A quick summary of the cyber news today, and it is clear that the same key lessons are emerging as have already been noted this week.  Indian restaurant guide, Zomato, is reporting the theft of data of some 17 million users.  From the phrasing in their blog, it appears that they have just found the breach, but have not clarified when it occurred, and have stated that ‘So far, it looks like an internal (human) security breach – some employee’s development account got compromised.’  It is interesting to note that, although they state that ‘they take cyber security very seriously’, the actions they are taking now include that a ‘layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach.’

Meanwhile DocuSign, who ‘move businesses forward securely and reliably’, have reported that a list of email addresses has been breached, and that customers have been sent phishing emails.  Their website has been effectively used to report on the breach and the investigations, as well as posting a detailed FAQ.  The fact that DocuSign has certified to ISO 27001 has probably helped to ensure that they have effective incident management processes, but this highlights that even companies that have information security management systems in place can still be susceptible to attacks and breaches.  Both the DocuSign and Zomato incidents have had a swift incident response, with clear communications about the steps being taken available on the relevant websites.

In the US, bots are being used to spam a regulator’s website, thought to be some form of protest over a proposed reversal of net neutrality rules.  In this instance, the website is being bombarded with comments, and there are suspicions that stolen data is being utilised in order to make the comments appear real, despite the similarity of the comments.  Also in the US, an Apple software developer has had source code stolen, in a case that demonstrates that even developers can be fooled by the hackers.

All these cases, and more, highlight similar lessons but, in particular, organisations should ensure that information security training is an integral part of business culture, and starts with staff.  Staff need to know which emails are safe to open, and which links should not be clicked.  As stated in ISO 27002, access to information should have ‘rules based on the premise “Everything is generally forbidden unless expressly permitted” rather than the weaker rule “Everything is generally permitted unless expressly forbidden”’.

On a personal level, the need for business continuity planning kicked in this morning.  First a puncture; not normally a problem, but I simply could not get the wheel off the car.  Finally made it into the office, and found that, after even more Microsoft updates, it took 2 hours to get onto the network with my new laptop, as well as finding that my existing screen does not fit as technology has moved on, and the new laptop does not take a VGA fitting.  All sorts of lessons for business continuity, including fully understanding that things will take longer than expected (particularly when you need them to be quick!), and that technology does move on, so those assumptions that you have made about your recovery strategy may not be quite as easy as you thought, and should be tested!

Contact Cambridge Risk Solutions to find out how we can help you with information security and incident management planning, or call us on 0800 035 1231.

Written by Helen Molyneux

There has understandably been much focus, over the last few days, on information security in the NHS.  Whilst there is still no suggestion that any patient data was breached in the recent ransomware incident, breaches of patient data remain a global problem within the healthcare sector: over 30 million patient records were breached in the US over the period 2010 to 2014.  Analysis of this US data produces two interesting findings:

  • The number of incidents in each state displays a linear relationship with the number of people employed within the healthcare sector in that state;
  • The rate of incidents per employee has remained fairly stable over the period, at between 11 and 14 breaches per year, per million employees.

Both the relationship between incidents and number of employees, and the stability in the number of incidents over time, suggest that most data breaches are in fact the result of accidents not malicious attacks.  This is borne out by last year’s annual report of the Information Commissioner’s Office which found that the second most frequent cause of data breaches was “data posted/faxed to incorrect recipient”.

Of course we must continue to improve our resilience against the growing threat of cyber crime; but it is vital to also pay close attention to how we handle information ourselves if we are really to improve information security.

Hot on the heels of the massive ransomware attack on 12 May 2017, reports are emerging of a ransomware attack on Disney.  Unlike the WannaCry attack, which has impacted over 200,000 computers in 150 countries, the Disney attack has been deliberately targeted, with hackers threatening to release segments of the new Pirates of the Caribbean film unless a bitcoin ransom is paid.

This is not the first time that the media industry has been targeted in such a way.  Perhaps the most famous case was that of Sony in 2014 which wiped out half of Sony’s global network, erasing everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers.  As well as obtaining staff details and confidential emails, the hackers leaked a number of films that had yet to be released.

More recently, Netflix ‘Orange is the New Black’ episodes were stolen and released by hackers when their demands for ransom were not paid.  This case is particularly interesting as the hack was part of a much larger attack, and took place at the post-production studio, Larson Studios; the hackers initially tried to claim their ransom from Larson in January 2017.  This latter case really highlights the importance of understanding your supply chain and ensuring that the information security policies and procedures that are in place are fit for your requirements; in this instance, the hacker involved (TheDarkOverlord) was reported as stating that ‘they love going after third party vendors’.

Each of these examples demonstrates the need to have a clear understanding of the risks that will surround your information security system, and to ensure an ongoing assessment and mitigation of those risks.  It is also critical to have a good understanding of the risks within your supply chain.  It is highly unlikely that all risks will be mitigated, for reasons of cost and practicality, but any vulnerabilities must be understood, and appropriate incident management plans put in place to ensure a speedy and coordinated approach.


Written by Helen Molyneux

What a start to Business Continuity Awareness Week!  The theme for this year is ‘Cyber Resilience’, and the week has started with the investigations and continued fall-out from what has possibly been the world’s largest cyber security event, which occurred on Friday afternoon.

A ransomware attack has spread throughout 150 countries, infecting more than 200,000 computers, and impacting a wide range of diverse organisations, including a number of NHS Trusts, Telefonica, German railways, the Russian Interior Ministry, FedEx and Renault manufacturing sites.  The full impact has not yet been realised, and even whilst I write this, not all systems have been recovered.

The investigations, recriminations and reports into this attack will be released over the coming months, and it is too early to speculate as to how the attack started in each organisation.  However, it is worth noting a few key lessons:

Business Continuity

There has been much in the media about how NHS Trusts are resorting to using pen and paper.  If this is the strategy that has been adopted as part of the business continuity plan, then this makes sense.  However, it remains to be seen whether business continuity plans have been fully effective at meeting the required Recovery Time Objectives (RTOs) for each of the services that have been impacted.

Back-Up

If there is an effective back-up in place, organisations will be better placed to be able to recover or access their records.  Having said this, it is known that some cyber attacks lie dormant and undiscovered for a period of time, and there is no guarantee that a back-up will be unaffected, particularly where mirroring techniques are used.

Recovery Strategy

During this attack, most experts have agreed on the recommendation not to pay a ransom, although I did hear one radio interview stating ‘just pay them’.  The majority of ransomware demands are relatively small, and it may be that organisations do decide that it is simpler just to pay; indeed, by noon on 15th May, it was reported that $38,000 had been paid, although it is not known whether this led to the recovery of the files.  In an exercise that I ran recently, there was a lengthy debate about whether or not to pay; it was then realised that the organisation did not know how to get bitcoins.  By having a pre-determined strategy, the focus can then be on recovery rather than debating whether or not to pay.

Training

Information Security is not purely an IT team issue.  Staff need to understand which emails and links are safe to open.  An example reported in the Telegraph today describes an event: ‘a few weeks ago, 15 of Donald Trump’s advisers received an email, apparently from a friend. It contained an invitation to edit a Google spreadsheet. More than half of the recipients clicked on the link. James Comey, then still the FBI director, actually replied to it. The email in fact came from the website Gizmodo. It wasn’t a hack, though it could have been. It was a stunt, intended to show how vulnerable our systems are to hackers’ number one weapon: human stupidity.’

Applying Patches

We all grumble when the latest Microsoft updates foul up a PC for a day or more (well, I certainly do!), but many larger organisations hold onto patches to test them before rolling them out across the network.  There may be further delays for devices which do not connect to the network regularly, such as laptops.  The problem is further aggravated by Bring Your Own Device (BYOD), where organisations allow staff to use their own equipment and mobile devices.  It is critical that updates and security patches are applied in a timely fashion.

Operating System Updates

There is a cost to updating systems and sometimes, such as in the ill-fated Vista and even Windows 8, there appears to be a valid reason for not being an operating system bellwether.  However, when systems, such as Windows XP, are no longer technologically supported, the organisation must understand the risks related to continued use of this system, and must ensure that strategies and plans are in place in the event of things going wrong.  It is quite possible, in this instance, that the short term financial saving of not updating will be completely wiped out by the longer-term impact of this cyber attack.

The Way Forward

Not all organisations will want to certify to ISO 27001.  However, by following the standard, and implementing a comprehensive information security management system, which includes a systematic process to understand, assess and mitigate risks to security, and which ensures that an incident management plan is in place, as well as back-up and business continuity plans, an organisation will be much better placed to prevent or respond to such attacks.


Written by Helen Molyneux

Business Continuity Awareness Week (BCAW) takes place this year from the 15th to the 19th of May and focuses on the very topical issue of cyber security.  As a timely curtain-raiser for BCAW 2017, the news emerged on Monday that user IDs and email addresses for customers of the ‘Guardian Soulmates’ dating website had been leaked.  Whilst this information may not appear to be as sensitive as, for example, bank details or medical information, it is potentially embarrassing for those involved, and has already resulted in some users being targeted with offensive messages.  Interestingly, it appears that a third-party supplier was responsible for the leak.

Follow the link to find out more about how we can assist your organisation with information security.

There is widespread coverage of a large fire that has broken out at a research building attached to The Christie.  The fire started at around 10:35 and was brought under control shortly before 15:00, although it is still not extinguished.

The nature of this incident would test even the most developed and well-rehearsed business continuity plan, from both a business recovery and crisis management perspective.  The following gives just a couple of considerations:

Communications

This fire highlights the factual inaccuracies that will surround an incident of this nature.  As an example, the Manchester Evening News was reporting at 11:05 that the hospital had been evacuated.  This is not the case, and the hospital has not required evacuation; it is known that the building itself does not house patients, but it is adjoining the hospital.  Some patients have been moved and some treatments have been postponed, and the hospital has released details for patients that are trying to make contact.

The nature of medical research results in a complex relationship between different organisations; in this case, the Manchester Cancer Research Centre was formed between the University of Manchester, Cancer Research UK and the Christie NHS Foundation Trust.  It is now the cancer research part of the Manchester Academic Health Science Centre (MAHSC), which is a strategic partnership between the University and six NHS Trusts across Greater Manchester.  There are also a significant number of stakeholders with, for example, a wide range of funding bodies.  Each of these different organisations will have their own communications needs and priorities, and a coordinated crisis management approach will have to ensure that the different strategic aims and cultural values are taken into account.  More importantly, it is critical that these organisations work together to align behind a single communications message, avoiding contradictions.

Internal communications should also be a priority.  It was interesting to note that one student stated, “I left because I couldn’t bear the smell and it was making me really dizzy, but then I was told there was a fire and we had to leave”, raising a question about the methods used to communicate with staff.

Business Continuity and Recovery

At 11:30, clinical and admin staff were reported as having been evacuated and standing on the pavement 50 yards or so away.  It would be interesting to know what the business continuity recovery time objectives (RTOs) are, and whether staff would shortly be directed to work from alternate premises or to go home.  Would alternate arrangements be considered in the case of inclement weather?

In terms of business recovery, it could be difficult to quantify the longer-term effects that this incident could have on research, particularly if samples have been lost.  One student, Nerette Navarro, was quoted as saying, “Either everything is burnt, smoke damaged or water damaged, so everything is lost”.  It is also worth noting that research is particularly difficult to quantify through a standard Business Impact Analysis (BIA) process, particularly for longer term studies.

Welfare

There will be welfare concerns that need to be addressed.  This will apply to patients and their families, who are already under a degree of stress, and to staff.  Additionally, students who are working to deadlines and have funding constraints will need reassurance.

Lessons Identified

It would be interesting to note if the MAHSC and The Christie were able to share any of the lessons learned from the fire at the Royal Marsden Hospital or other similar incidents at research, university or hospital sites.  Equally, will MAHSC and The Christie share their lessons from this incident?

Contact Cambridge Risk Solutions to find out how we can help you with business continuity and crisis management planning, or call us on 0800 035 1231.

Written by Helen Molyneux

The message below describes an exciting research opportunity at Sheffield University: please pass on to anybody who may be interested.

“We are seeking applications for an ESRC PhD studentship, entitled ‘Social media and community resilience: a process based study of South Yorkshire Fire and Rescue Services’. Funded by a White Rose Doctoral Training Partnership Collaborative award, the successful applicant will work with SYFR to evaluate how sites such as Facebook and Twitter can be used to promote community disaster resilience and encourage citizens to fully participate in disaster risk management and reduction initiatives. SYFR are also providing the successful candidate an internship with the organisation as part of the studentship.

“Further details on the studentship can be found here and the closing date for applications is 8 May 2017.”

Speaking last week at the Institute of Directors, Minister for Digital and Culture, Matt Hancock, announced a new push on the Cyber Essentials programme to encourage all UK businesses to adopt the scheme.  Measures announced include:

  • Updating the Cyber Essentials requirements, to make the scheme easier to use;
  • A marketing campaign to raise awareness and drive adoption of the scheme;
  • Strengthening the requirement for Government contractors to take up the scheme; and
  • Firms including Barclays, BT, Vodafone, Astra Zeneca and Airbus have agreed to encourage adoption amongst their suppliers.

The Minister also announced that the number of Cyber Essentials certificates awarded had more than tripled in the past year, with the total now exceeding 6000; and that the Government will be publishing the figures on take-up each month from now on.

Go to the Information Security section of our website for more information on how to improve your cyber security.

Two weeks ago the ICO announced that it had fined a senior barrister £1,000 for failing to keep clients’ sensitive personal information secure.  The ICO explained that the barrister had kept sensitive information on 250 clients on a home computer without using any encryption.  Then, during an update of software on the computer, files were automatically backed up online, where they were temporarily visible to search engines.  There are clear lessons here for other small businesses, but it would appear that large organisations also have issues.  A few days later the ICO announced that it had fined Norfolk County Council £60,000 for leaving social work case files in a cabinet that they disposed of – the files were discovered by a member of the public who bought the cabinet in a second-hand shop!  Once again, this example highlights that information security is not just about electronic data.