« January 2016 | Main | March 2016 »

3 posts from February 2016

26 February 2016

Cyber security - Are you ready for the new data privacy world?

Client webcast: Are you ready for the new data privacy world?

Date: Wednesday 2 March 2016

Time: 11:00 - 12:00 (GMT)

Our recently launched CEO Survey clearly shows that cyber security is now at the top of the risk agenda for many companies. Merely shoring up cyber defences and reviewing these periodically is not enough. Effective cyber security starts with understanding what critical data you have, where it is in your organisation and how you manage and protect it.

The data privacy and protection landscape is rapidly transforming as new regulation puts all businesses at risk of significant fines and sanctions if they fail to protect customer and employee data. Any entity of any size, public or private, anywhere in the world, dealing with data on European citizens is impacted. If you are not already aware of these changes or not responding to them, you may be putting your organisation at risk.

Please join our webcast to understand how you can build confidence in your digital future and prepare for the new data regulation. Throughout the webcast you will have the opportunity to ask the panel questions. If you wish to send any questions in advance please tweet them to us using #ClientwebcastPwC.

To register for the webcast please click here.


04 February 2016

Amazing what you see over lunch…

View John Whitehill’s profile on LinkedIn

I was sitting eating lunch with my daughter a couple of weeks back in Glasgow. We were sitting next to a window beside a busy street, and on the opposite side of the road, a law firm proudly displayed its signage on their office windows. Through the windows, they unintentionally displayed something quite different. Papers everywhere, files stacked up against windows, cabinets clearly bursting full, more files stacked on top. Maybe it's just me, but I wondered how I would feel as a client of that firm to see such a disregard for the protection of my personal information. I am fairly sure there will be a lot of information in those stacks of paper that would cause significant embarrassment if it was exposed to the public.

We have become familiar with the term 'cyber security' to mean security risks, issues and threats linked to the use of technology. Our stakeholders are also familiar when we talk about 'layers of controls' and 'defence in depth' as we describe a control environment built in response to cyber risk. But it's not the full story. Physical security is a key part of the layers of control you require to form an effective response. Although it doesn't immediately feel part of 'cyber', let me explain why I believe it is so important.

When I was in my very early days of my career, a seasoned manager once told me you can tell the state of an organisation’s IT control environment by looking at how tidy and organised their server rooms are. Over the years, I have to say, it was a pretty good rule of thumb. I was once told by an IT Manager 'careful in that server room, people keep tripping over all the cables and a cleaner unplugged one of the boxes by mistake the other day'. That review proved beyond all doubt to me of the link between the server room and control environment!

My view is that a similar rule on clear desk gives a sense on the culture, disciplines and response an organisation has on the wider issue of cyber security. If employees of a company leave hard copies of all your information around, why would you think your electronic information will be handled any differently? Papers and files scattered around the physical floor space will likely be replicated on the 'electronic floor space' as information is spread across a variety of different servers, shared drives and directories. Multiple copies of your customer data, for example, greatly increases the risk that your data will be lost or exposed during a security incident.

I would urge you to consider how you can use a renewed approach to clear desk - or 'secure workspace' as it's often known - as the catalyst to instil better information handling practices across your organisation. The desk space is very visible - changes in how you expect your people to work will be obvious and no-one will be able to say 'I didn't know'. A lot of organisations are now moving to hot-desking, which is a great way of making sure paperwork is not left lying around on desks. But cabinets and printers are often another fruitful source of sensitive information being left unsecured. 'Pull printing' is fairly standard these days. Not only is it good for the environment, it also reduces the risk of sensitive prints being forgotten about.

Secure workspace is a key control that everyone plays a part in. Not just the domain of department A, team B, person C etc. Everyone has a role to play.

If you get this sorted, my contention is that awareness of 'being careful' with information increases. As people become more careful, queries will be raised over poor practice within paper/electronic processes. People will give a second thought to information which is about to be sent to a home email address. A question mark will appear when a USB stick is found in a car park (a classic social engineering trick). All of those small improvements come together to create a much larger win - very much the "marginal gains" line of thinking used by the UK cycling team.

So next time you are presenting an update on cyber security to your board, risk committee or key sponsors, include a view on physical security.

And next time you are visiting a firm for either a business or personal purpose, cast an eye over the work space as you arrive. I reckon you will be able to tell a lot more about the culture of that company now you have read this blog!

John Whitehill | Cyber security director
Profile | +44 (0) 131 260 4664

What the recent JANET attack tells us about Social Media Risk

View Katy Buller's profile on LinkedIn 

You may have heard about the recent attack on JANET, the UK’s higher education research and education network that serves over 18 million users. It was attacked using a series of Distributed Denial of Service (DDoS) attacks, preventing students and Higher Education Institution (HEI) employees alike from gaining access to the internet and their university networks. Such an attack was not anticipated or expected on the external IT infrastructure, which in turn increased its impact. But why is social media an important aspect of this? After the initial impact of the attack, it is believed that the attackers were monitoring the twitter updates on JANET in order to adapt their attacks and to continue disrupting the network. This in itself highlights a number of concerns for organisations – there is a direct conflict between the need to use social media to your advantage to get important messages out to customers and for engagement, however how much is ‘too much’ information and exactly what is appropriate or acceptable to put out in order to ensure you are protected (whether your organisation, your customers or you personally)?

Social media is an increasingly used tool by attackers – whether it to be to social engineer firms, commit identity theft, conduct phishing attacks or worse. You only need to look at some of the statistics on social media cyber attacks and threats to realise the issues we are now facing. For example, 1 in 10 social network users said they had fallen victim to a scam or fake link on social network platforms; more than 600,000 Facebook accounts are compromised every day.  Cyber bullying is on the rise due to social media use, with an astounding 55% of teens witnessing bullying over social networks; there is an increasing amount of account hijacking occurring on high profile accounts - all of this further emphasises the extent to which cyber threats and criminals have evolved through the adoption of social media. 

I’m not saying that social media shouldn’t be used, in fact quite the opposite. It is a brilliant tool for organisations and society in general. It comes with a number of advantages and benefits, but because it is a fairly new tool in society we’ve been slow to grasp the scale of the impact using it can have on an individual or an organisation. This is why it needs a lot of thought and understanding. Once you have this and can govern those risks, the benefits are huge, particularly in terms of increasing competitive advantage, customer engagement and the ability to raise your profile and reputation.

Ultimately, it is becoming increasingly important to ensure that from the board level filtered down throughout organisations and the general public, appropriate education and strategies are in place to effectively mitigate the risks of its usage. It may carry a risk but the benefits it can bring when you get it right are incredible – plus social media isn’t going away any time soon. Find out more here.

Katy Buller 


View Katy Buller's profile on LinkedIn