Most Companies Worldwide Failing to Measure Cybersecurity Effectiveness and Performance

Thycotic has announced the release of its first annual 2017 State of Cybersecurity Metrics Report, which analyzes key findings from a Security Measurement Index (SMI) benchmark survey of more than 400 global business and security executives. Based on internationally accepted standards for security embodied in ISO 27001, as well as best practices from industry experts and professional associations, the Security Measurement Index benchmark survey provides a comprehensive way to define how well an organization is measuring the effectiveness of its IT security.

According to the findings, more than half of the 400 respondents in the survey, 58 percent, scored an “F” or “D” grade when evaluating their efforts to measure their cybersecurity investments and performance against best practices.

“It’s really astonishing to have the results come in and see just how many people are failing at measuring the effectiveness of their cybersecurity and performance against best practices,” said Joe Carson, Chief Security Scientist at Thycotic. “This report needed to be conducted to bring to light the reality of what is truly taking place so that companies can remedy their errors and protect their businesses.”

With global companies and governments spending more than $100 billion a year on cybersecurity defenses, a substantial number, 32 percent, of companies are making business decisions and purchasing cyber security technology blindly. Even more disturbing, more than 80 percent of respondents fail to include business users in making cyber security purchase decisions, nor have they established a steering committee to evaluate the business impact and risks associated with cybersecurity investments.

Additional key findings from the report include:

  • One in three companies invest in cybersecurity technologies without any way to measure their value or effectiveness.
  • Four out of five companies don’t know where their sensitive data is located or how to secure it.
  • Four out of five fail to communicate effectively with business stakeholders and include them in cybersecurity investment decisions.
  • Two out of three companies don’t fully measure whether their disaster recovery will work as planned.
  • Four out of five never measure the success of security training investments.
  • While 80 percent of breaches involve stolen or weak credentials, 60 percent of companies still do not adequately protect privileged accounts—their keys to the kingdom.
  • Small businesses are targeted in two out of three cyberattacks.
  • Sixty percent of small businesses go out of business six months after a breach.

“We put out this report not only to show the errors that are being made, but also to educate those who need it on how to improve in each of the areas that are lacking,” added Carson. “Our report provides recommendations associated with better ways to educate, protect, monitor and measure so that improvements can be implemented.”

To download the full 2017 State of Cybersecurity Metrics Report and view all the findings from the Security Measurement Index benchmark survey, visit:



Cyber Security Challenge UK hosts UK’s first cyber crime intervention workshop

Cyber Security Challenge UK worked closely with the NCA and industry partners to deliver a new initiative to rehabilitate young people who have committed low-level cyber crimes and prevent them from re-offending or from becoming involved in serious crime.

The Intervention Day, which was held at PGI’s Cyber Academy in Bristol, was run specifically for young people who have committed minor cyber crimes, and received low level interventions such as cease and desist orders or cautions. Its aim was to prevent them from re-offending and to encourage them to consider ethical and legal jobs in the cyber security sector. The cyber security industry is crying out for more skilled workers. Industry association (ISC)2 estimates the global shortfall of cyber security workers will stand at 1.8 million by 2022.

The day’s attendees were aged 14-18; the majority had previously received either a caution or a cease and desist visit by law enforcement for cyber crime activity. The primary aim of the day was to ensure the young people understand the law and the consequences of offending so they can make an informed choice. These young people took part in workshops and training across the day to highlight how talents could be used constructively in legal and highly lucrative jobs, as well as hearing from a former hacker who transformed his life. Partners include PGI, BT, IRM, Grillatech, Ferox Security and the Challenge’s alumni group, the Whitehatters Academy. This collaboration of public and private organisations is critical to ensuring the industry can provide intervention for young cyber criminals and offer jobs to those who seek second chances.

There are currently no formal cyber crime offending rehabilitation programmes, as there are for other more traditional crimes such as speeding, assaults or drugs. Early intervention is essential to ensure young people do not become involved in further offending with their career prospects being tarnished.

The average age of arrest by the NCA’s National Cyber Crime Unit was just 17 years old in 2015, in contrast to the average age of 37 for those arrested in drugs cases, and an average age of 39 years old for economic based crimes.

Debbie Tunstall, Head of Education Programmes, said: “Many young people unwittingly commit cyber crimes as they are not aware of boundaries – both ethical and legal. We are seeing a rise in the number of young people committing cyber crimes either through lack of education or a lack of a safe space to experiment. This programme can not only help them to realise right from wrong, but also give them an outlet to channel their expertise and a network of contacts to help them build a lucrative career too. These young people often have the exact kind of proficiencies we need to plug the skills shortfall and it is our job as an industry to support the Government in setting them on the right path.”

The NCA and partners plan to develop the approach further so it can be a national resource used consistently alongside existing criminal justice processes to prevent individuals from getting involved in cyber crime or re-offending.

Richard Jones, National Cyber Prevent Co-ordinator at the National Crime Agency said: “Cyber crime is increasingly easy to commit because of the proliferation of easy-to-access tools, tutorials and online forums to share ideas. Even the most basic forms of cyber crime can have huge impacts and the NCA and police will arrest and prosecute offenders, which can be devastating to their future. That means there is great value in reaching young people before they ever become involved in cyber crime, when their skills can still be a force for good.

“Through these events we are helping young people understand the law and the consequences of offending. We want to demonstrate that a career in the industry can pay a lot more than cyber crime and can give them the sense of accomplishment and respect they are seeking.”

Further consortium quotes:

Rob Partridge, Head of the BT Security Academy, BT:

“BT is committed to making sure young people are properly equipped to enter the world of work. So, we’re supporting the career aspirations of young people through a number of programmes that help students, parents and teachers understand the vast range of career options available – particularly in the fields of computing and cyber security. This programme is an exciting opportunity to encourage young people to make the right choices when using their computing talent and understand how they can harness their skills to develop a long and fruitful career through which they can realise their full potential. The UK will be needing many more cyber security specialists over the coming years to defend businesses, organisations and individuals from the escalating number of attacks, so BT will be encouraging the talented individuals involved in this project to pursue a career in cyber security.”

Charles White, CEO, IRM:

“IRM are proud to be involved in this initiative and work with the NCA to help guide these young offenders away from crime and ensure they understand that there is another way to use their talents for good. Here at IRM we are very proud and fortunate to be home to a number of talented individuals, and it is very exciting for me to watch the talent of tomorrow coming together at an event such as this.”




University of Cambridge and MIT CSAIL lead allied forces tackling rogue state developing Weapons of Mass Destruction, in life-like cyber competition

Top talent from UK and US universities have fired up their laptops to battle a dangerous rogue state developing Weapons of Mass Destruction (WMDs) in the life-like cyber security competition, Cambridge2Cambridge (C2C).

The government and industry backed competition – which is the brainchild of two of the most prestigious universities in the world, the University of Cambridge, in the UK, and the Massachusetts Institute of Technology (MIT), in the US – pits teams of the world’s future cyber defenders against each other in a three-day battle.

One-hundred-and-ten future cyber defenders from 24 of the most prestigious universities in the US and the UK are taking part in the competition at the University of Cambridge. The mixed teams of UK and US students are battling for thousands of pounds of prize money, with a total of £20,000 up for grabs over the course of the challenge.

Pupils have formed international cyber hunting teams to mount an offensive cyber-attack to subdue a facility where a fictitious rogue state is developing and caching WMDs. The cyber-attack is necessary, as the weapons are hidden in facilities deep underground, with “bunker-bombs” proving ineffective and poor weather conditions preventing allied ground troops from mounting an offensive.

The competition, held within the historic grounds of Trinity College, at the University of Cambridge, started on Monday, July 24 and will end on Wednesday, July 26. The second ever C2C competition is backed by the National Cyber Security Centre (NCSC), Cabinet Office, and industry partners Leidos, NCC Group, Context, Palo Alto Networks, KPMG, ForAll Secure, Immersive Labs, Wiley and the National Science Foundation (NSF). It is designed to tackle the critical cyber security skills gap, which latest figures suggest will increase to a 1.8m person shortfall globally by 2022.

Leading academics behind C2C also designed the competition to promote greater cyber security collaboration between the UK and USA, and give students the platform to explore creative ways to combat global cyber-attacks, as well as honing and acquiring critical skills.

It also gives budding cyber enthusiasts the opportunity to test and improve their skills in a real-life simulation, meet like-minded individuals, and learn more about careers in the sector by introducing them to key players in the industry and government.

Professor Frank Stajano, Head of the Academic Centre of Excellence in Cyber Security Research at the University of Cambridge and co-founder of Cambridge2Cambridge, comments:

“In the second annual Cambridge2Cambridge challenge we have looked to expand on the success of the inaugural C2C, by welcoming students from top universities from across the UK and the USA. It’s truly remarkable to witness the breadth of talent in Universities throughout these two countries.”

“C2C gives these bright young people the opportunity to implement the skills and theory they have been taught at university in a realistic environment, while learning new ones in the process. We have over a hundred smart kids here in Cambridge today but I hope their achievements inspire hundreds of thousands of secondary school students to take up this challenging and intellectually stimulating path when they go to university. We are growing a new generation of skilled cyber security experts who will protect the digital society of tomorrow.”

Dr Howard Shrobe, Principal Research Scientist at MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) and co-founder of Cambridge2Cambridge, comments:

“The relevance of cyber security has never been greater. Recent attacks on corporations and governments alike have focused our attention towards a need for a strong pool of talent to bolster our defences. Cambridge2Cambridge was born out of a need to spur innovative ideas, bringing together the brainpower from MIT and the University of Cambridge, so it only seems natural to involve more leading universities in the second year of C2C, and continue to inspire the world’s leading minds to tackle an ever-growing issue. Only by giving these talented students the tools needed to enter the industry, will we be able to tackle the growing threat from cyber criminals and terrorists.”

Chris Ensor, NCSC Deputy Director of Cyber Skills and Growth said:

“Cyber Security is one of the most important professions for any digitally enabled country and I am proud that the UK is a world leader in this field.

“We need the brightest and the best talent to stay ahead of rapidly evolving global cyber threats and I am hugely impressed by the skills and enthusiasm of the young people taking part in this competition. I am particularly pleased to see more women taking part this year. The participants I’ve seen here have a bright future in the cyber security field and will be at the forefront of keeping our nation safe and secure.”

Ollie Whitehouse, CTO at NCC Group:

“As cyber attacks become an increasing concern for businesses and consumers alike, the need to equip a new generation of talented minds with security skills has never been greater. By offering their expertise, getting involved in events and speaking to young people, security professionals can encourage a passion for security and bring innovative new ideas to the industry.

“Initiatives such as the Cambridge2Cambridge competition are a great way to inspire young people and demonstrate how exciting, creative and rewarding a career in cyber security can be. We’re very pleased to be so closely involved in this and are looking forward to seeing what the talented students in the competition will achieve.”

Bill Krampf, Leidos Senior Vice President for U.K. and Europe, Leidos:

“Recruitment and developing the capabilities of our workforce is a key enabler to defend our nations and clients”, said Bill Krampf, Leidos Senior Vice President for U.K. and Europe. “We live in a world where new skills have to be honed to defend against adversaries. Only with continued partnerships with universities can we truly help shape the skills that are coming into the future workforce.”




WannaCry Fallout: 58% of UK organisations now feel another attack is imminent

New research by leading information security company Clearswift shows how attitudes to cyber security have changed in the boardroom and among staff in the wake of the recent WannaCry attack, surveying 600 business decision makers and 1,200 employees across the UK, US, Germany and Australia.

Within a day the WannaCry attack, which affected major organisations including the National Health Service (NHS), was reported to have infected more than 230,000 computers in over 150 countries, once again bringing the issue of cyber security into focus for business and consumers alike.

The scale of the WannaCry attack is nowhere more evident than in the sheer awareness among the general public: more than three quarters (77%) of people surveyed had knowledge of the attack, with the number even higher (88%) in the UK.

With 58% of firms in the UK expecting another attack over the next few months, it is clear that the attack has sent ripples through the industry and brought cyber security front of mind for both employees and businesses. Following the events, 29% of UK businesses will now add cyber security to the boardroom agenda and 29% of firms worldwide have pledged to implement stronger cyber security measures.

With 80% of UK employees increasingly worried about how companies hold their data and an identical number (80%) worldwide sharing those concerns, it’s no surprise that 38% of employees worldwide who were aware of the attack are now reading more about cyber security in the aftermath of the events. Additionally, 33% have changed their passwords, 24% have formally enrolled in courses, and 26% are taking steps to ensure their companies raise their game in cyber security.

Dr. Guy Bunker, SVP Products at Clearswift, said: “UK employees are worried about the practices of the custodians of their data, however the gulf between front line security professionals and Board members may at last be bridging, with close to a third (29%) now recognising cyber security has a place at the boardroom table.

“Organisations need to answer the clarion call we are hearing from employees to learn from these events and start to raise their game and update their policies, procedures and technology to mitigate against future attacks as well as preparing for the introduction of new data regulations that are on the horizon.”

Those in the public sector took a slightly more relaxed attitude to how their data is held with more than a quarter (28%) not being worried by the attacks compared to 17% in the private sector.

With one of the UK’s most well-known organisations, the National Health Service (NHS), being front and centre of the attack, it may be surprising to learn that UK employees who were aware of the WannaCry attack were less likely than those in the USA, Australia and Germany to change their passwords, read more about cyber security or even ask their company for advice. The US (49%) proved most likely to action change, followed by Australia (43%), Germany (37%) and then the UK (35%).

The future may be brighter however as more than half (55%) of those aged 18-24 that were aware of the WannaCry attack, have taken the initiative to read more about cyber security with 29% enrolling in courses or certifications.

Dr Bunker added, “An educated workforce that is well briefed on policies and procedures will go some way in limiting the effects of a breach, however Boards need to take a proactive stance on this. Having the latest security technology enables organisations to stop attacks at the boundary, before they enter a network, by removing the source of an attack from documents and attachments shared into an organisation.”




Regent University’s Institute for Cybersecurity to Build State-of-the-Art Cyber Range at Virginia Beach Campus

Officials with the Institute for Cybersecurity at Regent University, an academic center and training facility dedicated to equipping the next generation of cybersecurity professionals in the industry, government, military and academia, announced today that Regent is building a state-of-the-art cyber range training facility.

As one of only a few stand-alone cyber range facilities at a university, and perhaps the only one in the nation at a private university, the Regent Cyber Range will open in Q4 2017 and will offer hands-on training programs where students will acquire the highest level of skills needed for careers in cybersecurity. Regent’s Cyber Range will also be a leading-edge training hub for enterprises, consultancies, government and military organizations, offering several certificate programs at all levels.

According to industry reports, cybersecurity is one of the fastest growing career fields, with demand expected to rise to 6 million jobs globally in 2019 and a projected shortfall of employees for 1.5 million job openings. Median pay for an entry-level position for people with a bachelor’s degree is currently $88,890, according to the Bureau of Labor Statistics, with the highest 10 percent of cybersecurity professionals earning more than $140,000.

“A severe skill shortage exists in the workforce, while at the same time the threats to our country’s security grow ever more sophisticated,” said Regent’s Chancellor and CEO, Dr. M.G. “Pat” Robertson. “Regent’s new training center will address the nation’s need for thousands of additional cybersecurity experts to defend government and commercial networks from cyber attacks.”

Regent will utilize the Cyberbit Range platform created by Cyberbit Ltd., the world’s leading provider of cybersecurity training and simulation platforms. It offers a realistic training experience where trainees are exposed to various attack scenarios and security breaches to improve their hands-on skills. The range can simulate large-scale virtual networks and attacks based on real-world incidents, and can also pinpoint system vulnerabilities and help users develop countermeasures and improved protocols for dealing with cyber attacks on critical network systems. The platform offers numerous security tools and systems, including risk assessment tools, monitoring systems, security information and event management systems, forensic tools and supporting databases, as well as other network, security and cyber components.

“Regent will be among the first in Christian higher education, and one of the few colleges and universities nationwide, to offer hands-on cybersecurity training,” said Dr. Gerson Moreno-Riaño, executive vice president for academic affairs. “This facility will allow Regent to offer complex, system-level training at the highest level, and graduates will emerge with hands-on testing and training that is unmatched in higher education. We’ve found the Cyberbit Range platform to deliver the highest level of training experience that will enable us to achieve our goals, coupled with the unparalleled support of the Cyberbit team.”

“We are excited to partner with Regent University to build their new training facility based on the Cyberbit Range,” said Adi Dar, CEO of Cyberbit Ltd. “This training program firmly positions Regent as a leader in cybersecurity training in America today, not only for its students at the graduate and undergraduate levels, but also as a destination for businesses, government and military organizations.”

Currently, Regent University offers a Master of Science in Cybersecurity, as well as undergraduate degrees in Information Systems Technology, Computer Science, Cyber & Digital Forensics and Cybersecurity.

Early next year, Regent will also host a Cyber Summit (Spring, 2018) featuring industry and government leaders to discuss innovation and future cybersecurity risks. Details will be announced soon.

For more information please visit:



MASS signs innovative digital forensics managed service contract partnership with Metropolitan Police

Cohort company MASS has finalised and signed a seven year contract to provide an innovative digital forensics (DF) managed service to the Metropolitan Police Service (MPS).

The initial contract value is around £8 million with the option for a three year extension. The contract also allows for other forces and agencies to join the partnership, which could extend the value considerably.

The DF managed service will work in partnership with the MPS to deliver technology, research and development, ensuring the MPS can acquire and interpret a wide range of electronic data related to criminal investigations.  The service has been designed and contracted so that it can be adopted by other police forces and law enforcement agencies throughout the UK, reducing the overall cost of the service.

This contract is a strategic partnership based on the model developed over the past three years by the MPS’ Digital, Cyber and Communications Forensic Unit.  Historically, digital forensics at the MPS was carried out in-house, but constrained by a centralised operating model where devices were sent to a central DF laboratory.

This new innovative service builds on the existing model, by delivering managed DF kiosks in locations across the metropolitan area, where trained officers will carry out selective examinations of seized devices.  This first level of the MASS managed service will give officers rapid access to device content, enabling them to respond quickly at the frontline.

The second level uses DF teams at strategic locations to provide the full range of DF activities, processing more complex exhibits, delivering tactical advice and upskilling police staff.

The third level provides streamlined access to cutting edge forensic capabilities.  It will oversee forensic submissions to external service providers such as DF specialists, vendors and academia; manage access to national databases; develop advanced DF techniques that cannot be outsourced and provide links to other national Digital Investigation and Intelligence (DII) strands.  A key part of the contract is the partnership in research and development that can deliver new capability into all three levels of the managed service.

To deliver the service, MASS will utilise and retain, at the core of the new service, the knowledge held within police Hi-Tec Crime Units (HTCU).  Through MASS, trusted suppliers will be selected to deliver DF service outputs based on their expertise, capability and value for money.  This technique encourages healthy competition and enables successful suppliers to contribute towards developing the service, increasing their accessible market to include other police forces and agencies.

MASS Managing Director Chris Stanley explained: “The DF environment is changing rapidly. The emphasis is no longer only on device forensics but must also consider networked and cloud environments. This places additional pressure on the need for real-time DF at the operational front-line of policing.

“The new managed service will be a key enabler for the Metropolitan Police in its drive to transform the way it delivers policing.

“We also recognise that the evidentiary nature of DF requires rigorous standards to stand up to cross examination in court. We will therefore exploit the technical discipline that we have established in the defence and security markets to deliver the service and introduce future technological innovation.

“We believe that this exciting development with the MPS will provide a model for the way police forces throughout the UK satisfy their future DF requirements.”

The Head of Digital Forensics in the MPS, Mark Stokes, said: “This is a ground breaking contract for the MPS which will ensure the MPS maintains a dynamic and operationally effective service over the next seven years in a rapidly changing and developing area of forensic science.

“The partnership is also key in delivering the complex Research and Development requirements in this challenging and fast moving area of digital forensics. It is only with a partnership such as this that has the reach into the wide and varied capabilities of the private sector can we maintain the required level of technical innovation.”

He added: “This is a very exciting time for digital forensics and the MPS is looking forward to the partnership delivering real transformation in the delivery of digital forensics within the MPS and across policing.”



SaltDNA Enters Top Half of Cybersecurity 500

SaltDNA is delighted to announce its position as the top secure enterprise communications company (ranked 244) within the CyberSecurity 500, a list that ranks the world’s hottest cybersecurity companies. This is SaltDNA’s first inclusion in the Cybersecurity 500, published by Cybersecurity Ventures, the world’s leading researcher and publisher of reports covering global cybersecurity.

“We’re excited with SaltDNA’s inclusion in the Cybersecurity 500 list. This continued recognition by a respected research group such as Cybersecurity Ventures is a fitting end to the company’s most successful two quarters ever,” said Joe Boyle, CEO at SaltDNA. “We’re growing fast and will focus on expanding our partner base throughout the rest of 2017. With significant traction in the legal, oil and gas and security sectors everyone at SaltDNA is gearing up for a busy second half of the year.”

SaltDNA’s top half ranking makes it the highest ranked Irish company in the Cybersecurity 500 list. This announcement comes only a few weeks after SaltDNA celebrated its four year anniversary and also won ‘Innovative Business of the Year’ Award at the Business Eye First Trust Awards.

To avail of a free trial of the SaltDNA secure communications solution, or to discuss a potential partnership, contact the team on



Forensic Science Experts Set to Gather in Abu Dhabi this November for Two New Forensic and DNA Conferences

Abu Dhabi will be playing host to a brand new set of forensic and DNA conferences in November, both fully supported by Abu Dhabi Police: the GCC Forensic Science Conference 2017 and the GCC DNA Symposium 2017, supported by INTERPOL.

Both Conferences will be held from 14-15 November with a day of workshops on 16 November at the Fairmont Bab Al Bahr, Abu Dhabi. The expected attendance of the Conference is over 350 regional and international delegates, speakers and sponsors.

The GCC Forensic Science Conference will focus on the latest innovations and challenges facing the forensic science community, from crime scene to court room. The GCC DNA Symposium will bring together law enforcement, forensic medical examiners, legal experts, policy makers and experts in human identification to discuss the applications of DNA in criminal investigations.

These ground-breaking events are the only forum in the region dedicated to the entire forensic sector and supply chain to source innovative forensic products, equipment and services, as well as providing the definitive source of education, best practice, training and networking throughout the Middle East region. Around 50 exhibitors are expected to take part, displaying products and services to the forensic community, from laboratory equipment, digital forensics, CSI equipment and forensic analytics services.

The Conferences will cover a range of specialisms within forensic science such as crime scene investigation, biometrics, legal applications of forensic science, databasing, investigation bias and errors, digital forensics, cybersecurity and several other key areas. Speakers include globally renowned experts that have been individually selected by a scientific committee put together by Abu Dhabi Police especially for the event. As a result, presentations will focus on the main themes of interest to forensic practitioners with a special emphasis on the future of the sector and areas for greater regional cooperation in order to achieve national objectives for a safe society.

Speaking of the importance of the GCC Forensic Science Conference, Brigadier General Abdul Rahman Mohd. Al Hammadi, Forensic Evidence Department Director, Abu Dhabi Police GHQ, commented: “This high level Conference will bring together forensic experts from the GCC, Middle East and International community. The event will also act as a platform for technology companies to showcase their products & services through the exhibition and is also a chance for Abu Dhabi Police to meet current and potential suppliers to discuss requirements and future projects.”

In addition to the main Conferences, there will be several sideline meetings taking place for senior members of the forensic community. The INTERPOL DNA Monitoring Expert Group will congregate to discuss important topics for their members alongside the GCC DNA Symposium. Other regional leaders will also meet to discuss channels of collaboration that could enhance processes and increase the success of investigations.

The outcomes of the Conference are intended to develop into longstanding, implementable strategies and aim to establish Abu Dhabi as a hub for innovation and leadership within the forensic science sector in the region.

At the launch of the GCC DNA Symposium Colonel Maryam Ahmed Al Qahtani, Expert and Chief of the Forensic Biology and DNA Section at Abu Dhabi Police Forensic Evidence Department said: “The United Arab Emirates is the Middle East member in the INTERPOL DNA Monitoring Expert Group Meetings. As such, we are proud to host a symposium that will bring together regional and international forensic biology experts in order to exchange better practices and highlight landmark cases that are developing new standards in the field. In addition to full support from INTERPOL, the event will also act as an opportunity for Abu Dhabi Police to meet providers of DNA and human identification equipment that will greatly benefit the Forensic Evidence Department.”

Both conferences are accepting abstracts from potential speakers and registrations from delegates now at and