A-Z of cyber security
A plain English guide to online risk and resilience
Four pieces of enlightening news landed on my desk on the same day recently. First, there was a story in the Financial Times, quoting the new chairman of the Institute of Directors, Lady Barbara Judge, saying that cyber security is so overwhelming to boards that their reaction is to file it in the "too difficult" category (her words, not mine) rather than tackle the issue head-on.

Then there came research from Marsh, the global insurance broking and risk management firm, which showed that many UK companies are failing to assess their customers and trading partners for cyber risk adequately, and are more vulnerable to cyber attacks themselves as a result.

Third was a story from the Telegraph which highlighted that the average cost of a cyber attack is now £1.46m a year.

And last of all came news from the United States, that the head of the government's personnel office had abruptly resigned because hackers had stolen the sensitive information of some 21 million employees, including bank account details, health reports and even security clearance assessments.

It was a big news day for information security. But what struck me most was that collectively it painted a picture of a serious and expensive problem, which was being dealt with ineffectively.
New Statesman, 2nd Floor, 71-73 Carter Lane, London EC4V 5EQ. Tel 020 7936 6400

Subscription inquiries, reprints and syndication rights: Stephen Brasher, sbrasher@newstatesman.co.uk, 0800 731 8496

Supplement Editor: Jon Bernstein
Design and Production: Leon Parks
Graphics: Leon Parks
Sub-Editor: Prudence Hone
Account Manager: Penny Gonshaw, +44 (0)20 3096 2269
Commercial Director: Peter Coombs, +44 (0)20 3096 2267

First published as a supplement to the New Statesman of 18-24 September 2015. New Statesman Ltd. All rights reserved. Registered as a newspaper in the UK and USA.

This supplement, and other policy reports, can be downloaded from the NS website at: newstatesman.com/page/supplements
U is for . . . understanding

Cyber security comes with a language all of its own, often opaque and replete with acronyms. With some expert help, we unravel the code, from advanced persistent threat to zero days
A is for advanced persistent threat

An APT is an attack carried out by an adversary that targets and exploits individuals instead of computers and operating systems. Its intent is to be stealthy, targeted and data-focused. Typically an APT targets individuals in an organisation. The adversary performs extensive reconnaissance and then sends a targeted piece of information, such as a web link or email, to trick the user into opening up vulnerabilities. From this breach, the adversary uses the compromised system as a pivot point into the organisation's network.

The trick in dealing with APTs is recognising that prevention is ideal but detection is a must. Organisations will get compromised by APTs. The goal is to minimise the frequency and impact of this by controlling where the adversary can get to in the network and how much damage it can perform.

Here are things you can do to limit the impact of an APT:

1. Content-filtering and examination of behavioural anomalies.
B is for biometrics

Biometrics refers to authentication tools and technologies such as facial recognition, fingerprinting and retina-scanning. With traditional password-based security features increasingly hacked by cyber criminals, biometrics are becoming popular as they can be a much harder target for hackers.

Biometrics are more difficult to hack but should not be seen as a replacement for password technology. Whether it's voice recognition or fingerprint technology, biometrics do solve some of the flaws inherent in modern password systems, but they also bring a different set of challenges. For example, fingerprints can be reproduced; some prints are stronger
C is for cloud computing

As defined by Gartner, cloud computing is "a style of computing in which scalable and elastic IT-enabled capabilities are delivered as a service using internet technologies". In other words, cloud
18-24 SEPTEMBER 2015 | NEW STATESMAN | 5
D is for denial of service

A denial of service (DoS) is a type of cyber attack that aims to overwhelm a website or cloud service so that it cannot function or accept legitimate requests from other internet users.

To perpetrate this attack, cyber criminals will stealthily install software, often on the PCs of unsuspecting home users, that on command can generate spurious traffic directed at the victim's website. These networks of hijacked PCs, known as botnets, can include tens of thousands of machines, and an attack launched from one is referred to as a distributed denial of service (DDoS) attack.

Imagine a telephone switchboard with a total of eight available phone lines. If attackers keep calling, never giving a chance for a line to be freed, then the switchboard can never answer a legitimate call.

DoS attacks are often used by groups
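As an added illustration of the switchboard analogy (example code written for this page, not from the original article), the Go program below models a switchboard with a fixed number of lines and replays constructed call traces through it. It goes one step beyond the text: a per-caller limit on lines, the kind of connection limit a defender configures, protects customers from a single noisy caller but not from a flood spread across many callers, which is why the distributed variant is the harder one to absorb. The call traces, caller names and limits are constructed sample data.

```go
package main

import "fmt"

// Call is one incoming request in the switchboard analogy.
type Call struct {
	Tick   int    // arrival time in whole ticks; calls must be ordered by Tick
	Source string // constructed caller identity (a botnet PC or a customer)
	Legit  bool   // true for a genuine customer, false for flood traffic
	Hold   int    // how many ticks the caller keeps the line open
}

// Outcome counts what happened to each kind of call.
type Outcome struct {
	LegitServed, LegitRefused int
	FloodServed, FloodRefused int
}

// line is one occupied switchboard line.
type line struct {
	source     string
	freeAtTick int
}

// Simulate replays calls through a switchboard with the given number of lines.
// perSourceCap limits how many lines one source may hold at once (0 = no limit);
// it stands in for the per-client connection limit a defender would configure.
func Simulate(lines, perSourceCap int, calls []Call) Outcome {
	var busy []line
	var out Outcome
	for _, c := range calls {
		// Release lines whose hold time has expired by this call's arrival,
		// and count how many lines each source still holds.
		kept := busy[:0]
		held := map[string]int{}
		for _, l := range busy {
			if l.freeAtTick > c.Tick {
				kept = append(kept, l)
				held[l.source]++
			}
		}
		busy = kept
		accepted := len(busy) < lines && (perSourceCap == 0 || held[c.Source] < perSourceCap)
		if accepted {
			busy = append(busy, line{source: c.Source, freeAtTick: c.Tick + c.Hold})
		}
		switch {
		case c.Legit && accepted:
			out.LegitServed++
		case c.Legit:
			out.LegitRefused++
		case accepted:
			out.FloodServed++
		default:
			out.FloodRefused++
		}
	}
	return out
}

// flood builds n long-held calls at tick 0, from one source or from n distinct sources.
func flood(n int, distinct bool) []Call {
	calls := make([]Call, 0, n)
	for i := 0; i < n; i++ {
		src := "flood-pc-1"
		if distinct {
			src = fmt.Sprintf("flood-pc-%d", i+1)
		}
		calls = append(calls, Call{Tick: 0, Source: src, Legit: false, Hold: 100})
	}
	return calls
}

// customers appends three short legitimate calls arriving at tick 1.
func customers(calls []Call) []Call {
	for i := 1; i <= 3; i++ {
		calls = append(calls, Call{Tick: 1, Source: fmt.Sprintf("customer-%d", i), Legit: true, Hold: 1})
	}
	return calls
}

// SampleSingleSourceFlood: ten calls from one attacking PC, then three customers (constructed).
func SampleSingleSourceFlood() []Call { return customers(flood(10, false)) }

// SampleDistributedFlood: ten calls from ten different PCs, then three customers (constructed).
func SampleDistributedFlood() []Call { return customers(flood(10, true)) }

func main() {
	fmt.Printf("single source, no limit: %+v\n", Simulate(8, 0, SampleSingleSourceFlood()))
	fmt.Printf("single source, cap 2:    %+v\n", Simulate(8, 2, SampleSingleSourceFlood()))
	fmt.Printf("ten sources, cap 2:      %+v\n", Simulate(8, 2, SampleDistributedFlood()))
}
```

With eight lines and no limit, the single attacker holds all eight lines and every customer is refused; a cap of two lines per caller leaves six free lines and all three customers get through. The same cap does nothing against ten distinct callers, because each of the first eight holds only one line: the defender needs capacity or upstream filtering rather than a per-caller rule.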
(Picture caption: A movie about the North Korean leader Kim Jong-un triggered cyber attacks on the film company)
E is for encryption

Encryption is at once intellectually simple and morally complex.

At its most straightforward, it is the act of encoding data, turning plaintext into ciphertext. Only those with a key or password can decode, or decrypt, the data, meaning that, in theory at least, sensitive information can pass securely across networks and be stored safely by an
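The "only those with a key can decrypt" property, as an added example in Go that is not from the article: AES-256-GCM from the standard library turns a message into ciphertext that comes back only under the right key. A different key or a single altered byte is rejected outright rather than decrypted into garbage, because GCM authenticates the ciphertext as well as encrypting it. The message is constructed sample input.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit AES key.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt turns plaintext into ciphertext with AES-256-GCM. A random nonce is
// generated per message and prefixed to the output so Decrypt can find it.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and a 16-byte authentication tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails, rather than returning garbage, when the
// key is wrong or any byte of the ciphertext or tag has been altered.
func Decrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, sealed := ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, sealed, nil)
}

// RoundTrip demonstrates the three outcomes the text implies: the right key
// recovers the message, a different key does not, and tampering is detected.
func RoundTrip(message []byte) (recovered []byte, wrongKeyRejected, tamperRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return nil, false, false, err
	}
	ct, err := Encrypt(key, message)
	if err != nil {
		return nil, false, false, err
	}
	recovered, err = Decrypt(key, ct)
	if err != nil {
		return nil, false, false, err
	}
	other, err := NewKey()
	if err != nil {
		return nil, false, false, err
	}
	_, errWrong := Decrypt(other, ct)
	tampered := append([]byte(nil), ct...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, errTamper := Decrypt(key, tampered)
	return recovered, errWrong != nil, errTamper != nil, nil
}

func main() {
	msg := []byte("constructed sample message: board minutes, do not forward")
	got, wrongKey, tamper, err := RoundTrip(msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered matches: %v, wrong key rejected: %v, tampering rejected: %v\n",
		bytes.Equal(got, msg), wrongKey, tamper)
}
```

The nonce must never repeat under the same key, which is why it is drawn from the system random source for every message; key management, the "morally complex" part, is the piece this block deliberately leaves out.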
F is for Flashback malware attack

The conventional wisdom dictates that Apple-made devices are less prone to
G is for gateway crimes

In the world of addiction prevention, the notion of a gateway drug is well understood: a relatively benign narcotic becomes a gateway to harder and more harmful alternatives. Criminality and illegality are important components in the transition. A similar theory can be applied to the criminality that surrounds computer hacking.

According to Andy Archibald, head of the National Crime Agency's cyber crime unit, digital piracy can become a gateway to more serious online crime.
I is for identity management
H is for Heartbleed

Heartbleed is the open-source software flaw that affected more than 60 per cent of the internet over a year ago. It allowed access to the private key used by individuals and businesses to encrypt web traffic. In particular, it allowed anyone with the right skills to retrieve data from the memory of a web server without leaving a trace.

Heartbleed served as a long overdue wake-up call for the IT industry; in some IT organisations, the percentage of open-source code used is greater than 25 per cent, meaning there's a lot of open-source code being reused by information technology programmers. While some claimed that open-source code was more secure than in-house-generated code, because "millions of eyeballs" were looking at it, the reality showed there were still basic flaws in popular software. OpenSSL is arguably one of the most cared-for components in the open-source community, yet that community still completely missed the zero-day vulnerability posed by Heartbleed.

The moral of the Heartbleed story is that while IT may continue to rely on open-source components as it develops applications, IT personnel must check, analyse and measure those components for software quality and security risks.

Lev Lesokhin is an executive vice-president at CAST Software

H is also for honey pot and hot wash
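Heartbleed was a missing length check: the heartbeat handler trusted the peer's declared payload length when copying the reply. The Go parser below is an added example, not OpenSSL's code, of what that check looks like for the heartbeat message laid out in RFC 6520 (one type byte, a two-byte payload_length, the payload, then at least 16 bytes of padding). The message layout is from the RFC; the function names and the test messages are constructed here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout of a TLS heartbeat message body per RFC 6520.
const (
	heartbeatRequest  = 1
	heartbeatResponse = 2
	headerLen         = 3  // 1 byte type + 2 byte payload_length
	minPadding        = 16 // RFC 6520 requires at least 16 bytes of random padding
)

// ErrTruncated is returned when the declared payload_length does not fit in the record.
var ErrTruncated = errors.New("heartbeat: declared payload_length exceeds record length")

// ParseHeartbeat decodes a heartbeat message and returns its type and payload.
// The decisive step is comparing the peer-supplied payload_length with the
// length of the record actually received, before any payload bytes are read.
func ParseHeartbeat(record []byte) (msgType byte, payload []byte, err error) {
	if len(record) < headerLen+minPadding {
		return 0, nil, errors.New("heartbeat: record too short")
	}
	msgType = record[0]
	if msgType != heartbeatRequest && msgType != heartbeatResponse {
		return 0, nil, fmt.Errorf("heartbeat: unknown message type %d", msgType)
	}
	declared := int(binary.BigEndian.Uint16(record[1:3]))
	if headerLen+declared+minPadding > len(record) {
		return 0, nil, ErrTruncated
	}
	// Copy the payload so the caller never holds a view into the record buffer.
	payload = append([]byte(nil), record[headerLen:headerLen+declared]...)
	return msgType, payload, nil
}

// BuildHeartbeat encodes a message for testing. declaredLen is written into the
// payload_length field as given, so a test can construct a record whose declared
// length disagrees with the payload it actually carries.
func BuildHeartbeat(msgType byte, declaredLen int, payload []byte) []byte {
	var lenField [2]byte
	binary.BigEndian.PutUint16(lenField[:], uint16(declaredLen))
	rec := make([]byte, 0, headerLen+len(payload)+minPadding)
	rec = append(rec, msgType)
	rec = append(rec, lenField[:]...)
	rec = append(rec, payload...)
	return append(rec, make([]byte, minPadding)...) // zero padding; real senders use random bytes
}

func main() {
	good := BuildHeartbeat(heartbeatRequest, 5, []byte("hello"))
	_, p, err := ParseHeartbeat(good)
	fmt.Printf("well-formed: payload=%q err=%v\n", p, err)
	bad := BuildHeartbeat(heartbeatRequest, 0xFFFF, []byte("hello"))
	_, _, err = ParseHeartbeat(bad)
	fmt.Printf("declared 65535 bytes, carried 5: err=%v\n", err)
}
```

One caveat for readers porting the idea: in Go, slicing past the end of `record` panics, so an unchecked parser crashes rather than discloses memory; in C, the memcpy in the original bug read on past the buffer silently, which is why the length comparison was the entire fix.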
J is for jamming

Jamming is a technique used by
L is for licensing

It is one of the key weapons in the ongoing fight against hackers. The importance of licensing to businesses, software providers and intelligent device manufacturers cannot be overstated as we usher in the Internet of Things. Tamper-resistant software licensing should help to reduce the risk of hacking and protect intellectual property, with techniques such as code obfuscation and hacker detection being implemented to help reduce piracy.

The constant struggle to keep a company's software estate correctly licensed and optimised means that firms often seek the advice of specialists who are able to help manage these security, risk and compliance issues in one fell swoop. Failure to license and manage software assets properly will leave businesses open to hefty fines from software publisher audits and invariably leaves them paying significantly more than they should for the technology they use in their business.

Gareth Johnson is the CEO of Crayon

L is also for the law and logic bombs
M is for Melissa

The Melissa virus struck in May 1999,

N is for network resilience
now a national emergency in the Americas. The survey went on to say that 86 per cent of government cyber security professionals believe big data analytics is the key to helping improve cyber security.

This is because many organisations currently only possess the ability to protect themselves against previously detected threats and concentrate on endpoint protection. By combining big data analytics with cyber security, companies will be able to identify the threats before they damage the organisation, enabling rapid activation of cyber defence strategies against operational, financial or reputational damage.

The serious crime-fighting software expert Wynyard Group helps government, financial institutions and critical infrastructure organisations find serious threats in the masses of network data, by leveraging the intersection of big data analytics with cyber security.

According to Wynyard, what companies need is a solution that analyses all of the data that is currently collated, but not currently analysed, which will provide organisations with a holistic view of threats to their digital networks and devices, uncovering high-consequence cyber threats. By monitoring the network and identifying what is normal using rigorous analytical algorithms, anomalies are identified and presented to the security operations team for investigation via a powerful anal-
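The approach described above, learning what is normal for each host and flagging departures from it, as an added example in Go (not Wynyard's product or code, and not from the article): a baseline of hourly outbound-byte totals is built per host from constructed log lines, then new records are scored by how many standard deviations they sit from that host's mean. The log format, host names and the threshold of three standard deviations are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Event is one parsed record: outbound bytes for a host in one interval.
type Event struct {
	Time  string
	Host  string
	Bytes float64
}

// Stats is a host's learned baseline.
type Stats struct {
	N         int
	Mean, Std float64
}

// Finding is an event judged anomalous, with the reason.
type Finding struct {
	Event  Event
	Z      float64 // standard deviations from the host's mean (Inf when unscorable)
	Reason string
}

// ParseEvent reads one line in the constructed format "TIME host=NAME bytes_out=N".
func ParseEvent(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 3 || !strings.HasPrefix(f[1], "host=") || !strings.HasPrefix(f[2], "bytes_out=") {
		return Event{}, fmt.Errorf("malformed log line: %q", line)
	}
	n, err := strconv.ParseFloat(strings.TrimPrefix(f[2], "bytes_out="), 64)
	if err != nil {
		return Event{}, fmt.Errorf("malformed byte count in %q: %v", line, err)
	}
	return Event{Time: f[0], Host: strings.TrimPrefix(f[1], "host="), Bytes: n}, nil
}

// ParseLines parses a block of log text, skipping blank lines.
func ParseLines(text string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev, err := ParseEvent(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// Baseline learns per-host mean and population standard deviation.
func Baseline(events []Event) map[string]Stats {
	sum, sumSq, count := map[string]float64{}, map[string]float64{}, map[string]int{}
	for _, e := range events {
		sum[e.Host] += e.Bytes
		sumSq[e.Host] += e.Bytes * e.Bytes
		count[e.Host]++
	}
	base := map[string]Stats{}
	for host, n := range count {
		mean := sum[host] / float64(n)
		variance := math.Max(sumSq[host]/float64(n)-mean*mean, 0) // clamp rounding noise
		base[host] = Stats{N: n, Mean: mean, Std: math.Sqrt(variance)}
	}
	return base
}

// Detect returns events beyond threshold standard deviations from their host's
// mean, plus events that cannot be scored because the host has no baseline.
func Detect(base map[string]Stats, events []Event, threshold float64) []Finding {
	var out []Finding
	for _, e := range events {
		s, ok := base[e.Host]
		switch {
		case !ok:
			out = append(out, Finding{e, math.Inf(1), "host never seen in baseline"})
		case s.Std == 0:
			if e.Bytes != s.Mean {
				out = append(out, Finding{e, math.Inf(1), "host was constant in baseline"})
			}
		default:
			if z := (e.Bytes - s.Mean) / s.Std; math.Abs(z) > threshold {
				out = append(out, Finding{e, z, fmt.Sprintf("%.1f standard deviations from mean %.0f", z, s.Mean)})
			}
		}
	}
	return out
}

// Constructed sample data: quiet hourly totals for two hosts, then new hours to score.
const BaselineLog = `
2015-09-07T09:00:00Z host=ws-07 bytes_out=12000
2015-09-07T10:00:00Z host=ws-07 bytes_out=11000
2015-09-07T11:00:00Z host=ws-07 bytes_out=13000
2015-09-07T12:00:00Z host=ws-07 bytes_out=12500
2015-09-07T13:00:00Z host=ws-07 bytes_out=11500
2015-09-07T09:00:00Z host=db-01 bytes_out=500000
2015-09-07T10:00:00Z host=db-01 bytes_out=510000
2015-09-07T11:00:00Z host=db-01 bytes_out=490000
2015-09-07T12:00:00Z host=db-01 bytes_out=505000
2015-09-07T13:00:00Z host=db-01 bytes_out=495000
`

const NewLog = `
2015-09-14T03:00:00Z host=ws-07 bytes_out=12800
2015-09-14T03:00:00Z host=db-01 bytes_out=520000
2015-09-14T04:00:00Z host=ws-07 bytes_out=250000
`

func main() {
	old, err := ParseLines(BaselineLog)
	if err != nil {
		panic(err)
	}
	recent, err := ParseLines(NewLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Detect(Baseline(old), recent, 3) {
		fmt.Printf("%s %s bytes_out=%.0f: %s\n", f.Event.Time, f.Event.Host, f.Event.Bytes, f.Reason)
	}
}
```

The per-host baseline is the point: 250,000 bytes in an hour is ordinary for the database server and wildly abnormal for the workstation, so one global threshold would either miss the workstation or drown the analyst in database alerts. Hosts with no history are reported too, since a device that has never been seen sending data is itself worth a look.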
O is for outside threat

As opposed to insider threat, this represents the majority of threats to an organisation. Insider threats typically have some level of knowledge and privilege.

There are different levels of outside threat, ranging from reconnaissance attacks to determine weaknesses in the perimeter defences of an organisation, to social engineering, where the outside attacker uses social networking, news articles and personal calls to gain an insight into the person or company's defences. This knowledge is then typically used to write a specific email that contains malware (malicious software).

The majority of organisations focus their attention on outside threats and put in place a range of technologies that protect the perimeter of an organisation. But with the advent of cloud computing and an increased mobile workforce, these defences are being bypassed.

This is where, with the right security processes and policies, businesses can educate their workforce to help reduce the risk of outside threats.

P is for password

The comedian John Oliver recently observed that cyber security is the only reason we know our mother's maiden name. The use of passwords to grant access to software and services online is the most common security measure we use, and the most vulnerable. To combat these vulnerabilities, many companies insist on the use of more complex passwords: longer, with a mix of letters, upper and lower case, and numbers. They also insist that the password is changed at regular intervals.

As more than one security expert insists, the only secure password is the one you can't remember.

However, there's no getting away from the impact of human behaviour and the limits of memory. According to figures

Q is for quarantine

Quarantine is a method of isolating a file when it is thought to have been infected with a virus. The aim is to protect other files on the same or connecting devices from the spread of the software virus. Anti-virus software and tools will
Seven steps to effective training

Company guidelines, training and policy documents are often not fit for purpose. Griffin House Consultancy offers an alternative approach
IN PARTNERSHIP WITH STUART J GREEN DIGITAL ENGINEERING LTD

So you're serious about cyber security?

What better way to demonstrate that you're meeting the challenge than by having someone independent assess your performance, asks Stuart Green

With two levels of certification, Cyber Essentials and Cyber Essentials Plus, organisations can demonstrate that they have self-assessed or have been assessed by an independent auditor. In this age of consumer cyber-enlightenment, what better way to demonstrate that you're meeting the challenges of cyber threats head on than by having someone independent come in and formally say what a jolly good job you're doing? That's worth shouting about: marketers, take heed!

Cyber Essentials is in its early days, but more and more organisations are feeling the benefit of going through the process of attaining the certification. Even those with ISO 27001 find the process reveals something they didn't know about their organisation and they see the value in the process. Cyber Essentials is the one element that we should be insistent about having in our supply chains.

So, the next time you hear "we're very serious about cyber security", look for that Cyber Essentials badge. Those who are will have it and can prove how serious they are. Those who aren't? They're probably speaking after a cyber attack.

Stuart Green is managing director of Stuart J Green Digital Engineering Ltd, an information security specialist

To find out more, visit: sjgdigital.com
R is for risk assessment

A broad set of steps that help an organisation understand the likelihood, implications and potential damage resulting from a cyber attack. Risk assessments should be carried out on a regular basis to counter threats that take advantage of large, highly dynamic and complex IT environments, new technology vulnerabilities and evolving human processes: in other words, your attack surface.

Risk assessments are often used to support regulatory guidelines and include a broad series of activities. These can range from basic steps, such as automated vulnerability scans, to more advanced assessment methods, including replicated attacks carried out by professional penetration testers. These real-world attacks culminate in a comprehensive report of how the attack was perpetrated and the potential ensuing damage. Such exercises highlight the exposure of your detect, contain and respond capabilities, something missing from traditional risk assessments.

Consider these questions when contemplating a risk assessment:

1. Is there a set of security policies, such as employee internet and email usage, that meets best-practice guidelines?

2. Is there a defined and regularly carried-out process for detecting an attack or an actual breach?

3. Is there a response plan for an attack

S is for Snowden, Edward
T is for Target

If ever there was a case of corporate nominative determinism, this was it. Think: if your company is called Target, beware attack. The US retailer with that name on its back suffered a catastrophic cyber breach in the run-up to Christmas 2013. Malware placed in the retailer's
U is for user

You may not realise it, but you are a target. If you have an email address, a mobile device, a computer or any online accounts, cyber criminals are targeting you. Fortunately, you can protect yourself and your family by taking some simple steps.

1. Use common sense. If you receive an email, message or phone call that seems odd, suspicious or too good to be true, it may be an attack.

2. Use strong passwords to secure your online accounts and make sure you use a different password for each account. Can't remember all your passwords? Not a problem. Consider using a password manager. Finally, use two-step verification for all of your accounts whenever possible; it's the most secure step you can take to secure an account.

3. Protect your mobile devices with a strong PIN or pass code, or use the fingerprint authentication. That way, if it's lost or stolen, no one can access your photos, data or apps.

4. Keep your computers and mobile devices updated and current.

Lance Spitzner is an instructor at the SANS Institute

U is also for unauthorised access
V is for verification

Online verification is established through cryptographic keys and digital certificates, which act as the foundation of all cyber security. It is a critical element in establishing online trust for secure communications, commerce, computing and mobility. A certificate is a digital form of identification. Like a passport or other user identification, digital certificates provide generally recognised proof of identity and are intended to verify and secure data between users, systems, applications and devices.

Digital certificates rely on public key cryptography for authentication. When a certification authority issues a digital certificate, it signs it with its private key. In order to verify the authenticity of a digital certificate, the user can obtain the certification authority's public key and use it to check the signature on the certificate, determining whether it was really signed by that authority. Unfortunately, even this verification process can be subverted. Cyber criminals are able to compromise keys and certificates that are not properly protected to get around security controls, hiding in your system, monitoring what you do online and compromising personal data.

Kevin Bocek is a vice-president at Venafi

V is also for vulnerability and virus
W is for worm

The one characteristic shared by all computer worms is the capability to replicate. Whereas a conventional computer virus will attach itself to a file or a software program, a worm will commonly use failings in the computer security to gain access
X is for X-rated

Beware dark recesses of the web. That seemed to be the verdict of researcher Conrad Longmore, who analysed diagnostic data from Google and concluded that many popular pornography websites are infected with multiple instances of malware. Longmore told the BBC in 2013 that the root of the malicious files was some of the adverts featured on these sites. "We call these malicious advertisements malvertising," he said. The website owners disputed the findings.

Jon Bernstein

X is also for X.509 Public Key Certificate
Y is for Generation Y

The term Generation Y applies to those who were born after 1980 and were raised in a world of technology. As a result they are more tech-savvy and knowledgeable than previous generations. Generation Y
Cyber security, a must do for SMEs

For many small businesses, cost has become a barrier to good protection. It needn't be, says Bronzeye
Total security is a futile concept

Where does the biggest threat lie? And what steps should organisations, large and small, take to mitigate risk? We ask four cyber specialists

Catherine Askam
Senior manager of cyber risk services at Deloitte UK

The recent large-scale cyber incidents have demonstrated the increased need for improved security in UK organisations. Cyber threats are growing and cyber attacks are moving from disruptive to destructive.

The UK has experienced many large-scale point-of-sale compromises and credit-card thefts, but now we're also seeing new targeted attacks. For example, there have been large-scale compromises of healthcare companies and hospitals for the theft of personal records.

This isn't surprising: the personal-data trading market is starting to generate real rewards for criminals. The loss of data from any organisation and the rise of the destruction of data is very concerning.

John Berriman
Chair of cyber security practice at PricewaterhouseCoopers

Every organisation needs to be confident that it is fit for the digital age. As they have capitalised on new operating platforms, the amount of data they hold has increased phenomenally. Data is the lifeblood of a business: it underpins its every relationship, decision and interaction.

Information is now a greater source of competitive advantage than ever before, but only if it is secure. It is essential to create a risk-aware culture led from the top, with the boardroom showing it recognises the potential risks at the same time as it embraces opportunities for growth.

Mark Brown
Executive director, cyber security and resilience at Ernst & Young

Cyber threats remain one of the most significant risks facing UK businesses today. The blistering pace of technological change and the cyber threats that come with it are only going to accelerate. The UK government has made cyber security one of its priorities, so UK plc should need little convincing about the seriousness of this threat.

Paul Taylor
UK head of cyber security practice at KPMG

Businesses are increasingly realising that cyber security is something that they cannot ignore. Our own survey of FTSE-350 companies found that 74 per cent of them thought their boards were taking cyber security very seriously, yet just 39 per cent of board members saw cyber risk as an operational one when comparing it to other threats.

Businesses need to consider that if subject to a cyber breach, they risk losing money or intellectual property, regulatory fines, clear-up costs, reputational damage and, perhaps most importantly, losing customer confidence.
(Picture caption: Cyber security makes good business sense and should be seen as an opportunity)
2. The cyber security industry trades off people's fears, often unsubstantiated. Discuss

John Berriman

PwC research conducted for the government has shown that nine out of ten organisations reported a cyber-security breach in the past year, so the threat businesses face is very real. The cyber-security industry is driven by the genuine experiences of organisations that suffer security breaches.

Others are in denial about the extent to which they are vulnerable or fail to prepare adequately and then find themselves hit by a major breach that causes serious business disruption.

At PwC we are trying to make organisations more aware and better prepared. There is a lot that can be done to prevent a breach becoming a serious issue that causes long-term and costly damage to a business, its brand and reputation.

Mark Brown

The fear aspect of cyber security is well documented, but there are alternative viewpoints. A modern approach to viewing the role of cyber security is evolving, one rooted in the heart of enterprise risk management rather than compliance. As organisations recognise that 100 per cent security is a futile concept, a move towards cyber resilience is evolving, where detection and response is as important, if not more so, than prevention.

This change requires a new breed of cyber-security professional, one as comfortable in the parlance of business management as technology, and who can sell the concept of risk enablement rather than simply being seen as the inhibitor of progress.

The risk is very real, but can be managed without detrimentally impacting operations where a business-centred approach is adopted.

Paul Taylor

There's a great deal of scaremongering out there that isn't necessarily helpful. The

Catherine Askam

Cyber risk is often associated with high-profile cyber espionage, rather than the more common reality of direct threats to day-to-day activities. The basics, such as regularly updating security software, are often forgotten as a means to prevent attacks. The answer is not to stop worrying, but to turn defences in the right direction. Security officers should prioritise the training of employees to understand and prevent the security risks the organisation faces, instead of being paralysed by the fear of being blamed in the event of an incident.
3. Internal or external: where does the biggest threat to a firm's security lie? And why?

Mark Brown

Although the actual threat remains the technical vulnerabilities exploited by the cyber criminals, the biggest risk is that most of these technical vulnerabilities are exploited in the first place due to the actions of internal employees. Well-intentioned but misinformed staff continue to expose otherwise safe prac-

Paul Taylor

Both internal and external threats exist. It really depends on the core business of the company you are dealing with. The key is to take a holistic view of the threat: thinking about who your adversaries might be, what they might be after and the various ways they might achieve their goals. Moreover, keeping the different aspects of security in the front of your mind by means of cyber exercises or resilience games is a good way of making sure that all relevant parts of the organisation can work together to deal with any incident. In short: attackers won't respect your stovepipes and you need to think.

Catherine Askam

Employees and non-employees accessing buildings, data and critical IT systems are probably an organisation's biggest threat. While malicious users may attack from the inside of an internal system, causing greater harm than any cyber attack, employees could also make mistakes that put the company at risk. Security information and event-management tools can prevent these, as they can flag up irregular activity. This leads to timely incident detection and containment.

Smartphones are also becoming a cyber-security minefield. The ability to log in automatically, steal credentials and break into the back-end systems poses a real risk.

John Berriman

There's no doubt that external threats regularly grab the headlines. Malicious threats and breaches cause genuine, serious and high-profile breaches. Many organisations prioritise external threats, but internal ones can be just as damaging. Staff can be the strongest or, indeed, weakest point in the security chain.

PwC research for the government found that 75 per cent of large organisations suffered staff-related breaches, up from 58 per cent a year ago. Inadequate training, poor security awareness or general negligence can lead to breaches just as readily as hackers and criminals.

Employee awareness is a difficult area for information security and many organisations struggle to get it right.
4. What single statistic should act as a wake-up call to those who need convincing?

Paul Taylor

Every day we hear of new vulnerabilities, attacks and incidents. The Centre for Strategic and International Studies estimates that the likely annual cost to the global economy from cyber crime is between $375bn and $575bn. These startling figures are more than the national income of many countries.

Catherine Askam

According to CYREN's 2015 Cyberthreat Yearbook, the number of successful cyber attacks on businesses of all sizes increased by 144 per cent between 2010 and 2014. Therefore, cyber attacks are clearly a growing concern for UK businesses. We often say that it's no longer a case of if you get hacked, but when.

John Berriman

The average cost of the most severe security breaches for big business is now £1.46m, according to PwC research. That doesn't take into account the impact on an organisation's reputation and relationship with its stakeholders. Every organisation needs to wake up to the very real threats they face.

Mark Brown

Cyber crime today is prevalent as a global criminal industry. Organisations are hacked daily, but the scale of attacks is often difficult to comprehend.

During 2014 the biggest reported hack was conducted by the Russian organised-crime gang CyberVor, which captured more than 1.2 billion personal IDs, the equivalent of hacking the entire population of India.

(Picture caption: Organisations are hacked every day, but it can be difficult to comprehend the scale of cyber crime)
Catherine Askam

1. Fix the basics, such as passwords and update security patching, and new joiner, mover and leaver processes.

2. Review current security operations and invest in them to strengthen this area of your business.

3. Focus on prevention in addition to how you would respond to an attack, for example threat intelligence (detecting the methods of hackers and using this intelligence to plan responses) and data-destruction protection, such as technology or insurance policies to avoid data or information being destroyed if a hacker accessed it.

(Picture caption: Fiat Chrysler's Jeep Cherokee was the subject of a hacking test earlier this year)
IN PARTNERSHIP WITH DIGITAL ASSURANCE

Cyber, cyber, cyber essentials

A five-step security assessment is an excellent introduction, writes Digital Assurance's Michael Minchinton

arising in common, off-the-shelf products. The Cyber Essentials flavour is a respectable starting point that helps protect your digital assets from the perspective of an unauthenticated remote hacker across the internet.

The second, the Cyber Essentials Plus, includes all the elements of the Cyber Essentials together with an additional review against internal systems including firewalls, laptops, PCs and email gateways. The Cyber Essentials Plus variant is a comprehensive addition, embracing the unauthenticated remote hacker aspect, which includes malicious intent to propagate malware and ransomware threats.

For companies that have not had any security assessment of any kind, I suggest that going through the five Cyber Essentials stages is a comprehensive introduction to cyber assurance.

Michael Minchinton is a security consultant for Digital Assurance

Digital Assurance is CREST- and CESG-accredited. Based in offices in Westminster, it delivers Cyber Essentials certification along with conventional penetration testing services, social engineering campaigns and the odd bit of car hacking just for the heck of it!
and network facilities are increasingly being run across the same internet protocol (IP) networks as customer management systems. These systems have features that make risk more severe and the proximity of the threat greater.

For example, the operational systems that are being accessed across the internet have longer life cycles than the IT equipment that is used to run enterprise client management and accounting systems. As a result, the underlying computer systems are older, and this means that operating systems are potentially no longer supported and vulnerabilities are not patched. Similarly, these systems are operated from the shop floor, and system management is carried out on a part-time basis by an infrastructure engineer rather than a dedicated IT professional. Security is a secondary concern to keeping the plant operational.
Source: 2015 Information Security Breaches Survey (commissioned by HM Government and conducted by PwC)

74% of small businesses experience security breaches, up from 60% a year ago
90% of large organisations experience security breaches, up from 81% a year ago
£1.46m-£3.14m: average cost of worst security breaches to large organisations
£75k-£311k: average cost of worst security breaches to small businesses
50% of worst breaches caused by inadvertent human error
Chart comparing large and small organisations by breach type (staff-related, unauthorised outsider, denial of service attack); figures as extracted: 30%, 75%, 69%, 31%, 38%, 16%