

#deepweb | Dark web websites: 10 things you should know

Source: National Cyber Security – Produced By Gregory Evans

Back in the 1970s, “darknet” wasn’t an ominous term: it simply referred to networks that were isolated from the mainstream of ARPANET for security purposes. But as ARPANET became the internet and then swallowed up nearly all the other computer networks out there, the word came to identify areas that were connected to the internet but not quite of it, difficult to find if you didn’t have a map.

The so-called dark web, a catch-all phrase covering the parts of the internet not indexed by search engines, is the stuff of grim legend. But like most legends, the reality is a bit more pedestrian. That’s not to say that scary stuff isn’t available on dark web websites, but some of the whispered horror stories you might’ve heard don’t make up the bulk of the transactions there.

We spoke to some security pros who offered to give us a bit of a guided tour of the web’s nether regions. Hopefully it will demystify things a bit.

Here are ten things you might not know about the dark web.

New dark web sites pop up every day…

A 2015 white paper from threat intelligence firm Recorded Future examines the linkages between the Web you know and the darknet. The paths usually begin on sites like Pastebin, originally intended as an easy place to upload long code samples or other text but now often where links to the anonymous Tor network are stashed for a few days or hours for interested parties. 

While searching for dark web sites isn’t as easy as using Google—the point is to be somewhat secretive, after all—there are ways to find out what’s there. The screenshot below was provided by Radware security researcher Daniel Smith, and he says it’s the product of “automatic scripts that go out there and find new URLs, new onions, every day, and then list them. It’s kind of like Geocities, but 2018”—a vibe that’s helped along by pages with names like “My Deepweb Site,” which you can see on the screenshot.

[Screenshot: fresh onions. Credit: Daniel Smith]

…and many are perfectly innocent

Matt Wilson, chief information security advisor at BTB Security, says that “there is a tame/lame side to the dark web that would probably surprise most people. You can exchange some cooking recipes—with video!—send email, or read a book. People use the dark web for these benign things for a variety of reasons: a sense of community, avoiding surveillance or tracking of internet habits, or just to do something in a different way.”

It’s worth remembering that what flourishes on darknet is material that’s been banned elsewhere online. For example, in 2015, in the wake of the Chinese government cracking down on VPN connections through the so-called “great firewall,” Chinese-language discussions started popping up on the darknet — mostly full of people who just wanted to talk to each other in peace.

Radware’s Smith points out that there are a variety of news outlets on the dark web, ranging from the news website from the hacking group Anonymous to the New York Times, shown in the screenshot here, all catering to people in countries that censor the open internet.

[Screenshot: nytimes. Credit: Daniel Smith]

Some spaces are by invitation only

Of course, not everything is so innocent, or you wouldn’t be bothering to read this article. Still, “you can’t just fire up your Tor browser and request 10,000 credit card records, or passwords to your neighbor’s webcam,” says Mukul Kumar, CISO and VP of Cyber Practice at Cavirin. “Most of the verified ‘sensitive’ data is only available to those that have been vetted or invited to certain groups.”

How do you earn an invite into these kinds of dark web sites? “They’re going to want to see history of crime,” says Radware’s Smith. “Basically it’s like a mafia trust test. They want you to prove that you’re not a researcher and you’re not law enforcement. And a lot of those tests are going to be something that a researcher or law enforcement legally can’t do.”

There is bad stuff, and crackdowns mean it’s harder to trust

As recently as last year, many dark web marketplaces for drugs and hacking services featured corporate-level customer service and customer reviews, making navigating simpler and safer for newbies. But now that law enforcement has begun to crack down on such sites, the experience is more chaotic and more dangerous.

“The whole idea of this darknet marketplace, where you have a peer review, where people are able to review drugs that they’re buying from vendors and get up on a forum and say, ‘Yes, this is real’ or ‘No, this actually hurt me’—that’s been curtailed now that dark marketplaces have been taken offline,” says Radware’s Smith. “You’re seeing third-party vendors open up their own shops, which are almost impossible to vet yourself personally. There’s not going to be any reviews, there’s not a lot of escrow services. And hence, by these takedowns, they’ve actually opened up a market for more scams to pop up.”

Reviews can be wrong, products sold under false pretenses—and stakes are high

There are still sites where drugs are reviewed, says Radware’s Smith, but keep in mind that they have to be taken with a huge grain of salt. A reviewer might get a high from something they bought online, but not understand what the drug was that provided it.

One reason these kinds of mistakes are made? Many dark web drug manufacturers will also purchase pill presses and dyes, which retail for only a few hundred dollars and can create dangerous lookalike drugs. “One of the more recent scares that I could cite would be Red Devil Xanax,” he said. “These were sold as some super Xanax bars, when in reality, they were nothing but horrible drugs designed to hurt you.”

The dark web provides wholesale goods for enterprising local retailers…

Smith says that some traditional drug cartels make use of the dark web networks for distribution—“it takes away the middleman and allows the cartels to send from their own warehouses and distribute it if they want to”—but small-time operators can also provide the personal touch at the local level after buying drug chemicals wholesale from China or elsewhere from sites like the one in the screenshot here. “You know how there are lots of local IPA microbreweries?” he says. “We also have a lot of local micro-laboratories. In every city, there’s probably at least one kid that’s gotten smart and knows how to order drugs on the darknet, and make a small amount of drugs to sell to his local network.”

[Screenshot: xanax. Credit: Daniel Smith]

…who make extensive use of the gig economy

Smith describes how the darknet intersects with the unregulated and distributed world of the gig economy to help distribute contraband. “Say I want to have something purchased from the darknet shipped to me,” he says. “I’m not going to expose my real address, right? I would have something like that shipped to an AirBnB—an address that can be thrown away, a burner. The box shows up the day they rent it, then they put the product in an Uber and send it to another location. It becomes very difficult for law enforcement to track, especially if you’re going across multiple counties.”

Not everything is for sale on the dark web

We’ve spent a lot of time talking about drugs here for a reason. Smith calls narcotics “the physical cornerstone” of the dark web; “cybercrime—selling exploits and vulnerabilities, web application attacks—that’s the digital cornerstone. Basically, I’d say a majority of the darknet is actually just drugs and kids talking about little crimes on forums.”

Some of the scarier sounding stuff you hear about being for sale often turns out to be largely rumors. Take firearms, for instance: as Smith puts it, “it would be easier for a criminal to purchase a gun in real life versus the internet. Going to the darknet is adding an extra step that isn’t necessary in the process. When you’re dealing with real criminals, they’re going to know someone that’s selling a gun.”

Specific niches are in

Still, there are some very specific darknet niche markets out there, even if they don’t have the same footprint that narcotics does. One that Smith drew my attention to was the world of skimmers, devices that fit into the slots of legitimate credit and ATM card readers and grab your bank account data.

And, providing another example of how the darknet marries physical objects for sale with data for sale, the same sites also provide data manual sheets for various popular ATM models. Among the gems available in these sheets are the default passwords for many popular internet-connected models; we won’t spill the beans here, but for many it’s the same digit repeated five times.

[Screenshot: atm skimmers. Credit: Daniel Smith]

It’s still mimicking the corporate world

Despite the crackdown on larger marketplaces, many dark web sites are still doing their best to simulate the look and feel of more corporate sites. 

[Screenshot: elude. Credit: Daniel Smith]

The occasional swear word aside, for instance, the onion site for the Elude anonymous email service shown in this screenshot looks like it could come from any above-board company.

One odd feature of corporate software that has migrated to the dark web: the omnipresent software EULA. “A lot of times there’s malware I’m looking at that offers terms of services that try to prevent researchers from buying it,” he says. “And often I have to ask myself, ‘Is this person really going to come out of the dark and try to sue someone for doing this?’”

And you can use the dark web to buy more dark web

And, to prove that any online service can, eventually, be used to bootstrap itself, we have this final screenshot from our tour: a dark web site that will sell you everything you need to start your own dark web site.

[Screenshot: docker. Credit: Daniel Smith]

Think of everything you can do there—until the next crackdown comes along.

Copyright © 2018 IDG Communications, Inc.


The post #deepweb | Dark web websites: 10 things you should know appeared first on National Cyber Security.


Should #Companies be #Fined for Poor #Cyber Security?

Companies in the UK are being fined by the government for not properly securing their data. Is this a model the U.S. and other countries should adopt?

News broke recently that there would be fines of up to £17m in the UK for companies that have poor or inadequate cyber security measures in place. Specifically, if a company fails to effectively protect itself from a cyber security attack, it could be subject to a large fine from the government as a “last resort,” according to Digital Minister Matt Hancock. The U.K. also placed industry-specific regulations on essential services. Essential services industries such as water, health, energy and transportation are expected to have stronger safeguards against cyber attacks.

Cyber Security Inspections to Take Place

To keep companies compliant with cyber security regulations, the UK government will now have regulators inspect the cyber security measures companies have in place. Essential services (think water, healthcare, electricity, transportation, financial) will face more scrutiny than other companies. If a regulator finds a company does not have security safeguards in place, the company will have to come up with a plan for beefing up cyber security. Companies that continue to fail to implement proper security measures will be fined.

Cyber Attacks Becoming More Dangerous

The essential services people use every day are being targeted by cyber attacks at an increasingly high rate. This can make for extremely dangerous situations, such as the WannaCry attack that hit several National Health Service (NHS) facilities and impacted several hospitals’ abilities to admit patients. It was later found that this attack could have been prevented with proper cyber security efforts in place.  It also means that services people depend on every day — from electricity, to water, to industrial safety systems — could all be at risk.

This makes it clear why the UK government has chosen to regulate cyber security, particularly among companies that provide services it deems essential to the public. It also raises the question of whether the United States should follow suit. U.S. companies have fallen victim to their fair share of cyber attacks. These attacks have disrupted the lives of Americans who depend on the services affected or whose sensitive information has been accessed by the attackers.

What Safeguards are Currently in Place?

While it is obviously in a company’s best interest to have cyber security precautions in place rather than cleaning up the mess of an attack afterwards, that doesn’t mean everyone invests as much as they should in cyber security. In the U.S. there are a few federal regulations in place to establish a bare minimum for cyber security in certain essential industries.

  • HIPAA (1996): HIPAA introduced provisions for data privacy and data security of medical information. All companies and establishments dealing with medical information must have specific cyber security measures in place.
  • Gramm-Leach-Bliley Act (1999): The Gramm-Leach-Bliley Act states that financial institutions in the U.S. must share what they do with customer data and information and what protections they have in place to protect customer data. Noncompliance means hefty fines for financial institutions and could lead to customers taking their business elsewhere.
  • FISMA (2002): FISMA was introduced under the Homeland Security Act as an introduction to improving electronic government services and processes. This act ultimately established guidelines for federal agencies on security standards.

Critics state that these three regulations are good for establishing minimum security, but do not go far enough. Compliance with all of these regulations has not been robust enough to safeguard against advanced cyber attacks in recent years. There have been clear breaches of cyber security measures in the medical, financial and government sectors over the past years. While some state governments have put additional regulations in place, the general consensus is that individual companies should be responsible for beefing up cyber security as they see fit.

Cyber Security Investments Should be Increased
At the end of the day, U.S. companies will need to make the decisions that are best for their businesses and customers about what level of cyber security protection is necessary. Marcus Turner, Chief Architect at Enola Labs Software, often discusses cyber security measures with his clients, stating:

“Ultimately, high levels of cyber security are a necessary and worthwhile investment for businesses that care about protecting their customers and safeguarding their businesses. I often tell businesses that they can pay an upfront cost now to protect their data, or wait until a cyber security attack and pay an even bigger price later to clean up the mess. Waiting may very well cost you your business.”

This year we are expecting a much higher investment in cyber security, so it will be interesting to see if this is enough to hinder government intervention or if additional U.S. government regulation of cyber security becomes necessary.



Public #sector executive #pay should be #linked to #cybersecurity

Source: National Cyber Security News

Cybersecurity is constantly in the headlines for all the wrong reasons.

Earlier this month, we heard that all 200 UK NHS Trusts that have been assessed so far failed to meet the standards of the government-backed Cyber Essentials Plus scheme. Some of them even failed on patching, which was the vulnerability that led to the WannaCry ransomware attack. They clearly haven’t learned the lessons from an event which caused massive disruption across the health service, with operations postponed and appointments cancelled.

You would think that, if public sector organisations can’t even manage basic security hygiene such as patching, there would be consequences for those running them. However, while the forthcoming GDPR is bringing in new requirements for the protection of personal data, the large fines (€20m or 4% of global revenue) for a privacy breach will apply to the organisations concerned and will not affect their leaders.

After the TalkTalk cyberattack, its then chief executive Dido Harding may have had her cash bonus halved, from £432,000 to £220,000, but she was still paid a total of £2.81M in 2015, despite the personal and financial details of tens of thousands of customers disappearing into the ether.


Why you should be #checking your #data security

Source: National Cyber Security News

If organisations need an incentive to look at how the upcoming reforms to the Privacy Act (Privacy Act 1988 Cth) affect them, the threat of a $2.1m fine could be the motivator.

From February 22, any organisation that is covered by the Privacy Act will be obligated to notify the Australian Information Commissioner and the affected individuals when there has been an eligible data breach – types of breaches will vary, but examples include bank accounts hacked into, or personal details with potential for identity theft accessed, such as names and addresses.

Organisations most at risk include those holding large amounts of personal information, such as retailers, telecommunications and utilities providers, banks, insurance companies, professional services firms, and medical/health care providers.

The new regime will rightly make some organisations nervous as data breaches are becoming more common thanks to new ransomware and other hazardous software.

The smart response is to prepare early for the notification regime. Waiting until a breach happens and then scrambling to deal with your obligations on the run may attract the Commissioner’s ire and may put your organisation at risk of substantial penalties.


Why #companies should make #security a key #performance #indicator

Source: National Cyber Security News

Businesses can’t just buy a bunch of security products and think that they’re protected from cyberattacks. Security involves more than that, including strategy, education, and training. TechRepublic talked with Secure Anchor CEO Eric Cole to discuss how employers can teach cybersecurity best practices to their employees.

“There’s a lot of different awareness programs where people get phishing emails and if they click they get penalized,” Cole said. “What I found, and I was sort of shocked of how effective this is, make security a KPI. A key performance indicator, not only for individuals but managers.”

If employees get penalized for their actions like using poor judgement when clicking links, they become much more aware and careful of what they do from a cybersecurity standpoint. “I’m not usually a big fan of penalizing, but KPI-based security metrics has had a huge, huge positive impact on all my clients,” he said.

To keep important information secure, companies need to make sure their servers that are accessible to the internet don’t contain critical data. Over the past 12 months, the companies that were hit by cyberattacks should have asked themselves, “Do we have any servers accessible from the internet that contain critical data?”


Hackers #stole $172 #billion last #year: #Consumers should #avoid these #mistakes

Source: National Cyber Security – Produced By Gregory Evans

Online hackers made out like true bandits in 2017, stealing over $172 billion from people in 20 countries around the world, a new report said.

Norton Cyber Security released its annual insights report and found that 44% of consumers were affected by a cybercrime in the last 12 months with an average victim losing $142.


Cryptocurrency will drive #AI adoption but #companies should not lose #sight of #present #dangers

Source: National Cyber Security – Produced By Gregory Evans

Bitcoin and other cryptocurrencies have become a routine part of today’s cyber attack landscape.

The press is awash with cryptocurrency. Reports on the all-time highs, the billionaires who jumped on the bandwagon early, and the news that the likes of Goldman’s are setting up trading desks to exploit the wave are rife.


ADS-B and #Aviation #Cybersecurity: Should #Passengers Be #Concerned?

Source: National Cyber Security – Produced By Gregory Evans

Automatic Dependent Surveillance Broadcast (ADS-B) is a technology mandated in all commercial and general aviation aircraft by 2020. It gives the pilot a kind of weather radar and assists with situational awareness, bringing excellent value to the cockpit for professional and private pilots alike. The ability to see thunderstorms and other aircraft in close proximity helps avoid collisions and accidents due to weather.

There is no debate as to the value and effectiveness of ADS-B. However, the technology used to bring all this wonderful situational awareness is rooted in equipment developed and commercialized in the 1960s, and it remains to be seen whether it puts passengers’ privacy at risk.

The Aviation Cybersecurity Challenge
The data format of the transponder was created to help ground-based radar systems track and identify aircraft en route. As its name suggests, ADS-B takes the data coming in from the aircraft’s transponder (and related equipment such as a GPS position source) and aggregates it into a broadcast packet much like on an Ethernet network. For example, if two aircraft position reports are received by the ground station, it will broadcast both positions back on a given frequency. The aircraft then takes the data it receives and displays its position and the other aircraft’s position in the cockpit. Much like position data, weather data is aggregated by the ground station and then rebroadcast for display in the cockpit.

So far, so good. Now for the challenge: Like many industrial Internet of Things (IIoT) controllers, ADS-B equipment does not support encryption, so it is possible to forge the broadcast packet with a man-in-the-middle (MitM) attack. In theory, a threat actor could take a 777 and make it appear miles away from its actual location, potentially leading to midair collisions.

The FAA’s Solution
Since aircraft systems do not have enough CPU power for encryption due to backward compatibility concerns with the installed base, the Federal Aviation Administration (FAA) devised other methods to verify authenticity. These methods, while not publicly detailed, involve analytic geometry combined with a database of aircraft performance to calculate an aircraft’s previous position and compare it to the recently received packet.

Think of it like this: If the airplane has a maximum speed of 300 mph and it moves from position A to position B at a rate of 600 mph, it can be assumed that the data received is forged and will be dropped from the broadcast packet. Additionally, since the cyclic redundancy check (CRC) must remain valid, the attacker has limited choices of where he or she can place the victim aircraft. This solves the problem of making an aircraft appear on screen in a location where it is not.
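The speed check described above can be sketched as a small filter. This is an added example, not the FAA's method (which the article notes is not publicly detailed); the performance table, tolerance factor, field names and sample reports are all constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_MI = 3958.8  # mean Earth radius, statute miles

# Hypothetical performance database: aircraft type -> maximum speed (mph).
MAX_SPEED_MPH = {"LIGHT_PISTON": 300.0, "WIDEBODY_JET": 650.0}
DEFAULT_MAX_MPH = 700.0   # assumed ceiling for unknown types
TOLERANCE = 1.10          # assumed allowance for wind and position error


@dataclass(frozen=True)
class Report:
    icao: str      # aircraft address (constructed values below)
    ac_type: str   # key into MAX_SPEED_MPH
    t: float       # receive time, seconds
    lat: float     # degrees
    lon: float     # degrees


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in statute miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


class PlausibilityFilter:
    """Keeps the last accepted position per aircraft and rejects reports
    that would require flying faster than the type allows."""

    def __init__(self):
        self._last = {}  # icao -> last accepted Report

    def check(self, r):
        prev = self._last.get(r.icao)
        if prev is None:
            # Nothing to compare against; the first report seeds the track.
            self._last[r.icao] = r
            return True, "first report"
        dt = r.t - prev.t
        if dt <= 0:
            # Replayed or reordered data cannot yield a meaningful speed.
            return False, "non-increasing timestamp"
        dist = haversine_miles(prev.lat, prev.lon, r.lat, r.lon)
        speed = dist / (dt / 3600.0)
        limit = MAX_SPEED_MPH.get(r.ac_type, DEFAULT_MAX_MPH) * TOLERANCE
        if speed > limit:
            # Dropped: the reference stays at the last accepted position.
            return False, f"implied {speed:.0f} mph exceeds {limit:.0f} mph"
        self._last[r.icao] = r
        return True, f"implied {speed:.0f} mph"


def filter_reports(reports):
    """Run reports through one filter; returns a list of (accepted, reason)."""
    f = PlausibilityFilter()
    return [f.check(r) for r in reports]


# Constructed sample data: one light aircraft with a forged jump at t=120,
# and one jet whose (faster) movement is within its own limit.
SAMPLE_REPORTS = [
    Report("N1", "LIGHT_PISTON", 0, 40.00, -75.0),
    Report("N1", "LIGHT_PISTON", 60, 40.05, -75.0),   # ~207 mph
    Report("N1", "LIGHT_PISTON", 120, 40.25, -75.0),  # ~829 mph, rejected
    Report("N1", "LIGHT_PISTON", 180, 40.15, -75.0),  # ~207 mph from t=60
    Report("A2", "WIDEBODY_JET", 0, 41.00, -80.0),
    Report("A2", "WIDEBODY_JET", 60, 41.13, -80.0),   # ~539 mph
]

if __name__ == "__main__":
    for rep, (ok, why) in zip(SAMPLE_REPORTS, filter_reports(SAMPLE_REPORTS)):
        print(rep.icao, rep.t, "ACCEPT" if ok else "DROP", why)
```

Because a rejected report never updates the track, a forged first report would cause later genuine reports to be dropped; a production filter would need a way to re-seed a track, which this sketch omits.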

But what if an attacker wanted to do a distributed denial-of-service (DDoS) attack? Could the ground station be overwhelmed with false packets, causing it to go off the air? Worse yet, the default behavior for a packet with a failed CRC is to drop it. Could a MitM attack simply flood the ground station with malformed packets for each of the aircraft received in the previous broadcast packet? Would this make all the aircraft simply drop off the screen in the cockpit?

ADS-B and Data Privacy
The good news is that air traffic control in the U.S. and elsewhere in the world is using the ADS-B technology as a wonderful supplement to situational awareness. It is not being used to replace actual ground radar stations that air traffic control (ATC) uses to control the movement of commercial flights and some general aviation flights. So for the flying public, the risk, while not zero, is indeed very small since only general aviation flights that are not on a filed flight plan are outside of ATC jurisdiction.

While the concern is real, the probability of an attacker causing a midair collision is very small. The real aviation cybersecurity concern is for data privacy. With all this information available in the clear, apps exist to track flights on your smartphone today. Will someone find a way to monetize your location data for a profit, and do you care? Furthermore, drones are not currently required to have ADS-B and, in many cases, are too small for radar to pick up. Should commercial drones be required to have ADS-B?


Cybersecurity #101 for #Manufacturers: Why Should You #Care?

Source: National Cyber Security – Produced By Gregory Evans

Anyone living through today’s news cycle who does not recognize cybersecurity as an issue is simply not paying attention. But, until recently, most manufacturing companies have considered it someone else’s issue. Most reported cyber incidents have been aimed at acquiring large caches of consumer data (think breaches at Target affecting 70 million consumers, and Verizon affecting 40 million consumers.) Hackers were historically intent on identity theft, and the acquisition of consumers’ personally identifiable information (PII) is a first step toward that goal. Most manufacturers do not deal directly with consumers or collect their data, so many put cybersecurity on the back burner. However, a recent study found that the manufacturing sector is now the second most frequently hacked industry, after healthcare. (2016 Cyber Security Intelligence Index, IBM X-Force Research.)

Recent cyber breaches have gone far beyond collecting consumer PII. Cyber criminals (and some foreign countries) are after trade secret technology and IP — yours, your vendors’, and your customers’.  Losses from these breaches can include direct payments in the form of “ransom” for shutting down your computerized systems and holding your data hostage (ransomware); business email compromises (BECs), where inside information about upcoming transactions or wire transfers are mistakenly directed to a cybercriminal by your own employees under the misapprehension they are acting on the instructions of a senior executive (phishing); or loss of employee PII or a whole host of other information you may not realize is accessible to a sophisticated cybercriminal.

All Modern Manufacturing Systems are Susceptible to Exploitation. Think about your company’s reliance on computerized industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, employees’ use of multiple data storage devices (servers, laptops, smartphones, social media), your vendors’ and customers’ everyday access to your systems to streamline communications or production, cloud computing, vindictive or disgruntled employees with access to sensitive information, or innocent employees opening an email link or attachment without verifying the source. Any and all of these may provide points of entry for a determined hacker or data phisher. Target’s massive data breach in late 2015, for instance, was engineered through access unwittingly provided by a company HVAC vendor that did not have a secure system, despite Target’s own otherwise sophisticated and thorough security and breach prevention program.

Ransomware/BEC attacks have not distinguished manufacturing companies from other targets. A hacker may gain access to a company’s computerized systems by means of an insider/employee opening an official-seeming link or attachment in an innocent-seeming email, and implant a virus into the system that holds critical data hostage or shuts down critical functions. Even payment of the demanded “ransom” to unfreeze the system may not guarantee a return of data or normal functionality.

Data and System Breaches are Expensive. Costs can include business disruption, product discounts, forensic and investigative activities, loss of customers, litigation and regulatory, and reporting costs. According to the 2017 Cost of Data Breach Study recently released by the Ponemon Institute, the total organizational cost per data breach incident for the U.S. was $7.35 million last year, the highest of the 13 countries studied. The study did not address loss of competitive advantage when trade secret technology and IP are stolen, which could be substantially more costly; the U.S. Federal Bureau of Investigation (FBI) estimated that $400 billion of intellectual property leaves the U.S. every year as a result of cyberattacks targeted at manufacturing companies.

BECs increased 2,370% between January 1, 2015 and December 31, 2016, with victims reporting losses of $346 million. The FBI estimated in a May 2017 alert that such crimes have caused losses of $1.6 billion in the U.S. since 2013 and $5.3 billion globally. For instance, in 2015 paint manufacturer Sherwin-Williams reportedly sent $6.5 million to overseas bank accounts of Russian criminals due to BECs.

How Can You Fight Back? There are a number of protections available to manufacturing companies, many of which are relatively inexpensive.

  • Train your employees. People are the weakest link in cybersecurity, since hackers can access your systems through a single point of contact. If employees are alert to potential email threats, confine their work to your secure network, and limit postings on social media, many potential attacks can be blocked.
  • Use two-step authentication to mitigate threats from BECs. Companies that require confirmation of funds transfer requests by secure telephone or a secondary sign-off by company personnel can virtually eliminate unauthorized transfers.
  • Segment your network on a “need to access” basis. This practice limits accidental transfer of critical data and prevents a hacker from using one point of entry to move a virus or malware through your entire system.
  • Encrypt critical data and back up your systems regularly.
  • Audit your vendors’ and contractors’ cybersecurity systems. Contractual provisions can create cybersecurity duties for your business partners and give you the right to examine their systems for weaknesses that might otherwise compromise your network.
  • Use penetration testing or public domain audits regularly to ensure that your sensitive information is not accessible online.
  • Apply software patches and update your systems on a timely basis. Operators of ICS/SCADA tend not to update or apply software patches because these require system downtime or gaps in service, but most of the systems hacked in recent ransomware attacks were running out-of-date software, and the attacks could have been foiled if the victims had simply applied manufacturer-supplied patches regularly.
  • Check the NIST Guide to Industrial Control Systems (ICS) Security for additional cybersecurity guidance.
  • Have a response plan in place in case of a breach.
  • Look into cyber insurance to mitigate the cost of a cyber incident. The current insurance market is competitive and well-priced, so you should be able to negotiate for the appropriate protection.

While it is impossible to create impenetrable systems, be aware that hackers tend to go after low-hanging fruit. The more protections you implement, the less likely you are to experience a debilitating cyber-attack.

The post Cybersecurity #101 for #Manufacturers: Why Should You #Care? appeared first on National Cyber Security Ventures.


Cybersecurity should be a #strategic issue, not just an #IT #investment

Source: National Cyber Security – Produced By Gregory Evans

Part of the problem in managing cybersecurity challenges revolves around the fact that security isn’t seen as a critical business problem by senior executives and board members alike.

Fortinet's recent 2017 global survey on changing attitudes towards cybersecurity in business reveals that cybersecurity does not rank among the high-focus areas for board members of organisations.

Surveying over 1,800 IT decision makers, Fortinet found that almost half of respondents believe that security is still not a top priority discussion for the board. At the same time, they also strongly contend that cybersecurity should become a top management priority, with 77% of respondents indicating that the board needs to put IT security under greater scrutiny, says Paul Williams, Country Manager for Southern Africa at Fortinet.

“One would assume there would have been a substantial uptick in interest by boards as a result of some of the most recent security attacks—and the dire implications they had on the targeted businesses,” says Williams. “However, even though boards do react when security attacks occur, their actions are generally reactive rather than prescriptive. Specifically, boards appear more involved in post-breach management than prevention.”

For example, the survey reveals that 77% of boards demand to know what happened after a security event occurs, and 67% review or increase security budgets. Security leaders obviously still have much work to do in up-levelling security to the board level.

Williams says findings from the survey corroborate the statement that no organisation is immune from the threat of breaches, ransomware attacks, or operational disruptions. Companies of all sizes and shapes, and in all industry segments, are targets: 85% of respondents indicated that they suffered a security breach in the past two years, with almost half reporting a malware or ransomware attack.

There are a number of factors driving boards, executives, and IT decision makers to make cybersecurity a top priority in 2018.

According to Williams, the more significant ones are:

Security Breaches and Global Attacks. The vast majority of organisations have experienced some type of security breach or attack in the past two years. 49% of survey respondents said their organisations increased their focus on security following a global attack such as WannaCry. Increased publicity and attention, along with implications for brand reputation and business operations, make these board-level issues rather than IT operational undertakings.

Attack Surface. The adoption of the cloud, emergence of IoT, and growth in big data expand both the circumference of the attack surface and its complexity. 74% of survey respondents indicate cloud security is a growing priority for their organisations. Half say their organisations plan cloud security investments over the next 12 months. IoT is just as big a factor when it comes to the ever-expanding attack surface. The number of connected IoT devices is predicted to balloon to more than 8.4 billion by year-end, according to Gartner. Of these, 3.1 billion belong to businesses. As many IoT devices are difficult to protect, experts concurrently predict that more than 25% of all security attacks will target IoT devices by 2020.

Regulatory Compliance. New government and industry regulations are also increasing the importance of security. 34% of respondents indicated that these regulations heighten the awareness of security at the board level. Passage of the General Data Protection Regulation in the EU, which goes into effect in 2018, is one such example.

“These trends are forcing cybersecurity to be seen as a strategic issue, within an organisation’s broader risk management strategy, rather than a simple IT investment. To succeed in their digital transformation efforts, IT security leaders must rethink their cybersecurity approach with a view to extending visibility across the attack surface, shortening the window between time to detection and mitigation, delivering robust performance, and automating security intelligence and management.”

The post Cybersecurity should be a #strategic issue, not just an #IT #investment appeared first on National Cyber Security Ventures.
