Friday, 23 April 2021

The Future of Service Management in the DevOps Era


By Gary Blower, Solutions Architect, Clearvision

Whether you view your organisation as having an agile approach or not, in 2020, companies had no choice but to drastically change their way of working as the world rapidly pivoted to remote working. Organisations that had already embraced agile principles had the advantage of being able to adapt faster to the pandemic and meet the demands of their employees, who were suddenly all working from home. Now, as we start to slowly emerge from multiple lockdowns and restrictions, one interesting side effect of COVID-19 is that it has lowered our collective tolerance for slow, overly bureaucratic processes. We all crave an agile approach, whatever our definition of agile might be.

COVID-19 has Accelerated Digital Transformation
Digital innovation has fundamentally changed how the world operates. COVID-19 demonstrated just how much we rely on technology. And, as modern technology permeates every area of our lives, our expectations around the availability of information and the speed with which we can obtain it are even higher than they were pre-pandemic. Therefore, as lockdowns ease, the world is continuing to change just as rapidly to keep pace with the demands on businesses, who must accelerate out of recession and aggressively compete to remain relevant.

The knock-on impact of this acceleration is that organisations need their IT teams working together as efficiently and effectively as possible. Likewise, their IT service management (ITSM) capabilities must be nimble and efficient to support shifting organisational priorities, capitalise on new opportunities, and satisfy growing end-user demands for immediate and seamless service, wherever users are located.

To meet this increasing demand and requirement for speed, the flow of work between the support, DevOps and operational teams must be unified, and teams need to be empowered to deliver work with agility. IT teams are under huge pressure and are required to become even more adaptable to the challenges they face. This means that practices and workflows need to remain flexible so that teams are better positioned should situations like we just experienced in the past 12 months arise again in the future.

Traditional Service Management Approaches can’t keep pace with Demand
However, even the smallest request for change is not an easy task for some organisations and must be approved by layers of bureaucracy, which can take weeks or sometimes months. Additionally, this increased demand, combined with the ongoing pressure to lower costs, runs counter to traditional approaches to service management that emphasise risk mitigation and control over efficiency and agility—leaving some IT teams hamstrung and unable to play to their full potential. In our ‘always on’, digital world, this will disadvantage those companies unable to respond, with end-users and customers no longer willing to accept long wait times. And why should they? The COVID-19 experience showed that, when we really need to, we can completely change our way of working overnight. Therefore, many customers are now unforgiving of those that cannot accommodate their requirements or promptly meet their expectations.

One way that organisations can accelerate their service management initiatives and introduce more efficient methods to serve ever-growing business demands is by implementing Jira Service Management. This is the only ITSM solution built on the Jira software development platform. This means that users don’t have to seek the Jira application separately, and they benefit from having everything they need in one platform.

DevOps, IT Support, and IT Operations must all Collaborate
This accessibility is important because IT teams using other service management tools often end up integrating their application with Jira for additional functionality, which can be clunky and not as streamlined. The co-existence of Jira Service Management and the Jira software development platform has huge benefits because it means that support and development teams can collaborate on the same platform and fix software issues and incidents faster. Jira Service Management was also designed with both IT and development teams in mind and provides streamlined requests and change management processes. This allows teams to make change requests without complex approvals and link incidents to problems in one click.

With other service management platforms, siloed tools between development and IT operations can result in context switching, lack of visibility, and decelerated work. As a result, integrations between Jira Software and service management tools tend to be weaker and cumbersome to manage. In contrast, tight integrations between Jira Software and Jira Service Management mean seamless and accelerated workflows between development and IT. Teams can link issues across Jira and ingest data from other software development tools, providing IT support and operations teams with richer contextual information to respond rapidly to requests, incidents, and changes.

Jira Service Management also offers customisable templates for ITSM, customer service, and business teams such as HR and finance. Furthermore, an intuitive portal in Jira Service Management makes it effortless for customers to ask for help, while the simple UI makes it easy for teams to use. And, with easily configured automations, IT teams can prioritise and resolve requests quickly.

Service Management Built for the DevOps era
In today’s world of digitised services and support, being able to deliver a rich and collaborative service desk, modern incident management, and change management is critically important. The world is changing fast and, to keep pace, organisations need a service management platform built for the DevOps era. An open, collaborative platform enables teams to scale operations quickly and ensure the organisations’ critical services are always on and operating at high velocity. This will ensure they can respond quickly to business change while delivering great customer and employee service experiences.

Monday, 19 April 2021

Flexibility and Security, You Can Have it All!


Every organisation is on a mission to achieve agility; if 2020 taught us anything, it's that the need to be flexible is essential in order to adapt and thrive in new and uncertain environments. The increased adoption of technology in all forms - from increased connectivity to the cloud or collaboration tools for remote working - has greatly enabled organisations to achieve this. Powered by the adoption of software-defined wide-area networking (SD-WAN) technology, organisations have been able to take advantage of this newfound flexibility, ease of management and ability to scale, but many have realised that the compromise to data security is too big a risk.

The dichotomy is real: ignoring the benefits that SD-WAN technology can bring only leads to dated and costly solutions being used for connectivity, not only impeding the ability to realise the real-world direct cost savings available with SD-WAN but also limiting the scope for building the future-proof agile environment that’s needed as part of any organisation’s ongoing digital transformation. On the other hand, for the public sector and other highly regulated industries in particular, securing data has never been a simple task, but adopting an SD-WAN model has only highlighted that traditional security solutions are no longer enough. These solutions simply do not have the flexibility, performance or interconnectivity that SD-WAN connections require, and because of this, data is increasingly being left unprotected and vulnerable to malicious actors. The numerous data breaches that the industry has seen over the last few years are only proof of this.

Something clearly must change and organisations need to be able to deploy the benefits of SD-WAN with the confidence that the necessary controls are in place to ensure guaranteed levels of protection for high assurance data. As Paul German, CEO, Certes Networks, explains, a software-defined approach to data assurance will enable organisations to remain flexible and reap cost savings whilst ensuring their data is kept private and handled in accordance with compliance needs.

Turning Business Intent into Business Value
Business intent is defined by the key goals that an organisation sets out to meet with its data security strategy in order to achieve business value. For example, this could include being proactive to meet new and existing regulatory compliance requirements; being agile to move to hybrid environments; or being protected to keep data secure and stay ahead of malicious actors.

Business value will be achieved when the organisation’s data security posture is visible, scalable, observable, and above all, provable. In practice, a provable security strategy is quantifiable, measurable and outcomes-driven, and will turn data security into a strategic investment that mitigates risk and that delivers a quantifiable contribution to the overall value of the business.

Having the intention to make changes and meet business goals, though, is only one part of the process as there are numerous challenges to overcome in order for business intent to turn into business value.

Achieving Business Value within SD-WAN
An example of business intent is an organisation moving toward SD-WAN and adopting Zero Trust as an approach to ensure their data is kept secure, whilst staying flexible. However, the challenge that stops business value from being reached in this example is that the separation of duties cannot be achieved when security protocols are tied into the network infrastructure, which is often the case when organisations have not yet adopted a network-agnostic approach to data security. Business value will be achieved by deploying a secure overlay that’s agnostic to the underlying network infrastructure, giving security teams total control and visibility of the security posture.

Similarly, an organisation might have the aim of being agile and moving to a hybrid or SD-WAN environment, but the challenge of a disaggregated or antiquated network infrastructure will often mean that this intent cannot be turned into value for the business. By decoupling security from the network, the organisation can be safe in the knowledge that the data will be protected wherever it travels. Furthermore, by matching security policies to business intent requirements, organisations won’t be beaten by continuously evolving regulations, solving two challenges and delivering business value with a future-proof approach to data security as a result.

Overcoming these challenges with a provable security strategy that encompasses auditing and analytics and that automates cryptographic key rotation for each classification of business intent ensures that even if a hacker is able to infiltrate the network, there will be no lateral movement between applications. And, with real-time monitoring of the data assurance posture, CISOs can react and remediate the attack at speed, greatly limiting any damage that could be caused and enabling business value to be achieved.

Making Flexibility and Security Entirely Possible
Ensuring that data remains secure should be front of mind when making any organisational changes, particularly when it comes to the adoption of new technology. There is simply no point in making the company’s processes and operations flexible and agile to suit the new working environment if data is left vulnerable and open to compromise as a result.

But organisations don’t have to choose between flexibility and security - both can easily be achieved with a strategy that not only overcomes the data security challenges presented by an SD-WAN environment, but that also provides value by achieving business intent. A software-defined data assurance strategy successfully delivers ‘data first’ security to ensure that data remains protected and is handled in accordance with compliance needs, whilst providing the ability to react and adapt to both external and internal changes as required.

It’s a win-win, so now is the time for organisations to really consider the viability of an SD-WAN environment where data security is decoupled from the network in order to truly realise the benefits.

Friday, 16 April 2021

Adapting Security Awareness to the Post-Pandemic World


It's time for Security Awareness to adapt by thinking Cyber
The transition to working from home, as well as the necessary technological change, has had an effect on businesses all over the world. This has serious consequences for cybersecurity. Current approaches to human user security are antiquated, infrequent, complex or patronising. Yet, in a world where 90% of cyber attacks begin with a human user, technological controls can never guarantee 100% security.

To keep up, security awareness must build new methods. The days of an annual awareness course are long gone. Instead, security awareness is becoming more and more about drip-feeding brief snippets of information to users, with content production periods of hours or days rather than weeks or months. Adjust easily, with minimal effect on workers, to win the battle for recognition while still passing on those benefits.

Belfast-based cybersecurity company SaltDNA, a LORCA 3 Cohort Graduate, recently attended LORCA Live’s online event, which brought a global ecosystem together to explore the role cybersecurity can play as an enabler for the emerging technologies set to define our world. During the event, there was a wide range of workshops, panel discussions and live broadcasts, tailored to today's cyber landscape.

In the LORCA Live panel ‘Understanding the changing risk landscape for business’, the panellists highlighted the importance of security awareness finding new ways to be part of the context and to incorporate itself into the environment. Since physical cues are no longer present, we must build virtual cues to promote safe behaviour by integrating security into people's daily computing activities. These initiatives should be quick, attractive, social, and timely for optimal impact. They should preferably be delivered at the point of risk, going well beyond merely reminding people of their professional responsibilities. We can shift the context to drive secure behaviours by offering the right feedback at the right time.

Remote working is here to stay - why it's even more important to secure your organisation
From 2020 moving into 2021, there has been a substantial change toward working from home. Businesses, for the most part, seem to have dealt with the logistical and health and safety implications of the transition, and people seem to have adapted to remote working arrangements and processes fairly well.

Undoubtedly, there's more to it than that from a security standpoint. It's not enough that the dangers have shifted. More importantly, the environment in which most work is performed has changed. Given that all behaviour is influenced by its environment, approaches to ensuring the safety of your business and employees must evolve.

Data enforcement, data hacks, and malware attacks are all issues that CISOs and CIOs must deal with. As more people work from home, their jobs are becoming more difficult. Cyber-security threats and breaches are a concern that any company has to face. They can be highly disruptive, resulting in major, long-term financial and reputational harm.

When workers operate remotely, such an assault can be much more difficult to manage, so make sure you have a safe setup in place to reduce the risk as much as possible. It is important to provide frequent security training for employees, as one of the most serious threats to your security is human error. Responding to a phishing email, downloading malicious material, or clicking on a dangerous connection is all too easy. Furthermore, since the security threat environment is constantly changing, workers are often unaware of the risk that their activities can pose. As a business owner, you must ensure that the workers undergo daily training and updates to ensure that they have as much information as possible.

Organisations need to build trust to succeed in a post-pandemic world
Forward-thinking business executives who took steps before 2020 were more likely to survive the past year's turmoil and place their businesses to succeed in the future. They created organisations with forward-thinking strategies, which offered a strong commitment to their stakeholders, and effective use of technology to gain a competitive advantage. Improving organisational resilience to plan for potential disruptions starts with an honest assessment of the organisation's readiness, adaptability, collaboration, trustworthiness, and responsibility.

The pandemic has hastened the adoption of technology, and many companies have had to change their digital operations in order to remain operational and expand. Users must have confidence in how their data will be used, stored, and secured in order to participate in the digital economy. This poses a number of issues for companies.

The ‘Building trust to succeed in the post-pandemic world’ workshop held by Dell Technologies shared a number of strategic actions businesses can take to build resilience. The first option was to conduct crisis scenarios on a regular basis with key decision-makers from different roles and departments. Scenario preparation assists leaders in preparing for change and predicting what businesses will need in the future to not only succeed but also prosper.

Secondly, to encourage employees to learn new cyber skills, develop training or rotational programs. This could improve an organisation's ability to redeploy employees based on business requirements and employee preferences. Finally, invest in a secure communications platform that promotes collaboration and private communications within your organisation. The collaboration will improve resilience by helping organisations communicate more effectively and promote trust among employees.

Although the future remains unclear, it would be unrealistic to expect that coronavirus vaccines would usher in a full return to pre-pandemic conditions. Now is the time to accept and plan for a more permanent remote-work environment. Firms can do this by integrating secure technology that encourages secure digital communications among employees and teams, making their businesses more appealing to customers while also promoting broader strategic growth objectives.

A constructive approach is more likely to be safe and resilient, as well as to survive in the data-driven digital economy. Change and disruption will be the norm in the future, so leaders who put the building blocks of resilience in place now will be in the best position to succeed.

About SaltDNA
SaltDNA provides enterprise managed encrypted communications between mobile devices, safeguarding the confidentiality of voice, message and conference call communications, and file transfers. To sign up for a free trial of SaltDNA or to speak with the SaltDNA team, contact them at info@saltdna.com.

Thursday, 15 April 2021

Important Strategies for Aligning Security With Business Objectives


What is the objective of implementing cybersecurity in a business? The answer might vary depending on whether you ask a security professional or a business executive.

However, in any cybersecurity implementation, it’s very important to stay focused on the big picture: cybersecurity is there to secure the business and its assets, so the business can concentrate on achieving its business objectives.

For example, if we are a coffee shop, then cybersecurity should be implemented to help the shop sell more coffee; cybersecurity by itself is not an end goal.

To do so, security professionals and executives must align cybersecurity with business objectives, which can be quite challenging in certain cases.

Below, we’ll share important strategies that can help cybersecurity teams move business and cybersecurity alignment in the right direction, starting with the first one.

Know the business objectives inside out
One of the key challenges in aligning security with business objectives is that information security/data security executives (i.e. CISO/Chief Information Security Officer) are often too concerned about security and not the overall business objectives.

Each top stakeholder in the company might have different business and security concerns. For example, the marketing manager might be more worried about the success of the upcoming marketing campaign, while the CFO might be more worried about the cost of security infrastructure and potential losses due to security concerns.

With that being said, explore the following areas to consider how security should align with business objectives:
  • Compliance with local regulations and policies
  • Data assurance, security, and integrity
  • Market trust and brand reputation
  • Availability and performance
  • Culture, policy, and governance
  • Cost efficiency in implementing security controls
Maintaining two-way discussions with management and employees is very important so the security team can prioritize which areas they should focus on to help achieve organizational business objectives.

Upgrade connectivity to improve cybersecurity and productivity
With remote working becoming the norm nowadays, especially due to the COVID-19 restrictions, more employees are now actively accessing cloud resources from home. Even in a traditional office setting, regularly accessing cloud resources in various forms is now also a common practice.

To prevent potential issues, organizations must ensure a more reliable connectivity solution that is also more secure, and SD-WAN (Software-Defined Wide Area Network) can be a viable solution in the following ways:
  • Better security: SD-WAN allows businesses to integrate security directly into the connection, for example by integrating VPNs, encryption, IPS, sandboxing, and firewalls.
  • Reliability: SD-WAN can prioritize critical applications to ensure more reliable connectivity for all employees.
  • Centralized management: security teams can easily integrate essential security functions into a single location, allowing better efficiency.
Implementing SD-WAN, as well as other types of security-focused connectivity solutions, can help businesses align security with business objectives by ensuring a fast, reliable, and secure network at all times.

Implement cybersecurity automation to free up time and resources for pursuing organizational objectives
Implementing automation in executing cybersecurity practices has two core benefits:

First, while human resources are and should be an organization’s most important security asset, human errors are also often an organization’s biggest security vulnerability. In fact, more than 95% of successful cybersecurity breaches are caused by human errors. Automating the execution of your cybersecurity can help reduce or even eliminate these human errors.

Second, automating cybersecurity practices can free up your employees’ valuable time so they don’t deviate from their core competencies, allowing these employees to contribute more in pursuing organizational objectives.

For example, investing in automated bot detection and management solutions like DataDome can help implement advanced, AI-powered bot mitigation. DataDome will stop bot attacks on autopilot and in real-time.

Establish a security-focused company culture
Again, human resources are an organization’s most important security asset and also its biggest security vulnerability.

It’s very important to ensure regular training so employees and management can better spot various forms of cybersecurity attacks, especially phishing and social engineering attacks.

Creating a security-focused company culture starts by building the awareness and knowledge of end-users:
  • All employees must understand the symptoms of key attack vectors with the highest potential of affecting the organization, so they can recognize these threats in real-world situations.
  • Communication is key. Management and employees should maintain clear, two-way communication about security and keep each other updated.
  • Monitor and evaluate progress regularly, including updating the employees with new training modules when required.
Creating an organization-wide security culture requires commitment both from management and from employees, and improving awareness can be the most important asset an organization should invest in to ensure alignment of security with business objectives.

Recognizing that cybersecurity is a prerequisite, not the end goal
A very common mistake made by organizations, especially security executives and officers, is treating cybersecurity as the end goal, while in truth cybersecurity is only a means to an end. We need cybersecurity to achieve the end goal and not the other way around.

This is why every cybersecurity initiative should consider the related business objective it’s pursuing, and the cybersecurity team should provide an assessment to explore different options and possible outcomes rather than forcing the idea of security for the sake of security.

We wouldn’t want security teams and executives to get caught up in being like an overprotective parent, hindering the business’s performance by treating security as the end goal.

Thus, cybersecurity should support the business’s goals, and not be the ultimate objective by itself.

Conclusion
With cyber-attacks continuously growing, both in terms of scale and quality of attack, the negative impacts of these attacks on any business are becoming increasingly threatening.

This is why aligning cybersecurity to business objectives is now a necessity, ensuring the organization is becoming more capable of mitigating security risks that can hinder the organization’s success while ensuring positive ROI in security investments.

Friday, 9 April 2021

Building a Security Conscious Workforce

Article by Daniel Warelow, Product Manager at Giacom and Charles Preston, CEO & Founder of usecure

Employees are a vital part of the security strategy

Security Awareness Training the foundation of a Cyberculture
Life and work as we know it is changing as a result of the COVID-19 crisis, and cybercriminals are using this to their advantage. A new report has found that more than one in four UK cyber-attacks have been related to the pandemic, and as attackers continue to come up with sophisticated and dangerous methods to attack businesses and individuals, cyber security measures must be prioritised. 

Businesses can no longer rely on technology alone to mitigate the risks that come from cyber threats, especially while many workforces work remotely through the pandemic. Instead, they need to encourage their employees to work mindfully and responsibly on the frontlines of cyber defence. Daniel Warelow, Product Manager at Giacom and Charles Preston, CEO & Founder of usecure, highlight the importance of implementing continuous security awareness training in order for employees to be more security conscious as part of their overall IT security strategy and protection.

Human Error
Employees are a vital part of any business’s security strategy – they are the soldiers on the front line in the battle against hackers. However, if they are not educated or trained in what to look out for when it comes to security, the human can also become the open gateway for cyber attacks to take place, playing upon user vulnerabilities. 

This is the case, especially when working from home. Users have additional pressure to work harder and faster, which is when more mistakes can happen. It has been found that 95% of cyber security breaches are due to human error, demonstrating how dangerous humans being the weakest link can be. These internal business risks, such as sending an email to the wrong person or with an incorrect attachment, can be detrimental to a business – not only in terms of financial repercussions, but also its reputation.

This is why cyber security training and tools that educate the user have never been more important, as employees need to be trained to be vigilant, cautious and suspicious.

Security Awareness Training
The cyber threat continues to evolve too as hackers and their methods become more and more innovative. However, businesses cannot expect their employees to stay ahead of growing threats without having the education and training in place in response to the changing and modern landscape. Elements such as security awareness training and simulated phishing resources can help mitigate end-user cyber risk and drive secure user behaviour.

These programs are designed to help users understand the role they play in helping to combat security breaches. Additionally, using phishing simulations as part of the wider security strategy will help to provide realistic situations that often occur, particularly via email, that employees must be aware of. Further, training allows businesses to assess the nature of the workforce regarding its security awareness posture, and provide employees with the information to understand the dangers of social engineering attacks and how to take appropriate actions to protect themselves and the organisation.

However, security awareness training should not be a one size fits all approach. Instead, training should be continuous and tailored to each user's unique vulnerabilities, creating an optimised and effective cyber strategy. By highlighting any cyber weaknesses in the workforce, these can be targeted through educational resources to ensure that the human is aware of and knows how to detect such risks, and more importantly, how to reduce the likelihood of an attack. Regular training, in addition to complementary security tools, can provide a layered defence for organisations to reduce the threats that any business faces. 

The Role of the Channel
The channel plays a key role in the fight against cyber crime too. Organisations cannot be expected to stay one step ahead of cyber criminals and adapt to new threats on their own, but by relying on the help of their MSP, businesses can feel confident that they have the right education and tools in place to combat the risk of cyber attacks. 

There remains a large cyber skills gap across many businesses, and with the immediate move to remote work over the last 12 or so months, being away from the help of on-site IT teams, organisations are more vulnerable than ever. Finding the right vendor and solutions to tackle these evolving threats is crucial, and end user organisations need to work effectively with Managed Service Providers (MSPs) to stay ahead of the attackers. This enables MSPs to become trusted IT security advisors for the businesses they support, helping them to create a secure business and custom-fit security approach.

In addition to this, to meet growing cyber security threats to organisations, channel partners can increase their value to their customers by ensuring they have the right security solutions and training programmes in place across their existing portfolio. MSPs must take a proactive role in understanding the current state of a customer’s ability to protect against, prevent, detect and respond to modern cyber threats when recommending the best approaches to being cyber resilient. 

By addressing pain points and providing assurance around the security of their working environments, partners can build and strengthen the relationship with their customers, while recognising the opportunity surrounding the related additional revenue streams. 

Thursday, 1 April 2021

Cyber Security Roundup for April 2021

  

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, March 2021.

How Not to Disclose a Hack
UK fashion retailer FatFace angered customers with its handling of a customer data theft hack. The clothes retailer revealed a data theft which included its customers' full names, home addresses, email addresses, and partial debit/credit card details. The payment card details included the last four digits and the card's security verification code. Under Payment Card Industry Data Security Standard (PCI DSS) requirements, the latter code is never permitted to be stored after a payment card authorisation, so it would appear the business was not PCI DSS compliant at the time of the hack. That strongly suggests the business may not have been doing enough of the expected IT security good practices to prevent being hacked in the first place, a poor IT defence posture which appears to have even been corroborated by its hackers.

FatFace CEO Liz Evans released a statement which said “On 17th January 2021 FatFace identified some suspicious activity within its IT systems. We immediately launched an investigation with the assistance of experienced security professionals who, following a thorough investigation, determined that an unauthorized third party had gained access to certain systems operated by us during a limited period of time earlier the same month. FatFace quickly contained the incident and started the process of reviewing and categorising the data potentially involved in the incident.”

Customers were said to be angered that it took FatFace over two months to notify them of the breach. Under the UK Data Protection Act (GDPR), UK businesses are required by law to notify data subjects (customers) within 72 hours of learning their personal data had been compromised. Customers were said to be even further incensed that emails sent to them by FatFace were titled "Strictly private and confidential", which they considered implied they should help FatFace cover up the breach, and there was no apology from the FatFace CEO to boot.

Computer Weekly said it had learnt that FatFace paid a £1.5m ($2 million US dollar) ransom to the Conti Ransomware gang, disclosing that the gang gained access to FatFace's network and IT systems via a phishing email on 10th January 2021. The ransomware attack was said to be executed on 17th January 2021 and over 200Gb of data was exfiltrated. As part of the ransomware negotiation, in which the original ransom ask was $8m worth of Bitcoin, the Conti gang was said to have provided the following cybersecurity advice to FatFace:
  • IT teams to implement email filtering
  • conduct employee phishing tests
  • conduct penetration testing
  • review Active Directory password policy
  • invest in better endpoint detection and response (EDR) technology, apparently recommending Cylance or VMware Carbon Black
  • better protect the internal network and isolate critical systems
  • implement offline storage and tape-based backup
All very sound advice.

More and More Ransomware Attacks
The Harris Federation, which runs 50 primary and secondary schools, and Birmingham College probably wished they had followed the alleged Conti gang's anti-ransomware security advice after they were taken out by ransomware attacks. 

The ransomware epidemic dominated the 2021 Palo Alto Networks Unit 42 Report, echoing the constant stream of IT media headlines, namely that ransomware gangs continue to evolve their tactics and operations, and are making more and more serious money. We are in a golden age of ransomware crime, and there are no signs of a respite. PA Unit 42 found that the average ransom paid by organisations nearly tripled over the past year, from $115,123 in 2019 to $312,493. High-end ransoms have gone up significantly too. Between 2015 and 2019, the largest-known individual ransom demand was $15 million. In 2020 groups were demanding as much as $30 million to unlock a victim’s files and systems.

A Russian man in the US pleaded guilty to plotting to extort money from the electric car company Tesla, after he was accused of offering an employee £721k ($1m) to place ransomware on Tesla's network. He was quoted as saying that he and his co-conspirators would steal the data and if Tesla refused to pay the ransom the company's secrets would be placed on the internet.


Microsoft Exchange Zero-Day, Exploitations Led by Hafnium

Further information about the Exchange Server zero-day vulnerability exploitations came to light throughout March, as summarised below.

UK Gov to Ramp up Cyber Offenses and Defences
Prime Minister Boris Johnson announced he was creating a "cyber corridor" in the North of England, to bolster Britain's cyber warfare capabilities against hostile countries and terrorist groups.  A new UK National Cyber Force (NCF) will lay out "a new cyber strategy to create a cyber ecosystem."

The NCF review will "set out the importance of cyber technology" to the UK's way of life "whether it’s defeating our enemies on the battlefield, making the internet a safer place or developing cutting-edge tech to improve people’s lives." Basing this task force in the North of England is intended to generate economic growth in the digital and defence industries while drawing in the private sector and academia to work with the government on projects.

Britain's biggest banks, including Barclays, HSBC, and NatWest, and insurance companies, including Aviva and Direct Line, will face new tougher testing of their cyber defences by the Bank of England's Financial Policy Committee (FPC). Industry sources said the FPC will test their ability to withstand a coordinated global series of cyberattacks to form the centrepiece of the Bank of England's stress scenario reporting.

However, one recently introduced UK cybersecurity law, which was meant to boost the resilience of the UK's energy sector by obliging gas and electricity firms to report hacks, doesn't appear to have been adopted very effectively. The Network & Information Systems (NIS) Regulations 2018 were introduced into UK law three years ago and have parallels with the DPA/GDPR law which was introduced at the same time. Like the GDPR, NIS requires the UK critical national infrastructure firms (i.e. ISPs, utilities) and energy sector firms (i.e. gas and electricity firms) to quickly report any hacks to their regulating authority, Ofgem. According to Sky News, only one company has ever tried to file a report informing the regulator that it had been hacked, but it was dismissed as the incident did not meet the threshold for being reported.

Recently, the British government confirmed Russian state-sponsored hackers have successfully penetrated the computer networks of the UK's energy grids, without disrupting them, and former defence secretary Gavin Williamson warned that "thousands and thousands and thousands" of people could be killed if an attempt at disruption was made.  Responding to Sky News about NIS compliance, a UK government spokesperson said: "The UK's critical infrastructure is extremely well protected and over the past five years we have invested £1.9bn in the National Cyber Security Strategy to ensure our systems remain secure and reliable." UK Gov then added that a formal review of the impact of NIS will take place within the next 12 months.

Stay safe and secure.

Wednesday, 24 March 2021

Reducing Human Error Security Threats with a Remote Workforce

Article by Beau Peters

For better or worse, the COVID-19 pandemic changed the way we work and our corresponding cybersecurity needs. Now, millions of us across the world are adapting to remote work. And this requires securing our networks for the new normal of IT infrastructures.



Surprisingly, a large portion of cyberattacks can be best prevented by reducing the risks to a remote workforce created by human error. Lack of employee knowledge, distraction, and neglect all can leave remote networks vulnerable.

While there is no way to guarantee against data breaches, securing the human element can help mitigate security threats and improve the integrity of your remote work systems. This article will explore not only the cost of human error but the practices you can employ to prevent it.

The Cybersecurity Cost of Human Error
While many security executives agree that ransomware poses the greatest threat to security infrastructure, a majority believes that human error is the greatest risk to their business operations. In a survey of UK&I CISOs, 55% said that human error posed a risk no matter what protections are in place.

Damaging employee mistakes often come in the form of clicking or downloading malicious content, interacting with phishing emails, and unauthorized use of a device or app. In the shift to remote work, these risks can be even more damaging, as they have the potential to take down entire networks, increase downtime, and result in massive security costs.

With an estimated 900% increase in ransomware attacks during the first half of 2020 alone, hackers are stepping up their game to infiltrate vulnerable systems. On average, these attacks cost even smaller businesses as much as £520,000 ($713,000). This makes securing systems and employee behaviour against these attacks an important cost savings priority.

Fortunately, there are plenty of simple strategies you can employ in your tech processes to mitigate the risks of staff error, even while working remotely.

How to Reduce Human Error
Reducing human error to alleviate cybersecurity risk can be done through a few different approaches. From creating an employee education program to enhancing your application of modern tech, your remote workforce can interact more safely with your virtual workspace. These five strategies can help you reduce human error security threats:

1. Invest in Employee Education
Employee education is one of your best tools in combating the risks posed by human error. As technology changes, so do the phishing and social engineering methods of scammers and hackers. No matter how up-to-date on trends in cyber threats your workforce is, an employee education program can be a great way to increase employee awareness.

Create an employee cybersecurity education program or find a third-party course to provide your employees with some additional training. As a result, they can approach their remote work more cautiously.

2. Follow Cybersecurity Best Practices
Employee education is also a great place to instil a pattern of best practices surrounding cybersecurity. These will be a necessary foundation for ensuring that cybersecurity is considered in every aspect of the business. For remote workers, these best practices include:
  • Understand the resources and IT staff available to you.
  • Always use a virtual private network (VPN).
  • Build an authorization system that is secure and traceable.
  • Encrypt all sensitive materials.
  • Secure systems over cloud databases.
Build these practices into company culture to give your employees better methods to approach security.

3. Utilise Highly Secure Infrastructures
Cloud databases are a must-have with a remote workforce. These ecosystems make data communication and storage simple and functional outside of an office, and with the right security protocols, they can also make cybersecurity easy.

A decentralized system like blockchain, for example, provides access and communication from anywhere all in an environment secured by cryptographic links. At the same time, immutable data storage offers greater transparency into access and authorization tracking.

Employing secure infrastructures like blockchain can go a long way in reducing the risk of human error through better security overall.

4. Provide Security Tools and Understanding
The success of your team in securely handling data often comes down to the tools they have to work with. For remotely working teams, additional challenges and distractions add to the risk of human error. That risk, however, can be better reduced by the right communication tools and strategies. These include:
  • Collaboration software for check-ins and cybersecurity reviews
  • Project management tools to track workflow and system access
  • Video conferencing tools with multi-factor authentication and encryption potential
Choosing the right tools requires a review of how each platform allows for foolproof security measures. Then, reviewing these measures and how workers can support them will assist in reducing human error.

5. Constantly Stress Cybersecurity
Finally, review and stress cybersecurity concerns with your employees on a regular basis. Mention best practices in all your meetings, and even create metrics and incentive programs aimed at promoting better security.

With all the distractions surrounding remote workers, they need a reason to make cybersecurity a focus of their everyday efforts. Provide helpful tools like VPNs to all your remote workers and ensure they are supported by renewed education regarding best practices.

While human error can never be fully eliminated, these strategies can help you reduce the risk to your own systems. Stress the importance of thinking before you click in all your systems and practices, and choose the right tools to support these efforts. With cybersecurity best practices built into the culture of your remote workforce, you can better keep employees and their data protected.

Wednesday, 17 March 2021

Cybercrime to cost over $10 Trillion by 2025

Cyber attacks are a threat to businesses of all sizes and in all industries. With cybercrime rising by 600% during the pandemic, businesses are more vulnerable than ever to the financial and reputational repercussions of cyberattacks. This makes it even more important for businesses and organizations to make cybersecurity a priority.

Costs of Cybercrime
Global cybercrime costs are on the rise, increasing 15 per cent year over year, according to a 2021 cyberwarfare report by CyberSecurity Ventures. By 2025, it is estimated that cybercrime will cost businesses worldwide $10.5 trillion annually.

With the global cost of cybercrime at $3 trillion in 2015, that’s more than a threefold increase over a decade. This represents the “greatest transfer of economic wealth in history,” stated the report.

To put this into perspective, if the total of $6 trillion in cybercrime losses in 2021 were measured as if it were a country, this would be the world’s third-largest economy after the U.S. and China.

The consequences of cybercrime extend beyond financial repercussions. According to the report, businesses may also suffer from:
  • Loss of data
  • Theft of intellectual property
  • Theft of financial or personal information
  • Reputational harm
  • Lost productivity
As cyber-attacks become more frequent and advanced, businesses need to be prepared to respond to incidents.

Ransomware as a Threat
The CyberSecurity Ventures report also highlighted ransomware as a major threat. A ransomware attack occurs when malicious software infects computers and restricts access to their files until a ransom is paid.

It’s estimated that global ransomware damage costs will reach $20 billion in 2021, 57 times the amount in 2015. The report also predicted that a ransomware attack will occur every 11 seconds in 2021, up from every 40 seconds in 2016.

Since the healthcare industry is one of the industries most susceptible to cyber attacks, the FBI is especially concerned with the impact of ransomware on healthcare providers, hospitals, and first responders, as it poses a threat to the safety of American citizens.

Mark Montgomery, executive director of the U.S. Cyberspace Solarium Commission, identifies ransomware as the fastest growing and one of the most damaging types of cybercrime. For this reason, business leaders need to prioritize cybersecurity measures in order to protect their data and their company.

Cybersecurity Best Practices
With increasing cyber threats, especially due to the rise in remote work, businesses need to be as prepared as possible to mitigate the risk of cyberattacks. Here are some cybersecurity best practices that your company should follow to strengthen security and prevent cyber attacks.
  1. Minimize data transfers. In a corporate setting, it’s nearly impossible to prevent the transfer of data between devices. Be mindful of how many devices contain important data and keep transfers to a minimum, especially when it comes to sensitive data.
  2. Verify download sources. Before making any downloads, scan the website you’re downloading from to ensure that it’s verified, and only click on legitimate download links.
  3. Update software regularly. Software developers are continuously updating their applications with the best available security measures, so updating your programs and devices whenever possible is a great way to protect against cyber attacks.
  4. Encrypt where possible. Encryption tools can be used to protect data from outsiders. When encryption isn’t possible, password protection is a great alternative. Be sure to choose complex passwords with a mix of letters, numbers, and characters, and to change your passwords regularly.
  5. Monitor data. Data breach monitoring tools will alert you when there is suspicious activity regarding your data. These tools will help you prevent data theft in real-time.
  6. Have a breach response plan. Breaches can happen to even the most prepared businesses. When they do, having a codified, organization-wide plan can help prevent further damage and speed up recovery efforts.
Rather than waiting to respond to cyber incidents, be proactive by bolstering your security measures to reduce the risks and consequences of cyberattacks. To learn more about cybercrime trends and different types of cyberattacks, check out Embroker’s post on cyber attack statistics for 2021.

Sunday, 14 March 2021

Book Review: Born Digital by Robert Wigley

There is a growing generation of adults who have grown up in the digital age, not knowing a life without almost immediate access to a digitally connected world. Most adults and children either carry or have access to connected computers, whether they be smartphones, tablets, games consoles, or good old-fashioned PCs; computers have become an essential human tool. Even toddlers seem to have an inherent ability to pick up and use tablet devices to play and learn. While the digital age has brought countless benefits for society, what of the trade-offs in our sleepwalk towards a lifetime dependency on digital technology?

In his book ‘Born Digital’, Bob Wigley shines a light on the darker side of humanity’s relationship with digital technology, pulling out and expanding on the serious issues which are all too often underplayed or brushed aside by a technology-distracted and addicted world. Throughout Born Digital, Bob cites a series of sobering statistics which bring a reality check to his exploration of the various psychological issues caused by society’s new devotion to digital technology. Indeed, reading Born Digital is a thought-provoking experience, which makes you question whether tech giants, governments, schools, and even yourself as a parent, are doing enough to protect and educate children born into the digital age.
Born Digital by Robert Wigley is available at Amazon in Hardback, as a Kindle eBook, and as an Audiobook
Born Digital examines the most digitally distracted generation of all, ‘Generation Z’, namely anyone born between the late 1990s and early 2010s. Generation Z has grown up psychologically hardwired with digital technology. Their smartphones are an extension of themselves, enabling a relentless habit of synchronising their real-world and digital lives with endless social media and digital communications. Generation Z does not regard itself as a digitally addicted and distracted generation; its digital way of life is its normal, so we should not expect its members to have epiphany moments of ‘admitting to having a problem’, which, as any alcohol, drug, and gambling addiction counsellor will tell you, is the first and most important step to taper a lifestyle with a harmful dependency. The unhealthy elements of living digital are in plain sight. Born Digital explores the grim reality of harmful effects experienced by Generation Z, such as addiction, anxiety, depression, low self-esteem, stunted empathy development, troubled relationships, fake news, propaganda, and even threats to democracy.

Born Digital is written as a wake-up call to the dangers and the negative outcomes which come with our dependency on the digital world, with the book concluding with a call to urgently reset society’s relationship with technology. Tech giants, governments, schools, parents, and each of us must be more informed about the dark side of digital tech, so we can take the necessary steps to better safeguard our society, ourselves, and the next generations from the detrimental side of our relatively newfound digital dependency.

Firstly, I believe improving education is essential, particularly within schools, and at young ages. We cannot count on parents to educate children about digital dangers, as parents tend to have little understanding of their children's digital realms. Secondly, there has to be stronger regulation of tech and social media giants; they must be made far more accountable for the digital services they provide, given the profound impact they have, especially on young lives. The ugly truth is social media and big tech companies are highly incentivised to cultivate addictive habits in their consumers to increase screen time, as more screen time means greater profit through increased advertising revenue. So it is not really in their nature to curtail addictive digital behaviours.

Some help is on the horizon in the UK, with a revolutionary Online Harms Bill, which at present appears to have sufficient teeth to force social media companies to act, by removing and limiting the spread of harmful content, or else face fines of £18m or 10% of their global turnover. If this parliamentary bill is written into UK law as it stands, the potential global turnover linked fine will certainly focus the minds of executives at social media giants like Facebook, TikTok, and Twitter. The bill, which will be regulated by Ofcom, will also require platforms to follow a new code of conduct that covers their responsibilities towards protecting children that are born digital.

Thursday, 11 March 2021

HR Strategies to Drive Cybersecurity Culture in the New Normal

The COVID-19 pandemic has forced businesses across all industries to revise their working processes and requirements. From shifting overnight to a remote working model, furloughing staff and operating in a challenging economic climate, many businesses were unprepared for these transitions. However, these changes highlight the important role of Human Resource departments in communicating, supporting and responding to the necessary adjustments and helping employees through the process.

HR's role in enforcing a strong cyber aware culture in the new normal
As HR departments rethink and reconsider how they foster talent and strengthen their organisations, front and centre to that shift needs to be IT security, underpinned by digital tools and a cyber-aware culture. With a 31% increase in cyberattacks during the height of the pandemic, reinforcing cybersecurity should be at the top of HR’s agenda. Andrea Babbs, UK General Manager, VIPRE SafeSend, discusses what this new way of working means long-term for HR departments and the importance of innovating their cybersecurity approach.

Managing Dispersed Teams
With social distancing measures in place and decentralised workforces, there is extra pressure for HR teams to effectively manage and monitor their employees. As the ‘Bring Your Own Device’ (BYOD) phenomenon creates a security concern due to the lack of consistent security and antivirus software, as well as the heightened pressure of staff feeling the need to work harder, faster and for longer, it’s no surprise that mistakes will be made.

Recent research has found that more than half of businesses believe working from home has made employees more likely to circumvent security protocols, such as using personal devices and failing to change passwords. Inappropriate use of business equipment might also be an issue that could arise, including the circulation of improper imagery or browsing unsuitable websites, which must be managed with caution and appropriate controls, such as blocking access to websites that could drain productivity.

With the combination of untrained employees and creative hackers, the challenges of maintaining security are evident. However, by implementing the correct software and security solutions across all employees’ devices, these risks can be mitigated.

Protecting Employee Data
As well as managing their employees, Human Resource departments have a vital role to play in keeping information safe and secure. HR managers deal with sensitive information on a daily basis, including health records, financial information, redundancies and CVs for potential and existing employees – a gold mine for cyber hackers.

Additionally, the personal information stored within HR must comply with General Data Protection Regulation (GDPR), meaning that if this data was to be stolen or revealed by cyber hackers, the consequences could be devastating. Results from the latest GDPR data breach survey found there was a 19% increase in the number of breach notifications, from 287 to 331 breach notifications per day. And it’s not just SMBs getting it wrong, but also big tech giants like Twitter, which was fined €450,000 after violating GDPR, because it failed to notify the regulator within 72 hours of discovering the breach.

Email is a key communication channel for HR managers to share this personal and sensitive information – which is a risk in itself. The repetitive and familiar nature of email usage means that users can often forget that without the right protocols in place, email can be a window to serious cybersecurity breaches. But, luckily there are digital tools available which offer that critical second check.

Heightened Email Security
Throughout the pandemic, there has been an increase in the number of attacks using COVID-19 and remote working as a lure to vulnerable employees. Also, email addresses of those in HR are typically made publicly available for job applications, which is also an open opportunity for spoofing or malicious attachments, disguised as CVs perhaps, to be sent. For example, phishing emails were previously sent to employees asking them to attend a Zoom call with their HR department regarding the potential termination of their contract.

HR teams can help employees not only to avoid making mistakes but also to be wary of potential email attacks, by deploying innovative technology. Digital tools, such as VIPRE’s SafeSend, provide a simple safety check, prompting the user prior to sending an email to confirm it is correct – going to who it should, with the right information. Parameters can also be set to add certain domains to an allow list, or a DLP add-on can be used to flag sensitive information. Such tools can also help in the event of a phishing attack by highlighting external email addresses which try to look like they have come from someone internally, and most modern email security solutions also include the ability to prevent domain spoofing.
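
The checks described above, sketched as an added Python example (not VIPRE's code or any vendor's implementation): a pre-send check that warns on recipients outside an allow list and on card-like numbers in the body, and an inbound check that flags senders imitating the internal domain. The domains, allow list, confusable-character table and sample messages are all constructed assumptions.

```python
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.test"   # assumed company domain (constructed)
ALLOW_LIST = {"payroll-partner.test"}   # assumed approved external domains

# Character swaps often used to make one domain read like another (assumed table).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""))
# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def domain_of(address):
    """Return the lower-cased domain of an address or From header."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def skeleton(domain):
    """Collapse confusable character sequences so lookalikes compare equal."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Label an inbound From header relative to the internal domain."""
    display, _ = parseaddr(from_header)
    domain = domain_of(from_header)
    if domain == INTERNAL_DOMAIN:
        return "internal"
    # One-character typo, or identical after confusable folding.
    if (skeleton(domain) == skeleton(INTERNAL_DOMAIN)
            or edit_distance(domain, INTERNAL_DOMAIN) <= 1):
        return "lookalike-domain"
    # External address whose display name borrows the internal domain.
    if INTERNAL_DOMAIN in display.lower():
        return "display-name-spoof"
    return "external"


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def presend_warnings(recipients, body):
    """Return the prompts a user should confirm before the mail is sent."""
    warnings = []
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if dom != INTERNAL_DOMAIN and dom not in ALLOW_LIST:
            warnings.append(f"external recipient: {rcpt}")
    for match in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            warnings.append("possible payment card number in body")
            break
    return warnings


if __name__ == "__main__":
    # Constructed sample headers and message.
    for header in ("Jo <jo@example-corp.test>",
                   "HR <hr@exarnple-corp.test>",
                   '"example-corp.test HR" <hr@mailer.test>'):
        print(header, "->", classify_sender(header))
    print(presend_warnings(["cv@jobsite.test"], "Card 4111 1111 1111 1111"))
```

The one-character edit-distance threshold is a tuning choice: widening it catches more typo domains but starts flagging legitimate partners with similar names.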

Email encryption can play a critical role in ensuring that sensitive and confidential email is sent both internally and externally securely. The data within the email can be encrypted so that it is not intercepted in transit. Tamper-proof email archiving solutions can also help HR Teams easily find old email communications for use in employee disciplinary procedures or internal enquiries. Being tamper-proof, the communications are locked away, safe from deletion or editing. Even if an employee deletes the offending email from their inbox, it stays in the archive for later retrieval.

SAT Programmes
Despite the creativity and advancements of hackers, the employees themselves are often the number one gateway for cyber attacks, and according to CISOs, human error has been the biggest cybersecurity challenge during the COVID-19 pandemic. It’s even more crucial than ever for Human Resources to reinforce and emphasise the need for a strong cyber aware culture within the workforce, and this can be done through Security Awareness Training programmes.

HR teams are often involved in choosing and implementing the right programme to suit the needs of their workforce. Key considerations here should be around the frequency of training, how engaging the training is for your workforce and the reports available to management to show improvement over time.

With many employees being the middleman between a cyber attacker and a hack, it’s vital that workforces understand their role in keeping business information safe. As well as implementing training for their employees, HR departments should also receive their own continuous training, which focuses on mitigating the legal, financial and reputational risks that come with cyber attacks. Not only will training mean employees are aware of how personal data should be handled, but it will also increase responsibility and accountability.

Conclusion
COVID-19 has not only presented new challenges to Human Resources teams but has also changed the future of the workplace, with many employees now having to adapt to remote or hybrid working. However, among these many transitions, cybersecurity must remain a priority. As threats continue to become more advanced and target those who are vulnerable during challenging times, it is the job of HR to act now and deploy a layered approach to cybersecurity in order to highlight and resolve any weaknesses in the workforce and to keep sensitive data safe. However, above all, in order for this secure infrastructure to be effective, employees must understand their responsibility and value when it comes to cybersecurity by taking a proactive role in keeping business information safe.

Wednesday, 3 March 2021

Reasons Why the Security Industry is Protecting the Wrong Thing

Article by Paul German, CEO, Certes Networks 

Why is it that the security industry talks about network security, but data breaches? It’s clear that something needs to change, and according to Paul German, CEO, Certes Networks, the change is simple. For too long now, organisations have been focusing on protecting their network, when in fact they should have been protecting their data. Paul outlines three reasons why the security industry has been protecting the wrong thing and what they can do to secure their data as we move into 2021.

They’re called data breaches, not network breaches, for a reason

Looking back on some of the biggest data breaches the world has ever seen, it’s clear that cyber hackers always seem to be one step ahead of organisations that seemingly have sufficient protection and technology in place. From the Adobe data breach way back in 2013 that resulted in 153 million user records stolen, to the Equifax data breach in 2017 that exposed the data of 147.9 million consumers, the lengthy Marriott International data breach that compromised the data from 500 million customers over four years, to the recent SolarWinds data breach at the end of 2020, over time it’s looked like no organisation is exempt from the devastating consequences of a cyber hack.

When these breaches hit the media headlines, they’re called ‘data breaches’, yet the default approach to data security for all these organisations has been focused on protecting the network - to little effect. In many cases, these data breaches have seen malicious actors infiltrate the organisation’s network, sometimes for long periods of time, and then have their pick of the data that’s left unprotected right in front of them. 

So what’s the rationale behind maintaining this flawed approach to data protection? The fact is that current approaches mean it is simply not possible to implement the level of security that sensitive data demands as it is in transit without compromising network performance. Facing an either/or decision, companies have blindly followed the same old path of attempting to secure the network perimeter and hoping that they won’t suffer the same fate as so many before them.

However, consider separating data security from the network through an encryption-based information assurance overlay. This means that organisations can seamlessly ensure that even when malicious actors enter the network, the data will still be unattainable and unreadable, keeping the integrity, authentication and confidentiality of the data intact without impacting the overall performance of the underlying infrastructure.

Regulations and compliance revolve around data

Back in 2018, GDPR caused many headaches for businesses across the world. There are numerous data regulations businesses must adhere to, but GDPR, in particular, highlighted how important it is for organisations to protect their sensitive data. In the case of GDPR, organisations are not fined based on a network breach; in fact, if a cyber hacker were to enter an organisation’s network but not compromise any data, the organisation wouldn’t actually be in breach of the regulation at all.

GDPR, alongside many other regulations such as HIPAA, CCPA, CJIS or PCI-DSS, is concerned with protecting data, whether it’s financial data, healthcare data or law enforcement data. The point is: it all revolves around data, but the way in which data needs to be protected will depend on business intent. With new regulations constantly coming into play and compliance another huge concern for organisations as we continue into 2021, protecting data has never been more important. By developing an intent-based policy, organisations can ensure their data is being treated and secured in a way that will meet business goals and deliver provable and measurable outcomes, rather than with a one-size-fits-all approach.

Network breaches are inevitable, but data breaches are not

Data has become extremely valuable across all business sectors and the increase in digitisation means that there is now more data available waiting for malicious actors.

From credit card information to highly sensitive data held about law enforcement cases and crime scenes, to data such as passport numbers and social ID numbers in the US, organisations are responsible for keeping this data safe for their customers, but many are falling short of this duty. With the high price tag that data now has, doing everything possible to keep data secure seems like an obvious task for every CISO and IT Manager to prioritise, yet the constant stream of data breaches shows this isn’t the case.

But what can organisations do to keep this data safe? To start with, a change in mindset is needed to truly put data at the forefront of all cyber security decisions and investments. Essential questions a CISO must ask include: Will this solution protect my data as it travels throughout the network? Will this technology enable data to be kept safe, even if hackers are able to infiltrate the network? Will this strategy ensure the business is compliant with regulations regarding data security, and that if a network breach does occur, the business won’t risk facing any fines? The answer to these questions must be yes in order for any CISO to trust that their data is safe and that their IT security policy is effective.

Furthermore, with such a vast volume of data to protect, real-time monitoring of the organisation’s information assurance posture is essential in order to react to an issue, and remediate it, at lightning speed. With real-time, contextual meta-data, any non-compliant traffic flows or policy changes can be quickly detected on a continuous basis to ensure the security posture is not affected, so that even if an inevitable network breach occurs, a data breach does not follow in its wake.

Trusting information assurance

An information assurance approach that removes the misdirected focus on protecting an organisation’s network and instead looks at protecting data is the only way that the security industry can move away from the damaging data breaches of the past. There really is no reason for these data breaches to continue hitting the media headlines; the technology needed to keep data secure is ready and waiting for the industry to take advantage of. The same way that no one would leave their finest jewellery on display in the kitchen window, or leave their passport out for the postman to see, organisations must safeguard their most valuable asset and protect themselves and their reputation from suffering the same fate as many other organisations that have not protected their data.