CS Jan-Feb 2025
Computing
Security
Secure systems, secure data, secure people, secure business
A TURNKEY EXPERIENCE
How to take your security
levels to ever greater
heights
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
COMPLIANCE DEFIANCE
Missed EU deadline
could come back to
haunt offenders
FORCE TO BE RECKONED WITH
Winds of change are
blowing: investment
in people is ramping up
TRUST... IN THE ROUND
Adaptive trust engines are
all revved up for action
Computing Security Jan/Feb 2025
What if there was a way to
Adapt to all Email
Security threats...
Libraesva integrates cloud email and a secure email gateway with our unique
adaptive trust engine to provide award winning protection.
Layered security defends your business against spam, malware, phishing, email
fraud, spoofing, zero-day threats, account takeover, social engineering, business
email compromise, inadvertent disclosure of sensitive information and more.
Test your security for FREE with our Email Security Tester
emailsecuritytester.com
libraesva.com
comment
AYE, AYE TO AI
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+44 (0)1689 616 000
David Bonner
(dave.bonner@btc.co.uk)
+44 (0)1689 616 000
Stuart Leigh
(stuart.leigh@btc.co.uk)
+44 (0)1689 616 000
Is the speed of AI development leaving UK SMEs struggling to plug security gaps? That is the
question posed by a new IT trends report. Findings to emerge included an encouraging 81%
of UK SMEs who responded agreeing that their organisation should be investing in AI, while
33% predicted budgets will rise by 10-20% in the future.
However, as UK SMEs embrace the integration of AI, its growing attack capabilities challenge
UK SME IT security teams, with 25% of cyber-attacks experienced by SMEs attributed to AI-generated
attacks, the report reveals.
JumpCloud's Q3 2024 SME IT Trends Report also states that there is a measurable increase in
UK SMEs' appetite to embrace AI, compared to its Q1 2024 report. "With this being a bi-annual
survey, it's interesting to see how rapidly general attitudes towards AI, adoption and predicted
adoption, and how it can benefit business, is changing for the better. Over three quarters (81%)
of SMEs agree that their organisation should be investing in AI initiatives for IT, an increase from
70% in Q1 2024. Additionally, 75% view AI as a net positive versus 71% in Q1 2024."
This optimism is impacting AI adoption amongst UK SMEs, according to the report, with 34%
of UK respondents planning to implement AI in the next six months. "Encouragingly, just 9%
of UK SMEs said they have no plans to implement AI," adds JumpCloud.
"Overall, UK SMEs are starting to embrace the idea of implementing AI into their tech stack,
no doubt helped by AI's increasing popularity," the company's Sean Gill, head of sales, Europe,
comments. "However, in classic British style, their optimism is guarded; 37% of respondents
think that the potential impact of AI is the same as six months ago - albeit moving slower than
they thought it would."
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W.: £62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2025 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk Jan/Feb 2025 computing security
@CSMagAndAwards
inside this issue
CONTENTS

COMMENT 3
Aye, Aye to AI

NEWS 6
Malicious emails surge
Stress takes its toll
'Quantum apocalypse is coming'
Phishing remains business scourge
Snyk acquires DAST provider Probely

ARTICLES

IN WHOM WE TRUST 10
Libraesva's Rodolfo Saccani, on the power and relevancy of Adaptive Trust Engines

MISH, MASH… BASH! 12
Aggressors are constantly finding new ways - such as Mishing - to exploit email, to breach an organisation’s defences

'DEFENDING AS ONE' 14
The 'Security Project of the Year' winner at the 2024 Computing Security Awards showed how Socura, along with CymruSoc, is enhancing threat detection across Wales

JOURNEY TO CYBER RESILIENCE 16
LevelBlue's Scott Scheppers discusses the right approach to formalising threat detection and incident response strategies

STRENGTH IN NUMBERS 17
Defending against cyber threats requires a unity of purpose and of people, states Pavin Varughese, VP Sales, JetPatch

COMPLIANCE DEFIANCE 18
Experts are predicting that the current high levels of non-compliance will most likely compromise the EU's goal of creating a robust European cybersecurity framework, leaving businesses and the public further exposed to risk.

A FORCE TO BE RECKONED WITH 22
Many organisations fail to invest in, and plan for, the human component of cybersecurity until after a breach has occurred. This is too little and way too late, say several industry experts, and can leave those organisations damaged financially and by reputation.

BOOK REVIEW 25
'Inside Cyber'. Chuck Brooks enters deep into a world where fact and fiction collide

A TURNKEY EXPERIENCE 26
New insights on how best to integrate managed detection and response into an organisation's existing security make-up

PLANNING FOR DISASTER 28
Risk mitigation is one of the key steps that needs to be taken in the risk management process. It underpins the whole strategy of planning and developing options to reduce those threats to project objectives often faced by a business or organisation.

MAKING THE PEN MIGHTIER 30
According to the National Cyber Security Centre, it's not uncommon for a year or more to elapse between penetration tests. "So, vulnerabilities could exist for long periods of time without you knowing about them, if this is your only means of validating security," it points out.

PRODUCT NEWS 34
New service targets cloud complexity
Sophos in $859 million acquisition
Optalysys and Google partner up
Scam Copilot takes to the air
news
CYBERCRIMINALS UP THE ANTE WITH MALICIOUS EMAILS
VIPRE Security Group's Q3 2024 Email Threat Trends
Report reveals the sophisticated strategies and
techniques being employed by cybercriminals, with a
particular persistent focus on the highly lucrative tactic
of business email compromise (BEC).
VIPRE processed 1.8 billion emails globally, of which 208
million turned out to be malicious, it is stated.
BEC scams surged, accounting for some 58% of phishing
attempts. Notably, 89% of these BEC attacks involved
impersonation of authority figures.
"The findings of this report yet again illustrate the
sophistication of criminal tactics. BEC email and phishing
attacks are becoming more targeted and convincing,"
commented VIPRE Security Group's chief product and
technology officer Usman Choudhary.
STRESS TAKES ITS TOLL
Nearly a quarter of CISOs or IT security
decision makers (ITS DMs) are actively
looking to leave their position, according
to new research that was commissioned
by BlackFog. A further 54%, while not
actively looking to quit, said they were
open to new opportunities.
The research, which explored the cause
and impact of stress on people at work,
also highlights how security leaders are
managing the demands they face and
what they need from their organisations
to feel more supported.
Conducted with UK and US cybersecurity
leaders, the research also reveals that,
of those considering leaving their role,
93% state that the stress and demands
are impacting their decision to leave.
Said Dr Darren Williams, CEO and
founder, BlackFog: "The cost and time
involved in replacing senior level security
leaders is considerable, so it's absolutely
essential that organisations address the
root cause of stress to reverse the cycle
of churn."
SNYK ACQUIRES DAST PROVIDER PROBELY
Snyk, a leader in developer security, has acquired
Probely, a modern dynamic application security
testing (DAST) provider, with coverage of API security
testing and web applications.
Probely also powers Security Headers, a free tool
designed to help users understand and benchmark
the security of their web properties.
"For global security leaders seeking to further
accelerate trusted AI adoption, adding Probely's
technology and expertise further extends the breadth
and depth of Snyk's platform," said Peter McKay, chief
executive officer, Snyk.
NATIONWIDE NAMED CYBER RESILIENCE AMBASSADOR
The world's largest building society, Nationwide, has been
named a National Ambassador of the National Cyber
Resilience Centre Group (NCRCG). In this new role, the
organisation will be helping to shore up the cyber defences
of the UK's small and medium-sized enterprises (SMEs).
Sharon Gould, supplier security and resilience manager at
Nationwide Building Society, commented: "Protecting our
customers against fraud and scams, and preventing
criminals at source, is a priority at Nationwide. It's vital all
areas of the supply chain work together, sharing resources
and the latest technology to stay ahead of criminals."
Building cyber security
awareness together.
Leading the way in personalised
cyber security awareness.
Keep your staff engaged, cyber-secure, and compliant with our award-winning,
personalised cyber security training.
Designed with real people and teams in mind, our expertly crafted content transforms
cyber security into an informative and captivating experience. By making learning
fun and impactful, we maximise engagement and enhance staff security behaviour,
ensuring constant vigilance against cyber threats.
Our staff fully engaged with our
security awareness program, with
completion rates over 85%
Best cyber security awareness
platform available
INTEGRITY360 LAUNCHES NEW UNIFIED SECURITY SOLUTION
Integrity360 has launched its Managed Cloud Native
Application Protection Platform (CNAPP) Service, which
has been designed specifically to deliver automated
cloud workload protection, visibility into cloud
environments, proactive threat and exposure detection,
and compliance alignment.
Comments Ahmed Aburahal, technical product
manager at Integrity360: "The need for advanced,
unified security solutions is critical, particularly as
Gartner predicts that 95% of cloud breaches will stem
from user misconfigurations by 2025.
"Our Managed CNAPP Service bridges these gaps,
providing a unified platform that ensures continuous
monitoring, streamlined risk management and robust
threat protection."
PHISHING REMAINS THE
SCOURGE OF BUSINESSES
Hornetsecurity's annual Cybersecurity
Report has revealed that a third (36.9%)
of all emails received by businesses (20.5
billion) in 2024 were unwanted. Of these,
2.3% contained malicious content, totalling
427.8 million emails.
Once again, phishing remained the most
prevalent form of attack, responsible for a
third of all cyber-attacks in 2024.
This was confirmed by the analysis of some
55.6 billion emails, showing that phishing
remains a top concern consistently year
over year. Malicious URLs and advance-fee
scams were responsible for 22.7% and
6.4% respectively.
Commenting on the findings, Daniel
Hofmann, Hornetsecurity CEO, said: "These
findings highlight both progress and new
challenges in the fight against cyber threats.
"While it's encouraging to see some consistency
in attack methods, for defensive
purposes, the shift toward more targeted
social engineering tactics means businesses
must stay vigilant."
WEIGHING UP THE RISKS
Kiteworks has launched its Risk Exposure Index,
which evaluates and prioritises data breaches
based on their severity and potential impact. The new
index has been applied to analyse the top 11 data
breaches of the first half of 2024, offering insights
into the evolving landscape of cybersecurity threats.
The Risk Exposure Index incorporates a range of
factors to provide "a more nuanced understanding of
breach severity, including the type of data
compromised, the extent of exposure, potential
regulatory penalties and long-term impact on brand
reputation", states the company.
"In today's complex cybersecurity landscape,
organisations need a more sophisticated approach to assessing and prioritising data
breach risks," says Tim Freestone, chief strategy and marketing officer at Kiteworks.
"Our Risk Exposure Index offers a standardised framework for quantifying and comparing
the risks associated with different data breaches, enabling organisations to allocate
resources more effectively and enhance their overall security posture."
'QUANTUM APOCALYPSE IS COMING'
Up to 99% of Fortune 500 companies are not adequately prepared for the imminent threats
posed by quantum computing.
Tim Callan, chief experience officer at Sectigo, says that the quantum paradox is evident. "While
the remarkable processing power of quantum holds boundless potential, it simultaneously
poses a significant threat to the foundation of all encryption.
"In the event that a country does develop a quantum computer capable of breaking current
encryption methods, it is likely that they would keep it a closely guarded state secret, as the UK
did when it broke the Enigma code during World War II. For this reason, it is imperative that
businesses take their own proactive measures to prepare for this eventuality by transitioning to
quantum-safe algorithms before it is too late."
Layers aren’t just for cakes; they’re
essential in cybersecurity’s secret
recipe for protection!
Bake it happen with VIPRE Security Group. Secure your
bytes before you take a bite with Email Security, Endpoint
Security and User Protection
www.vipre.com
q&a session
IN WHOM WE TRUST
COMPUTING SECURITY SAT DOWN RECENTLY FOR A FIRESIDE CHAT WITH LIBRAESVA'S CTO RODOLFO
SACCANI ABOUT THE POWER AND RELEVANCY OF ADAPTIVE TRUST ENGINES
Computing Security: What is an
adaptive trust engine? How does it
differ from a traditional static trust
model?
Rodolfo Saccani: Adaptive trust engines
(ATEs) use AI to learn the usual patterns
of email communication behaviour for
organisations and individuals. They
continuously assess the strength of
business-to-business trust and
proactively hold anomalous traffic.
In comparison, traditional email security
tools are reactive, relying on attack
vectors and signatures to be already
known. As a result, they are vulnerable
to threats, including new (zero-day)
attacks, business email compromise,
phishing and spoofing. This inflexibility
and inability to be constantly updated is
a serious weakness in legacy systems.
CS: Can you explain some common use
cases for adaptive trust engines in
cybersecurity?
RS: The valuable information that ATEs
collect and constantly learn from is vital
for repelling a range of attack attempts.
Fake replies sent by unusual
correspondents, for example, are flagged
by the friction between the semantics of
the message and the lack of any previous
relationship. Spamming patterns can be
spotted by a uni-directional message
flow from an external entity targeting
multiple internal users, whilst
compromised accounts are rooted out
thanks to ATEs identifying internal email
accounts suddenly sending emails to
many external addresses with no prior
relationship.
ATEs also trigger additional security
checks and policies on emails from first-time
senders and display warning
banners in the body of emails from
unusual correspondents.
CS: How have emerging cybersecurity
threats necessitated the need for
adaptive solutions?
RS: The evolution of email security has
rendered traditional signals ineffective.
Reputation information, for example,
becomes useless when emails are sent
from compromised accounts on
prominent and reputable email services.
Alternative methods to evaluate
trustworthiness are sorely needed.
In this context, ATEs provide a powerful
solution. By leveraging historical
relationship data - a source harder to
spoof or manipulate - ATEs can provide
more accurate assessments of sender
credibility.
CS: Can these solutions ease the resource
burden for companies affected by the
cybersecurity recruitment crisis?
RS: It's no secret that AI is changing how
we approach tasks in the cyber security
industry. The speed at which these
intelligent systems have developed has
been hugely impressive and has led to
tools becoming increasingly capable of
taking over responsibilities traditionally
assigned to humans. With AI doing the
heavy lifting on several resource-intensive
tasks, cyber security professionals will
have more time for strategic and high-value
work.
We are spearheading this shift,
investing heavily in AI tools that enhance
the reliability and effectiveness of our
email security solutions. Companies are
used to a 'set and forget' approach to
email security solutions, where the
system can be implemented, configured,
and left to operate without constant
intervention. AI enables us to ensure that
solutions are continuously updated
without intensive processes so that
emergent threats can be dealt with.
CS: What are some key factors or
attributes that an adaptive trust engine
evaluates when determining
trustworthiness?
RS: ATEs account for all communication
history between individuals in a
company, as well as communications
with other businesses, helping to build a
pattern that cannot be fabricated. This
means that when evaluating potential
threats, including bad actors who are
looking to exploit vulnerabilities, conduct
fake online activity, impersonate
companies, and generally fool humans,
ATEs have a wealth of activity to pull
from to make a decision.
CS: What are the challenges in training a
machine learning model to assess trust in
real-time?
RS: The all-encompassing visibility that
ATEs have allows them to thoroughly
evaluate all inbound and outbound
communications, gaining unparalleled
insights into the relationships between
individuals and organisations over time.
However, with such a vast repository of
data, the challenge for the model is to
make good use of this resource and
provide real-time assessments of sender
credibility, trustworthiness and intent.
For example, our solution can
automatically identify emails from
unknown or new external senders. It can
then establish a 'trusted' label for them,
if they are being sent to a recipient who
has recently been introduced to the
external party by a colleague with whom
they already have an established trust
relationship. This allows us to quickly
recognise that these new relationships
are legitimate and not malicious, even if
there is no prior interaction between the
sender and the recipient.
CS: What security concerns should be
addressed when developing an adaptive
trust engine?
RS: We are already seeing efforts to
circumvent ATEs by exploiting legitimate
services or the mailboxes of trusted
parties. For ATEs to be able to
comprehensively evaluate emails and
identify potential evasion attempts, they
must integrate data from diverse sources,
including other AI-powered systems.
CS: How would you handle a situation
where the trust engine mistakenly grants
high trust to a malicious actor or device?
RS: Our layered security approach
provides comprehensive protection
against evolving threats, meaning that,
even if one section mistakenly grants
access, another layer will detect the
threat. The ATE is just one component,
but it plays a crucial role. By integrating
input from multiple components, our
system analyses the signals holistically
through a final AI layer that detects
discrepancies between various indicators.
This layer focuses on identifying
attempts to bypass protections via
legitimate services, such as PayPal or
Microsoft's invoicing service, to deliver
technically legitimate emails that
attackers can exploit by injecting
malicious content. The goal is to catch
these sophisticated threats before they
reach the recipient's inbox.
CS: How can an adaptive trust engine
handle an emerging threat or a new type
of attack that wasn't previously
considered in its trust model?
RS: Threat actors who are financially
motivated and well-funded often have
sophisticated skills that enable them to
develop innovative attack techniques. To
remain effective, any security system
must not only detect known threats, but
also be equipped to evolve rapidly in
response to new attack methodologies.
Developing a comprehensive early
detection network to identify emerging
threats has been a key driver for me and
the rest of the company. I've been
impressed by how dedicated our team of
seasoned analysts are to staying at the
forefront of threat intelligence and trying
to get a step ahead where they can. We
continuously monitor and analyse new
attack techniques to keep abreast of the
evolving threat landscape.
Because of this, we can rapidly deploy
new versions of our engines, in response
to emerging threats, in as little as five
minutes. In the fight against security
threats, this agility and dedication are
key to ensuring safety for all our clients -
no matter how sophisticated the
attack is.
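The behaviours Saccani describes in the interview above (trust that is earned from two-way history rather than reputation, a warning on first-time senders, a uni-directional fan-out from one external address to many internal users, an internal account suddenly writing to strangers, and a new sender being trusted because a colleague with an established relationship introduced them) can be sketched as a small relationship graph. The code below is an added, illustrative model written for this page; it is not Libraesva's engine or any of its code. The tenant domain, the fan-out threshold and the sample traffic are all assumptions, and the log is constructed.

```python
"""Relationship-graph trust scoring (illustrative model, not Libraesva's engine)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"   # assumed tenant domain
FAN_OUT_THRESHOLD = 3             # assumed: distinct strangers before a fan-out flag


@dataclass(frozen=True)
class Msg:
    sender: str
    recipients: tuple


def is_internal(addr: str) -> bool:
    return addr.lower().endswith("@" + INTERNAL_DOMAIN)


class TrustGraph:
    def __init__(self) -> None:
        self.sent = Counter()               # (a, b) -> number of messages a sent to b
        self.introduced = defaultdict(set)  # internal user -> externals a colleague vouched for

    def established(self, a: str, b: str) -> bool:
        # Trust needs traffic in both directions; a one-way blast never earns it.
        return self.sent[(a, b)] > 0 and self.sent[(b, a)] > 0

    def assess(self, msg: Msg) -> list:
        """Score a message against learned history without updating it."""
        flags = set()
        s = msg.sender
        if not is_internal(s):
            for r in msg.recipients:
                if not is_internal(r) or self.sent[(s, r)] or self.sent[(r, s)]:
                    continue                        # not ours, or an existing relationship
                if s in self.introduced[r]:
                    flags.add("introduced")         # trusted transitively via a colleague
                else:
                    flags.add("first-time-sender")  # warning banner plus extra checks
            # Uni-directional fan-out: many internal targets and none has ever replied.
            targets = {b for (a, b) in self.sent if a == s and is_internal(b)}
            targets |= {r for r in msg.recipients if is_internal(r)}
            if len(targets) >= FAN_OUT_THRESHOLD and not any(self.sent[(b, s)] for b in targets):
                flags.add("fan-out-no-reply")
        else:
            # Internal account suddenly writing to many outsiders it has no history with.
            strangers = [r for r in msg.recipients
                         if not is_internal(r) and not self.established(s, r)]
            if len(strangers) >= FAN_OUT_THRESHOLD:
                flags.add("possible-account-compromise")
        return sorted(flags)

    def observe(self, msg: Msg) -> None:
        """Learn from a delivered message (call after assess)."""
        s = msg.sender
        if is_internal(s):
            internals = [r for r in msg.recipients if is_internal(r)]
            externals = [r for r in msg.recipients if not is_internal(r)]
            # An internal user who already trusts an external party and copies a
            # colleague on a message introduces that party to the colleague.
            for e in externals:
                if self.established(s, e):
                    for c in internals:
                        self.introduced[c].add(e)
        for r in msg.recipients:
            self.sent[(s, r)] += 1


# Constructed sample traffic, oldest first (not real data).
SAMPLE_LOG = [
    Msg("bob@example.com", ("alice@partner.example",)),                      # 0
    Msg("alice@partner.example", ("bob@example.com",)),                      # 1 reply: trust established
    Msg("bob@example.com", ("alice@partner.example", "carol@example.com")),  # 2 bob introduces alice to carol
    Msg("alice@partner.example", ("carol@example.com",)),                    # 3 new pair, but introduced
    Msg("mallory@unknown.example", ("carol@example.com",)),                  # 4 genuine stranger
    Msg("bulk@spam.example", ("dave@example.com",)),                         # 5
    Msg("bulk@spam.example", ("erin@example.com",)),                         # 6
    Msg("bulk@spam.example", ("frank@example.com",)),                        # 7 third target, nobody replied
    Msg("erin@example.com", ("x@a.example", "y@b.example", "z@c.example")),  # 8 internal account fans out
]


def replay(log=SAMPLE_LOG) -> list:
    """Assess each message against the history so far, then learn from it."""
    graph, verdicts = TrustGraph(), []
    for m in log:
        verdicts.append(graph.assess(m))
        graph.observe(m)
    return verdicts


if __name__ == "__main__":
    for i, v in enumerate(replay()):
        print(i, v)
```

Message 3 is the case Saccani singles out: alice has never written to carol, yet the engine labels her introduced rather than first-time because bob, who already has two-way history with alice, copied carol on a message to her. Message 7 shows why the fan-out check looks at replies and not volume alone: three one-way deliveries with no answer from anyone is the spam pattern, whereas a partner who mails three colleagues who all write back never trips it.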
email protection
MISH, MASH… BASH!
AGGRESSORS ARE CONSTANTLY FINDING NEW WAYS - SUCH AS
MISHING - TO EXPLOIT EMAIL, IN ORDER TO BREACH DEFENCES
Cybercriminals are increasingly
targeting mobile users through attack
methods that exploit the unique
features of mobile devices, like voice calls,
text messages (SMS), cameras and emails,
states Tim Roddy, vice president, product
marketing for mobile threat defence at
Zimperium. "These tactics are collectively
known as 'Mishing', a term that covers all
mobile-targeted phishing techniques."
He identifies common Mishing tactics:
- Mobile-targeted Email Phishing: launched via a standard email message, but only executes when a link is clicked by the user from a mobile device
- Smishing (SMS Phishing): deceptive SMS messages lure victims into clicking malicious links or sharing data
- Vishing (Voice Phishing): fraudulent voice calls, often AI enabled, used to trick users into divulging confidential information or taking another risky action
- Quishing (QR Code Phishing): mobile cameras are exploited to deliver phishing attacks through malicious QR codes.
Roddy also singles out factors he says are increasing the prevalence of Mishing:
- Increased mobile usage
- Expanded access to sensitive data & apps
- Limited security measures deployed on mobile devices
- Poor user behaviour.
To safeguard against Mishing, he suggests that organisations might adopt certain best practices. For users, he offers this guidance:
- Be sceptical of unexpected messages: treat unsolicited messages with caution. Verify the sender before responding or clicking on any links to prevent unauthorised access to sensitive information
- Avoid clicking on suspicious links: refrain from clicking links from unknown or unverified sources. Instead, manually enter the URL into your browser to ensure you are visiting a legitimate site and safeguarding corporate data
- Exercise caution with QR codes: be wary when scanning QR codes from even known sources.
And, for organisations, Roddy advises:
- A comprehensive mobile threat defence: deploy zero-day, on-device threat protection to detect and block threats in real-time, as well as application scanning for malware and vulnerabilities
- Educating employees: provide training on recognising and avoiding Mishing attempts.
"Mishing is an increasingly common and
sophisticated threat in today's mobile-centric
world, particularly for organisations
that rely on mobile devices for remote work
and access to sensitive information," he
concludes. "By understanding the nature
of Mishing and adopting proactive mobile
security measures, organisations can better
protect their critical information from
cybercriminals."
RIDING THE TROJAN HORSE
Email is, of course, commonly used as a
route into corporate networks to spread
malware, such as ransomware, spam and
viruses, as well as other attack vectors, such
as phishing and scams. Whether in small
businesses or large enterprises, public or
private sectors, email remains a primary
attack vector, cautions Jack Chapman, SVP
of threat intelligence at Egress, a KnowBe4
company. "This trend is evident in the 8%
rise in phishing emails between April 1-June
30, 2024, compared to January 1-March
31, 2024. Cybercriminals continue to see
email as an opportunity to spread malware,
exploit sensitive data or commit financial
fraud - all of which can be triggered by
a single successful phishing attack."
In 2023, 58% of organisations reported
account takeover (ATO) incidents, with
79% originating from phishing emails that
harvested employees' credentials, he adds.
"With these log-in details, attackers can
move laterally across networks and even
launch onward attacks to compromise
entire supply chains, meaning organisations
must address this issue at the source before
an attack is successful. Cybercriminals are
far from static - they're constantly refining
their attack techniques to bypass traditional
detection technologies like secure email
gateways (SEGs). This is evident in the
52.2% increase in attacks bypassing SEGs
in the first three months of 2024, in
addition to phishing toolkits that are
now widely available on the dark web,
advertising specific SEG vendors that their
attacks can get through."
One example of this evolution can be seen
in the rising sophistication of 'quishing'
attacks, Chapman points out. "Although
still relatively new to the cyber landscape,
Egress threat intelligence analysts have
already observed attackers manipulating
the size and colour of QR codes to more
effectively evade detection. As cybercriminals
grow more advanced, businesses must
invest in intelligent, cloud-based anti-phishing
technology capable of detecting
zero-day threats - something SEGs are
unable to do."
A dual approach to email security is
the best solution, he argues - combining
intelligent detection technology with
modern security and awareness training.
"Recognising that people significantly
expand the attack surface via email is the
first step in building a robust security
strategy. This allows businesses to turn their
employees from their biggest email security
risk into their strongest line of defence."
INGENUITY OF CYBERCRIMINALS
Although email is now a decades-old,
commonplace communication practice, it
remains a significant attack vector for
cybercriminals and a significant weakness
for enterprises - and this, says Chris Fuller,
senior director of technical field operations
at Obsidian Security, is mainly as a result of
the ingenuity of cybercriminals, who are
constantly evolving the tactics they use for
phishing campaigns, leaving cybersecurity
vendors and teams playing catch up.
"Where once the aim of the campaigns
deployed by phishers was simply to harvest
credentials, we now see more advanced
techniques, such as adversary-in-the-middle
attacks, which bypass the traditional multi-factor
authentication techniques that have
grown in popularity as a phishing deterrent.
If these defences fail, the compromise of
your systems could, in turn, lead to malicious
activity in your network or the exfiltration
of sensitive corporate data.
This is of particular concern in SaaS
applications, which have grown massively in
popularity in recent years across every area
of business function. These applications,
with distributed responsibilities within the
business, and misapprehensions about how
much security the vendor provides, exist
outside the traditional IT and security
structures in many corporations, making
them particularly vulnerable."
Using a variety of techniques to fool users,
from AI-crafted text to QR-code based
attacks, the new generation of phishing
gangs work by gaining access to identity
providers, such as Okta and Microsoft, via
legitimate accounts and reverse proxies
which allow them to access these systems
and bypass traditional defences. "One such
example which we recently observed is
a phishing-as-a-service platform, known
as Mamba 2FA, which is successful as a
byproduct of the ease at which
cybercriminals can register new domains,"
states Fuller.
"Most email protection systems are based
on using URL scanners to identify visual
similarities on phishing pages. However,
cybercriminals, such as those operating the
Mamba 2FA service, have adapted to avoid
this, using Cloudflare turnstiles, which hide
phishing sites behind a CAPTCHA challenge,
meaning automated scanners do not detect
it. This is reflective of our own data, which
indicates that 93% of spear phishing and
AiTM compromises we observed occurred
even when email protection was in place."
The evidence as a result of this is all too
clear, Fuller points out. "Email protection
alone is not enough to defend today's
enterprises from next-generation phishing
campaigns. Understanding this for a
modern enterprise looking to keep their
email systems safe is crucial."
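Two evasions run through this article: the mobile-only payload Roddy describes (a link that only detonates when opened from a mobile device) and the CAPTCHA interstitial Fuller describes, which parks the phishing page behind a challenge so that URL scanners never see it. Both defeat a scanner that fetches a link once and treats "nothing bad seen" as clean. The routine below is an added, illustrative link-triage check written for this page, not code from Zimperium, Egress or Obsidian Security: it fetches each link under a desktop and a mobile user agent, flags any divergence between the two views as cloaking, and refuses to call a challenge page clean. The fetcher is injected so the example runs offline; the user-agent strings are assumptions, and the sample sites and their responses are constructed, not captured traffic. In production the fetcher would be a real HTTP client that follows redirects.

```python
"""Link triage for user-agent cloaking and CAPTCHA interstitials (illustrative, not a vendor product)."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Assumed user-agent strings; any realistic desktop/mobile pair will do.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148 Safari/604.1"

# Markers of a CAPTCHA interstitial. Turnstile's client script is loaded from
# challenges.cloudflare.com; a response that is all challenge and no content was not scanned.
CHALLENGE_MARKERS = ("challenges.cloudflare.com/turnstile", "cf-turnstile")


@dataclass(frozen=True)
class Response:
    final_url: str   # URL after following redirects
    body: str


Fetcher = Callable[[str, str], Response]   # (url, user_agent) -> Response


def _digest(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def triage(url: str, fetch: Fetcher) -> Dict[str, object]:
    """Fetch the link once per user agent and compare the two views.

    A challenge page is reported as unscanned rather than clean, and any divergence
    between the desktop and mobile views (landing URL or body) is reported as cloaking.
    """
    views = {"desktop": fetch(url, DESKTOP_UA), "mobile": fetch(url, MOBILE_UA)}
    findings: List[str] = []
    for name, r in views.items():
        if any(marker in r.body for marker in CHALLENGE_MARKERS):
            findings.append(f"{name}: challenge interstitial, page content not scanned")
    d, m = views["desktop"], views["mobile"]
    if d.final_url != m.final_url:
        findings.append("cloaking: desktop and mobile user agents land on different URLs")
    elif _digest(d.body) != _digest(m.body):
        findings.append("cloaking: same URL serves different content to a mobile user agent")
    verdict = "needs-review" if findings else "scanned-clean"
    return {"url": url, "verdict": verdict, "findings": findings}


# Constructed stand-in for live fetches, keyed by (url, is_mobile). Not captured traffic.
_CHALLENGE_PAGE = '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>'
_FAKE_SITES: Dict[Tuple[str, bool], Response] = {
    ("https://portal.example/login", False): Response("https://portal.example/login", "<form>Sign in</form>"),
    ("https://portal.example/login", True): Response("https://portal.example/login", "<form>Sign in</form>"),
    # Mobile-only payload: desktop is bounced to a dead page, mobile gets the credential form.
    ("https://invoice.example/pay", False): Response("https://invoice.example/404", "Not found"),
    ("https://invoice.example/pay", True): Response("https://invoice.example/m/login", "Enter your password"),
    # Phishing page parked behind a CAPTCHA so automated scanners never see the content.
    ("https://secure-verify.example/", False): Response("https://secure-verify.example/", _CHALLENGE_PAGE),
    ("https://secure-verify.example/", True): Response("https://secure-verify.example/", _CHALLENGE_PAGE),
}


def fake_fetch(url: str, user_agent: str) -> Response:
    """Constructed fetcher: picks the response by URL and by whether the UA is mobile."""
    return _FAKE_SITES[(url, "Mobile" in user_agent)]


if __name__ == "__main__":
    for u in ("https://portal.example/login", "https://invoice.example/pay", "https://secure-verify.example/"):
        print(triage(u, fake_fetch))
```

The verdict for the challenge-protected site is the point Fuller makes: the scanner has learned nothing about the page, so the correct output is "not scanned, review it", not "no phishing markers found". The invoice link shows the Mishing case from Roddy's list, where a desktop-only scan would have seen a dead page and passed the message.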
Computing Security Awards 2024
‘DEFENDING AS ONE’
THE ‘SECURITY PROJECT OF THE YEAR’ WINNER AT THE 2024 COMPUTING SECURITY AWARDS CLEARLY
SHOWED HOW CYMRUSOC, MANAGED BY SOCURA, IS ENHANCING THREAT DETECTION RIGHT ACROSS WALES
COMPUTING SECURITY AWARDS WINNERS
Security Project of the Year:
CymruSOC - Wales' National Security
Operations Centre
Company: Socura
Project Overview:
How CymruSOC, launched in May 2024, is
supporting a ‘Defend as One’ approach across Wales
Led by the Welsh Government, in
collaboration with Merthyr Tydfil
County Borough Council, CymruSOC -
the first scheme of its kind in the UK -
strengthens the resilience of public sector
organisations across Wales. By fostering
a 'defend as one' approach, it is also
responsible for helping to safeguard the
data of the Welsh population, as well
as 60,000 employees in the public sector.
CymruSOC is managed by Socura, a
Cardiff-based Managed Detection Response
provider. Socura operates as a partner of
more than 21 local authorities and fire
and rescue services in Wales, supplying
the expertise and capabilities they need
to monitor and respond to cyber threats
around the clock.
Socura was awarded the CymruSOC
contract following a competitive tender
process, where the company demonstrated
its pedigree in areas including
cyber and technical expertise, support for
detection technologies and customer
service. It was also selected for its
commitment to driving employment
opportunities in cyber across Wales.
CYBER SECURITY CHALLENGES
IN THE PUBLIC SECTOR
Every day, thousands of people rely
on councils and other public sector
organisations in Wales for essential services
such as social care, education, and waste
collection. Should a cyber-attack impact
the availability of these services, the results
can be devastating.
Unfortunately, many public sector
organisations with tight security budgets
often lack the level of security specialists
they need, in order to adopt a proactive
approach to security monitoring.
In the case of Merthyr Tydfil Borough
Council, the organisation was aware its
ability to minimise security risks was heavily
linked to its ability to detect attacks early
and shut them down before they caused
disruption.
Keeping its Security Incident and Event
Management (SIEM) platform always
optimised, for example, was proving
challenging and Ryan James, chief
information security officer at Merthyr Tydfil
Borough Council, was keen to achieve
a more proactive approach. Key security
concerns of the council included:
Preventing disruption to essential Council services
Protecting sensitive personal and financial data
Mitigating the risks of phishing and human error
Keeping security controls optimised to detect new threats.
“People and businesses rely on the council
for essential services such as social care,
education and waste collection,” says
James. “If our websites, email systems
and telephone systems go down, that’s
going to prevent residents from accessing
information, reporting issues and seeking
assistance.”
HOW SOCURA IS ENHANCING THREAT
DETECTION ACROSS WALES
As the delivery partner of CymruSOC,
Socura is rolling its Managed Detection and
Response (MDR) service out to participating
public sector organisations across Wales.
As the contracting authority of CymruSOC,
Merthyr Tydfil Borough Council was the
first organisation to benefit from the
service. Operating as an extension of an
organisation's security team, Socura MDR
service supplies a 24/7 team of detection
and response specialists. Detection technologies
are included as part of the service,
if required.
To centralise threat visibility, all available
network, endpoint and cloud security
controls deployed within an organisation
are fully integrated with Socura's Security
Orchestration, Automation and Response
platform. New log sources are integrated
regularly and Socura performs weekly
threat-hunting activities to look for evidence
of historical attacks.
"Previously, we may have only found out
about an incident at eight in the morning
when everyone starts work," adds James.
“With Socura monitoring and responding
to threats 24/7, we now get an early
detection warning."
KEY BENEFITS OF THE SERVICE
How public sector organisations across
Wales are benefiting from the CymruSOC
service delivered by Socura:
Enhanced threat visibility: By aggregating
security data from an organisation's choice
of security controls, Socura centralises
threat visibility and identifies coverage
gaps. To increase the detection of adversary
behaviours, Socura's team ingests new log
sources and performs regular threat
hunting activities.
Reduced mean time to respond: Socura's
MDR service doesn't just detect threats such
as malware and phishing attacks, it also
helps organisations respond to them, both
swiftly and effectively. Automated incident
response playbooks are triggered when
specific behaviours are observed, meaning
threats can be shut down in minutes.
Genuine incident notification
Because all security incidents are
thoroughly investigated and triaged
by Socura's SOC team, organisations
participating in CymruSOC are confident
that when they receive a notification,
it is usually a genuine incident that requires
attention. Organisations now spend far
less time investigating and responding to
false positives.
A 'defend as one' approach: By monitoring
threat activity across all public sector
organisations participating in CymruSOC,
Socura can respond to security events at
scale. Should threat activity be observed in
one organisation, Socura can take swift
action to secure others against the same
risk. To further support CymruSOC's
'defend as one' approach, Socura shares
regular threat intelligence bulletins to
spread awareness of the latest threats and
exposures.
Ryan James.
Instant access to experts: Operating as an
extension of the council, the Socura team
is always on-hand to provide support and
advice when needed. This also includes
responding to service requests, such as
integrating new SIEM log sources.
Measurable outcomes
So that organisations can closely monitor
their security posture, Socura shares
monthly service reports and the data
they need to measure improvements
and identify potential risks. These are
supplemented by regular reviews led by
a dedicated customer success manager.
"The Socura team are experts in their field
and we've already built great working
relationships with their staff," adds James.
"During the early discussions with Socura,
you get the indication that they are very
customer-centric and this has been
demonstrated in all aspects of the work
they do for us."
cyber resilience
THE JOURNEY TO CYBER RESILIENCE
FORMALISING THREAT DETECTION AND INCIDENT RESPONSE STRATEGIES:
BY SCOTT SCHEPPERS, CHIEF EXPERIENCE OFFICER AT LEVELBLUE
Developing and
maintaining the right
threat detection and
incident response strategies
is integral to achieving cyber
resilience, which can best be
defined as an organisation's
ability to effectively recover
its entire IT estate from an
unexpected interruption. It
begins by formalising specific
incident response protocols
and reprioritising advancing
cybersecurity into corporate
strategy discussions, while
allocating dedicated IT security
budgets to every project. But it
doesn't end there - achieving cyber resilience
is a journey and there are ongoing initiatives
that every organisation should focus on to
face today's evolving threat landscape.
CHALLENGES TO BUILDING
AN INCIDENT RESPONSE PLAN
Threat detection and incident response
strategies are critical in establishing a
comprehensive security programme, but
they can often be difficult to develop and
maintain. Internal security teams often
struggle with managing multiple point
solutions and keeping up with the day-to-day
activities required to properly run them, as
additional resources are often limited.
Results from the 2024 LevelBlue Futures
Report indicate that less than half (47%) of
organisations reveal their cybersecurity
processes are standardised across the
enterprise and just 35% say that their
incident response is significantly formalised.
Identifying these challenges and what is at
stake is the first step in understanding how
best to structure an incident response plan.
PRIORITISING CYBER RESILIENCE
AT THE LEADERSHIP LEVEL
LevelBlue research shows 63% of
organisations believe leadership doesn't
prioritise cyber resilience. With another 72%
indicating organisations do not specifically
invest in cyber resilience beyond cybersecurity,
leadership underestimates the harm a major
cyber incident can cause. Further, we find
cybersecurity budgets are remaining reactive
versus proactive in addressing cybersecurity
threats. This approach, combined with outdated
security practices, undermines other
effective cyber resilience efforts.
Breaking down silos of communication
between cyber teams and leadership has
always been a challenge, but it is one that
still needs addressing. We remain hopeful,
however, as our research shows that,
compared to previous years, there is a
notable increase in resources dedicated to
cybersecurity.
CONTINUING THE CYBER
RESILIENCE JOURNEY
Each organisation will have unique
challenges and opportunities as
they build their threat detection
and incident response strategies.
Once implemented, they will
help fortify their cyber resilience
posture. Organisations should
look to take these additional
steps to ensure a cyber-resilient
future:
Identify Unique Barriers. This will require a thorough assessment, in order to determine where an organisation may be exposed to areas of risk.
Be Secure by Design. Evaluate the organisation's next-generation computing needs and implement security at the start to meet compliance standards and address future threats.
Align Cyber Investments with the Business. Communication is crucial to ensuring cybersecurity initiatives integrate with business objectives.
Build and Pressure Test a Support Ecosystem. Partnerships with external collaborators are paramount to enhance an organisation's security expertise, but they must be tested. Do this through a company's incident response exercises.
Transform Cybersecurity Strategies. Adaptability and flexibility are a must for all security initiatives and tools, so that they can address the latest threats.
These proactive measures are key as
organisations face the challenges that
prevent them from formalising a threat
detection and incident response plan,
jeopardising their overall cyber resilience.
For more in-depth information, see the
special LevelBlue report here.
compliance insights
STRENGTH IN NUMBERS
NO SINGLE BUSINESS, GOVERNMENT ENTITY OR INSTITUTION CAN TRULY DEFEND
AGAINST CYBER THREATS ON ITS OWN, WARNS PAVIN VARUGHESE, VP SALES, JETPATCH
The widespread non-compliance
with the NIS2 directive is definitely
concerning - see also our main
feature starting on page 18 - but it also
highlights an important opportunity,
states Pavin Varughese, VP Sales,
JetPatch. "Cybersecurity isn't something
that can be tackled by individual organisations
alone; it's a collective responsibility!
No single business, government
entity or institution can effectively
defend against cyber threats on its own.
If businesses, regulators and the public
sector work together, we can create a
much stronger and more resilient system
that benefits everyone."
One way to encourage this collaboration,
he says, is through positive
reinforcement. "Rather than focusing
solely on penalties, why not reward
compliance? For example, tax breaks
or financial grants for cybersecurity
improvements could encourage
organisations to take their obligations
seriously. Public recognition programs,
like certifications or awards for compliant
companies, could also provide a
competitive advantage and encourage
others to follow suit. This approach
would shift the narrative around compliance
from being a burdensome obligation
to an opportunity for growth and
recognition. Businesses that meet or
exceed compliance requirements should
feel valued and supported, not simply
pressured to avoid penalties."
Another critical factor is education,
adds Varughese. "Many organisations are
still unaware of what the NIS2 directive
entails or why it's so important. This is
particularly true for small and medium-sized
enterprises (SMEs), which often
lack dedicated cybersecurity resources
or expertise. Running widespread
awareness campaigns and offering free,
accessible resources could go a long way
in bridging that knowledge gap. Regulators
could also partner with industry
associations or chambers of commerce
to provide sector-specific guidance and
training. For instance, manufacturing
companies might need a different
approach to cybersecurity than financial
services firms. Customising these efforts
to the unique needs of various industries
could make a big difference in how compliance
is perceived and implemented."
Equally important, he argues, is creating
a culture of shared responsibility. "Cybersecurity
affects everyone and no organisation
operates in isolation. If one
business is compromised, it can have a
ripple effect on its customers, partners
and the wider supply chain. To address
this interconnectedness, public-private
partnerships could play a key role.
"Governments could work closely with
businesses to develop and implement
compliance strategies, while businesses
could share real-world insights and
feedback with regulators to ensure
directives like NIS2 are practical and
effective."
Information-sharing initiatives are
another way to amplify the impact of
compliance measures. "Cyber threats
are constantly evolving, and staying
ahead of attackers requires real-time
collaboration," adds Varughese. "By
creating secure platforms for sharing
threat intelligence and best practices,
businesses and regulators can work
together to mitigate risks before they
escalate. This kind of collaboration isn't
just beneficial: it's essential in a world
where cyberattacks are becoming more
sophisticated and widespread."
Pavin Varughese: cybersecurity has to
be treated as a collective responsibility.
At its core, compliance with NIS2
shouldn't be seen as a box to check, but
as a shared mission to protect our digital
future, he concludes. "When we work
together, we're not just meeting obligations,
we're building a safer, more
secure Europe for everyone.
"By shifting the focus to collaboration,
incentives and shared responsibility,
we can transform compliance from a
challenge into an opportunity to strengthen
our collective resilience in the face of
evolving threats."
compliance special
COMPLIANCE DEFIANCE
WITH UP TO TWO-THIRDS OF EUROPEAN BUSINESSES ESTIMATED TO HAVE MISSED THE LATEST
EU SECURITY COMPLIANCE DEADLINE, THE FALL-OUT COULD PROVE SEVERE FOR UK ORGANISATIONS
The Network and Information Security
Directive (NIS2) deadline for EU member
states to transpose the directive into
national law has come and gone: October 17,
2024. The directive's aim is to improve cybersecurity
across the EU by setting stricter
requirements for compliance. For those in any
doubt, the implications for UK businesses are
significant, particularly those with operations
or digital services in the EU, with fines, non-monetary
remedies and, in extreme cases,
legal consequences awaiting those who fail
to comply.
Meanwhile, experts are predicting the
current high levels of non-compliance will
likely compromise the EU's goal of creating
a robust European cybersecurity framework,
leaving businesses and the public further
exposed to risk. What can be done to
persuade those organisations that are still
non-compliant to change tack, meet the
obligations of NIS2 and, at the same time,
become less of a target themselves for the
hackers and attackers?
STRUCTURAL FRAMEWORK
"Highlighting the increased enforcement,
penalties and reputational damage from
breaches can motivate action, but equally
beneficial is showing how compliance to ISO
27001 certification can protect their business
and provide a competitive advantage," argues
Luke Dash, CEO, ISMS.online. "The updated
NIS2 directive introduces stricter enforcement
requirements across more sectors than before.
To meet these obligations, a logical first step
for non-compliant organisations would be
to pursue ISO 27001 certification - an
internationally recognised standard for
Information Security Management Systems
[ISMS]."
ISO 27001 provides a structured framework
for protecting critical assets, focusing on risk
assessment, risk management and continuous
improvement. Certification depends on
achieving several key components, including
comprehensive risk assessments, security-driven
organisational structures, access
controls, physical and technical safeguards,
and well-defined information security policies
and monitoring protocols. "When comparing
these requirements to NIS2, it's clear that
many overlap - they both emphasise risk
management, access control and security
policies. By adopting ISO 27001, organisations
not only align with NIS2, but also gain a
strong head start in their compliance journey."
Beyond compliance, ISO 27001 offers
competitive advantages, adds Dash.
"Certification by an accredited body
demonstrates that your security measures
follow best practices, helping to build trust
with customers and stakeholders. Customers
will quickly recognise that your enterprise
security measures are grounded in best
practices, providing them with the peace
of mind that you are an enterprise that will
take the protection of their data and assets
seriously."
Fortunately, with ISO 27001 certification,
support is readily available, he points out.
"With the proper guidance, what initially
seems challenging can transform into a
manageable and streamlined aspect of your
business operations. By adopting the right
approach and utilising available resources,
organisations can seamlessly integrate best
practices into their internal processes and
effectively promote them externally."
HARMONISATION FACTOR
Over and above the difficulties encountered
in its implementation, the NIS2 directive does
more than simply lay down rules for each
member state, comments Bernard Montel,
technical director and security strategist,
Tenable. "It aims to harmonise cybersecurity
practices across Europe, under the supervision
of ENISA, in order to better respond to
growing cyberthreats and protect critical
infrastructures."
By extending its scope to strategic sectors,
such as healthcare, telecommunications and
digital services, it takes into account the
growing interconnection of infrastructures
and the cyber risks that now affect a large
part of the economy, he says. "However, this
harmonisation poses challenges for
companies, particularly those operating in
several countries, as it requires rigorous
management of national compliance. SMEs,
often limited in resources, will have to be
resourceful in adapting and some implementation
details remain unclear, which makes
navigating this regulatory framework all the
more crucial to the directive's success.
"NIS2 is not too dissimilar in its aspirations
to that of the EU's General Data Protection
Regulation (GDPR). When introduced in 2018,
GDPR had a huge impact, not just across
Europe, but worldwide, increasing the overall
protection of personal data. NIS2 will have
a similar impact for the cybersecurity posture
of critical infrastructure operators and the
suppliers they rely upon."
One of the other major changes that NIS2
will impose on companies is a profound
rethinking of their cybersecurity strategy,
encouraging them to build resilience over the
long term, adds Montel. "With this approach,
it's no longer just a matter of complying with
standards to better protect oneself, but of
transforming cybersecurity into a genuine
strategic pillar of the company. This transformation
involves investment in advanced
detection technologies, ongoing training
programs for teams and robust incident
response plans."
CYBERSECURITY POSTURE
Jamie Beckland, chief product officer at
APIContext, underscores how compliance
can streamline operations, increase customer
trust and ultimately make organisations less
attractive targets to attackers by strengthening
their cybersecurity posture. "For instance,
compliance requirements in API development
play a crucial role by establishing a minimum
standard that all organisations must meet,
effectively 'raising the floor' of security, privacy
and functionality across the board. This
approach ensures that even the most basic
implementation meets essential safety and
interoperability criteria, reducing the risk of
severe vulnerabilities and creating a more
consistent, reliable experience for users.
"When specific API standards are used to
achieve compliance - like OAuth2.0 for secure
authentication, FAPI [Financial-grade API]
for enhanced financial security, or FHIR
[Fast Healthcare Interoperability Resources]
for healthcare data exchange - the standards
bodies responsible for these specifications
integrate robust security measures directly
into the technology.
"All these standards are developed and
refined by experts who continuously analyse
and address security threats, ensuring that
implementations adopting these standards
start from a solid, secure foundation,"
says Beckland. "By adopting and actively
monitoring standards like NIS2, companies
will not only adhere to regulatory requirements,
but also establish a stronger, more
resilient ecosystem that keeps pace with
evolving security threats and user
expectations."
RISK ASSESSMENT SHORTCOMINGS
Ngaire Guzzetti, technical director supply
chain, CyXcel, points to how many organisations
are still operating under the
assumption that their supply chain is secure.
"UK government statistics show that still only
36% of businesses have undertaken cyber
security risk assessments in the last year,
with only 10% saying they review the risks
posed by immediate suppliers - this alone is
alarming. Supplier contracts might mention
vague cybersecurity requirements, but lack
the teeth to enforce compliance. Vendor
assessments may be infrequent or overlook
digital risks entirely. Trust, for many, is still
based on reputation, rather than verifiable
security practices. It's a bit like trusting the
cook at your favourite restaurant, because
they've been open for years - without realising
they've never once cleaned the kitchen."
NIS2 has forced a change to that, she says.
"The directive significantly broadens the scope
of industries covered, extending its reach
into sectors that previously flew under the
regulatory radar, such as postal and courier
services, manufacturing, food producers and
research organisations… This means that even
businesses that don't consider themselves part
of 'critical infrastructure' may find themselves
indirectly impacted, if they supply or partner
with a regulated entity. Cybersecurity can no
longer be viewed as a distant concern - it's
about to become a fundamental part of how
supply chains operate."
For many organisations, navigating and
complying with NIS2 will require more than
just a tweak to existing processes - it will
demand a fundamental shift in how cybersecurity
is integrated into supply chain
management, advises Guzzetti. "The first step
for businesses is to gain a comprehensive
understanding of their current supply chain
security posture. This involves mapping out
and tiering all suppliers, assessing their
cybersecurity measures and identifying potential
points of vulnerability. By prioritising the
highest-risk areas, organisations can focus
their efforts where they will have the greatest
impact. Beyond this, companies will need to
develop and implement robust cybersecurity
policies and procedures. Tailored cybersecurity
requirements for suppliers, building security
into contract negotiations, and ensuring that
both parties are held accountable for compliance
are key."
PAPER TIGER
Innes Muir, regional manager, MSSPs, UK,
EIRE and RoW, at Logpoint, says part of the
problem with NIS2 is that no fines were ever
levied under its forerunner, NIS, and this risks
the legislation being regarded as something
of a 'paper tiger'. "There's no point threatening
to impose million Euro fines, if those aren't
applied. However, many of the other punitive
measures are also likely to be painful. These
include on-site inspections, targeted security
audits [to be carried out by a third party and
charged back to the entity], security scans
and requests for information or access to
additional data or documents, plus there's the
added threat of senior management being
suspended if they are found personally liable
in the event of a breach.
"NIS2 is ambitious and applies to a far wider
range of entities across 17 verticals, affecting
over 160,000 entities. It will also capture
SMEs, except in special circumstances. If the
authorities pull it off, it will be a tide that raises
all ships, effectively baselining security across
the continent, protecting businesses and economies.
What's more, it will see the sharing of
threat intelligence between member states,
improving our understanding of, and ability to
swiftly respond to, national threats." But not
all entities know if they are in scope and the
risk management measures advocated are
deliberately non-prescriptive, which has left
many organisations unsure of how to proceed.
Luke Dash: certification by an accredited
body demonstrates that your security
measures follow best practices.
Jamie Beckland, APIContext: compliance can
streamline operations and increase customer
trust.
"On top of that, compliance is likely to be
expensive for those SMEs who were previously
out of scope, with estimates that it will cost
the continent 31.2bn euros on an annual
basis," adds Muir. "Small wonder, then, that
many are choosing to do nothing, particularly
as their governments are also behind the curve,
with several having missed the deadline."
Persuading entities to comply will therefore
require more carrot and stick. "Efforts such
as the online tool rolled out by the Dutch
government can help entities determine if
NIS2 applies to them. The security industry,
too, needs to help educate entities on how
they can achieve economies of scale when
becoming compliant by mapping the
requirements to existing standards, such as
ISO27001, and utilising the tools they have,
such as SIEM, to meet the incident reporting
demands. Compliance with NIS2 could also
become something of a merit badge in the
market, because it proves the entity has
met those base level practices associated
with good cyber hygiene."
URGENT POLICIES REVIEW
Beyond the obvious need for compliance,
NIS2 should be a stark reminder for CISOs
to urgently reevaluate their security policies,
says Adam Preis, director of product solution
marketing at Ping Identity. "The key focus
needs to be broad; first, they must rethink
their risk analysis and security policies, then
look at security incident management, business
continuity planning and crisis recovery
management. Important requirements include
supply chain security and the security auditing
procedures at the network and information
system level - forgetting this can be detrimental
to compliance. Organisations must
also continually look at the wider ecosystem,
and ensure standards are driven across
supplier and partner organisations."
What underpins continual NIS2 compliance,
he states, is a strong focus on measures to
evaluate cybersecurity readiness and hygiene,
and appropriate training and procedures for
the workforce. "As well as ensuring policies are
being followed, training should be designed
to help employees get to grips with continuous
authentication, and strengthen and
modernise their IAM," adds Preis.
"How the workforce authenticates and
accesses critical resources - and how they are
secured - is critical to achieving a business's
broader cybersecurity goals, such as zero trust
and layered security, as well as limiting a ripple
effect of risk on partner organisations."
The scope of NIS2 is complex, but necessary,
due to the interconnectedness of the EU, he
states. "It shouldn't take much persuasion to
convince non-compliant businesses as to why
they should care about NIS2 when the stakes
and risk to reputation - and to the overall
resilience of the EU - are so high. Even for
UK businesses, the implementation of NIS2
should be an opportunity to overhaul security
practices and standards for their own sake."
DISRUPTION & DESTRUCTION
As highlighted in recent cybersecurity incidents
like the Volt Typhoon and Flax Typhoon
attacks, state-sponsored cybercriminals are
no longer just targeting data for profit or
espionage - "they're positioning themselves
for large-scale disruption and destruction of
critical infrastructure causing widespread
economic and societal harm", warns Phil
Lewis, SVP - market strategy and development
at Titania.
"The sophistication of these attacks, often
characterised by months or years of undetected
activity, proves that traditional reactive
security measures are insufficient. Businesses
must shift from a reactive stance to proactive,
continuous monitoring and segmentation of
the attack surface of their critical systems and
data to assure operational readiness and
resilience and comply with NIS2."
To persuade non-compliant organisations to
act, it's essential to highlight the operational
risks they face beyond financial penalties, he
continues. "Cyber threats are becoming more
sophisticated, moving laterally across and then
lying in wait within flat networks. Macro and
micro segmentation, proactive monitoring of
changes to the configuration of the attack
surface and automating detection of indicators
of compromise are not just regulatory
demands, but essential for survival in today's
threat landscape.
"By adopting these measures, businesses not
only reduce their risk of compliance fines, but
also significantly diminish their attractiveness
as a target for attackers."
Regulatory mandates like NIS2 are not just
about compliance, he goes on to say - they
are a blueprint for safeguarding the future.
"The emphasis on network segmentation and
continuous monitoring of the attack surface is
key to creating a security-first culture, reducing
vulnerabilities and, ultimately, mitigating the
operational impact of inevitable attacks."
BUSINESS ENABLER
Sean Tilley, senior director of sales at 11:11
Systems, says that, to persuade tardy organisations
to invest in cybersecurity, a shift in
mindset is required. "NIS2 compliance should
be reframed as a business enabler - one that
reduces exposure to risks, builds consumer
trust and ultimately enhances business
resilience. There are several practical
approaches to driving compliance and
encouraging investment in cybersecurity.
First, businesses should be educated on the
financial and reputational costs of a data
breach or cyber-attack. Many companies may
not realise that the direct financial implications
of a breach - ranging from lost revenue to the
costs of recovery - can vastly exceed the cost
of implementing proper security measures
upfront. Demonstrating that cybersecurity
investment is not only about compliance, but
also about long-term financial sustainability,
could encourage more businesses to
take it seriously."
In order to achieve compliance and effectively
mitigate the threat of attack vectors,
companies must remain ever vigilant and
continually monitor their IT environment, he
adds. "If the incident is significant, organisations
are required to report it within 24
hours of becoming aware of the incident;
while less critical threats are to be reported
within 72 hours of detection.
BREACH WARNINGS
"This requires advanced threat detection
systems, a robust incident response plan and
a clear understanding of the vulnerabilities in
the organisation's systems. Without proper
monitoring, organisations could be missing
key indicators of a breach and may fail to
notify the appropriate regulatory bodies on
time, leading to compounded consequences."
There are other highly important strategies
that organisations should be implementing
to achieve compliance, states Tilley:
Undergo a comprehensive resilience review and gap analysis, including an incident response process
Establish board-level accountability for cyber security
Ongoing monitoring and lifecycle management.
"Finally, governments and regulatory bodies
should consider offering support, in the form
of grants, tax incentives or training programmes
to help smaller businesses meet NIS2
requirements. Financial assistance or technical
resources could help to bridge the gap for
businesses that are struggling to make the
necessary investments in cybersecurity.
"Ultimately, achieving widespread NIS2
compliance requires a collective effort to
demonstrate that cybersecurity is not a legal
obligation, but a strategic priority for the
future."
Ngaire Guzzetti, CyXcel: there are many
organisations that are still operating
under the assumption their supply chain
is secure.
Phil Lewis, Titania: state-sponsored
cybercriminals are positioning themselves
for large-scale disruption and destruction
of critical infrastructure.
training essentials
A FORCE TO BE RECKONED WITH
ORGANISATIONS MUST ADDRESS THE HUMAN FACTORS OF CYBERSECURITY -
AND THAT MEANS CULTIVATING AN INFORMED AND PROACTIVE WORKFORCE
Many organisations fail to invest in,
and plan for, the human component
of cybersecurity until after a breach
has occurred. This is too little, way too late,
and can leave that organisation damaged
financially and by reputation.
More and more, it is being recognised that
employee awareness should be the first
line when it comes to the defence of any
organisation's digital assets. That means
building a cyber workforce capable of rising
up to the challenge of cybersecurity through
recruiting and retaining efforts.
It also entails taking a fresh look at information
security training and awareness efforts,
providing immersive learning opportunities
to reinforce behaviour change.
BEHAVIOUR AND CULTURE SHIFT
"Over the past decade, there has been
a significant shift in how organisations
approach security awareness and training,"
says John Scott, lead cyber security researcher
at CultureAI. "Best practice now involves
moving beyond mere awareness, with
organisations aiming to foster a comprehensive
change in behaviour and culture. The
focus is on transforming beliefs, motivations
and attitudes towards security. That said,
many organisations still see awareness as
the only thing they need to do. While well
intentioned, this often results in increased
pressure on employees, who are unfairly
labelled as the 'weakest link' or the 'problem
exists between keyboard and chair'."
He points to how we talk about security
being everyone's responsibility - true, to some
extent - as we all interact with technology
and assets and should do so as securely as
possible. However, expecting more from
employees increases their cognitive load,
making errors more likely, even among
well-trained professionals.
"Our recent research showed that 79% of
organisations experienced a breach with a
human element," states Scott, "even though
100% of these organisations deliver training,
with 78% conducting it monthly. This highlights
the urgent need for a fresh approach."
The answer is not to burden individuals, but
to return to the basics, he says. "People,
processes and technology must be equally
prioritised, and we should invest in layered
controls, including the human element, to
make sure that we have defence in depth.
Investing in secure-by-design systems is
crucial, as is learning from security UX experts
to ensure that secure choices are also easy
choices.
"In cyber security, we often give lip service to
the phrase 'assume breach', but, to truly build
a resilient organisation, it's essential to create
systems where a single human error cannot
compromise the entire company. Human error
is inevitable, but resilience can be achieved by
ensuring that such errors are detected and
remediated as quickly as possible."
Ultimately, he adds, this problem is not
going to be fixed by considering one element
or another. "We need to take a step back and
consider this systemically - if an error occurs,
what was it about the whole environment
that made that error possible, or even likely?
Resilience doesn't mean nothing fails - it
means we can cope with failure."
AI CHANGES THE BALL GAME
Matt Chinnery, security consultant at Ripjar,
says employees have long been identified by
criminals as being the weak element of an
organisation's defences. Naturally, therefore,
companies have needed to invest in cybersecurity
training for their workforce to bring
them fully up to speed on common and
emerging threats.
"Traditionally, this has been done by training
employees to spot 'red flags'," he states. "This
could be by helping them to identify bad
spelling in an email; an indicator of a fake
which is trying to convince the employee
to click through to a website containing
malware or give away personal and financial
details. Or perhaps teaching them to identify
scam behaviour over the phone, such as
clever forms of social engineering used to
bypass traditional Know Your Customer
(KYC) checks."
However, the proliferation of Artificial
Intelligence (AI) has changed the ballgame,
he maintains. "Where once it was relatively
easy to train employees to identify threats,
new AI-powered techniques make it
increasingly difficult. Gone are poorly crafted
emails; instead, we have messages so well
generated that they convincingly imitate
the intended sender. Similarly, deepfakes
are gaining traction, with criminals creating
videos and the voices of colleagues and
customers that are incredibly realistic."
In 2024 the Department for Science,
Innovation & Technology reported that the
most common type of cyber breach or attack
is phishing. "The proliferation of AI will only
increase this number and firms will need to
bump up their investment in cybersecurity
training for their employees to combat it,"
warns Chinnery. "It's crucial that, in the AI
era, organisations stay agile, foster a culture
of security and focus on developing diverse
skills for their employees. Operating a zero-trust
policy is becoming increasingly popular,
because those that fail to act and protect their
operations will not just see their business fall
to criminal activity, but likely face significant
fines through associated data protection laws,
such as GDPR."
CHANGE BEGINS AT THE TOP
Ignoring or not investing in the human
element can mean missing the opportunity
to greatly reduce risk, comments Javvad
Malik, lead security awareness advocate at
KnowBe4. "The transformation towards a
more secure posture requires a cultural shift.
What that means in reality is that, unlike
a software update, you can't simply 'patch'
knowledge or change behaviours; rather,
a long-term sustained approach is required."
There are many paths and steps that
organisations can take to embed a strong
security culture and the approaches will
vary, depending upon the maturity of the
organisation and its size. "However, one thing
is for sure: simply rolling out annual security
awareness training is not effective. Like many
programmes, change begins at the top. So,
getting leadership on board to champion
the need for secure practices is important.
Cybersecurity needs to be seen as an enabler,
so the security team should seek to build
good relations with their colleagues across
the organisation."
Security awareness training must be ongoing,
engaging and, perhaps most importantly, it
needs to be relevant, adds Malik. "Delivering
training to the people who need it the most,
when they need it. It needs to be personalised,
relevant and adaptive to the needs
and the mediums through which it is
delivered. By combining structured training,
simulated exercises, games, nudges and
building an accurate risk profile of individuals
and departments, the security team can gain
insight into where gaps are and every employee
understands they have a role to play."
Organisations must also consider the tools
and policies in place. Are they user-friendly?
Do they encourage secure behaviour or do
they push employees towards corner-cutting?
John Scott, CultureAI: it's essential to
create systems where a single human
error cannot compromise the entire
company.
Javvad Malik, KnowBe4: you can't simply
'patch' knowledge or change behaviour. A
long-term sustained approach is required.
"As for the payoffs, beyond the straightforward
reduction in risk, there's the matter
of trust - both from clients and within the
organisation. A proactive stance on cybersecurity
can be a significant market differentiator,
enhancing brand value and
potentially opening new doors."
Addressing the cost concern, it's about
perspective. "The question is not so much
about whether one can afford to invest
in employee awareness and training, but
whether one can afford not to. The cost of
a single breach often outweighs the investment
in comprehensive security awareness.
Additionally, many strategies for improving
human factors in cybersecurity don't require
hefty investments in new technologies, but,
rather, call for a reallocation of existing
resources towards more effective ends."
NUDGE, NUDGE
According to Tim Ward, CEO and co-founder,
ThinkCyber Security, some studies suggest
that the number of cyber security attacks
caused by human actions accounts for
as much as 90% of total incidents.
"The common misinterpretation of this
statistic is that humans are the 'weakest link,'
but this actually speaks to the systemic problem
of compliance-based training methods
[eg, information overload, out-of-context
learning, generalised topics]. The high scores
that individuals may record in training
scenarios create a false perception that they
are equipped to apply that same knowledge
in real-time situations where cognitive biases,
such as optimism and fear, are most likely
to be exploited."
The cost of facilitating annual training
sessions significantly exceeds the initial
payment, Ward states, presenting itself
in the form of:
Draining billable hours - employees
are required to step away from their
work to attend training sessions
Outdated materials - the time gap
between sessions means that the knowledge
gained quickly loses its usefulness
as threats evolve throughout the year
Misaligned training - the generic resources
do not consider individual cognitive biases
and heuristics before training, meaning
that there is no baseline for measuring
behaviour change.
"Simply put, the return on cyber security
training should not be about meeting training
quotas; it should be about achieving
behavioural change that prevents breaches
and reduces human-driven risk. For instance,
'nudge theory' - coined by behavioural
economist Richard Thaler and legal scholar
Cass Sunstein - suggests that small, frequent
reminders and practical prompts at the right
moments can influence positive behavioural
shifts without overwhelming users. This theory
is well-suited to cybersecurity, where everyday
habits, like checking the origin of emails, can
significantly improve a company's resilience
against threat actors," adds Ward.
While implementing a real-time, nudge-based
approach might require an upfront
investment, it's a fraction of the cost,
compared to the workflow disruptions and
ongoing risks that come with outdated,
compliance-focused training, he argues.
"When individuals can identify phishing
emails, sidestep risky behaviours and adopt
secure habits seamlessly in their daily work,
the return on investment is undeniable -
paying off in fewer breaches and a stronger
overall security culture. It's no longer enough
to just invest in firewalls; it's time to invest
in the people behind them."
ON BOARD
"Cybersecurity is not just about technology;
it's, first and foremost, about an organisation's
culture and its people," points out Richard
Woolfrey, regional director, UK&I at Fortinet.
"This is because employees are the first, and
often strongest, line of defence against
a potential attack. But how can organisations
begin building a cyber-aware workforce?
"The first step is starting at the top and
raising awareness of the importance of
cybersecurity at board-level. Leaders need to
understand the impact a cyber-attack can
have on reputation, finances and staff morale,
and these impacts must be communicated to
workers in a way they truly understand. Doing
so will ensure cybersecurity remains at the very
top of the agenda for both the board and
wider organisation. Positively, recent research
by Fortinet found 72% of organisations
believe their board was more focused on
cybersecurity in 2023 than the year before."
Leaders must prioritise employee training,
Woolfrey continues. "All staff must be
equipped with the knowledge and skills
necessary to stop attacks, regardless of their
job role or title. While this should be tailored
to your organisation's specific needs, it's
important training covers topics such as
passwords and how to spot the key signs of
an attack. It is also essential for organisations
to move beyond offering one-off training
sessions, instead adopting a continuous
learning approach. Doing so will help fill
outstanding gaps in knowledge, whatever the
level of cybersecurity understanding is within
a workforce."
Attacks can have far-reaching consequences.
"For example, over half [53%] of leaders
surveyed in our research reported a breach
cost their organisation more than $1 million in
lost revenue, fines and other related expenses.
"As such, resuming normal day-to-day
operations following an attack can also take
a while, with nearly a third of organisations
[28%] reporting recovery took four months
or longer. Ensuring improved cyber awareness
through educating both the board and
employees will not only help organisations
get back on their feet more quickly post-attack,
but also make cybersecurity everyone's
responsibility - bolstering an organisation's line
of defence both now and in the future."
book review
WHERE FACT AND FICTION COLLIDE
IN AN ERA WHERE ARTIFICIAL INTELLIGENCE CAN CREATE CONTENT INDISTINGUISHABLE
FROM REALITY, SEPARATING TRUTH FROM FICTION IS GETTING EVER MORE DIFFICULT
In an era where technological innovation
evolves at an exponential rate, 'Inside
Cyber: How AI, 5G, and Quantum
Computing Will Transform Privacy and
Our Security', by Chuck Brooks, seeks to
add some clarity. In the book, he offers
the following paybacks:
Gain clear, accessible explanations of
cutting-edge technologies, such as AI,
blockchain, and quantum computing,
and their impact on the business world
Learn how to navigate the cybersecurity
landscape, safeguarding your business
against the vulnerabilities introduced
by rapid technological progress
Uncover the opportunities that
technological advancements present
for disrupting traditional industries
and creating new value
Here are some excerpts from Brooks' book,
by way of an appetiser:
"Emerging technologies are having a wide
range of effects on cybersecurity strategies.
The overall value of digital transformation
for industry and society might reach over
$100 trillion by 2025, according to a recent
announcement made at the annual WEF
gathering in Davos. The announcement
touched on the amazing potential:
"Examples of societal value generated
by digitization include mass adoption of
autonomous vehicles and usage-based car
insurance, which could save up to 1 million
lives a year worldwide by 2025. In the
electricity sector, a cumulative reduction
in carbon emissions worth $867 billion
by 2025 could be achieved through the
adoption of digital technologies, principally
through smarter asset planning.
"The pace of innovation can be illustrated
by the fact that, while it used to take
Fortune 500 companies an average of 20
years to reach a billion-dollar valuation,
digital start-ups are reaching the same
milestone in just four years. The research
suggests that, once limitations preventing
the mass-market commercialization of
enabling technologies such as battery
storage and wireless charging are overcome,
the pace of change could accelerate.
"However, the digital transformation of
industries comes with risks attached that
will require careful management by all
stakeholder groups. One such risk is
inequality, which could be exacerbated if
access to digital skills is not made available
to all. Another is trust, which has been
eroded by growing concerns over data
privacy and security. This will only be
overcome with improved norms of ethical
behaviour."
"We also need a new approach in building
cyber defences with emerging threats,"
Brooks argues. "Both business and
government cybersecurity efforts have
focused on responding to the most current
security flaws or threats in recent years.
This is a reactive, rather than proactive,
approach and consequently cyber defenders
were always at least one step behind,
making it challenging to mitigate the risks.
"As a consequence of the sharp rise
in security breaches and the increased
awareness of how crucial IT is to our
operations, safeguarding against breaches
is now seen as more than just an expense
for the company; rather, it is essential to
maintaining reputation and business
continuity."
PRINT FACTS
'Inside Cyber: How AI, 5G, and
Quantum Computing Will Transform
Privacy and Our Security'
Author: Chuck Brooks
(ISBN: 978-1-394-25494-1)
Published October 2024 by Wiley
E-Book: from £17.99
Print: from £22.99
detection & response
A TURNKEY EXPERIENCE
HOW CAN MANAGED DETECTION AND RESPONSE BE INTEGRATED INTO AN ORGANISATION'S
EXISTING SECURITY MAKE-UP TO BEST ADVANTAGE, WHILE AVOIDING ANY POSSIBLE DOWNSIDES?
Gartner defines managed detection and
response (MDR) services as those that
provide customers with remotely
delivered security operations centre (SOC)
functions. "These functions allow
organisations to perform rapid detection,
analysis, investigation and response through
threat disruption and containment. They offer
a turnkey experience, using a predefined
technology stack that commonly covers
endpoints, networks, logs and cloud."
Significantly, MDR offers outcome-driven
security incident management that is
predicated on the detection, analysis and
investigation of potentially impactful security
events, and the delivery of active threat
disruption and containment actions to
respond to and mitigate the impact of
cyber breaches.
So, how can MDR be integrated into an
organisation's existing security make-up
to best effect, and where and how can it
reinforce and add to its ability to resist attack?
DRIVERS FOR SUCCESS
According to Dominic Trott, director of strategy
and alliances, Orange Cyberdefense, the success
of MDR is driven by its ability to improve security
outcomes, such as speed of detection and response
at a predictable cost level that is often lower
than is possible internally.
"But also bear in mind the flexibility of how
MDR can be consumed. For example, there
are a range of options, in terms of working
patterns, ownership models and technology
coverage, to meet a range of budgets and
use cases. This ability to tailor MDR to meet
specific needs makes it an ideal service for
companies that want the benefits of a SOC
function, but don't want the operational costs
or complexity of internal development. By
outsourcing security monitoring to a specialist
third-party managed security services provider
(MSSP), in-house security teams can focus
on service output, rather than frontline work.
Investing in an MDR service can provide 24/7
monitoring, while reducing pressure on
internal resources."
Collaboration between MSSP and customer
is the basis for successful integration of MDR
into existing security approaches, Trott adds.
"This will ensure the service provided is tailored
to meet specific needs. The one thing
businesses will never be able to outsource is
in-depth knowledge of their organisation.
This should be discussed at the start to enable
the MSSP to offer grounded advice on how
the MDR solution can fit with the business
or provide recommendations on what needs
to change to get the most out of it."
When evaluating where to begin, he feels
Gartner's SOC triad of log, network and
endpoint remains a good foundation. "This
involves endpoint detection and response
(EDR) to monitor endpoints, network
detection and response (NDR) to monitor
network traffic; and security information
and event management (SIEM) to monitor
the usage of devices and applications.
Depending on customer needs, this approach
can be augmented with security orchestration,
automation and response (SOAR), and
increasingly through extended detection
and response (XDR), which uses
AI to detect and address threats."
At the same time, organisations must
evaluate their unique environments before
diving headfirst into MDR, as they will each
have different requirements. "For example,
EDR requires software to be installed on
each device, which can be easy for some
companies and hard for others. NDR sensors
need to be physically installed, which can
be complex, depending on the network's
structure.
"When done well, MDR can help customers
benefit from continuous monitoring, early
threat detection, automated incident handling
and enhanced security across their entire
digital environment," he adds. "By enabling
faster responses to minimise damage, while
achieving an optimum balance of resources,
MDR is a strategic necessity."
DOUBLE DRAWBACK
"When organisations face challenges in their
cyber defence posture, it is often due to two
main reasons," says Milan Patel, global head
of MDR at BlueVoyant: the complexity of
managing multiple tools and integrating them
into a unified security system, and a shortage
of cybersecurity talent.
"An MDR provider can help address these
issues. The shortage of cybersecurity skills is
a common problem across the industry,
with more open positions than available
professionals. Additionally, many roles
required for adequate protection are
becoming specialised, needing expertise in
areas such as cloud security or malware
analysis. MDR provides access to external
cybersecurity experts, reducing the need
to attract and retain talent internally."
MDR also enhances cybersecurity by adding
a proactive threat-hunting capability, he adds.
"While automated tools are important for
detecting most threats, advanced persistent
threats [APTs] and other sophisticated
cybercriminals often develop techniques to
avoid detection by existing security solutions.
MDR can help organisations identify and
address threats that might otherwise go
unnoticed, with agreed service level agreements
(SLAs) providing timelines for threat
discovery, triage and mitigation."
Patel also refers to Gartner's remarks on how
security operations have evolved and need to
combine previously specialised technologies
and services. "In this vein, an effective MDR
solution aims to protect against a wide range
of attack vectors, covering both internal
and external threats. This involves not only
securing the internal network and endpoints,
but also extending protection to the entire
digital footprint of an organisation.
"By monitoring key areas, including the
network and endpoints, the solution helps
identify and address vulnerabilities," he states.
"As organisations' own internal networks
become more secure, they are often targeted
via third parties with network access. A next-generation
MDR provider should also offer
third-party cyber risk management that both
monitors key suppliers and vendors, and can
also work with them to mitigate issues."
A strong MDR platform also monitors the
dark web for threats such as data leaks and
compromised credentials. "By using threat
intelligence and analytics, it helps detect and
respond to sophisticated attacks before they
cause harm. Ongoing monitoring enables
quick threat identification, reducing exposure
and helping to prevent breaches."
An evolving MDR solution uses automation
and machine learning to improve detection
and response over time, Patel concludes.
"It provides insights that allow security teams
to focus on significant threats, while
automating routine tasks. By integrating
threat intelligence with automated responses,
it not only addresses current attacks, but
also aims to improve the organisation's
cybersecurity posture for the future."
Dominic Trott, Orange Cyberdefense:
investing in MDR can provide 24/7
monitoring, while reducing pressure on
internal resources.
Milan Patel, BlueVoyant: a strong MDR
platform also monitors the dark web for
threats such as data leaks and
compromised credentials.
risk mitigation
PLANNING FOR DISASTER
ELIMINATING THREATS ENTIRELY IS SEEKING THE IMPOSSIBLE. THE STRATEGY SHOULD BE ON
PLANNING FOR EXPECTED CALAMITIES AND EASING THEIR IMPACT ON BUSINESS CONTINUITY
Risk mitigation is one of the key steps
in the risk management process,
underpinning the strategy of planning
and developing options to reduce any threats
to project objectives that are often faced by
a business or organisation.
According to IBM: "Risk mitigation is a
culmination of the techniques and strategies
that are used to minimize risk levels and
pare them down to tolerable levels. By taking
steps to negate threats and disasters, an
organisation is going to be in a strong
position to eliminate and limit setbacks."
The goal of risk mitigation is not to eliminate
threats, it adds, but rather it focuses on planning
for inevitable disasters and mitigating
their impact on business continuity.
PATH TO RECOVERY
Disasters impacting computer systems come
in many forms, states Stephen Young,
executive director, Assurestor, and, by their
nature, arrive without warning. "Crucially, what
happens next hinges on plans in place,
technical decisions already made, staff
preparedness and disaster recovery tests
executed. Our recent UK survey of CTOs,
CIOs and IT directors identified that just over
40% lacked confidence in their IT recovery
technologies, while around half were not
confident that they could recover all their
data, in the event of a catastrophic data
disaster. The survey emphasised the
susceptibility of businesses to disasters
affecting their data, particularly from
cyberattacks, and an uneasiness regarding
their ability to recover."
A significant contribution a business can
make to mitigate any risk exposure, he points
out, is to understand their data and scrutinise
how it is safeguarded. "Implementing an
uncompromised structured test regime, with
measurable outcomes that can be reported
on and evaluated, will reassure the business
that recovery is achievable. Developing and
applying a flawed disaster recovery plan
is unintentional. But, without top-down
guidance to steer planning, any ambiguities
can allow misaligned and inappropriate
recovery technologies to be deployed,
compounded by inadequate testing regimes."
How is this recovery technology measured,
who reviews and decides if a disaster recovery
test is successful and what is considered
satisfactory? "When testing is not thorough
or regular and not aligned to any understandable
metrics, who is steering the ship
regarding business survivability?" asks Young.
"Mitigation starts with genuine business
needs influencing the disaster recovery plan.
There are no 'one solution fits all' scenarios with
disaster recovery and the recovery technology
deployed must be a 'no compromise'
implementation.
"Once implemented, frequent non-disruptive
testing for full failover, incorporating both
data and workload recovery, is essential,
which also accounts for often overlooked
aspects, such as networking and security.
Plans should build in these effortlessly
executed non-disruptive tests and the
business should strive to achieve what we
term a 'gold standard' for data recovery."
$4.24 MILLION: COST OF A BREACH
The importance of data risk management
cannot be overstated, says BigID's data and
privacy researcher Alexis Hancock. "According
to IBM's Cost of a Data Breach Report 2021,
the average cost of a data breach globally
was $4.24 million. Beyond financial losses,
breaches erode customer trust and confidence,
leading to long-term implications for
business viability. With the proliferation of
data breaches and cyber threats, understanding
and implementing effective data risk
management strategies is crucial to
safeguarding valuable information assets.
It involves assessing the potential threats
to data security and implementing measures
to mitigate these risks."
Some strategist leaders are conducting
regular data security assessments to identify
vulnerabilities and gaps in existing controls,
she points out. "This may involve penetration
testing, vulnerability scanning and security
audits. This next tip is often overlooked, but
is extremely crucial. IT leaders need to enforce
the principle of least privilege to restrict access
to sensitive data only to authorised individuals.
Use authentication mechanisms, such as multi-factor
authentication [MFA], to enhance
access security."
Hancock also advises deploying Data Loss
Prevention (DLP) solutions to monitor and
prevent the unauthorised transmission of
sensitive data outside the organisation's
network perimeter. "The rapid adoption of
artificial intelligence (AI) has revolutionised
data risk management by enabling organisations
to enhance threat detection, automate
security processes and analyse vast amounts
of data for anomalies and patterns indicative
of potential risks. AI-powered solutions can
augment human capabilities, providing
real-time insights into emerging threats and
helping organisations stay one step ahead of
cyber adversaries."
She also says human error must be accepted
as inevitable - and for organisations to design
around that fact. "Employees are the biggest
weakness when it comes to cybersecurity and
companies need to train employees on data
security best practices, such as recognising
phishing attempts, safeguarding passwords
and securely handling sensitive information."
ACCELERATING MITIGATION
David Trossell, CEO and CTO of Bridgework,
points to how risk mitigation is important
to individuals, organisations of all sizes and
to the global economy. "In this context, risk
mitigation is about preventing attacks while
having a Plan B, in case a cyber-attack is
successful. Based on this, IBM is right to
describe risk mitigation as a culmination
of techniques and strategies."
He also quotes a Google AI overview, which
declares: "In 2024, cybercrime is expected to
cost the world economy $7.46 trillion, and
the average cost of a data breach is $4.88
million. This is a significant increase from
previous years, and experts predict that global
cybercrime damage costs will grow by
15% annually over the next few years."
It also states: "The average cost of a single
ransomware attack is $1.85 million," and
that 88% of cyber-security breaches are
caused by human error.
Says Trossell: "For example, there is the need
to educate staff and partners to ensure that
phishing attacks don't lead to a data breach
or to a ransomware attack. Then there is the
need to back up data not only locally, but 'air-gapped'
as well, to protect backups from
cyber-attack, which is now the first port of call
for the cybercriminals, and be able to rapidly
restore it to prevent downtime."
That can be achieved with WAN Acceleration,
he adds. "It uses artificial intelligence, machine
learning and data parallelisation to mitigate the
effects of latency and packet loss over a Wide
Area Network (WAN).
"It's vital to ensure that datacentres and
disaster recovery sites aren't placed in the
same circles of disruption, so that, when
a natural disaster occurs, one or more of
them can continue to operate and maintain
services. WAN Acceleration safeguards data
and makes sure it's in the right place, at the
right time, for when a disaster occurs. It
allows organisations to mitigate the impact
of cyberattacks, natural disasters, financial
uncertainty, legal liabilities, strategic management
errors and accidents to protect their
organisation and its operations."
Alexis Hancock, BigID: IT leaders need to enforce the principle of least privilege.
Stephen Young, Assurestor: mitigation starts with genuine business needs influencing the disaster recovery plan.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2025 computing security
29
penetration testing
MAKING THE PEN MIGHTIER
HOW CAN YOU BE SURE THAT A DAY/WEEK/MONTH AFTER A SUCCESSFUL PEN TEST YOUR SECURITY HASN'T BEEN COMPROMISED AND YOUR SYSTEMS AREN'T RIPE FOR EXPLOITATION?
As the National Cyber Security Centre (NCSC) tellingly points out: "It's not uncommon for a year or more to elapse between penetration tests. So, vulnerabilities could exist for long periods of time without you knowing about them, if this is your only means of validating security."
Regular pen testing remains a regulatory requirement for telcos and financial services companies, but beyond ticking the compliance box, how effective is it? There are, says Dave Gerry, CEO of Bugcrowd, clues in the following guidance from the NCSC itself:
"Penetration testing is a core tool for analysing the security of IT systems, but it's not a magic bullet.

"Penetration testing should be viewed as a method for gaining assurance in your organisation's vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities."

"[A] penetration test can give confidence that the products and security controls tested have been configured in accordance with good practice and that there are no common or publicly known vulnerabilities in the tested components, at the time of the test."
Gerry labels traditional pen testing as stuck in the past. "This typically involves small teams using automated tools geared to narrow compliance methodologies. Pen testing is often slow and cumbersome to deploy. Scoping tests can be bureaucratic and costly, heavy on consultancy time and resource-intensive for internal teams. Testers may not have the right skill sets or may be working to a narrow checklist."
THE LONG WAIT
He says customers often wait for weeks for external test slots to become available, then experience further delays before the testers deliver their reports, which may tick the compliance box, but have a low impact on the overall hygiene of the system. "These issues are addressed by the emergence of pen testing as a service [PTaaS]," he argues, "a model that embraces the scalability and agility of SaaS. PTaaS fixes two critical weaknesses in the old model: management of the process and ability to scale."
ACCELERATED TESTING
Gerry says PTaaS accelerates the pen testing process from scoping to reporting. "It also enables test results to be fed into DevSec workflows, speeding up remediation." He adds that the process has been perfected at Bugcrowd via an elastic pen tester bench that adds scale, capacity and access to specialised skills. "We use an AI-powered platform to manage the testing process and source the right skills for every project from a global community of security researchers and pen testers."
Pen testing is not a standalone solution, he concludes, but should be part of a layered approach to security, including crowdsourced bug bounty and vulnerability disclosure programmes. "Above all, before they commission a pen test, customers should check whether they are paying for an off-the-shelf methodology or for high-impact results."
ARMED FOR ACTION
The overall strength and benefit of penetration tests, states Matthew Sciberras, CISO - VP of Information Security & Information Technology, Invicti, is that they "are a fundamental part of the armoury". They give companies the ability to understand the efficacy of their own defences, from an attacker's point of view. "These have been around for years, are an absolutely fundamental part of an effective cyber-resilience strategy, and are even often required by partner agreements and national regulations."
Yet lapses in schedule, oversights in analysis or an unknown issue can be all the opportunity an attacker needs to find the right breach point, he warns. "Indeed, those lapses are quite common. Regular penetration tests are often skipped or forgotten and, on top of that, they come with their own blind spots and drawbacks, and cannot be substituted for other kinds of security evaluation.
"Take vulnerability assessments, which are often conflated with penetration testing because, on at least a superficial level, they do the same thing: find vulnerabilities. Conflating these two, however, will be a dangerous oversight for any organisation that takes their vulnerability management strategy seriously."
Penetration tests generally focus on high-profile security risks and taking the attacker's-eye view, leveraging human ingenuity to simulate a real breach. "That's a valuable task," says Sciberras, "but it's also time-consuming, expensive and only periodic. It can't be easily scaled or automated. That's why vulnerability assessments are a crucial missing piece, because they can constantly comb through an environment to find the vulnerabilities deep within it."
A vulnerability assessment will start by identifying all the resources within a given organisation's systems, assigning values and priorities to each. "They'll then assess those systems, using automated security scanning tools, and then offer a report of the findings, detailing potential fixes, patches and long-term solutions. This is especially important in this era of software, in which companies are pushing out new releases and products every day. The periodic nature of a penetration test will surely miss a variety of deeply embedded vulnerabilities that vulnerability assessments will be able to find."
In fact, vulnerability assessment should, he maintains, ideally be done already as an automated part of the software development life cycle (SDLC), typically using an integrated DAST tool. "From there, organisations can continuously see where their problem areas are and improve upon them over the long term.

"Make no mistake - penetration tests will always be a crucial part of a security strategy, but they're not the only element. Vulnerability assessments provide a regular automated approach that penetration testing simply can't and, as such, should be considered as a critical partner to regular penetration tests."
MEASURING POTENTIAL DAMAGE
The true value of a security-focused penetration test comes from knowing what is vulnerable - and important to the organisation - in order to understand how damaging a breach could be, states Barry Sadler, head of penetration testing at Protection Group International.
"When focusing on protecting what is valuable to you, how you see threats changes. It becomes more about prevention of loss or minimalisation of loss, as opposed to minimising cost of compliance. This can lead to you having a greater understanding on what the biggest vulnerabilities really are and what you can do in response to them. There are also technology-based reasons for increases in penetration testing. Businesses are more reliant than ever on technology for their day-to-day operations, particularly the cloud. As a result, there are more points of access for criminals to take advantage of and, if compromised, it can have a devastating impact on a business' ability to continue operating."
Barry Sadler, Protection Group International: it's more about prevention or minimalisation of loss, as opposed to minimising cost of compliance.
Dave Gerry, Bugcrowd: traditional pen testing is very much stuck in the past.
Matthew Sciberras, Invicti: tests help companies understand the efficacy of their own defences.
As a result of the increased threat and high-profile hacks, there is also a complex regulatory landscape surrounding most sectors, he adds. "Failing to adhere to regulations can result in huge fines, reputational damage, and increased scrutiny from regulators and the press. There is also a skills gap within internal teams, where a lack of knowledge can often be a vulnerability itself; but can also mean that practices and technology used [or misused] can offer cybercriminals opportunities."
All of this means that the need for organisations to have some understanding of where vulnerabilities lie and how to address those weaknesses has never been more important. "As companies turn to penetration testing to solve some of the issues described above, they have to ensure that they are getting the most out of their investment and that the testing is effective," cautions Sadler. "To do this, businesses need an understanding of the scope of the testing they've acquired and whether it includes key areas that can have the most impact if breached."
Some companies suffer from tunnel vision when setting up penetration testing, he continues. "They will often prioritise areas where they feel confident in their security measures and are comfortable being scrutinised. Obviously, whilst it is important to double-check these, in terms of budgets they shouldn't be the main focus. As part of this, we have seen situations where some IT teams will protect themselves from criticism from 'outsiders' and their C-suite, and only put forward areas in which they have confidence. So, it is critical that management do not intentionally restrict the systems allocated to testing, to ensure that vulnerabilities across all areas are detected. These might not include the 'obvious' systems that are used day-to-day, but back-office functions, cloud environments and other seldom used systems. It is these less-used systems that tend to lie untested and vulnerable to attack, rather than those that are part of day-to-day operations."
While penetration testing cannot predict the future, it can be critical in identifying possible vulnerabilities that bad actors could take advantage of. "Therefore, both sides [the customer and the penetration testing provider] need to have an overview and understanding of what is included within the service agreement. Penetration testing organisations need to be clear about what the service can provide - and equally what it cannot do," says Sadler.
SEEK AND YOU SHALL FIND
In an ideal world, advises the National Cyber Security Centre (NCSC), you should know what the penetration testers are going to find, before they find it. Armed with a good understanding of the vulnerabilities present in your system, you can use third-party tests to verify your own expectations.
"Highly experienced penetration testers may find subtle issues which your internal processes have not picked up, but this should be the exception, not the rule," says the NCSC. "The aim should always be to use the findings of a penetration test report to improve your organisation's internal vulnerability assessment and management processes."
What should a penetration test tell you? "Typically, penetration tests are used to identify the level of technical risk emanating from software and hardware vulnerabilities. Exactly what techniques are used, what targets are allowed, how much knowledge of the system is given to the testers beforehand and how much knowledge of the test is given to system administrators can vary within the same test regime."
"A well-scoped penetration test can give confidence that the products and security controls tested have been configured in accordance with good practice and that there are no common or publicly known vulnerabilities in the tested components."
Which brings us back to the caveat at the start of this article - namely, what is actually discovered "at the time of the test".
As to what sort of system should be tested, the NCSC comments: "Penetration testing is an appropriate method for identifying the risks present on a specific, operational system consisting of products and services from multiple vendors. It could also be usefully applied to systems and applications developed 'in-house'."
product news
SOPHOS ACQUIRES SECUREWORKS FOR $859 MILLION
Sophos has reached a definitive agreement to acquire Secureworks for $859 million. Sophos' position as a leading provider of managed security services and end-to-end security products, combined with Secureworks' security operations expertise, is also expected to deliver complementary advanced MDR and XDR solutions.
Comments Wendy Thomas, CEO, Secureworks: "Sophos' portfolio of leading endpoint, cloud and network security solutions - in combination with our XDR-powered managed detection and response - is exactly what organisations are looking for to strengthen their security posture and collectively turn the tide against the adversary."
NEW SERVICE TARGETS CLOUD COMPLEXITY
Integrity360 has launched its Managed Cloud Native Application Protection Platform (CNAPP) Service. The offering has been designed to address the growing complexity of securing multi-cloud environments and protecting cloud-native applications against evolving risks.
Company technical product manager Ahmed Aburahal comments: "The need for advanced, unified security solutions is critical, particularly as Gartner predicts that 95% of cloud breaches will stem from user misconfigurations by 2025."
OPTALYSYS ENTERS ENCRYPTION PARTNERSHIP WITH GOOGLE
Optalysys has partnered with Google HEIR to integrate its photonic processing technology into HEIR's compiler toolchain for fully homomorphic encryption (FHE). This integration aims to address the computational challenges of FHE, in a move to make it more commercially viable.
FHE is an advanced, quantum-resilient cryptography method that allows encrypted data to be processed, "without ever needing to be decrypted". It allows organisations to process data, while maintaining privacy, opening up opportunities for secure data collaboration across industries, even in untrusted environments, adds Optalysys.
SCAM COPILOT TAKES TO THE AIR
Bitdefender has launched Scam Copilot, an advanced technology platform that is powered by artificial intelligence (AI), and designed to detect and fight scams, along with fraud attempts, across devices including computers, tablets and mobile phones.
The platform has been integrated into several Bitdefender digital life protection consumer products, it says, adding "another layer of defence" to protect against malware, credential stealing and data theft.
SECTIGO UNVEILS SITELOCK UPGRADE
Sectigo has announced SiteLock 2.0, described as a major upgrade to its website security and protection platform. The upgrade is designed to simplify website protection for small to medium-sized businesses (SMBs).
According to Christopher Bray, senior vice president, worldwide partner and eCommerce sales, at Sectigo: "With the launch of SiteLock 2.0, we're not just updating a product; we're transforming and simplifying how SMBs manage website security in an environment that is getting more complex."
Product Review Service
VENDORS – HAS YOUR SOLUTION BEEN REVIEWED BY COMPUTING SECURITY YET?
The Computing Security review service has been praised by vendors and readers alike. Each solution is tested by an independent expert whose findings are published in the magazine along with a photo or screenshot. Hardware, software and services can all be reviewed.
Many vendors organise a review to coincide with a new launch. However, please don't feel that the service is reserved exclusively for new solutions. A review can also be a good way of introducing an established solution to a new audience. Are the readers of Computing Security as familiar with your solution(s) as you would like them to be?
Contact Edward O'Connor on 01689 616000 or email edward.oconnor@btc.co.uk to make it happen.