Author Archives: Luke Irwin

Protect yourself and your customers from formjacking

Online retailers and other organisations using ecommerce functionality must prepare for the threat of formjacking, Symantec has warned, after detecting 3.7 million instances of the attack method in 2018.

Formjacking works by inserting malicious JavaScript code into the payment form of an organisation’s online checkout and siphoning off customers’ card details.

It’s particularly dangerous because there’s almost no way to spot whether a page has been compromised. The payment proceeds as normal, and the only way a customer will know they’ve been attacked is when charges show up on their bank statement or the organisation discloses a breach.

Who is being targeted?

Any organisation that accepts online payments is vulnerable to formjacking, but crooks tend to target smaller organisations that have less sophisticated defence mechanisms. This makes it easier to plant malware and for it to remain undetected on the organisation’s systems for longer.

According to Symantec, organisations that work with large companies are particularly vulnerable, as crooks can use them to conduct supply chain attacks. This involves exploiting a vulnerability in a system that’s used to provide services to a third party.

Supply chain attacks were the cause of several high-profile formjacking attacks in 2018, including those against Ticketmaster, British Airways, Feedify and Newegg.

Why are organisations being attacked?

John Moss, CEO of English Blinds, says:

Formjacking has been on the rise in recent months for a combination of reasons. First of all, the well-publicised success of Magecart groups across several high-profile attacks has served as something of an endorsement to others, but the greater part of the problem is that most businesses are simply unprepared for attacks of this type, and have no protocols in place to identify and mitigate them.

Additionally, it is almost impossible to identify if the JavaScript code of a page has been compromised as the intended payments are also processed as normal, and so a significant amount of jacks may take place before a problem is flagged, making it a highly lucrative and reasonably safe attack method for well-prepared antagonists.

To protect and mitigate against formjacking attacks, organisations first of all need to recognise the fact that they pose a real threat in the first place, and that no organisation is too small or low profile as to serve as a completely unappealing target.

Setting up protocols to execute regular penetration tests and vulnerability scans is vital for any organisation, and will ensure that potential threats are identified and eradicated before they can become a problem.

Shayne Sherman, CEO of TechLoris adds:

Hackers are looking for the quick, big win – and of course, a challenge. Identity theft is useful only if you can either a) use the identity stolen or b) sell that information. For those able to hack into larger databases of information, they can collect a larger amount of data that can then be sold. They run a smaller risk as they won’t be caught using a stolen identity. Someone else will then take that risk.

Who is behind the attacks?

The majority of formjacking attacks have been blamed on Magecart, which is believed to be a collection of cyber crime groups.

However, Magecart’s methods aren’t unique. Attacks don’t require any specialist knowledge or technology, meaning any crook could conduct one.

With a single piece of payment card information fetching about $45 (about £34) on the dark web, formjacking is an incredibly lucrative option. Its popularity may only grow further following the declining interest in cryptocurrency, which had previously sparked an increase in cryptojacking attacks.

Protect your business by paying attention

Sherman continues:

Hackers are successful because they are subtle. Making big changes sends up red flags, but by making small changes to source code, a hacker can infiltrate your system. If you’re checking these codes regularly, you’re more likely to catch these hackers before the damage is done.

You can detect malicious code and vulnerabilities that would allow crooks to plant that code by conducting regular vulnerability scans and penetration tests.

Vulnerability scans are automated tests that look for weaknesses in organisations’ systems and applications.

Organisations can use a variety of off-the-shelf tools to conduct vulnerability scans, each of which runs a series of ‘if–then’ scenarios that identify system settings or features that may contain known vulnerabilities.

Meanwhile, penetration testing is essentially a controlled form of hacking in which an ethical hacker, working on behalf of an organisation, looks for vulnerabilities in the same way that a criminal hacker would.

The objective of penetration testing is similar to vulnerability scanning, but it is more thorough and requires expertise and human interaction.
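One way to do the regular source-code checking described above is to keep a known-good baseline of the scripts on the checkout page and compare each fresh capture against it. This is an added example, not code from the original post or from IT Governance; the two HTML pages and the host names in it are constructed for illustration.

```python
"""Baseline-and-compare check for scripts on a checkout page (formjacking detection).

Added example, not part of the original post. The idea: record the hashes of the
inline scripts and the set of approved external script URLs from a known-good
capture of the page, then flag anything that later appears new, changed or
missing. Sample pages and host names below are constructed, not real sites.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def extract_scripts(html):
    """Return (external_srcs, inline_bodies) found in the page."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return p.external, p.inline


def fingerprint(body):
    """SHA-256 of an inline script after whitespace normalisation, so that
    reindenting or reformatting alone does not raise an alert. (This also
    collapses whitespace inside string literals; acceptable for a monitor.)"""
    normalised = re.sub(r"\s+", " ", body).strip()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def build_baseline(html):
    """Snapshot a known-good page: approved src values and inline fingerprints."""
    ext, inl = extract_scripts(html)
    return {"external": set(ext), "inline": {fingerprint(b) for b in inl}}


def audit_page(html, baseline, trusted_hosts):
    """Compare a fresh capture against the baseline. Returns a list of findings;
    an empty list means the page's scripts match what was approved."""
    findings = []
    ext, inl = extract_scripts(html)
    for src in ext:
        if src not in baseline["external"]:
            findings.append(f"unexpected external script: {src}")
        host = urlparse(src).hostname or ""      # relative URLs have no host
        if host and host not in trusted_hosts:
            findings.append(f"script loaded from untrusted host: {host}")
    seen = {fingerprint(b) for b in inl}
    for fp in sorted(seen - baseline["inline"]):
        findings.append(f"new or modified inline script (sha256 {fp[:12]}...)")
    for fp in sorted(baseline["inline"] - seen):
        findings.append(f"baseline inline script missing (sha256 {fp[:12]}...)")
    return findings


# Constructed sample pages (not real sites). cdn.example.com is the approved CDN.
TRUSTED_HOSTS = {"cdn.example.com"}

CLEAN_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example.com/payments.js"></script>
</head><body>
<form id="payment"><input name="card"></form>
<script>
  document.getElementById("payment").addEventListener("submit", validate);
</script>
</body></html>"""

# Same page reindented only: must NOT produce findings.
RESPACED_PAGE = CLEAN_PAGE.replace('\n  document', '\n\n      document')

# Tampered page: an extra third-party script and an altered inline script.
MODIFIED_PAGE = CLEAN_PAGE.replace(
    '</head>', '<script src="https://static.unknown-host.test/a.js"></script>\n</head>'
).replace('addEventListener("submit", validate);',
          'addEventListener("submit", validate); /* altered */')


if __name__ == "__main__":
    base = build_baseline(CLEAN_PAGE)
    for f in audit_page(MODIFIED_PAGE, base, TRUSTED_HOSTS):
        print("ALERT:", f)
```

Run it on a schedule against captures of the live checkout page and treat any finding as an incident trigger; the baseline must be re-recorded only after a reviewed, legitimate deployment.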

Find out how IT Governance can help meet your penetration testing and vulnerability scanning requirements.


A version of this blog was originally published on 5 March 2019.

The post Protect yourself and your customers from formjacking appeared first on IT Governance Blog.

How to protect your organisation after a ransomware attack

So, your computer screen has been hijacked by ransomware and the criminals behind the attack are demanding money to return your systems. Now what?

That’s a question countless organisations are asking themselves nowadays, with more than 100 ransomware attacks reported so far in 2019.

If that doesn’t sound so bad, bear in mind that the true scale of the issue is much bigger: the majority of organisations that are struck by ransomware don’t report the issue.

This might be because they think it will make them look as if they weren’t adequately prepared to protect themselves from ransomware.

Alternatively, they might fear that announcing an attack will lead to other criminals launching similar attacks against them.


What is ransomware?

Ransomware is a specific type of malware that encrypts the files on a computer, essentially locking the owner out of their systems.

Once this has happened, the ransomware will display a message demanding that the victim make a ransom payment to regain access to their files.

Criminals generally plant the malware on victims’ computers by hiding it in an attachment to a phishing email.


Many ransomware victims feel obliged to pay up, because it’s the quickest and least expensive way to get back to business as usual.

However, experts generally urge organisations not to negotiate, because ransom payments help fuel the cyber crime industry.

But what’s the alternative? Take a look at our seven-step guide to find out.

1. Prepare for an attack by backing up your data

The only way to avoid paying ransoms and avoid catastrophic delays is to make sure you have a second, uninfected copy of your sensitive information. That way, when crooks encrypt your systems, there’s no need to worry. Let them keep the decryptor. You can just wipe those files and upload clean duplicates.

Because you are continuously creating new files and amending old ones, backups should be performed regularly.

You don’t need to do everything in one go; instead, look at each folder and determine how often substantial changes are made. The more frequently things are added or amended, the more often you should back them up.

Once you’ve determined that, you should set up a backup schedule, saving your work on an isolated local device or in the Cloud.

2. Identify that the attack is ransomware

Don’t assume that the person who has spotted the attack knows that it’s ransomware.

The attack method is better known than ever – thanks in part to WannaCry – but many people still wouldn’t be able to identify an attack. This means you could waste valuable time working out what the problem is.

You can avoid this by teaching staff about ransomware and establishing a line of communication in the event of security incidents. That way, the employee who first discovered the malware can immediately contact someone who can identify what the threat is and initiate response measures.

3. Disconnect infected devices from the network

Now that you’re sure that you’ve been hit by ransomware, you should isolate the infection by taking affected devices offline.

This will stop the ransomware spreading, giving you partial functionality and time to implement the next steps.


A business will fall victim to a ransomware attack every 14 seconds in 2019, and every 11 seconds by 2021.


4. Notify your employees

Employees will quickly notice that something is amiss. Even if their computers haven’t been infected, they’ll see that others have and that certain systems are unavailable.

Whether or not they are aware that the disruption has been caused by ransomware, staff are liable to worry. Is it just their team that’s affected? How are they supposed to do work? Are their bosses aware of the problem?

That’s why you should explain the situation to your employees as soon as possible. Let them know which areas of the organisation have been infected and how you are going to manage in the meantime.

Many ransomware victims fall back on pen and paper where possible. If that’s feasible in your situation, support staff as much as you can: provide the pens and paper, direct them to hard copies of the information they might need and redeploy colleagues whose own work is blocked to help out.

5. Photograph the ransom note

You can use this as evidence of the attack when submitting a police report.

This might seem futile – the police will almost certainly be unable to recover your data, let alone catch the crooks – but evidence of the attack is necessary for filing a cyber insurance claim.

If you don’t already have cyber insurance, it’s worth considering. Damages associated with information security incidents generally aren’t mentioned in commercial insurance policies, meaning most providers won’t pay out if you make a claim based on, say, a business interruption.

You must therefore take out a specific cyber insurance policy if you want to protect yourself from the costs associated with cyber attacks and data breaches.




6. Find out what kind of ransomware it is

Identifying the ransomware strain used in the attack might save you a lot of time and effort. Some strains have been cracked with decryption tools available online, and others are fakes that don’t actually encrypt data.

The ransom note might explicitly state which strain it is, but if it doesn’t, there are other clues that can help you identify it. Try submitting the file extension given to the encrypted files, the wording of the ransom demand and the URLs within it to a website such as ID Ransomware, which can help you determine the strain you’ve been attacked with.

7. Remove the ransomware from your device

If the ransomware behind your attack has been cracked, you can use an online decryptor to remove the infection. Similarly, if you’ve been attacked with a fake, you can simply delete the malicious file.

But what if it’s the real thing?

Fortunately, that’s not much more complicated. The safest way to remove ransomware is to restore your infected devices to factory settings. You can do this on Windows devices by going to the update and security menu within your settings, or by holding F8 as your computer turns on until the recovery screen appears.

If the ransomware stops you from reaching recovery screens, you can use the installation disk or USB sticks on which your operating system is stored.

Be warned that this process will remove all data stored on the device, which is why it’s important to have backups.

Once your computer has been restored, you can transfer the duplicate files back onto your device. Depending on how much data you have, this could take anywhere from a few hours to a few days – so you’re not completely out of the woods.

However, this process won’t take much longer than getting the decryptor from the fraudster and regaining access to your files.

What should you do when you’re under attack?

When your defences fail and your organisation is compromised, every second counts. You must respond quickly and follow a systematic, structured approach to the recovery process.

That is, of course, easier said than done, particularly if you don’t have a cyber security expert onboard. Fortunately, IT Governance is here to help.

With our cyber security incident response service, expert consultants will guide you through the recovery process, from identifying the source of the breach and how to stem the damage to notifying the appropriate people and returning to business as usual.



A version of this blog was originally published on 11 June 2019.


7 mistakes that ISO 27001 auditors make

When organisations are seeking ISO 27001 compliance, they rely on auditors to give them good advice. Most of the time they’ll do just that – it’s what they’re paid to do. But as with any profession, some auditors are better than others.

How can you tell if your auditor isn’t to be trusted? Keep an eye out for these seven mistakes:

1. They impose their opinions without facts

Why is this bad? ISO 27001 has clear rules on how to implement its requirements. Although there’s room to interpret which course of action is best for you, any decision should be supported by an instruction in the Standard.

Unfortunately, some auditors have preconceived ideas of best strategies and will recommend certain practices regardless of your organisation’s situation. You should only ever follow advice if the auditor can explain how it helps meet a specific compliance requirement.

2. They report findings but don’t provide evidence

Why is this bad? Auditors must always provide proof when highlighting areas of non-compliance. It doesn’t need to be physical evidence; an eye-witness account will do.

The point is the auditor needs something concrete that they can point to, rather than citing a vague violation or general ‘feeling’ of non-compliance.

This helps the organisation understand exactly what the failure is and what it needs to do to fix the issue.

3. They tick off checklists without considering the bigger picture

Why is this bad? Checklists are a great way of quickly assessing whether a list of requirements is met, but what they offer in convenience they lack in depth of analysis.

Organisations are liable to see that a requirement has been ticked off and assume that it’s ‘mission accomplished’. However, there may still be room to improve your practices, and it might even be the case that your activities aren’t necessary.

A good auditor will use the checklist as a summary at the beginning or end of their audit, with a more detailed assessment in their report, or they’ll use a non-binary system that doesn’t restrict them to stating that a requirement either has or hasn’t been met.




4. They believe the paperwork and ignore the facts

Why is this bad? Any organisation can create policies that demonstrate their commitment to meeting ISO 27001’s requirements, but it doesn’t mean employees actually follow those instructions.

A bad auditor might be satisfied by documentation and a cursory look at whether it’s been implemented. However, auditors must be more rigorous than that.

They shouldn’t be satisfied with just what the organisation wants them to see; they should be digging deeper to check whether the rules are being followed consistently.

5. They feel obliged to find errors

Why is this bad? Auditors sometimes try to stamp their authority by pointing out areas of non-compliance as soon as possible. This isn’t necessarily a bad thing, but it is if they’re exaggerating the scale of a shortcoming to prove a point.

It shouldn’t take long for a good auditor to find genuine faults, as even the best-prepared organisation will have room for improvements.

Auditors should keep this in mind at the start of their assessment, otherwise they’ll end up with an unfairly long list of faults or an inconsistent interpretation of the requirements.

6. They allow cost-cutting to starve the audit

Why is this bad? This mistake occurs more often in internal audits, with organisations acknowledging the need to assess their practices but unable or unwilling to provide the necessary resources.

An underfunded audit will lead to rushed and incomplete results that have little value, and a good auditor will be able to tell if the scale of the project is too big for what’s been budgeted.

7. They use the audit to generate consultancy work

Why is this bad? After completing their assessment, the auditor knows exactly how your organisation operates and where its non-compliances are, so you might be wondering why they’d be a bad fit to consult you on how to correct those mistakes.

In theory, they are a perfect fit. You already have a working relationship and you’ll save time finding a consultant and bringing them up to speed on your organisation’s needs.

Unfortunately, there’s clearly a conflict of interest in this relationship, as you run the risk of allowing the auditor to manipulate their findings to persuade you to use them as a consultant.

It’s therefore generally best if you have a second pair of eyes as your consultant. Picking someone who works at the same organisation might be a good compromise, as it allows you to build on your working relationship with that business.

Good auditing practices

ISO 19011 describes the principles that all auditors of management systems should act upon: integrity, fair presentation, due professional care, confidentiality, independence and an evidence-based approach.

Used diligently, these principles can eliminate bad practices.

You can find out more about what it takes to audit against ISO 27001 by enrolling in one of these training courses:

ISO 27001 external auditor

Our Certified ISO 27001 ISMS Lead Auditor Training Course equips you with the skills to conduct second-party (supplier) and third-party (external and certification) ISMS (information security management system) audits.

Packed with hands-on practical exercises, this five-day course helps you gain the expertise needed to competently manage an ISMS audit programme.


ISO 27001 internal auditor

If you’re looking to audit your own organisation, you’d be better suited to our Certified ISO 27001 ISMS Internal Auditor Training Course.

Designed by IT Governance director Steve Watkins, a technical assessor for UKAS (the United Kingdom Accreditation Service), this two-day course contains an introduction to ISO 27001 and how auditing fits into the compliance process, before explaining how to plan for and execute an internal audit.



A version of this blog was originally published on 18 February 2013.


Why risk assessments are essential for GDPR compliance

Any organisation that’s required to comply with the GDPR (General Data Protection Regulation) must conduct regular risk assessments.

This isn’t just because the Regulation says so; it’s because risk assessments are essential for effective cyber security, helping organisations address an array of problems that, if left unchecked, could cause havoc.

Organisations might assume that the only risks they face are from cyber criminals trying to break into their systems.

However, the GDPR is clear that data is also vulnerable to accidental or unlawful destruction, loss or disclosure. The ways in which these could happen need to be identified at every stage of the data handling process.

The GDPR risk assessment methodology

The goal of any information security risk assessment methodology is to make sure everybody conducting the assessment or interpreting its findings is on the same page.

You must have a methodology – i.e. a set of rules defining how to conduct the risk assessment – to make sure risks are evaluated consistently, so that you can meaningfully compare and prioritise them.

Methodologies also outline specific terms for an organisation’s:

  • Baseline security criteria: the minimum set of defences to fend off risks;
  • Risk scale: a universal way of quantifying risk;
  • Risk appetite: the level of risk the organisation is willing to accept; and
  • Scenario- or asset-based risk management: the strategies for reducing the damage caused by particular incidents (scenario-based) or the damage that can be done to particular parts of the organisation (asset-based).

You can find out more about the risk assessment process by following ISO 27001’s guidance. The international standard for information security contains a best-practice framework for evaluating risks and is closely aligned with the GDPR.




Get started with vsRisk

The complexity of risk assessment auditing, along with the repercussions of getting it wrong, means that most organisations benefit from getting expert advice.

Our risk assessment software tool vsRisk™ helps organisations conduct an information security risk assessment efficiently and easily, eliminating the need for spreadsheets, which are prone to user input errors and can be difficult to set up and maintain.

The software tool is:

  • Easy to use. The process is as simple as selecting some options and clicking a few buttons.
  • Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
  • Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
  • Streamlined and accurate. Drastically reduces the chance of human error.

DPIA risk assessments

There is more to the GDPR and risk assessments than the threat of data breaches. There are also times when you must complete a specific type of risk assessment, called a DPIA (data protection impact assessment), to review the way you process personal data.

DPIAs are necessary whenever personal data processing is “likely to result in a high risk” to the rights and freedoms of individuals.

The GDPR doesn’t define what ‘high risk’ is, but it does provide a few examples:

  • Systematic and extensive profiling with significant effects
  • Large-scale processing of personal information
  • Public monitoring.

The ICO (Information Commissioner’s Office) adds that you must conduct a DPIA if you plan to:

  • Use innovative technology (in combination with any of the criteria from the European guidelines);
  • Use profiling or special category data to decide on access to services;
  • Profile individuals on a large scale;
  • Process biometric data (in combination with any of the criteria from the European guidelines);
  • Process genetic data (in combination with any of the criteria from the European guidelines);
  • Match data or combine datasets from different sources;
  • Collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • Track individuals’ location or behaviour;
  • Profile children or target marketing or online services at them; or
  • Process data that might endanger the individual’s physical health or safety in the event of a security breach.

How to conduct a DPIA

The GDPR doesn’t specify a framework for completing a DPIA, which can make it tricky for those getting started.

This is where our DPIA Tool comes in. Our experts created this software to guide you through the assessment process.

It’s suitable no matter how familiar you are with the GDPR’s requirements. We show you the questions you need to ask and how to find the answers, and even provide links to the relevant sections of the GDPR so you can learn more about why each process is necessary.


A version of this blog was originally published on 4 April 2018.


3 reasons cyber security training is essential

Organisations are always looking for ways to improve their cyber security defences, but they often overlook the value of enrolling their employees on cyber security training courses.

According to a study by Centify, 77% of UK workers say they have never received any form of cyber skills training. Given that, it’s no surprise that so many people exercise such poor security practices.

For example, the survey also revealed that 27% of employees use the same passwords for multiple accounts and 14% leave their credentials written down in a notebook or on their desk.

It’s easy to scoff at people for making basic mistakes, but if employers don’t teach them otherwise, they’re inviting trouble.

With October being European Cyber Security Awareness Month, what better time is there to boost your organisation’s knowledge of effective information security practices?

Here are three reasons to consider it:

1. You’ll reduce the risk of data breaches

If you want to keep your organisation secure, you need your employees to know what they’re doing. Almost all data breaches are caused by a mistake somewhere in the organisation.

That doesn’t only mean negligence – it could also be mistakes that you don’t even know are mistakes, such as gaps in your policies, ineffective processes or a lack of proper technological defences.

Placing staff on information security training courses will help them understand the mistakes they’re making and teach them to work more effectively.

This is especially useful if you intend to commit to a framework such as ISO 27001, the international standard for information security, as there are specific courses that teach you how to follow the Standard’s requirements.

2. You’ll meet compliance requirements

Cyber security laws and regulations inevitably contain complex requirements, so organisations need employees with specialist knowledge to achieve compliance.

For example, organisations that are required to appoint a DPO (data protection officer) under the EU GDPR (General Data Protection Regulation) must find someone with an in-depth understanding of data protection law.

The stakes associated with the position are huge; if the DPO doesn’t perform their tasks in accordance with the GDPR’s requirements, the organisation is liable to face regulatory action.

It’s therefore paramount that the DPO is given every resource available to do their job properly, and training courses should always be sought where possible.

They are not only the quickest way of studying but also usually include exams, which reassures employers that the individual is qualified.

The same advice applies for individuals in roles that involve compliance with the NIS Regulations (Network and Information Systems Regulations 2018), the PCI DSS (Payment Card Industry Data Security Standard), ISO 27001 or any other law or framework.

3. You’ll foster career growth

Training courses enable employees to pick up new skills and gain more advanced qualifications, which will help them move into more senior roles. This isn’t only beneficial for them but also their employers. It’s getting increasingly hard to find qualified information security professionals, with one report estimating that there will be 3.5 million unfilled jobs in the industry by 2021.

Finding qualified personnel isn’t the only problem. A small pool of skilled workers also means job candidates can command a higher salary and more benefits. As such, organisations might not be able to afford qualified professionals even if they can find them.

They should therefore do whatever they can to support employees who want to go on training courses. Organisations will almost certainly benefit from the extra knowledge, and it eases the pressure of finding skilled personnel in the job market.

Which course is right for you?

Cyber security is a broad industry, so you need to decide which area suits you best. To help you make that choice, here are some of our most popular training courses:

Knowledge of ISO 27001, the international standard for information security, is an absolute must for anyone who handles sensitive data. We offer several ISO 27001 courses, including an introduction to the Standard and guidance on specific roles, such as internal auditor and lead implementer.

ISO 22301 is the international standard for business continuity. Organisations that follow its framework can be sure that they’ll continue operating when disaster strikes.

Our Foundation-level course covers the essentials of the Standard, but we also offer advanced courses for those that want to lead an implementation project or audit.

Any organisation that transmits, processes or stores payment card data must comply with the PCI DSS. Our training courses help you understand the basics of the Standard, implement its requirements and complete the SAQ (self-assessment questionnaire).

The GDPR is the most significant update to information security law in more than twenty years. Anyone who handles personal data or is responsible for data protection needs to comply with its requirements.

Regular staff should familiarise themselves with the Regulation via our Foundation-level course, senior staff would benefit from our Practitioner course and those looking to fulfil the DPO role should enrol on our Certified DPO training course.


A version of this blog was originally published on 31 October 2018.


NCSC announces major change to the Cyber Essentials scheme

Over the past five years, the Cyber Essentials scheme has been vital in helping protect organisations from some of the most common causes of data breaches.

However, the NCSC (National Cyber Security Centre) has announced a change to the way the scheme is run. From April 2020, the five Cyber Essentials accreditation bodies will be replaced by one, the IASME Consortium.

There will be a transition period, with the current scheme operating as normal until 31 March 2020.

After that date, new applications will be handled under the revised Cyber Essentials scheme through the IASME Consortium. Organisations still in the process of seeking certification will have until 30 June 2020 to complete their application.

Does this affect IT Governance?

In support of this change, IT Governance will become an IASME-accredited certification body from April next year.

We will continue to provide the high level of cost-effective ongoing service our clients expect from us and will ensure the transition to the new arrangements is seamless.

In the meantime, and in line with current arrangements supported by the NCSC, our clients will continue to be certified under CREST, and all existing and new certifications will continue to be valid and in line with current requirements.

You can find out more about Cyber Essentials and the ways IT Governance can help you certify on our website.


What is the ISO 27000 series of standards?

The ISO/IEC 27000 family of standards, also known as the ISO 27000 series, is a series of best practices to help organisations improve their information security.

Published by ISO (the International Organization for Standardization) and the IEC (International Electrotechnical Commission), the series explains how to implement an ISMS (information security management system).

An ISMS is a systematic approach to risk management, containing measures that address the three pillars of information security: people, processes and technology.

The series consists of 46 individual standards, including ISO 27000, which provides an introduction to the family as well as clarifying key terms and definitions.

You don’t need to know every standard inside out to understand how the series works, and some won’t be relevant to your organisation, but there are a few core ones that you should be familiar with.

ISO 27001

This is the central standard in the ISO 27000 series, containing the implementation requirements for an ISMS. This is important to remember, as ISO 27001 is the only standard in the series that organisations can be audited and certified against.

That’s because it contains an overview of everything you must do to achieve compliance, which is expanded upon in each of the following standards.

ISO 27002

This is a supplementary standard that discusses the information security controls that organisations might choose to implement.

Organisations are only required to adopt controls that they deem relevant – something that will become apparent during a risk assessment.

The controls are outlined in Annex A of ISO 27001, but whereas this is essentially a quick rundown, ISO 27002 contains a more comprehensive overview, explaining how each control works, what its objective is and how you can implement it.

ISO 27017 and ISO 27018

These standards were introduced in 2015, explaining how organisations should protect sensitive information in the Cloud. This has become especially important recently as organisations migrate much of their sensitive information on to online servers.

ISO 27017 is a code of practice, providing extra information about how to apply the Annex A controls to information stored in the Cloud.

Under ISO 27001, you have the choice to treat these as a separate set of controls. So, you’d pick a set of controls from Annex A for your ‘normal’ data and a set of controls from ISO 27017 for data in the Cloud.

ISO 27018 works in essentially the same way but with extra consideration for personal data.

ISO 27701

This is the newest standard in the ISO 27000 series, covering what organisations must do when implementing a PIMS (privacy information management system).

It was created in response to the GDPR (General Data Protection Regulation), which instructs organisations to adopt “appropriate technical and organisational measures” to protect personal data but doesn’t state how they should do that.

ISO 27701 fills that gap, essentially bolting privacy processing controls onto ISO 27001.

Why use an ISO 27000-series standard?

Information security breaches are one of the biggest risks that organisations face. Sensitive data is used across all areas of businesses these days, increasing its value for legitimate and illegitimate use.

Countless incidents occur every month, whether it’s cyber criminals hacking into a database or employees losing or misappropriating information. Wherever the data goes, the financial and reputational damage caused by a breach can be devastating.

That’s why organisations are increasingly investing heavily in their defences, using ISO 27001 as a guideline for effective security.

ISO 27001 can be applied to organisations of any size and in any sector, and the framework’s broadness means its implementation will always be appropriate to the size of the business.

You can find out how to get started with the Standard by reading Information Security & ISO 27001: An introduction.

This free green paper explains:

  • What ISO 27001 is, how an ISMS works and how it relates to ISO 27002;
  • The importance of risk assessments and risk treatment plans;
  • How the Standard helps you meet your legal and regulatory obligations; and
  • How to begin your ISMS implementation process.

The post What is the ISO 27000 series of standards? appeared first on IT Governance Blog.

What are you doing for European Cyber Security Month?

In a month where many people’s biggest concerns are pumpkin-related, you might consider putting equal effort into something more substantial. October is National Cyber Security Awareness Month, where people are encouraged to brush up on their everyday information security practices.

With an estimated 2 million cyber attacks last year costing victims £36 billion, there is a lot to be gained from tightening up the way you handle sensitive information.

What is European Cyber Security Month?

Cyber Security Month is an EU awareness campaign that promotes cyber security in the workplace and at home.

It aims to make people understand the threat of cyber crime and the way our actions help or hinder attacks.

Our shared responsibility

The theme of this year’s campaign is “cyber security is a shared responsibility”, which can be interpreted in a couple of ways.

First, it refers to the three aspects of cyber security: people, processes and technology. IT departments must implement software and other security controls to remove vulnerabilities, organisations must create processes that explain to employees how to keep information secure, and people must follow those instructions.

If anyone fails to perform their role, the chance of a data breach increases dramatically.

Cyber security is equally everybody’s responsibility in that no one is exempt from best practices. Senior employees might delegate responsibility or complain that they are too busy to follow certain processes. Similarly, some employees might assume that one person won’t make a difference and so they can cut corners when it comes to things like password management or working on public Wi-Fi.

But if everyone obeys that logic, no one will be following the organisation’s processes. Cyber security best practices can certainly be inconvenient at times, but it only takes one mistake to jeopardise the entire organisation.

What else does Cyber Security Month cover?

The first two weeks cover cyber hygiene, which involves your daily routines and general behaviour when handling sensitive information.

The second half of the month is dedicated to emerging technologies and the way they protect or threaten our security.

This is one of the biggest talking points in the cyber security industry, thanks to the controversial use of biometric data.

Although fingerprints and retinal scans provide a much more secure authentication system than passwords, they also threaten people’s privacy, and breaches of such information have major repercussions.

After all, you can change a password if it’s disclosed but you can’t change your fingerprints.

How you can get involved

There are four events in the UK over the next few weeks that are aligned with European Cyber Security Month:

  • Technology experts will gather at this event, hosted in Newport, to highlight the threats that organisations face and how they should address their vulnerabilities.
  • A series of short presentations explaining the threat of cyber crime, the role of law enforcement and what we can do to protect ourselves.
  • The Isle of Man government’s inaugural cyber security conference features keynote speakers and networking opportunities between the public and private sectors.
  • This one-day event takes place in Manchester, featuring speeches on how to implement strong security measures and how technological advancements create opportunities and challenges for staying secure.

What are we doing for Cyber Security Month?

At the risk of sounding trite, every month is cyber security awareness month at IT Governance. We are committed to helping people improve their cyber security practices, through our blog, webinars, green papers, tools and services.

October is no exception. We’ll be linking to resources that can help keep you and your organisation secure, and sharing cyber security tips and stats to remind you of what you’re up against.

You wouldn’t ignore a medical expert’s advice. Why risk your cyber health?

Don’t risk it, cyber secure it this Cyber Security Month. Find out how to keep your organisation healthy with our dedicated tips.

The post What are you doing for European Cyber Security Month? appeared first on IT Governance Blog.

ISO 27701 unlocks the path to GDPR compliance and better data privacy

We have good news for those looking for help complying with the GDPR (General Data Protection Regulation): new guidance has been released on how to create effective data privacy controls.

ISO 27701 explains what organisations must do when implementing a PIMS (privacy information management system).

The advice essentially bolts privacy processing controls onto ISO 27001, the international standard for information security, and provides a framework to establish the best practices required by regulations such as the GDPR.

Organisations that are already ISO 27001 compliant will only have a few extra tasks to complete, like a second risk assessment, to account for the new controls. If you’re not familiar with ISO 27001, now is the perfect time to adopt it.

ISO 27701 and ISO 27001: privacy vs security

The main difference between the two standards is that ISO 27701 deals with privacy and the implementation of a PIMS, whereas ISO 27001 addresses information security and an ISMS (information security management system).

These are related concepts – data privacy violations and information security violations are both generally categorised as data breaches. However, they aren’t identical.

  • Information security relates to the way an organisation keeps data accurate, available and accessible only to approved employees.
  • Data privacy relates to the way an organisation collects personal data and prevents unauthorised use or disclosure.

For example, if an organisation collects excessive amounts of information on an individual, that’s a privacy violation. The same is true if an unauthorised employee or cyber criminal gets hold of the data.

When building an information security framework, organisations must take extra steps to ensure that privacy concerns are accounted for alongside security issues.

ISO 27701’s approach recognises that by expanding on the clauses of ISO 27001 and controls in Annex A that relate specifically to data privacy, as well as providing two additional sets of controls specific to data controllers and data processors.

It also builds on the principle of information security by directing the reader to the more expansive privacy principles in ISO 29100. These cover a wider range of privacy concerns, including those discussed in data protection regulations internationally.

ISO 27701 and the GDPR

Although it has ‘data protection’ in its name, the GDPR is equally concerned about data privacy.

However, as you will have learned when implementing the Regulation’s requirements, the GDPR doesn’t include guidance on how to do so. This is to prevent it from becoming outdated as best practices evolve and new technologies become available.

That’s all well and good for the long-term, but what are organisations supposed to do right now?

ISO 27701 answers that question, explaining how to ensure data privacy is addressed adequately.

It’s not your only option when it comes to compliance advice, though. ISO 27701’s framework is broad, so that it can help organisations comply with multiple privacy regimes. For example, many organisations might use the Standard to meet the requirements of the CCPA (California Consumer Privacy Act).

By contrast, BS 10012 is a British standard that’s designed to help organisations comply with the GDPR and the DPA (Data Protection Act) 2018.

If your organisation needs to conform only to the GDPR and DPA 2018, you might find BS 10012 a better option.

However, if you’re looking for something more flexible – perhaps you need to assure non-UK stakeholders that you have adequate privacy controls in place – then ISO 27701 is more suitable.

Download our guide to learn more

This article is based on our free green paper ISO 27701 – Privacy information management systems.

The guide is ideal for organisations that want advice on how to strengthen their compliance posture and those that are familiarising themselves with privacy concerns and the GDPR.

It explains:

  • How ISO 27701 differs from and complements ISO 27001;
  • The structure and requirements of ISO 27701;
  • How ISO 27701 can help you achieve compliance with privacy laws like the GDPR and the DPA 2018; and
  • Which additional requirements will apply if you already have an established ISMS.

The post ISO 27701 unlocks the path to GDPR compliance and better data privacy appeared first on IT Governance Blog.

Is your school GDPR compliant? Use our checklist to find out

At this year’s ASCL (Association of School and College Leaders) conference, a guest said to us: “The GDPR? Wasn’t that last year?”

Our heads fell into our hands. How was it possible for someone to be so misguided about such a well-publicised regulation? Granted, 2018 was very much ‘the year of the GDPR’ in some circles. It came into effect in May 2018, following much discussion and a late surge from organisations that left compliance until the last minute.

But compliance isn’t a one-time thing. It continues to be effective for any organisation that processes the personal data of, or monitors the behaviour of, EU residents.

A brief summary of the GDPR

The GDPR works like this: there are data subjects (that’s individuals like you and me), and we own our own personal data. The GDPR considers personal data to be anything that identifies, or can be used to identify, a living person, such as your name, National Insurance number or email address, whether it’s a personal or work account.

The GDPR outlines a list of steps organisations must take to protect that information. It also contains eight data subject rights that give individuals more control over the way organisations use their personal data.

These include:

  • The right to access the personal information organisations store on them;
  • The right to request that organisations rectify any information that’s inaccurate or incomplete;
  • The right to erase personal data when it’s no longer necessary or the data was unlawfully processed; and
  • The right to object to processing if the individual believes the organisation doesn’t have a legitimate reason to process information.

Organisations that fail to meet these requirements face fines of up to €20 million (about £18 million) or 4% of their annual global turnover, whichever is greater.

GDPR compliance in schools

Schools have a particularly hard time of it when it comes to the GDPR. They often work with tight budgets and lack the resources to retain a dedicated information security team.

Additionally, schools process large amounts of children’s data, which merits extra protection. In some cases, there are specific rules that apply to children, which means data processors must work out whether the data subject qualifies as a child (defined as under 13 in the UK) before proceeding.

If that’s the case, the data processor must account for requirements concerning:

Can you use consent?

Organisations cannot legally obtain consent from children. Instead, they must seek the approval of a person holding “parental responsibility”, and make “reasonable efforts” to verify that the person providing the consent is indeed a parental figure.

This requirement doesn’t apply in the context of preventive or counselling services offered directly to a child.

Privacy notices

Organisations must ensure that privacy notices targeted at children are written in plain language that could reasonably be understood by data subjects.

This is similar to the general rules about privacy notices, but it’s important to remember that the language you use must be appropriate to the intended audience. What counts as plain language to a 12-year-old will probably be very different from what counts as plain language to, say, a 5-year-old.

Online services offered to children

In most cases, consent requests for children will relate to online services, or what the GDPR refers to more generally as information society services. These include things such as online shopping, live or on-demand streaming and social networks.

The GDPR states that consent must be closely regulated in these services because children “may be less aware of the risks, consequences and safeguards” of handing over their personal details.

Schools aren’t GDPR-compliant

These are reasonable requirements, but many schools still fail to understand the importance of compliance or make the necessary changes. The ICO (Information Commissioner’s Office) reported that breaches in the education sector increased by 43% in the first three months that the GDPR was effective.

The number of security incidents increased from 355 in the second quarter of 2017–18 to 511 in the same period last year. Meanwhile, the number of incidents involving data breaches increased from 239 to 353.

The ICO found that common disclosure issues included:

  • The loss or theft of paper or digital files;
  • Emailing information to the wrong recipient; and
  • Accidental verbal disclosure.

There has also been a sharp increase in the number of cyber attacks targeting schools, with a 69% rise in malware, ransomware and phishing scams between 2017 and 2018.

Mark Orchison, managing director of cyber security firm 9ine, warned that “schools don’t have the internal expertise” to deal with cyber attacks, and they lack “the skills to understand the risks or what to do when [an attack] happens”.

“Schools are seen as an easy target,” he added. “Sending false invoices, for example, is easy money.”

The figures aren’t all bad news, though. Orchison suggested that the rise in data breach reports may well be a case of schools becoming more aware of what breaches are and when they need to be reported.

GDPR checklist for schools

Staying on top of your GDPR compliance requirements can seem daunting, which is why we encourage all organisations to create a plan of action.

Anyone looking for help on what that should include should take a look at our GDPR checklist for schools. It will help you record your school’s progress towards GDPR compliance and identify any areas where development may be required.


A version of this blog was originally published on 28 March 2019.

The post Is your school GDPR compliant? Use our checklist to find out appeared first on IT Governance Blog.

What is incident response management and why do you need it?

The threat of cyber attacks and other security incidents looms over all organisations. There are simply too many things that can go wrong – whether it’s a cyber attack, a technical malfunction or another delay – to assume that operations will always be functional.

But that doesn’t mean you need to accept that delays are inevitable. You should be constantly assessing what might go wrong and how you would deal with it, because the way you respond to an incident may well be the difference between a minor disruption and a major disaster.

Every second counts

The longer it takes an organisation to detect a vulnerability, the more likely it is that it will lead to a serious security incident. For example, perhaps you have an unpatched system that’s waiting to be exploited by a cyber criminal, or your anti-malware software isn’t up to scratch and is letting infected attachments pass into employees’ inboxes.

Criminals sometimes exploit vulnerabilities as soon as they discover them, causing problems that organisations must react to immediately.

However, they’re just as likely to exploit them surreptitiously, with the organisation only discovering the breach weeks or months later – often after being made aware by a third party.

It takes 175 days on average to identify a breach, giving criminals plenty of time to access sensitive information and launch further attacks.

As Ponemon Institute’s 2019 Cost of a Data Breach Study found, the damages associated with undetected security incidents can quickly add up, with the average cost of recovery being £3.17 million.

If your organisation is to reduce financial losses and stay in control of the situation, you must have an incident response plan. This allows you to mitigate the damage and reduce the delays and costs that come with disruptions.

But incident management isn’t only good business sense, as we discuss next.

The GDPR and the NIS Regulations

Incident response management is a key requirement of the GDPR (General Data Protection Regulation) and the NIS Regulations (Network and Information Systems Regulations).

Failure to implement adequate response protocols could therefore not only endanger your organisation’s long-term productivity but also lead to substantial penalties. Breaches of the NIS Regulations can attract fines of up to £17 million, and the stakes are even higher when it comes to the GDPR, with penalties reaching €20 million (about £17.8 million) or 4% of the organisation’s global annual turnover – whichever is greater.

So, what do you need to do to stay compliant? Article 32 of the GDPR states that organisations must take necessary technical and organisational measures to ensure a high level of information security.

This includes implementing an incident response plan to contain any damage in the event of a data breach and to prevent future incidents from occurring.

Doing so also helps you comply with Article 33 of the Regulation, which requires organisations to contact their supervisory authority if they suffer a breach that poses a risk to the rights and freedoms of individuals.

The notification must be made within 72 hours of becoming aware of the breach, and should include as much detail about the breach as possible.

It should also describe the measures taken, or proposed to be taken, to address the breach, including steps to mitigate possible adverse effects.

Meanwhile, the NIS Regulations require organisations to produce:

  • Detection processes and procedures, which should be regularly monitored to ensure that they are up to date and effective;
  • Processes and policies for reporting vulnerabilities and security incidents;
  • Procedures for documenting the response to cyber security incidents; and
  • Incident analyses to assess an incident’s severity and collect information for the organisation’s continual improvement process.

The incident response lifecycle

We recommend that your incident response plan draws on ISO 27001, the international standard for information security, and ISO 27035, which contains principles and guidelines for incident management.

You might also be interested in our approach to incident response, which combines those elements with processes to help you prepare for incidents and aspects of business continuity.

You can adopt this approach by following these eight steps:

1. Identify risks, vulnerabilities and threat exposure

You can’t plan for disaster if you don’t know what might be coming, so the first step is to identify risks by conducting a risk assessment.

This process will also give you an idea of how much of a threat each risk poses and whether it’s worth addressing. For example, if you decide that a risk is highly unlikely to occur or will only cause minimal damage, planning for it might be more trouble than it’s worth.

2. Review cyber security controls

Your organisation more than likely already has certain controls in place; these could be as basic as antivirus software or firewalls.

Such measures could also stretch to existing policies or procedures, e.g. maintaining a schedule for regularly updating devices and software, or even physical security, such as CCTV.

These controls and measures should be reviewed to make sure they are still up to date. Doing so can also save you unnecessary work – if an existing measure suffices, make sure it is documented and cross it off the to-do list.

3. Conduct a business impact analysis

A BIA (business impact analysis) is a process that uses critical activities to determine priorities for recovery following an incident.

A BIA will also help you work out how quickly each activity needs to be resumed following an incident. Importantly, the analysis will give you an RTO (recovery time objective) for each activity, which is the ‘acceptable’ length of time it takes to get your systems up and running again.

4. Form the incident response team

A dedicated incident response team analyses information about incidents, discusses observations, coordinates activities, and shares important findings internally.

The team could include a director or senior manager, information security manager, facilities manager and IT manager.

Whatever the exact roles are, the team needs to have enough authority to act quickly in response to incidents, and sufficient access to information and expertise to make sure decisions are made on the basis of the best information available.

5. Develop incident response plans

Your plan should focus on the identified critical assets – including the risks to those assets, asset owners and asset locations – as well as the summarised results of the BIA.

You also need to put a reporting process or communication plan in place to ensure that both the incident response team and relevant stakeholders will be informed of any incidents.

For that process to work, you need to include contact details – both of team members and relevant authorities – and call trees, as well as checklists or steps to be taken in the case of specific scenarios.

6. Test incident scenarios

To be sure that the checklists or steps for specific scenarios actually work, you must test them.

Testing these steps at least biannually ensures that they are and remain effective, but also enables the documented plan to be as detailed as possible. And no matter how familiar staff are with the plan, theory is no substitute for practical experience.

Testing does not simply confirm that the plan works, but also trains staff to respond as efficiently as possible. All lessons learned should be documented, and resulting improvements incorporated into the scenarios as necessary.

7. Conduct incident response training

Human error and process failures are the underlying reasons for the majority of security incidents.

To reduce this risk, you must teach your staff about the importance of effective security and how they can avoid making mistakes.

Employees with incident response duties should receive additional training in relation to their role, whether this concerns incident notification, reporting or classification, or scenario testing.

Those with business continuity duties should also receive appropriate training.

8. Establish a continual improvement framework

Like any framework, incident response processes must be regularly reviewed to take into account emerging threats and areas where the current framework isn’t working as intended.

As such, the steps outlined here should be repeated annually or whenever there are major changes to your organisation.

Experiencing a cyber security incident?

If you’re facing a disaster or worried about what will happen when an incident occurs, you should turn to IT Governance.

Our experts help you take immediate action no matter what the situation. We can mitigate the damage if you’re in a crisis or optimise your existing resources and provide support where needed.

Following the incident, we aim to get you back to business, armed with the knowledge to manage your risks and improve your security posture.


A version of this blog was originally published on 14 May 2018.

The post What is incident response management and why do you need it? appeared first on IT Governance Blog.

Is cyber security software worth the investment?

‘Do we really need to spend a load of money on cyber security software?’ you might ask. You have built-in antivirus, so won’t that do?

No. Cyber security is about more than preventing viruses and malware. Criminals have plenty of other tricks for breaking into your organisation, so you must purchase software to close as many gaps as possible.

Why cyber security software is so important

Over the past few years, organisations and individuals have acknowledged the severity of the threat posed by cyber crime. We tracked 557 data breaches last year alone, with organisations of all sizes coming under attack.

Meanwhile, the introduction of the GDPR (General Data Protection Regulation) has raised the stakes when it comes to effective security. Organisations that fail to secure data properly, or that violate individuals’ privacy rights, face fines of up to €20 million (about £18 million) or 4% of their annual global turnover.

If organisations are to avoid suffering data breaches, they need to protect their systems. Many people believe that refers to technological solutions – but although that’s our focus here, it’s only one way to secure your organisation.

After all, it’s no good purchasing cyber security software if no one knows how to use it or employees expose data in other ways. That’s why technology must always be complemented with security policies and staff awareness training, in what is often known as the people–processes–technology model.

The reason so many people focus on technology, as opposed to people or processes, is that it does a lot of the heavy lifting in a security framework.

Most data breaches are the result of basic mistakes that all three parts of the model address, but whereas ‘people’ and ‘processes’ are designed to change poor security habits – something that takes time and effort – security software can be plugged straight into the system.

It doesn’t address the root cause of the problem, but it prevents breaches from occurring.

For example, access controls, which limit who can view certain information, don’t stop an employee from wanting to view sensitive information (or even explain why this is a security concern), but they do ensure that a breach doesn’t occur.

There are myriad programs designed to protect your organisation in ways like this. In the next section, we run through some of the most common types of software and how they work.

Examples of cyber security software

  • Antivirus and anti-malware

Antivirus software is the quintessential example of cyber security technology. It was originally designed to root out viruses, but modern software now generally includes protection against a broad range of malicious programs, including malware, ransomware, keyloggers, Trojan horses, worms, adware and spyware.

The software scans your computers, looking for files that match its built-in database of known viruses and malware, and either deletes them or alerts you to their presence.

Antivirus and anti-malware software are essential for all businesses that use online systems. Malicious programs are hidden in all kinds of files, and it’s only a matter of time before an employee downloads something harmful or a criminal otherwise infects your organisation.

  • Firewalls

Firewalls create a buffer between your IT systems and external networks. They monitor network traffic, and identify and block unwanted traffic that could damage your computers, systems and networks.

Implementing firewalls helps protect organisations from criminal hackers trying to break into their networks, and from outgoing traffic originating from a virus.

  • System monitoring

There are several inexpensive tools you can use to detect suspicious activity on your organisation’s networks.

Such activity includes attempts to access privileged information (whether from an employee or external actor), login attempts from unusual locations, and unusual activity related to the way information was viewed.

Monitoring this information gives you a head start when it comes to active or attempted system compromises.

  • Access controls

Access controls ensure that staff can only view information that’s relevant to their job. For example, someone in marketing must be able to view contact information for those who have signed up for a service, but they won’t need access to, say, HR files and payroll data.

Walling off those parts of the system ensures that staff can’t compromise that data, either accidentally or maliciously. It also limits the damage should a criminal hacker break into an employee’s account, as the attacker can only reach the data that account is authorised to see.

How do you know which software is necessary?

The examples we’ve listed will be essential for almost every organisation, as they address universal issues. But what about other types of software, like encryption programs? Should you invest in those?

The answer can be found by conducting a risk assessment. This is a process in which you identify, analyse and evaluate security risks and determine appropriate solutions.

If, once you’ve completed the assessment, you decide that certain software is necessary, then you should purchase it. If you don’t need it, then invest your money elsewhere.

A software solution to help you decide

There’s a lot at stake when you conduct a risk assessment, so it’s a good idea to get expert advice. That’s where vsRisk Cloud comes in.

This online tool helps you conduct an information security risk assessment aligned with ISO 27001, the international standard for information security.

With vsRisk Cloud, you’ll get repeatable, consistent assessments year after year. Its integrated risk, vulnerability and threat database eliminates the need to compile a list of risks, and the built-in controls help you comply with multiple frameworks, including the GDPR.

The post Is cyber security software worth the investment? appeared first on IT Governance Blog.

Essential security: Cyber Essentials and its 5 controls

Most criminal hackers aren’t state-sponsored agencies or activists looking for high-profile targets, and they don’t spend countless hours staking out and researching their targets.

Instead, they tend to be opportunistic, looking for any available target. In that regard, you can think of them like a burglar; sure, they’re aware of high-value marks, but it’s more effective to go after easier targets.

And just as a burglar will look for those marks by scouting neighbourhoods and looking for empty houses and easy access, cyber criminals will look for poor security practices by sending phishing emails or conducting network scans.

In a single day, cyber criminals can assess millions of potential targets. Attacks often target as many devices, services or users as possible using the ‘openness’ of the Internet.

Basic security controls prevent about 80% of cyber attacks

Cyber Essentials is a government-backed scheme that outlines basic steps that organisations can take to secure their systems. Implementing the five controls effectively will help you prevent about 80% of cyber attacks.

The Assurance Framework, leading to the awarding of Cyber Essentials and Cyber Essentials Plus certificates for organisations, has been designed in consultation with SMEs (small and medium-sized enterprises) to be light-touch and achievable at low cost.

Whether or not you achieve certification to the scheme, these controls provide the basic level of protection that you need to implement in your organisation to protect it from the vast majority of cyber attacks, allowing you to focus on your core business objectives.

What are the five controls?

  1. Firewalls

Firewalls are designed to prevent unauthorised access to or from private networks, but whether implemented in hardware or software they are only as effective as their configuration.

Boundary firewalls and Internet gateways determine who has permission to access your system from the Internet and allow you to control where your users can go.

Although antivirus software helps to protect the system against unwanted programs, a firewall helps to keep attackers or external threats from getting access to your system in the first place.

The protection a firewall provides is determined by its rule set, which can be adjusted like any other control. The safe starting point is to deny inbound connections by default and add explicit rules only for the services that genuinely need to be reachable.

  2. Secure configuration

Web server and application server configurations play a key role in cyber security. Failure to manage the proper configuration of your servers can lead to a wide variety of security problems.

Computers and network devices should be configured to minimise the number of inherent vulnerabilities and provide only the services required to fulfil their intended function.

This will help prevent unauthorised actions being carried out and will also ensure that each device discloses only the minimum information about itself to the Internet. A scan can reveal opportunities for exploitation through insecure configuration.

  3. User access control

It is important to keep access to your data and services to a minimum. This should prevent a criminal hacker being presented with open access to your information.

Obtaining administrator rights is a key objective for criminal hackers, allowing them to gain unauthorised access to applications and other sensitive data. Convenience sometimes results in many users having administrator rights, which can create opportunities for exploitation.

User accounts, particularly those with special access privileges, should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers and networks.

  4. Malware protection

It is important to protect your business from malicious software, which will seek to access files on your system.

Malware can wreak havoc by gaining access to systems and stealing confidential information, damaging files, or encrypting them and demanding a ransom for their return.

Protecting against a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware) and including options for virus removal will protect your computer, your privacy and your important documents from attack.

  5. Patch management

Cyber criminals often exploit widely known vulnerabilities. Any software is prone to technical vulnerabilities.

Once discovered and shared publicly, vulnerabilities can rapidly be exploited by cyber criminals.

Criminal hackers take advantage of known vulnerabilities in operating systems and third-party applications if they are not properly patched or updated.

Updating software and operating systems will help to fix these known weaknesses. It is crucial to do this as quickly as possible to close any opportunities that could be used to gain access.

The ‘sixth control’

The five controls outlined in Cyber Essentials are fundamental technical measures for security, but you must remember that technology is only as effective as the people using it.

Employees are always liable to make mistakes, and organisations must mitigate the risk by conducting staff awareness training.

What you cover in these sessions depends on your employees’ job roles. For example, if they’re involved in data processing, you should provide training on the GDPR (General Data Protection Regulation). Likewise, if they handle payment card data, they should be taught about their responsibilities under the PCI DSS (Payment Card Industry Data Security Standard).

Meanwhile, there are topics that almost every employee should study, like information security basics, phishing and the security risks associated with social media.

Teaching your employees about all of these issues might sound onerous, but it’s actually quite simple if you use an e-learning provider.

This enables employees to study at a time and place that suits them, and means you don’t have to worry about finding a trainer or halting productivity to haul your workforce into a classroom.

Free download: ‘Cyber Essentials: A guide to the scheme’  

Cyber Essentials offers the right balance between providing additional assurance of an organisation’s commitment to implementing cyber security to third parties, and retaining a simple and low-cost mechanism for doing so.

Download our free guide for more information about Cyber Essentials and how it can help you guard against the most common cyber threats.

Download now >>


A version of this blog was originally published on 29 August 2018.

The post Essential security: Cyber Essentials and its 5 controls appeared first on IT Governance Blog.

How to avoid the security mistakes that cost an estate agency £80,000 in fines

Last month, Life at Parliament View was fined £80,000 by the ICO (Information Commissioner’s Office) after security errors exposed 18,610 customers’ personal data for almost two years.

The incident occurred when the London-based estate agency transferred personal data from its server to a partner organisation but failed to implement access controls.

This meant that tenants’ and landlords’ bank statements, salary details, passport information, dates of birth and addresses were publicly available online between March 2015 and February 2017, when Life at Parliament View learned of the breach.

During its investigation, the ICO discovered many security practices that contravened the DPA (Data Protection Act) 1998. Had the incident occurred after the GDPR (General Data Protection Regulation) took effect on 25 May 2018, Life at Parliament View would have faced a much higher penalty.

Unfortunately, many organisations are vulnerable to the same mistakes. So how can you be sure that your systems and processes are secure?

Anonymous access

The breach at Life at Parliament View can largely be attributed to the company’s failure to turn off ‘Anonymous Authentication’ after completing its file transfer. This caused two major security issues.

First, the information was no longer subject to any kind of access control, meaning anyone who found the database was free to view or copy the information it contained.

That’s bad enough, but it also meant that those who accessed the database did so anonymously. Life at Parliament View had no way of knowing whether the people opening or amending the database were employees doing their job or whether the information had been compromised by an unauthorised person – be it another employee or a criminal hacker.

There were other security mistakes that exacerbated the issue, like a lack of encryption and poor staff awareness training to identify security lapses, but the root cause was the lack of access controls to ensure only authorised employees could access the sensitive information in question.

What are access controls?

Put simply, access controls are measures that restrict who can view data. They consist of two elements:

  1. Authentication: a technique used to verify the identity of a user.
  2. Authorisation: determines whether a user should be given access to data.

To be effective, access control requires the enforcement of robust policies. This can be difficult when most organisations operate in hybrid environments where data is mobile and moves between on-premises servers, the Cloud, external offices and beyond.

Organisations must determine the most appropriate access control model to adopt based on the type and sensitivity of the data they’re processing. They have several options:

  • Discretionary access control: the owner of a file or program decides which other users may access it and what they may do with it, as with conventional file permissions. Because owners can grant access freely, it is the least restrictive model.
  • Mandatory access control: a central administrator defines the access policy, typically by labelling data and users with classifications, and users cannot override it. This is the model that enforces strict ‘need-to-know’ access.
  • Role-based access control: provides access based on a user’s role, and applies principles such as ‘least privilege’ and ‘separation of privilege’. This means the user can access only the information that is required for their role.
  • Attribute-based access control: based on different attribute types: user attributes, attributes associated with the application, and current conditions. This provides dynamic, fine-grained access control but is also the most complex to operate.

Whichever model you adopt, it’s important to keep access to your data to a minimum, as this limits the opportunities for a criminal hacker to access your information.
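The models above can be combined in a single authorisation check, and this is also the place to fix the failure seen in the Life at Parliament View case: an unauthenticated caller must be refused before any other rule is consulted. The following Python policy engine is an added example, not code from the original post or from any named product. It denies anonymous requests outright, grants actions only through role-based permissions (the marketing-versus-HR split from the first post above), applies an attribute-based condition to sensitive data, records every decision so that access is never anonymous, and flags users whose combined roles breach a separation-of-duties rule. The roles, resources and rules are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical roles and the (resource, action) permissions granted to each.
# Least privilege: a role gets nothing beyond what the job needs.
ROLE_PERMISSIONS = {
    "marketing": {("contacts", "read")},
    "hr":        {("hr_files", "read"), ("hr_files", "write"), ("payroll", "read")},
    "finance":   {("payroll", "read"), ("payroll", "write")},
}

# Resources sensitive enough to need an extra, attribute-based condition.
SENSITIVE = {"hr_files", "payroll"}

# Separation of duties: no single person should hold both sides of these pairs.
CONFLICTS = [(("payroll", "write"), ("hr_files", "write"))]

audit_log = []  # (who, resource, action, allowed, reason): every decision is recorded


@dataclass
class Request:
    user: str            # None models an anonymous/unauthenticated caller
    roles: frozenset
    resource: str
    action: str
    from_office: bool = True
    hour: int = 10       # hour of day, 0-23


@dataclass
class Decision:
    allowed: bool
    reason: str


def permissions_for(roles):
    """Union of the permissions granted by a set of roles (unknown roles grant nothing)."""
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))


def authorise(req):
    """Deny-by-default decision: authentication, then RBAC, then attribute conditions."""
    if not req.user:
        d = Decision(False, "unauthenticated")
    elif (req.resource, req.action) not in permissions_for(req.roles):
        d = Decision(False, "no role grants this permission")
    elif req.resource in SENSITIVE and not (req.from_office and 7 <= req.hour < 20):
        d = Decision(False, "sensitive resource outside office network or working hours")
    else:
        d = Decision(True, "granted")
    audit_log.append((req.user or "<anonymous>", req.resource, req.action, d.allowed, d.reason))
    return d


def toxic_combinations(roles):
    """Conflicting permission pairs a user would hold through this set of roles."""
    perms = permissions_for(roles)
    return [pair for pair in CONFLICTS if pair[0] in perms and pair[1] in perms]


if __name__ == "__main__":
    print(authorise(Request("mia", frozenset({"marketing"}), "contacts", "read")))
    print(authorise(Request("mia", frozenset({"marketing"}), "payroll", "read")))
    print(authorise(Request(None, frozenset(), "contacts", "read")))
    print(toxic_combinations({"hr", "finance"}))
```

The ordering matters: identity is checked first, so a missing login can never be rescued by a permissive role, and the audit record names the caller for every decision, which is exactly the evidence the estate agency lacked when it had to work out who had read its tenants’ data.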

Access controls and Cyber Essentials

Organisations that want to understand how to implement access controls should look at Cyber Essentials, a UK government assurance scheme based on the “10 Steps to Cyber Security” guidance and administered by the NCSC (National Cyber Security Centre).

Cyber Essentials has two objectives:

  1. To set out five basic cyber security controls that can protect organisations from common cyber attacks.
  2. To provide a simple and affordable certification process for organisations to demonstrate that they have implemented essential cyber security measures.

Access control is one of the five basic controls outlined in Cyber Essentials, along with secure configuration, boundary firewalls and Internet gateways, patch management, and malware protection.

Find out more about Cyber Essentials >>

The post How to avoid the security mistakes that cost an estate agency £80,000 in fines appeared first on IT Governance Blog.

IT Governance’s 2019 Cyber Resilience Report reveals major data protection weaknesses

Anti-malware technology is one of the most basic cyber security mechanisms that organisations should have in place, but according to IT Governance’s 2019 Cyber Resilience Report, 27% of respondents haven’t implemented such measures.

This finding is even more surprising given that our customer base is naturally more knowledgeable about information security than the average organisation. Our results represent the most optimistic assessment of organisations’ cyber resilience, so the chances are things are even worse in the wider world.

Anti-malware technology isn’t the only area where organisations are neglecting essential cyber security measures. The report also found that:

  • 43% of organisations don’t have a formal information security management programme.

An information security management plan provides a comprehensive assessment of the way an organisation addresses data protection risks. It ensures that preventative measures are appropriate to the scale of the risk and that every necessary precaution is being taken.

Organisations that lack a formal plan will be tackling security measures piecemeal, if at all.

  • 33% of organisations don’t have documents that state how they plan to protect their physical and information assets.

Without documented plans, it’s impossible to track whether they work and what adjustments are necessary. More to the point, it’s possible that the organisation has no plans in place at all, exposing them to myriad threats.

  • 30% haven’t implemented identity and access controls.

Sensitive information should only be available to those who need it to perform their job, otherwise you run the risk of someone in the organisation using it for malicious purposes.

In some cases, an unauthorised person simply viewing the information is a serious privacy breach. You wouldn’t want everyone at an organisation being able to look at your medical information or political affiliations, for example. That’s why it’s essential to implement controls that ensure that only approved employees can access certain information.

Where do these figures come from?

The report has its origins in our Cyber Resilience Framework, which we developed last year to help organisations improve their ability to prevent security incidents and respond when disaster strikes.

Alan Calder, the founder and executive chairman of IT Governance, said: “Attackers use cheap, freely available tools that are developed as soon as a new vulnerability is identified, producing ever more complex threats, so it is evident that, in the current landscape, total cyber security is unachievable.

“An effective cyber resilience strategy is therefore the answer, helping organisations prevent, prepare for and respond to cyber attacks, and ensure they are not only managing their risks but also minimising the business impact.”

As part of the framework, we offered a self-assessment questionnaire, which helped organisations see how their existing measures compared to the framework and how much work was necessary to achieve cyber resilience.

We collated the results of the self-assessment to create this report, which provides a broader insight into how organisations are addressing cyber security risks and which threats are most commonly overlooked.

How does your organisation compare?

Download the report for free from our website to see the survey results in full and guidance on where organisations are going right and wrong.

If you’d like to know how your organisation compares to the survey’s respondents, our self-assessment questionnaire is still available.


The post IT Governance’s 2019 Cyber Resilience Report reveals major data protection weaknesses appeared first on IT Governance Blog.

PCI SSC warns organisations about growing threat of online skimming

Organisations that accept online payments must urgently address the threat of web-based skimming, the PCI SSC (Payment Card Industry Security Standards Council) has warned.

The alert, issued in partnership with the Retail & Hospitality ISAC (information sharing and analysis centre, https://rhisac.org/), highlights a recent increase in malware attacks targeting e-commerce websites to gain payment card data.

There’s a good chance that organisations and individuals have been compromised and aren’t yet aware, because the attacks are designed to draw as little attention to themselves as possible.

How does online skimming work?

Online skimming is a variation of a criminal tactic used to gain access to payment card information. Until recently, it was more commonly associated with physical fraud, in which criminals use a device (‘skimmer’) that interacts with a victim’s payment card.

One of the most common skimming methods is to place a duplicate card reader on top of an ATM’s payment card slot. Criminals can then siphon off card details as the card enters the machine.

This reader will typically be paired with a pinhole camera or duplicate keypad placed over the machine so that the fraudsters can log the customer’s PIN.

Online skimming works in much the same way, except the ATM is replaced by an online payment form and the physical skimming device is replaced by malicious code.

Magecart is the umbrella term for a number of criminal groups that carry out this kind of attack, historically by exploiting vulnerabilities in Magento-based online stores and other content management systems. Several recent data breaches, including those at Ticketmaster and British Airways, are believed to have been part of such card-skimming operations.

Skimming code such as JS Sniffer and the Magecart scripts is often planted through web hosting companies and third-party development firms that write code for e-commerce sites. Once attackers are inside that code, they can modify it and infect every other website served from the same environment, along with those sites’ users.

The malware extracts card details from shopping baskets and payment forms. When customers enter their payment card details, the malware ‘skims’ the information. The transaction continues as normal and neither the organisation nor the customer notices anything is amiss.

The only way to tell is if the organisation performs a thorough assessment of its security practices or the customer notices fraudulent payments coming out of their account. And by then, it is too late.

How are organisations infected?

There are many ways that an organisation’s website can be infected. The PCI SSC and the Retail & Hospitality ISAC highlight the threat of:

  • Plugin vulnerabilities;
  • Brute-force login attempts and credential stuffing (trying username and password pairs leaked from other breaches);
  • Phishing scams and other social engineering techniques; and
  • Attacks targeting third-party applications, such as advertising scripts, live chat functions and customer rating features.

Any organisation that takes online payments is at risk, and those that are infected are often targeted again within days. They should therefore take extra care to clean affected systems and address any underlying vulnerabilities to prevent reinfection.

How to detect online skimming

The PCI DSS (Payment Card Industry Data Security Standard) outlines everything organisations need to detect online skimming. They should focus on:

  • Reviewing code in order to identify vulnerabilities;
  • Using vulnerability assessment tools to test web applications;
  • Audit logging and reviewing logs and security events for all system components to identify suspicious activity;
  • Running file-integrity monitoring or change-detection software;
  • Performing internal and external network vulnerability scans; and
  • Performing penetration tests to identify security weaknesses.

Organisations should also take this opportunity to review which third-party services they use.

It’s not good enough to say you weren’t to blame for a breach because the vulnerability occurred at a service provider. Organisations are responsible for who they work with, so they must only use services from providers they trust.
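Two of the measures above, file-integrity monitoring and reviewing the third parties whose scripts you load, can be applied directly to the checkout page itself. The Python script below is an added example (it is not from the PCI SSC alert or the original post): it extracts every script tag from a page, fingerprints each with SHA-256, compares the result against a previously recorded baseline, and flags any external script served from a host outside an allowlist. The two HTML pages, the injected script and the allowlist are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts expected to serve script on the checkout page (hypothetical allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Constructed checkout page as recorded when it was last reviewed.
BASELINE_PAGE = """<html><body>
<form id="checkout"><input name="card"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>window.shop = {currency: "GBP"};</script>
</body></html>"""

# Constructed copy of the same page as served today: the inline script has changed
# and an extra script from an unknown host has appeared.
CURRENT_PAGE = """<html><body>
<form id="checkout"><input name="card"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>window.shop = {currency: "GBP"}; window.shop.debug = 1;</script>
<script src="https://cdn-static.invalid/lib.js"></script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects every <script> on a page: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.scripts = []       # list of (kind, value)
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.append(("src", src))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("inline", "".join(self._buf).strip()))


def fingerprint(html):
    """Return {identifier: sha256} for every script on the page."""
    p = ScriptCollector()
    p.feed(html)
    manifest = {}
    for i, (kind, value) in enumerate(p.scripts):
        key = value if kind == "src" else f"inline#{i}"   # inline scripts keyed by position
        manifest[key] = hashlib.sha256(value.encode()).hexdigest()
    return manifest


def compare(baseline, current):
    """File-integrity style diff plus a third-party host check; anything returned is a finding."""
    findings = []
    findings += [("ADDED", k) for k in current.keys() - baseline.keys()]
    findings += [("REMOVED", k) for k in baseline.keys() - current.keys()]
    findings += [("MODIFIED", k) for k in baseline.keys() & current.keys() if baseline[k] != current[k]]
    for key in current:
        host = urlparse(key).hostname   # None for inline and same-origin scripts
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("UNTRUSTED_HOST", key))
    return sorted(findings)


if __name__ == "__main__":
    for finding in compare(fingerprint(BASELINE_PAGE), fingerprint(CURRENT_PAGE)):
        print(finding)
```

Run it against the live checkout page on a schedule and alert on any finding: a new or changed script, or one loaded from a host nobody approved, is what a skimmer injection looks like from the server side, which is why the PCI SSC lists change detection alongside the third-party review. The same digests can also be used as Subresource Integrity values for the external scripts you do trust, so that browsers refuse to execute them if they change.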

Protect yourself from online skimming

As a CREST-accredited provider of security testing, and a certified PCI QSA (Qualified Security Assessor) company, IT Governance can help with all your PCI DSS compliance needs.

Find out more about our cyber security and security testing products and services.

The post PCI SSC warns organisations about growing threat of online skimming appeared first on IT Governance Blog.

How to conduct an ISO 27001 internal audit

To maintain compliance with ISO/IEC 27001 (ISO 27001), you need to conduct regular internal audits.

An ISO 27001 internal audit will check that your ISMS (information security management system) still meets the requirements of the ISO 27001 standard.

Regular audits can be beneficial, since they enable continual improvement of your framework.

The ISMS audit process can pose a challenge, though. This is because unlike ISO 27001 implementation, there is no formal internal audit methodology to follow.


Get started with your ISO 27001 audit plan

To help you achieve ISMS internal audit success, we have developed a five-step checklist that organisations of any size can follow.


1) Documentation review

You should begin by reviewing the documentation you created when implementing your ISMS.

This is because the audit’s scope should match the scope of your ISMS.

Reviewing the documentation therefore sets clear limits for what needs to be audited.

You should also identify the main stakeholders in the ISMS.

This will allow you to easily request any documentation that might be required during the audit.


2) Management review

This is where the audit really begins to take shape.

Before creating a detailed audit plan, you should liaise with management to agree on timing and resourcing for the audit.

This will often involve establishing set checkpoints at which you will provide interim updates to the board.

Meeting with management at this early stage allows both parties the opportunity to raise any concerns they may have.


3) Field review

This is what you might think of as the ‘audit proper’. It is at this stage when the practical assessment of your organisation takes place.

You will need to:

  • Observe how the ISMS works in practice by speaking with front-line staff members.
  • Perform audit tests to validate evidence as it is gathered.
  • Complete audit reports to document the results of each test.
  • Review ISMS documents, printouts and any other relevant data.

4) Analysis

The evidence collected in the audit should be sorted and reviewed in relation to your organisation’s risk treatment plan and control objectives.

Occasionally, this analysis may reveal gaps in the evidence or indicate the need for more audit tests.


5) Report

You will need to present the audit’s findings to management. Your report should include:

  • An introduction clarifying the scope, objectives, timing and extent of the work performed.
  • An executive summary covering the key findings, a high-level analysis and a conclusion.
  • The intended recipients of the report and, where appropriate, guidelines on classification and circulation.
  • An in-depth analysis of the findings.
  • Conclusions and recommended corrective actions.
  • A statement detailing recommendations or scope limitations.

Further review and revision might be needed, because the final report typically involves management committing to an action plan.


Need help with your ISO 27001 audit?

At IT Governance, we’re serious about security.

Our unique combination of technology, methodology and expertise will give you the peace of mind that your organisation is secure and compliant.

You can take the hassle out of the audit process and save time and money with our market-leading ISO 27001 ISMS Documentation Toolkit.

Developed by expert ISO 27001 practitioners, it contains a customisable scope statement as well as templates for every document you need to implement and maintain an ISO 27001-compliant ISMS.

The ISO 27001 ISMS Documentation toolkit includes a template of the internal audit procedure.


A version of this blog was originally published on 18 July 2018.

The post How to conduct an ISO 27001 internal audit appeared first on IT Governance Blog.

What is ethical hacking? A guide to white-hat attacks and penetration tests

It sounds crazy to the uninitiated, but organisations across the globe pay people to break into their systems and find sensitive information.

The reason they do this is simple: to catch a thief, you must think like one. Organisations hire ethical hackers to make sure they have someone who’s one step ahead of the tactics that crooks use.

What is ethical hacking?

Ethical hacking (or penetration testing) refers to the authorised exploitation of networks and applications, with the intention of informing the organisation about the vulnerabilities you discover.

With the vulnerabilities the ethical hacker discovers, organisations can implement defences to stop criminals before they’ve had a chance to target the organisation.

What does an ethical hacker do?

Ethical hackers identify and exploit vulnerabilities using the same methods as a criminal hacker. The only difference is that ethical hackers operate within the law, and don’t use any of the information they’ve discovered maliciously.

Attacks may involve exploiting system misconfigurations, sending the organisation’s staff phishing emails with the intention of gathering their login credentials, or breaching the physical perimeter.

As the threat landscape has evolved, ethical hackers are sometimes commissioned to carry out long-term engagements. They will watch and analyse an organisation, looking for patterns that can be exploited. One method they might use is to leave removable devices containing malware in a public area to see whether an employee plugs one into one of the organisation’s computers.

Can I trust ethical hackers?

You might be unnerved at the prospect of allowing an ethical hacker to root around in your organisation, but there’s nothing to fear as long as you hire a qualified ethical hacker through a trusted third party.

How to become an ethical hacker

You can gain all the skills you need to become an ethical hacker by taking our Certified Ethical Hacker (CEH) Training Course.

This five-day course gives you practical, hands-on experience with ethical hacking. You’ll be shown the strategies, tactics, technologies, tools and motivations of criminal hackers, and be given the opportunity to replicate their methods.

After the course, our tutor will be available to provide support and answer any questions you may have. You’ll also be given six months’ online access to EC-Council iLabs to further develop your skills.

When you’re ready, you can sit the CEH Practical exam, where you’ll be tested on your ability to identify and exploit vulnerabilities in operating systems, databases and networks.

Those who pass will receive the CEH (Practical) certification, which is globally recognised as the vendor-neutral qualification of choice for developing a senior career in ethical hacking and penetration testing.

Find out more >>


A version of this blog was originally published on 2 May 2017.

The post What is ethical hacking? A guide to white-hat attacks and penetration tests appeared first on IT Governance Blog.

The psychology behind phishing attacks

With 3.4 billion malicious emails sent every day, phishing poses a massive risk to organisations of all sizes.

However, the threat doesn’t just come from the volume of scams, but from their idiosyncrasy. The measures you put in place to protect you from most cyber attacks – anti-malware, perimeter scans, vulnerability assessments, etc. – are inadequate when it comes to phishing, because fraudsters don’t exploit technological weaknesses.

They instead target employees using a tactic known as social engineering.

What is social engineering?

Social engineering is a collective term for the ways people are manipulated into performing certain actions.

In an information security context, it refers to the methods fraudsters use to get people to hand over sensitive information and expose themselves to malware.

Phishing is a classic example of social engineering, as the scams emulate legitimate organisations and attempt to trick people into complying with a request.

How do phishing scams manipulate us?

In some ways, it seems impossible that people could fall for phishing. Awareness is at a record high, popular targets like Amazon have dedicated phishing prevention pages and many bogus emails do a poor job of imitating their target.

Yet phishing is as successful as ever. Why? Because it taps into people’s fears to such an extent that they can’t spot the signs of bogus emails.

For example, many messages replicate services that possess sensitive information or are essential for the user’s quality of life. This explains the prevalence of phishing emails that relate to tax forms or entertainment services like Netflix.

A 2017 PhishMe survey found that fear was the most effective motivating factor for someone to click a link or open an attachment in a phishing email.

The organisation sent a series of benign phishing emails to respondents and found that the most successful scam spoofed a bar association that claimed that a grievance had been filed against the recipient. It tricked 44% of respondents.

A similar scam email imitating an accountancy firm that claimed a complaint had been filed against the recipient was successful 34% of the time.

Catching us off guard

Although people are always susceptible to phishing, cyber criminals increase their chances of success by sending scams at times when we are most vulnerable.

Phishing has a comparatively low success rate when the recipient is busy or thinking about something else when they receive the message. The sense of urgency is diminished on, say, Monday mornings, when employees have plenty of other urgent tasks.

When they come back to the email a few hours later, they are more likely to notice the things that seem suspicious. Or, if the message is imitating a colleague, they’ll see that person in the office, ask about their request and realise that it was a scam.

Criminals therefore try to send scams when people are most likely to take action right away, which means scheduling them for times when recipients are least likely to be busy. Fridays are sometimes considered the peak time for phishing, but you’re just as likely to fall victim during the middle of the week.

Whatever day it is, the consensus is that you’re most vulnerable during your lunch break and in the early afternoon. This is because most of us take a break from whatever task we were doing. We might use the time to check our emails, and the message may appear as we sit there with no other tasks at hand.

How vulnerable are your staff?

There’s a simple way to assess how big of a threat phishing poses to your organisation: send your employees a scam email.

This might sound reckless, but it’s perfectly safe. Our Simulated Phishing Attack service sends your employees a typical example of a phishing email without the malicious payload.

This gives you the opportunity to monitor how your employees respond. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact a senior colleague to warn them?

You can use the answers to guide your information security measures and to act as a reference point when it comes to staff awareness training.

Find out more >>


A version of this blog was originally published on 23 November 2016.

The post The psychology behind phishing attacks appeared first on IT Governance Blog.

List of data breaches and cyber attacks in July 2019 – 2.3 billion records leaked

Remember after last month’s relatively serene cyber security scene we said this wasn’t the beginning of the GDPRevolution?

July was bound to be a bounce-back month, but we couldn’t have expected the frighteningly high total of 2,359,114,047 breached records.

Granted, a big chunk of those come from a single incident – a mammoth breach involving a Chinese smart tech supplier – but as unimaginative football commentators say, ‘they all count’.

Let’s take a look at the full list:

Cyber attacks



Ransomware


a business will fall victim to a ransomware attack every 14 seconds in 2019, and every 11 seconds by 2021.


Data breaches

Financial information

Malicious insiders and miscellaneous incidents

In other news…

The post List of data breaches and cyber attacks in July 2019 – 2.3 billion records leaked appeared first on IT Governance Blog.