Tuesday 6 December 2016

Cyber security in 2016 – why is it still not happening? [Link - ITProPortal]

I was asked to write an article reviewing the cyber security challenges for 2016. Here is the article that was published on the ITProPortal website:

===================================

It's 2016, and businesses are generally still not taking security seriously.


Perhaps the surprising, and damning, thing about 2016 in terms of security is that businesses are generally still not taking security seriously. Nobody wants to admit to being slack when it comes to cyber security, but the indisputable fact is that during 2016, many organisations simply didn’t show up, whatever they claimed.  

The basics are still not being done. Updates aren’t being applied, patching strategies are not in place, admin credentials are easy to find. Let’s be blunt, people are still trying to do security on the cheap, using, for example, free antivirus software.  This was most evident in the amount of ransomware that infected companies. 

A Trend Micro report claimed that 45 per cent of UK businesses were hit by ransomware this year. We believe the figure is much higher, closer to 60 or 70 per cent. 


Ransomware scourge


In the US, hospitals have paid massive amounts of money when their databases have been encrypted by ransomware. The Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom for the decryption key for patient data. It was infected by the delivery of an email attachment disguised as a Microsoft Word invoice. In the UK some hospitals had to cancel operations.  

Hundreds of planned operations, outpatient appointments, and diagnostic procedures were put on hold at multiple hospitals across Lincolnshire.  The damage done by ransomware in 2016 is largely attributable to the infamous Locky and its many variants. It was first identified in February and made it to the top of the ransomware charts only two weeks later. 

It initially used malicious macros in Office documents to infect its victim’s computer, and these documents were distributed attached to spam emails. Locky has been through several versions since then. A new version was released on October 24, and less than 24 hours later yet another version was launched. It’s carried through phishing campaigns and the email subjects are centred on pay cheques, receipts, invoices, orders, or wrong credit card charges, all of which are themes designed to fool recipients into opening attached files.

Heads in the sand


In a sense it’s staggering that people are still falling for these tricks, given the exposure about ransomware dangers. There still seems to be a general mindset that ‘it will never happen to me’, when it clearly is happening to lots of businesses and individuals.  It’s frustrating because basic security measures offer protection. Being on the front line we tend to get a good sense of what is happening on the ground and it can be best summed up with the phrase ‘blind panic’ when a company is hit.  

But this lack of awareness, or ‘head in the sand’ scenario, is also playing out across other areas. Security in 2016 can also be defined by the large number of replay attacks that have taken place. Ransomware is included in this but it’s not exclusive. Yahoo is perhaps one of the biggest culprits. 

In 2012, a security breach exposed 450,000 usernames and passwords from a site on the huge web portal with the company failing to take even basic precautions to protect the data. Two years later it happened again with 500 million account details stolen.

Enormous DDoS attacks


Yahoo cried ‘state-sponsored actor’ in its defence but clearly it’s still not adequately protecting its customer data. This defence is usually code for ‘don’t blame us, it was a really sophisticated attack’. And Yahoo only came clean in 2016. These serious errors are clearly an illustration of some fundamental flaws at the online giant. Is it any wonder that it’s gone from an operation worth close to $100 million at its peak to today’s evaluation of $4.8 million? 

Another large 2016 security event, which ironically few noticed at the time, was the largest DDoS attack recorded, a whopping 540Gbps directed at public facing websites belonging to organisations affiliated with the 2016 Rio Olympics. These attacks were sustained, sophisticated, and actually started months before the Olympics began.  

These attacks were clearly aimed at the global stage and foreshadowed the equally massive IoT botnet based DDoS attacks which, in contrast, caught the attention of the mainstream media because they were launched from compromised everyday household devices such as internet connected video recorders and cameras.  

Plundering millions


The industry at large has been warning about the parlous state of IoT security for some time, but it seems no one really wants to listen until an attack hits home and hurts bank balances.

The hack of Swift’s global payments network that resulted in $81 million being siphoned from Bangladesh’s central bank was also noteworthy due to the huge amounts of money involved. Hackers also exploited the Swift system to steal a reported $10 million from an unnamed bank in Ukraine, while back in Bangladesh an eye-watering $1 billion cyber theft was only stopped when an eagle-eyed employee spotted a typo.

In an ironic way it’s almost fitting that a hack to see out 2016 was the attack on Tesco Bank. The company was forced to repay £2.5 million of losses to 9,000 customers in a heist described as ‘unprecedented’ by regulators. It may seem small when compared to the Swift system hacks but there’s worrying significance that the company apparently ignored warnings that its vulnerable software was being targeted by cyber criminals for months before the attack. What is just as shocking is that the bank didn’t even encourage two-factor authentication for its customers. 

How many more financial organisations are going to be nailed by cyber thieves before the message gets through? If the EU General Data Protection Regulation had been in force, which is due to come into effect in 2018, Tesco would have been hit by a fine up to £1.9bn. And who could say that Tesco and other organisations with terrifyingly lax cyber security wouldn’t deserve it?

Monday 5 December 2016

Cyber-security in 2017 – brace yourself [Link - ITProPortal]

I was asked to gaze into my crystal ball and write a piece around the Cyber Security challenges for 2017.  Here is the article as it appeared on the ITProPortal website: 

=================================

If there’s one thing you can say with certainty about cyber-security in 2017, it’s that many companies are going to fail because they are simply not doing the right thing. Fundamental flaws still exist.


It's about the business


Until the technical people lift their heads up and see that security and business are different sides of the same coin, we will inevitably see more damaging attacks. When security people learn to speak in the language of business they will begin to understand just where in the organisation they need to apply their expertise. 

This might be smart configuration options, cautious security policies, vigilance and a willingness to read server logs like some people read the newspaper in the morning to identify targeted attacks.  

Of course, this won’t stem the malware tsunami but it will help defend against it. Leading the malware charge in 2017 will be ransomware. Like 2016 it will be more of the same, with an important and fundamental exception; ransomware will be more sophisticated.

Advanced attack vectors


Encryption keys are becoming more complex while ransomware attack vectors are becoming alarmingly advanced. Ransomware can mount previously mapped drives, encrypt them, and then unmount them, reaching deeper into the network.  

However, the efficiency of ransomware as a tool for fraud will also be slowly undermined. One misconception about ransomware is that once the ransom is paid, the victim receives the keys to unlock their files. Increasingly we are seeing instances of this not happening. The fraudsters are simply taking the money and running.

Criminals dumbing down


As ransomware is now available as-a-service, it is reaching down into the lower levels of the criminal underworld and organised crime networks. The type of villain who uses the ‘service’ might have previously been involved with keeping crooked books for instance.

As such they can’t be bothered to send decryption keys which of course will erode the value of ransomware as victims increasingly refuse to pay the ransom.

IoT security


Another major area of concern is the security of IoT devices. It’s fair to say that the existing state of device security isn’t great. Some devices are managed by web consoles that don’t even have encryption. Some devices have passwords hard coded into them that you can’t change. It would be good to see manufacturers take some responsibility but this is unlikely as they operate with tight margins and are unlikely to take on tasks that eat into thin profits. 

If we’re lucky, we will see the emergence of pressure groups consisting of industry vendors and third parties who are no longer willing to sit back and watch major hacks unfold. 

Questioning machine learning


Another area to keep an eye on is machine learning. As with any new technology it’s usually proclaimed with a loud fanfare and over exaggerated claims that often fall just short of guaranteeing freedom for all and world peace. In terms of security, machine learning does promise a lot of potential but when you drill down some serious questions need to be asked.  

In 2017 we’re likely to see these questions put forward with some force, as it becomes apparent that machine learning in the security realm has flaws. For instance, how are the machines learning? Are millions of good and bad results being fed into the machine to ensure accurate analytics? And what kind of input is coming from security labs and research teams?

These are important questions and, with the advent of next-generation endpoints such as mobile devices and laptops designed to respond to machine learning, security in depth is vital to ensure success. If machine learning vendors can’t answer these questions with confidence, then you can expect to see machine learning and security take a dive.

Shock of GDPR


An area where you can expect to see panic break out is the European Union’s General Data Protection Regulation, or GDPR as it’s more commonly known. At the moment UK organisations are displaying naivety towards GDPR, which comes into effect in May 2018. Many are hiding behind Brexit and taking the view that the UK won’t be in the EU come May 2018 so GDPR won’t affect them. However, if a business operates in Europe, it will.

To meet GDPR requirements, measures need to be put in place in 2017. Many companies have already finalised their budget for 2017 but haven’t made any provision for GDPR. With no budget provision, there’s going to be an awful lot of flapping when companies realise that they’re nowhere near compliance ready.

Big fines, big panic


GDPR also reaches up to the board, and any data breaches can result in enormous fines of up to 4 per cent of revenue. This can, and in some cases will, translate to fines that run into millions of pounds. Are executive directors aware that if they show negligence in protecting customer data they’re going to be hit really hard?

In summary, it would be uplifting to say that we’re not going to see any more major breaches, that fundamental flaws will be addressed, that new technologies are going to change the security landscape for the better and everyone is set for GDPR. In reality, while we will see some positives we also need to prepare our businesses for more breaches and more hacks. 

Tuesday 8 November 2016

Trump or Clinton? DDoS or Protection? Who will be the winner?

In a recent blog post by Arbor Networks, it was shown that DDoS attacks increase significantly during global events.

With the Presidential election in the United States happening in a matter of hours, will we see another significant, sustained attack on major websites, such as US media sites, political parties' websites, etc?

I suspect we will, but much like the US election, we won't know who wins for a couple of days.

We can only hope that these sites have adequate protection from such an attack.  As for the election, we'll see...

Thursday 3 November 2016

How businesses can protect Office 365 from ransomware attacks [Link - MTI Bytes]

After a recent webinar from Chris Taylor, Director of Product Marketing from Trend Micro around Ransomware, I created a blog post around this: https://www.mti.com/mtibytes/how-businesses-can-protect-office-365-ransomware-attacks/

=============================

In the last year, businesses have seen a large increase in ransomware threats. The Guardian recently reported that 54 per cent of businesses have been threatened with ransomware in the last 12 months alone. When we consider the money that can be made from a career in cyber crime, this is hardly surprising.

Ransomware refers to malicious software (malware) which is designed to block access to a computer system until a sum of money is paid.

But how can you protect your cloud environments from it? In a recent webinar, Chris Taylor, Director of Product Marketing, Trend Micro, looked at exactly that:

How does malware work?


Email is a common method that attackers will use to infect their victims, most often businesses. The malware is embedded in an email either in the form of a web link in the body of the text, which vulnerable users click on or a link within the attachment.

It is becoming increasingly common for malware to be laced within documents in email attachments. Embedded JavaScript within the text encourages users to unknowingly click, starting the download of malicious software. It can be more difficult to detect the malware via the email attachment as it could be compressed within a common office file, such as a CV from a job-hunter, or an invoice, which seem convincing.

Prevention is better than cure


There are a number of recommendations that can be made, such as always backing up your system, making sure it’s fully patched and training users not to open suspicious attachments. However, there are opportunities to stop many ransomware attacks before they even get to that point. The best way is to block ransomware before it has a chance to reach users. There are certainly remedial measures that can come in and save the day should the worst happen, but these can take up a lot of the IT team’s time.

What can businesses do to protect their Office 365 environment?


Office 365 includes anti-spam and anti-malware protection, which blocks all known malware. But the majority of malware is unknown, as criminals are increasingly using automated tools to change their malware to beat the system.

In order to remain one step ahead of threats, businesses can implement advanced threat protection, which looks for malware in different ways, malicious URLs in attachments as well as the body of emails, and full data loss protection.

To set up a free evaluation of your Office 365 protection, email ukmarketing@mti.com

Saturday 22 October 2016

VMworld 2016 Europe - Barcelona

After a number of years of meaning to go, I have finally attended my first VMworld.  As the recent strategy is to incorporate security into VMware solutions, it makes sense that my years in the security field would finally coincide with the virtual world.


I attended with my friend and work colleague, Anthony Poh, who runs this blog dedicated to all things virtual: https://thevirtualunknown.co.uk/


The experience was incredibly valuable from a work front.  VMworld allowed me to meet and engage with some very high level executives, allowing me to honestly share our thoughts, challenges and ideas.  I got the opportunity to attend a number of roundtables with my peers from across the world and understand where they are at.

It also led me to be asked to participate in a Q&A session around MTI's strategy and approach to VMware NSX.  It meant going on stage in front of 400-500 people and being quizzed about what we do, which led me to write a LinkedIn post about it: https://www.linkedin.com/pulse/stage-fright-presence-andrew-tang


My only criticism of VMworld is the amount of walking between the breakout sessions, Solution Exchange and lunch.  While I'm talking about lunch, it would have been good if there was enough to feed everyone who attended.

Despite these issues, the value from attending outweighs the minor niggles, and I hope to enjoy VMworld Europe again in 2017.

Below is a transcript of my LinkedIn post:

=================================================

I've just got back from my first VMworld in Barcelona. I had no idea of the scale, content and knowledge available in one massive conference centre, predominantly around one vendor.

My world has been IT Security for over a decade, with little appreciation that virtualisation is on a completely different scale in IT minds. I would have been very lost were it not for my colleague and friend, Anthony Poh, who is much more experienced in all things VMware and VMworld!

I was asked to attend a Q&A session at one of the Partner Exchange, which turned out to be Accelerate Network Virtualization presented by Rajiv Ramaswami, EVP and GM, Networking and Security at VMware; Dom Delfino, VP of Worldwide Sales and Systems Engineering, Networking & Security at VMware; and Louise Ostrom, VP Network & Security, EMEA at VMware.

I felt like a little-known support act to some of the greatest artists in the world, worried that what I had to say in front of other partners and vendors wouldn't be of interest and value, but when you get a chance to get your thoughts straight, I realised that MTI had a lot to offer and I was comfortable talking about it on a big stage to an audience of a few hundred people.

The confidence of being on stage came from a familiarity of the topic, rather than memorising a script. I was able to show that MTI is a solutions and service provider in Europe; having offices in the UK, Germany and France, providing Datacentre, Security and Managed Services. We discussed MTI's adoption of VMware NSX and how NSX is the foundation to some of our offerings with integration to our key security partners in Trend Micro and Palo Alto.

Like life, the presentation wasn't scripted and, equipped with my new found confidence, I hope I get the opportunity to do some more in the future!

Tuesday 27 September 2016

CLOUDSEC takeaway – Cyber security is not just an IT issue [Link - Trend Micro Blog]

After attending CLOUDSEC 2016, I was asked to create a guest blog on the Trend Micro blog site, including standout statistics and take-away lessons: http://blog.trendmicro.co.uk/cloudsec-takeaway-cyber-security-is-not-just-an-it-issue/

===========================

With a fantastic turnout at CLOUDSEC 2016, attendees comprised security and IT practitioners from numerous industries. Despite these varying sectors, one thing became abundantly clear: the same issues are keeping IT security professionals awake at night – securing cloud environments, securing privileged access accounts and user education.


Many enlightening statistics were shared. Trend Micro’s research found that in the last two years, 44% of UK businesses were hit by ransomware attacks, and a third (33%) of their employees were affected by the infection. We also heard that over $2.3 billion was lost to phishing attacks over the past three years (FBI), though the real figure is likely to be higher.

While this makes the somewhat abstract world of cyber threats very real indeed, if there’s one point to take away from CLOUDSEC, it’s that cyber security isn’t just an IT issue. When the entire workforce is educated around safe IT usage, the chance of a business network being hacked is significantly reduced.

Everyone needs best practice training 

Organisations can defend against cyber-attacks; they don’t have to be victims. While in any organisation the CIO ultimately takes responsibility for cyber security, the rest of the organisation needs to accept responsibility too and not just shrug their collective shoulders. Regardless of seniority, companies should invest in best practice training when using a corporate network.

Best practice knowledge should percolate through the entire organisation from board directors, to employees and IT people involved in daily operations. It should explain why businesses have approved channels for storing data, the risks of using personal cloud storage platforms for data storage, and the need to question email content if it arouses suspicion – even if it’s from the CEO’s office.

Employees must understand the importance of cyber defences within the context of the business and how to safeguard against internal and external intrusions. Are they aware of the importance of setting difficult to crack passwords, as well as understanding that password variations of existing passwords are a source of vulnerability when used in other parts of the network? Do they know that in the last six months or so, ransomware attacks have spiralled as ransomware-as-a-service kits became commonplace on the dark web?

Serious business implications

The whole organisation must realise the possible business implications of a major hack – spiralling revenues, lost customers and plummeting share price, and this could all happen well after the event. Furthermore, jobs could be on the line if declining income hits the business badly.

Despite the growing evidence suggesting otherwise, many organisations still believe they won’t be hacked. With that said, however, if cyber security education is a part of the organisational culture, the chances of a serious breach are dramatically reduced.

Wednesday 21 September 2016

The Right Train of Thought [Link - Computing Security]

I was asked to contribute to an article for Computing Security, focusing on IT security practices on how an effective cybersecurity strategy must include employee training: http://www.btc.co.uk/Articles/index.php?mag=Security&page=compDetails&link=7074

===========================

INSIDER THREATS

Any effective cybersecurity strategy should include information about how employees can safeguard against, not only external threats, but insider threats too, cautions Andrew Tang, service director, security, MTI Technology. "It also needs to include perimeter protection, but, as companies are increasingly working with cloud-based solutions, remotely and from various devices, it also needs to be sophisticated and fool-proof. Companies should invest in training all employees, regardless of seniority, on best practice when using a corporate network.

"Staff should understand how to protect against internal and external intrusions, as well as how to stay safe when accessing and sharing sensitive corporate data, opening emails from non-trusted sources and why businesses have approved corporate channels for storing data. It shouldn't just be a case of setting procedures and guidelines; staff should understand the consequences and risks of misuse or misjudgement when accessing corporate networks," he says.

"Employees should also be educated on the importance of password setting, as those that use a variation of the same password across different platforms leave the network vulnerable to attack. IT can also implement two-way authentication to add an extra layer of protection," adds Tang. "While the CIO should ultimately be responsible for implementing and monitoring employee guidelines and policies around cyber security, they should work closely with the HR team and heads of departments to ensure that safe computer usage becomes company culture. When a workforce is educated around safe IT usage, the chance of a business network being hacked is significantly reduced."

Thursday 15 September 2016

Managing the keys to the kingdom [Link - Professional Security Magazine Online]

After the recent breach at Sage, I was asked to write a piece about insider threat for Professional Security Magazine Online: http://www.professionalsecurity.co.uk/products/cyber/managing-the-keys-to-the-kingdom/

==================================

The recent data breach at Sage, in which sensitive customer data was accessed internally, raises a wider question on whether UK companies are doing enough to defend against hacks, writes Andrew Tang, Service Security Director, MTI Technology, pictured.


After all, data breaches have become so commonplace that the widely accepted maxim of ‘Not if, but when’ stands true for most companies. The implication is that every major company is going to be hacked at some point. Of course, some keep it quiet and do their best to roll down the blinds so it stays in-house, while others have no choice but to come clean, usually when the breach is made public. The irony is that it doesn’t have to be like this. Attacks can be defended against. Internal breaches can be stopped. Data can be protected. It’s just a question of refocusing and committing to security as a business priority, rather than an IT need. The problem with internal attacks is that they undermine trust; a finger of doubt is pointed at all employees. People who were once held in high regard are now viewed with narrow-eyed suspicion. Paranoia rules.

In with the new

Traditional security has focused on building the castle, digging a moat and raising a drawbridge. Or in other words, putting in place rigorous and robust network defences that keep hackers out. But today we need a zero-trust model, one in which the enterprise is viewed as a hotel. Access to rooms, for example, is restricted to certain people. You can’t just walk through the front door and roam around unchallenged. You can only gain access to certain rooms according to the authorisations you have been given.

At the technology level it’s about introducing internal controls such as micro segmentation of the network, access controls and reducing administrators’ rights. Admin rights are often available to a wide number of people in any given organisation, but it’s a fact that between 80 and 100 per cent of system compromises have been carried out using admin credentials. For someone who knows what they are doing, and it doesn’t require a lot of technical knowledge, admin rights can be used to erase firewall logs, scrub back-ups, disable antivirus software and even erase CCTV footage if cameras are digitally connected to the network.

Only the few

Securing an organisation internally is about introducing privileged access, so only a small number of people who have the need can move through a company’s systems. It’s about recording these sessions so there is an audit trail and it’s easy to see who has gone where and when. It’s about introducing two-factor authentication for internal access so people can’t just roam through the network at will.

In small organisations it’s relatively easy to introduce these controls precisely because the operations are small. As you step up in size, however, analytics engines need to be introduced so you can see what is going on internally and also set rules. Is someone, for example, trying to access Dropbox and have they just visited a corporate database that holds customer payment details? Of course, if this is the case the klaxons should be blaring loudly. While this is an obvious example, it illustrates how with the right technology you can see and stop potentially deviant behaviour and in fact can block it before it happens. For instance, you might want to stop all access to cloud-based storage for some employees while allowing it for others, depending on role-based needs. Data loss prevention (DLP) technologies have been around a while and are a powerful tool for identifying sensitive data and raising alerts if sensitive data suddenly starts moving across the network when it shouldn’t.
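The Dropbox-after-payments-database rule described above, combined with role-based blocking of cloud storage, written as a small correlation check. This is an added example, not code from the original article or from any vendor product; the log format, user and role names, the `payments-db` asset name and the 30-minute window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values (hypothetical, not from the article).
CLOUD_STORAGE_DOMAINS = {"dropbox.com"}
SENSITIVE_ASSETS = {"payments-db"}       # database holding customer payment details
ROLES_ALLOWED_CLOUD = {"marketing"}      # roles with a business need for cloud storage
WINDOW = timedelta(minutes=30)           # how long a sensitive DB visit stays "recent"

# Constructed sample log: timestamp user role event_kind target
SAMPLE_LOG = """
2016-09-15T09:00:00 alice finance db_access payments-db
2016-09-15T09:10:00 alice finance web_request www.dropbox.com
2016-09-15T09:15:00 bob marketing web_request dropbox.com
2016-09-15T09:20:00 carol engineering web_request dl.dropbox.com
2016-09-15T10:00:00 dave marketing db_access payments-db
2016-09-15T11:30:00 dave marketing web_request dropbox.com
2016-09-15T11:45:00 erin finance web_request notdropbox.com
2016-09-15T12:00:00 frank marketing db_access payments-db
2016-09-15T12:05:00 frank marketing web_request dropbox.com
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    kind: str      # "db_access" or "web_request"
    target: str    # asset name or requested host


def parse(line):
    """Parse one whitespace-separated log line into an Event."""
    ts, user, role, kind, target = line.split()
    return Event(datetime.fromisoformat(ts), user, role, kind, target)


def is_cloud_storage(host):
    """Match the domain itself or any subdomain, but not look-alike names."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def evaluate(events):
    """Return (user, action, reason) for every cloud-storage request.

    Correlation comes first: a cloud-storage request shortly after touching
    a sensitive database raises an alert whatever the user's role. Otherwise
    the role-based allow list decides.
    """
    last_sensitive = {}   # user -> time of most recent sensitive DB access
    decisions = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "db_access" and ev.target in SENSITIVE_ASSETS:
            last_sensitive[ev.user] = ev.ts
        elif ev.kind == "web_request" and is_cloud_storage(ev.target):
            seen = last_sensitive.get(ev.user)
            if seen is not None and ev.ts - seen <= WINDOW:
                minutes = int((ev.ts - seen).total_seconds() // 60)
                decisions.append((ev.user, "alert",
                                  f"cloud storage {minutes} min after sensitive DB access"))
            elif ev.role not in ROLES_ALLOWED_CLOUD:
                decisions.append((ev.user, "block",
                                  f"role '{ev.role}' has no cloud storage entitlement"))
            else:
                decisions.append((ev.user, "allow", "role permits cloud storage"))
    return decisions


def run_sample():
    """Evaluate the constructed sample log above."""
    return evaluate(parse(line) for line in SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for user, action, reason in run_sample():
        print(f"{action.upper():5} {user:6} {reason}")
```

In the sample, the request that follows a payments-database visit by a marketing user still alerts, because the correlation rule is evaluated before the role allow list.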

Transformation

This approach to security is transformative for the business because it introduces fundamental changes to the way people work, limiting their ability to roam around networks at will, pick up information from databases, or probe internal servers. But internal security is not just about getting the right technologies in place; it’s about a different mindset. It’s about looking at IT spend through the eyes of a realised IT soul. Do you really need an all singing and all dancing firewall or would a next generation firewall suit you better? Do you want to keep spending on the same technology or should you be looking at two factor authentication? Do you want to put 80 per cent of your budget into traditional security or would an investment in proactive analytics and DLP serve you better?

Ironically, this zero-trust approach engenders greater trust. You know who is doing what, and if someone does try to walk off with a rake of customer credit card numbers, they will be stopped in their tracks.

Wednesday 14 September 2016

CyberArk Expands Global Channel Partner Program [Link: CyberArk Press Release]

http://www.cyberark.com/press/cyberark-expands-global-channel-partner-program/
===========================

CyberArk Expands Global Channel Partner Program

Access to New Training and Technical Sales Tools Enhance Partners’ Privileged Account Security Expertise and Help Drive New Business Opportunities

Newton, Mass. and Petach Tikva, Israel – September 14, 2016 – CyberArk (NASDAQ: CYBR), the company that protects organizations from cyber attacks that have made their way inside the network perimeter, today announced new CyberArk Global Channel Partner Program offerings to enhance its partners’ privileged account security expertise and ability to drive new business opportunities. Partners can now benefit from access to expanded training and technical certification programs as well as enhancements to the CyberArk Discovery and Audit (DNA) tool that helps quantify security risk within enterprise networks.

CyberArk University: New Technical Certification, Growing Course Catalog
CyberArk is committed to helping its partners develop their own CyberArk practices, comprised of internal CyberArk-trained professionals to address customers’ cyber security skills gaps and maximize the effectiveness of CyberArk solutions. CyberArk is expanding its Global Certification Program for sales and technical learning, recently adding a new CyberArk Certified Delivery Engineer (CCDE) option. Achieving CCDE certification requires passing a rigorous course that involves an in-depth technical introduction to the CyberArk Privileged Account Security Solution as well as a shadowing and technical challenge component.

“Access to the evolving CyberArk University curriculum enables our team to expand the application of business-critical privileged account security knowledge and experience,” said Kyle Kappel, advisory principal, KPMG Cyber Services. “As a result, we’re helping CIOs and their teams build competence and confidence in their risk management strategies, while improving the skills needed to positively impact business growth and innovation goals. We’re excited about the expanding program and look forward to more KPMG professionals becoming CCDE certified.”

CyberArk regularly adds courses that closely mirror its product line, such as the addition of the CyberArk Viewfinity class, as well as new advanced level classes that complement its popular fundamentals courses. CyberArk University offers certified training through several flexible options including a new self-paced online option via the CyberArk Partner Portal, in addition to virtual classroom or face-to-face classroom training. More than 2,000 individuals across CyberArk’s global partner network have taken advantage of training courses through CyberArk University.

“The IT security talent shortage is something we hear about every day, with customers needing help ranging from implementation to driving value from existing software,” said Charles Drum, director of security technology, Integral Partners LLC. “With new certifications and expanded training options available through CyberArk University, we are creating internal CyberArk experts who can augment customers’ existing teams and help close skill gaps to evolve privileged account security strategies as part of customers’ proactive security programs.”

CyberArk DNA: Data-Driven Insight to Increase Deal Impact
CyberArk DNA is a valuable tool for quantifying privileged account security-related risks, and gaining visibility into the vulnerable attack surface that exists within enterprise environments. In 2015, CyberArk DNA was used to scan seven million machines.

“It’s widely accepted now that most – if not all – major data breaches in recent times have involved the compromise of privileged accounts as an essential part of how attackers got to what they wanted, or where they wanted to be,” said Andrew Tang, service director, security at MTI. “Organizations often have little to no idea of how many privileged accounts exist in their network and thus the extent of their vulnerability. MTI uses CyberArk DNA as a precursor to consulting projects, mapping networks to identify all privileged accounts and vulnerable machines. CyberArk DNA allows MTI to show prospective customers the weak points in their security posture and helps accelerate their security purchasing decisions.”

Partners using CyberArk DNA can generate comprehensive reports for customers and prospects identifying privileged accounts on the network as well as privileged passwords – including hard-coded passwords in applications and scripts – and their status in terms of policy compliance. New CyberArk DNA reporting features help customers better visualize and understand the extent of their security vulnerabilities, with recommendations on how to prioritize risk mitigation using the CyberArk Privileged Account Security Solution. CyberArk recently received another patent for innovative security risk detection technology that has been implemented in the CyberArk DNA tool.

CyberArk Partner Program Momentum
CyberArk works with more than 250 channel partners around the world and is increasing collaboration with advisory firms, systems integrators and value added resellers worldwide and across key vertical markets such as healthcare and government. CyberArk’s success in the channel has contributed to increased sales momentum with indirect sales representing approximately 60 percent of CyberArk business in 2015. CyberArk has more than doubled its channel management team in the past 12 months.

“With cyber attacks increasing in prevalence and sophistication every day, organizations need the right know-how, products and processes in place to effectively minimize risk and better protect their businesses,” said Andy Welsh, vice president of partner management, Optiv. “Optiv has built a strategic relationship with CyberArk to help us deliver end-to-end cyber security solutions and services that help organizations solve their unique cyber security problems. We look forward to leveraging CyberArk’s new global technology partner program to continue meeting the evolving needs of our clients.”

CyberArk recently launched the C3 Alliance, its new global technology partner program. Providing the channel with greater access to integrated technology solutions is another strategic differentiator. The C3 Alliance delivers certified technology integrations between CyberArk and alliance member products that make it easier for channel partners and customers to extend the power of privileged account security across their organization and enhance their overall security posture.

“CyberArk views the channel as an important growth engine and is committed to driving differentiation for our partners. Our focus on the channel has spurred new business opportunities over the past year across virtually all vertical industries and company sizes. We continue to have valuable, productive conversations with our partners who are helping to educate C-level executives about prioritizing privileged account security programs,” said Udi Mokady, chairman and CEO, CyberArk. “We value the important business relationships we are building with influential partners and view CyberArk-led programs, like the C3 Alliance, as well as CyberArk DNA and expanding training and certification offerings as strategic for helping partners uncover new revenue drivers.”

Are our data centres insecure? [Link - SC Magazine]

I was asked to contribute to an article on whether datacentres are secure following the disclosure of the Fortinet and Juniper firewall vulnerabilities: http://www.scmagazine.com/are-our-data-centres-insecure/article/522463/

===============================


Likewise, Andrew Tang, service security director for MTI Technology said: “Data centres are only as secure as you configure them to be. You can have a top of the range burglar alarm and locking system on your front door, but if you don't use them, or use them incorrectly, they aren't going to be very secure. Most data centres will have two firewalls: the front firewall which will come from one manufacturer, and a second firewall from a different manufacturer, with the ‘crown jewels' inside. If you're using two different firewall manufacturers, it's rather unlikely that someone will find the first firewall and then go on to find the second firewall – though that can't be ruled out completely. But again, while bad programming causes some issues, bad configuration causes more issues in data centres than the actual manufacturer of the firewall.”

Wednesday 7 September 2016

WatchGuard Secure Cloud Wi-Fi

Today I attended a WatchGuard wireless training session.  I like to think of myself as a bit of a wireless geek, as I have seen a few wireless solutions in my time.  Over three years ago, I created this blog post around Planning a Wireless Network.

I have seen high density wireless solutions, secure wireless solutions, retail solutions, education solutions, hospitality solutions, beam flexing solutions, controller-based solutions, cloud controller solutions, cloud managed solutions, etc.

When I was told that I'd be looking at a cloud-based secure wireless solution from WatchGuard, my mind wandered off to some of the market leaders in this area, and I started to analyse what I was being told.

I was told that this solution had a military grade WIPS (Wireless Intrusion Prevention System), which sounded all too familiar to me.  You see, around 4 years ago I was introduced to a solution which was sold to me in the same way, which was the solution offering from AirTight Networks, which recently rebranded to Mojo Networks.  It turns out WatchGuard is partnering with Mojo Networks, which assured me that we were looking at one of the most secure wireless solutions available in the market.

The solution is able to detect rogue access points on your network.  A rogue access point is an unauthorised access point plugged into your network, giving wireless access to your network, where you haven't deployed one.  Using patented technology, the wired network will send a packet out of the authorised access points, which can then be detected by the wireless network.  By connecting and analysing both the wired and wireless networks, it is able to detect the access points you have authorised, and disable the ones which are not.


When I attended the AirTight training around 4 years ago, I plugged a USB access point into the network, and hid it in the wiring.  Look at the picture above and see if you can find the access point.  A physical search of the server room wouldn't have uncovered the rogue access point, but the solution was able to detect and disable the access point in less than a minute.
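The wired/wireless correlation described above, reduced to its classification logic, as an added example that is not from the original post and is not WatchGuard's or Mojo Networks' code. The marker-token scheme, the `SensorReport` format, the `UNVERIFIED` verdict and every address below are assumptions constructed for illustration.

```python
"""Simplified model of wired/wireless correlation for rogue AP detection.

Constructed illustration only: the marker-token scheme and report format are
assumptions, not the vendor's patented mechanism.
"""
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional, Tuple


class Verdict(Enum):
    AUTHORISED = "authorised"  # approved AP, confirmed connected to our wire
    UNVERIFIED = "unverified"  # approved BSSID that never relayed a marker
    ROGUE = "rogue"            # relays our wired marker but is not approved
    EXTERNAL = "external"      # seen over the air only, e.g. a neighbour's AP


@dataclass(frozen=True)
class SensorReport:
    """One over-the-air observation from a wireless sensor (hypothetical format)."""
    bssid: str
    ssid: str
    relayed_token: Optional[str]  # marker token seen in a frame this BSSID sent


class WiredInjector:
    """Stands in for the wired-side component that emits marker packets."""

    def __init__(self, vlans: Iterable[int]):
        # One unpredictable token per VLAN: a relayed token shows the AP is
        # bridged to our wire and also which segment it is plugged into.
        self.tokens: Dict[str, int] = {secrets.token_hex(8): v for v in vlans}

    def vlan_for(self, token: Optional[str]) -> Optional[int]:
        # Tokens we did not inject (stale or unknown values) map to None.
        return self.tokens.get(token) if token else None


def normalise(bssid: str) -> str:
    """Compare BSSIDs case-insensitively and with one separator style."""
    return bssid.strip().lower().replace("-", ":")


def classify(reports: Iterable[SensorReport], authorised: Iterable[str],
             injector: WiredInjector) -> Dict[str, Tuple[Verdict, Optional[int]]]:
    """Correlate wireless sightings with wired markers, per BSSID."""
    approved = {normalise(b) for b in authorised}
    seen, on_wire = set(), {}
    for report in reports:
        bssid = normalise(report.bssid)
        seen.add(bssid)
        vlan = injector.vlan_for(report.relayed_token)
        if vlan is not None:
            on_wire[bssid] = vlan
    result = {}
    for bssid in sorted(seen):
        vlan = on_wire.get(bssid)
        if bssid in approved:
            verdict = Verdict.AUTHORISED if vlan is not None else Verdict.UNVERIFIED
        else:
            verdict = Verdict.ROGUE if vlan is not None else Verdict.EXTERNAL
        result[bssid] = (verdict, vlan)
    return result


def containment_targets(result) -> List[str]:
    """Only ROGUE devices are candidates for disabling; neighbours are left alone."""
    return [b for b, (verdict, _) in result.items() if verdict is Verdict.ROGUE]


def demo():
    """Run the classifier over constructed sample data."""
    injector = WiredInjector(vlans=[10, 20])
    token = {vlan: tok for tok, vlan in injector.tokens.items()}
    authorised = ["AA:BB:CC:00:00:01", "aa-bb-cc-00-00-02"]
    reports = [  # constructed sensor observations
        SensorReport("aa:bb:cc:00:00:01", "corp", token[10]),
        SensorReport("aa:bb:cc:00:00:02", "corp", None),
        SensorReport("DE:AD:BE:EF:00:01", "hidden-usb-ap", token[20]),
        SensorReport("12:34:56:78:9a:bc", "CoffeeShop", None),
        SensorReport("12:34:56:78:9a:bc", "CoffeeShop", "not-our-token"),
    ]
    return classify(reports, authorised, injector)


if __name__ == "__main__":
    outcome = demo()
    for bssid, (verdict, vlan) in outcome.items():
        print(f"{bssid}  {verdict.value:<10}  vlan={vlan}")
    print("contain:", containment_targets(outcome))
```

The relayed marker is what separates an access point hidden in the wiring from a neighbour's access point that merely happens to be in radio range, which is why only the former ends up on the containment list.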

The WatchGuard wireless solution will give wireless access, wireless security, marketing portals and user analytics.  A very rounded solution already, but combined with the WatchGuard UTM, you have the preferred solution to meet the Friendly WiFi criteria.

Tuesday 6 September 2016

CLOUDSEC 2016

Today I attended CLOUDSEC 2016 in London, which gave an insight into how to take control of the cloud and have a good cyber security strategy.


The speaker of the day for me was Rik Ferguson, who made a few interesting points.

During the Panel Discussion: "Key Questions Every CEO Should be Asking About Cyber Security", he made the comment that we should sandbox our users.  This may have brought a laugh to some of the more technically focussed audience who would blame users for everything!  What Rik clarified was that organisations should allow users to make mistakes safely, and be able to learn from their mistakes.

During his session "Take Control: Empower the People", there was a delay setting up the presentation, where Rik began to discuss the IT Skills Shortage.  Why do employers look for certifications rather than people?  Many job adverts look for qualifications such as CISSP, CISA, CISM, etc. but not character traits.  As Rik points out, organisations should be looking for people with tenacity, who are analytical, lateral thinkers, natural problem solvers, and people who can think differently.  Much like my belief, there isn't an IT Skills Shortage; employers aren't looking for the right things!

A few takeaways include:

  • "The board don't understand Security" - They don't need to, security need to understand the business.
  • "Compliance is the obligation, Security is the aspiration" 
  • Have an Information Security program in place
  • Ensure employees are educated, aware and engaged
  • Form an incident response team - Include technical, legal, finance, PR, marketing and the board
  • Investigate and fix incidents in a timely fashion - Look at people, process and technology
  • Notify customers in the event of a breach
  • Learn and Improve

Monday 5 September 2016

How Technology and Employees Must Combine to Fight Cyber Crime [Link - VMware Blog]

VMware asked for my opinions around Cyber Security for a guest blog piece to appear on the VMware EMEA Blog site: http://vmwareemeablog.com/uk/guest-blog-how-technology-and-employees-must-combine-to-fight-cyber-crime/

=============================

Risk and security are two of the most often debated topics in IT in terms of the smooth and effective running of any organisation. Following our research campaign into the subject, we have been busy collecting the views of our partner community, gathering perspectives from across the market on all things security.



Here is Andrew Tang, Service Director of Security at MTI, a global provider of IT & security solutions and VMware partner, to share his views and explain how IT departments can make sure the board is listening…

Although used as a plot device for countless Hollywood movies – from Swordfish to Die Hard 4 – it is only more recently that cyber security breaches have become a significant talking point for businesses, especially when it is their reputation, IP and competitiveness that is at risk. Due to the misfortune of security breaches at brands such as TalkTalk, Sony and Ashley Madison, business decision makers are beginning to look to cyber security, not simply as an IT afterthought but as an important investment.

And it’s about time. Cyber security has never been so crucial.

The landscape is changing, with organisations becoming more open in how they manage data and IT services. This has caused difficulty for the tech community, and many IT departments are struggling to balance the demands of employee mobility with traditional security methods.

At the same time, we are seeing numerous specialised players popping up with new fixes for niche problems. However, these incremental tactics are proving ineffective – like trying to fix a broken leg by covering it in sticking plasters – and organisations are crying out for a holistic solution that can go beyond the perimeter defence and siloed data. This is where VMware NSX comes in.

However, technology is only half the story. Effective cyber security will always be limited if the end-users continue to let threats in through the back-door. Phishing scams and Trojan viruses often get their entrance through employee mistakes. It’s vital that everyone – from the CEO to the receptionist – is clear on the organisation’s security policies. And while all employees should have a basic understanding of cyber security, training can’t simply be a one-size-fits-all lecture. The board will be targeted in different ways than other roles in the business, so training should be bespoke and appropriately suited to the day-to-day risks employees can expect.

Ultimately, we advise customers to ask three critical questions to tackle the insider threat:

Where is your data?

Data is crucial, it is the lifeblood of your organisation. Keeping track of it means that you are best placed to protect it.

Who can access it?

This is just as much about who should access data, as who should not. To this end, MTI has a dedicated department of fully qualified Penetration Testers – also known as white hat/ethical hackers – who can test your infrastructure to identify weak points and ensure that your data is only seen by those with the right permissions.

How is it protected?

What safeguards do you have in place? Is this enough? Cyber attacks, especially using ransomware, have increased exponentially in recent years and it’s now a case of when – not if – an attack will occur. Have you secured all endpoints?

It might seem paranoid, but when it comes to cyber security, paranoia is good! It’s vital that businesses are able to ask these questions. It is only when you can answer them that you know your organisation is once again safe. Additionally, putting into place solutions such as VMware NSX can help mitigate the inevitable insider threat. Thanks to microsegmentation, even if an employee mistakenly clicks on a malware link, the threat can be locked down and dealt with, instead of compromising the entire system. Although nothing is as effective as eradicating poor employee behaviours – after all, an ounce of prevention is worth a pound of cure – NSX offers a backstop in case something does go wrong. And the more checks and balances in place, the better.

Monday 29 August 2016

"What do you want to be when you grow up?"

My son met one of his heroes, vlogger and YouTuber, Dan TDM. I suspect a majority of you aren't familiar with him and his work, but if you have children they will probably know.  As he introduced his show, 50% of the audience know who he is and the others will have no idea!  He is a man who is famous for playing games on YouTube... 



But before you ridicule the idea, it's much like a DJ who gets famous playing other people's music, a sports commentator or a television presenter.  Rarely do these people create the content they are commenting on, but add an extra depth or dimension to the viewer/listener.  

If you don't understand the concept, you may have become the "grown up" or "old fart" we ridiculed when we were younger.   I remember 30 years ago being mocked for saying decks were instruments, by people who later embraced EDM more than I did!  It's thoughts like this that made me explain to my son that his future career may not exist yet, which was difficult for him to comprehend (as he's the next great gamer/vlogger/YouTuber, obviously). 

Thanks go to the inventor of the World Wide Web, Tim Berners-Lee, who released it to the world 25 years ago.  I currently work in IT security, but the World Wide Web didn't exist when I was speaking with career advisors at school. 

The IT industry talks about skills shortages in the marketplace, but I have to say that many people ask for unrealistic experiences, such as demanding experience that is longer than the technology has been available.  We should train our workforce, and give them the technical skills and competencies, but you can't teach attitude or aptitude.  

We need to build a workforce for the future, even if we don't know what those roles could be.  Do I think there is a skills shortage?  Possibly.  But do I think it could be overcome with the right people given the right education, mentoring and chance?  Definitely.

Do I know what my son will do for a living in the future? Of course not!  Can I help him have the right attitude and aptitude?  I can only try!

Friday 26 August 2016

Changing environments mean a fight to stay relevant [Link - Channel Pro]

While I was at the CyberArk Partner conference, I was asked to attend a roundtable to cover challenges we see in the UK marketplace.  Here is an article written by Tim Goodwin, the EMEA Channel Director for CyberArk: http://www.channelpro.co.uk/opinion/10093/changing-environments-mean-a-fight-to-stay-relevant


========================================

UK resellers face a turbulent time, both currently and in the months to come. Against a backdrop of a changing threat landscape, new data regulations and the uncertainty following the UK referendum result, the opportunity to grow still remains, but channel partners and VARs will have to negotiate potentially treacherous waters to remain relevant for customers.

At a recent customer and partner EMEA event hosted by security vendor CyberArk, Kristian Alsing, a cyber security director at consulting firm Deloitte, together with panellists Andrew Tang from MTI and Hakan Cakar of NTT Com Security, examined these issues, the opportunities they present, and what approaches will be necessary to remain trusted partners for UK end users.

In the context of security, Alsing highlighted that there haven’t been any new crimes in the last thousand years. “People are still defrauding others, still stealing, still doing the things that humans have always done,” he said. “But what we do have that’s different is a connected world.”

The crime has now been decoupled from the location of the asset, explained Alsing, going on to detail what Deloitte are seeing. A notable trend is the service provider model being adopted within the organised crime industry - for example Hacking-as-a-Service for those who don’t possess this particular specialism - as well as the evolution of criminals, with those who used to ‘just’ steal credit card details moving into much more complex and ambitious cyber heists.

Increased nation state involvement, malicious insiders and hacktivists form what Alsing referred to as the ‘threat actor’ environment. When combined with a very different looking end user, compared to the recent past, this creates some key considerations to understand for the UK channel community.

Organisations used to control their assets, whether that be money, data or anything else. With the huge use of outsourced and cloud services, plus the Internet of Things (IoT) and mobility, the risk for organisations is higher than it has ever been, because it is concentrated – people or data on a grand scale can be accessed from one access point. So it is critical to understand this in order to be credible for end users.

The panel also discussed how strong regulation in the Finance industry has led to the rising importance of cyber security within organisations (in many cases to c-level), as well as the sheer complexity of organisations driving security concerns. Acquisitions in particular were highlighted as a cause of security issues as legacy infrastructures and different approaches to security come together.

Both NTT and MTI addressed the perception that end users don’t necessarily really know how to separate what is important from the plethora of – sometimes mixed – messages from security vendors. Threats like ransomware were cited as helping people ‘get it’ as it is such a common threat.

An interesting part of the discussion involved education and the question of responsibility for it. There was a feeling on the panel that the industry (vendors and partners) shouldn’t sell a panacea to customers, but should instead concentrate  on finding out what is important to the end user on a case-by-case basis. Partners, with their huge reach, should be part of the education programme. Demand from end users in this area is what has driven NTT to invest in bigger security practices.

Unsurprisingly, the EU GDPR was highlighted as a driver for change. Alsing made the point that certain car manufacturers, decades ago, made safety a selling feature. At the time they were ridiculed, but now safety is very important for all mass-market vehicle manufacturers. In the same vein, data integrity, as enforced by GDPR, should be a partner opportunity.

Finally, the panel talked about Brexit, albeit in the context of what it would mean for the regulatory environment. Will it mean data protection reverts to the more ‘watered down’ form that we had before the EU version came along? The verdict was ‘probably not’; the UK had a leading role in designing the EU regulations.

Concluding, it was noted that collaboration would be the key to remaining relevant in a fast-changing UK. Vendors, partners and customers have to remain connected to maintain the right level of knowledge and expertise to meet IT and environmental challenges. This is the time to embrace change, not retreat into our shells.

Friday 19 August 2016

The General Data Protection Regulation - A post Brexit positive for British enterprise [Link - SC Magazine]

Another proud moment for me, as I have another article published in SC Magazine about the General Data Protection Regulation (GDPR): http://www.scmagazineuk.com/the-general-data-protection-regulation--a-post-brexit-positive-for-british-enterprise/article/514976/

=======================

A month before the UK chose to leave the EU, the European Union's General Data Protection Regulation (GDPR) was signed into law. The act is designed to change the way businesses approach data protection from its 2018 enforcement date.

Replacing the EU Data Protection Directive, it has considerable scope in standardising and unifying data privacy requirements across member states and any business that markets to EU data subjects.

With strict guidelines around obtaining consent for data collection and individual profiling, alongside far more comprehensive definitions of data, non-compliance will trigger heavy fines - either €20 million (£17 million) or four percent of global turnover, whichever is greater.

Off the hook


If we exit the EU before the GDPR is enforced in 2018, technically the legislation won't apply. In practice, however, the international trading implications of the GDPR means the UK will need to broadly align its laws around handling EU citizens' personal information to maintain a close trading partnership with the EU member states.

So while those IT departments who believe GDPR stipulations impose a heavy burden might consider Brexit a handy escape route, the reality is this: Brexit aside, to continue as trading partners with the EU and remain in the European Economic Area, UK businesses will need to adopt a broadly similar framework of standards to protect EU citizens' information.

This is a positive thing, holding huge opportunity for UK business. The regulation's objectives and framework are vitally important in today's global digital economy. Meeting the new requirements will help protect UK businesses and citizens from much of the catastrophic damage caused from major cyber-attacks and mitigate many of the threats before they occur.

With only two years to meet compliance requirements and implement the changes to business systems and operations, now is the time to start the process of transforming the way businesses collect and use personal information and data.

Key considerations


Firstly, it's important to remember that the GDPR is a set of rules governing the security and management of any data that could be used to identify someone. Companies will have to immediately notify the authorities within 72 hours of any breach of an EU national's data to avoid a fine.

There's currently no UK requirement to do this and many don't due to the potential reputational impact. Recent examples, including TalkTalk's experience, demonstrate the potential damage to profit and trust following public data leaks.

To meet this requirement, businesses will need to deliver huge overhauls of their current systems to ensure breach protocols are compliant. The final draft won't be ready for some time, but companies should closely examine the current version to get up to speed.

From a technical perspective, the GDPR separates responsibilities and duties for both data controllers and processors. Controllers will only be able to engage processors that provide sufficient guarantees to meet the GDPR's standards of protecting data subjects' rights. For example.

Article 32 of the GDPR already outlines these responsibilities and provides specific suggestions for the type of security activities which might be ‘appropriate to the risk'.

Above all, it's worth remembering that from encryption of data to testing and assessing security systems – everything needs to be compliant with the GDPR's new code of conduct.

GDPR readiness


With just two budget cycles remaining until the act becomes law, it seems GDPR readiness is not a priority amongst European IT professionals – and there's a lot to be done.

As an immediate priority, a UK enterprise should start to get its systems ready and implement upgraded breach notification policies. To deliver this effectively, IT must start working with legal teams and other key departments to avoid the potential for heavy fines and get their operations data fit for a new era of global digital trade.

Tuesday 16 August 2016

How to protect against mobile threats [Link - Information Age]

I was asked to provide an insight into mobile threats, and this is the article that appeared in Information Age: http://www.information-age.com/technology/security/123461862/how-protect-against-mobile-threats

==============

Cybercrime is on the rise, and with the increasing mobility of today’s workforce, it is not just PCs that need to be protected but a whole range of mobile devices.

Whether owned and managed by the company itself or brought in by employees, all mobile devices now need to be considered in businesses’ security plans.

This is especially true when implementing bring your own device (BYOD) policies, where companies can have less control over their employees’ phones.

With 72% of organisations across the financial services, technology, healthcare, government and education sectors now supporting BYOD for all or some employees, it has never been more crucial to ensure company data can remain secure while allowing easy access for employees.

So what are the threats to mobile devices that businesses face and how can they mitigate them?


Public networks


One of the biggest threats facing businesses – especially those with employees travelling abroad – is the use of free Wi-Fi networks to avoid having to use up mobile data allowances or pay costly roaming charges.

Public, password-free Wi-Fi lacks sufficient encryption, which provides hackers with an opportunity to access and steal almost all information on a user’s device.

The Wi-Fi Pineapple, for example, makes man-in-the-middle attacks easy. In this type of attack, a hacker sits in between the device and the Wi-Fi it is connected to in order to extract information from the device while the user remains unaware.

By educating employees of the dangers posed by using unsecured Wi-Fi, organisations can help to mitigate at least some of this threat.

Also, teaching employees to check if the website uses a HTTPS protocol, and ensuring that they have access to encrypted data storage are two more methods that help in keeping valuable corporate information safe from unsecured Wi-Fi.

Apps and channels


It is important to consider where employees are storing data, and what apps they are using on their device.

Apps present a risk to businesses as potentially confidential data is entrusted to a third party’s security protocols. For example, employees storing data from their mobile phone have to rely only on the strength of passwords for protection, rather than robust end-to-end encryption.

Using the appropriate channels for storing information, such as an encrypted VPN that is available to employees’ mobile devices, is one step towards protecting business assets.

While most app stores vet malicious apps, a user can still download apps from third-party stores that appear harmless on the surface but contain malware. Once downloaded, these have the potential to lock users out of their device, install malware, or carry out other activities, as illustrated with the recent case of fake Pokémon Go apps.

Companies that issue a fleet of managed devices can place restrictions on what apps can be downloaded. But with BYOD, employees are free to download what they want.

By creating a separate, corporate app store on the device through an enterprise mobility management (EMM) platform, IT departments can ensure only approved apps can access corporate information, while still allowing employees the freedom to download whatever they wish to use on their device.

Mobile malware


Just as with a PC or laptop, mobile devices are susceptible to malware attacks.

The recent proliferation of HummingBad malware on Android devices is a prime example of highly-sophisticated malware affecting mobile users.

By attaching itself to infected versions of trusted apps, it puts in place applications that generate fraudulent advertising revenue, collecting personal data to sell on along the way.

The key here is prevention rather than cure. There are many anti-virus, anti-malware and firewall products on the market which can be distributed across a whole network of corporate devices, ensuring they can protect against the latest threats.

For BYOD, EMM platforms can mitigate the risk and protect corporate data by creating a ‘wall’ around sensitive information to prevent infection from compromising data. Meanwhile, robust security policies can be put in place on an employee’s personal phone without invading their privacy or forcing too much control over a personal device to an employer.

None of these are 100% fool proof, however, so educating employees has to be a priority.

Part of this process should involve advising employees of the dangers hacking poses, the reasoning behind approved corporate channels for storing information, and clearly defining the role they need to play in securing their device.

IT departments need to be working with the HR team and heads of departments to create a corporate culture around security, and convey that the protection of company data is as much their responsibility as it is for IT professionals.

OS vulnerabilities


While Apple is known to have complete control over its iOS update system, the same is not true of Android, which has to rely on vendors to patch issues.

This was highlighted in the StageFright attack in 2015, which exploited weaknesses in the Android source code and allowed hackers to execute malicious code remotely.

Therefore, it is imperative that IT departments enforce a strong update policy. With a fleet of corporate devices, these can be managed centrally and updated on a regular basis – however, it is also necessary to advise employees using BYOD to ensure their personal device is up to date with the latest patches for the best protection.

There are as many solutions as there are threats in the corporate mobile landscape, but educating staff is the key to preventing the loss or infiltration of corporate data.

This needs to come from the top down. IT professionals need to be sitting round the same table as the C-suite when discussing mobile, and working closely with all departments of a business to create a ‘culture’ around mobile security.

Wednesday 20 July 2016

Gemalto hunts for partners for its encryption solutions as GDPR approaches [Link - CRN Magazine]

I was asked by CRN to give my opinion on our working relationship with Gemalto and on GDPR, and my comments were published: http://www.channelweb.co.uk/crn-uk/news/2465454/gemalto-hunts-for-partners-for-its-encryption-solutions-as-gdpr-approaches

============================

MTI has been a partner with Gemalto for around eight years, and its services director Andrew Tang said that he has noticed the increased demand for the encryption products Gemalto provides in the run-up to GDPR.

"We have had a couple of organisations in the finance industry that have started asking us about how we can help them with their GDPR strategy. There are organisations out there that are on the ball, but more companies were in limbo because of the referendum," he said.

"People forget that when you look at all the different options, whether it's the Norway, Switzerland, Canada or Turkey models, they all have to adhere to EU regulation, which means GDPR in some fashion or another. It is still about education and evangelisation at the minute."



Saturday 16 July 2016

Euro 2016: A lesson in BYOD security best practice [Link - ITProPortal]

I was asked to write some thoughts around the security during Euro 2016 for ITProPortal: http://www.itproportal.com/2016/07/16/euro-2016-a-lesson-in-byod-security-best-practice/

==================================

One of the stories away from the pitch at this year’s Euro 2016 event was the significant spike in cybercrime on mobile devices.

Attending football fans, trying to keep on top of work or attempting to access tournament information, became victims to cyberthreats as hackers took advantage of insecure public Wi-Fi networks and applications.

Reports suggest that the host country was targeted in a highly calculated way by hackers during the event, with 72 per cent of malicious websites and 41 per cent of exposed passwords detected on smartphones in France alone.

The UEFA EURO 2016 Fan Guide App, one of the official UEFA mobile applications, was a prime target for hackers during Euro 2016, having been downloaded onto more than five million devices.

Designed to provide practical tourist information for fans travelling to France for the tournament, the app leaked user data including usernames, addresses, phone numbers, and passwords due to an insecure connection.

The BYOD threat is real

The scale of the attack during the event highlights just how strong the threat is for businesses, especially for companies operating BYOD policies, as employees are free to access malicious websites, install fake apps and connect to unsecured Wi-Fi on the same device on which they store corporate data.

An additional report suggests business travellers are more likely to be mugged of valuable private and corporate data than of their travel money. The report found that 59 per cent of staff in senior roles claim to log on as quickly as possible upon arrival abroad, while 48 per cent of senior managers and more than 43 per cent of mid-level managers use unsecured public access Wi-Fi networks to connect their work devices when abroad.

So how can businesses protect themselves against mobile threats and prevent mobile hardware and apps from leaking corporate data, and what are best practices around BYOD security?

Mobile management

With company-owned mobile pools now rapidly becoming out of date and workplace bring your own device (BYOD) policies steadily growing, controlling what an employee does on their device has become far more difficult and complex.

Enterprise Mobility Management (EMM) platforms have become crucial in protecting corporate data. Apps and documents can operate separately from the rest of the device, allowing employers to create a ‘wall’ around sensitive information to prevent infection from compromising data.

EMM also allows for robust security policies to be put in place on an employee’s personal phone without invading privacy or handing the employer too much control over a personal device.

Right apps, right channels

It is also important to consider where employees are storing data. Some cloud-based storage applications can present a risk as the data is often entrusted to a third party. This means businesses have to rely on the strength of an employee’s password for protection.

Using the appropriate channels for storing information, such as an encrypted VPN, and making these available to employees’ mobile devices is another step towards protecting business assets. This ensures all information is properly encrypted through storage managed by the company itself, rather than entrusted to a separate party.

Another consideration for most businesses is how to prevent staff downloading apps that can leak data. Companies that issue a fleet of managed devices can place restrictions on what apps can be downloaded, but with BYOD, employees are free to download what they want.

By creating a separate corporate app store on the device, IT departments can then ensure that only approved apps can be used to access corporate information, while still allowing employees the freedom to download whatever they wish to use on their device.

Public dangers

One of the biggest threats during the Euro 2016 tournament was the use of free Wi-Fi facilities.

Public, password-free Wi-Fi is a particular threat to both individuals and businesses due to the lack of encryption, which allows hackers to access almost all information on a user’s device.

The Wi-Fi Pineapple, for example, makes man-in-the-middle attacks easy. In this type of attack, a hacker sits in between the device and the Wi-Fi to which it is connected in order to extract information from the device.

These types of attacks are especially dangerous for travelling football fans and business people alike, as users often try to avoid having to pay expensive data roaming charges while in foreign countries.

By educating employees about the dangers posed by using unsecured Wi-Fi and unauthorised applications, organisations can help to mitigate at least some of the potential threat.

Part of this process should involve advising employees of the dangers hacking poses, the reasoning behind approved corporate channels for storing information, and clearly defining the role they need to play in securing their device.

IT departments need to be working with the HR team and heads of departments to create a corporate culture around security and convey that the protection of company data is as much their responsibility as it is for IT professionals.