Posts Tagged ‘Information Security’

Deal With 2016 Cyber Threats Today

April 10th, 2014 by

The Information Security Forum (ISF) has recently published their forward-looking report on the security threats and cyber landscape of the future ‘Threat Horizon 2016 – on the edge of trust.’

This annual report attempts to identify what the cyber security issues will be in two years’ time and what organisations need to do now to mitigate the possible threats and scenarios they will face.

The forecast doesn’t look good. Heavily influenced by Edward Snowden’s revelations of cyber surveillance by the US government, the Threat Horizon report cites a breakdown in trust between individuals, business and governments.

It also brings in to focus increased cyber risks caused by inadequate cyber defences, a lack of encryption, poorly designed mobile applications and a shortage of skilled cyber security professionals.

The report states that organisations must build cyber resilience now: the ability to defend against cyber attack whilst also having provisions in place should an attack occur.

The threats identified included:

  • Service providers become a key vulnerability: cyber criminals target the supply chain rather than the organisation itself.
  • Big data = big problems: be wary of making strategic decisions based on incomplete data sets.
    • Ensure the organisation has the skills to analyse big data properly and apply it to cyber security issues.
  • Mobile apps become the main route for compromise: cyber criminals target mobile apps as their fast paced development often means a lack of security.
  • Encryption fails: due to the huge increase in processing power combined with poorly designed software.
  • Skills gap becomes a chasm.

The cyber threat landscape won’t wait for you. You need to address 2016 threats now. Developing an enterprise wide cyber resilience strategy is essential for all businesses.

Get started today by downloading our free Green Paper: Cyber Resilience: Cyber Security and Business Resilience

What are going to be the hot topics at Infosecurity 2014?

March 25th, 2014 by

As the highlight of the information security calendar – Infosecurity Europe 2014 , 29 April – 1 May, Earls Court, London – fast approaches, let’s take a look some of the hot topics that will be covered by this year’s education programme.

(By the way if you register as a guest of IT Governance (Stand #F103) you will receive a £5 voucher from us – to be used at our stand on the day - and can benefit from a free 15-minute consultancy surgery. Find out more details here.

BYOD – Bring Your Own Device

BYOD usage is only going to increase. If you don’t have an effective policy that covers mobile and tablet devices being brought into and used in the workplace then you are leaving yourself exposed to security risks. Cyber criminals go where the people go – and that’s mobile devices.

The Cloud

More and more organisations are migrating services to the cloud (ours included). It offers a host of great benefits but make sure that you know what level of security you need, especially if it is personally identifiable information (PII).

EU General Data Protection Regulation

On 12 March 2014 the EU parliament voted in favour for the EU General Data Protection Regulation. It includes the levying of fines of up to €100m, limitation on legal process outside of the EU and obligatory Data Protection Offices for larger organisations.

The Internet of Things

Objects that connect to the internet are collectively known as the Internet of Things. Soon enough our toilets, water dispensers and light switches will all be hooked up to the net. Understandably this has huge information security implications.

Cyber Crime

It’s not going away, so how do you protect yourself and minimise the impact of a potential breach? There’s the new ISO27001:2013 standard to consider, the latest software and services including penetration testing and vulnerability scanning.

Hot potatoes…

Obviously there are plenty more hot potatoes in the infosec world.

So what do you think will be the big talking point of Infosec 2014? We’d love to hear your thoughts.

Infosec 2014 is Europe’s largest information security event and features over 325 exhibitors. Sign up as a guest of IT Governance today and we will send you pre-event information on stand offers and a £5 voucher to be used on publications purchased on the day, for orders over £10.

Have you heard AXELOS is going to release cyber security best practice guidance?

February 20th, 2014 by

AXELOS, the owner of the Best Management Practice portfolio of management methodologies, has announced it is going to release a set of best practice guidance for cyber security called AXELOS Cybersecurity.

The guidance will focus on delivering a practical approach to cyber security and will integrate with AXELOS’s other methodologies such as ITIL® and PRINCE2®. It will also be complementary to other best practice approaches to information security and IT governance such as ISO/IEC 27001 and COBIT 5.

Nick Wilding, a seasoned cyber security expert, has been appointed by AXELOS to head up the AXELOS Cybersecurity programme. The guidance itself will be authored by Stuart Rance, an experienced service management and information security expert. The guidance will be based on the input of many different sources of best practice including government and international professionals.

In time, AXELOS will launch a qualification scheme under which professionals can gain qualifications in order to recognise their expertise in cyber security.

AXELOS Cybersecurity will be released in the second half of 2014 and an assessment tool that organisations can use to assess the maturity of their cyber security processes will be released subsequently.

Why wait to get started with cyber security?

If you don’t want to wait until the second half of 2014 to get started with managing cyber risk effectively, why not use a book or standard to get started today?

Here is a list of books and standards on the subject of cyber security that we recommend:

ISO/IEC 27001:2013

Cyber Security Policy Guidebook

Transforming Cybersecurity Using COBIT 5

Cybersecurity Managing Systems Conducting Testing, and Investigating Intrusions

PAS 555

McAfee CTO: Cyber Criminals Target SME’s

February 13th, 2014 by

This week – in an article in the Financial Times – McAfee CTO Mike Fey stated that small businesses have become an easy target for cyber criminals because of their lacklustre approach to cyber defences.

SME’s are often guilty of not keeping software protection up to date, ensuring basic cyber training is given (for example awareness of phishing scams) and identifying risks when new technology (including mobile devices) is brought into the business

Mr Fey also commented on how sophisticated technology was being used not only against large corporations:

“Small- and medium-sized businesses are nice easy targets – and you can attack 2,000 small businesses at once,” he said. “We’re starting to see stuff which may have been built for very sophisticated industries put to all sorts of minor use cases.”

One of the most interesting points that Mr Fey made was the misconception by SME’s that they had nothing cyber criminals wanted. What smaller businesses fail to recognize is that cyber criminals are indiscriminate, using automated technology which exploits vulnerabilities wherever they find them.

It doesn’t matter if you’re Sony, Target or the local flower shop’s website. If a weakness is found criminals will exploit it, whether it’s intellectual property, credit card numbers or access to a larger network (as was the case in the Target breach, which started with a hack of one of their vendors networks).

One final thought. Contrary to what to what you might think hackers and cyber criminals do not require sophisticated skills. On the internet there are freely available hacking toolkits complete with simple instructions and even customer support. If you can read, you can hack. It’s that simple.

The question is, now you know you’re at risk (it’s nothing personal) what are you going to do about it?

The Cyber Security Risk Assessment Tool is an in-expensive (just $100) way of identifying your current levels of cyber security.  It will provide you with a clear idea of your current risks, your exposure and what gaps you need to close.

Major US hotel management firm discloses data breach

February 11th, 2014 by

White Lodging, who provide a range of hotel management and development  services, has come under the spotlight as it investigates a possible data breach across 14 of its properties.

The firm, who manage hotels for brands such as Mariott, Holiday Inn and Radisson across America, believe the suspected credit and debit card breach occurred between March 20 and December 16 at the hotel’s food and beverage outlets. White Lodging have said that the information that was compromised could have included names on credit or debit cards, the full number on the card, security codes and expiration dates.

Customers of these hotels will  now start to question if their card was breached and doubt their loyalty to the hotel chain itself, even though they were not the ones to suffer the breach. Mariott, Holiday Inn and Radisson are now associated with the breach and will most likely suffer brand damage, loss of customer trust and loss of revenue.

This latest data breach to reach the headlines really hits home for organizations of the fact that  your supplier’s information security procedures are as important as yours. How they store, transmit and process your customer’s confidential data can have a significant impact on how your customer values you, as a brand.

ISO 27001 is recognized globally as the world’s only information security standard. By selecting suppliers who are already certified to this standard will bring increased levels of information security, customer and stakeholder confidence, resulting in a significant advantage over your competitors.

IT Governance, America’s information security and governance specialists, provides a range of books, standards, tools and training to help organizations implement best practice information security standards to better secure their information.

Their ISO27001 2013 ISMS Standalone Documentation Toolkit provides a cost-effective and time-saving solution to implementing the standard by providing pre-written policies, procedures and work instructions and records. Find out more >>

If you would like to increase your levels of information security, then purchase this toolkit to help you implement an information security management system which is in line to ISO 27001.

Alternatively, if you would like to find out more about ISO 27001 when sourcing suppliers, download our free green paper on the subject.

Source: USA Today

The Internet of Things – a new cyber crime target

February 10th, 2014 by

As we are entering the era of the Internet of Things (IoT), our homes are becoming increasingly populated by devices that are connected to the Internet in order to share information with each other and the external world more easily. Ranging from smart phones and smart TVs to motor-cars with 4G and Wi-Fi, from automated household appliances to sophisticated business tools, this web – connected smart devices are collectively known as the Internet of Things. According to a Cisco report, it’s predicted that 50 billion objects worldwide will be connected to the internet by 2020.

The benefits that the Internet of Things can bring are numerous, but so are the concerns that it can facilitate cyber attacks. According to a Proofpoint’s report on cyber attacks, cyber criminals are beginning to target home appliances and smart devices. Often these Internet-connected devices have significant implications for device owners. They are easier to hack as they don’t have robust security measures, such as strong passwords, in place so are obviously easier to infiltrate and to infect than PC, laptops or tablets.

Organisations using the Internet of Things can see huge benefits such as greater efficiency, lower costs, improved services, greater accessibility to information, increased employee productivity and higher customer satisfaction. But although there are numerous benefits, organisations face grave risks such as espionage, corporate and personal data breaches, theft of intellectual property, and attacks on infrastructure components because they are more exposed to the internet. It is strongly recommended that manufacturers of smart devices need to start focusing on building more secure tools for organisations and individuals. Organisations should implement robust measures to secure their infrastructures and business information.

According to an ISACA report on how European IT professionals perceive the Internet of Things, 27% stated that the risk outweighed the benefits. 39% of respondents said that increased security threats were seen as the biggest governance issue, followed by data privacy at 26%.

European Internet users are very concerned about cyber security. According to the Eurobarometer report carried out by the European Union in 2013, 28% of Europeans don’t feel safe when simply browsing the Internet and carrying out online transactions. The main fears among European Internet users are that personal information is not kept secure by websites and organisations and that banking information can be stolen and bank accounts hacked while transactions are carried out. 84% use the internet for email access, 50% for commercial transactions and 48% for online banking are Swedish, Dutch and Danish, but they are also the ones who feel more informed about cybercrime and cyber security. In contrast, the Romanians, Hungarians and Portuguese are less likely to use the internet for e-commerce and feel less informed about cybersecurity, and as a result are more concerned.

With a robust Information Security Management System (ISMS) in place, customers and clients will feel more secure when making online transactions, and will build trust towards organisations and experience greater customer satisfaction. IT Governance EU thinks that cyber security training course are necessary for individuals and organisations in countries like Portugal, Hungary and Romania in order to raise awareness of cyber security risks. ISO 27001 ensures organisations are protected from information risks and threats which could otherwise lead to reputational damage, financial repercussions and the loss of assets. The ISO27001 Certified ISMS Foundation Training Course is an introductory training course which raises awareness and builds information security knowledge. To those who need an advanced level of training to deliver information security management to an organisation, we recommend attending the ISO27001 Certified ISMS Lead Implementer Online which is designed to give comprehensive and practical advice for implementing and maintaining the requirements for ISO27001.

We recommend downloading our ISO27001 & Information Security greenpaper overview which gives organisations the foundation to start with their implementation towards a better security.Download our free green paper on information security and ISO27001 >>

IT Governance is a specialist in helping organisations with cyber security, cyber governance and cyber compliance. Find out more about our products and services here.

For more information about IT Governance training courses call us on 00 800 48 484 484 or
email us at servicecentre@itgovernance.eu

Is the enemy behind the keyboard?

January 30th, 2014 by

Last week I read a story on the BBC website about one of the biggest data breaches to date. The article details how the personal information (names, social security numbers and credit card details) of 20 million individuals were stolen by a single IT worker.

This example just goes to prove how often the weak point in any organisation’s information security is in fact the human behind the keyboard and not the technology used to protect the organisation.

Human error is also another common way in which organisations suffer a data breach. A simple mistake such as emailing a customer list or document to the wrong person, especially if it is unencrypted, counts as a data breach.

But how do we deal with this insider threat?

The answer is pretty simple really, by taking a balanced approach to information security such as ISO/IEC 27001:2013 and implementing the necessary controls.

Specifically, you could implement controls such as email and document classification using software such as Boldon James Classifier to classify each file to ensure they receive adequate protection, or you could implement an encryption solution such as Symantec Drive Encryption to ensure data is encrypted so that if it is stolen it cannot be accessed.

Combine people, processes and technology to maximise the security of an organisation’s information – use ISO 27001.

To encrypt USB or not to encrypt USB, that is the question!

January 30th, 2014 by

Whether ’tis nobler in the mind to suffer
The slings and arrows of a data breach misfortune,
Or to take up secure USB arms against a sea of troubles…

I could go on quoting Shakespeare all day in my very English information security way, but I won’t. Recently I was asked a very similar question to the one above, ‘should we use secure USB sticks or not?’

My answer to this was very clear, that if you want your organisation to avoid the risk of a data breach, you need to use hardware-encrypted USB sticks when you transfer data outside of the organisation, such as SafeXs 3.0. Using SafeXs 3.0 sticks will protect any data stored on them to a high degree as the data is hardware encrypted, which is more secure than using software encryption.

You should also use a USB stick management solution such as SafeConsole to ensure you are managing your secure USB sticks. This offers the advantage of being able to remote wipe data if a stick goes missing, enforce security policy across your sticks and a whole host of other security features.

To paraphrase Shakespeare again: If you prick us do we not bleed? If you tickle us do we not laugh? If you poison us do we not die? And if you use non-encrypted USB sticks we will not suffer a data breach?

The answer to the latter question is probably yes. If you move data about on insecure devices you probably will suffer a data breach. But as Shakespeare said again, ‘Suspicion always haunts the guilty mind’. Do you want to be haunted by your suspicions that you are putting your organisation at risk by not using a secure USB solution?

Anyway, I will leave you with a couple more Shakespeare quotes that I have paraphrased: The course of true information security never did run smooth. Ensure your information security runs smooth through the use of a simple, secure USB stick such as SafeXs 3.0 that is  used in conjunction with SafeConsole Secure USB Management.

Parting is such sweet sorrow, until a securer tomorrow!

European Data Protection Day 2014: Looking to the future

January 28th, 2014 by

Today marks Data Protection Day in Europe, distinguishing the signing of an international treaty to do with privacy and data protection from 1981.

Two years ago the EU data protection reform was proposed in aid to benefit citizens who want to be able to trust online services. The European Commission wanted the individual to have more control over their data, including the right to be forgotten, easier access to their own data and the right to know when their data has been hacked. These proposals are likely to be adopted in April 2014.

With more power to be given to the consumer, businesses throughout Europe will have to strengthen their information security management systems (ISMS) and data privacy controls so that they fall in line with the proposals. If businesses fail to comply, or incur a data breach, the proposed regulations will see compromised organisations facing fines of up to €100m, or 5% of their annual worldwide turnover.

Can your business afford a €100m fine?

We thought not….so we’re encouraging organisations to act before it’s too late.  With data protection within the EU being a “fundamental right”, data privacy will be a hot topic for 2014 and nearly all organisations will have to strengthen and/or adapt their information policies in one way or another.

IT Governance is Europe’s leading provider of information security books, standards, tools and training, helping organisations around the world implement an ISMS to win trust with customers and to compete with competitors.

Data Protection: A Practical Guide to UK and EU Law, Third Edition is a valuable handbook that offers practical solutions to issues arising in relation to the UK and EU data protection laws. It has been fully updated and expanded to include coverage of all of the significant developments in the practice of data protection.

“This book really is a practical guide, being a good deal more readable than the legislation that underlies it” - Datonomy

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

How to master an ISMS in under 6 months

January 27th, 2014 by

Creating an Information Security Management System (ISMS) will not only provide your organisation with a documented and structured approach to information security, it will also protect your organisation against threats that could damage the livelihood of your business. An ISMS will ensure confidence with  stakeholders, including your most important contributor – your customer.

Organisations who have an ISMS in place – particularly those aligned to ISO 27001 (the universally-accepted standard for information security) – are more likely to safeguard their assets against employee misuse, hackers and other security threats, than organisations without an ISMS.

Using a documentation toolkit, such as the ISO27001 2013 ISMS Standalone Documentation Toolkit, will help you implement an ISMS (whilst aligning it to ISO 27001) on time and on budget. It includes pre-written templates to help you produce policies, procedures, work instructions and records that will save you months of work as you get your information security system up to speed.  Tim Moreton from Airline Technology who used this toolkit to secure his organisation’s information, claimed:

“Using the templates, was the only way that we could deliver a 1st edition ISMS in under 6 months.”

If you would like to be among the growing number of IT security professionals who are recognising the benefits of of using the ISO27001 2013 ISMS Standalone Documentation Toolkit in their organisation to implement an ISMS (in line with ISO 27001) in under 6 months, then download the toolkit today.

Download now >>

IT Governance, the European information security providers, are on hand if you need further information, help on getting your ISMS started and/or advice on the direction your organisation needs to take in order to secure its data. Contact them today.

Special Offer: IT Governance are offering their ISO 22301 BCMS Toolkit with the ISO27001 ISMS Standalone Toolkit in the Cyber Resilience Implementation Suite so you can be cyber resilient as well as cyber secure. The additional toolkit will help you implement a Business Continuity Management System (BCMS) that integrates with your ISMS , ensuring your organisation returns to business as quickly as possible, should a disaster happen. Currently you can save €363,80 by buying the two toolkits together. Offer ends 31st January 2014. Find out more.


%d bloggers like this: