21.1.17

Cybersecurity skills shortage ‘still a global problem’


The global skills gap for cybersecurity professionals has shown improvement over the last two years, but is still a serious problem for some of the world’s leading economies.
That is the main finding of a new study conducted by Indeed.com, which found Israel to have the highest skills shortage, followed by Ireland, the UK and the US.
A shortage in skills was found in all of the 10 countries surveyed, although there are signs of improvement. Ireland made the greatest strides, closing its skills gap by 14%.
Other countries to see improvements included the US (7%), Italy (6%), France (6%), Israel (5%), Germany (3%) and Australia (1%).
The numbers for Israel will be seen as particularly encouraging, given that the country comfortably has the strongest demand for cybersecurity professionals – 89.2% higher than second-placed Ireland.
Such strong demand is likely to be down to Israel’s reputation as an increasingly prominent technology hub, with the nation boasting more startups and scientists per capita than any other on earth.
Elsewhere, the UK (5%), Brazil (11%) and Canada (12%), have all seen their skill gaps widen.
The figures for Brazil will be particularly disappointing, given that it contains the lowest level of demand out of all the nations surveyed.
However, it was Britain’s poor performance that was picked up on by Indeed economist Mariano Mamertino.
The UK has seen a 32% increase in the number of cybersecurity jobs over the last two years, and Mamertino believes many British companies are leaving themselves exposed.
“Beyond the headlines, cybercrime is a threat to organizations of all sizes,” he was quoted by Computer Weekly as saying.
Writing about this last month, ESET’s Stephen Cobb encouraged cybersecurity professionals to do their bit to “encourage others to join our ranks”. He added: “The biggest single attraction for current and aspiring cybersecurity professionals is probably a high level of commitment to security, which is also something that brings many other benefits to your organization.”

18.1.17

Ransomware: Should you pay up?


If you’re a victim of ransomware, cybercriminals will encrypt your data and documents and demand a fee to unlock them. Once your data is locked, you face a tough choice: whether or not to pay. And if you pay, will you really get your data back anyway? Here, we look at some tips on what to do if it happens to you.
Who are you paying?
Is there any way to really know if your bitcoin ransom – increasingly the currency of choice for cybercriminals – will go to the person with the digital keys? What if they come back and ask you for more money? What if you pay and then they reveal they don’t have the keys anyway and your data is still unusable? What if you pay and they don’t get back to you at all?
How much are you paying?
The amount of the ransom will depend on the size of your organization, how much data is affected, and how likely, historically, it is that people in a similar position have paid. Easy targets with deep pockets are likely to get higher bills; whereas those who don’t pay are typically less likely to be targeted, and therefore the ransom amounts will be closer to a nuisance fee, not something that’s higher than a house payment.
“We all can help reduce the likelihood of a payout, and defund the scammers.”
How bad is the impact?
As revealed in our recent blog about the incorporation of the insidious KillDisk component into the ransomware mix, you could now face not only having your data locked, but having your entire hard drive irreversibly scrambled, recoverable (if at all) only by forensic means. If you just have one machine affected, that’s certainly less of an impact than some modern ransomware attacks, which lock up data across internal networks.
What is your organization’s policy?
Increasingly, organizations are adding ransomware to the disaster recovery (DR) plans that they practice. If you don’t have a DR plan, you may want to use some of the templates or other boilerplate documents from folks like NIST that give you some general guidelines. Luckily, there are lots of organizations that have already given it some thought and can advise on the practical steps to take in case it happens.
How good are your backups?
If they are close at hand, offline, and easy to restore, you can breathe a sigh of relief; you’ve definitely passed the test. On the other hand, if you’re restoring bulk data across the network from the cloud or a remote site, the network pipe can be the limiting factor in how quickly you are back up. At times, it’s easier to send a courier or overnight service to retrieve a box of hard drives. Still, if you have the data in its original form and a fairly recent data set, you’ll be miles ahead of those who haven’t.
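The three questions above (is the copy intact, is it recent, how long will it take to pull back over the pipe) can be turned into a routine check. The script below is an added example, not code from the original post or from ESET: it assumes a backup set is a directory of files plus a manifest.json recording a sha256 and size per file and the time the backup was taken; the sample files, the 24-hour freshness threshold, the 100 Mbit/s link and the "now" timestamp are all constructed for illustration. The second set in demo() simulates what the post warns about, ransomware reaching a backup share and overwriting or deleting files, which the hash manifest catches before you rely on that copy.

```python
"""Restore-readiness check for a backup set (added example, not ESET's code).

Assumes a backup set is a directory of files plus manifest.json holding a
sha256 and size per file and the time the backup was taken. Sample files,
thresholds and timestamps are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field

HOUR = 3600.0


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir, taken_at):
    """Hash every file at backup time; a copy that was later encrypted or
    truncated by ransomware then fails verification instead of failing you."""
    files = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            if name == "manifest.json":
                continue
            full = os.path.join(root, name)
            files[os.path.relpath(full, backup_dir)] = {
                "sha256": sha256_of(full), "size": os.path.getsize(full)}
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump({"taken_at": taken_at, "files": files}, f)


@dataclass
class RestoreReport:
    intact: bool
    corrupted: list = field(default_factory=list)
    missing: list = field(default_factory=list)
    age_hours: float = 0.0
    stale: bool = False
    total_bytes: int = 0
    restore_hours: float = 0.0


def verify_backup(backup_dir, now, max_age_hours=24.0, link_mbps=100.0):
    """Is the set intact, is it recent, and how long would a restore over a
    link_mbps network pipe take? (Thresholds are illustrative assumptions.)"""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    report = RestoreReport(intact=True)
    for rel, meta in manifest["files"].items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            report.missing.append(rel)
        elif sha256_of(full) != meta["sha256"]:
            report.corrupted.append(rel)
        report.total_bytes += meta["size"]
    report.intact = not (report.missing or report.corrupted)
    report.age_hours = (now - manifest["taken_at"]) / HOUR
    report.stale = report.age_hours > max_age_hours
    # bytes -> bits, divided by the link rate in bit/s, expressed in hours
    report.restore_hours = report.total_bytes * 8 / (link_mbps * 1e6) / HOUR
    return report


def build_sample_backup(backup_dir, taken_at):
    """Constructed sample data standing in for a real backup set."""
    os.makedirs(os.path.join(backup_dir, "finance"), exist_ok=True)
    samples = {
        "finance/ledger.csv": b"date,amount\n2017-01-01,100\n" * 1000,
        "customers.db": os.urandom(4096),
        "notes.txt": b"quarterly review\n",
    }
    for rel, data in samples.items():
        with open(os.path.join(backup_dir, rel), "wb") as f:
            f.write(data)
    write_manifest(backup_dir, taken_at)


def demo():
    """Returns (report for a good set, report for a set ransomware reached)."""
    now = 1_484_697_600.0  # constructed 'now': 18 Jan 2017 00:00 UTC
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        build_sample_backup(good, taken_at=now - 12 * HOUR)
        good_report = verify_backup(good, now)
        build_sample_backup(bad, taken_at=now - 72 * HOUR)
        # simulate ransomware on the backup share: overwrite one file, delete another
        with open(os.path.join(bad, "finance/ledger.csv"), "wb") as f:
            f.write(b"ENCRYPTED\n")
        os.remove(os.path.join(bad, "notes.txt"))
        bad_report = verify_backup(bad, now)
    return good_report, bad_report


if __name__ == "__main__":
    for label, r in zip(("good", "bad"), demo()):
        print(label, "intact" if r.intact else "DAMAGED", f"age={r.age_hours:.0f}h",
              f"stale={r.stale}", f"restore={r.restore_hours * 60:.3f} min")
```

The manifest must itself live somewhere the attacker cannot reach (the offline copy the post recommends), otherwise a strain that touches the share can rewrite it along with the files; the check proves the copy matches what was recorded, not that what was recorded was clean.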
“If backups are close at hand, offline and easy to restore, you can breathe a sigh of relief.”
What data is really important?
If you have critical data, it should be harder to reach, and therefore much less likely to be affected in a ransomware attack than, say, a laptop used by salespeople in the field. This means that if you have a laptop that gets compromised, it may be easier to just re-image it, restore your data and get on with your life.
Know how to spot a scam
Many ransomware campaigns use phishing emails as an entry point, and while user training makes it easier to spot these, the emails can be very convincing. For this reason, filtering at upstream email gateways, or even on the endpoint (depending on your environment), can spot rogue emails before they get a chance to act.
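A few of the checks such a gateway runs before delivery can be shown on a raw message. The script below is an added example, not code from the original post or from ESET: it parses a message with Python's standard email package and flags a Reply-To or Return-Path domain that differs from the From domain, executable or double-extension attachments (the classic "Invoice.pdf.exe" lure), and HTML links whose visible URL points to a different host than the real href. The sample messages, domain names, extension lists and rule wording are constructed for illustration; a production gateway combines many more signals (sender reputation, SPF/DKIM results, sandboxing) and these rules alone are neither complete nor false-positive free.

```python
"""Gateway-style phishing indicators for a raw message (added example, not ESET's code).

Uses only the standard library. Rules, extension lists and the constructed
sample messages below are illustrative assumptions, not a complete ruleset.
"""
import email
import email.policy
import re
from email.message import EmailMessage
from email.utils import parseaddr

RISKY_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".hta", ".jar", ".cmd", ".bat", ".ps1"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}
LINK_RE = re.compile(r'<a[^>]+href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def domain_of(header_value):
    """Mailbox domain from a From/Reply-To/Return-Path value, '' if absent."""
    _, addr = parseaddr(str(header_value) if header_value else "")
    return addr.rpartition("@")[2].lower()


def find_phishing_indicators(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    hits = []
    from_dom = domain_of(msg["From"])
    # 1. replies or bounces routed somewhere other than the claimed sender
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            hits.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # 2. executables, and documents that are really executables
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXT:
            hits.append(f"executable attachment {name}")
        if len(pieces) > 2 and "." + pieces[-2] in DOC_EXT:
            hits.append(f"double extension {name}")
    # 3. link text that shows one host while the href goes to another
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for m in LINK_RE.finditer(html.get_content()):
            href_host = HOST_RE.search(m.group("href"))
            text_host = HOST_RE.search(m.group("text"))
            if href_host and text_host and href_host.group(1).lower() != text_host.group(1).lower():
                hits.append(f"link text shows {text_host.group(1)} "
                            f"but points to {href_host.group(1)}")
    return hits


def build_sample_message(phishy):
    """Constructed sample: a supplier invoice, legitimate or a lure."""
    msg = EmailMessage()
    msg["From"] = 'Accounts Payable <accounts@supplier.example>'
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "Invoice 2017-01 overdue"
    if phishy:
        msg["Reply-To"] = "accounts.supplier@freemail.example"
        msg["Return-Path"] = "<bounce@mailer-x.example>"
        href, filename = "http://paymnt-portal.example/login", "Invoice_2017.pdf.exe"
    else:
        msg["Return-Path"] = "<bounce@supplier.example>"
        href, filename = "https://portal.supplier.example/pay", "Invoice_2017.pdf"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative(
        f'<p>Please <a href="{href}">https://portal.supplier.example/pay</a> '
        "to confirm.</p>", subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def demo():
    """Returns (hits for the clean message, hits for the lure)."""
    return (find_phishing_indicators(build_sample_message(False)),
            find_phishing_indicators(build_sample_message(True)))


if __name__ == "__main__":
    clean, phish = demo()
    print("clean:", clean or "no indicators")
    print("lure:", *phish, sep="\n  ")
```

The From/Reply-To mismatch rule fires on plenty of legitimate mail (ticketing systems, newsletters), which is why a gateway scores signals rather than blocking on any one; the attachment rule is the one worth enforcing outright, since an executable disguised as a document has no business reaching a user's inbox.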
As long as it’s profitable, ransomware will continue to flourish. By taking these steps, we all can help reduce the likelihood of a payout, and defund the scammers. As soon as the money stops, they will too.

17.1.17

Invest in encryption and get it right


Fines by the UK’s Information Commissioner’s Office (ICO) for security breaches have been a matter of discussion for some time. For most, they seem fairly small; and if we think about the actual monetary value when compared to a large company’s earnings, they are.
The ICO is an independent authority set up to uphold information rights in the public interest. It has issued some fairly substantial fines that have included – but are not limited to – a record £400,000 for a telecoms company, £100,000 for a county council and £180,000 for an NHS trust in London – and that’s just 2016. As more and more companies are found to be negligent in their protection of our private data, these fines will have to rise to reflect growing public concern that they are not doing more.
The fine itself may seem fairly insignificant; but that, of course, is not the whole story. The negative PR exposure and the damage done through the act in the first place both have a cost.
“You should be able to take reasonable precautions to ensure you have done all you can to protect the data of your users.”
These days, the topic of security is on everyone’s lips and is something that every company needs to take seriously. Whilst it’s not possible to protect against every possible attack vector, you should be able to take reasonable precautions to ensure you have done all you can to protect the data of your users.
One of the simplest and often easiest methods of protecting data from being seen by unauthorised persons is encryption. However, as with many common “IT” procedures, it needs to be seamless and easy to use for the average user to utilise it effectively.
Even companies that have purchased encryption have ended up being on the wrong end of the ICO’s long arm because they failed to implement it correctly or even at all, as demonstrated by the recent case concerning Royal & Sun Alliance Insurance PLC.
Choosing the right encryption product therefore depends on many things, including ease of use, independent validation, flexibility and ease of deployment.
Encryption is not new; it has a relatively low cost and can be rolled out and maintained with ease. It would not have stopped the theft of the hard drive in this case, but it would have stopped the data on it being readable, provided the drive was encrypted with a key the thief did not also get hold of.
“Encryption is not new; it has a relatively low cost and can be … maintained with ease.”
Fines need to be in place, but more importantly there needs to be a follow-up procedure of some kind: if you are holding other people’s data you need to do all you can to keep it safe.
Data loss or theft is something we have to deal with. With so many breaches taking place through lapsed security or outdated applications, companies need to do more to keep data safe. Stopping breaches entirely is nearly impossible, but making them harder is not as difficult as it sounds.