In the week that the publication of “Lessons Learned Review of the WannaCry Ransomware Cyber Attack” concluded that the impact on the NHS of last May’s attack was preventable, there is some good news on the cyber security front.
The number of organisations achieving certification under the UK Government’s Cyber Essentials and Cyber Essentials Plus schemes has continued to grow significantly. Based on information from the four recognised accreditation bodies (CREST, IASME, APMG and QG Management Systems), as of this week 6394 organisations had achieved certification, up from 4574 six months ago (a rise of 40%). A glance at the list of names suggests that organisations of all sizes, across all sectors of the economy, are embracing the scheme.
Clearly though, there are still many organisations who have not recognised the need to improve information security: follow the link to find out how we can help your organisation.
Radware’s annual reports provide a very detailed analysis of the current state of the cyber security threat. Whilst the latest report, released earlier this month, confirms that cyber attacks are occurring with relentless frequency and continue to evolve and grow in sophistication, it also shows some subtle shifts in the targeting of these attacks. For instance, the frequency of attacks amongst service providers appears to be increasing, with 23% of firms reporting daily attacks (up from 15% in 2016); likewise the proportion of financial services firms reporting daily attacks was up from 14% to 17%. However, in the same period, the proportion of government agencies experiencing daily attacks fell from 27% to 24%, and the proportion of organisations in the education sector fell from 15% to 5%.
Perhaps there is a danger here, though, of getting lost in all the detail: even within the education sector, 90% of organisations report experiencing at least one cyber attack a year, so it is clearly a threat that cannot be ignored, particularly as the average estimated cost of a cyber incident was reported at $1.3m.
Follow the link to see how we can help with your information security management challenges.
2017 appears to have been a quiet year for product recalls in the UK. According to the FSA website there were only 45 recalls of food products (down from 76 in 2016), whilst recalls of electrical products were down from 61 to 32 (see Electrical Safety First). Before we get too excited though, looking at the longer term (see graph below) these would appear to be just part of the natural variation from year to year, rather than evidence of a breakthrough in quality management!
We would therefore still advise organisations to maintain and exercise their product recall plans, including the associated crisis communications plans.
The Information Commissioner’s Office (ICO) announced yesterday that it had fined Carphone Warehouse £400 000 over a cyber-attack in 2015. The company’s failure to secure the system allowed unauthorised access to the personal data of over three million customers and 1,000 employees, including names, addresses, phone numbers, dates of birth, marital status and payment card details. The ICO considered that the personal data involved would significantly affect individuals’ privacy, leaving their data at risk of being misused, although it acknowledged that there was no evidence that this had happened.
Using valid login credentials, intruders were able to access a Carphone Warehouse system via out-of-date WordPress software. The ICO identified multiple inadequacies in Carphone Warehouse’s approach to data security and determined that the company had failed to take adequate steps to protect the personal information. In particular, its investigation highlighted that:
- Important elements of the software in use on the systems affected were out of date;
- The company failed to carry out routine security testing; and
- There were inadequate measures in place to identify and purge historic data.
In summary, the Information Commissioner said:
“A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.
“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systemic failures we found related to rudimentary, commonplace measures.”
With just over four months to go before GDPR comes into force this is another reminder of the need to ensure information security management systems are fit for purpose. Follow the link to see how we can help.
There appears to have been a big rise in the number of organisations certifying to the Cyber Essentials standard over the last three months. Data from the four certifying bodies in August 2017 revealed that nearly 4600 organisations were certified at that stage, but this has now risen to over 5500, an increase of more than 20%. Backed by the UK Government, the Cyber Essentials standard focuses on the following five areas:
- Boundary Firewalls and Internet Gateways;
- Secure Configuration;
- Access Control;
- Malware Protection; and
- Patch Management.
By achieving certification, organisations can demonstrate to their customers and other stakeholders that they have achieved a basic level of cyber security. Follow the link for more information on how we can help you with all aspects of information security management.
At first glance the announcement of a data breach involving data from 57 million drivers and customers of Uber is a case of more of the same: there have been much bigger breaches over the last few years. However, the revelation that the company didn’t acknowledge the breach for a year, opting instead to pay a ransom to the hackers, makes the story of real interest. Here in the UK, the Information Commissioner’s Office has expressed “huge concerns” about this lack of openness, and there has been an angry backlash from those who may have been affected by the breach and are now wondering what has happened to their personal data over the last 12 months. The decision to pay a ransom is particularly hard to fathom, and potentially the most damaging aspect, escalating the discussion beyond information security into a debate about the ethics and judgement of the firm’s senior management. We shall follow this story with interest.
The BCI Supply Chain Resilience Report has become an invaluable source of information for both resilience and supply chain professionals over the last few years. The release of the 2017 report this week brings the picture right up to date.
In many ways this year’s report confirms the patterns seen in previous years: 65% of respondent organisations experienced one or more supply chain disruptions in the last 12 months (compared to 70% in 2016), and eight of the top ten causes of disruption from 2016 featured in this year’s top ten, with IT/telecoms outages and cyber attack/data breach again the top two causes. However, buried in the detail of the report there is a striking and alarming change from last year.
In last year’s report 9% of organisations reported that a single supply chain incident had cost them more than €1m, but this year that proportion jumped to 23%. Even more alarmingly, 14% of organisations report that a single incident cost them more than €10m (3% in 2016) and 9% report that a single incident cost them more than €100m (0% in 2016). Can there really have been this huge growth in extreme supply chain incidents globally, or is this increase driven, for example, by a small number of respondents severely impacted by the recent string of hurricanes in the US?
I came across a fascinating article recently by Andrew Healy and Neil Malhotra entitled “Myopic Voters and Natural Disaster Policy”. The authors reconciled local data from across the US on government spending on various aspects of disaster preparedness and disaster relief, with election results in each area. Their key finding was that politicians were rewarded, in electoral terms, for spending money on disaster relief; but not rewarded for spending money on disaster preparedness. This is even more striking as the research also estimates that $1 spent on disaster preparedness saves $15 of spending on disaster relief.
The authors also go on to discuss a variety of reasons why this seemingly irrational behaviour by voters may be observed, but the more interesting thing for me is the parallel with business continuity management. How often do we see this same “myopic” approach to managing risks at the organisational level? One suspects that, like the politicians, executives are not generally rewarded for investing in resilience. The question then is how we can mobilise directors and shareholders to address this imbalance. Any suggestions greatly appreciated!
We are now becoming so used to data breaches that only the most spectacular examples receive much attention. Usually they are spectacular because of the sheer volume of data, such as the Yahoo! breach of 2013, but on this occasion the newsworthy feature of the attacks is the sensitivity of the data that was compromised.
In what many are hailing as the sequel to the “Panama Papers” incident, which led to the resignation of the Icelandic Prime Minister, it was announced last week that an offshore law firm based in Bermuda suffered a “data security incident last year which involved some of our data being compromised.” Few details are available at this stage, but it is reported that some of Britain’s wealthiest people may be involved, and there is already speculation that there may be some embarrassing revelations about people’s tax affairs.
Most people would consider their financial affairs to be pretty sensitive but, even worse, it was also revealed last week that a major cosmetic surgery clinic in London had suffered a data breach. Hackers who targeted London Bridge Plastic Surgery claim to have “terabytes” of data, including photos showing various body parts of clients, and say they are planning to publish names and photos online. It has been widely reported that the clinic has many high-profile clients, including Katie Price.
The coincidence of these two data breaches being announced in the same week provides a powerful reminder of the extra care that needs to be taken with such sensitive data. Follow the link to the Information Security section of our website to find out how we can help.
According to the Business Continuity Institute’s (BCI) inaugural Information Security Report, 15% of organisations “lost sensitive data” in the last 12 months. Indeed the actual figure could be higher, as a further 15% don’t know whether they did or didn’t. Whatever the precise figure, it is broadly in line with a report from IBM in 2016 which estimated a 13% annual chance of “a material data breach involving 10 000 lost or stolen records”. Other research found the likelihood of a data breach was about 14% for an organisation with 10 000 employees in 2015, and had been reasonably stable at that level for the preceding few years. So everybody seems to be in rough agreement that it’s a serious problem.
Another interesting finding from the BCI report was that “human error” was the most frequent cause of loss of sensitive data. Once again, this is very consistent with other reports, such as those from the Information Commissioner’s Office, which for the last two years has found “Data posted, faxed or emailed to incorrect recipient” to be the most frequent cause of data breaches. The key to improving information security lies in effective policies, processes and training: follow the link to see how we can help with this.