IT Governance is a leading global provider of IT governance, risk management and compliance solutions, with a special focus on cyber resilience, data protection, PCI DSS, ISO 27001 & cyber security. In an increasingly punitive and privacy-focused business environment, we are committed to helping businesses protect themselves & their customers from the perpetually evolving range of cyber threats.
We’re not going to lie: implementing an ISO 27001-compliant ISMS (information security management system) is hard work. But as the saying goes, nothing worth having comes easy, and ISO 27001 is definitely worth having.
Anyone needing guidance should take a look at our nine-step guide to implementing ISO 27001.
1. Assemble an ISO 27001 implementation team
Your first task is to appoint a project leader to oversee the implementation of the ISMS. They should have a well-rounded knowledge of information security (which includes, but isn’t limited to, IT) and have the authority to lead a team and give orders to managers, whose departments they will need to review.
The team leader will require a group of people to help them. Senior management can select the team themselves or allow the team leader to choose their own staff.
Once the team is assembled, they should create a project mandate. This is essentially a set of answers to the following questions:
What are we hoping to achieve?
How long will it take?
How much will it cost?
Does the project have management support?
2. Develop the ISO 27001 implementation plan
Now it’s time to start planning for implementation. The team will use their project mandate to create a more detailed outline of their information security objectives, plan and risk register.
This includes setting out high-level policies for the ISMS that establish:
Roles and responsibilities;
Rules for its continual improvement; and
How to raise awareness of the project through internal and external communication.
3. ISMS initiation
With the plan in place, it’s time to determine which continual improvement methodology to use. ISO 27001 doesn’t specify a particular method, instead recommending a “process approach”.
This is essentially a Plan-Do-Check-Act strategy, in which you can use any model as long as the requirements and processes are clearly defined, implemented correctly, and reviewed and improved on a regular basis.
You also need to create an ISMS policy. This doesn’t need to be detailed; it simply needs to outline what your implementation team wants to achieve and how they plan to do it. Once it’s completed, it should be approved by the board.
At this point, you can develop the rest of your document structure. We recommend using a four-tier strategy:
The next step is to gain a broader sense of the ISMS’s framework. The process for doing this is outlined in clauses 4 and 5 of the ISO 27001 standard.
This step is crucial in defining the scale of your ISMS and the level of reach it will have in your day-to-day operations. As such, it’s obviously important that you recognise everything that’s relevant to your organisation so that the ISMS can meet your organisation’s needs.
The most important part of this process is defining the scope of your ISMS. This involves identifying the locations where information is stored, whether that’s physical or digital files, systems or portable devices.
Defining your scope correctly is an essential part of your ISMS implementation project. If your scope is too small, then you leave information exposed, jeopardising the security of your organisation, but if it’s too large, your ISMS will become too complex to manage.
5. Baseline security controls
An organisation’s security baseline is the minimum level of activity required to conduct business securely.
You can identify your security baseline with the information gathered in your ISO 27001 risk assessment, which helps you identify your organisation’s biggest security vulnerabilities and the corresponding controls to mitigate the risk (outlined in Annex A of the Standard).
6. Risk management
Risk management is at the heart of an ISMS. Almost every aspect of your security system is based around the threats you’ve identified and prioritised, making risk management a core competency for any organisation implementing ISO 27001.
The Standard allows organisations to define their own risk management processes. Common methods focus on looking at risks to specific assets or risks presented in specific scenarios.
Whatever process you opt for, your decisions must be the result of a risk assessment. This is a five-step process:
Establish a risk assessment framework
Select risk management options
You then need to establish your risk acceptance criteria, i.e. the damage that threats will cause and the likelihood of them occurring.
Managers often quantify risks by scoring them on a risk matrix; the higher the score, the bigger the threat. They’ll then select a threshold for the point at which a risk must be addressed.
There are four approaches you can take when addressing a risk:
Tolerate the risk
Treat the risk by applying controls
Terminate the risk by avoiding it entirely
Transfer the risk (with an insurance policy or via an agreement with other parties).
Lastly, ISO 27001 requires organisations to complete an SoA (Statement of Applicability) documenting which of the Standard’s controls you’ve selected and omitted and why you made those choices.
We call this the ‘implementation’ phase, but we’re referring specifically to the implementation of the risk treatment plan, which is the process of building the security controls that will protect your organisation’s information assets.
To ensure these controls are effective, you’ll need to check that staff are able to operate or interact with the controls, and that they are aware of their information security obligations.
You’ll also need to develop a process to determine, review and maintain the competences necessary to achieve your ISMS objectives. This involves conducting a needs analysis and defining a desired level of competence.
8. Measure, monitor and review
You won’t be able to tell if your ISMS is working or not unless you review it. We recommend doing this at least annually, so that you can keep a close eye on the evolving risk landscape.
The review process involves identifying criteria that reflect the objectives you laid out in the project mandate. A common metric is quantitative analysis, in which you assign a number to whatever you are measuring. This is helpful for measuring things that involve financial costs or time.
The alternative is qualitative analysis, in which measurements are based on judgement. You would use qualitative analysis when the assessment is best suited to categorisation, such as ‘high’, ‘medium’ and ‘low’.
In addition to this process, you should conduct regular internal audits of your ISMS. The Standard doesn’t specify how you should carry out an internal audit, meaning it’s possible to conduct the assessment one department at a time. This helps prevent significant losses in productivity and ensures your team’s efforts aren’t spread too thinly across various tasks.
However, you should obviously aim to complete the process as quickly as possible, because you need to get the results, review them and plan for the following year’s audit.
The results of your internal audit form the inputs for the management review, which will be fed into the continual improvement process.
Certification audits are conducted in two stages. The initial audit determines whether the organisation’s ISMS has been developed in line with ISO 27001’s requirements. If the auditor is satisfied, they’ll conduct a more thorough investigation.
You should be confident in your ability to certify before proceeding, because the process is time-consuming and you’ll still be charged if you fail immediately.
This ensures that the review is actually in accordance with ISO 27001, as opposed to uncertified bodies, which often promise to provide certification regardless of the organisation’s compliance posture.
The cost of the certification audit will probably be a primary factor when deciding which body to go for, but it shouldn’t be your only concern. You should also consider whether the reviewer has experience in your industry. After all, an ISMS is always unique to the organisation that creates it, and whoever is conducting the audit must be aware of your requirements.
Want a hassle-free way of implementing ISO 27001?
Even with the advice listed here, you might find the ISO 27001 implementation project daunting. But there’s no need to go it alone.
Our ISO 27001 Get a Lot of Help package takes the hard work out of implementation, providing you with consultancy support, access to training courses, a licence for the risk assessment software vsRisk, two implementation guides and templates for every compliance document you need.
No matter where your organisation is based or what industry it’s in, we guarantee that you’ll gain accredited certification by following our advice.
The hospitality sector has been clamouring for technological innovation recently, with organisations eager to find novel ways to improve the customer experience.
You might have heard about Connie, a Watson-enabled robot concierge that’s been introduced at the Hilton in McLean, Virginia. But that’s just one example of cutting-edge technology sweeping the hotel industry, with many organisations leveraging IoT (Internet of Things) and other ‘smart’ tech to give customers a taste of the future.
However, there’s a growing perception that all this gadgetry is a distraction from the fundamentals of the hotel business: ensuring that guests’ privacy is intact and their information is secure.
It therefore makes sense that organisations plough whatever resources they have into addressing these concerns. This is particularly true for the hotel industry, which is one of the worst-affected by cyber crime and data breaches.
Crooks target hotels because they store large volumes of data, including names, addresses and payment information, and process the majority of transactions through POS (point-of-sale) machines, which are susceptible to malware.
Meanwhile, researchers at Symantec recently found that two out of every three hotel websites inadvertently leak guest information to third parties, giving unauthorised personnel the power to view, change or cancel bookings.
The study, which polled 1,500 hotels in 54 countries, also discovered that 67% of the hotels’ websites leaked booking reference codes and other information to advertising networks and analytics companies.
Additionally, some hotels leaked passport numbers and financial details, including the last four digits of payment cards, card types and expiration dates.
Symantec also reported several other alarming security lapses. For example, 29% of hotels didn’t encrypt initial links containing booking IDs and references to customers, which could enable crooks to eavesdrop and steal these details.
The researchers concluded that many of the hotels “have been slow to acknowledge, much less address” this risk, with 25% of the hotels’ privacy officers failing to respond to Symantec’s findings within six weeks.
Balancing security and experience
If you asked guests whether they’d rather hotels protected their personal information or gave them smart tech, we doubt there’d be much of a debate. But that’s a moot point, because there’s no reason why hotels can’t provide both. They just need to find the right balance.
Part of the issue relates to budget. Security technology is, in most cases, cheaper and simpler to implement than cutting-edge technology. ISO 27001, the international standard for information security management, and guidance related to the GDPR (General Data Protection Regulation), give straightforward instructions on how to achieve effective security.
Smart technology, by contrast, is defined by its lack of guidelines. Its appeal is in its originality, so those wanting to implement new ideas need to invest in the concept and ride out the teething problems. Once the technology is suitably affordable, it can be widely adopted – but with a severe dip in the novelty factor (and, by extension, the competitive advantage it offers).
It’s therefore not a case of what organisations can afford but what’s going to give them the best return on investment. Despite the increased attention that the public pays to information security, it’s usually impossible to know whether an organisation has lax security until it suffers a breach.
That’s hardly an effective security strategy, because customers aren’t going to turn a blind eye to a data breach just because your organisation has an Internet-enabled mini-fridge. Unfortunately, it’s a lesson that hotels are only learning after the fact.
Regardless, hotels will be equally affected if they don’t invest in innovation. A high-end hotel needs to keep up with the vanguard, and that’s becoming an increasingly uphill battle.
But this only strengthens the argument that innovation and security are not in opposition. Rather, hotels need to realise that both smart tech and cyber attacks are inevitable in the future, so their tech needs to be more secure than their competitors’.
Many hotels will rightfully argue that there are security benefits to high-end technology. Let’s go back to robot receptionists, which not only give guests a unique check-in experience but also mitigate the risk of data breaches caused by human error.
By taking the human out of the equation, hotels avoid the risk that a member of staff will provide a guest with incorrect information or enter personal data into the wrong fields. Likewise, it removes the possibility for insider misuse; guests enter their personal and payment details directly into the hotel’s systems, bypassing the possibility of a receptionist misappropriating the information.
On the face of it, there are no downsides. Automating the reception desk enables the hotel to speed up transactions, cut costs and improve its security.
In a development that shouldn’t surprise anyone (particularly fans of Michael Crichton), things quickly went wrong.
The 243 robots were tasked with managing every aspect of guests’ experience, including check-in, luggage carrying, concierge and in-room assistance, but visitors soon began complaining and the robots were quickly terminated.
Yoshihisa Ishikawa, for example, told the Wall Street Journal that he was repeatedly awoken in the middle of the night by the in-room assistance as his snoring triggered the robot to ask, “Sorry, I couldn’t catch that. Could you repeat your request?”
The hard-of-hearing robot incident isn’t just a case of technology disrupting guests; it’s a privacy breach. The only thing that makes the public trust that personal assistant devices, like Alexa and Siri, aren’t constantly spying on us is the belief that the devices only activate when their owner utters a specific phrase.
If a machine can mistake the sound of snoring for an activation phrase, who’s to say that the technology isn’t always listening in on our conversations?
It’s one thing to have a personal device listening to you at home, but there’s something altogether more sinister about a hotel spying on its guests. Even perfectly well-intentioned consequences, like the windows opening when you mention to a fellow guest that you’re hot, seem unsettling, and that’s before you get on to the ways the tech could be used to make money from you.
It might not have been a Westworld-style nightmare, but the Weird Hotel’s pursuit of novelty created a worrying situation that other hotels need to acknowledge. Innovation cannot be the goal itself; rather, you must consider what the technology achieves and its potential unintended consequences.
But why strive for robots at all? The technology has limited capabilities, with many guests reporting communication issues, and there are plenty of other innovations that are affordable, implementable, and give guests something they actually want.
Which technologies can help?
According to a Hospitality Tech survey, the industry’s top two challenges are a lack of IT budget and outdated technology architecture. Both are fundamental to security, and must be addressed if any guest-facing technology is going to be effective and secure.
The technology could be used alongside or instead of key cards when accessing your room, and it could be linked to a variety of services across the hotel. With a swipe of your finger, you could add a meal to your tab or enter the VIP lounge.
For your organisation to get the most out of biometrics, or any tech, you need to ensure that it’s integrated with the rest of your systems. You cannot think of technology as a replacement for people; rather, the two support each other alongside processes as the three core aspects of information security.
A version of this blog was originally published on 9 November 2017.
Documentation is a crucial part of any ISO 27001 implementation project, and one of the most important documents you need to complete is the SoA (Statement of Applicability).
In this blog, we explain what an SoA is, why it’s important and how to produce one.
What is a Statement of Applicability?
An SoA summarises your organisation’s position on each of the 114 information security controls outlined in Annex A of ISO 27001.
Clause 6.1.3 of the Standard states that an SoA must:
Identify which controls an organisation has selected to tackle identified risks;
Explain why these have been selected;
State whether or not the organisation has implemented the controls; and
Explain why any controls have been omitted.
Every control should have its own entry, and in cases where the control has been selected, the SoA should link to relevant documentation about its implementation.
Which controls do you need to implement?
Organisations are only required to implement controls that are appropriate to the risks they face. They should determine which controls apply to them by conducting an ISO 27001 gap analysis and risk assessment. These processes help organisations identify the risks they face, which they can match to the relevant control.
Annex A provides a useful outline of each control, but you’ll probably need something more in-depth when it comes to the implementation process. That’s where ISO 27002 comes in. It’s a supplementary standard in the ISO 27000 series, providing a detailed overview of information security controls.
ISO 27002 provides detailed information on each control, explaining how each one works and providing advice on how to implement it.
The SoA is a useful document for everyday operational use, because it provides comprehensive coverage of your organisation’s information security measures.
You can refer to it to understand how and why your organisation is tackling certain risks and accepting others.
This is especially important when ensuring continual improvement within your organisation. You can assess whether the controls you’ve implemented are working as intended and assess whether other controls might be more suitable.
Likewise, you can review why you chose to accept risks and determine whether the threat landscape has increased significantly enough to warrant a change.
An SoA also has significant regulatory consequences. If you are investigated for a data breach, you can use your SoA to justify your information security controls and prove that your defences were implemented in line with an ISO 27001-compliant risk assessment.
How to save time writing your Statement of Applicability
This blog has been updated to reflect industry updates. Originally published December 2017.
With the number of data breaches increasing every year, they are now a huge issue for organisations. 46% of all UK businesses identified at least one cyber breach in the past 12 months, and the International Data Corporation predicts that a quarter of the world’s population will have been affected by a data breach by 2020. It should be obvious that it’s a priority for companies to learn how to keep data secure.
How are breached businesses affected?
A business suffers in many ways when it falls victim to a data breach, one of which is dealing with the financial repercussions. There are a range of different costs associated with a data breach, such as paying back any money taken as a result of the breach, compensating affected customers, share value plummeting and having to pay for the right protection to ensure a breach doesn’t happen again.
In addition, breached companies can be fined by the ICO (Information Commissioner’s Office) with penalties reaching a maximum of €20 million (about £17 million) or 4% of global annual turnover, whichever is greater, under the GDPR (General Data Protection Regulation).
After paying off fines, the breached company also has to deal with reputational damage. Breaches have a massive negative impact on a company’s customer base, particularly if the breach involved sensitive data. Customers lose confidence in the brand and don’t feel that their data is secure. A breach also puts off potential customers.
The impact of a breach is tied to the type of data involved. If the organisation’s confidential data has been exposed, it can have catastrophic effects. If personal and financial details of staff and customers are breached, those people are left open to the risk of identity theft.
In 2015, TalkTalk suffered a data breach in which the details of more than 150,000 customers were stolen, including bank account details of about 15,000 of those customers. The company lost 95,000 subscribers as a result of the attack, costing it £60 million. On top of that, TalkTalk was also fined £400,000 by the ICO. However, TalkTalk subsequently failed to adequately protect its data and, in 2017, the details of more than 21,000 people were unlawfully taken. On this occasion, the company was fined £100,000. If this breach took place now, TalkTalk would almost certainly receive a significantly higher fine.
Data Protection Officer as a Service
Our sister company GRCI Law Limited is a legal consultancy specialising in data protection and cyber security. Under its DPO as a service offering, a qualified, experienced member of the team will act as DPO (data protection officer) for your organisation. The role of the DPO is to monitor your data protection activities and compliance with the GDPR, and to offer advice on a day-to-day basis.
Implementation status: Transposed, with the Implementation Act (Federal Law Gazette, BGBl. I 2017 of 29 June 2017) amending the Act on the Federal Office for Information Security, Atomic Energy Act, Energy Industry Act, Social Insurance Code V and the Telecommunications Act
Implementation status: In progress
Implementation status: Transposed, with Act 134 of 2017 and Government Decree 394/2017 (XII. 13) modifying certain interior-related tasks and corresponding laws.
The number of member states that have implemented the NIS Directive has doubled since the compliance deadline, with only six lagging behind (Belgium, Croatia, Greece, Lithuania, Luxembourg and Malta).
Still, that’s hardly reason to celebrate. The Directive has been in effect for almost a year now, so there’s no reason why any member state shouldn’t have implemented it. Failure of national governments to transpose the legislation into law prevents organisations from making the necessary changes, therefore increasing the possibility of serious breaches.
Fortunately, this isn’t a problem in the UK and many other countries. The UK government was one of the few to implement the Directive before the compliance deadline, and it has published plenty of guidance to help organisations understand their requirements.
Any organisation that wants help meeting the UK’s version of the Directive, the NIS Regulations, should take a look at our green papers. We explain the compliance requirements in an easy-to-understand way and offer tailored advice for OES (operators of essential services) and DSPs (digital service providers):
Information security management remains a serious issue for the legal sector, with law firms reporting an increase in targeted attacks in 2018. Large volumes of client funds and confidential information are irresistible to cyber criminals, so it is unsurprising that 60% of law firms reported that they had suffered a security incident during the year (PwC Law Firms’ Survey 2018).
Leading law firms are tackling cyber threats head-on with ISO 27001, the international standard for information security. By implementing a best-practice ISMS (information security management system) and certifying to ISO 27001, management teams can safeguard their firm. With cyber attacks on the rise, data protection should be a high priority for all law firms.
ISO 27001 certification is increasingly demanded of law firms when tendering for major projects. Achieving accredited certification to ISO 27001 will put your firm in the running for these tenders and demonstrates that you are committed to protecting your clients’ confidential data.
What is ISO 27001?
ISO 27001 is one of the most popular information security standards in the world, with certifications growing by more than 450% in the past ten years. It sets out the requirements for an ISMS, which is a systematic approach to information security focusing on people, processes and technology that helps you protect and manage all your organisation’s information through effective risk management.
Be proactive with your firm’s information security
PwC’s 2018 survey found that 46% of law firms had a security incident related to their own staff where the firm had suffered a loss or leak of confidential information. When asked about IT disaster recovery, only 27% of respondents were very confident that their testing had completely demonstrated that their firm’s end-to-end operable services could be recovered in accordance with business recovery requirements. The survey results indicated that, in the event of a serious incident, some law firms might not be prepared to respond appropriately.
Since the GDPR (General Data Protection Regulation) came into force in May 2018, all organisations are legally required to report certain types of personal data breach to the ICO (Information Commissioner’s Office) within 72 hours of becoming aware of the breach. This makes it essential for law firms to ensure that they can promptly identify and understand the nature and scale of any breaches.
Since employees can jeopardise your firm’s security with a single moment of carelessness, it is clear that addressing information security risks is about far more than simply implementing processes and installing anti-malware and antivirus software. A more proactive approach to information security is needed, and this should include ensuring that all members of the firm are adequately trained.
How will my firm benefit from ISO 27001?
ISO 27001 can help your firm protect the confidentiality, integrity and availability of your firm’s information assets, as well as those of your clients.
It helps you meet your legal and regulatory data protection obligations while improving your firm’s cyber security posture and productivity.
Your firm can achieve independently audited certification to the Standard when you implement an ISO 27001-compliant ISMS, demonstrating your firm’s information security credentials to clients, stakeholders and regulators.
Following certification to the Standard, you can specify that your key suppliers also achieve certification, ensuring that these third parties also maintain suitable levels of security. This supports GDPR compliance.
Your firm will be in good company: approximately 40,000 organisations around the world – including numerous law firms – are already certified to ISO 27001.
Get your firm on track with ISO 27001
We are pleased to have worked with many law firms to implement ISO 27001, ranging from the Magic Circle to medium-sized and smaller firms, so we are well-placed to assist you.
Fast-track your ISO 27001 project, cut your costs and save time with our implementation bundles, designed to suit firms of any size.
Although organisations are devoting more resources to cyber security in order to tackle the growing threat of data breaches, 87% say they don’t have the budget to meet their needs, a new report has found.
This is a worrying trend, as it could exacerbate the problem in the future. So, how can you address it?
Protect the enterprise
The most important part of cyber security is identifying which assets are most important and where they are located. It’s only when you know what needs to be protected that you can build appropriate defences in line with your budget.
Unfortunately, EY believes that few organisations have a clear picture of this. This isn’t a surprise because, according to the survey, more than half of organisations don’t make protecting their organisation an integral part of business operations.
To rectify this, EY recommends that organisations ask:
What are our most valuable information assets?
What are our most obvious cyber security weaknesses?
What are the threats we’re facing?
Who are the potential threat actors?
Have we already been breached or compromised?
How does our protection compare with our competitors?
What are our regulatory responsibilities, and do we comply with them?
That last point is crucial, not only because of the potential penalties for non-compliance but also because legal requirements can guide you towards effective security.
The GDPR (General Data Protection Regulation), for example, includes a comprehensive list of security and privacy best practices. Granted, it’s a complex piece of legislation, and meeting all of its requirements will take time and effort, but that’s the case however you approach cyber security.
Optimise cyber security
Despite budgetary constraints, 77% of organisations say they are seeking to move beyond basic cyber security protections to fine-tune their capabilities.
Although this is good news, it might cause organisations to spread their resources too thinly. The basics – like staff awareness training and security testing – still need to be maintained, and as the threat of cyber crime continues to spiral, the cost of retaining your current level of protection grows.
EY suggests that the best approach might be to rethink your cyber security framework to look for more efficient ways of operating. There’s a good chance that, as organisations expand their defence capabilities, their practices will be duplicated or become outdated.
By making a short-term investment in updating your operations, you could reap the benefits for years to come.
You can assess the efficiency of your defences by asking:
What is our cyber security strategy?
What is our tolerance and appetite for risk?
Are there any low-value activities we could do more quickly or cheaply?
How could technologies such as robotic process automation, artificial intelligence and data analytics tools help us?
Where do we need to strengthen our capabilities?
What can we stop doing?
EY also points to the emerging challenge of data breach notification. Many organisations don’t consider this part of their cyber security strategy, because it doesn’t help prevent incidents.
However, the sheer number of threats you face means you can’t rely on your ability to prevent breaches. With an effective system for identifying and disclosing incidents, you can reduce the costs that follow breaches, protect your reputation and meet your regulatory requirements. These are the same goals as your other cyber security strategies, so you should consider it part of your overall defence strategy.
EY’s final recommendation is to look for ways to integrate security practices within business processes from the outset of any new projects.
Security by design is a fundamental principle of the GDPR, and if your organisation is to follow suit, EY says you’ll need to focus on emerging technologies and customer experience. You should also ask:
Is our entire supply chain secure?
How do we design and build new channels that are secure by design?
Where does cyber security fit into our digital transformation-enabled business model?
Could strong privacy and data protection give us a competitive advantage?
How focused on cyber security is our board as it pursues our digital ambitions?
How are our most senior executives taking ownership of, and showing leadership on, cyber security?
Do we have enough focus on cyber security in our entire ecosystem?
Many organisations now regard emerging technologies as a top priority when considering their cyber security budgets. In most cases, this simply means using the Cloud more, but EY suggests that organisations should also consider making use of robotic process automation, machine learning, artificial intelligence and the Internet of Things.
You must move forward
These three recommendations aren’t stepping stones towards security, warns EY. You can’t expect to progress from protection to optimisation to growth, because that misses the point; they must be addressed in unison as part of your overall cyber security strategy.
You must also accept that cyber security is a moving target, so there’s no need to focus too much on your security posture at any one moment in time. Instead, look for strategies that allow you to address the immediate future while remaining flexible enough to stay prepared for the long-term.
Anyone interested in finding appropriate solutions for their organisation should take a look at our range of products and services. Whether you’re looking for general advice or specific solutions geared towards legal and best practice compliance, we’re here to help.
More than 50 universities in the UK have had their lack of cyber defences exposed, with security testers breaching their systems in under two hours.
The tests were conducted by Jisc, the agency that provides Internet services to the UK’s universities and research centres. The organisation’s penetration testers were successful in every attempt, accessing personal data of students and staff, finance systems and research networks.
These are highly targeted scam emails that are sent to senior personnel in an organisation. The hackers claim to be a trusted source, such as a colleague or a third party, and attempt to lure the victim into clicking a link or downloading an attachment that contains malware.
John Chapman, the head of Jisc’s security operations centre, warned that the vulnerabilities could be a sign of an impending “disastrous data breach or network outage”.
He added: “We are not confident that all UK universities are equipped with adequate cyber-security knowledge, skills and investment”.
“Cyber attacks are becoming more sophisticated and prevalent and universities can’t afford to stand still in the face of this constantly evolving threat.”
It’s not hard to see why Chapman would call these findings a disaster. The education sector is one of the most highly targeted by cyber criminals, with a recent freedom of information request revealing that there were more than 700 data breaches at UK schools and academies in 2018.
Meanwhile, the Times reported last year that there were 1,152 data breaches at UK universities in 2016–17, with many attacks geared towards stealing financial information and intellectual property.
Burden of responsibility
David Maguire, who chairs Jisc, says that universities “accrue huge amounts of data”, which “places a burden of responsibility on institutions, which must ensure the safety of online systems”.
Carsten Maple, the director of cyber security research at Warwick University, agrees that universities need to improve their defences urgently.
“Universities drive forward a lot of the research and development in the UK. Intellectual property takes years of know-how and costs a lot. […] Certainly somebody might attack a university and then provide that information to a nation state.”
Professor Maple added that criminals could make “a very good business case” for hacking universities because of the low costs incurred and their poor digital defences.
Dr Anton Grashion, the head of security practice at Cylance, concurs, telling the BBC that the open networks many universities run make them a “tempting and easily accessible” target.
He added: “It’s no surprise that universities are suffering from an increase in security breaches. Their network environments are some of the most challenging networks to manage, with usually smaller security and staffing budgets.”
Reducing cyber attacks through staff training
As the Jisc project demonstrates, cyber attacks are often caused by human error. Simple training can substantially reduce this risk. Our e-learning is a straightforward and cost-effective way to quickly train all staff and students in spotting threats.
Toyota has disclosed a data breach that may have affected up to 3.1 million customers. It’s the second time the car manufacturer has been breached in the last five weeks.
In a statement released on 29 March 2019, the organisation confirmed that several of its Asian subsidiaries were targeted by criminal hackers. It said that it is taking the situation seriously and will implement security measures at dealers and the entire Toyota group.
Few details have emerged about the breach, with Toyota stating that it is still investigating what data might have been breached, or if anything has been compromised at all.
The only facts that have been established are the subsidiaries that were attacked:
Toyota Tokyo Sales Holdings
Tokyo Tokyo Motor
Toyota Tokyo Corolla
Nets Toyota Tokyo
Lexus Koishikawa Sales
Toyota West Tokyo Corolla
The day after the initial announcement, Toyota subsidiaries in Vietnam and Thailand made separate statements about suspected attacks.
Both organisations said that they have “come to be aware of a possibility” of a breach, and that “while we have no evidence of customer information loss at this moment, details are currently under investigation, and we intend to share further specifics, if any, as soon as details are available”.
One of the few certainties of the incident, according to Toyota, is that no financial information was affected, although we’d put the brakes on that conclusion, given that the investigation is still ongoing.
Erring on the side of caution
You might not expect an organisation to disclose a data breach if it wasn’t sure it had even been breached, but Toyota’s decision is almost certainly influenced by the attack on Toyota Australia in February.
Either way, Toyota’s transparency can only be a good thing, as the damage – from a customer standpoint – is minimal, and the organisation’s response has been exemplary. The only thing missing is a more effective security system.
However, Zurich American says the damage was the result of an “act of war” and therefore isn’t covered in the policy, which covers “all risks of physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”
Was NotPetya an act of war?
That’s the $100 million question. NotPetya is a Windows-based piece of ransomware that infected organisations across the globe in 2017.
The UK government and the CIA blame the attack on Russian state-sponsored hackers, claiming it was the latest act in an ongoing feud between Russia and Ukraine.
The evidence points towards this. Ukrainian organisations were among the first to be attacked, and the country accounted for 80% of all infections. Later investigations found that the virus was simply masquerading as ransomware, and was in fact designed “to exact maximum destruction and damage”.
Unfortunately, the criminal hackers had little control over which organisations would be hit beyond the initial injection. The fact that the virus focused almost exclusively on Ukraine was simply good fortune, because malware such as NotPetya and WannaCry, which ripped through the UK just weeks earlier, are specifically designed to spread as far and wide as possible.
That means there will always be many bystanders like Mondelez affected by attacks.
Who is in the right?
Most experts agree that Mondelez has a strong claim despite NotPetya’s relation to Ukraine–Russia tensions. Zurich American initially agreed, offering a payment of $10 million.
However, the insurer soon changed its mind, claiming an exclusion for “hostile and warlike action in time of peace and war [by] a government or sovereign power”.
Mondelez called Zurich American’s decision “unprecedented” in court papers. Terrorism and acts of war exclusions are common in insurance policies, but no insurer has ever challenged a claim based on those exemptions.
That doesn’t make it an open and shut case, but it does mean Zurich American will have its work cut out. With no precedent to cite, it will have to make an overwhelming case and prove that the Russian government was behind the attack, something investigators have thus far failed to do.
Perilous future for cyber insurance
The result of the case will have huge ramifications for cyber insurance policies. The attack is probably as close as we’ll get to the definition of an act of war in terms of cyber crime, so if Zurich American is found liable in US courts, it shuts the door on any other insurer in the country using the exemption.
We’d expect those firms – and, in all likelihood, insurers across the globe – to re-evaluate their policies to create specific exemptions for attacks such as NotPetya.
But if the court finds in favour of Zurich American, organisations will suddenly find themselves far more exposed to cyber attacks than they might have thought. This could lead to huge numbers of organisations dumping their policies and seeking specific protection against large-scale attacks.
Whatever the outcome, organisations must consider whether their cyber insurance policy is fit for purpose. We can’t think of many things worse than spending a chunk of your cyber security budget on an insurance policy only for an insurer to tell you after an attack: “It’s all there, black and white, clear as crystal. You get nothing!”
The best way to avoid that is to take the initiative when it comes to cyber security. If you spend wisely on security defences, you can prevent most attacks, respond promptly to breaches and mitigate the damage.
That’s easier said than done, but there’s a middle ground between shouldering the responsibilities of security and relying on an insurance policy.
Cyber security as a service
What if there was a way that you could access the expert knowledge and resources you need to manage cyber security threats without having to employ a full-time team? With IT Governance’s Cyber Security as a Service, you can.
Backed by years of cyber security experience and a deep understanding of the challenges organisations face, our experts will transform your organisation from ‘unsure’ to ‘cyber secure and resilient’.