Signacure Brochure


Transcript of Signacure Brochure

Page 1: Signacure Brochure

A guide brought to you by

INFORMATION SECURITY

The Data Protection Law is changing

Are you prepared?

Page 2: Signacure Brochure

A report by the Department for Business Innovation and Skills has found that the financial cost of security breaches has doubled in the last year, much of it attributable to the response activities a breach makes necessary.

For a large organisation this figure is now between £600k and £1.15m; for a small business it is between £65k and £115k.

The average cost per record lost in a breach event in the UK has risen from £86 to £95 and the number of breached records per incident in the last 12 months has ranged from 5,000 to 70,000 records. 1

This guide, produced by Signacure Resilience, highlights some of the potential risks facing your business and what you can do about them now.

The EU Data Protection Directive, adopted in 1995 is likely to be replaced in 2015 by the new EU Data Protection Regulation.

The new regulation will require company owners and data processors (such as cloud and offsite data hosting companies) to share the liability for data breaches. However, recent reports show that the vast majority of these service providers are not yet ready to meet these new requirements.

Technological investments in the last 10 years have had many benefits for organisations. However, much of what was put in place was not designed to be secure in a networked environment, and as a consequence data breaches are on the rise, as are the costs to businesses that result from an attack.

The European Parliament has agreed that national data protection authorities such as the ICO need to be able to impose effective sanctions in cases where law has been breached.

The proposal will allow fines of up to 5% of the annual worldwide turnover of a company.

FOR EXAMPLE: £95 x 5,000 records = £475,000 (and that’s just the minimum)

Every record you lose will cost roughly £95. Think about how many records you hold and what this could mean to your business.

1 2014 Cost of Data Breach Study - Ponemon Institute

Breaches cost more than you think

Don’t feel overwhelmed. We’re only a phone call away and can help you reduce your risks.

The real cost of a data breach:

Lost record cost

EU fine - 5% of annual turnover

Downtime and manpower

ICO fine - up to £500,000

Legal action from customers & suppliers

Did you know?

What this means to your business

Page 3: Signacure Brochure


High-speed internet, Smartphones, Wi-Fi, Social networks and flash storage; the business landscape has changed significantly in the last 10 years and evolving technology continues to alter the way we work and do business.

Unfortunately, criminals are constantly finding new and subtle ways to target businesses with little or no defence, their attacks often going undetected.

It is important to not only ensure you are adequately protected but also plan how you will respond to a breach to limit the potential damage to your business.

of large organisations and of small businesses in the UK had a security breach in the last year alone. 2

of compromise victims didn’t detect the breach themselves.

It takes on average 13 days longer to contain a breach when detected by a third party. 3

Your business is at risk

2 2014 Information Security Breaches Survey - Department for Business Innovation & Skills; 3 2014 Cost of Data Breach Study - Ponemon Institute

Board members have a legal obligation towards information security. Section C2 of the UK Corporate Governance Code (formerly the Combined Code) requires boards to “maintain sound risk management and internal control systems”.

This covers digital storage of information as well as other risks facing the business.

Did you know?

Time to detect a breach (infographic): 3rd party detected, 14 days; self detected, 1 day. 3

CONTACT US TODAY ON: 0845 052 3945


Page 4: Signacure Brochure

Don’t think of theft as simply payment card details.

The new EU law will allow fines of up to 5% of your annual turnover.

of businesses said customers asked about their information security credentials in the last year. 6

At a glance...

8 Internet Security Threat Report 2014 - Symantec Corporation; 9 2014 Information Security Breaches Survey - Department for Business Innovation & Skills

More than just finances

For peace of mind call us on: 0845 052 3945

The financial implications of a cyber attack can be crippling for even the largest organisations, but the consequences can affect the whole business.

Intellectual property

Staff, customer and supplier details such as logins and passwords

Products and services purchased

Critical or sensitive legal plans such as takeover or court papers. 4

Findings show that fewer customers remain loyal following a data breach. Abnormal churn increased as a result of a breach by 8% in 2014. 7

This risk increases in service sectors, and companies find it harder to win back customers following a reputation damaging incident.

Likewise, suppliers will avoid businesses that have been attacked for fear of being exposed to a breach indirectly through them.

brand credibility

The length of time business operations are disrupted continues to increase each year.

Latest findings have reported that this figure now stands at 7-10 days for small businesses and 5-8 days for large companies. 3

The time spent fixing breaches has also risen, doubling since 2013. For a small business this is now 12-24 man days, and for larger companies 45-85 man days. 5

downtime

Just under half of businesses don’t understand the legal obligations of securing data and 1 in 5 have reported losses due to compensation payments and regulatory fines. 4

The Information Commissioner’s Office can enforce fines of up to £500,000 for serious breaches of the Data Protection Act and the Privacy and Electronic Communications Regulations.

laws & regulations

55% of lost commercial data is from theft and vandalism.

Sony PlayStation suffered one of the worst breaches in 2011, and in August 2014 they were targeted again.

Their systems suffered a large-scale DDoS attack; the hackers’ main objective was to cause disruption.

DDoS attacks will bring websites and e-commerce operations to a halt: the modern digital version of graffiti on a wall, but the consequences are much more serious.

theft & vandalism

Page 5: Signacure Brochure


Where’s the threat?

Hacking continues to be the leading cause of breaches, accounting for 35% of breaches in 2013. 8

Once they breach a network, hackers will generally monitor the compromised computers, to determine weak points which can be exploited.

Weak points can come from missing or badly applied patches and poor server maintenance, and can often go undetected.

Hackers

2014 saw a 7% increase in businesses using cloud storage and hosting of business critical applications, however there is also an annual increase in breaches relating to cloud computing services. 9

Although an extremely cost-effective solution, it is important to recognise that security failures already present in an IT environment are exacerbated by moving to the cloud.

The focus should be on preventing breaches, and on your ability to obtain access to the provider’s systems and logs in order to investigate following an incident.

Cloud storage

Many companies are under the illusion that they are protected against data breaches, simply by firewalling their network and using anti malware software, but the continuing rise of successful breaches shows that this is not the case. So where are the real threats?

Page 6: Signacure Brochure


Where’s the threat?

Last year, the number of phishing campaigns saw a 91% rise from 2012 and there has been a noticeable increase in hacks through viruses and malicious software.

Last year 45% of small and 73% of large businesses reported an infection. 8

Phishing is the attempt to acquire sensitive information such as usernames and passwords by masquerading as a trustworthy entity, usually carried out via email.

Viruses & software

In June 2014, laws on flexible working changed, giving all employees the legal right to request flexible working, including working from home.

Theft or loss of a device accounted for 27% of data breaches in 2013. 8

However many companies have not considered the additional threats outside of the usual working environment such as open wireless networks.

Flexible working

Signacure can help you identify the threats facing your business

Page 7: Signacure Brochure

7 Internet Security Threat Report 2014 - Symantec Corporation; 9 2014 Information Security Breaches Survey - Department for Business Innovation & Skills

www.signacure.co.uk for more information on risks facing businesses today

Where’s the threat?

Although there is an increase in the number of companies adopting security policies, reports indicate that only 1 in 4 businesses believe their staff have a good understanding of it. 7

Human error, whether the result of deliberate or accidental actions, continues to be a problem, and users with admin rights are often responsible for more breaches than external hackers.

Staff behaviour

The popularity of bring your own device (BYOD) continues to blur the lines between personal and business life and introduces additional risks to businesses such as unsecured wireless networks, inaccurate inventory records and employees accessing sensitive customer data on mobile devices.

The risk associated with mobile devices continues to increase: only 38% of businesses encrypt data held on mobile phones and only 42% train staff on the threats associated with mobile devices. 9

Mobile devices

Page 8: Signacure Brochure

Being resilient to these risks involves much more than putting an IT “what if” strategy in place. It takes an investment of time and thought, but your efforts will be rewarded with fewer attacks, more efficient processes and reduced data loss.

51% of businesses now accept the inevitability that some attacks will be successful and have changed their objective to “cyber resilience” - the ability to minimise the number of successful attacks and to recover quickly when breaches are suffered. 8

8 2014 Information Security Breaches Survey - Department for Business Innovation & Skills

What you can do next

“Cyber security” is becoming an outdated phrase.

Create strategic alignment

Sensitive information is held throughout the whole business, some of which is critical to the achievement of organisational objectives.

When embarking on an information security programme there needs to be clear alignment with the business’s strategic objectives.

A company-wide approach involving all departments will see benefits across the business. For example, sales and marketing will have more opportunities to win business through tendering by demonstrating security credentials.

It’s not just IT and directors that are responsible for defending against security breaches, nor are they the only individuals affected by them.

Identify risks

If your organisation has a thorough understanding of its most valuable assets, it can take steps to protect them.

This can be achieved by undertaking a comprehensive enterprise-wide information assets audit, after which the assets can be prioritised.

Furthermore, vulnerability scanning against the servers and applications that house those data assets should be completed.

Manage risks

Your policies will be weaker if employees aren’t on board, and new measures and controls will be redundant if your team don’t understand the consequences.

Threats and controls should be regularly reviewed for effectiveness in order to minimise risks.

A lack of regular training and awareness can result in staff clicking malicious links and opening seemingly harmless emails, their actions resulting in costly fines and exposure of sensitive data.

Page 9: Signacure Brochure


Most attacks are financially motivated and come in the form of a phishing attempt: a genuine-looking email which, when its attachment or link is opened, installs malware that begins digging into the system.

In more extreme cases, fake user profiles have been set up and used to process orders through the organisation’s existing operational procedures. This results in stolen funds being deposited into criminals accounts.

These damaging intrusions can be avoided, but only by taking the appropriate action now.

Did you know?


What you can do next

of all contingency plans do not work as expected 9

Businesses that engage in breach response planning are more likely to respond in a measured fashion, however many struggle to find the time and find the right people for the task within the organisation.

Working with specialist professionals will limit damages and greatly increase your chances of survival in the event of a security breach.

Plan your response

Test your programme

Desktop simulations can test response plans in a real-time pressure situation.

Particularly sensitive assets may benefit from additional protection that penetration testing in a controlled environment offers.

However, to ensure you are fully prepared,you must regularly review and update your full security programme to incorporate new and emerging risks.

Page 10: Signacure Brochure

From 1st October 2014 the Government will require all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials Scheme.

Did you know?


Where should I start?

Beginning a journey to cyber resilience can seem like a daunting task.

Many businesses are in a ‘cyber-trance’, hypnotised by the volume of information regarding invisible threats and immeasurable risks. They are unsure what to do and overloaded with material regarding the latest tools and techniques.

Cyber resilience should incorporate not only technology, but also processes and training and be adaptable enough to keep up with constantly changing threats.

There are a number of steps you can take to address your own information security issues.

The truth is that for the majority, it’s not a case of if, but when you are breached. Businesses who survive not only manage the risks but also plan how to respond to a breach.

Register for the Free Cyber Early Warning Service

A free service that provides relevant digital security warnings, advisories and good practice from a number of global experts, filtered and processed to add local information and value.

Consider ISO 27001

Certain organisations may wish to consider the Information Security Standard ISO 27001:2013. This new standard helps an organisation establish, implement, maintain and continually improve an information security management system within the context of the organisation. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organisation.

Certify your business for the Cyber Essentials Scheme

A government-backed, industry-supported scheme that helps organisations protect themselves against common cyber attacks and provides a framework for gaining a basic level of security. The scheme enables organisations to gain one of two Cyber Essentials badges and is backed by a number of insurance companies offering incentives for businesses.

CONTACT US TODAY ON: 0845 052 3945 OR FOR MORE INFORMATION PLEASE VIEW: www.signacure.co.uk

Page 11: Signacure Brochure


Our services

Signacure Resilience incorporate a range of tools and techniques to build bespoke plans for businesses that address issues which may be posing security threats.

No matter if your set up is partially outsourced or incorporates cloud storage we can use a combination of our professional services to ensure your strategy is robust and focused on your needs.

Our consultants are CISSP-certified and experienced in implementing information security risk programmes.

Our programmes are commercially focused with clear objectives that tie in with your specific goals. However, our recommendations are underpinned by research and findings from leading academics in the ever-changing field of cyber security.

Our services include:

Information Systems Strategy Formation

Information Systems Audit

Data Breach Response Plan

Executive Media Training

Information Security Staff Training

Desktop Simulations

Digital Forensic Investigations

Legal Protection

Standards

Strategy