CS Jan Feb 2022


Computing Security

Secure systems, secure data, secure people, secure business

Celebrating 'Security Company of the Year' and 4 additional award wins across the Group

Computing Security January/February 2022


comment

The first ever Government Cyber Security Strategy was launched on 25 January, in a move to further protect the public services people rely on. As part of the initiative, a new Cyber Coordination Centre is being established, which will transform how data and cyber intelligence is shared, it is stated. The public will be able to contribute to this effort by reporting cyber incidents or weaknesses with digital services.

Why is this happening? Because, according to government sources, the UK is the third most targeted country in the world in cyberspace from hostile states. Indeed, Chancellor of the Duchy of Lancaster Steve Barclay, unveiling the strategy, warned that the cyber threat is clear and growing. "But government is acting - investing over £2billion in cyber, retiring legacy IT systems and stepping up our skills and coordination."

The message is that the new strategy defines how central government and the public sector will continue to ensure that public services can function in the face of growing cyber threats. "It will step up the country's cyber resilience by better sharing data, expertise and capabilities to allow government to 'Defend As One', meaning that government cyber defence is far greater than the sum of its parts," says government. It's a mighty challenge. Of the 777 incidents managed by the National Cyber Security Centre between September 2020 and August 2021, around 40% were aimed at the public sector.

This new action is very much a sign of the times - dealing with wave after wave of assaults from a seemingly infinite number of sources. As for how successful the Cyber Security Strategy will be, that is the unknown quantity. Is it even the best approach? Time will tell.

Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk

EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES:
Edward O’Connor (edward.oconnor@btc.co.uk) +44 (0)1689 616 000
Lyndsey Camplin (lyndsey.camplin@btc.co.uk) +44 (0)7946 679 853
Stuart Leigh (stuart.leigh@btc.co.uk) +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)

Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22

UK: £35/year, £60/two years, £80/three years;
Europe: £48/year, £85/two years, £127/three years
R.O.W: £62/year, £115/two years, £168/three years
Single copies can be bought for £8.50 (includes postage & packaging).
Published 6 times a year.

© 2022 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.

www.computingsecurity.co.uk Jan/Feb 2022 computing security @CSMagAndAwards



contents

The Cover sponsor for this latest issue, Shearwater Group - see right - enjoyed a highly successful evening at the 2021 Computing Security Awards, winning five awards in total, which included ‘Security Company of the Year’. Our warmest congratulations to them!


COMMENT

Stepping up Britain's defence and resilience

NEWS

A round-up of recent News stories that have caught our attention, including:

• 'Vulnerabilities of online security systems' pinpointed in Which? Report

• 'Ministry of Justice reveals loss of 184 devices'

• 'Google and Facebook punished over online tracking failures'.

The use of deep fake tech, 'Killerware', ransomware and insider threats are all forecast to rise in 2022. And cyber-criminals will be focusing on using existing attack methods in new ways to hit organisations even harder in 2022, warns Nicole Mills, exhibition director at Infosecurity Group

Paul Harris, Pentest, discusses the importance of security within tech projects and how a ‘security by design’ approach can bring numerous dividends

In the battle to stay ahead of the threats that are now exploiting a whole gamut of vulnerabilities, organisations must implement security strategies on numerous fronts as a matter of urgency

Facial recognition technology, behavioural biometrics, biometric authentication, homomorphic encryption and more - all are vying to emerge on top as our digital lives come under ever greater scrutiny and deepening threat

"If you can't get the basics right, it doesn't matter how brilliant your strategy is," says Steven Usher, Brookcourt Solutions

WITH ARCSERVE APPLIANCES

In-built ransomware protection enables rapid recovery of individual files and emails for Furness College

As cyber transforms our approach to security, the UK government has launched the National Cyber Strategy, with the aim of strengthening the UK cyber ecosystem, and "investing in our people and skills"

Ransomware hackers have the power not just to take files, but also to impact the very running of an entire organisation.




More than a third of security technologies that are currently used by organisations globally are considered to be outdated - and this at a time when attacks are being unleashed like never before


news

Amir Nooriala, Callsign

A recent report from Which? magazine has again highlighted the vulnerabilities of online security systems. The findings have prompted Amir Nooriala, chief commercial officer at authentication and verification company Callsign, to address the issue of flaws in password vulnerabilities.

"These flaws are well known by both tech organisations and the general public," he points out, "especially as we are constantly reminded to change our passwords every six months, use special characters and make sure we're not using our birthday as a pin code."

It's time to stop focusing on using passwords and SMS one-time passwords (OTPs) to authenticate identity, he adds. "Tech organisations need to stop putting customers in a position where they're forced to use channels that aren't secure to identify themselves online."

Organisations need to shift their strategies away from these analogue methods for customer security and introduce digital solutions for a digital world, Nooriala advises.

"Businesses should look at building other verification methods into their customer security strategies, such as biometrics and behavioural markers, which are analysed against thousands of data points." This enables consumers to access services such as online banking rapidly, while giving them peace of mind that they'll be safe online, he concludes.


Global cyber security and risk mitigation company NCC Group has launched a new cloud service, Replicate & Recover, with the aim of giving customers maximum resilience against disruption of third-party cloud-based software and applications.

Built upon NCC Group's software escrow technology, Replicate & Recover brings both escrow and data back-up (Back up as a Service (BaaS)) together into a single solution.

Simon Fieldhouse, global managing director, Software Resilience at NCC Group, comments: "In today's environment, operational resilience is closely tied to how much an organisation can minimise vulnerabilities in their cloud solutions. Businesses that are unprepared for data loss could be faced with huge downtime, which brings significant financial implications."

Simon Fieldhouse, NCC Group


The Ministry of Justice (MoJ) has revealed a total loss of 184 mobile phones, PCs, laptops and tablet devices between September 2020 and September 2021, compared with 161 in 2019/20. NHS Digital recorded a total of 71 lost or stolen devices, covering mobiles, laptops and tablets during the same period. A further 319 laptops were disposed of.

The findings follow Freedom of Information requests from Apricorn submitted to 16 government departments into the security of devices held by public sector employees.

"Lost and stolen devices are, in most part, unavoidable," says Jon Fielding, managing director, EMEA, Apricorn. "Fortunately, in the case of NHS Digital, despite the mishap in recording the disposal of a large quantity of laptops, their security processes ensured all these devices were encrypted and, as a result, the data they housed was protected."

Jon Fielding, Apricorn


When the pandemic struck, remote working arrived practically overnight. This, says Oliver Cronk, chief IT architect - EMEA, Tanium, saw many organisations turn to collaboration tools, such as Zoom and Microsoft Teams, to carry out daily operations. "Yet this increase in use and the flow of data across these platforms has prompted more cases of hackers trying to exploit vulnerabilities to steal sensitive information."

Important decisions need to be made about how to manage the platforms, such as whether to allow access to people from outside the organisation or permanent staff members only. "Also, security training programs should be updated to specifically cover threats that users could encounter on collaboration platforms."

Oliver Cronk, Tanium


Jake Moore, ESET

France's data privacy watchdog has fined Google and Facebook a combined €210m (£176m) for hampering users' ability to stop the companies tracking their online activity.

The Commission Nationale de l'Informatique et des Libertés (CNIL) revealed, as reported in The Guardian, that it had fined Google a record €150m for making it difficult for internet users to refuse cookies - small text files that build up a profile of a person's web activity for commercial purposes. It fined Facebook 60m euros for the same reason.

The watchdog said the facebook.com, google.fr and youtube.com websites did not allow the easy refusal of cookies. Citing the example of Facebook, it commented: "Several clicks are required to refuse all cookies, as opposed to a single one to accept them."

Says Jake Moore, global cyber security advisor at ESET: "Accepting cookies has become a normal part of visiting a website, but many people still have no real grasp of what they are agreeing to, much like the complicated Ts and Cs we often see in small print.

"This acceptance can lead to the handing over of very personal and unique data, such as what is in your shopping cart or even your location, and most people simply just agree with them to speed up the entry to the website."


The UK Cyber Security Council and the Security Awareness Special Interest Group (SASIG) have announced a strategic partnership. They will work together on key webinars and events designed to improve trust in the online environment and when it comes to education and knowledge-sharing. One of the forthcoming events where they will partner with SASIG is on its third Cybersecurity Skills Festival.

Simon Hepburn, CEO of the UK Cyber Security Council, says: "Getting more people to consider entering the cyber security industry is crucial and we look forward to working with SASIG on this." Martin Smith MBE, chairman and founder of SASIG, comments: "Our Skills Festivals have already established themselves as a successful way of bringing together those looking for new talent and those wanting to enter our dynamic and exciting profession, but there is much more to be done."

Simon Hepburn and Martin Smith


Cloudflare is expanding its Zero Trust firewall capabilities to help companies secure their entire corporate network across all of their branch offices, data centres and clouds. The company also announced Oahu, a new program to help customers migrate from legacy hardware to the Cloudflare.

According to Matthew Prince, co-founder and CEO of Cloudflare: "CIOs know that the corporate network is changing fast, and we want to help make that transition easy, flexible and scalable. When working from everywhere became possible, workers migrated from legacy locations like Palo Alto to work wherever they wanted.

"With our Oahu Program, we are making it easy for companies to leave legacy tech behind, in favour of an everywhere firewall delivered from the cloud."

Matthew Prince, Cloudflare


New research reveals that organisations are struggling to keep up with the print security demands of the hybrid workplace. The findings appear in Quocirca's 'Global Print Security Landscape Report 2022'.

Commenting on the findings, Quocirca research director Louella Fernandes says: "Despite rapid digitisation over the past eighteen months, organisations continue to rely on printing. Now, however, printer estates have expanded to include home offices and employee-purchased devices, increasing the risk of accidental data loss and cyber-attacks.

"Organisations are finding it harder to keep up with print security challenges and they are suffering costly breaches as a result," she adds.

Louella Fernandes, Quocirca


tech projects

Whether you're looking to build a new tech business, develop a new piece of software for a client, implement new technology within your existing company or build a new website for your organisation, creating and implementing new tech projects is always an exciting prospect. But, in the excitement of it all, it can be all too easy to focus on the 'interesting' functional aspects of the project and avoid some of the more 'mundane', or less attractive, jobs until later down the line. The jobs you know you need to do, but which aren't considered as exciting, interesting or transformative as the others.

Security is often one of these jobs and can be perceived by many as detrimental to the creative process. In fact, according to the EY Global Information Security Survey 2020, just 7% of organisations would describe cybersecurity as enabling innovation. With such negative perceptions, it's no wonder security can be left until the very last minute.

Take software development as an example, an industry we work closely with. Functionality and user requirements take priority within the development cycle - after all, you always want to deliver what your clients want. But security requirements don't often feature within the essential functionality or even within the 'nice to haves'. In most cases, security considerations only feature at the end of the development process, when clients are looking for final assurances before sign-off and go live. In some cases, it doesn't feature in the development process at all and security requirements only surface once the application has gone live and issues start to arise.

No matter what the tech project, leaving security testing and security assurances until the last minute is a risky approach, especially when there are tight timelines to adhere to. What happens if testing can't be completed in time due to the last-minute nature of the request? Do you go live without security assurances or delay release? Neither is ideal. What happens if last minute security investigations find major issues within the project, issues that will take time to remediate?

Again, you can go live knowing you have issues present and take the risk, or delay and fix the issues. It's not a great position to be in and it's certainly not something you want to be telling the client or internal management at the very last minute of the project. Yet, it's a situation we've seen happen time and time again when security has been left until the very end of a project.

So, next time you've got an exciting new tech-based project underway, how do you ensure you don't come across security issues like those above?




Security by design isn't a new concept and, whilst it has been adopted by many, it seems that security by afterthought is still the default setting for many organisations when it comes to tech projects.

Incorporating a security by design approach into projects may sound like a hassle for organisations, taking up valuable time, resources, and effort, but those who neglect to consider security from the outset can often make easy prey for hackers. The effort is worth it, and you can make the process as complicated or simple as you like. The key is that you're considering the security of the project at the earliest possible stage and therefore creating a more secure product as a result. Think of it like baking a cake: it's far easier to add raisins into your cake mix before baking than trying to do it after you have finished.




When developing a piece of software or an application, it's important to test its functionality as thoroughly as possible. To do this, development teams, as well as other in-house teams, will often 'eat their own dog food', using the software in the same way the customer would, helping uncover potential bugs before it makes its way into the hands of paying clients.

Conducting your own functionality testing in-house is one thing, but conducting your own security testing could be a completely different proposition.

First, testing can often sit with the development team, the very people tasked with creating the software. But do they have the correct skills to test it fully? They may have knowledge of security testing, the tools and approaches used, but can they interpret the results effectively or delve as deeply as a dedicated tester? It's the same for ethical hackers; yes, they may well have knowledge of development practices, but many don't have the skills to be a developer. They are entirely different mindsets, one is creative, one is destructive, and you therefore need to adopt the right approach, if you are to be successful.

In that case, using developers, or any in-house team, without the right skillset or mindset, may mean that issues are missed and may supply false assurances that things are fine, when in fact they aren't.

The second issue is whether in-house teams are too close to the project and therefore may not be fully impartial in their testing. Having your work judged by an external expert is always a daunting prospect, but it's far better to have an independent assessment of the situation, rather than run the risks of marking your own homework. As we always say, external security testing isn't here to call your baby ugly.



With project resources tight, it can be all too easy to cut corners in areas which, while necessary, have fewer perceived benefits. Testing is one of these areas and, although any security testing is beneficial, not all testing, and not all assurances, are created equal. Companies have a variety of choices when it comes to testing, whether it's conducting it in-house, which we've discussed above, vulnerability scanning or penetration testing. They can choose to conduct a test at the end of the process, during development or ideally a combination of both.

They also have choices when it comes to the scope and approach of those tests. Is testing to be focused on specific areas of the project, the ones that are critical or do you take a wider view? Should you only consider the threat from external sources or consider the potential damage that could be achieved, if a malicious threat was to obtain internal access?

Compromises often must be made and there have been many occasions where limitations mean full, in-depth testing just isn't possible. But testing should always be as thorough as possible within your set limitations, giving you the utmost confidence in your defences.

Yes, you can always get cheaper testing services or limit the scope of testing to save time, and still get the sign-off you need, but, if there is then a security issue and it's found that you scrimped on testing, then the fallout will probably cost more than the testing ever would have.


threat landscape

A series of recently released reports have pinpointed the constant bombardment of attacks organisations and individuals are under. It does not make for easy reading, as these assaults are ramped up to a level where the big question that comes to mind is: can best practice and technology combine to avoid a meltdown?

Cisco's latest cybersecurity report, 'Security Outcomes Study Volume 2' [i], surveyed more than 5,100 security and privacy professionals across 27 countries, including the UK, to determine the most impactful measures that teams can take, in order to defend their organisations against the evolving threat landscape.

Investing in a proactive technology refresh strategy is more critical than ever, states the report, as on average 39% of security technologies used by organisations globally are considered outdated. In the UK, respondents reveal themselves to be above the global average, reporting that 56% of their IT infrastructure is out of date.

Organisations with cloud-based architectures are said to be more than twice as likely to refresh than those with more outdated on-premises technologies. In the UK, 74% of security and privacy professionals stated that they are planning to expand their cloud-based security technology.

52% of respondents from the UK report they have a strong proactive tech refresh strategy to stay up to date with the best available IT and security technologies, while organisations with integrated technologies are seven times more likely to achieve high levels of process automation. Additionally, these organisations boast more than 40% stronger threat detection capabilities.

In the UK only 25.6% excel at retaining security talent. "More than 75% of security operations programs globally that do not have strong staffing resources are still able to achieve robust capabilities through high levels of automation," says the report. "Automation more than doubles the performance of less experienced staff, supporting organisations through skills and labour shortages."


The value of cloud-based security architectures cannot be understated, it continues. "Organisations that claim to have mature implementations of Zero Trust or Secure Access Service Edge (SASE) architectures are 35% more likely to report strong security operations than those with nascent implementations. Organisations that leverage threat intelligence achieve faster mean time to repair (MTTR), with rates 50% lower than those of non-intel users."

In the UK, according to the findings: 30.7% of security and privacy professionals stated they are able to manage top risks, while 33.5% of security and privacy professionals say they can avoid major incidents.


As the threat landscape continues to evolve, testing business continuity and disaster recovery capabilities regularly and in multiple ways is more critical than ever, with proactive organisations estimated to be 2.5 times more likely to maintain business resiliency.

"We recognise that today's compliance requirements, skills shortages, a hybrid workforce and a threat-filled landscape are all making security complex," says Lothar Renner, managing director security, Cisco EMEAR. "The global data behind Cisco's Security Outcome Study means that identifying the most effective security practices is no longer guesswork. Cisco continues to work with companies to uphold the best practices identified and, as such, will continue to support security professionals in the adoption of cloud-based security solutions and threat intelligence, based on our open and integrated platform SecureX, in order that they be best positioned to empower their enterprises securely," he adds.

What is the role of the CISO in delivering the most positive outcomes? "CISOs have to be both influencers and educators," says Helen Patton, Advisory CISO, Cisco.


"If we're going to be as effective as possible,<br />

we need to be on the leading edge of the<br />

strategy decisions being made in our<br />

organisations. But while we're trying to<br />

convince people that security is important -<br />

that we need the right investments to do<br />

it well and that we should be involved in<br />

every aspect of the business - we must also<br />

educate. Most executives do not have a<br />

background in security, so we need to inform<br />

them every step of the way about the types<br />

of risks we're introducing with each decision<br />

we make."<br />


IT and technology companies in the UK have<br />

experienced an average of 44 cyberattacks in<br />

the last 12 months - roughly one every eight<br />

days - according to new research by Keeper<br />

Security. The company's 2021 Cybersecurity<br />

Census Report ii has revealed that the large<br />

majority of IT decision makers (79%) within<br />

IT and tech companies in the UK expect the<br />

number of attacks to increase next year<br />

amidst concerns that they are missing the<br />

right skills and solutions to adequately<br />

protect themselves against these attacks.<br />

Overall, almost all (95%) IT and tech<br />

companies are aware of where the gaps in<br />

their current cybersecurity defences are, but,<br />

worryingly, only 40% are addressing them,<br />

leaving organisations vulnerable to future<br />

attacks. The acute cybersecurity skills shortage<br />

in the UK is one of the contributing factors to<br />

this, with 59% of IT decision makers stating<br />

that it is impacting the cybersecurity efforts<br />

in their organisation.<br />

"Leaders in the IT and tech space believe<br />

the skills gap doesn't just apply to their direct<br />

teams, but runs deep within organisations,"<br />

reports Keeper Security. "Over half (60%)<br />

state that employees don't understand the<br />

cybersecurity implications of poor password<br />

hygiene. Many IT decision makers (69%)<br />

therefore urge their companies to do more<br />

to educate employees on cybersecurity best<br />

practices, while three in four (73%) are in<br />

favour of mandating basic cybersecurity<br />

training before new starters join a business."<br />

Adds Darren Guccione, CEO & co-founder<br />

of Keeper Security: "The UK's IT and tech<br />

industry is a stalwart for innovation but,<br />

when it comes to cybersecurity, the sector still<br />

has some catching up to do. Our research<br />

has found that cybercriminals are really<br />

turning up the heat, and will continue to<br />

target IT and tech companies in the years<br />

to come. To counter this, it is essential that<br />

organisations address both the current skills<br />

gap and implement stringent IT policies that<br />

include a zero-trust and zero-knowledge<br />

approach to cybersecurity. With the best<br />

cyber defence solutions in place, IT and<br />

tech companies will be able to weather the<br />

cybersecurity storm they continue to face."<br />


Meanwhile, McAfee Enterprise has released<br />

its latest Advanced Threat Research Report iii<br />

that sets out to highlight the most impactful<br />

cybercriminal activity from the second quarter<br />

of 2021, with a focus on ransomware and<br />

cloud security threats.<br />

Despite the most influential underground<br />

forums XSS and Exploit announcing a ban on<br />

ransomware advertisements and the DarkSide<br />

ransomware group abruptly halting its<br />

operations, McAfee Enterprise's global threat<br />

network identified a surge in ransomware<br />

attacks by popular malware families, in<br />

addition to expanded targeted sectors. In<br />

fact, McAfee Enterprise's threats team<br />

identified that 73% of ransomware<br />

detections in Q2 2021 were related to the<br />

REvil/Sodinokibi family and that DarkSide<br />

ransomware attacks extended beyond the oil,<br />

gas and chemical sector to legal services,<br />

wholesale and manufacturing.<br />

Other key findings in the research include:<br />

The most targeted sector by ransomware<br />

in Q2 of 2021 was the government,<br />

followed by telecom, energy and media &<br />

communications<br />

A 64% increase in publicly reported cyber<br />

incidents targeted the public sector<br />

during the second quarter of 2021,<br />

followed by the entertainment sector<br />

with a 60% increase. Notably, information<br />

/communication had a 50% decrease in<br />

Q2 2021, with manufacturing down 26%<br />

Financial services were targeted in 50% of<br />

the top 10 cloud incidents<br />


Comments Adam Philpott, EMEA president at<br />

McAfee Enterprise: "The fact that the<br />

government saw a 64% increase in publicly<br />

reported cyber incidents specifically targeting<br />

the public sector should be a warning that no<br />

one is safe from a cyber-attack. As cyber<br />

criminals adapt their methods to target the<br />

most sensitive data and services, the public<br />

sector must shore up its defences to mitigate<br />

further threats.<br />

"By deploying a security strategy that blends<br />

both Zero Trust and SASE approaches,<br />

the public sector can be more confident,<br />

knowing that they have the necessary barriers<br />

in place to protect against sophisticated<br />

attacks. This has become particularly<br />

important as workers split their time<br />

between home and the office, with<br />

organisations needing to protect entry and<br />

data at every control point."<br />

The good news is that data shows that<br />

attacks across several other sectors,<br />

including information and the<br />

manufacturing sectors, were down,<br />

he adds. "Organisations shouldn't get<br />

complacent, however, and should use this<br />

as an opportunity to figure out what has<br />

worked well and how they could tighten up<br />

their defences against future attacks. This<br />

could include the use of threat intelligence,<br />

which helps organisations to predict and<br />

prioritise potential threats before preemptively<br />

adapting their defensive<br />

countermeasures, ensuring optimised<br />

security and future business resilience."<br />


Finally, Positive Technologies experts<br />

have analysed the Q3 2021 cybersecurity<br />

threatscape and found a decrease in the<br />

number of unique cyberattacks iv . If that<br />

can be seen as the good news, it also<br />

reports an increase in the share of attacks<br />

against individuals and a rise in attacks<br />

involving remote access malware.<br />

The number of attacks in Q3 decreased by<br />

4.8% compared to the previous quarter - the<br />

first time since the end of 2018 that Positive<br />

Technologies has recorded a negative trend.<br />

The researchers believe one key reason for<br />

the change is the decrease in ransomware<br />

attacks and the fact that some major<br />

players have quit the stage. This is also why<br />

the share of attacks aimed at compromising<br />

corporate computers, servers and network<br />

equipment has fallen - from 87% to 75%.<br />

Positive Technologies research also shows<br />

that, although the share of malware attacks<br />

decreased by 22%, the attackers' appetite<br />

for data led to an increase in the use of<br />

remote access trojans. In attacks on<br />

organisations, this share grew from 17% to<br />

36%, while in attacks against individuals<br />

remote control trojans made up more than<br />

half of all malware. In Q3, the share of<br />

attacks involving remote access trojans<br />

increased 2.5 times over Q1.<br />

"This year, we saw the peak of ransomware<br />

attacks in April when 120 attacks were<br />

recorded," says Ekaterina Kilyusheva,<br />

head of research and analytics, Positive<br />

Technologies. "There were 45 attacks in<br />

September, down 63% from the peak<br />

in April. The reason is that several large<br />

ransomware gangs stopped their operation<br />

and law enforcement agencies started<br />

paying more attention to the problem of<br />

ransomware attacks [due to recent high-profile<br />

attacks]."<br />

Positive Technologies also noted a trend<br />

toward the 'rebranding' of existing<br />

ransomware gangs: Some operators<br />

are rethinking their preference for the<br />

Ransomware as a Service (RaaS) scheme,<br />

which carries certain risks from unreliable<br />

partners.<br />

"In Q2, we predicted that one of the<br />

possible scenarios of ransomware<br />

transformation would be that groups<br />

abandon the RaaS model in its current<br />

form," she adds. "It is much safer for<br />

ransomware operators to hire people<br />

who will deliver malware and search for<br />

vulnerabilities as permanent 'employees.'<br />

It will be safer for both parties, as more<br />

organised and efficient all-in-one forms of<br />

cooperation can be created. In Q3, we saw<br />

the first steps in this direction. An additional<br />

boost for this transformation is the development<br />

of the market of initial access."<br />

i https://bit.ly/3IFVr7J<br />

ii https://www.keepersecurity.com/uk-cybersecurity-census-report-2021.html<br />

iii https://www.mcafee.com/enterprise/en-us/lp/threats-reports/oct-2021.html<br />

iv https://www.ptsecurity.com/ww-en/analytics/cybersecurity-threatscape-2021-q3<br />

security strategies<br />




When the pandemic first struck,<br />

many businesses were forced<br />

to become remote practically<br />

overnight. This, says Oliver Cronk, chief IT<br />

architect - EMEA, Tanium, saw many<br />

organisations turn to collaboration tools,<br />

such as Zoom and Microsoft Teams, to<br />

carry out daily operations. "Yet this increase<br />

in use and the flow of data across these<br />

platforms has prompted more cases of<br />

hackers trying to exploit vulnerabilities to<br />

steal sensitive information," he states.<br />

Hackers will continue to look for<br />

vulnerabilities related to the new hybrid<br />

workplace model - and Tanium predicts<br />

that during 2022 employees using<br />

collaboration tools at home could come<br />

under siege. "Hackers are aware these tools<br />

are being used for new working processes<br />

and carrying lots of valuable data," points<br />

out Cronk. "Instead of trying to find technical<br />

weaknesses in the tools specifically,<br />

hackers will look to exploit users through<br />

impersonation instead. This could happen<br />

on the platforms, but off of them, too.<br />

For example, we're already seeing Zoom-themed<br />

phishing attacks circulating<br />

through email, text and social media<br />

messages, aiming to steal credentials."<br />

Organisations should make the security<br />

of collaboration tools a key part of their<br />

security strategies, he cautions. "As part<br />

of this, they will need to make important<br />

decisions about how to manage the<br />

platforms, such as whether to allow people<br />

from outside the organisation to use them<br />

or whether only permanent staff members<br />

are given access. Additionally, security<br />

training programs should be updated to<br />

specifically cover threats that users could<br />

encounter on collaboration platforms."<br />


In the battle to stay ahead of the threats<br />

now proliferating across the computing<br />

security industry, endpoint management<br />

and security company Tanium has launched<br />

a new solution that, it states, offers a<br />

"comprehensive, near real-time view of risk<br />

posture" across an organisation, with the<br />

ability to quickly remediate vulnerabilities<br />

and compliance gaps from a single<br />

dashboard.<br />

Tanium ranks Tanium Risk as a key part<br />

of the company's risk and compliance<br />

solution. "By leveraging existing features of<br />

the Tanium platform that establish a holistic<br />

view into all endpoints, the new product<br />

generates an accurate, relevant risk score,"<br />

claims the company. "This allows customers<br />

to quickly prioritise what needs to be fixed<br />

across their environment, without<br />

switching tools."<br />

As the volume and intensity of advanced<br />

threats hits ever higher peaks and puts<br />

organisations at levels of risk rarely seen<br />

before, solutions are certainly needed from<br />

the industry at large to help stave off the<br />

worst effects and offer the protections that<br />

are needed.<br />

"Managing endpoint risk and compliance<br />

is more challenging today than it has ever been<br />

before," points out Pete Constantine, chief<br />

product officer for Tanium. "Today's CISOs<br />

have to manage risk from millions of<br />

globally distributed, heterogeneous assets,<br />

while also responding to ever increasing<br />

audit scrutiny and regulatory compliance<br />

requirements. Whether organisations need<br />

to patch, update applications or set new<br />

configuration policies, Tanium Risk allows<br />

them to leverage the same dataset, agent<br />

and architecture to fix gaps as quickly as<br />

they are found."<br />


According to Phil Harris, research director,<br />

Cybersecurity Risk Management Services, at<br />

analyst firm IDC, a near real-time risk score<br />

with comprehensive visibility into the state<br />

of endpoints enables executives to better<br />

understand the impact of cyber-attacks on<br />

business outcomes. "Decision makers can<br />

prioritise severe vulnerabilities and respond<br />

to breaches much more quickly to reduce<br />

the attack surface radically."<br />

Meanwhile, IPC provider Advantech has<br />

been busily engaged in launching its own<br />

solutions in line with warding off the many<br />

advanced threats that are threatening<br />

organisations. In its case, this is very much<br />

focused on edge AI inference systems that<br />

meet rising demands for AI image<br />

recognition.<br />

"As AI devices are widely deployed at<br />

the edge, remote management and<br />

information security at the cloud/edge<br />

remain key concerns," states Advantech.<br />

The company collaborated with Allxon<br />

on remote Edge-AI device management<br />

solutions back in 2020. Now, Allxon is<br />

collaborating with cybersecurity software<br />

giant Trend Micro's IoT security (TMIS)<br />

division in an effort to create stronger<br />

premier security features.<br />

"The exploding popularity of edge AI<br />

solutions creates new AIoT [Artificial<br />

Intelligence of Things] threats that target<br />

mission-critical operation technology,"<br />

adds Advantech. "Consequently, providing<br />

maximum protection through a range of<br />

system hardening and risk detection<br />

features - both in the cloud and at the<br />

industrial edge - is vitally important.<br />

Indeed, adding IoT protection with disaster<br />

recovery functions delivers the safety and<br />

convenience needed for industrial<br />

operation technology."<br />

Ultimately, the collaboration between<br />

Advantech, Allxon and Trend Micro aims<br />

to deliver the level of security and remote<br />

device monitoring/management solutions<br />

that address diverse management and<br />

security challenges.<br />



Remote Management: Allxon Device<br />

Management Solutions (DMS) are said<br />

to provide a wide range of centralised<br />

cloud-device systems that help businesses<br />

avoid multi-platform interface management<br />

difficulties associated with mass<br />

deployment. Using Advantech MIC-AI's<br />

flexible iDoor Mini PCIe enables these<br />

systems to directly connect to the internet<br />

via LAN and control an integrated reset pin.<br />

This, in turn, enables Allxon DMS to reset<br />

MIC-AI remotely during a system crash.<br />

As a preferred NVIDIA partner (the<br />

multinational technology company that<br />

designs graphics processing units for the<br />

gaming and professional markets), Allxon<br />

delivers diverse functionality to NVIDIA<br />

Jetson. These functions include secure and<br />

remote recovery mode triggering, system<br />

log automatic upload/download, over-the-air<br />

(OTA) deployment and out-of-band<br />

(OOB) power cycling.<br />

Information Security: Trend Micro's<br />

industry-leading threat intelligence<br />

leverages a combination of vulnerability<br />

checks and proprietary Web Reputation<br />

Services to engender enhanced security<br />

and blacklisting respectively. Likewise,<br />

Trend Micro's Approved Application Listing<br />

restricts on-device operations to authorised<br />

script files and applications. "Allxon's over-the-air<br />

(OTA) updates enable users to install<br />

and update Trend Micro IoT Security on<br />

edge devices remotely, while blocking<br />

suspicious activities and potential attacks.<br />

Similarly, Allxon Portal optimises and<br />

secures Advantech MIC-AI devices by<br />

further enabling remote monitoring."<br />


But how will AI, IoT and AIoT [Artificial<br />

Intelligence of Things] influence the way<br />

we deal with data and implement cloud<br />

computing in the future? Global information<br />

analytics company Elsevier is very<br />

much at the front edge in recognising the<br />

opportunities this 'brave new world' can<br />

deliver.<br />

"From smart home, smart city to smart<br />

globe, Internet of Things (IoT) is playing a<br />

great role that will dramatically change not<br />

only our daily lives, but human civilisation,"<br />

states Elsevier. "However, with numerous<br />

flows of data streamed from connected<br />

sensors and devices that are increasing by<br />

billion per year, the ability to handle data in<br />

a timely, effective manner will determine<br />

whether we can fully enjoy the benefits of<br />

IoT."<br />

And it adds: "The recent advances in<br />

artificial intelligence (AI) have brought<br />

opportunities in overcoming the challenges<br />

of IoT development. Consequently, the<br />

integration of AI and IoT technologies<br />

becomes a promising trend to promote the<br />

benign evolution of the IoT ecosystem."<br />

Recently, the new IoT structure known as<br />

the Artificial Intelligence of Things (AIoT)<br />

has come into play and Elsevier has been<br />

noting its growing influence. "Broadly<br />

speaking, AIoT is a fusion of AI and IoT in<br />

practical applications."<br />

However, AIoT is not a simple AI + IoT,<br />

states Elsevier, but adopts technologies<br />

such as AI and the IoT, supported by big<br />

data and cloud computing, using semiconductors<br />

as algorithm carriers, network<br />

security technologies as implementation<br />

guarantees, and 5G as a catalyst to<br />

integrate data, knowledge and intelligence.<br />

"With the power of AI," comments<br />

Elsevier, "IoT devices are not just messengers<br />

feeding information to the control centre,<br />

but have evolved into intelligent machines<br />

capable of performing self-driven analytics<br />

and acting independently. AIoT disruptive<br />

changes and unique opportunities to<br />

modern society through personalised<br />

services, tailored content, improved<br />

availability, and accessibility, and cost-effective<br />

delivery."<br />


Although the advent of AIoT has spawned<br />

a large number of new technologies and<br />

applications, the convergence of IoT and<br />

AI also poses several emerging challenges,<br />

Elsevier concedes. "To fulfil AIoT, one<br />

essential step is to connect various things<br />

in a collaborative manner, because IoT<br />

devices appear in a wide variety of<br />

products. Because AIoT is so huge, it would<br />

have to be self-organised and groups of<br />

things in the AIoT should collaborate for a<br />

common goal. However, simply connecting<br />

them without further collaboration among<br />

different things leads to unnecessary energy<br />

consumption, uncertain security, unstable<br />

performance etc for AIoT."<br />

Another essential step, it points out, is to<br />

link AIoT with other advanced technologies<br />

causing convergence and breaking down<br />

the barriers, though it concedes that the link<br />

among cloud, edge, blockchain and AIoT<br />

etc "poses many challenges that call for<br />

advanced approaches and rethinking of the<br />

entire architecture, communication and<br />

processing to meet requirements in latency,<br />

reliability and so on".<br />


In another development, Cloudflare is<br />

expanding its Zero Trust firewall capabilities<br />

to help companies secure their entire<br />

corporate network across all of their<br />

branch offices, data centres and clouds.<br />

The company also announced Oahu, a<br />

new program to help customers migrate<br />

from legacy hardware to the Cloudflare<br />

One suite of Zero Trust solutions. "Now,<br />

CIOs can better connect and secure their<br />

corporate networks with Zero Trust<br />

security - without the traditionally hard,<br />

costly or complex migration," it states.<br />

"Traditional firewalls consisted of<br />

hardware boxes installed on company<br />

premises and were not designed for hybrid<br />

workforces or cloud applications. While<br />

some companies turned to 'virtualised'<br />

firewalls to meet this challenge, these<br />

faced many of the same challenges as with<br />

hardware appliances, such as capacity<br />

planning and managing primary/backup<br />

devices."<br />

With Cloudflare's new cloud firewall<br />

functionality, CIOs can better secure their<br />

entire corporate network, apply Zero<br />

Trust policies to all traffic and gain deeper<br />

network visibility, the company claims.<br />

"And since Cloudflare's firewall runs<br />

everywhere, CIOs no longer need to rely<br />

on centralising traffic on one box in one<br />

location, physical or virtual."<br />

Observes Matthew Prince, co-founder<br />

and CEO of Cloudflare: "CIOs know that<br />

the corporate network is changing fast,<br />

and we want to help make that transition<br />

easy, flexible and scalable. When working<br />

from everywhere became possible, workers<br />

migrated from legacy locations like Palo<br />

Alto to work wherever they wanted. With<br />

our Oahu Program, we are making it easy<br />

for companies to leave legacy tech behind,<br />

in favour of an everywhere firewall<br />

delivered from the cloud."<br />

According to Cloudflare's DDoS attack<br />

trends and highlights from 2021, ransom<br />

DDoS attacks increased by 29% year over<br />

year and 175% quarter over quarter in Q4<br />

of 2021. With this in mind, Cloudflare<br />

investigated which industries and regions<br />

were most commonly targeted by<br />

attackers, as well as the patterns for<br />

various types of assaults.<br />


The first half of 2021 witnessed massive<br />

ransomware and ransom DDoS attack<br />

campaigns that interrupted aspects of<br />

critical infrastructure around the world<br />

(including one of the largest petroleum<br />

pipeline system operators in the US) and a<br />

vulnerability in IT management software<br />

that targeted schools, public sector, travel<br />

organisations and credit unions, amongst<br />

many others.<br />

The second half of the year recorded a<br />

growing swarm of one of the most<br />

powerful botnets deployed (Meris), as well<br />

as record-breaking HTTP DDoS attacks and<br />

network-layer attacks observed over the<br />

Cloudflare network. This besides the<br />

Log4j2 vulnerability (CVE-2021-44228)<br />

discovered in December that allows an<br />

attacker to execute code on a remote<br />

server - arguably one of the most severe<br />

vulnerabilities on the Internet since both<br />

Heartbleed and Shellshock.<br />


Prominent attacks, such as the ones listed<br />

above, are but a few examples from the<br />

report that, adds Cloudflare, "demonstrate<br />

a trend of intensifying cyber insecurity that<br />

affected everyone, from tech firms and<br />

government organisations to wineries and<br />

meat processing plants".<br />

Adds John Graham-Cumming, CCO,<br />

Cloudflare: "Q4 was very busy for DDoS<br />

attacks on the Internet. We saw a big<br />

increase in random DDoS attacks, as well<br />

as standard network-level DDoS aimed at<br />

knocking a service offline.<br />

"This all points to DDoS attacks being<br />

relatively easy to perform and, via<br />

ransoms, a way to make money."<br />

attacker tactics<br />




As a follow-up to our 2022 Predictions<br />

feature in the last issue, we've been<br />

canvassing opinions from across the<br />

industry on how they see security shaping up<br />

as we move through the year.<br />

"Yes, the clock is ticking, but the fuse<br />

has also become shorter," notes Peter<br />

Stelzhammer, co-founder AV-Comparatives:<br />

"The times of patting each other on the back<br />

are over - cybercrime is now an organised<br />

activity that has become an extremely<br />

professional operation.<br />

"In the media, you read again and again<br />

about the all too bad ransomware attacks.<br />

However, these are increasingly becoming<br />

'killerware' attacks when they hit systems<br />

in the health sector and put human lives in<br />

danger. Almost forgotten are the other<br />

malware attacks that are just as bad, but not<br />

as visible. Many more Zombie systems exist<br />

with 'normal' malware than systems infected<br />

with ransomware, which are equally as<br />

devastating."<br />

The most important measures against<br />

cybercrime, he says, are still a multi-level<br />

security system consisting of firewall, server<br />

security and endpoint security, supplemented<br />

with a secure backup strategy. "It is equally<br />

important to keep the software up to date<br />

and patched. Cybersecurity is still an<br />

overlooked issue in many companies. This<br />

must change: IT security absolutely belongs<br />

to the business area of management. The<br />

survival of your company could depend on it."<br />


Meanwhile, the organisers of Infosecurity<br />

Europe asked their network of CISOs and<br />

analysts to comment on the major trends<br />

and shifts they foresee<br />

shaping the next several<br />

months. Their response<br />

was that, while 2022's<br />

dominant cyber threats<br />

will largely mirror those<br />

faced last year, criminals<br />

will evolve their modus<br />

operandi to boost disruption<br />

and monetisation.<br />

"Cyber-criminals are sharpening<br />

their skills and techniques, with a focus<br />

on using existing attack methods in new<br />

ways to hit organisations harder in 2022,"<br />

says Nicole Mills, exhibition director at<br />

Infosecurity Group. "Enterprises must be<br />

aware of the tactics attackers are likely to use<br />

to access their networks, systems and data,<br />

and prepare to respond effectively."<br />

The conference programme at Infosecurity<br />

Europe 2022 - 21-23 June at ExCeL London -<br />

will cover the topics raised by the CISOs and<br />

analysts who contributed their thoughts, with<br />

presentations, talks and workshops exploring<br />

the themes across the different theatres.<br />


Egress CEO Tony Pepper sees ransomware<br />

attacks continuing to be a big problem<br />

in 2022. "The most important step that<br />

organisations can take this year is to tackle<br />

the problem of phishing. Over 90% of<br />

malware is delivered via email. The worst<br />

thing about ransomware is that, once it's in<br />

your organisation's systems, it's incredibly<br />

difficult to stop. By making it harder for<br />

cybercriminals to gain access in the first<br />

place, organisations can protect themselves."<br />

They can take back control by stopping entry<br />

in the first place and the best way to do that,<br />

he says, is to invest in "intelligent anti-phishing<br />

technology that can detect the most<br />

sophisticated phishing attacks".<br />

Pepper anticipates that the supply chain will<br />

become the least trusted channel in 2022,<br />

following the high-profile attacks against<br />

Kaseya and SolarWinds over the last few<br />

years. "Protecting against supply-chain attacks<br />

will be at the top of every CISO's priorities this<br />

year and loss of trust in the supply chain will<br />

drive adoption of the zero-trust approach.<br />

However, as zero trust concepts become<br />

more popular throughout 2022, organisations<br />

should be wary of vendors that claim<br />

to singlehandedly be a silver bullet. Instead,<br />

organisations should layer combinations of<br />

technologies to achieve a truly zero trust<br />

approach."<br />

He also expects accidental data breaches<br />

to continue to be a problem, while also<br />

foreseeing many organisations beginning to<br />

realise the scale of their data loss problems<br />

and that they will look to a "combination of<br />

encryption, intelligent data loss prevention<br />

and security awareness training measures<br />

to help secure their data on email".<br />



"It is likely <strong>2022</strong> will be a more eventful year<br />

in cybersecurity," says Todd Carroll, CISO at<br />

CybelAngel. "When there is uncertainty, it's<br />

best to gain as much knowledge as possible,<br />

so you can plan effectively. Something we are<br />

seeing is organisations heavily investing in<br />

cloud-based security solutions and cloud-based<br />

monitoring services, in addition to<br />

skilled staff [internal or external] and security<br />

awareness training." His top three suggested<br />

priorities for the rest of 2022 would be to:<br />

Be proactive - look for external threats,<br />

search for data leaks, locate shadow IT<br />

and monitor for Dark Web mentions.<br />

The faster you find the danger, the sooner<br />

you can fix it<br />

Help your third parties - if sophisticated<br />

companies have data lakes, smaller<br />

vendors will, too. You must monitor your<br />

data, so that, when a vendor's data leaks,<br />

you know earlier and can help them<br />

secure your company and your data.<br />

"Be aware of your surroundings," Carroll<br />

advises. "Ransomware gangs and other<br />

cybercriminals love striking on holidays or just<br />

before peak business times when companies<br />

are distracted. Make sure you have enough<br />

staff to stay on top of threats and can also<br />

build in time to let the team rest. InfoSec is<br />

a never-ending fight and you must rotate<br />

your cyber troops to minimise burnout."<br />


According to Justin Lie, founder and CEO of SHIELD, as the world opens up and travel restarts, fraud prevention solutions must be able to scale to keep up with resurging growth. "However, the effects of the pandemic will have a lasting impact on the way fraud is conducted," he says. "For example, the shift to online banking has been a goldmine for fraudsters. As more users migrate to online channels, companies with weak cybersecurity measures will be more at risk. The race to win new customers has companies fighting for dominance where the key differentiator will be the balance between user experience and security. We can't let bad actors through the gate, as it's a sure way to lose existing customers while also making it hard to obtain new customers."

As companies scale their growth, they<br />

should also make sure they scale their<br />

systems and infrastructure - specifically their<br />

fraud prevention solution. "This means<br />

increasing the volume their platform can<br />

take, as well as making sure the coverage<br />

of the fraud prevention solution can cover<br />

more ground and be effective in fighting<br />

new fraud use cases. It also means detecting<br />

behaviour that has never been seen before<br />

and is more complex," Lie advises.<br />

Next, it will be essential for companies to<br />

invest in AI and machine learning if they<br />

haven't done so already. "Harnessing machine<br />

learning and AI is not just to keep up with<br />

the level of fraud attacks, but to stay ahead<br />

of them."<br />


Ransomware attacks are expected to<br />

continue rising in 2022, but are likely to look<br />

different, as hackers become aware that the<br />

return on investment they can achieve by<br />

encrypting data is diminishing. "Criminals<br />

are busy exploring alternative means of<br />

monetisation," comments Rik Ferguson, vice<br />

president of Security Research, Trend Micro.<br />

"The act of encrypting data and denying the<br />

owner access to it is actually a minor way of<br />

making money.<br />

"Criminals will focus on their secondary and<br />

tertiary means of extorting money - for example, threatening to release data for public exposure, contacting people who are a part of the data set and trying to exploit them, or piling denial of service attacks on top of encryption."

Peter Stelzhammer, AVComparatives: yes, the clock is ticking, but the fuse has also become shorter.

Roland Carandang, Protiviti: if 2021 and 2020 have taught us anything, it's that change is the only constant.

Rik Ferguson, Trend Micro: criminals are busy exploring alternative means of monetisation.

Tony Pepper, Egress: organisations can take back control by stopping entry in the first place and the best way is to invest in intelligent anti-phishing technology.


This view is echoed by Barry Coatesworth,<br />

director - Risk, Compliance and Security,<br />

Guidehouse. "Ransomware will continue<br />

to evolve and the sophistication of the<br />

techniques criminals use will improve," he<br />

states. "They will become more astute in<br />

what situations their victims want to avoid,<br />

to maximise payment. Attacks affecting the<br />

supply chain will probably also increase -<br />

including managed service providers (MSPs)<br />

that manage parts of infrastructure or<br />

software for other organisations, because,<br />

if adversaries can get to them, they can also<br />

get to many of their clients."<br />

Coatesworth anticipates an increase in<br />

social engineering, which tricks users into<br />

making security mistakes or giving away<br />

information. "Threat actors have been<br />

recruiting insiders with the promise of<br />

millions of dollars if they help them gain<br />

access to an organisation's system to install<br />

malware," he says.<br />

"This, combined with growing attacks<br />

against operational technology (OT) systems<br />

and critical infrastructure services, could<br />

result in serious disruption, potentially even<br />

endangering human life. Improvements in<br />

deep fake technology for instance have<br />

allowed threat actors to bypass multi-factor<br />

authentication [MFA] and also elicit fraud by<br />

using faked audio." Countering these threats<br />

will require organisations to improve their<br />

preparedness for incidents and build their<br />

ability to respond effectively.<br />


For Munawar Valiji, CISO, Trainline, the<br />

recalibration of tooling and capability for<br />

the post-pandemic world will be a priority.<br />

"Organisations need to validate their use of<br />

basic security tooling - such as vulnerability<br />

management, and virus and malware<br />

protection - to make sure that they haven't<br />

degraded against the performance expected<br />

of them. There will be more centralisation of<br />

those functions, and increased focus on<br />

automation and orchestration."<br />

Independent researcher David Edwards<br />

believes that cybersecurity will attract more<br />

senior leadership attention in the coming<br />

year. "I think we'll see an increase in boards<br />

taking more interest in cyber risk, as spend<br />

increases. Meanwhile, vendors will align<br />

their product strategy to empower Zero<br />

Trust; however, we'll see slow adoption<br />

throughout 2022, as a result of businesses<br />

starting to compete more aggressively in the<br />

digital landscape."<br />

Meanwhile, Rick Jones, CEO, DigitalXRAID,<br />

recalls how everyone spent 2021 wondering<br />

what a post-Covid world might look like<br />

"and, if recent history has taught us<br />

anything, it's that we should expect the<br />

unexpected". Every week, we are seeing new<br />

cybersecurity threats that can seriously harm<br />

businesses and we will see many more by<br />

the end of 2022, he predicts.<br />

"Developing an holistic cybersecurity<br />

strategy is essential to protecting against<br />

more frequent attacks and businesses can<br />

do this by prioritising three key areas:<br />

people, processes and technology."<br />


States Cloudflare chief security officer Joe<br />

Sullivan: "With any luck, 2022 will see the<br />

waning of the pandemic that drove us to<br />

isolation - but one thing will not return to<br />

pre-covid times: our dependence on the<br />

Internet. We rely so much more on online<br />

connectivity for commercial transactions and<br />

interpersonal connections.<br />

"That's why we felt the pain of cyber<br />

security issues so deeply in 2021 - whether it was ransomware or currency theft or nation-state actions. And that is why we need to do more for security in 2022." Businesses need to accept that investing in security is good for business, he advises. "It starts with employing dedicated security professionals who can help build the right security controls. They can help the business own its online presence more by securing their websites, so consumers can trust them. And especially in the more distributed workforce world we live in now, every business needs to invest in zero-trust approaches to reduce the risk of their employees' online accounts being stolen.

"Account compromises are often the easiest<br />

way for an attacker to get into a company<br />

environment," cautions Sullivan. "And, last<br />

but not least, a third area of investment<br />

should be in security awareness for<br />

employees, ideally with that message<br />

reflected in the right tone from the top<br />

of the organisation."<br />


If 2021 and 2020 have taught us anything,<br />

it's that change is the only constant, states<br />

Roland Carandang, managing director at<br />

Protiviti. "This is partly because of the ‘Big C’<br />

[Covid] and also because of unrelated<br />

innovations, including advancements<br />

in quantum computing, neuroscience,<br />

materials science, even space travel. And<br />

really, who could have predicted the rise<br />

of NFTs? As a leader in information security,<br />

how best to plan for such a dynamic future?<br />

By embracing uncertainty and embracing<br />

our people."<br />

Here are some other Cs that Carandang<br />

recommends, in order to achieve that:<br />

Connection and Control: "Our people<br />

have spent nearly two years adjusting to<br />

disruption in their personal and professional<br />

lives. Many of us just want to feel connected<br />

again... to other people. Even before<br />

the pandemic, scientists like Daniel Pink<br />

presented solid evidence that people want<br />

control - over what they do, who they do<br />

it with and when they do it."<br />

Light Coupling of Capabilities: "2021<br />

delivered continued improvements in<br />

technological capability, driven in large part<br />

by underlying advancements in artificial<br />

intelligence and ecosystem integration.<br />

While some vendors are taking this<br />

opportunity to take over their customers'<br />

architecture, others have embraced<br />

openness and integration. In a world where<br />

uncertainty is high and, practically, where<br />

availability of 'hot product' skillsets are low,<br />

the latter path feels most sensible."<br />

Creativity: "2021 also brought improvements<br />

in low/no code platforms and increased use<br />

of innovation systems, like LUMA, and tools,<br />

like Mural," adds Carandang. "The start of<br />

the year is often a time to enable our people<br />

for success. While this certainly includes<br />

technical training, complementing this with<br />

innovation training will help with the other<br />

Cs presented here by helping our people<br />

better engage with each other to envision<br />

possibilities and deliver meaningful change<br />

in their organisations."<br />


Infosec professionals need to expect the<br />

surge to continue - especially as attack tools<br />

and their 'as-a-service' variants adapt to<br />

increased awareness and strengthened<br />

defences, warns Sean Newman, vice<br />

president, Product Management, Corero<br />

Network Security.<br />

"An area that experienced major growth<br />

was Ransom DDoS [Distributed Denial of<br />

Service] attacks that saw a 29% year-on-year<br />

increase, according to data from<br />

Cloudflare," he points out. "These types of<br />

attacks have the benefit of being open-loop<br />

- or asymmetrical - as an organisation can be<br />

attacked without the perpetrator needing to<br />

gain access to internal systems, establishing<br />

command and control or receiving any<br />

exfiltrated data.<br />

"Worse still, traditional business continuity<br />

plans, such as multiple data centres for<br />

resiliency or data backups, are rendered<br />

useless, as these attacks aim to overwhelm<br />

a victim's ability to benefit from the Internet<br />

or access online services. Organisations must<br />

evaluate their preparedness to counter these<br />

types of attacks and put in place suitable<br />

countermeasures to ensure they don't<br />

become the next victim."<br />


Although supply chains have been exploited<br />

by cybercriminals for many years now as an<br />

easier route to penetrating even the best<br />

guarded organisations, the last 12 months<br />

have seen a spate of high-profile incidents<br />

that have had a massive knock-on effect.<br />

"These have not gone unnoticed by the<br />

criminal gangs," continues Newman. "The<br />

recent Log4J vulnerability disclosure<br />

highlights the broadness of that 'supply<br />

chain' definition and organisations would be<br />

wise to start examining all their suppliers, as<br />

they could be introducing this and other<br />

weaknesses, into your environment, for<br />

attackers to exploit."<br />

An associated, and often-overlooked, area<br />

is service suppliers such as ISPs, UC and<br />

hosting providers. The DDoS attack last year<br />

against Voipfone, a highly regarded UC<br />

provider, impacted connected businesses<br />

across multiple weeks and highlights that<br />

the customers of such providers need<br />

to verify they can demonstrate not just<br />

protection against DDoS, but also<br />

contingency plans to ensure service<br />

continuity. This year, organisations need<br />

to start having these types of blunt<br />

conversations with suppliers - not putting<br />

it off until it's too late.<br />

"Organisations should also think about<br />

doing some testing of their protective<br />

measures," adds Newman. "Will our defences<br />

work, if we are the target of a DDoS attack?<br />

What happens if our ISP or hosting provider<br />

goes down? If the last few years of global<br />

pandemic has taught us anything, we all<br />

need to have a 'Plan B'."<br />


strategic thinking<br />


OF TRUTH<br />

"IF YOU CAN'T GET THE BASICS<br />





Every business should be considering the<br />

potential opportunities and cyber<br />

threats that the future could bring, but,<br />

with the future more uncertain than ever,<br />

how do you start to plan? Steven Usher,<br />

Senior Security Analyst, Brookcourt Solutions,<br />

offers his insights into the three areas he<br />

believes you should be looking at to stay<br />

ahead in the coming year.<br />

When it comes to cybersecurity, the likelihood is that the majority of 2022's cyber threats won't be new or unheard of; they will be well-known issues that have been seen repeatedly. Yet these 'well-known' issues continue to catch out organisations year after year.

Steven Usher, Brookcourt Solutions: organisations should be open to searching for cyber security candidates with a passion for the industry.


Always be aware of what is on your network.<br />

Take the time to ensure the asset register is<br />

fully populated, as it can be all too easy for<br />

an organisation to lose track of what is on<br />

their network. Having unknowns on your<br />

network is risky, as it opens up gaps in your<br />

network and ultimately puts the organisation<br />

at risk.<br />

Taking this time to ensure your asset register<br />

is updated, fully populated and that there<br />

are as few items missing as possible should<br />

be a key priority for all organisations. After<br />

all, you can't effectively protect or secure an<br />

asset, if you didn't know it existed in the first<br />

place.<br />

Once you have a clear picture of what exists<br />

on your network, you can then start to<br />

understand where the highest risks are,<br />

patch any outdated software and look to<br />

implement security measures that will<br />

dramatically improve your overall security<br />

posture.<br />


Whatever testing is in place, whether penetration testing, red teaming or another form, it should be done continuously on a regular basis, by external groups as well as internally, utilising breach and attack simulation products. If possible, red team engagements should be run in a purple team situation to ensure that the defence of the organisation is also analysed and reviewed.

Often, recommendations made in reports from penetration tests and red team engagements are considered and mostly implemented. However, those changes need to be tested regularly, as well as maintained through the various changes that naturally occur in the environments in question. If software is displaced, the recommendations made and the policies implemented need to be maintained to ensure that the security posture of the organisation does not degrade.

Tabletop exercises should also be carried out<br />

internally on a regular basis, ensuring all the<br />

departments and employees who should be<br />

involved in responding to, as well as dealing<br />

with, incidents, have the correct knowledge<br />

and experience to do so. They should also be<br />

provided with the opportunity to look for<br />

and report on any weaknesses that are<br />

currently in the processes. Finally, tests should<br />

be run on restoring backups.<br />


Organisations should change their viewpoint<br />

on the hiring of Cyber Security staff. There is<br />

a well-documented and well-known<br />

shortage of qualified Cyber Security staff in<br />

the industry, resulting in organisations<br />

becoming even fussier about who they hire,<br />

in an already lightly resourced industry.<br />

This problem leaves the responsibilities of<br />

that unfilled role, within an organisation,<br />

open and unaffected a lot of the time, which<br />

ultimately reduces the efficacy of the<br />

company's security overall and opens up<br />

gaps to allow vulnerabilities. Instead of<br />

looking for the most experienced candidate<br />

in the field, organisations should be open to<br />

searching for candidates with a passion for<br />

the industry and who have the potential to<br />

become the ideal candidate.<br />


biometrics<br />







Accelerated by the move to hybrid life<br />

brought by the pandemic, almost all<br />

services and products have shifted<br />

online, points out Amir Nooriala, chief<br />

commercial officer, Callsign. "This also<br />

includes the way we are authenticated,<br />

but the problem is that the ways we are<br />

authenticated online are based on analogue<br />

methods and are not fit for purpose. They<br />

are digitised processes that have not been<br />

built for the digital world, as highlighted<br />

by the amount of fraud and scams that<br />

we continue to see in the news agenda.<br />

Because of this, it's clear that digital identity<br />

is broken and verifying genuine users online<br />

isn't working.<br />

"There are solutions the tech industry can<br />

put in place to resolve this issue. The NEC's<br />

secure biometric authentication technology<br />

is a step in the right direction. However,<br />

it's important to highlight that static<br />

biometrics, such as facial recognition, are<br />

only appropriate in some circumstances and<br />

will not fix the digital identity problem."<br />

For example, facial recognition shouldn't<br />

really be used for day-to-day logins, but<br />

rather for step-up checks when nothing else<br />

can be verified, no matter how secure the<br />

underlying tech might seem, he argues.<br />

"Once our facial features are compromised,<br />

there is no going back. We cannot get a<br />

new face and the fraudsters will own that<br />

information. As a standalone method of<br />

verification, it is not good enough, because<br />

it is not privacy preserving and adds friction<br />

to the user journey," adds Nooriala.<br />

STATIC BIOMETRICS<br />

Because of this, organisations must never<br />

rely on static biometrics in the user journey,<br />

he points out. "Instead, businesses should<br />

consider layering contextual data over<br />

authentication, such as behavioural<br />

biometrics, to ensure consumers can access<br />

services quickly, easily, and securely."<br />

Behavioural biometrics considers the<br />

behavioural factors of an individual to<br />

authenticate them. This includes the device<br />

used by the user, how quickly they type,<br />

how they hold and swipe their phone or<br />

the way their mouse moves on a computer,<br />

Nooriala comments. "These contextual<br />

attributes learn and adapt with the<br />

consumer, as the business relationship<br />

progresses. It provides privacy preserving,<br />

frictionless, accessible, and inclusive<br />

methods to authenticate users in robust<br />

and failsafe ways. With all this in mind, it's<br />

easy to see why behavioural biometrics is a<br />

better authentication method than its<br />

physical counterparts to fix digital identity.<br />

It's easy for consumers, businesses and<br />

governments to use, but, importantly, once<br />

consumers understand that behavioural<br />

biometrics doesn't use or store personal data,<br />

we can expect to see more adoption in these<br />

technologies."<br />


Although society has seen drastic improvements in security, thanks to the rise of digital technology, new risks, such as impersonation, have also been introduced. This is why biometric authentication technology has become a critical factor in determining authenticity and protecting privacy, says NEC.

"Border controls, airlines, airports, transport<br />

hubs, stadiums, mega events, concerts,<br />

conferences: biometrics are playing a<br />

growing role not only in the real-time<br />

policing and securing of increasingly crowded<br />

and varied venues worldwide, but also in<br />

ensuring a smooth, enjoyable experience<br />

for those who visit them." Since the 1970s, NEC has been researching and developing biometric authentication technologies, such as fingerprint recognition, palmprint recognition and face recognition. NEC has also established technologies in the fields of iris recognition, voice recognition, as well as its original ear acoustic authentication technologies, and supplemented them with AI and data analytics to enhance situational awareness and facilitate effective real-time or post-event action in both law-enforcement and consumer-oriented spheres. NEC uses these biometric technologies under the 'Bio-IDiom' brand in various applications and in effective combinations to realise a world where, it states, "anyone can utilise digital contents safely and securely".

Amir Nooriala, Callsign: businesses should consider layering contextual data over authentication, such as behavioural biometrics.

Jim Close, Kofax: digital identity's strength lies in the way cognitive capture and artificial intelligence technologies are leveraged.

Explains the company: "Face recognition<br />

can often prove one of the best biometrics,<br />

because images can be taken without<br />

touching or interacting with the individual."<br />

With the ability to process and analyse<br />

multiple camera feeds and thousands of<br />

faces per minute, the company adds that its<br />

face recognition is able to "police the largest<br />

and most difficult security challenges with<br />

efficiency, sensitivity and perception".<br />


Meanwhile, NEC has developed a biometric<br />

authentication technology that allows users<br />

to authenticate themselves with encrypted<br />

face information. This technology reduces the<br />

risk of misuse, it states, if face information is<br />

leaked and contributes to the expansion of<br />

safe and secure biometric authentication<br />

use cases. "With the application of this<br />

technology, all face information handled by<br />

service providers is encrypted. Therefore, even<br />

if encrypted face information is leaked, the<br />

risk of being misused for spoofing is low.<br />

Moreover, since users have a secret key for<br />

decryption, service providers cannot decrypt<br />

face information, enabling users to take<br />

advantage of the face recognition service<br />

with peace of mind."<br />

Face recognition is increasingly being<br />

introduced as a means of identity verification,<br />

but, in the unlikely event that registered face<br />

information is leaked, it may lead to misuse,<br />

such as spoofing. "As a result, greater<br />

attention is being paid to technologies that<br />

perform biometric authentication while<br />

encrypting information, such as face<br />

information," states NEC. One such technology it singles out is 'homomorphic encryption'. This cryptographic technology, which can perform operations such as addition and multiplication on data while it remains encrypted, is known to perform authentication processing while biometric features are encrypted - and without deteriorating the accuracy of certification.

However, homomorphic encryption can<br />

only perform simple operations and processing<br />

speed is greatly reduced when performing<br />

the complex processing required by<br />

biometric authentication. As a result, it has<br />

been limited to '1:1 Identification', which is<br />

used for logging into online services with<br />

relatively light processing. Conversely, the<br />

method has been difficult to apply for '1:N<br />

Identification', such as facility entry control<br />

and transaction settlements, which require<br />

greater processing speed.<br />

In order to overcome this challenge, NEC<br />

developed a secure biometric authentication<br />

technology that can be applied to 1:N<br />

Identification by streamlining the processing<br />

of face recognition using homomorphic<br />

encryption. Conventionally, 1:N Identification<br />

has required authentication processing that<br />

includes complex arithmetic operations that<br />

are difficult for homomorphic encryption.<br />

However, this technology is said to reduce<br />

processing by focusing on promising<br />

candidates through simple operations,<br />

rather than processing all registered users.<br />

"This narrowing down greatly reduces<br />

the number of authentication operations,<br />

including complex operations, so that 1:N<br />

Identification can be performed at high<br />

speed, even with homomorphic encryption,"<br />

reports NEC. "With 1:N Identification for 10,000 registered users, for example, NEC's new technology can narrow down the number of user candidates in about 0.01 seconds. If the system narrows down the number of candidates to about 1% of the total number, it can perform face authentication processing in a speed of about 1 second. In addition, the use of this technology does not impact the accuracy of certification."

Going forward, NEC will further develop<br />

this technology, it confirms, combined with<br />

Bio-IDiom (the company's portfolio of<br />

biometric authentication technologies), "in<br />

order to enhance the safety and security<br />

of personal information, entrance control,<br />

transaction settlements and more".<br />
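The narrowing-down idea described above, as an added illustration that is not NEC's algorithm (the article does not detail it): a toy Paillier scheme, which is additively homomorphic only and uses demo-sized primes, keeps stored templates encrypted, scores every user on a few components, then computes the full distance only for the shortlist. Assumed for this sketch: the matcher sees the fresh probe in the clear, squared Euclidean distance is the score, and all names and sample data are constructed.

```python
import math
import random
import secrets

# Toy Paillier (additively homomorphic). Demo-sized primes: NOT secure.
P, Q = 104729, 1299709
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # private key: lcm(p-1, q-1)
MU = pow(LAM, -1, N)                               # private key (valid for g = n + 1)

DIMS, COARSE = 16, 4  # assumed template length / components used by the filter


def encrypt(m):
    """Enc(m) = (1 + n)^m * r^n mod n^2 with a fresh random r."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + (m % N) * N) * pow(r, N, N2) % N2


def decrypt(c):
    """Only the holder of the secret key (LAM, MU) can do this."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


class Matcher:
    """Stores ciphertexts only and counts its homomorphic exponentiations."""

    def __init__(self):
        self.gallery = {}
        self.ops = 0

    def enrol(self, uid, template):
        # Encryption needs only the public key; done here to keep the demo short.
        self.gallery[uid] = {
            "t": [encrypt(v) for v in template],
            "norm": {d: encrypt(sum(v * v for v in template[:d]))
                     for d in (COARSE, DIMS)},
        }

    def enc_sq_dist(self, uid, probe, dims):
        """Enc(sum over j < dims of (x_j - t_j)^2), computed without decrypting t."""
        rec = self.gallery[uid]
        # Enc(|t|^2) * Enc(|x|^2): multiplying ciphertexts adds the plaintexts.
        c = rec["norm"][dims] * (1 + sum(x * x for x in probe[:dims]) * N) % N2
        for ct, x in zip(rec["t"][:dims], probe):
            # Enc(t_j)^(-2 x_j) = Enc(-2 x_j t_j): the exponent scales the plaintext.
            c = c * pow(ct, (-2 * x) % N, N2) % N2
            self.ops += 1
        return c


def identify(matcher, probe, tau):
    """Two-stage 1:N search. Returns ((distance, uid) or None, shortlist size)."""
    # Stage 1: cheap partial distance for every enrolled user. A partial sum of
    # squares never exceeds the full sum, so a true match (full distance <= tau)
    # always survives this filter.
    shortlist = [u for u in matcher.gallery
                 if decrypt(matcher.enc_sq_dist(u, probe, COARSE)) <= tau]
    # Stage 2: full distance only for the shortlisted candidates.
    scored = [(decrypt(matcher.enc_sq_dist(u, probe, DIMS)), u) for u in shortlist]
    hits = [s for s in scored if s[0] <= tau]
    return (min(hits) if hits else None), len(shortlist)


def build_demo(n_users=200, seed=7):
    """Constructed gallery of random integer 'templates' (not real face data)."""
    rng = random.Random(seed)
    templates = {u: [rng.randrange(256) for _ in range(DIMS)]
                 for u in range(n_users)}
    matcher = Matcher()
    for uid, t in templates.items():
        matcher.enrol(uid, t)
    return matcher, templates


if __name__ == "__main__":
    matcher, templates = build_demo()
    probe = list(templates[42])
    probe[0] += 1  # constructed noisy capture of user 42
    probe[5] -= 1
    hit, shortlisted = identify(matcher, probe, tau=4)
    print("match:", hit, "shortlist:", shortlisted)
    print("exponentiations:", matcher.ops, "vs full scan:", len(templates) * DIMS)
```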


For Rob Watts, CEO, Corsight AI, passwords<br />

are now very much a thing of the past. "Why<br />

do we need them when we all have a face?<br />

We are already seeing the preference for<br />

biometric authentication on our mobiles and<br />

it's predicted that facial recognition hardware<br />

will be present in 90% of smartphones by<br />

2024. The general public does not see a<br />

difference between cyber and physical<br />

security, they simply want to go about their<br />

daily lives in a safe and secure way. So,<br />

why does the technology industry insist on<br />

creating siloes, when biometric is far safer for<br />

the citizen?"<br />

It is predicted that the total addressable<br />

market for facial recognition technology<br />

(FRT) is set to experience 12.4% CAGR from<br />

2021 to 2025, growing by $3.78 billion.<br />

The explosion here is based upon personal<br />

biometrics used on mobile and FRT use at<br />

the edge. "The traditional use of facial<br />

recognition for security and surveillance will<br />

be overwhelmed by personal consumer use,"<br />

he says. "However, as cybercriminals become<br />

increasingly sophisticated with their targets<br />

and tactics, end-users will need to ensure<br />

that the security of the biometric data in their<br />

systems is a top priority, in order to avoid<br />

situations where data is compromised."<br />

For the financial sector, multi-factor<br />

authentication that pairs facial recognition<br />

with passwords and codes is a popular<br />

solution. "Yet the more sophisticated version<br />

of this, gaining traction over the next<br />

few years, is dual analytics - pairing<br />

behavioural biometrics (like gait or mouse<br />

use characteristics) with voice and face<br />

recognition, for instance - to mitigate risks<br />

of spoofing or fraud."<br />

Ultimately, adds Watts, the speed and<br />

accuracy of FRT has come on in leaps and<br />

bounds over recent years "and the future of<br />

biometric authentication lies in its capability<br />

to accurately recognise faces in challenging<br />

environments: with masks on, from high<br />

angles and in low lighting. Getting it right<br />

and having the highest accuracy is where<br />

customers will gain confidence. While<br />

developers are now also ensuring software<br />

is secure by design and secure by default,<br />

transparency from organisations leveraging<br />

biometric data - in how it is captured, stored<br />

and protected - will be key to greater<br />

adoption moving forward. Security and<br />

personal biometrics using FRT is the future<br />

for us all".<br />

States Jim Close, regional vice president of<br />

enterprise at Kofax, the need for a digital<br />

solution to safe, secure authentication of<br />

identity has gained urgency over the last<br />

couple of years. "Cyber security in general is<br />

a major worry for companies and employees<br />

alike, but the pandemic and adoption of<br />

remote work has put the risk of identity theft<br />

in stark relief. As corporations accelerate their<br />

digital transformation initiatives to support<br />

hybrid work, they'll have to rely on emerging<br />

technologies to ensure privacy and security of<br />

employee information."<br />

One option he also endorses is digital<br />

identity. "In fact, widespread adoption of<br />

this chip-based approach is already well<br />

underway. Seventy countries have set up<br />

a national ID scheme and most are using<br />

electronic national ID cards. In addition,<br />

there are more than one billion users of<br />

digital identity apps today, and that number<br />

is expected to jump to more than 6.2 billion<br />

by 2025, according to a recent study.<br />

"While some may be wary about digital<br />

identity, modern technology has made this<br />

option very secure," he insists. "A key reason<br />

is the digital identity trust framework<br />

requires all providers to use encryption and<br />

set up a security governance framework. As<br />

a result, digital identity presents a significant<br />

obstacle to fraud. Its strength lies in the way<br />

cognitive capture and artificial intelligence<br />

technologies are leveraged. A combination<br />

of multiple data sources, various digital<br />

and biometric attributes, behavioural user<br />

data and more work together with these<br />

advanced technologies to validate and<br />

authenticate a user's identity in seconds,<br />

while also identifying anomalies that may<br />

indicate the possibility of fraud."<br />

Another advantage he singles out is that<br />

digital identity allows users more control<br />

over their data. "For instance, if a consumer<br />

is using the digital wallet to purchase<br />

tobacco or alcohol, they can choose to<br />

only share that portion of information in<br />

their identity wallet. When the amount of<br />

personal data that needs to be exchanged<br />

is minimised during transactions, it reduces<br />

the reliance on third parties and enhances<br />

security by removing a player from the<br />

equation. Perhaps even more crucially, when<br />

individuals are the arbiters of the attributes<br />

used to create their identity, they gain<br />

a higher level of trust and confidence in the<br />

technology.<br />

"There are numerous use cases for digital<br />

identities, from account creation and website<br />

logins to age verification and know-your-customer<br />

certification. Most importantly, this<br />

many-layered approach offers organisations<br />

an effective and robust way of keeping<br />

company, and individual data and<br />

information, safe and secure," he concludes.<br />


backup<br />




Darren Stevens, IT manager, Furness<br />

College: Arcserve dashboards show at<br />

a glance that we're consistently meeting<br />

our recovery time objectives.<br />

More than 4,000 students are<br />

progressing their education at<br />

Furness College to improve their<br />

future job prospects, via a range of full-time,<br />

part-time and distance learning<br />

courses. The college needs to protect<br />

student and staff work against<br />

ransomware attacks, hardware failure<br />

and accidental deletion to safeguard<br />

student grades and the college's<br />

reputation. Arcserve appliances enabled<br />

the college to make a 50% cost saving<br />

on backup. With in-built ransomware<br />

protection, the solution enables rapid<br />

recovery of individual files and emails.<br />


A team of around 350 faculty and staff<br />

support the college's students.<br />

Safeguarding staff and student files<br />

against ransomware attacks, hardware<br />

issues and accidental deletion or<br />

corruption is essential to protecting<br />

student grades.<br />

"We can't expect all our students and<br />

staff to be IT-savvy, so it's our<br />

responsibility to make sure that their<br />

work is safeguarded against the risk<br />

of data loss," says Darren Stevens, IT<br />

manager at Furness College. "If work<br />

is lost, it could impact the college's<br />

reputation, as well as students' grades<br />

and potentially their choice of career<br />

going forwards. We weren't completely<br />

happy with the functionality and<br />

performance of our existing solution.<br />

The backup window was stretching into<br />

the morning, it was time-consuming<br />

to find and restore individual files and<br />

emails, and, with all backups held in the<br />

cloud, it took too long to recover data."<br />


Furness College rolled out two Arcserve<br />

appliances in May 2021. The team<br />

selected Arcserve appliances, due<br />

to their inbuilt protection against<br />

ransomware with Sophos Intercept X,<br />

and a cost reduction of 50% compared<br />

to the college's previous backup solution,<br />

it states.<br />

"There was a spike in ransomware<br />

attacks on colleges and universities<br />

during lockdown," states Daniel Walker,<br />

network infrastructure lead at Furness<br />

College. "We had briefings about<br />

the increased risk from JISC (Joint<br />

Information Systems Committee) -<br />

which provides our academic network -<br />

so we were keen to add an extra layer of<br />

protection with the Arcserve solution."<br />

Furness College has an Arcserve<br />

appliance at its two campuses, each<br />

backing up a different subset of servers,<br />

with a total of 32 servers and nearly<br />

600TB of recoverable data protected.<br />

Using the Arcserve appliance's<br />

snapshots, the college can recover files<br />

or even a complete server in minutes.<br />

"We use the solution on a regular basis<br />

for recovering individual student and<br />

staff files, and emails that have been<br />

accidentally deleted or overwritten,<br />

without having to roll back the entire<br />

server," he adds.<br />

The appliance's automated testing<br />

feature, Arcserve Assured Recovery,<br />

provides complete confidence that,<br />

in the event of an incident, data can<br />

be restored completely and without<br />

impacting its integrity.<br />


With the Arcserve appliances, Furness<br />

College's IT team can restore services,<br />

lost or deleted files and emails four times<br />

faster, which safeguards staff work and<br />

student grades. "Arcserve dashboards<br />

show at a glance that we're consistently<br />

meeting our recovery time objectives<br />

(RTO)," says Stevens. "The solution is very<br />

easy to manage and run on a day-to-day<br />

basis, which means the IT team is free<br />

to focus on supporting users. With the<br />

Arcserve appliances, we've reduced costs<br />

and mitigated the risk of a ransomware<br />

attack. We can protect business<br />

continuity and the college's reputation."<br />


ransomware<br />




Like many of the misfortunes that<br />

plague businesses, ransomware is<br />

something that always seems to be<br />

happening to others - until it happens to<br />

you. It is then that its impact is properly<br />

understood and felt, as the nightmare you<br />

don't seem to be able to wake up from.<br />

According to the head of the National<br />

Cyber Security Centre (NCSC), ransomware<br />

attacks present "the most immediate<br />

danger" to the UK, with cyber-attacks<br />

linked to the Covid-19 pandemic also likely<br />

to be prevalent for many years to come.<br />

Lindy Cameron warned that cybercriminals<br />

and other malicious actors continue to see<br />

ransomware as an "attractive route", as<br />

long as firms do not adequately protect<br />

themselves or agree to pay the ransom<br />

when attacked - something the NCSC has<br />

consistently exhorted companies not to do.<br />


Chris Harris, Europe, the Middle East and<br />

Africa (EMEA) technical director at Thales<br />

UK, says Cameron's comments should serve<br />

as a stern warning to all companies around<br />

the world. "As we have seen by the<br />

increase in attacks this year and diversity<br />

of victims - from SolarWinds to Ireland's<br />

Health Service, Hackney Council and the<br />

Colonial pipeline - no one is immune to<br />

a hacking attack and the impacts can be<br />

devastating.<br />

"One of the biggest misconceptions around<br />

ransomware is that hackers are only after a<br />

quick pay day and the only real damage done<br />

is to a company's reputation. The reality is<br />

hackers have the ability not just to take files,<br />

but also impact the running of an entire<br />

organisation - from taking down payroll to<br />

compromising critical national infrastructure,<br />

which can have a detrimental effect on the<br />

public. In the worst cases, ransomware can<br />

present a real physical threat to individuals'<br />

lives - for example, when hospitals are<br />

attacked and patients put at risk," he adds.<br />

All businesses must wake up to the wide-ranging<br />

risk of ransomware attacks, he adds,<br />

and enact the right security and backup<br />

controls to ensure their entire company and<br />

its customers don't become victims of a<br />

potential attack. "This means understanding<br />

where data is held and protecting it at its<br />

core with encryption measures that only<br />

those authorised can access."<br />


Research from managed security services<br />

provider Orange Cyberdefense reveals there<br />

has been a 13% increase in cyberattacks on<br />

enterprises over the past 12 months, with a<br />

rise in ransomware incidents and, for the first<br />

time, a noticeable wave of attacks against<br />

mobile devices. The 'Security Navigator 2022'<br />

provides a detailed analysis of more than 50<br />

billion security events analysed daily over 12<br />

months by the company's 18 Security<br />

Operation Centers (SOCs) and 14 CyberSOCs<br />

across the globe.<br />

Monitoring showed that, of the 94,806<br />

incidents flagged during monitoring as being<br />

potential threats, analyst investigation<br />

confirmed 34,156 (36%) to be legitimate<br />

security incidents - a 13% increase on the<br />

year before. More than a third (38%) of all<br />

confirmed security incidents were classified as<br />

malware, including ransomware - an increase<br />

of 18% on 2020.<br />

The report found that almost two thirds<br />

(64%) of the security alerts dealt with by<br />

Orange Cyberdefense analysts turned out to<br />

be 'noise' and did not represent a genuine<br />

threat - an increase of 5% on the previous<br />

year. The findings suggest that many<br />

organisations, particularly small and medium<br />

sized businesses, will require more resources<br />

to filter this massive amount of data for<br />

potential threats. The risk is that these<br />

businesses will become increasingly<br />

vulnerable to attack as the level and volume<br />

of activity continues to rise.<br />


The Security Navigator also reports that<br />

mobile operating systems like iOS and<br />

Android in a business context are an<br />

increasingly popular target for exploits.<br />

Many of the activities appear to be related to<br />


commercial companies contracted by law<br />

enforcement and intelligence agencies.<br />

However, the vulnerabilities and exploits<br />

developed will likely not stay in that realm,<br />

but have in the past and will likely in the<br />

future find their way into the criminal<br />

ecosystem as well (such as the WannaCry<br />

attack of 2017).<br />

Orange Cyberdefense predicts attacks<br />

targeting mobile devices are likely to<br />

continue on this upward trajectory. "This is a<br />

development that security professionals will<br />

need to pay closer attention to. Mobile<br />

platforms are key in modern access<br />

protection concepts, namely multi-factor<br />

authentication (MFA), which is commonly<br />

used in corporate environments to protect<br />

cloud access, for instance," it states.<br />

Another key finding of the new Security<br />

Navigator is that malware, including<br />

ransomware, was the most common type<br />

of threat reported across the analysis period,<br />

with 38% of all confirmed security incidents<br />

classified as malware - an increase of 18%<br />

on 2020. Among the key malware trends<br />

were:<br />

• A decrease in confirmed downloader<br />

activity (malware that downloads and<br />

runs other malware on affected systems)<br />

in November and December 2020 after<br />

the Trickbot botnet was taken down by<br />

law enforcement, and in January and<br />

February 2021, directly after Emotet was<br />

taken down<br />

• An inverse correlation between the<br />

stringency of Covid-19 lockdowns<br />

and the volumes of downloader and<br />

ransomware activity: the more stringent<br />

the lockdowns, the less of this activity,<br />

running contrary to the prevailing<br />

narrative that attacks increase when<br />

users work from home<br />

• Large organisations see more<br />

than double (43%) the amount of<br />

confirmed malware incidents than<br />

medium-sized businesses.<br />

"Attacks like Solorigate show that even<br />

trusted software from reliable vendors can<br />

turn into a trojan horse for cunning<br />

attackers," says Hugues Foulon, CEO of<br />

Orange Cyberdefense. "Technology alone<br />

cannot be the solution to this problem and,<br />

as our data shows, we have seen a 13%<br />

increase in the number of incidents in just<br />

one year and these incidents keep increasing<br />

year on year. A large proportion of the<br />

tech-driven security alerts that our analysts<br />

deal with are just noise, but this puts a<br />

tremendous strain on already stretched IT<br />

and security teams.<br />

"Indeed, not all businesses have the means<br />

or resources to employ managed security<br />

services providers to help them sift through<br />

the 'noise' and find the actionable security<br />

'signals'. We thus believe that security<br />

technologies can, and must, do better."<br />


The EY Global Information Security Survey<br />

2021 (GISS) illustrates the devastating and<br />

disproportionate impact that the COVID-19<br />

crisis has had on a function that is striving to<br />

position itself as an enabler of growth and<br />

a strategic partner to the business.<br />

Through a global survey of more than<br />

1,000 senior cybersecurity leaders, it finds<br />

CISOs and security leaders grappling with<br />

inadequate budgets, struggling with<br />

regulatory fragmentation and failing to find<br />

common ground with the functions that<br />

need them the most. "Indeed, the upheaval<br />

of the global pandemic has created a perfect<br />

storm of conditions in which threat agents<br />

can act," says EY. "Since the 2020 GISS<br />

report, there has been a significant rise in<br />

the number of disruptive and sophisticated<br />

attacks, many of which could have been<br />

avoided had companies embedded security<br />

by design throughout the business."<br />

Chris Harris, Thales: no one is immune to<br />

a hacking attack and the impacts can be<br />

devastating.<br />

Amongst the challenges that besiege<br />

them is, not surprisingly, ransomware. As<br />

organisations rolled out new customer-facing<br />

technology and cloud-based tools<br />

that supported remote working and kept<br />

the channel to market open, the speed of<br />

change came with a heavy price. "Many<br />

businesses did not involve cybersecurity<br />

in the decision-making process, whether<br />

through oversight or an urgency to move<br />

as quickly as possible. As a result, new<br />

vulnerabilities entered an already fast-moving<br />

environment and continue to threaten the<br />

business today."<br />


At the time of writing, CISOs and their teams<br />

may not yet have completed a full<br />

assessment of the long-term impact that<br />

their company's new technology will have on<br />

its defences, states EY. But, in the meantime,<br />

it's likely that their colleagues are continuing<br />

to use the technology regardless.<br />

"The urgency of the crisis meant that<br />

security was overlooked, even while<br />

organisations were opening up systems<br />

that had never been open before," reflects<br />

Richard Watson, EY Asia-Pacific cybersecurity<br />

risk consulting leader. "Not all organisations<br />

acknowledge they now need to go back and<br />

address those issues."<br />


Errol Gardner, EY: it falls on CISOs to ensure<br />

that CEOs have the right understanding of<br />

the value that investing in cybersecurity<br />

brings.<br />

Hugues Foulon, Orange Cyberdefense:<br />

Attacks like Solorigate show that even<br />

trusted software from reliable vendors<br />

can turn into a trojan horse for cunning<br />

attackers.<br />


The risks of moving on without addressing<br />

the issues are, however, very real and<br />

increasingly urgent. More than three in<br />

four (77%) respondents to this year's GISS<br />

warn that they have seen an increase in<br />

the number of disruptive attacks, such as<br />

ransomware, over the last 12 months. By<br />

contrast, just 59% saw an increase in the<br />

prior 12 months.<br />

"Yet CISOs are struggling to make<br />

themselves heard," points out EY. "Most<br />

respondents (56%) admit that cybersecurity<br />

teams are not consulted, or are consulted<br />

too late, when leadership makes urgent<br />

strategic decisions. While some maintain<br />

that this happens 'not very often', it only<br />

needs to happen once for a flaw in the<br />

defences to be exploited by threat actors."<br />

An additional concern, at least in the US,<br />

says the report, is that the Department of<br />

Justice has raised ransomware attacks to<br />

the same priority level as terrorism and is<br />

coordinating investigations through a task<br />

force in Washington. Might the UK follow<br />

that lead?<br />


"CISOs are central to an organisation's efforts<br />

to transform and deliver long-term value,"<br />

says Errol Gardner, EY global vice chair-consulting.<br />

Discussing how CISOs should<br />

position themselves as enablers of<br />

transformation, Gardner adds: "While CEOs<br />

are on a path to realise their vision and<br />

successfully transform their businesses<br />

through technology, they can't afford to<br />

turn a blind eye to the cyber risks this poses.<br />

"At the same time, it falls on CISOs to<br />

ensure that CEOs have the right understanding<br />

of the value that investing in<br />

cybersecurity brings and that they recognise<br />

that as an integral part of the transformation<br />

journey. Investing in building a strategic<br />

relationship between CISOs, CEOs and the<br />

rest of the C-suite will help ensure that<br />

transformation programs are not only<br />

successful, but also implemented in a cyber-secure<br />

way for the organisation and its<br />

people."<br />


BY 70% EVERY MONTH<br />

Meanwhile, as reported by Channel Eye,<br />

cybersecurity and GDPR compliance platform<br />

Naq Cyber has warned that ransomware<br />

attacks are increasing by 70% every month.<br />

Millions of businesses have moved their<br />

proposition online and shifted to remote<br />

working since the pandemic started, but<br />

many still have little or no online protection<br />

in place and are therefore still vulnerable to<br />

these attacks, the report finds.<br />

The data also showed that one in six small<br />

businesses in the UK that had been impacted<br />

business in the UK that had been impacted<br />

by a cyber-attack almost had to shut their<br />

doors, due to the severity and impact on<br />

their business.<br />

"Ransomware continues to work<br />

tremendously well and shows no sign of<br />

slowing down, due to the ease and speed<br />

with which companies choose to pay," states<br />

Jake Moore, cybersecurity specialist at ESET.<br />

"The figures attributed to ransoms are often<br />

chosen by the attackers, in relation to the<br />

wealth of the business. The problem isn't<br />

always how much a company pays; it is if<br />

they pay anything at all.<br />

"When an organisation chooses to pay a<br />

ransom, they are admitting defeat and<br />

funding the ransomware business cycle,<br />

which continues the problem."<br />

So, where does the solution to the problem<br />

lie? In better protection and quicker<br />

restoration, along with regular tests, he<br />

argues. "It is often not that a business<br />

cannot restore at all, but that it cannot<br />

restore 'back to business as usual' quickly<br />

enough. This just adds fuel to the fire and<br />

continues ransomware on its staggeringly<br />

problematic journey ahead."<br />


skills crisis<br />



Cyber is revolutionising the way that we<br />

live our lives and indeed our whole<br />

approach to national security. It is for<br />

this reason that the UK government recently<br />

launched the National Cyber Strategy, with<br />

the stated goal of "strengthening the UK<br />

cyber ecosystem, investing in our people<br />

and skills, and deepening the partnership<br />

between government, academia and<br />

industry".<br />

An essential part in achieving this overall<br />

objective is the pledge to invest in people<br />

and skills. It's something that resonates<br />

deeply with David Ferbrache, chief<br />

technology officer in KPMG's cyber security<br />

practice, who welcomes, as part of this<br />

process, the Government's 'Cyber Runway'<br />

scheme - in particular, its focus on boosting<br />

the number of skilled workers from diverse<br />

backgrounds in the cyber security sector.<br />

"The lack of cyber talent has become a<br />

critical issue as threat actors have ramped<br />

up their efforts to hack British businesses -<br />

a situation that is only going to worsen. A<br />

more diverse and inclusive team equates to<br />

a more innovative team - one that is better<br />

equipped to stand up against threat actors<br />

attacking organisations across the country."<br />

Recent research from KPMG and the NCSC<br />

found that just one in 20 workers in the<br />

cyber security industry is aged 18-24, he<br />

adds. "Increasing this should be a priority<br />

for the future, not least in recognition of the<br />

cyber industry's persistent skills shortage.<br />

While the announcement will help this<br />

endeavour, as cyber criminals have taken<br />

hold during the pandemic the question is<br />

whether this is too little too late?" The<br />

research also showed that just 3% of the<br />

cyber workforce entered via a school leaver<br />

or apprenticeship scheme and 12% via a<br />

graduate scheme. Raising these levels - in<br />

particular of school leavers and apprentices -<br />

could have a positive impact on the diversity<br />

of the sector and, in turn, boost the cyber<br />

resilience of the entire country," he states.<br />

Ferbrache also points to how the National<br />

Cyber Strategy recognises the importance of<br />

securing the broader tech ecosystem - and<br />

the vital role which the private sector must<br />

play in ensuring the UK's future cyber<br />

security. "The establishment of the National<br />

Cyber Advisory Board is a necessary step<br />

forward in bringing senior leaders together<br />

across all sectors as we move towards<br />

professionalising cyber security through the<br />

UK Cyber Security Council, as well as driving<br />

improvements in the standards of security<br />

across the service and product providers at<br />

the heart of our digital economy."<br />


The research that he refers to - 'Decrypting<br />

Diversity: Diversity and Inclusion in Cyber<br />

Security' - also raises many points of concern<br />

around failures to embrace diversity root<br />

and branch, something that Lindy Cameron,<br />

CEO of the NCSC, addresses in that report<br />

itself. "At the National Cyber Security Centre,<br />

we say that cyber security is a 'team sport'.<br />

We all have a part to play in making the<br />

profession a thriving eco-system of diverse<br />

minds, that fully reflects our country and<br />

society, and a workforce in which everyone<br />

feels valued, included and equal. That's why<br />

the research that the NCSC has conducted<br />

with KPMG is so important, giving us an<br />

insight into who makes up the cyber<br />

security profession and their experiences<br />

being part of it."<br />

Lindy Cameron, NCSC: we all have a part to<br />

play in making the profession a thriving<br />

eco-system of diverse minds.<br />

Simon Hepburn, UK Cyber Security Council:<br />

"Getting more people to consider entering<br />

the cyber security industry is crucial."<br />

The survey shows a mixed picture, she<br />

confirms in her introductory remarks. "There<br />

are some areas to be proud of: in terms<br />

of who we are, more than a quarter of<br />

respondents identify as having a disability.<br />

But we are still evidently a very male<br />

profession, with disproportionately male<br />

senior leadership. At the NCSC, we are<br />

committed to bringing more women into<br />

the profession, for example with our<br />

CyberFirst Girls Competition.<br />


"But there's clearly more to do. We are a<br />

growing profession - so this isn't a structural<br />

problem we have to live with. If we face this<br />

head on, we can ensure we are a profession<br />

that fully reflects our nation's rich diversity<br />

and full range of talent. We will need to,<br />

both to get the skills we need today and<br />

make the most of them, and to avoid a skills<br />

gap tomorrow."<br />

More worryingly, though, Cameron adds,<br />

one in five cyber security professionals still<br />

feel as if they cannot be themselves at<br />

work, with the figure rising for disabled<br />

and neurodivergent colleagues. "None of us<br />

should be comfortable with that and each<br />

of us has a leadership role to play. The<br />

creation of the UK Cyber Security Council is<br />

a really positive step to achieving this goal.<br />

"It will take a leading role in pushing<br />

diversity and inclusion to the top of the<br />

industry's agenda. Driving change within<br />

the profession is a collective effort. As cyber<br />

security leaders, we must also play our role<br />

in delivering positive change. We must work<br />

together to continue to challenge the status<br />

quo, and," she points out, "reflect on our<br />

behaviours, practices and assumptions in<br />

the workplace."<br />

According to Alexandra Willsher, senior<br />

sales engineer at Forcepoint: "Differences in<br />

gender, health, location, age, race, sexuality<br />

and social economic factors directly impact<br />

how people engage with technology - and<br />

therefore directly influence critical risk<br />

factors. A company's products can't truly<br />

work for all, unless that same audience has<br />

been involved in its creation.<br />

"If product development is always done<br />

by the same small pool of individuals, with<br />

similar experiences and ways of living in the<br />

world, they will reflect their biases. Products<br />

created by those working in information<br />

technology are used the world over, and we<br />

need full representation of people from all<br />

characteristics and backgrounds during the<br />

development process to make sure that<br />

what's being created is appropriate for all."<br />

Initiatives like the Cyber Runway are<br />

exactly what is needed to start to redress<br />

the balance and reliance on a handful of<br />

areas of the country and groups within<br />

society when it comes to investment and<br />

innovation, she adds. "We already have as<br />

many as 10% of all current UK job vacancies<br />

being within the technology industry,<br />

according to Tech Nation. Filling those<br />

vacancies will mean looking beyond the<br />

usual places. The combination of our digital<br />

economy, and the changes brought on by<br />

the pandemic, has highlighted how physical<br />

location might not be as critical to accessing<br />

opportunities as it once was.<br />

"Cyber hubs like Cheltenham, where there<br />

are close links to large cyber organisations<br />

like GCHQ, will remain important - but<br />

bringing down the barriers for other<br />

innovation and entrepreneurs to get started<br />

means making sure that physical location<br />

isn't a barrier to getting funding and<br />

support." Willsher is pleased to see that the<br />

Cyber Runway aims to provide this. "The<br />

'levelling up' agenda is all about bringing<br />

the economic and business opportunities to<br />

the country as a whole, not just London, the<br />

Southeast or major cities. Often for those<br />

new to the sector, the first barrier is seeking<br />

funding and knowing where to start with<br />

getting an idea off the ground, so the Cyber<br />

Runway's role as an incubator is much<br />

needed.<br />

"What comes next is putting processes in<br />

place to make sure this talent is nurtured<br />

and stays within the sector, as opposed to<br />

moving elsewhere. Existing cybersecurity<br />

companies would do well to take note of<br />

these innovators and the new ways of<br />

thinking and looking at issues that greater<br />

diversity can bring."<br />


Meanwhile, as a further step towards<br />

greater focus on skills, cyber security and<br />

enhancing and developing careers, the UK<br />

Cyber Security Council and the Security<br />

Awareness Special Interest Group (SASIG)<br />

have formed a new partnership.<br />

The council and SASIG will work together<br />

on key webinars and events designed to<br />

improve trust in the online environment<br />

and to harbour that trust to which they<br />

are committed when it comes to education<br />

and knowledge-sharing throughout the<br />

community. One of the forthcoming events<br />

on which the council will partner with<br />

SASIG is its third Cybersecurity Skills Festival,<br />

which takes place virtually on Tuesday, 22<br />

February.<br />

SASIG's Cybersecurity Skills Festival is a<br />

biannual series where skills in cyber are<br />

discussed and those looking for work are<br />

connected directly with those looking to<br />

hire. The conference agenda is packed<br />

with helpful content and the jobs fair will<br />

be "on a scale never seen in our industry,<br />

with backing from public and private sector<br />

alike", it is stated.<br />

The key benefits that are highlighted by<br />

the organisers are as follows:<br />

• Showcase your organisation and job openings to hundreds of potential new team members<br />

• Have your job openings recommended to the right candidates<br />

• Candidates apply directly to you, so no agency fees<br />

• Customise your stall with key information, documents, job openings and videos<br />

• Review applications within our platform and set up video interviews the same day<br />

• Your stall will stay open for 30 days after the event<br />

• Stalls are saved and can be imported for future events.<br />

For those looking to re-skill into a new<br />

career sector, cyber security is an attractive<br />

option. With a new reliance on technology<br />

in all aspects of life, this means that a huge<br />

number of new technology-focused jobs are<br />

constantly emerging. Cyber security is a<br />

growing market and it is estimated that the<br />

cyber industry will need an additional 3.5<br />

million qualified professionals by next year.<br />

With skills, education and training in cyber<br />

security being firmly on the agenda for the<br />

work that the UK Cyber Security Council is<br />

doing, partnering with SASIG in this key<br />

area to help individuals transition into a<br />

career in cyber security was a natural choice,<br />

it states.<br />

Speaking of the partnership, Simon<br />

Hepburn, CEO of the UK Cyber Security<br />

Council, comments: "Getting more people<br />

to consider entering the cyber security<br />

industry is crucial and we look forward to<br />

working with SASIG on this.<br />

"We will be launching a programme of<br />

joint activities in the coming months, such<br />

as webinars and events, and with skills,<br />

training and education in cyber security<br />

very high on the agenda for the UK Cyber<br />

Security Council, this was a very natural<br />

partnership that aligns with the core values<br />

of the UK Cyber Security Council perfectly."<br />

According to Martin Smith MBE, chairman<br />

and founder of SASIG, the vital task of<br />

bridging the cybersecurity skills gap is, in<br />

SASIG's view, the single most important<br />

strategic challenge the profession faces.<br />

"Our Skills Festivals have already established<br />

themselves as a successful way of bringing<br />

together those looking for new talent and<br />

those wanting to enter our dynamic and<br />

exciting profession, but there is much more<br />

to be done. This new partnership between<br />

SASIG and the UK Cyber Security Council<br />

will be central to these efforts."<br />


David Howorth, VP of EMEA Sales at<br />

Rapid7, says it is both a huge challenge and<br />

a necessity for the UK to create a large and<br />

diverse skill base to support the burgeoning<br />

cybersecurity sector. "In common with<br />

most developed economies, the shortage of<br />

cybersecurity expertise remains a pressing<br />

issue for governments and enterprises<br />

alike. Whilst the last ten years has seen<br />

a large expansion of UK academia offering<br />

cybersecurity courses, there remains a skills<br />

imbalance across the country as many<br />

graduates of these programs end up<br />

working in the south-east attracted by<br />

the breadth of opportunities available and<br />

the higher salaries.<br />

"Through the creation of the Cyber Runway<br />

scheme, the UK government is right to<br />

target the regional level to support the<br />

levelling up of this key industry, in order<br />

to accelerate the development of higher<br />

skilled jobs across diverse regions and<br />

communities," he states.<br />

"Also, with less access to venture capital as<br />

compared to other countries, such as the<br />

US, it is important that the government is<br />

able to target support to small innovative<br />

companies looking to develop and take to<br />

market innovative cyber security solutions,<br />

that may one day enable them to become<br />

the next UK tech unicorn." What benefits<br />

might it deliver? What other, similar,<br />

schemes should the government be looking<br />

at to improve the skills levels needed to<br />

fight against an ever more sophisticated<br />

cybercrime future? "There are many<br />

potential benefits to the UK economy of<br />

growing and diversifying the cyber security<br />

talent pool," responds Howorth. "By creating<br />

high paid skilled jobs across all regions, the<br />

UK will be better positioned to develop<br />

vibrant hubs of innovative cyber security<br />

companies that are able to closely<br />

collaborate with regional academia.<br />

"This, in turn, will also attract inward<br />

investment from global organisations<br />

looking for opportunities to scale out their<br />

cyber security expertise. Northern Ireland<br />

offers many examples of successful cyber<br />

security companies, such as Rapid7, which<br />

has established large development hubs to<br />

develop and foster talent."<br />

While these initiatives do make a<br />

difference, there is still a long way to go,<br />

he concedes. "We must also create the<br />

foundations where many more children<br />

from diverse backgrounds have the<br />

opportunities to focus their senior years'<br />

studies in the area of STEM."<br />


Sarah-Jane McQueen, general manager of<br />

CoursesOnline, sees training courses as a<br />

valuable way for organisations to mitigate<br />

risks around skill shortages and keep their<br />

workforce up to date when it comes to<br />

their IT knowledge. "The report reveals a<br />

dangerous situation for companies from all<br />

sectors. Everyone, from small companies to<br />

huge corporations, relies on IT professionals<br />

to work behind the scenes to maintain<br />

essential parts of their day-to-day business<br />

operations," she says.<br />

The key to preventing skills gaps affecting<br />

business may be more obvious than most<br />

companies realise. Instead of putting in<br />

time and resources searching for suitable<br />

employees in a shrinking job pool, looking<br />

at upskilling opportunities with current<br />

staff could be a better long-term solution.<br />

"By upskilling your workforce through<br />

both short courses and in-depth IT training<br />

programmes, you can stay in control and<br />

avoid the chance of coming to a standstill,<br />

if the current skill shortage persists or gets<br />

worse," she notes.<br />

"Searching for new employees with years<br />

of experience and training could become<br />

more difficult, so growing your IT workforce<br />

with eager and talented employees and<br />

then setting them up with advanced<br />

digital skills training could be the best way<br />

forward. Promoting staff from within can<br />

be an excellent way to build strong<br />

relationships with your current employees<br />

while also offering you protection from the<br />

unpredictable changes to the wider digital<br />

labour market," adds McQueen.<br />


"Today's Government Cyber Security Strategy<br />

sets out a truly world-leading approach<br />

to strengthening cyber and operational<br />

resilience across critical government<br />

functions," is the view of Ollie Whitehouse,<br />

Global CTO at NCC Group.<br />

"This type of comprehensive, measurable<br />

approach sets a strong example for the<br />

private sector and other governments<br />

globally. It will no doubt act as a catalyst for<br />

change - organisations that want to partner<br />

with the government will have to up their<br />

game to meet increasing standards.<br />

"A whole-of-society approach will be<br />

essential to delivering the government's<br />

aims, which I'm pleased to see strongly<br />

reflected in the Strategy. NCC Group is<br />

incredibly proud to have played our part<br />

over the years, providing technical input<br />

into the development of new policies such<br />

as this one and as a delivery partner to<br />

government. We stand ready to support<br />

the public sector as it embarks on delivering<br />

this new framework," he concludes.<br />
