Tag Archives: cybersecurity

Get the low-down on nation state threats and government cybersecurity at CLOUDSEC

by Bharat Mistry

The cyber-threat facing firms today has never been more diverse. Organisations once relatively insulated from state-sponsored activity are increasingly drawn into the fight for geopolitical advantage, whether they run critical national infrastructure, hold sensitive data on targeted individuals or merely have the misfortune to get in the way. That makes it more important than ever to ensure you have the awareness and capabilities to manage risk effectively for your organisation.

Trend Micro’s upcoming CLOUDSEC conference is a great opportunity to maximise both. At this year’s show in September, we have just added former White House CIO and cybersecurity expert Theresa Payton to an already impressive roster of speakers.

Caught in the middle
There was a time when nation-state cyber operatives only went after one another. Sadly, despite a 2015 US-China agreement not to conduct cyber-enabled theft of intellectual property for commercial gain, things aren’t working out that way. Countries are on the prowl for IP that can help their companies gain a global advantage; they’re looking for sensitive information with which to blackmail individuals; they’re searching for ways to generate profits to grow the nation’s wealth; and they’re mapping and sabotaging critical infrastructure. The current furore over providers of 5G networks highlights just how strategic critical technology has become to national interests, and how important cybersecurity is to financial and social stability.

This matters, because increasingly it is average, ordinary firms that are caught in the middle. They may be running critical national infrastructure (CNI). They may hold data that attackers want. But they may also be targeted not in their own right, but because they’re part of a high-value supply chain. Law firms are particularly at risk because of the information they hold on behalf of their clients. Managed service providers have also been hit in the past. Even hotel chains could be at risk if attackers want to target individuals staying there. Then there are the more scattergun attacks, like WannaCry and NotPetya, that show no organisation is safe from state-sponsored threats.

CLOUDSEC 2019
This is just one part of a much bigger picture, of course. Financially motivated cybercrime represents a massive threat, as does, on a smaller scale, the publicity-hungry sniping of hacktivists. But in order to respond effectively, CISOs need the same things: accurate intelligence, and information on best practice response strategies.

At CLOUDSEC 2019 in September, we’ve lined up a host of world-leading experts in their field to share their insight. The latest is former White House CIO, Theresa Payton. Now a cybersecurity CEO, Theresa will reveal to attendees what they need to know today and look out for tomorrow in the ongoing battle against cybercrime. Crucially, she’ll also be lifting the lid on her time in government to share insight on how cybersecurity is managed at the very highest levels.

Now in its fifth year, CLOUDSEC is bigger and better than ever before. Also lined up to speak are: Thomson Reuters Senior Director, Security Platforms and Engineering, Frank Thomas; Stena AB CISO, Magnus Carling; United Nations cybercrime expert, Rob Gilbert; and Trend Micro experts including VP of Security Research, Rik Ferguson, and Director of Forward Looking Threat Research, Rob McArdle.

We’re looking forward to seeing you at the show.

What: CLOUDSEC 2019
When: 13 September 2019
Where: Old Billingsgate Market, London

Major GDPR Fines Make the Case for Cyber Security

by Bharat Mistry

One of the most important and challenging parts of the CISO’s role is to translate complex concepts into a language the board understands. Without this crucial skill, it can be difficult to secure much-needed top-level buy-in for major projects and cultural change. With the advent of the GDPR, data protection, privacy and cyber security became a board-level issue. This week, things kicked up a notch further, with the UK regulator announcing penalties for BA and Marriott totalling over £282m (€313m).

If they have been stonewalled in the past, now is the time for CISOs to make the case more urgently than ever for extra investment to mitigate the clear business risk of regulatory fines.

The phony war is over
The Information Commissioner’s Office (ICO) was instrumental in helping to draw up the GDPR, and it was acting as the lead supervisory authority on behalf of other EU Member State data protection authorities when it announced its intention to fine both companies this week. Marriott International faces a penalty of just over £99m (€110m), while British Airways faces a fine of over £183m (€204m). The BA penalty amounts to 1.5% of the airline’s worldwide turnover in 2017, significantly less than the possible maximum of 4%. Both intend to contest the size of the penalties, but one thing is clear: no boardroom anywhere in the world can ignore the potential impact of the GDPR on its bottom line and corporate reputation.

In the case of Marriott, the firm’s woes were inherited from the Starwood hotels group, which it acquired in 2016. But that’s no excuse, the ICO said. The hotel giant should have undertaken more effective due diligence and put in place “proper accountability measures to assess not only what personal data has been acquired, but also how it is protected”. Marriott is a US firm, but around 30m of the 339m guest records exposed in the multi-year breach belonged to EU residents. The reach of the GDPR is global.

For BA, it was a 2018 breach of around 500,000 customer records, including card numbers, travel booking details, names and addresses. Attackers compromised its website with digital skimming code of the kind associated with the Magecart groups, in what appears to have been a highly targeted attack in which they did their best to stay hidden. Still, the ICO said BA could and should have done better. The bottom line, said information commissioner Elizabeth Denham, is this: “When you are entrusted with personal data you must look after it.” This also sends a stark message about outsourcing: if you use third parties for any type of service, you must take adequate steps to ensure the supply chain is secure, because you remain ultimately responsible for the data and can be fined if it is breached.

Time to focus on security
There’s no silver bullet when it comes to GDPR compliance – just as there is no guaranteed way to remain 100% breach free. All organisations can do is to prove they have the best interests of their customers at heart, by following industry best practices and proven frameworks. As part of these best practices, we’d encourage a defence-in-depth approach to security combining a range of cross-generational threat protection techniques at server, endpoint and network layers.

Here are a few ideas:

  • Conduct a thorough data audit to work out what personal data you process, where it flows and how high-risk it is
  • Apply appropriate security controls to that data. Endpoint, network, server and web/email gateway protection should ideally come from a single reputable provider. Trend Micro’s XGen approach offers a combination of connected threat defence techniques at each layer
  • Apply strong encryption to high-risk data at rest and in transit, using an authenticated cipher and with keys managed separately from the data store, so that an attacker who obtains the database alone cannot read or silently alter the records
  • Restrict access on a least-privilege basis and enforce multi-factor authentication (MFA)
  • Implement continuous network monitoring for threats
  • Improve end-user education, with phishing simulation tools such as Phish Insight
  • Keep all devices and software up to date
  • Follow best practice standards and frameworks, such as Cyber Essentials, BS 10012:2017 personal information management system (PIMS) and ISO 27001:2013 information security management system (ISMS)
  • Audit your supply chain to mitigate third-party risk and update contracts to reflect the new GDPR regime

Most importantly, firms subject to the GDPR must remember that compliance is not a destination that can be forgotten about once reached. It is an ongoing journey that will require constant attention, and investment, as technology environments, the threat landscape and regulatory requirements change.



Open Source Software Risk Highlights the Need for Secure DevOps

by Bharat Mistry

UK firms on average download 21,000 open source software components containing flaws each year. That is the headline stat from new research which reveals the escalating risks facing developers from the common practice of sharing code. As demand for such components increases, the emphasis for security teams should be on finding ways to mitigate these risks as early on in the development lifecycle as possible, via seamless, automated security that doesn’t impact app delivery.


Ransomware on the rise: why we can’t afford to let our guard down

by Bharat Mistry

The cybercrime underground is continually evolving. That’s what makes it so compelling for news editors: there’s always something new to write about. However, the volatility of the threat landscape also makes it difficult to issue accurate long-term predictions about where things are headed. Just take ransomware: we saw a significant decline in detections and new families last year. But in the first half of 2019, several well publicised attacks on major organisations have raised the profile of the threat yet again.
