Author Archives: Luke Irwin

New online gambling rules might increase the likelihood of data breaches

The UK introduced new rules intended to make online gambling safer earlier this month, but there are concerns that they have created additional information security risks.

Under the new requirements, which came into effect on 7 May, anyone who registers for an online gambling site needs to provide proof of their age, name and address. However, this could be an extra incentive for cyber criminals to target gambling organisations, as these additional personal details, held alongside financial data, make a potent combination for conducting fraud.

Why are gambling operators asking for this information?

Previously, it had been possible to create an account with a gambling operator without having to verify your identity and date of birth. You would only need to provide this information if you were trying to withdraw money from your account.

The new rules require gambling operators to confirm this information before users deposit funds or access free-to-play games. According to the Gambling Commission, operators can generally find the necessary information by matching the details that users give to them with existing databases.

However, it adds that “there may be occasions when this information is not enough to be sure who you are. For example, if information has been spelt wrongly or people with similar names live at the same address.

“In these situations you may be asked to provide copies of documents that prove who you are. This could include passports, driving licences and household bills.”

These checks are primarily intended to ensure the user is old enough to gamble, but they can also help operators see whether the user has self-excluded from the gambling company’s site and that they aren’t using criminal proceeds.

They are also part of a wider move to better regulate the gambling industry. The UK recently cut the maximum bet on fixed-odds betting terminals from £100 to £2 and is now turning its attention to gambling on credit. In a report published last year, the Gambling Commission said it would consider “whether gambling on credit should continue to be permitted” as it “increases the risk that consumers will gamble more than they can afford”.

Culture Secretary Jeremy Wright has called on banks and bookmakers to meet to discuss gambling industry regulations. “Protecting people from the risks of gambling-related harm is vital and all businesses with connections to gambling – be that bookmakers, social media platforms or banks – must be socially responsible,” he said.

“The government will not hesitate to act if businesses don’t continue to make progress in this area and do all they can to ensure vulnerable people are protected.”

Is your personal data at risk?

Any time a system requires organisations to access more personal data, the risks associated with that information increase. The risk of data breaches also increases whenever financial records are involved, because they are more valuable to cyber criminals.

Whereas most personal data is worth only what someone is willing to pay for it on the dark web, financial information can be used to access funds directly. In many instances, all crooks need to do is transfer and then launder the money. This tactic has become increasingly popular in recent years as the value of personal data decreases on the dark web due to the surplus in supply.

Depending on the additional information that online gambling companies use to verify an account, crooks could potentially have a route into users’ bank accounts. At the very least, they’ll probably have enough information to launch a sophisticated phishing attack.

As such, it’s essential that gambling operators introduce appropriate technical and organisational measures to protect the information they obtain to verify a user’s identity.

Want to know whether your organisation is doing enough?

You can learn everything you need to stay secure by reading our free green paper: Gambling Commission Annual Security Audits – Increase your odds.

This paper is essential reading for any gambling operator that wants to ensure their organisation complies with the Gambling Commission’s remote gambling and software technical standards. It covers the security requirements you need to meet and offers guidance on the steps you should take to pass your audit.


The post New online gambling rules might increase the likelihood of data breaches appeared first on IT Governance Blog.

How to write a business continuity plan: the easy way

Earthquake. Flood. Cyber attack. The threat of disruption looms over organisations more ominously than ever, thanks to the increasing infiltration of technology in business processes, consumer expectations and the rapid rise in cyber crime.

You’ll rarely get advance warning about disruptions, so you need to prepare for whatever might come your way with a BCP (business continuity plan).

In this blog, we explain how a BCP works, what it covers and how to create one.

What is a business continuity plan?

A BCP outlines the processes and procedures that an organisation must follow to continue operating in the event of a disruption. The steps outlined in a BCP are typically a set of temporary measures or quick fixes to ensure that the most important business operations remain functional, even if at the cost of overall productivity.

Organisations’ top priorities tend to be their technologies, and for good reason. Network connections, online systems, phone lines, network drives, servers and business applications are all vulnerable to a range of disruptions and can cause huge headaches if they are compromised.

But business continuity planning isn’t about recovering IT. It’s primarily concerned with critical activities that, if disrupted, could immediately jeopardise your productivity or the availability of your services. In that regard, it simply considers IT a critical resource for preserving those activities – in other words, a dependency.

However, recovering your IT may take some time, so you should have a plan for how to manage in the meantime. Such temporary solutions may well be lo-fi; even so, organisations must outline them in a BCP to ensure employees know what’s expected of them.

Business continuity vs disaster recovery

BCPs shouldn’t be confused with DRPs (disaster recovery plans), even though they both tackle the immediate aftermath of a disruption.

Business continuity focuses primarily on ensuring that you maintain functionality – even if at reduced capacity – in the event of an incident while attending to the disruption. Disaster recovery is a purely corrective measure that looks to recover to full IT functionality as quickly as possible.

These concepts might sound similar, but business continuity’s focus on reviving the most critical business functions first and foremost is a crucial difference, and one that justifies treating it separately from disaster recovery. The latter is usually used only in an IT context: partially working technology is often of little use to operations, yet achieving full recovery may take some time.

Business continuity recognises that time is of the essence, and often involves temporary fixes that ensure vital operations continue. Recovery is also time-sensitive; temporary solutions don’t tend to offer the same level of productivity, so you don’t want to rely on them for long.

Whether taking a disaster recovery or business continuity approach, your objective should be to create a plan that buys you enough time to recover within an acceptable timeframe as defined by your RTO (recovery time objective). Just remember that business continuity has to consider two timeframes: when to be up and running again, and when to be back to full functionality.

Common threats to business continuity

Most disruptions that you will experience fall into one of these categories:

  • Natural disasters

Earthquakes, hurricanes and wildfires might spring to mind when you think of natural disasters, and although they often disrupt business, you only need to worry about them if you live in a part of the world where they are known to occur.

However, natural disasters also include snowstorms, heavy wind and floods, which are less dependent on geography but can still disrupt business, and which you should therefore plan for.

  • Man-made disasters

Your main concern in this category should be events that damage or disrupt transport routes, like car accidents and train crashes. If a major road or rail network is shut down, you might be unable to receive deliveries, and employees and customers might not be able to reach you.

Other man-made disasters include oil spills, terrorist acts, industrial accidents and acts of war.

  • Utility failures

Electrical fires and burst pipes can cause huge problems for organisations and are liable to occur at any time.

A fire or flood could damage expensive equipment or require a room to be vacated. If a sewage line is broken, the sanitary risk (not to mention the smell) could force the organisation to send its employees home.

  • Technological failures

Sometimes technology can simply stop working. Systems crash, files are lost and documents go missing. The causes of technological failures are so varied and unpredictable that it’s impossible to anticipate how or when they will occur. Treat them as an ever-present risk that will materialise at some point, and be ready for when it does.

  • Human error

An organisation’s staff is often its biggest security weakness. Employees will lose or accidentally expose data from time to time, and although staff awareness training will reduce the risk, it won’t eradicate the threat. Humans inevitably make mistakes, and you need to be aware of that when planning for disruptions.

  • Sabotage

Employees might also breach data deliberately. This typically happens if they are disgruntled at work (maybe they were turned down for a promotion) or have left the organisation acrimoniously and their login credentials are still active.

There’s also the possibility that staff will simply be lured by the financial gain from stealing sensitive information and selling it on the dark web.

  • Cyber attacks

The most frequent examples of cyber attacks include phishing emails (which are designed to steal information), brute-force attacks (in which crooks use automated software to crack an employee’s password) and ransomware (which locks down an organisation’s system until a fee is paid).

These are far from the only threats you need to plan for, though. Organisations’ networks and the applications used will contain dozens of vulnerabilities that crooks are always looking to exploit.

Why business continuity planning is so important

The most obvious reason to implement a BCP is to ensure that your organisation remains productive in the event of a disruption. Customers must still be able to use your services, employees must be able to continue doing their job and you can’t allow yourself to face a huge backlog of work as the delay continues.

But business continuity isn’t only about short-term goals. The cyber security landscape has become increasingly volatile in recent years, with cyber crime continuing to spiral and organisations’ reliance on technology leading to vast numbers of accidental and deliberate data breaches. As a result, organisations need to prove to customers and stakeholders that they are prepared for anything.

Business continuity is especially important for OES (operators of essential services) and DSPs (digital service providers), as a disruption could cause major problems for a large section of the population. To ensure that such organisations are sufficiently prepared for risks, the EU adopted the NIS Directive, which was transposed into UK law as the NIS (Network and Information Systems) Regulations 2018.

DSPs within the Regulations’ scope are explicitly required to put business continuity measures in place. Although the same isn’t true of OES, they should still consider implementing a BCP as a means of providing a more reliable service.

Benefits of business continuity planning

Beyond the obvious reasons to implement a BCP (to remain functional in the event of a disruption), you should also consider its ability to:

  • Protect your organisation’s reputation: If you demonstrate a fast and efficient response to disruption, the public will almost certainly be impressed by the way you operate. This will mitigate any negative sentiment that accompanies the loss of productivity, and it might even improve your reputation.
  • Boost employees’ morale: No one wants to work in a chaotic environment, so your staff will be pleased to know that management has a plan in case things go wrong. If the plan is well written (which we’ll show you how to do shortly), everyone in the organisation will be accounted for, which will prove to employees that management has considered their needs.
  • Build your relationship with third parties and subsidiaries: An effective BCP demonstrates that the organisation is being run well from top to bottom, which will encourage anyone that you work with. It shows that you are a reliable partner that has taken into account its responsibilities to customers, employees and partners.

Writing your business continuity plan: 8 simple steps

  1. Purpose and scope of the BCP

Your first task is to define the purpose and scope of the plan. This is especially relevant if your organisation comprises several subsidiaries or is based in different locations, as each one will have its own requirements.

If this is the case, it’s up to you to decide whether to create one plan that covers each subsidiary/location separately or to focus on just one part of your business.

  2. Responsibilities

The next step is to decide which employee(s) will be responsible for enacting the plan. You might opt to put one person in charge of the plan or delegate responsibility to people across your organisation.

Small organisations might be able to get away with a single leader, as there’s a good chance that a senior member of staff will have oversight of every department and its needs. However, if that’s not the case, a group of employees will need to share responsibility.

You also need to identify who has the authority to grant financial costs outside of the normal department budget. This could be the same person (or people) responsible for enacting the plan, or it could be a specific duty assigned to someone else.

  3. Invoking the BCP

This step defines when and how the plan will take effect. After all, it’s not always clear that a serious (and possibly planned-for) disruption has occurred; it’ll often begin with, say, the office lights going out and employees looking across the room at each other asking: ‘What’s going on?’

It’s only when someone takes charge that you can determine what caused the problem and how to respond. You don’t need to get into specifics here (that’s covered in step five), but you do need to document who will get the process started, how response teams will be mobilised and where those responsible for enacting the plan should meet.

  4. Specific BCP content

This is the meat of your plan, containing the actions you will take to recover from various incidents. It will be the result of two other processes – the risk assessment and BIA (business impact assessment) – in which you identify the threats you face and the way your organisation will be affected by them.

Once you’ve collected this information, you should take each business disruption and outline:

  • Steps that must be taken to protect individuals (staff, customers and third parties) during the business disruption;
  • Actions that should be taken to contain the disruption and prevent further loss, disturbance or unavailability of prioritised activities;
  • Guidelines on record-keeping requirements during and after the incident (such as what needs to be recorded and where);
  • Prioritised recovery objectives and the actions and resources that are needed to achieve them; and
  • Internal and external (inter)dependencies and interactions, and how these might impact one another during a disruptive incident.

  5. Communications

This stage focuses on internal and external communications. Internal communication refers to the way you will keep employees informed about the state of the business, something that’s particularly important if your usual modes of communication are disabled due to the disruption.

In the event of serious disruptions, you should also consider contacting employees’ next of kin to update them on their wellbeing. This is both thoughtful and prevents your organisation’s phone lines being jammed by concerned family members.

External communication refers to the way you will deal with the media regarding the incident. If the disruption is severe enough, you should release a statement explaining the nature of the incident, what has been affected and how you are responding. In extreme cases, you might also be obliged to give interviews, in which case you should decide who will represent your organisation and what your strategy will be.

  6. Stakeholders

You will be required to contact stakeholders as soon as possible following a disruption, so your BCP should contain their contact details for easy reference.

  7. Appoint a business continuity manager

The business continuity manager is responsible for documenting the plan and keeping it safe. They are also responsible for reviewing the plan to make sure the information is accurate. For example, if someone with BCP responsibilities leaves the organisation, the business continuity manager should flag this, so the team can appoint a successor.

  8. Change management

Once the plan is finalised, it should be published in hard copy and as a digital file, and be made accessible to all members of staff.

Every time changes are made to the BCP, you must ensure that the digital and hard-copy forms are updated.

Don’t forget to test your plan

The only way to be sure that your plan works is by testing (or ‘validating’) it. How often you test the plan is up to you, but we recommend doing it at least twice a year or whenever there are substantial changes to your organisation.

There are three types of test that you can conduct:

a. Table-top exercise

A table-top exercise is essentially a read-through of the plan. Senior employees and those with BCP responsibilities should go through the plan together, looking for gaps and ensuring that all business units are represented.

b. Structured walkthrough

A structured walkthrough is like a rehearsal, with each team member role-playing their responsibilities according to specified disruptions. The objective is to familiarise employees with their responsibilities and to make sure the plan works as intended.

You might choose to simulate the process across the entire organisation, but it can obviously be difficult to make everyone available at the same time, particularly given that the walkthrough will probably have to occur outside of office hours. As such, you might choose to split the walkthrough across the week, with one or two departments playing out a disaster at a time.

c. Disaster simulation testing

A disaster simulation test is essentially a dress rehearsal. You create a test environment that simulates an actual disaster across the entire organisation and then put the plan into action.

Unlike other types of test, you aren’t looking for gaps as you go. Instead, you should see the plan through to its conclusion, so you know exactly what the consequences of your actions (or lack thereof) are. Only after you’ve seen the plan through to the end should you review your actions and look for ways to improve.

Business continuity planning made simple

Anyone looking for help on how to develop and document their BCP should take a look at our free BCP template.

It expands on the eight steps we’ve listed in this article, showing you exactly how to structure your plan.


The post How to write a business continuity plan: the easy way appeared first on IT Governance Blog.

Pharmaceutical companies exploited by phishing scam targeting job seekers

Earlier this month, two major pharmaceutical giants issued warnings about phishing emails targeting job hunters.

GlaxoSmithKline and AstraZeneca say they are victims of recruitment scams, in which crooks create fake job adverts to obtain people’s personal and financial details. The bogus ads can be hard to spot, because they use legitimate logos and material, and hide the scammers’ email addresses effectively.

How the scam works

Based on AstraZeneca and GlaxoSmithKline’s statements, this is a fairly standard case of recruitment fraud. Job seekers find the fake advert on a recruitment site and provide their CV, which will typically include the applicant’s name, email address, current employer and other personal details.

The scammers will then email the applicant to say they are being considered, before offering them a job. At this point, one of two things will happen.

The scammers might refer the victim to an employment agent (also fake), who will ask for money to complete registration fees. Alternatively, the victim might report directly to the HR department of the bogus employer.

Either way, the final step of the crooks’ plan is to ask for financial details to pay the employee’s salary into. They will instead use the details to steal money, before cutting all ties with the victim.

Why it’s so successful

Recruitment fraud seems like one of the more obvious scams to spot. How could anyone’s alarm not be raised if they are offered a job without an interview?

Unfortunately, red flags like that are ignored in all kinds of phishing scams, and this scheme is a perfect example of why that happens. Most of us know how disheartening it is to send off application after application knowing that you probably won’t ever hear anything back. It’s therefore completely understandable that curiosity and/or hope might get the better of you when you hear that you’re not only in consideration but have also been offered a job.

Sure, you’re likely to be a little suspicious, but it’s a highly respected organisation like GlaxoSmithKline or AstraZeneca, so it must be legitimate, right?

It’s only in retrospect that you see all the clues that should’ve confirmed your suspicions.

What should you be looking for?

GlaxoSmithKline says job hunters can determine the legitimacy of an advert by asking:

  • Are there major spelling or grammatical errors in the communication?
  • What is the sender’s email address? Does this seem consistent with previous communications?
  • Who is sending the email? Search the name online to determine whether it’s a real employee and whether they are the appropriate person to be managing the application process.

It adds that an advert posted by a third party isn’t necessarily fraudulent, but recommends that job hunters research the company to see if they represent the organisation.

It’s not the end of the world if you don’t spot a scam during the application process. The crooks will have your contact details and any other information on your CV, but at least they won’t have your financial details. Preventing that from happening is simple, provided you remain cautious.

AstraZeneca and GlaxoSmithKline remind job hunters that they never ask for money during the recruitment process (no legitimate organisation would). The latter adds that:

If you receive a genuine job offer of a job with us, whether the offer is made directly by us or through an agency, you will not be required to pay any money towards administration fees.

We also recommend that you do not disclose personal or financial details to anyone you do not know.

As is standard, GlaxoSmithKline says that interviewees or those who have been offered jobs might be asked to provide passport information or other personal identification, such as a National Insurance number.

If you receive and accept a job offer, you will obviously have to provide financial information; this will typically be at the same time as you sign your employee contract. However, you should only be asked for account information, which is used to deposit funds, rather than the card number, which is used to withdraw funds.

Can you spot a phishing scam?

The warnings issued by AstraZeneca and GlaxoSmithKline show just how big of a threat phishing poses. The methods for spotting and preventing it are the same no matter what form the scam takes, yet millions of people fall victim in both personal and work environments.

When it comes to recruitment scams, it’s up to individuals to protect their own data, but organisations have a lot more at stake. An employee who can’t spot a malicious email is liable to hand over vast amounts of sensitive information or expose the organisation to further threats. For example, most ransomware attacks are spread via phishing emails.

Organisations can tackle that threat with our Phishing and Ransomware – Human patch e-learning course.

This ten-minute course explains the basics of email-based threats, showing staff how to spot and avoid phishing scams and ransomware.

The post Pharmaceutical companies exploited by phishing scam targeting job seekers appeared first on IT Governance Blog.

Why ISO 27005 risk management is the key to achieving ISO 27001 certification

If you’re familiar with ISO 27001, you’ll know that it’s the international standard for information security and contains the certification requirements that are expanded upon throughout the ISO 27000 series.

There are 46 standards in total in the series (although only a few apply to every organisation), of which ISO 27005, the risk management standard, is arguably the most important and easiest to get wrong.

What is risk management?

Risk management is the process of analysing how an organisation will be affected by a disruptive incident and what the consequences might be. This includes any scenario in which the confidentiality, integrity and availability of data is compromised.

Assessing these risks helps inform your decision about the best way to reduce risk to an acceptable level.

Getting this process right is essential, because your entire ISMS (information security management system) is shaped around your response to risks. You need an accurate estimation of how risks will play out in order to prioritise the biggest threats and adopt the appropriate controls.

What does ISO 27005 say?

As with every standard in the ISO 27000 series, ISO 27005 doesn’t prescribe a specific approach to risk management. This is because organisations have their own challenges and must tackle them in a way that suits them.

This is markedly different from other popular risk management standards such as OCTAVE and NIST SP 800-30, which adopt a one-size-fits-all approach and are perceived to restrict business efficiency and productivity.

That’s not to say organisations have to figure everything out themselves. ISO 27005 provides a detailed but flexible structure to meet its requirements, comprising five stages.

1. Identification

  • Identify assets: First, you need to locate every piece of information you hold and determine whether it is a ‘primary’ or ‘supporting’ asset. Primary assets are information or business processes, and supporting assets are related IT systems, infrastructure and people resources. Organisations are required to identify primary assets, and supporting assets that could have an impact on the primary asset, typically giving details about asset ownership, location and function.
  • Identify threats: Threats are many and varied, and should be continuously monitored to take into account new and emerging threats.
  • Identify vulnerabilities: Your organisation will have weaknesses in its technology, people (human error, malicious action, social engineering, etc.) and processes, all of which need to be identified.
  • Identify existing controls: Unlike other risk assessment methodologies, an ISO 27005 risk assessment requires an organisation to identify all of its existing controls and to take into account the protection provided by these controls before applying any new ones.

2. Assessment

ISO 27005 encourages organisations to focus their response efforts on the biggest threats, so you should use the information you’ve gathered about your assets, vulnerabilities and threats to prioritise the biggest risks.

There are many ways to do this, but the most common approach involves the following equation:

Risk = (the probability of a threat exploiting a vulnerability) x (total impact of the vulnerability being exploited)


3. Treatment

Now that you know the level of risk that each threat poses, you need to decide how you’ll treat them. There are four options:

  • Modify the risk by implementing a control to reduce the likelihood of it occurring. For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
  • Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them off-site. This option will make things less convenient for your employees but will drastically improve your security posture.
  • Share the risk with a third party. There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal, because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
  • Retain the risk. This means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.

The method you choose depends on your circumstances. Avoiding the risk is the most effective way of preventing a security incident, but doing so will probably be expensive if not impossible. For example, many risks are introduced into an organisation by human error, and you won’t often be able to remove the human element from the equation.

You’ll therefore be required to modify most risks. This involves selecting the relevant information security controls, which are outlined in Annex A of ISO 27001 and explained further in ISO 27002.
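The assessment equation above and the four treatment options are easier to apply consistently when the risk register is scored mechanically. The following is an added example, not the standard’s own tooling or code from this blog: it builds a small constructed register of assets, threats and vulnerabilities, scores each entry with Risk = likelihood × impact, credits the existing controls before ranking (as the identification step requires), and flags every residual risk above a stated risk appetite as needing treatment rather than retention. The three-point scales, the control reduction values and the appetite of 3 are assumptions for illustration; ISO 27005 does not prescribe them.

```python
from dataclasses import dataclass

# Hypothetical three-point scales. ISO 27005 does not prescribe these values;
# an organisation picks its own scales and its own risk appetite.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    asset: str                      # primary or supporting asset from the identification step
    threat: str
    vulnerability: str
    likelihood: str                 # probability of the threat exploiting the vulnerability
    impact: str                     # impact if it does
    existing_control: str = "none"  # control already in place before any new ones are chosen
    likelihood_reduction: int = 0   # scale points the existing control removes from likelihood
    impact_reduction: int = 0       # scale points it removes from impact

    def inherent_score(self) -> int:
        """Risk = likelihood x impact, ignoring existing controls."""
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_score(self) -> int:
        """Same equation after crediting the controls already in place."""
        likelihood = max(1, SCALE[self.likelihood] - self.likelihood_reduction)
        impact = max(1, SCALE[self.impact] - self.impact_reduction)
        return likelihood * impact


# Constructed register for illustration only; none of these entries describes a real system.
RISK_REGISTER = [
    Risk("Customer database", "External attacker", "Unpatched web application",
         "high", "high", "Monthly patch cycle", likelihood_reduction=1),
    Risk("Work-issued laptops", "Theft", "Devices carried off-site",
         "medium", "high", "Full-disk encryption", impact_reduction=1),
    Risk("Finance mailboxes", "Phishing", "Staff act on spoofed payment requests",
         "high", "medium", "Annual awareness training", likelihood_reduction=1),
    Risk("Office printer", "Hardware failure", "No spare unit",
         "medium", "low"),
]


def rank_risks(register):
    """Highest residual risk first; ties broken by inherent score, then asset name."""
    return sorted(register,
                  key=lambda r: (-r.residual_score(), -r.inherent_score(), r.asset))


def needs_treatment(risk, risk_appetite):
    """True when the residual risk is above what the organisation is willing to retain."""
    return risk.residual_score() > risk_appetite


def assessment_table(register, risk_appetite):
    """Rows of (asset, threat, inherent, residual, decision) in priority order.
    'treat' means one of modify, avoid or share must be chosen; 'retain' means the
    risk sits within appetite and may be accepted."""
    rows = []
    for r in rank_risks(register):
        decision = "treat (modify/avoid/share)" if needs_treatment(r, risk_appetite) else "retain"
        rows.append((r.asset, r.threat, r.inherent_score(), r.residual_score(), decision))
    return rows


if __name__ == "__main__":
    for row in assessment_table(RISK_REGISTER, risk_appetite=3):
        print("%-22s %-20s inherent=%d residual=%d -> %s" % row)
```

Running the block prints the register in priority order: the unpatched customer database tops the list even after the patch cycle is credited, the laptop and phishing risks tie once encryption and training are counted, and the printer falls within appetite and is a candidate to retain. The point of separating inherent from residual scores is that it makes the “identify existing controls” step visible in the numbers, so a review can later check whether a credited control is actually delivering the reduction assumed for it.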

4. Communication

You need to keep a record of how you are tackling the risk and inform anyone who might be affected.

For example, if you’ve modified the risk of certain sensitive documents being misappropriated by applying access controls to them, you should tell your employees. This ensures that, should a staff member be denied access when they have a legitimate need to view the information, they know what the issue is and what action to take.

Likewise, if you’re avoiding a risk by no longer doing whatever it is that caused the problem, you also need to pass on the message to your staff.

5. Review

Risk management (and ISO 27001 compliance generally) is an ongoing process, so you need to regularly monitor your management plan. This serves two purposes. First, it enables you to check whether the treatment options you selected are working as intended. You might find that a control you implemented isn’t addressing the risk as well as you’d hoped or that it’s simply not appropriate. Likewise, you might have chosen to avoid certain risks but found that they are still present.

Second, it enables you to assess the changing threat landscape. New risks will have emerged and existing ones might have transformed, forcing you to reassess your priorities and your approach to risk management.

Learn how to deliver effective ISO 27005 risk management

Our ISO 27005 Certified ISMS Risk Management training course is the ideal starting point for anyone who wants to know more about how to deal with information security threats.

This three-day course develops your understanding of the key areas of information risk management, and is based on recognised best practice and real-world examples.


A version of this blog was originally published on 8 May 2017.

The post Why ISO 27005 risk management is the key to achieving ISO 27001 certification appeared first on IT Governance Blog.

WhatsApp urges users to update app after massive security failure

If you’ve recently had a missed call on WhatsApp from a number you didn’t recognise, cyber criminals might be spying on you.

The Facebook-owned app has admitted that cyber criminals have exploited a major vulnerability in its voice call function and are planting spyware on users’ phones. This enables crooks to turn on devices’ cameras and microphones, read emails and instant messages, and collect users’ location data.

The breach was discovered earlier this month, and WhatsApp released an update addressing the issue on Friday. The messaging service is now urging users to install the patch to ensure they don’t fall victim. Updates are often installed automatically, but it’s worth checking that this feature is enabled.

Who is responsible for the attack?

The technology behind the attack was developed by the Israeli cyber surveillance organisation NSO Group, but the firm has denied playing a part in the breach. It said that the Pegasus spyware is licensed to authorised government agencies “for the sole purpose of fighting crime and terror” and that it doesn’t use it itself.

WhatsApp believes the “attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems”.

The identity of that company is currently unclear, but we would guess the attack was politically motivated. The spyware has been planted on a relatively small number of devices, which wouldn’t be the case if crooks were trying to obtain personal information for financial gain, and those who have reported being targeted hold politically and socially important roles, such as human rights activists, journalists and lawyers.

The severity of the breach means an investigation is bound to be launched, but we doubt that the perpetrators’ identity will ever be discovered. It’s incredibly difficult to investigate sophisticated attacks like this, and it’s even harder to find the necessary evidence to bring about a conviction.

Things should improve as new technologies become available to cyber crime investigators like the National Crime Agency, the FBI and Europol. They will also be helped by organisations paying greater attention to cyber security and engaging in threat intelligence sharing, but it’s always worth remembering that the best defence is prevention. By making it harder for crooks to breach your systems, you’ll make cyber crime a less prosperous endeavour and reduce the likelihood of being targeted.


The post WhatsApp urges users to update app after massive security failure appeared first on IT Governance Blog.

How to create an ISO 27001-compliant risk treatment plan

An RTP (risk treatment plan) is an essential part of an organisation’s ISO 27001 implementation process, as it documents the way your organisation will respond to identified threats.

It’s one of the mandatory documents you must complete as part of your ISO 27001 implementation project, and forms the final stage of the risk assessment process.

What are your risk treatment options?

Once you’ve completed your risk assessment and defined your risk appetite, you’ll be left with a list of ‘unacceptable’ threats that need to be addressed.

ISO 27001 recommends that organisations take one of four actions:

  • Modify the risk by implementing a control to reduce the likelihood of it occurring. For example, you might address the risk of a work-issued laptop being stolen by creating a policy that instructs employees to keep devices with them and to store them safely.
  • Avoid the risk by ceasing any activity that creates it. This response is appropriate if the risk is too big to manage with a security control. For example, if you’re not willing to take any chances of a laptop being stolen, you might choose to ban employees from using them outside the premises. This option will make things less convenient for your employees but will drastically improve your security posture.
  • Share the risk with a third party. There are two ways you can do this: by outsourcing the security efforts to another organisation or by purchasing cyber insurance to ensure you have the funds to respond appropriately in the event of a disaster. Neither option is ideal, because you are ultimately responsible for your organisation’s security, but they might be the best solutions if you lack the resources to tackle the risk.
  • Retain the risk. This option means that your organisation accepts the risk and believes that the cost of treating it is greater than the damage that it would cause.

Selecting appropriate controls

The most common risk treatment option is to modify the risk, because it typically offers the best combination of security and cost.

Organisations can determine the best way to modify a risk by looking at the controls listed in Annex A of ISO 27001. It lists 114 controls, which are split into 14 sections (or ‘control sets’), each one tailored to a specific aspect of information security:

  • Information security policies: how policies are written and reviewed.
  • Organisation of information security: the assignment of responsibilities for specific tasks.
  • Human resource security: ensuring that employees understand their responsibilities prior to employment and once they’ve left or changed roles.
  • Asset management: identifying information assets and defining appropriate protection responsibilities.
  • Access control: ensuring that employees can only view information that’s relevant to their job role.
  • Cryptography: the encryption and key management of sensitive information.
  • Physical and environmental security: securing the organisation’s premises and equipment.
  • Operations security: ensuring that information processing facilities are secure.
  • Communications security: how to protect information in networks.
  • System acquisition, development and maintenance: ensuring that information security is a central part of the organisation’s systems.
  • Supplier relationships: the agreements to include in contracts with third parties, and how to measure whether those agreements are being kept.
  • Information security incident management: how to report disruptions and breaches, and who is responsible for certain activities.
  • Information security aspects of business continuity management: how to address business disruptions.
  • Compliance: how to identify the laws and regulations that apply to your organisation.

Deciding which control to use is relatively straightforward. The ISO 27001 implementation team should meet with a senior employee from the relevant department to agree on the appropriate control.

For example, communications security issues should be discussed with IT, staff awareness issues with HR, and supplier relations with whichever department the third party is working with.

As with all major security decisions, you should run your decisions past senior management.

Once you’ve finalised which controls you should use, you should refer to ISO 27002 to learn more about implementing them.
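The four treatment options and the Annex A mapping described above can be captured in a small risk register script, which also gives the review step from the previous post something concrete to check. The following is an added example written for this page; it is not the toolkit's template or any IT Governance code. It assumes a 1 to 5 likelihood times 1 to 5 impact scoring scheme, a numeric risk appetite of 6 and a constructed sample register, all of which are illustrative choices an organisation would make for itself.

```python
from dataclasses import dataclass
from typing import Dict, List

# ISO 27001:2013 Annex A control sets, as listed in the post.
ANNEX_A: Dict[str, str] = {
    "A.5": "Information security policies",
    "A.6": "Organisation of information security",
    "A.7": "Human resource security",
    "A.8": "Asset management",
    "A.9": "Access control",
    "A.10": "Cryptography",
    "A.11": "Physical and environmental security",
    "A.12": "Operations security",
    "A.13": "Communications security",
    "A.14": "System acquisition, development and maintenance",
    "A.15": "Supplier relationships",
    "A.16": "Information security incident management",
    "A.17": "Information security aspects of business continuity management",
    "A.18": "Compliance",
}
TREATMENT_OPTIONS = {"modify", "avoid", "share", "retain"}
RISK_APPETITE = 6  # assumed: likelihood x impact above this is unacceptable


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int  # 1 (rare) to 5 (almost certain), assumed scale
    impact: int      # 1 (negligible) to 5 (severe), assumed scale
    owner: str       # department consulted when choosing the control

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class Treatment:
    risk_ref: str
    option: str                   # one of TREATMENT_OPTIONS
    action: str
    control_sets: List[str]       # Annex A references relied on (modify/share)
    residual_likelihood: int = 0  # expected values once the action is in place
    residual_impact: int = 0


def residual_score(risk: Risk, t: Treatment) -> int:
    """Expected score after treatment; ceasing the activity removes the risk."""
    if t.option == "avoid":
        return 0
    if t.option == "retain":
        return risk.score
    return t.residual_likelihood * t.residual_impact


def build_rtp(risks: List[Risk], treatments: List[Treatment],
              appetite: int = RISK_APPETITE) -> List[dict]:
    """One RTP row per risk above appetite, highest score first.

    Risks already within appetite are retained implicitly and not listed;
    rows whose residual score is still above appetite are marked for review.
    """
    by_ref = {t.risk_ref: t for t in treatments}
    rows = []
    for risk in sorted(risks, key=lambda r: r.score, reverse=True):
        if risk.score <= appetite:
            continue
        t = by_ref.get(risk.ref)
        if t is None or t.option not in TREATMENT_OPTIONS:
            raise ValueError(f"{risk.ref}: above appetite but has no valid treatment")
        if t.option == "modify" and not t.control_sets:
            raise ValueError(f"{risk.ref}: 'modify' needs at least one Annex A control set")
        unknown = [c for c in t.control_sets if c not in ANNEX_A]
        if unknown:
            raise ValueError(f"{risk.ref}: unknown control sets {unknown}")
        residual = residual_score(risk, t)
        rows.append({
            "ref": risk.ref, "risk": risk.description, "score": risk.score,
            "option": t.option, "action": t.action, "owner": risk.owner,
            "controls": [f"{c} {ANNEX_A[c]}" for c in t.control_sets],
            "residual": residual,
            "status": "within appetite" if residual <= appetite else "review needed",
        })
    return rows


def rows_needing_review(rtp: List[dict]) -> List[str]:
    """Refs whose planned treatment still leaves the risk above appetite."""
    return [row["ref"] for row in rtp if row["status"] == "review needed"]


# Constructed sample register, not real assessment data.
SAMPLE_RISKS = [
    Risk("R1", "Work-issued laptop stolen off-site", 3, 4, "IT"),
    Risk("R2", "Unsupported legacy server reachable from the internet", 4, 5, "IT"),
    Risk("R3", "Outsourced payroll provider suffers a breach", 2, 4, "Finance"),
    Risk("R4", "Staff open a phishing attachment", 5, 3, "HR"),
    Risk("R5", "Meeting-room whiteboard not wiped", 2, 1, "Facilities"),
]
SAMPLE_TREATMENTS = [
    Treatment("R1", "modify", "Device policy plus full-disk encryption", ["A.10", "A.11"], 2, 2),
    Treatment("R2", "avoid", "Decommission the server", []),
    Treatment("R3", "share", "Security clauses in the contract plus cyber insurance", ["A.15"], 2, 3),
    Treatment("R4", "modify", "Phishing awareness training and a reporting route", ["A.7"], 3, 3),
]
```

Running `build_rtp(SAMPLE_RISKS, SAMPLE_TREATMENTS)` lists R2, R4, R1 and R3 (R5 scores 2 and is within appetite, so it is retained without a row). A 'modify' treatment with no control set is rejected outright, and R4 is flagged as 'review needed' because awareness training alone leaves its residual score at 9: exactly the kind of finding the review step is meant to surface, prompting either a second control or a documented decision to retain the remaining risk.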

Before you begin

It’s worth remembering that your RTP must be appropriate to your organisation. Implementing controls takes time, effort and money, so you need to pick your battles carefully.

You almost certainly won’t have the resources to apply controls to every risk, even if they are small controls, such as a new process or policy.

Even a new policy requires a team of people to write and approve it, generate awareness among employees and ensure that the rules are being followed and working as intended.

That’s not to say you should abandon a control if you think that it will be expensive to implement and maintain. However, you should constantly assess whether there’s a less expensive control that could generate similar results.

Help with creating your risk treatment plan

Below is an example of what a risk-based RTP might look like, extracted from our bestselling ISO 27001 ISMS Documentation Toolkit. The toolkit also contains an asset-based RTP template.

[Image: example of the risk-based risk treatment plan template included in the ISO 27001 ISMS Documentation Toolkit]

Developed by expert ISO 27001 practitioners and used by more than 2,000 clients worldwide, the toolkit includes:

  • A complete set of mandatory and supporting documentation templates that are easy to use, customisable and fully ISO 27001-compliant;
  • Helpful gap analysis and project tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.


The post How to create an ISO 27001-compliant risk treatment plan appeared first on IT Governance Blog.

UK businesses are reporting fewer data breaches, but is this as positive as it sounds?

A third of businesses and a fifth of charities were hit by a cyber attack or data breach in the past year, the UK government’s Cyber Security Breaches Survey 2019 has found.

This is a marked improvement on the previous two years, in which 43% (2018) and 46% (2017) of businesses were breached, but it doesn’t tell the full story of the UK’s threat landscape. Although the number of organisations being targeted seems to be decreasing, those that are vulnerable to attacks are experiencing them more often, with two in five organisations saying that they come under threat at least once a month.

The threat is much higher among medium-sized businesses (60% being breached in the past year), large businesses (61%) and high-income charities (52%).

So why is this bad?

The fact that fewer organisations are being targeted by attacks is a major plus. The report says this may be because businesses and charities are going to greater lengths to become cyber secure. For example, it found that:

  • More businesses (57% vs 51% in 2018) and charities (43% vs 27%) update senior management on their cyber security actions at least once a quarter;
  • Cyber security policies are becoming more common in businesses (33% vs 27%) and charities (36% vs 21%);
  • Businesses (56% vs 51%) and charities (41% vs 29%) are more likely to have implemented controls in all five technical areas of the government’s Cyber Essentials scheme;
  • Staff awareness training is becoming more common in businesses (27% vs 20%) and charities (29% vs 15%);
  • Charities are getting better (60% vs 46%) at implementing measures such as health checks, audits and risk assessments; and
  • More medium-sized (31% vs 19%) and large businesses (35% vs 24%) have invested in cyber insurance.

These improvements have coincided with the introduction of the GDPR (General Data Protection Regulation), indicating that its compliance requirements are working.

However, the report suggests that it’s not as clear-cut as that, and that the seemingly positive conclusions might be hiding serious failures.

The effects of the GDPR

The report found that 30% of businesses and 36% of charities surveyed have made changes to their cyber security practices as a result of the GDPR. This is an incredibly low figure, given that the Regulation is mandatory and has been in effect for a year.

Even among those that have addressed the GDPR, very few have done so comprehensively. For example:

  • 60% of businesses and charities have created new policies;
  • 15% of businesses and 17% of charities have had extra staff training and communications;
  • 11% of businesses and 4% of charities changed firewall or system configurations; and
  • 6% of businesses and 10% of charities have created new business continuity or disaster recovery plans.

This suggests that, although the GDPR has benefited the small proportion that have implemented its requirements (at least partially), the majority of organisations have done little if anything to improve their cyber security practices.

This is probably a major reason that cyber attacks are becoming focused on a select group of organisations. Those that have implemented the GDPR’s requirements have protected themselves from most attacks, forcing cyber criminals to seek out more vulnerable targets.

The trend might also be explained by a change in the way organisations interpreted the survey’s questions. The government suggests that some organisations fear the repercussions of GDPR violations and might not admit to suffering cyber security breaches.

If this is true, those organisations are only making life harder for themselves. The GDPR was designed to improve transparency and make organisations take responsibility for cyber security.

Organisations that own up to data breaches (provided they weren’t caused by major security failures) have little to fear. Regulators and the public are becoming a lot more forgiving, and incidents occur with such regularity that they are practically inevitable.

However, that leniency is based on the assumption that organisations will be honest when it comes to their security measures. You can try to hide your security failures, but regulators will almost certainly discover them and levy severe fines.

Demonstrate your GDPR compliance with our documentation toolkit

One of the most important steps you can take to become transparent and accountable for your data protection practices is to document them.

The Regulation specifies that organisations must be able to demonstrate that they have adopted the necessary technical and organisational security measures, which means keeping a list of everything you’ve done, justifying why it’s been done and how often you’ve reviewed your measures.

This is a big task, but you can simplify it with our GDPR Documentation Toolkit. It contains more than 80 indispensable policies, procedures, forms, schedules and guidance documents written by our expert practitioners, which you can use to prove that you have met the GDPR’s requirements.

The post UK businesses are reporting fewer data breaches, but is this as positive as it sounds? appeared first on IT Governance Blog.

Small businesses spent £13.6 billion recovering from cyber crime in 2018

One in three UK companies fell victim to cyber attacks in 2018, with the majority of the damage occurring in small businesses, according to a report by Beaming.

The study found that cyber crime cost UK organisations £17.8 billion last year, of which £13.6 billion came from small businesses.

The average cost of a cyber attack for small businesses was £65,000 per victim. This accounts for damaged assets, financial penalties and business downtime.

Small businesses are becoming more vulnerable

Large organisations have always been the most likely target of cyber attacks. That remains true, according to Beaming’s study, with 70% of large organisations falling victim to an attack in 2018, compared to 63% of small organisations. However, in 2017 only 47% of small organisations were attacked, meaning the gap is narrowing.

That, along with the fact that small organisations make up the majority of UK businesses, explains why they contributed so much towards the cost of cyber crime last year. After all, multiple small breaches are more expensive to handle than one incident affecting the same number of people because standard processes – like detection and breach notification – are largely the same regardless of the scale of the incident.

Sonia Blizzard, managing director of Beaming, said: “Our research shows that cyber criminals don’t care how big your business is, everyone is a potential victim and the cost of an attack can be devastating. Larger businesses fall victim at the greatest rate because they have more people and more potential sources of vulnerability.

“However, they also tend to have multiple layers of protection in place to limit the spread of an attack and are able to recover more quickly after one.

“Small businesses are trusting more data to the cloud and accessing it from lots of locations. This provides greater flexibility and efficiencies, but also adds to the importance of ensuring data is held and transported securely.

“A specialist ISP can help here by managing a network with the security of business traffic in mind, assisting with the implementation of additional security measures such as managed firewalls and providing advice to clients to enhance the protection on offer. When choosing cloud products, businesses should ensure they have the right connectivity to go with it.”


The post Small businesses spent £13.6 billion recovering from cyber crime in 2018 appeared first on IT Governance Blog.

Survey reveals just how bad the UK is at creating passwords

There are more than 171,000 words in the English language, and yet millions of us can’t look beyond the word that’s right in front of us when selecting a password.

Yes, the NCSC (National Cyber Security Centre) Cyber Security Survey found that 3.6 million Britons use ‘password’ as their password. Just as bad are the 23.2 million who use ‘123456’ and the 3.8 million who use ‘qwerty’.

Other common passwords include people’s names (‘ashley’, ‘michael’, ‘daniel’, ‘jessica’ and ‘charlie’ were the most used), football teams and, bizarrely, the pop punk act ‘blink-182’.

But rather than simply castigate the British public for their ineptitude when selecting login credentials, the NCSC provides some much-needed advice on how we can better secure our accounts.

How to make your passwords stronger

When creating passwords, many experts advise using a combination of letters, numbers and special characters (which might explain the interest in Blink-182). However, the NCSC suggests that we might be better off with a combination of three random words.

The reason for this is simple. Despite the requirement for a mix of characters, most systems only require that passwords be six characters long. This might seem to be more than enough – a combination of 26 letters, 10 numerals and 33 special characters gives you 107 billion possible permutations – but reality rarely plays out this way.

For example, the number ‘1’ appears far more often than any other digit, and the special character (for there is typically only one) is almost always ‘-’. Most of us have therefore given crooks a decent shot at guessing two characters in our password – and they’ll typically be the last two characters.

If you try to outsmart crooks by gorging yourself on special characters, using passwords like ‘a3g^%s’, you’ve only made life harder for yourself. The password is almost impossible to memorise, and criminal hackers are aware of common substitutions, factoring them in when trying to access accounts.

However, as the NCSC advises, you can make your password much stronger simply by making it longer. Each additional letter you use makes your password 26 times harder to crack, meaning a ten-character password that uses letters alone has 141 trillion combinations.

To put it another way, How Secure Is My Password? predicts that the seemingly complex phrase ‘a3g^%s’ could be cracked in 400 milliseconds, whereas a ten-letter combination of three words, like ‘hardtocrack’, would take about a day.

That’s a decent result, but with the number of crooks in the wild churning through passwords, you can do better. Make your password a little longer, like ‘typingmypassword’, and you have a phrase that could take 35,000 years to crack – and that’s with the concession of making your password a literal description of itself.

Anyone capable of conjuring up three genuinely random words could create a password that would take trillions of years to crack without having to compromise on memorability.
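To see where the figures above come from, here is an added example (not from the NCSC, the survey or the blog) that computes the search space of a password from the character classes it uses and sets it beside the NCSC's three-random-word approach. The guess rate of one billion guesses per second is an assumption for illustration, as is the 5,000-word list used to show what happens when the three words are common rather than random; the 171,000-word dictionary size comes from the opening line of the post. Real cracking speeds range from a few guesses per second against a throttled online login to many billions per second against a leaked hash, so the times are only meaningful relative to each other.

```python
import math

# Alphabet sizes as the post counts them: 26 letters, 10 digits and 33
# special characters (the 32 ASCII punctuation marks plus the space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
GUESSES_PER_SECOND = 1e9  # assumed rate, for illustration only


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover to reach this password.

    Each character class present adds its whole alphabet: a single digit or
    symbol only buys the full 10 or 33 because it could sit at any position.
    """
    present = set()
    for c in password:
        if c.islower():
            present.add("lower")
        elif c.isupper():
            present.add("upper")
        elif c.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return sum(CLASS_SIZES[k] for k in present)


def keyspace(password: str) -> int:
    """Number of candidates of the same length drawn from the same classes."""
    return charset_size(password) ** len(password)


def word_keyspace(n_words: int, dictionary_size: int) -> int:
    """Candidates for n words chosen uniformly at random from a dictionary."""
    return dictionary_size ** n_words


def bits(space: int) -> float:
    """Search space expressed as bits of entropy."""
    return math.log2(space)


def seconds_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / rate


def human_time(seconds: float) -> str:
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds * 1000:.0f} milliseconds"


def compare(candidates: dict) -> list:
    """Rows of (label, bits, time to exhaust) for labelled search spaces."""
    return [(label, round(bits(space), 1), human_time(seconds_to_exhaust(space)))
            for label, space in candidates.items()]


# Constructed comparison set; the passwords are the post's own examples and
# the 5,000-word list is an assumed size for a 'common words' attack.
CANDIDATES = {
    "a3g^%s (6 chars, 3 classes)": keyspace("a3g^%s"),
    "10 random lower-case letters": keyspace("a" * 10),
    "hardtocrack (11 letters)": keyspace("hardtocrack"),
    "typingmypassword as 3 common words (5,000-word list)": word_keyspace(3, 5_000),
    "3 random words from a 171,000-word dictionary": word_keyspace(3, 171_000),
}

if __name__ == "__main__":
    for label, b, t in compare(CANDIDATES):
        print(f"{label:<55} {b:>6.1f} bits  {t}")
```

Two things fall out of the numbers. Adding one lower-case letter multiplies the keyspace by 26, as the post says, and three words drawn at random from a 171,000-word dictionary give about 5 million billion candidates, more than 40,000 times the 69^6 of a six-character mixed password and roughly on a par with eleven random letters. The last line of the table is the catch in the final paragraph above: if the three words are common ones, an attacker who tries word combinations rather than characters faces a far smaller space, which is why the words have to be genuinely random.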


The post Survey reveals just how bad the UK is at creating passwords appeared first on IT Governance Blog.

ISO 27001 Lead Implementer, Lead Auditor and Internal Auditor – what’s the difference?

A version of this blog was originally published on 25 June 2018.

Anyone interested in getting into or advancing their career in cyber security probably knows that they will need training and qualifications. But given that the field is so broad, how are you supposed to decide which course is right for you?

This blog will help you make that decision. We take three of our most popular training courses – ISO 27001 Certified ISMS Internal Auditor, ISO 27001 Certified ISMS Lead Auditor and ISO 27001 Certified ISMS Lead Implementer – and explain what they cover and who they are suitable for.

ISO 27001 Certified ISMS Lead Implementer

A lead implementer takes charge of an organisation’s ISO 27001 compliance project. They are responsible for the big decisions, such as setting out the ISMS’s scope, and for ensuring the Standard’s requirements have been addressed.

What you learn: The nine key steps involved in planning, implementing and maintaining an ISO 27001-compliant ISMS.

Who it’s for: This course should be attended by the person responsible for ISO 27001 compliance (typically the CISO) and the person leading the project (this might be the same person). You’ll need a solid understanding of ISO 27001’s risk assessment process, and should have already taken a foundation-level ISO 27001 course.

Length: Three days

ISO 27001 Certified ISMS Lead Auditor

A lead auditor can work internally or audit a second or third party’s ISMS. Their expertise is usually required when the organisation is seeking ISO 27001 certification, or if a partner organisation requests a supply chain audit.

What you learn: The first half of the course teaches you about auditing in general, and the second half covers best-practice advice for how to audit an ISMS.

Who it’s for: Anyone who wants the responsibility for implementing and maintaining their organisation’s ISMS. It’s also suitable for those who want to work for a specific auditing organisation, such as the BSI.

Length: Four and a half days

ISO 27001 Certified ISMS Internal Auditor

An internal auditor assesses the effectiveness of the organisation’s ISMS (information security management system) and whether it meets the requirements of ISO 27001, reporting their findings to senior management.

What you learn: The course begins with an introduction to ISO 27001 and how auditing fits into the compliance process, before explaining how to plan for and execute an internal audit.

Who it’s for: It’s ideal for compliance managers, but it’s obviously suitable for anyone interested in conducting internal audits. You should have a decent understanding of ISO 27001, but your main strengths should be in policy reviews.

Length: Two days

What are the differences between these courses?

Even though each of these courses covers similar areas, they are geared towards specific job roles. Take the internal and lead auditor courses as an example.

An internal auditor could be an employee within the organisation (hence ‘internal’), but they ideally wouldn’t have played a major role in the ISMS’s implementation. Otherwise they are being asked to find faults in their own work, which they might be reluctant to do.

Meanwhile, a lead auditor will have the specialist knowledge required to conduct second- or third-party audits. Although the tasks involved in these two roles are similar, the day-to-day work is very different. Whereas an internal auditor only has to be familiar with their organisation’s ISMS, a lead auditor that works for an auditing company deals with many organisations and interacts with even more people.

Then we come to the lead implementer course, which teaches you how to fulfil a completely different job role. Lead implementers are the heart of the team that puts the ISMS together. As with auditors, they need a strong understanding of ISO 27001’s compliance requirements, but their job focuses on how to meet those requirements, as opposed to reviewing whether they have been implemented correctly.

Of course, consultants will need to be implementation and auditing experts. They should therefore consider our ISO27001 Lead Implementer and Lead Auditor Combination Course, which covers everything you’d learn on each course separately. You’ll move straight from one topic to the other, helping you solidify your knowledge and understand how the two roles interact.

Interested in other ISO 27001 training courses?

These courses are just the beginning when it comes to ISO 27001 training, so if you’re not sure which course is right for you, why not take a look at IT Governance’s full range of training options?

With a variety of courses available in classroom, Live Online and distance learning format, we have you covered, whether you’re an information security beginner or looking for the right qualification to boost your career.


The post ISO 27001 Lead Implementer, Lead Auditor and Internal Auditor – what’s the difference? appeared first on IT Governance Blog.

UK-based organisations are getting better at preventing ransomware

The UK is one of the few countries that has seen a year-on-year reduction in ransomware attacks, a new study has found.

According to the 2019 SonicWall Cyber Threat Report, ransomware infections in the UK decreased by 59% in the past year, a stark contrast to the 11% increase globally.

Has the UK learned a lesson?

Several experts believe the UK’s astounding resilience to ransomware is a direct result of 2017’s WannaCry attack. The ransomware tore through organisations across the globe but struck most acutely in the UK – at the NHS in particular.

The attack did little to demonstrate the financial appeal of ransomware for crooks. The incident became so high profile that most organisations learned that it wasn’t worth paying the ransom, and those behind the attack struggled to recoup the money that was paid into their Bitcoin account.

Likewise, the attack didn’t provide an accurate reflection of how incidents normally play out. The malware is usually most successful when it stays under the radar and catches out organisations that lack backup protocols, thereby seemingly forcing them to comply with the blackmailer’s request.

However, WannaCry taught the UK two huge lessons – that ransomware is dangerous and that organisations need to plan for it.

Bill Conner, president and CEO of SonicWall, said that, following WannaCry, “you guys [the UK] were all over [ransomware].”

The attack prompted the UK government, along with the National Cyber Security Centre and UK-based businesses, to confront ransomware head on.

“Most of the vendors in the UK and their customers put solutions in place to protect against multiple family variants of ransomware,” said Conner.

Ransomware solutions

There are two key steps to protecting your organisation from ransomware. First, you should regularly back up your important files. This enables you to delete infected files and restore them from backups.

The process will take a long time – often more than 24 hours – but the loss in productivity will almost certainly be less costly than paying a ransom. Plus, you need to factor in issues other than simply the cost of returning to business. There’s the possibility that crooks won’t keep their word once you’ve paid up. Equally, there’s the risk that complying with their demands has made you a target for future attacks.

It’s therefore always advisable to restore from backups where possible rather than paying the ransom.
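One way to put the backup advice into practice, as an added example that is not from the article or SonicWall: a backup is only useful for recovery if you can tell which files have been tampered with and can confirm that the restored copies are intact. The script below keeps a SHA-256 manifest alongside the backup, uses it to list files that were modified, removed or added since the backup was taken, and verifies every restored file against the manifest before trusting it. It runs entirely in a temporary directory with constructed files; the infection is simulated by overwriting one file, renaming another and dropping a note, which is enough to exercise all three detection paths.

```python
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST_NAME = "manifest.json"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel != MANIFEST_NAME:
                manifest[rel] = sha256_file(full)
    return dict(sorted(manifest.items()))


def backup(src: str, dst: str) -> dict:
    """Copy src into dst/data and store the manifest next to the data."""
    shutil.copytree(src, os.path.join(dst, "data"))
    manifest = build_manifest(os.path.join(dst, "data"))
    with open(os.path.join(dst, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def check_against_manifest(root: str, manifest: dict) -> dict:
    """Compare a live tree with the manifest: changed, gone and unexpected files."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def restore(backup_dir: str, target: str) -> list:
    """Restore into an empty target, verifying each file against the manifest."""
    with open(os.path.join(backup_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    restored = []
    for rel, digest in manifest.items():
        src = os.path.join(backup_dir, "data", *rel.split("/"))
        dst = os.path.join(target, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        if sha256_file(dst) != digest:  # the backup itself was damaged
            raise RuntimeError(f"backup copy of {rel} does not match its manifest hash")
        restored.append(rel)
    return restored


def demo() -> dict:
    """Constructed scenario: back up, simulate an infection, detect, restore."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    live, store, clean = (os.path.join(work, d) for d in ("live", "backup", "restored"))
    sample = {  # constructed sample files
        "docs/contract.txt": b"signed contract",
        "invoices/q1.csv": b"id,amount\n1,100\n",
        "notes.md": b"# notes",
    }
    for rel, body in sample.items():
        path = os.path.join(live, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)
    manifest = backup(live, store)

    # Simulated infection: one file overwritten, one renamed, a note dropped.
    with open(os.path.join(live, "docs", "contract.txt"), "wb") as f:
        f.write(b"\x00garbage")
    os.replace(os.path.join(live, "invoices", "q1.csv"),
               os.path.join(live, "invoices", "q1.csv.locked"))
    with open(os.path.join(live, "README_DECRYPT.txt"), "wb") as f:
        f.write(b"pay up")

    report = check_against_manifest(live, manifest)
    report["restored"] = restore(store, clean)
    empty = {"modified": [], "missing": [], "new": []}
    report["clean_after_restore"] = check_against_manifest(clean, manifest) == empty
    shutil.rmtree(work)
    return report
```

`demo()` reports `docs/contract.txt` as modified, `invoices/q1.csv` as missing and the two dropped files as new, then restores into a fresh directory that checks out clean. The restore deliberately targets an empty directory rather than the infected one, and a backup copy whose hash no longer matches the manifest is refused rather than silently restored; in production the manifest and data should live on storage the affected machines cannot write to, or the manifest is only as trustworthy as the files it describes.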

Of course, it’s even better if you don’t get infected at all, and the best way to do that is to boost staff awareness of ransomware. That brings us to the second key step to protecting your organisation.

Most ransomware (and malware generally) is delivered via phishing scams. Cyber criminals plant the malicious code in an attachment and trick employees into downloading it. If you can train your staff to spot a malicious email and report it, you can dramatically reduce the risk of becoming infected.

Get started with staff awareness

Our Phishing and Ransomware – Human patch e-learning course makes staff awareness training simple.

This ten-minute course introduces employees to the threat of phishing and ransomware, and describes the link between the two. Armed with this knowledge, your staff will be able to detect suspicious emails and know how to respond.

The post UK-based organisations are getting better at preventing ransomware appeared first on IT Governance Blog.