A new survey commissioned by the UK Government’s Department for Business, Innovation and Skills (BIS) has revealed the scale of cyber attacks on UK companies. The 2013 Information Security Breaches Survey, which collected data from 1,402 respondents, presented results for large organisations (in excess of 250 employees) and small firms (fewer than 50 members of staff).
One of the key findings of the report was the level of attacks sustained by businesses, with breaches reaching record levels. The survey discovered that 93% of large organisations experienced a security breach last year, a figure broadly in line with the 2012 report. Smaller businesses, however, saw a marked increase in the number of attacks levied against them: 87% of smaller firms reported experiencing a data breach last year, up significantly from 76% the previous year.
An average of 113 security breaches
The number of security breaches within each of the affected companies also showed a sharp increase. Larger companies experienced an average of 113 breaches and smaller firms reported 17 such incidents, an increase across the board of almost 50% year on year.
It’s not only the number of breaches that has increased amongst survey respondents; the financial impact has also risen. The survey concluded that the worst security breaches were costing large companies an average of between £450,000 and £850,000 each. Smaller businesses typically experienced losses of between £35,000 and £65,000.
The survey determined that the attacks faced by businesses over the last year came from both outside and inside the organisation.
A whopping 78% of large organisations reported attacks from outsiders over the last year, with 39% of those incidents being denial of service attacks. Smaller companies fared slightly better in both regards, with 63% reporting outside attacks, and 23% of smaller firms experiencing a DoS attack.
The survey respondents did not just experience random attacks, though: 14% of larger businesses reported the theft of confidential data or intellectual property by external attackers, while 9% of smaller firms experienced such losses too.
36% of the worst breaches down to human error
Insider threats also pose a risk to organisations. The survey found that technology, people and processes were to blame in several cases. Of the worst security breaches during the year, 36% were attributed to human error. Alarmingly, a further 10% of the reported security breaches were pinned on staff misuse of systems.
On a more positive note the survey discovered that attitudes towards information security are generally good and continually improving too.
The survey found that 76% of larger organisations believe that senior management place a high level of priority on information security. Interestingly, smaller firms were better, with 83% placing a strong emphasis on security.
It should be noted that while the vast majority of larger companies now have a written security policy in place, most respondents indicated that staff understanding of the policy is still relatively poor, which in turn led to twice as many internal security breaches as in organisations where employees had a good understanding of the policy.
Another contributory factor in internal breaches could be a lack of staff training. Survey respondents indicated that many large organisations only prioritised training after a breach. At the time of induction, 10% of new staff were given no security training whatsoever, and 42% of large firms had no ongoing security awareness training of any kind.
Given the level of security incidents experienced by firms of all sizes it is not surprising to learn that many of those surveyed expected security spending to either stay the same in the coming year or to increase.
Larger organisations expect to spend more next year in customer data protection and compliance, but just how much a business spends on security seems to be highly dependent upon the outlook of senior members of the management team.
The survey ends by saying that the majority of firms believe that the number of breaches next year is likely to be higher. As per this year, attacks are expected in every industry though the public sector and financial services showed more concern than other sectors.
Dealing with security breaches
Respondents’ replies suggest that the best course of action in dealing with security breaches, which will likely affect most companies this year, is to have a strong set of contingency plans in place. It is also advisable to have an incident handling plan in place before a breach takes place rather than afterwards.
Likewise, training people in security best practices from day one is a sound investment. Good quality training is likely to minimise the risk of being the next company facing a PR challenge following a high profile security incident.
After all, bad publicity can have a very negative influence upon consumer trust in a business, a fact that has been borne out by another recent survey undertaken by Populus. That survey suggests that around one quarter of UK residents have had their online accounts hacked with a significant number of victims saying they would cease to do business with any entity that had been breached.
Article from Sophos, by Lee Munson
Acquisitions will be leading cause of cloud vendor reduction, says Gartner
I am not a fan of cloud computing for many reasons; ask me and I’ll tell you, or read my archive blogs. So far it has all the attributes of mis-selling, along with endowment mortgages, PPI and extended warranties. It’s a bandwagon: there are so many people offering it, and it’s “pay a little for a long time”, making it expensive in the long term.
We are being offered white package cloud services at a rate of three a day. It’s being sold as a “trap a client and get rich quick” scheme, which worries us, but the main worry is handing everything over to someone else who doesn’t have to give it back.
Now Gartner has made this prediction it means the bubble will burst earlier than even we thought it would.
Cloud users face serious risk in the next two years because of the strong possibility that their provider will be acquired or forced out of business, according to Gartner.
The research firm is predicting a major consolidation in cloud services and estimates that about 25% of the top 100 IT service providers in the infrastructure space won’t be around by 2015. “One in four vendors will be gone for whatever reason — acquisition, bankruptcy,” said William Maurer, a Gartner analyst. Most of the time, the changes will come through acquisition.
“There is real risk,” said Maurer to a packed room for his presentation at the Gartner Data Center Conference in Las Vegas.
“We’re in the phase of buyer beware with cloud,” said Michael Salvador, who attended the presentation. He is a technical solutions manager at Belden, which makes cable, connectivity and networking products. “You better do your research — there’s no safety net out there,” he said.
Concerns about risks may drive some users to large vendors, Salvador said, but smaller providers may offer better prices or some additional guarantee that a large provider may not offer.
There is pressure on providers to cut costs, but Maurer told his audience to be gentle with their vendors.
“You need to make sure that your service providers are successful,” said Maurer. “Give them a chance to make a reasonable return on their investments, give them a chance to make some money. Don’t take all the money off the table, because if you do, you are not going to have a lot of them around.”
The standing-room-only audience was already convinced of the risks to cloud, based on their responses to an audience participation question, which recorded answers electronically.
The audience question was asked: “At what level do the risks associated with outsourcing some/all of your data center solutions to one or more of the ‘aaS’ models (meaning infrastructure-as-a-service, software-as-a-service, platform-as-a-service and others) prevent you from making the decision to move forward? (Select one)”
Nearly 50% saw cloud-based solutions as having “a great deal of risk” while 33% saw “somewhat” risk. Only 12% indicated there was little risk.
Gartner also predicts that the portion of organizations using cloud services will reach 80% by the end of this year.
I’ve said it before: “The best thing about standards is there are so many to choose from.”
USB is to get a new, smaller connector that will be reversible.
Designed to support both USB 3.1 and USB 2.0, the new connector, dubbed “Type C”, will be the same size as an existing micro USB 2.0 plug.
That’s a big improvement over existing USB 3.0 micro “Franken-connector” jacks, which extend the tiny “USB 2.0 Micro B” connector with a bigger USB 3.0 plug. This compromise came about because of the need to ensure backwards compatibility with USB 2.0-only systems: USB 3.0’s performance improvements are delivered through an entirely separate bus.
The new connector will still carry two separate buses – though not necessarily simultaneously – but will not fit into existing USB ports of any kind. Gadgets will require new slots, then. Users will need new cables to hook up to their existing computer-hosted USB ports and AC adaptors for power.
Speaking of power, the Type C jack will support power charging across a range of voltages in order to support not only devices able to operate off standard USB power lines, but also kit like laptops that require much more power than USB usually delivers.
It’ll also be able to support future USB speed upgrades, paving the way for the bus to become a one-size-fits-all system for connectivity and energy. Almost that – there’s still display data, of course. But if they can manage to cram DisplayPort or HDMI in there too, we’d be able to run everything off the same kind of cable.
The USB Implementers Forum, overseer of the USB standard, said it expects to have the USB Type C specification ready during the first quarter of 2014, with the final specification published around the middle of next year. Products using the connector won’t appear for another 18 months or so after that.
Don’t blame RBS for its failure, most of you have made the same decisions
“For decades, RBS failed to invest properly in its systems.”
This further breakdown may come as a shock to RBS customers and instill a sense of smugness elsewhere, but be very, very careful: ask any IT consultant if this is surprising news and not only will they not be surprised, they will be shocked it doesn’t happen more often.
He went on: “We need to put our customers’ needs at the centre of all we do. It will take time, but we are investing heavily in building IT systems our customers can rely on.”
I would take a bet that 99.9% of IT spend is done like this: we are always having to backtrack our proposals to a lower cost, and usually the more expensive the cars outside, the lower the IT spend in proportion to the turnover of the company.
The major interest of anyone spending anything on IT is not “will it do the job now and in five years?” but “how much can we trim down the price to get it to something more reasonable?”
When was the last time a Director thought, “I want that MERCEDES / LEXUS / PORSCHE / MASERATI outside my office, but I will go for a lower price model because it will do the same and I don’t need everything that it offers and I will save money; I will go for a Ford Focus C-Max instead”?
There seem to be two misconceptions: 1. It is always more expensive than it should be, and 2. They are trying to make as much out of me as they can. Let me blow the myths away for us and our fellow consultants (the good ones, not the ones who are guessing). It will be the price it is; you get what you pay for. Everyone is trying to make as much as they can to survive and thrive, but not at your expense. If the answer is £5,000, why should I say £7,000? I am less likely to get the business, and why overspecify, unless I don’t know my job? However, if I say £3,000 then that, in your mind, will be too much and we start again.
Imagine you have had a heart attack and the Consultant tells you it’s going to cost £5,000 to make you better. Would you say, “You’re wrong, I only want to spend £3,000, give me a cheaper part and a budget operation”? Of course you would, wouldn’t you? You don’t value yourself, do you? Wrong, you’d soon find the extra dosh.
So why jeopardise your business health? Find someone you can trust and take their advice. That’s the hard part, isn’t it – trust? Do your clients trust you? Or will they be like RBS customers and go elsewhere when the service drops because the IT breaks? Never mind, you did buy the MERCEDES / LEXUS / PORSCHE / MASERATI because you needed it and it was the right decision at the right price, didn’t you?
A problem that plays on less tech savvy users – messes with data – Blackmails you for £300?
No, it’s not Cryptolocker, it’s a phone call.
The aim is the same: to get money using your credit card details.
This one has various forms, but it always starts with an unexpected phone call, usually “from BT or Microsoft”, although they don’t actually say that.
This is typical:
“A person called and identified themselves as a representative of Microsoft and stated that I had a virus just entered my computer system. Microsoft was watching as I have a Windows OS.”
They then have you look around the computer screen, asking questions. Eventually they ask whether you can see a particular icon, and they may even take control of your machine by sending you to an official-looking website.
They then show you the offending “virus”, which for a small payment of £6.50 they will remove for you. Which they do. All is well and you go away happy!
If you are suspicious, they will tell you they are from BT and that they can seize your line to prove it. They tell you to replace the receiver and then pick it up to dial. NO DIAL TONE! Then you put it down, the phone rings and there they are again, “proving” they are from BT, and of course you then trust them.
Now, what has actually happened: they call saying they are working with BT, Microsoft etc. Well, surprise, surprise, that’s not a lie; so are most of us. I also work with Tesco and the Bank of England (we use their fuel by using money).
Taking control of your computer is easy; you don’t have to do anything apart from clicking on a website. They then find a useless file “proving” they know what they are talking about. Well, you do trust them, don’t you?
They then take the credit card payment, but you have just given them all the details they need to make many transactions that will add up to your credit limit, not just the few pounds they said.
Oh, and how do they do the phone trick? Get someone to phone you, tell them to stay on the line while you hang up, and that you’ll be back in a second. Pick up the phone again and you will hear silence; just say “ring me back” and hang up, and they, if they like you, will ring back. Hey presto! Trick complete, and you are poorer if it was a phishing scam.
Remember, no one from any reputable company will do this. Ask for their number and extension and tell them you will ring them back, as your computer is not on and it’s a UNIX system. You have just called their bluff and proved you are more tech savvy than them. If you think you have a virus then call us on 01206 256459 or 01473 231800; we’ll advise you for free.