CS Nov-Dec 2023
Computing Security
Secure systems, secure data, secure people, secure business
THE GREAT ESCAPE: Beating the cybercriminals
NEWS, OPINION, INDUSTRY, COMMENT, CASE STUDIES, PRODUCT REVIEWS
FACING UP TO AI: The good and the bad, but which will win out?
DATA PRIVACY DILEMMA: Can the latest rules and regulations keep you safe as an avalanche of new threats sweeps in?
NIGHT OF TRIUMPH! Revealed: who took the laurels at our 2023 Awards
Computing Security November/December 2023
comment
LEGAL CHALLENGE
We all need recourse to legal services at various times in our lives and rely on these firms to protect our interests during those transactions. Yet law firms, as is now the case with so many other businesses, are faced with a rapidly evolving cyber security landscape, with cybercriminals employing increasingly sophisticated techniques to breach their defences.
The shift towards remote work and cloud services has broadened the attack surface, says Access Group, leaving law firms very vulnerable to a wide range of cyber threats that include phishing attacks, ransomware and supply chain vulnerabilities. It's a formidable task to overcome these challenges, but one that has to be actively embraced. Firms have to set aside the right levels of investment and planning to cope with this rising threat - which means the involvement of everyone throughout the organisation.
"To protect themselves and their clients, law firms must adopt robust cyber security measures, such as zero-trust methodologies and conditional access policies," states business management software provider Access Group. Adds legal IT expert Harry Fallows: "Staying informed about the latest cyber security trends and working with reputable IT security providers are crucial steps in safeguarding sensitive data and maintaining client trust in the digital age."
I cannot end this Comment without singling out the BIG happening that took place in October: the 2023 Computing Security Awards.
What a remarkable night it was, with a powerful line-up of companies, solutions and individuals vying for the top prizes. It was a privilege to be there and to have the honour of presenting the winners with their engraved glassware.
For a round-up of all the winners and some great pictures, see pages 12-13. If the next awards are up there with this one, we’ve another exceptional event to look forward to.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall (brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis (ian.collis@btc.co.uk)
SALES:
Edward O’Connor (edward.oconnor@btc.co.uk) +44 (0)1689 616 000
Daniella St Mart (daniella.stmart@btc.co.uk) +44 (0)1689 616 000
Stuart Leigh (stuart.leigh@btc.co.uk) +44 (0)1689 616 000
PUBLISHER: John Jageurs (john.jageurs@btc.co.uk)
Published by Barrow & Thompkins Connexions Ltd (BTC), 35 Station Square, Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years, £80/three years
Europe: £48/year, £85/two years, £127/three years
R.O.W: £62/year, £115/two years, £168/three years
Single copies can be bought for £8.50 (includes postage & packaging).
Published 6 times a year.
© 2023 Barrow & Thompkins Connexions Ltd. All rights reserved. No part of the magazine may be reproduced without prior consent, in writing, from the publisher.
www.computingsecurity.co.uk Nov/Dec 2023 computing security @CSMagAndAwards
inside this issue
CONTENTS
COMMENT
Legal challenge: law firms battered by breaches to their defences
NEWS
Hornetsecurity’s 'essential companion'
How email is used to breach accounts
340 million people hit by data breaches
OH, WHAT A (WINNING) NIGHT!
The Computing Security Awards 2023 clearly demonstrated the remarkable breadth of talent right across our industry. Each and every category was hotly contested: in the end, though, there could only be one winner. We bring you the full rundown of the top achievers on page 13.
RANSOMWARE’S UPS AND DOWNS
Some observers are reporting a drop-off in ransomware, although, this is sometimes where comparisons are made on a monthly basis. Year on year, the trend has often remained upwards. For every more upbeat statistic that emerges, there is more often than not a corresponding downbeat one.
THE CRIME-BUSTING BATTLE
Cybercrime is rapidly spreading and impacting organisations across the world. According to one company monitoring the worsening situation, global cyberattacks increased by 28% in 2022, compared to the same quarter in 2021 - and this trend is only likely to continue.
PHISHING ENTERS DARKER WATERS
By connecting to world events, anniversaries, holidays, as well as the hopes and fears of ordinary people, cybercriminals can concoct persuasive emails and many other forms of communication, gaining employee trust and getting them to open the doors into internal systems.
ARTICLES
INSIDE THE REVOLUTION
A new book argues why we must act to overcome powerful technologies disrupting and transforming our reality
CRUCIAL ROLE OF IDENTITY
Zero Trust adopts a 'never trust, always verify' philosophy, with identity pivotal
RANSOMWARE HITS BACKUP FILES
Hornetsecurity’s Daniel Hofmann looks into an ever-present danger
VITAL ROLE OF CYBER TRAINING
How to drive employee engagement with departmental cybersecurity education
WHY LEADERSHIP SKILLS MATTER
How leaders can motivate and guide their workforces in times of great peril
ON YOUR METAL!
Metal fabrication company reaches out for the right solution to protect its operations
FAKING IT WITH AI
Scaling new heights can be exhilarating, but it's also a precipice to tumble over
DATA PRIVACY CHALLENGE
Is the constant battle to keep digital privacy laws and regulations relevant to the digital age still being won?
PRODUCT REVIEWS
HORNETSECURITY 365 PERMISSION MANAGER
ENDACE: ENDACEPROBE CLOUD
news
HORNETSECURITY UNVEILS ITS NEW 'ESSENTIAL COMPANION'
Daniel Hofmann, Hornetsecurity.
Cybersecurity provider Hornetsecurity has published 'Microsoft 365: The Essential Companion Guide', designed for IT administrators who manage a Microsoft 365 environment. The guide can be accessed here. It is also aimed at decision-makers looking to gain an overview of what to expect when migrating to the cloud and ways they can adopt services in Microsoft 365 (M365). It complements Hornetsecurity's recent launch of Plan 4 'Compliance & Awareness' of its flagship solution 365 Total Protection.
"The new Plan 4 of Hornetsecurity's cloud-based solution is its most comprehensive, taking M365 security management and data protection to the next level by encompassing email security, backup and recovery, compliance, permission management and security awareness," says the company.
Comments Hornetsecurity CEO Daniel Hofmann: "Administrators have a big, and often complex, job on their hands that can become overwhelming, given the pace at which technology and business needs continue to advance." The guide will play an important role in delivering a thorough understanding of Microsoft 365 and how to use it to the best of its abilities, he adds. "With this guide, we want to save time and hassles for M365 administrators, helping them work smarter and not harder."
HOW ATTACKERS EXPLOIT EMAIL TO BREACH AN ACCOUNT
A new Threat Spotlight by Barracuda researchers shows how attackers can misuse inbox rules in a successfully compromised account to evade detection. Meanwhile, amongst other things, they quietly move information out of the corporate network via the breached inbox. Not only this, but attackers can also ensure that victims don't see security warnings, file selected messages in obscure folders so the victim won't easily find them, or delete messages from the senior executive they are pretending to be, in an attempt to extract money. Says Prebh Dev Singh, manager, email protection product management, at Barracuda: "Malicious rule creation poses a serious threat to the integrity of an organisation's data and assets. Because it is a post-compromise technique, it's a sign that attackers are already in your network. Immediate action is required to get them out."
Prebh Dev Singh, Barracuda.
THE STRUGGLE TO ALIGN CYBERSECURITY WITH BUSINESS OUTCOMES
A worrying 97% of respondents' organisations face challenges in trying to align cybersecurity priorities with business outcomes. That is one finding of a study conducted by Forrester Consulting on behalf of WithSecure (formerly F-Secure Business). WithSecure chief information security officer Christine Bejerasco says it requires cybersecurity professionals to develop a different strategic approach to how they think about their jobs. "It can be difficult for security practitioners to see their work in relation to a business' purpose or objectives, but that's really how many boards or executives view security work," she states. "However, the transition to outcome-based security doesn't necessarily involve abandoning traditional metrics. It means explicitly recognising the value of those metrics in relation to how they benefit the organisation and its objectives."
Christine Bejerasco, WithSecure.
ALMOST 340 MILLION PEOPLE HIT BY DATA BREACHES IN FOUR MONTHS
The 'Independent Advisor' has just launched a new Company Data Breach Tracker for 2023. A regularly updated, month-by-month timeline of the latest such breaches and hacks in 2023, it also tracks overall business breach statistics for the year. With almost 340 million people affected by business data breaches in the first four months of 2023 alone, staying secure online remains a growing concern for companies. More and more fall victim to cyber-attacks, phishing scandals and ransomware, leading to data leaks, huge payouts and often lawsuits. Lead writer and researcher Camille Dubuis-Welch comments: "Like it or not, cybercrime is prolific."
book review
INSIDE THE REVOLUTION
A RANGE OF POWERFUL TECHNOLOGIES IS DISRUPTING AND TRANSFORMING EVERY CORNER OF OUR REALITY. A NEW BOOK ARGUES WHY AND HOW WE MUST ACT AND ADAPT TO THIS
'Unsupervised: Navigating and Influencing a World Controlled by Powerful New Technologies' examines the fast-emerging technologies and tools that are already starting to revolutionise our world.
Beyond that, the book takes an in-depth look at how we have arrived at this dizzying point in our history, who holds the reins of these formidable technologies, mostly without any supervision, state its authors, Daniel Doll-Steinberg and Stuart Leaf. 'Unsupervised' sets out to explain why we, as business leaders, entrepreneurs, academics, educators, lawmakers, investors or users and all responsible citizens, must act now to influence and help oversee the future of a technological world.
There are several chilling reminders in the book of the seeming impasse we have arrived at in our quest for greater 'advancement'. Take, for instance, this observation from the two authors: "… technology in the hands of humankind is now akin to a massive double-edged sword - a light saber, in fact, in the hands of an untrained child. Wielding it can create instant and possibly irreversible impact, for good or for bad, faster than one can realize what has happened".
Quantum computing, artificial intelligence, blockchain, decentralisation, virtual and augmented reality and permanent connectivity are just a few of the technologies and trends considered, but the book delves much deeper, too. It offers a thorough analysis of energy and medical technologies, as well as cogent predictions for how new tech will redefine our work, money, entertainment, transportation and our home and cities, and what we need to know to harness and prosper from these technologies.
Doll-Steinberg and Leaf detail how, when we look a bit farther into the future, we can see that the task facing us is to completely reinvent life as we know it - work, resources, war and even humanity itself will undergo redefinition, thanks to these new and emerging tools. In 'Unsupervised', they set out to examine what these redefinitions might look like and how we, as individuals and part of society, can prevent powerful new technologies from falling into the wrong hands or being built to harm us.
ABOUT THE AUTHORS
DANIEL DOLL-STEINBERG created one of the first global standards for digital rights management, securing and delivering activation keys and content direct to customers, which is said to have helped transform the software industry. Specialising in disruptive technologies, and focusing on Blockchain and AI, he was later appointed by the European Commission, and then the UK government, as an expert advisor specialising in education, growth, disruption and Future of Work policy.
STUART LEAF started his career at Merrill Lynch Capital Markets and Goldman Sachs. He held senior positions in smaller real estate, private equity and asset management firms, before co-founding Cadogan Management, a Fund of Hedge Funds, in 1994. Investing around the world in a range of strategies, including a significant exposure to technology, he and his partners grew the funds to $7.5 billion in assets.
product review
HORNETSECURITY 365 PERMISSION MANAGER
Microsoft 365 (MS365) is the productivity and communications platform of choice for organisations of all sizes, with it already having reached a staggering 382 million paid seats this year. A huge number of companies, including those with hybrid working practices, clearly see the benefits of MS365 cloud collaboration services; but ensuring adequate protection of information assets, and preventing unauthorised and anonymous access, can be a major challenge.
Hornetsecurity's 365 Permission Manager is the perfect solution, as it provides administrators with all the tools needed to control access permissions, monitor violations and enforce compliance policies. Easily managed from a single cloud portal, it readily allows organisations to ensure compliance with internal and external regulations, and maintain access policies across sharing sites, folders and files.
Onboarding is very swift, as you simply select 365 Permission Manager from Hornetsecurity's Control Panel, provide all required tenant details and authenticate with your MS365 account. It avoids management issues with MS365 global administrators and potential permission creep, as it uses API connections and doesn't store any credentials.
INFORMATIVE DASHBOARD
The Control Panel presents a highly informative dashboard, with pie charts showing overall compliance health, plus separate ones for SharePoint, OneDrive and Teams. A time-filtered graph reveals fixed and approved violations, while others are provided for item-level and policy compliance, upcoming and overdue audits, and violation trends over time.
You can also view your compliance policies and 365 Permission Manager does all the hard work for you, as it includes a set of predefined ones. These are all based on the ISO 27001 information security management systems standard, so applying them to your organisation will help you meet certification requirements.
You can easily create custom policies and set internal and external sharing criteria, while, at the site level, you set external sharing levels for all people in your organisation, existing and new guests or anyone; apply default sharing links and permissions; and set guest access expiration times in days. Policies are a very powerful feature as, if any action violates them, administrators will receive an alert and an option to approve or fix them.
SharePoint site and OneDrive account exploration reveals all entities and their applied policy, while colour-coded icons show if they are compliant. Further icons highlight if they have items with anonymous access granted, those that have organisation-wide access and with external user access permitted.
Click the quick actions button and you will then be presented with five of the most powerful features of this service. With no more than three clicks, you can set an external sharing level for a SharePoint site or OneDrive account, clean up orphaned users, remove 'Everyone' permissions, revoke user or group access or set site permissions.
There's much more, as 365 Permission Manager presents a 'To Do' list, with all policy violations that require your attention. The list can be filtered and, with one click, you can either approve the violation or fix it: you can fix site settings or 365 Permission Manager can automatically remove user access.
As you'd expect, there are plenty of reporting tools provided, with options to generate ones for full site permissions, user and group access, and also external access. An activity log provides essential auditing for all administrative activities and the portal generates daily alert summaries, which can be sent to multiple recipients.
MS365 rights management presents many pain points, as it is far too easy for users to share files across this platform and so difficult for administrators to stay in control. Hornetsecurity's 365 Permission Manager brings order to this rights chaos and gives administrators the power to effortlessly enforce policy compliance and ensure access to critical data is tightly locked down.
Product: 365 Permission Manager
Supplier: Hornetsecurity
Web site: www.hornetsecurity.com
Tel: +44 (0) 203 0869 833
Sales: sales@hornetsecurity.com
Contact Hornetsecurity for pricing
zero trust
CRUCIAL ROLE OF IDENTITY IN ZERO TRUST SECURITY
ZERO TRUST ADOPTS A 'NEVER TRUST, ALWAYS VERIFY' PHILOSOPHY, WITH IDENTITY PLAYING A PIVOTAL ROLE
Global analyst Gartner estimates that more than 85% of organisations will embrace a cloud-first principle and over 95% of new digital workloads will be deployed on cloud-native platforms by 2025. This increasingly digital world accelerates cybersecurity threats, leading organisations to embrace new strategies to protect sensitive data and assets.
The Zero Trust approach, with identity as the linchpin, has gained prominence among cybersecurity trends for organisations to mitigate emerging cyber risks and have better cyber hygiene, according to Brian Ramsey, VP of America, Xalient, and Jaye Tilson, field CTO, HPE Aruba Networking.
"Traditionally, organisations relied on perimeter-based security models that operated under the assumption that threats could be kept at bay by securing the network perimeter," they point out. "However, as cyberattacks became more sophisticated, it became clear that this approach was no longer effective. Attackers found ways to bypass these perimeter defences, rendering them inadequate."
Zero Trust flips this model on its head by adopting a 'never trust, always verify' philosophy, they state. "In a Zero Trust environment, trust is never assumed, regardless of whether a user or device is inside or outside the corporate network. Identity plays a pivotal role in verifying and authenticating users and devices, ensuring that access to resources is granted based on their identity, permissions and the context of their request."
They single out identity as being right at the heart of context-aware access control, a fundamental component of Zero Trust. "For example, a user attempting to access a critical database from an unfamiliar device and location may trigger additional authentication measures or even deny access entirely until their identity and intent are verified. This dynamic approach to access control enhances security while allowing for flexibility and user productivity."
Moreover, Zero Trust extends beyond the initial authentication process; it emphasises both continuous monitoring and adaptive authentication. In this context, identity is not a one-time verification, but an ongoing process. Users and devices are continually assessed for risk and access privileges can be adjusted in real time, based on changing circumstances.
"For instance, if an authenticated user suddenly exhibits unusual behaviour patterns or attempts to access sensitive data outside of their usual work hours, the system can flag this as a potential security threat and prompt additional authentication or restrict access until the user's identity and intent are confirmed."
In a Zero Trust environment, identity-centric threat detection and response are critical components. "By closely monitoring the behaviour and identity of users and devices, organisations can quickly detect and respond to suspicious activities. Identity-based threat detection enables security teams to identify unauthorised access attempts, insider threats, and other malicious activities that may go unnoticed in traditional security models."
However, they also offer a few words of caution. "A mature, widely deployed Zero Trust implementation demands integration and configuration of multiple different components, which can become quite technical and complex. Success is highly dependent on the translation to business value. Our advice is to start small and evolve, making it easier to better grasp the benefits of a programme and manage some of the complexity, one step at a time."
Brian Ramsey (left) and Jaye Tilson: identity plays a pivotal role.
2023 CS Awards
Magician Nick Einhorn: 'Now you see him….'
https://flic.kr/s/aHBqjAZ4Es
Oh what a (WINNING) night!
THE 2023 COMPUTING SECURITY AWARDS TOOK PLACE AT A TOP LONDON VENUE: AND WHAT A NIGHT OF SUCCESS AND CELEBRATIONS THEY PROVED TO BE
Guests gather before the dinner and awards ceremony.
The Computing Security Awards were once again a massive success, clearly demonstrating what a remarkable breadth of talent there is right across every sector of our industry.
While the winners in each category were rightly applauded and feted by all of those who attended, what was evident was how competitive these awards - now in their 14th year - have become. Category after category was hotly contested. Everyone could enjoy their own sense of achievement at making it into the final.
It was a night of many surprises on many levels - not least when Nick Einhorn took to the stage and beguiled the whole room with his magic skills. A winner on ITV1's hit show, 'Penn & Teller: Fool Us', in which he bamboozled two of the most revered and respected magicians in the world, he's a Gold Star member of The Inner Magic Circle and three-times winner of The Magic Circle 'Close-up Magician of the Year' award and it wasn't hard to see why. Great entertainment from an excellent entertainer.
This was a magic night in every sense. All that remains is to extend our warmest congratulations to the winners and everyone who took part, making these awards a truly unique and unmissable occasion.
On the following page are all the Winners on the night for each of the awards:
THE 2023 WINNERS:
EMAIL SECURITY SOLUTION OF THE YEAR: Smarttech247 - NoPhish
ANTI MALWARE SOLUTION OF THE YEAR: Hornetsecurity - Hornetsecurity 365 Total Protection
INCIDENT RESPONSE & INVESTIGATION SECURITY SERVICE PROVIDER OF THE YEAR: Cyderes
NETWORK SECURITY SOLUTION OF THE YEAR: macmon - macmon NAC
ENCRYPTION SOLUTION OF THE YEAR: Watchguard - AD360
ADVANCED PERSISTENT THREAT (APT) SOLUTION OF THE YEAR: Gatewatcher - AIONIQ
DATA LOSS PREVENTION SOLUTION OF THE YEAR: VIPRE Security Group - SafeSend
CYBER SECURITY COMPLIANCE AWARD: Torsion Information Security
AI AND MACHINE LEARNING BASED SECURITY SOLUTION OF THE YEAR: Heimdal Security - Threat Prevention Endpoint
IDENTITY AND ACCESS MANAGEMENT SOLUTION OF THE YEAR: SecurEnvoy - Access Management Solution
ANTI PHISHING SOLUTION OF THE YEAR: Metacompliance - MetaPhish
SECURE DATA & ASSET DISPOSAL COMPANY OF THE YEAR: Gigacycle
CLOUD-DELIVERED SECURITY SOLUTION OF THE YEAR: Cyderes - Cyderes Cloud Identity
MOBILE SECURITY SOLUTION OF THE YEAR: Jamf - Jamf Protect
PENETRATION TESTING SOLUTION OF THE YEAR: Edgescan - Edgescan Professional Services
BREACH AND ATTACK SIMULATION SOLUTION OF THE YEAR: Kroll - Redscan
DATA PROTECTION AS A SERVICE PROVIDER OF THE YEAR: Veritas
REMOTE MONITORING SECURITY SOLUTION OF THE YEAR: Cursor Insight - Graboxy Sentinel
SECURITY EDUCATION AND TRAINING PROVIDER OF THE YEAR: Metacompliance
WEB APPLICATION FIREWALL OF THE YEAR: Cyberhive - Trusted Cloud
THREAT INTELLIGENCE AWARD: VIPRE Security Group
SECURITY RESELLER OF THE YEAR: Next Generation Security
SECURITY DISTRIBUTOR OF THE YEAR: Brigantia
ENTERPRISE SECURITY SOLUTION OF THE YEAR: Libraesva - Libraesva Email Security
SME SECURITY SOLUTION OF THE YEAR: VIPRE Security Group - ATP
INDIVIDUAL CONTRIBUTION TO CYBERSECURITY AWARD: Rob Jeffery, CTO - Next Generation Security
CYBER SECURITY CUSTOMER SERVICE AWARD: Brookcourt Solutions
SECURITY SERVICE PROVIDER OF THE YEAR: Sapphire
SECURITY PROJECT OF THE YEAR - PUBLIC SECTOR: TMC3 - Department for Transport (DfTc)
SECURITY PROJECT OF THE YEAR - PRIVATE SECTOR: Redkey USB - Preloved Tech
SECURITY PROJECT OF THE YEAR - CLOUD COMPLIANCE: Barracuda - NHS Scotland
EDITOR'S CHOICE: Hornetsecurity - 365 Permission Manager
CYBER SECURITY INNOVATION AWARD: MTI - Security Targeted Operating Model (STOM)
NEW PRODUCT/SOLUTION OF THE YEAR: Veritas - Veritas Alta
ONE TO WATCH SECURITY – PRODUCT: Arcserve - Arcserve UDP
ONE TO WATCH SECURITY – COMPANY: Censornet
SECURITY COMPANY OF THE YEAR: MetaCompliance
SECURITY SOFTWARE SOLUTION OF THE YEAR: SecurEnvoy - Data Discovery
SECURITY HARDWARE SOLUTION OF THE YEAR: Arcserve - Arcserve OneXafe 4500 Series
To see the full results – Winners and Runners-up – go to: www.computingsecurityawards.co.uk
ransomware<br />
ENEMY NO 1 - IS THE CROWN SLIPPING?<br />
WHILE THERE ARE INDICATIONS THAT RANSOMWARE MAY BE SLIDING DOWN THE CHARTS<br />
OF PREFERRED ATTACK METHODS, THE OVERALL MESSAGE STILL REMAINS MIXED<br />
A number of observers are now reporting<br />
a drop-off in ransomware activity,<br />
although, in some instances, this is<br />
where comparisons are made on a monthly<br />
basis, whereas, year on year, the trend has<br />
often remained upwards. For every more<br />
upbeat statistic that emerges, there is usually<br />
a corresponding downbeat one, as can be all<br />
too readily seen in this article.<br />
Deepen Desai, Global CISO, head of security<br />
research & operations at Zscaler, points to how<br />
Zscaler's ThreatLabz research team reported<br />
earlier this year that ransomware attacks<br />
had grown 37% overall year over year, with<br />
the average cost of an attack reaching a<br />
staggering $5.3 million. "The use of phishing<br />
and spam email has long been a primary<br />
infection vector for ransomware threat actors,<br />
but some actors are switching tactics." Desai<br />
cites how the recent and growing number<br />
of attacks on the gaming industry, along with<br />
the popularity of malware like 'BazarCall',<br />
showcase a technique called 'vishing'.<br />
Vishing involves voice-based attacks in which<br />
actors speak to targets over the phone, rather than<br />
through email. Actors find it more effective, due<br />
to a lack of awareness, than email-based<br />
spam, which is often covered by mandatory<br />
training at many organisations. "While some<br />
recent attacks didn't involve spam, the ultimate<br />
objective remains the same: infiltrate the target<br />
environment, perform lateral movement to<br />
obtain access to an administrator's account,<br />
identify crown-jewel applications to exfiltrate<br />
large volumes of sensitive data, and potentially<br />
deploy ransomware," he adds.<br />
"Ransomware attacks all follow the sequence<br />
[or similar] to the one I've mentioned above.<br />
To stop these attacks consistently, your security<br />
strategy should aim to disrupt as many stages<br />
of this attack chain as possible, maximising<br />
your chances of stopping the attack, even if<br />
the threat actors evade some of your security<br />
controls. To safeguard your organisation,<br />
I recommend replacing vulnerable appliances<br />
like VPNs and firewalls with Zero Trust Network<br />
Access (ZTNA) for applying consistent security<br />
with enhanced segmentation."<br />
THEFT IS 'THE BIGGEST CONCERN'<br />
Meanwhile, Integrity360 has recently released<br />
research findings into the cybersecurity threats<br />
being faced by 205 IT security decision makers,<br />
with more than half of the respondents (55%)<br />
citing data theft as the biggest concern, which<br />
is followed by phishing (35%) and then by<br />
ransomware (29%).<br />
CIOs (30%) and CTOs (33%) surveyed also<br />
ranked APTs (advanced persistent threats)<br />
and targeted attacks as a bigger concern<br />
than ransomware (28%, 33%). "As APTs are<br />
generally established to deliver objectives with<br />
national-level implications, such as espionage<br />
or destruction of infrastructure, it's no surprise<br />
that, as these threats continue to mount,<br />
the emphasis on ransomware, whilst still an<br />
ongoing concern, is lessening relative to other<br />
threats," points out the cybersecurity specialist.<br />
Ransomware (25%) was ranked fourth<br />
amongst the challenges causing sleepless<br />
nights, likely due to the increased awareness<br />
surrounding backups, states Integrity360,<br />
making ransom attacks less rewarding, "while<br />
data theft alone can have dire consequences,<br />
in terms of reputational damage, hefty compliance<br />
fines and potential loss of IP, to name<br />
but a few".<br />
According to Brian Martin, head of product<br />
development, innovation and strategy, at<br />
Integrity360: "IT environments have become<br />
increasingly complex, with many enterprises<br />
now employing multi-cloud strategies and<br />
multiple products, which can leave gaps<br />
in security, and see businesses paying<br />
for underutilised and overlapping tools<br />
unnecessarily. Consolidation of cybersecurity<br />
architectures can strengthen risk posture,<br />
reduce the number of tools and vendors in<br />
place, eliminating silos, reducing costs and<br />
improving overall security posture."<br />
LOWS AND HIGHS<br />
August 2023 saw a drop in ransomware<br />
attacks, according to NCC Group's August<br />
Threat Pulse, with 390 attacks representing<br />
a 22% drop from July. It comes after back-to-back<br />
record months in June and July, largely<br />
the result of Cl0p's MOVEit exploitation and<br />
the ongoing impact of the attack. Lockbit 3.0<br />
returned to pole position in August, responsible<br />
for carrying out the largest volume of<br />
attacks at 125, 32% of total attacks in the<br />
month. It represents a 150% month-on-month<br />
increase on its July activity. BlackCat<br />
took the second spot with 41 attacks (11%),<br />
followed by 8Base with 32 (8%).<br />
Some 47% of all ransomware attacks in July<br />
took place in North America, consistent<br />
with previous months. However, the region<br />
experienced a 7% relative drop in August, as<br />
compared to July where it held 54% of all<br />
victims. Europe remains in second place with<br />
108 victims in August, representing 28% of<br />
total attacks.<br />
"After two record months for ransomware<br />
attacks, the fall in attacks in August was to<br />
be expected," says Matt Hull, global head of<br />
threat intelligence at NCC Group. "The number<br />
of victims in June and July was somewhat<br />
inflated by the huge success that Cl0p had<br />
exploiting the vulnerability in the MoveIT<br />
platform. This being said, the number<br />
of recorded victims in August was still<br />
significantly higher than this time last year."<br />
HEALTHCARE IN NEED OF A CURE<br />
Vitali Edrenkine, chief marketing officer at<br />
Arcserve, says that, in the face of growing<br />
numbers and sophistication of ransomware<br />
attacks, the highly targeted healthcare industry<br />
continues to grapple with inadequate data<br />
protection and recovery mechanisms. "An<br />
ounce of prevention may be worth a pound<br />
of cure - but our latest market research shows<br />
that, when it comes to ransomware resilience,<br />
too many healthcare institutions have neither,"<br />
he continues. "A robust backup and disaster<br />
recovery strategy is critical for healthcare<br />
organisations to build resistance to malicious<br />
attacks."<br />
Findings from Arcserve's annual independent<br />
global research, focusing on the healthcare<br />
sector's approach and experience of data<br />
protection, recovery, and ransomware<br />
readiness, indicate that 45% of healthcare<br />
respondents experienced a ransomware attack<br />
in the past 12 months:<br />
83% of ransom demands were between $100,000 and $1 million<br />
67% paid the ransom<br />
45% did not recover all their data after ransomware attacks.<br />
Some of the key issues around ransomware<br />
highlighted by Arcserve include:<br />
82% of healthcare IT departments lack an updated disaster recovery plan<br />
Nearly 75% of respondents believe data backed up to a public cloud is safer than data backed up on-premises<br />
More than 50% of respondents mistakenly believe the cloud provider is responsible for recovering their data.<br />
SONY DATA SOLD ON DARK WEB<br />
A big stumbling block regarding the paying of<br />
a ransom is whether the perpetrators will<br />
return all, or any, of your data, if you pay up.<br />
Whatever the reasoning, when Sony was hit<br />
by a ransomware attack recently and refused<br />
to shell out the ransom demanded, its data<br />
ended up being sold online on the dark web.<br />
Irrespective of the refusal to pay a ransom,<br />
Carlos Morales, SVP of solutions at purpose-built<br />
global cloud-based security platform<br />
Vercara, stresses how the attack itself highlights<br />
the fact that any company, regardless<br />
of size and level of security sophistication,<br />
can fall victim to this threat. "The sheer<br />
number of entry points into a company,<br />
from supply-chain to contractors, to each<br />
and every employee, makes it impractical to<br />
believe that you are going to be able to seal<br />
all of these up," he says.<br />
"While it is extremely important to educate<br />
your base of users to be on the lookout<br />
for these threats and to vet your suppliers<br />
carefully, this alone will not guarantee<br />
prevention. Now that AI is supercharging<br />
bad actors' ability to craft spear phishing or<br />
smishing messages, it is virtually guaranteed<br />
that more, rather than fewer, people will<br />
become victims of this kind of attack."<br />
Brian Martin, Integrity360: consolidation of cybersecurity architectures can strengthen risk posture.<br />
Deepen Desai, Zscaler: healthcare industry continues to grapple with inadequate data protection and recovery mechanisms.<br />
Michael Smith, Vercara: ransomware is having "catastrophic consequences on critical national infrastructure".<br />
Carlos Morales, Vercara: impractical to believe you can seal up all entry points.<br />
CRIMINALS GO FOR THE JUGULAR<br />
September marked 10 years since CryptoLocker,<br />
the first ransomware campaign to<br />
successfully blend encryption, peer-to-peer<br />
controls, social engineering and cryptocurrency,<br />
first appeared. "This toxic brew<br />
proved to be extraordinarily successful," states<br />
Sophos, "netting the attackers 31,000 Bitcoin<br />
[at that time, over $4 million US] in the first<br />
four weeks, ushering in the modern era of<br />
day-to-day financial e-crime."<br />
Since then, says the company, ransomware<br />
has flourished, with attacks accounting for<br />
69% of incident response cases in the first half<br />
of 2023. "Comparing 2022 to the first half of<br />
2023, the time from the start of ransomware<br />
attacks to detection shrank from a median of<br />
eight days to just five." The median time from<br />
data exfiltration to ransomware deployment<br />
was just 21 hours, while, for exfiltrated data,<br />
the median time until it was publicly posted<br />
was just a little over 28 days.<br />
"Ransomware has had a long history and,<br />
while CryptoLocker is just one of many<br />
inflection points, it's an important one when<br />
we look at the model ransomware follows<br />
today - encrypting data and then demanding<br />
cryptocurrency to decrypt the data,"<br />
comments Chester Wisniewski, field CTO,<br />
Sophos. "Over the years, ransomware has<br />
proven itself as a tried-and-true method<br />
for extorting money from victims. Now,<br />
ransomware is an everyday part of the criminal<br />
threats we face. That's a problem, because<br />
ransomware is still a devastating type of<br />
attack; what's more, organisations have<br />
increasingly less time to minimise damage.<br />
"What we're seeing in the data from our<br />
Active Adversary reports over the past three<br />
years is an increasing mechanisation and<br />
professionalisation amongst the criminals.<br />
Not only are ransomware criminals striking<br />
the final blow in only five days, they're going<br />
for the jugular - your Active Directory<br />
infrastructure, within 16 hours or so. Plodding<br />
ransom attacks that linger for a month or more,<br />
as we saw in the early days of enterprise<br />
ransomware, are no longer the case."<br />
The UK's National Cyber Security Centre<br />
(NCSC) and National Crime Agency (NCA)<br />
have published a joint whitepaper, examining<br />
how the tactics of organised criminal groups<br />
have evolved as extortion attacks have grown<br />
in popularity with the ransomware industry<br />
developing into a sophisticated supply chain,<br />
defying western governments and leaving<br />
exposed businesses on the back foot.<br />
RISE IN CYBER-WARFARE<br />
Ransomware is having "catastrophic consequences<br />
on critical national infrastructure (CNI)<br />
and other vital services", states Michael Smith,<br />
field CTO at Vercara. "While many cyberattacks<br />
leave businesses unscathed, 18 ransomware<br />
incidents elicited a national level response or<br />
government intervention. Given increased geopolitical<br />
tensions and a rise in cyber-warfare,<br />
international leaders and governments have<br />
acknowledged this threat at a global scale<br />
and the risk it poses to crucial services. Just<br />
last year, the European Commission proposed<br />
new rules to ensure greater consistency and<br />
efficiency in cyber and information security<br />
measures across EU institutions, bodies, offices<br />
and agencies."<br />
All this data goes to highlight the scale of the<br />
challenge ahead for the cybersecurity sector,<br />
adds Smith. "Cybercriminals attack everybody,<br />
it's their means of revenue. All business leaders<br />
must assume that at some point they will be<br />
one of their targets. The criminals running<br />
these campaigns are looking to cause as much<br />
disruption as possible, with maximum impact<br />
and even bigger reward.<br />
"Earlier forms of ransomware typically<br />
resulted in downtime or unavailable data,<br />
but newer strains are emerging and threat<br />
actors are constantly changing their tactics,<br />
with some threatening a Distributed Denial<br />
of Service (DDoS)-style attack."<br />
inside view<br />
RANSOMWARE THREATENS BACKUP FILES<br />
COULD THE LAST LINE OF DEFENCE AGAINST ONE OF THE MOST PERNICIOUS FORMS OF ATTACK<br />
NOW BE IN DANGER? DANIEL HOFMANN, CEO, HORNETSECURITY, OFFERS HIS THOUGHTS<br />
Ransomware attackers have become<br />
increasingly focused on targeting<br />
backup storage over the past several<br />
years. Special measures are required to<br />
protect data backups from malicious<br />
manipulation. Immutable cloud storage is<br />
the magic word.<br />
While ransomware attacks have been a<br />
threat for more than 30 years, they have<br />
increased dramatically over recent years due<br />
to many factors including the rise<br />
of Generative AI systems.<br />
A recent ransomware study by Hornetsecurity shows<br />
that nearly 60% of companies are 'very' to<br />
'extremely' concerned about ransomware attacks.<br />
On top of this, 76.2% of respondents have<br />
changed the way their company backs up data<br />
partly in response to the evolving threat of<br />
ransomware.<br />
At the same time, ransomware attacks<br />
are becoming easier, smarter, and more<br />
dangerous. For example, ransomware-as-a-service<br />
offerings are increasingly appearing<br />
on the darknet, enabling fraudsters to carry<br />
out successful extortion campaigns even<br />
without programming skills and the<br />
corresponding IT infrastructure. A new<br />
dimension has recently been reached with<br />
the spread of generative AI models such as<br />
ChatGPT and WormGPT. With the help of<br />
the innovative AI bot, security specialists at<br />
Hornetsecurity succeeded in developing<br />
sophisticated ransomware with minimal<br />
effort, which can pose high risks for victims.<br />
INCREASED FOCUS ON BACKUP COPIES<br />
In the growing number of ransomware attacks aimed specifically<br />
at backups, hackers are using extortion<br />
software to encrypt data backed up on<br />
storage media devices to deny access<br />
to users. This is particularly perfidious, as<br />
a company relies precisely on backups in case<br />
the data in the production systems is lost or<br />
damaged. The (now encrypted) backups are<br />
only unlocked or restored in exchange for<br />
a ransom and if the payment is not received<br />
in time, the hackers can threaten to delete<br />
or steal the data or even publish sensitive<br />
company information. Ransomware costs<br />
companies millions of pounds every year,<br />
with six or even seven figure ransom<br />
demands now being common. If a victim<br />
does not pay, their business can come to<br />
a standstill, and entire workflows and<br />
processes become disrupted. At the same<br />
time, there is a threat of loss and theft of<br />
confidential company data, which can result<br />
in high financial losses. If, for example,<br />
a credit institution loses sensitive customer<br />
data, it can expect not only claims for<br />
damages but also a permanent loss of<br />
image, reputation, and customers.<br />
INCREASED PRESSURE, DUE TO NIS2 REQUIREMENTS<br />
In addition, companies must prepare for<br />
stricter legal data protection and compliance<br />
requirements. While the EU General Data<br />
Protection Regulation (GDPR) of 2018 has<br />
been the most important of these, the clock<br />
is now ticking on the implementation of the<br />
new EU cybersecurity directive NIS2 (Network<br />
and Information Security) within the UK.<br />
NIS2 tightens the security requirements for<br />
operators of critical infrastructures (CRITIS)<br />
and was designed to enhance cyber<br />
resilience for organisations across the<br />
UK and EU. For the first time, small and<br />
medium-sized institutions in system-relevant<br />
areas of public life such as healthcare,<br />
education and public authorities are also<br />
required to implement baseline security<br />
measures to protect against cyber-attacks.<br />
Since suppliers must also comply with NIS2,<br />
almost all companies and organisations will<br />
be affected by the new EU cybersecurity<br />
directive in the future. If data protection<br />
and compliance breaches occur, NIS2 makes<br />
those responsible personally liable and<br />
imposes penalties of up to 10 million pounds<br />
or 2% of annual global turnover.<br />
NIS2 also contains stricter requirements<br />
for organisations who suffer cyberattacks,<br />
as initial reporting must now be made within<br />
24 hours. UK and EU member states only<br />
have until October 2024 to implement NIS2,<br />
meaning that companies should install the<br />
necessary security measures as soon as<br />
possible.<br />
KEY TAKEAWAYS FROM 2023 RANSOMWARE ATTACKS SURVEY<br />
In its recent survey, Hornetsecurity highlighted the following:<br />
93.2% of respondents rank ransomware protection as 'very' to 'extremely' important, in terms of IT priorities for their organisations<br />
12.2% of respondents do not have a disaster recovery plan in place, in the event of a ransomware attack<br />
90.5% of respondents say they protect their backups from ransomware<br />
75% of respondents cited 'end-point detection software with anti-ransomware capabilities' as the most common tool to combat ransomware<br />
19.7% of respondents said their organisations had been the victim of a ransomware attack, with the majority, 62.1%, occurring in the past three years<br />
79.3% of ransomware victims reported that they managed to recover the compromised data from a backup<br />
51.7% of respondents mentioned 'email/phishing' as the main attack vector for ransomware attacks<br />
81% of respondents said their organisations provide user training to recognise ransomware attacks, with 95.8% stating the training was 'useful.'<br />
28.9% of Microsoft 365 respondents said they do not have a recovery plan in place, in case of a ransomware attack.<br />
IMMUTABLE BACKUPS AGAINST RANSOMWARE<br />
This also applies to the protection of backup<br />
files against the growing ransomware risks.<br />
In principle, ransomware can originate from<br />
different sources and be transmitted in<br />
various ways. At the forefront are phishing<br />
emails that contain ransomware-infected<br />
attachments which can lead to the compromise<br />
of the entire network. To mitigate<br />
these risks, many organisations are<br />
combining various methods, including<br />
endpoint security, advanced threat detection<br />
and response, patch management, multi-factor<br />
authentication (MFA), and employee<br />
security training to ensure employees are<br />
equipped to identify and prevent attempted<br />
phishing attacks.<br />
Several methods can be used to achieve<br />
immutability of data backups. Today, WORM<br />
technology, which was developed back in<br />
the late 1970s, is the main method used<br />
to defend against ransomware attacks.<br />
WORM stands for Write-Once-Read-Many,<br />
which means that a backup copy can only<br />
be created once (writing) and is then write-protected<br />
for a certain period of time.<br />
So, when choosing a backup solution,<br />
companies should prefer a product that<br />
supports immutability through the use of<br />
WORM technology. Various media, such as<br />
memory cards and external hard disks, or<br />
external cloud services can be used to store<br />
the data.<br />
In the wake of rising ransomware attacks,<br />
backups are coming under increasing threat<br />
as the last barrier against the deletion and<br />
manipulation of critical corporate data.<br />
Immutable backup storage provides an<br />
effective defence against the threat of<br />
ransomware. With VM Backup V9 from<br />
Hornetsecurity, organisations can leverage<br />
a new solution to protect their backup data<br />
via Immutable Cloud storage. This ensures<br />
that their data cannot be modified or<br />
deleted within a specified time period<br />
or regulatory or legal retention period.<br />
cybersecurity training<br />
DRIVING EMPLOYEE ENGAGEMENT WITH DEPARTMENTAL CYBERSECURITY TRAINING<br />
METACOMPLIANCE'S NEW DEPARTMENTAL-FOCUSED CYBERSECURITY TRAINING SERIES AIMS TO ADDRESS<br />
DEPARTMENT-SPECIFIC CONCERNS AND REDUCE RESISTANCE TO USER TRAINING COMPLETION<br />
Each department within an organisation<br />
fulfils a vital function, and each brings<br />
distinctive challenges and vulnerabilities.<br />
For example, the HR department handles<br />
sensitive employee data, while the IT team<br />
manages critical infrastructure. Likewise<br />
privileged users, by nature of their access,<br />
have the potential to cause significant harm,<br />
if their credentials are compromised or if<br />
they engage in malicious activities. These<br />
users require specific cybersecurity training<br />
to understand the gravity of their role in<br />
safeguarding this information.<br />
Despite these distinctions, it's common<br />
practice to provide the same cybersecurity<br />
training to all employees. This generic training<br />
typically provides a broad overview of<br />
cybersecurity concepts, but lacks the depth<br />
required for individuals with specialised roles<br />
and responsibilities. Whilst generic security<br />
training ticks a checkbox, relying on a 'one-size-fits-all'<br />
approach is not enough, states<br />
MetaCompliance. "This approach can result<br />
in employees becoming disengaged and<br />
passive participants in Security Awareness<br />
Training. Cyber threats are now increasingly<br />
sophisticated and targeted attacks based on<br />
individual job roles are on the rise."<br />
HIGHER ENGAGEMENT RATES<br />
By delivering content that directly aligns with<br />
the roles and responsibilities of the end users,<br />
organisations can drive higher engagement<br />
rates and reduce resistance to cybersecurity<br />
training. When employees receive targeted<br />
content that relates to their daily tasks, this<br />
makes them more likely to retain the<br />
information and implement improved<br />
cybersecurity behaviours.<br />
"Departmental cyber training marks a<br />
significant leap forward in the world of<br />
security awareness training and aims<br />
to address the pressing need for more<br />
personalised and effective training solutions<br />
in an era of ever-evolving cyber threats,"<br />
adds MetaCompliance.<br />
"Embracing this shift and championing<br />
departmental training can be a game-changer<br />
in safeguarding organisations against the ever-evolving<br />
cyber threats. This is because departmental<br />
cybersecurity training mobilises each<br />
department, transforming them into a well-coordinated,<br />
cyber-resilient workforce. It equips<br />
individuals with the knowledge and skills<br />
needed to defend against evolving threats<br />
and make informed decisions that enhance<br />
the organisation's overall security posture."<br />
The departmental-focused approach also<br />
empowers CISOs to communicate the value<br />
and relevance of security awareness training<br />
tailored to each department, it says. "This<br />
level of personalisation fosters a sense of<br />
ownership and commitment among<br />
employees, leading to active participation in<br />
security training. When employees see their<br />
leadership prioritising cybersecurity education,<br />
they are more likely to take it seriously."<br />
Recognising the real need to address<br />
department-specific concerns and reduce<br />
resistance to user training completion,<br />
MetaCompliance has recently announced<br />
the release of its new departmental-focused<br />
cybersecurity training series.<br />
GAME-CHANGER<br />
The Departmental Series addresses 12 key<br />
cybersecurity risks and is specifically tailored<br />
to eight organisational departments, which<br />
include human resources, marketing, sales,<br />
finance, privileged users, executive teams,<br />
legal and procurement. The content is also<br />
available in 43 languages, catering to diverse<br />
workforces around the world.<br />
Cybersecurity evangelist at MetaCompliance,<br />
Robert O'Brien, says: "We understand that<br />
employees have diverse responsibilities and<br />
priorities, and security awareness is not<br />
always at the top of their minds.<br />
"This fuelled our mission to advance<br />
cybersecurity training by speaking the<br />
language of each department and delivering<br />
content that truly engages end users.<br />
The Departmental Series will help create<br />
a cultural shift in security awareness.<br />
"By focusing on content that directly impacts<br />
an employee's day-to-day tasks, our training<br />
ensures that end users stay engaged and<br />
retain crucial information, enabling them to<br />
implement positive cybersecurity behaviours."<br />
To learn more about MetaCompliance's<br />
Departmental Series, visit:<br />
www.metacompliance.com/departmental-series<br />
leadership skills<br />
LEADERSHIP SKILLS - WHY THEY MATTER<br />
AT A TIME WHEN SO MANY THREATS ARE FACED BY EVERY ORGANISATION,<br />
LEADERS WHO CAN MOTIVATE AND GUIDE THE WORKFORCE ARE VITALLY IMPORTANT<br />
Leadership skills help to create<br />
a vision and rally people around<br />
a common cause, boosting morale.<br />
They also pass on the necessary skills<br />
and knowledge to enable those around<br />
them to make informed decisions and<br />
solve problems effectively and with confidence.<br />
When it works, it's a massive<br />
boost to employee unity and self-belief.<br />
But how do organisations identify, recruit<br />
and nurture the right calibre of people<br />
to perform this leadership role in the<br />
first place?<br />
"In the face of today's growing cyberattacks,<br />
leadership is required to invest<br />
in the means to prevent breaches and<br />
to ensure that data is backed up or air-gapped."<br />
Such is the view of David<br />
Trossell, CEO and CTO of Bridgeworks.<br />
"Leadership is also about practising what<br />
you preach by communicating with staff<br />
and training them to avoid falling foul<br />
of, for example, ransomware attacks<br />
that could render an organisation's<br />
useless and prevent any form of service<br />
continuity."<br />
It also involves thinking about the long-term<br />
health of the organisation, its<br />
partners and its customers by investing in<br />
training ordinary staff and cyber-security<br />
teams as an increasing number of attacks<br />
involve social engineering, he continues.<br />
"Within this scenario, generative AI is<br />
making cyber-security more challenging.<br />
So, any competent leader needs to know<br />
how to prevent the technology from<br />
being used to social-engineer a weakness<br />
in staff to find a way to create a breach.<br />
Humans are often the weakest link when<br />
it comes to cyber-security."<br />
Leadership should aim to prevent<br />
disasters by focusing on service continuity<br />
as the primary goal, using WAN<br />
Acceleration to rapidly back up and<br />
restore data, adds Trossell. "The common<br />
cause should be continuity more than<br />
disaster recovery, although plans and<br />
procedures should be in place to ensure<br />
that staff and cyber-security teams know<br />
what to do when disaster strikes."<br />
SENSE OF TOGETHERNESS<br />
A sense of togetherness will boost<br />
morale and pride in the organisation's<br />
ability to thrive, no matter what cyber-threats<br />
are thrown at it. "Nurturing<br />
the right talent and finding competent<br />
leaders comes from using aptitude<br />
testing, using team exercises to allow<br />
them to demonstrate their decision-making<br />
skills, by enquiring about their<br />
competence in other roles. That person<br />
should show that they have an ability to<br />
innovate - perhaps by having patents in<br />
their name for solutions that nobody else<br />
has considered or been able to achieve."<br />
That leader should want to invest in<br />
future cyber-security professionals by<br />
working with universities, colleges and<br />
schools to encourage, nurture, inspire<br />
and develop new talent, he believes.<br />
"By working with the community -<br />
and offering apprenticeship schemes -<br />
leadership can instil pride in their<br />
organisation and in what it aims to<br />
achieve. This can inspire staff loyalty<br />
and reduce the likelihood of employee<br />
churn. It's not so much about the leader,<br />
but the values of the organisation that<br />
person expresses internally and to the<br />
wider community."<br />
COMMUNICATING RESULTS<br />
From a cyber-security perspective,<br />
says Trossell, this could also be about<br />
communicating to staff how many<br />
cyber-attacks have been forestalled,<br />
how clients have been helped to stave<br />
off attacks, how much money has been<br />
saved, and how policies and procedures<br />
have prevented X number of cyberattacks.<br />
"This requires a leader who<br />
demonstrably leads from the front, who<br />
can identify with people, who engenders<br />
team-working and unity to protect the<br />
organisation from attack - furthering<br />
its commercial and operational success."<br />
David Trossell, Bridgeworks.<br />
cyber awareness<br />
THE CRIME-BUSTING CHALLENGE<br />
CYBERCRIME IS ON THE RAMPAGE, PROMPTING ONE<br />
EXPERT TO SAY: "BEEF UP YOUR EMAIL SECURITY OR<br />
GET READY FOR A WORLD OF HURT."<br />
Cybercrime is rapidly spreading and<br />
impacting organisations across the<br />
world. According to one company<br />
monitoring the worsening situation, global<br />
cyberattacks increased by 28% in 2022,<br />
compared to the same quarter in 2021 -<br />
and this trend is only likely to continue.<br />
"Cyber threat actors can identify and exploit<br />
a wide range of vulnerabilities to gain<br />
access to corporate systems," it states.<br />
"An effective cybersecurity program is one<br />
that provides comprehensive coverage and<br />
protection for all potential attack vectors."<br />
But how do you define 'effective' and how<br />
does an organisation go about identifying<br />
what is the best means to meet its own<br />
particular needs and mode of operating?<br />
Nadia Kadhim, a leading GDPR lawyer<br />
and CEO of global automated compliance<br />
platform Naq Cyber, warns the defence<br />
industry needs to do more to protect<br />
classified data, as the number of attacks<br />
on this sector has increased by nearly 50%<br />
with an average of 1,661, according to<br />
a global report by Check Point Research.<br />
This increased risk has already led to<br />
an increased demand for additional<br />
compliance measures from the Defence<br />
Industry to ensure their suppliers meet<br />
legal and regulatory compliance<br />
requirements such as Cyber Essentials,<br />
JOSCAR, DART, and MOD Risk Assessments.<br />
Naq's platform guides MOD suppliers<br />
through implementing, verifying and<br />
maintaining the security requirements<br />
set by the MOD and Primes. This includes<br />
training in risk management and device<br />
security to ensure businesses meet the<br />
required security controls.<br />
"The number of cyberattacks<br />
within the defence<br />
sector is expected to keep<br />
rising," warns Kadhim. "While it is<br />
crucial to ensure the MOD's systems are<br />
secured, it is also just as crucial to ensure<br />
defence suppliers have a strong cybersecurity<br />
posture or risk putting the entire<br />
defence supply chain in jeopardy. It's a<br />
pattern we see in other highly regulated<br />
sectors, such as healthcare, where attackers<br />
use suppliers to access valuable and sensitive<br />
information. To keep the UK defence sector<br />
safe, we must focus on suppliers and ensure<br />
they are meeting continuous compliance<br />
with the cybersecurity requirements set by<br />
the MOD and their primes."<br />
ESTABLISHING A LANDMARK<br />
October marked National Cybersecurity<br />
Awareness Month (NCSAM), a significant<br />
initiative that has helped to focus attention<br />
on the threats organisations everywhere<br />
face. Like all good initiatives, of course,<br />
it is about much more than one month of<br />
attention that is then forgotten. It is about bringing<br />
a collective consciousness to bear on a<br />
common enemy - and ensuring that it<br />
stays there.<br />
Launched in 2004 by the US Department<br />
of Homeland Security and the National<br />
Cyber Security Alliance, the goal has been<br />
to reinforce the importance of safeguarding<br />
online presence. While it began as an<br />
American effort, the message has resonated<br />
far and wide. Today, numerous countries<br />
around the globe have embraced the cause,<br />
underscoring that cyber threats don't recognise<br />
borders. It's a united call to action,<br />
urging individuals and organisations to<br />
prioritise online safety, no matter<br />
where they may be located,<br />
in what is flagged up as<br />
a global commitment to cyber resilience.<br />
FRONT OF MIND<br />
"Cybersecurity has moved from an afterthought<br />
to one of the more important<br />
decisions in the boardroom, as executives<br />
have come to understand the potential scale<br />
and impact of attacks," states Jason<br />
Dettbarn, founder & CEO, Addigy. "Breaches<br />
don't just cost money - they can debilitate a<br />
company. IT leaders need to ensure they are<br />
leveraging the right security processes and<br />
tools to maintain compliance vigilance,<br />
which includes a layered approach to OS<br />
patching, application patching, adhering<br />
to compliance frameworks and end-user<br />
authentication management. The speed and<br />
impact of Zero Day vulnerabilities highlight<br />
the importance of applying these patches<br />
throughout an organisation's entire fleet of<br />
devices in a timely fashion."<br />
Cybersecurity Awareness Month served<br />
as a critical reminder that effective cybersecurity<br />
isn't solely about building higher<br />
walls against external threats, says Carl<br />
D'Halluin, CTO, Datadobi. "It's equally about<br />
understanding and managing the data<br />
you already hold within those walls. Illegal<br />
and orphaned data are prime examples<br />
of internal vulnerabilities that often go<br />
overlooked.<br />
"The risks of harbouring illegal data are<br />
multi-faceted, spanning potential legal<br />
issues, reputational harm and increased<br />
susceptibility to network compromise, due<br />
to embedded malware. Orphaned data,<br />
often accumulating unnoticed due to<br />
employee turnover, can pose governance<br />
and compliance risks."<br />
He calls on organisations to deepen their<br />
commitment to employing the necessary<br />
methodologies and technologies that<br />
enable effective internal data governance<br />
and oversight. "A proactive, inside-out<br />
approach to cybersecurity has never been<br />
more crucial."<br />
OVERHAULING DIGITAL DEFENCES<br />
Don Boxley, CEO and co-founder, DH2i,<br />
sees today's cyber threats escalating into<br />
full-blown crises - a stark warning that<br />
we must urgently overhaul our digital<br />
defences. "Gone are the days when<br />
established security measures like VPNs<br />
sufficed. Hackers are continually advancing,<br />
rendering traditional methods increasingly<br />
obsolete. Proactive security isn't an option;<br />
it's an absolute necessity, if organisations<br />
want to survive into the future."<br />
What does he see as the best way<br />
forward? He points to how Software-<br />
Defined Perimeters (SDPs) are rapidly gaining<br />
prominence as an innovative and intelligent<br />
alternative to VPNs. "They address and<br />
eliminate many traditional VPN vulnerabilities,<br />
such as susceptibility to lateral<br />
network attacks that could compromise<br />
sensitive organisational assets. SDPs simplify<br />
the secure connection of network assets<br />
across diverse infrastructures - from on-premises<br />
to hybrid and multi-cloud setups -<br />
and closely align with Zero Trust Network<br />
Access (ZTNA) principles.<br />
"By adhering to the Zero Trust tenet of<br />
'never trust, always verify', SDPs offer<br />
stringent security controls at the application<br />
level. This ensures that resources like servers,<br />
storage units, applications, IoT devices and<br />
users gain access only to the specific data<br />
endpoints required for their tasks, thereby<br />
eliminating potential vulnerabilities such as<br />
lateral movement paths that attackers could<br />
exploit."<br />
He refers back to October and its designation<br />
as National Cybersecurity Awareness<br />
Month, labelling it as an "urgent call to<br />
action for adopting next-generation<br />
solutions like SDPs and Zero Trust principles.<br />
In doing so, we will be equipping organisations<br />
and individuals with the robust<br />
defences needed to outpace ever-advancing<br />
cyber threats".<br />
Amongst the many cyber threats faced,<br />
one that's often pushed to the background,<br />
but deserves centre stage, is email security,<br />
states Seth Blank, CTO, Valimail. "Email is<br />
the battleground where some of the most<br />
sophisticated social engineering attacks,<br />
like spear-phishing and whaling, are waged.<br />
These attacks exploit human psychology,<br />
leveraging the absence of the usual cues we<br />
rely on to assess trust - no facial expressions,<br />
no tone of voice, just cold text on a screen.<br />
"You've probably been inundated with the<br />
same stats again and again, like the fact<br />
that 91% of all cyberattacks start with<br />
phishing. Or that the FBI has reported $50<br />
billion - with a 'b' - in losses, due to<br />
business email compromise (BEC). And,<br />
due to that inundation, it's easy for some<br />
to look at email as an old problem. But<br />
those stats show the problem is not just<br />
as bad as it's ever been; it's getting worse.<br />
Much, much worse."<br />
The bottom line, concludes Blank, is that,<br />
even if the stats have become somewhat<br />
easy to ignore, the problem is real and one<br />
misstep can wreak havoc. "Beef up your<br />
email security or get ready for a world of<br />
hurt," he advises.<br />
DRY-RUN YOUR RECOVERY PLAN<br />
Simon Church, chairman, Xalient, urges<br />
organisations to make sure they dry-run<br />
their recovery plan, so that, in the event of<br />
an attack, they know they are prepared, and<br />
understand the process and who is doing<br />
what. "And I'm not just talking about<br />
technology here, but people and processes.<br />
For example, what communications about<br />
the attack will they share with employees,<br />
customers and other stakeholders? What do<br />
they want employees to do? What do they<br />
want senior executives and the board to do?<br />
All too often I see organisations assume<br />
that, because they have the technology<br />
in place, it will magically and seamlessly<br />
recover their systems, but they neglect the<br />
fine detail around communications and<br />
reassurance."<br />
He also identifies human risk as a major<br />
factor. "In fact (depending on the sources you<br />
refer to) 75-90% of all cyber incidents are<br />
human initiated. So, it is very important to<br />
focus on having employee security awareness<br />
training in play. Today, employees operate in<br />
a blended environment, moving seamlessly<br />
between work applications and personal<br />
apps. Whereas previously they have been<br />
prevented from sharing company data<br />
outside the network perimeter, in our world<br />
of social media we often overshare, which<br />
leads to a lot of freely available open-source<br />
data, or OSINT.<br />
"Cybercriminals use OSINT for social<br />
engineering purposes. They gather personal<br />
information through social profiles and use<br />
this to customise phishing attacks. The most<br />
recent MGM breach, for example, was a<br />
result of a social engineering attack on an<br />
employee who inadvertently gave hackers<br />
access to MGM's systems. Investing heavily<br />
in training to enable employees to make<br />
smarter security decisions will help them<br />
manage the ongoing problem of social<br />
engineering and clever phishing attacks.<br />
Performance should also be regularly<br />
measured to see how employees are<br />
implementing training in the real world<br />
and there must be KPIs around this that are<br />
ideally discussed at senior management or<br />
board level. It is likely that the MGM attack<br />
could have been averted, if the employee<br />
had been more aware and better trained."<br />
Also, as many breaches utilise a vulnerability<br />
or flaw in operating systems' code,<br />
the patching cadence and criticality need to<br />
be agreed and assessed on a regular basis,<br />
so that the organisation prioritises patches<br />
based on risk to the business, Church adds.<br />
"To put this into context, last year there were<br />
approximately 20,000 new patches created<br />
by software vendors; this year, that figure is<br />
expected to increase to 22,000. This means<br />
that the largest organisations have a<br />
backlog of over 100,000 patches to deploy,<br />
which is an almost impossible task without<br />
clear risk prioritisation."<br />
Managing their third parties and any<br />
extended ecosystem cyber risk is equally<br />
critical for CEOs. "It is very difficult from<br />
an outside view to determine which<br />
third party has strong cyber controls and<br />
which ones are already, or likely to be,<br />
compromised. Standard risk assessment<br />
processes tend to be 'point in time',<br />
involving questionnaires and audits. For<br />
cybersecurity, this is a flawed approach that<br />
usually leads to risk tolerance or acceptance.<br />
Rather than just categorising third parties as<br />
high or low risk, organisations should focus<br />
on the nature of the relationship and their<br />
adherence to the same security policies<br />
and practices implemented by the organisation.<br />
Do they control sensitive data or<br />
have they got access to critical systems?"<br />
Cybercrime is predicted to be worth<br />
a massive $10.5 trillion by the end<br />
of the year, Church points out. "If it were<br />
a country, it would equate to the third-largest<br />
country in the world, in terms of<br />
GDP, so it is clearly big business. Having<br />
robust security controls, a solid risk management<br />
plan and dynamic risk policies, as<br />
well as a tried and tested recovery plan,<br />
won't totally remove the threat of a cyberattack,<br />
but it will certainly reduce not only<br />
the probability of a breach, but also the<br />
impact to the business."<br />
case study<br />
ON YOUR METAL!<br />
WHEN ONE METAL FABRICATION COMPANY SUFFERED SEVERAL MALWARE ATTACKS,<br />
IT REACHED OUT FOR THE RIGHT SOLUTION TO PROTECT ITS OPERATIONS<br />
In the last few years, ARKU<br />
Maschinenbau in Baden-Baden,<br />
Germany, has faced an increasing<br />
number of malware attacks. Working<br />
closely with the Freiburg branch of the<br />
IT systems house NetPlans, it introduced<br />
extensive measures to defend itself.<br />
In its search for reliable and scalable<br />
network protection, it quickly became clear<br />
to the metal fabrication company that<br />
macmon NAC was the right option:<br />
NetPlans is a Platinum macmon partner<br />
with certified and continuously trained<br />
macmon experts that has provided what<br />
is said to be "first-class support" for its<br />
customers - from the SME sector especially<br />
- with the implementation of a vast<br />
number of projects.<br />
ARKU Maschinenbau runs its worldwide<br />
operations from its base in Baden-Baden,<br />
Germany.<br />
To authenticate endpoints, ARKU uses<br />
macmon's integrated RADIUS server to<br />
make the decisions on<br />
granting access. As the ID or means of<br />
authentication, a number of properties<br />
can generally be used, such as the MAC<br />
address, username/password or certificate.<br />
Since an endpoint cannot access the<br />
network until the RADIUS server has confirmed<br />
it, there are no unused or insecure ports,<br />
which increases security significantly. While<br />
granting access, the IT team can define and<br />
specify additional rules for the switch to<br />
implement. If the switch is technically<br />
capable of doing so (layer 3), a specific<br />
VLAN, defined ACLs or almost any other<br />
attributes can be assigned in this way.<br />
An access control list (ACL) limits access to<br />
data and functions. The ACL determines the<br />
extent to which individual users and system<br />
processes have access to certain objects<br />
such as services, files or registry entries.<br />
As Felix Pflüger, IT & digitisation team<br />
leader at ARKU, comments: "We use a variety<br />
of security solutions in our company.<br />
Thanks to macmon NAC, we always have<br />
oversight over our extensive IT infrastructure.<br />
Our switches are administered via<br />
SNMP and RADIUS, meaning macmon sets<br />
the appropriate VLAN on the switch port,<br />
or the port is blocked, if there are unknown<br />
devices. That prevents unauthorised devices<br />
from gaining access via network outlets,<br />
for example."<br />
Frequent visits by customers and suppliers<br />
present companies with the challenge of<br />
preventing these users' end devices from<br />
accessing the company's internal network.<br />
The functions of the 'Guest Service' module<br />
provide an intelligent and flexible management<br />
system for an external device with a<br />
granular guest ticket system for controlling<br />
temporary LAN and WLAN access.<br />
Since the number of external visitors was<br />
manageable during the Coronavirus period,<br />
the IT department was responsible for<br />
deciding whether or not visitors were<br />
granted access. In the future, however,<br />
this task will be delegated to authorised<br />
employees with the macmon guest portal.<br />
Without having to deal with the<br />
macmon NAC administration, they<br />
can generate access data directly in<br />
the portal or confirm visitors who<br />
have registered themselves.<br />
The resources shared and the<br />
duration of access can be defined<br />
while creating the access data,<br />
ensuring each visitor can access only<br />
the specific resources approved for<br />
them. For instance, a service<br />
technician who has to maintain<br />
machine equipment has different<br />
access rights to a customer visiting<br />
the company for a meeting.<br />
attacks offensive<br />
PHISHING ENTERS DEEP DARK WATERS<br />
THE SOPHISTICATION OF PHISHING ATTACKS IS ALSO SOARING, WITH CYBERCRIMINALS<br />
USING WORRYINGLY POWERFUL NEW TACTICS TO GAIN ACCESS TO DATA AND SYSTEMS<br />
As the attacks landscape continues<br />
to look ever more sinister, how<br />
exactly to keep your organisation<br />
safe, on multiple attack fronts, from bad<br />
actors intent on using every means to<br />
exploit vulnerabilities has become the<br />
vexing question. With each passing<br />
month, finding ways to avoid<br />
joining the ranks of the countless victims<br />
who have already been successfully<br />
targeted becomes increasingly beset<br />
with obstacles and uncertainties.<br />
The preferred methods of attack are now<br />
familiar, with phishing continuing to be<br />
one of the most common and effective<br />
ways for cybercriminals to gain access<br />
to data and systems. "By targeting<br />
employees, cybercriminals are looking<br />
to take advantage of what is perceived<br />
to be the weakest element in the cyber<br />
defences of an organisation," points out<br />
AJ Thompson, CCO at Northdoor. "As<br />
a result, phishing attacks are on the<br />
increase. A recent report showed that<br />
there was a 47.2% increase in phishing<br />
attacks during 2022, a huge increase and<br />
one that highlights the growing efforts<br />
of the cybercriminal community to take<br />
advantage of employees."<br />
The sophistication of phishing attacks<br />
is also increasing substantially, with<br />
cybercriminals using new tactics to<br />
gain access to data and systems. "By<br />
persuading an employee to click on<br />
a malicious link or to give them direct<br />
access to internal systems, cybercriminals<br />
can quickly get their hands on data<br />
with little effort on their part," states<br />
Thompson. "The Egress Phishing Threat<br />
Trends Report has identified the most<br />
phished topics so far in 2023 and has also<br />
predicted what the rest of the year has<br />
in store. By connecting to world events,<br />
anniversaries, holidays, as well as the<br />
hopes and fears of ordinary people,<br />
cybercriminals can concoct persuasive<br />
emails and other forms of<br />
communication, gaining the trust of<br />
employees and getting them to open<br />
the door into internal systems."<br />
The key to successfully defeating<br />
phishing attacks is for the security industry<br />
as a whole to work together. "By identifying<br />
and sharing new threats, everyone<br />
is able to keep an eye out and deal with<br />
them as and when they come through.<br />
The cybersecurity sector has a tendency<br />
to withhold information under the guise<br />
of security, in order to gain a competitive<br />
advantage. In the face of such a sophisticated<br />
threat, this is no longer an effective<br />
way for the industry to behave.<br />
Sharing information about what threats<br />
may look like is not effective. Informing<br />
employees about the latest tactics and<br />
giving them the tools to deal with<br />
potential and future threats makes the life<br />
of the cybercriminal harder, keeping your<br />
data and systems safe," he adds.<br />
IMPERSONATION SCAM<br />
In July 2023, Menlo Security HEAT Shield<br />
detected and blocked a novel phishing<br />
attack that involved an open redirection<br />
in the 'indeed.com' website redirecting<br />
victims to a phishing page impersonating<br />
Microsoft. Consequently, this makes an<br />
unsuspecting victim believe the redirection<br />
resulted from a trusted source such as<br />
'indeed.com'. The threat actors were<br />
found to deploy the phishing pages using<br />
the phishing-as-a-service platform named<br />
'EvilProxy'. The service is advertised and<br />
sold on the dark web as a subscription-based<br />
offering, with plans valid for<br />
10 days, 20 days or<br />
31 days. One of the actors, known by<br />
the handle 'John_Malkovich', plays the<br />
role of an administrator and intermediary<br />
assisting customers who have purchased<br />
the service. The campaign targeted C-suite<br />
employees and other key executives across<br />
organisations based in the United States<br />
across various sectors.<br />
The infection vector was a phishing email<br />
delivered with a link that is deceptively<br />
crafted so that it appears to come from<br />
a trusted source, in this case 'indeed.com'.<br />
Upon clicking the link, the victim is then<br />
redirected to a fake Microsoft Online login<br />
page.<br />
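As an added illustration (not from the article or from Menlo Security), a mail-gateway triage check can surface links of the kind described above, where the host the reader sees forwards the click to a different site. The sample URLs, the parameter names and the last-two-labels site comparison are assumptions made for this example.

```python
"""Flag links whose visible host forwards the click to a different site."""
from urllib.parse import urlsplit, parse_qsl, unquote

MAX_DECODE_ROUNDS = 3  # nested URLs are often percent-encoded more than once

# Constructed sample links; hosts use reserved example domains and the
# parameter names (next, u, to, q) are hypothetical.
SAMPLE_LINKS = [
    "https://jobs.example.com/r?id=42&next=https%3A%2F%2Flogin.example.net%2Fsignin",
    "https://jobs.example.com/r?next=https%3A%2F%2Fwww.example.com%2Fapply",
    "https://jobs.example.com/r?u=https%253A%252F%252Fportal.example.org%252F",
    "https://jobs.example.com/r?to=%2F%2Fcdn.example.net%2Fx",
    "https://jobs.example.com/search?q=security+engineer",
]


def site_of(host):
    """Approximate the registrable domain as the last two labels.
    Simplification: a real deployment should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def nested_host(value):
    """Return the host of an absolute or scheme-relative URL carried in a
    query-parameter value, or None when the value is not a URL."""
    candidate = value.strip()
    for _ in range(MAX_DECODE_ROUNDS + 1):
        if candidate.lower().startswith(("http://", "https://", "//")):
            try:
                host = urlsplit(candidate).hostname
            except ValueError:  # malformed netloc, e.g. a broken IPv6 literal
                return None
            return host.lower() if host else None
        decoded = unquote(candidate)
        if decoded == candidate:  # nothing left to decode
            return None
        candidate = decoded
    return None


def cross_site_redirects(url):
    """List (parameter, landing_host) pairs where the query string carries
    a URL on a different site from the host shown in the link."""
    parts = urlsplit(url)
    outer = parts.hostname or ""
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        host = nested_host(value)
        if host and site_of(host) != site_of(outer):
            findings.append((name, host))
    return findings


def triage(links):
    """Map each suspicious link to its findings; clean links are omitted."""
    report = {}
    for link in links:
        hits = cross_site_redirects(link)
        if hits:
            report[link] = hits
    return report


if __name__ == "__main__":
    for link, hits in triage(SAMPLE_LINKS).items():
        for name, host in hits:
            print(f"{link}\n  parameter '{name}' lands on {host}")
```

A hit is a reason to inspect the landing page, not a verdict: many legitimate services redirect across sites, so the result is best combined with sender and landing-page checks.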
It seems that HEAT Shield was able to<br />
detect and prevent this phishing attempt<br />
on the fly, by virtue of its real-time analysis<br />
feature. "It detected the phishing site by<br />
leveraging AI-based detection models<br />
to analyse the rendered web page way<br />
before the URL reputation services and<br />
other security vendors flagged this page<br />
for malicious behaviour," says Menlo<br />
Security. "HEAT Shield also generates the<br />
Zero Hour Phishing Detection alerts in<br />
the process, which help provide greater<br />
visibility to the SOC analysts by providing<br />
them with context of the threat and<br />
enriched data that will adequately support<br />
their research."<br />
As ransomware targeting healthcare<br />
organisations increases, more advanced<br />
cybersecurity is needed to protect sensitive<br />
patient data and maintain uninterrupted<br />
operations for the continuous delivery of<br />
life-critical medical services. Hospitals and<br />
healthcare organisations face a unique<br />
security and identity challenge. With<br />
shared workstations among staff, they<br />
must determine how they can distinguish<br />
who is doing what, on which device, and<br />
enforce access control policies and threat<br />
protections based on both the user who<br />
logged in at the time and the device's<br />
posture. They also need to keep track of<br />
all user activity, with logs indicating their<br />
actions for traceability and compliance<br />
requirements.<br />
To that end, Zscaler has teamed up<br />
with CrowdStrike and Imprivata to deliver<br />
a zero trust cybersecurity solution from<br />
device to cloud that's custom-made for<br />
medical institutions, it reports. "The new<br />
Zscaler integration with the Imprivata<br />
Digital Identity Platform will provide<br />
visibility, threat protection and traceability<br />
for end-to-end, multi-user, shared device<br />
access control that are required for organisations<br />
to meet regulatory requirements,<br />
including HIPAA and HITECH," says the<br />
cloud security provider.<br />
With this new integration, users of the<br />
Zscaler Zero Trust Exchange platform,<br />
Imprivata OneSign and the CrowdStrike<br />
Falcon platform will be able to more<br />
effectively adopt a zero trust architecture<br />
that offers granular access management,<br />
threat protection, and traceability<br />
capabilities to better protect against<br />
ransomware.<br />
"Cyberattacks on healthcare organisations<br />
are at an all-time high and<br />
protecting patient data is critical to<br />
maintaining trust," says Dhawal Sharma,<br />
senior vice president and general manager<br />
at Zscaler. "Zscaler's integrations with<br />
Imprivata, in addition to CrowdStrike,<br />
provide much needed help to healthcare<br />
organisations in their journey to a zero<br />
trust architecture. We're aiding workers<br />
and technicians with least privileged<br />
access to the healthcare information they<br />
need to provide care and maintain the<br />
privacy and security of patient data."<br />
LACK OF CONFIDENCE<br />
Employees are behind a widening gap in<br />
the cybersecurity of small and medium-sized<br />
enterprises (SMEs), a new survey has<br />
revealed, as over three-quarters of SMEs'<br />
C-suite and senior managers admit they<br />
have no confidence their teams are<br />
operating their own devices securely.<br />
Employees are not the only contributing<br />
factor to risk either, as the C-suite are<br />
also lacking cyber awareness: the survey -<br />
commissioned by Cowbell, a leading<br />
provider of cyber insurance for SMEs -<br />
found over three quarters of those<br />
operating at the helm of UK SMEs are<br />
unable to confidently identify a cyber<br />
incident at work, while a further 50%<br />
believe that they're unable to identify the<br />
difference between a phishing and real<br />
email.<br />
The UK has seen a drastic change in<br />
workforce lifestyle over the past three<br />
years (as of May 2023, with 85% of<br />
employees currently working from home<br />
wanting a hybrid approach). Cowbell's<br />
findings show that businesses are not<br />
only unwittingly exposing themselves to<br />
risk through lack of awareness of simple<br />
protective measures, but are also putting<br />
too much onus on their employees to<br />
perform safety protocols, such as protecting<br />
devices, updating software and staying<br />
off unsafe networks.<br />
This can leave SMEs with a significantly<br />
heightened exposure to cyber risks, says<br />
Cowbell's Simon Hughes, VP and general<br />
manager (UK): "Business leaders have been<br />
thrown into an ever-changing and complex<br />
landscape with regards to cyber threats,<br />
alongside having to navigate new business<br />
processes associated with a rapidly<br />
transforming world of work. Many have<br />
stepped up to keep themselves as robustly<br />
protected as possible. However, team-related<br />
behaviours and gaps in knowledge<br />
highlighted in our research are leaving<br />
businesses exposed, showing the need<br />
for continual monitoring and action. If<br />
employees aren't regularly made aware of<br />
cybersecurity risks, such as public wifi usage,<br />
businesses can find themselves wide open<br />
at every coffee shop and neighbourhood<br />
their employees work and visit."<br />
THIRD-PARTY DATA BREACH<br />
Another major concern is the revelation by<br />
bank Flagstar of a third-party data breach<br />
when its payment processing and mobile<br />
banking services provider Fiserv suffered a<br />
MOVEit data breach, ultimately leaking the<br />
data of an estimated 800,000 customers.<br />
"The incident involved vulnerabilities<br />
discovered in MOVEit Transfer, a file transfer<br />
software used by our vendor to support<br />
services it provides to Flagstar and its<br />
related institutions," Flagstar Bank told its<br />
customers. With assets worth over $31<br />
billion and annual revenue of over $1.9<br />
billion, the New York Community Bank-owned<br />
financial services company is one<br />
of the largest banks in the United States.<br />
Kennet Harpsoe, senior cyber analyst at<br />
Logpoint, comments: "Companies must<br />
be very careful to have inventories of the<br />
software they deploy to be able to track<br />
publications of vulnerabilities in their<br />
software and patch them, if necessary.<br />
Zero-days are, by definition, impossible<br />
to defend directly against. They are<br />
unknown unknowns and the best strategy<br />
is to always minimise impacts of a potential<br />
breach, adopt an 'assume breached<br />
mindset' and defend your networks in<br />
depth, having multiple layers of defence<br />
and monitoring."<br />
He adds: "Internet-facing systems are<br />
especially vulnerable to zero-days and<br />
such systems should always be placed in<br />
a DMZ (Demilitarized Zone), in line with<br />
the defence-in-depth mindset."<br />
BREACH PUTS POLICE AT RISK<br />
One of the most alarming recent attacks was the data breach that exposed the details of 10,000 police employees - including<br />
undercover police officers - putting the names and personal details of police officers at great risk of exposure.<br />
The National Crime Agency (NCA) launched a criminal investigation into the breach at the Stockport-based firm Digital ID,<br />
which makes identity cards and lanyards for a number of UK organisations, including several NHS trusts and universities.<br />
Digital ID said it notified cyber experts last month when it became aware of the incident.<br />
The breach has provoked serious security concerns and raised deeper questions about data protection in UK policing, coming<br />
as it did just weeks after the surnames and initials of 10,000 Police Service of Northern Ireland employees were published online<br />
after being accidentally included in a response to a freedom of information request.<br />
Paul Holland, CEO of leading secure digital communications organisation Beyond Encryption, says that knowing the identities<br />
of undercover officers are now in the hands of unknown threat actors is "an unacceptable breach of policing staff trust, and<br />
could be dangerous for both them and the citizens they protect". And he adds: "While consumers and businesses alike are often<br />
unaware of the security risks impacting their data, these recent breaches demonstrate how detrimental insufficient security tools<br />
are to digital safety. Organisations must ensure that they have robust safeguarding measures in place to mitigate these attacks in<br />
future or we risk more personal data falling into the wrong hands."<br />
product review<br />
ENDACE: ENDACEPROBE CLOUD<br />
Cloud computing has revolutionised<br />
business operations globally, but the<br />
'shared responsibility' security model<br />
used by providers presents many challenges<br />
for SecOps and NetOps teams. Providers<br />
look after the security of the infrastructure,<br />
data centres and server hardware, leaving<br />
customers to handle cloud application,<br />
data, operating system and access security.<br />
For teams to respond quickly to cyberattacks<br />
and resolve network or application performance<br />
issues, they must be able to capture,<br />
store, index and analyse accurate records of<br />
all traffic activity. Historically, this has been<br />
a major pain point for cloud services, but<br />
packet capture expert Endace has the perfect<br />
solution, as its well-respected EndaceProbe<br />
appliances can now be hosted in the cloud.<br />
Supporting Amazon Web Services (AWS)<br />
and Microsoft Azure public clouds,<br />
EndaceProbe Cloud delivers the same<br />
excellent packet capture and analysis features<br />
found in Endace's hardware appliances and<br />
places them right where they can provide<br />
deep visibility into cloud environments.<br />
Capable of capturing packets from virtual<br />
packet brokers, VPC mirrors, virtual span<br />
ports, load balancers, firewalls, vSwitches and<br />
virtual machines, EndaceProbe Cloud assures<br />
full security, storing all recorded packet data<br />
within your own VPC or virtual network.<br />
Deployed as a virtual machine, using the<br />
recommended sizing, EndaceProbe Cloud<br />
delivers 4Gbps packet to disk write<br />
performance, millisecond accurate<br />
timestamping, and a maximum native<br />
storage capacity of 250TB per instance.<br />
Endace's software compression and Smart<br />
Application Truncation technology further<br />
boosts packet capture capacity to as much<br />
as 500TB. You can also control cloud<br />
subscription costs by sizing the appliance<br />
up or down to your requirements.<br />
Endace adds extreme flexibility. All<br />
EndaceProbes in globally distributed cloud<br />
and hybrid networks can be centrally<br />
accessed through a single console. Endace's<br />
InvestigationManager - which can be hosted<br />
in the cloud or on-premises - provides<br />
centralised search and data-mining.<br />
Using InvestigationManager's integrated<br />
EndaceVision - a browser-based analysis tool<br />
- analysts can choose data sources from<br />
multiple EndaceProbes, view them<br />
simultaneously and use data visualisation<br />
tools to home in on areas of interest, such<br />
as flows, top talkers, protocols and users.<br />
All search operations are performed locally<br />
on each EndaceProbe and only packets of<br />
interest are passed to InvestigationManager.<br />
Data egress charges are significantly reduced,<br />
as there's no need to download huge pcap<br />
files from the cloud.<br />
Management of all Endace deployments<br />
can also be done centrally using EndaceCMS,<br />
which provides a single pane of glass for all<br />
administrative functions, including health<br />
monitoring, configuration and upgrades.<br />
You can host EndaceCMS either on-premises<br />
or in the cloud, too.<br />
EndaceProbe Cloud integrates seamlessly<br />
with a wide range of security and performance<br />
monitoring tools, including solutions<br />
offered by Cisco, Palo Alto Networks, Plixer,<br />
Splunk and many others. Endace's APIs<br />
integrate directly into the user interfaces<br />
of these products, so teams can analyse<br />
packet data directly from within the tools<br />
they already use, without needing to have<br />
specific knowledge of Endace's appliances.<br />
A good example is Splunk. When Splunk<br />
shows an alert or event, analysts can access<br />
related packets directly from within the<br />
Splunk GUI - so they don't need to change<br />
their existing workflows. They can create,<br />
share and customise investigations, accessing<br />
data from multiple EndaceProbes, view<br />
conversations, extract files from suspicious<br />
communications, generate rich logs for<br />
insight into network activity and decode<br />
packets directly in the hosted Wireshark,<br />
thus avoiding more cloud egress charges.<br />
It's no secret cloud infrastructures are<br />
coming under an ever-increasing barrage of<br />
cyberattacks and, for SecOps and NetOps<br />
teams to do their job, they need total visibility<br />
into AWS and Azure environments, too.<br />
Endace's EndaceProbe Cloud provides an<br />
answer, as this highly scalable unified packet<br />
capture and analysis solution is simple to<br />
deploy and ideally suited to hybrid, multicloud<br />
architectures.<br />
Product: EndaceProbe Cloud<br />
Supplier: Endace<br />
Web site: www.endace.com<br />
Sales: +44 (0)800 088 5008<br />
artificial intelligence<br />
FAKING IT WITH AI<br />
STANDING ON THE CUSP OF A NEW FRONTIER IS EXHILARATING, BUT<br />
IT'S ALSO A PRECIPICE WE RISK TUMBLING OVER, WARNS ONE AI EXPERT<br />
Findings from independent research into<br />
AI's impact on cyber security, the risks<br />
and advantages, have highlighted the<br />
mounting concerns that are spreading over<br />
the use of AI, and deepfakes in particular, as<br />
68% of respondents noted concerns about<br />
cybercriminals using deepfakes to target their<br />
organisations.<br />
Brian Martin, head of product development,<br />
Innovation and Strategy at Integrity360 -<br />
which has released the findings -<br />
comments: "The use of AI for cyber-attacks is<br />
already a threat to businesses, but recognising<br />
the future potential and the impact this can<br />
have is just the start. We've already seen the<br />
potential for deepfake technology with the<br />
video of Volodymyr Zelensky telling Ukrainians<br />
to put down their weapons and spreading<br />
disinformation. This is just one example of the<br />
nefarious means in which it can be used, and<br />
businesses need to be prepared for how to<br />
defend against this and discern what is and<br />
isn't real, to avoid falling victim to an attack."<br />
A significant majority (59%) of respondents<br />
also agree that AI is increasing the number of<br />
cyber security attacks, which aligns with the<br />
change in attacks that have been noticeable<br />
over the past year as 'offensive AI' is being<br />
used in instances such as malware creation.<br />
It's also being used to create more phishing<br />
messages, with content that accurately<br />
mimics the language, tone and design of<br />
legitimate emails.<br />
In line with this, the survey also indicates<br />
that businesses recognise the impact that<br />
AI will have on cyber security, as 46% of<br />
respondents disagreed with the statement<br />
that they do not understand the impact of<br />
AI on cyber security.<br />
However, when breaking down the findings<br />
by specific job roles, the survey suggests that<br />
CIOs appear to have the least understanding<br />
of AI's impact on cyber security, with 42%<br />
indicating disagreement with the statement.<br />
"AI's role in cyber security is not only a matter<br />
of perception, but a tangible reality," adds<br />
Martin. "Conventional cyberattacks will<br />
ultimately become obsolete as AI technologies<br />
become increasingly available and more<br />
appealing and accessible, as attackers look to<br />
expand their use for AI-enabled cyberattacks.<br />
As an MSSP, it's essential to ensure businesses<br />
are considering how this can be used against<br />
them and putting processes in place to<br />
protect against these growing threats."<br />
AI SAFETY SUMMIT<br />
As concerns over AI continue to circulate,<br />
an AI Safety Summit at Bletchley Park in<br />
Buckinghamshire had five key objectives that<br />
were up for discussion by global experts,<br />
academics, politicians and scientists. These<br />
were:<br />
• A shared understanding of the risks posed by frontier AI and the need for action<br />
• A forward process for international collaboration on frontier AI safety, including how best to support national and international frameworks<br />
• Appropriate measures that individual organisations should take to increase frontier AI safety<br />
• Areas for potential collaboration on AI safety research, including evaluating model capabilities and the development of new standards to support governance<br />
• To showcase how ensuring the safe development of AI will enable AI to be used for good globally.<br />
Thomas R Weaver, tech entrepreneur,<br />
computer scientist and author of the book,<br />
'Artificial Wisdom', has been sharing some<br />
of his predictions around those summit<br />
objectives and had this to say about AI: "While<br />
it's exhilarating to stand on the cusp of a new<br />
frontier in AI, that very edge is a precipice we<br />
risk tumbling over, if we don't approach it<br />
with caution. As someone who has delved<br />
deep into the ethical murk of future<br />
technologies through both fiction and<br />
entrepreneurship, I can't stress enough<br />
how vital it is that we develop a collective<br />
understanding of the risks involved -<br />
especially when it comes to employing AI<br />
in tackling monumental challenges like<br />
climate change. It's not merely about<br />
drafting safety protocols; it's about<br />
questioning the very mandate we give to<br />
these technologies."<br />
The latest NCSC guidance is quite<br />
rightly suggesting the pressing need to<br />
'exercise caution' when building Large<br />
Language Models (LLMs), with the explanation<br />
that our understanding of LLMs is still<br />
'in beta' mode.<br />
Cautions Kev Breen, director of cyber threat<br />
research at Immersive Labs: "As an industry,<br />
we are becoming more accomplished at<br />
using and making the most of the benefits of<br />
LLM, but there is more to learn about them,<br />
their full capabilities, and where their usage<br />
could leave individuals and indeed large<br />
organisations vulnerable to attack."<br />
As organisations rush to embed AI into their<br />
applications, and startups begin to pop up<br />
with new and interesting ways to use this<br />
new form of AI (language models such<br />
as OpenAI's ChatGPT), it is important that<br />
developers understand how these models and<br />
their APIs work before building them, he<br />
points out. "Prompt Injection is currently<br />
the most common form of attack observed<br />
against LLMs, by focusing on defeating<br />
the protections they offer against sharing or<br />
creating information that could be damaging<br />
- for example, instructions on how to create<br />
malicious code."<br />
This is not the only danger, he says. "OpenAI<br />
has introduced ‘function calling’, a method<br />
for the AI to return data in a structured<br />
format that can be used by the application,<br />
making it easier for developers to expand<br />
on the AI's capability or enrich its data with<br />
other sources."<br />
The danger here is that those function<br />
signatures are sent to the AI in the same<br />
context, says Breen, "meaning that, through<br />
prompt injection, attackers can learn the<br />
underlying mechanisms of your application<br />
and in some examples, attackers can manipulate<br />
the AI's response to perform command<br />
injection or SQL injection attacks against the<br />
infrastructure".<br />
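An added example, not code from the article, Immersive Labs or OpenAI: it shows why the arguments of a model's function call need the same handling as any other untrusted input, with a string-built query beside a validated, parameterised one. The `lookup_orders` function, the table, the customer IDs and the model replies are all constructed for illustration.<br />

```python
import json
import re
import sqlite3


def make_db():
    """Constructed demo data: three orders belonging to two customers."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id TEXT, item TEXT)")
    db.executemany(
        "INSERT INTO orders (customer_id, item) VALUES (?, ?)",
        [("C1001", "laptop"), ("C1001", "dock"), ("C2002", "phone")],
    )
    return db


def model_call(name, **arguments):
    """Constructed stand-in for a model's function-call reply (no API is contacted).

    The arguments travel as a JSON string chosen by the model, so anything that
    steers the model (a user prompt, a retrieved document) also steers them.
    """
    return json.dumps({"name": name, "arguments": json.dumps(arguments)})


# Constructed replies: a normal one and three shaped by injected prompt text.
BENIGN = model_call("lookup_orders", customer_id="C1001")
INJECTED = model_call("lookup_orders", customer_id="C1001' OR '1'='1")
OTHER_CUSTOMER = model_call("lookup_orders", customer_id="C2002")
UNLISTED = model_call("delete_orders", customer_id="C1001")


def handle_call_vulnerable(db, raw):
    """Weak pattern: model output is trusted and pasted into the SQL text."""
    args = json.loads(json.loads(raw)["arguments"])
    sql = "SELECT item FROM orders WHERE customer_id = '%s' ORDER BY id" % args["customer_id"]
    return [row[0] for row in db.execute(sql)]


class RejectedCall(Exception):
    """Raised when a model-proposed call fails validation or authorisation."""


# Hypothetical registry: the only function and argument names the app will act on.
ALLOWED = {"lookup_orders": {"customer_id"}}
CUSTOMER_ID = re.compile(r"C\d{4}")  # assumed ID format for this demo


def handle_call_hardened(db, raw, session_customer):
    """Validate the call, authorise it from the session, then bind parameters."""
    try:
        call = json.loads(raw)
        name = call["name"]
        args = json.loads(call["arguments"])
    except (ValueError, KeyError, TypeError) as exc:
        raise RejectedCall("malformed function call") from exc
    if name not in ALLOWED:
        raise RejectedCall("function not in allow-list")
    if not isinstance(args, dict) or set(args) != ALLOWED[name]:
        raise RejectedCall("unexpected arguments")
    customer_id = args["customer_id"]
    if not isinstance(customer_id, str) or not CUSTOMER_ID.fullmatch(customer_id):
        raise RejectedCall("customer_id fails format check")
    # Authorisation comes from the authenticated session, never from the model.
    if customer_id != session_customer:
        raise RejectedCall("customer_id does not match session")
    rows = db.execute(
        "SELECT item FROM orders WHERE customer_id = ? ORDER BY id", (customer_id,)
    )
    return [row[0] for row in rows]


def is_rejected(db, raw, session_customer):
    """Return True when the hardened handler refuses the call."""
    try:
        handle_call_hardened(db, raw, session_customer)
    except RejectedCall:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign  :", handle_call_vulnerable(db, BENIGN))
    print("vulnerable, injected:", handle_call_vulnerable(db, INJECTED))
    print("hardened, benign    :", handle_call_hardened(db, BENIGN, "C1001"))
    for label, raw in [("injected", INJECTED), ("other id", OTHER_CUSTOMER), ("unlisted", UNLISTED)]:
        print("hardened, %-9s: rejected=%s" % (label, is_rejected(db, raw, "C1001")))
```

Because the function signatures share the model's context, they should be treated as disclosable: the hardened handler does not rely on the function or argument names staying secret.<br />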
To help raise awareness of this issue,<br />
Immersive Labs launched a 'Beat the Bot' AI<br />
prompt injection challenge (available at<br />
'Immersive GPT'). In this challenge, users are<br />
tasked with building the right prompts to<br />
con the AI into giving them the password. Of<br />
the 20,000 people that have attempted the<br />
challenge, around 3,000 made it through to<br />
level one, while only 527 made it to level 10,<br />
showing that there is still a lot for people to<br />
learn - "but even with varying levels of control,<br />
it's still easy to find a way to bypass a<br />
prompt", he adds.<br />
By learning prompt injection, even your<br />
average person can trick and manipulate<br />
an AI chatbot. "Real-time, gamified training<br />
becomes essential for not only attempting<br />
to keep up with the efforts of hackers,<br />
but also better understanding the 'practice'<br />
they are putting in themselves around AI<br />
prompt injection."<br />
Author Brian Martin: vital we develop<br />
a collective understanding of the risks<br />
involved with AI.<br />
Thomas R Weaver: tech entrepreneur,<br />
computer scientist and author of the<br />
book, 'Artificial Wisdom'.<br />
data privacy<br />
WHAT DATA PRIVACY MEANS NOW<br />
IS THE CONSTANT BATTLE TO KEEP DIGITAL PRIVACY<br />
LAWS AND REGULATIONS RELEVANT TO THE DIGITAL<br />
AGE BEING WON?<br />
What exactly is data privacy?<br />
The accepted definition is our<br />
ability to control what, where<br />
and how our personal or confidential<br />
information is collected, stored or<br />
shared. Data privacy was important long<br />
before the digital age, but the internet<br />
and electronic records have changed the<br />
meaning of data privacy, says Dashlane,<br />
a provider of password management<br />
solutions.<br />
"Internet service providers continually<br />
track your online activity and IP address,<br />
even when you use private or incognito<br />
browsing modes. Digital privacy laws<br />
and regulations determine how information<br />
gathered during our browsing<br />
sessions can and can't be used and how<br />
we're informed about the process,"<br />
it points out. "The growth of cloud<br />
computing, e-commerce, telemedicine<br />
and other online services highlights the<br />
importance of personal data privacy<br />
practices to protect our identity and<br />
private information from cybercriminals<br />
and prevent consumer data from being<br />
used unethically."<br />
Personal information includes things<br />
such as your name, address, phone<br />
number and Social Security number that<br />
can be used to identify you. Unlike<br />
online preferences or browsing history,<br />
personal information is also relevant<br />
outside the digital world. Financial data,<br />
medical records and employee files are<br />
some of the many forms of personal<br />
information that must be protected.<br />
"Data privacy and protection are<br />
important to businesses in many ways.<br />
Maintaining the privacy of company<br />
information [intellectual property],<br />
employee data and information shared<br />
with customers and clients is essential,"<br />
adds Dashlane. "A data privacy policy sets<br />
ground rules for tracking, storing and<br />
sharing customer data collected on the<br />
organisation's website. This policy also<br />
helps businesses establish compliance<br />
with a growing list of privacy laws.<br />
"Data privacy helps you control what<br />
information you choose to keep personal.<br />
All individuals have the right to prevent<br />
their personal information from being<br />
used or shared without their consent,<br />
even if this sharing wouldn't potentially<br />
lead to data theft or other cybercrimes."<br />
Due to the importance of data privacy, a<br />
long list of state, federal and international<br />
laws has been established to protect our<br />
privacy online and elsewhere. Important<br />
data privacy and security laws and<br />
regulations include:<br />
• Children's Online Privacy Protection Act<br />
• Health Insurance Portability and Accountability Act<br />
• General Data Protection Regulation<br />
• California Consumer Privacy Act.<br />
Identity theft is one of the most serious<br />
cybercrimes related to personal data<br />
privacy and security. Armed with just a few<br />
key pieces of personally identifiable information<br />
(PII), like your name, driver's<br />
licence number and Social Security<br />
number, an identity thief can begin<br />
accessing credit lines in your name,<br />
stealing your tax refund or draining your<br />
bank account, warns Dashlane. "Since<br />
many identity theft victims don't realise<br />
what's happened until after the damage<br />
is done, dark web monitoring is a recommended<br />
practice used to scan the<br />
depths of the internet for your personal<br />
information and notify you if something<br />
sensitive is found."<br />
Dashlane says that it is dedicated to<br />
creating software that helps users control<br />
their information online. "We include plain<br />
language summaries that make our data<br />
collection, use and sharing practices easier<br />
to understand in our Dashlane Privacy<br />
Policy."<br />
UK EXTENSION SET UP<br />
In an important development in transatlantic<br />
data policy, the UK and US<br />
governments have formally established<br />
a 'UK Extension' to the EU-US Data Privacy<br />
Framework, which, since 12 October<br />
2023, is allowing businesses in the UK to<br />
transfer personal data to certified US<br />
organisations in the same way as their<br />
European counterparts.<br />
It's a highly significant move, as Edward<br />
Machin, a senior lawyer in Ropes & Gray's<br />
Data, Privacy and Cybersecurity team,<br />
acknowledges. "The UK Extension will be<br />
welcomed by British businesses, who will<br />
soon have an additional mechanism to<br />
transfer personal data to the United States<br />
and which will in part reduce the papering<br />
exercises required to ensure that their<br />
transatlantic data flows are conducted<br />
lawfully."<br />
The EU-US framework has already been<br />
legally challenged, he points out, and says<br />
it would be surprising if privacy interest<br />
groups in the UK don't mount their own<br />
challenge to the UK Extension. "We'll then<br />
see whether the English courts can strike<br />
a workable balance between upholding<br />
privacy rights and securing national<br />
security interests - a balance that their<br />
European counterparts arguably didn't<br />
manage when ruling on previous<br />
transatlantic data frameworks.<br />
PATH OF LEAST RESISTANCE<br />
"The UK's post-Brexit policymaking has<br />
revolved around liberalising its data<br />
protection regime without straying too far<br />
from the GDPR and therefore no longer<br />
being considered by the European Union<br />
to offer adequate protection for personal<br />
data," adds Machin. "A key concern in<br />
Brussels has been that the UK wants<br />
a watered-down transfer deal with the<br />
United States - and, left to its own devices,<br />
the government may have taken the path<br />
of least resistance.<br />
"The fact that the UK Extension mirrors<br />
the Data Privacy Framework will help to<br />
assuage European concerns, but the UK's<br />
data transfer deals with other countries<br />
will continue to be subject to scrutiny both<br />
at home and abroad."<br />
What does it all mean, in practical,<br />
day-to-day terms? According to the<br />
Information Commissioner's Office (ICO),<br />
the UK government can assess whether<br />
another country, territory or an international<br />
organisation provides an<br />
adequate level of data protection,<br />
compared to the UK. "Some countries<br />
may have a substantially similar level of<br />
data protection to the UK. In these cases,<br />
the government can make UK adequacy<br />
regulations. This allows organisations<br />
to send personal data to that country,<br />
territory or international organisation,<br />
if they wish."<br />
An adequacy assessment may cover<br />
either general processing, or law<br />
enforcement processing, or both.<br />
The government must consider a range<br />
of factors, including that sending personal<br />
data to that country, territory or<br />
international organisation does not<br />
undermine people's protections.<br />
The Information Commissioner's Office<br />
(ICO) supports the government,<br />
undertaking adequacy assessments and<br />
making regulations. This enables personal<br />
data to flow freely in its global digital<br />
economy to trusted partners. "We do this<br />
by providing independent assurance on<br />
the process followed and the factors<br />
that government officials take into<br />
consideration," says the ICO. "This allows<br />
the Secretary of State to make an informed<br />
and reasonable decision. By doing<br />
this work once for everyone, the government<br />
and the ICO are reducing the<br />
burden of compliance on organisations<br />
that would otherwise have to put<br />
alternative measures in place.<br />
"One of our priorities for this year, as<br />
set out in our ICO25 strategic plan, is to<br />
'enable international data flows through<br />
regulatory certainty'. This includes our<br />
work on adequacy assessments. We<br />
provided advice to the government during<br />
its assessment of the UK Extension to<br />
the EU-US Data Privacy Framework (UK<br />
Extension).<br />
"The Commissioner considers that, while<br />
it is reasonable for the Secretary of State<br />
to conclude that the UK Extension<br />
provides an adequate level of data<br />
protection and to lay regulations to that<br />
effect, there are four specific areas that<br />
could pose risks to UK data subjects, if<br />
the protections identified are not properly<br />
applied. The Secretary of State should<br />
monitor these areas closely to ensure<br />
UK data subjects are afforded equivalent<br />
protection in practice and their rights are<br />
not undermined. He also recommends<br />
monitoring the implementation of the UK<br />
Extension generally to ensure it operates<br />
as intended."<br />
FRAMEWORK ESTABLISHED<br />
The UK's data protection laws set out<br />
a framework for the responsible use of<br />
personal data by organisations. People<br />
may lose this protection when organisations<br />
transfer their personal data to<br />
organisations in other countries or to<br />
international organisations. "This is why<br />
the UK General Data Protection Regulation<br />
(UK GDPR) has specific rules on how to<br />
make international transfers of personal<br />
data," adds the ICO. "These rules mean<br />
that organisations must put in place<br />
continuing protections for people's<br />
personal data when transferring it to<br />
another jurisdiction, or one of a limited<br />
number of exemptions must apply."<br />
One way that UK organisations can<br />
transfer personal data to another<br />
jurisdiction is by relying on UK adequacy<br />
regulations made by the Secretary of<br />
State. "The Secretary of State can assess<br />
a country, territory or international<br />
organisation, or a particular sector in<br />
a country or territory, and decide if its<br />
legal framework offers a similar level of<br />
data protection to the UK. Article 45 of<br />
the UK GDPR contains a list of criteria the<br />
Secretary of State must consider when<br />
carrying out an adequacy assessment."<br />
Edward Machin, Ropes & Gray: it would<br />
be surprising if privacy interest groups in<br />
the UK don't mount their own challenge<br />
to the UK Extension.<br />
Robin Röhm, Apheris: sees the deal between<br />
the US and UK as a positive step for<br />
companies working in both jurisdictions.<br />
If the Secretary of State decides that a<br />
country, territory or international<br />
organisation, or a particular sector in a<br />
country or territory, affords an adequate<br />
level of data protection, they can make<br />
regulations to give legal effect to their<br />
decision. These adequacy regulations<br />
allow UK organisations to transfer personal<br />
data to a controller or processor located<br />
in a third country or to an international<br />
organisation. The transfer must adhere to<br />
the particular scope of those regulations.<br />
"For criminal offence data, there may be<br />
some risks, even where this is identified as<br />
sensitive, because, as far as we are aware,<br />
there are no equivalent protections to<br />
those set out in the UK's Rehabilitation of<br />
Offenders Act 1974," points out the ICO.<br />
Significantly, the UK Extension does not<br />
contain a substantially similar right to the<br />
UK GDPR in protecting individuals from<br />
being subject to decisions based solely<br />
on automated processing, which would<br />
produce legal effects or be similarly<br />
significant to an individual. "The UK<br />
Extension contains neither a substantially<br />
similar right to the UK GDPR's right to be<br />
forgotten nor an unconditional right to<br />
withdraw consent," states the ICO. "While<br />
the UK Extension gives individuals some<br />
control over their personal data, this is<br />
not as extensive as the control they have<br />
in relation to their personal data when<br />
it is in the UK."<br />
POSITIVE STEP<br />
In response to the UK-US transatlantic<br />
data adequacy agreement, Robin Röhm,<br />
CEO and co-founder of Apheris, sees the<br />
deal between the US and UK as a positive<br />
step for companies working in both<br />
jurisdictions. "But it does not solve the<br />
long-term issues around governance,<br />
security and privacy that prevent true<br />
collaboration between organisations,"<br />
he comments. "Data is one of business's<br />
most important assets, so why would<br />
businesses want to risk transferring<br />
sensitive information and data across<br />
borders? Developing better models to<br />
securely access and collaborate with<br />
sensitive data is the most appropriate<br />
and pressing response to the problem<br />
of working across organisational and<br />
geographical boundaries, particularly in<br />
the fields of machine learning and artificial<br />
intelligence."<br />
Nadia Kadhim, GDPR lawyer and CEO<br />
of global automated compliance platform<br />
Naq Cyber, warns that the defence<br />
industry needs to do more to protect<br />
classified data, as the number of attacks<br />
on this sector has increased by nearly 50%<br />
with an average of 1,661 according to a<br />
global report by Check Point Research.<br />
This increased risk has already led to<br />
growing demand for additional<br />
compliance measures from the defence<br />
industry to ensure their suppliers meet<br />
legal and regulatory compliance<br />
requirements such as Cyber Essentials,<br />
JOSCAR, DART, and MOD Risk Assessments,<br />
she states. "The number of cyberattacks<br />
within the defence sector is<br />
expected to keep rising. While it is crucial<br />
to ensure the MOD's systems are secured,<br />
it is also just as crucial to ensure defence<br />
suppliers have a strong cybersecurity<br />
posture or risk putting the entire defence<br />
supply chain in jeopardy.<br />
"It's a pattern we see in other highly<br />
regulated sectors, such as healthcare,<br />
where attackers use suppliers to access<br />
valuable and sensitive information. To<br />
keep the UK defence sector safe, we must<br />
focus on suppliers and ensure they are<br />
meeting continuous compliance with the<br />
cybersecurity requirements set by the<br />
MOD and their primes."<br />