Monday 29 August 2016

"What do you want to be when you grow up?"

My son met one of his heroes, vlogger and YouTuber Dan TDM. I suspect the majority of you aren't familiar with him and his work, but if you have children they will probably know.  As he said when introducing his show, 50% of the audience know who he is and the others will have no idea!  He is a man who is famous for playing games on YouTube...

But before you ridicule the idea, it's much like a DJ who gets famous playing other people's music, a sports commentator or a television presenter.  Rarely do these people create the content they are commenting on, but add an extra depth or dimension to the viewer/listener.  

If you don't understand the concept, you may have become the "grown up" or "old fart" we ridiculed when we were younger.   I remember 30 years ago being mocked for saying decks were instruments, by people who later embraced EDM more than I did!  It's thoughts like this that made me explain to my son that his future career may not exist yet, which was difficult for him to comprehend (as he's the next great gamer/vlogger/YouTuber, obviously).

Thanks to Tim Berners-Lee, inventor of the World Wide Web, who released it to the world 25 years ago.  I currently work in IT security, but the World Wide Web didn't exist when I was speaking with career advisors at school.

The IT industry talks about skills shortages in the marketplace, but I have to say that many people ask for unrealistic experience, such as demanding experience that is longer than the technology has been available.  We should train our workforce, and give them the technical skills and competencies, but you can't teach attitude or aptitude.

We need to build a workforce for the future, even if we don't know what those roles could be.  Do I think there is a skills shortage?  Possibly.  But do I think it could be overcome with the right people, given the right education, mentoring and chance?  Definitely.

Do I know what my son will do for a living in the future? Of course not!  Can I help him have the right attitude and aptitude?  I can only try!

Friday 26 August 2016

Changing environments mean a fight to stay relevant [Link - Channel Pro]

While I was at the CyberArk Partner conference, I was asked to attend a roundtable to cover the challenges we see in the UK marketplace.  Here is the article, written by Tim Goodwin, the EMEA Channel Director for CyberArk:


UK resellers face a turbulent time, both currently and in the months to come. Against a backdrop of a changing threat landscape, new data regulations and the uncertainty following the UK referendum result, the opportunity to grow still remains, but channel partners and VARs will have to negotiate potentially treacherous waters to remain relevant for customers.

At a recent customer and partner EMEA event hosted by security vendor CyberArk, Kristian Alsing, a cyber security director at consulting firm Deloitte, together with panellists Andrew Tang from MTI and Hakan Cakar of NTT Com Security, examined these issues, the opportunities they present, and what approaches will be necessary to remain trusted partners for UK end users.

In the context of security, Alsing highlighted that there haven’t been any new crimes in the last thousand years. “People are still defrauding others, still stealing, still doing the things that humans have always done,” he said. “But what we do have that’s different is a connected world.”

The crime has now been decoupled from the location of the asset, explained Alsing, going on to detail what Deloitte are seeing. A notable trend is the service provider model being adopted within the organised crime industry - for example Hacking-as-a-Service for those who don’t possess this particular specialism - as well as the evolution of criminals, with those who used to ‘just’ steal credit card details moving into much more complex and ambitious cyber heists.

Increased nation state involvement, malicious insiders and hacktivists form what Alsing referred to as the ‘threat actor’ environment. When combined with a very different looking end user, compared to the recent past, this creates some key considerations to understand for the UK channel community.

Organisations used to control their assets, whether that be money, data or anything else. With the huge use of outsourced and cloud services, plus the Internet of Things (IoT) and mobility, the risk for organisations is higher than it has ever been, because it is concentrated – people or data on a grand scale can be accessed from one access point. So it is critical to understand this in order to be credible for end users.

The panel also discussed how strong regulation in the Finance industry has led to the rising importance of cyber security within organisations (in many cases to c-level), as well as the sheer complexity of organisations driving security concerns. Acquisitions in particular were highlighted as a cause of security issues as legacy infrastructures and different approaches to security come together.

Both NTT and MTI addressed the perception that end users don’t necessarily really know how to separate what is important from the plethora of – sometimes mixed – messages from security vendors. Threats like ransomware were cited as helping people ‘get it’ as it is such a common threat.

An interesting part of the discussion involved education and the question of responsibility for it. There was a feeling on the panel that the industry (vendors and partners) shouldn’t sell a panacea to customers, but should instead concentrate on finding out what is important to the end user on a case-by-case basis. Partners, with their huge reach, should be part of the education programme. Demand from end users in this area is what has driven NTT to invest in bigger security practices.

Unsurprisingly, the EU GDPR was highlighted as a driver for change. Alsing made the point that certain car manufacturers, decades ago, made safety a selling feature. At the time they were ridiculed, but now safety is very important for all mass-market vehicle manufacturers. In the same vein, data integrity, as enforced by GDPR, should be a partner opportunity.

Finally, the panel talked about Brexit, albeit in the context of what it would mean for the regulatory environment. Will it mean data protection reverts to the more ‘watered down’ form that we had before the EU version came along? The verdict was ‘probably not’; the UK had a leading role in designing the EU regulations.

Concluding, it was noted that collaboration would be the key to remaining relevant in a fast-changing UK. Vendors, partners and customers have to remain connected to maintain the right level of knowledge and expertise to meet IT and environmental challenges. This is the time to embrace change, not retreat into our shells.

Friday 19 August 2016

The General Data Protection Regulation - A post Brexit positive for British enterprise [Link - SC Magazine]

Another proud moment for me, as I have another article published in SC Magazine about the General Data Protection Regulation (GDPR):


A month before the UK chose to leave the EU, the European Union's General Data Protection Regulation (GDPR) was signed into law. The act is designed to change the way businesses approach data protection from its 2018 enforcement date.

Replacing the EU Data Protection Directive, it has considerable scope in standardising and unifying data privacy requirements across member states and any business that markets to EU data subjects.

With strict guidelines around obtaining consent for data collection and individual profiling, alongside far more comprehensive definitions of data, non-compliance will trigger heavy fines - either €20 million (£17 million) or four percent of global turnover, whichever is greater.

Off the hook

If we exit the EU before the GDPR is enforced in 2018, technically the legislation won't apply. In practice, however, the international trading implications of the GDPR mean the UK will need to broadly align its laws around handling EU citizens' personal information to maintain a close trading partnership with the EU member states.

So while those IT departments who believe GDPR stipulations impose a heavy burden might consider Brexit a handy escape route, the reality is this: Brexit aside, to continue as trading partners with the EU and remain in the European Economic Area, UK businesses will need to adopt a broadly similar framework of standards to protect EU citizens' information.

This is a positive thing, holding huge opportunity for UK business. The regulation's objectives and framework are vitally important in today's global digital economy. Meeting the new requirements will help protect UK businesses and citizens from much of the catastrophic damage caused by major cyber-attacks and mitigate many of the threats before they occur.

With only two years to meet compliance requirements and implement the changes to business systems and operations, now is the time to start the process of transforming the way businesses collect and use personal information and data.

Key considerations

Firstly, it's important to remember that the GDPR is a set of rules governing the security and management of any data that could be used to identify someone. Companies will have to immediately notify the authorities within 72 hours of any breach of an EU national's data to avoid a fine.

There's currently no UK requirement to do this, and many don't, due to the potential reputational impact. Recent examples, including TalkTalk's experience, demonstrate the potential damage to profit and trust following public data leaks.

To meet this requirement, businesses will need to deliver huge overhauls of their current systems to ensure breach protocols are compliant. The final draft won't be ready for some time, but companies should closely examine the current version to get up to speed.

From a technical perspective, the GDPR separates responsibilities and duties for both data controllers and processors. Controllers will only be able to engage processors that provide sufficient guarantees to meet the GDPR's standards of protecting data subjects' rights.

For example, Article 32 of the GDPR already outlines these responsibilities and provides specific suggestions for the type of security activities which might be ‘appropriate to the risk’.

Above all, it's worth remembering that from encryption of data to testing and assessing security systems – everything needs to be compliant with the GDPR's new code of conduct.

GDPR readiness

With just two budget cycles remaining until the act becomes law, it seems GDPR readiness is not a priority amongst European IT professionals – and there's a lot to be done.

As an immediate priority, a UK enterprise should start to get its systems ready and implement upgraded breach notification policies. To deliver this effectively, IT must start working with legal teams and other key departments to avoid the potential for heavy fines and get their operations data fit for a new era of global digital trade.

Tuesday 16 August 2016

How to protect against mobile threats [Link - Information Age]

I was asked to provide an insight into mobile threats, and this is the article that appeared in Information Age:


Cybercrime is on the rise, and with the increasing mobility of today’s workforce, it is not just PCs that need to be protected but a whole range of mobile devices.

Whether owned and managed by the company itself or brought in by employees, all mobile devices now need to be considered in businesses’ security plans.

This is especially true when implementing bring your own device (BYOD) policies, where companies can have less control over their employees’ phones.

With 72% of organisations across the financial services, technology, healthcare, government and education sectors now supporting BYOD for all or some employees, it has never been more crucial to ensure company data can remain secure while allowing easy access for employees.

So what are the threats to mobile devices that businesses face and how can they mitigate them?

Public networks

One of the biggest threats facing businesses – especially those with employees travelling abroad – is the use of free Wi-Fi networks to avoid having to use up mobile data allowances or pay costly roaming charges.

Public, password-free Wi-Fi lacks sufficient encryption, which provides hackers with an opportunity to access and steal almost all information on a user’s device.

The Wi-Fi Pineapple, for example, makes man-in-the-middle attacks easy. In this type of attack, a hacker sits between the device and the Wi-Fi it is connected to in order to extract information from the device while the user remains unaware.

By educating employees about the dangers posed by using unsecured Wi-Fi, organisations can help to mitigate at least some of this threat.

Also, teaching employees to check that a website uses HTTPS, and ensuring that they have access to encrypted data storage, are two more methods that help keep valuable corporate information safe on unsecured Wi-Fi.
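For apps an organisation builds or commissions itself, the HTTPS advice above can be enforced in the app rather than left to the employee. The Android Network Security Configuration below is an added example, not part of the article; it assumes an Android 7.0 or later app, and the hostname `api.example.corp` and the pin values are placeholders. Comments mark the weak setting (cleartext permitted, which was the platform default before Android 9) beside the hardened one.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Saved as res/xml/network_security_config.xml and referenced from the
     <application> element in AndroidManifest.xml as
     android:networkSecurityConfig="@xml/network_security_config"

     WEAK setting (the pre-Android 9 default, shown here only for contrast):
         <base-config cleartextTrafficPermitted="true" />
     With cleartext allowed, anyone on the same open Wi-Fi network can read or
     alter the app's HTTP traffic, which is exactly the man-in-the-middle
     scenario described in the article. -->
<network-security-config>

    <!-- HARDENED: the platform refuses any plain-HTTP connection the app
         attempts, so a coding mistake or a captive portal cannot silently
         downgrade traffic to cleartext. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store; certificates a user has
                 installed on the handset are ignored, so an attacker-supplied
                 CA on a BYOD phone does not let them terminate TLS for this
                 app. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- For the corporate back end, go further and pin the server's public key
         so even a mis-issued certificate from a real CA is rejected.
         "api.example.corp" is a placeholder hostname. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.corp</domain>
        <!-- After the expiration date the pins stop being enforced rather than
             bricking the app; it should be tied to the certificate rotation
             schedule. -->
        <pin-set expiration="2018-08-01">
            <!-- Base64 SHA-256 of the server's SubjectPublicKeyInfo (placeholder) -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <!-- A backup pin for a key held offline, so a planned key rotation
                 does not lock every employee out (placeholder) -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

This only governs the organisation's own apps; on a BYOD handset the third-party apps the article discusses keep whatever policy their developers chose, which is why the EMM container and user education remain necessary.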

Apps and channels

It is important to consider where employees are storing data, and what apps they are using on their device.

Apps present a risk to businesses as potentially confidential data is entrusted to a third party’s security protocols. For example, employees storing data from their mobile phone have to rely only on the strength of passwords for protection, rather than robust end-to-end encryption.

Using the appropriate channels for storing information, such as an encrypted VPN that is available to employees’ mobile devices, is one step towards protecting business assets.

While most app stores vet malicious apps, a user can still download apps from third-party stores that appear harmless on the surface but contain malware. Once downloaded, these have the potential to lock users out of their device, install malware, or carry out other activities, as illustrated with the recent case of fake Pokémon Go apps.

Companies that issue a fleet of managed devices can place restrictions on what apps can be downloaded. But with BYOD, employees are free to download what they want.

By creating a separate, corporate app store on the device through an enterprise mobility management (EMM) platform, IT departments can ensure only approved apps can access corporate information, while still allowing employees the freedom to download whatever they wish to use on their device.

Mobile malware

Just as with a PC or laptop, mobile devices are susceptible to malware attacks.

The recent proliferation of HummingBad malware on Android devices is a prime example of highly-sophisticated malware affecting mobile users.

By attaching itself to infected versions of trusted apps, it puts in place applications that generate fraudulent advertising revenue, collecting personal data to sell on along the way.

The key here is prevention rather than cure. There are many anti-virus, anti-malware and firewall products on the market which can be distributed across a whole network of corporate devices, ensuring they can protect against the latest threats.

For BYOD, EMM platforms can mitigate the risk and protect corporate data by creating a ‘wall’ around sensitive information to prevent infection from compromising data. Meanwhile, robust security policies can be put in place on an employee’s personal phone without invading their privacy or forcing too much control over a personal device to an employer.

None of these are 100% foolproof, however, so educating employees has to be a priority.

Part of this process should involve advising employees of the dangers hacking poses, the reasoning behind approved corporate channels for storing information, and clearly defining the role they need to play in securing their device.

IT departments need to be working with the HR team and heads of departments to create a corporate culture around security, and convey that the protection of company data is as much their responsibility as it is for IT professionals.

OS vulnerabilities

While Apple is known to have complete control over its iOS update system, the same is not true of Android, which has to rely on vendors to patch issues.

This was highlighted by the Stagefright attack in 2015, which exploited weaknesses in the Android source code and allowed hackers to execute malicious code remotely.

Therefore, it is imperative that IT departments enforce a strong update policy. With a fleet of corporate devices, these can be managed centrally and updated on a regular basis – however, it is also necessary to advise employees using BYOD to ensure their personal device is up to date with the latest patches for the best protection.

There are as many solutions as there are threats in the corporate mobile landscape, but educating staff is the key to preventing the loss or infiltration of corporate data.

This needs to come from the top down. IT professionals need to be sitting round the same table as the C-suite when discussing mobile, and working closely with all departments of a business to create a ‘culture’ around mobile security.