
Li-Fi Security

10 Jan

Li-Fi has been widely talked about, largely due to its capability to deliver a high data rate wireless connectivity.

Li-Fi has some very interesting security characteristics too.


Payment Services Directive

29 Nov

So, Tesco was hacked. Although there is no official word yet on how this happened, the chatter among people far smarter than me is suggesting the issue is related to passwords and the Tesco Clubcard.

Followers of CyberMatters will recognise that I often blog about password issues. Is there anything new to say on the subject, I hear you ask? Yes…

3 key ways to stop ransomware

1 Nov

At the recent East Midlands Cyber Security Forum (EMCSF), I was fortunate enough to have the opportunity to chair a panel session on the topic of ransomware.

Cyber Essentials Plus and a Bit More

18 Oct

Cyber Essentials as a standard is now starting to mature, with almost 3,000 certifications now reported.

Cyber Essentials is largely one-size-fits-all. You are either compliant, or you are not (with a small bit of “comply or explain” wriggle room). This is good for the purpose it was intended, and serves as a baseline for all businesses.

This is now mandated for UK Government procurement, but when assessed for use in the Ministry of Defence’s supply chain it was considered that the essentials were not enough.

The challenge, however, is that different elements of the supply chain need greater or lesser security. The solution being trialled is called the Defence Cyber Protection Partnership (DCPP) Cyber Security Model (CSM).

The model describes 4 risk levels, from Very Low up to High (plus a Not Applicable). For each of these a set of mandatory security controls is defined. Even at the Very Low end, Cyber Essentials is required. The higher the risk, the tighter the expected level of control.

Referring to my blog “The importance of having an Asset List”, it’s interesting to note that only at the Medium risk grade is an asset list mandatory – in the blog I argue you find the lower levels hard to do without one.

At the highest end of the CSM, there are controls such as “Proactively verify that the security controls are providing the intended level of security”; i.e., implementing security is not enough – you need to be able to demonstrate your controls are working.

The CSM approach is very much a ladder: you move up rung by rung from Cyber Essentials.

For something more bespoke and comprehensive there is the ISO 27001 based approach, in which you:

  • identify the business’s security objectives;
  • determine the risks;
  • then select a set of controls to mitigate those risks.

Effectively, this is an a-la-carte approach to customising a solution, all wrapped in a security management system.

Within your business, you need to take control and determine the appropriate level of security, but please don’t be paralysed by indecision – at the very least start a Cyber Essentials programme.

How can firms protect themselves from ransomware?

5 Oct

In a previous blog post I wrote about the rise of ransomware over the last year. In this post I will briefly outline what steps organisations should take to avoid becoming the next victim of ransomware.

Top cyber crime threats to East Midlands businesses

20 Sep

I recently attended the East Midlands Cyber Crime Breakfast, where a panel of experts outlined what they saw as the principal cyber crime threats that were affecting organisations in the East Midlands.

The importance of having an Asset List

6 Sep

In July I attended and presented at the East Midlands Cyber Security Conference and Expo, at the National Space Centre in Leicester.

In their presentations, Derbyshire’s Assistant Chief Constable, Martyn Bates; Del Heppenstall, Director, KPMG; and Christian Toon, Cyber Security Specialist, PricewaterhouseCoopers LLP, all mentioned in one way or another the importance of maintaining an asset list.

In my presentation on Implementing Cyber Essentials, I also observed that while not a specific requirement of Cyber Essentials, in practice you will find it hard to manage a certified environment unless you have a good view of the complete list of assets.

If we take a look at the ISO 27001 standard for information security management systems, Section A 8.1.1 declares “Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained”.

So the evidence seems conclusive: if you care about security in your business, you really must make an asset list. Without one, how can you be sure each asset is suitably protected?

What is ransomware?

17 Aug

Computer hacking has evolved considerably over the past 20 years. What was once a “hobby” to demonstrate technical prowess, by breaking into systems and putting graffiti on web sites, then evolved into stealing as a way of gaining criminal financial reward.

We cannot let passwords die (yet)

4 Aug

I’m getting fed up with marketing that says “Passwords must die” only to present yet another solution that won’t replace them. 

The challenge to solve is ubiquity – this is why passwords have stood the test of time, even with their obvious and proven shortcomings.


CEOs: How to avoid a cyber pay-cut

6 Jul

The Culture, Media and Sport Committee, appointed by the House of Commons, has produced a report on “Cyber Security: Protection of Personal Data Online”.

Recommendation 3 states: “To ensure this issue [cyber security] receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security”.
