CS Oct 2021

Computing
Security
Secure systems, secure data, secure people, secure business
SUPPLY & DEMAND
The supply chain has never
been more vulnerable and at risk
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
BACKING YOURSELF
How to achieve backup
protection - with your
workforce fully engaged
RANSOMWARE PAYDAYS
If you are a victim, should
you give in or fight it out?
CYBER THREAT INTELLIGENCE
Some resources you just can’t do
without and top intel is one of them
Computing Security October 2021

A First & Last
Line of Defence
Against Cyberattacks
CREATE A SINGLE STRATEGY FOR DISASTER RECOVERY, BACKUP,
CYBERSECURITY, AND APPLICATION AVAILABILITY WITH ARCSERVE!
Arcserve best-in-class solutions - that manage, protect, and recover all data workloads,
from SMB to enterprise - eliminate standalone, discrete products for threat prevention,
ransomware disaster recovery and application availability. Safeguarded by Sophos
Intercept X Advanced for Server, Arcserve uniquely combines deep learning server
protection, immutable storage, and scalable onsite and offsite business continuity that
delivers complete data resilience for the next generation of hybrid data centres.
arcserve.com/ransomware

comment
POLICE POINT FINGER AT TECH GIANTS
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
Jake Moore, ESET: blaming social media and
other technology companies is a desperate
and empty argument.
The Metropolitan Police commissioner recently accused tech giants of making it harder to
identify and stop terrorists, according to the BBC News. The tech giants' focus on end-to-end
encryption was making it "impossible in some cases" for the police to do their jobs, Dame
Cressida Dick wrote in The Telegraph. In her piece marking the 20th anniversary of the 9/11
attacks, she stressed that advances in communication technologies meant terrorists were now
able to "recruit anyone, anywhere and at any time" through social media and the internet. In
response, the UK was needing to constantly develop its own digital capabilities to keep up with
terrorists exploiting technology to their advantage.
Perhaps not too surprisingly, her message echoed that of Home Secretary Priti Patel, who, at
a meeting of the G7 interior ministers, launched the Safety Tech Challenge Fund. The fund will
award five applicants up to £85,000 each to develop new technologies that enable the detection
of child sexual abuse material (CSAM) online, without breaking end-to-end encryption.
But is the stance taken by Dick and Patel fair - or even accurate? Jake Moore, Cybersecurity
Specialist at ESET, who sees the endless encryption debate from the police showing no sign of
slowing down, believes not. "While more needs to be done to combat online crime, blaming
social media and other technology companies is a desperate and empty argument," he says.
"Encryption should never be generated with a backdoor - for any use whatsoever. If it were
possible, it not only breaks the internet, but would also be abused: used for hacking, tracking
and more. It makes a mockery of any attempt at online privacy, which is slowly becoming more
important for many people."
Moore adds that what is needed now is better privacy and security, and that "criticising the
current encryption system makes the police look like they've lost the war on digital crime".
The answer, he argues, lies with a different approach to investigations altogether, adding:
"Long gone are the days where the police can call upon an organisation to retrieve logs and
communications between two suspects to surveil their actions."
Clearly, it is high time that the forces of law become forces for good by getting out of the blame
game and taking some of the burden and responsibility on their own shoulders.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Lyndsey Camplin
(lyndsey.camplin@btc.co.uk)
+ 44 (0)7946 679 853
Stuart Leigh
(stuart.leigh@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2021 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk October 2021 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security October 2021
contents
CONTENTS
Computing
Security
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
SUPPLY & DEMAND
BACKING YOURSELF
How to achieve backup
The supply chain has never
protection - with your
been more vulnerable and at risk
workforce fully engaged
RANSOMWARE PAYDAYS
If you are a victim, should
you give in or fight it out?
COMMENT 3
Police point finger at tech giants
CYBER THREAT INTELLIGENCE
Some resources you just can’t do
without and top intel is one of them
ARTICLES
ACHIEVING A SECURE WIPE 8
Gareth Owen of Redkey USB delves into
the world of Data Wipe Standards
SECURITY AND THE SUPPLY CHAIN 10
With supply chains under heavy pressure
and shortages forecast, Paul Harris,
Pentest Limited, looks at the implications
NORTHERN IRELAND: HELPING TO
BUILD A CYBER-SECURE FUTURE 12
A new type of expertise is helping to safeguard
personal, business and government
data - and to defend critical infrastructure
against hostile attacks
4
A SHAPE-SHIFTING WORLD
ATTACKERS USE TRUSTED CLOUD SERVICES AND CONSTANTLY CHANGE THEIR
TACTICS TO AVOID KNOWN PATTERNS OF BEHAVIOUR. CAN ADVANCED THREAT
PROTECTION STILL BE EXPECTED TO KEEP PACE AGAINST SUCH FORCES?
A
Patrick Wragg, Integrity360: the key to
advanced threat protection is layers
ensuring your operating systems and
applications are up to date; users are
educated; and that you have the latest
security solutions in place.
dvanced threat protection (ATP)
refers to a category of security
solutions that defends against
sophisticated malware or hacking-based
attacks, targeting sensitive data. ATP
solutions can be available as software or
as managed services. They can differ in
approaches and components, but most
include some combination of endpoint
agents, network devices, email gateways,
malware protection systems, and a
centralised management console to
correlate alerts and manage defences.
But how do they operate and perform 'in
anger', so to speak, and where might there
be any weaknesses? At the same time,
in a world where the threat levels alter
i ally and rapidly at an alarming rate,
d to be adapted to
HEART OF THE ORGANISATION
email attack is phishing [ie, harvesting login
information using spoofed web pages of
trusted brands]; once attackers have the
ability to remotely log in to a corporate
network, they can launch convincible fraud
campaigns and surveil the environment to
find the most sensitive data to steal or the
most business-critical servers to infect with
ransomware."
Security controls beyond the gateway
have traditionally focused on data loss
prevention, sophisticated malware analysis
and endpoint security solutions, he points
out. "However, advanced email threats still
evade detection and containment largely
because attackers use trusted cloud servic
and constantly change their tactics to avo
known patterns of behaviour. Endpoint
security agents can quickly spot a
compromised device, but it may be too
loss prevention can detect sensiti
rganisation, but
i
A SHAPE-SHIFTING WORLD 14
Can advanced threat protection (ATP) outwit
attackers who now use trusted cloud services
and constantly change their tactics to avoid
known patterns of behaviour? Or is keeping
ahead of such potent forces slipping out of
the grasp of those under fire?
CALLING FOR BACKUP 20
ALL THE LATEST INTEL 17
What approach should an enterprise take to
Steven Usher, Brookcourt Solutions, offers
ensure it has the best protections in place -
his insights on measuring the success of
a cyber threat intelligence program
as well as employees who are fully engaged
in making the process work? Getting this
DATA IMPACT ASSURANCE LEVELS 18
right is a complex, but essential, process
The time has come to 'DIAL' it in, states
and the payback its own reward!
ADISA founder Steve Mellings
SHOULD YOU PAY THE RANSOM? 23
When threatened with a ransom demand,
should you just submit? Steven Usher, of
Brookcourt Solutions, weighs up the pros
and cons
TO PAY OR NOT TO PAY? 28
Paying ransomware is a topic that greatly
OPERATIONAL RESILIENCE 24
divides opinion, especially in the corporate
James Drake, of XCINA Consulting, looks
boardroom. Cold logic might dictate that
at the challenges and many opportunities
any demand should be firmly rejected.
that new regulations will bring
What if it turned out to be a matter of life
THE FLAWS IN HOME WORKING 25
or death, though - wouldn’t that change
Organisations have been opened up to
everything?
a world of new and unmanaged cyber risk
AUTHENTICATION VS INSURANCE 26
Nick Evans, of SecurEnvoy, considers a
KNOWING YOUR ENEMY 32
perplexing dilemma - and the role of MFA
Threat intelligence is massively important
STING IN THE TALE 34
for all levels of organisations, since even
Tim Callan, of Sectigo, on how easy it is to
large companies have limitations on
manipulate and falsify business emails
resources. So, efforts must be put into
projects that will pay off and help keep
PRODUCT REVIEWS
enterprises that much safer
• Redkey USB 6
• Zivver Secure Email 27
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

product review
REDKEY USB
With all the focus on cybercriminals
and internet attacks,
it's easy to forget that data
breaches can easily occur, if businesses
fail to remove confidential data when
discarding or selling on their old
computers. It's more environmentally
friendly to recycle. rather than destroy
them. but simply formatting a drive or
deleting the data residing on it is not
enough. as they must be securely erased
to ensure it cannot be recovered.
There are plenty of free disk wipe
utilities available, but few provide
any certification of data removal for
auditing purposes and regulatory
compliance. Redkey USB looks the ideal
solution, as this unassuming memory
stick is loaded with military-grade tools
for securely erasing SATA HDDs and
SSDs, plus USB, NVMe, M.2, PCIe and
eMMC storage devices.
Some commercial erasure utilities
enforce pay-per-drive licensing, but
RedKey USB can be used as many times
as you want. A single payment allows
you to use the device an unlimited
number of times on any number of
Windows or Mac computers, and it
includes perpetual online updates
and support.
Three editions are available and we
review the Ultimate version, which
enables every feature the company
has to offer. All three editions deliver
certified secure erase technology, plus
25 defence wipe standards with an
Ultimate license, enabling editable
reports with field pre-fill options and
automated scripting, so the device runs
a custom sequence of events when
a computer is booted from it.
Security starts before you've even
received the product, as it is sent via
tracked delivery, with the Redkey USB
supplied in a tough tamper-proof
package. It arrives blank and is prepared
using the Redkey USB Updater utility -
a portable executable that must be run
on a Windows system with internet
access.
Activation is simple, as you insert
the device and enter the 20-digit
authorisation code hidden under
a scratch panel inside the package.
Once the code is verified, you can leave
the utility to download all required
files and prepare the Redkey USB as
a bootable device.
At this point, you can use the default
automated erase settings or customise
them from the utility, while scripting for
the Ultimate edition uses a text file
on the device that can be modified to
define specific wipe sequences. You
can, for example, set priorities for
erase functions, create a sequence of
events, including automatic computer
shutdown on wipe completion, and
enable auto-saving for erasure reports.
To test the Redkey USB, we left it on
its default settings, inserted it in a Dell
Precision Windows 10 Pro workstation
and selected its UEFI one-time boot
option. On first contact, you can choose
the default GUI or swap to a text-based
version, if the former isn't supported.
Countdown timers and audio assistance
are provided throughout and, if
you do nothing, it will start the erase
process on discovered storage devices
after one minute. Our test system had
a 3TB WD Red SATA HDD, which the
Redkey USB automatically 'unfroze' to
allow the SATA secure erase command
to be used, and then took seven hours
to complete the full wipe process,
accompanied by screensavers and
music.
A detailed PDF report is generated on
completion, which can be manually
edited with information such as where
a backup has been stored and who
conducted the erase. This can then
be saved directly to the Redkey USB
or another removable device.
The Redkey USB is an elegant and
affordable solution for professionals
and businesses that want certified,
standards-based disk erasure services,
with lifetime support. If you need to
know without any doubt that your data
is gone for good, you need Redkey USB.
Product: Redkey USB
Supplier: Redkey USB Ltd
Web site: www.redkeyusb.com
Sales: contact@redkeyusb.com
Price: Home, £19.95, Professional,
£39.95, Ultimate, £59.95
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
06

ADISA ICT Asset Recovery Standard 8.0
is formally approved by the UK ICO
(Approval ICO – CSC/003 and ICO – CSC/004)
Use an ADISA Certified company to be assured of UK GDPR compliance
when disposing of your IT assets.
Visit adisa.global to find out more
Want to know how to retire assets
so you can promote reuse AND meet
data protection legislation?
ADISA offers a range of training courses all presented by
leaders in the field, including a brand-new course which helps
data controllers write an asset retirement program to achieve
the objective of meeting sustainability and security targets.
Visit adisa.global/training to find out more

data management
ACHIEVING A SECURE WIPE
GARETH OWEN, MANAGING DIRECTOR OF REDKEY USB, DELVES INTO THE WORLD
OF DATA WIPE STANDARDS AND, WHERE THERE IS ANY DOUBT OR CONFUSION,
ADVISES HOW ORGANISATIONS CAN HANDLE THIS PROCESS RESPONSIBLY
When a computer is liquidated,
recycled or repurposed, it is
standard practice to sanitise all
user data. Typically, this involves erasing
the contents of the hard drive to eliminate
the possibility of a data breach.
Various regulations exist to ensure
organisations handle this process
responsibly, so most organisations will
either take care of the process in-house
or outsource the procedure altogether.
DATA WIPE STANDARD
Except in the case of physical destruction,
a certified data wipe product will likely be
at the heart of the process and, with this,
a data wipe 'Standard' will be applied.
Data wipe standards provide a convenient,
defined and repeatable process. If
a data wipe standard is already specified
within organisational policy, then little
consideration is required. However,
if a specific standard is not established,
or you suspect your current procedure is
inadequate, where do you start?
EXTERNAL ERASE
Traditionally, data wiping involves
overwriting a drive with a continuous
stream of binary data until the drive is
full. This has the effect of destroying any
previously stored information.
Conventional data wipe standards, such
as US 'DOD' and the 'Gutmann 35 pass'
wipe method, may sound familiar, but it's
common knowledge that traditional data
wipe standards are ineffective with
modern drives. For example, SSDs and
NVME use internal wear management,
causing part of the storage medium to
be hidden from the user.
INTERNAL ERASE
More than one method of sanitising
a drive has existed for some time now.
Drives can now be wiped internally/
securely. When the ATA command set
was introduced, it enabled the ability to
directly interact with the internal functions
of a drive. With the right tool, modern
drives can be instructed to self-erase.
Even more modern drives use the NVMe
command set, which implements similar
internal erase functions.
A fringe benefit of employing these
methods is that the process is relatively
fast, because internal erasing is not
hampered by any sort of interface
bottleneck. Full support for the ATA/NVMe
command sets varies between drives,
because the implementation of the erase
functions is manufacturer dependent.
Also, it is not always possible to be 100%
sure that a data wipe has been successful,
using internal erasure alone.
Besides this, many internal erase
compatible drives contain 'hidden areas',
such as the Host Protected Area (HPA)
and Device Configuration Overlay (DCO).
These hidden areas are not ordinarily
accessible, yet can potentially hold any
form of sensitive data, including malware.
Therefore, it's essential that your data wipe
standard incorporates the elimination of
hidden areas into its process.
CONCLUSION
The most secure data wipe standards must
then eliminate any hidden areas before
wiping a drive, using a combination of
both internal and external erasing
methods. More modern standards, such
as AGISM (Australian Government
Information Security Manual), BSI-GSE,
NIST 800-88 Purge and the ADISA
Certified Redkey Level 1 standard, already
incorporate this degree of complexity into
their processes, so are firmly compliant
with respect to GDPR, HIPPA and NIST
guidelines for data destruction.
However, one minor drawback of the
most secure data wipe standards is that
they can be time-costly and perhaps even
overkill for some low-risk situations. For
example, when a computer is redeployed
internally within an organisation. Under
such circumstances, a more efficient HPA
and DCO Reset, combined with a secure
erase, may suffice.
8
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

supply chain threats
Paul Harris, Pentest: Digital supply chains can
be seen as an easy target for malicious threats.
SECURITY AND THE SUPPLY CHAIN
WITH SUPPLY CHAINS UNDER EXTREME PRESSURE AND SHORTAGES
FORECAST, PAUL HARRIS, MANAGING DIRECTOR, PENTEST LIMITED,
LOOKS AT THE IMPLICATIONS OF SUCH THREATS FROM AN ECONOMIC,
BUSINESS - AND SECURITY - STANDPOINT
As I write this article, supply chains
are hitting the headlines. Retailers
are warning there could be a
shortage of toys at Christmas, McDonalds
ran out of milkshakes and Nando's were
forced to close restaurants, because their
supply chain was, and I quote, "having a
bit of a 'mare". These are the more trivial
headlines, but things could be serious
and everyone from car manufacturers to
building merchants, the NHS to food
producers, are talking about supply chain
issues.
Whether these supply chain issues
are because of Brexit, Covid, increasing
demand, staffing levels or a combination
of things is up for debate and it's yet
to be seen whether many will play out.
But, whatever the cause, or whatever the
outcome, these scenarios clearly
demonstrate the effects supply chain
disruption can have from an economic
and business standpoint, as well as on
a personal level.
DIGITAL SUPPLY CHAIN
Physical supply chains are the focus of
these headlines and the threat of empty
supermarket shelves, as well as raising
prices, is always going to hit the news.
But, for organisations, supply chains
aren't just physical, they can also be
digital. Many, if not most, of today's
organisations rely on digital products
and software suppliers to ensure day-today
operations, and if that supply chain
was disrupted, for any reason, then
organisations, and ultimately consumers,
could see similar negative effects.
An example of this occurred in June this
year, when a 'bug' within the software
of the content delivery provider (CDN),
Fastly, was triggered by a customer. The
flaw ultimately took down 85% of the
company's network and caused outages
for many of its well-known customers,
such as BBC News, Spotify, Amazon and
10
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

supply chain threats
the Gov.uk website. The outage lasted
for just under an hour and, for many, it
wasn't too serious, but for those reliant
on website traffic and online orders - for
example, Amazon - the outage could
have cost the company $32m in sales,
according to one calculation. This just
shows the business impact when part
of your digital infrastructure, supplied by
a third-party, is disrupted.
Companies will obviously want to
mitigate against disruptions such as the
one above by having contingency plans
in place, but technology issues aren't the
only consideration organisations need to
be making when looking at their digital
supply chain: they also need to look at
security.
Digital supply chains can be seen as an
easy target for malicious threats and, in
some cases, they can provide the most
effective route into an organisation,
especially those with robust security
measures in place. Why spend time trying
to breach an organisation with tough
security measures when you can target
a smaller, less security mature company
within their supply chain and look for
a way to move between them? It can be
as easy as that.
ON TARGET
Take the example of Target, the US
retailer. In 2013, attackers managed
to access Target's point of sale (POS)
systems, gaining access to 40 million
payment card credentials and 70 million
customer records. But Target wasn't the
original target, so to speak; it was a
heating, ventilation and air conditioning
supplier, which used Target's vendor
portal to monitor stores.
With access to the portal, attackers were
able to move across Target's network and
ultimately access the POS systems. That's
not the only example. The British Airways
breach, which affected around 400,000
customers, was achieved through a
breach of a payment software provider,
not the company itself.
SOLARWINDS BREACH
For me, one of the most interesting
examples of a digital supply chain attack
was the recent SolarWinds breach. This
breach wasn't simply about criminals
stealing credit card details, but a
sophisticated, potentially state-sponsored
attack, which used compromised
SolarWinds software to successfully gain
access to, and spy on, their customers -
mainly US government agencies and highprofile
Fortune 500 companies.
Whether the threat is from criminal
enterprise, nation state operations or
hacktivists, these examples clearly show
the potential consequences of supply
chain attacks and even, if you think you're
not a target, someone in your supply
chain just might be. Security, throughout
the supply chain, should be everyone's
responsibility, but how do you go about
making your supply chain more secure?
GET YOUR OWN SECURITY IN ORDER
Supply chain security improvement
needs to start within your own company
and you'll want to ensure, as much as
possible, that supply chains attacks aren't
going to be able to affect your business,
its operation, sensitive data or be able
to utilise your company to target others
within your supply chain.
Simple measures can make a big
impact and measures such as network
segregation, robust privilege levels and
monitoring tools can help you detect
potential breaches, restrict access to
sensitive information and reduce the
chances of a malicious threat being able
to move from a compromised network
onto your main company networks.
Every organisation will be different, of
course, and security measures should be
tailored to the real-world risks faced.
That's why scenario and risk analysis
planning can be useful to undertake,
helping you uncover the potential risks
of a supply chain attack and to ensure
effective measures are put in place to
mitigate against the most likely scenarios.
Undertaking this improvement work
isn't just good from a security standpoint,
however; it's also good from a business
aspect. GDPR compliance, as well as
potentially hefty fines, has forced
organisations to become more security
conscious and customers, both inside
and outside the supply chain, are now
requiring robust security assurances
before they commit to working with a
company. So, by having the good security
practices in place and being able to
provide evidence of security testing or
compliance, it can make your life much
easier when it comes to winning business.
SEEK SECURITY ASSURANCES
FROM YOUR SUPPLIERS
Just as customers will be asking for
security assurances from you, you should
be asking for security assurances from
your suppliers. Have they had an
independent security audit? Do they have
evidence of infrastructure and application
security testing? Are they working
towards ISO 27001 standards or have
certification? Does the company have
Cyber Essentials?
The assurances needed will obviously
depend on the nature of the relationship,
the information and services that are
being procured and the potential risks
involved. Some relationships will require a
light touch, in terms of security assurance,
but some may require rigorous standards.
It's up to every company to define what
level of security they want from their
suppliers and to ensure these are in place,
before committing to working with them.
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
11

special focus on NI
HOW NORTHERN IRELAND IS
HELPING TO BUILD A
CYBER-SECURE FUTURE
naturally. From pioneering digital banking to the evolution of Fintech and
Regtech, the region has played a significant role in driving and shaping the
future of law, finance and commerce - and it continues to do so today.
Digitalisation has been a crucial catalyst in this respect, creating
opportunities for these industries to connect and grow through data,
technology and information. This has established a fertile ground for new
types of professional services and home-grown success stories like First
Derivatives, Kainos and FinTru, while also attracting major investment from
players keen to futureproof their businesses for the digital age, such as EY,
Deloitte, PWC, Citi and KPMG.
At the same time, however, the digital world has opened Pandora's box,
unleashing ever-evolving threats in the sinister shape of cybercrime. One of
the world's least-welcome growth industries, it costs the global economy an
estimated $2.9 million per minute. The resulting challenges are many and
varied - and could potentially counter the many positives that digital progress
has sought to create.
But with challenges come opportunities, and with digital transformation
happening rapidly in the professional services sector, Northern Ireland's cyber
security sector responded accordingly. The need to safeguard personal,
business and government data from theft, protect computer networks against
intrusion, keep devices clean of malware and defend critical infrastructure
against hostile attacks has generated demand for a new type of expertise
which Northern Ireland has been able to deliver in abundance through its
talent pipeline and through R&D.
"Over the last 20 years, effective cybersecurity has become one of society's
critical needs. Here at QUB we recognised we had the skills and ambition to
tackle this need head-on and, in doing so, boost economic renewal in Belfast
and Northern Ireland."
Professor Máire O'Neill, CSIT's Principal Investigator
A
t the recent National Cyber Security Centre's CYBERUK conference,
Foreign Secretary, Dominic Raab, referred proudly to Northern Ireland
as a "…world-leading cyber security hub, and a top international
investment location for cyber security firms." Raab's comments may have been
news to those unfamiliar with the region - but, to US tech investors, it is the
No.1 place to be, and has been for several years.
Indeed, in little more than a decade, Northern Ireland has taken a small,
nascent cluster of native businesses and nurtured it into a global centre of
excellence that's bursting with talent, academic prowess and commercial
expertise. Together, local industry, academia and the region's public bodies
have seized a mounting threat (which now costs the global economy over
US$600 billion/per year) and carved out a unique role for Northern Ireland in
an ever more digital world.
But how has this been achieved, and what does the future hold? Let's take a
closer look.
EARLY ORIGINS
The professional services sector, in the form of legal, financial and business
consultancy, has been part of Northern Ireland's economic and skills repertoire
for several decades now, which is why leadership in these areas has come so
BUILD IT AND THEY WILL COME
Today, the region is home to around 4% of the UK's cyber security workforce),
which for an area that represents around 2.8% of the UK population, is just
one indicator of its strengths in this field. What's more, almost 5% of cyber
firms in the UK market call Northern Ireland home, helping to deliver its
ambition to grow its sector workforce to 5000 by 2030. At the heart of this
lies CSIT - the award-winning Centre for Secure Information Technologies at
Queen's University Belfast.
Where digitalisation has been the spark, CSIT has undeniably been the
catalyst that's turned Northern Ireland's cluster into a thriving ecosystem
encompassing finance, banking, insurance, legal, telecoms, threat
intelligence, defence, security, healthcare… for the cyber risk is everywhere.
As a result, the centre has not only attracted millions in global investment
from the likes of WhiteHat, Rapid7, Proofpoint, IBM Q1 Labs and Black Duck -
it has triggered new start-ups, supported over 2000 local jobs in the Belfast
area alone and produced proven solutions to some of the biggest cyber
challenges facing economies globally today.
It all started in 2009 as a greenfield site at what is now known as Catalyst,
which was previously the Northern Ireland Science Park and part of one of the
world's biggest urban-waterfront regeneration projects. By bringing
academia, industry and public sector support together under one roof, CSIT's
partners and funders (EPSRC, Innovate UK and Invest Northern Ireland)
12
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

special focus on NI
believed they could create a hub where leading-edge research could translate
rapidly into market-relevant, market-ready products and services. And they were
right.
CSIT is now home to a 90-strong team of industry-experienced engineers,
electronic and computational researchers, business development specialists and
passionately motivated postgraduates. But this is only one ingredient in the
recipe for CSIT's success. An impressive roster of business members such as
Thales, Allstate and BAE Systems help shape its research strategy, while close
collaboration with First Derivatives, Seagate, Nvidia and other IT giants, and with
leading global cybersecurity institutes, adds an extra dimension to its expansive
vision and worldwide reach.
"Because we are a relatively small region, the government, the universities, and
regional development organisations work very closely together… We are acutely
aware of the market's demands and the types of companies coming in, so we
can be more agile in developing novel programs to support them."
David Crozier, head of strategic partnerships and engagement, CSIT
EXCELLENCE IN ACTION
As you might expect from a centre of excellence with such extensive global
reach, CSIT has attracted much recognition during its short lifespan. In 2015, for
example, it won a Queen's Anniversary Prize, celebrating excellence, innovation
and public benefit at UK universities, and four years later, Máire O'Neill, CSIT's
Principal Investigator, secured a prestigious Blavatnik Award, recognising her
work as an outstanding young scientist. More recently (February 2021), Queen's
University was recognised for its cybersecurity education program and work
promoting cyber-skills by the National Cyber Security Centre (NCSC).
Such plaudits are well deserved. CSIT has delivered a consistent stream of
cutting-edge, real-world cybersecurity advances - including 10 new product
concepts with a clear route to market. For example:
Working with a US insurance firm, it has developed graph-mining analysis
systems that automatically detect anomalous and potentially fraudulent
insurance claims by pinpointing suspicious patterns
Algorithms developed at CSIT are enabling a major financial services company
to spot malicious trading activity over its communication channels and data
flows, protecting against regulatory non-compliance and potentially massive
fines
Working with vendors of control systems that underpin electricity, water and
other key infrastructure to pinpoint and eliminate vulnerabilities to cyberattack
Helping satellite developers keep their hardware cyber-safe in Earth's orbit, with
enormous benefits such as future-proofing the security of communications by
introducing quantum-safe cryptographic algorithms
"This is an extremely exciting time for cyber security in Northern Ireland but
also for the sector globally... At CSIT, our researchers are leading cutting-edge
research in cyber security. We are also developing the next generation of
industry leaders to meet the huge demand from industry for cyber security
professionals."
Professor Máire O'Neill
WHAT'S NEXT?
For as long as the digital age prevails, cyber security will be needed, and with
that, the only way is up for CSIT and the Northern Irish industry. It is now an
authoritative source of counsel among governments and other organisations
worldwide (including the London Office for Rapid Cybersecurity Advancement
(LORCA)), and its appeal as a destination for investors, big and small, shows
no sign of waning.
In the past 18 months, for instance, the market has seen a new or increased
Northern Ireland presence established by Angoka, Aflac, Cygilant and Rapid7,
while a new centre of excellence was established by consulting giant, KPMG.
This is the tip off the iceberg.
Thanks to an ever-expanding track record of achievement, CSIT and the
innovation ecosystem that surrounds it are set to flourish further, gaining
more momentum, for example, by planned investment in infrastructure as
part of the Belfast Region City Deal.
A major project connected to the deal is the Global Innovation Institute (GII),
which will be a nexus for co-innovation between researchers and industry in
data security, connectivity and analytics. As we are faced with the data deluge
in our increasingly connected world, secure, connected intelligence will
become ever more critical.
So, as with CSIT, GII hopes that, by creating a space where local and global
companies, entrepreneurs and researchers can come together, Northern
Ireland can continue this story of success - and keep playing its part in
building a safe, cyber secure, future for all.
Invest Northern Ireland is the region's business development organisation. Its
role is to grow the local economy by helping new and existing businesses to
compete internationally, and by attracting new investment to Northern
Ireland.
Find out more about how we can work together with you and your business.
InvestNI.com/Europe
Crucially, underpinning all the above is access to local talent, and so far, a
pipeline of students have enrolled onto CSIT's Masters programme, producing
experts with the state-of-the-art skills the cybersecurity sector needs. At the
same time, 17 cybersecurity start-ups have graduated from the CSIT Labs
incubator programme and six CSIT spinouts have been established in fields
ranging from content inspection to automated image and video processing.
As you might expect from the tech industry, these fledgling success stories
have subsequently brought bigger names to Northern Ireland's shores: Titan IC,
for instance, was acquired by Nvidia in 2020, giving the US chip manufacturer a
firm foothold in the Belfast cybersecurity ecosystem.
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
13

advanced threat protection
A SHAPE-SHIFTING WORLD
ATTACKERS USE TRUSTED CLOUD SERVICES AND CONSTANTLY CHANGE THEIR
TACTICS TO AVOID KNOWN PATTERNS OF BEHAVIOUR. CAN ADVANCED THREAT
PROTECTION STILL BE EXPECTED TO KEEP PACE AGAINST SUCH FORCES?
Patrick Wragg, Integrity360: the key to
advanced threat protection is layers -
ensuring your operating systems and
applications are up to date; users are
educated; and that you have the latest
security solutions in place.
Advanced threat protection (ATP)
refers to a category of security
solutions that defends against
sophisticated malware or hacking-based
attacks, targeting sensitive data. ATP
solutions can be available as software or
as managed services. They can differ in
approaches and components, but most
include some combination of endpoint
agents, network devices, email gateways,
malware protection systems, and a
centralised management console to
correlate alerts and manage defences.
But how do they operate and perform 'in
anger', so to speak, and where might there
be any weaknesses? At the same time,
in a world where the threat levels alter
dramatically and rapidly at an alarming rate,
where might they need to be adapted to
counter future emerging challenges?
"Perhaps it's become a cliché, but advanced
threat protection requires detection and
containment, 'beyond the email gateway',"
says Mike Fleck, VP marketing at Cyren.
"Cybersecurity and industry professionals
have been using this term to describe the
need for organisations to have a layered
security approach with security controls and
incident response capabilities to deal with
the advanced threats that slip past the email
perimeter and arrive in a user's mailbox.
HEART OF THE ORGANISATION
"Email is the most common method of
delivering threats - advanced and otherwise
- because it is one of the few ways to
transport an attack straight to the heart of
an organisation, through its people. What's
more, the most favoured approach to an
email attack is phishing [ie, harvesting login
information using spoofed web pages of
trusted brands]; once attackers have the
ability to remotely log in to a corporate
network, they can launch convincible fraud
campaigns and surveil the environment to
find the most sensitive data to steal or the
most business-critical servers to infect with
ransomware."
Security controls beyond the gateway
have traditionally focused on data loss
prevention, sophisticated malware analysis
and endpoint security solutions, he points
out. "However, advanced email threats still
evade detection and containment largely
because attackers use trusted cloud services
and constantly change their tactics to avoid
known patterns of behaviour. Endpoint
security agents can quickly spot a
compromised device, but it may be too late.
Data loss prevention can detect sensitive
data as it leaves the organisation, but only
after the initial compromise. There is clearly
a gap in advanced threat protection
capabilities between the email server and
the end user device. This gap is easy to see
when you understand the degree to which
enterprises rely on employees to identify
advanced threats in their mailboxes."
A better way is to simply add a layer of
automated detection and incident response
to the mailboxes, Fleck adds. "As enterprises
migrate their email servers to cloud
offerings like Office 365, it becomes easier
to close this gap by using APIs to connect
advanced threat protection clouds to
email mailbox clouds. This layer of
control complements the detection and
containment efforts already underway by
14
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

advanced threat protection
cloud providers, enterprise email security
gateways, network intrusion detection and
endpoint security agents. It also relieves
users from the expectation that they will
reliably spot and avoid advanced threats like
spear phishing and business email
compromise."
EVOLUTION OF TECHNOLOGIES
The advanced threat protection category is,
of course, nothing particularly new, points
out James Preston, security architect for
ANSecurity, but rather "an evolution of
technologies including anti-virus along with
intrusion prevention and detection systems -
packaged under a new heading". However,
no matter what it's called, technology alone
cannot protect against every type of threat,
he cautions.
"ATP solutions generally don't understand
where your organisation has weaknesses.
From a threat actors' point of view, there
is always a stage where they will try to
reconnoitre a target looking for weaknesses.
This could be a long-forgotten VPN server,
an unpatched application or badly designed
user sign-in process. In fact, this
reconnaissance phase is often the deciding
factor for a cyber threat actor to expand real
effort to break in - or find a more open
victim. Most ATP solutions don't emulate
this reconnaissance process, so enterprises
need to initially focus on finding and fixing
structural weaknesses to make themselves
less attractive targets."
A great place to start is by using a cyber
security framework such as the MITRE
ATT&CK framework - with free tools like the
ATT&CK navigator, Preston advises. "These
allow you to map out the likely avenues for
exploit and then work out where you have
adequate protections and best practice
processes - versus areas where you are
lacking. This is a task you can do internally
or, if you have limited resources, through a
trusted expert third-party. Either way, it will
give you a better starting position to fix any
issues than just deploying lots of vendor
solutions in an ad-hoc fashion."
Integration is also key. "It's unlikely that any
enterprise will have a complete stack of
cyber security products from a single
vendor. And, as such, disparate security
solutions often work in little silos, without
sharing the valuable security information to
make early breach detection easier. So, it's
essential that organisations must also
establish what is integrated - and, in some
cases, this might require a dedicated
integration layer like a SIEM or SOAR
platform. This might not always mean
spending more budget as, in some cases,
a SIEM can allow you to reduce the number
of overlapping security tools and focus on
better utilising a smaller set of
technologies."
One of the biggest security issues now,
he adds, is how fast cyber criminals can
escalate a slight breach into a full-blown
extortion attempt of theft of sensitive data.
"Sometimes, the tell-tale signs are spotted
by cyber security systems, but the decision
to quarantine PCs, servers or network
functions requires manual action. This
approval delay can mean the difference
between successful defence or a painful
breach. As such, enterprises are going to
need to start trusting automated response
a bit more - even if it means that the
occasional false alarm impacts the business."
Yes, this is a big step, he concedes -
and there will be a bedding in period as
these systems start to understand the
environment and learn from mistakes.
"However, to deal with the next generation
of advanced threats, APT systems must be
given the freedom to start mitigation faster
than a typical human operator."
'BIG PICTURE' VIEW
Patrick Wragg, cyber incident response
manager with Integrity360, points to how
traditional basic threat prevention strategies
James Preston, ANSecurity: technology alone
cannot protect against every type of threat.
Mike Fleck, Cyren: there is clearly a gap in
advanced threat protection capabilities
between email server and end user device.
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
15

advanced threat protection
rely on a singular approach, whereby each
unique security tool/component in an
organisations defence arsenal has one
job and is relied upon heavily for that job.
"Advanced threat prevention, however, takes
a multi-faceted approach whereby the
detection capabilities of multiple security
tool/components in an organisations
defence arsenal are combined to provide
a 'big picture' view of a possible compromise.
For example, a combination of EDR
(Endpoint, Detection and Response) agents,
network monitoring agents, email gateways,
user privilege/account monitoring and cloud
monitoring solutions all submitting their
alerts to a centralised management tool that
correlates them and alerts a security team in
real-time."
However, there is no one size fits all
approach, in terms of advanced threat
protection. "Solutions need to be scalable,
flexible and intelligent, and enable
organisations to bolster those defences that
work well and can evolve to meet the everchanging
threat environment. Businesses
need to cover all bases with systems in place
designed to manage, detect and respond
(MDR), monitor, mitigate/prevent and,
where necessary and applicable, remediate
with incident response (IR)."
On top of automating where possible, and
an overall strengthening of the security
posture, the key to advanced threat
protection is layers, he adds - ensuring your
operating systems and applications are up
to date; your users are educated; and you
have up to date security solutions in place.
"The future of advanced threat protection
comes down to having the right service
provider in place to provide on-demand
access to highly skilled cybersecurity experts
who can deliver emergency support for any
cyber threat, including proactive guidance
on MDR and IR planning, and new and
evolving threats. The security team should
also be able to respond instantly, in realtime,
via pre-built automated incident
response playbooks."
BATTLESHIP WARFARE
"For years, threat actors like nation states
and cybercriminals had distinct motivations
and different tools," comments Sam Curry,
chief security officer, Cybereason. "Nation
states, or 'advanced persistent threats', as we
called them, moved like submarines stalking
ships in the waters of target networks,
carrying out the policies of their
governments and providing asymmetric
options aside from the normal diplomatic,
economic, and military strategies and
tactics. By contrast, the fight against
cybercriminals more resembled battleship
warfare than submarine. The motivation
among criminals was profit and, as such,
it was about maximising the number of
victims and wringing every drop from an
infection for as long as possible. Even in the
old days, the security industry was not up
to the task of stopping either the malicious
operations of nation states nor the smashand-grab
theft of cybercriminals."
The silver lining, however, is the emergence
of endpoint detection and response (EDR),
which is often mistaken for a mere extension
of existing endpoint protection technologies
like antivirus or personal firewalls. "It is a tool
for finding the advanced operations and
provides the hunter-killer options for the
cyber conflicts being waged on corporate
and government networks," he explains.
"EDR has evolved first into managed
detection and response (MDR), providing
the men and women behind screens in
managed services, and into extended
detection response (XDR), uplifting the
telemetry recording from formerly
ubiquitous endpoints to the transformed
enterprise of SaaS, Cloud Infrastructure
and beyond."
Fast forward to today and the dark side
ecosystem is very different, states Curry. "The
attackers have not slowed down and have,
in fact, evolved at a faster rate than
defenders have, except perhaps among the
most sophisticated defenders. Not only are
they attacking the newer infrastructure
associated with SaaS services, but they are
now targeting the new IT stack in the form
of IaaS and PaaS compromise.
"In the last five years, the lines among
attackers have become more blurred, with
sharing of tools and relationships that mirror
the alliances, investments and partnerships
of the more normal and legitimate
industries. Further, the motivations for each
actor have become less distinct, with nation
states pursuing currency in the case of North
Korea, fostering ransomware in the case of
Russia, and development of supply chain
compromises in the case of Russia and
China, to name just a few."
The most insidious examples of these are
developments in the last six months. "The
first is ransomware, which is really a
combination of the old APT-style delivery
mechanism through stealthy submarine-like
operations but doing so for profit. The
second and most recent is evident in the
recent Kaseya attack: supply chain
compromise for the purpose of delivering
ransomware as the payload. This is a killer
combination."
This is the reason for the mandate of EDR
(or MDR or XDR) for the US Federal
government in the recent White House
Executive Order. "Having a means of finding
the attacks as they move in the slow, subtle,
stealthy way through networks isn't an
option. This class of tool isn't the be-all and
end-all, but it's at the top of the toolkit,
along with more advanced prevention,
building resilience, ensuring that the blast
radius of payloads is minimised and generally
using peace time to foster anti-fragility." The
most significant takeaway? "It's not about
who we hire or what we buy. It's about how
we adapt and improve every day."
16
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

cyber threat intelligence
ALL THE LATEST INTEL
HOW DO YOU MEASURE THE SUCCESS OF A CYBER THREAT INTELLIGENCE PROGRAM? STEVEN USHER,
SENIOR SECURITY ANALYST, BROOKCOURT SOLUTIONS, OFFERS HIS INSIGHTS ON A CHALLENGING TOPIC
Cyber threat intelligence can be found in
numerous ways. One of the most
popular ways to gather intelligence is
via feeds, both open source and commercial
feeds. These feeds can be fed into various
tools to be searched and produce actionable
data that can be added to Block and Watch
Lists.
INGEST
Most companies who can make use of this
'raw' intelligence and be able to act on the
results usually have a mature approach to
cyber security - typically including a SOC
(Security Operation Centre), IR (Incident
Response) and at the very least a job role that
will exclusively deal with cyber threat
intelligence.
Feeds are not the only way cyber threat
intelligence can be used. Some of the most
common alternative uses for cyber threat
intelligence include the production of reports
for a customer by a company that specialises
in the topic, monitoring of specific datapoints
for mentions online and monitoring publicly
known data breaches for company
information. Services of this nature are more
common with smaller companies that do not
have the staff or internal knowledge to carry
out the monitoring and analysis of cyber
threat intelligence. However, this is not to say
larger companies do not also use these
services to augment the intelligence
generated internally.
QUANTIFY
How do you measure the success of a cyber
threat intelligence program? This is not an
easy question to answer, simply due to the
nature of what cyber threat intelligence is.
There are naturally the obvious examples of
success, such as finding data that is linked to
or belongs to a company online or finding
information relating to an attack planned on
the company - effectively anything that
would show an obvious and direct benefit of
cyber threat intelligence to the company.
However, incidents of this nature make a
small minority of the uses and successes of
cyber threat intelligence.
The general value in cyber threat intelligence
is knowing what is going on in the busines
world and in many cases your industry, this
allows for preventative measures to be taken,
as well as the ability to better prepare for
potential incidents in the future. The MITRE
ATTACK framework is a brilliant example of
intelligence that can be used to better
prepare and test a company's readiness.
IMPROVE AND EXPAND
There is always room for improvement when
it comes to this type of work. There are
alternative data sources, different tools and,
new approaches that should, at the very
least, be considered when collecting and
interpreting the data and information that is
available. As the methods of attack evolve,
change and die out, being replaced with
completely new tactics and techniques, so
should the views, processes and runbooks
that are used to combat them.
Cyber threat intelligence is often a part of
threat intelligence as a whole and it should
be considered that some of the services that
are offered to businesses can be used for
more than simply cyber threat intelligence.
Some of the other uses are geographic
intelligence, intelligence relating to real world
products and activities related to those
products, and intelligence that is more
focused on the high-level individuals within
the company.
Steven Usher, Senior Security Analyst,
Brookcourt Solutions
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
17

data impact assurance level
DATA IMPACT ASSURANCE LEVELS EXPLAINED
THE TIME HAS COME TO 'DIAL' IT IN, STATES ADISA FOUNDER STEVE MELLINGS
By completing your Data Impact Assurance Level (DIAL) and using a company certified to 8.0, you are assured of meeting UK GDPR compliance
Over the coming weeks, businesses
should start to be asked to create a
Data Impact Assurance Level (DIAL)
by companies who they engaged with to
collect their redundant equipment and
sanitise the media. But what on earth is a
DIAL and what is the benefit to you by
creating one?
This article explains what the DIAL
concept is and why it was crucial in the
approval of ADISA Asset Recovery Standard
8.0 by the UK Information Commissioner's
Office. And most importantly, why this
helps organisations comply with UK GDPR
when disposing of redundant equipment.
WHERE DID IT ALL BEGIN?
When ADISA launched in 2010, our
ambition was to help improve risk
management for companies when they
dispose of their redundant equipment by
the development of Standards. Our ICT
Asset Recovery Standard has gained
significant traction in the UK and is well
supported by the leading IT Asset Disposal
(ITAD) companies in the sector. When EU
GDPR was passed into law, we saw that
approved Certification Schemes were
covered within the articles and so we
started exploring how we might evolve our
program by achieving official recognition
under the overarching data protection law.
WORKING WITH THE UK
INFORMATION COMMISSIONER'S
OFFICE.
In July 2019 ADISA submitted our ICT Asset
Recovery Standard to the ICO for approval
18
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

data impact assurance
as a EU GDPR Certification Scheme. (This
would later move to UK GDPR post-Brexit!)
Our Standard was structured such that risks
to data were identified and
countermeasures were required to remove
or mitigate those risks. These
countermeasures were presented as
prescriptive criteria which were included in
the Standard and companies being certified
were required to meet those criteria to
evidence how they were managing those
risks on behalf of their customers.
When we started working with the ICO it
soon became clear that rather than
focusing on the industry we needed to look
at the process from the data controller's
viewpoint. Whilst the previously identified
risks remained the same, who determined
whether the countermeasures were
appropriate was not. Previously it was
either ADISA, via the publication of the
Standard, or the ITAD, through provision of
the service, who determined the
appropriateness of the countermeasures to
be deployed. Clearly, within UK GDPR what
is deemed "appropriate" will vary from one
data controller to the next, so how could a
binary standard claim to represent all data
controller's own requirements?
This created a quandary; how do we allow
the data controller to first see all the points
in the process where risk exists, and then
secondly how can they then influence the
risk treatments to suit their own specific
requirements.
The answer to this was to create the
concept which is Data Impact Assurance
Levels.
When working with the regulator it was
clear that to deem whether something is an
appropriate risk treatment, we must first
understand a range of variables for each
data controller. ADISA identified five
variables.
Threat - Who are we protecting our
data from and what are their
capabilities.
Risk Appetite - Do we permit additional
treatments to be available, at a price, or
do we require all possible risk
treatments to be applied?
Volume of Data - What is the
aggregated risk we are trying to
manage?
Categories of Data - What data are we
having processed?
Impact of a data breach - If we suffered
a data breach what would happen?
Share price impact, loss of reputation or
regulatory action?
Within each of these variables a data
controller can determine what is their own
position by following the workings laid out
in Part 1 of the ADISA Standard or using
the free to use software on our website. By
working through these questions, the data
controller produces a single DIAL rating
which can be used to indicate what level of
controls would be appropriate to be
applied to each of the risks which are being
managed on their behalf by their certified
ITAD partner. This simple approach finally
gives the data controller a means of
influencing risk management in a process
which is often both out of sight and out of
mind.
WHY IS DIAL GOOD?
By introducing the DIAL concept to our
Standard, ADISA was able to meet the UK
ICO's expectation on how risk was to be
managed by the data controller when they
dispose of redundant equipment. This is
particularly important where the disposal of
redundant equipment is concerned as the
volume of data being processed is
enormous making it one of the biggest
risks within enterprise data protection. Due
to the transactional nature of the process
including moving physical assets outside of
existing security environments, there are a
significant number of points in the process
where risk exists. By presenting DIAL to the
ITAD partner a data controller is indicating
what controls they want to have in place
on those processes which is reflective of
their own situation. This is achieved by
there being different levels of risk treatment
for each identified risk which offer
increasingly better levels of risk
management.
Of course, increased controls for
unnecessary reasons could lead to
unnecessary cost, which is why the DIAL
concept enables data controllers to manage
risk directly attributed to their own
situation.
CREATING YOUR DIAL
Companies already certified by ADISA are
working towards the new 8.0 Standard and
as such will be able to issue you a URL to
the ADISA website where you can answer
five questions which then create your DIAL
and a certificate. Even if your existing
partner is not certified, you can go to the
ADISA website yourself and complete the
same process to create your own DIAL.
Each ITAD when being certified will
achieve their own DIAL rating which
indicates the potential DIAL they are
capable of operating at. You should verify
that your ITAD partner's DIAL rating meets
your requirements. If they do not have a
DIAL or operate at a lower level than you
require, they will either need to become
certified, improve their capability or you
should deem them unsuitable.
Standard 8.0 incorporating the DIAL
concept assures you of meeting UK GDPR
compliance not because your ITAD partner
is telling you nor because ADISA is telling
you. You are assured of meeting UK GDPR
because the ICO has confirmed that using
an ITAD who is certified to 8.0 by a UKAS
approved audit process is UK GDPR
compliant.
To find out more, click here.
adisa.global/dial
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
19

ackup & recovery
CALLING FOR BACKUP
What approach should an enterprise take to ensure it has the best
protection in place - as well as employees who are fully engaged in
making it work? Getting this right is a complex,but essential, process
The purpose of backup is to create a
copy of data that can be recovered in
the event of a primary data failure.
Such failures can be the result of hardware
or software malfunctions, data corruption
or a human-caused event, such as a
malicious attack (virus or malware), or
accidental deletion of data. Backup copies
allow data to be restored from an earlier
point in time to help the business recover
from an unplanned event.
Storing the copy of the data on separate
medium is critical to protect against
primary data loss or corruption, but what
works to best advantage? The additional
medium could be as simple as an external
drive or USB stick, or something more
substantial, such as a disk storage
system, cloud storage
container or tape
drive. The
alternate medium can be in the same
location as the primary data or at a remote
location. The possibility of weather-related
events may justify having copies of data at
remote locations.
But what approach should an enterprise
take to ensure it has the best protection -
as well as employees who are fully
engaged in making it work? One of the
preventive measures and possibly the most
efficient layer of defence, in the case of
any cyber-attack threat, is simply enforcing
healthy security habits and having the
discipline to follow them, says Robert
Allen, European director of marketing &
technical services at Kingston Technology
Europe. "Following these best
practices and procedures
that were created
before a
cyber security attack, whilst backing them
up with several protective frameworks to
make a layered defence, is the most ideal
strategy in mitigating attacks. Pro-active
thinking, threat intelligence and
continuous risk assessment can help
prepare the initial response to the
anticipated 'what if' scenario."
MITIGATING INITIAL IMPACT
As one of the proactive measures, daily
data backups can help to mitigate initial
impact on systems, which were
compromised through ransomware attack.
"In the ideal case, it would be a good
practice to be aware of the value of the
data in storage, and then being selective
in accordance with their priority level and
back them up on a daily basis. This
practice can help to recover from initial
'denial of access' to compromised systems
through a ransomware attack.
IronKey DataTraveler.
20
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

ackup & recovery
"Furthermore, this method can help to
restore systems elsewhere, so you can
continue your daily activities, with
relatively low inconvenience. Backup of
data needs to be part of a larger cyber
security mitigation plan. This strategy
could be also seen as the last line of
defence in a critical system failure
scenario."
Daily backup of sensitive data can help us
to recover from ransomware or other
attacks. "To put it simply," adds Allen, "if
the worst was to happen, it's always the
better option to lose one day's data than
months or years. Here, you can use the
benefits of an encrypted USB drive, which
ensures further cryptographic protection
for data, critical if you need to take data
elsewhere to restore a compromised
system. This practice is again completely
dependent on your efforts in following
good security habits and information
security hygiene."
As the possible vectors or attacks are
constantly evolving, we will be always part
of this game of chess where one needs to
think several moves forward, he continues.
"There will be always a new vector of
attack or system vulnerability and then the
reactive countermeasure to negate it.
But good security habits, and your
organisations discipline in following them,
on a daily basis, combined with overall
contingency plans., will help mitigate loss
to your business, if the worst were to
happen."
MIT
Having a data backup in place is now
a critical component to any IT/security
strategy. "Threats to data come in many
forms, as the OVH datacentre fire earlier
this year highlighted," says Jon Fielding,
managing director, EMEA Apricorn. "It was
not simply a case of needing to have a
solid backup in place, but it stressed the
importance of where, and how, data
backups are stored. Unfortunately for
OVH, its customer data was backed up in
the same location, resulting in both sets of
data being destroyed, with no means for
recovery or business continuity."
When disaster strikes, every minute
counts. "Data loss, particularly on this
scale, with large data sets at risk, could be
costing your business resources, money
and customers, so by implementing
a recovery plan, businesses can get back
up and running as soon as possible. We
work in a 'real-time' culture and, in the
case of data loss, users expect it to be
restored at once and can't afford to wait
weeks, days or even hours. By having
backup recovery processes in place,
businesses can ensure mission-critical
applications are functional and data is
recovered quickly."
That said, physical disasters are only
the tip of the iceberg. Cyber-attacks are
wreaking havoc for businesses everywhere
and ransomware demands are making
headlines on an almost daily basis.
Not to mention the ongoing stream of
vulnerabilities, malware and viruses we've
come to expect. "A regular and reliable
backup process will protect businesses
from unexpected data loss from all
potential sources," adds Fielding. "One
of the easiest ways to create backups of
business data is to simply store copies of
important files on hard drives, or other
storage devices connected to your systems
or network. Having an offline & off-site
copy, in addition to on-premise and cloud
storage options, is crucial. These storage
devices should be encrypted, ideally in
hardware, to ensure data privacy
compliance."
An offline backup is particularly
important as a defence against
ransomware when data can't be
reinstalled. Copying files to hard drives,
USB flash drives, external drives or other
devices is an effective way of ensuring
backups are available locally when you
need them and businesses can restore
from a clean, protected data set, he says.
"On top of this, businesses are facing
increased threat from the rise in remote
working, which has intensified the need
for backups as data continues to move
beyond the corporate boundaries. By
providing employees with removable USBs
and hard drives that automatically encrypt
all data written to them, companies can
deliver the capability to securely store
data offline. When correctly implemented,
hardware encryption offers much greater
security than software encryption and PIN
pad authenticated hardware encrypted
USB storage devices enable employees to
move sensitive and often regulated data
of the corporate network. These devices
can also be used to backup data locally,
mitigating the risk of targeting in the
cloud."
In line with this, businesses should test
their backups regularly, he adds - verify
that the operating system, applications,
and data are intact and functional. "This
allows them to recover systems and files
more efficiently, should an incident occur."
AVOIDING WORKING LIFE PITFALLS
Backups are more common than you
think, says Sarah Doherty, product
marketing manager at iland, impinging on
just about every aspect of our daily lives.
"Every day, you most likely have a backup
in place, whether it be someone who
can cover for you to watch your puppy, if
something interrupts your schedule, or
even that spare tyre that is in your car in
case of a puncture. Backup and recovery
plans apply to just about everything that
you can think of in your daily life."
Focusing on the business end of things,
she turns to some of the top reasons why
you need to have a secure and reliable
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
21

ackup & recovery
Jon Fielding, Apricorn: we work in a 'realtime'
culture and, in the case of data loss,
users expect it to be restored at once.
Robert Allen, Kingston Technology Europe:
a most efficient layer of defence, in the face
of any cyber threat, is enforcing healthy
security habits and having the discipline to
follow them.
backup solution. "Everyone makes
mistakes. This happens more than we
would like to admit. Emails and documents
containing some type of virus are
accidentally opened all the time, while
critical documents are unintentionally
deleted.
"One way to combat these problems is
to continually back up your data and
therefore allow for the ability to restore
your data. Or, more importantly, recover
the file prior to it being deleted."
Audit and compliance requirements.
"Many, if not most, organisations are
required to keep records for extended
periods of time, depending on local or
industry requirements. There may come
a time when an audit forces your business
to look at something from a few years
ago. The big mistake here is that most
assume that data is available on a
computer when, in fact, it may not be.
"Relying on one copy of the data may be
a mistake that you just don't want to have
to deal with when it comes to an audit.
Creating offsite backups of critical data
can really save you time and money,
with fewer headaches for all involved.
Governing agencies won't really care if
you say that you had a data disaster.
It is critical for your business to remain
compliant."
Avoid any deadly downtime. According
to Doherty, studies show that 40-60%
of small businesses won't reopen after
data loss. "Of companies that suffer
catastrophic data loss, 43% never reopen
and 51% close within two years. Not every
data loss event is caused by a disaste; it is
also possible that human errors can cause
data catastrophes. The solution is to be
sure to have an effective backup and
disaster recovery plan in place that will
help mitigate these types of data threats.
Planning and preparing ahead of time
when it comes to data security and
availability can allow your business to
be the winner."
A step ahead of your competitors. "If your
organisation experiences a disaster, it will
be critical to get back online, and up and
running fast. It is a race to remain competitive,
while winning over other businesses.
A pre-planned backup strategy
means you can be that much more
prepared and win the business while
others struggle. You will survive the data
disaster, while others may not be so lucky."
If you don't have time to do it right,
when will you have time to do it… all over
again? "Doing it right the first time will
save time and money when it comes to
protecting your data," she points out. "If
you don't have backups, you may only be
able to recover some of your data and
you may never know what critical data is
really missing. Major data loss can mean
possibly recreating or re-doing everything
that has ever been done at your business
and very rarely do companies survive these
types of data losses."
The leading causes of data loss are
similar in just about every type of business.
"Most of us believe that once the data
is saved to a computer it's safe and can
always be accessed. The reality is that
backing up data is critical -because data
loss is unpredictable."
It might be just the right time to consider
migrating to a cloud service, she adds.
"Organisations that have chosen cloud
backup have moved away from capital
expenditures and simplified the process of
protecting vital information. Choosing an
industry leader for your business means
that data protection is looking after your
data and a global cloud platform that
delivers the much-needed automation
and orchestration to protect your critical
business workloads and secure your data."
22
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
SHOULD YOU PAY THE RANSOM?
WHEN THREATENED WITH A RANSOM DEMAND, SHOULD YOU SIMPLY SUBMIT? THERE IS NO SIMPLE ANSWER
TO THE QUESTION, AS STEVEN USHER, SENIOR SECURITY ANALYST, BROOKCOURT SOLUTIONS, EXPLAINS
Every incident has a different impact,
circumstance and various nuances
that cannot be accounted for in a
general answer to the question: should
you pay the ransom? We would all like to
think that no one should ever pay the
ransom, but that simply is not the case in
the real world.
Home users have a complicated
situation, in that they do not have the
access to IT skills, tools and teams that a
business does. In addition to this, there is
a sentimental and home business point of
view that involves personal items, such as
photos, texts, videos or even data linked
to a home business that hold sentimental
value to people, putting them at risk of
having more to lose.
WHEN PAYING SEEMS WORTH THE
RISK
For this reason, these smaller ransoms can
easily be worth the risk for some in
paying, with the hope that their data can
be returned. These personal attacks also
do not carry the responsibility of having
to report the incident. There is also the
psychological aspect of shame linked to
these incidents that makes them less likely
to be shared, if one pays the ransom and
it fails.
Businesses, however, have numerous
other concerns when it comes to this
question: should we pay the ransom or
not? Businesses have to consider factors
such as public perception, which could
result in a loss of business, incidents not
only having to be reported in an official
capacity, but formal public
announcements have to be carried out
when personal data is involved. Then
there are factors for some businesses
whose daily responsibilities could include
vital services - and paying the ransom
may be the quickest and easiest cure to
restoring systems.
WHAT CAN YOU DO? PRACTISE,
EDUCATE, PRACTISE, PREPARE
Practise your response to a ransomware
incident by war gaming or tabletop
gaming an incident and testing the
response of the IT teams who would be
involved. This will allow for the issues,
choke points and confusion to be
addressed before a real-world incident
occurs.
Educate all your users to a level and in a
manner that is equivalent to their
technical knowledge in potential ingress
points for ransomware and what to do, if
a ransomware infection is suspected.
REGULAR TESTING ESSENTIAL
While many companies have backup
processes in place, the restoration of
those backups is rarely comprehensively
tested and numerous issues have been
found when the restoration is not
regularly tested. This will, once again,
allow any issues and confusion for choke
points to be identified.
PREPARE FOR A RANSOMWARE
INCIDENT
While this could be linked to practising
your response - and, in some ways, it is -
preparing for an incident in this sense
means having email templates for internal
and, if needed, external users prepared,
ensuring that, if a public statement is
needed, that it is prepared, together with
any potential formal responses required.
Steven Usher, Senior Security Analyst,
Brookcourt Solutions
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
23

masterclass
RANSOMWARE - HOW CAN CHANGES
IN REGULATION HELP AGAINST THIS
EVER-EVOLVING THREAT?
THE UPCOMING OPERATIONAL RESILIENCE REGULATIONS WILL BE
TAXING. BUT “LOOK ON THEIR INTRODUCTION AS AN OPPORTUNITY”,
SAYS JAMES DRAKE, SENIOR DIRECTOR AT XCINA CONSULTING LIMITED
James Drake, Senior Director,
Xcina Consulting Limited.
Ransomware has been on the threat
radar for many years now and is not
new to many businesses or industry
sectors, yet we are all still feeling the effects
and the approach to dealing with this threat
is varied.
Some organisations will invest in new
technologies and tools to assist in its recovery
from an attack, whereas some will prefer to
simply pay the ransom.
While we are trying to defend ourselves
against the constant threat of ransomware,
organisations are often challenged with an
ever-evolving legal and regulatory landscape.
We all experienced this with the introduction
of GDPR and there is not a day that goes by
that I do not speak to a client regarding their
challenges relating to this, even years after its
introduction.
SO, WHAT CAN WE DO NOW?
It is widely recognised that good basic security
hygiene measures will reduce the impact or
likelihood of a ransomware attack significantly
- eg, maintaining regular patching of critical
systems or ensuring that systems and data
recovery processes are in place.
If your business is in the financial sector,
you may already be aware of the FCA rules
coming into effect on 31/03/2022 regarding
Operational Resilience. This will certainly
be a challenge, but I always look at the
introduction of new rules and regulations as
an opportunity. When trying to decide where
to invest limited funds and resources into new
security controls, the introduction of new
mandatory rules is one of the best drivers for
prioritisation of those resources or potentially
securing more.
WHAT ARE THE NEW RULES AND HOW
DO THEY HELP WITH RANSOMWARE?
The FCA describes 'Operational Resilience' as
follows: "Operational resilience is the ability
of firms, financial market infrastructures and
the financial sector as a whole to prevent,
adapt and respond to, recover and learn
from operational disruption."
The reason this is so important, in terms of
ransomware, is that the principles of the
controls to be in place are commensurate with
the controls to significantly reduce the impact
or likelihood of a ransomware attack even
further.
The principles are as follows:
Identify your important business services -
equally as important when designing
controls to defeat ransomware
Set impact tolerances - Business Impact
Assessment
Carry out mapping and testing to a level of
sophistication necessary to classify critical
business services and identify vulnerabilities
in its operational resilience
Conduct 'lessons learnt' exercises to identify,
prioritise and invest in your ability to
respond and recover from disruptions as
effectively as possible
Develop internal and external
communications plans for when important
business services are disrupted
Maintain a self-assessment document,
detailing the firm's Operational Resilience
journey.
Whether your business is in the financial
sector or not, the employment of the new FCA
rules regarding Operational Resilience would
significantly reduce the impact or likelihood of
a ransomware attack affecting your business.
You can find out more about how Xcina
Consulting helps clients to address risk
management challenges by clicking here.
24
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

emote working
MASSIVE FLAWS IN HOME WORKING
NEW WORLD OF WORK HAS OPENED UP ORGANISATIONS TO NEW AND UNMANAGED CYBER RISK
David-Cummins
(right), Tenable: as
more businesses
establish remote
and/or flexible hybrid
working policies, the
corporate attack
surface has exploded.
Some 72% of UK organisations attribute
recent business-impacting* cyberattacks
to vulnerabilities in technology that
were put in place during the pandemic, while
more than two-thirds (68%) suffered attacks
that targeted remote workers.
The data is drawn from 'Beyond Boundaries:
The Future of Cybersecurity in the New World
of Work,' a commissioned study of more than
1,300 security leaders, business executives
and remote employees, including 168
respondents in the UK, conducted by
Forrester Consulting on behalf of Tenable.
Over a year after work-from-home
mandates went into effect, many
organisations are planning their long-term
hybrid and remote work models. In fact,
70% of UK organisations now support
remote employees, compared to 31%
prior to the pandemic, while 86% plan to
permanently adopt a remote working policy
or have already done so. But embracing this
new world of work has opened organisations
to new and unmanaged cyber risk.
Enabling a workforce without boundaries:
Only 48% of UK organisations are adequately
prepared to support hybrid working models
from a security standpoint. The result is that
78% of security and business leaders believe
their organisation is more exposed to risk as
a result of remote working.
Cloud adoption accelerated for critical
systems: As part of changes made in
response to the pandemic, 46% of
organisations moved business-critical
functions to the cloud, including accounting
and finance (42%) and human resources
(33%). When asked if this exposed the
organisation to increased cyber risk,
80% of security leaders believed it did
Attackers are taking advantage: 90% of
organisations experienced a businessimpacting
cyberattack* in the last 12 months,
with 51% falling victim to three or more.
Hybrid work models and a digital-first
economy have brought cybersecurity front
and centre as a critical investment that can
make or break short- and long-term business
strategies. To address this demand, 75% of
UK security leaders plan to increase their
network security investments over the next
12 to 24 months; 73% will increase spend
on cloud security; 66% plan to spend more
on vulnerability management.
"At the outset of the pandemic, and
following the work from home mandate by
the UK government, many employers had
no choice but to enable remote employees,"
says David Cummins, vice president of EMEA,
Tenable. "Today, and as more businesses
establish remote and/or flexible hybrid
working policies, the corporate attack surface
has exploded. Many of the remote work and
cloud tools that were pressed into service,
sometimes without security controls and, in
some cases, the tools themselves are nascent
and their security controls are immature,
leaving businesses vulnerable to cyberattacks."
With consequences such as loss of
customers, employees, confidential data,
operational disruptions and ransomware payouts,
businesses must look to prioritise cyber
security. "A joint advisory issued earlier this
year by the National Cyber Security Centre
(NCSC), the Cybersecurity and Infrastructure
Security Agency (CISA) and Australian
Cybersecurity Centre (ACSC) confirmed that,
rather than creative threat vectors, bad actors
will typically target known vulnerabilities to
compromise unpatched systems and breach
an organisation's defences," he states.
"This means basic cyber hygiene practices
can eradicate the majority of threats."
*'Business-impacting' relates to a cyberattack or
compromise that results in one or more of the following
outcomes: a loss of customer, employee, or other
confidential data; interruption of day-to-day operations;
ransomware payout; financial loss or theft; and/or theft
of intellectual property.
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
25

MFA in the spotlight
AUTHENTICATION VS INSURANCE
ARE YOU BEING FORCED INTO THE MULTI-FACTOR AUTHENTICATION MARKET? NICK EVANS, PARTNER
ENABLEMENT MANAGER (US & NORDIC REGIONS), SECURENVOY, EXAMINES WHY THIS IS HAPPENING
Nick Evans, SecurEnvoy: demanding that
MFA is in place will become the norm.
Atrend that we are seeing in the
marketplace is businesses being
forced to investigate MFA (Multi-
Factor Authentication) by Cyber Insurance
providers. But why? Cyber-Insurance
vendors understand that large and
enterprise-sized companies are no longer
the only target for cybercriminals: the
reality is that EVERYONE is a target.
Everyone's at risk and it's no longer a case
of IF, but WHEN, regarding cyberattacks.
Insurance vendors don't want to leave
themselves open to constant pay-outs to
their policy holders, so demanding that
MFA is in place will become the norm.
WHAT IS MFA?
'Authentication' in technology is the act of
verifying that a user is who they say they
are. Typically, this is a Username/Password
scenario.
The problem with passwords is that
they can be cracked easily. And once
they’ve been cracked, they're distributed
throughout the cybercriminal network.
WHAT ARE MFA FACTORS?
Factor 1 - Something you know
(a Password/Pin/Security Question)
Factor 2 - Something you have (Hardware
Token/One-time authentication code/SMS)
Factor 3 - Something you are (Biometrics -
Fingerprint/Retina/Voice/Face)
Factor 4 - Somewhere you are - a known
location (Home/Office).
WHAT CONTROLS NEED
TO BE PUT IN PLACE?
Most carriers now require these MFA
controls to be in place:
MFA for remote networks - A massive
increase in remote-working due to
Covid-19. (MFA for remote networks
reduces the potential for a network
security breach caused by comprom -
ised password)
MFA for admin access - This area is
of massive importance; your business
solution admins hold the keys to your
business! (MFA for admin access
limits an attacker's ability access
a compromised network)
MFA for remote email access - So
much detail in the data that is
bouncing around in your emails.
PRESSURE TO EMBRACE MFA
Why are insurance carriers demanding that
we have MFA, rather than recommending?
Here’s what Microsoft say on this:
“By providing an extra barrier and layer of
security that makes it incredibly difficult
for attackers to get past, MFA can block
over 99.9 percent of account compromise
attacks. Knowing or cracking the password
won't be enough to gain access."
Passwords cannot be your only form
of defence, and hackers can crack your
password and immediately gain access
to all services available to you, within
seconds/minutes. MFA provides a massive
obstacle that needs to be put in place, so
those criminals can't just walk into your
house and take what they want - ie, your
data!
Microsoft and Google suggest that
MFA can block over 99% of account
compromise attacks
The Cyber insurance market is expected
to grow by 21% in 2021 making it
a $9.5 billion industry
31% of cyberattacks are aimed at
businesses with under 250 staff
Microsoft registers over 300 million
fraudulent sign-in attempts, daily
60% of your customers will think about
leaving you, should a cyber breach ever
occur and become public knowledge.
30% will walk away.
Is the loss of 30% of your business more
or less than an adequate cyber resilience
budget? And what about reputational
damage as well? The loss of 30% of
business is one thing, but what about
the loss of future new business?
26
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

product review
ZIVVER SECURE EMAIL
Email is responsible for the majority
of data breaches - and leaks with
human error are cited regularly as
the main cause. The reasons are manifold
and range from misaddressed emails to
using CC, instead of BCC; and, if the
message contains confidential information,
companies could be violating
GDPR compliance and facing hefty fines.
This is where Zivver steps in, as its
Secure Email is a deceptively simple
solution that combines machine learning,
AI and end-to-end encryption to protect
outbound email throughout the entire
creation and delivery processes. A key
feature of Zivver is extreme ease of use,
as it slips seamlessly into existing working
practices with minimal disruption and
integrates neatly with Outlook, OWA
and Gmail, so users only require basic
training.
Fundamental to Zivver is its business
rules, as these are applied in real-time to
every message during creation and prior
to sending. Examples include options to
enforce 2FA when sensitive information
in the subject, body or attachment is
detected, BCC checks and non-recent
sharing of confidential information.
Zivver detects NHS and credit card
numbers in emails and uses checksum
algorithms to confirm they are genuine
numbers. Rules have three actions where
they highlight possible rule breaches,
warn users that they should rectify the
breach or block them, if they don't.
Deployment is, indeed, a simple process
and starts by providing organisation and
email domain details in your Zivver cloud
portal account. Customisation features
are extensive, and include portal branding
and creating personalised notification
messages for recipients.
Setting up Zivver users is simple, as
you can add them manually where
they receive an invitation to create a
personal account and set up 2FA.
Larger organisations can employ Zivver's
SyncTool to synchronise Active Directory
and Exchange accounts.
Our test users were running Outlook
and just needed to download the Zivver
Office plug-in. This added a new option
to the Outlook menu ribbon where they
could log in to their account and, if
permitted, access its message control
settings.
Procedures for creating new Outlook
emails are exactly the same, but Zivver
adds an upper toolbar to the message
highlighting actions required by the user.
Each new recipient must be verified and
methods include sending them an email,
providing a one-time access code,
applying an organisational code and
sending an SMS to a valid mobile number.
If sensitive information is detected,
the toolbar highlights this and reacts
dynamically to changes made to any part
of the message. Attachments are scanned
when added and a standout feature is
that Zivver supports file sizes up to 5TB.
To open secure emails, recipients simply
click the message body link and they are
transported to the Zivver portal where
they enter their verification details. They
don't require a Zivver account, and can
receive secure emails and reply to them,
irrespective of their location or email
client.
We all know how ineffective standard
email recall processes are, but Zivver
users can confidently recall messages
sent in error. Furthermore, if they haven't
been accessed by any recipients prior
to withdrawal, Zivver guarantees that
potential data leaks have been contained
and won't need reporting.
Along with extensive auditing features
in the admin portal, users can view
all emails from their client, see which
recipients opened them and who
downloaded attachments. They can also
log in in to their personal Zivver portal
account and view them from there as
well.
Zivver Secure Email is a simple solution
to a major problem that plagues businesses
of all sizes. It's incredibly easy to
deploy, requires no changes in working
practices and ensures that confidential
information sent by email is totally secure.
Product: Secure Email
Supplier: Zivver
Web site: www.zivver.com
Tel: +44 (0)20 3285 6300
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
27

ansomware
TO PAY OR NOT TO PAY?
PAYING RANSOMWARE IS A TOPIC THAT GREATLY DIVIDES
OPINION. COLD LOGIC MIGHT DICTATE THAT ANY DEMAND IS
TURNED DOWN. BUT WHAT IF IT'S A MATTER OF LIFE OR
DEATH?
Some say 'yes', others say 'no' - should
you pay the ransom? Law enforcement
does not encourage, endorse, nor
condone the payment of ransom demands.
Why? Because they say that, if you do pay
the ransom:
There is no guarantee you will get access
to your data or computer
Your computer will still be infected
You will be paying criminal groups
You're more likely to be targeted in the
future.
How true is this? Doesn't paying up and
having your data access reinstated give the
hackers a better image? Or are there so many
'pickings' put there, they don't really care one
way or the other?
Then there are all the other issues around
what has become a massive enterprise in
itself. Since there's no way to completely
protect your organisation against malware
infection, what should you do to keep
ransomware at bay? Is a 'defence-in-depth'
approach the right one, using layers of
protection, with several mitigations at each
layer? You'll have more opportunities to
detect malware by adopting that approach
and then stop it before it causes real harm
to your organisation. That said, should you
assume anyway that some malware will
infiltrate your organisation, at some point,
whatever strategies you put in place? For
every possible plus point there appears to be
a minus, so what is the best way to limit the
impact a ransomware attack would cause
and speed up your response?
IN THE TEETH OF A GALE
Brooks Wallace, VP EMEA at Deep Instinct,
says that the argument as to whether or
not an organisation should pay a ransom is
"causing quite a dilemma" in the corporate
boardroom. "While it may be easy to say that
an organisation shouldn't pay ransom, there
are many factors to consider. Imagine you are
the family of someone in the intensive care
unit of a hospital taken offline by
ransomware attack. Think of critical
infrastructure providers or banks. At that
significant point in time, when hours count,
you don't care about principles or policies.
You just want the situation to be fixed."
There appears to be increasing discussions
among board members about what to do in
the case of a ransomware attack, how to
overcome it should one occur and whether
their insurance policies will help. "Trying to
make decisions during an attack itself only
adds to the pressure and could worsen the
crisis, so it is best to make these decisions
beforehand and plan in case of an attack.
This should include the decision of whether
to pay for the attack or not."
Condemning those organisations that are
unfortunate enough to have been hit be a
ransomware attack doesn't help anyone or
change behaviours, he adds. "Having best
practice guidelines and the rationale behind
28
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
these would be more valuable. There should
be a strong encouragement not to pay
ransoms, but, in parallel, investment needs to
be made in stopping the attack in the first
place. Prevention is far better than cure."
PREVENTION FIRST APPROACH
Any intelligence that can be gathered post
breach helps understanding for the future.
"But what's even better is a 'prevention first'
approach that features a multi-layered
defence system, with more than one swing at
the ball to stop an attack. We need to spend
more time on stopping these attacks preexecution
before the damage is done. Many
technologies need an attack to execute and
run before they are picked up and checked to
see if they are malicious, sometimes taking as
long as 60 seconds or more. When dealing
with an unknown threat, 60 seconds is too
long to wait for an analysis."
In order to ensure business continuity,
organisations need to invest in solutions that
use technology such as deep learning, "which
can deliver a sub-20 millisecond response
time in stopping a ransomware attack, preexecution,
before it can take hold, actually
predicting the ransomware attack and
therefore protecting the organisation,"
Wallace states. "Using this type of technology
means organisations no longer need to worry
about whether or not to pay a ransom, as
there is a solution that prevents the attack
altogether.
"Furthermore, investing in a solution that
offers a 'ransomware warranty', whereby the
organisation receives a certain amount if they
experience a ransomware attack, using that
provider's technology is beneficial. Warranties
ensure an extra level of protection, should a
ransomware attack occur, and allow for some
alleviation, in terms of how much it will cost
the organisation to recover after the attack."
BACKED INTO A CORNER
Callum Roxan, head of Threat Intelligence
at F-Secure, accepts that the payment of
ransoms to cyber criminals is not a "socially
optimum outcome, but in the moment,
faced with the loss of income, data and
reputation, many organisations will feel
backed into a corner where they will 'have to'
pay. "Ever-evolving extortion models and
technological advances ensure organisations
need to continually invest to keep up to
speed with the latest threats posed by the
sprawling ransomware ecosystem. In purely
financial terms, the judgment is often made
that accepting the risk of ransomware is
more palatable than investing heavily into
cybersecurity to mitigate the risk."
The continued payment of ransom demands
funds additional advancements, continued
operation and acts as an incentive to
attract new actors to conduct ransomware
attacks. "Breaking this cycle is something
governments and the cyber security industry
need to fix, shifting the balance of incentives
to not paying ransoms and making securing
your organisation against these threats less
costly and more effective."
WHERE DID IT ALL GO WRONG?
All too often, organisations put too much
focus on the detection and response of a
ransomware attack, instead of looking at the
steps that has allowed an attacker to get to
the point of demanding ransom, argues Mike
Fleck, VP marketing at Cyren. "The ransom of
an attack is so far along the attack chain
that, by the time the 'ransomware' attack has
already been deployed, it's too little, too late."
He divides ransomware attacks into two
categories: a 'drive-by attack', which tricks
users into installing malware onto their
devices, whether that be a PC at home or
a healthcare kiosk in an emergency room.
While these attacks directly affect those users,
they are random as to whom they affect. "The
more serious attacks are the ones that target
a specific organisation. The attackers look
for the most impactful way to infect an
organisation through the vulnerabilities they
find and then launch a ransomware attack.
In order to get to that point, the attackers
would have had to identify the organisation,
find the vulnerabilities within that organisation,
launch the malware and then deploy
the ransomware attack."
Often the cause of a ransomware attack
and the attacker's access point into an
organisation, adds Fleck, is through a
phishing email where an unsuspecting user
has clicked on a link, which then deploys a
backdoor on the device, allowing the attacker
to gain access into the organisation's network
and find its vulnerabilities. "Organisations
need to look at the precursors to ransomware
attacks and the steps that get the attacker to
where they need to be before they launch the
malware itself."
Phishing attacks will always enter your
network and breach your organisation, he
points out. "Therefore, the focus needs to
be on the antecedents to the attack and
understanding what they are, in order for the
organisation to deal with the attack better.
Only then will organisations be able to
remediate properly, rather than focus on
detection of, and response to, the final step
in the attacker's plan. At present, email
security is overly focused on prevention,
which demonstrates diminishing returns for
each new layer of detection. By adding a realtime
detection and automated remediation
capability to identify and eliminate phishing
threats rapidly, we can minimise the impact
of when a phishing email makes it through
our defences."?
At Bitdefender, while the company expects
to see ransomware operators continuing to
offer new and more dangerous versions of
ransomware, the company's director of
Threat Research and Reporting, Bogdan
Botezatu, states that it will maintain its
commitment to helping users regain control
of their digital lives and denying profits to
attackers. "Collaboration between major
cyber-security solution providers and law
enforcement agencies allows us to combat
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
29

ansomware
Bogdan Botezatu, Bitdefender: collaboration
between major cyber-security solution
providers and law enforcement agencies
allows us to combat the devastating effects
of ransomware.
Brooks Wallace, Deep Instinct: the argument
about whether or not an organisation
should pay a ransom is causing quite
a dilemma in the corporate boardroom.
the devastating effects of ransomware and
help victims whose data would otherwise
either be lost forever or generate large
amounts of money for the cyber-crime
underground."
INCREASING DEVASTATION
Computing Security also wanted to get some
'historical' perspective on ransomware, such
as instances of who has paid up, where
attacks have been state-sponsored and the
emergence of ransomware-as-a-service.
Well versed in such matters is LogPoint CTO
Christian Have and he provided a detailed
inside view on all those issues.
"Ransomware attacks are becoming
increasingly devastating to companies. Not
only do they inflict massive disruptions to
operations, but criminals are also asking for
ever-larger ransoms to unlock the encrypted
files and machines hit by the attacks.
Throughout the last months, state-sponsored
ransomware attacks inflicting damage on
critical infrastructure have dominated the
headlines. JBS recently paid 11 million dollars
following an attack that shut down all the
companies' US beef plants. Just before that,
an attack paralysed Ireland's health services
for weeks in the middle of a pandemic. The
attack happened in the wake of the Colonial
Pipeline attack that caused fear of gas
shortages.
"CNA Financial, one of the largest insurance
companies in the US, reportedly paid 40
million dollars to get access to its files and
to restore its operations, making it the
largest reported ransom paid to date. In
comparison, 40 million dollars is more than
most companies spend on their cybersecurity
budget - it is even more than what many
companies spend on their entire IT budget.
"Due to the surges in state-sponsored
ransomware attacks in the US and Europe,
many government institutions, including
the White House, have urged companies to
bolster their defences to help stop the
ransomware groups. The G7 group has
called on Russia, in particular, to identify,
disrupt and hold to account those within its
borders who conduct ransomware attacks
and other cybercrimes. One of the few
outcomes of the Biden-Putin summit is
an agreement to consult on cybersecurity.
However, the agreement is ambiguous
without any specific actions."
A RANSOM PAYOUT ISN'T
ALWAYS THE END GOAL
"Stopping ransomware groups is no small
task. The scale of the economy behind these
groups is significant. Many active groups
have corporate structures, with roles and
responsibilities that mirror regular software
development organisations," Have points out.
"These criminal organisations are well funded
and highly motivated to develop their attacks
- but their revenue streams do not begin or
end with victims paying up a ransom.
There is an entire ransomware ecosystem,
capitalising on successfully executing attacks."
This includes:
Groups selling access to platforms that
deliver end-to-end ransomware-as-aservice
for other groups to use.
Brokers that deliver teams of highly
specialised developers that can build
and deploy malware. Think of this as
malware recruiting.
Certain groups only gain access to
corporate networks. They will not actively
disrupt the operations or demand
ransom; instead, they sell access to
victims for other groups to capitalise on.
The increasing sophistication of
ransomware groups has led many
organisations to implement a multitude
of tools to help detect and prevent
attacks. But what really works?
BASIC SECURITY ESSENTIAL
TO PREVENT ATTACKS
For the last 15 years, CISOs, security
operations teams and security vendors have
put a significant focus on complex attacks
30
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
and staying on top of the cutting edge of
what adversaries can do, he continues. "For
example, the malicious computer worm
Stuxnet launches extremely advanced
campaigns. The result is that a lot of
organisations have a relatively extensive
portfolio of advanced technologies. These
technologies are expensive, complex to use
and even more complex to integrate with
each other and the surrounding security
ecosystem.
"The Colonial Pipeline breach happened
because a remote access platform
failed to enforce or require multi-factor
authentication. Combined with a shared
password used among several users,
attackers found a way into the infrastructure.
Advanced detection tools are not meant to
detect such basic mistakes.
"Failing to cover the basics - patching,
secure configurations or following best
practices - is a pattern repeating itself in
many of the recent attacks. It is not without
reason that every authority on cybersecurity
has patching and baselining configurations
as some of the first recommendations for
companies to strengthen their cybersecurity
efforts."
So why are companies not just patching
everything, implementing the Zero
Trust model and forcing multi-factor
authentication everywhere? Especially when
the most considerable material risk to the
operations and existence of the organisation
is a ransomware attack? "IT operations is
hard," he responds. "The security operations
team, IT operations team and enterprise
risk management team often have siloed
thinking, with different objectives and
incentives. Aligning activities and goals
across various departments is, without
a doubt, part of the problem.
"One of the things we hear from our
customers is that they need a unified
overview of the technical risk aspects.
Implementing a unified solution such as
ZeroTrust orchestration or XDR is complex
and, in many cases, expensive. Some of our
customers are turning to fewer vendors and
relying on open standards - for example,
MITRE for a taxonomy of attacks, MISP
to share threat observations and YARA to
identify malware indicators to offload
some of the headaches of aligning different
departments' ways of working."
THE WAY FORWARD
When critical infrastructure is under attack
through large and small companies, it is
obvious that more technology will not solve
the issue alone, Have insists. "Outsourcing IT
operations or security operations alone is not
solving the problem either. With that in
mind, I see three paths forward."
Law enforcement agencies must cooperate
across borders to target ransomware groups,
track payments and ultimately change the
operational risk for these groups, so that it is
more expensive to do illicit business.
Breaking down silos within organisations,
getting the cybersecurity, IT operations and
risk management teams to speak the same
language and align expectations. Who owns
the backup - IT? Who is responsible for the
disaster recovery - Security? Who owns the
business continuity planning - Enterprise risk
management?
More laws and regulations on the matter.
GDPR has done a lot to bring focus and
awareness about reporting breaches to
infrastructure. "But more is needed," Have
insists. "GPDR works for personal data, but
disruptions to critical infrastructure following
a ransomware attack are not necessarily
under the umbrella of GDPR and, as such,
can go under the radar. With more sharing,
increased focus and potentially fines levied
against organisations that fail to prevent
or protect their infrastructure adequately,
boardrooms will begin to take the threat
seriously."
Callum Roxan, FSecure: ever-evolving
extortion models and technological
advances ensure organisations need to
continually invest to keep up to speed
with the latest threats.
Christian Have, LogPoint: many active groups
have corporate structures, with roles and
responsibilities that mirror regular software
development organisations.
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
31

threat intelligence
KNOWING YOUR ENEMY
CYBER THREAT INTELLIGENCE DOESN'T COME EASY OR CHEAP. HOWEVER,
A CONTINUOUSLY EVOLVING THREAT LANDSCAPE IS MAKING IT A VITAL RESOURCE
Paul Prudhomme, Insights, a Rapid 7
company: good cyber threat intelligence
companies create reports on the
ransomware gangs that organisations
should watch out for.
According to Paul Prudhomme,
head of Cyber Threat Intelligence
Advisory at Insights, a Rapid 7
company, the goals of cyber threat
intelligence are to provide network
defenders with the specific information
they need, in order to improve their
defences against the continuously evolving
threat landscape and ultimately to prevent
those threats from compromising
organisations in the first place.
"Cyber threat intelligence programs
should aim to inform stakeholders about
potential attacks before they happen,
not after they happen. Many security
leaders learn about significant threats
and incidents, such as the May 2021
ransomware attack on the Colonial
Pipeline by Darkside ransomware
operators, from mainstream news media
coverage. If they had robust cyber threat
intelligence programs, however, they
would have already been familiar with the
Darkside ransomware affiliate program
well before the Colonial incident."
Darkside had already made a name for
itself in underground criminal circles and
should have shown up in any cyber
threat intelligence coverage of dark web
communities before the Colonial incident,
he points out. "Good cyber threat
intelligence companies create reports on
the ransomware gangs that organisations
should watch out for. If Colonial had been
receiving those reports, perhaps it could
have taken steps to improve its defences
against Darkside attacks and reduced the
attackers' likelihood of success."
In a multi-layered network defence
strategy, cyber threat intelligence is the
outermost layer, adds Prudhomme. "It
enables organisations to adjust their
defences in advance of a potential attack.
If cyber threat intelligence fails, and the
targeted organisation is unaware of, and
32
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

threat intelligence
has not prepared for the threat, it must
fall back on its inner layers of network
defence and hope that they were already
robust enough to prevent the intrusion."
INVISIBLE FORCES
There are certain types of threats that are
nonetheless advanced enough to evade
many, most or all of an organisation's
multiple layers of defence, including cyber
threat intelligence, he adds. "Advanced
threat actors, which usually [but not
always and not necessarily] come
from state-sponsored groups, invest
considerably more time, effort and other
resources in their attempts to avoid
detection by security researchers and
security solutions. The state-sponsored
groups that are the source of most
advanced threats are also more relentless
in their pursuit of targets, as the
intelligence requirements of their
government stakeholders give them less
flexibility in their targeting than their
criminal counterparts."
The greater challenges of detecting
advanced threats that go to greater
lengths to evade detection have given rise
to the variety of security solutions known
as advanced threat protection (ATP),
Prudhomme continues - see page 24.
"Simpler and more conventional
detection methods, such as indicators of
compromise (IoC), are often inadequate
for detecting threats in this category. For
example, advanced threat actors may alter
their malware payloads more frequently,
in order to avoid IoC-based detection of
their file hashes. They may even monitor
security research publications to see if and
when security researchers have identified
their infrastructure as malicious and make
changes accordingly. Heuristics, machine
learning and artificial intelligence are
among the many ways that security
solutions can overcome these
countermeasures."
LIMITED RESOURCES
Todd Carroll, CybelAngel CISO, says threat
intelligence is massively important for
organisations, since even large companies
have limitations on resources, so efforts
must be put into projects that will pay off
and keep them safer.
"Cybercriminals are calculated. They have
preferences on who they target - hospitals
generally pay out more often, but EUbased
targets tend to have more to offer.
Threat actors also have a pattern of
preparation for attacks, including buying
batches of credentials, using Shodan
to locate assets and hiring penetration
testers to see what access can be granted.
Next, they have a pattern of attack,
which includes accessing an RDP
(Remote Desktop Protocol), then
upgrading permissions with the chosen
CVE (Common Vulnerability Exposure) and
using a particular type of malware on
IP addresses to gain a foothold over
command and control servers. Finally,
they have a pattern of extortion: single
extortion, double extortion, potentially
data exfiltration and making decisions on
giving up decryption keys upon payment."
How do you choose to interrupt that
modus operandi and where will the
lightest touch have the biggest effect?
"Cyber Threat Intelligence is the answer,"
he states. "It informs a company that,
by updating their servers with a particular
patch, the crucial CVE is mitigated.
Maybe you block some IP addresses,
so that command and control servers
can't communicate with the malware/
ransomware program. Perhaps this cyber
threat is not interested in attacking your
company."
How analysts go about this is through
cyber forensics and dark web monitoring.
"The forensics gives us the hard data: it
was this CVE, on that server type, port
number #### was used and this
person's password was compromised.
Dark web monitoring is useful, since many
criminals like to brag. Dark Web forums
have advertisements to recruit pen testers,
people with access and passwords for
sale: 'Join our ransomware gang!' 'Fair
pay!' 'Easy work!' 'All the steps are in this
playbook!' 'Helplines are available!'
Similar to solving a mystery, threat
intelligence combines the physical
evidence with motive to other companies
to see if they are at risk, too. "If yes, here
are tactical options, update that, block
this, monitor those. Then there are
strategic options - make RDPs harder to
spin up, automate security settings for
new databases and institute multifactor
authentication."
MALWARE LOGS FOR SALE
Since the start of this year, Accenture
Cyber Threat Intelligence has, according to
its '2021 Cyber Threat Intelligence Report',
observed a slight, but noticeable, increase
in threat actors selling malware logs,
which constitute data derived from
information stealer malware.
Information stealers can collect and log
a wide range of sensitive system, user
and business information. "A threat actor
can use malware logs to masquerade
as a legitimate network user and avoid
detection, gaining initial access to a victim
system by using valid credentials. Threat
actors often use malware logs to access
an organisation's Web resources and
attempt to access privileged administrator
accounts on an organisation's webservers."
In some cases, they may try to access
computers on a victim's network via
services like RDP or SSH. A common
alternative action is for threat actors
to sell malware logs directly to hackers
or in bulk to 'malware log' Dark Web
marketplaces, such as Genesis Market or
Russian Market.
www.computingsecurity.co.uk @CSMagAndAwards October 2021 computing security
33

email spoofing
BEC ATTACKS - THE STING IN THE TALE
BUSINESS EMAIL COMPROMISE (BEC) ATTACKS ARE FUELLED BY PERPETRATORS WHO RELY ON SOCIAL
ENGINEERING TECHNIQUES AND IMPERSONATION - AND THEIR VICTIMS ARE PAYING A MASSIVE PRICE
Tim Callan, Sectigo: it is scarily easy to
manipulate and falsify business emails
in myriad ways.
Business Email Compromise (BEC)
attacks are a technique where
cybercriminals spoof emails to
impersonate someone recognised, such
as an employee's supervisor, executive or
vendor. This is so they can exploit trusted
relationships and trick employees into
wiring company funds, the sharing of
proprietary information or even granting
access to the system.
As Tim Callan, chief compliance officer,
Sectigo, points out, the FBI's 2020 Internet
Crime Report i revealed how BEC-related
losses increased from some $1.29 billion
in 2018 to $1.86 billion in 2020. "Phases
of setting up an attack include the initial
researching and identifying of targets, and
then setting up the attack by performing
activities, such as spoofing email
addresses," he points out.
"In the execution phase of a BEC attack, it
could take place in one email or an entire
thread, often using language of persuasion
and urgency to gain the victim's trust, also
including instructions to facilitate making
payments to fraudulent accounts. Once the
money has been acquired by the attacker,
it is quickly collected and disseminated to
reduce traceability and retrieval chances."
COMMONALITY OF BEC ATTACKS
"Virtually every single business relies
upon email as a fundamental form of
communication, especially in the era of
hybrid work, and ironically, it is scarily easy
to manipulate and falsify business emails
in myriad ways. Cyber-criminals are aware
of companies' reliance on them and are
perpetrating a variety of attacks to profit
from it," adds Callan.
The number of estimated business email
compromise (BEC) scam attempts that have
been perpetrated worldwide from 2017-
2020 ii has risen dramatically, from 9,708
to 17,607 attacks. Additionally, a total of
74% of organisations are not prepared for
phishing iii and malware attacks, with the
majority of these attacks being carried
out through BEC attacks specifically.
"Now it is even more concerning that
these cybercriminals are recruiting English
speakers iv for these forms of attack,
making them harder to spot and therefore
all the more effective. This will inevitably
see more of an increase of successful
campaigns, if businesses do not look at
ways to spot and prevent the attacks."
HOW TO BEST DEFEND AGAINST BEC?
As a social engineering scam, employees
should be informed how to spot fraudulent
emails, advises Callan. "Most businesses are
successfully targeted, due to most employees
lacking IT-specific technical skills and
knowledge. Speed is paramount during an
attack, meaning industries must rapidly train
their employees to spot and avoid the latest
attack vectors."
Implementing email certificates is a quick
and easy fix to decrease the chances of BEC
attacks, combined with ongoing employee
training, he points out. "An ideal solution
should also integrate with secure email
gateways, allowing the gateway to decrypt,
encrypt, so that it can continue to deliver on
its valuable function. It should provide the
recipient better delivery choices and use the
native mail client to decrypt the email
without leaving the application.
CERTIFIED WAY FORWARD
"The appropriate certificate type to secure
public email is called a Secure/Multipurpose
Internet Mail Extension (S/MIME) certificate.
These certificates offer a logical approach
for preventing business email compromise
attacks. With this," he states, "businesses will
be able to block malicious actors."
ihttps://www.ic3.gov/Media/PDF/AnnualReport/202
0_IC3Report.pdf
iihttps://www.statista.com/statistics/820912/numbe
r-of-attempts-of-bec-scams-ceo-fraud
iiihttps://www.techrepublic.com/article/companiesare-losing-the-war-against-phishing-as-attacksincrease-in-number-and-sophistication
ivhttps://www.zdnet.com/article/scam-artists-arerecruiting-english-speakers-for-business-emailcampaigns
34
computing security October 2021 @CSMagAndAwards www.computingsecurity.co.uk

Computing
Security
Secure systems, secure data, secure people, secure business
Product Review Service
VENDORS – HAS YOUR SOLUTION BEEN
REVIEWED BY COMPUTING SECURITY YET?
The Computing Security review service has been praised by vendors and
readers alike. Each solution is tested by an independent expert whose findings
are published in the magazine along with a photo or screenshot.
Hardware, software and services can all be reviewed.
Many vendors organise a review to coincide with a new launch. However,
please don’t feel that the service is reserved exclusively for new solutions.
A review can also be a good way of introducing an established solution to
a new audience. Are the readers of Computing Security as familiar with
your solution(s) as you would like them to be?
Contact Edward O’Connor on 01689 616000 or email
edward.oconnor@btc.co.uk to make it happen.