline becomes woven into the ‘DevOps’ processes that will drive how organisations harness technology and data to thrive. This change will require the adoption of a monitoring and facilitating role for software updates and revisions – and thus playing a crucial part in pre-empting vulnerabilities or spotting/fixing them faster. Alongside their script and code-writing abilities, a cyber security professional will need to perform as a reverse engineer, capable of tracking back into the code development process to discover flaws, loopholes, and so forth. The shift to DevOps is about more than a new set of technology skills; it’s about a method of working and thinking that is very different to the mindset of a traditional cyber security professional; and it will also include some culture adjustments within teams. Cyber security professionals will need to employ more creativity in the job, not only to respond to known problems with known answers, but also to identify and solve entirely new problems.
Information security teams and security analysts now have more vulnerabilities than ever to deal with. In 2017, the National Institute of Standards and Technology’s National Vulnerability Database, which gives formal identification numbers to vulnerabilities, assigned more than ever before, and more than twice as many as in 2016. The following year shattered even that record, with more than 16,000 new vulnerabilities formally identified. Of these, there were about 9,000 vulnerabilities ranked as ‘critical-’ or ‘high-severity’. This means organisations need to apply better prioritisation tools rather than just fixing all high-severity threats, as those account for over 50% of all threats. The overall 2018 figure is a 12% increase on the previous year; it seems these record-breaking vulnerability figures can be regarded as the new normal. Trying to make sense of which of these vulnerabilities pose the greatest risk to their organisation is an almost insurmountable task for cybersecurity teams. The challenge of answering, ‘What do we try to fix today?’ is only getting harder. Cyber security teams often rely on manual processes to stitch together insights from many disparate tools and information sources. Given the resource burden and mixed results of those efforts, it’s unrealistic to expect those skills to be fit for purpose for an indefinite period. Similarly, with network security engineers and operations managers who deal with near-constant or near-real-time requests for changes to meet business needs, the scale and complexity in which these changes take place quickly out-maxes most available resources. To overcome the pressures placed on already stretched security teams and to offload data-intensive tasks, organisations are turning increasingly to automation. Automation has long been part of cyber security strategy programmes; but the amount and calibre of work organisations expect technology to take care of has grown hugely in recent years. While cyber security is by no means ready for ‘flip-switch’ solutions, recent advancements already promise the demise of manual, cut-and-paste tasks and the prominence of platform solutions that orchestrate certain processes across connected devices and given ‘attack surfaces’, where an unauthorised user (the ‘attacker’) can try to enter data to or extract data from a secured environment.
TOMORROW’S IN-DEMAND SKILLS
2025
...Five years on, and digital integrity leads focus less on tech management, and more on control of automated systems that seamlessly safeguard business operations.
1 Multi-skilled
2 Cloud / mobile focused
3 Automated process pilot
4 End-user digital monitoring
5 Business/technology focused
6 Threat Intelligence led
7 AIOps expertise
8 Software engineering accreditation
9 Cross-organisation communicator
For professionals looking to remain relevant in this new era, amassing a working knowledge in such platforms and their ecosystems of analytic tools will be vitally important. Automated technology is currently more than capable of taking on rote tasks, such as data collection and correlation. But as automation and Machine Learning (ML) continue to evolve toward the goal of Artificial Intelligence (AI), it should not degrade the authority of cyber security leaders who oversee this technology and act upon its information. Instead, it should elevate the leader’s position, and allow them to be more strategic and effective with their actions. Technological advancements often cause concern in the labour force at the time, for fear they could make workers irrelevant in some respect — and this concern is not misplaced. Automation in cyber security is poised to make many roles that deal with raw data analysis irrelevant, in a short amount of time. But it also opens the door to new roles which require new expertise. In the years leading up to 2025, the ability of cyber security professionals to challenge the ML parameters and processes they rely upon will become exceedingly valuable. They will need to know that their machines are continually learning, adapting to change, not following false truths, etc. This means being able to crack open technology that might otherwise be opaque, requiring more than baseline knowledge in how to train and improve ML algorithms. As risks are reviewed on a larger, faster-moving scale, cyber security professionals will have to apply priority logic tools to significantly larger data sets; this requires analytics skills relevant to data science to make the right judgements and ensure a robust prevention strategy. The other skillsets that will need to be absorbed will be around how cyber security becomes woven into the DevOps processes that drive how modern organisations harness technology and data to thrive.
This requires the adoption of a monitoring and facilitating role for software updates and revisions – and thus playing a crucial part in pre-empting vulnerabilities or spotting and fixing them faster. Alongside script and code-writing abilities, a cyber security professional will also need to perform as a reverse engineer, capable of tracking back into the code development process to discover flaws and loopholes in an app or digital service unique to that organisation. The shift to DevOps is about more than just a new set of technical skills; it’s about a method of working and thinking that is very different to the mindset of a traditional cyber security professional — and it will include culture adjustments within teams as well. Cyber security professionals will need to employ more pure creativity in the job to not only respond to known problems with known answers, but also
to identify and solve the new problems entirely, and keep their organisations ahead of attackers’ innovations. Building and managing the new cyber security workforce puts an onus on organisation leaders to employ mature team-building and motivational techniques that meet the needs of their new wave of employees. Reserves of creative and sceptical thinking will need to be continually exercised and fed, making the opportunity for exercises like wargaming so invaluable. Leaders will also need to recognise the importance of intercommunication and collaboration to ‘connect synapses’ – so to speak – within the team. This is an area in which, of all groups, the threat actors have excelled: they routinely share knowledge and tools with their peers, thereby raising the bar for attack defence. For the cyber security community to raise the bar to launch attacks, cyber security professionals need to do more than simply share threat alerts. They should be writing up and sharing their analytics and playbooks to better prevent attacks. Indeed, all the investment in new skills will be of less value if those future professionals are not sharing their cyber experiences seamlessly.
It is quite unrealistic to expect today’s cyber security skills to be fit for purpose for an indefinite period as we move into the 2020s.
ACCREDITATION Words | Marina Kidron, Director of Threat Intelligence, Skybox Security | skyboxsecurity.com
CONTRIBUTORS
Cyber Security Europe’s panel of contributing writers come from solutions vendors, sector agencies, and journalistic market-watchers.
INDUSTRY
MARINA KIDRON Marina Kidron is the Director of the Skybox Research Lab, a dedicated team of security analysts who daily scour data from more than 30 public and private security feeds, and investigate more than 700,000 sites on the open and deep web. She joined Skybox Security in January 2013 as a team leader of R&D. Marina has 10+ years of experience in business and statistical data analysis, data modelling, and algorithms development, and has worked for companies in the fields of information technology, mobile technology, internet and financial services, including WeFi, Datanetis and G-STAT. Marina holds a Master’s in Political Marketing and is also a Bachelor of Computer Science and Mathematics.
JENS MONRAD Jens Christian Høy Monrad has worked in IT security for more than 15 years. In his role as Head of Intelligence, EMEA at FireEye, he manages an analyst team who uncover the latest Threat Intelligence. This information is used to help organisations understand the risks they face based on the way they operate. Jens’ role involves looking into attacks on both public and private organisations by cyber criminal groups, state-linked actors, and hacktivists. He has also counseled some of the world’s largest companies, and many government organisations, including those in the defense and intelligence sectors. Jens has presented at conferences in Europe and the Middle East; his commentary is regularly included in media reports.
DETAILS More information: | skyboxsecurity.com
DETAILS More information: | fireeye.com
LOUISE PASTERFIELD Louise Pasterfield is the Founder & Managing Director of Sponge, a company which provides workplace training to some of the world’s largest brands. Under her lead, Sponge has grown to be Europe’s largest independently owned custom digital learning provider, and employs 120 people out of five offices in the UK and Ireland. The company has won 18 awards over the last 15 years; they include LPI Learning Provider of the Year 2019 and silver winner of the Learning Technologies Company of the Year 2018. Louise was named Plymouth’s Entrepreneur of the Year in 2017, and shortlisted as Businesswoman of the Year in PwC’s 2018 UK Private Business Awards. She is a regular speaker on the topic of women in business, the learning industry and digital economy. Earlier in her career, Louise was director of a design and marketing firm that specialised in branding/design.
DETAILS More information: | wearesponge.com
BEN RUSSELL At the Cyber Crime Unit in the National Crime Agency, this issue’s ‘Face To Face’ interviewee Ben Russell leads the fightback against the UK’s international digital threats. His team of more than 100 staff work across disciplines to identify criminals, devise and deliver the nation’s strategy to combat cyber crime, and respond to critical incidents and attacks. Earlier in his career Ben was Strategy Manager at the UK National Cyber Crime Unit, and National Director at Noam Masorti Youth.
‘EDMUND BURR’ ‘Edmund Burr’ is a technology writer and a consultant who specialises in cyber security issues. He has acted as a content consultant with cyber sector discovery projects for professional bodies and trade associations in the UK and US. He edited the first European thought leadership review of automotive cyber security and risk perspectives for connected vehicles (2015), as published by the Institution of Engineering and Technology (IET) and the Knowledge Transfer Network.
DETAILS More information: | nationalcrimeagency.gov.uk
DETAILS For more information: | cseurope.info
EDITORIAL
JAMES HAYES
As an editor and journalist, James Hayes has specialised in the business computing and enterprise ICT sectors. His previous technology publication editorships include Datacom, Network News, Communications News, Information Professional, European Ecommerce and Engineering & Technology (E&T) magazine. He has also written about cyber security issues for titles such as InfoSecurity Professional, Cloud Security Insights, Networking+, Charity Digital News, Land Mobile, and the London Business Magazine. He has also contributed to the Greenhaven study aid ‘Cyber Terrorism & Ransomware Attacks’. Hayes is also editor of the forthcoming book Penetration Testing: a Guide for Business and IT Managers (BCS, The Chartered Institute for IT-CREST) that’s due for European publication in July 2019. He has presented at many security industry conferences.
DETAILS For more information: | cseurope.info
PAULA JANUSZKIEWICZ Guest contributor Paula Januszkiewicz is now one of today’s most high-profile international enterprise IT security experts. As the Founder & CEO of CQURE Inc., she shares her expertise with the IT security community and provides advice to clients all over the world. Paula has already received the Enterprise Security MVP (Microsoft Most Valuable Professional) accolade and is an honourable Microsoft Regional Director. In addition, she is one of the few people to have been granted access to Microsoft Windows source code. Januszkiewicz has been the keynote speaker at well-known symposia and developer conferences in the US, Asia, Africa and Middle East.
JIM MEYERS As a Europe-based freelance technology and techno-culture journalist, Jim Meyers has written about a variety of technology and non-technology related topics. His areas of interest range from earthquake forecasting tech and Quantum Computing, to the development of Unified Communications and IT professionalism issues. Meyers also has a special interest in the history of video – and televisual recording technologies and digital restoration. He has been security manager for a major literary festival, and has written scripts for BBC radio. Meyers is currently researching a European vacation and recreational travel guide specially designed for information and communications technologists.
DETAILS More information: | cqure.pl
DETAILS For more information: | cseurope.info
sign-off
EDITOR’S PICKS
Organisations need to get more from their data. Two exhibitors at Cyber Security & Cloud Expo focus on deriving extra value from data assets.
The growing range of products and services to be showcased at Cyber Security & Cloud Expo Europe 2019 demonstrates clearly how cyber security sector concerns are permeating into other IT disciplines – and vice versa. Decision-support tools that analyse multiple sets of data, sometimes in real time, influence enterprise strategy. They can also help make sense of cyber threat trends and patterns, help decide cyber security resource allocation – and even inform Threat Intelligence. Here are two examples to look out for at this year’s Expo...
AUGMENTED INTEL FOR ASSET OPTIMISATION FROM COSMO TECH
Cosmo Tech is a French software firm that aims to help an organisation’s senior management to make optimal decisions. Cosmo Tech’s aim is to enable senior decision makers in vertical sectors such as energy, water and transport to optimise organisations’ asset management and operations strategies. Through the use of Cosmo Tech’s platform, organisations can model and simulate complex scenarios to predict the outcome of events across business ‘silos’. This capability to deliver interconnected insights then provides management with the capacity to make more informed enterprise decisions; Cosmo Tech’s technology can also leverage an organisation’s investments in Big Data and data science, the company says. Stand | 680 | cosmotech.com
UPDATES
CYBERUPT MULTISOURCE INTELLIGENCE CREATION
Cyberupt solutions fuse multiple sources of data to create a single view of the observed physical or virtual domains. This approach enables insight over extended periods into behaviour, activities or transactions that are based on a range of inputs, thus enabling immediate reaction. Using statistical modelling, observations are tested against an expectation. This also allows for the discovery of patterns, anomalies, trends and developing threats. The system automatically learns from observations to ‘understand’ what is normal using a technique called ‘Model Based Machine Learning’, so as to detect that which is unexpected or indicative of a threat. Model-Based Machine Learning is suited to the detection of rare events and anomalies. Stand | 406 | cyberupt.com
THE NEXT ISSUE OF CYBER SECURITY EUROPE
Don’t miss the next issue of Cyber Security Europe: watch out for regular publishing updates on our website about new editorial content, news updates, forthcoming features, media opportunities, Tech Guide, and more.
DETAILS For more information please go to: | cseurope.info
BE SECURE IN THE KNOWLEDGE… Cyber attacks now strike European organisations every day, every hour, everywhere. Businesses, governments, and the other organisations our economies depend on are targeted relentlessly and ruthlessly. With new data protection and corporate governance regulations, along with emerging threat types, and hardline business decisions to make, Europe’s business leaders are directly in the cyber security firing line. More than ever, they have to stay informed about the key information security challenges. Cyber Security Europe is designed in order to meet the information requirement of the top-tier European boardroom and c-suite executives who want to keep updated on today’s increasingly critical cyber security management issues. We provide the essential intelligence, insight and information you need to formulate policy and work successfully with enterprise technologists to deliver highly effective security strategies – and part of your cyber intelligence armoury.
ENGAGEMENT
CYBER SECURITY EUROPE MEDIA OPPORTUNITIES – IN PRINT AND DIGITAL
Cyber Security Europe is the information platform that meets your information requirement in your preferred delivery format. For more details, content, and to subscribe to our newsletter, go to:
| cseurope.info or email corporate@worldshowmedia.net
FOR ALL YOUR EVENT AND EXHIBITION PUBLISHING REQUIREMENTS
ONLINE, DIGITAL AND PRINT EDITING ● DESIGN ● ADVERTISING SALES ● PROJECT MANAGEMENT ● INTERNATIONAL
WORLD SHOW MEDIA Tel: +44 (0) 203 960 1999 | Fax: +44 (0) 845 862 3433 | Website: worldshowmedia.net For all corporate enquiries | corporate@worldshowmedia.net