Speed Is Key in Tackling Data Breach Fallout

INDEPENDENT PUBLICATION BY RACONTEUR.NET #0570 24/02/2019

Distributed in

CYBERSECURITY Published in association with

ARTIFICIAL CYBER-RESILIENCE FINANCIAL Contributors 02 INTELLIGENCE 06 BY DESIGN 09 IMPACT How should IT experts respond Building a cyber-secure Five ways cyberattacks Davey Winder when AI falls into the wrong hands? business from the ground up can destroy company value Award-winning journalist and author, he specialises in cybersecurity, contributing to Infosecurity magazine.

Kate O’Flaherty INCIDENT RESPONSE Freelance tech writer specialising in cybersecurity, her work has appeared in The Guardian, The Times, The Economist, Forbes, and Wired UK.

Speed is key in tackling Matthew Staﬀ Former editorial director, he is now applying his multi-sector B2B experience across numerous data breach fallout industry titles. Nafeez Ahmed Investigative journalist and editor In the age of social media and public relations crises of Insurge Intelligence, he has contributed to The Guardian, snowballing out of control, the ensuing hours after a Independent, VICE and The Atlantic. data breach can make or break a company’s reputation Nick Easen Award-winning journalist and broadcaster, he writes on science, technology, economics and business, producing content for BBC World News, CNN and Time magazine. Nick Easen

Nick Ismail assive cyberattacks appear to go responding to breaches, will become Content editor of Information Age, he M in waves and we’re probably due even more crucial to business success in writes for technology leaders, helping one soon. Marriott, British Air- the future,” says Tim Rawlins, director at them manage business-critical issues ways, Facebook, Dixons Carphone are NCC Group. for today and in the future. just some of the big names that have been smacked hard in the corporate face. Bruis- Oliver Pickup ing data haemorrhages seem to be a reg- Award-winning journalist, he ular occurrence, while the dreaded fall- specialises in technology, business out on social feeds, tabloid headlines and and sport, and contributes to a wide range of publications. 24-hour online media can be legion. “Once more unto the breach, dear friends, once more” is not so much a line One of the first Tim Cooper from Henry V and the Bard himself, but Award-winning freelance fi nancial more a 21st-century hue and cry from the challenges in dealing journalist, he has written for publications including The Spectator, public relations, C-suite and cybersecu- aff ected organisation often has very few ically – as the breach involved virtually Look closer and you may realise that our with a cyberattack is London Evening Standard, Guardian rity teams as they clamour to shore up tat- facts to work with. Maintaining stakeholder everyone who entered their credit card data infrastructure has been built using Weekly and Weekly Telegraph. tered brand images and stymie any fi nan- time. Incidents can confi dence when you have no facts is a chal- details on their website over the period of methods created in the 20th century and cial losses. lenge and especially because these facts can the hack.” we’re now having to re-engineer our data- “One of the first challenges in dealing go viral and global take days, weeks, even months to uncover.” In the summer of 2018, the details of fed world to deal with security in the 21st, with a cyberattack is time. Incidents can in an instant At the same time, we live in an era when around 380,000 airline bookings were including the cloud, mass digitalisation of go viral and global in an instant. Organ- there’s a toxic cocktail of high breach compromised when hackers obtained supply chains, the internet of things, robot- isations will be dealing with short time- fatigue among consumers and low public names, streets and email addresses, as ics and artifi cial intelligence, as well as the frames to manage reputational risk, trust in companies that hold our precious well as credit card numbers, expiry dates merger between physical and cyber-realms, recover data and prepare a co-ordinated data. Arguably, it’s how businesses have and security codes; certainly enough the so-called fourth industrial revolution. response to regulators, third parties and There’s no doubt that a proactive handled attacks globally that has led to information to steal from people’s bank Next-generation intelligence-driven Publishing manager affected customers,” says Dr Paul Robert- response must be delivered alongside an this state of affairs. accounts. In textbook style, British Air- security is needed. “Before a breach, busi- Reuben Howard son, cybersecurity, privacy and resilience honest plan to tackle a breach, even if its “The reporting of incidents has gen- ways immediately contacted customers nesses struggle to know whether they director at EY. knee jerk, otherwise it’s carnage. erally been poor and often doesn’t high- when the breach became clear. need to invest and struggle to under- Associate editor We also have to face up to the fact we “The saying that 'a lie can travel half- light the real scope of a data breach, with “Within the incident report, you had stand what the impact of inaction will be Peter Archer live in a post-GDPR world. Companies way around the world before the truth has incident reports littered with non-defi - to scroll down the page to see the advice on their business. They know this after a Managing editor have 72 hours to fess up to a cyberattack its shoes on' is very real when it comes to nite words such as ‘could have’, ‘might related to credit cards. At the time, the breach, of course, but at which point it’s Benjamin Chiou or face crippling fines under the EU’s Gen- social media. A misrepresentation of the be’ and so on,” says Professor Bill announcement was your passport details too late,” says Nigel Ng, vice president of eral Data Protection Regulation. As the facts can become a ‘fact’ very quickly and Buchanan, cybersecurity expert at Edin- were safe and that your card details were international sales at RSA Security. Head of production clock ticks in those early hours, the pres- is then often picked up by traditional news burgh Napier University. at risk. You can see that PR teams will try Many organisations are now being more Justyna O'Connell sure can be extreme. sources,” warns Richard Horne, cyberse- “In the case of British Airways, to soften the scope of a data breach, but proactive and less reactive. As Cesar Cer- “Consumers are becoming increas- curity partner at PwC. every customer should have stopped this doesn’t help the media or the general rudo, chief technology officer at IOActive, Digital content executive ingly savvy about the value of their “Cyber-crises are also diff erent to many transactions on their credit card – public understand the scope of an attack,” puts it: “This is no longer an IT issue, but a Fran Cassidy data. Transparency, particularly when others in that directly after the event, the in fact, it should have happened automat- says Professor Buchanan. business imperative.” Although preparedness is more prevalent in the likes of say Design financial services than in healthcare. Grant Chapman Big companies now have so-called Sara Gelfgren MOST CONCERNING CONSEQUENCES OF A CYBERATTACK TIME TAKEN TO IDENTIFY AND CONTAIN Kellie Jerrard fi re-response policies and cyber- A DATA BREACH, BY ROOT CAUSE Harry Lewis-Irlam Percentage of executives who believe the following would have a big impact on their organisation breach simulations bringing IT, public Samuele Motta Survey of 477 companies that experienced relations and customer service teams together a data breach in 2018 as they work on dry runs and responses. How- Head of design Business interruption ever, there’s increasing realisation that a Tim Whitlock 75% Average number of days to identify more holistic approach is needed. Average number of days to contain “Embedding security into an organisation's DNA goes far beyond just raising Reputational damage 59% Although this publication is funded through ad- awareness or training people; everyone vertising and sponsorship, all editorial is without 221 needs to understand how the business bias and sponsored features are clearly labelled. Malicious or For an upcoming schedule, partnership inquir- decisions they make can impact cyber- Breach of customer information 55% criminal attack ies or feedback, please call +44 (0)20 8616 7400 risk,” says Mr Horne. However, this still or e-mail [email protected]. Raconteur is a 81 doesn’t tackle the issue of reviving pub- leading publisher of special-interest content and research. Its publications and articles cov- Data or software damage % lic trust, which is sorely needed before the er a wide range of topics, including business, 49 next round of breaches. fi nance, sustainability, healthcare, lifestyle and technology. Raconteur special reports are pub- “It is often difficult to tell the difference lished exclusively in The Times and The Sunday Extortion/ransomware 177 between say a bank which invests heav- Times as well as online at raconteur.net. The 41% System glitch ily in their cybersecurity and one that information contained in this publication has been obtained from sources the Proprietors doesn’t,” says Professor Buchanan. believe to be correct. However, no legal liability Liability to third parties 60 “For those affected, it is often finan- can be accepted for any errors. No part of this 35% cial loss, which worries many people, and publication may be reproduced without the pri- resulting from a breach or consent of the Publisher. © Raconteur Media therefore we need ever-increasing levels of security. Our ‘Wild West’ of data-han- Disruption/interruption of industrial 29% 174 systems or other technology Human error dling and data-mining needs to end some- time soon. Maybe there should be cyber- /raconteur.net security ratings for companies, where Loss/theft of intellectual property 57 @raconteur 28% they would be extensively audited for the detection and response to incidents.” @raconteur_london Marsh/Microsoft 2018 Ponemon Institute/IBM 2018 There’s a thought. raconteur.net /cybersecurity-2019

Organisations are being forced to re-evaluate their approach to Security, Risk, & Governance—

Find out why on page 6 2 CYBERSECURITY Commercial feature

ARTIFICIAL INTELLIGENCE CAUGHT IN THE CYBER CROSSFIRE Fighting ﬁ re with ﬁ re:

2017 attacks on INDUSTRIES AFFECTED the dark side of AI Ukraine showed a domino effect Shipping of damage Use of artifi cial into enterprise intelligence (AI) in networks worldwide Pharmaceuticals cybersecurity is enabling

IT professionals to franckinjapan/Unsplash predict and react to Financial emerging cyberthreats quicker and more 64 $10bn Energy eﬀ ectively than ever countries affected in damages before. So how can they expect to respond Health services An estimated when AI falls into the wrong hands? 10% 5hrs Transportation of all computers in to spread across over Ukraine were wiped 2,000 companies

Companies must prepare Nick Ismail magine a constantly evolving I and evasive cyberthreat that for ‘cyber cold war’ could target individuals and organisations remorselessly. This is the reality of cybersecurity in an era of artifi- The burgeoning global trade war is set to trigger a series cial intelligence. AI has shaken up the cybersecurity of cyber-espionage attempts between nation states, and industry, with automated threat preven- enterprises are likely to be caught up in the crossfire. tion, detection and response revolution- ising one of the fastest growing sectors in With current security approaches failing to prevent the digital economy. breaches, a paradigm shift is required However, as is so often the case, there’s a dark side. What if cybercriminals get their hands on AI, and use it against public and private sector organisations? “The edge in cyberdefence is speed. rowth of the internet in the Businesses certainly can’t be accused both suffered significant damage to AI is transforming cyberdefence, allow- G 1990s fuelled an era of glo- of not trying to do this as worldwide their brands by responding to their ing businesses to detect evermore com- balisation defined by a rapid spending on information security respective data breaches in a poor plex threats from evermore sophisticated pace of innovation, open trading products and services will exceed and knee-jerk manner. attackers,” says Andre Pienaar, founder of and cross-pollination of technol- $124 billion this year, according to In the world of cybersecurity, C5 Capital. TOP BENEFITS OF AI IN CYBERSECURITY ogy across borders. However, popu- Gartner, but established approaches knowledge sharing is also crucial. Nevertheless, the more AI security solu- Percentage of cybersecurity professionals list movements in recent years have appear to be failing. While many organisations tend to tions, the more cybercriminals will adopt who agreed with the following Hackers are using AI sought to reverse this tide and return The number of vulnerabilities, prefer to isolate themselves and keep the technology; it’s a case of fighting fire to more protectionist postures. data records, new malware samples intelligence in-house, this can restrict with fire. Newton’s Third Law describes to speed up polymorphic AI-based technologies provide Fracturing trust among world leaders and malicious programs continue to the overall ability of businesses to the situation aptly: for every action, there deeper security than what last year resulted in a rising number grow each year, and large-scale data is an equal and opposite reaction. malware, causing it prepare effectively. A competitor to humans alone can provide of trade sanctions and embargoes breaches are covered in the media your products and services is still an Before the advent of AI in cyberattacks, 60% to constantly change between nation states. on a regular basis. Executives are ally in a cyber cold war and should be the security landscape was already chal- These trade disputes restrict nation kept awake at night worrying about seen that way. lenging. But the use of AI in targeted its code so it can’t states from acquiring technologies the impact a cyber-attack could have Most of all, however, companies criminal attacks has made cybersecurity be identiﬁ ed and intellectual property (IP) vital to on their business and are well within must now be prepared to switch their more treacherous. Not only are attacks AI-based security technologies their local industries and security, their rights to ask why the extensive whole approach to security, focusing more likely to be successful and personal- simplify the process of detecting while enterprises in affected coun- funding they’re putting into secu- on understanding where their valua- ised, but detecting the malicious piece of and responding to security threats and vulnerabilities tries also risk losing access to new rity is not providing the protection ble assets are rather than on a phys - intelligent code and getting it out of your innovation and information. they need? ical perimeter or stopping attacks network is likely to be much more diffi- 59% not dissimilar to Homer’s Trojan Horse, is The result is the emergence of a from getting in. cult, even with AI security in your corner. able to propagate and infect systems auto- cyber cold war reminiscent of the “The technology keeps being super- Adoption of AI by cybercriminals has matically. Changes can be made by the mal- late-1940s to early-1990s when nation seded by new threats,” says Mr Brown. led to a new era of threats that IT leaders ware’s authors on the fl y, so it is very diffi - states frequently acquired technolo- “When a new threat vector is revealed, must consider, such as hackers using AI to AI-based security technologies cult to detect and remediate against. gies and IP via espionage. But rather everybody scrambles around trying to learn and adapt to cyberdefence tools, and will decrease the workload of The autonomous benefits of AI secu- IT security personnel than sending in spies to physically fix it. We'll never have a 100 per cent the development of ways to bypass security apply to cybercriminals and their steal information, the difference this view on the threat landscape, so we rity algorithms. It won’t be long before a 34% nefarious activities, enabling them to time is the theft will be carried out The answer lies in need to flip the paradigm and focus continuous stream of AI-powered mal- analyse large stolen datasets in the blink through targeted data breaches understanding the on what we can control.” ware is in the wild. of an eye and in turn create personalised launched remotely. The answer lies in understanding “In the short term, cybercriminals are Ponemon Institute/IBM 2018 emails or messages to target unsuspect- It’s not only governments and secu - points at which people the points at which people and data likely to harness AI to avoid detection and ing individuals. rity agencies that should be worried and data interact interact. Human interactions with maximise their success rates,” says Fraser AI trumps human every time as was about these attacks because busi- data underpin every organisation, so Kyne, Europe, Middle East and Africa shown in an experiment conducted by nesses are likely to be caught in the tracking and analysing those interac- (EMEA) chief technology officer at Bro- two data scientists from security firm Zer- cyber-crossfire, according to Luke tions in detail enables companies to mium. “For example, hackers are using AI oFOX. The AI, called SNAP_R, sent spear Somerville, head of special investiga- understand what’s abnormal. Once to speed up polymorphic malware, caus- phishing tweets to more than 800 users tions at Forcepoint Security Labs. “The current paradigm is broken,” they know what’s abnormal, they can ing it to constantly change its code so it % at a rate of 6.75 tweets a minute, captur- “It’s often IP supplied to govern- says Duncan Brown, chief security quickly and accurately detect when can’t be identified. This renders security 85 ing 275 victims. The human, by contrast, ments by private organisations that strategist, Europe, Middle East and something is wrong. tools like blacklisting useless and has of organisations sent malicious tweets to 129 users at 1.075 other nation states want to get their Africa, at Forcepoint. “There are Forcepoint calls this approach given old malware new life.” have not fully tweets a minute, capturing only 49 indi- hands on, such as the designs for tonnes of technology deployed out human-centric behaviour analytics. What about some particular threats? deployed automation viduals. It’s no contest and another reason in their cybersecurity components, which may make their there, which is effective to a degree, Downloading a certain file may be AI-based malware, such as Trickbot, will why hackers are adopting AI as it takes processes way into critical tools and infrastruc- but not stopping the breaches. The normal for one employee, but abnor- begin plaguing organisations more regu- less effort and yields greater rewards. ture,” he says. “If they’re no longer paradigm is to constantly try to mal for another. Understanding that larly. This particular Trojan, a piece of mali- “Traditionally, if you wanted to break able to access that expertise on the second guess the hackers, essentially context enables organisations to know cious code that can enter a network in a way Ponemon Institute/IBM 2018 into a business, it was a manual and open market, they will target those by looking in the rear-view mirror, but what it is in control of and, by estab - labour-intensive process,” says Max companies with a high calibre of it’s a fool’s game. lishing a base line, determine what is Heinemeyer, director of threat hunting at cyber-attack to steal them instead. “The attack community is much safe from what is unsafe. It puts them Darktrace. “But AI enables the bad guys “Even if your company has no direct more creative than that. The para- on the front foot. to perpetrate advanced cyberattacks, en link with a target, you could still be digm needs to change. We can't keep “We're trying to orientate the secu- masse, at the click of a button. We have affected. Beyond the general risk of spending all this money where it is rity strategy in an organisation around seen the first stages of this over the last collateral damage – the malware used palpably not working. Broadly, there behaviour of people and their inter- year with advanced malware that adapts

on the 2017 cyber-attacks on Ukraine, are two main ways to prevent theft action with critical data, then use the Drop/Shutterstock Ink its behaviour to remain undetected.” for example, spread globally – you may of your critical data: hope and pray, technology to provide the teleme- To cope with this emerging AI security be a target if you supply a government or get on the front foot and organise try that informs the model,” says Mr threat, organisations need to adapt their supplier or are even further down the yourself to expect an attack. Many are Brown. “By understanding what the security strategies to not only accommo- chain. Compromising your systems still in the former mindset.” normal behaviour pattern is you can date AI and innovation, but also priori- may make it easier for the attack to Forcepoint, a cybersecurity soft- apply different risk assessment to tise protection of the corporate gold: data. flow up the supply chain and reach ware provider, advises all compa- each user. In the digital economy, the main aim of the real target.” nies to expect to be breached and to “Lots of companies really can't pre- hackers is to exploit data; it’s where the The cyber cold war means enter- plan accordingly with a full incident dict how they're going to be attacked, money is. Also, crucially, AI does not rep- prises must ensure they have the right response plan in place. Often the but they worry about it a lot and resent a silver bullet. security in place to protect them- worse damage comes not from the this vulnerability stops business “Organisations should use data-centric selves from these kinds of cyber-at- attack itself, but the way the organi- from doing what needs to be security models underpinned by informa- tacks and prevent theft of their IP. sation responds. Equifax and TalkTalk done. By understanding user behav - tion assurance to protect data, as well as iour and the key data assets, you continue all the innovations surrounding can free up that business. Human- AI, while continuing to adopt a prevent, centric behaviour analytics is Isolating the threat email attachments. It also provides detect and response strategy,” says Dan the core engine that gathers the unique threat data. By allowing malware Panesar, vice president and general man- telemetry, and by gathering all of Application isolation, developed by to run, security teams can track the ager, EMEA, at Certes Networks. “This the telemetry from our various Bromium, is a unique technology that full kill chain to see what it is trying to combination is the best way for organ- security systems, we can get a very renders malware harmless by allowing do or steal. As this data is captured isations to protect themselves in this >$1trn 88% accurate sense of how users are it to execute fully in a completely in the virtual machine, AI can then be digital world.” behaving on a network and interact- isolated, contained environment. As applied to spot patterns, identify gaps Cybersecurity, while not the only con- to be spent on of surveyed Forcepoint ing with data.” the malware is trapped in a micro and recommend next best actions for sideration, must be front and centre in the cybersecurity over customers are virtual machine, it has no means of response. Knowing how an attack works minds of IT leaders. The consequences the next seven years concerned about escape and no data to steal, ultimately enables organisations to deal with it of a breach are certainly great enough to potential attacks preventing damage to the enterprise. in minutes and mitigate the threat. keep any chief executive awake at night. on the critical For more information please visit This helps to protect against the However, it is important this solution is Make no mistake, we’re engaging in infrastructure their www.forcepoint.com most common attack vectors, such cyberwar, when AI is both the weapon of organisation relies on used alongside other protection tools as malicious downloads, plug-ins and to secure an organisation. mass destruction and part of the sophisticated solution. And the AI arms race is Cybersecurity Ventures TechValidate. TVID: 900-9BB-779 just beginning. RACONTEUR.NET 3

BREAKDOWN COST OF INSIDER INCIDENTS Taken from a survey of 3,269 separate incidents from large organisations in 2018 THE 3% Overheads Direct and indirect labour 25%

5% Revenue losses

THREAT 14% Cash outlays Technology 21% Employees, contractors and third parties with access to company data should all be considered when it comes to enterprise security. And while malicious insiders – such as disgruntled workers out to cause harm – pose a serious threat, accidental lapses in security through carelessness or negligence are Process and 16% Disruption cost 17% still to blame for a large portion of data breaches and other cyber incidents workflow changes

Ponemon Institute 2018

WHAT'S ENABLING INSIDER THREATS? TIME AND COST TO CONTAIN INSIDER INCIDENTS Percentage of cybersecurity professionals who believe the following are enabling insider threats Taken from a survey of 3,269 separate incidents from large organisations in 2018

01 Phishing attempts 02 Bad password-sharing practices 03 Weak/reused passwords Less than 30 to 61 to More than 04 Unsecured wifi networks 05 Unlocked devices 30 days 60 days 90 days 90 days

16% 23% 30% 31% TIME 04 02

$4.6m $5.6m $9.1m $12.1m COST

IDEN CC TAL A Ponemon Institute 2018 40% 30% 60% 20% 50% 70% 10% 0% 0% 10% 70% 50% 20% 60% 30% 40% DETERRENCE AND DETECTION Most common controls companies have in place, ranked Deterrence Detection

MA S Intrusion detection LICIOU Data loss prevention 01 01 and prevention 10

06 02 Encryption of data 02 Log management Identity and access Security information 03 management 03 and event management Endpoint and Predictive analytics 04 mobile security 04 User and entity 09 07 05 Cloud access security 05 behaviour analytics

Cybersecurity Insiders 2018

08 WHAT INSIDERS LOOK LIKE Too many users with excessive Technology is becoming 06 07 Increasing number of devices with 08 Percentage of cybersecurity professionals who say the following presents a security risk access privileges access to sensitive data more complex

Increasing amount of Lack of employee Regular employees 09 10 56% sensitive data training/awareness Privileged IT users/admins 55%

Contractors/service 42% ACCIDENTAL BREACHES WORRY EXPERTS JUST AS MUCH AS MALICIOUS ATTACKS providers/temporary workers Most concerning insider threats to cybersecurity professionals Privileged business 29% users/executives Malicious/deliberate insider Accidental/unintentional insider Not sure Customers/clients 22% Someone willfully causing Carelessness, negligence or harm to the company compromised credentials None 2%

47% 51% 2% Not sure/other 6%

Cybersecurity Insiders 2018 Cybersecurity Insiders 2018

INSIDER THREATS AS A PERCENTAGE OF ALL THREATS BY SECTOR TARGETS OF INSIDER THREATS Percentage of all security incidents and data breaches that were perpetrated by insiders Types of data most vulnerable to insider attacks

1% Confidential business information 57% 10% Privileged account information 52% 56% 34% 31% 23% 19% 19% 13% Sensitive personal information 49%

Intellectual property 32%

Employee data 31%

Accommodation Operational/infrastructure data 27% Healthcare Public sector Professional Information Financial Education ManufacturingRetail

Verizon 2018 Cybersecurity Insiders 2018 4 CYBERSECURITY 6 CYBERSECURITY

Behaviours need to change, says Empowerment Mr Zander, who asks: “Is it normal EMPLOYEE ENGAGEMENT AND INSIDER THREATS for an executive to demand some- If an organisation’s cybersecurity is thing like a bank transfer to a vendor, only as good as its weakest link, it is cru- or a large purchase from a random cial to empower all employees and give site with no questions asked either them a reason to be diligent. “Encour- because of fear or sternness? Five reasons why staﬀ aging employees to question requests, Welcome to phishing heaven. It’s up double check on records and be just a to IT and security teams to enable, little paranoid are all critical in improv- empower and educate employees ing overall cybersecurity posture,” says as part of strengthening the engagement needs to be Aaron Zander, head of IT at HackerOne. weakest links.” “Companies that blame employees Audra Simons, head of For- for poor passwords or bad behaviour cepoint Innovation Labs, adds: with email aren’t spending enough “Engaged employees tend to be more part of your cyberdefence time, money or energy driving home conscientious, compliant and ulti- security. Preventing phishing attacks mately become a positive force within can be closely tied to corporate culture.” the organisations.” Optimising employee engagement has many benefi ts, not least bolstering cybersecurity and reducing the likelihood of insider threats

Oliver Pickup 4

first contact is often a ‘stepping stone’ Education cyber-approach. “Engaging employees on cybersecu- While almost three quarters of cyberat- rity ensures they are more alert during tacks are perpetrated by people outside these early-stage phishing attempts, an organisation, more than a quarter and when alert they are more likely to involve insiders, according to Verizon’s report contact and stop a breach before 2018 Data Breach Investigations Report. it happens.” Togetherness Furthermore, human error is the root Moreover, Matthew Buskell, assis- cause of close to one in five breaches. tant vice president at Skillsoft, Now more than ever, thanks to the Education of the workforce, therefore, believes organisations cannot rely introduction of cloud solutions, cyber- is critical. on the IT or security departments. “A security simply has to be a compa- “The vast majority of data breaches recent (ISC)2-commissioned survey ny-wide commitment, from top to bot- can be traced back to an original phish- identified a glaring skills gap on the tom. “Some 92 per cent of cybersecurity ing email, or series of emails, whereby horizon,” he says, “projecting that the teams surveyed in The Oracle and employees are used as targets to overall cybersecurity skills shortage is KPMG Cloud Threat Report 2019 said obtain data,” says Luke Vile, cyberse- set to rise to 350,000 workers in Europe they were concerned that individuals, “One innovative solution is to go curity expert at PA Consulting. “This by 2022.” whole departments or lines of business beyond mere cyber-awareness train- 1 were in violation of their security poli- ing and develop more ‘gamified’ cies for the use of cloud applications,” approaches, boosting the engagement says John Abel, vice president of cloud of employees and leaders through excit- and innovation at Oracle. ing role plays and scenarios involv- “In almost half of those cases, the 5 ing ‘games’ with cyberattacks and Jake Moore, cybersecurity expert at unauthorised apps being used resulted attackers,” says Thomas Calvard, Happiness ESET, agrees. “Employees are your best in improper access to data and the lecturer in human resource manage- asset, yet they are also the weakest link. introduction of malware that can ment at the University of Edinburgh It’s impossible to quibble with the They are able to spot signs that not even quickly spread across an organisation. Business School. logic that a happy worker is a pro- artificial intelligence can see, such as a “The increasing number of con- Adenike Cosgrove, cybersecurity ductive worker. A happy, committed begrudged staff member, and pick up nected devices and the growth in strategist at Proofpoint, took this worker is also unlikely to turn rogue on such signs,” he says. mobile working has led to an exponen- approach with Royal Bank of Scot- when it comes to cybersecurity. “A Most employees demand flexible tial increase in opportunities for cyber- land (RBS) staff. “Through an ongoing main reason for companies to invest in working and PA Consulting’s Mr Vile criminals, making it even more impor- programme of ethical phishing employee wellbeing and engagement says organisations must ensure this tant for employees to be engaged and simulations based on actual is that discontented staff pose a clear policy, to boost happiness, is secure. prepared to spot threats. fraudulent messages from the wild, security risk, especially when resign- “With many employees now routinely “Our research also revealed almost Motivation RBS determined their employees’ ing or leaving the organisation,” says working from home, or working out of one in four companies that had been In the same way an organisation with a susceptibility to real-world attacks,” Louis Smith, insider threat specialist multiple offices, it extends the digi- the subject of a cyberattack in the past clear and inspiring vision is more likely she says. at Fidelis Cybersecurity. tal boundaries of an organisation far two years said ‘increasing employee to attract and retain talent, by educat- “Users falling victim to these fake “Individuals who feel wronged by beyond its traditional office space,” he awareness and training’ led to the big- ing the workforce about cybersecurity phishing messages on multiple occa- the company might feel they have points out. “Whenever digital bounda- gest improvement in the security of the using a fun and engaging approach can sions received comprehensive training, something to gain from sabotaging ries are expanded in this way, it makes organisation, showing just how power- reap big rewards. “Studies show that which led to a significant 78 per cent intellectual property or conducting it harder for security to stretch and ful employee engagement programmes the stick doesn’t work,” says PA Con- reduction in the likelihood of users IP theft.” cover everybody.” 2 can be.” sulting’s Mr Vile. clicking on nefarious campaigns.”

Commercial feature

Instead of creating models that look for tools and methods hackers have used in the Closing down past, deception creates a hostile environment, confusing the attacker and detecting the behaviour underlying lateral movement. cyberattack pathways This enables reliable detection, regardless of how the attackers’ tactics change over time. Deception solutions can, therefore, give In today’s interconnected business environment, dynamic organisations greater confidence in guarding against cybersecurity threats is their ability to minimise cyber-risk, allowing executives to focus on their core business increasingly complex, with enterprises susceptible objectives. “Businesses can’t stop growing and to months-long business interruption and millions innovating just because they’re afraid of security failures. Having the ability to expose and in real costs. But new tech offers hope... stop lateral movement gives leaders freedom to run their business without having to continuously consider cybersecurity,” says Mr Israeli. Companies that don’t have visibility inside their networks and lack the capacity to limit severely the ability of attackers to move laterally will find themselves at high risk when their perimeter is breached. Only 28 per cent of security professionals surveyed by Ponemon have the ability to detect accurately credentials that are improperly stored on systems. “Lateral movement is a blind spot for many enterprises, but our Attack Surface Manager (ASM) solution provides visibility, automatically identifies hidden risks and removes keys that allow attackers to obtain essential assets,” says Mr Israeli. The approach of Illusive Networks differs to that of other cybersecurity companies in its automation, simplicity and high-fidelity he advent of cloud and the move Once hackers have gained a foothold, they alerts. This solution doesn’t require contin- T towards digital transformation move laterally through the network on the uous monitoring or management, but gives have effectively broken traditional search for high-value assets and increase their customers the confidence that when an cybersecurity perimeters and made focus- level of access in the process. Yet many busi- attack happens, they are protected. ing defence efforts on keeping attackers out nesses are still not fully prepared to combat Illusive’s Pathway functionality shows an unsuitable approach. Firms that don’t this type of attack, despite the large amounts of defenders what options attackers can take have a plan of action for when attackers money being invested in security technologies. to reach prized business-critical assets and breach the cyber-front line leave their net- “Ensuring that attackers, once they’ve helps security personnel remove excess or work acutely vulnerable to attacks on busi- breached the perimeter, can’t move inside unauthorised paths without harming essen- ness-critical data and applications. the network is critical,” explains Ofer Israeli, tial business connectivity. According to a recent study of more than founder and chief executive of Illusive By giving security teams the tools to handle 600 security professionals by research Networks, the leader in lateral movement the full life cycle of these challenges, Illusive firm Ponemon Institute, only 36 per cent of detection and prevention. Networks can assist firms in becoming better respondents believe they are able to detect “During normal use of the network, a equipped to deal with cyberthreats. “We and investigate attackers before serious company’s employees leave behind data – pre-empt, detect and respond to any lateral damage occurs inside the network. credentials and unintended connections movement that occurs inside the network. between computers – that attackers use to This gives peace of mind to businesses know- move laterally. From a preventative stand- ing their most important data and systems point, this material can be removed to limit are protected in a way that is simple, cost the attacker’s options.” effective and scalable,” Mr Israeli concludes. Deception technology can be a highly efficient method of detecting attackers For more information, or to schedule a free Ensuring that attackers, who rely on lateral movement techniques. Attack Risk Assessment, please visit once they’ve breached As opposed to traditional cybersecurity go.illusivenetworks.com/times approaches, deploying deception-based the perimeter, can’t solutions brings the burden and battle to move inside the the intruder by forcing them to determine what is real and what is fake. At the first network is critical wrong move, they are detected. 6 CYBERSECURITY 2 CYBER SECURITY RACONTEUR.NET 5 Commercial feature

CLOUD Adam Philpott, McAfee’s president, Europe, Middle East and Africa, points AT LEAST ONE FLAW IN A PREVALENCE OF COMMON FLAW TYPES out C-suite ignorance. “We currently esti- COMPONENT, BY LANGUAGE mate that the average organisation gener- 2016 2017 2018 Experts fret as cloud ates over 3.2 billion events per month in No flaws At least one flaw the cloud, of which 3,217 are anomalous Information and 31.3 are actual threat events,” he says. leakage “Also, most organisations underesti- 12.5% Cryptographic attacks intensify mate how many cloud services they actu- Issues ally use, with the average using approxi- Java mately 1,935, a figure that has seen a 15 per Code quality As the adoption of cloud technology surges, cent growth from last year. In contrast, protecting organisations against evolving the average organisation thinks it uses 87.5% just 30 cloud services.” CLRF injection threats on internet-facing infrastructure Consider that the number of connected devices is expected to rise to 20 billion by Directory has never been more critical next year, according to Gartner, organi- 9.8% traversal sations will use some 40 per cent of these and each one opens up a new vulnerabil- Credentials management ity. Gartner also projects worldwide pub- PHP Oliver Pickup lic cloud growth of 17 per cent this year. Cross-site How then can organisations maintain scripting (XSS) adequate cybersecurity in this increas- 90.2% ingly vicious online war zone? Insufficient Improving general cyber-hygiene and input validation significantly greater education in this 14.3% area, from top to bottom of an organi- SQL injection sation’s hierarchy, is imperative. Adam Louca, chief technologist for security at .Net Encapsulation IT infrastructure provider Softcat, says: Marnix Hogendoorn /Unsplash Hogendoorn Marnix “The current cybersecurity skills gap 0% 10% 20% 30% 40% 50% 60% 70% 80% means defending cloud infrastructure 85.7% from compromise is one of the biggest Veracode SOSS volume 9 challenges of modern business. “Cloud companies must do more to 7.6% FLAW PERSISTENCE ANALYSIS educate their customers on best-practice security configuration. Businesses 100% must continue to invest in security skills C++ training, and onboard new talent to close 80% the widening gap between their security 75 per cent of flaws persist after 21 days needs and the resources they have to pro- 92.4% tect themselves.” 60% 50 per cent of flaws persist after 121 days Another level of protection is gained 25 per cent of by using tech against tech, says Alan 31.5% 40% flaws persist Duric, co-founder of Wire, an end-to-end after 472 days encrypted communication and collaboration platform. “Automated attacks on 20% cloud structures are directly related to JavaScript Overall, 4.4m findings were closed out of 6.3m findings businesses using insecure and unrelia- 0% ble communications platforms like email, 0 100 200 300 400 500 600 Slack and WhatsApp,” he claims. 68.5% Days from first discovery “Firms need to invest in secure communications platforms that are end-to- Veracode SOSS volume 9 Veracode SOSS volume 9 end encrypted, while ensuring all mobile devices used by the business are hard- wired for security, and built with security and privacy from the ground up.” It’s clear that those who take a breezy attitude to cloud security risk being blown away in this stormy climate. Software leaves businesses

WHAT THE CLOUD IS USED FOR open to hackers Percentage of cloud services in use by category ultifarious benefits of cloud com- Indeed, our telemetry shows a Hadoop The rise of open source software has of creating secure code, knowledge of M puting make the disruption of YARN installation is attacked about once File sharing how to do so is lacking. digital transformation worth- a minute. A vulnerable installation would and collaboration provided a wealth of benefits for developers Education and awareness will ultimately while, business leaders are assured. How- be attacked immediately. These measures empower development teams to improve ever, a recent torrent of automated attacks vary wildly across the industry and as a and businesses alike. But a lack of knowledge how they create secure code. Veracode 20.9% on cloud infrastructure’s vulnerabilities result there remain huge exposures for the Finance around how to write secure code, and use provides tools that enable developers to has precipitated a somewhat gloomy out- internet ecosystem at large.” identify and correct security defects within look, raining on the cloud’s silver lining. Alarming figures illustrate the growing code from open source libraries securely, seconds of writing code, while also telling In September, for example, Xbash – issue. “In January, 1.8 billion records were them whether or not the open source an advanced, data-destructive malware leaked online,” says Dr Guy Bunker, sen- is causing enterprises to unwittingly allow building blocks they are using have any vul- IT services 7.5% Commercial feature strain that combines cryptomining, ran- ior vice president of data security organ- hackers to compromise their systems nerabilities in them. somware and botnet capabilities – was isation Clearswift. “Today it is possible Automation technologies such as arti- identified. How can organisations that to collect and analyse billions of pieces 7.1% ficial intelligence and machine-learn- have come to depend on the cloud for of sensitive data in almost no time at all. Cloud ing are accelerating the ability to look the smooth running of their business It can be transferred across the internet infrastructure for defects in software, but it will be an Instead of creating models that look for combat these morphing, multi-vector to a partner who shares it with another 7.1% onsumer demand for inter- more accessible for individuals who cannot appropriate balance between machines tools and methods hackers have used in the cyberthreats? and another, further enriching it with C net-connected devices and afford licensing fees. and humans that is most successful. Closing down past, deception creates a hostile environ- “Cloud security has never been more more data. the software applications that The benefits of open source code While computers are excellent at looking Development 6.5% ment, confusing the attacker and detecting critical,” warns Max Heinemeyer, director “These large datasets are not only use- power them has rocketed in the last ten can be so alluring that businesses forget for the traits of potential defects in data the behaviour underlying lateral movement. of threat hunting at Darktrace, a global ful for business, they are also a honey- years. Smart applications now spread about the risks involved with using public, at speed and scale, they can’t do with- % cyberattack pathways This enables reliable detection, regardless of leader in artificial intelligence-powered pot for cybercriminals who will steal it 6.3 beyond smartphones into other devices, unvetted chunks of software throughout out our human ability to prioritise how to how the attackers’ tactics change over time. cybersecurity. “Xbash is a very sophis- and then sell the information on the dark Human with web-enabled television, doorbells their applications. Vulnerabilities in open address and remediate flaws. Deception solutions can, therefore, give ticated example of an automated attack web. Security is only as strong as the resources 5.7% and security cameras increasingly com- source code are prized by hackers simply “We use machine-learning to identify In today’s interconnected business environment, dynamic organisations greater confidence in because it can target both Linux and Win- weakest link.” monplace. Software is a pervasive and because of the prevalence of their use. and pinpoint potential vulnerabilities guarding against cybersecurity threats is their ability to minimise cyber-risk, allowing dows servers, and has multiple payloads. 5.3% crucial driver of innovation in commerce, Once a hacker discovers a vulnerability with ever-increasing accuracy,” says Mr Education executives to focus on their core business “Automated attacks against inter- 3.8% helping organisations to be more agile in a widely used open source package Farrington. “However, humans are great increasingly complex, with enterprises susceptible objectives. “Businesses can’t stop growing and net-facing infrastructure, like Xbash, are and competitive. or library, they can exploit potentially at finding the sequence of steps hack- to months-long business interruption and millions innovating just because they’re afraid of secu- not new. What has changed is that the The functionality of these devices and thousands of systems running that code, ers must undertake to compromise that rity failures. Having the ability to expose and number of devices that are internet facing applications are determined by source amplifying by many degrees the impact of system. We use the appropriate blend of Business in real costs. But new tech offers hope... stop lateral movement gives leaders freedom and potentially vulnerable has increased code written by developers. According to the vulnerability. automation and human ingenuity. We call to run their business without having to contin- exponentially. This is in no small part intelligence the AppSec Market Report, around 111 bil- these people manual penetration test- uously consider cybersecurity,” says Mr Israeli. due to the advent of the cloud. Attackers lion lines of new software code were cre- ers, looking for security defects to prove % 29.8% Companies that don’t have visibility inside are innovating rapidly, and we can expect 21 ated in 2017. Within that massive volume they exist in systems.” Security their networks and lack the capacity to limit attacks on the cloud to get faster and of new code inevitably comes millions of Developers must ultimately think about severely the ability of attackers to move lat- more furious.” software vulnerabilities and the security where the software will sit once it goes into erally will find themselves at high risk when Charaka Goonatilake, chief technology of all fi les in the cloud problems compound themselves with age. production or lands on a user's device. contain sensitive data their perimeter is breached. officer of Panaseer, another cybersecu- Other The growing reliance on software in Applications may exist in hostile environ- Only 28 per cent of security profession- rity giant, agrees. “What’s different in the both business and society means data It's really key to ments, far longer than originally envisaged, als surveyed by Ponemon have the ability cloud era is the ease with which exploita- McAfee 2019 McAfee 2019 breaches are more impactful than ever ensure developers not and hackers may do anything to subvert to detect accurately credentials that are ble software can be spun up and exposed and hackers are actively targeting vul- them. As such, developers should seek an improperly stored on systems. to the world on the internet,” he says. nerabilities in the code. In Verizon’s Data only think about the understanding of secure code and work “Lateral movement is a blind spot for many “Vulnerability search engines, such Breach Investigations Report 2018, web theoretical risk, but in tandem with security teams to remove enterprises, but our Attack Surface Manager as Shodan, continually trawl the inter- applications were identified as the most friction from the development process. (ASM) solution provides visibility, automat- net for these exploitable weaknesses and they use to spin up workloads within the common source of data breaches and are also given tools to “As the use of containers continues ically identifies hidden risks and removes make it effortless to identify masses of clouds. Additionally, application designs security incidents. to drastically reduce the time required keys that allow attackers to obtain essential targets to attack. Combined with the fact need to be modifi ed to add two-factor “Software applications are the prime highlight the proven to deploy and scale software, we are at assets,” says Mr Israeli. that highly sophisticated malware, such authentication for exposed services. target for attackers who want to get risks that exist in the forefront of developing techniques The approach of Illusive Networks differs as Xbash, is readily available off the shelf, “Finally, since current cloud topologies hold of an enterprise's assets and data,” to ensure we secure the applications that to that of other cybersecurity companies in makes for a very low barrier for nefarious are woefully lacking in segmentation, says Paul Farrington, chief technology the software exist in containerised environments,” its automation, simplicity and high-fidelity actors to carry out lucrative attacks from leaders absolutely must improve their officer, Europe, Middle East and Africa, says Mr Farrington. “However, addressing he advent of cloud and the move Once hackers have gained a foothold, they alerts. This solution doesn’t require contin- the comfort of their own homes.” segmentation game. Even by taking at Veracode. “Web and mobile applica- the problem at source, when the devel- T towards digital transformation move laterally through the network on the uous monitoring or management, but gives Hardik Modi, senior director of threat just the very basic steps to isolate, tions account for more than a third of opers actually write the code, is going to have effectively broken traditional search for high-value assets and increase their customers the confidence that when an intelligence at Netscout, expands upon segment and micro-segment their cloud data breaches, and attacks at the appli- According to Veracode's State of be how we address the problem at scale. cybersecurity perimeters and made focus- level of access in the process. Yet many busi- attack happens, they are protected. this worrying theme. “There are numer- environments, leaders will impede an cation layer are growing by about 25 per Software Security report, 88 per cent of “It's really key to ensure developers ing defence efforts on keeping attackers out nesses are still not fully prepared to combat Illusive’s Pathway functionality shows ous instances of such open-source pack- intruder’s lateral movement and thus cent annually.” Java applications contain at least one vul- not only think about the theoretical risk, an unsuitable approach. Firms that don’t this type of attack, despite the large amounts of defenders what options attackers can take ages like Hadoop, Mongo and Elastic- make it harder for attackers to succeed.” While 20 years ago software was nerable open source component. This is but are also given tools to highlight the have a plan of action for when attackers money being invested in security technologies. to reach prized business-critical assets and Search which remain exposed to the Dr Guy Bunker at Clearswift urges mostly developed in-house using custom noteworthy because just a single vulnera- proven risks that exist in the software. breach the cyber-front line leave their net- “Ensuring that attackers, once they’ve helps security personnel remove excess or internet, and there have been waves of security professionals to “start thinking code, Gartner forecasts that seven out of bility in a piece of open source code can Veracode pinpoints what we call the ‘vul- work acutely vulnerable to attacks on busi- breached the perimeter, can’t move inside unauthorised paths without harming essen- reports of installations that have been like their attackers”. He asks: “How ten applications are now running on open hit hundreds of thousands of applications. nerable methods’ so we can show devel- ness-critical data and applications. the network is critical,” explains Ofer Israeli, tial business connectivity. exploited and encrypted,” he says. can they make it as diffi cult as possible source databases. “The open source community is really opers the line of fire between the code According to a recent study of more than founder and chief executive of Illusive By giving security teams the tools to handle “This can have severe consequences to obtain the information and then to Developers face overwhelming pressure exploding and the desire for businesses to they write and the security exploit that is 600 security professionals by research Networks, the leader in lateral movement the full life cycle of these challenges, Illusive for businesses of all sizes, since they may How to improve use it?” to push out more software in shorter time- move faster is encouraging developers to just waiting to happen in the open source firm Ponemon Institute, only 36 per cent of detection and prevention. Networks can assist firms in becoming better not be in a position to recover such data. cloud defences Encryption is part of the solution. frames. Open source libraries can help by make use of open software, which reduces software. That’s a game-changer for respondents believe they are able to detect “During normal use of the network, a equipped to deal with cyberthreats. “We McAfee’s Adam Philpott believes a providing pre-built pieces of code that the cost for enterprises and means deliv- software development teams who don’t and investigate attackers before serious company’s employees leave behind data – pre-empt, detect and respond to any lateral What should organisations be doing to collective, proactive approach is critical. deliver specific functionality without having ery timelines can be hit faster than ever have time to deal with noise.” damage occurs inside the network. credentials and unintended connections movement that occurs inside the network. shore up their cloud security defences? “I would suggest auditing your Amazon to build it from scratch. Consequently, 90 before,” says Mr Farrington, who predicts between computers – that attackers use to This gives peace of mind to businesses know- “They need to harden their cloud Web Services, Azure, Google Cloud per cent of the code in many applications there are more than five million unique move laterally. From a preventative stand- ing their most important data and systems applications and infrastructure, and Platform or Infrastructure as a Service may originate from open source libraries. open source components that exist in To get a clear picture of the state of soft- point, this material can be removed to limit are protected in a way that is simple, cost incorporate processes that continuously confi gurations,” he says. Open source software enables develop- various software repositories develop- ware security, including data on open the attacker’s options.” effective and scalable,” Mr Israeli concludes. check enterprise applications for “Further to this, try to understand ers to fulfil business requirements more ers interact with. “Soon, this will become source risk, which vulnerabilities peers in Deception technology can be a highly What has changed is vulnerabilities,” says Dave Klein, senior where your most sensitive data lives, and quickly and at less cost, but also introduces hundreds of millions because of the rate your industry are finding most often, and efficient method of detecting attackers For more information, or to schedule a free director of engineering and architecture assess your access and sharing privileges. new risks. of contribution from developers,” he says. how organisations are reducing their soft- Ensuring that attackers, who rely on lateral movement techniques. Attack Risk Assessment, please visit that the number of at cloud and datacentre security Once you have an understanding of this, When software is released as open Developers are no doubt aware of the ware risk, please download Veracode’s once they’ve breached As opposed to traditional cybersecurity go.illusivenetworks.com/times devices that are internet specialist Guardicore. lock down and apply data loss prevention source, it means the original author intends security flaws in open source software. State of Software Security Volume 9 at approaches, deploying deception-based “Further, they must incorporate patch, to your most sensitive locations. to give the code to developers to use freely, For example, the Apache Struts vulnera- www.Veracode.com/sossreport the perimeter, can’t solutions brings the burden and battle to facing and potentially kernel and application updates into the Remember, if your data is a collaborative study and enhance. The amount of collab- bility was behind the massive data breach move inside the the intruder by forcing them to determine vulnerable has provisioning and management scripts effort, so should your security be.” oration these projects can foster brings that exposed the personal information of what is real and what is fake. At the first forward some of the greatest advance- 143 million Americans in March 2017. But network is critical wrong move, they are detected. increased exponentially ments in tech and it makes the software while they may appreciate the imperative 6 CYBERSECURITY Commercial feature

NETWORK INFRASTRUCTURE National security models still not up to scratch

“This hasn’t been helped by the piece- Attacks on national critical infrastructure meal approach to IT upgrades that the could bring a country NHS has spent several decades grappling to its knees with. It’s made for a set of weak systems that are perfect for low-cost, high-impact

Max Lederer/Unsplash Max asymmetric cyberattacks or other security breaches, which could easily see our personal health data becoming a cyberwarfare bargaining chip. “We had a taste of what the impact of an NHS cyberattack looks like with the Wan- naCry incident in 2017. The impact was immediate and widespread, highlighting how vulnerable our most critical information systems can be.” Dr Gilbert says there shouldn’t be a difference in how critical network infrastructure or physical infrastructure is protected, adding that governments need to make systems too “costly and ultimately counter-productive” to be attacked. Mr Emm says: “Fast-changing threats have made it impossible to secure critical national infrastructure networks and systems completely, but a wait-and-see attitude should not be adopted. In fact, it should serve as the latest warning that hackers can severely affect, or even take Boardrooms seek offline, critical public infrastructure. “Updating plans for improving defences and reducing the impact of attacks must well-rounded approach become the new normal if the government and operators are to be agile in responding to this changing environment.” There is an overwhelming consensus to cybersecurity and privacy that a reactionary approach to the current situation is not enough. To get ahead With buy-in from the very top, organisations are merging of the curve, a mixture of holistic system protection, on the surface, and improved security, risk and governance to form a holistic view of the networking, education and training, behind the scenes, is vital. threats they face and a broad solution to achieving protection “Essentially, every industrial customer and process is unique, and it is important to deploy a solution made up of a port- he crucial relationship senior director of security, risk and applications and data, and how each With cyberattacks the public sector has to handle, against folio of technologies and services that T between an organisation governance marketing at Micro Focus, can become a vulnerability if not pro- this entrenched slowness to adopt modern can adapt to different sectors, whether and its customers has been the UK’s biggest technology company. tected as well as the others. When silos rising in both volume digital standards in the era of Industry 4.0. that’s oil and gas, water, power increasingly defined by data in recent “Security becomes the enforcement are prevalent across an organisation, “Yes, data dumps of printed Excel files grids, manufacturing and so on,” says years as new insights breed better mechanism, risk becomes the measure it can be easy for an individual with a and complexity, are still a thing,” says Alex de Carvalho, Mr Emm. products and services. However, this and governance the decision-making. background in DevOps, for example, to chief information officer and co-founder Mr de Carvalho believes inroads are has also meant fears of a damaging data only think about application security. and critical network of PUBLIC, which helps tech startups being made in the UK through not just breach have sharply elevated, making By neglecting to think about the data infrastructure now a solve prevalent public sector challenges workshops and classes, but physical tools it a board-level issue and a concern the applications operate on or the and pitfalls. that are able to “quickly and effectively across the whole business. users who interact with them, they can vulnerable target, fi lling “Many departments and local author- notify individuals and management of This has also forced organisations end up running into different kinds of ities have a pressing challenge to apply potentially unsecure actions”. to re-evaluate their approach to secu- security challenges. Making a change the gaps in government high standards of protection and over- By following a comprehensive, pro- rity, risk and governance, which were in one area can also have an impact on sight over a very disparate and digitally cess-oriented approach, critical network typically viewed and managed as sepa- We have some of others that are out of view. “If they’re cyberdefence has never uneven network, and that’s where we have infrastructure will be better guarded rate domains. New requirements, such not careful, they can set the organ- been more important been working to try and find startups against sophisticated, targeted attacks, as the European Union’s General Data the best, innovative isation up to be blindsided,” warns that can help public sector security teams veering away from an inefficient, Protection Regulation, have brought technology in the Mr Grandpre. tackle the cybersecurity challenge.” reactionary seek-and-destroy approach the areas of security and privacy closer In the rush to meet the demand for Mr Emm and Mr de Carvalho agree to an embedded culture of front-line together and empowered people to be marketplace, spanning greater security, venture capitalists that to implement reliable protection public protection. more aware of how their personal data not just security, but have inadvertently heightened the like- against all hazards, a multi-layered, is being used. lihood of such silos in an organisation. highly configurable defence is required In this new reality, keeping secu- many other parts Having injected more funding into the to extinguish more traditional threats, Matthew Staff rity, risk and governance separate is of the enterprise security industry in the past year than such as phishing emails, unsecure links WANNACRY'S IMPACT ON THE NHS detrimental to an organisation’s over- the last four combined, the result is and human error, and then dig deeper to Although not specifi cally targeted at the NHS, all ability to protect itself. Companies an abundance of point solutions that ere’s a warning: “The world is ensure greater clarification of best-prac- WannaCry was still the largest cyberattack implement security controls to enforce tackle very narrow pieces of the secu- H still not prepared for cyberat- tice technology standards are in place for to hit the health service in history. Launched appropriate activity, but knowing rity problem, creating even greater tacks on critical infrastructure. the companies or institutions themselves, on May 12, 2017, the ransomware disrupted what’s appropriate and determining If you bring all of those teams together integration challenges and making it Governments are not ready, law enforce- their own internal arms, and their busi- NHS trusts and GP practices across the what needs to be done requires gov- around that uniform process, you can difficult to achieve a holistic view. ment isn’t ready, the facilities themselves ness partners and supply chain. country, leading to thousands of cancelled ernance and a strong understanding of be much more effective and start pro- By providing perspective and inte- are not ready, and the people who design, “Attacks on industrial systems are on appointments and operations the risk levels. viding a lower-risk environment.” gration across not just security, risk and build and operate them are often the least the rise and it’s clear that for businesses “They’re all part and parcel of the Companies must also recognise the governance, but the whole enterprise, ready of all. Unfortunately, the cyber- operating industrial or critical infrastruc- same process,” says Travis Grandpre, clear relationship between identities, including DevOps, hybrid IT and analyt- criminals are very ready indeed.” ture systems, the risks have never been ics, Micro Focus is well suited to organ- So says David Emm, principal security greater,” says Mr Emm. “In 2017, TRI- isations that wish to eliminate harm- researcher at global cybersecurity pro- TON, a malicious malware, took control ful silos and achieve a well-rounded vider Kaspersky Lab, who is not alone in of Triconex safety instrumented system % approach to securing their business. his assessment of the current readiness controllers, giving attackers the ability 34 of NHS trusts in “We have the ability to connect all among governments to protect critical to interfere with the plant’s processes or England were Q&A these teams, solve new use-cases and network infrastructure and the public to cause an emergency shutdown, halt- disrupted in couple different businesses and buying institutions that exist under its umbrella. ing operations at a critical infrastructure the attack Culture eats centres, which allows organisations to While private sector operators take organisation.” bring in technology that's been built responsibility for their own digital safe- Closer to home, it’s more evocative strategy for security to solve security challenges in a much guarding, such are the financial dangers to resonate with the notion of a similar more impactful way than the many associated with not doing so, Mr Emm event happening within the NHS, a fact Nick Nikols, vice president of point vendors out there in the market,” asks: “Who will take responsibility for that hasn’t been lost on Barney Gilbert, appointments were security strategy at Micro Focus, says Mr Grandpre. protecting our utilities, our rail lines or co-founder and co-chief executive of For- cancelled in the says building a risk culture is The benefits of bringing together our healthcare system?” ward Health, a company offering secure 6.9k space of six days security, risk and governance spread In the UK, the government holds infor- messaging, compliant with the General crucial to keeping secure in beyond protecting the organisation mation on individuals’ health records, Data Protection Regulation, for doctors today’s threat landscape from threats and ensuring data privacy residency, bank details and numerous and nurses as an alternative to open, pro- for customers. Cybersecurity is now so other pieces of private data. By inade- hibited portals such as WhatsApp. appointments would engrained in the success of an organ- quately protecting such personal infor- “The NHS is a huge operation run by have been cancelled isation that achieving a well-rounded mation against potential breaches, the myriad staff, with varying levels of secu- 19k in total, based on the What is the danger of overlooking this because additional insights and approach also enables new opportuni- ramifications could be disastrous. rity clearance, most of whom engage with normal rate of follow- people and process when awareness help change behaviour ties for businesses to grow. Mr Emm continues: “The difference a unique combination of systems on a up appointments to protecting an organisation from and impact the efficiency of how “It gives you many ways to drive between an attack on a single organisa- daily basis and the majority of which are fi rst appointments cyber-threats? people interact. The culture builds disruption and achieve even greater tion and an attack on critical national processing highly personal data. It’s a Technology is a tool the process a much more productive environ- heights, while at the same time infrastructure is there could be a real- minefield,” says Dr Gilbert. National Audit Office 2017 uses, but it’s people that make the ment because everybody has a defending against breaches and keep- world effect across an entire country. In decisions. You end up having multi- clearer picture of the risk of their ing data private,” says Mr Grandpre. 2015, Ukraine had a taste of this, when ple levels you're dealing with, from individual activities and it becomes “We can help customers deliver a hackers took control of its power grid, Last year’s those running the business to the more natural to do the right things. bright digital transformation for their plunging thousands of homes and estab- WannaCry employees operating all of the nec- future without worrying about incur- lishments into darkness for hours.” cyberattack showed just how vulnerable essary functions within the organ- ring greater risk. Despite a growing awareness of the How can organisations ensure the NHS is to isation and the customers being their people aren’t their biggest “Over the last 40 years, Micro Focus cyberthreat, many IT security mod- ransomware and interacted with. Understanding vulnerability? has proudly built this very successful els are still lagging behind, embedded other threats that relationship relative to the We've seen the biggest success business from taking a lot of amaz- in the hope that “security by obscurity” Gomez/Shutterstock John processes and how the technology when companies place more ing technology, some more mature is enough. The challenge arises from can facilitate their interactions is emphasis on career growth and fos- and some new, and making it work the sheer volume of sensitive data that critical. You can't separate the tering people to develop and stay for where our customers are going. three; they’re integral to any suc- within the organisation. By treat- We have some of the best, innovative cessful deployment. ing them as a long-term asset, they technology in the marketplace, span- can keep growth going as far as ning not just security, but many other What’s your advice for building addressing security and risk, and parts of the enterprise.” a culture where technology, the things around culture that can people and process interlink be really impacted. Having said this, most effectively? I don't know if it's ever possible for For further information please visit The diﬀ erence between You need to have a certain level of a company to be so risk focused www.microfocus.com/srgtimes transparency as to what's going on that everybody watches everything an attack on a single within the business. When you're they access and share, so technol- Or alternatively, email Nick Nikols at organisation and dealing with technology, or even ogy plays a big part too. You can [email protected] when you're dealing with processes, look at privileges and monitor or Travis Grandpre at an attack on critical that visibility into the current state access, keeping a much more gran- [email protected] national infrastructure of play elevates the understand- ular look and avoiding a situation ing of the overall risks. Having the where no one really understands is there could be a right kind of analytics facilitates what’s going on. real-world eﬀ ect across an entire country 2 CYBER SECURITY RACONTEUR.NET 7

silos that ignore the bigger picture and the need to be holistic where prevention is con- HOW CONFIDENT COMPANIES ARE IN cerned,” says Helen Davenport, director SECURING EMERGING TECHNOLOGY and cybersecurity expert at Gowling WLG. Percentage of leaders who said the following Understanding risk is a key part of are critical to at least some of their business, building resilience. Indeed, GDPR calls and the percentage who said they had RishabhVarshney/Unsplash for firms to think about how they pro- suffi cient digital trust controls in place* tect sensitive information. The regulation also encourages businesses to consider Critical the risk added by third-party contractors, Digital trust which might not be secure and could lead to a breach of a company’s data. Internet In some cases, an organisation’s pro- 81% 39% of things cess for procuring services will need to be rewritten, says Mr Elmellas. “Cybersecu- rity needs to be written into your procure- ment, even as part of the vetting process.” There is no doubt that cyberattacks Artifi cial will continue to hit business, but tech- 70% 31% intelligence nology can help to detect threats. For example, many firms are already using techniques that take advantage of artificial intelligence and machine-learn- Robotic/ ing. Tools based on these technologies intelligent 69% 33% can monitor employees’ behavioural pat- process terns and pick up abnormalities, such as automation a change in the time they log into systems, to alert firms that they may be Robotics under attack. (physical 67% 26% And, of course, employees are an inte- machines) gral part of a cyber resilient-by-design CYBER-STRATEGY business. “The foundation of a security culture must be rooted in a sense of shared responsibility,” says Cath Gould- 3D printing 65% 31% ing, head of cybersecurity at Nominet. “This means every person within the business, from the front desk, to customer Building a cyber-resilient service reps, all the way up to the board, must play their part. CEOs who feel secu- Virtual reality 63% 27% rity policies don’t apply to them are mis- taken; if anything, they are far more likely business from the ground up to be targeted due to their profile and stat- ure within the business.” As the number of cyberattacks surge, ﬁ rms must ensure Nick Taylor, UK and Ireland security Augmented 63% 28% lead at Accenture, says “brilliant basics”, reality they have a resilient-by-design business model including training employees to spot and report suspicious activity, are the foundation of resilience. Dr Bell agrees. “We often hear they are Edge 63% 28% At a time when business competition technology offi cer at Auriga Consulting. the weakest link, but the users of the infor- computing Kate O’Flaherty is fi erce and the European Union General “Firms need to know which of their appli- mation system are the fi rst line of defence,” Data Protection Regulation (GDPR) man- cations is most important to the day-to- she says. “They need to be aware of proce- here is a well-known saying in dates that fi rms report breaches of per- day running of the company, and ensure dures and processes, and what part they cybersecurity: it’s not a matter of sonal data, customer trust now depends on this is resilient and can get back up and play. The system will be vulnerable and T Quantum 62% 29% if you are attacked, but when. And a business’ ability to prove it is secure. This running should an incident happen.” threat actors will try to manipulate employ- computing a growing number of big firms are starting is putting a focus on resilience, a fi rm’s 87% At the same time, it’s important that ees, so give them coping mechanisms.” to discover how true this is. The last year capacity to protect itself from breaches, of organisations infrastructure is robust, says Dr San- has seen successful cyberassaults hit the and respond quickly and appropriately do not yet have dra Bell, head of resilience consulting at likes of British Airways, Marriott Hotel when an attack does inevitably happen. suffi cient budget to Sungard AS. “The more robust your IT is, Group and Facebook. Yet cyber-resilience is not as straight- provide the levels of the more options an organisation has,” Blockchain 61% 25% As the frequency of attacks surges, forward as it seems. In the past, security cybersecurity and she says. cybersecurity is increasingly being was based on building a better “wall” resilience they want When protecting infrastructure, perim- viewed as a business problem. This is around business data. But this approach eter walls should be strong enough to further fuelled by the growing cost of no longer works in today’s perimeter-free make it difficult for attackers to get in. Every person within Drones 55% 22% breaches. According to Accenture, com- world of multiple devices and cloud, says “But if they do breach the perimeter, net- panies globally could incur £4.1 trillion Chris Moses, senior operations manager work segmentation will help to prevent an the business, from the in additional costs and lost revenue over at Blackstone Consultancy. say that IT security attacker from accessing business data,” front desk, to customer the next five years due to cyberattacks, as Instead, a multi-faceted strategy can fully inﬂ uences says Elliot Rose, head of cybersecurity at dependency on complex internet-enabled help create a resilient-by-design company. business strategy plans PA Consulting. service reps, all the way *Digital trust is defi ned as the level of 18% on a regular basis confi dence in people, processes, and business models outpaces the ability to First, an organisation needs to understand Firms also need to ensure their data up to the board, must technology to build a secure digital world introduce adequate safeguards to protect fully its business model including its most storage methods meet legal requirements. critical assets. valuable assets, says Jamal Elmellas, chief EY 2018 “It is all too easy to get caught up in digital play their part PwC 2018

OPINION Commercial feature

for some countries and Brexit has created a more siloed world, which doesn't help Re-establishing anybody apart from the cybercriminals because the digital age does not work in ‘Traditional corporate silos, it’s joined up, connected and doesn't trust in an ultra- have borders. “Cyberthreats don't see, let alone governance principles on their connected world respect, boundaries that nations put up and to counter that from a security perspective we need to be able to operate without bor- own are inadequate in the face As cyberthreats continue to ders too. Competition powers innovation and evidence shows that most companies evolve at pace and nation state benefit significantly when there are others protectionism risks giving around them doing the same thing, only of digital transformation’ better. In cybersecurity, this translates into an advantage to hackers, better protection for everybody involved.” Kaspersky Lab is pioneering Kaspersky Lab is leading the cybersecu- a new set of standards and rity industry’s charge to counter internet Balkanisation, and re-establish trust and he business environ- The report underlines that good viduals that acquire the necessary principles that champion co-operation between nation states, busi- T ment can be exciting and governance becomes even more expertise, collaborate and embrace trust, transparency nesses and citizens. Its Global Transparency unpredictable in equal important in the cyberage. But it change. They will understand that Initiative (GTI), launched in October 2017, is a measure. Opportunities for inno- goes further than that: traditional positive risk management can and co-operation unique programme that has seen the company vators who fi nd openings that oth- corporate governance principles make enterprises sustainable in in the fight against open itself up to third-party audit and review ers fail to spot are unprecedented. on their own are inadequate in the these unpredictable times. in unprecedented ways, pioneering a new set At the same time, they face and face of digital transformation. In It is important to stress that criminals of standards for organisations to abide by. cause risks that we did not even simple terms, there are a whole lot good risk management is much Last year, Kaspersky Lab began redesign- know about a few years ago; change of emerging risks out there that more than a theoretical concept. ing its infrastructure and moving elements can happen at break-neck speed. could flatten a company unless Another CASS report, Roads to of its data processing to Switzerland, a How we respond can be the diff er- they are identified, understood Ruin, commissioned by Airmic nation known for its political independence ence between sustainable success and overseen. in 2011, featured 18 case stud- and strong data security and management. and failure. It has always been the case that ies of corporate catastrophes. It It welcomes audits of its engineering prac- Against this background Air- firms must reconsider their pur- found that all could have been he cyberthreat landscape has tice there and is planning to open three fur- mic, which represents those who pose from time to time to stay avoided had the board been better T evolved at a rapid pace over the last ther transparency centres globally, where work in risk, commissioned a successful. After all, the Shell informed and more responsive. decade as the digitisation of busi- its partners and customers can access its report from CASS Business School oil company famously started Many board members do not ness and society has created a myriad of new documentation and source code, which to examine the impact that the out life, as the name suggests, understand what positive risk opportunities for hackers. The rise of online Cyberthreats don't see will also be verified and audited by a leading so-called fourth industrial rev- importing and selling shells. The management can do for their shopping, artificial intelligence and the boundaries that nations put management consulting firm this year. olution can be expected to have difference now is that things hap- businesses, while many risk internet of things may have provided enor- Kaspersky Lab now encourages other ven- on the resilience of companies. pen so fast that companies need managers do not understand mous value, but they’ve also made security up and to counter that from dors to follow suit. Becoming so transparent Although Roads to Revolution is to reinvent themselves almost all and align to the business driv- far more complicated and challenging. a security perspective we is not risk free for a cybersecurity firm, Mr fundamentally positive, it warns the time; to be alert, inquisitive, ers sufficiently to wield strategic As one of the leading and oldest play- Winton concedes. Exposing the company’s that organisations cannot con- open to change and agile. influence within their organi- ers in the cybersecurity market, Kaspersky need to be able to operate code, even in such a highly controlled envi- tinue to manage risk as they Cyber-related technology is, of sations. Changing this culture Lab has ridden these waves for more than without borders too ronment, can open it up for attack. However, have in the past and expect to course, at the heart of develop- and putting risk at the heart of 20 years, and now tracks over 360,000 Kaspersky Lab believes this is a risk worth remain successful. ments. It no longer merely helps corporate thinking is a top pri- new malicious files every day in its mis- taking to fly the flag for trust in the digital This is an age when a teenage us to carry out existing processes ority with cyber at the centre of sion to help organisations and consumers world and to put customers at ease. hacker working out of his bed- more efficiently. Digital transfor- the discussion. protect their data and devices. Its Global “We're evolving our strategy into one room can potentially cause as mation of business models is now Research and Analysis Team (GReAT), made One of the biggest emerging threats is that strives for complete immunity,” says Mr much economic damage as a trop- core to how we add value, how up of an elite group of security experts, the Balkanisation of the internet by nation Winton. “In doing so, we think we're taking ical storm, when a systems failure we reinvent our purpose, organ- has discovered and thwarted a long line of states, driven by a geopolitical climate another step closer to saving the world. This or social media event that hits the ise our enterprises, our networks, threats, including the likes of ProjectSauron, increasingly defined by protectionism. In is an ambitious claim, but we fundamentally unprepared business can leave supply chains, the products ShadowPad and 2017’s notorious Android their attempts to obstruct cyber-espionage believe the work we're doing, the products we a reputation in tatters. We must and services we offer, and how spyware Skygofree. and apply digital borders, governments are offer and the movement of our business from understand and deal with this we relate to our customers and “The reality today is not if businesses enforcing embargoes that ban or restrict a product set to a service solution, under- kind of challenge. other stakeholders. are going to be attacked, but when,” says trade with suppliers from certain countries. pinned with the transparency we're offering, “Board members need to under- I have no doubt that an increas- Andrew Winton, vice president of global In the long term, this could result in more puts us in a really strong place to help protect stand that traditional resilience ingly cyber-dominated business marketing at Kaspersky Lab, which counts damage to national security, not less. consumers and businesses around the world.” measures alone are insufficient environment will continue to make more than 400 million users on its network “If people weren't hearing from foreign in the digital age,” our report the world more interesting and across five continents. “We're constantly cybersecurity firms as much as they do, and For more information please visit says. Regular reviews of stake- more prosperous. We need not fear in a cat-and-mouse game to stay one step governments keep blocking such compa- kaspersky.com/transparency holder purpose and continu- innovations such as artifi cial intel- ahead of cybercriminals. Given that an nies, we’re actually likely to see more secu- ous business model reinven- ligence, blockchain and quantum average breach costs a large enterprise up rity problems for businesses and citizens,” tion are necessary for the future computing. But there will be losers John Ludlow to £1 million, it can have a significant impact says Mr Winton. “The global political land- success and sustainability as well as winners. The winners will Chief executive on businesses.” scape that has led to successful campaigns of organisations. be those organisations and indi- Airmic 8 CYBERSECURITY

Silk Road website, which ran on online black market in illicit drugs. The dark web thrives as a treasure trove of automated software applications which can be used to troll and attack vulnerable accounts automatically. “A cybercriminal can simply purchase any number of password-cracking programs and can rent or purchase exploit kits which contain many attack tools,” says Corey Milligan, one of the US Army’s first cyber operations technicians and now a senior threat intelligence analyst at Armor Defense, a cloud security firm in Texas. “The kits are designed to make it quite trivial for an average computer user to successfully attack various vulnerabilities and then distribute malware or potentially wipe a victim’s hard drive.” Cybercrime in the dark web is thriving, especially as people can be hired through third parties to conduct attacks. “The greatest impact they can have is when they are hired to do something for somebody else,” adds Mr Milligan. In effect, a whole new underground industry has emerged, dubbed “malware as a service”. And as the IoT expands, so too will opportunities for commercial and criminal growth. According to Intel, we are moving from a world of two billion smart, wirelessly connected objects in 2006, to a world of 200 billion by 2020. By 2021, half a billion of these will be wearable devices. Dr Janusz Bryzek, a Silicon Valley guru who pioneered sensor technology, predicts that within 20 years there will be 45 trillion networked sensors, devices which detect and respond to physical environmental CYBERCRIME cyberspace, there could be a wealth of oppor- This sort of activity has been facilitated by changes such as light, heat, sound, moisture tunities for criminals,” warns an October the dark web, a hidden part of the internet and pressure. 2018 report from the UK Ministry of Defence where criminals can act undetected, using Already, attacks on connected devices, Global Strategic Trends programme. With complex encryption and anonymisation tools. including routers, cameras, thermostats, relatively low startup costs and potentially The dark web first hit the headlines in electronic appliances and alarm clocks, are Trillion-dollar industry huge profits, organised cybercrime has an 2013 when the FBI shut down the notorious among the top cybercrime targets. But com- obvious business appeal, the report says, panies are not doing enough to protect these especially for “people in countries with lim- devices, preferring to get them on the market ited economic opportunities”. ANNUAL REVENUES OF CYBERCRIME without delay. Most cyberattacks in the European “The risk is global. Regardless of the size hidden in the dark web Conservative estimates, based on data drawn Union, for instance, actually come from of your business, or what sector you’re in, from five of the highest profile and lucrative outside the region. if you’re connected to the internet, you’re varieties of revenue-generating cybercrimes The low startup costs Nafeez Ahmed ensuring their companies are protected. And like any other business, cybercrimi- at risk, as anyone can find you and any And it’s not just businesses. Government fig- nals are rapidly investing in innovations and of the assets you have connected,” says and huge profits he internet of things (IoT) has been ures reveal that UK residents are more likely new techniques to improve their productiv- $860bn $3bn $160bn Mr Milligan. hailed as ushering in a technologi- to be a victim of cybercrime or fraud than ity. A report by the Tel Aviv-based global IT Illicit, illegal Crimeware and Data trading, Most businesses remain dramatically associated with T online markets ransomware such as stolen cal revolution that will transform any other offence. security firm Check Point Software Technol- financial behind the curve on safeguarding against cybercrime have our lives for the better. With every conceiv- While the costs to legitimate businesses ogies highlights how cybercrime methods information these heightened risks. In 2018, the Ipsos able tool and device we use seamlessly inter- and consumers escalate, so do profits for have become “democratised” and available MORI Cyber Security Breaches Survey found resulted in a thriving connected through the cloud, everything we cybercriminals. A 2018 University of Surrey to anyone willing to pay for them. that four in ten businesses and a fifth of do from work to leisure will be increasingly study conservatively estimates that cyber- “Cybercriminals are successfully explor- charities had experienced a cyberattack. industry, and no automated, efficient and easily configurable crime carried out on well-known platforms ing stealthy new approaches and business The findings led King’s College London’s in ways that were previously unimaginable. such as Amazon, Facebook and Instagram models, such as malware affiliate programs, Cyber Security Research Group this January companies – regardless But even before the IoT revolution has fully rakes in a cool $1.5 trillion, equivalent to the to maximise their illegal revenues while to call on the UK government to name and of sector or size – are arrived, associated costs are rising exponen- GDP of Russia. reducing their risk of detection,” says Peter $1.5trn shame companies whose cybersecurity meas- tially. A new Accenture report estimates that This is not even particularly sophis- Alexander at Check Point. Total cost ures fail to protect the data of consumers. safe from its reach businesses could incur up to $5.2 trillion over ticated cybercrime. According to study Maya Horowitz, Check Point’s director Complacency is not an option. In a taste the next five years in additional costs and author criminologist Dr Michael McGuire, of threat intelligence and research, paints of things to come, one of the largest electric lost revenue due to cybercrime “as depend- these platforms are being used to evade tax, a picture of an increasingly corporatised power companies in America, Duke Energy, ency on complex internet-enabled business move money, trade illicit drugs and sell fake approach to cybercrime. Attacks involve was hit with a $10-million regulatory fine in models outpaces the ability to introduce ade- goods. As technology advances, the oppor- organised teams of programmers, corpo- $500bn early-February for 130 violations of physical quate safeguards that protect critical assets”. tunities for such crime will transform. rate insiders, IT technicians and phishing Trade secrets, and cybersecurity standards. If companies According to the report, some 80 per cent “In a world where almost every instruction, experts. These teams even issue job ads for IP theft fail to act now, governments will have little of business leaders admit having a hard time process, transaction and secret is located in new roles for the next hack. Bromium 2018 choice but to make them pay later. RACONTEUR.NET 92 Commercial feature

COMPANY VALUE

“To aid the SRT member in discover- ing these vulnerabilities, Synack created Let the Red Team Hydra, a tool for categorising a company’s digital assets. In my experience, Hydra Five ways cyberattacks massively decreases the amount of time protect you from required during the recon phase of working on a new engagement, allowing myself and other SRT members to begin locating can hit company value vulnerabilities faster and more efficiently.” black hat hackers Ms MacRunnels continues: “Synack delivers integrated, continuous pro- The potential impact of cyberattacks on company value The days of static, reactive approaches tection for organisations by seamlessly deploying their crowd with this AI-enabled continues to be misunderstood by many business leaders and to cybersecurity are over technology that tracks all hacking activ- fi nance professionals. So while fi nancial audits are regulated, ity for auditability and metrics, and even alerts the Synack Red Team of potential why is cyber-risk still largely ignored and underplayed? usinesses are becoming increas- vulnerabilities to make them more effi- B ingly digital and agile to deliver SYNACK PROFILE cient. Such diversity and scalability can products and services easily only be realised via this optimal com- and conveniently to their consumers. choice of G2000 bination of human and machine intelli- Tim Cooper However, these benefits come with a and security gence that drives Synack’s comprehensive caveat. A recent study by IDG revealed #1 companies crowdsourcing model.” that 78 per cent of consumers would stop Synack’s platform produces valuable engaging with a brand online if the brand hacker-powered data and metrics that are According to the Ponemon Institute, experienced a data breach. Up to increase accessible through the customer portal. in Synack Business interruption disruptions that can aff ect corporate value Protecting the brand and business customers ARS “Our portal delivers powerful insight and include system downtime, increased com- in a digital world threatened by damag- 200% over two years intelligence to the customer. We can Serious business interruption after a munication including help desk activities, ing cyberattacks is just as important as speed up or slow down this delivery of breach has one of the largest eff ects on the issuing new accounts, legal expenditure running that business in the first place. information to align with the customer’s value of companies because of its impact and identity protection. Cybersecurity has become an endeavour internal resource capabilities,” says Ms Synack protects: on cash fl ow, according to David Chinn, Globally, companies that contained Images Barraud/Getty Martin of building consumer trust. MacRunnels. senior partner at McKinsey. a breach in less than 30 days saved more Leading crowdsourced security-testing of top credit card “We’re not an outsourced function or “Attackers are becoming more aggres- than $1 million compared with those tak- platform Synack has pioneered a model companies an afterthought brought in every now sive,” he says. “Previously, they aimed to ing longer. However, containment is tak- that combines the best of artificial intelli- 75% and then to monitor their security. We steal data. Now more interruption can ing longer due to the increasing severity of gence (AI) and human intelligence to beat are entirely integrated into how these come from ransomware or collateral dam- attacks, says Ponemon. hackers at their own game and deliver not of top global companies develop secure product, age from nation state attacks. For example, Caleb Barlow, vice president of threat just security, but trust to their customers. 25% banks created with flexibility to fit each cus- to cover their tracks, attackers are willing intelligence at IBM Security, says trans- Synack was founded in 2013 when tomer’s needs, with complete trans- to damage companies’ residual networks. port giant Maersk’s response to the Not- former US National Security Agency in digital parency in terms of knowledge-sharing “In most cases, company share prices Petya attacks of 2017 was a great exam- employees Jay Kaplan and Mark Kuhr rec- payments and education.” revenue bounce back from business interruption. ple of how to react. “They updated their ognised cyberattacks were evolving far $110bn The data and metrics play a huge role in However, the stock market is particu- website, telling people what was happen- more rapidly than organisations’ defences security that is practical and results-fo- larly sensitive to the competence of the ing and restarted business operations in could handle. The pair launched the cused. Not only does the Synack Red Team response. For example, being unclear, say- fewer than ten days, from scratch in some industry’s first solution to crowdsource explains Synack’s chief marketing officer uncover vulnerabilities and help custom- ing something that proved to be wrong, areas,” he says. “Few companies could do hackers safely and effectively for vulner- Aisling Scallan MacRunnels. ers fix them, but customers are getting a call centres that people can't get through that. We spend a lot of time training com- ability intelligence. “When we recruit and assess ethical real-time score that tells them how resist- to, websites that don't work; these can all panies to make faster decisions in this Six years later, the Silicon Valley-based hackers, we have the most stringent vet- ant they are to attacks and how that score be damaging.” kind of scenario.” pioneers have an expansive network of ting model of any security company out changes over time. Experience has proven 1 ethical hackers, the Synack Red Team there. It’s not static either. It’s a continu- that Synack customers increase their (SRT), in more than 60 strategic locations ous process to ensure we always have the attacker resistance scores up to 200 per around the world with the task of remain- best and most trustworthy researchers in cent when they utilise Synack’s crowd- ing a step ahead of their criminal counter- the world.” sourced security platform consistently Regulatory ﬁ nes parts, 24/7, 365 days of the year. These researchers, or ethical hack- over the course of two years. “By deploying a team of extensively ers, are at the heart of the crowdsourc- “We have swung the pendulum from Fines by regulators over data breaches vetted and superiorly skilled ethical hacking business model first put forward by traditional human-based models to an

do not always aff ect a company’s share rawpixel/Unsplash ers within the confines of an agile, continu- Synack in 2013. But the technology behind intelligent, diverse and flexible model, price at the time they are issued. By that ous model, it gives our customers the abil- the crowd of hackers is just as important which ensures trust between researches

SFIO CRACHO/Shutterstock SFIO time, the damage has often been done ity to launch and sustain their own trusted to ensure around-the-clock capabili- and customers, trust between security and the markets have factored in the applications and digital infrastructures,” ties to stay on top of the most pertinent and DevOps teams, trust between DevOps impact already. threats that organisations face. teams and C-Level executives, and trust However, they can have an impact if According to Callum Carney, one of with their own end-customers,” Ms the market is not expecting them or per- Synack’s British Red Team hackers: “Every MacRunnels concludes. “All of that comes haps not expecting such severity. For day, SRT members like myself work to pro- from trust delivered by Synack.” example, when the Information Com- tect a wide variety of Synack customers. missioner fi ned telecommunications Even though each customer has their own For further information please visit company TalkTalk a record £400,000 in unique application stack, there will always www.synack.com relation to a data breach, its share price, Cybersecurity has be some SRT members on hand with the which had already plummeted after become an endeavour of expertise and knowledge to find the crit- the attack, continued to fall after the ical vulnerabilities that customers are announcement of the fi ne. The compa- building consumer trust looking for. ny’s stock price has yet to recover. The eff ect of regulation on corporate values could be set to rise dramatically 2 now that the European Union’s Gen- was fi ned under more lenient rules before eral Data Protection Regulation (GDPR), GDPR came in. which allows for much higher fi nes, has IBM Security’s Mr Barlow says that, come into eff ect. For example, millions apart from the size of the new GDPR lim- of Facebook user accounts were exposed its, the biggest issue with fi nes is that reg- by a security breach in September 2018. ulation can be quirky and misunderstood Under GDPR, the company could be by many companies. “For example, they fi ned up to 4 per cent of its global annual don’t realise that the biggest regulatory revenue, which would be £1.3 billion. impact is the speed of decision-making 3 Some experts have commented that and process in responding to the breach,” TalkTalk was lucky in the sense that it he says. Customer data Loss of customer data is often a critical RISK factor aff ecting share price after a data breach. For example, when credit infor- Mr Barlow at IBM Security says: “If mation company Equifax lost more than another country steals your IP, it has gone a third of its value after reporting a data forever, you can’t get it back and they will ERADICATOR breach in 2017, it was largely due to hack- use it against you. So it is important to ers stealing personal customer infor- try and fi nd out exactly what you have

mation. This included addresses and Varzar/Unsplash Raul lost, who took the data and some idea of social security, driver’s licence and credit their motivation.” card numbers. Mr Chinn of McKinsey says one way to According to a study by the Pon- guard against this is to ringfence the com- emon Institute, the average cost per lost pany’s most valuable information. “If you or stolen record in a breach is $148 and can’t keep attackers out completely, iden- the more records the company loses, tify and protect the things that can impact the higher the cost. most on corporate value,” he says. “People Ponemon says incident teams and bet- are shifting from protecting the perimeter ter security such as encryption help miti- to diff erentiated protection according to gate these costs. It says organisations that the value of the asset.” fall victim to data breaches on average see Such information could take many their share price fall 5 per cent immediately forms. “For example, in a pharmaceu- after the disclosure of a breach. Falls range tical company, clinical trial records are from 3 per cent for companies with good 4 extremely valuable IP as they aff ect share security to 7 per cent for companies with price,” says Mr Chinn. “In a manufactur- poor. Longer term, damage to corporate Intellectual property ing company, the systems that operate the value can be even more, says Ponemon. factories are critical to corporate value. If But having an incident response team As hackers become more sophisticated, you are in the middle of a big merger, the saves $14 per record and the extensive there is greater risk of them obtaining details of what you are willing to pay or use of encryption reduces cost by $13 sensitive commercial information such the negotiation strategy are also incredi- per record. as intellectual property (IP) and using it. bly valuable.”

panies have been much quicker to report cyberattacks; however, there is a balance Reputation and trust if they are trying to get the attacker out without them knowing and don't want to YOU are ready for anything. You’re poised WE are Sungard Availability Services. More organisations worldwide lost cus- publicise the fact.” to anticipate risk, mitigate the impact and We help transform IT and deliver resilient, tomers last year after data breaches, Peter Lefkowitz, chief digital risk according to the Ponemon Institute. This officer at Citrix Systems, says media cov- capitalise on the outcomes. You’re revamping recoverable production environments— Bernard Hermant/UnsplashBernard could be due to increased awareness of erage has a major impact on share price. production and recovery processes to keep IT protecting risk eradicators from the perils breaches and expectations of what a com- “The breaches that make front page news pany should do after one. According to a suffer the worst,” he says. “Those cases systems in sync and cyberthreats at bay. of IT disruption every day. recent IBM Harris survey, 75 per cent of usually involve something new and dif- But the risk and complexity of IT transition Lead with resilience at www.sungardas.co.uk, consumers said they would not buy from ferent or people hiding things. Often they can run companies ragged. a company, no matter how good it was, if have lots of problems happening at once, or call 0800 143 413. it was not protecting their data. or the attack is by a nation state, or we In the United States, losing custom- learn more about [their governance] from ers after a breach cost companies $4.2 the company’s poor response.” million on average, Ponemon says. Ponemon says organisations can Meanwhile 71 per cent of chief market- reduce these losses if they have a leader, ing officers believe the biggest cost of a such as a chief information security security incident is loss of brand value. officer, directing initiatives to improve McKinsey’s Mr Chinn says: “When customer trust in their guarding of per- TM customer data is stolen, lost trust in sonal information. Off ering victims iden- Transforming IT for resilient business management can impact corporate tity protection in the aftermath of a 5 value and turnover significantly. Com- breach also helps. 10 CYBERSECURITY

HACKERS

ive years ago everyone knew F about the much-lamented pau- Should you employ a city of skilled cybersecurity professionals. That lack of talent is no longer a problem, though, and there still Talent and skills is no need to employ ex-black hat hackers are hard to ﬁ nd, but former black hat hacker? as penetration testers. So says Ian Glover, president of Crest, the international not- employing an ex-black In hacking, as in life, it is not just good and bad, black and white: there is a grey for-profit accreditation and certification hat requires a level of body that represents and supports the area. Converted black hat hackers have amassed the experience needed to test technical information security market. trust that cannot aﬀ ord “The UK cybersecurity services mar- to be abused cybersecurity systems properly and many organisations are providing them ket is one of the most mature in the world,” he says. “We have benefited with a clean slate to bolster defences. However, recent evidence indicates that from the development of a higher education system that generates signifi- more white hat hackers are being tempted to commit cybercrime. So although cant numbers of cybersecurity profes- ing damage to company productivity, ex-criminals looking to redeem their past sins are likely to have the nous and sionals, a mature training market that revenue, intellectual property and rep- allows people to cross-train into the utation,” says Marcin Kleczynski, chief skill to protect a company, can they be trusted? Ultimately, is it worth the risk? industry and well-structured career executive and founder of anti-malware pathways to promote professional prac- software organisation Malwarebytes. tices, underpinned by codes of con- “We must up-level the need for Oliver Pickup duct and ethics that proper security financing to the exec- are both meaningful utive and board level. This also means and enforceable. updating endpoint security solutions, “Therefore, the and hiring and rewarding the best and avid Warburton, senior threat nology and vulnerabilities constantly need to look at using brightest security professionals who D evangelist at application ser- evolving, it is a never-ending mission with cybercriminals manage endpoint protection, detec- vices organisation F5 Networks, no tangible fi nish line. Cybercriminals, to support the tion and remediation solutions.” believes the knowledge amassed by cyber- by contrast, only need to fi nd one area of criminals is invaluable for businesses try- weakness to get in and claim victory.” In our system of law, ing to shore up their defences. “When we Ben Sadeghipour, hacker operations we must believe in employ contractors to work on our homes, lead at HackerOne, a growing plat- we tend to look for someone with strong form that is accessed by approximately rehabilitation and be hands-on experience,” he says. “So while it 300,000 white hat hackers, looking to open to it, otherwise may sound counter-intuitive to make use gain bug bounties, agrees. “It can be of ex-criminals to help plan and test our hard to work with ex-cybercriminals it just doesn't work cyberdefences, the one thing they have in because of the ‘baggage’ they come with,” abundance is hands-on experience. he says, adding that it is still worth it. “Security architects have a wealth of “The best part about working with hack- knowledge on industry best practice, but ers with a cybercriminal background is continues: “The programme introduces what is often lacking is fi rst-hand experi- that, in some cases, possibly most, they the Computer Misuse Act 1990, and com- ence of how attackers perform reconnais- understand how to demonstrate a real- bines technical exercises with industry sance, chain together multiple attacks and world scenario in which a malicious insights and careers advice.” gain access to corporate networks. Appli- actor could abuse a certain vulnerability Furthermore, redemption should be cation defenders need to consider every or functionality.” encouraged, says Sam Curry, chief secu- single possible angle of attack. With tech- Luke Vile, cybersecurity expert at PA rity offi cer at Cybereason. “For years, I industry is not appropriate and is not For Consulting, continues this theme. “Many believed that those who had transgressed necessary. This practice of using ex-of- However, given that Malwarebytes’ large organisations understand there should not be rewarded or hired at all,” he fenders is not used in other professions, recent research indicates cybersecurity is sometimes a great deal of value in says. “They couldn’t be trusted and, most so if we want and need the industry to be professionals in the UK admit to partic- understanding how cybercriminals importantly, their former dark work was viewed as a profession, this should not ipating in criminal activity almost twice think and operate in the real world,” too often being glorifi ed or used for gain by be encouraged.” as much as the global average, engaging he says. “Plus, there is a huge diff er- hirers. However, I have changed my mind Lisa Forte, formerly of Red Goat Cyber canny, ex-convicts might not be smart. ence between paying individuals in my old age. Security, contends: “The reality is that Indeed, the August 2018 research known to be involved in criminal “I’m glad I did because some of my best very few organisations use ex-black hats identified the emergence of the “grey work and using the specialist skills colleagues now used to be my adversaries, at all. There is a multitude of reasons for hat” hacker, those overlapping the of people who have actively cho- and I apologise to those I didn’t try harder this. Firstly, a common concern is that realms of the good (white hat) and bad sen to use their talents for the good to help 20 years ago and blocked from if it all goes wrong and they decide to (black hat) hackers. The key findings of security.” hiring in my companies because of their attack you, it would be a PR disaster for include one in thirteen security pro- Steps to ward off would-be black hat black hat, for-profi t endeavours. Over the the company. fessionals in the UK owned up to grey hackers from the dark side are being taken. last 30 years, many famous, infamous and “Secondly, the skillsets required don’t hat activity, compared with one in Mr Vile’s employers, in collaboration with not-so-well-known black hat hackers have quite match up. A lot of the black hats twenty two globally, and 46 per cent of the National Crime Agency and Cyber shown genuine remorse and contributed I’ve encountered seem to work almost respondents said it is straightforward Security Challenge UK, recently ran an to the public good. entirely as lone wolves. Working for the to commit cybercrime without being Intervention Day workshop that showed “Every hacker is a unique case and gen- cybersecurity team of a big company caught. Moreover, the main driver for young IT enthusiasts the rewards of using eralisation is dangerous. What matters requires a high degree of teamwork and black hat transgression is the opportu- their cyber-skills ethically and legally. He most, though, is that people with skills to collaboration.” nity to earn more money than security harm learn the moral and ethical lessons Steven Furnell, senior member of the professionals, according to 54 per cent of their errant ways and work towards the Institute of Electrical and Electronics of those surveyed. public good. Given time, many reform and Engineers and professor of security at Warren Mercer, technical lead at utilising their skills is a tremendous bene- the University of Plymouth, has a simi- threat intelligence group Cisco Talos, fi t to the industry.” lar view. “Being an ex-criminal is not a says: “It’s a tricky situation. Ex-black If ex-black hats are employed, direct indication of capability; it simply hats are likely to have unique insights more-than-adequate checks have to be in means that they were breaking the law and skills which can help identify and place, at least to begin with, urges Naaman and were caught doing so,” he says. fix specific vulnerabilities, but these Hart, cloud services security architect at “While the idea of poacher turned people are criminals. Digital Guardian. “Initially, I can under- gamekeeper has some credibility if you “The industry has typically relied stand the need for some controls, but there are looking for someone to think like on individuals having a certain level should be an obvious expectation on both an attacker, it doesn’t necessarily mean of integrity, especially given that they sides that trust is being built up with reg- they have the knowledge or skills to could be granted access to a myriad of ular opportunities to prove that trust,” introduce the necessary protection.” information, whether that’s bank details, he says. “Lasting stigma over being an Besides, in this digital age when healthcare details, important conver- ex-criminal is proven to be more likely to attack vectors are multiplying, if you sations with loved ones or private pic- lead to reoff ending as a form of spite. In are encouraged not to trust anyone tures. Talent and skills are hard to find, our system of law, we must believe in reha- in your organisation, why take a risk but employing an ex-black hat requires bilitation and be open to it, otherwise it on ex-criminals? “We are seeing more a level of trust that cannot afford to just doesn't work.” instances of the malicious insider caus- be abused.” 6 CYBERSECURITY RACONTEUR.NET 11 Commercial feature

C-SUITE Poor communication INTELLIGENCE-DRIVEN SECURITY SECURITY LEADERSHIP THREAT ANALYSIS remains the weak 32% 10X more efficient faster security teams identification link in cybersecurity of threats Language is key to INCIDENT SECURITY successful collaboration RESPONSE OPERATIONS between the chief information security 63% 50% officer (CISO) and faster resolution more alerts of security reviewed other executives threats VULNERABILITY MANAGEMENT

reduction in 86% unplanned downtime

Davey Winder

apgemini’s The Modern Con- C nected CISO report revealed 60 Recording data per cent of organisations have their CISO at key board meetings, but only half of business executives think the role has a high level of influence on manage- for cyberdefence ment decisions. This could be because less than a quarter of executives thought By harvesting data from all over the digital landscape, information security was a proactive enabler of digital transformation. But an innovative company is providing firms with the just as easily it could be that C-suite intelligence to counter cybercrime and cybersecurity experts don't talk the same language. Without a more cohesive working relationship between the CISO and chief eliver threat intelligence people put on the web. First, we to bring a numeric value to cer- executive, chief financial officer and D that’s meaningful and acces- developed natural language process- tain risks, that’s what we’re able to chief operating officer, the organisa- sible for all security profes- ing to turn unstructured text into provide customers.” tion will never move at the speed of sionals. Remove the barriers to adop- structured data. Once the structure The introduction of its third-party trust that is required by current agile hxdbzxy/Shutterstock tion. Integrate threat intelligence into was added, we were able to do all risk product further empowers cus- business demands. existing cybersecurity workflows. kinds of analytics on it.” tomers to evaluate and assess pro- "Business leaders often choose to present to the chief executive and board. Cultivate the company’s ecosystem Nine years on and with many suc - posed suppliers or partners prior to PERCEPTIONS OF INFORMATION take risks while cybersecurity teams are "Developing the right communications of partners. cess stories such as its Norwegian connecting digitally with them. Mr SECURITY IN THE BUSINESS trained to mitigate risk, which means pri- flow is the key to ensuring that business These are the tenets Recorded client in tow, Recorded Future con- Truvé emphasises that this extent of orities are at odds,” says Greg Day, chief Survey of global chief information security offi cers leaders appreciate the risks and mitiga- Future holds front and centre as tinues to harvest data from sources risk management can only be achieved security officer, Europe, Middle East and tion strategies,” he says. it stares down the industry’s big- all over the digital landscape, from by operating outside company walls. Africa (EMEA), at Palo Alto Networks. The commonplace situation of the CISO gest challenge: to help organisations RSS (rich site summary) feeds, big

Fixing this disconnect between the CISO % % % % % presenting an annual risk report to the reduce risk in the face of a vastly media, social media and even deeper 11 11 11 and the rest of the C-suite is therefore key 31 board, with everything else across the expanding attack surface. down into the hackers’ playground 34 to building cyber-resilience through an year being made by their boss, usually the On February 6, Recorded Future via forums. Ultimately, the com- informed risk management strategy. chief information officer or finance chief, documented the latest in a long line pany aims to deliver relevant, real- So where are the most common discon- can mean security status reporting often of success stories, having helped time threat intelligence powered by nects to be found? That many CISOs find takes on the bias of whoever that happens a Norwegian company analyse a machine-learning to manage risk and being heard at the top table still a work in to be. cyber-intrusion by a nation-state empower security teams to make fast, At heart, we are a progress, rather than a done deal, is part The CISO undoubtedly needs to be able actor. The issue had resulted from confident decisions. data company that of the problem. to communicate effectively with the sen- a simple mislaid password and the “It’s such a broad spectrum we "CISOs, though growing in prominence, ior leadership team. They need to be able resultant use of a third party to trans- monitor and analyse,” says Mr Truvé, provides intelligence still struggle to wield influence at board to grasp complex issues relating to risk fer private data out of the company. “but over the past couple of years, we level,” says Keiron Shepherd, senior secu- and get these across in a way that secures Recorded Future’s chief technol- have looked to complement this text for our customers’ rity systems engineer at F5 Networks. F5 the buy-in needed. ogy officer and co-founder Staffan data with more technical sources too. security teams to research from last year showed 19 per cent "Yet many CISOs will have had no prior Truvé deduces that this is yet another For example, we are now harvesting all of CISOs reported all data breaches to their leadership experience,” argues Chris example of how an increasingly inter- new registered domains around the make decisions with board of directors, and 46 per cent admit- Underwood, managing director at Adas- connected world is making us more world, as well as other technical infor- information pertinent ted chief executive and board-level com- trum Consulting. “As such, they will have vulnerable and increasingly exposed. mation about how networks are being munications only happen in the event of limited knowledge of how to operate at It’s a notion the company has been used, and even doing our own analy- to their business material data breaches and cyberattacks. executive level and speak ‘executive’ lan- looking to remedy since its inception sis of malware to see what’s hidden "This is a serious strategic disconnect,” guage.” Which brings us to the biggest in 2009. inside them.” says Mr Shepherd. problem for cybersecurity: lack of align- “When the company was founded, I As Recorded Future’s remit has Or how about the responsibility for day- ment with the business. was operating a research institute in expanded, and the general popu- to-day security which, for many busi- "CISOs have traditionally been seen as Sweden, looking into the application lation’s awareness of cyberthreats “We’ve conducted thorough map- nesses, doesn't fall squarely on any one running business prevention units,” says of artificial intelligence techniques has increased, the company’s demo- ping of more than 100,000 compa- person's shoulders? Institute of Information Security Profes- in various sectors,” Mr Truvé recalls. graphic has broadened simultaneously. nies from this external vantage point,” "The narrow gap between the roles of sionals chief executive Amanda Finch, who “I could see how algorithms could “We are very industry agnostic in he says. “Web services, domains, IP chief information officer, chief execu- explains they are often thought of as "proph- help guide us in the future, while the present day, thanks to the breadth address ranges, historical problems tive and CISO shows that no one execu- ets of doom, scaremongers and a drain on my business partner and Recorded of data we collect,” says Mr Truvé. with data leakages; we can collate all tive function is stepping up to the plate,” the business”. Clearly, CISOs must demon- Future chief executive Christopher “It’s a tremendous spread of cus- this data and put a numerical score says Azeem Aleem, vice president of con- strate they are on the same side. “They need Ahlberg was curious about ways we tomers across numerous segments to it, so a human customer can assess sulting at NTT Security. “Given escalating to speak to chief executives and chief fi nan- could use everything that was being of industry ranging from finance, to and evaluate what’s best for their threat levels and increasingly acute regu- cial offi cers in language they understand to published on the internet for more manufacturing, to food and drink, company from a digital perspective latory challenges, there’s an urgent need provide a common understanding of the real meaningful purposes. and even transport. For each we before connecting their systems with for clear reporting lines and a foreground risks that an organisation can face,” Ms “ We brought those ideas together to have essentially geared our machin- another company’s. role for the CISO." Finch concludes. create a business model that revolved ery in recent years towards the “I like to say that we’re trying to Ian Bancroft, general manager, EMEA, Being able to articulate risk in a busi- around harvesting everything that cyberthreat landscape. build ‘cybersecurity centaurs’, to take A blocker of innovation of A blocker hurdle A compliance competitive of A driver advantage or differentiation of enabler An ciencybusiness effi A cost necessary at Secureworks, agrees that all too often it ness context, alongside realistic and cost- “The core technologies are the the term from chess. The best chess takes a breach before the CISO is asked to Capgemini 2019 aware solutions, is central to this rela- same as what we started off with, player over the years hasn’t been a tionship-building exercise. "This is easier but we have diversified in terms of human or a computer, but the com- said than done though,” warns Sam Curry, the sources we collect from and the bination of the two. It’s the same at chief security officer at Cybereason. “It IT WOULD TAKE kinds of events we gear our algorithms Recorded Future, we build machines requires soft skills, patience, gravitas, and towards detecting.” and a portfolio of data that empower sincere enthusiasm and participation in The model in 2019 acknowledges human analysts.” the business." the different disciplines and require- In the future, the business is turn - Which, according to Mr Curry, involves ments facing security teams, and ing its attention from descriptive the use of just six key terms: revenue, Recorded Future helps to amplify the analytics, where aggregated infor- cost, risk (this is the big one), customer impact security teams can have across mation on events that have already satisfaction, employee efficiency and all internal, discrete functionalities. occurred are analysed and doc - company strategy. The company has also greatly umented, to predictive analytics, Simon Roe, product manager at Out- expanded its partner ecosystem, where risk scores won’t only be pro - post24, says: ”Each C-suite member needs 8,774 integrating with vulnerability manage- duced via historic data, but through to have an understanding of the business ment, security operations, incident predicting future trends based on data analysts risks associated with a major breach.” response and SOAR solutions, as well the information being analysed and Whether that’s costs associated with run- as deepening its ties with top global the threats being thwarted. ning a cybersecurity programme, reputa- resellers and managed security ser- Mr Truvé concludes: “We can apply tional impact or financial penalties asso- vice providers. this predictive approach to domains, Towfi qu Photography/Getty Images Photography/Getty qu Towfi ciated with an unreported breach, it's all “We add context that allows secu- IP addresses and even industry sec- part of a security culture. rity professionals to take proactive tors, and from there the obvious Communications a criminal gang gained a foothold Eoin Keary, chief executive of edges- steps, no matter which discipline a step is to move towards automation failure + ignored risk = within the corporate network," Mr can, sums it up: “There should be a con- security professional is working in,” as well, not only predicting risks, $100-million loss Warrington explains. scious effort with one side committing says Mr Truvé. “At heart, we are a data but prescribing a course of action “In-house security had asked the to learning about cybersecurity and the company that provides intelligence for companies to combat these "We undertook a cybersecurity C-suite for funding, but failed to other to make cybersecurity understanda- for our customers’ security teams to foreseen threats. assessment of a fi nancial services impress upon them the signifi cant risk ble to a layperson who has a different area 8-hour make decisions with information per- “In doing so, we’re edging closer to business and it became clear there was it posed, talking in technical terms of expertise." tinent to their business.” shifts, five days a week realising our goal of not just solving a signifi cant risk to that organisation rather than framing it as a business As companies augment their digi- one security problem at a time, but from a specifi c piece of software risk. When the notoriously diffi cult tal capabilities, they are concurrently allowing you to attack many of your essential to the operation of the chief fi nancial offi cer asked why he connecting their own systems to security problems, faster and more business," Vince Warrington, chief needed to spend so much defending numerous others, both internally and confidently, with data that is impact- executive at Protective Intelligence against kids in bedrooms messing externally across the supply chain and ful for your organisation.” recounts. "We submitted a report to about, they couldn’t give a clearly customer base. With every new inter- the client's technical security team defi ned business reason." connection, however, vulnerabilities highlighting the risk to the business." Both business and security team Given escalating threat are exacerbated and Recorded Future When his team was called back in forgot about the vulnerability, and the has looked to reduce the risk associ- For further information please visit following a serious security incident, fi nance chief was pleased he didn’t levels and increasingly ated with this broadened network. www.recordedfuture.com investigations traced it back to that need to spend any money. "Until the acute regulatory “Data is just data until you make vulnerable software. "The suspect day nearly $100 million disappeared 52 weeks it meaningful and actionable to the functionality was still enabled, no from their corporate bank account,” challenges, there’s an participant, and by doing broader to process the same amount monitoring had taken place and Mr Warrington concludes. urgent need for clear and deeper collection of data than of security event data machine anyone else out there, and subse- reporting lines analytics can process each year quently aggregating that information 12 CYBERSECURITY

Partially blurred tweets by Twitter account @_0rbit, which calls itself G0d, that released an ‘advent calendar’ of daily links to personal data and documents of German politicians and public figures in December 2018 Krisztian Bocsi/Bloomberg via Getty Images via Bocsi/Bloomberg Krisztian Rawpixel.com/FreePik/AFP/Getty Images Rawpixel.com/FreePik/AFP/Getty GERMANY

to the UK “creating a joined-up and agile net- to change a login password regularly. Now, work of organisations” which he says “form however, the latest research recommends the a powerful barrier helping the UK to fight exact opposite as the more a person changes What 'G0d' cybercrime on many different levels”. a password, the weaker it becomes. Now “It’s important to understand that cyber- imagine if password protection had been crime can manifest itself in many different somehow enshrined in law. It would be diffi- ways,” says Professor Woodward. “It can cult to amend and easy for hackers to exploit. be state sponsored, perpetrated by sophis- “A much better approach would be to pro- taught us about ticated cybercriminals, or in less serious mote more information-sharing with other cases, it can be carried out by so-called EU states through institutions such as the ‘hacktivists’. Britain was quick to realise European Cybercrime Centre and actively the nuanced nature of the global cyber- champion cyber-awareness best practice.” Germany's threat and, unlike Germany, it created the However, with more household devices National Cyber Security Centre (NCSC). such as toasters and televisions utilising German chancellor “The NCSC, while part of GCHQ [Govern- the internet of things (IoT), both Dr Schulze Angela Merkel’s ment Communications Headquarters], was and Professor Woodward believe protecting personal information established to stymie the threat to British homes from cyberattacks is a challenge that cybersecurity was breached in industry through initiatives like the Cyber few countries are suitably prepared for. So the hack Security Information Sharing Partnership, how would such an attack manifest itself which any business, big or small, can access and what is the worst-case scenario? he’d found his way into people’s private manufacturing sector, which includes to protect themselves from cybercrime. Dr Schulze says: “The big worry for Ger- James Gordon An advent calendar of lives by simply guessing passwords. many small and medium-sized businesses This light-touch approach, which seeks to many and most other states is that a rogue cyberattacks revealing This attack, and another one, in which (SMEs), is exceptionally vulnerable to educate, to influence businesses, rather actor tries to take down a country’s national he cyberattacks began in Ger- servers belonging to the German federal attack by opportunist cybercriminals.” than strong-arming them into complying, gird by hacking into its smart meters and the confidential data of T many last December. At first parliament were broken into four years ago, Curiously, UK SMEs – according to the has been remarkably effective.” other strategic locations.” nobody paid much attention. underlines just how far Germany is behind Federation of Small Businesses there are 5.6 But with cyberattacks carried out by rogue Professor Woodward thinks the IoT opens thousands of German But then the attacks started to become its European neighbours in cybersecurity. million operating at present – seem to be states on the rise, it’s clear that Germany, up a myriad of opportunities for hackers to more frequent and more ambitious. Over But it is not just politicians who have been less vulnerable to cyberattacks than simi- which is ranked below the United States, exploit. “It doesn’t have to be the grid that public figures revealed the following few weeks, personal data affected. A recent report by German digital lar-sized companies in Germany. So why is UK and Australia in The Economist Cyber they try to compromise. Attacks seeking to just how far behind the relating to thousands of Germany’s most industry association Bitkom says cyberat- this? Is it due to better preparedness? Power Index, is playing catch-up. Its politi- penetrate the IoT will be much more subtle influential people was publishedtacks have affected 47 per cent of Germany’s Alan Woodward, a leading academic at cians believe that legislation is the answer than that. In theory, if a nation state intent country is when it comes on social media by a hacker called manufacturing companies. And a study by the Surrey Centre for Cyber Security and an and they are due to bring in new cybersecu- on cyberwarfare were to find a weakness in 'G0d'. Links to confidential information, pho- insurance company Hiscox reveals the high- adviser to Europol, thinks so. He puts it down rity regulation during the first quarter. a smart TV, it could hack into it and create to its cyberdefences tographs and credit-card details were released est cost for a single incident amounted to a Dr Schulze thinks legislation, while not a YouTube video which would then instruct daily in an advent calendar of attacks during whopping €5 million. an absolute panacea, can help Germany Alexa to order goods on Amazon. the festive season. Panic ensued. Was this But why is Europe’s richest nation so combat larger threats from rogue states. “If the hackers could infiltrate enough the work of a rogue nation state? Who would cyber-unaware? Matthias Schulze, at the Ger- But Professor Woodward disagrees. “The households that have both devices, a hit like be next? But most troubling of all was how the man Institute for International and Security theory that passing more stringent legisla- this could severely disrupt a nation’s supply security services seemed powerless to stop it. Affairs, explains: “When it comes to the man- tion somehow makes a country safer, does chain. And given that most countries rely When the authorities finally made an ufacturing sector, Germany is very different not add up in my view. Why? Because cyber- on international supply chains, this could arrest in early-January, fear gave way to to the United States or UK. Its businesses are Businesses are very criminals, whether they’re state sponsored be damaging for a number of states.” embarrassment and later to anger. The very hierarchical and steeped in tradition. hierarchical and steeped or working for themselves, don’t have any But while America and the UK have attack, it turned out, hadn’t been spon- This means many of them have until recently respect for the rule of law. embraced these smart devices, take-up in sored by a rogue state. Instead, the per- been sceptical towards digital innovation. in tradition... many have “Secondly, regulation, no matter how Germany has been slow, says Dr Schulze. petrator was a 20 year old, who had been “It’s also very difficult to integrate cyber- until recently been sceptical robust, is not fluid enough to keep pace with This may be one cyberthreat that Ger- working alone and seemingly from a very security awareness and training in this the digital world. Take password security for mans don’t have to worry about, at least for low skills-base. A determined amateur, rigid structure, and therefore the German towards digital innovation example. Five years ago people were advised now anyway.