Blog

How Secure Is Your Supply Chain?

by
Supply Chain

Many businesses are now reliant on third parties in order to function and to provide their goods or services. These third parties are likely to form a supply chain providing such capabilities as IT services, HR outsourcing and hosting services.

The calibre of these services can vary greatly be they a large conglomerate to small local business. Each suppler will have they own cyber security processes and procedures that should be embedded within the business….. but in practice is this the case and what is the impact on a business if they suffer a cyber security breach?

With reliance now placed on a supply chain it is important that due diligence is carried to ensure that this resilience is in place.

What sort of processes can be carried out in order to provide some assurances?

  • Regular cyber security audits of third party vendors
  • Prioritization of vendors for critical services
  • Review of data monitoring standards of third parties
  • Ensure own security procedures remain at a high standard enforcing regular patching and installation of latest firewalls.
  • Managing of privileges provided outside of the business
  • Robust procurement processes for new vendors
  • Management of contractual liability with the vendor in the event of a possible data breach
  • Due diligence of cloud service providers
  • Insurance checklist for professional indemnity and or cyber insurance by the vendor
  • Review interconnected devices to managed The Internet of Things ( IoT) exposures

The supply chain of a business can be their weakest link and managing this should be given the same level of attention as the internal cyber risks that exist.

The National Cyber Security Center publish a list of some of the risks that businesses should look out for :-

https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Cyber-security-risks-in-the-supply-chain.pdf

The consequences of a third party suffering a compromise of their computer systems could lead to  the following:-

1.Business Interruption

2. Reputational Damage

3.Regulatory Actions and Fines

4.Loss of customers

5.Costs incurred to the business to rectify loss of data or damage to computer systems

6.There have been a number of high profile data breaches where losses have emanated from the supply chain :-

Target

In December 2003 hackers gained access to the heating and ventilation system of the retailer Target. As a result of network credentials being stolen from a mechanical services engineer the hackers were then able to gain access to credit and debit card data of customers. The cost of the breach is thought to be close to $300M with 100 million individuals being affected and the CIO of Target resigning soon after the breach.

Stuxnet

This was a malicious computer worm that targeted automated processes utilized to control machinery on factory assembly lines and systems within the nuclear industry.

It was introduced into a supply network via an infected USB flash drive by individuals that had access to the system It was then possible for the worm to move across the network which scans software that controls machinery and n influence the commands that were given.

NonPetya

Last year NonPetya was a malicious code aimed at software supply chains. The targets were outdated and unpatched Windows systems utilizing the EternalBlue vulnerability which hit many global businesses such as WPP DLAPiper and Maersk.

The hackers initially breached a financial services company in the name of MeDoc which was a third party software service readily utilized by goverments. Once access had been obtained they were able to install malware on their software which was then distributed to end users when the latest update was downloaded.

A report earlier this year by Symantec reported that there had been a 200% increase over the last 12 months in hackers injecting malware implants into the supply chain to gain access to the organizations computer systems.

https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf

Perhaps one of the keys to ensuring that a supply chain is secure is to try and enforce the supply chain to have in place similar robust cyber security procedures and practices to the business in order to manage the evolving cyber risk landscape that exists.

 

Image : Shutterstock

Sign Of The GDPR Fines To Come…?

by
GDPR Fines

It was announced last week that the credit reference agency Equifax has been fined by the ICO in  the sum  of £500,000 as a result of failing to protect the personal data of 15 million UK citizens and 146 million in the US during the 2017 data breach.

http://cyberbrokers.co.uk/equifax-the-anatomy-of-a-data-breach/

The long awaited ICO report found that the UK arm did not have in place the appropriate steps for processing and protecting the personal information of its data subjects.

https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/09/credit-reference-agency-equifax-fined-for-security-breach

The joint ICO and FCA report highlighted the following :-

  • Data was retained for longer than was necessary
  • Inadequate measures were in place to manage personal information
  • IT security was not of the highest standard with the compromise of data being likely.
  • The US Department of Homeland Security had advised Equifax Inc about a critical vulnerability in 2017
  • Customers data should have been treated in a much higher regard.

The investigation was carried out under the 1998 Data Protection Act as opposed to the recent General Data Protection Regulation (GDPR) that came into force on 25th May this year. The ICO imposed the maximum GDPR fine of £500,000 under the previous Act.

Under the GDPR the ICO has the powers to set a maximum possible fine of 4% of Global turnover of a company the consequences therefore of this data breach could have been much higher should this data breach have occurred post 25th May this year.

The approach by the ICO to GDPR fines and the imposing of these to businesses who are responsible for data breach is still very much unknown as the climate remains untested and only time will tell how this is imposed and to its possible severity. The Equifax fine does suggest that the ICO will be treating such data breaches very seriously and will wish to demonstrate that the new legislation does have “teeth” and that they will act accordingly.

 

Image : Shutterstock

Loss of Reputation – The Biggest Cyber Threat ?

by
Ransom

Is the loss of reputation on the biggest cyber threats that a business faces today ?

A good reputation takes a long to build up but the emerging cyber threat landscape can ruin this reputation in a matter of hours. It is important therefore that businesses have in place a loss mitigation plan in place in order to manage this disaster case scenario.

One of the highest profile cyber attack in the UK was the data breach at TalkTalk where the long term consequences of this still being felt within the business today.

The impact on the reputation a business of a data breach 

  • Loss of existing customers
  • Loss of confidence in the business
  • Competitors exploiting the situation
  • Share price of the business
  • Loss of future earnings
  • The stigma of a data breach
  • The attractiveness of future investment in the business
  • Attracting new employees
  • Bad management of the data breach

Be Prepared 

It is essential that the business has an incident response plan in place in order to manage the cyber attack and the ensuing  fall out that will inevitably occur.  This would include a crisis management and business continuity plan.

These should be regularly updated with “dry runs” carried out in order to ensure that they work effectively..

Cyber Insurance 

This specialist form of insurance can help manage and mitigate a cyber attack at both the very early stages of a data breach and also help the business through the process. This is facilitated through the incident services that an insurer offers as part of the policy benefits . This includes public relations consultants and access to a solicitors so that sensitive data can be handled in the most effective manner.

The policy also provides coverage for reputational harm or business interruption coverage modules, typically this would encompass loss of profits and increased costs of working as a result of the data breach.

Policy wordings and intent vary considerably in the insurance market and it is therefore important that an insurance broker with a specialism in this area is utilized.

Image : Shutterstock

The Holiday Cyber Risk Landscape

by
Holiday

The holiday season is now in full swing where people travel to far off destinations to enjoy a well earned break and to spend time with their families. Unfortutely the cyber threat remains with us …… and arguably is increased as people’s guard is somewhat down due to the relaxed environment that being on holiday promotes.

A survey carried out by Keeper Security Inc last year showed that the US posed to the greatest threat to holiday makers from hackers, however more worryingly the UK came in a second place with France, Spain and Italy also featuring in the top ten.

https://www.marieclaire.co.uk/entertainment/technology/cyber-security-holiday-destinations-523668

Some of the cyber threats that exist to indivuals and businesses are as follows :-

Insecure Wi-Fi Networks

A hotel wi-if network may be vulnerable if not secured with the latest security encryption software. This could also be said of restaurants or cafes. Attacks know as “Man in the Middle” where a third party is listening and changing information pretending to both the user and the application can intercept highly sensitive data and use this to compromise a users details.

GCHQ regularly warn travellers of the threats posed by insecure wi-fi networks and the holidayseason is when these threats become more prevalent. It is therefore important to check that the wi-if has the appropriate safety protocols in place in particularly when money is being transacted.

Holiday Scam E-mails 

It is conceivable that an individual could fall foul of a hacker before they leave their house .Holiday scam e-mails may portray a bogus website that offers a holiday deal which is too good to be true and the likelihood is that this could well be the case. Funds could be stolen by an on-line transaction with debit or credit card details also being compromised by a hacker.

Being Aware

Leaving a laptop or smart phone on your beach towel of on a cafe table opens opportunity for a speculative hacker to steal an electronic device and use data themselves or to post on the dark web to be sold at a later date.

Keeping a tight ship

The same principle applies to businesses during the holiday season who may not have their usual numbers in their cyber security team which creates an environment where threats could be missed or not acted upon as quickly as normal. A greater reliance therefore is imposed on everyday users to carry out good cyber hygiene in their everyday work schedule. Watching out for phishing e-mails and dubious website links which could lead for example to an incident of fraud or a ransom ware attack.

Back Home

Once back home it is good housekeeping to to check matters such as bank statements to ensure that no fraudulent transactions have taken place and that you can account for everything spent.

At work looking for any unusual e-mail activity or change in the functionality of your computer in case a virus may have downloaded itself whilst you were away.

Wherever you are on holiday cyber threats exist in many forms , hackers do not go on holiday so it is vitally important that you maintain the same cyber security posture.

Tackling the Cyber Threat at the World Cup

by
World Cup

The 2018 FIFA World Cup has finally arrived with the expectations for the England team  more subdued than normal…..away from the football pitch the cyber threat landscape will once again present challenges for this major sporting event.  Already this year we have seen the Winter Olympics in South Korea experience wiper malware that hit the internet and TV broadcasting of the opening ceremony.

With Russian hackers having  “home advantage ” it will be interesting to see the attack vectors utilized and how resilient cyber security will be to combat this.

GCHQ have warned the Football Association that both the officials and players could well be targeted by hackers during the tournament.

https://www.theguardian.com/football/2018/jun/12/england-world-cup-squad-targets-russian-hackers

Why the World Cup ?

Major sporting events grab the attention of the entire world but unfortunately this also attracts elements of the population who perceive this as an opportunity to be exploited  ….. the world of cyber crime.

The threat that cyber crime poses to an event such as this is similar to that which exists for any other business but on a much larger scale and with more dramatic consequences due its high profile and the many threat vectors that may exist.

Assessing the Cyber Threat

Some of the targets for cyber criminals are likely to be the following :-

1.The Official World Cup Website

Distributed denial of service (DDoS) attacks preventing access to website by fans.

The accessing of the website by hackers and altering the data such as falsifying the results and tables and providing incorrect information to the public.

Defacement of the website by a hacktivist.

Fans will no doubt access the website via Wi-Fi and vulnerability will exist if they inadvertently log in through a rogue Wi-Fi connection which could lead to the stealing of their personal data.

2.Match Day Tickets

Ticket fraud with the setting up of bogus websites taking fans money and issuing counterfeit tickets.

Website scamming offering last minute match day tickets for the big games with no ticket actually being produced.

3.The Stadiums

Technology will be pivotal in all aspects of the running of the ten stadiums being used in the tournament. Stadium entry, ticketing processing, management of floodlights and associated infrastructure would all be impacted in the event of a cyber attack.

4. Tournament Data 

The event will involve a huge amount of data ranging from credit card data of fans, players confidential information or the database of the organizers which is likely to be targeted by hackers. This could occur through phishing attacks in order to steal personal private information (PPI)and then lead to possible bank fraud of individuals. With GDPR now in force hackers are likely to focus more on stealing data.

5.E-mail Transmission

E-mail scamming could be caused by bogus e-mails set up to obtain players and officials personal information that is disseminated over the internet. The numerous sending and exchanging of e-mails also presents an opportunity or spamming.

6.Media Coverage

World wide coverage will be provided to this event by television companies who will be reliant on technology and the service could be interrupted or even blacked out by a hacker wishing to cause transmission downtime.

7. Computer Network 

The spreading of a malware attack within the internal computer network and third party providers could cause enormous interruption to the running of the tournament. The reliance on technology reaches far and wide ranging from the transportation network to close circuit TV surveillance systems.

8. Mobile Applications 

Fake mobile apps devised by developers to give the impression of the official FIFA app.

9.Cyber Terrorism

Cyber terrorism could occur in a number of forms. A ransomware attack would limit or entirely restrict the use of computer systems affecting many aspects of the tournament.

There may be political motivation from countries that want to disrupt the tournament. This could be to make a political stand on an issue or perhaps a country that failed to reach the finals or a country that has controversially been knocked out of the competition.

The threat of remotely controlled drones by cyber terrorist entering a stadium causing disruption and delay to matches.

10.Social Media

Infiltration of social media websites by hackers of the tournament and personal accounts pose a threat to fans , players and officials privacy.

Cyber Risk Management Program

FIFA will no doubt have in place a comprehensive cyber risk management program to manage the World Cup  which is likely to be broken down into the following :-

  • Identification of cyber risk vectors
  • The mitigation of cyber risk within the tournament
  • The transfer of residual cyber risks that they are unwilling or unable to manage.

Cyber Insurance

Cyber Insurance can assist with the transfer of cyber risks by the following insurance modules :-

  • Network Security Liability
  • Data Privacy Liability
  • Multimedia Liability
  • Network Business Interruption
  • Data Asset Protection
  • Cyber Extortion
  • Crisis Management

A cyber insurance policy also provides post breach vendor assistance helping with data breach notification , forensic investigation and public relations.

Image : Shutterstock

Is Our Data Safer Under GDPR?

by
GDPR

Now that GDPR is in force will this make our data safer…..

The volumes of data running through businesses in the UK is difficult to visualise and practically impossible to safeguard so will GDPR actually make any difference to our data being better protected? The chances are that it will be but the same inherent threats will still exist.

So what are these threats ?

1.Businesses that have not yet complied with GDPR

In the the run up to GDPR a number of reports indicated that many business were behind in achieving the required standards expected there is therefore a danger that firms are still very much behind the curve in meeting the GDPR standards.

2.Inability to restore data

In the event of a compromise of personal data it will be important that a businesses can restore data by having the appropriate back-ups in place if this is not possible this will impact on their business confidence and reputation.

3.Internal espionage

Rogue employees or a disgruntled member of staff might wish to cause disruption or make a point on a company wide issue. Morrisons were recently involved in a court case and found vicariously liable for the acts of an employee who gained access to the personal details of employees and released this into the public domain.

http://www.hrmagazine.co.uk/article-details/the-morrisons-data-breach-and-gdpr-compliance

4. Heightened cyber security threats 

It is conceivable that there will a visible increase in cyber attacks on businesses as hackers will target firms for their data and exploiting vulnerabilities. Such threats as ransomware or a DDos attack where a hacker could hold a business to ransom by threatening to steal or disseminate data.

http://cyberbrokers.co.uk/will-ransomware-attacks-increase-under-gdpr/

5. Poor cyber risk management

A data controller with poor cyber risk management would be a prime target for a hacker. Basic cyber hygiene is vital with minimum standards of Cyber Essentials and preferably ISO27001 advanced cyber security processes in place.

6. The absence of an incident response plan

If a businesses is hit by a data breach it will need to react quickly to this, an incident response will assist with this . Business continuity and disaster recovery plans should also be in place so that the business can continue to operate.

Cyber Insurance can help….

This specialist form of insurance can provide valuable coverage in the event of a data breach and help mange the impact of this.

The main elements of coverage provided to protect data are as follows:-

  • Privacy Liability
  • Data notification costs
  • Regulatory costs and expenses
  • 24/7 Incident response services

There is no doubt that data will still be at risk with threats to its security emerging as technology and the incentives to use data for ill means increases.

Image : Shutterstock