Practical, Cost Effective and award-winning

Business Continuity, Crisis Management & Information Security Solutions

Phone:

0800 035 1231 (Mon to Fri 9am – 5pm)

36B Market Street, New Mills

Derbyshire, SK22 4AA, United Kingdom

The Hull-based telecoms firm, KCOM, has been fined £900k by Ofcom over a failure of their 999 call service back in December 2015.  The 4-hour outage resulted in 74 emergency calls failing, so the fine equates to over £10 000 per call (or £225k per hour)!  Although Ofcom accepted that the root cause of the disruption was the flooding of a BT exchange in York, they found “serious weaknesses” in KCOM’s continuity planning: the pre-planned back-up routes also used the same BT exchange in York.

If this fine seems high, much worse could be to come: Digital Minister Matt Hancock has announced a consultation on new proposals for fining critical infrastructure providers for disruptions arising from cyber attacks, power failures and natural disasters.  The government’s plan is to impose fines of up to £17m (or 4% of global turnover) on firms that experience disruptions as a result of failing to manage risks appropriately.  It is, however, very unclear at this stage what will constitute acceptable risk management.

BA in the News Again (Twice)

Last week attention was drawn once again to BA’s major IT outage back in May, which left tens of thousands of passengers stranded, when its owner, IAG, announced its half-year results.  There were various predictions of the cost of the disruption around the £100m mark at the time of the incident, but IAG announced that the actual cost to the company has now been calculated at £58m.  Despite this, operating profits for BA were actually up 17%!

IAG failed to shed any more light on the root cause of the disruption but did stress that it was an “isolated incident”.  However, yesterday, passengers at both Heathrow and Gatwick experienced significant delays in checking in because of further IT problems.  We await the findings of BA’s investigations with interest…

The Information Commissioner’s Office (ICO) released its 2016/17 annual report on 13th July, which showed another steep rise in the number of data protection incidents. There were a total of 2565 self-reported data protection incidents in 2016/17, an increase of over 30% from the previous year. Once again the top sectors, by number of incidents, were Healthcare (41%) and Local Government (11%). The breakdown of the types of data protection incident is also interesting, with the top causes as follows:

  • Data posted, faxed or emailed to incorrect recipient (26%); and
  • Loss or theft of paperwork (14%).


Just over a month on from the WannaCry attack, there have been reports of a significant ransomware attack on University College London.  The attack impacted shared drives, with detailed instructions given out on the university website.  By 2.30pm on 16th June, users were told that the ‘first phase of share folders will come back online this afternoon at 2.30pm and the remainder will be restored on Monday morning once full recovery of the corrupted files in these shares has been completed.’  Interestingly, UCL is now updating a security certificate for Eduroam despite earlier stating that ‘Our antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident. We cannot currently confirm the ransomware that was deployed.’; it is not known whether the two issues are linked.

As ever, this example serves to highlight the need for education to ensure that staff and other users are not clicking on dangerous links in emails or on websites, as well as the need for swift communications to ensure that further damage to systems is not caused by continued access.  It equally highlights the importance of integration between business continuity and information security, showing how effective back-up practices are vital for the recovery of data.  Indeed, it would be interesting to know if the recovery from this incident is within the parameters that have been identified in any Business Impact Analysis that may have been completed by the University.


Contact Cambridge Risk Solutions to find out how we can help you with information security and incident management planning.  Call us on 0800 035 1231.

Written by Helen Molyneux

Well, another year, and another Business Continuity Awareness Week, and it certainly seems to have slipped out with less of a bang than it started!  This year’s theme has been Cyber Resilience and, given the worldwide problems with WannaCry, it has certainly been a topical theme!

Today’s story looks towards business continuity in a more traditional setting, and considers the implications of large-scale changes to an organisation.  It has been announced today that London City airport is to alter the way that it does air traffic control, and will be the first UK airport to use remote digital systems.  This presents enormous challenges for continuity and resilience, not least because of the potential impact if something does go wrong over the city.  The reports suggest that there will be 14 high-definition cameras and two cameras which are able to pan, tilt and zoom, each providing a live feed via fibre cables to the operations room in Hampshire.

The reports explain that there will be three different cables each with different routing; I am presuming consideration has been made for what happens for the last 100m or so of the cabling; I have seen organisations where cabling has been done through different routes and providers, but still enters the building at the same point!  It would also be interesting to know what has been put in place from a business continuity perspective; there are many examples where back-ups to back-ups have failed, such as generators.  From a financial perspective, limitations are required when planning resilience, but all technologies have limitations and may ultimately rely on people; it remains to be seen whether NATS will be able to maintain the skills with a move to digital reliance.  Equally, will adequate plans and procedures have been put in place to ensure a smooth transition to the new arrangements?

Contact Cambridge Risk Solutions to find out how we can help you with business continuity planning.  Call us on 0800 035 1231.

Written by Helen Molyneux

A quick summary of the cyber news today, and it is clear that the same key lessons are emerging as have already been noted this week.  The Indian restaurant guide Zomato is reporting the theft of data of some 17 million users.  From the phrasing in their blog, it appears that they have only just found the breach, but they have not clarified when it occurred, and have stated that ‘So far, it looks like an internal (human) security breach – some employee’s development account got compromised.’  It is interesting to note that, although they state that ‘they take cyber security very seriously’, the actions they are now taking include ensuring that a ‘layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach.’

Meanwhile DocuSign, who ‘move businesses forward securely and reliably’, have reported that a list of email addresses has been breached, and that customers have been sent phishing emails.  Their website has been used effectively to report on the breach and the investigations, as well as to post a detailed FAQ.  The fact that DocuSign has certified to ISO 27001 has probably helped to ensure that they have effective incident management processes, but this highlights that even companies that have information security management systems in place can still be susceptible to attacks and breaches.  Both the DocuSign and Zomato incidents have had a swift incident response, with clear communications about the steps being taken available on the relevant websites.

In the US, bots are being used to spam a regulator’s website, thought to be some form of protest over a proposed reversal of net neutrality rules.  In this instance, the website is being bombarded with comments, and there are suspicions that stolen data is being utilised in order to make the comments appear real, despite the similarity of the comments.  Also in the US, an Apple software developer has had source code stolen, in a case that demonstrates that even developers can be fooled by hackers.

All these cases, and more, highlight similar lessons but, in particular, organisations should ensure that information security training is an integral part of business culture, and that it starts with staff.  Staff need to know which emails are safe to open, and which links should not be clicked.  As stated in ISO 27002, access to information should have ‘rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”’.


On a personal level, the need for business continuity planning kicked in this morning.  First a puncture; not normally a problem, but I simply could not get the wheel off the car.  I finally made it into the office, and found that, after even more Microsoft updates, it took 2 hours to get onto the network with my new laptop, as well as finding that my existing screen does not fit, as technology has moved on and the new laptop does not take a VGA fitting.  All sorts of lessons for business continuity, including fully understanding that things will take longer than expected (particularly when you need them to be quick!), and that technology does move on, so the assumptions that you have made about your recovery strategy may not be quite as easy as you thought, and should be tested!


Written by Helen Molyneux

There has understandably been much focus, over the last few days, on information security in the NHS.  Whilst there is still no suggestion that any patient data was breached in the recent ransomware incident, breaches of patient data remain a global problem within the healthcare sector: over 30 million patient records were breached in the US over the period 2010 to 2014.  Analysis of this US data produces two interesting findings:

  • The number of incidents in each state displays a linear relationship with the number of people employed within the healthcare sector in that state; and
  • The rate of incidents per employee has remained fairly stable over the period, at between 11 and 14 breaches per year per million employees.

Both the relationship between incidents and number of employees, and the stability in the number of incidents over time, suggest that most data breaches are in fact the result of accidents rather than malicious attacks.  This is borne out by last year’s annual report of the Information Commissioner’s Office, which found that the second most frequent cause of data breaches was “data posted/faxed to incorrect recipient”.

Of course we must continue to improve our resilience against the growing threat of cyber crime; but it is vital to also pay close attention to how we handle information ourselves if we are really to improve information security.

Hot on the heels of the massive ransomware attack on 12 May 2017, reports are emerging of a ransomware attack on Disney.  Unlike the WannaCry attack, which has impacted over 200,000 computers in 150 countries, the Disney attack has been deliberately targeted, with hackers threatening to release segments of the new Pirates of the Caribbean film unless a bitcoin ransom is paid.

This is not the first time that the media industry has been targeted in such a way.  Perhaps the most famous case was that of Sony in 2014 which wiped out half of Sony’s global network, erasing everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers.  As well as obtaining staff details and confidential emails, the hackers leaked a number of films that had yet to be released.

More recently, Netflix ‘Orange is the New Black’ episodes were stolen and released by hackers when their demands for ransom were not paid.  This case is particularly interesting as the hack was part of a much larger attack, and took place at the post-production studio, Larson Studios; the hackers initially tried to claim their ransom from Larson in January 2017.  This latter case really highlights the importance of understanding your supply chain and ensuring that the information security policies and procedures that are in place are fit for your requirements; in this instance, the hacker involved (TheDarkOverlord) was reported as stating that ‘they love going after third party vendors’.

Each of these examples demonstrates the need to have a clear understanding of the risks that will surround your information security system, and to ensure an ongoing assessment and mitigation of those risks.  It is also critical to have a good understanding of the risks within your supply chain.  It is highly unlikely that all risks will be mitigated, for reasons of cost and practicality, but any vulnerabilities must be understood, and appropriate incident management plans put in place to ensure a speedy and coordinated approach.



Written by Helen Molyneux

What a start to Business Continuity Awareness Week!  The theme for this year is ‘Cyber Resilience’, and the week has started with the investigations and continued fall-out from what has possibly been the world’s largest cyber security event, which occurred on Friday afternoon.

A ransomware attack has spread throughout 150 countries, infecting more than 200,000 computers, and impacting a wide range of diverse organisations, including a number of NHS Trusts, Telefonica, German railways, the Russian Interior Ministry, FedEx and Renault manufacturing sites.  The full impact has not yet been realised, and even as I write this, not all systems have been recovered.

The investigations, recriminations and reports into this attack will be released over the coming months, and it is too early to speculate as to how the attack started in each organisation.  However, it is worth noting a few key lessons:

Business Continuity

There has been much in the media about how NHS Trusts are resorting to using pen and paper.  If this is the strategy that has been adopted as part of the business continuity plan, then this makes sense.  However, it remains to be seen whether business continuity plans have been fully effective at meeting the required Recovery Time Objectives (RTOs) for each of the services that have been impacted.

Back-Up

If there is an effective back-up in place, organisations will be better placed to be able to recover or access their records.  Having said this, it is known that some cyber attacks lie dormant and undiscovered for a period of time, and there is no guarantee that a back-up will be unaffected, particularly where mirroring techniques are used.
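To make the back-up caveat above concrete, the following is an added illustration written for this page (it is not code from the original post or from Cambridge Risk Solutions). It is an in-memory simulation with constructed file contents: a mirrored back-up overwrites its only copy on every sync, so a corruption that goes unnoticed until the next sync is faithfully mirrored and the clean data is lost; a versioned back-up keeps earlier snapshots, so a clean copy can still be restored, but only if the retention window is longer than the time the problem lay dormant. The `!!CORRUPT!!` marker and the `looks_clean` check are stand-ins chosen for the example, not a real detection method.

```python
"""Added illustration: mirrored vs versioned back-ups when corruption goes unnoticed.
Everything here is simulated in memory with constructed data; no real files are touched."""
from typing import Callable, Dict, List

Snapshot = Dict[str, bytes]


class MirrorBackup:
    """Mirror: each sync replaces the back-up with the current live state."""

    def __init__(self) -> None:
        self.copy: Snapshot = {}

    def sync(self, live: Snapshot) -> None:
        self.copy = dict(live)

    def restore(self, name: str) -> bytes:
        return self.copy[name]


class VersionedBackup:
    """Versioned: each sync appends a snapshot; the newest `keep` snapshots are retained."""

    def __init__(self, keep: int = 7) -> None:
        self.snapshots: List[Snapshot] = []
        self.keep = keep

    def sync(self, live: Snapshot) -> None:
        self.snapshots.append(dict(live))
        self.snapshots = self.snapshots[-self.keep:]

    def restore(self, name: str, is_clean: Callable[[bytes], bool]) -> bytes:
        # Walk from newest to oldest and return the first copy that passes the check.
        for snap in reversed(self.snapshots):
            if name in snap and is_clean(snap[name]):
                return snap[name]
        raise LookupError(f"no clean version of {name} in the retained snapshots")


def looks_clean(data: bytes) -> bool:
    """Constructed heuristic: the simulated corruption below prepends a fixed marker."""
    return not data.startswith(b"!!CORRUPT!!")


def simulate_corruption(live: Snapshot) -> None:
    """Stand-in for an undetected corruption event: overwrites every file in place."""
    for name in live:
        live[name] = b"!!CORRUPT!!" + live[name]


def run_scenario() -> Dict[str, bool]:
    """Same event, both strategies; returns whether a clean 'report.docx' is restorable."""
    live: Snapshot = {"report.docx": b"quarterly figures", "plan.xlsx": b"bcp tables"}
    mirror, versioned = MirrorBackup(), VersionedBackup(keep=7)
    mirror.sync(live)          # day 1: clean state backed up by both strategies
    versioned.sync(live)
    simulate_corruption(live)  # day 2: files corrupted, nobody notices...
    mirror.sync(live)          # ...and the nightly sync runs anyway
    versioned.sync(live)
    results = {"mirror": looks_clean(mirror.restore("report.docx"))}
    try:
        results["versioned"] = looks_clean(versioned.restore("report.docx", looks_clean))
    except LookupError:
        results["versioned"] = False
    return results


def retention_outlasts_dwell(days_dormant: int, keep: int) -> bool:
    """True if a clean copy is still restorable after the corruption stayed unnoticed
    for `days_dormant` nightly syncs with `keep` snapshots retained."""
    live: Snapshot = {"report.docx": b"quarterly figures"}
    backup = VersionedBackup(keep=keep)
    backup.sync(live)                 # one clean snapshot
    simulate_corruption(live)
    for _ in range(days_dormant):     # the corrupted state keeps being synced
        backup.sync(live)
    try:
        backup.restore("report.docx", looks_clean)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    print(run_scenario())                       # mirror loses the clean copy, versioned keeps it
    print(retention_outlasts_dwell(6, keep=7))  # dwell shorter than retention: recoverable
    print(retention_outlasts_dwell(7, keep=7))  # dwell as long as retention: clean copy aged out
```

The second function is the part worth taking into a recovery strategy: a versioned back-up only helps if the number of snapshots retained exceeds the longest period a problem could plausibly lie undiscovered, which is an assumption that belongs in the Business Impact Analysis rather than in the back-up schedule alone.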

Recovery Strategy

During this attack, most experts have agreed with the recommendation not to pay a ransom, although I did hear one radio interview stating ‘just pay them’.  The majority of ransomware demands are relatively small, and it may be that organisations do decide that it is simpler just to pay; indeed by noon on 15th May, it was reported that $38,000 had been paid, although it is not known whether this led to the recovery of the files.  In an exercise that I ran recently, there was a lengthy debate about whether or not to pay; it was then realised that the organisation did not know how to get bitcoins.  By having a pre-determined strategy, the focus can then be on recovery rather than debating whether or not to pay.

Training

Information Security is not purely an IT team issue.  Staff need to understand which emails and links are safe to open.  An example reported in the Telegraph today describes an event: ‘a few weeks ago, 15 of Donald Trump’s advisers received an email, apparently from a friend. It contained an invitation to edit a Google spreadsheet. More than half of the recipients clicked on the link. James Comey, then still the FBI director, actually replied to it. The email in fact came from the website Gizmodo. It wasn’t a hack, though it could have been. It was a stunt, intended to show how vulnerable our systems are to hackers’ number one weapon: human stupidity.’

Applying Patches

We all grumble when the latest Microsoft updates foul up a PC for a day or more (well, I certainly do!), but many larger organisations hold onto patches to test them before rolling them out across the network.  There may be further delays for devices which do not connect to the network regularly, such as laptops.  The problem is further aggravated by Bring Your Own Device (BYOD), where organisations allow staff to use their own equipment and mobile devices.  It is critical that updates and security patches are applied in a timely fashion.

Operating System Updates

There is a cost to updating systems and sometimes, as with the ill-fated Vista and even Windows 8, there appears to be a valid reason for not being an operating system bellwether.  However, when systems such as Windows XP are no longer supported, the organisation must understand the risks related to continued use of that system, and must ensure that strategies and plans are in place in the event of things going wrong.  It is quite possible, in this instance, that the short-term financial saving of not updating will be completely wiped out by the longer-term impact of this cyber attack.

The Way Forward

Not all organisations will want to certify to ISO 27001.  However, by following the standard, and implementing a comprehensive information security management system, which includes a systematic process to understand, assess and mitigate risks to security, and which ensures that an incident management plan is in place, as well as back-up and business continuity plans, an organisation will be much better placed to prevent or respond to such attacks.


Written by Helen Molyneux

Business Continuity Awareness Week (BCAW) takes place this year from the 15th to the 19th of May and focuses on the very topical issue of cyber security.  As a timely curtain-raiser for BCAW 2017, the news emerged on Monday that user IDs and email addresses for customers of the ‘Guardian Soulmates’ dating website had been leaked.  Whilst this information may not appear to be as sensitive as, for example, bank details or medical information, it is potentially embarrassing for those involved, and has already resulted in some users being targeted with offensive messages.  Interestingly, it appears that a third-party supplier was responsible for the leak.
