IT Governance Blog on IT governance, risk management, compliance and information security.

It seems like every week we hear of a new news story where a company has been hacked, broken the Data Protection Act and/or fined. Although in these hacking stories the data of innocent people is often compromised, it seems like the blame is often being put upon the companies, when in fact it should be the hackers who are taking the blame.

After a data breach occurs, how much investigation goes into finding the hacker that committed the crime? Little? Or none? It is easier to blame the company where the attack occurred, issue a fine, and pronounce them incompetent of looking after your data. But is this really the case? Lee Howell, Managing Director at the World Economic Forum, stated that “it’s impossible to be completely secure online”. So if this is true, then why should the victims (companies) be put to blame? Yes, I agree that companies who manage sensitive data should take the necessary precautions to do everything they can to protect that data, but where does the justice lie for them if they did not commit the real crime?

Take it like this; if you were to lock your house up at night (doors, windows etc.) before you went to bed, and you were burgled during the night, should it then be you who faces prosecution for not protecting your house properly, or should the person who broke into your house be prosecuted?

Lee Howell talks about social norms in terms of cyber crime, concluding that “we do not yet fully understand how social norms are shaped in the virtual world. Why is it that many people who would be ashamed to admit stealing a DVD from a shop will happily discuss illegally downloading a movie?” This can be referenced to the point above about the current justice system for hackers and hacked companies.

It is important to note that one of the main reasons cyber criminals don’t get caught is because of the anonymity of it all. Hackers are often more technologically advanced than the people tracking them down, which can mean that most investigations come to a halt before they’ve even begun. You can find hacking software easily on the web, meaning that anyone can try their hand at it, which has thus been a major cause in the proliferation of hacking. Another main reason why hackers fail to get caught is the difficulty in cross-border policing. If you notice a computer attack that came from country X, tracking down that cyber criminal would be near-on impossible due to the different laws and regulations held between two different countries. Adam Segal from The Diplomat says, “It’s hard to deter if you can’t punish, and you can’t punish without knowing who is behind an attack.” With so much difficulty in tracking down hackers, they often get away with the crime, but does their anonymity give them the right to this?

More attention should be put on the hackers themselves (tracking them down and prosecuting them), rather than the companies who suffer data breaches because of them. A unified approach and shift in focus will lead to a more realistic deterrent for cyber criminals, hoping to break the cyber gang culture that is appearing across the web.

Food for thought anyway.

ENISA has just released their first EU report on the cyber security challenges that the Maritime Sector face. The report highlights that maritime cyber security is low, to virtually non-existent, showing little difference between now and 8 years ago….

This report is extremely startling as 90% of the EU’s external trade, and more than 40% of the internal trade takes place via maritime routes. If this was to be disrupted by a cyber threat, then it would have disastrous consequences for the EU Member States’ governments and social wellbeing. Trade, resources and leisure would all be severely affected.

ENISA suggest there should be regulations and policies considering cyber security, on a risk-based approach. Better information exchange and statistics on cyber security is also needed to help people understand and improve their own actuarial models and help reduce risks.

The report shows that little has changed in the 8 years since the Port of Houston was crippled by a cyber attack, allegedly committed by a teenager back in 2003. As a result, data (tides, water depths and weather) to help pilots navigate through the harbour and by shipping companies became inaccessible. The UK teenager was accused of ‘electronic sabotage’, bringing down the Internet systems of the worlds 8^th busiest maritime facility, whilst attempting to extract revenge on a fellow IRC user. The recent ENISA study has shown that the state of the Maritime Cyber Security infrastructure has not changed since the attack, leaving it vulnerable to further cyber attacks.

Modern containerships and oil tankers are highly automated and manned by a small number of crew relying on automated systems. Additional harbours and container ports are also highly automated, meaning that the whole maritime network would come to a standstill if disrupted by a cyber threat. The recent Stuxnet and Duqu attacks have shown that industrial systems as well as traditional computer systems are vulnerable to cyber attacks.

Considering how important the maritime trade is to the EU, and that attacks on critical infrastructure are increasingly becoming common, it just shows how serious cyber security in the maritime industry needs to be taken.

Protect your company from cyber threats with the complete cyber security toolkit: The No 3 ISO27001 Comprehensive ISMS Toolkit.

Use this toolkit to implement your very own ISO 27001 (the world’s only cyber security standard) project. Coming with complete documentation and books to guide you through the process, this all-inclusive toolkit will have your business’ cyber defences up in no time.

Take action now against cyber threats with the No 3 ISO27001 Comprehensive ISMS Toolkit >>

We know it’s the season of good will, for giving and for spreading Christmas wishes, but the worst thing you could do is to spread your company’s confidential data across the web.

With cyber attacks on the rise, companies are building up their cyber defense systems – and so should you! Just because it’s the festive season doesn’t mean you’re safe from an attack; in fact, hackers are more likely to attack when they know barriers are down.

Read Cyber Risks for Business Professionals: A Management Guide to truly understand the risks involved with online threats. As an eBook, you’ll be able to download it straight away for some reading over the holiday period. This book will help you understand and manage the technological risks, familiarise yourself with the legal issues, control employee use of Web 2.0 technologies and use technology to address the risks.

Find out more information >>

Alternatively, if you wanted to get kick started on a cyber security project straight away, then download the No 3 ISO27001 ISMS Comprehensive toolkit. In line with ISO 27001 (the world’s only cyber security standard), this unique toolkit provides complete coverage on how to implement, develop and accelerate an ISO 27001 project within your business.  This toolkit comes with all the documentation, books and guidance you will need to get started and make your company fully cyber secure.

Find out more information >>