PwC’s latest annual breaches survey was published this month. Backed by an £860 million budget (from 2011 to 2016), the National Cyber Security Programme, now being propelled by Ed Vaizey, the Minister for Culture and the Digital Economy, has continued to commission PwC to conduct its annual survey of information security breaches. The results provide a richly detailed picture of the UK’s cybersecurity scene. The report gathered responses from 664 companies, all based in the UK but varying greatly in size and focus. Almost half of the respondents were companies with 500 or more employees working in the professional services or technology sectors; however, small-to-medium sized businesses from almost all other sectors were also included, lending credibility and wide applicability to the reported data. (N.B. large organisations > 250 employees, medium 50-249, small <50.) This year’s key survey findings read a lot like those of previous years: the number of …
For the tenth year running, the Ponemon Institute, a data protection and information security research centre based in Michigan, has published its 23-page “Cost of Data Breach” report. This year’s report is packed full of quantitative analysis that confirms the overarching cybersecurity trends: breaches are becoming increasingly expensive, and an increasing number of customers switch their allegiance to a competitor after a breach. It also highlights that certain anticipatory behaviours can help to reduce the cost, the most significant being having an incident response team in place. N.B. the Ponemon Institute’s research has greater applicability to small-to-medium sized businesses than to large businesses, given that the study excludes from the data set any organisation which suffers a breach in which more than 100,000 records are compromised. The key trends and statistics highlighted are as follows:
  • Breaches are becoming increasingly expensive:
Global
  • The International Chamber of Commerce published a “cyber security guide for businesses.” The aim of the guide is to help management “frame cyber security discussions with information technology professionals – and vice versa – to put a collaborative and ongoing management approach in place.” The guide sets out five main areas of focus: gathering information, developing a resilient mind-set, being prepared to respond, demonstrating leadership and taking action.
UK
  • According to SC Magazine, the Bank of England approved its first commercial provider of CBEST threat intelligence and penetration testing (read more from Datonomy about the financial sector CBEST programme here). The company now approved to assess financial sector companies’ preparedness for a cyber attack is BAE Systems.
  • One of CERT-UK’s weekly updates featured a plug for the importance of public-private cyber threat information sharing as the US looks to follow the UK’s lead with the Cyber Intelligence Sharing and Protection Act …
Europe
  • General Data Protection Regulation (GDPR): The introduction of a general breach notification obligation has come a step closer. On 15 June the GDPR reached another key milestone, with the EU Council (i.e. the Member States) adopting its “general approach” to negotiating the whole proposal with the Parliament and the Commission. This means that all three EU institutions have declared their negotiating stance on the wide-ranging proposal and that three-way negotiations can now begin. The first such trilogue took place on 24 June, with the proposal’s Rapporteur, MEP Jan Albrecht, quoted by the MLex service as saying “the three texts on the table …are far more near to each other than I think all of us thought”. There is a six-month provisional timetable for the negotiations, recently outlined by a group of MEPs here, aimed at adoption of the proposal by the end of 2015.
  • Given the complexity of …
A small selection of attacks reported in Q2. Please see our weekly cyber alert on Datonomy for more.
  • The BBC reported that a coordinated effort between the EU Cybercrime Action Taskforce, the FBI and the private security firms Intel, Kaspersky and Shadowserver was successful in taking down a very sophisticated piece of malware called “Beebone”. The malware reportedly controlled up to 100,000 computers a day and evaded detection for a long time by being able to change its own identity up to 19 times a day. Now that the malware has been contained, Operation Beebone is focusing on identifying those behind the attacks.
  • Following the GitHub denial of service attacks (reportedly perpetrated by China), researchers at the University of Toronto, the University of California, Berkeley, the International Computer Science Institute and Princeton University claimed that China designed a cyber offensive system called the “Great Cannon”. The Great Cannon can reportedly intercept foreign …