“More UK companies failing to tackle cyber security” states Savanti

GLOBAL CYBER attacks increased in volume by 38% in 2022 when compared to 2021, but six in every ten directors suggest that their company is ineffective in understanding the risks. That’s one key finding of ‘Effective Board Governance of Cyber Security: A Source of Competitive Advantage’, the latest report published by Savanti, itself one of the UK’s leading cyber security consultancies.

The report finds that those businesses which are ‘cyber-engaged’ have increased revenue growth, a greater success rate in attracting clients and higher investor confidence.

Increasing numbers of UK businesses are struggling to understand how to combat cyber crime, which puts them at increased risk of cyber attacks resulting in crippling costs such as multi-million pound ransoms, litigation and reputational damage.

In terms of numbers, across all UK businesses, there were 2.4 million instances of cyber crime in the last 12 months. According to Cybersecurity Ventures, the cost of cyber crime to business could reach £8.4 trillion annually by 2025. If it were measured as a country, cyber crime would be the world’s third largest economy after the US and China.

Recent high-profile incidents include the cyber attack on The Electoral Commission in which a breach undetected for 14 months resulted in access to voters’ personal data including home addresses, images, e-mail addresses, names and telephone numbers. There were also the cyber attacks on British Airways and Boots.

Read the full story here.

BSIA calls for clarification on future role of biometrics and surveillance

THE BRITISH Security Industry Association (BSIA) is calling on the Government to clarify how it intends to “fill the void” created by the recent resignation of the Biometrics and Surveillance Camera Commissioner and the proposed abolition of the Office of the Commissioner at the Home Office.

Professor Fraser Sampson, the current Biometrics and Surveillance Camera Commissioner, will remain in post until the end of October before the functions of the role are expected to be subsumed by the Investigatory Powers Commissioner as part of the Data Protection and Digital Information Bill, which is proceeding through Parliament. As currently written, the Bill removes the need for the Government to publish a Surveillance Camera Code of Practice.

For its part, the BSIA has worked closely with the Office of the Surveillance Camera Commissioner since its formation in 2014. Tony Porter QPM, the inaugural Surveillance Camera Commissioner, welcomed the opportunity of engagement from the BSIA.

Indeed, the Trade Association went on to lead two of the key industry strands of work around the National Surveillance Camera Strategy for England and Wales. In this capacity, the BSIA engaged with other stakeholders to create several foundation documents, including the list of key recommended standards for use in video surveillance systems, a buyers’ toolkit, the passport to compliance and also a ‘Secure by Default’ self-certification scheme aimed squarely at manufacturers.

A great deal of this work is set to be ‘archived’ when the Office of the Biometrics and Surveillance Camera Commissioner is closed. It’s also unclear as to how the transfer of the functions of the Biometrics and Surveillance Camera Commissioner will be carried out in practice and whether or not engagement with industry practitioners will even be a consideration.

Read the full story here.


NIST Publishes Draft Post-Quantum Cryptography Standards

Draft post-quantum cryptography (PQC) standards have been published by the US National Institute of Standards and Technology (NIST). The new framework is designed to help organizations protect themselves from future quantum-enabled cyber-attacks.

The draft documents were published on August 24, 2023, and encompass three draft Federal Information Processing Standards (FIPS).

These standards were selected by NIST following a process that began in December 2016, when the agency issued a public call for submissions to the PQC Standardization Process.

After several rounds of selection, NIST announced the four algorithms that would form its PQC standard in July 2022. The CRYSTALS-Kyber algorithm was chosen for general encryption, specifically the key establishment used when connecting to secure websites, and CRYSTALS-Dilithium, FALCON and SPHINCS+ were selected for digital signatures.

Three of these algorithms are covered by the draft FIPS: CRYSTALS-Kyber as ML-KEM (FIPS 203), CRYSTALS-Dilithium as ML-DSA (FIPS 204) and SPHINCS+ as SLH-DSA (FIPS 205). NIST said a draft standard for FALCON would follow separately.

Read the full story here.

UK Government Slammed For Encryption Mistruths

The technology secretary has drawn the ire of encryption experts by repeating false claims and half-truths about the Online Safety Bill.

The proposed legislation will effectively force private messaging companies that use end-to-end encryption to scan their users’ content for child abuse material. This would require users to download client-side scanning software to read messages on their devices before they’re encrypted.

Michelle Donelan told Radio 4’s Today program: “Technology is in development to enable you to have encryption as well as to be able to access this particular information.”

This prompted a furious backlash from experts.

Matthew Hodgson, CEO of secure messaging app Element, branded the statement as “factually incorrect.”

“No technology exists which allows encryption and access to ‘this particular information.’ Detecting illegal content means all content must be scanned in the first place. By adding the ability to use scanning technology at all, you open the floodgates to those who would exploit and abuse it,” he said.

“You put the mechanism in place for mass surveillance on UK citizens by the ‘good guys’ and the bad. It is utterly unacceptable to attempt to force tech companies to implement mass surveillance within their products.”

Read more on the Online Safety Bill: Security Experts Raise Major Concerns With Online Safety Bill

Donelan added that “the onus is on tech companies to invest in technology to solve this issue.” It’s an argument often repeated by lawmakers and law enforcers but roundly dismissed by technology experts as either disingenuous or ignorant.

“Countless experts, from private companies to academics and civil society organizations have told you this technology is impossible to build,” Hodgson responded. “Is the government expecting every tech company to plough money into a never-ending R&D project that will never result in a workable product?”

Read the full story here.

Financial Conduct Authority warns financial services firms over AI fraud

THE HEAD of the Financial Conduct Authority (FCA) has stated that Artificial Intelligence (AI) could disrupt the financial services sector “in ways and at a scale not seen before”, in parallel issuing a warning that the regulator would be forced to take action against AI-based fraud.

In a speech delivered to company executives in central London, Nikhil Rathi (CEO of the FCA) noted that there are risks of “cyber fraud, cyber attacks and identity fraud increasing in scale, sophistication and effectiveness” as AI becomes more widespread.

Prime Minister Rishi Sunak is fervently hoping to make the UK a centre for the regulation of AI, while the FCA’s work on this subject area is part of a much broader effort designed to work out how to regulate the big tech sector as it increasingly offers financial products.

During his delivery, Rathi warned that AI technology will increase risks for financial firms in particular. Senior managers at those firms will be “ultimately accountable for the activities of the business”, including decisions taken by AI.

“As AI is further adopted,” observed Rathi, “the investment in fraud prevention and operational and cyber resilience will have to accelerate simultaneously. We will take a robust line on this. There’s going to be full support for beneficial innovation alongside proportionate protections.”

Deepfake video

Rathi cited the example of a recent deepfake video of the personal finance expert Martin Lewis supposedly selling speculative investments. Lewis himself said the video was “terrifying” and has called for regulators to force big technology companies to take action in order to prevent similar scams.

Responding to Rathi’s comments, cyber specialist Suid Adeyanju (CEO of RiverSafe) said: “AI is set to become a regulatory minefield for the FCA, so maintaining a clear line of communication with businesses about the challenges and opportunities ahead is going to be critical in terms of maintaining high standards within the market.”

Adeyanju continued: “The tidal wave of AI-enabled cyber attacks and online scams adds an even greater level of complexity, so it’s vital that financial services firms beef up their cyber credentials and capabilities in order to identify and neutralise these threats before they can establish a foothold.”

Read the full story here.

CISA and NSA Publish BMC Hardening Guidelines

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released joint guidance on hardening Baseboard Management Controllers (BMCs).

Published on Wednesday, the document aims to address the overlooked vulnerabilities in BMCs, which can serve as potential entry points for malicious actors seeking to compromise critical infrastructure systems.

Read more on similar attacks: NCSC Warns of Destructive Russian Attacks on Critical Infrastructure

For context, BMCs are essential components embedded in server hardware that facilitate remote management and control. They run their own firmware and operate independently of the host operating system, so they remain reachable even when the host is powered down.

However, that combination of high privilege and network accessibility makes these devices attractive targets for malicious actors.

The joint guidance emphasizes the importance of taking proactive measures to secure and maintain BMCs effectively, adding that many organizations fail to implement even minimum security practices.

These shortcomings could result in BMCs being used by threat actors as entry points for various cyber-attacks, such as turning off security solutions, manipulating data or propagating malicious instructions across the network infrastructure.

To address these concerns, CISA and NSA recommend several key actions. These include protecting BMC credentials, enforcing VLAN separation, hardening configurations and performing routine BMC update checks.

Further, the agencies said organizations should also monitor BMC integrity, move sensitive workloads to hardened devices, use firmware scanning tools periodically and treat unused BMCs as potential security risks.
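Several of those recommendations (protecting credentials, enforcing VLAN separation and checking for stale firmware) can be verified from the BMC's own Redfish resources. The script below is an added illustration, not code from the CISA/NSA guidance or from any BMC vendor. The JSON it audits is a constructed sample shaped like the Redfish ManagerAccount, SoftwareInventory and EthernetInterface resources; the field names follow the DMTF Redfish schema, but the list of default usernames, the minimum firmware version and the management subnet and VLAN are assumptions chosen for the example.

```python
"""Audit a BMC's Redfish data for the weak spots the guidance calls out.

Added example; the samples below are constructed, not captured from a device.
"""
import ipaddress

# Usernames commonly shipped enabled on BMCs (assumed list for this example).
DEFAULT_USERNAMES = {"admin", "administrator", "root", "user"}

# Constructed sample: members of /redfish/v1/AccountService/Accounts
SAMPLE_ACCOUNTS = [
    {"UserName": "ADMIN", "Enabled": True, "RoleId": "Administrator", "Locked": False},
    {"UserName": "ops-bmc-rw", "Enabled": True, "RoleId": "Administrator", "Locked": False},
    {"UserName": "ops-bmc-ro", "Enabled": True, "RoleId": "ReadOnly", "Locked": False},
    {"UserName": "root", "Enabled": False, "RoleId": "Administrator", "Locked": False},
]

# Constructed sample: /redfish/v1/UpdateService/FirmwareInventory/BMC
SAMPLE_FIRMWARE = {"Id": "BMC", "Name": "BMC Firmware", "Version": "1.08.00", "Updateable": True}

# Constructed sample: /redfish/v1/Managers/1/EthernetInterfaces/1
SAMPLE_NIC = {
    "IPv4Addresses": [{"Address": "10.20.0.15", "SubnetMask": "255.255.255.0"}],
    "VLAN": {"VLANEnable": True, "VLANId": 200},
}


def parse_version(version):
    """Turn a dotted version string such as '1.08.00' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def audit_accounts(accounts):
    """Flag enabled default accounts and more than one enabled Administrator."""
    findings = []
    admins = []
    for acct in accounts:
        name = acct.get("UserName", "")
        if not acct.get("Enabled"):
            continue  # disabled accounts are not an exposure by themselves
        if name.lower() in DEFAULT_USERNAMES:
            findings.append(f"default account '{name}' is enabled")
        if acct.get("RoleId") == "Administrator":
            admins.append(name)
    if len(admins) > 1:
        findings.append("more than one enabled Administrator account: " + ", ".join(sorted(admins)))
    return findings


def audit_firmware(inventory, minimum_version):
    """Flag BMC firmware older than the minimum version the site requires."""
    if parse_version(inventory["Version"]) < parse_version(minimum_version):
        return [f"BMC firmware {inventory['Version']} is older than required {minimum_version}"]
    return []


def audit_network(nic, mgmt_subnet, mgmt_vlan):
    """Flag a BMC whose address or VLAN tag is outside the management network."""
    findings = []
    network = ipaddress.ip_network(mgmt_subnet)
    for entry in nic.get("IPv4Addresses", []):
        address = ipaddress.ip_address(entry["Address"])
        if address not in network:
            findings.append(f"BMC address {address} is outside management subnet {network}")
    vlan = nic.get("VLAN", {})
    if not vlan.get("VLANEnable") or vlan.get("VLANId") != mgmt_vlan:
        findings.append(f"BMC interface is not tagged on management VLAN {mgmt_vlan}")
    return findings


def audit_bmc(accounts, firmware, nic, minimum_version="1.10.00",
              mgmt_subnet="10.20.0.0/24", mgmt_vlan=200):
    """Run all three checks; the policy values are assumptions for the example."""
    return (audit_accounts(accounts)
            + audit_firmware(firmware, minimum_version)
            + audit_network(nic, mgmt_subnet, mgmt_vlan))


if __name__ == "__main__":
    for finding in audit_bmc(SAMPLE_ACCOUNTS, SAMPLE_FIRMWARE, SAMPLE_NIC):
        print("FINDING:", finding)
```

Against the constructed sample the script reports the enabled default ADMIN account, two enabled Administrator accounts and the out-of-date firmware; the interface passes because it sits on the assumed management subnet and VLAN. In practice the three dictionaries would come from authenticated GETs to the BMC's Redfish endpoint, and the output feeds the routine update and integrity checks the guidance asks for.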

Read the full story here.

Sussex PCC denies CCTV could be switched off

The Sussex Police & Crime Commissioner has denied the county’s CCTV could be switched off from April.

Katy Bourne was questioned during a meeting of the Police & Crime Panel about problems with the renewal of a contract with service provider BT.

According to a police spokesman, BT has only offered a one-year fixed price contract rather than the three-year contract which had been expected.

Ms Bourne said an inspector was working on the issue full-time and that “nobody’s going to get switched off”.

The meeting also heard a “significant price increase” was forecast on the £250,000 per year already being paid, due to upgrades being made to the circuit technology.

Ms Bourne said: “The contract is BT’s. If they decide they don’t want to renew, they don’t have to renew – we can’t force them.

“They’ve agreed a price. It’s their price and we can’t afford it, effectively.

“My understanding, having spoken with the team in Sussex Police, is that nobody’s going to get switched off, so let’s just allay that concern.”

Read the full story here.

Ransomware Attacks Are on the Rise, Again

Ransomware attacks tumbled in 2022, offering hope that the tide was turning against the criminal gangs behind them. Then things got a whole lot worse.

Amid a concerted effort by global law enforcement to crack down on ransomware attacks, payments to hackers and even the volume of attacks fell in 2022. But the trend doesn’t seem to be holding for 2023, and attacks have shot up again.

Data from cryptocurrency tracing firm Chainalysis indicates that victims have paid ransomware groups $449.1 million in the first six months of this year. For all of 2022, that number didn’t even reach $500 million. If this year’s pace of payments continues, according to the company’s data, the total figure for 2023 could hit $898.6 million. This would make 2023 the second biggest year for ransomware revenue after 2021, in which Chainalysis calculates that attackers extorted $939.9 million from victims.

The findings track with general observations from other researchers that the volume of attacks has spiked this year. And they come as ransomware groups have become more aggressive and reckless about publishing sensitive and potentially damaging stolen information. In a recent attack against the University of Manchester, hackers directly emailed the UK university’s students telling them that seven terabytes of data had been stolen and threatening to publish “personal information and research” if the university didn’t pay up.

“We think as a result of their budgetary shortfalls in 2022 we’ve seen these more extreme extortion techniques, ways to kind of twist the knife,” says Jackie Burns Koven, head of cyber threat intelligence at Chainalysis. “In 2022 we were very surprised to find that decline. Then we talked to external partners—incident response firms, insurance companies—and they all said, yeah, we’re paying less, and we’re also seeing fewer attacks.”

Read the full story here.

EchoPoint distributed acoustic sensors introduced for intrusion detection

FIBER SENSYS, itself part of the OPTEX Group, has launched EchoPoint distributed acoustic sensors for advanced intrusion detection across even the highest-level security sites.

Dubbed the latest evolution in fiber optic sensing technology, the new EchoPoint sensors make use of intelligent detection algorithms to locate an event to within +/- 6 metres over a sensing range of up to 100 km. This highly accurate and reliable detection renders the sensors ideal for larger perimeters and high security sites, such as airports, logistics centres, railway networks and critical infrastructure, and for protecting data conduits and pipelines, where being able to locate and identify the precise point of intrusion is critical.

Thanks to their highly advanced pattern-recognition classification algorithm, the sensors are able to distinguish between common causes of false and nuisance alarms, such as wildlife and environmental conditions, and genuine intrusion attempts. The system is also immune to electromagnetic interference, radio frequency interference and lightning.

The flexibility and versatility of the EchoPoint sensors is such that they can be operated across multiple applications and installed on fences, buried or commissioned in a hybrid layout. When mounted on a fence, the sensors can identify someone cutting the fence or attempting to climb it. When buried, the system can differentiate between footsteps, manual and machine digging and vehicle movements.

To meet the individual needs of every site, the EchoPoint sensors feature intelligent software zoning, meaning different detection zones can be configured along the fiber. End users have the ability to independently adjust the sensitivity and output within each zone, thereby helping to provide maximum capture rates and minimise nuisance alarms.

Read the full story here.


Rethinking Access Control for Today’s Flexible Workplace

OVER THE years, approaches designed to support employee well-being have evolved. Delivering job satisfaction, mental health support and flexible and hybrid working are just some of the measures adopted, but what about ensuring people feel safe and protected? Workers feeling vulnerable poses a significant risk to employee well-being, as Michel Roig discovers.

While security has always been a priority, one of the most recent approaches to facilitating employee well-being – flexible and hybrid working (or ‘Working from Anywhere’) – might have created new risks.

Despite most pandemic restrictions having now been lifted, it appears that ‘Working from Anywhere’ is here to stay. Surveys of UK employees have revealed that the proportion of ‘Working from Anywhere’ employees almost doubled between February and May of this year.

It’s easy to see why. Offering ‘Working from Anywhere’ as part of the job remit is now a significant factor in attracting candidates and retaining employees. Signs are emerging that it’s also the key to enhanced productivity.

However, ‘Working from Anywhere’ means that employers have to secure digital estates wherever and whenever employees are working. This represents a significant challenge as companies have to respond to increased digital threats and apply enterprise security for domestic settings.

There are also challenges in physical access that are worrying workers. Even before the pandemic, findings from the Society of Human Resource Management revealed that roughly one-in-seven Americans, for example, don’t feel safe in the workplace.

In essence, the scale of the challenge requires companies to critique their own current security solutions and consider carefully whether the existing regime provides a smart and secure workplace that supports employee well-being.

Read the full story here.