Tag Archives: government

The Security of the Small Business

Image by Charlie, used under Creative Commons

In the United Kingdom, as in many other economies around the world, smaller businesses are the lifeblood of national prosperity. In essence, SMEs *are* the private sector: according to the Department for Business, Innovation & Skills, they employ more people (60% in the UK in 2014) and generate almost half the total turnover of the private sector (48% in the UK in 2014).

Given the importance of these businesses to the UK economy, Trend Micro decided to attempt to discover just how ready many of these businesses are for the potentially devastating consequences of compromise.

Small businesses represent an attractive target for online criminals for several reasons. Many of them hold or process a large amount of personal information: identities and legal, financial and medical records, to give just a few examples. They also have less convoluted financial and banking arrangements, making them easier to exploit with traditional banking malware, whilst also being less likely to be compensated for any fraudulent transactions. Quite aside from the dangers of information or financial theft, small and medium businesses are increasingly in the sights of sophisticated criminals looking for ways into larger organisations. In an attack technique that has become known as “island hopping”, determined attackers seek out the smaller business partners of their eventual target in the hope that they will be less security savvy and less well-protected. Fazio Mechanical Services has become the unfortunate poster child of the island hopping attack ever since it was used as a stepping stone to the huge Target data breach in late 2013.

So what did we discover?

We interviewed 500 key decision makers and business owners in UK SMEs to compile the research. Amazingly, only half of them said they rely on internet security tools to protect their organisation from cyber attack. In addition, just 44% said they knew how to check if their laptops, mobiles or tablets had been infected with malware. Three-quarters (74%) admitted to not fully understanding the legal implications of a cyber attack, while 67% said the same was true of the financial implications of an attack.

Tellingly, just 18% said they thought their data was worth stealing.

What now?

It isn’t only the internet security industry that is sounding the alarm and offering assistance to SMEs. The UK government too has recognised the threat. Last month Ed Vaizey, the Digital Economy Minister, outlined how the voucher scheme operated by the government’s Technology Strategy Board, Innovate UK, would be extended to cover cybersecurity. This scheme offers businesses the chance to apply for £5000 in funding for specialist advice to help better secure their businesses and digital assets. Unfortunately, right now there isn’t enough in the pot to cover every application, so lucky recipients are selected in a random draw on a quarterly basis. Still, as they say, you’ve got to be in it to win it…

In the meantime, the key to online security lies in the selection of a trusted security partner. As a small business, your core skills are not in cyber security or network or system administration. You are focused on growing your business, on being successful and on being the best in your field, and rightly so.

There are other small and medium businesses like yours who are striving to be the best in their field too and their field is security. A specialist partner, providing a managed security service, will be able to provide you with the assurance and peace of mind that you need to focus all your efforts on success and who knows… You may even get the funding!

The research was conducted on behalf of Trend Micro by Vital Statistics, which sampled 500 UK business owners and decision makers in August 2015.

Small Business Advice Week runs from 31st August to 6th September 2015. More information can be found here: www.smallbusinessadviceweek.co.uk

The “right to be forgotten” is not censorship.

Image used under Creative Commons by Sara Biljana

Enshrining the right to be forgotten is a further step towards allowing individuals to take control of their own data, or even monetise it themselves, as we proposed in the 2020 white paper (Scenarios for the Future of Cybercrime).

The way the law stands in the EU currently, we have legal definitions for a data controller, a data processor and a data subject, an oddity which lands each of us in the bizarre situation where we are subjects of our own data rather than being able to assert any notion of ownership over it. With data ownership comes the right to grant or deny access to that data and to be responsible for its accuracy and integrity.


GCHQ – General Chit-chat, Hazy Questions?

Photo by Jenny Mealing (jennifrog) used under Creative Commons.

Yesterday’s questioning of intelligence chiefs by Members of Parliament is a first in British history. The momentous occasion was preceded by anticipation that the three big authorities, MI5, MI6 and GCHQ, would offer an open and transparent account of the extent of their surveillance operations, in particular GCHQ. Mass data collection by the UK security agencies has been suspected, or in a few cases disclosed, for some time. However, I was struck by how little new information was actually shared and by the disappointingly weak line of questioning. One important area, for example, which wasn’t clarified at all was how the practice of sifting through who is a ‘threat’ and who isn’t is qualified; neither was the deliberate and systematic undermining of international cryptographic standards. The responses in the area of “mass data collection” even appeared to give the lie to earlier assurances that only metadata was collected and that content never was, yet that area was never explored. This assurance has now given way to a somewhat disingenuous assurance that “the people who work in GCHQ” would simply not look at the content unless sufficient justification exists. In fact, they would “leave the building” if they were asked to “snoop”… Maybe part of the obvious disconnect is that those earlier assurances came from politicians themselves rather than the intelligence community.

For any commercial entity, the Data Protection Act regulates and governs the processing of personal information. Intelligence agencies and law enforcement, of course, benefit from a number of exceptions to those same rules, so it has been left indefinite who in the back rooms is looking out for the interests of the general public. A vague personal assurance that data belonging to “non-threats” is not viewed, and that candidates for GCHQ would not be employed if they were the sort to be tempted to do so, is not the same as a binding contract within a legal framework. Besides, somebody must have trusted Edward Snowden in a similar way at some point…

Speaking of Snowden, it would also have been helpful for some questions to have been asked to shed light on the relationships between GCHQ and foreign intelligence agencies: do they accept requests from other nations to hand over data on UK citizens? A recent report on mass surveillance of personal data that came to light on the same day as the inquiry shows that the NSA sent millions of records every day from internal networks to data warehouses at the agency’s headquarters. The US National Security Agency (NSA) is clearly working in collaboration with GCHQ; just how much is UK law helping the NSA to circumvent US law and vice versa, and what is the relationship here? Just for example, how does a contractor in the US, working for US intelligence services, end up with access to so much highly damaging sensitive information about British spy agencies?

It will be very interesting to see how the requirements of the security agencies, which were voiced in the February 2013 response to the Draft Communications Data Bill (Intelligence Committee response, “Access to communications data by the intelligence and security Agencies” (PDF)), influence the next draft of that same bill. The somewhat chilling conclusion of that Intelligence Committee response includes the statement that:

“Any move to introduce judicial oversight of the authorisation process could have a significant impact on the Agencies’ operational work. It would also carry a financial cost. We are not convinced that such a move is justified in relation to the Agencies, and believe that retrospective review by the Interception of Communications Commissioner, who provides quasi-judicial oversight, is a sufficient safeguard.”

Of course there will be further sessions, both in camera and, hopefully, more public questioning. While it is clear that, in the interests of national security, many aspects of surveillance programmes cannot and should not be revealed, the level of public trust in the very people that have been charged with protecting our liberty is at such a low that only unprecedented steps stand any chance of restoring our faith.

It seems we truly do live in Interesting Times, which is, more often than not, a curse.