Using Automation To Protect Information On Your Network

IBA Group
Mark Hillary

Companies across all industries face a wave of almost constant change as digital technologies redefine old industries and create new services we never even knew we needed. Think of any industry and it’s clear that digital transformation is creating a period of industrial flux that has no end in sight.

This does not help to create a secure business environment. Ideally your data and systems would be locked down and controlled, but as the recent global WannaCry attack proved, many systems are much more vulnerable than expected. In addition, many security experts are now advising that this type of chaotic information attack is something we should get used to.

So if your industry is chaotic and hackers are adopting chaotic methods of constantly attacking system vulnerabilities then how can you make sense of the chaos so your data can be protected?

This blog suggests several steps for executives worried about the threat chaos can bring to their business, but the main focus is on automating your network management and accepting that manually managing a network leaves it open to attack. Just one open port is enough for WannaCry – or similar – to get in and cause havoc inside your company.

Automated network segmentation is a reaction to the complexity of today’s enterprise networks. With many different platforms, systems, contractors, and a mix of a physical network and cloud the challenge of managing modern networks is huge. Add the potential for human error and the face pace of change and the threat is obvious.

Automating segmentation allows the system to look after itself. The network breaks into several different secure zones limiting the exposure any hacker would have. Even if a hacker gets into your business, by automatically creating these secure zones you can limit any damage.

Automation is often talked about in terms of productivity – allowing more to be done in less time, but when it comes to information security only automation of network security can really provide protection in a chaotic business environment.

How Insecure Are Your Passwords?

IBA Group
Mark Hillary

Creating a secure environment for your information requires investment in technology and processes, but no matter how much you spend on systems it is your people that are the weakest link. Planning a secure information security strategy needs to include measures that fight social engineering and other methods used to steal data.

The most basic problem that occurs in every company is password security. According to research published in Inc magazine, each valid email address has around 130 password-protected services associated with it. That’s a huge problem if each one of us has to remember hundreds of different passwords.

The biggest problems are that people don’t change their password frequently and they often use the same password for many systems. The danger is obvious, but what should be done to make systems more secure when the real problem here is just user behaviour?

Inc has five recommendations for better password security:
1.    Update passwords regularly; apply operating system settings that force your team to regularly change passwords and also enforce a change if you suspect that a system has been breached.
2.    Never reuse passwords; it’s a common mistake, but this practice creates system vulnerabilities.
3.    Use passphrases; long phrases are much more secure than a short password and often are easier to remember – use a favourite line from a book or movie for example.
4.    Multifactor security; for sensitive systems don’t rely on a single password – use a system that creates a temporary password or uses biometrics to add a second level of security.
5.    Never store passwords in plain text; files can be copied and unencrypted files full of passwords are easy to spot. Use a secure password storage system if you really cannot remember every password you need to use.

This is good solid advice, but reality is that if each person has hundreds of passwords then they will almost certainly repeat them across systems. To really enforce information security inside a real company without ‘perfect’ people requires planning. I would advise the use of an enterprise-wide secure password management system so everyone is encouraged to use different passwords, but with the system to support them.

In addition, biometric systems are not expensive and are now very common – look at how the Apple iPhone allows a user to unlock the phone using their fingerprint. Consider protecting your most important systems, those using customer data for example, with multiple layers of security and not just a password.

A good password policy sounds simple, but enforcing good behaviour on users can be difficult. Use pragmatism and support your team so they can work securely.

Five Myths Around Information Security That Leave Companies In Danger

IBA Group
Mark Hillary

Last year the Ponemon Institute published research analysing the cost of information security breaches – the result of a business being hacked or attacked by ransomware or even just incompetence leading to data being exposed. The average figure for a data breach was found to be over $4m – that’s right, four million dollars. Some other estimates suggest an average of over $7m. Each customer record that you lose or expose costs around $158 to clean up according to this research.

That’s serious money and therefore this is clearly now a major issue. For small businesses a multi-million dollar clean-up operation could close the business. For larger businesses the expense may in fact be far higher than this average. Information security is now essential in an environment where ransomware and hacking attacks by criminals (and even state actors) are becoming more common.

But there are still several myths around information security that cause executives to invest poorly in protecting their business. It’s an issue that affects everyone in the business and needs to be treated just as seriously as the physical security of your office premises. These are the most common issues and mistakes companies make:

1. Not dealing with human error; human error causes 33% of data breaches and 36% are just because people don’t understand the need for information security. Everyone in the company needs to understand information security, why it matters, and what protocols must be followed. This is not just an IT problem.
2. Ignorance; ignoring your legal need to follow compliance regulations over the way that data is used will lead to major fines in addition to the lost business you may suffer as a result of the data breach.
3. Trusting brands online; just because an email with a link features the logo of a trusted brand, if you did not expect to receive contact from this brand, don’t click the link. Criminals are using highly sophisticated phishing techniques to install their software and just one infected computer can give access to your network.
4. Personal devices; allowing employees to use personal devices to access work email or work systems can promote efficiency, but even password-protected phones can be hacked. If a phone is lost or stolen and it was being used to access office systems then unless the device was encrypted you now have a criminal with access to your network.
5. Papers; paper is old fashioned right? But most offices are still filled with desks covered in printed reports and spreadsheets. Detailed information is left in the open allowing any contractor with access to your office access to all that information. Even your paper recycling bin can be raided so you should really have a clean desk and shred all trash policy in place – even better discourage the printing of any documents in the office.
These sound simple, but many organisations still don’t appreciate the need for information security to the extent that they are training every staff member. Data breaches can be extremely expensive so it pays to think about your systems, your people, and your processes. Where is your business vulnerable to attack?

How WannaCry Changed The Information Security Landscape

IBA Group
Mark Hillary

Last month one of the biggest information security conferences in the world took place in London. InfoSec attracted 13,500 information security experts for 3 days focused on the latest security issues, but one topic dominated the conference – WannaCry.

The recent WannaCry ransomware attack hit hundreds of thousands of victims in over 150 countries. Users of infected computers found their systems locked and a demand for a ransom payment if the user wants to use their computer again – hence the term ransomware.

WannaCry is possibly the largest simultaneous attack on global computer systems and is a real wake-up call for executives with a focus on information security. Companies are extracting more and more data from their customers defining payments, preferences, and future plans – more detailed information is available for hackers to steal from corporate systems. This month the AA motoring organisation in the UK has been criticised as they accidentally made the personal details of over 100,000 customers visible on their website and when they realised their error they failed to inform customers that their card details may have been made public.

But users of devices in the home are just as vulnerable to ransomware attacks. Homes are now largely wifi-enabled and have many connected devices such as laptops, phones, Kindles, and home control systems like the Amazon Echo or Google Home. Ransom attacks demanding a fee of $1000 to access your home systems again will be paid by many people because losing access to all your personal devices would be even more expensive – not only in replacement value, but because of the data we store on our devices.

The InfoSec conference delegates discussed WannaCry at length and the top tips cited for avoiding these attacks were:

1. Multilayered information security defence; in the office, ensure at least three levels of information security by managing everyday risk, compliance risk, and external risks in a coordinated way, but with different teams able to focus on each area.
2. Stay updated; at home or at work ensure that all software is up to date with automatic patching of updates. Apply a good anti-virus system and ensure it automatically updates itself. Ensure your data is not stored locally or is regularly backed up so you can recover if systems are lost.
3. Staff awareness; train all staff in the risks to the business, not just your IT team. Everyone uses IT in their function today and therefore anyone can be the access point to your business.

Data breaches and ransom attacks are now a serious threat to business and need to be treated as such. Information security no longer means running a virus check once a week, this is a complex environment that can create an existential threat to your business if you become a victim to an attack.

Trends in Data for 2016

IBA Group
Mark Hillary

One of the trends for 2016 that is certain to only increase in importance is the use of data analysis across many different types of organisation. Big Data and the real-time analysis of data in general is reshaping many industries, redefining how companies build a relationship with their customers.

The fact that this change is applicable across all industries is the most important aspect of this trend. Almost every company in every industry is exploring how a better use of data can give them the edge in 2016. Three specific areas I see as being really important for the year ahead are:

1. The Internet of Things (IoT); tech commentators like talking about the smart fridge that knows you need more eggs, but this is going to be a much more serious trend. If every electric device you own is networked then some incredible new possibilities are created from cars that can self-diagnose and fix problems without you even being aware of it to being able to control anything in your home remotely.

2. Machine Learning; many contact centres have been exploring how robots equipped with product knowledge can handle simple customer service enquiries. As they learn more about what customers want they will get far better and eventually even be able to anticipate what the customer needs. This ability to learn and apply knowledge with physical or virtual robots will be really important. It’s 5 years now since the IBM Watson system beat the TV game show Jeopardy, now doctors are training Watson in how to recognise and diagnose illnesses.

3. Data Security; the weak spot in all systems that need customer data is that the customers become too scared to share their information – scared of data leaks and hacker attacks. The Ashley Madison attack in 2015 was an example of how hackers can even threaten the existence of a company, just by stealing data.

Big Data, and data analysis in general, will certainly be more important in 2016 because it is now affecting so many companies, but this final point is important. As customers share more data there is the danger of more leaks and more attacks. The only thing that will prevent the benefits of enhanced data analysis becoming a reality is if people become wary of sharing information.

IDC: Big Data Spending To Soar Over Next 5 Years

IBA Group
Mark Hillary

Concerns have been mounting in the Internet of Things (IoT) recently. Equipment manufacturers have been tussling over standards prompting some to believe that a ‘Betamax’ situation may be created where some devices cannot connect to the IoT grid.

If such a situation occurs it could seriously impact the adoption of Big Data projects. Big Data does not depend on the IoT – there are many other types of large database – but the constant flow of IoT data means that most IoT projects will also require a Big Data element.

However there is some good news from the analyst community. New data from IDC suggests that the growth rate for spending on Big Data between 2014 and 2019 will be just under $50bn – that’s compounded growth of 23.1% each year.

The real elephant in the room for the Big Data market is the security of collected data. There have been several damaging data leaks by major organisation in recent months. The danger for companies that are collecting large amounts of data is that leaks of private data will cause brand damage so serious that companies could even face an existential threat.

IDC believe that large companies are aware of this danger and are planning their Big Data infrastructure with security in mind.

“The ability to leverage big data and analytics to develop an integrated view of customer activities and business operations will provide competitive differentiation to companies across industries,” said IDC programme director Jessica Goepfert.

“However, in addition to the huge opportunities, big data presents some significant risks and liabilities to organisations. Line of business and IT executives will need to approach these ongoing challenges with awareness, flexibility, adaptability, and responsibility.”

This is an area of the technology business that is growing by around one quarter every year right now. There will need to be some big mistakes to derail this market, but it is possible. The constant stream of security stories in the media shows that the public are more aware than ever of the dangers ahead. Companies adopting Big Data need to ensure they are always one step ahead of the data thieves.

Gartner Predictions for Tech in 2016

IBA Group
Mark Hillary

The industry analyst Gartner Group has issued a list of ten technologies to watch for 2016. These are the trends that the analyst firm believes will be shaping the digital agenda next year.

You can go to the Gartner newsroom where they list all of their predictions, but here I want to comment on what I see as their top three.

Adaptive Security Architecture
If a CEO today is not aware of the importance of security then their board should be asking how they got the job. Major companies are now facing existential threats because technology systems were hacked. Consumer companies with personal data on millions of customers are particularly at risk and one hack can destroy many years of trust in a brand. Making security smarter, tighter, and more able to adapt to changing attack methods will be an enormous trend in 2016.

The Internet of Things (IoT)
Despite recent suggestions the IoT is stalling because there is still no single agreed standard, I believe that there is enough momentum in this trend to start creating a significant amount of work. Naturally this connects to an increased need for expertise in Big Data analysis if IoT is creating enormous amounts of data.

Autonomous Agents
Machine learning is getting smarter. People laughed at Apple Siri when it was first launched, but have you tried it recently? Intelligent agents have improved enormously. The Amazon Echo system replicates Siri in the home, allowing a user to ask questions from anywhere in the home. Similarly machine intelligence is set to revolutionise customer service operations as the most common enquiries are recognised and handled by robots – Robotic Process Automation.

As always, the Gartner predictions are interesting, but after checking the complete list of ten, which would you pick as your top three?

Thinking of security

When you think of security, what image do you think of?
A large secure fence around the office? Or perhaps you imagine a big dog and security guard patrolling that space between the office building and fence?

But what about cyber-security?

A few days ago British newspaper, ‘The Sun’, was attacked by international hacking group Lulz Security – the front page was replaced by a notice proclaiming the death of News Corporation CEO, Rupert Murdoch.

The same hackers destroyed almost all the main government websites in Brazil last month.

And as networks and systems get more international, with service providers operating in one country, delivering to clients in another, who may be serving end users in another, how can you begin to protect the systems that are vital to your company?

Fraud, organised crime, electronic espionage, IP theft, terrorism, activism, and even warfare can call fall under the wider label of cyber-crime and all can be perpetrated without much risk if you know how to cover your online tracks. And criminals know how to cover their tracks.
If large governments and major corporations cannot withstand sustained attacks then there is a temptation to give up and feel that it is not possible to protect your company. If they can’t do it, then who can?

But companies can be protected from all but the most sustained attack through a rigorous security audit that examines every possible opportunity for a network attack.

However, companies today are really just loose networks of partners. A large company may have a supplier for the IT network, another for the phones, another for the broadband pipe, another for the local hardware security…

For any security policy to work, all these suppliers need to be considered as genuine partners. Perhaps a deal was entered into in the past as part of a cost-saving outsourcing strategy, but when you consider how important every link in the chain really is, perhaps you need to review your outsourcing relationships if you can’t already call your suppliers true partners?