CS Jul-Aug 2023

Computing
Security
Secure systems, secure data, secure people, secure business
TIMEBOMB THREAT TO BRANDS
Fears blow up over privacy rights
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
‘STOREY TIME’
Managed services:
how they work and
what they deliver
Cyber excellence goes on show
Talking the talk at
Infosecurity Europe 2023
- all the latest trends and
ideas
Ransomware hell
493 million attacks in one
year - can anyone escape
the jaws of ransomware?
Computing Security July/August 2023

comment
UPSKILLING DRIVE LURES THOUSANDS
According to the UK government, more than 3,600 people are looking to embark
on a new career in cyber this year through applications to its 'Upskill in Cyber'
programme. Aimed at people from a non-cyber background and delivered in
partnership with the SANS Institute, the scheme is the latest in a series of ambitious
programmes delivered through the government's £2.6 billion National Cyber Strategy.
Michael Smith, CTO at Vercara (former security advisor for 2014 World Cup) welcomes
the announcement: "Cyber skills are in huge demand across the economy. New industry
and government-led initiatives such as this one can attract more people to the cybersecurity
field, but a long-term solution to the skills gap requires a more holistic
approach, led by cybersecurity leaders, that prioritises developing talent from within"
It's more than a recruitment plan, he points out: it's a practical long-term cybersecurity
strategy. "This is necessary, because, when we hire staff in this industry, we expect them
to have such a wide range of skills that no one person will have the exact combination
that is in the job description. When we do find somebody with all of those skills, they
are usually outside of commuting distance and they're incredibly expensive."
Smith believes this longer-term approach to nurturing talent from within can make
knowledge-sharing and upskilling an integral part of a company's culture, delivering
significant long-term skills benefits for new and existing practitioners within an
organisation, as well as addressing the UK's wider talent gap. "After all, it will be
a collective effort; every organisation has a part to play."
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
Daniella St Mart
(daniella.stmart@btc.co.uk)
+ 44 (0)1689 616 000
Stuart Leigh
(stuart.leigh@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2023 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk July/August 2023 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security July/August 2023
inside this issue
CONTENTS
Computing
Security
TIMEBOMB THREAT TO BRANDS
Fears blow up over privacy rights
Cyber excellence goes on show
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
‘STOREY TIME’
Managed services:
how they work and
what they deliver
Talking the talk at
Infosecurity Europe 2023
- all the latest trends and
ideas
Ransomware hell
COMMENT 3
Upskilling drive lures thousands
493 million attacks in one
year - can anyone escape
the jaws of ransomware?
NEWS 6
Backup Bible's sustainable strategies
IBM expands QRadar brand
Data protection update response
Stepping up cyber resilience
ARTICLES
‘PAM BEFORE IAM’? 8
PAM and IAM are both crucial areas of
protection - though PAM should always
come first, says one advocate
CELEBRATION OF EXCELLENCE 14
Infosecurity Europe 2023 enabled industry
leaders, professionals and aspiring cybersecurity
enthusiasts to come together
under one roof to exchange knowledge
and explore solutions designed to combat
the vast array of ever-evolving threats
RUSSIA'S CYBER RAMPAGE 10
Businesses warned to brace for impact
from barrage of attacks
BELATED HAPPY BIRTHDAY, GDPR! 24
WHY BEING AGILE MATTERS 11
How do you measure the success of
Steve Usher, Brookcourt Solutions, offers
something as complex and far-reaching as
his insights on staying ahead of the game
the General Data Protection Regulation?
when it comes to ransomware
Brought into existence some five years ago to
replace the 1995 Data Protection Directive
TIMEBOMB TARGETING BRANDS 12
used across various European countries, it
Many companies are said to be ‘breaching
has its supporters and detractors
consumers online privacy rights’
FORCES TO BE RECKONED WITH 16
MDR, EDR and NDR - what exactly is the
power behind these acronyms?
AI - APPROPRIATE INTERRUPTION? 28
BURNOUT! 18
Should AI be stopped in its tracks, as many
Stress and breakdown are ‘reaching
influential observers are demanding, on
epidemic levels amongst cyber security
the grounds that it could run out of
professionals’, it is stated
control - or is that simply a knee-jerk
reaction to a technology that will change
IAM AIMS HIGH 20
our lives for ever, to the benefit of all
National roadmap for identity and access
management - IAM - singles out key goals
MAKING OF A MANAGED SERVICE 22
Mike Richmond, Brookcourt Solutions,
RANSOMWARE RAMPAGE 32
discusses how managed services work
Ransomware attacks are continuing their
and bring benefits to a business
rampage. In May 2023 alone, two cities,
SECURITY BY DESIGN 31
many healthcare organisations, an airline,
Cybersecurity measures being imposed in
educational institutions and tech giants
the US will hit software companies hard.
were all victims, according to the Cyber
What might this mean for the UK?
Management Alliance. "Almost nobody
seems to have been spared," it warns
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk
4

Your Sensitive Data is stored in
all areas of your digital estate.
Find out how easy it could be
to manage everything under
the surface
Less Time. Less Resources. Less Costs.
www.geolang.com

news
Gary Barlet, Illumio.
IBM EXPANDS QRADAR BRAND
IBM has unveiled its new security suite
IBM cyber range.
designed to unify and accelerate the
security analyst experience across the
full incident lifecycle. The IBM Security
QRadar Suite is said to represent a major
evolution and expansion of the QRadar
brand, spanning all core threat detection,
investigation and response technologies,
with significant investment in innovations
across the portfolio.
Delivered as a service, the IBM Security
QRadar Suite is built on an open foundation and designed specifically for the demands of
hybrid cloud. "It features a single, modernised user interface across all products," says the
company, "embedded with advanced AI and automation designed to empower analysts to
work with greater speed, efficiency and precision across their core toolsets".
STEPPING UP CYBER RESILIENCE
News of the US launching its
National Cybersecurity Strategy
Implementation Plan (NCSIP) has
prompted the following comment from
Gary Barlet, federal CTO at Illumio.
"The [plan] gives much-needed
guidance for agencies on improving
cyber resilience. It assigns timebound
goals and initiatives to each agency -
giving them direction on how to reach
the strategy's clear objectives.
"These goals and initiatives also display
a sense of urgency, which is important,
as the pace of technology makes it
impossible to imagine the impact it
will have on security in three, five or
ten years.
It focuses on building cyber resilience
now as well as down the road, he adds.
"The plan reflects the urgency of today's
cyber threats, and also demonstrates
an understanding of the resource and
fiscal challenges agencies face in overcoming
these dangers."
MIXED RECEPTION FOR DATA PROTECTION UPDATE
The UK government's claim that its new GDPR
legislation will deliver savings of up to £4.7bn over
the coming decade - while bolstering data protection
and privacy - has drawn this response from Edward
Machin, a senior lawyer in Ropes & Gray's data, privacy
& cybersecurity practice.
"The GDPR is far from perfect and the UK is bucking
the global trend of heavily regulating personal data,
but I think that some of its proposals - those around
scientific research, in particular - will in time come to
be seen as an improvement on the status quo."
Meanwhile, a New Economics Foundation report
estimates that compliance costs alone could reach
£1.6 billion for British businesses.
BACKUP BIBLE'S SUSTAINABLE STRATEGIES
Hornetsecurity has launched its new Backup Bible -
a guide to support businesses through all stages
of preparing for, responding to and recovering
from a substantial data loss event. The Backup Bible
features 150-plus pages of actionable content,
divided into four core parts, including customisable
templates enabling business owners to create their
own personalised backup strategy.
Hornetsecurity CEO Daniel Hofmann believes that
the online content enables businesses "to create
sustainable backup strategies to ensure they are
prepared in the event of a data breach".
Edward Machin, Ropes &
Gray.
Daniel Hofmann,
Hornetsecurity.
6
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

technology focus
'PAM BEFORE IAM'?
PAM AND IAM ARE BOTH CRUCIAL AREAS OF PROTECTION - THOUGH PAM
SHOULD LEAD THE WAY, ARGUES ONE ADVOCATE OF THE TECHNOLOGIES
Graham Hawkey, Osirium.
Identity and Access Management is a
critical consideration in cybersecurity,
says the National Institute of Standards
and Technology, which is working on an
IAM roadmap (see pages 20-21) - that is
welcomed by Graham Hawkey, PAM
specialist, Osirium.
"NIST says the purpose is to present 'a set
of strategic objectives, priorities, and
initiatives' and it's clear that this is a project
looking at the long-term strategy and
requirements," he says. "With that in mind,
it is important that this roadmap should
also seriously consider and factor in the role
of Privileged Access Management (PAM)
and the way it couples with and complements
IAM, combining to create a powerful,
complete solution for a modern IT
environment. NIST says IAM is a 'key
component to creating trusted, modern
digital services' and 'a fundamental and
critical cybersecurity capability'. Some
would view IAM as being so critical that
it is the central view of truth, delivering a
'single pane of glass' to control everything
they can do within an organisation by
knowing everything about a person's
identity. Somewhat akin to George Orwell's
dystopian view of the future."
But this is an illusion, he adds, and breaks
down when it is realised you need to take
into account what a privilege (or attribute
that maps to a privilege) means. "Because
these privileges are so contextual, the
further you are from a device, the further
you are from the truth of privilege-based
risk," states Hawkey. "So, although IAM is
one piece of the puzzle in building robust
cyber resilience, it leaves a hole in the
bigger picture, with a crucial component
missing. What it boils down to is that IAM
is essentially about proving who you are,
but it doesn't provide any help in controlling
what users can do once they've
retrieved credentials and logged in. You
also need to be able to control what you
can do and how you do it. IAM tools authenticate
the person, then PAM manages the
system access for that user. It's a powerful
combination."
Furthermore, he states, IAM and PAM
users enter applications through different
interfaces. "Whilst the audience of IAM
enter through the 'shop door', PAM users
are 'back office' based. Consequently, there
is a difference in attack surface. While both
areas of protection are crucial, it's not a
chicken-and-egg situation. AM should
always come first. This is because PAM
delivers a connection between privileged
users and the role-based accounts that they
need. These accounts exist on the raw
systems before deployment and continue
throughout the lifetime of system, device or
application. In fact, they are so important
that they are the very accounts that are
needed to set up a connection to an IAM
system in the first place. In summary, it's
'PAM' before 'IAM', to protect the 'I' in IAM."
08
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

DON’T
SaaSSS
GET YOUR
KICKED! !
TAKE CONTROL NOW AND
PROTECT YOUR SaaS DATA
Global SaaS vendors like Microsoft, Google and Salesforce
don’t assume any responsibility for your data hosted
in their applications. So, it’s up to you to take control
and fully protect your SaaS data from cyber threats or
accidental loss. Arcserve SaaS Backup offers complete
protection for your SaaS data, eliminating business
interruptions due to unrecoverable data loss.
Arcserve SaaS Backup
Complete protection for all your SaaS data.
arcserve.com
The unified data resilience platform

cyber attacks
RUSSIA'S CYBER RAMPAGE
BUSINESSES WARNED TO BRACE FOR IMPACT FROM BARRAGE OF ATTACKS
Raghu Nandakumara, Illumio.
Gavin Millard, Tenable Network Security.
UK infrastructure faces destruction
from Russian-backed cyber groups,
says UK minister Oliver Dowden -
a warning that further indicates the battle
of wills and ideologies between the Kremlin
and Western capitals following Russia's
invasion of Ukraine.
Dowden said these politically motivated
groups were now rearing their heads on UK
shores and pleaded with businesses to brace
for their cyber impact. He outlined recent
attempts from 'Wagner-like cyber groups' to
damage UK critical national infrastructure.
These adversaries are ideologically, rather
than financially, motivated, he added,
making them less likely to show the same
level of restraint as national actors,
sharpening concerns around these threats.
In response, UK Government has made
a series of announcements aimed at further
strengthening UK resilience. These include:
The National Cyber Security Centre (NCSC)
issuing an official threat notice to
operators to help protect the country
Government to set "specific and ambitious
cyber resilience targets" for all critical
national infrastructure sectors to meet
by 2025
Government exploring how to bring all
private sector businesses working in
critical national infrastructure within the
scope of cyber resilience regulations
Enhanced cyber security measures to
protect the UK Government's critical IT
systems, known as GovAssure.
Gavin Millard, deputy chief technology,
Tenable Network Security, points to how
threats from state-based actors against
critical infrastructure are nothing new and
indeed a constant issue. "With an aging
infrastructure and a vast attack surface
vulnerable to known flaws, it's important to
know the weaknesses threat actors target
and mitigate in a timely manner, as a
successful cyber-attack against critical assets
could have wide-ranging impacts to the
population and economy," he states.
"Attacks, such as those seen against JBS
foods and the Colonial Pipeline, leveraged
flaws such as Remote Desktop Protocol
(RDP) and exposed Virtual Private Networks
(VPNs) to gain initial access. Once a foothold
had been found, gaining privileges and
distributing malicious code was concerningly
easy. To prevent such actions from occurring,
it's critically important that organisations take
a pre-emptive approach to identifying and
addressing these exposures before they are
leveraged."
In response to the comments made by
Dowden, Raghu Nandakumara, senior
director and head of industry solutions at
Illumio, had this to say: ""The introduction
of new targets is a positive move and will
provide a uniform baseline for cyber
resilience across all sectors. However, the
2025 timeline is aggressive and signifies
the severity of the threat. It also raises the
question as to what these targets will be
and how achievable they will be in that
timeframe.
"As a nation, we have to shift the focus
from simply preventing attacks to surviving
them and that requires an 'assume breach
mentality', along with the adoption of riskbased
security models like Zero Trust. The
UK government is leading the way in CNI.
However, I anticipate that cyber resilience will
become an industry-recognised metric for all
companies to achieve and measure against."
10
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
WHY BEING AGILE MATTERS WHEN
IT COMES TO A RANSOMWARE ATTACK
STEVE USHER, SECURITY SERVICES MANAGER, BROOKCOURT SOLUTIONS, OFFERS HIS EXPERT INSIGHTS
Over the course of the last few years,
we have witnessed too many highprofile
companies being featured
in the media who have fallen victim to
ransomware demands. In that moment,
as a business leader, what are your first
thoughts? Imagine for that moment what it
might be like if your organisation was hit by
an attack - would you be ready?
Ransomware attacks are one of the most
significant and rapidly evolving threats in
the cybersecurity landscape. The damage a
ransomware attack can cause to a business
doesn't bear thinking about. The financial
loss, data loss and operational disruption
will all take a toll on the overall reputation
of an organisation.
For senior management, understanding
how and why ransomware attacks happen
is incredibly complex, especially without
knowledge of vulnerabilities, code or a clear
view of the methods, motivations and
current activities of cybercriminals.
In a recent example, a senior security
analyst joined top executives from a Fortune
500 company. He joined the meeting cold,
not knowing what to expect, and was able
to eloquently conduct a live review of threat
intelligence, using the latest technology.
The client struggled to comprehend the
level of detail and how exposed the
business actually was, leading to a greater
understanding and hence the security
posture was elevated.
The threat of ransomware is constantly
evolving and we need to always remain
'threat aware'. It's a game of cat and mouse
where we may often only learn from being
exposed. However, our true strength comes
from how we recover with agility. We need
to educate business leaders to understand
the threat will always be there. There is no
escape; regularly reviewing your security
posture and investing in your cyber security
is paramount to protect your business,
stakeholders and your data.
Here's the five-point plan for better
resilience:
1. Rapid Response: Time is of the essence
in mitigating the impact of a ransomware
attack - helping businesses understand the
key next steps to identify and contain the
attack, minimise its spread and prevent
further damage. Delayed response can lead
to increased data loss, extended downtime
and higher financial costs for the affected
organisation
2. Adaptive Solutions: Ransomware attacks
constantly evolve, with new variants and
techniques emerging regularly. Being ready
to adapt tools, techniques and approaches
to counter an evolving threat is paramount,
having access to the latest threat intelligence,
developing new detection and
prevention mechanisms to help business
with effective solutions to combat the
specific ransomware strain they are facing
3. Collaboration and Information Sharing:
Through active collaboration and information
sharing with relevant stakeholders,
including customers, industry peers,
law enforcement agencies, we can
foster a collaborative environment,
pool resources, share insights and
collectively respond to ransomware attacks
more effectively
4. Incident Management and Recovery:
Helping business to adopt a well-defined
incident management process in place to
handle ransomware attacks. This includes
coordinating with customers, providing
guidance on containment, facilitating
communication and helping organisations
return to normal operations as quickly
as possible, as well as ensuring regular
backups, including tests are put in place
as part of on-going process
5. Continuous Improvement: By analysing
attack patterns, post-incident reviews and
lessons learned from every ransomware
incident, we can refine better solutions
for businesses to update their procedures
and enhance their overall cyber resilience
against future attacks.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
11

privacy crisis
REPUTATION TIMEBOMB 'WAITING TO BLOW UP MANY BRANDS'
PRIVACY LAW FIRM SCHILLINGS REVEALS THAT MANY COMPANIES ARE
INADVERTENTLY BREACHING CONSUMERS’ ONLINE PRIVACY RIGHTS
Measures taken by companies to
protect consumers data are
"not working" and are exposing
brands to massive reputational risk,
according to research commissioned by
privacy law firm Schillings.
The study found that company data
practices, often owned by marketing and
IT teams, are falling short of legal
requirements - and in some cases are
harming customers by contributing to
incorrect online profiles.
The report, commissioned by Schillings
and conducted by cross-party technology
think tank Demos, tracked volunteers as
they attempted to reclaim and delete the
personal data companies held about
them. In doing so, researchers uncovered
widespread 'data ethics' challenges at
large numbers of companies.
The study found that:
Up to 65% of companies did not
respond to data requests, despite this
being a legal requirement under GDPR
Processes to help consumers take
control of their data - eg, cookie
banners - "actively seek to dissuade"
people from restricting permissions
'Accepting All' cookies on websites
often includes consent for data to be
sold to data brokers - with brands
unable to control how this data is
then used and exposing them to
supply chain risks
Volunteers were "stunned" and
"scared" by how widely their data was
spread and sold by companies - with
one volunteer discovering 2,242
companies were using their 'off-
Facebook' interactions to target them
with advertising
Controlling your data footprint online
is virtually impossible and the idea
that individuals can is "a big lie".
Volunteers found inaccuracies in the
data profiles created about them online -
which can cause real-world problems,
such as applying for credit.
Allan Dunlavy, partner at Schillings, says
the study findings show a crisis waiting
to happen. "Our study shows that we're
in the middle of the largest privacy crisis
in history and there is a reputation
timebomb waiting to blow up many
brands. Brands that are intentionally or
inadvertently misusing our data could
suffer a serious impact to their
reputations, customer base and revenue.
We are in a situation where many
companies are holding consumer data,
not giving people their legal right to
access it, and then selling it on into a
system they have no control over. The
burden is currently on the consumer,
rather than the business, to change this,
but we see the tide turning against
companies that are not helping
consumers."
STUDY AND RESULTS
To create the report, Demos, with
support from consumer rights company
Rightly, worked with volunteers to
discover how far information about them
had travelled online - and how it had
morphed along the way.
Volunteers were helped to exercise their
Right of Access (the right under GDPR to
ask companies if they are using your
personal information and for copies of
what they hold) and The Right To Erasure
(the right to ask for that data to be
deleted - also known as the right to be
forgotten).
Overall, the research found a deeply
frustrating and confusing process, and
12
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

privacy crisis
an inconsistent picture across data
requests to companies. Responses varied
dramatically: of all the access requests
put out, rates ranged from 65% of
companies not responding to one
volunteer to just 10% not responding to
another. Under GDPR laws, companies
are required to respond to consumer
requests - but many did not or made the
process difficult and time-consuming.
The study also found that processes put
in place to help consumers have more
control over their information online in
fact made them more likely to give it
away. The biggest gateway to personal
data for most users is the GDPRcompliant
'cookie banners' - but Demos
concluded the banner's design often
actively sought to dissuade users from
changing data permissions "through
nudges to incentivise you to agree to the
most permissive settings".
The study also found "accepting all"
on cookie banners frequently gave
companies permission to sell consumer
data onto data brokers - creating a black
hole in their ability to protect customer
data. "One of the biggest problems right
now is companies gathering enormous
amounts of data on people, selling it
off to data brokers and even they don't
know where it ends up," commented one
volunteer.
DOUBTS RAISED
This made them question whether they
wished to continue buying from that
company, explaining: "It's not necessarily
that I don't trust them as a brand not to
misuse my data - it's the fact that I don't
know who they're selling it to and who
that broker is selling it on to".
Study volunteers were also surprised by
the inaccuracy of profile information
companies had compiled about them,
based on their online activity. This
'propensity data' is intended to help
advertisers target users who are most
likely to be interested in their products.
However, this data is also used to make
decisions which have far-reaching
ramifications in the real world, such
as whether an individual would qualify
for a mortgage or credit card.
The study states: "We found a chaotic
system that profits from our data, while
doing little to empower users to exert
their rights: data is collected and inferred
about us, and used to make decisions in
the dark about what sort of person we
are, what sort of products and services
we should be offered - from health
insurance to mortgages."
PANDEMIC HANGOVER
Allan Dunlavy goes on to explain that
much of the issue was born out of
the Covid 19 pandemic: "For many
companies, the rush to move to
an online business model during the
pandemic resulted in shortcuts being
taken. We are seeing a lot of data privacy
codes of practice overlooked, despite
the best of intentions - with many
companies often unknowingly
contravening data legislation through
poorly set up processes. But with privacy
becoming a key focus for consumers,
companies need to take these issues
more seriously.
"It's time every company took a long,
hard look at how confident they are of
their data ethics. This is a strategic
reputational problem that
needs addressing in the
boardroom - not in
isolation by a
marketing or IT
team."
Law firm
Schillings
commissioned
the study as part of its 'Accept All:
Unacceptable?' campaign, highlighting
and addressing the urgent need for
society to do more to protect personal
privacy online. Volunteers from the
study can been seen in the documentary,
'Accept All: Unacceptable?', which was
also commissioned by Schillings, now
available to view on YouTube here. The
film sets out to answer the question :
"Why should we care about online
privacy?"
Allan Dunlavy, Schillings: we're in the
middle of the largest privacy crisis in
history.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
13

Infosecurity Europe
Infosecurity Europe 2023 proved a fertile environment for exploring
innovative solutions to combat ever-evolving threats.
Visitors to the exhibition were able to equip themselves with
the knowledge and tools to help make them more cyber secure.
CELEBRATION OF CYBERSECURITY EXCELLENCE
INFOSECURITY EUROPE 2023 ONCE
AGAIN SHOWCASED THE LATEST
TRENDS AND IDEAS THAT ARE
SHAPING THE WORLD OF
INFORMATION SECURITY
Infosecurity Europe 2023, as ever, proved
to be a captivating, visitor-packed event
that brought together professionals
from right across the cybersecurity
industry. With a range of distinguished
speakers, enlightening panel discussions
and groundbreaking innovations, the
conference showcased the latest trends
and ideas that are shaping the world of
information security.
Kicking off the conference, legendary
Olympic gold medallist sprinter Michael
Johnson delivered a keynote that drew out
a number of parallels between his athletic
journey and the challenges that are now
faced every day in the cybersecurity
domain. Johnson's insights emphasised the
importance of perseverance and teamwork
in overcoming obstacles, a valuable lesson
for all professionals in the field.
Matthew Syed, the journalist, author,
broadcaster and former international table
tennis player, focused his discussion on the
significance of embracing the concept of
'black box thinking', and the connection
between mindset and high performance.
He stressed the need for a growth mindset
and encouraged attendees to innovate to
tackle challenges posed by cyber security
to stop attackers in their tracks.
Cybersecurity analyst Keren Elazari
delivered a keynote on the transformative
power of ethical hacking, emphasising the
importance of ethical hackers in identifying
vulnerabilities, enhancing system security
and driving positive change. Her talk shed
light on the vital role that ethical hackers
play in safeguarding our digital infrastructure
and encouraging collaboration
between security professionals.
14
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

Infosecurity Europe
Matthew Syed's discussion focused on the
significance of embracing the concept of
'black box thinking'.
Cybersecurity analyst Keren Elazari addressed
the transformative power of ethical hacking.
One of the most anticipated events at
Infosecurity Europe 2023 was the Women
in Cybersecurity session, featuring Danni
Brooke. A prominent figure in the industry,
Brooke shared her experiences and highlighted
the need for diversity and inclusion in
cybersecurity.
Her thought-provoking presentation
encouraged women to pursue careers in
the field and showcased the success stories
of female leaders who have already made
a significant impact.
Infosecurity Europe 2023 was very much
about celebrating innovation, with the
announcement of the DSIT (Department of
Science, Innovation and Technology) award.
This year's winner, ANGOKA, was said to have
demonstrated groundbreaking advancements
in for smart cities and smart mobility,
heightening the cybersecurity and safety of
connected devices. ANGOKA's achievement
highlighted the immense potential that exists
for innovative solutions to combat evolving
cyber threats.
Becky Pinkard was inducted into the Hall
of Fame - recognised for her significant
contributions to the field. She commented
on the industry to say, "what I realised is that
security gave me a home." She encouraged
the audience to be open and inclusive in
business and "remember who they are at
home is who they are as a person. That is
who they bring to work and that is why they
are successful". This could be a means to
addressing the cybersecurity talent gap and
the need for more female talent, too.
Overall, Infosecurity Europe 2023 delivered
a valuable platform for industry leaders,
professionals and cybersecurity enthusiasts to
exchange knowledge and explore innovative
solutions to combat ever-evolving threats.
Infosecurity Europe 2024 will take place
from 4-6 June 2024 at the ExCel London.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
15

MDR-EDR-NDR
ENLISTING THE RIGHT FORCES TO BOLSTER SECURITY
MDR, EDR AND NDR - WHAT
EXACTLY IS THE POWER
BEHIND THESE ACRONYMS?
Mark Watkinson, Adarma: MDR
providers deliver 24/7 threat monitoring,
detection and response outcomes.
MDR (Managed Detection and
Response) and EDR (Endpoint
Detection and Response) and NDR
(Network Detection and Response) have
become really hot topics as security tools. But
what exactly do they do for an organisation?
According to Mark Watkinson, head of
market insights at Adarma, they enable the
move from passive protection to "provide
monitoring, recoding, analytics and detection
capabilities and, most importantly, response
actions to their specific area of coverage -
ie, E = Endpoint, N = Network. These tools
go deep in their coverage of specific areas
and functionality".
There is one major issue, though, he states.
"They create mini 'analytic islands' focused on
doing a particular job very well, but are blind
to other areas of the infrastructure, thus
unable to give coverage or context outside
their specific area. This can create blind spots
and can be difficult to co-ordinate and staff
appropriately to achieve the full coverage
across the various tooling required to cover
your IT environment, from endpoint to
network to cloud."
These issues gave rise to XDR tooling, he
adds. "Buyers can now broaden the scope of
detection beyond the endpoint or network to
cover identify, servers, cloud workloads and
much more. Every vendor has their own
idea of XDR, how it works and
what's included in the X - after
all, 'X' just means extended.
This ambiguity has added
to the confusion across
the cyber security vendor
landscape."
As the security
industry faces an
ongoing talent crisis,
teams often struggle
to recruit and retain the people required
to manage and optimise these tools. The
solution is MDR, he argues. "MDR providers
deliver 24/7 threat monitoring, detection and
response outcomes for the threats the
organisation faces and the coverage they
require. They provide customers with the
people [analysts, hunters, threat intel and
responders], expertise, processes and turnkey
technology stack associated with a Modern
SOC function, in a remotely delivered, shared
model that is easy-to-consume."
Meanwhile, in a survey carried out for
Gatewatcher by Vanson Bourne on APT threat
detection, 25% of respondents said they were
currently seeking to detect and discover APTs,
but faced challenges identifying the method
of entry. A further 21% faced challenges
supporting the technology. When asked to
detail the technology portfolio used against
APTs, Endpoint Detection & Response (EDR)
was the most present, cited by nearly twothirds
(62%) of respondents.
This was followed by firewalls (57%) and
then a very close third and fourth between
Security Information and Event Management
(SIEM), and Network Detection and Response
(NDR), with 56% and 55% respectively.
Philippe Gillet, CTO of Gatewatcher, says
the study shows that businesses are still
relying heavily on endpoint protection,
while recognising that it is visibility across
the network that is now needed to address
APTs. "As recent examples have shown,
these advanced attacks exhibit patience
and strategic thinking. As such, it is time
to evolve and adapt our approach to the
threat landscape and see APTs as the new
normal in cybersecurity. This will mandate
network technologies that offer high visibility
of threats hidden in the network and represent
an essential lever for strengthening the
cybersecurity posture of businesses.''
16
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

Computing
Security
Secure systems, secure data, secure people, secure business
Product Review Service
VENDORS – HAS YOUR SOLUTION BEEN
REVIEWED BY COMPUTING SECURITY YET?
The Computing Security review service has been praised by vendors and
readers alike. Each solution is tested by an independent expert whose findings
are published in the magazine along with a photo or screenshot.
Hardware, software and services can all be reviewed.
Many vendors organise a review to coincide with a new launch. However,
please don’t feel that the service is reserved exclusively for new solutions.
A review can also be a good way of introducing an established solution to
a new audience. Are the readers of Computing Security as familiar with
your solution(s) as you would like them to be?
Contact Edward O’Connor on 01689 616000 or email
edward.oconnor@btc.co.uk to make it happen.

workplace welfare
BURNOUT!
STRESS AND BREAKDOWN ARE SAID TO BE REACHING EPIDEMIC LEVELS AMONGST CYBER SECURITY
PROFESSIONALS. WITHOUT REMEDIAL ACTION, LONG-TERM CONSEQUENCES COULD BE CATASTROPHIC
Burnout has burrowed its way deep into
the cybersecurity industry, but little is
being done to address the attrition it
causes, it is claimed. According to analyst and
research firm Gartner, it is largely overlooked
across the industry. "Insider threat management
is not a focus area for most organisations,
unless they are highly regulated. The
cybersecurity industry has taken limited action
to reduce cybersecurity process friction and
improve user experience." Gartner also states
that poor strategic implementation of topics
like Zero Trust stops organisations from
developing a positive security culture.
According to JJ Gericke, senior manager at
ThreeTwoFour, while burnout is not unique to
the cybersecurity industry, there are certain
factors within cybersecurity that make burnout
and high attrition more likely. "Cybersecurity
professionals are constantly faced with new
and sophisticated threats, which require
continuous learning and skill development.
While learning and development are part of
any job, the scale and rate of emerging
technologies and threats in cybersecurity
create a lot of pressure to stay up to date."
The cybersecurity skills gap and the difficulty
organisations face in recruiting resources is
also a contributing factor, he points out.
"Cybersecurity teams are routinely understaffed
and overburdened with heavy
workloads in which individuals often fill
multiple roles. Protecting an organisation
is a 24/7 job, meaning the industry is
characterised by long working hours, on-call
responsibilities and an 'always-on' mentality.
Cyber security staff responding to incidents
operate in a high-pressure environment,
with a significant risk of substantial losses for
the business. These situations take their toll,
because they often require working extremely
long hours and over weekends, all while
facing significant pressure from the business
leaders to provide a resolution."
There are various initiatives that organisations
can undertake to help reduce burnout,
Gericke says, including:
Ensuring dedicated time off work
for training and development
Offering stress management initiatives
such as mindfulness training and
counselling services
Establishing a long-term relationship
with a trusted service provider that can
provide expert assistance in situations
where there is an increased requirement
for resources, such as after an incident has
taken place or during major transformation
programmes
Making certain that team roles are defined
and there is a clear career path for
progression
Addressing organisational issues that adds
stress, such as excessive bureaucracy and
lack of clear communication
Creating flexible work opportunities by
offering people time off or increased pay
for working on weekends when
responding to incidents.
"Industry wide, it is the responsibility of all
organisations to help grow the talent pool of
cybersecurity resources through internship
programs, training initiatives and ensuring
that people are fairly compensated for
working in a high-stress environment."
MENTAL HEALTH FEARS
Without remedial action, says Jasmine Eskenzi,
founder of The Zensory, it is highly likely that
there will be a further decline in the mental
well-being of cybersecurity professionals, to
the extent where many will be forced to leave
the industry, in order to prioritise their mental
health. "Organisations will then be left to
contend with the decline in staff retention
rates, alongside the existing shortage of talent
18
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

workplace welfare
within the cybersecurity industry, making them
vulnerable to inevitable and potentially
harmful cyberattacks."
Unless organisations are willing to lead the
change towards protecting the mental health
and well-being of their staff, particularly their
security teams, the issue at hand will continue
to grow, she warns. "Evidently, there is a real
need for organisational leaders to commit to
making a difference which can be achieved
by adopting a 'cyber mindful' mindset.
"This could involve supplying cybersecurity
professionals with a mindfulness toolkit that
encourages them to feel empowered to
prioritise themselves and their wellbeing at
work. This could also include encouraging
the practice of mindful exercises during the
working day, such as enforcing breaks
between meetings or tasks, to enable them
to take time out to decompress their minds,
which could also help to boost productivity."
ALERT FATIGUE
Meanwhile, recent research suggests that alert
fatigue is a huge problem in security teams,
with almost half (48%) of respondents
claiming it impacts them, states Lisa Ventura,
founder, Cyber Security Unity. "This typically
occurs in security operations (SecOps) teams
when they are unable to prioritise multiple
alerts from disparate tools. As a result, 93% of
respondents to the survey undertaken by Expel
in its report, 'The UK cybersecurity landscape:
challenges and opportunities' say they've
regularly missed personal commitments
because of their jobs, while 34% state that
this happens most or all of the time.
"Some 52% agreed that their team spends
too much time dealing with unnecessary
cybersecurity notifications. Over half (52%) of
UK IT decision makers (ITDMs) expect security
team members to leave within the year, due to
burnout."
There are a few factors that contribute to
the increase of stress and burnout in cyber
security, Ventura adds. "The rise in the number
of cyber-attacks has grown exponentially since
the start of the pandemic, with 22% of all
data breaches in 2022 involving phishing
attacks and a 72% to 105% spike in ransomware
attacks since the global pandemic hit in
2020. The speed at which cyber-attacks are
happening and evolving means that many
cyber security professionals experience stress
and burnout when trying to keep up with
them all. The speed of innovation relating to
cyber threats is increasing rapidly."
With a skills shortage in cyber security,
increasing regulation, having to secure masses
of data in many places and the threat of
losing their job or of being disciplined, it is
very rare for cyber security professionals to
seek help when they are feeling overwhelmed.
"It is no wonder that many cyber security
professionals are experiencing high levels of
stress and burnout. Addressing workplace
burnout in cyber security is not an
insurmountable challenge. By actively striving
to alleviate stress among your employees and
fostering a company culture that prioritises
security awareness, your organisation can
effectively tackle this issue."
UNYIELDING BURDEN
A recent report carried out by Mimecast
revealed that the burden of ransomware
attacks hasn't relented for the past few years
and it's becoming clear that these attacks carry
an arduous long-term impact on employees.
Other findings from the research include:
61% say that ransomware attacks have
had a negative impact on their mental
health
58% say that their role gets more stressful
every year, which makes sense as attacks
are becoming more harmful each year.
Many professionals are reaching their
breaking point, adds Mimecast, with 42%
"considering leaving their role in the next two
years, due to stress or burnout".
JJ Gericke, ThreeTwoFour: it’s the
responsibility of all organisations to
ensure people are fairly compensated for
working in a high-stress environment.
Jasmine Eskenzi, The Zensory: a real need for
organisational leaders to commit to making
a difference which can be achieved by
adopting a 'cyber mindful' mindset.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
19

identity & access
THE NEW ROAD AHEAD
A NEW NATIONAL ROADMAP FOR IDENTITY AND ACCESS MANAGEMENT SINGLES OUT STRATEGIC OBJECTIVES,
ALIGNS EFFORTS WITH NATIONALLY DEFINED PRIORITIES AND SUPPORTS LONG-TERM PLANNING
With the National Institute of
Standards and Technology's draft
roadmap for identity and access
management (IAM) clearly signalling a strong
push for meaningful change, NIST is now
carefully considering the responses that it
sought on where it is hitting the mark and
where the roadmap might need to be beefed
up (feedback closed on 1 June).
Amongst the specific questions that NIST
wanted addressed were:
Are the guiding principles clear? Are any
important principles missing?
Do any of the strategic objectives need
clarification? Are any key objectives
missing?
Are there specific activities, research or
guidance that should be included and,
if so, why?
Which strategic objectives are most
likely to have an impact and
should be prioritised?
Why is the roadmap so important? "As we
become more reliant on connected
technologies, we also become more reliant
on authentication," states Tim Hollebeek,
industry technology strategist, DigiCert.
"Offline, we use our handwritten signatures
or show photo ID against which our visages
can be compared. Online, however, our
identities have to be verified remotely and
many of the ways in which we currently do
that are aging badly. Passwords, for example,
have been an enduring part of authentication
for decades. They've also been an enduring
risk for organisations whose passwords can
often be easily guessed, are easily forgettable
and are often reused across accounts."
Similarly, users are now demanding greater
levels of privacy and greater autonomy over
what they share and with whom. 'Mobile
driver's licence' standards are also emerging
out of private and public sectors - such as
the EU's digital identity wallet - which aim
to provide a digital solution to mirror the
authority of an offline photo ID for remote
identity verification. It is amid this shifting
landscape that the NIST roadmap intends
to guide organisations to a modern
authentication framework, he adds.
"Any new guidance on Identity and Access
Management will have to deal with new
realities, such as the rise of remote work and
the increase of workers accessing corporate
resources through VPNs and from noncorporate
Wi-Fi," adds Hollebeek. "The first
stage of improving authentication is to take
authentication responsibilities out of users'
hands. Humans - as they say - are the
weakest link and so the responsibility for
authentication should be shifted away from
them and towards technical solutions. Digital
certificates offer a way to do that, offering
seamless and strong authentication for users,
based on Public Key Infrastructures."
He argues that authentication processes
should be automated to as great an extent
as possible to handle the variety of devices,
users and other assets that will be requesting
access to a given network. "NIST is absolutely
clear on this when it comes to digital
certificates. It states in its SP 1800-16
framework: 'Automation should be used
wherever possible for the enrolment,
installation, monitoring and replacement of
certificates, or justification should be provided
for continuing to use manual methods that
20
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

identity & access
may cause operational security risks.'
"However, NIST's IAM guidance eventually
concludes it needs to tackle the reality of
the modern network. That means relying
on automation to take responsibility for
authentication out of users' hands and
leaning towards technical indicators to verify
endpoint, device and user identities."
NEW ERA OF DIGITAL IDENTITY
According to a report from API-focused
identity and access management company
Curity, UK organisations and consumers
are ready to embrace a new era of digital
identity. Some 63% of UK organisations
either currently use digital identity or have
plans to incorporate digital identity solutions
into their operations, it reports, with 61% of
those planning to do so within the next year.
Additionally, 52% of UK firms have plans to
incorporate new and emerging decentralised
identity solutions. UK consumers are also
displaying a growing familiarity with digital
wallets, with 58% of consumers currently
using them and half of consumers that don't
currently use digital wallets considering them
in the future.
The report, titled 'Plotting the Roadmap
for Digital Identity'. surveyed 200 IT decision
makers (ITDMs) in the UK and US as well as
1000 consumers to better understand the
rapidly changing digital identity landscape.
This report comes as the UK government
introduces a new trust framework for digital
identities.
The findings show that 60% of organisations
surveyed expect digital identity to
have a transformative impact on their
industry, with financial services (89%) and
health (86%) seen as two of the industries
that are likely to benefit most from the latest
innovations in this area, according to ITDMs.
Other key findings show that top security
challenges posed by digital identity for ITDMs
are hacker sophistication (39%) and lack of
appropriate infrastructure (37%). With
organisations facing increasing pressure to
protect customers' data, continued
innovation and development in the digital
identity space could not be of greater
importance, states Travis Spencer, Curity CEO.
"While there are encouraging signs that
businesses are adequately prepared for the
paradigm shift that decentralised identity will
cause, the winners after the move will be
those that cultivate trust among consumers.
"The question of how digital identities are
managed and by who will continue to be key
over the coming years. To keep up with this
pace of change and consumer expectations,
digital identity must be on the priority list of
enterprise architects and strategy makers."
ALIGNMENT OF NEEDS
What Belton Flournoy, managing director,
Technology Consulting, Protiviti, finds most
interesting about the NIST's upcoming focus
areas is the alignment to what he perceives
to be growing business needs. "For example,
people are tired of having 20 passwords they
must remember, many of which must be
changed every few months. People want
a seamless and secure experience. We are
also seeing companies speak about the
importance of the 'employee experience'
today, the way they have the 'customer
experience' for years.
"The NIST IAM roadmap will look to address
some next-generation security areas,", he
says, "including enhanced facial recognition
guidelines, enhanced contactless fingerprint
capture, guidance related to identity
management via mobile devices and
an implementor's guide to modern
authentication technology, to name a few.
"This expansion will provide organisations
with a stronger suite of reference materials to
help take their security to the next level. The
future is now, and it is an exciting time to be
working in the identity and access management
space."
To access the NIST IAM roadmap, click here.
Tim Hollebeek, DigiCert: the first stage
of improving authentication is to take
authentication responsibilities out of
users' hands.
Belton Flournoy, Protiviti: people want
a seamless and secure experience.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
21

managed services
THE MAKING OF A MANAGED SERVICE
MIKE RICHMOND, TECHNICAL SERVICES MANAGER AT BROOKCOURT SOLUTIONS, TOOK TIME
OUT TO TALK TO STEVE USHER, BROOKCOURT'S SECURITY SERVICES MANAGER, TO UNDERSTAND
MORE ABOUT HOW MANAGED SERVICES WORK AND HOW THEY BENEFIT BUSINESS
What is a managed service and
what types of managed
services exist?
A managed service is typically a service,
product or role that is provided by a third
party, where the third-party reports to the
company they are contracted to.
This can be anything from managing the
endpoint anti-malware, to the mail or web
gateways, or, in some cases, having a whole
job role, such a data protection officer
(DPO) or chief information security officer
(CISO) that is carried out by the third party.
How do managed services benefit
a business?
Managed services are of great benefit for
multiple reasons. However, the primary
reason, in my opinion, is the high-quality
skill sets of staff engaged in the managed
service provision (MSP), which is a cost
benefit to the customer as, if the customer
directly employed staff with those skill sets,
their costs would be higher.
Ability to limit full-time employee
(FTE) head count
Ability to have the latest version of a
product and ensure those managing
it are skilled on that product
Access to highly specialised and
experienced resources that would
normally be outside of the budget
of smaller companies
Access to technology that could be
outside the budget/reach of smaller
companies
Ensure the use of industry best
practices for the various products
and services.
Enterprise organisations like financial
institutions and big brands can afford to
buy into the top technology - how do
smaller organisations fare when it comes
to their security posture?
Access to top-tier technology can be a
challenge to smaller companies, due to the
cost of the technology and the skills that are
required to utilise the technology and gain
the most benefit from it. This is where
MSPs can be leveraged to provide tier
technologies that are wrapped in a
service that enhances a company's
security posture.
Last year, we saw the launch
of Mind Security, a new
managed service offering.
Can you tell me how it
helps organisations with
their security?
The service essentially
supports businesses with
managed public breach
monitoring and
endpoint
protection,
and we
plan to
launch
further solutions into the Mind Security
portfolio in the coming months.
What are the top security challenges all
businesses face today?
There are security challenges facing all
companies daily and this list is expanding
constantly.
22
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

managed services
Unfortunately, many of the challenges that
companies faced decades ago still exist,
alongside newer challenges.
Ransomware
Ransomware is the top of just about every
list, in terms of what concerns not just
cyber security professionals, but anyone
that is involved in the day-to-day activities
of a business. Ransomware can have an
impact on a business, from the internal
disruption, loss or theft of data to the
damaging impact to the company's
reputation and brand in the public eye,
which can result in a loss of income in
the long term. The complexity of the
ransomware is increasing, as are the
vectors for attack and ways in which
the cyber criminals are attempting
to make money from an
incident. Ransomware
is understandably
the top concern,
due to the
numerous
ways in
which an
incident
can impact a company; this is unlikely to
change anytime soon.
Credential Re-use
Closely following ransomware, in terms of
security concerns, is STILL credential reuse,
even in the modern age of security awareness
training, with public campaigns
focusing on password security. Credential
re-use remains a top concern, due to
the fact employees often reuse company
passwords on public sites. An attacker,
with the right level of recon, will be able
to use this to their advantage, if the
employee has appeared in any user
breaches of major sites.
Phishing Attacks
Phishing (Vishing, Smishing etc) and all
attacks of this nature are a major concern,
not just for businesses, but for the public
as well. Phishing is one of the most
common methods of attack and the
complexity of the attacks is increasing
substantially. Phishing is used to deliver
numerous different malicious payloads,
the most concerning being ransomware
or trojans, both of which can have a
devastating impact on the systems and
companies affected.
Mind Security describes itself as Cyber
Security Peace of Mind. Can you explain
the benefits of this service for your
prospective customers?
Mind security provides peace of mind by
addressing two of the most common
cyber security concerns experienced by
businesses. Mind Security has chosen
products that are best-of-breed for
dealing with ransomware and
credential re-use. The endpoint
anti-malware product that has
been adopted has some of the
fastest reaction times of any
product, as well as utilising
AI to detect known and
unknown threats. The
technology adopted for
the breach monitoring service has
demonstrated itself to be one of the most
effective in the industry, utilising one of
the largest and most well-maintained
databases of breached credentials/data.
How do you decide which products are
a good fit for the making of a managed
service?
We look for products that are best of
breed, that are innovative or, if not
innovative, have a solid track record of
providing the service they set out to. There
is a large focus on automation within the
products that have been chosen, along
with additional consideration given to the
use of technologies, such as threat
intelligence and, where feasible, artificial
intelligence. We have been exceptionally
careful to ensure that we only look at
products touting AI, where there is a
legitimate use case for the technology.
The endpoint security offering within the
service is driven by Deep Learning, which is
a variant of Artificial Intelligence. What are
the benefits of this?
I think it is best we allow an AI to answer
this in a few words.
"Deep learning excels at automatically
learning complex patterns from raw data,
enabling hierarchical feature learning and
achieving state-of-the-art performance in
specific domains"
Source: ChatGPT
How do people find out more?
Brookcourt has a team dedicated to
supporting businesses to learn more about
its products and solutions. To find out
more about Mind Security, email the team
at: enquiries@mindsecurity.co.uk
mindsecurity.co.uk
01737 886 111
Useful Link:
https://www.corporatescreening.com/blog/
10-things-to-consider-when-looking-for-amanaged-service-provider
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
23

GDPR
BELATED HAPPY BIRTHDAY, GDPR!
GDPR - THE GENERAL DATA PROTECTION REGULATION - HAS REACHED A MEMORABLE
LANDMARK: IT IS NOW FIVE YEARS' OLD. HOW SUCCESSFUL HAS IT PROVED SO FAR?
How do you measure the success
of something as complex and
far-reaching as the General Data
Protection Regulation (GDPR), which was
brought into existence five years ago to
replace the 1995 Data Protection Directive
used across various European countries.
"After the internet becomes commonplace,
the EU parliament decided they needed
a new guideline that adapts to a more
connected world where data is the common
currency. The GDPR is designed to better fit
modern technologies and practices," states
Inspired eLearning. "The 1995 data
protection law allows each country to control
and customise its own privacy laws. This
makes it harder for businesses to introduce
their service between countries, since they'd
have to refer to multiple privacy requirements
and keep up with all of them."
The GDPR eliminates all this, since now
businesses only need to refer to one guideline
and requirement to do business across all EU
member states. It has also undergone several
changes in the past few years. "Notably, in
2021 the GDPR introduced major changes to
its terms," adds Inspired eLearning. "For one,
GDPR removed the Privacy Shield that was
put in place to make it easier for US
companies to do business with EU citizens.
The other major change introduced in 2021
would be the regulations for cookie consent,
as GDPR now prevents companies from
blocking access to content, unless a user
consents to cookies."
However, there is much debate about how
effective this last change is proving, as many
companies are making it extremely hard for
people to refuse cookies, often making
refusal difficult and/or pushing them to
accept with various 'inducements'.
The UK's GDPR, not to be confused with the
EU General Data Protection Regulation, is
a standard based on the EU version created
by the UK Information Commissioner's Office
(ICO) and included within their 2018 Data
Protection Act. "This data protection law
serves as a substitute for the EU version after
Brexit. If you regularly process data of
Europe-based customers, you'd have to
adhere to both European data protection
laws. As a result, the overall sum of fines
significantly increases month after month."
For the 12 months up to 1 March 2023,
1,576 fines were recorded in the CMS
Enforcement Tracker database (an increase
of 545 on 2022), amounting to around
EUR 2.77 billion in fines (up 1.19 billion in
comparison to 2022). The tracker also
indicates1.446 fines have been issued since
2018.
"One might think that the companies who
receive fines maliciously mishandled data, yet
in reality compliance is a complex process,"
points out Inspired eLearning. "When it
comes to GDPR implementation, there are
several grey areas as the provisions cover
many different activities and were designed
to withstand continual innovation. Meaning
GDPR compliance is certainly not an easy box
to check off on a company's to-do list.
"Statistically, the violations with the most
fines are related to data processing noncompliance.
Against this background, luckily,
there are tools put forward by GDPR itself
that businesses can implement to increase
their safeguards and, ultimately, reduce legal
uncertainty and the risk of fines. In this
context, codes of conduct (Art. 40) are one
of the instruments GDPR has introduced to
optimize and harmonise its implementation.
"The EU Cloud Code of Conduct is a tool
24
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

GDPR
that bridges the gap between the general
provisions of the regulation and their
concrete implementation across the whole
cloud industry. Since its approval in 2021,
the Code has been playing a key role when
it comes to cloud compliance, fostering
the application of robust technical and
organisational measures throughout the
sector.
How has the GDPR gone so far within
the industry? We asked several interested
parties and here are their responses:
Sylvain Cortes, VP of Strategy, Hackuity:
"Compliance is essential, but we urge
organisations to take the opportunity to
think beyond baseline requirements to
develop a culture of continuous cyber
improvement. It's important to remember
that achieving compliance shouldn't be
treated like 'exam-cramming' with last-ditch
efforts to achieve annual or quarterly audits.
The goal is to achieve more than the
minimum requirements and move away
from the tick-box mindset. GDPR compliance
is necessary, but it is far from sufficient for
modern organisations."
Rick Hanson, president, Delinea:
"I've been in the cyber community since
the mid-90s and one consistency over the
years is that personal data has always been
paramount. However, even though the
industry often understood what needed to
be done to protect personal data, it was
frequently deemed to be too costly or
complex to implement.
"Five years ago, I applauded the EU for
taking a stand, and providing guidelines and
a framework to ensure that personal data
and privacy were protected with GDPR. Yet
even as this legislation passed and privacy
advocates celebrated, many businesses
were very concerned, due to perceived
burdensome and costly efforts that would be
required of them to be compliant. Looking
back on this anniversary, I am very encouraged
that the technology community has
innovated and evolved to solve many of
these issues and challenges quickly. My belief
is that it sets a solid foundation that the rest
of the world can follow, as we continuously
work to protect our personal data and
privacy.
"We have come a long way since the early
days of cyber and GDPR makes a significant
impact, yet it does not solve the cybersecurity
threat. It offers a framework that helps
classify and protect - yet these policies
are public, giving any attacker a roadmap
on how to circumvent the policy. As good
as GDPR policy is, it does not mean our
personal data is completely secure. We must
continue to educate and innovate to solve
these ongoing data privacy and security
challenges."
Paul Brucciani, cyber security advisor,
WithSecure
"The European Commission is criticised for
many things, but GDPR is the one thing
where it can hold its head up high and say,
'We've led the world in this'. As regulatory
milestones go, it's the equivalent of climbing
Everest. And it seems to be working, as other
jurisdictions are following suit.
"Internet fragmentation, driven by the quest
for digital power, is creating regulatory complexity
and the EU has an important role in
leading the world through this. For example,
AI is the next big field that will need regulating
and the EU has again made a head
start on this with its proposed AI Act, a legal
framework that is intended to be innovationfriendly,
future-proof and resilient to
disruption."
Michael Covington, VP of Strategy, Jamf:
"The EU's GDPR has had a tremendous
impact on how organisations around the
globe handle personal user data since the
regulation went into effect five years ago.
The threat of substantial fines - including the
almost €3 billion that have been levied since
Paul Brucciani, WithSecure: AI is the next
big field that will need regulating and the
EU has again made a head start on this.
Eduardo Azanza, Veridas: trust in biometric
solutions must be based on transparency
and compliance.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
25

GDPR
Colum Lyons, ID-Pal: five years on from
the introduction of GDPR and there is still
a long road to go.
Andy Robertson, Fujitsu UK and Ireland:
going forward, the rise of AI-driven
cyberattacks will make data protection all
the more critical.
the regulation went into effect - have forced
companies to take privacy and security more
seriously. And the impact is not just contained
within Europe; GDPR has inspired more
than 100 other regional privacy standards,
including those in many of the individual US
states.
"Of course, with a regulation as complex
as GDPR, there's still work to do, both for
the governing bodies and the organisations
that must achieve compliance. Learnings
from the COVID-19 pandemic have raised
concerns about new public health and data
considerations that should be factored into
future legislation. Additionally, the post-Brexit
version of GDPR for the UK is still a work in
progress, as is a firm stance on how data can
be shared between EU member states and
'partner' countries.
"For individuals, GDPR is making a difference
in how their personal data in safeguarded.
And, for CISOs and data protection
officers, the work continues to ensure
organisations achieve regulatory compliance
in a way that minimises disruption to the
core business, while ensuring employees,
customers and partners have confidence in
how their personal data is being managed."
Eduardo Azanza, CEO, Veridas:
"Without question, GDPR has revolutionised
data privacy and protection, and now, with
the introduction of biometrics, the regulation
takes on even more significance, as it celebrated
its 5th anniversary. As defined by
Article 4 of GDPR, biometric data is a form
of personal data - therefore, businesses must
carefully and securely manage it.
"Earlier in May, Mobile World Congress
(MWG) was slapped with a €200,000 fine
by GDPR after they had collected biometric
data from show attendees. The organisers
failed to demonstrate due diligence before
collecting biometric data, therefore infringing
Article 35 of GDPR, which deals with requirements
for carrying out a data protection
impact assessment (DPIA).
"With the rise of biometrics and AI, the
focus on data protection and privacy has
never been more important. Questions
should be asked of biometric companies to
ensure they are following GDPR laws, and
are transparent in how data is stored and
accessed. Trust in biometric solutions must
be based on transparency and compliance
with legal, technical and ethical standards.
Only by doing this can we successfully
transition to a world of biometrics that
protects our fundamental right to data
privacy."
Colum Lyons, CEO and founder of ID-Pal:
"Five years on from the introduction of GDPR
and there is still a long road to go. Even this
week, Meta has been hit with a record €1.2
billion fine by the Irish Data Protection
Commission (DPC) for violating a GDPR rule,
proof that severe consequences are waiting
for businesses, if the right GDPR-compliant
measures are not in place.
"Customers' personal data must be carefully
managed and a lot of organisations still
struggle to do this. As more and more
industries are being asked to verify their
customer identities, this is even more critical
to get right when verifying identities as part
of Anti-Money laundering (AML) or Know
your Customer (KYC) processes. The onus is
on the organisation to capture, verify and
store their customer's personal data securely.
Identity verification processes that use
document verification, alongside biometrics
and database means a solution meets
regulatory guidelines in a more robust way,
making the process more complex for
fraudsters to outwit but makes the journey
seamless for users."
Andy Robertson, head of Enterprise and
Cybersecurity Business, Fujitsu UK and Ireland
"Once a compliance headache for businesses,
GDPR has since been emulated by similar
26
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

GDPR
legislation in other parts of the world. Simply
put, data regulations are here to stay. In
addition to safeguarding corporate and
personal data, protocols have also brought
about significant organisational changes.
Many have been forced to examine how
well they are managing and using data and,
like a ruthless spring clean, have been able to
cut down on unnecessary data they were
paying to store.
"Regulation has also helped to level the
playing field by ensuring data use is standardised
and nobody can gain an advantage
through its unethical use - for customer
targeting, for example. GDPR has given
companies the chance to tangibly show
consumers they can be trusted and it's
positive to see how hard they have worked
to be compliant.
"Going forward, the rise of AI-driven
cyberattacks will make data protection all
the more critical. Generative AI platforms
have the ability to create cyber security
attacks, which means even those with
very little cybersecurity and computing
experience can carry them out. To combat
this, organisations must identify equally
sophisticated methods to protect themselves
and their information. At the same time,
they must review their high-level accounts -
who has access to them and when the
passwords were last changed - taking a strict
approach to Multi-Factor Authentication and
Conditional Access.
"New technology creates advanced avenues
for bad actors and shutting these down as
they emerge - or beforehand when possible -
is always a big challenge. While AI may be
the technology that's being talked about
now, there will inevitably be another down
the track and GDPR will need to be adapted
in kind. Similarly, with so many businesses
investigating the use of AI as a productivity
tool, there may be a need for rules that
dictate how data can be used by these
different platforms. As some rely on user
inputs to train the software, one wonders
whether this would constitute a breach of
GDPR, if a particular tool was used to
reformat or analyse sensitive information."
Gert-Jan Wijman, VP of EMEA, Celigo:
"GDPR's introduction five years ago was an
important step for data privacy in Europe,
needed to keep up with technology's rapid
sprawl and privacy concerns that had plagued
consumers. With so much corporate
and personal data moving between systems,
regulating this exchange was inevitable.
"But, in the years since, complying with
new laws and updates to existing regulation
has proven a challenge. Ensuring data use
is compliant is hard enough when an
organisation is only in one market - more so
when it's spread across the continent and
different rules need to be adhered to. Some
countries have stricter enforcement than
others, or differing complementary privacy
laws, and relying on people to ensure
compliance is sustainable. It's a job that's
menial, repetitive and can be overwhelming,
with any human errors putting firms at
reputational and financial risk.
"For example, if a business receives a
request from a customer that they want to
opt out of a service and request the right to
be forgotten, removing their details from
one system and having others automatically
follow suit is more efficient and failsafe than
individually finding and deleting their details
on each and every system.
"Integration ensures that data can be
kept in sync and standardised across linked
applications and departments, so customers
can be assured their data is only being used
in line with existing usage rights and hasn't
unintentionally been fed into - or left out of -
a particular platform. And if they ask for the
personal data being stored on them, workers
won't need to sift through different systems,
because information should be the same in
every system."
Jean-Philippe Deby, director of Global
Accounts at Genetec:
"Coming from the public safety software
industry, we'd often see companies treating
privacy and security as a binary choice. I'm
delighted to say the EU GDPR helped change
that mindset, acting as a major catalyst for
change in Europe and beyond. Part of its
legacy is that we now have explicit legislation
for data and privacy protection in 137
countries around the world. It's now much
more accepted that privacy can be ensured
without compromising security.
"In terms of improvements, I am surprised
how little attention has been paid to the
specific challenges of ensuring compliance
for the operation of video surveillance, access
control and other physical security systems.
Any public or private organisations using
CCTV to monitor public accessible areas
should be concerned and operators need to
focus on adopting privacy by design. Under
the terms of the EU GDPR, data that is
anonymised or pseudonymised is classified as
lower risk. The appropriate use of encryption
and automated privacy tools is, therefore, a
logical first step. For example, video redaction
that blurs out people's faces in video, unless
there is a legitimate reason to reveal their
identity, can minimise the dangers of having
security cameras deployed in public spaces.
"Don't forget, owners of on-premises video
surveillance, access control or ANPR systems
are responsible for all aspects of EU GDPR
compliance, including securing access to the
systems and servers storing the information.
However, by working with an approved cloud
provider, it is possible to offload some of
these responsibilities and significantly reduce
the scope of activities required to ensure
compliance. It is also highly cost effective.
"Nevertheless, it is important to realise that
it isn't a full abdication of responsibility. You
remain accountable for ensuring data is
classified correctly, and share responsibility
for managing users and end-point devices."
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
27

AI
AI - APPROPRIATE INTERRUPTION?
'TO HALT OR NOT TO HALT?' THAT IS THE QUESTION NOW BRINGING
FORTH A SUCCESSION OF ADVOCATES ON BOTH SIDES OF THE AI DEBATE
so many of these processes will continue at
their own pace, regardless of the rate of
release of new LLMs."
Almer recognises there are two sides to the
equation. "The current AI tools DO pose a
significant risk, as well as a huge opportunity
to change business processes that will affect
many workers and open new possibilities,"
he adds. "I find it hard to believe that ANY
government, much less ALL governments,
will be able to understand all implications
and legislate a useful set of laws within a sixor
12-month period."
The fears and concerns over AI and the
threats it may carry as its influence and
power increases are now an ever-present
across business and society. Such is the anxiety
that it has engendered, more than 26,000
people have signed an open letter asking all
artificial intelligence companies to pause the
training of powerful AI systems for at least
six months, because of threats such as the
proliferation of misinformation and the
replacement of human workers by algorithms.
Signatories include Elon Musk and Apply
co-founder Steve Wozniak.
"Recent months have seen AI labs locked in
an out-of-control race to develop and deploy
ever more powerful digital minds that no one
- not even their creators - can understand,
predict, or reliably control," the letter points
out. Is the pause demanded justified or an
overly cautious reaction to progress? Also,
what benefits might a temporary halt bring?
Ultimately, is AI something to be welcomed
or feared, longer term?
It's a debate that is often swayed by which
side of the 'fence' you inhabit. Microsoft
founder Bill Gates, for example, has spoken
out against a hiatus, arguing that he doesn't
think the proposed pause will solve the
challenges. "Clearly there's huge benefits to
these things… what we need to do is identify
the tricky areas," Gates told Reuters news
agency. He also had his doubts as to how
exactly the AI pause would be enforced
and what that would solve. "I don't really
understand who they're saying could stop
and would every country in the world agree
to stop, and why to stop," he told Reuters,
while acknowledging that " there are a lot
of different opinions in this area".
THREATS AND OPPORTUNITIES
Edy Almer, Logpoint product manager for
threat detection and incident response,
believes that a few months' pause in the
development of new AI models would do
little to either affect disinformation spread
or protect jobs. "The current class of LLMs
[large language models], with new members
graduating every week, already offers a huge
opportunity for many business processes to be
overhauled. This automation process is already
longer than the release rate of new models,
He points to the voices that are emanating
from the EU trying to completely bar access.
"They do not seem to be successful at this
stage," he suggests. "Some of these leaders
have issued a new and even more urgent
plea: that mitigating the risk of extinction
from AI should be a global priority alongside
other societal-scale risks, such as pandemics
and nuclear war.
"This request, targeting world leaders, does
stress the risk inherent in those models, but
does not offer specific response paths. I would
take it seriously, because the risks are evident.
In our smaller cyber security realm - like, in
many other areas, ignore LLMs at your own
risk - you need to start experimenting with it
or others will.
"Take security orchestration, automation and
response (SOAR), for example. An automated
system that collects, analyses and prioritises
alerts and security data from many sources
and systems, it provides security teams with
all the contextual information and intelligence
they need for rapid detection and response.
Using highly intelligent language learning
models like ChatGPT, it becomes possible to
28
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

AI
enhance SOAR with a generative AI
integration as part of the SOAR's toolkit.
Doing so can enable security teams to
experiment with the technology to rapidly
speed up time to insight."
UP-CLOSE ENCOUNTERS
For Sophos, the threats AI poses have been
experienced up close - the company has
uncovered multiple apps masquerading
as legitimate ChatGPT-based chatbots to
overcharge users and bring in thousands
of dollars a month, it states. As detailed in
Sophos X-Ops' report, 'FleeceGPT' Mobile
Apps Target AI-Curious to Rake in Cash', these
apps have "popped up in both the Google
Play and Apple App Store, and, because the
free versions have near-zero functionality and
constant ads, they coerce unsuspecting users
into signing up for a subscription that can
cost hundreds of dollars a year".
Comments Sean Gallagher, principal threat
researcher, Sophos: "Scammers have and
always will use the latest trends or technology
to line their pockets. ChatGPT is no exception.
With interest in AI and chatbots arguably
at an all-time high, users are turning to
the Apple App and Google Play Stores to
download anything that resembles ChatGPT.
These types of scam apps - what Sophos has
dubbed 'fleeceware' - often bombard users
with ads until they sign up for a subscription.
"They're banking on the fact that users won't
pay attention to the cost or simply forget that
they have this subscription. They're specifically
designed so that they may not get much use
after the free trial ends, so users delete the
app without realising they're still on the hook
for a monthly or weekly payment."
Sophos X-Ops investigated five of these
Chat-GPT fleeceware apps, all of which
claimed to be based on ChatGPT's algorithm.
In some cases, as with the app 'Chat GBT', the
developers played off the ChatGPT name to
improve their app's ranking in the Google Play
or App Store. While OpenAI offers the basic
functionality of ChatGPT to users for free
online, these apps were charging anything
from $10 a month to $70 a year. The iOS
version of 'Chat GBT', called Ask AI Assistant,
charges $6 a week-or $312 a year-after the
three-day free trial; it netted the developers
$10,000 in March alone, according to
Sophos. "Another fleeceware-like app, called
Genie, which encourages users to sign up
for a $7 weekly or $70 annual subscription,
brought in $1 million over the past month."
The key characteristics of so-called fleeceware
apps, first discovered by Sophos in
2019, states the company, are overcharging
users for functionality that is already free
elsewhere, as well as using social engineering
and coercive tactics to convince users to sign
up for a recurring subscription payment.
Usually, the apps offer a free trial; but, with
so many ads and restrictions, they're barely
useable until a subscription is paid. These
apps are often poorly written and implemented,
meaning app function is often less
than ideal, even after users have switched
over to the paid version. They also inflate their
ratings in the app stores through fake reviews
and persistent requests of users to rate the
app before it has even been used or the free
trial ends.
"Fleeceware apps are specifically designed to
stay on the edge of what's allowed by Google
and Apple, in terms of service, and they don't
flout the security or privacy rules, so they are
hardly ever rejected by these stores during
review," further comments Gallagher. "While
Google and Apple have implemented new
guidelines to curb fleeceware since we
reported on such apps in 2019, developers
are finding ways around these policies,
such as severely limiting app usage and
functionality, unless users pay up.
"While some of the ChatGPT fleeceware apps
included in this report have already been
taken down, more continue to pop up - and
it's likely more will appear. The best protection
is education. Users need to be aware that
Edy Almer, Hors: The current class of
LLMs (large language models) offers
a huge opportunity for many business
processes to be overhauled.
Sean Gallagher, Sophos: his company has
uncovered multiple apps masquerading as
legitimate ChatGPT-based chatbots.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
29

AI
David Trossell, Bridgeworks: AI should
continue to be embraced by enterprises
and startups developing technologies in
the future.
Boris Cipot, Synopsys Software Integrity
Group: legally, who is the owner or author
of what is provided by AI and what are
the flaws AI may have generated?
these apps exist and always be sure to read
the fine print whenever hitting 'Subscribe'.
Users can also report apps to Apple and
Google, if they think the developers are using
unethical means to profit."
KEEPING CONTROL
People are often suspicious of new technologies,
with Sci-Fi movies, such as 'The
Terminator', playing on this fear, says David
Trossell, CEO and CTO of Bridgeworks. "Sure,
cyber-criminals could use AI against us, but
equally we can use AI to protect ourselves;
or to do more with fewer resources. Machine
learning doesn't mean that autonomous
machines will eventually control us. We
can use AI and ML to maintain control.
For example, new technologies that
incorporate AI to ensure that voluminous
amounts of encrypted data can travel
securely at unrivalled speeds over a Wide
Area Network."
He points to the innovation called WAN
Acceleration, which uses AI, ML and data
parallelisation to mitigate latency and packet
loss. "It permits the secure transport and
ingression of encrypted data. Organisations
can increase their bandwidth utilisation,
without investing in new pipes. Without
AI and ML, data would neither be as secure,
nor as fast, over large distances. Rather than
making IT redundant, it enables CIOs to
focus on strategic tasks," advises Trossell.
"Given the benefits of AI and ML, the
question is: 'Why are they trying to stop the
inevitable?' The genie is out of the bottle.
Rodney Brooks [the Australian roboticist]
argues that you have to be aware that, with
any new technology, 50% of the answers are
incorrect. Don't confuse performance with
competence. It's a bit like the cloud. Everyone
rushed to the cloud to avoid missing out,
only to regret it. In 2017, The Global and
Mail wrote: 'The public cloud provider
Nirvanix, in San Diego, California, went
under in 2013, forcing clients to scramble to
retrieve their data before it was forever lost.'
People should reflect, plan, and re-evaluate
AI and ML, Trossell says. "The big VCs are
piling in with money to get on the bandwagon
and AI isn't new. As for ethics, they've
never prevented the making of a dollar. You
can see this with Meta and Twitter. Generative
AI ChatGPT is going to be the same - just
another tool. Will it cause mass unemployment?
Possibly, but growing global trade
and investment impact these changes as
well. Organisations and consumers adapt,
so AI should continue to be embraced by
enterprises and startups developing technologies
in the future."
LEGAL IMPLICATIONS
Ultimately, there is no denying the importance
AI will have in the future, says Boris Cipot,
senior security engineer at the Synopsys
Software Integrity Group. "AI will change the
way information is generated, processed and
used. However, the primary question at this
point is: who will control the usage of this AI?
It is understandable that some companies
have established policies that their employees
do not use AI-based technology for workrelated
tasks, as there are still many unanswered
questions from a legal or security
standpoint.
"For instance, legally, who is the owner or
author of what is provided by AI and what
are the flaws AI may have generated? Here
the flaws can be interpreted as vulnerabilities
in source code created by AI or misinformation
that it is susceptible to, based on
materials used to train the AI. As learned
from the past, technology can be used for
good, but also for bad. AI, still in its infancy,
is no different.
"We cannot predict every possible decision
for every scenario around which AI may be
used," points out Cipot. "But AI systems need
to be trained with reliable and accurate
information, tested to ensure they're not
spreading vulnerable or inaccurate output,
and maintained to ensure they're leveraged
in a productive and constructive way."
30
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

cyber strategy
SECURITY BY DESIGN
NEW CYBERSECURITY MEASURES BEING IMPOSED IN THE US WILL HIT
SOFTWARE COMPANIES HARD. WHAT MIGHT THIS MEAN FOR THE UK?
The US recently published its national
cybersecurity strategy. Released by
the Biden administration, it seeks to
impose minimum security standards for
critical infrastructure onto larger software
makers. Equally, it means to shift responsibility
for maintaining the security of
computer systems away from consumers
and small businesses. What impact is this
likely to have on the security industry - and
what implications, in particular, might this
have for the UK? Does it have any other
option but to follow the same path?
Phil Tonkin, senior director of strategy
at Dragos, says that the US National
Cybersecurity Strategy aiming to move
from a voluntary approach to cybersecurity
in many industries to more aggressive,
and mandatory, regulatory standards -
a 'fundamental shift' to rebalance the
responsibility to defend cyberspace -
did not come as a surprise. "For months,
administration officials telegraphed the
intent to use regulatory and market drivers
to shift the burden of mitigating cyber risks
away from end users and to those best
positioned to have earliest and broadest
impact. This includes not just critical
infrastructure owners and operators, but
also technology companies, software
makers and service providers," he says.
However, this is not a shift that will not
happen overnight. "While the US National
Cybersecurity Strategy signals a stronger
regulatory environment in the US, many
different standards bodies and regulatory
agencies oversee a patchwork of regulatory
frameworks and requirements for different
industries. Even as the administration has
rolled out new requirements for certain
industries, including railways and pipelines,
others will require new authorities from
Congress."
REGULATORY ESSENTIALS
What this means is that the US government
and experts from industry have time to
work together toward building regulatory
requirements that achieve the best possible
outcomes for securing infrastructure and
the digital ecosystem, with a focus on real
security and not just simple compliance
advises Tonkin, who also points out how
the strategy highlights the importance of
international coalitions and partnerships to
counter cyber threats, devoting an entire
pillar to those shared goals.
"The consequences of cybercrime are not
geographically restricted, requiring a global
approach to countering threats and managing
vulnerabilities. Economies are interconnected
globally as well, with many
companies operating across countries
and regions. So, any time a new security
standard or regulation is adopted, industry
has to react and this often has a ripple
effect globally."
He adds that the 2016 UK National Cyber
Strategy has focused on developing
capability with a particular focus on critical
infrastructure across all areas. "In 2022, it
began to consider this in the context of
increasing digitisation, sustainability and
reducing international dependence. This
continues to mature, in particular as the UK
begins to find its own direction in setting
future Network Security legislation outside
of the European Union. "Both the UK and
EU have begun to move legislation to cover
more entities, closer to the consumer,"
Tonkin concludes. "However, there is a
growing global recognition that the
responsibility to secure digital products
cannot be the responsibility of individuals.
The eyes of the world will be on the US to
learn how security by design is enforced."
Phil Tonkin, Dragos.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
31

ansomware attacks
RANSOMWARE RAMPAGE
ORGANISATIONS WORLDWIDE DETECTED 493.33 MILLION RANSOMWARE ATTACKS
IN 2022, IT IS REPORTED. THE AVERAGE COST OF THESE ATTACKS WAS $4.54 MILLION,
ACCORDING TO THE LATEST DATA RELEASED BY IBM
The success of ransomware gangs
has spurred a significant trend of
professionalisation amongst
cybercriminals where different groups
develop specialised services to offer one
another, according to a new report from
WithSecure (formerly F-Secure Business).
Ransomware has been around for decades,
but the threat has continuously adapted
to improvements in defences through the
years. One notable development is the
current dominance of multi-point extortion
ransomware groups, which employ several
extortion strategies at once (usually both
encryption to prevent access to data and
stealing data to leak publicly) to pressure
victims for payments.
According to an analysis by WithSecure of
over 3,000 data leaks by multi-point extortion
ransomware groups, organisations in the
United States were the most common victims
of these attacks, followed by Canada, the
UK, Germany, France and Australia. Taken
together, organisations in these countries
accounted for three-quarters of the leaks
included in the analysis.
The construction industry seemed to be
the most impacted and accounted for 19%
of the data leaks. Automotive companies,
on the other hand, only accounted for
about 6%. A number of other industries sat
between the two, due to ransomware groups
having different victim distributions, with
some families targeting one or more
industries disproportionately to others.
While the threat of ransomware has inflicted
considerable pain on organisations in various
countries and industries, its transformative
impact on the cybercrime industry cannot be
overstated, it is pointed out. States senior
threat intelligence analyst Stephen Robinson:
"In pursuit of a bigger slice of the huge
revenues of the ransomware industry,
ransomware groups purchase capabilities
from specialist e-crime suppliers, in much t
he same way that legitimate businesses
outsource functions to increase their profits.
"This ready supply of capabilities and
information is being taken advantage of by
more and more cyber threat actors, ranging
from lone, low-skilled operators, right up
to nation state APTs [advanced persistent
threats]. Ransomware didn't create the
cybercrime industry, but it has really thrown
fuel on the fire."
493 MILLION ATTACKS
Richard Massey, the vice president of sales,
EMEA, at Arcserve, comments that, in 2022,
organisations worldwide detected 493.33
million ransomware attacks. According to
the latest data from IBM, the average cost
of these attacks was $4.54 million.
"Those are astounding numbers," comments
Massey. "And, in response, governments
are taking action. One of the actions they've
taken already is forbidding payments to
ransomware gangs. Recently, the US and UK
announced sanctions, including a payment
ban to Russia's notorious Trickbot ransomware
gang. Florida and North Carolina have
banned state government departments from
paying ransom to cyber gangs; New York is
considering similar legislation."
SPLIT DECISION
Massey continues: "Another action that
governments are mulling is a legal requirement
that companies be ransomware-ready.
Is this a good idea? In a recent survey by
Arcserve, respondents were evenly split on
the question. They were also divided on the
question of whether companies that do pay
a ransom should face penalties. Those
supporting penalties argue that paying a
ransom encourages cybercriminals and
perpetuates the problem. Those against
penalties say that paying the ransom is often
the only way to recover lost data and that
penalising victims amounts to kicking them
when they're down."
These findings demonstrate the complexity
of the issue and the challenges that are faced
by governments and businesses addressing
them, he adds. "For example, legally requiring
companies to be ransomware-ready would
have myriad benefits and drawbacks. On
the benefit side, such laws could improve
cybersecurity and limit ransomware attacks.
They could reduce the financial impact on
companies everywhere and inspire better
consumer confidence in data security. On
the drawback side, such laws would likely
increase compliance costs, more regulatory
complexity, and a false sense of security.
32
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

ansomware attacks
While laws could establish a baseline
standard for cybersecurity, that standard
would be a challenge for many small and
medium-sized enterprises. And besides,
compliance would not be an ironclad
guarantee of immunity to ransomware
attacks."
MOST VICTIMS PAY UP
Meanwhile, according to the latest Cyber
Confidence Index, from cybersecurity firm
ExtraHop, 83% of victims of ransomware
attacks pay up to the criminals. Whether or
not these ransom payments are a good idea
for those whose data is hacked, or even
prevents the publication of their personal
details, they do incentive criminal behaviour.
This incident was seemingly caused by
a vulnerability in a software supply chain,
meaning a component of the application
these HR teams thought they were buying
was compromised, unknown to them.
ExtraHop's research found that 77% of IT
decision makers blame outdated cybersecurity
practices for contributing to at least
half of all their cybersecurity incidents.
"With proper security processes in place,
you can stop an attack before it develops
into ransomware," says Jamie Moles, senior
technical manager at ExtraHop. "Too often
we see businesses fail to properly secure
their networks and data, leading to breaches
and stolen data. No one is exempt from
ransomware gangs, which is why every
business should prepare to be attacked."
ATTACKS HIT HARD
The recent Sophos 'State of Ransomware
2023' report reinforces all of the turmoil that
is generated by ransomware attacks, finding
that, in 76% of ransomware attacks against
surveyed organisations, adversaries succeeded
in encrypting data. This is the highest rate
of data encryption from ransomware since
Sophos started issuing the report in 2020.
The survey also showed that, when organisations
forked out a ransom payment to
get their data decrypted, they also ended up
doubling their recovery costs ($750,000
in recovery costs versus $375,000 for
organisations that used backups to get data
back). Moreover, paying the ransom usually
meant longer recovery times, with 45%
of those organisations that used backups
recovering within a week, compared to just
39% of those that paid the ransom.
Overall, 66% of the organisations surveyed
were attacked by ransomware - which was
the same percentage as the previous year.
This suggests that the rate of ransomware
attacks has remained steady, despite any
perceived reduction in attacks.
"Rates of encryption have returned to very
high levels after a temporary dip during the
pandemic, which is certainly concerning.
Ransomware crews have been refining their
methodologies of attack and accelerating
their attacks to reduce the time for defenders
to disrupt their schemes," states Chester
Wisniewski, field CTO, Sophos.
"Incident costs rise significantly when
ransoms are paid. Most victims will not be
able to recover all their files by simply buying
the encryption keys; they must rebuild and
recover from backups as well. Paying
ransoms not only enriches criminals, but it
also slows incident response and adds cost to
an already devastatingly expensive situation."
When analysing the root cause of ransomware
attacks, the most common was an
exploited vulnerability (involved in 36% of
cases), followed by compromised credentials
(involved in 29% of cases). This is in line with
recent in-the-field incident response findings
from the Sophos '2023 Active Adversary
Report for Business Leaders'.
MOVING IN ON MOVEIT
According to the latest analysis from NCC
Group's Global Threat Intelligence team,
released in July, Ransomware attacks
Richard Massey, Arcserve: organisations
worldwide detected 493.33 million
ransomware attacks in 2022.
Stephen Robinson, WithSecure: ransomware
didn't create the cybercrime industry, but it
has really thrown fuel on the fire.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security
33

ansomware attacks
Chester Wisniewski, Sophos: most victims
will not be able to recover all their files by
simply buying the encryption keys.
Steve O'Malley, Callsign: Organisations need
a comprehensive approach, including using
anti-fraud technologies that address all kinds
of fraud.
continue to hit record levels, with 434 attacks
in June 2023, a 221% increase on the same
period last year (135 attacks - June 2022).
June's high levels of activity has been mostly
driven by Russian-speaking threat actor
Clop's exploitation of the MOVEit file transfer
software vulnerability, consistently high levels
of activity by groups such as Lockbit 3.0 and
the emergence of several new groups since
May, says NCC. Clop was responsible for 90
of the 434 attacks (21%) in June.
LOCKED IN
Lockbit 3.0, the most active threat actor of
2023 so far, was responsible for 62 of the
attacks, a fall of 21% from 78 attacks in May.
8base, a new threat actor discovered in May,
stepped up activity with 40 attacks (9%) in
June - making it the third most active threat
group that month. Other notable activity
included 17 attacks from Rhysida and nine
attacks from Darktrace, two ransomware-asa-service
(RaaS) groups that were first
observed in May 2023.
"The considerable spike in ransomware
activity so far this year is a clear indicator of
the evolving nature of the threat landscape,"
states Matt Hull, global head of threat intelligence
at NCC Group. "The better-known
players, such as Lockbit 3.0, are showing no
signs of letting up, newer groups like 8base
and Rhysida are demonstrating what they're
capable of and Clop have exploited a major
vulnerability for the second time in just three
months.
"It's imperative that organisations should
remain vigilant and adapt their security
measures to stay one step ahead,” he adds.
“We strongly advise any organisation using
MOVEit file transfer software to apply the
recent patch, given this vulnerability is being
actively exploited."
SCAMS: KNOCK-ON IMPACT
Meanwhile, Callsign has issued the results of
its annual scams research, revealing what it
describes as "the true extent of the damage
that scams have to business reputation".
Data from 8,000 consumers polled in nine
countries - 1,000 in the UK - about their
experiences of scams has identified a 40%
increase in UK consumers who have received
a scam message, compared to 2021. 23% of
those who have received a scam message
said this was enough for them to stop using
the company or service associated with the
message.
The research found that over a third (38%)
of UK respondents have lost money to scams
and 35% hadn't received any form of reimbursement
from their bank after becoming
a victim of fraudulent activity.
The types of 'scams' consumers said they
can protect themselves from included all
types of fraud such as phishing for PII data,
romance scams, investment fraud, bots or
malware for account take over purposes,
and other undisclosed vectors.
WHAT DENOTES A ‘SCAM’
However, while the definition of what
constitutes a scam varies across regions and
financial institutions (FIs), only authorised
fraud, such as authorised push payments
(APP), are generally considered by a FI to be
a scam. There appears to be a language gap
between FIs and consumers when it comes
to scams. It is possible the risk to corporate
reputation is being underestimated by FIs,
because banks' reputations are being
impacted by fraud more broadly than just
scams.
"Organisations need a comprehensive
approach, including using anti-fraud
technologies that address all kinds of fraud,"
says Steve O'Malley, chief revenue officer,
Callsign. "This is the first step - along with
finding a common language with customers
around the threat of scams - towards
repairing and rebuilding the trust that fraud
can damage so easily, and better protecting
a business' hard-won reputation."
34
computing security July/August 2023 @CSMagAndAwards www.computingsecurity.co.uk

Computing
Security
Secure systems, secure data, secure people, secure business
e-newsletter
Are you receiving the Computing Security
monthly e-newsletter?
Computing Security always aims to help its readers as much as possible to do
their increasingly demanding jobs. With this in mind, we've now launched a
Computing Security e-newsletter which is produced every month and is available
free of charge. This will enable us to provide you with more content, more
frequently than ever before.
If you are not already receiving this please send your request to
christina.willis@btc.co.uk and advise her of the best email address for the
newsletter to be sent to.