High-profile cyber security incidents, such as the one that recently cost TalkTalk an estimated £35 million, are guaranteed to grab the headlines, but it’s vital to remember that ordinary organisations are also struggling to protect their data every day: the nature of the Internet means that every organisation is at risk.
IBM has been monitoring the security issues its Emergency Response Services team has observed in 2015, which it discusses in its new X-Force Threat Intelligence Quarterly report. And although it acknowledges that 2015 has “been a tough year for security teams [… the] good news is that organizations can take stronger responsibility, make a few small changes and see a big impact for the long term.”
According to IBM X-Force Threat Intelligence Quarterly, 4Q 2015, the top four cyber crime trends of 2015 have been:
- Onion-layered security incidents
In such incidents, “a second, often significantly more damaging attack is uncovered during the investigation of another more visible event.” Basically, a clumsy attack by a ‘script kiddie’ (I hate that phrase) will draw attention to a much more sophisticated one by a stealthier attacker that would otherwise be overlooked. Both commonly exploit the same vulnerabilities to get into your network in the first place. As IBM explains: “The common trait among a number of compromised systems we investigated was that they were running old operating system versions that hadn’t been patched in a long time.” The best way to remedy this is to apply rigorous patch management processes and employ regular penetration testing to identify vulnerabilities.
- Ransomware
Malware that locks users out of their systems, or steals their data and then demands a ransom to return it, is becoming increasingly common. In some cases, ransomware infections recur repeatedly because the underlying issues are never addressed: principally, a failure to back up data, poor patching procedures and a lack of user awareness. A “company-wide training program on safe computer practices” is one of the best ways to mitigate this threat, so that, for example, every employee knows “how to recognize the signs of phishing attempts.”
- Malicious insiders
In the majority of malicious insider attacks, disgruntled former employees had prepared for their departure “by installing remote administration tools (RATs) such as LogMeIn or TeamViewer for access to the employer’s network.” These allowed a way back in, and with it the ability for them to “cause a lot of damage for a long time”. Disabling administrators’ “personal accounts did not limit their ability to perform unauthorized activity on the network via one or more of the shared accounts they had routinely used in their job.” Shared accounts and a lack of accountability were the main issues – these could be addressed via proper termination and privilege management procedures, and good password policies.
- Greater management awareness of cyber security threats
A positive trend to end on, as “people in positions of oversight—management, boards of directors, audit committees—are asking more questions about their organizations’ security posture”. Good information security covers the entire organisation and has to be led from the top down. Board-level involvement in cyber risk management isn’t just advisable – it’s essential.
Information security management best practice
A robust information security management system (ISMS) addresses people, processes and technology, and will address all of the issues highlighted above, from patch management, penetration testing and staff awareness training to effective policies and procedures, and board-level oversight of security issues.
ISO 27001 is the international standard for information security management, and sets out the requirements of an ISMS that can be employed by organisations of all sizes and sectors to ensure robust defences are applied. Certification to the Standard reassures customers, stakeholders and staff that a best-practice approach to cyber risk is being taken.
Implementing an ISO 27001-compliant ISMS and achieving certification to the Standard can, however, be a complicated undertaking, so ensuring you have the right skills to lead or audit an ISO 27001 project is essential to its success.
It’s well known that there is a significant shortage of skilled and qualified information security professionals around the world, with salaries rising dramatically to reflect rising demand.
According to the latest ISO Survey, there was a 17.6% growth in the number of ISO 27001 certificates in the UK last year. As more and more organisations seek to implement best-practice information security based on the Standard, an ISO 27001 qualification is something that IT executives, compliance managers and management systems professionals can no longer afford to be without.