
    6 signs that you need to conduct a pen-test!


    Do you know how many records have been lost or stolen since 2013?
    Source: http://breachlevelindex.com/
    9,053,156,308 records
    Let’s break it down by frequency:
    Per day: 5,191,030 records
    Per hour: 216,293 records
    Per minute: 3,605 records
    Per second: 60 records
    Scary, right?

    It’s alarming to see the number of attacks increasing every year, and what makes it worse is that the biggest giants in the industry are getting hit. The question is, who is at fault? The security team, the board or an employee within the organisation?
    We don’t want to play the blame game; it’s time for all businesses, big, medium or small, to look in the mirror and review their own security infrastructure.
    Cybercriminal activity is only going to increase. Attackers target the easy victims with simple tools, then use more sophisticated networks, zero days and advanced persistent threats to attack government bodies and private international, national or local businesses across the globe.
    One of the biggest challenges an organisation faces in information security is determining how secure you currently are versus your risk profile, your security policy requirements and best practice. Penetration testing is an extremely valuable tool in helping you determine your current security posture by safely identifying and trying to exploit vulnerabilities in your infrastructure or applications. Penetration testing helps eliminate false positives as to the exploitability or impact of vulnerabilities. The following scenarios help you identify why you need to conduct a penetration test for your business.

    Is there a lot of breach activity in your sector, or has your competitor been hit?

    Breaches in your sector may be a good early indicator that you might be vulnerable. Firstly, they point to possible targeted activity in your sector. Cybercriminals and hackers, as we know, have lots of success through targeting particular organisations and sectors. A pattern of breaches in your sector usually means that they have template approaches and toolsets for successfully attacking that sector. Hackers and cybercriminals also have specific motivations, such as financial return or brand damage to a particular organisation or sector. Again, breach patterns in your sector may point to your sector coming into their sights for some particular reason. Success builds success, and copycats. If a hacker or cybercriminal has had success in a sector, then that particular hacker or organisation may look to repeat that success on other victims in the sector, and there will usually be no shortage of copycats. If you have had the luxury of seeing your competition suffer from breaches, it might be an opportune time to quickly assess how vulnerable your organisation is and use the time to fix issues before you become another breach casualty in the sector.

    You have a nagging doubt that you truly know the up-to-date security posture of your high and medium risk systems.

    A common misconception among businesses is that they are safe, or that they know their security posture, because they did a pen-test last year. Too often people only get a penetration test to meet compliance or financial audit requirements. What they fail to realise is that so much can happen in months, weeks and even days. The reality is that in a very dynamic threat landscape, driven by strong motivation and success on the part of cybercriminals and hackers, ad hoc and infrequent penetration testing leaves you effectively blind to potentially preventable risks. A system or application that appeared secure 12 months ago may now be at significant risk due to new vulnerabilities that have been discovered, or configuration changes that have been made on that system or in supporting security infrastructure in the intervening period. Regular penetration testing is required to get an up-to-date picture of your security posture. Best practice recommends penetration testing higher risk production systems more often and lower risk systems at a lower frequency. Best practice would also recommend penetration testing systems that have gone through change before releasing that change to production. Organisations are often reluctant to penetration test regularly because of cost or disruption. Whilst there is no one-size-fits-all answer, it is important to build a granular approach to testing rather than a monolithic one: penetration test specific high risk systems more frequently, penetration test changed or new systems before release, perform round-robin penetration testing on lower risk systems so that they are assessed at a lower frequency than the higher risk systems, penetration test the whole perimeter, and so on. This more granular approach ensures pragmatic, affordable testing that provides full coverage of your systems but focuses the effort on clearly identified risks and potential impact to the business.
    If you can’t say with confidence that your knowledge of the security status of your IT estate is as up to date as you would like, then it most likely means that you are not performing enough penetration tests.

    You think penetration testing is a pain, that it shows you or your team in a bad light, or you only do it because an auditor or customer asks you to.

    Roll back 10 years, and lots of people in the industry were questioning the value of penetration testing and whether it needed to be conducted at all. We had next-generation firewalls, heuristic anti-malware technologies, integrated security suites from the perimeter to the endpoint, and evolving threat intelligence solutions that were offering bulletproof preventative security. So where did that get us? The threat landscape and the rapid growth in everything from cyber criminality to data breaches and extortion over the last 10 years has proven that preventative security infrastructure cannot make up for basic information security hygiene practices and an appropriate strategy that mixes identification, protection, detection and recovery/response capabilities, coupled with layered security. One of the key tools in the identification phase, to help understand your security posture and to know where to deploy your resources, is security testing with an appropriate mix of audit, penetration testing and vulnerability testing. Vulnerability testing is useful, but on its own it doesn’t provide the full picture of your security posture. A business identifies through a pen-test security holes which a vulnerability scan cannot pick up, for example an admin portal with default credentials left open to the general internet. Penetration testing leaves no doubt as to whether a vulnerability is exploitable and what the potential impact might be. Penetration testing is a growth industry once more. Organisations that gain the most value from penetration testing do a number of things well:

    • They embrace penetration testing as a positive tool: they want the tests conducted regularly and comprehensively so that they can measure their posture, understand what they are doing well and where they need to improve.
    • They are very clear on their testing strategy, frequency, scope and their goals for the testing.
    • They cooperate with the penetration testing organisation, they are hungry for the outputs from the test and they quickly work on prioritised remediation.
    • They continuously improve by embracing the learnings from the output so that they don’t repeat the mistakes of the past.
    • They have an appropriate mix of audit and testing, ranging from risk assessment, penetration testing and vulnerability scanning (and management) to social engineering tests, ensuring they have appropriate coverage.
    • They take a risk-based approach rather than a compliance-only approach.

    The thing about a pen-test is that there is a human behind this kind of test, who goes through the detailed scan results and produces an analysis report. The human factor identifies the gaps manually and exploits them, producing a report on where and how exactly you need to prioritise your vulnerabilities.

    You are about to deploy a new service or solution or migrate to a new service.

    Implementation of a new solution, an upgrade or a migration to a new service are very busy and stressful times for businesses, and in particular for IT teams. IT resources are focused on meeting user acceptance criteria, deadlines and go-live dates. What often gets lost, or left until the last minute, is verification that the system is in fact secure, meets your policy or compliance standard, or is implemented to security best practice. Organisations often go live and then schedule a penetration test during production, which is pretty reckless. Other organisations do test, but leave it so late that there is no time to conduct the penetration test and fix the issues before go-live, and then go live without fixing any of them. They are then left with the unenviable dilemma of “Do we go live now and fix later, or postpone?” These approaches typically point to a bigger organisational problem: the absence of any sort of controlled secure systems development lifecycle (SSDLC) or methodology. If security testing is an afterthought, it usually means that security requirements weren’t properly specified at the requirements stage and security wasn’t designed in at the design stage, so an ad hoc build encompassing some ad hoc security is probably what was implemented. This leaves the unenviable problem at the test/verification stage: what is the penetration tester testing against? What policy, what requirements? Quite often, in our experience of this scenario, you are left testing against industry best practice and some sort of retrospective risk analysis and retrospective security requirements. All of this points to a chaotic approach to security, which doesn’t bode well for the particular project or for the organisation’s risk management and information security generally. Making security part of your SDLC, i.e. having an SSDLC, means a much more effective, much less chaotic and less costly approach to security.
    You identify your security requirements up front, so the project has security baked in from the start. It is crystal clear to the business stakeholders, the developers, the implementers and the support organisations what security is required, and the project does not get past each gated stage until functional and security requirements are met. The penetration tester has very clear objectives for their testing. Apart from making the project and organisation more secure, it reduces costs. The IT industry is well aware that the cost of fixing a bug (security issues are non-conformance to specification and thus a security “bug”) found during implementation is 6 times that of fixing it during design, and 15 times if it is found during the testing phase.

    Your infrastructure or application managed service provider had a guy who is pretty handy at penetration testing, and he did your last one as part of their service to you.

    Security audit and penetration testing are a key part of your overall information security governance. Letting Joe the vendor support guy, who happens to have read “Penetration Testing for Dummies”, penetration test your systems is the equivalent of letting your office supplies delivery guy wire your data centre because he has an interest in electrics. Letting the providers of your service audit or test your IT services, applications or infrastructure is riddled with conflicts of interest. Are they really going to point out in their test report what a poor job they might have been doing in keeping your systems patched, in configuring the systems they are responsible for, or in properly managing your firewall rulebase and risk, and thereby breach the SLA or lose the contract? Do they really have the expertise to conduct the test to the level required? Will they do it to agreed penetration testing protocols? Whilst their report might be something that you can show to non-expert financial or compliance auditors who might only be interested in ticking the box that a penetration test has been completed, is their report something that you can credibly show to knowledgeable customers to demonstrate competence, completeness, expertise and experience, or even a professional approach to information security? Is it even something that your organisation’s or the provider’s professional indemnity and crime insurance would cover? If you are serious about information security, then you get penetration testing conducted by non-conflicted, professional penetration testing organisations. Look for the expertise, experience and accreditation of the organisation and its testers. Look at their approach. Request sample reports and discuss testing scope and approach with them:

    • Is it a risk-based approach?
    • Will there be specific, measurable, achievable, timely recommendations in the test report?
    • Will the provider do full knowledge transfer of the findings and recommendations to your staff or suppliers?
    • Is it grey box, white box or black box testing?
    • Are they testing infrastructure or applications or both?
    • What is the testing window and protocol?
    • Will you need a re-test after your remediation work?
    • Do you need the consent of third parties to test and if their consent isn’t given or is very restricted then what might this mean?

    The penetration testing organisation you decided to go with was half the price of all the other organisations that provided proposals.

    True penetration testing requires expertise, experience, real people, an appropriate amount of time, effort, tools and a very methodical approach. All of this does not come cheap. You know the saying “you pay peanuts, you get monkeys”. In a lot of cases it is also “you pay peanuts, you get vulnerability scanning dressed up as penetration testing”. Remember that the objective of penetration testing is to identify vulnerabilities and to determine the exploitability of these vulnerabilities and their impact on your organisation. A vulnerability scan can be conducted in minutes using off-the-shelf or open source tools. Vulnerability scanning has its value to an organisation; however, it is only one part of penetration testing. Too many supposed penetration testing organisations ask a security analyst to cast their eyes over an automated vulnerability scan report, make some recommendations and then re-label this report a penetration test. In truth this isn’t a penetration test, it’s a souped-up vulnerability scan, and it’s the reason why that organisation’s “penetration test” is a fraction of the price charged by a professional penetration testing organisation that goes to the bother of spending the time ethically trying to exploit the vulnerabilities to determine the probability of exploit and the impact on your organisation. So, like all consumers, if you got something that was priced at a level that was too good to be true, then most likely you didn’t get what you paid for, and it doesn’t provide the level of security visibility that you required. I would respectfully suggest that you take your money elsewhere and get a proper penetration test so that you know what your true posture is.
    Penetration testing is a key tool in your armoury for verifying your security posture. Use this tool often and well, and your organisation will benefit in terms of better security. Use well-established penetration testing organisations with real penetration testing expertise and experience to get the best value for your organisation. Embrace the experience positively and your security can only improve continuously as a result. Beware of penetration testing provided by conflicted or non-expert parties. Be very suspicious of providers and suppliers who resist penetration testing.
    Here’s our download on penetration testing. If you would like to speak to any one of our penetration testing experts in Ireland or Northern Ireland, contact grainne@ward.ie and we’ll be in touch with you shortly.

    Insights

    GDPR- A Fundamental 'Right'


    It’s less than eight months to go. How are you doing?
    At this stage you may be beginning to feel saturated with GDPR: so many articles, so many blogs. Is there a day that goes by without some discussion relating to GDPR on your LinkedIn home page? For those of you who are feeling like this, or disheartened at what you perceive as a mammoth task ahead of you (you might be surprised how liberating it actually feels to get rid of all those contact details you were holding on to just because), you might bear in mind that data protection is actually a fundamental right under the Charter of Fundamental Rights of the European Union. It isn’t something new that was created by GDPR. A fundamental right: take a second to think about that. Is it just because I am a lawyer, or do those two words make your heart beat just a little bit quicker? Of course, fundamental rights are not absolute; they can be limited once the limitation respects the principle of proportionality, and this is a balance which GDPR aims to achieve throughout its various articles.
    I was musing to myself the other day on the different meanings of the word “right”. A right in this sense is obviously an entitlement of a data subject to the protection afforded under the Charter. However, right in the context of doing the right thing is about being fair, moral, honest and principled. Most companies today put considerable focus on their vision and values as a company and spend considerable time coming up with interesting and quirky ways to communicate them. I have yet to come across any company that mentions in its vision or values that it strives to be unfair, immoral, dishonest or unprincipled. Putting GDPR at the forefront of how your company organises its business is about upholding the rights of your customers and employees and doing the right thing.
    If you require assistance in relation to getting your organisation GDPR ready contact gdpr@ward.ie.
    To keep up to date with what you exactly need to know about GDPR, download our whitepaper here:
    By providing the contact information above, I agree that Ward Solutions Limited may collect, use, disclose and retain my personal data, which I have provided in this form, and share it with third party organisations through which Ward carries out its marketing (further details of which can be accessed at our website www.ward.ie), for providing marketing material, in accordance with the Data Protection Acts 1998 – 2003 and our privacy/data protection policy (available at our website www.ward.ie).
    If you do not wish to receive this information please e-mail us at privacy@ward.ie.


    Why does data processing play a critical role in…


    With under nine months to go until the commencement of GDPR, we hope that your organisation is well along its GDPR road of discovery at this stage.
    A processor is an organisation (or a natural person) that processes personal data on behalf of a controller. Bearing in mind the expansive definition of processing, which covers any operation carried out on personal data, from collection through storage to destruction, there are a great many organisations out there that carry out processing activities. As data protection legislation stands (pre GDPR commencement), the obligations of a data processor are limited, and therefore processors may not be aware that GDPR introduces a big change for them: they now have serious obligations under GDPR and become responsible for any breaches they commit under the new regime. Any such breach can result in legislative fines and/or actions by data subjects that have suffered material or non-material damage as a result of the breach, as well as contractual claims from controllers.
    Although these obligations may not always have been adhered to in the past, since the introduction of the Data Protection Acts there has been an obligation on controllers to ensure that, where data is processed by a processor on behalf of the data controller, there is a written contract in place between the controller and the processor which includes certain conditions. These requirements have been expanded under Article 28 of the GDPR, which sets out detailed conditions that must be included in any contract between a controller and a processor. It is the obligation of both the controller and the processor to ensure this requirement is met. (There is of course nothing stopping you from agreeing more stringent conditions in the contract; the requirements of Article 28 set the minimum threshold.)
    Some processors are only now waking up to the relevance of GDPR to them. This may happen when a controller client, at contract renewal, takes a new attitude to the agreement to be entered into, security audits and so on. Remember that where you are entering into a one-year contract now, it needs to take into account the requirements of GDPR, as GDPR will commence during the term of the contract. In entering into a contract for a new service, we ourselves have had a processor refuse to sign a data processing agreement in accordance with Article 28, saying “nobody has ever asked us to sign this before”. This required some (free) education for the processor on the requirements of GDPR! For those processors out there who have not yet started their GDPR journey of discovery, you need to get your skates on, because your GDPR-aware controller customers may end up going to your GDPR-ready competitors: with so much now at stake under GDPR, they will just not be happy to take the chance on you.
    If you require assistance in relation to getting your organisation GDPR ready contact gdpr@ward.ie.
    To keep up to date with what you exactly need to know about GDPR, download our whitepaper here:


    Ward Solutions appoints Orlagh Moylan to the role of…

    Ward Solutions, Ireland’s leading information security provider, today announces the appointment of Orlagh Moylan as Business Development Executive. Orlagh’s key role will be to identify new business opportunities and build existing client relationships.

    With over 12 years’ team management and commercial experience in the technology sector, Orlagh brings an understanding and depth of experience to her new position which will enable her to identify new opportunities and develop Ward Solutions’ sales team. She will play a crucial part in developing Ward Solutions’ sales strategy for information security solutions to protect customers against increasing security threats.

    Prior to joining Ward Solutions, Orlagh held the role of New Acquisitions and Channel Manager for Sage for four years. In this role she was responsible for new acquisitions, working with channel partners to help them achieve revenue targets and managing the sales team. Previously Orlagh worked with Xerox Europe for 10 years and her last role with the company was Senior Business Advice Manager where she was responsible for the management of a team of 40 focused on customer services and renewals.


    Vulnerability Scan & Penetration Test- How are they different?


    Five differences between a vulnerability scan and a penetration test:
    As a security company we get asked these questions a lot, and it is surprising how many businesses think the two are just the same. Here are the main reasons why you need to know the difference between them.
    Please note that the points below are drawn from industry best practice standards, e.g. PCI DSS.
    Vulnerability Scan:
    Objective: To identify, rank and report the list of vulnerabilities or potential vulnerabilities that, if exploited, may result in a compromise of your system.
    Plan the scan: It is recommended that your business conducts scans quarterly or after any significant changes have been made to your system. (Ref: PCI DSS Requirement 11.3)
    Duration: Vulnerability scans take a short period of time; typically scanning can be completed within a day. Of course this may differ based on the size of the project, but it is much shorter when compared to a penetration test.
    Functionality: A vulnerability scan is an automated scan which produces a report that is then analysed by a third-party vendor like Ward. Ward Solutions conducts both external and internal vulnerability scans.
    Reports: The vulnerabilities are typically ranked in accordance with the Common Vulnerability Scoring System (CVSS), which is what we mainly use; another ranking source used for these kinds of scans is the National Vulnerability Database (NVD).
    Now let’s look at penetration testing:
    Objective: To discover and exploit exposures that exist on the internal or external network in order to gain access to sensitive information or resources. In addition, a detailed report is provided with prioritisation and remediation advice so that the necessary mitigations can be actioned.
    Plan the test: It is recommended that a pen-test is conducted annually or after any significant changes have been made to the system. (Ref: PCI DSS Requirement 11.3)
    Duration: Penetration testing takes more time, and differs depending on the nature of the testing (e.g. web application or infrastructure), the size, and the complexity of the environment. Before this type of testing begins, all projects should be scoped in detail to understand the estimated effort required.
    Functionality: This process involves manual testing by one of our in-house pen-testers, covering reconnaissance, discovery and exploitation phases. The output is a comprehensive report.
    Reports: The comprehensive report consists of three sections:

    • An executive summary.
    • A detailed table of findings from the penetration test.
    • An information gathered section which describes the results of all the testing carried out both positive and negative.

    The one piece of advice we can give before you conduct a scan or a test is to have a plan in place. Discuss the reasons why you need it and what you want to achieve from it, and involve the key decision makers in your organisation. Once you know what you really want to achieve from testing, set expectations and decide which areas of risk you need to focus on. Involving a third party is not going to disrupt your plan; it only gives you a clearer perspective from all sides, so that you are not left with a gap that might have been missed if it were done internally.
    Ward advises that when you receive proposals from third parties, you make sure you understand the above differences before you select which option is correct for your organisation and which one you want to go ahead with.
    If you want to speak to one of our experts to continue this discussion:
    E-mail me at grainne@ward.ie or call our office. If you’re based in Ireland call +353 1 6420100, or in Northern Ireland call +44 28 90 730 187, to discover our range of information security solutions and discuss your unique requirements.
    To have a look at our latest survey results, check out the latest edition of our whitepaper on mapping cyber security solutions.


    Should I be afraid of my fridge? Threats of…

    The Internet of Things (IoT) is a term that causes much confusion, but doesn’t need to. IoT simply refers to the huge range of devices that are all connected to the internet and, therefore, to one another. Aside from the standard fare of computers and smartphones, the IoT really refers to the vast range of connected devices we would not usually associate with the internet, from cars, to kitchen appliances, to thermostats. The array of devices with the potential to make the shift from ‘dumb’ to ‘smart’ seems almost endless, with around 8.4 billion IoT devices currently in use around the world, and a predicted 20.4 billion to be in use in households and businesses by 2020. The majority of IoT devices are currently found in the US and Chinese markets, but Western Europe will be the other major region driving this growth. However, the rapid growth in numbers of connected devices in circulation is also driving very real security concerns.

    The security threats facing companies are constantly evolving with new technologies. For example, our recent survey found that 77% of companies predict cybercriminals will use AI to strengthen attacks in the next 12 months. Despite the forecasted growth of the Internet of Things, consumers too have expressed justified security fears which will need to be addressed before widespread adoption. The worries surrounding the IoT read like features of a dystopian novel, but are in fact a very real concern. A study from Hewlett-Packard found that 70 percent of the most commonly used IoT devices were not secure. On one hand, there are concerns around the use of these insecure devices for government surveillance, as evidenced by Wikileaks’ release of CIA documents highlighting the targeting of consumer electronic devices. Our Android devices, iPhones and smart TVs are all open to being spied on and targeted, due to their often paper-thin security.
    On the other hand, these devices are frequently targeted by hackers for a range of criminal activities, which can be divided into two categories. Firstly, devices may be taken over by hackers and used to do something they are not intended to do. Distributed Denial of Service (DDoS) attacks are one example of this. DDoS attacks attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Due to the relative ease with which hackers can access a range of IoT devices, they are often employed in these attacks. Your smart toaster may unwittingly be contributing to these large-scale disruptive botnet attacks.

    Secondly, devices can be commandeered and put to their intended use, but in devious ways. For example, a drone device may be taken over mid-flight, and simply redirected into the hands of the hacker. More nefariously, we may have cause for worry if our future self-driving car can be overridden and directed off the road. In the future, hackers may conceive of a multitude of ways in which to use our devices that we simply can’t comprehend beforehand.

    It’s clear then, that the cyber threat to IoT devices is less about the traditional viruses we associate with our computers and laptops, and more the re-purposing of open devices for criminal activities. While there is no simple fix for IoT security, there are simple ways in which we can greatly improve the security of our own devices. Too often consumers fail to change the default password of their devices. This simple step may not shut out hackers completely, but it will at least close the front door.

A culture change is also needed within organisations, with cyber security made a top priority. The first step for an organisation in IoT security is to establish how many connected devices are actually on its network. A survey from AT&T shows that almost half of enterprises only estimate the number of connected devices in their business rather than measuring it. Penetration testing is an effective way to get on the front foot and understand the extent of the IoT security challenge facing your organisation. Employees should also receive basic security training, and risk assessments and information system audits should be commonplace.
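The gap between an estimated and a measured device count is easy to close with data the network already holds. The script below is an added example for this article, not code from the original page or from any vendor product: it reads a DHCP lease table, looks up each MAC's manufacturer prefix, and compares what is on the wire with what the asset register says should be there. The lease text is constructed in the dnsmasq lease-file layout (expiry, MAC, IP, hostname with `*` meaning no hostname, client-id); the OUI-to-vendor map and the approved-asset register are assumptions made for illustration. A real inventory would load the IEEE OUI registry and the organisation's own asset database instead.

```python
"""Inventory the devices on a network from a DHCP lease table.

Added example; not code from the original article or any vendor product.
The lease text is constructed in dnsmasq lease-file layout. The OUI map
and the approved-asset register are assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed sample lease table (dnsmasq.leases layout):
# <expiry epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1700000000 3c:22:fb:12:34:56 10.0.1.10 alice-laptop 01:3c:22:fb:12:34:56
1700000000 b8:27:eb:aa:bb:cc 10.0.1.21 * 01:b8:27:eb:aa:bb:cc
1700000000 00:17:88:01:02:03 10.0.1.22 hue-bridge *
1700000000 d8:e0:e1:11:22:33 10.0.1.23 smart-tv *
1700000000 3c:22:fb:65:43:21 10.0.1.11 bob-laptop 01:3c:22:fb:65:43:21
"""

# Assumed OUI (first three octets) to vendor map; deliberately incomplete so
# that an unrecognised prefix is exercised below.
OUI_VENDORS = {
    "3c:22:fb": "Apple",
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:17:88": "Philips Lighting",
}

# Assumed approved-asset register: MACs the organisation has already recorded.
APPROVED_MACS = {"3c:22:fb:12:34:56", "3c:22:fb:65:43:21"}


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    hostname: str
    vendor: str        # "unknown" when the OUI is not in the map
    approved: bool     # True when the MAC is in the asset register


def vendor_for(mac: str) -> str:
    """Look up the vendor from the OUI prefix of a colon-separated MAC."""
    prefix = ":".join(mac.lower().split(":")[:3])
    return OUI_VENDORS.get(prefix, "unknown")


def parse_leases(text: str, approved=APPROVED_MACS) -> list:
    """Turn lease lines into Device records; malformed lines are skipped."""
    devices = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _expiry, mac, ip, hostname = fields[:4]
        mac = mac.lower()
        devices.append(Device(
            mac=mac,
            ip=ip,
            hostname="(none)" if hostname == "*" else hostname,
            vendor=vendor_for(mac),
            approved=mac in approved,
        ))
    return devices


def summarise(devices: list) -> dict:
    """Count what is on the network versus what the register says should be."""
    return {
        "total": len(devices),
        "approved": sum(d.approved for d in devices),
        "unapproved": sum(not d.approved for d in devices),
        "unknown_vendor": sum(d.vendor == "unknown" for d in devices),
    }


def unapproved_devices(devices: list) -> list:
    """Devices to chase up: on the wire but not in the asset register."""
    return sorted((d for d in devices if not d.approved), key=lambda d: d.ip)


if __name__ == "__main__":
    found = parse_leases(SAMPLE_LEASES)
    print(summarise(found))
    for d in unapproved_devices(found):
        print(f"{d.ip:<12} {d.mac}  {d.vendor:<24} {d.hostname}")
```

On the constructed sample this reports five devices, two of them approved and three not, one of which has a vendor prefix the map does not recognise. Those three unapproved entries are exactly the devices the estimate-based approach never sees, and they are the starting list for the penetration test described above.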

Securing the Internet of Things is a daunting challenge, complicated by the fact that many devices use only simple processors and operating systems, incapable of supporting sophisticated security approaches. Placed at the top of Gartner’s list of 10 IoT technologies for 2017 and 2018, security will remain an ongoing issue for manufacturers and regulators as IoT device use expands. In the meantime, consumers should remain aware of the risks and take whatever steps they can to secure their own devices.

    For further advice and support on how to secure your IoT assets and protect your business speak to our subject matter experts, e-mail us at info@ward.ie or call 1800 903 552 to discuss your unique requirements.

    Insights

    Your safety guide to Cloud Shadow IT!


    Missed our webinar? Don’t worry! We recorded this for you: Click here
    How to turn the potential threat of Shadow IT into an advantage?
    In our webinar we looked at the hidden threat at the heart of many Irish organisations that is shadow IT, i.e. the use of software or systems that are not authorised by the IT department. The growth in cloud services has made it extremely easy for users to access unauthorised programs, and as a result we have reached the point at which Cloud Shadow IT now poses a significant threat to Irish organisations. Companies need to decide how best to deal with shadow IT trends in their organisation but the best option might not necessarily be to clamp down on users.
When it comes to dealing with the threat of shadow IT, it’s important to first understand the reasons behind its spread. In the majority of cases it stems not from malicious intent but from employees trying to be proactive, adopting software they believe will benefit the organisation. The proliferation of cloud services has made it easier than ever to adopt unauthorised apps, as they typically require only a browser rather than installing programs on local devices. As a result, many employees turn to unauthorised programs, with no bad intent, to fill a perceived gap in their existing software suite.
    Security awareness training is crucial
When deciding on the right approach to tackling shadow IT, companies need to bear this in mind and create a culture of acceptance and protection rather than one of detection and punishment.
    Employee education is central to developing such a culture. Providing your employees with security awareness training that gives them an overview of the reasons for the existence of particular security processes can help them to appreciate the necessity of adhering to company policies.
    Identifying unauthorised apps
    As well as ensuring that your team is aware of the inherent risk associated with cloud shadow IT, it’s also important to make certain that you have oversight of the apps that are being accessed on your network. Utilising a tool such as Microsoft Cloud App Security (CAS) can give you the visibility and control that you require.
    CAS allows you to collect information from firewalls and proxies and identify exactly which apps are in use from your network. This can help you to assess risk, and also identify which users are utilising apps that fall outside company policy.
Having identified individual users who are using cloud apps without the IT department’s authorisation, it is a good idea to ask them to outline their reasons, in order to establish whether there is a genuine need for such an app. If providing access to a particular app would be likely to increase productivity or otherwise benefit the company, it may be worth reassessing current policies and investigating whether the app can be integrated into your overall software suite. That way the app is brought inside your security infrastructure rather than sitting outside it, where its use is invisible and uncontrolled and could leave your network and data exposed.
    When seeking to on-board CAS initially it’s a good idea to take a phased approach, utilising the tool as a proof of concept to increase visibility over the network and justify an ongoing governance and compliance strategy.
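The discovery step described above (collect proxy or firewall logs, map destinations to known cloud apps, see who is using what) is simple enough to illustrate end to end. The script below is an added example for this article; it is not Microsoft Cloud App Security code or output, only a demonstration of the same idea. The log lines are constructed in the Squid native access-log layout (time, elapsed, client, result/status, bytes, method, URL, user, hierarchy, type); the app catalogue and the sanctioned-app list are assumptions for illustration. It aggregates, per app, the distinct users and bytes transferred, and ranks the unsanctioned apps by traffic so the "why are you using this?" conversations start with the ones that matter most.

```python
"""Discover cloud apps in use from proxy logs, as a CASB discovery stage does.

Added example; not Microsoft Cloud App Security code or output. Log lines
are constructed in Squid native access-log layout; the app catalogue and
the sanctioned list are assumptions for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed Squid-style lines:
# time elapsed client result/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1502812800.101   245 10.0.1.10 TCP_TUNNEL/200 5242880 CONNECT drive.google.com:443 alice HIER_DIRECT/142.250.1.1 -
1502812801.223   180 10.0.1.11 TCP_TUNNEL/200 1048576 CONNECT www.dropbox.com:443 bob HIER_DIRECT/162.125.1.1 -
1502812802.417   150 10.0.1.10 TCP_TUNNEL/200 204800 CONNECT tenant.sharepoint.com:443 alice HIER_DIRECT/13.107.1.1 -
1502812803.009    20 10.0.1.12 TCP_MISS/200 1024 GET http://example.com/index.html carol HIER_DIRECT/93.184.216.34 text/html
1502812804.551   300 10.0.1.11 TCP_TUNNEL/200 2097152 CONNECT drive.google.com:443 bob HIER_DIRECT/142.250.1.1 -
1502812805.777   900 10.0.1.13 TCP_TUNNEL/200 734003200 CONNECT wetransfer.com:443 dave HIER_DIRECT/1.1.1.1 -
"""

# Assumed app catalogue: domain (or parent domain) -> app name.
APP_CATALOGUE = {
    "drive.google.com": "Google Drive",
    "dropbox.com": "Dropbox",
    "sharepoint.com": "SharePoint Online",
    "wetransfer.com": "WeTransfer",
}

# Assumed policy: the only storage/sharing service IT has approved.
SANCTIONED = {"SharePoint Online"}


def host_of(url: str) -> str:
    """Host from either a CONNECT target (host:port) or a full URL."""
    if "://" in url:
        return (urlparse(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def app_for(host: str):
    """Match the host, then each parent domain, against the catalogue."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        app = APP_CATALOGUE.get(".".join(labels[i:]))
        if app:
            return app
    return None


def parse_line(line: str):
    """Return (user, host, bytes) for a well-formed line, else None."""
    f = line.split()
    if len(f) < 8:
        return None
    try:
        size = int(f[4])
    except ValueError:
        return None
    return f[7], host_of(f[6]), size


def discover(log_text: str) -> dict:
    """Aggregate per app: distinct users, bytes, and whether it is sanctioned."""
    apps = defaultdict(lambda: {"users": set(), "bytes": 0, "sanctioned": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, host, size = rec
        app = app_for(host)
        if app is None:
            continue  # ordinary web traffic, not a catalogued cloud app
        entry = apps[app]
        entry["users"].add(user)
        entry["bytes"] += size
        entry["sanctioned"] = app in SANCTIONED
    return dict(apps)


def unsanctioned_report(apps: dict) -> list:
    """(app, user count, bytes) for unsanctioned apps, heaviest traffic first."""
    rows = [(name, len(e["users"]), e["bytes"])
            for name, e in apps.items() if not e["sanctioned"]]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, users, size in unsanctioned_report(discover(SAMPLE_LOG)):
        print(f"{name:<18} users={users} MiB={size / 2**20:.1f}")
```

On the constructed log the report lists WeTransfer, Google Drive and Dropbox as unsanctioned, with WeTransfer first because a single 700 MiB upload outweighs the rest; the SharePoint traffic is recognised but, being sanctioned, is left out of the report. The parent-domain matching is what makes `www.dropbox.com` and `tenant.sharepoint.com` resolve to their apps without listing every hostname.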
    ISO 27001 and GDPR
The General Data Protection Regulation, which comes into force in May 2018, will require organisations to know precisely where their data is stored. Unauthorised use of cloud storage services can leave an organisation unable to track where its data flows, which would leave it non-compliant. This could expose companies to fines of up to €20M or 4% of global annual turnover, whichever is greater, and highlights the need for Irish organisations to tackle shadow IT sooner rather than later.
    Using solutions like CAS can be a powerful and effective way of uncovering the movement of data from your network to cloud services. Following the initial discovery, organisations should continue to use CAS to perform their due diligence, to regain control over their data flows and ensure ongoing governance and information protection.
    A good approach to ensuring GDPR compliance is to employ an overarching framework such as ISO27001 to ensure information security best practices are in place from an early stage. Striving to adhere to a standard such as ISO27001 will help you to uncover and effectively deal with shadow IT practices that exist in your organisation.
    Acting now and taking the right approach can not only help you to identify software that may benefit your organisation, but also help you to take the initial steps towards GDPR compliance.
    Ward Solutions can help companies to tackle cloud shadow IT practices, using Microsoft Cloud App Security to regain control of the software being used from their networks. Ward’s expert team also provides comprehensive consultancy to help Irish organisations become ISO27001 and GDPR compliant. E-mail cloud@ward.ie to find out how we can help you.
By providing the contact information above, I agree that Ward Solutions Limited may collect, use, disclose and retain my personal data, which I have provided in this form, and share it with third party organisations through which Ward carries out its marketing (further details of which can be accessed at our website www.ward.ie), for the purpose of providing marketing material, in accordance with the Data Protection Acts 1998 – 2003 and our privacy/data protection policy (available at our website www.ward.ie).
If you do not wish to receive this information please e-mail us at privacy@ward.ie.

    Insights

    WEBINAR ALERT: Awareness, Discovery and Control of Cloud Service…

    Ward Presents: Awareness, Discovery and Control of Cloud Service Usage

    When and where?

    Start: 4:00 PM, 15/08/2017
    End: 4:30 PM, 15/08/2017 (GMT)

    Missed it? Here is the recorded session: Click here

    Do you know what the hidden threat is at the heart of many organisations?

    It’s called shadow IT!

    Let’s explain this in the simplest way possible.

    Shadow IT refers to the implementation and utilisation of IT solutions and platforms without any organisational authorisation.

The growth of cloud services, combined with the business drivers of mobile workforces and greater collaboration within and between organisations, has created a new set of challenges around data governance and control. The ease with which a user can adopt a cloud service, usually at little or no cost and with no software to install beyond a browser, means it is likely that cloud services the organisation has never vetted or authorised are already in use on its network. This poses a significant risk if that usage goes undetected and unmanaged, especially where users are storing, sharing or processing data through such services in direct conflict with your information security policies. It may result in sensitive data being exposed to unauthorised audiences.

    It’s worth noting that adoption of these unauthorised services is usually for non-malicious reasons, driven by the needs of the user to increase efficiency, be more productive or as a work around to perceived organisational blockers to their tasks.

    A simple example; I need to get a file to a customer, which is larger than the limit allowed by our email service. We don’t have a business file sharing service, so I will copy the file to a public cloud storage service that I happen to have a personal account with, and share the file from there.

    Problem solved for the member of staff!

    Problem created for the organisation!!!

    • What data is in the file & how sensitive is it?
    • Who else can access it now?
    • How long will it stay up there?
    • We have no control over the cloud service or the file, what do we do?

According to our recent survey of 170 senior IT decision makers, 72% believe that the explosion of cloud services has led to shadow IT becoming an issue for many organisations. Our experience is that organisations do not have adequate assessments and controls in place to prevent shadow IT, which leads to risks and incidents that ultimately affect the organisation’s reputation.

We think it’s important to give you a heads-up about this issue, and that is why we bring you one of our experts. In this webinar, Allan Cahill, head of secure identity and information solutions, will explain shadow IT, how its associated risks can impact your business and how to manage those risks.







      For more information on our cloud security solutions e-mail: cloud@ward.ie

      Insights

      One in five Irish businesses held to ransom in…

      Ward Solutions’ recent survey revealed that one-fifth of Irish businesses were held to ransom by cyber-criminals in the past 12 months.

      Ward Solutions recently revealed the results of its 2017 information security survey, carried out in association with TechPro magazine. Among the findings, Ward revealed that one-fifth of Irish businesses were held to ransom by cybercriminals in the past 12 months. The survey was carried out among 170 senior IT professionals and decision makers throughout Ireland just prior to the recent WannaCry attacks and the results serve to highlight the scale of the current ransomware issue.

      Ongoing risk to organisations of all sizes
      According to the survey, IT security threats are continuing to rise, with 57% of organisations saying that they noticed an increase in the number of security incidents in the past year. Of those who said that their business was held to ransom, 64% said that the amount demanded by cybercriminals was less than €1,000. The fact that cybercriminals are continuing to demand small amounts of money enables them to target organisations of every size and highlights the risk that ransomware poses to all businesses, from corporations to SMEs.
      When it comes to paying ransoms, just 14% of survey respondents said that they would pay the ransom if the value of the data merited it. However, nearly half (48%) said that they would not pay, regardless of the value of the data that was held to ransom.

      Stricter requirements under GDPR
      The results of Ward’s survey also reveal a host of findings about Irish organisations’ preparedness for incoming General Data Protection Regulation (GDPR). GDPR will place stricter requirements on companies to alert both the authorities and data subjects in the wake of a data breach. When GDPR comes into force on May 25th next year, businesses will also be obliged to implement an established incident management plan following a data compromise.
However, despite these requirements being less than a year away, the results of Ward’s survey indicate that some companies do not currently meet these obligations. While 75% say that they would report an incident to the authorities, including the Data Protection Commissioner, just 53% say that they would report a breach to affected third parties. Failure to comply with the regulation could leave companies exposed to substantial fines.
Under GDPR, a failure to notify the supervisory authority within 72 hours of becoming aware of a breach, or to inform affected individuals without undue delay where the breach is likely to put them at high risk, can attract fines of up to €10 million or 2% of global annual turnover, whichever is greater. Fines of that scale could have a catastrophic effect on some Irish organisations, so to protect their interests companies need to make sure they understand the detail of the legislation.
      Employee training part of the solution

      Employee training can play a significant role in reducing an organisation’s threat level.

      Despite the growing threats and impending legislative changes, 52% of IT decision makers in Ireland and Northern Ireland say that they do not believe that their board has sufficient understanding of their current information security situation.
      Companies are becoming more aware of the importance of employee training as part of the overall solution though, with almost two thirds (62%) saying that they audit their employees on their awareness of information security best practices.
      65% of respondents stated that their cyber security spend will increase in the next 12 months, indicating that companies are responding to the increasing threat level by reinforcing their information security infrastructures.
      Reassuring but still room for improvement
      Commenting on the survey results, Pat Larkin, CEO of Ward Solutions, said: “It’s clear from the results of our latest survey that cyber-crime has continued to grow and evolve over the past 12 months, leaving Irish and Northern Irish businesses more vulnerable to attack than ever before. Ransomware continues to present a real threat to companies, affecting one in five of those surveyed. It’s interesting to see that just 14% of organisations would pay the ransom, while almost half would not pay, regardless of the value of the affected data.
      “It’s reassuring to see some organisations responding to the information threat by investing in their security protection, and employee training and auditing. The ‘human firewall’ is consistently one of your greatest strengths or weaknesses when it comes to protecting your information.
      “However, the results indicate that there is still room for improvement when it comes to reporting security incidents to the authorities and affected third parties. This will hamper companies’ ability to achieve GDPR compliance, and so organisations need to ensure that they have the systems in place to quickly and effectively react in the wake of a data breach.”
      To learn more about how Ward Solutions can help to protect your business against the growing cybercrime threat, contact us today. Call 1800 903 552 or e-mail info@ward.ie