Data/Cyber

‘Petya’ cyber attack affects thousands

BY Richard Summerfield

Hot on the heels of the ‘WannaCry’ ransomware attack, a new global cyber attack disrupted computers across the world on Tuesday and Wednesday. Russia's biggest oil company, Ukrainian banks and multinational firms across Europe, the US and the Asia-Pacific region were affected.

The latest attack, known as ‘Petya’ or ‘GoldenEye’, included code known as 'Eternal Blue', which cyber security experts believe was stolen from the US National Security Agency in April and was also used in WannaCry. It is the Eternal Blue code which facilitated the speed of the assault. Indeed, the attack spread rapidly, affecting machines running Microsoft’s Windows operating systems, encrypting hard drives and overwriting files before demanding $300 in bitcoin payments to restore access. "We are continuing to investigate and will take appropriate action to protect customers," a spokesman for Microsoft said.

Globally, Russia and Ukraine were most affected by the thousands of attacks, according to Kaspersky Lab. In Ukraine, government systems as well as banks, state power utilities and Kiev’s airport and metro system were all affected. Elsewhere, advertising giant WPP, French construction materials company Saint-Gobain, Danish shipping giant Maersk, US pharmaceutical company Merck, Russian steel and oil firms Evraz and Rosneft, and the Australian manufacturing facilities of the Mondelez-owned Cadbury’s chocolate factory, along with many others, were all affected. In total, more than 2000 organisations are believed to have been hit.

The effectiveness of this latest attack, and the speed at which it has spread, so soon after the WannaCry attack, is cause for alarm among companies, cyber security professionals and the general public.

After the WannaCry incident, governments, security firms and industrial groups advised businesses and consumers to make sure all their computers were updated with Microsoft patches to defend against the threat. This latest attack, believed to be smaller than WannaCry, could be more harmful than its predecessor as it renders computers unresponsive and unable to reboot. The resourcefulness of the attackers is also a concern for cyber security professionals, particularly as Petya does not appear to have the same ‘kill switch’ which was used to neutralise the WannaCry attack.

Though they are not a new development, ransomware attacks are becoming more frequent. The Petya attack is yet another reminder that many organisations are neglecting to patch their systems, allowing malicious actors to exploit weaknesses. Companies must do more to protect their networks, their data and, ultimately, their cash.

News: New computer virus spreads from Ukraine to disrupt world business

IoT breaches hit US firms

BY Richard Summerfield

Nearly half of all companies in the US using an Internet of Things (IoT) network have been the victims of recent security breaches, according to a new survey from Altman Vilandrie & Company.

The survey, ‘Are your company’s IoT devices secure?’, which included nearly 400 organisations, notes that security systems protecting 48 percent of organisations’ IoT networks have been breached at least once in the last two years. Overall, the cost of the IoT security breaches represented 13.4 percent of smaller companies’ annual total revenues. For larger companies – those with annual revenues in excess of $5m – the cost of a breach can run into the tens of millions.

“While traditional cybersecurity has grabbed the nation’s attention, IoT security has been somewhat under the radar, even for some companies that have a lot to lose through a breach,” said Altman Vilandrie & Company director Stefan Bewley, who co-directed the survey. “IoT attacks expose companies to the loss of data and services and can render connected devices dangerous to customers, employees and the public at large. The potential vulnerabilities for firms of all sizes will continue to grow as more devices become Internet dependent.”

The survey also highlights a connection between the amount companies spend on IoT security and the likelihood that they endure a breach. Typically, those companies that have not been breached have invested as much as 65 percent more in IoT security than their counterparts. Preparedness is key, though the risks for companies of all sizes, and at all levels of preparedness, will continue to grow as more devices become internet-dependent.

“We see it being critical for security providers to build a strong brand and reputation in the IoT security space. There are lots of providers developing innovative solutions, but when it comes to purchasing decisions, buyers are looking for a brand and product they trust,” said Ryan Dean, a principal at Altman Vilandrie & Company, who co-directed the survey. “Price is a secondary concern that buyers tend to evaluate after they have narrowed their options down to a few strong security solutions.”

Report: Are your company’s IoT devices secure?

Detection and understanding: getting cyber security off the back burner

BY James Williams

A “worrying” number of UK businesses have no formal plan to protect themselves from a cyber attack – a position that has improved little since last year – according to a new survey from the Institute of Directors (IOD) and Barclays bank.

The survey, ‘Cyber security: Ensuring business is ready for the 21st century’, reveals that although 94 percent of UK businesses believe that the security of their IT software is crucial for protection, only 56 percent have a system in place to preserve their data and devices.

In addition, only 44 percent of survey respondents said their company provided cyber awareness training schemes for staff, a figure deemed to be a “significant problem”. Pointedly, the survey states that the key cyber security vulnerability is human error, and that such errors become ever more likely in the absence of training or clear guidelines as to what constitutes appropriate good practice.

Furthermore, despite the number of cyber attacks over the last year, as many as 40 percent of survey respondents admitted that they would not know who to contact to report online fraud – an unawareness which will become much more acute in May 2018 when the new General Data Protection Regulation (GDPR), which makes companies much more accountable for their customers’ data, comes into force.

“Cyber criminals attack systems, data and networks virtually without intervention and traditional defences are no longer adequate”, said Troels Oerting, group chief information security officer at Barclays. “For the financial sector in particular, the game has changed. Barclays has already implemented a strong protection for our business and we will continue to adapt to the rapid change in cyber space.”

As part of its bid to tackle the cyber security issue, the UK government has taken a number of positive steps in the last year to protect business and consumers, with the opening of the National Cyber Security Centre (NCSC) one of the more high-profile initiatives. By bringing together several different agencies and placing the NCSC within the Government Communications Headquarters (GCHQ), the aim is that UK authorities will be well-placed to detect and understand cyber threats. That said, the survey makes clear that the ultimate responsibility for businesses in the UK will always lie in the boardroom.

Mr Oerting concluded: “For centuries, society and banks have steered through unprecedented events. Cyber crime is another challenge, and it too can be managed by implementing a strong strategy built on resilience and intelligence.”

Report: Cyber security: Ensuring business is ready for the 21st century

Millennials key to worldwide cyber security workforce shortage, says new study

BY Fraser Tennant

A severe shortage of talent in the information security workforce is looming, with employers needing to look to millennials to fill the gap, according to new research from the Center for Cyber Safety and Education, published this week.

The research, part of the Center’s eighth Global Information Security Workforce Study (GISWS), which includes feedback from over 19,000 information security professionals worldwide, indicates that employers must look to millennials to fill the projected 1.8 million information security workforce gap that is estimated to exist by 2022. This is a 20 percent rise from the 1.5 million worker shortfall forecast by the GISWS in 2015.

The publication of the GISWS coincides with a major initiative to tackle the UK skills deficit due to a lack of millennials recruited into the field: the National Cyber Security Centre, which was officially opened this week in London.

“Supporting and developing the next generation of cyber security talent is essential to the future of the industry,” said Richard Horne, cyber security partner at PwC. “We are on track to recruit more than 1000 technology specialists over the next four years at both graduate and experienced levels. It is important to help graduates experience the many different paths a career in this field could follow by offering a rotation programme around our teams, ranging from threat intelligence and incident detection and response to security transformation programmes and legal and regulatory compliance.”

The 2017 GISWS features a series of reports and analyses focusing on millennial respondents, with key takeaways for employers and hiring managers as to how they should go about attracting and retaining the millennial workforce. These include: (i) millennials value career development opportunities and are more likely to pay for them, if not offered by their employers; (ii) they are more likely to aspire to become security consultants than move into managerial roles within an organisation; and (iii) salaries were not the highest priority for millennials, but they do receive higher salary increases than other generations.

Mr Horne continued: “Cyber security roles can often be seen as purely technical but today's well-rounded cyber security expert has a diverse skillset, with not only technical knowledge but also wider business skills like creativity, organisation, relationship-building and communication.”

With addressing the impending information security workforce shortage clearly a major concern, David Shearer, chief executive of the Center for Cyber Safety and Education, is confident that millennials “are the future of cyber security and hold the key to filling the information security workforce gap”.

Report: Meet the Millennials – the Next Generation of your Information Security Workforce

Cyber attack aftermath a big issue for global organisations

BY Fraser Tennant

Global organisations are more adept than ever at detecting a cyber attack but are struggling to cope with the aftermath of a breach, according to a new survey by EY.

In ‘Path to cyber resilience: Sense, resist, react’, EY’s 19th Global Information Security Survey (GISS) 2016-17, some of the most compelling cyber security issues facing businesses in today’s digital ecosystem are examined, with respondents indicating that cyber security threats, such as malware, phishing, cyber attacks to steal financial information, or cyber attacks to steal intellectual property or data, are on the rise.

EY’s findings show that although 50 percent of the 1735 global organisations surveyed said they could detect a sophisticated cyber attack – due to investments in cyber threat intelligence to predict what they can expect from an attack, continuous monitoring mechanisms, security operations centres (SOC) and active defence mechanisms – 86 percent said that, despite these investments, their cyber security function does not fully meet their organisation's needs.

Additionally, 64 percent of organisations stated that they did not have a formal threat intelligence programme or had only an informal one at best. When it came to the matter of identifying vulnerabilities, 55 percent of respondents said they did not have vulnerability identification capabilities or had only informal capabilities. Moreover, 44 percent indicated they did not have a SOC to continuously monitor for cyber attacks.

“Organisations have come a long way in preparing for a cyber breach, but as fast as they improve, cyber attackers come up with new tricks,” said Paul van Kessel, EY global advisory cyber security leader. “Organisations therefore need to sharpen their senses and upgrade their resistance to attacks. They also need to think beyond just protection and security to ‘cyber resilience’ – an organisation-wide response that helps them prepare for and fully address these inevitable cyber security incidents.”

When asked about any recent cyber security incidents, 57 percent of respondents said they had experienced an incident. Furthermore, 48 percent cited outdated information security controls or architecture as their highest vulnerability – a 34 percent increase on the findings of the 2015 survey.

Mr van Kessel continued: “In the event of an attack organisations need to have a plan and be prepared to repair the damage quickly. If not, they put their customers, employees, vendors and ultimately their own future, at risk.”

Report: ‘Path to cyber resilience: Sense, resist, react’.

©2001-2024 Financier Worldwide Ltd. All rights reserved.