It’s no surprise to some that yet another cyber-attack, in a long line of cyber-crimes affecting large corporations, was reported recently.
Many awoke on Monday morning, 7th November 2016, to reports of a cyber-attack on Tesco Bank. The consumer finance arm of the British supermarket giant froze its online operations, stating that as many as 20,000 customers had had money stolen from their accounts. It did make me wonder whether this was just the tip of the iceberg, and how many other cyber-crimes go unnoticed, or consciously unreported, because they are not directly customer facing or customer impacting.
(UPDATE: 14th November 2016. Tesco Bank have now confirmed that only 9,000 customers were actually affected, and that £2.5M was actually stolen. The bank advised that all affected customers have now been reimbursed. They have also stated that they know how the crime was carried out, but have not revealed details.)
Tesco Bank initially revealed that they had suffered a cyber-security attack and admitted that approximately 40,000 banking customers had had their accounts hacked over the weekend, with around half that number losing money as a result. Tesco Bank announced that they had frozen customers' online transactions after falling victim to the attack and, as an emergency security measure, halted online transactions for current account customers on Monday. They stated that customers should be refunded any losses within 24 hours, but admitted that customer services were being inundated with requests for updates from affected and concerned customers. No surprise there then!
Unless you want to end up with your organisation’s name on TV, on radio and plastered across social media, I’d suggest that you take the bull by the horns and invest time and effort in assessing your security framework and controls and improving them. Several recent high-profile security breaches, including Sage, TalkTalk and Moonpig, have highlighted the increased need for security awareness, protection and resilience.
Did you know that cyber-crime currently costs the global economy about £365bn a year, and that the figure is rising?
So where do you start? Within a security framework, your first step should be to establish and improve Security Awareness, which is required to make all staff and suppliers aware that there are ‘bad people’ out there who are constantly probing for, and trying to penetrate, any gaps or weaknesses in our security.
One way of doing this is to establish, publish and communicate security policies that set out people’s roles and responsibilities in maintaining security controls.
Cyber Resilience requires an enterprise-wide, risk-based strategy that proactively manages threats, risks and impacts to critical information and supporting assets. RESILIA® maps directly onto current best practices such as ITIL® to ensure that a joined-up approach is adopted and implemented.
Awareness covers not just what to do and what not to do: it ranges from staff being able to identify day-to-day security risks through to recognising quickly when a security breach has actually taken place.
Secondly, Security Protection is required to ensure that we have sufficient security controls in place to manage the security risks our organisation is exposed to, whether they are hardware, software or network based. Identifying actual and potential threats is key to establishing appropriate protection; you can learn how to mitigate the risks associated with cyber-attacks on our ISO/IEC 27001 Certified ISMS Foundation training course. Obviously we can’t impose a total lock-down, otherwise we would never do any business, so protection needs to be proportionate to business needs.
Thirdly, Security Testing needs to be part of any change we make to our systems and services. This may involve engaging security experts with specialist skills in penetration testing, sometimes called ‘ethical hackers’. Our Certified Ethical Hacker (CEH) training course is coming soon. Don’t forget that as well as testing the networks, software and hardware, we also need to test the people: you would be surprised how often staff fall for phishing attacks despite increased security awareness and training. Testing for vulnerabilities helps us continually improve our level of security control.
And lastly, Security Resilience is required to minimise the impact of a security breach and to be able to recover from it. After all, the best security minds in the world are pitted against the best cyber-thieves in the world, and occasionally the bad guys win. If they do win, we don’t want them to win too much!
Underpinning all four areas, the security policies that set out people’s roles and responsibilities need to be backed by security processes and procedures across the whole of the service life-cycle.
If you still don't think it will happen to you, then you are very much mistaken: the odds are stacked against you. Even the UK government is investing in cyber-security to the tune of £1.9bn, in addition to previous investments of more than £860m over the course of the last Parliament. The package of measures was announced recently by Chancellor Philip Hammond to help bolster the UK’s cyber defences. Despite current and planned efforts, the criminals are still streets ahead in the technology and methods they use to carry out cyber-attacks.
Also remember that improving both cyber and physical security should never be seen as a one-off exercise: the bad guys are constantly evolving, and so should we.
If you are really serious about addressing cyber-security in your organisation, you can also take AXELOS's cyber-security self-assessment using their Cyber-Resilience Pathway Tool, where you can explore the contents of Cyber-Resilience 'Best Practice'. It will also allow you to download an editable report template detailing your results.
Purple Griffon offer a range of security and Cyber Resilience training courses to help you establish awareness, develop the appropriate level of protection and improve cyber resilience.
Contact one of our friendly account managers on 01539 736 828 or email email@example.com