This week, we delve into the government’s FTSE 350 Cyber Governance Health Check report, Microsoft’s Security Intelligence Report Volume 24, and Cisco’s latest Data Privacy Benchmark Study.
Hello and welcome to the IT Governance podcast for Thursday, 7 March 2019.
After – we think – 160 episodes and approaching 200,000 listens, I have to announce that our days are numbered. This podcast has, sadly, reached the end of its life and next week’s will be the last edition. Our producer Jay and quondam producer Lewis are both leaving IT Governance for fresh woods and pastures new, and I can’t be trusted to press the record button on my own. So, for the penultimate time, here are this week’s stories.
Actually, I say ‘stories’, but it’s the time of year when reports about the previous year’s security trends start being released in abundance, so let’s look at a few of those instead.
On Tuesday, the Department for Digital, Culture, Media & Sport published its FTSE 350 Cyber Governance Health Check 2018 report. It found that, although board-level perception of cyber threats is on the up, some of the UK’s biggest companies still don’t properly understand the effects a cyber attack could have on their customers, share price and reputation: only 16% of respondents reported “that their board has a comprehensive understanding of the impact of loss or disruption associated with cyber threats”.
However, that’s not to say that boards are unaware of the risks they face. According to the report, the proportion of them that consider “the risk of cyber threats to be high or very high” increased from 54% in 2017 to 72% in 2018.
This increase can be partly attributed to the EU GDPR (General Data Protection Regulation): 77% of respondents said that board-level “discussion and management of cyber security had increased” since the GDPR took effect, “with more than half of these businesses also introducing increased security measures as a result”.
However, although 95% of businesses have cyber security incident response plans, only 57% test them on a regular basis – an essential part of maintaining their effectiveness. After all, a plan that isn’t tested isn’t really a plan at all – it’s just conjecture.
Ciaran Martin, the CEO of the National Cyber Security Centre, commented: “Every company must fully grasp their own cyber risk […] Cyber security is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks.”
Microsoft’s recently released Security Intelligence Report for 2018 had a modicum of good news: ransomware, cryptojacking and malware attacks all decreased in number last year. However, phishing attacks increased by a whopping 250% between January and December, with campaigns becoming “increasingly polymorphic”, using multiple URLs, domains and IP addresses to distribute malicious payloads.
Microsoft observed an increase in the use of “hosted infrastructure and other public cloud infrastructure to avoid detection by hiding among legitimate sites and assets”, and “the use of compromised accounts to further distribute malicious emails both inside and outside” organisations.
Common types of phishing lures in 2018 included:
- Domain spoofing, where the email message domain exactly matches the original domain name;
- Domain impersonation, where the email message domain is a lookalike of the original domain name;
- User impersonation, where the email appears to be from someone the recipient knows;
- Text lures, where the email appears to be from a trusted organisation;
- Credential phishing links, where the email contains links to malicious sites that harvest login credentials;
- Phishing attachments, where the email contains a malicious attachment; and
- Links to fake cloud storage locations.
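The sender-based lures in that list can be turned into a simple triage rule for inbound mail. The following is an added example, not code from Microsoft's report or from IT Governance, that maps a message's From and Authentication-Results headers onto three of the report's categories (domain spoofing, domain impersonation, user impersonation); the protected domain, the staff directory and the sample messages are constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed sample data: the brand domain we protect and a directory of
# colleagues whose display names an attacker might borrow.
PROTECTED_DOMAINS = {"example.com"}
KNOWN_PEOPLE = {"jane doe": "jane.doe@example.com"}
# Common look-alike substitutions seen in domain impersonation.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e"}


def normalise(domain: str) -> str:
    """Lower-case a domain and undo common homoglyph substitutions."""
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(headers: dict) -> str:
    """Map From/Authentication-Results headers onto the report's lure categories."""
    display, addr = parseaddr(headers.get("From", ""))
    if "@" not in addr:
        return "malformed sender"
    domain = addr.rsplit("@", 1)[1].lower()
    auth = headers.get("Authentication-Results", "").lower()
    auth_pass = "spf=pass" in auth or "dkim=pass" in auth
    if domain in PROTECTED_DOMAINS:
        # Exact match on our own domain is genuine only if SPF/DKIM vouch for it.
        return "legitimate" if auth_pass else "domain spoofing"
    for protected in PROTECTED_DOMAINS:
        brand = protected.split(".")[0]
        if (normalise(domain) == protected
                or edit_distance(domain, protected) <= 2
                or brand in re.split(r"[.-]", domain)):
            return "domain impersonation"
    if display.lower() in KNOWN_PEOPLE and KNOWN_PEOPLE[display.lower()] != addr.lower():
        return "user impersonation"
    return "no sender lure detected"
```

In practice the spoofing branch should be driven by the receiving MTA's DMARC verdict rather than a substring search on the header, but the classification logic is the same.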
As attacks continue to evolve to evade automated detection, it’s more important than ever to ensure that staff, as the last line of defence, are properly equipped to respond to phishing threats.
Finally, Cisco’s new Data Privacy Benchmark Study is full of interesting research about GDPR compliance. According to the report:
- 59% of global respondents report that they meet most or all of the GDPR’s requirements;
- 29% said they expect to meet most or all of them within a year; and
- 9% think it will take them more than a year to comply.
In the UK, 69% of respondents consider themselves compliant with the Regulation.
When it comes to compliance challenges, meeting data security requirements came top, with 42% of respondents reporting concerns, followed by:
- Internal training (with 39%);
- Staying on top of developments as the Regulation matures (35%);
- Complying with privacy-by-design requirements (34%); and
- Meeting data subject access requests (also 34%).
However, compliance with the Regulation has benefited companies in numerous ways, with data privacy maturity giving GDPR-ready companies a significant competitive advantage.
Those organisations that were ready for the GDPR:
- Had shorter sales delays as a result of customer privacy concerns;
- Were less likely to have suffered a data breach in the last year; and
- When they did suffer a breach, saw fewer data records affected, suffered shorter system downtime and reported lower overall costs.
As Cisco observes, “privacy investment has created business value far beyond compliance and has become an important competitive advantage for many companies”.
You can find everything you need to help with every stage of your GDPR compliance journey on our website at itgovernance.co.uk/gdpr.
Well, that’ll do for this week. Next week is the last podcast, so if there’s anything you want to hear about or anything you’d like to say, leave a comment and I’ll do what I can. Until then, remember that whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.