Cyberwomen leaders needed

Take a group of ten people working in the cybersecurity industry globally, and you’ll find that only one of them will be a woman.

The 2017 Frost & Sullivan report, Women in Cybersecurity, goes further in exposing the inequalities of the cybersecurity world. Surveying 19,000 information security professionals from 170 countries, the researchers found that men dominate all senior, board director and management positions. Women are stuck in entry-level positions. This is in a context where more women have a Master’s degree level qualification (51%) than men (45%). It doesn’t add up.

A clear implication from the research is that cybersecurity – just like the wider universe of IT – involves a working culture that’s unsympathetic to women. For example, 40% of women were found to give up on their jobs compared with fewer than 20% of men.

This picture of dysfunction makes no sense for an industry which is struggling to attract enough skilled professionals to meet rapidly-growing demand. There’s a growing realisation that all businesses are now cyber businesses. It might be a small pizza takeaway outlet on the High Street, but the pizzas are available through an app, so it’s a cyber company. Digitisation of public services, of transport systems, logistics, of finance, means life in all developed nations operates in a cyber dimension, and a dimension open to cyber manipulation. Both policing and military activities have to be in a position to manage the new complexity of cyber crime and attacks, a world of threats that is growing and mutating at an unprecedented pace and on an unprecedented scale. But it’s estimated that 1.8 million positions will be left unfilled internationally by 2022. The introduction of the UK’s National Cyber Security Strategy is a reflection of the level of concern: schemes to position cybersecurity as a defined and attractive profession, for re-training IT workers, for more apprenticeships and a new professional body.

Attracting and retaining more women in cybersecurity isn’t just an issue of increasing supplies of willing professionals. Cyber security needs the particular skills, qualities and insights that female recruits at all levels will bring.

A central problem for the development of cybersecurity as a profession has been that it continues to be seen as just another strand of IT: a technical discipline best undertaken and managed by technical people. Cybersecurity is more than that. It’s where IT and all varieties of human behaviour and interactions come together. For organisations in particular, it’s an issue of how all staff make use of digital technologies and all the forms of data involved; it’s about the interplay between IT and each of the business functions, HR, finance, marketing. It is IT in the hands of everyone, not an esoteric activity that’s best left for the initiated few.

There is a critical role for cybersecurity professionals in acting as the bridge between the two worlds of IT and general business management, to translate IT issues for managers and directors, to broaden out the CIO role, and make cybersecurity part of the everyday working culture, not just the updating of software. Women are well-placed to take on these interdisciplinary roles. In general, the women who do advance to more senior roles in IT have a wider variety of qualifications and backgrounds (in social sciences, humanities and management), while men, almost exclusively, have IT or engineering degrees. Women, typically, are recognised as having the softer skills needed to build relationships, awareness of the management issues involved and the particular ways of working needed for cybersecurity. Other softer skills needed include adaptability and flexibility to deal with the pace of change, with high levels of ambiguity, in situations which can’t always be controlled. Professionals need to be able to combine a level of technical knowledge with other forms of knowledge, of data protection and other laws. In terms of technical challenges and applications, diversity of perspectives is also important – for understanding the psychology of people and human behaviour in the use and mis-use of digital technologies.

The need for a shift towards gender equality and a new culture for cybersecurity professionals is at the top of the National Cyber Security Centre’s agenda. The Chief Executive, Ciaran Martin, has described the ongoing gender gap as ‘scandalous’ and ensured a 50/50 balance in the senior leadership of NCSC. Current initiatives include working with private sector employers to offer first-job placements for female STEM graduates; introducing a new ‘cyber code of conduct’ to help highlight the working culture issues and ensure women feel respected and treated equally; and ensuring women returning to technological roles after a career break receive mentoring and sponsorship.

At Cranfield University we have a Cyber Masters programme that has 14 modules, and of these nine are run by women. There’s been no conscious effort to redress the balance – it’s happened organically, and more as a reflection of the variety of expertise and skills needed in the field. As part of a commitment to support the NCSC mission, a new Women as Cyber Leaders scholarship scheme has just been launched to encourage women to develop a senior career. The scholarship is worth £6,500 towards tuition fees for the MSc Cyber Defence and Information Assurance starting in October 2018. The programme is designed to develop professionals who can lead in a cyber environment, to effectively exploit the threats and opportunities of cyberspace at the organisational level, and focuses on understanding and articulating the executive-level responses to serious present, and emerging, threats in the information domain. Typically the participants on the programme – supported by the Cabinet Office and the Office of Cyber Security and Information Security – are from the Ministry of Defence, but increasingly are coming from other sectors such as telecoms, banking and insurance.

On the surface, the career opportunities for new entrants into cybersecurity are boundless. The skills shortage means salaries are high (and rose by 10% last year, well above the national average, according to recruitment consultants) and there’s every chance of rapid progression. As an environment for the long-term, however, the current situation isn’t sustainable. There’s too much dependency on older, senior – and male – IT managers and consultants. And while there are growing numbers of degree courses, training programmes and apprenticeships, there will continue to be obstacles, blockages and a waste of skills if the cultural issues aren’t addressed. More diversity in the management and leadership of cybersecurity will be an essential factor in creating a profession with the character and energy capable of dealing with one of the greatest threats to global security.

Ruth Massie is a Senior Lecturer in Cyber Governance Information and Decision Management at Cranfield University. Ruth previously worked as a Business Continuity Manager for Ernst & Young, Citigroup and Swiss Re. She was actively involved with London First and the National Counter Terrorism Security Office (NaCTSO) in developing the ‘Expecting the Unexpected’ business advice.

Full details of the Women as Cyber Leaders scholarship can be found at:



Internet Matters calls for investment in parent education to help keep kids safe online

Following a letter by Jeremy Hunt, the Health Secretary, to social media companies, online child safety not-for-profit Internet Matters has called for government to consider investment in parent education in order to form a collective approach to keeping young people safe online.
Carolyn Bunting, CEO of Internet Matters, said: “Children’s internet safety is one of the most pressing concerns parents face in the digital age.

“And while there is always more that the tech industry and social media networks can do to enforce age restrictions and protect children’s rights, we need to collectively focus on wider education to address the growing behavioural issues online that can negatively impact children’s health and well-being.

“We know from recent research that the overwhelming majority of parents feel responsible for their children’s safety online (96% of parents feel responsible, 80% feel ‘highly responsible’). Helping children stay safe in the digital world is a part of modern parenting and we would like to see more parents being made aware of the tools and advice available to them.

“With the right support, we can empower parents, giving them the skills to be able to teach their children to be smart and safe online. We can encourage their children’s critical thinking and build their digital resilience, so they can safely benefit from the wealth of opportunity which access to the internet and technology offers.

“To achieve this will require consistent focus from government, industry, schools and parents, working together around a common message and call to action that we will make the UK the safest place for a child to be online.”



Hyper-Connected Web of Profit Emerges, As Global Cybercriminal Revenues Hit $1.5 Trillion Annually

Bromium®, Inc., the pioneer and leader in virtualization-based endpoint security that stops advanced malware attacks via application isolation, has announced the findings of an independent study that looked into the interconnected dynamics of cybercrime, and examines how new criminality platforms and a booming cybercrime economy have resulted in $1.5 trillion in illicit profits being acquired, laundered, spent and reinvested by cybercriminals. Complete findings will be presented at the RSA Conference in San Francisco by researcher Dr. Michael McGuire, Senior Lecturer in Criminology at the University of Surrey in England.

This is one of the first studies to view the dynamics of cybercrime through the lens of revenue flow and profit distribution, and not solely on the well-understood mechanisms of cybercrime. The new research exposes a cybercrime-based economy and the professionalization of cybercrime. This economy has become a self-sustaining system – an interconnected Web of Profit that blurs the lines between the legitimate and illegitimate.

The research points to an emergence of platform criminality, mirroring the platform capitalism model currently used by companies like Uber and Amazon, where data is the commodity. The report also raises concerns about new criminality models that these platforms enable, which fund broader criminal activities such as human trafficking; drug production and distribution; and even terrorism.

“The findings of Dr. McGuire’s research provide shocking insight into just how widespread and profitable cybercrime has become,” commented Gregory Webb, CEO of Bromium. “The platform criminality model is productizing malware and making cybercrime as easy as shopping online. Not only is it easy to access cybercriminal tools, services and expertise: it means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as The Web of Profit continues to gain momentum. We can’t solve this problem using old thinking or outmoded technology. It’s time for new approaches.”

Revenue Generation in the Hyper-Connected Web of Profit

Conservative estimates in The Web of Profit research show cybercriminal revenues worldwide of at least $1.5 trillion – equal to the GDP of Russia. In fact, if cybercrime was a country it would have the 13th highest GDP in the world. This $1.5 trillion figure includes:

  • $860 billion – Illicit/illegal online markets
  • $500 billion – Theft of trade secrets/IP
  • $160 billion – Data trading
  • $1.6 billion – Crimeware-as-a-Service
  • $1 billion – Ransomware

The report finds evidence that cybercrime revenues often exceed those of legitimate companies – especially at the small to medium enterprise size. In fact, revenue generation in the cybercrime economy takes place at a variety of levels – from large ‘multi-national’ operations that can make profits of over $1 billion, to smaller SME-style operations where profits of $30,000-$50,000 are the norm. However, the report asserts that comparing cybercrime to a business is misleading. Cybercrime is more accurately described as an economy: “a hyper-connected range of economic agents, economic relationships and other factors now capable of generating, supporting, and maintaining criminal revenues at an unprecedented scale,” says Dr. Michael McGuire.

The report suggests that there is now a growing interconnectedness and interdependence between both the illegitimate and legitimate economies. This inter-dependence is creating what Dr. McGuire terms ‘The Web of Profit’. Dr. McGuire argues that “companies and nation states now make money from The Web of Profit. They also acquire data and competitive advantages from it, and use it as a tool for strategy, global advancement and social control. There is a range of ways in which many leading and respectable online platforms are now implicated in enabling or supporting crime (albeit unwittingly, in most cases).”

Platform Criminality in a Post-Crime Era

Platform capitalism – a term used to describe the likes of Uber, Facebook and Amazon – is offering fertile ground for hackers to further their gains. Whether by hacking companies to acquire user data; intellectual property; disseminating malware; selling illegal goods and services; setting up fake shop fronts to launder money; or simply connecting buyers and sellers, it is evident that cybercriminals are adept at manipulating existing platforms for commercial gain. Yet beyond platforms being the targets and unwitting enablers of cybercrime, the report suggests they have provided inspiration – as a model of platform criminality emerges.

According to Dr. McGuire, “this is creating a kind of ‘monstrous double’ of the legitimate information economy – where data is king. The Web of Profit is not just feeding off the way wealth is generated there, it is reproducing and, in some cases, outperforming it.” The report points to the success of modern ‘platforms’ – companies like Facebook, Google and Amazon – highlighting their role as facilitators rather than creators. “The main contribution of platforms is to connect individuals with a service or product. The platforms produce nothing themselves in this process, but the end-user consumers provide platforms with the most precious of all commodities within an information-based economy – their data. We are now seeing the same thing in the cybercriminal underworld,” states Dr. McGuire.

The report shows that cybercriminal platform owners are likely to receive the biggest benefit from this new wave of cybercrime, and that the owners will distance themselves from the actual commission of crime. In fact, it has been estimated that individual hackers may only earn around $30,000 per year. Managers can earn up to $2 million per job – often with just 50 stolen card details at their disposal. Dr. McGuire refers to this as a shift to a ‘post-crime’ reality, where cybercriminals are taking a ‘platform capitalism’ approach to selling, rather than committing, crime.

In fact, McGuire found criminal sites offering ratings, descriptions, reviews, services, and even technical and customer support. These platforms are improving the criminal ‘customer experience’ and allowing easy access to services and products that support the commission of crime on a global scale. Some examples of services and products include:

  • Zero-day Adobe exploits, up to $30,000
  • Zero-day iOS exploit, $250,000
  • Malware exploit kit, $200-$600 per exploit
  • Blackhole exploit kit, $700 for a month’s leasing, or $1,500 for a year
  • Custom spyware, $200
  • SMS spoofing service, $20 per month
  • Hacker for hire, around $200 for a “small” hack

These platforms fuel industrial scale revenue generation, with their own sets of digital currencies and exchanges, production zones, tools supply, technical support, global distribution mechanism and marketplaces. They deal with specialized producers, suppliers, service providers and consumers. Interestingly, advertising is a core revenue generator too: before being taken down in 2016, the ‘Kickass Torrents’ platform was worth over $54 million, with estimated $12.5-$22.3 million annually in ad revenue alone.

Reinvestment and Furthering of Crime

As in the legitimate economy, criminal enterprises are going through digital transformation and diversifying into new areas of crime. Cybercriminals were found to be reinvesting 20% of their revenues into further crime, which suggests up to $300 billion is being used to fund future cybercrime and other serious types of crime – including drug manufacturing, human trafficking or terrorism.

For example, the takedown of Alphabay – one of the largest dark web online markets – revealed that in addition to more than 250,000 listings for illegal drugs, there were also listings for toxic chemicals, firearms, counterfeit goods, malware, and over 100,000 listings for stolen and fraudulent identification documents and access devices. This demonstrates that platform criminality can easily adapt to include other areas of crime.

The report identifies the development of cybercrime growth cycles, where money generated from cybercrime is being reinvested into further crime. Many of the larger cybercrime operations which have been detected typically reinvest revenues into expanding and developing the operation – for instance buying more crimeware, maintaining a website, paying mules, or other criminal requirements. Reinvestment also includes spending money to support other types of crime.

Dr. McGuire continues: “We can clearly link cybercrime to the spread of new psychoactive substances with over 620 new synthetic drug types on the market since 2005. Many substances of this kind are manufactured in China or India, purchased via online markets, then shipped in bulk to Europe. But there is also evidence that groups who acquire revenues from cybercrime are involved in the active production of drugs. For example, the arrest of a Dutch money laundering gang also led to the discovery of ingredients they possessed to make ecstasy – further highlighting a material link between cybercrime activities and organized crime activities.”

The report also points to the fact that platform criminality is contributing to the issue of human trafficking. McGuire continues, “Pimps frequently use the internet as a tool for gathering revenues from clients and workers, and then recycle this back into the logistics (and costs) of trafficking victims from target locations with economically vulnerable populations.”

Dr. McGuire also found a connection between cybercrime and terrorism. The report highlights one case where cybercrimes were committed specifically to generate revenues for terrorist activities. “One British-born follower of Al Qaeda, who provided technical assistance to the terror group in relation to uploading videos, quickly realized that his technical skills could also be used to commit cybercrimes,” McGuire explains. “He began to acquire stolen credit card numbers through transactions on online forums, such as Cardplanet, gathering over 37,000 separate card data files and generating more than $3.5 million in revenues.”

“This new cybercrime economy has created new digital businesses, making it even easier to conduct cyberattacks,” said Gregory Webb, CEO of Bromium. “The walls between the criminal and legitimate worlds are blurring, and we are no longer simply dealing with ‘hackers in hoodies.’ We have to understand and tackle the underlying economic ecosystem that enables, funds and supports criminal activity on a global scale to stem the tide and better protect ourselves. By better understanding the systems that support cybercrime, the security community can better understand how to disrupt and stop them. New approaches to cybersecurity will be required.”

The Web of Profit report is available to download. The findings will also be discussed during the RSA Conference in San Francisco. Dr. McGuire will present the full findings during his speaker slot on April 20th from 09:00-09:45 AM on the Security Mashup track – code MASH-F01.


Into the Web of Profit is a nine-month academic study by Dr. Mike McGuire, Senior Lecturer in Criminology at Surrey University. It draws from first-hand interviews with convicted cybercriminals, data from international law enforcement agencies, financial institutions, and covert observations conducted across the Dark Web.



Child Rescue Coalition and Magnet Forensics Partner To Combat Growing Child Sexual Exploitation Crimes

Child Rescue Coalition (CRC), a nonprofit organization dedicated to combating the sexual exploitation of children, today announced its partnership with Magnet Forensics, a global leader in the development of digital investigation software. The partnership will further enable child exploitation investigators’ efforts to better identify and convict perpetrators and use technology to rescue and protect children.

“Child Rescue Coalition and Magnet Forensics share a mission of assisting our partners in law enforcement combat the heinous crime of child sexual exploitation,” stated Carly Yoost, Founder and Chief Executive Officer, Child Rescue Coalition. “We at Child Rescue Coalition thank the team at Magnet Forensics for their partnership, sustainable financial support and willingness to integrate technologies to improve child sexual exploitation investigations with the ultimate goal of bringing perpetrators to justice and keeping children safe from sexual exploitation.”

Each year, more than 300,000 children are abused in the U.S. alone, and the number of child exploitation cases globally is rising. Predators are leveraging common technology tools like cell phones, social media, and chat applications to target and coerce children. Increasingly sophisticated technologies, including encryption techniques and peer-to-peer networks on the “Dark Web,” provide easier, more anonymous access to child sexual abuse material, and hide perpetrators’ activities. In addition, as many as 85 percent of online offenders viewing child sexual exploitation material are also sexually abusing children.

The partnership between CRC and Magnet Forensics came together on the recommendation of the national police forces in the United Kingdom and Canada.

As part of the partnership, Magnet Forensics will provide a multi-year donation to help fund CRC’s operations. “Child Rescue Coalition is an integral partner to law enforcement in the global fight to stop child sexual exploitation,” said Jad Saliba, a former digital forensic examiner, and Founder and Chief Technology Officer of Magnet Forensics. “We at Magnet Forensics are proud to partner with Child Rescue Coalition and support their operations as we share a common mission of keeping children safe from sexual exploitation and bringing perpetrators of these terrible crimes to justice.”

Details on the technology integration and innovation between CRC and Magnet Forensics will be released later in 2018.




Internet of Broken Things? 10 key facts about IoT

By Ian Kilpatrick, EVP Cyber Security Nuvias Group

A recent survey shows 64 percent of organisations have deployed some level of IoT technology, and another 20 percent plan to do so within the next 12 months. This means that by the end of 2018, five out of six organisations will be using at least a minimal level of IoT technology within their businesses.

This is an astonishing fact when you consider the lack of basic security on these devices, or any established security standards.

The influx of connected devices onto a company’s network literally creates tens, or even hundreds of new unsecured entry points for cybercriminals. But many companies are turning a blind eye to this, swayed by the potential benefits that IoT can bring their business.

So here are some facts for consideration, before taking the leap into IoT, including a look at the short and medium term consequences of deploying a wave of unsecured devices to your network.

1. IoT – a cybercriminal’s dream

Any device or sensor with an IP address connected to a corporate network is an entry point for hackers and other cybercriminals – the equivalent of an organisation leaving its front door wide open for thieves.

Managing endpoints within an organisation is already a challenge; a 2017 survey showed 63 percent of IT service providers have seen a 50 percent increase in the number of endpoints they’re managing, compared to the previous year.

IoT will usher in a raft of new network-connected devices that threaten to overwhelm the IT department charged with securing them – a thankless task considering the lack of basic safeguards in place on the devices.

Of particular concern is that many IoT devices are not designed to be secured or updated after deployment. This means that any vulnerabilities discovered post-deployment cannot be protected against in the device; and corrupted devices cannot be cleansed. In an environment with hundreds or thousands of insecure or corrupted devices, this can raise huge operational and security challenges.

2. IT or OT

IT professionals are more used to securing PCs, laptops and other devices, but they will now be expected to become experts in smart lighting, heating and air conditioning systems, not to mention security cameras and integrated facilities management systems.

A lack of experience in managing this Operating Technology (OT), rather than IT, should be a cause for concern. It is seen as operational rather than strategic, and deployment and management are often shifted well away from Board awareness and oversight.

And that’s barely touching the visible surface. Machine-to-machine (M2M) technology is already transforming and will continue to transform businesses.

Many AI applications depend on IoT – for example transportation and logistics are being changed by it. These developments can and will impact most organisations.

Nevertheless, the majority of organisations are deploying IoT technology with not only a lack of strategic direction, but with minimal regard to the risk profile or the tactical requirements needed to secure them against unforeseen consequences. These include not just security requirements, but also business continuity challenges.

3. Increase in DDoS attacks

DDoS (Distributed Denial of Service) attacks are on the rise. In the UK alone, 41 percent of organisations say they have experienced a DDoS attack.

IoT devices are a perfect vehicle for criminals to use to access a company’s network. In fact, 2016’s high-profile Mirai attack used IoT devices to mount wide-scale DDoS attacks that disrupted internet service for more than 900,000 Deutsche Telekom customers in Germany, and infected almost 2,400 TalkTalk routers in the UK.

4. …and ransomware attacks

Elsewhere, there has been an almost 2000 percent jump in ransomware detections since 2015. Ransomware became a public talking point in 2017 when WannaCry targeted more than 200,000 computers across 150 countries, with damages ranging from hundreds of millions to billions of dollars.

While most ransomware attacks currently infiltrate an organisation via email, IoT presents a new delivery system for both mass and targeted attacks. Consider the potentially life-threatening impact of ransomware on smart devices within critical applications – the ability of criminals to shut down critical business and logistics systems has already been repeatedly demonstrated. So perhaps it is unsurprising that a 2017 survey found that almost half of small businesses questioned would pay a ransom on IoT devices to reclaim their data.

5. Increasing intensity and sophistication of attacks

The sophistication of attacks targeting organisations is accelerating at an unprecedented rate, with criminals leveraging the significantly expanded and expanding attack surface created by IoT for new disruptive opportunities.

According to Fortinet’s latest Quarterly Threat Landscape report, three of the top twenty attacks identified in Q4 2017 were IoT botnets. But it says that, unlike previous attacks, which focused on exploiting a single vulnerability, new IoT botnets such as Reaper and Hajime target multiple vulnerabilities simultaneously, which is much harder to combat.

Wi-Fi cameras were targeted by criminals, with more than four times the number of exploit attempts detected over Q3 2017. The challenge is that none of these detections is associated with a known security threat, which Fortinet rightly describes as “one of the more troubling aspects of the myriad of vulnerable devices that make up the IoT.”

6. The effects of an attack

The aftermath of a cyberattack can be devastating for any company, leading to huge financial losses, compounded by regulatory fines for data breaches, and plummeting market share or job losses. At best, a company could suffer irreparable reputational damage and loss of customer loyalty.

On top of that, IoT devices have the potential to create organisational and infrastructure risks, and even pose a threat to human life, if they are attacked. We have already seen the impact of nation-state attack tools being used as nation state weapons, then getting out and being used in commercial criminal activity. While the core focus is on defending critical infrastructure, and that is still far behind the curve, weak business infrastructure is a much softer target.

7. Profit over security

It’s crazy to think that devices with the potential to enable so much damage to homes, businesses and even entire cities often lack basic security design, implementation and testing. In the main this is because device manufacturers are pushing through their products to get them to market as quickly as possible, to cash in on the current buzz around IoT.

F-Secure, in its Pinning Down the IoT report, says other factors include the small size of the chips being used for cost-saving reasons, and that devices are left on the manufacturer’s default password settings – typically four zeros or 1234 – which are well known to criminals.

Lawrence Munro, vice president SpiderLabs at Trustwave agrees IoT manufacturers are sidestepping security fundamentals as they rush to bring products to market: “We are seeing lack of familiarity with secure coding concepts resulting in vulnerabilities, some of them a decade old, incorporated into final designs,” he notes.

“If consumers aren’t demanding security, manufacturers will never prioritise it,” says the F-Secure report. “But given the extraordinary dependency society is likely to develop on billions of IoT devices, governments may have to step in to demand security requirements.”

8. Can you see the problem?

Another huge problem is that once a network is attacked, it’s much easier for subsequent attacks to occur.

Yet, recent data shows just half of IT decision makers feel confident they have full visibility and control of all devices with network access. The same percentage believe they have full visibility of the access level of all third parties, who frequently have access to networks, and 54 percent say they have full visibility and control of all employees.

This is a worrying lack of confidence in network visibility and should be a concern for organisations. Yet, the same figures show basic security measures like network segmentation are only being planned by 24 percent of businesses in 2018. Without network segmentation, malware entering a network will often be left to spread.

Elsewhere, less than half of organisations have formal patching policies and procedures in place, and only about a third patch their IoT devices within 24 hours after a fix becomes available.

But because updating IoT devices by nature is more challenging, many remain vulnerable even after patches are issued, so organisations need to properly document and test each IoT device on their network.
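The three gaps sections 7 and 8 describe – factory-default credentials such as 0000 or 1234, devices on the network that nobody has inventoried or segmented, and fixes not applied within 24 hours – are all things an IT team can check mechanically. The following Python triage script is an added example, not code from the article or from Nuvias; the device records, the `<ip> <mac> <hostname>` lease-export format, the 10.20.0.0/16 IoT segment and the `WEAK_DEFAULTS` set are all constructed assumptions to be replaced with your own inventory and network plan.

```python
"""Triage an IoT estate for the gaps the article describes: factory-default
credentials, devices missing from inventory or outside their segment, and
fixes not applied within 24 hours.  Every record below is constructed sample
data; field names and the lease-line format are assumptions, not any
vendor's API."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Factory defaults the article names (0000, 1234) plus a few other well-known
# weak values.  Assumption: extend this set for your own estate.
WEAK_DEFAULTS = {"0000", "1234", "admin", "password", ""}

# Assumption: IoT devices belong on a dedicated segment; anything found
# elsewhere is sitting on the general corporate LAN.
IOT_SEGMENT = ip_network("10.20.0.0/16")

# The article's patch-currency yardstick: fix applied within 24 hours.
PATCH_WINDOW = timedelta(hours=24)

# Constructed lease-export format: "<ip> <mac> <hostname>" (not ISC dhcpd).
LEASE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)$")

Finding = Tuple[str, str]  # (severity, message)


@dataclass
class Device:
    name: str
    ip: str
    admin_password: Optional[str]  # None means the credential was never audited
    fix_released: Optional[date]   # when the vendor published the latest fix
    patched_on: Optional[date]     # when that fix was applied, if ever


def device_findings(dev: Device, today: date) -> List[Finding]:
    """Check one inventoried device for the three weaknesses above."""
    out: List[Finding] = []
    if dev.admin_password is None:
        out.append(("medium", f"{dev.name}: credentials never audited"))
    elif dev.admin_password in WEAK_DEFAULTS:
        out.append(("high", f"{dev.name}: factory-default credential in use"))
    if ip_address(dev.ip) not in IOT_SEGMENT:
        out.append(("high", f"{dev.name}: not on IoT segment {IOT_SEGMENT}"))
    if dev.fix_released is not None:
        if dev.patched_on is None:
            days = (today - dev.fix_released).days
            out.append(("high", f"{dev.name}: vendor fix unapplied for {days} days"))
        elif dev.patched_on - dev.fix_released > PATCH_WINDOW:
            out.append(("low", f"{dev.name}: fix applied outside the 24h window"))
    return out


def unknown_hosts(lease_lines, inventory) -> List[Tuple[str, str, str]]:
    """Hosts holding a lease that no inventory record accounts for."""
    known = {d.ip for d in inventory}
    found = []
    for line in lease_lines:
        m = LEASE_RE.match(line.strip())
        if not m:  # skip lines that do not fit the export format
            continue
        ip, mac, host = m.groups()
        if ip not in known:
            found.append((ip, mac, host))
    return found


def triage(inventory, lease_lines, today: date) -> List[Finding]:
    """Full report, highest severity first."""
    report: List[Finding] = []
    for dev in inventory:
        report.extend(device_findings(dev, today))
    for ip, mac, host in unknown_hosts(lease_lines, inventory):
        report.append(("high", f"{host} ({ip}, {mac}): on the network but not in inventory"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(report, key=lambda f: rank[f[0]])


# Constructed sample inventory and lease export.
INVENTORY = [
    Device("cam-lobby-01", "10.20.4.10", "1234", date(2018, 3, 1), None),
    Device("hvac-ctrl-01", "10.0.7.22", "Kp9!rvq2", date(2018, 3, 1), date(2018, 3, 5)),
    Device("badge-reader-3", "10.20.9.3", None, None, None),
    Device("smart-light-hub", "10.20.2.40", "x7Lm#2qQ", date(2018, 3, 1), date(2018, 3, 1)),
]
LEASES = [
    "10.20.4.10 aa:bb:cc:00:00:10 cam-lobby-01",
    "10.20.4.11 aa:bb:cc:00:00:11 cam-lobby-02",  # present on the wire, absent from inventory
    "10.0.7.22  aa:bb:cc:00:07:22 hvac-ctrl-01",
    "lease export header line",                   # ignored by the parser
]

if __name__ == "__main__":
    for severity, message in triage(INVENTORY, LEASES, date(2018, 3, 10)):
        print(f"[{severity:>6}] {message}")
```

Run against the sample data the report lists the lobby camera twice (default credential and an unapplied fix), the HVAC controller for sitting on the corporate LAN and for a late patch, the badge reader for never having had its credentials checked, and the second camera purely because it holds a lease but appears in no inventory record – which is exactly the visibility gap the survey figures in this section describe. Feeding it a real asset register and a lease export from the DHCP server is the only change needed to use it in earnest.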

9. Turning a blind eye

Both consumers and manufacturers seem to be burying their heads in the sand when it comes to IoT security.

Despite security concerns often being cited as the number one barrier to wider IoT adoption, Trustwave research shows that 61 percent of firms that have deployed some level of IoT technology have already had to deal with an IoT-related security incident, and 55 percent expect an attack within the next two years. Yet only 28 percent of the organisations surveyed rate their IoT security strategy as ‘very important’ relative to other cybersecurity priorities.

More worrying still, more than a third rate IoT security as only ‘somewhat’ or ‘not’ important.

Some more troublesome stats – fewer than half of organisations consistently assess the IoT security risk posed by third-party partners, another 34 percent do so only periodically, and 19 percent don’t perform third-party IoT risk assessment at all.

10. Efforts to standardise

These security concerns can obviously paint the adoption of IoT in a negative light. But is there anything being done to mitigate these risks?

In the UK, the government’s five-year National Cyber Security Programme (NCSP) is looking to work with the IT industry to build security into IoT devices through its ‘Secure by Default’ initiative.

The group published a review earlier this month that addresses key risks related to consumer IoT and proposes a draft Code of Practice for IoT manufacturers and developers.

Recommendations include: ensuring that IoT devices do not ship with default passwords; defining and implementing a vulnerability disclosure policy; ensuring that device software is regularly updated; and a proposal for a voluntary labelling scheme.

While there is some light at the end of the tunnel, it may not be enough. Regulators are unlikely to compel device manufacturers to adopt the necessary security practices before thousands of businesses have already fallen victim to attacks. Turning a blind eye to IoT security risks could leave your organisation paralysed.



7 Reasons Why Digital Forensics Should Utilise Content Marketing in 2018

Many parts of Europe suffered major cyberattacks in 2017 when giant firms were hit with ransomware. More, and perhaps worse, incidents are expected: The Guardian recently reported UK security chief Ciaran Martin’s prediction that a massive attack is likely within the next two years. He said, “I think it is a matter of when, not if and we will be fortunate to come to the end of the decade without having to trigger a category one attack.”

Because of last year’s cases and the increased threats to data, it is of the utmost importance that companies improve their digital security. To do that they need to be properly informed, especially since most UK companies are unprepared for cyberattacks: only 31% of firms said they are well informed about cybercrime reports, and only 28% are trained to deal with such cases.

This is why 2018 is the best year for digital forensics to utilise content marketing as a tool to disseminate vital info on cybersecurity. It’s not just a trending marketing tool that businesses need to stay on top of their game. Here are several reasons why content marketing is important as a supplement for digital safety measures:

1) People now live in the age of social media. Digital Forensics Magazine previously discussed how easy it is for people to share content, whether it’s a video presentation or a blog post. Because of social media platforms like Facebook, Twitter, Instagram, and YouTube, you are now able to introduce ideas or spread information to a wider community.

2) The format is ideal for educational purposes. With content marketing, you can lay out the common cybersecurity problems British firms face today and explain the solution to each one thoroughly. You can give concrete examples and highlight a particular cybercrime case so that organisations get a sense of the situation. Once you have provided that information, companies will come to rely on your expertise.

3) Trust is important in establishing a relationship with clients, especially if your services involve security. Content marketing strengthens that bond by allowing digital forensics teams to educate firms on the threats of cyberattacks. This also improves your authority in the industry, thereby attracting the attention of potential clients.

4) Transparency is in demand more than ever. People now want companies to be more authentic, honest, and dedicated to their customers. They are now desensitised to brand advertising, charitable contributions, environment claims, and other publicity stunts. This is why content marketing is on the rise. With this tool, businesses have an avenue to provide real insight and answers to questions people are really looking for.

5) Content marketing helps your business attract new traffic, especially now that companies are on full alert about cyber threats. Digital Whirr explained that the amount of content you produce improves your SEO standing, increasing the chances of people finding your content in search engine results, social media or other places on the web.

6) Visuals and video are king nowadays. Ayima documented how visual content has become a necessity, given that people are now more interested in videos, graphics, and images. Blog posts should not just be paragraphs chock-full of text; there should be at least one visual component to keep audiences interested. The demand for this can be attributed to the introduction of features such as live streaming, Instagram Stories, and similar functions. Visual content is an easy way to educate firms on the dangers of data breaches, as well as on the steps they can take to reduce the risks.

7) Content marketing helps set you apart from competitors. Because of the trust you gain by sharing your expertise, firms will lean towards you over other digital forensics services. It’s an effective tool for small businesses to use to leverage their product in a competitive industry.



Security expert comment on Under Armour fitness app data breach, 150 million users

Following the news from Under Armour that the company’s MyFitnessPal tracking app was hacked, exposing data of 150 million user accounts, Gabriel Gumbs, VP of product strategy for cybersecurity firm STEALTHbits Technologies, commented:

“Under Armour claims that no government-issued identifiers were exposed in this breach. If this breach occurred 57 days from today, when GDPR enforcement begins, the EU’s Information Commissioner’s Office would draw no distinction as to whether the identifying data was government-issued or not.

You see, GDPR defines ‘personal data’ to mean “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly…”. This is where the privacy rubber meets the proverbial security road.

This breach would still expose Under Armour to scrutiny from the Commissioner’s office. Because of the way GDPR defines identifiable information, there is possibly other information in this breach that would also run afoul of GDPR without having to be government-issued. For example, if the MyFitnessPal mobile app collected a phone’s IMEI number, that too would be identifiable data. With less than 60 days to enforcement, companies really should be in full sprint to ensure they are prepared for GDPR.”