The things you say

Write to: Professional Security Magazine, Westcroft, Cannock Road, Wolverhampton WV10 8QW. Phone: 01922 415233. Email: info@professionalsecurity.co.uk. Web: www.professionalsecurity.co.uk

Respect for retail

Theft from shops can often be a trigger for violence, threats and abuse against shop workers, so the rising trend in shoplifting worries a union rep.

Is this a consequence of the Conservative seven-year record on retail crime? Since 2010 there are 20,000 fewer police, shoplifting is rising, but fewer shop thieves are going to court. We have long been concerned that theft from shops is not taken seriously and sometimes regarded as a victimless crime against large companies, but the reality is very different. Only this week it was reported that the Metropolitan Police are scaling back on investigations into theft from shops as they try to save £400m. Is this a green light to shop thieves, therefore leaving our members further exposed?

Shop theft is a very serious issue that leads to abuse of shop workers. Life on the frontline of retail can be pretty tough for many. We launched our Freedom From Fear Campaign in the face of growing concerns amongst retail workers about violence, threats and abuse. The campaign works with retailers to promote respect and make workplaces safer for staff and customers alike and we need the help of the police to deliver that aim.

There needs to be Government action to protect shop workers. I have been shocked by the leniency of some of the sentences for assault of workers. Some violent criminals charged with assault do not get to court and those who are can receive derisory sentences. In other cases the offender isn’t even charged and victims are left feeling that no one cares that they were assaulted.

The Conservatives in government have repeatedly blocked attempts to stiffen penalties for those who assault shop workers. We need the police to respond to incidents, investigate and prosecute theft from shops. Around 200 shop workers are assaulted every day and it is time to say enough is enough. Retail staff are an important part of our communities and their role must be valued, respected and protected.

John Hannett, Usdaw General Secretary

Wannacry was nothing new

A recent official audit found that despite warnings the authorities failed to protect NHS trusts against the Wannacry ransomware attack in May.

The philosophy behind a business’ security approach should adhere to key principles, something that can be overlooked by certain organisations. And, it’s important to address internal and external threats by looking at everything through the lens of data security. Only once key security principles have been decided can a company improve its entire approach to data security. We know that no one is 100 percent safe from cyber-attacks, but to get ahead in security, companies must identify how an unauthorised person with bad intentions is capable of not just extracting data, but also rendering encrypted information into readable and usable text. From here, companies can start to identify the best security solution.

Simon Bain, CEO, BOHH Labs

Basic security processes need to be followed and unfortunately the NHS appear to have been caught out by their lack of cyber-hygiene when it comes to building-in a robust response to a technological failure that should have been contained, like any outbreak, as close to ‘patient zero’ as practically possible. It appears that the behaviour of keeping software and systems patched up-to-date was not followed, that preventative firewall rules were not regularly verified, and the basic user training of what to do in the event of this particular scenario, was not carried out.

Mike Simmonds, CEO, Axial Systems

WannaCry started because someone unwittingly opened an attachment sent via an email and unleashed the malware – it could, and does, happen to anyone. What was different in this ransomware attack from previous examples is that the attackers had laden it with, what we now know as, EternalBlue. This previously unknown malicious software checked for filesharing arrangements the computer had, and began exploiting them and so it was able to spread from Patient Zero to 200,000 computers across the globe. Wannacry and EternalBlue remind us that current email security solutions that live on the ISP and/or gateways and employee education and awareness training on its own, are simply not working. Attackers are too smart; too patient and too determined to defeat the cybersecurity status quo. We must do better as an industry to quickly detect, mitigate and remediate email phishing attacks if we are to have any hope of getting the ransomware epidemic under control. Especially given that about eight in ten ransomware attacks begin with phishing.

Eyal Benishti, CEO and Founder, Ironscales

To be honest, for most cyber-security professionals this report tells us nothing that we don’t already know. The Wannacry infection would only target systems that were not patched; it’s no different to what the NHS actually do - they patch us humans to be safe from virus attacks. If you don’t keep your immune system up-to-date, then you will be susceptible to old virus attacks. The worrying bit in the report is the statement that reads ‘NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software.’ If you have someone of perceived authority giving you instructions on how to protect your systems, then why was it not acted on? We are not talking about mass upgrades or huge costly system changes here, these are patches that are not overly hard to instigate and ensure they are in place. We all know how much it will cost the NHS to replace all their computers and devices, with the latest operating systems and to be frank, it would cause a massive strain on an already underfunded authority - but I would assume the recommendations would take into account the costs involved and would meet current budget levels. It does seem like a huge breakdown in communications and would highlight an urgent need to get things right for the time when a sophisticated attack gets hold - unlike Wannacry, that technically was not sophisticated at all! Hopefully not just the NHS, but many companies around the world, suddenly jumped into action to avoid further outbreaks and have put plans in place to stop the next unnecessary cyber disaster from happening…

Mark James, Security Specialist, ESET

Many small to medium sized businesses and their staff do not realise the true value of the information they hold, whether that be financial, customer records, or intellectual property. The potential impact if this information were to be lost or stolen through a cyber-breach could be catastrophic and result in loss of business and damage to reputation amongst a whole list of other possible repercussions. For businesses of all sizes, cyber security should be as second nature as cashing up or locking the doors at night. Educating the workforce on cyber threats and getting them to play their part in protecting information can be a big step in protecting valuable business intellectual property and making them realise it’s not just an issue for big firms. It’s essential for small businesses to review what important information they hold and how they put a padlock on it in the cyber world.
Paul Taylor, UK head of cyber security at KPMG

The reality is, we should always be operating under the assumption that the UK may face another significant cyber-attack. Just this past year, the effects of global campaigns such as WannaCry and NotPetya have shown us the devastation that can be caused by cyberattacks. Organisations need to ensure that they have automated analysis in place, giving security professionals access to the data they need for greater insight into the inner workings of threats, and the individuals and organisations behind them. Once they have this, organisations will be able to spot a potential threat and protect themselves against it.

Raj Samani, Chief Scientist and Fellow at McAfee

Pictured: Norwich University hospital car park

Professional Security, December 2017, www.professionalsecurity.co.uk