Archive for the ‘Data Breaches’ Category

Welsh Councils break DPA 2.5 times a week

April 15th, 2014 by

It’s quite a staggering statistic: 135 breaches of the Data Protection Act (DPA) by Welsh councils in 2013, more than double the 60 breaches in 2012.

This means that, on average, the DPA is being broken in a Welsh council every other day. The information came to light after a Freedom of Information request by the BBC.

Nearly all councils in Wales breached the DPA last year. Breaches ranged from financial and personal information being sent in error, to data being lost, a failure to encrypt data, and confidential papers being left on public transport.

Breathe a sigh of relief if you live in the Blaenau Gwent, Ceredigion, Neath Port Talbot, Vale of Glamorgan and Swansea areas as these councils reported no breaches last year.

Anne Jones, Assistant Information Commissioner for Wales, said: “It’s important local authorities live up to their legal responsibilities under the Data Protection Act.”

“Keeping people’s personal information secure should be hardwired into their culture as losses can seriously affect reputations and, as a consequence, service delivery.”

Manage sensitive data with BS10012

So what can these councils do to better manage the confidential data they handle?

BS10012 is the British best-practice Standard that provides the specification for a Personal Information Management System (PIMS). It details the actions that organisations should take to ensure they comply with UK data protection and privacy laws.

Learn more about BS10012 and compliance to the UK Data Protection Act.

Do you use a penetration testing tablet?

April 11th, 2014 by

As a penetration tester, you’ll know that having the right tools for the job is of critical importance. A new weapon in the arsenal of penetration testers is the penetration testing tablet. These devices, such as the Pwn Pad 2014, provide a highly flexible and convenient means to pen test a network.

Read a review of the Pwn Pad 2014 by a professional penetration tester.

Packed full of the latest penetration testing apps, these devices are ideal for penetration testing professionals and ethical hackers who are always on the go, and who don’t want to carry around bulky laptops or other large pen testing equipment.

If you haven’t selected your penetration testing tablet yet, we recommend the Pwn Pad 2014. Our own technical services team use the device and have found it to be a more than capable penetration testing tool.

See the Pwn Pad 2014 in action

Want to know more about the Pwn Pad 2014? Come and see the device in action at our event in London on 8 May at the Churchill War Rooms.

The Protection of Personal Information Act (POPI) in South Africa – Benefits and Challenges

March 24th, 2014 by

In South Africa the Protection of Personal Information Act (POPI) aims to regulate how companies secure the integrity and confidentiality of their data assets by taking technical and organisational measures to prevent the loss of, damage to, and unauthorised access to, personal information. POPI was signed into law on 26th November 2013 but the commencement date is yet to be announced; companies have been given a year to achieve compliance with the Act. Penalties for failing to comply with the Act include prosecution, with possible prison terms of up to 12 months, and fines of up to R10 million. I believe that POPI will make life easier for IT organisations in South Africa.

Why is it so important for organisations to keep personal information safe?

Data breaches, and the resultant loss of information assets, can lead to huge financial losses for companies as well as reputational damage and a loss of customer trust. The lack of a robust Information Security Management System (ISMS) can leave organisations of any size and sector open to data breaches. POPI’s objective is to regulate the way personal information is collected and stored by organisations, which will in turn increase customer confidence in those organisations. The Act will apply to all organisations, regardless of size or sector, whether public or private, including the Government. As a reminder of the importance of data security, the City of Johannesburg suffered a massive data breach in August 2013 which allowed anyone to read citizens’ personal billing information on the Council’s website, including full names, account numbers, addresses, and contact details. Anything could have happened to that information, including targeted phishing attacks, and the production of fake ID books and proof of residence, which could have been used for terrorist purposes.

POPI’s challenges

The major challenge of POPI is that companies will have to change the way they collect and store customer information as soon as possible: organisations have been given only a year to be compliant before the Act is enforced. Given the extent of changing business processes and employees’ attitudes it will be a serious challenge to reach compliance in only a year.

PwC’s “journey of implementation” report found that the majority of organisations in South Africa believe it will take several years to achieve compliance with POPI.


Source: PwC “The journey to implementation”

One way for South African organisations to make compliance with POPI easier would be to implement the international information security standard ISO27001, which sets out the requirements against which an organisation’s information security management system can be independently audited and certified. Implementing the standard will help South African businesses fulfil the compliance requirements of any related legislation (including the Protection of Personal Information Act). Moreover, by implementing ISO27001, businesses ensure that they have effective controls in place to manage risk and protect personal information.

IT Governance SA has developed a wide range of ISO27001 books, training and tools to help organisations with weak information security, and recommends that companies look at the useful information about ISO27001 available on the company’s website.


The 5 most common types of data stolen

March 18th, 2014 by

Cyber attacks have become a regular occurrence in the last few years; in fact, you can’t turn the news on without some mention of a business suffering an attack. Most attacks are fuelled by criminals looking to steal valuable information, but what type of information is being stolen?

According to a report by Veracode, the top 5 types of information that are stolen are:

Payment Data

No surprises here, of course. Card payment data is a very attractive form of information for cyber criminals to steal. Card data provides quick access to money in multiple ways, such as siphoning the victim’s account, using their card for purchases or selling it on the black market.

Selling and purchasing card payment data online is terrifyingly easy, so easy in fact that you could have bought several card details in the time it’s taken you to read this far.

Authentication Details

Details that allow authorised access into online systems are very valuable on the black market. Imagine the price tag on login credentials for the email address of a celebrity, or the president of an international bank.

Unfortunately, humans are subject to bad habits, such as using the same password for multiple online accounts. So if cyber criminals manage to get hold of your Facebook password, they will most likely be able to log in to your other accounts as well.

Copyrighted Material

Why would a cyber criminal pay for software when they could just steal it? With most websites being vulnerable to attack, a cyber criminal could in theory steal any software they fancy, costing organisations a large sum of money.

Medical Records

Thieves could sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

Classified Information

Depending on how you define classified, this could include information such as your organisation’s top secret product idea or the code for your security door. Either way, if it’s labelled classified then you don’t want it to be in the hands of cyber criminals.

Protecting this information

There is a high chance that the five forms of information listed above can be found on your organisation’s network, so what are you doing to protect it?

What you should be doing is carrying out regular vulnerability assessments of your network to identify where you are vulnerable. After a vulnerability assessment is carried out, you should be conducting a risk assessment to identify critical components which, if compromised, would have a high impact on the organisation. Finally, these systems should be penetration tested to identify whether they are exploitable and what the impact would be.

IT Governance is currently running a 20% discount on its CREST-accredited pen testing services if booked before 28 March 2014.

Why do you need a penetration test if you already conduct vulnerability scans?

March 17th, 2014 by

A vulnerability scan is a series of automatic tests that have been programmed to evaluate your network and applications for vulnerabilities. An automatic report is then produced, giving an overview of the results of the scan. Automated vulnerability scans are able to find “already known” vulnerabilities, but do not provide the logical thought process and critical reasoning needed for uncovering serious security flaws.

Vulnerability scans only provide a very superficial indication of potential vulnerabilities and usually don’t meet international best practice recommendations for the assessment of your infrastructure, network and applications.

In the first phase of a cyber attack an attacker will scan for targets that have a potential vulnerability which they think they can exploit. If an organisation can quickly identify how these vulnerabilities appear to attackers, they can reduce the trail left by these potential vulnerabilities and reduce the likelihood of attack.

Although commercial, automated products exist that can provide credible testing parameters and results, nothing replaces a hands-on, manual test conducted by a qualified, experienced penetration tester.

Penetration testers are highly skilled professionals who have been trained to think and interpret the findings of such tests. They are adept at being able to analyse, monitor, review and make judgement calls about specific issues in order to uncover the right security flaws that could pose significant threats if left undetected.

Consultant-driven tests, which combine a mixture of automated scans with a battery of deeper manual tests, are more effective in identifying attack surfaces and defence postures in order to determine the potential vulnerabilities that exist.

Due to the professionalism of cyber criminals, new vulnerabilities creep up overnight in databases that may previously have been considered secure. That’s why companies have to employ continuous monitoring in order to ensure their defences offer constant protection.

IT Governance’s consultant-driven Level 1 Infrastructure Penetration Test and Level 1 Web Application Penetration Test combine a range of advanced manual tests by our experienced and expert in-house penetration testers with a number of automated vulnerability scans, using multiple tools and techniques, to identify potential vulnerabilities in your infrastructure, systems and websites. Get the combined test here.

Cyber War has already started! (The Criminals just didn’t tell you.)

March 17th, 2014 by


This post is about why you should book a place at our Cyber War London Event:

Event: ISO27001:2013 and PCI DSS V3: new Standards in the Global Cyber War (Churchill War Rooms, London, 8 May 2014)

If you are a C-Suite manager and you care about your organisation’s reputation, commercial advantage, share price and the cash in the bank… then I recommend that you join us in the bunker. [SFX: Air Raid Sirens] Read on…

Cyber War will not start at Midnight… it’s raging now. Are you in the fight?

Shocking though it is to report, the growing number of organised gangs and rogue states behind the escalation of cyber crime did not issue a media announcement before hacking into the systems of profitable businesses.

Global hacking without declaring a State of War? How jolly unsporting!

After all, you’re not meant to go around the Maginot Line. We’ve spent billions building firewalls and routers, installing intrusion protection and SIEM software, and now they are evading our best efforts by simply attacking us on the Cloud and infecting the CEO’s BYOD at home. Cheats!

Windows XP support will end: which organisations are actually ready?

The fact is, war on the internet is not due to start at midnight on a future date, like the one on which Microsoft finally withdraws patch updates for Windows XP (8th April 2014) – even though there are still ATMs that are running this stable and much-loved Operating System from a different age.

I’ve just bought Windows 8.1 myself. I realise that I was clinging to the technology that I knew. It’s actually quite good so far, despite bad press. That’s the trouble though, isn’t it? Our perception wanes as we grow a bit older. We want to fight the last war, not this one. It’s a natural mistake for all politicians, business leaders and organisational decision-makers to make.

Even in the mid-1930s the Royal Air Force’s front-line fighters were biplanes, little different from those employed in the First World War. The rearmament programme enabled the RAF to acquire modern monoplanes like the Hawker Hurricane and Supermarine Spitfire, such that sufficient numbers were available to defend the UK in the Battle of Britain in 1940 during the early stages of World War II. In the British Parliament, the case for rearming was championed by the man who later came to lead the nation in a time of total war: Sir Winston Churchill, whose Cabinet War Rooms we will be commandeering (courtesy of the Imperial War Museum).

Thursday, May 8th, 2014: a date that will go down in your company’s history?

At 09:30 on May 8th, our event will begin. After an introduction by our Executive Chairman, Alan Calder, our keynote speaker, Neira Jones, will begin speaking on the subject of:

“The Global Cyber War: Using ISO27001:2013 and PCI DSS Version 3 to drive business, cost and security improvements”.

Her point will be that security isn’t necessarily a cost; it can be profitable to think in terms of protecting your own and your customers’ private data.

In the course of the day other cyber security experts, including UKAS technical advisor on Information Security, Steve Watkins, Bridget Kenyon, the Head of Information Security at University College London, and Geraint Williams, a QSA and leader in the field of PCI DSS compliance, will explain what your organisation needs to do to protect its confidential data and achieve ‘cyber resilience’ – the cyber age equivalent of ‘Business As Usual’.

What can we do about Cyber Security – assuming that we are not doing it?

I sympathise with the C-Suite and senior IT managers over this question. There are as many answers as there are suppliers of software, hardware, technical services, consultancy and the gamut of training options out there.

Not surprisingly, everybody with a vested interest is claiming that they have the weapons that you need to defeat the terror of the cyber criminals. The noise from their marketing campaigns, strident ‘fear, uncertainty and doubt’ messaging and loud calls to action are in danger of defeating us all.

But wars are not won with new weapons alone. Technology often tips the balance in favour of one side or the other, just as a well-trained army with a high level of morale has a better chance of overcoming a poorly-prepared and frightened group of raw recruits. But in the end, the winners in the game of war are more likely to be those that understand the need for their people, processes and technology to work in a coordinated, strategic way.

So what measures should we be taking to protect our business interests?

First: think ‘People, Process and Technology’. (Note: not just Technology).

Second: do not fall into the trap of thinking that your organisation is too low-profile/small/not in an ‘at risk’ business sector to be a victim of crime.

Cyber attackers seek out vulnerabilities: if your system has them, attackers will exploit them. Sooner or later (and it may already have happened), you will join the burgeoning list of enterprises that have suffered a security breach.

Would you like to book your place? The cost is only £45+VAT.

For just £45 you could receive some of the best advice that you will hear in your career: advice that could help you to resource where needed, train staff across your organisation, and put in place procedures and controls to enable you to manage cyber security in line with HM Government’s advice.

In Churchill’s words:


Book your place now

Want our expert help, but can’t make this date? Then…

Read our page on Cyber Health Checks – find out if you need to close gaps in your own cyber security to be compliant with the Cyber Hygiene Profile.

*  *  *  *

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS) to help you comply with PCI DSS Version 3.0, talk to our consultants on 0845 070 1750.

Bookmark this page as well!


List of February Data Breaches and Cyber Attacks

February 28th, 2014 by

As the short month of February comes to an end, a significant number of organisations are coming to terms with the data breaches and/or cyber attacks they have suffered.

As in January, there have been high-profile online attacks, such as those on Kickstarter and Tesco, most of which resulted in customer information being stolen. But it’s important to remember that not all attacks are carried out online. Data breaches can be caused by offline activities too, such as laptop theft, which is how two of the attacks below occurred.

The following list reveals the names of some of the companies that have suffered online and offline breaches in February:

Online Attacks

Hacked by Syrian Electronic Army Because of “Hate for Syria”

Hackers disabled e-mail systems and take over Las Vegas Sands Hotels and Casinos Website

Tesco customers’ usernames and passwords exposed by hackers

Kickstarter hacked: Passwords, phone numbers, and phone numbers stolen

Ethical hacking organization hacked, website defaced with Edward Snowden’s passport

Syrian hackers hijack FC Barcelona’s Twitter account

Twitter Commerce Plans Leak: When Will Businesses Learn About Secure Data Sharing?

Mt. Gox exchange goes dark as allegations of $350 million hack swirl

University of Maryland breach impacts more than 300,000

Hackers breach Texas college server, thousands compromised

Texas health system attacked, data on more than 400K compromised

YouTube ads spread banking malware

Offline Attacks

Roughly 1,100 Indianapolis patients impacted following laptop theft

Missing thumb drive puts 3,500 Texas cancer centre patients at risk

Laptop stolen from California charity employee, thousands impacted

Nielsen staffer accidentally sends mass email containing employee data

BoI customers hit as skimmers hack into their current accounts

So with these attacks in mind, what are you doing about information security? To determine whether or not you are doing your best, I invite you to download IT Governance’s free green paper – Cyber Resilience: Cyber Security and Business Resilience.

Cyber crime costs Italy €2.45 billion

February 25th, 2014 by

Following the hacking of the new Italian PM Matteo Renzi’s website this week, I would like to take a look at cyber crime in my home country – Italy.

On 13th December 2013 Matteo Renzi’s website was hacked and taken down for 24 hours by a DDoS attack. A hacker called RenziHack AKA stole the usernames, emails, passwords and telephone numbers of 430,000 of Renzi’s political organisation’s members, including donors and supporters. The hacking of Renzi’s website resembles the attack that happened in 2012 to another political leader, Beppe Grillo. Before this, there were also several website attacks on other members of political organisations.

In Italy the government sector was the most attacked in 2012, suffering 129 public attacks according to the report of the Italian Information Security Association (Clusit). 32% of Italian cyber crime was directed at the government or political organisations, whereas 15% was directed at media and entertainment sources. Despite a large increase in internet usage in Italy, there is still a lack of awareness of the risks associated with poor information security. The Norton Cyber Crime 2012 report stated that cyber crime in Italy cost €2.45 billion in 2012 and that 62% of Italians have experienced cybercrime at least once in their lives.

In 2011, cyber criminals hacked the Italian National Computer Crime Centre for Critical Infrastructure Protection (CNAIPIC), stealing 8GB of secret documents and posting them on the internet. Below is a small picture of the files.

Italy has strong cybercrime laws and strict privacy laws and yet it is ranked as the country with the 7th highest incidence of cybercrime in the world. This is due to the level of government and political data attacked over the years.

In January 2013, the Italian government published its cyber strategy, the “National Strategic Framework for cyberspace security”. In its first part, the document states current cyber trends, making reference to vulnerabilities and the second part highlights measures to improve national cyber defence capabilities. The Italian government identified six strategic guidelines in order to develop the country’s preparedness and resilience. These strategic guidelines will work along 11 operational guidelines which list high level operational measures.

As the techniques used by cyber criminals to access companies’ financial information are becoming more advanced, they are also shifting their interest to government and political organisations’ information. IT Governance in Europe is the leader in information security and ISO27001 products and services, and highlights the necessary precautions for businesses to mitigate the cyber threat. ISO27001, for example, is a globally recognised framework that sets out best practice for the implementation of an Information Security Management System (ISMS) to reduce organisations’ cyber risks. For further information on ISO27001, I would recommend downloading the free Information Security and ISO27001 Green Paper, which will increase information security knowledge for organisations that want to avoid cyber attacks. Additionally, if you would like to further your knowledge of ISO27001 and would like guidance on implementing the standard in your organisation, then read The Case for ISO 27001.

Raising UK Cyber Security Standards

February 19th, 2014 by

Basic Cyber Hygiene Profile discussed in public at ISO27001 User Group, BSI Headquarters (14th February, 2014).

The UK Government’s ‘Basic Cyber Hygiene’ Profile is out in draft (v0.12) and is circulating.

What is it?

In the words of the Department for Business, Innovation & Skills (BIS), the Basic Cyber Hygiene Implementation Profile (a 16-page A4 document) is “…a key deliverable as part of the UK’s National Cyber Security Strategy / Cyber Programme”. It represents one of (potentially) several such profiles to help organisations manage the variety of business issues introduced by “the growing number of cyber threats”.

Who is this Cyber Security Profile for? And why should I/we be interested?

This implementation profile has been developed for all types and sizes of organisation, as they all need to protect themselves against low level cyber threats. Measures to address low level cyber threats described in this profile are considered to be the “absolute minimum” that any organisation connected to the Internet needs to have in place and sustain. It is therefore assumed (rightly, I judge) that this profile will be “…of interest and relevance to a broad range of individuals that have responsibility for protecting the organisation against low level cyber threats, including business owners, business executives, business managers, IT specialists and security practitioners”. But will it be widely adopted by smaller firms?

I asked the BIS to comment on this and other issues raised at the User Group, and their response below should be of interest to all UK businesses:

Q: What is the Cyber Hygiene Profile?

A: The Cyber Hygiene Implementation Profile is considered by HMG to “help businesses follow best practice in basic cyber hygiene and mitigate risks at the low-threat level”.

Q: Will HM Government specify the Profile in contractual relationships?

A: HMG will specify the Profile in contractual relationships with its suppliers where it is proportionate to do so, either in reference to best practice or as a requirement in terms of adequate cyber security best practice. In addition, HMG is encouraging adoption amongst major market sectors, including within companies’ own supply chains.

Q: Will other implementation profiles follow – and who will they be for?

A: It is anticipated that this Implementation Profile will be one of a suite of publications developed for other scenarios which might include the use of cloud services, for example.

Q: When will the Basic Cyber Hygiene Profile be published?

A: The Cyber Hygiene Profile will be made available by the 31st of March, after which the Government will continue to engage with industry on further developments.

So, you have answers to some important questions, courtesy of the BIS!

How will the Basic Cyber Hygiene Profile work? – What does it consist of?

To make the advice relevant to different sizes of enterprise, BIS defines three Categories which together cover all organisations, ranging from an individual user or very small organisation (Category 1; 1 to 10 users) – what I would term a ‘microbusiness’ – through small organisations (Category 2; fewer than 250 users), to large/complex organisations (Category 3). Large enterprises of course represent the majority of the ISO27001 certificates issued on a global basis, although the trend may well be towards a larger number of SMEs adopting and certifying to the Standard.

SMEs are rarely ISO27001 registered; although it is fair to say in our experience, the ones that have gained a certificate are very proud of it and use it as evidence of their high standards of cyber/information security. But what of the others? Will this Cyber Hygiene Profile obviate the need to be ISO27001:2013 compliant when it comes to winning Government work?

Will the Implementation Profile approach work to address cyber security?

The Cyber Hygiene Profile is ‘Basic’, and to ignore these fundamental security activities would be frankly irresponsible – bordering on reckless.

While 80% of the threat to systems could be dealt with through good information assurance practice – such as keeping security “patches” up to date – the remaining 20% is more complex and cannot simply be solved by building “higher and higher” security walls (the first of the 5 ‘topics’ covered in the Profile). The head of GCHQ, Iain Lobban, said in a BBC News article in October 2010 that the country’s future economic prosperity rested on ensuring a defence against assaults on our critical infrastructure.

This definition includes national power grids and the emergency services, which face, in Sir Iain’s words, a “real and credible” threat of cyber-attack. Critical infrastructure also includes sectors such as financial services, government, mass communication, health, transport, and food and water – all of which are deemed necessary for delivering services upon which daily life in the UK depends. A high proportion (most?) of these critical assets are in some way supplied by smaller enterprises, so the risk factor is there.

SMEs need better cyber security – but can they actually afford to improve?

Many SMEs are at risk because of uncertainty over their security and cyber-attack threats, according to a study published by the Ponemon Institute in November 2013. The Risk of an Uncertain Security Strategy study polled 2,000 SMEs globally, of which 58% of respondents said management does not see cyber-attacks as a significant risk to their business.

The same study found that some 44% reported IT security is not a priority, while 42% said their budget is not adequate for achieving an effective security posture and only 26% said their IT staff have sufficient expertise.

Will the new BIS Basic Cyber Hygiene Profile work for British Industry?

As the wise person said: ‘A journey of a thousand miles begins with a single step’. But it is just that. The Implementation Profile is ‘Basic’ in the extreme, intended only to provide a consistent approach to low level threats. And it’s worth reflecting that it isn’t just Government that wants better cyber security; many of the world’s leading enterprises and their Tier 1 suppliers are increasingly nervous about dealing with SMEs that cannot demonstrate their compliance. Large enterprises don’t want to throw away years of costly investment in information security best practice by connecting their servers to organisations that have few/no IT policies, procedures and controls. Moreover, they have a global reputation to protect that is worth far more than supplier relationships with small firms.

Cyber Security is Global. The USA will soon be introducing a new Standard

In an article in InformationWeek Government, the US standard is seen as a must-have requirement: “Why Businesses Can’t Ignore US Cybersecurity Framework” by Wyatt Kash describes the Framework for Improving Critical Infrastructure Cybersecurity in the following terms:

“…the framework has cred, as its recommendations come not from Washington regulators, but from industry experts who’ve combatted cyberattacks. In pulling together the framework, the National Institute of Standards and Technology went to great lengths to collect, distill, and incorporate feedback from security professionals. More than 3,000 individuals and organizations contributed to the framework.”

One wonders how many UK organisations will have the opportunity to comment on the UK Government’s Implementation Profiles, starting with Basic Cyber Hygiene. More importantly, will there be a serious attempt to bring SME organisations into the process of defining what constitutes an acceptable minimum standard?

Read our page on Cyber Health Checks – find out if you need to close gaps in your own cyber security to be compliant with the Cyber Hygiene Profile.

*  *  *  *

If you would like to find out more about ISO27001:2013 and how to set up and run an Information Security Management System (ISMS), talk to our consultants by calling: 0845 070 1750.

Bookmark this page as well!

Cyber Crime Part 4: What information do hackers actually target?

February 14th, 2014 by

The basic answer, unsurprisingly, is anything that can be used.

All information has a value to someone, and industrial espionage is a great motivator for the wily cyber criminal. Commercial information, intellectual property, customer lists, details of negotiations, business and commercial strategy, financially sensitive information… Criminals can sell all this information to your competitors, and often for a cut of the profits they will make at your expense. And if your competitors won’t cooperate, the criminals can hold them to ransom or just steal from them as well.

The example of Barclays Bank’s data breach earlier this month is just the latest in a series of high-profile attacks.

Imagine if you’d been working for months on a large deal only to lose all the details of your bid to your competitor at the last minute. Think what would happen if you were in the midst of developing a new product, and its details were sold to another company which then rushed out a cheaper version ahead of you. Such cases are not as rare as you may think.

What happens after vulnerabilities have been exploited?

In a successful phishing attack a criminal will send speculative emails purporting to be from someone else and persuade someone within an organisation to download malware, often just by clicking a link or opening an attachment. That malware will enable them to take control of a system.

All systems are riddled with vulnerabilities, too. Coding is never perfect, and there will always be exploitable areas which a hacker can take advantage of. IT Governance’s Penetration Testing service compiles statistics of vulnerabilities discovered during routine testing. On average, over the last six tests carried out, we have found:

  • 19 high-level threats (i.e. ones which a hacker could exploit to gain control of the system or application);
  • 26 medium-level threats (i.e. ones which a hacker could exploit to gain access to data); and
  • 34 low-level threats (i.e. ones which a hacker could exploit to gain information about the system which could be used to facilitate further access).


As well as stealing information, the criminal can follow a different route: it’s not uncommon for criminals to gain control of a website and take it offline till a ransom is paid. The majority of organisations are entirely unprepared to deal with this sort of low-level blackmail and often find the easiest response is to pay up, and then implement a rigorous series of security updates.

What the criminal can do with your personal information

More broadly usable data assets have an obvious value too: banking and credit card details, payment information, and personally identifiable information can all be used by criminals for various nefarious ends. Apart from selling it on, cyber criminals have other uses for your information. We all know of someone who has had their debit card cloned or found that their credit card has been used to pay for something they haven’t bought. The more information a criminal has, however, the more they can do with it. Identity theft is a serious problem: if someone commits fraud in your name it can take years for you to recover your reputation and repair your credit rating, and often all it takes is an opportunistic attack on your email account for the criminal to get all the information they need.

Cyber Health Check

Assess the state of your vulnerability to attack with IT Governance’s Cyber Health Check, a two-day service that combines on-site consultancy with remote vulnerability assessments to assess your cyber risk exposure. The four-step approach will identify your actual cyber risks, audit the effectiveness of your responses to those risks, analyse your real risk exposure and then create a prioritised action plan for managing those risks in line with your business objectives.
