Cyber Security Europe - Autumn 2018



We confidently face security threats. So you can confidently face your customers. IBM Security tackles the world’s most challenging security problems. We continually look for new and better ways to protect the faces behind the data – your customers. Our strategy reflects our belief that today’s defenses will not suffice tomorrow. It challenges us to approach our work, support our clients and lead the industry with forward-thinking solutions that leverage cloud, AI, orchestration, and collaboration. Face your customers with confidence. Let IBM Security be your trusted advisor.



INDEX

Cyber security governance in organisations is changing: European executives are now taking a greater role in strategic decision-making.

08 editor’s viewpoint

The aftermath of September’s British Airways data breach disclosure provides a textbook example of how cyber security has become a critical line-of-business issue for boards and c-suites to engage with.

10 it-sa 2018 welcome

Digitalisation is a key driver of growth for new businesses – but it also presents new challenges for cyber security, as it-sa 2018 Executive Director Frank Venjakob explains.

12 IT-SA 2018 floorplan

Our at-a-glance floorplan will help maximise your time at it-sa 2018, and ensure that you find key exhibitors and speaker presentations.


14 news round-up

Report reveals data breach executive job losses; survey finds boards face cyber security responsibility dilemma; WatchGuard Technologies launches its ‘Trusted Wireless Environment’ proposal; government guidance for management; GDPR compliance lags, reports Imperva.

19 VIEWPOINT: enisa


ENISA – the European Union Agency for Network and Information Security – will make it-sa 2018 a platform for its latest thought leadership. ENISA’s Florian Pennings and Apostolos Malatras preview their it-sa presentation and ENISA Director Udo Helmbrecht’s keynote.

22 stronger European digital autonomy

Europe is poised to make strides toward a cross-sector, pan-national cyber security ecosystem through a new network of regulated Cyber Security Competence Centres. Luigi Rebuffi, Secretary General of ECSO, the European Cyber Security Organisation, explains.


24 cyber survival guides

There’s a wealth of top quality market intelligence to help inform your organisation’s cyber security posture and plan – and it’s free.

32 costing the crimes: economic impacts of cyber criminality

We know all too well that cyber criminals filch our funds – but there are other, less obvious and less visible ways in which online threats will damage your organisation’s bottom line.

38 happy returns: cyber security return on investment

It pays to understand the factors that must be taken into account when looking at how IT security expenditure delivers business value – but models designed to show where value is measurable must be made more inclusive if they are to provide insights that senior management can meaningfully respond to.


28 Paula Januszkiewicz

The it-sa 2018 special keynote speaker, CQURE Founder and CEO Paula Januszkiewicz, shares her expert perspective on the spectrum of challenges that now face cyber security expertise, and talks about how we are getting better at beating the hackers.




Director: Alexander Collis
Managing Editor: James Hayes
Creative Director Digital/Print: Lee Gavigan
Operations & Production: Alena Veasey
Accounts Controller: Martin Reece
Project Services: Alex David, Adam Croft, Helen Sinclair

Cyber Security Europe is produced and published by World Show Media Ltd. Tel: +44 (0) 203 960 1999. Fax: +44 (0) 845 862 3433.

44 cyber challenges HIT LIST

Cyber security governance is now a key fixture of the executive agenda, and its pain points are many. Our run down of 10 of the top challenges organisational leaders must confront profiles the key challenges, ranging from ‘attack surface creep’ to penetration tests.

46 insider threats: managing the risk within


Many of the most damaging security threats now come from your ‘trusted’ employees and business partners. We uncover the new faces of insider threat.


It is critical that organisations now properly undertake regulatory compliance and understand its role in business success – so why do surveys indicate confusion in some companies over whether the executives or the IT experts should own this task?

60 a common language for Cyber security

The execs and the techies have to try harder to gain a grasp of each other’s professional lingo if the fight against cyber foes is not to end up being lost in translation. Can a mutual interest in metrics provide a lingua franca both parties can communicate through?

64 editor’s picks


As a sign-off from Cyber Security Europe’s it-sa 2018 coverage, we look at notable products and solutions that are being showcased at this year’s event.

Cyber Security Europe is published by World Show Media Ltd and provides business and government executives with the intelligence and insight required to prepare their organisations for the ever-changing cyber threat landscape. Copyright © 2018 World Show Media. All rights reserved. No part of this publication may be reproduced, stored in any retrieval system or transmitted in any form or by any means, electronic, photographic, recording or otherwise, without the prior permission of it-sa and World Show Media. The it-sa trademark is owned and protected by it-sa. While every effort is made to ensure information is correct at the time of going to press, neither the publisher nor the organisers can be held responsible for any errors, omissions and changes to the event programme and publication content.



REALITY CHECKING

‘CEO fraud’ is the threat that exploits an organisation’s ‘digital risk surface’. Solutions from Cybersprint reduce your exposure, explains CEO Pieter Jansen.

INCIDENTS OF THE CYBER ATTACK FORM KNOWN AS ‘CEO FRAUD’ DO NOT FILL AS MANY media headlines as big brand data breaches, but the challenge they pose is significant, and senior executives should certainly understand them – especially as they are in the firing line. CEO fraud resembles phishing, but is more sophisticated in that attackers go to greater lengths to obtain information on the ‘sender’. They assemble genuine supporting details – logos, signatures, internal codes – that lend credibility to their bogus emails. They ‘cc’ fund transfer orders to actual colleagues using false email addresses. They’ll ask for payments to be made to what appear to be known suppliers or contractors – but which are really disguised bank accounts. Some 270bn emails are sent each day. This mass of messages provides malicious online actors with limitless scope for digital deception. Although CEOs have had their job title applied to the threat, cyber criminals target any chief officer with the power to authorise financial payments. While awareness is growing, many organisations don’t realise the full extent of their ‘risk surface’, and should be more concerned about the information about them that’s available on the internet. Often victims of CEO fraud are not aware that data valuable to fraudsters is already ‘out there’. Companies without policies in place to govern how their staff should engage with social media surprise me. Employees at all levels are liable to reveal information about themselves and their employer that is valuable to cyber fraudsters.

A richer source of ‘intelligence’ for them is social media. That’s why it is critical to know what details of your organisation are accessible from social media sites. Few organisations have IT resources to search the Web in real-time for this purpose. Cybersprint’s monitoring solutions protect your organisation by tracking emails that use your brand name or include the name of your senior personnel or VIPs. They provide a constantly-updated overview of legitimate domains and sub-domains, email activities, and social media checks. Cybersprint also provides informed guidance based on years of experience safeguarding its clients’ brand integrity and reputations. Stand | Hall 10.0-423


To protect your reputation you need to minimise cyber risks and stay in control over your organisation’s online presence. Cybersprint’s Digital Risk Monitoring platform provides continuous real-time insights into the entire online attack surface of your organisation. We prevent, detect and resolve cases of brand abuse, data leaks, CEO fraud, phishing or hacking. We make invisible vulnerabilities visible. Interested? Try our free Quickscan and discover where your organisation is currently at risk.





The financial costs of data hacks are rising in line with the escalation of attacks, as the British Airways security breach fallout is showing.

THE AFTERMATH OF THE CYBER ATTACK ON BRITISH AIRWAYS’ DATA SYSTEMS provides a textbook example of why Europe’s senior management must apply more attention to their organisations’ IT security provisions – and gain a better understanding of the cyber threats they now face. Embarrassing though the theft of 380,000 customer transaction details has been for the airline, the wider impacts will make themselves felt on BA’s line-of-business. In the UK, the market is waiting to see how the Information Commissioner’s Office (ICO) will react to the BA incident, and it will be months before an investigation concludes. True, BA complied with Article 33 of GDPR, in that it notified the supervisory authority of the breach within 72 hours of discovery. But that won’t save it from a fine for inadequate systems security. If the ICO decides that a penalty is due, it has yet to be determined whether it will fine BA itself or parent company IAG. The regulator can theoretically fine an organisation up to 4% of its annual turnover. BA’s revenue for 2017 was £12.2bn; IAG’s revenue in 2017 was €22,972m. Customers across Europe affected by the data breach have already been urged to stake their claims for due compensation. BA has offered to compensate eligible individuals for direct financial losses because of the breach incident; but it has not agreed to pay compensation for ‘non-material damage’, despite being liable to do so under GDPR, some sources report. This ‘is not good enough’, says legal firm SPG Law, which has set up a website for BA customers who feel entitled to more compensation and want to join a group action to represent their claim. If successful, such a group action could add millions to the total costs of BA’s breach. Then there’s the question of how market investors will react. After September’s disclosure, BA shares fell 1.35%, or 9.2p, to 672p per share.

‘A successful BA customer group action could add many millions to the total costs of BA’s security.’

These repercussions are business impacts that will be absorbed by BA’s executive leadership, rather than its IT operations, although that part of the airline will certainly be under renewed pressure to ensure that no further technological mishaps occur. The full extent of business impacts that IT security failures cause is often revealed only after a breach occurs; Europe’s business leaders should learn from BA’s experience.

James Hayes

FEEDBACK TO CYBER SECURITY EUROPE Cyber Security Europe is committed to engagement with its readership: if you have feedback on this issue, I’d be pleased to receive it – via email – at the address given here on the right.


DETAILS Please contact: | james.hayes@

Prevent cyber attacks. Protect critical information. Comply with policies. Protect your company against data loss and constantly evolving cyber threats. Clearswift’s security solutions are able to inspect any network content. Whether inbound or outbound, email or web, protect business-critical information and so prevent cyber attacks.

Visit us at it-sa! Hall 10.1, Stand 414

Email security & DLP

Web security & DLP

Additional protection: Redaction • Sanitization • Encryption • OCR



WELCOME

it-sa 2018’s Executive Director Frank Venjakob sets the scene for the event that’s established itself as the ‘home’ of global IT security.

DIGITALISATION IS A KEY DRIVER OF GROWTH FOR NEW BUSINESS MODELS, innovative products and increased economic networking, and all promise – at national and societal levels – additional sources of revenue, cost-saving, and greater efficiency. But digital transformation creates several unprecedented challenges for business leaders and decision-makers. Among the most urgent questions is the security of digital business processes. Because trust is a precondition for all business relations, IT security creates the foundation on which new profits will be made. it-sa draws more exhibitors than any other comparable event, making it the ‘home’ of IT security: around 700 suppliers – covering the international IT security market – will showcase products, solutions and services. it-sa is also about dialogue between allies in the fight for secure IT infrastructure. Discussion among decision-makers from different industries is as much of a priority as dealing with specific challenges facing companies. With its extensive supporting programme and the Congress@it-sa congress programme, it-sa offers decision-makers the perfect opportunity to discuss security questions of common interest. Thus, it-sa has its finger on the pulse: the importance of cyber security has long been recognised by senior management with vision and foresight, who recognise IT security as a business enabler. Working with IT security experts, they ensure that the potential offered by digitalisation can be reliably leveraged. Exhibitors from the US, in addition to Europe and the UK, and as far away as Asia, are strongly represented. Israel, the Netherlands and the Czech Republic are flying the flag with their national pavilions, highlighting the professionalism of their respective security industries: IT security is a global responsibility.

Five open forums, including presentations and discussion rounds on subjects like the EU General Data Protection Regulation, IT security in Industry 4.0, artificial intelligence and the human factor, as well as Congress@it-sa, provide additional opportunities to communicate information on important topics that influence the decision-makers. By joining the many thousands of visitors taking advantage of it-sa 2018 you will learn how you can securely guide your company into its digitally-transformed future.

Frank Venjakob

FRANK VENJAKOB, EXECUTIVE DIRECTOR, IT-SA Frank Venjakob and his team have been responsible for it-sa since 2013. He has played a major role in shaping what is now the world’s largest trade fair for IT security, especially its supporting programme.



expo plan

The at-a-glance floorplan will help maximise your time at it-sa 2018, and ensure that you find key exhibitors and speaker presentations.

THE IT-SA SUCCESS STORY CONTINUES: VISITORS TO THIS YEAR’S EXPO AND CONGRESS can look forward to meeting 700 exhibitors across three of the Nuremberg Exhibition Centre’s capacious halls. Whatever your cyber security requirement – product, services, advice – it-sa presents a huge range of options to meet your information needs. The event is an unmatched opportunity for experts and decision-makers to meet top-level developers and providers of products and services. The it-sa 2018 floorplan will help you to maximise your visit and see where the it-sa 2018 halls fit in to the grand scheme at Nuremberg Exhibition Centre.


INTERACTIVE IT-SA 2018 FLOORPLAN... Free Wi-Fi is available throughout the Exhibition Centre. Wi-Fi for sending and use of larger quantities of data is available for €5 per-hour (minute based) or a whole day for €25, dependent on requirements.


Please use a QR code app on your mobile device to access all of the it-sa floorplans.

[Floorplan: Nuremberg Exhibition Centre – Trade Fair in Halls 9, 10.0 (Frankenhalle) and 10.1; Congress in NCC Mitte and NCC West; Mitte entrance; U-Bahn station Messe]


NEWS & products


A selection of news and views from the it-sa 2018 showfloors, plus other news for cyber-savvy executives.


Cloud, mobile or cyber security, data and network security or access management are just some of the many hot topics to be covered at this year’s fair. it-sa is the go-to event for anyone who’s responsible for design and management of organisational IT infrastructures.







DATA BREACH JOB LOSSES When cyber attacks succeed, they can also impact the careers of individuals at the companies breached. A report from Kaspersky Lab and B2B Int. – ‘From Data Boom to Data Doom’ – says that 31% of data breaches in the past year have led to employees losing their jobs. Among these, at 29% of SMBs and at 27% of larger businesses polled, it was senior-level non-IT management who were laid off. For all kinds of organisations, an attack means more than just lost ‘talent’: 45% of SMBs and 47% of enterprises have had to pay compensation to the customers affected, over a third – 35% and 38% respectively – report problems attracting new customers, and 27% of SMBs and 31% of enterprises have paid penalties and fines. Hall 9 | 9-520

THE SHOW IN BRIEF... From Tuesday 9th to Thursday 11th October 2018, some 700 international exhibitors will showcase their ranges of IT security solutions at this year’s it-sa. The trade fair and accompanying congress also attract visitors with a programme that offers varied sources of information, including presentations made in English.

Israel, the Netherlands and the Czech Republic will use their it-sa 2018 pavilions to showcase the expertise of their national IT security industries. A total of 27 Israeli companies are registered for it-sa 2018, including 20 that will form part of the Israeli pavilion in Hall 9 – the largest of the three international pavilions. Visitors will here find solutions vendors for specialist applications like network monitoring in industrial production environments, intrusion detection, and denial-of-service defence, as well as new entrants seeking to break into the international markets. The Czech Republic represents its IT industry in Hall 10.1. Nine IT security vendors will showcase their products and services. And for the first time, 15 Dutch companies will also be coming together to exhibit at it-sa in Hall 10.0. Halls | 9, 10, 10.1 | it-sa.en/news

IT-SA 2018

Privileged Access Management is in our DNA We live and breathe cybersecurity. Day in and day out. Our dedication stems from years of working closely with hundreds of satisfied customers and our global partner network. Our mission is to design the friendliest and most reliable solutions to protect organizations against the abuse of privileges. Our products allow you to keep users fully accountable for their actions by closely monitoring what they are actually doing while accessing your critical assets. Furthermore, we provide strong authentication even for legacy systems and alert you in case of any suspicious user behaviour.

Your trusted partner We combine the strongest security features with a thorough understanding of your business. Our solutions will remove the unnecessary burden from your team to ensure that they can focus on what really matters for your company. Let us prove our outstanding speed and flexibility of deployment, the ergonomic operating modes that vastly improve the acceptance of the solution and shorten the time to actually implement privileged access in your organisation. Not to mention our excellent post-sales support. We will advise you with the best strategy and make sure you get all the necessary assistance during the implementation and maintenance stages of your new PAM solution.

Not just for the big ones We serve all organisations - no matter their size. Every company deserves to be secure. That’s why our offer is tailored to your needs. For growing players we offer a free version of our solution – that’s our commitment to making every business safer.

Always there for you Who could understand your business better than your local supplier? We believe local projects should be managed by the ones who comprehend your specific needs. That is why our partner network is constantly growing. We are happy to educate and equip fellow experts with the perfect tools to fight privilege misuse. We find this affinity crucial in answering the needs of our customers.

Why Fudo? The most advanced Privileged Access solution. Easy. Flexible. Deployable in 1 day. With the best support available. It’s as simple as that.

Privilege Misuse Prevention VISIT US AT Hall 9, booth 352. Stay Safe!

Michał Jarski VP EMEAA

When you ask us, a passwordless future is within reach. Now, it is possible to increase security while reducing complexity. At Soliton, we have all the ingredients to make it happen: Japanese technical roots, European creativity and the right software. Intrigued? Then come talk to us about your company. We’re curious to find out if we can help you! Visit us at it-sa, hall 10.1/stand 624



NETWORK MEETS SECURITY LANCOM Systems is exhibiting under the theme of ‘Network meets Security’ at it-sa 2018, and will be debuting a product portfolio that’s expanded by its latest security solutions. The infrastructure provider’s hybrid security approach includes ‘classic’ on-premises firewall products, along with cloud-based enterprise-grade security solutions. Among the new launches for it-sa 2018 is a security and compliance dashboard for its software-defined networking (SDN) solution. This dashboard (in the LANCOM Management Cloud) offers organisations a central overview of security and compliance-related device information in their local area network (LAN), wide area network (WAN) and wireless LAN infrastructures. Also being showcased at it-sa are the first elements of the next-generation Unified Firewall range from LANCOM affiliate company Rohde & Schwarz Cybersecurity. Hall 10.0 | 10.0-402

BOARDS ‘FACE A DILEMMA’ A majority of executives feel they face a ‘specialist-generalist’ dilemma as to who leads on cyber security management due to its critical nature across the company, according to a global survey by The Economist Intelligence Unit and Willis Towers Watson. The survey of more than 450 companies found that almost 40% of executives polled felt that ‘the board should oversee cyber security’, compared with 24% who opined that it should be the role of a ‘specialised cyber committee’. A portion of respondents said it should be the responsibility of ‘audit, risk or some other subgroup’. “It’s no surprise that one of the main challenges companies face when implementing a cyber risk resiliency plan is the communication gap between the board and the CISO,” says Anthony Dagostino, Head of Cyber Risk at Willis Towers Watson. “Cyber resiliency should start with the board, because it understands risk and can help their organisations set the appropriate strategy to mitigate that risk.”


SECURE WI-FI FRAMEWORK WatchGuard Technologies has launched what it calls a ‘Trusted Wireless Environment’ framework, that’s designed to enable businesses and solution providers to build Wi-Fi services that offer high performance, scalable management and verified, comprehensive security. “Wi-Fi networks serve as low-hanging fruit for cyber criminals,” says Ryan Orsi, Director of Product Management at WatchGuard (pictured), “primarily because vendors and businesses alike have made the mistake of looking at Wi-Fi security capabilities as an added benefit, rather than a primary feature. We’re advocating that businesses of every size – and even competing vendors – examine our framework for what it takes to build and operate a Trusted Wireless Environment.” Hall 9 | 9-216 & Hall 10.1 | 10.1-206

UP18@IT-SA RECOGNISES NEW INDUSTRY ENTRANTS UP18@it-sa is the trade fair’s new platform for start-ups in the IT security sector. On 8 October 18 nominated IT security start-ups from Germany, Austria and Switzerland will present themselves to all the enterprise decision-makers, consultants and potential investors who will then decide the winners of the 2018 UP18@it-sa Award. The winning start-up can look forward to individual coaching by the two initiators of the UP18 competition, Digital Hub Cybersecurity as well as the Bavarian IT Security Cluster. The competition complements the special display area Startups@it-sa, which offers young exhibitors their own dedicated presentation and networking area in Hall 10.1.

IT-SA LIVE HACK HIGHLIGHTS

Cirosec – Hacking of Industrial Control Systems. Date: 10.10.2018. Time: 9:20-9:45AM. Location: Forum T9 – Technology/Hall 9

SySS – How digital attackers are intruding into your systems. Date: 10.10.2018. Time: 5:00-5:40PM. Location: Forum T10 – Technology/Hall 10.0

Compass Security – How does a hacker reach his goal? Date: 10.10.2018. Time: 5:15-5:45PM. Location: Forum M9 – Management/Hall 9

If(is) Institute for Internet Security – Hacking humans and technology. Date: 10.10.2018. Time: 5:00-5:40PM. Location: Forum T9 – Technology/Hall 9

NSIDE ATTACK LOGIC – How hackers stay under the radar: bypassing current security technologies. Date: 11.10.2018. Time: 9:30-10:00AM. Location: Forum T9 – Technology/Hall 9

Kalweit ITS – Just another live:hacking. Date: 11.10.2018. Time: 2:00-2:40AM. Location: Forum T10 – Technology/Hall 10.0

Live-Hacking: Hackner Security Intelligence (Thomas Hackner, CEO). Date: 11.10.2018. Time: 2:00-2:40AM. Location: Forum T9 – Technology/Hall 9

PROTECTING INDUSTRY 4.0 Ways in which IT security must play a key role in the evolution of Industry 4.0 will form a prevalent theme for it-sa 2018, its organisers report. Large numbers of Internet of Things (IoT)-enabled sensors being deployed in networked industrial facilities are creating new opportunities to improve operational efficiency and intelligence; but these developments also bring new security risks, and this fact must be better acknowledged by management decision-makers. Cyber security has to become as much a part of IT planning in the manufacturing sector as it is in enterprise IT environments. The situation is exacerbated by the fact that, from an IT perspective, the technology in places like factories is often several generations old. Industry 4.0 systems also often use special network protocols that are not compatible with older IT infrastructure. Hall 10.0 | Forum T10 – Technology

SECURITY AWARD WINNERS For the first time, the prestigious German IT Security Award from the Horst Görtz Foundation will be presented at it-sa 2018. The Horst Görtz Foundation is a not-for-profit charitable organisation, set up to support science and technology in research and teaching. A major part of its support work focuses specifically on the area of IT security. The ten 2018 finalists will present their innovations on Tuesday 9 October, initially in the forum programme, before the ultimate three winners are revealed at an official awards ceremony. The German IT Security Award comes with a €200,000 prize. “The cyber security market will grow and change fundamentally over the next few years – through the integration of AI into security solutions, for example,” Ammar Alkassar, former CEO of Rohde & Schwarz Cybersecurity, and a jury member of the UP18@it-sa Awards, commented. “It’s an excellent environment for these innovative IT security start-ups.” Hall 9 | Forum T9




GUIDANCE FOR BOSSES The UK National Cyber Security Centre (NCSC) has published new guidance for corporate leaders to equip them with the basic technological details needed to understand the cyber threats they face, and to direct their organisation’s response to them more effectively. The suite of guidance sets out five questions that boards should now ask about their company’s IT security provision. “Cyber security is now a mainstream business risk. Corporate leaders need to understand what threats are out there, and what the most effective ways are of managing the risks,” says Ciaran Martin, Chief Executive at the NCSC (pictured). “They need to understand cyber risk in the same way they understand financial risk, or health and safety risk.” The guidance also aims to equip boards/c-suites to ‘ask the right questions’ and to distinguish ‘good answers from waffle’.

GDPR COMPLIANCE LAGS Nearly 30% of organisations do not feel ‘completely compliant’ with the EU’s General Data Protection Regulation (GDPR), a survey of IT professionals by Imperva has revealed. When asked if they thought their organisations would pass their first GDPR audit, fewer than 50% of the respondents said they were ‘very confident’ of passing, more than one-third said ‘somewhat confident’, and less than 20% admitted they were ‘not confident’. To assess personal data rights, the Imperva survey asked if respondents knew where all their users’ personal data resided on their IT systems. More than 30% of respondents said yes, they did know the location of the data, while more than half said they would need an extra three months to ‘get their house in order’. Conversely, nearly 90% said that they could ‘easily respond’ to requests from people who asked them to disclose the information they held on them, with 57% reporting that their organisations ‘had already received such a request’. Hall 9 | 9-412


DOWNLOAD THE IT-SA 2018 APP The it-sa 2018 app can help maximise what the event has to offer in terms of exhibitors and products: it enables connected visitors to conveniently search for exhibitors by carrying out a full-text search, and then add them to their watchlist and have their stands, as well as individual favourites, marked on the floor plan. The app provides many useful features, such as global login (if you have already registered on the it-sa website, you can use these login details for the app as well), push notifications/updates (you will be informed of all changes that affect the exhibitors and events on your saved list), location-based messages on the exhibition site, and even an integrated car finder.

MORE VALUE-ADDED FEATURES

Largest range of exhibitors – 700 are expected for this year’s event.
Knowledge sharing opportunities and networking.
Special Display Areas – such as Start-ups and Secure Identity Access Management.
Gain a knowledge edge through Open Forums.
Improve specialist knowledge – comprehensive range of topics and focus areas.

Words | Apostolos Malatras

Words | Florian Pennings

In its role as the foremost European cyber security body, the European Union Agency for Network and Information Security – ENISA – supports the EU as it progresses along its path towards a more cyber secure future. In doing so, we work with the EU institutions, member states and industry, to ensure that cyber security results in more secure systems and processes, and is also an enabler of – and not an inhibitor to – economic progress. In acknowledgment that cyber security is a shared responsibility, we engage public and private stakeholders to raise the bar for cyber security practice in Europe. On Wednesday October 10th, as ENISA expert presenters, we two will take the stage at the itsa 2018 International Forum I10, Hall 10.1 (12.401:00PM) to present ENISA’s efforts on bringing communities together to secure Industry 4.0. Industry 4.0 makes use of intelligent, interconnected cyber physical systems to automate all phases of industrial operations, spanning from design and manufacturing to operations, supply chain and service maintenance. This cross-system, integrated use of Internet of Things (IoT)-based technology will lead to higher productivity and competitiveness. It also comes with special challenges when it comes to cyber security, however. With an impact on European citizens’ safety, security and privacy due to its cyber-physical nature, the threat landscape that faces Industry 4.0 and IoT is very wide. ENISA will present its ongoing efforts towards strengthening IoT cyber security by introducing baseline security measures (as introduced in the seminal study Baseline Security Recommendations for IoT) to support and build a secure and trustworthy ecosystem. Our ENISA presentation will also highlight the significance of the body’s international co-operation and co-ordination efforts as the European cyber security agency. 
The involvement of government, academia and industry in the establishment of trust relationships is particularly important in the context of Industry 4.0. Therefore, ENISA will take the opportunity to present some of our efforts on stakeholder engagement; in particular, ENISA will present, and invite the audience to find out more about, its activities and mission concerning public-private co-operation. it-sa 2018 offers a pre-eminent opportunity for ENISA to reach out to its constituency in the EU, engage with industrial players, better understand their requirements, and explore novel opportunities. For that reason, ENISA has committed to an active presence and visible role at it-sa 2018.

Spearheading ENISA’s presence at it-sa, the organisation’s Executive Director Professor Udo Helmbrecht (pictured below) will deliver a keynote speech on Tuesday 9th October (9:30-10:00AM, Forum I10, Hall 10.1) focused on ‘Innovative solutions to enhance cyber security in Europe’: we are witnessing the continuous emergence and proliferation of technological developments, such as Industry 4.0, IoT, AI and quantum computing, leading the field of innovation. Regulatory efforts made toward strengthening cyber security across the EU are gaining momentum. Realising the potential of ENISA, and the need for it to grow stronger, in 2017 the European Commission proposed the Cybersecurity Act, a Regulation that will increase the capacity of ENISA and set up a harmonised cyber security certification framework. This, in turn, creates a situation in which we need innovative solutions for cyber security that respect existing governance and laws, and also further develop our digital society and its economic growth.

ENISA Director Udo Helmbrecht’s it-sa 2018 keynote will focus on ‘Innovative solutions to enhance cyber security in Europe’.







EDITORIAL CONTRIBUTORS Cyber Security Europe’s panel of contributing writers comes from European industry bodies, solutions vendors, and market-watchers.


FLORIAN PENNINGS An expert in both industry collaboration and content stakeholder management, Florian Pennings is Senior Advisor Public Private Partnerships at the European Network and Information Security Agency – ENISA. He has experience in setting up and managing Information Sharing and Analysis Centres and strategic cyber security co-operation models at national and European levels. In addition, Pennings co-ordinates ENISA’s strategic co-operation alongside a range of industry stakeholders, from SMEs and multinationals to various industry associations. Pennings also advocates public-private co-operation in cyber security that is built on trust and common interests.

DR APOSTOLOS MALATRAS Dr Apostolos Malatras is an Expert in Network and Information Security with the Secure Infrastructure & Services Unit at the European Network and Information Security Agency – ENISA. Dr Malatras is the ENISA project manager for Cyber Security of the Internet of Things (IoT) and Automotive. Dr Malatras holds a BSc in Computer Science, an MSc in Information Systems, and a PhD in Electronic Engineering. He has worked for many years in industry, academia, and the European Community. He is also the author and co-author of more than 60 research papers and scientific reports on subjects such as the security of IoT, botnets, smart environments, and network management.


LUIGI REBUFFI Luigi Rebuffi is the Secretary General and Founder of ECSO – the European Cyber Security Organisation. After he graduated in Nuclear Engineering at the Politecnico di Milano, Rebuffi worked in Germany on the development of high-power microwave systems for the next thermonuclear fusion reactor. He continued his career at Thomson CSF/Thales in France, where he took on responsibilities for European Affairs (R&D) in different sectors – telecoms, industrial, medical, and scientific – and became in 2003 Director for European Affairs for the civilian activities of the Group.


Rebuffi suggested the European Organisation for Security and co-ordinated its establishment in 2007. He contributed to the creation of ECSO (2016), and has been an advisor to the European Commission for the EU Security Research Programme.

JAVID KHAN Javid Khan is the Cloud Chief Technology Officer at Layer V (a Pulsant company). A seasoned IT expert with a passion for innovation, Javid has a deep understanding of IT and business alignment issues with extensive enterprise architecture experience, which spans a wide range of technologies and industries including health, finance, energy, and e-gaming. Mr Khan has a proven track record of successfully delivering projects both as a hands-on manager and as a primary technical designer.

‘EDMUND BURR’ ‘Edmund Burr’ is a technology writer and consultant specialising in cyber security issues. He has acted as a consultant for cyber security discovery projects for professional bodies and trade associations in the UK and US. He was editor of the first European thought leadership review of automotive cyber security and risk perspectives for connected vehicles (2015), as published by the Institution of Engineering and Technology (IET) and UK Knowledge Transfer Network.




JAMES HAYES As an editor and journalist, James Hayes has specialised in the business computing and enterprise ICT sectors. Previous technology publication editorships include Datacom, Network News, Communications News, Information Professional, and Engineering & Technology magazine. Hayes has also written about cyber security issues for titles such as InfoSecurity Professional, Cloud Security Insights, Networking+, Charity Digital News, Land Mobile, and the London Business Magazine. He has also contributed to the Greenhaven study aid ‘Cyber Terrorism and Ransomware Attacks’. Hayes is the editor of the forthcoming book ‘Penetration Testing: a Guide for Business and IT managers’ (BCS, The Chartered Institute for IT) due for publication in January 2019. He has also presented at several security industry conferences.

PAULA JANUSZKIEWICZ Paula Januszkiewicz is one of the most high-profile international IT security experts. As the founder and managing director of CQURE Inc, she shares her expertise with the IT security community and provides advice to clients all over the world. Paula Januszkiewicz has already received the Enterprise Security MVP (Microsoft Most Valuable Professional) accolade, and is one of the few people to have access to the source code of Microsoft Windows. Januszkiewicz has been the keynote speaker at well-known symposia and developer conferences in the United States, Asia and the Middle East – and delivers her next Special Keynote at it-sa 2018 (see page 30).

JIM MEYERS As a Europe-based freelance technology and techno-culture journalist, Jim Meyers writes about a variety of technology and non-technology related topics. His areas of interest range from new earthquake forecasting tech and ‘slender’ skyscraper design, to the development of Unified Communications and IT professionalism issues. Meyers also has a special interest in the early history of video and televisual recording technologies. He has been security manager for a literary festival, and has written scripts for BBC radio. Meyers is currently researching a European vacation and recreational travel guide that will be specially designed for information technologists.





SECURE FUTURES Europe is poised to make strides toward the creation of a cross-sector, pan-national cyber security ecosystem, explains ECSO’s Secretary General Luigi Rebuffi.

Words | Luigi Rebuffi

On 12 September 2018, the European Commission proposed the creation of a new European Cyber Security Industrial, Technology and Research Competence Centre, plus a Cyber Security Competence Centre network. The proposal for a new Regulation to pool cyber resources was announced as part of the annual State of the EU address presented by EC President Juncker. This Regulation is a significant step toward increasing the development of a European cyber security ‘ecosystem’ and strengthening European digital autonomy. It can be seen as the conclusive step in a series of initiatives which started back in 2013 with the adoption of the ‘Cyber security Strategy of the EU’. It’s a timely initiative: if the EU wants to effectively manage the evolving cyber security domain, it needs to co-ordinate the implementation of its policies and the use of its resources. The Competence Centres will have responsibility for managing EU financial resources dedicated to cyber security under the proposed Digital Europe Programme and Horizon Europe Programme. The envisioned National Co-ordination Centres will facilitate co-ordination across EU countries and regions. It’s important to ensure that investments under the newly-proposed framework are co-ordinated at national and pan-European levels, and among various cyber security stakeholders. It should be a joint effort undertaken by public administrations and governmental agencies, and also by research centres, universities and private sector representatives. Successful co-ordination will occur when all the stakeholders are brought together, possibly within the framework of a European cyber security industrial policy.


The EC has realised that to build up the European cyber security ecosystem – and have truly structured co-operation – it will have to deal with a diverse ‘community’ of actors. For this, the public-private partnership on cyber security has been established between the EC and European cyber security stakeholders, represented by ECSO. The objectives of the public-private partnership on cyber security are the co-ordination of different cyber security policy issues, and finding common objectives with clear added value for EU capacity-building in the cyber security area. Due to its role and background in cyber security industrial policy, ECSO is co-ordinating the dialogue within the European cyber security stakeholder community, dealing with different cyber security industrial policy issues, including standardisation and certification, the needs of different vertical markets, support to SMEs and regional clusters, cyber security awareness and training. The challenge will be to find an agreement with the national public administrations to finalise the proposals for regulations dealing, among other matters, with cyber security. Private stakeholders will also have to be convinced to adhere to these initiatives, and to invest in the implementation of innovative technologies and strategic solutions.

The EC has to deal with a diverse ‘community’ of actors to build up the cyber security ecosystem.

MORE INFORMATION / ECSO AT IT-SA 2018 | Building a European Cyber Security Ecosystem, 9:30-10:00PM, 11 October, Forum I10 – Hall 10.1.




Cyber attacks now strike European organisations every day, every hour, everywhere. Businesses, governments, and the other organisations our economies depend on are targeted relentlessly and ruthlessly. With new data protection and corporate governance regulations, along with emerging threat types, and hardline business decisions to make, Europe’s business leaders are in the cyber security firing line. More than ever, they have to stay informed about the key information security challenges. Cyber Security Europe is designed to meet the information requirements of the top-tier European boardroom and c-suite executives who want to keep updated on today’s increasingly critical cyber security management issues. We provide the essential intelligence, insight and information you need to formulate policy and work successfully with enterprise technologists to deliver highly effective security strategies – and that become part of your cyber intelligence armoury.


Cyber Security Europe is the information platform that meets your information requirement in your preferred delivery format. For more details, content, and to subscribe to our newsletter, go to:




WORLD SHOW MEDIA Tel: +44 (0) 203 960 1999 | Fax: +44 (0) 845 862 3433




SURVIVAL GUIDES There is a wealth of quality free intelligence available that enables all executives to make properly-informed cyber strategy decisions.

There’s been sustained, sometimes misinformed, debate over whether the c-suite would benefit from a new appointee: ‘Chief Intelligence Officer’. Some viewpoints argue that this would be a logical evolution of the Chief Information Officer’s role; other opinions call for a wholly new job description that scopes the increasing need for cyber-threatened organisations in the private, public and third sectors to ensure that the wealth of insight being placed into the public domain – and that could be leveraged for strategic and/or operational advantage – is obtained as a matter of policy. The Chief Intelligence Officer could work closely with commercial directors and IT leaders to align competitive posture and recognise that cyber threats share commonalities with conventional commercial rivals – especially in global markets where challengers are prepared to use any competitive stroke at their disposal to consolidate their status. The bigger expectation is that every c-suite seat-holder, director and president should job-share Chief Intelligence Officer duties; and also that your organisation’s internal systems should be designed to ensure that intelligence can be captured, preserved and made seamlessly available to support decision-making and project development. A key consideration revolves around how intelligence enables organisations to withstand and survive the rigours of cyber threats. Hoarding intelligence is no longer an option. The ways in which organisations source, share and leverage intelligence are changing. For example, Cisco predicts that digital transformation programmes will lead to smart conferences where AI-powered ‘meeting bots’ will pull up information resources on large displays to enhance workgroup productivity. These bots will work like custom search engines, scanning resources held on internal and external platforms, and presenting relevant research and statistics in real time. With this in mind, this first instalment of the Cyber Security Europe ‘Cyber Survival Guide’ commends five outstanding examples of cyber intelligence aimed at meeting the diverse information requirements of board-level/c-suite decision-makers. The focus areas are cyber insurance and readiness, cyber risk oversight, cyber strategy action planning, cyber threat analysis, and cyber threat intelligence. Each of the reports here impresses by the breadth of its scope and the thoroughness of its research. What also unites them, however, is that they are designed to meet the information requirements of non-technological senior decision-makers.

INSIGHT ON DEMAND Back in the day, market research from analysts came in thick, ring-bound folders and had a shelf-life of years. Today’s market intelligence must be updated every week – or every day.

THE CISCO 2018 ANNUAL CYBERSECURITY REPORT In its 11th year of publication, the Cisco 2018 Annual Cybersecurity Report highlights insights derived from cyber threat intelligence and cyber security trends observed over the past 12-18 months from threat researchers and technology partners. As well as surveying current trends and challenges, the report also polls opinion on how emergent technologies will have a bearing on the future deployment of cyber security solutions. Some of the 3,600 senior security professionals interviewed for the latest edition stated they were reliant on, and eager to add, tools like Artificial Intelligence (AI) and machine learning, but were ‘frustrated by the number of false positives such systems generate’. While still in their infancy, AI and machine learning technologies will over time mature and learn what is ‘normal’ activity in the network environments they are monitoring, the report notes. Meanwhile, security professionals also see value in behavioural analytics tools for locating malicious actors in networks, such as insider threats: 92% of respondents said behaviour analytics tools ‘work well’. And according to those polled for 2018, more than 50% of attacks resulted in financial damages that totalled in excess of $500,000, including – but not limited to – lost revenue, customers, opportunities, and out-of-pocket (cash) costs. MORE INFORMATION | security/security-reports.html

THE HISCOX CYBER READINESS REPORT 2018 This report is compiled from a survey of more than 4,100 executives, directorate heads, IT managers and other senior professionals in the UK, US, Germany, Spain and The Netherlands – people on the front line of the business battle against cyber crime. All are involved in their organisation’s cyber security strategy, and 45% make final decisions on how their business should respond. One of the defining characteristics of the cyber experts identified in this report is their take-up of standalone cyber insurance: 60% of cyber experts say they have cyber cover and a further 31% say they plan to take out cover in the coming 12 months. For comparison, across the full survey sample, one-third of respondents (33%) say they have standalone cyber security cover, while 25% say they intend to adopt it. Firms in the financial services sector are the most likely to be covered (48%). The report also notes ‘considerable confusion’ over the extent to which firms are covered for cyber security incidents under their general business policies.

NACD DIRECTOR’S HANDBOOK ON CYBER-RISK OVERSIGHT The National Association of Corporate Directors’ guide is built around five core principles that are applicable to board members of public companies, private companies, and non-profit organisations of all sizes and industry sectors. It helps chief officers and directors learn foundational principles for board-level cyber risk oversight that have been vetted and praised by cyber security leaders in the public and private sectors. Insight issues include: cyber risk oversight responsibilities at board level; legal implications; ways to improve the dialogue between senior executives on cyber security issues.

CYBER SECURITY: ENSURING BUSINESS IS READY FOR THE 21ST CENTURY This survey from the Institute of Directors (IoD) and Barclays bank reveals that a concerning percentage of UK businesses have ‘no formal plan’ to protect themselves from cyber attack. This is despite the fact that there is a strong chance that the defining business challenge of the 21st century will be ensuring that data, bank accounts and intellectual property remain secure. Key findings include: 95% of respondents consider cyber security to be ‘very’ or ‘quite important’ to their business, and yet 45% say they do not have a formal cyber security strategy; 44% have laid on cyber awareness training, and many leave gaps of more than a year between their training programmes; 50% of IoD members report they wouldn’t know which authorities to notify if hit by a cyber attack.

THE FIREEYE CYBER RISK PLAYBOOK FireEye’s Cyber Risk Playbook provides boards of directors and executives with cyber risk management best practices to provoke discussion and encourage planning. Its recommendations draw on the company’s experience in the prevention, investigation and resolution of cyber attacks for its clients. The Cyber Risk Playbook is part of a limited portfolio of guidance documents that combine proprietary and third-party intelligence sources, written and presented in a style that senior management will find familiar. The Cyber Risk Playbook’s starting point is that responsibility can no longer be relegated to the IT department alone. Data breach preparedness now starts at the top of any organisation, because that is where the responsibility is devolving to. The guide provides boards of directors and c-suite executives with cyber risk management best practices to provoke discussion and encourage better planning. The Playbook reports that boards of directors, chairpersons and CEOs have become markedly more involved and informed in the past 12 months about their companies’ plans to deal with a possible data breach. Boards have greater involvement in data breach preparedness. The report also saw a significant increase — from 45% to 54% — in the proportion of respondents who report that their boards and c-suite participate in high-level reviews of the data breach response plan. This guide also highlights the importance of making cyber risk management a regular item on the board meeting agenda. This ensures that management establishes an enterprise-wide risk management framework with sufficient staffing and budget. To be effective, a risk management framework should be integrated with the various layers of service management, such as change, problem and incident management. The Playbook’s centrepiece is its ‘Five-Step Risk Framework’. This provides a basic model for cyber security strategy teams to start to build cyber risk awareness as needed, and to reinforce risk frameworks that are already in place.

AI-powered ‘meeting bots’ search and pull up different information resources onto huge displays to enhance workgroup productivity.

ACCREDITATION Words | James Hayes Photography | Shutterstock




The it-sa special keynote speaker explains her perspective on the foremost challenges that now face cyber security expertise.

Polish national Paula Januszkiewicz is widely acknowledged as one of the world’s most high-profile international IT security experts. She shares expertise and advice with clients around the world, and speaks here exclusively to Cyber Security Europe.

CSE: You are known as one of the few cyber security experts who has access to the entire Microsoft Windows source code. In your view, can a better understanding of computer operating systems contribute to our IT security?

PJ: First of all, there are many effective and reliable hack attacks that almost always work. Attack techniques like ‘Pass-The-Hash’, Spoofing or SMB Relay are still examples of awesome tactics that allow an attacker or penetration tester to get into a target organisation. New devices, new risks and new threats are appearing every day. Nevertheless, knowing the basics helps to develop a better understanding of operating systems, which makes it easier to recognise new unintended actions. Good cyber security experts can predict negative consequences, and prevent consumers from fully welcoming connected devices into their homes and lifestyles, for example. On the other hand, emerging threats also mean that new solutions are developed, and finding a concrete solution is certainly a challenge – but it is not impossible!

CSE: Do you see opportunities that better protect enterprise systems by embedding greater software security into standard business applications?

PJ: The more employees there are, the harder it is to ensure cyber safety. But the truth is that cyber security is not a problem for users – it’s a problem for IT departments. So, the first and essential step in an enterprise security strategy is to include security controls in the Software Development Life Cycle [a process for planning, creating, testing and deploying an information system]. To reduce the risk of a successful application attack, security aspects should be included in every phase of the SDLC. The architecture should be done with great attention to detail. The sooner security experts are involved in the process of application development, and the sooner security vulnerabilities are found, the lower the costs of application changes become. What’s more, even if you create a perfect security system, you still have to manage the human factor. Companies need precise processes for code review and employee training.

Even if you could create a perfect IT security system, you still then have to manage the human factor.

BIOGRAPHY PAULA JANUSZKIEWICZ Paula Januszkiewicz is Founder and CEO at CQURE and CQURE Academy. Paula is also an Enterprise Security MVP, Microsoft Regional Director, and a globally-acknowledged cyber security expert.






CSE: Cyber attacks sometimes betray the ‘signature’ of the cyber attacker and maybe reveal insights into their future approach. Sometimes they repeat the same techniques, the same approaches, time and again – especially if they have proved successful before. Are we now getting better at anticipating hackers’ future orientation – and at planning our security strategies accordingly?

PJ: OK, so this is what happens: a cyber attacker gets into your infrastructure and, using a server misconfiguration, creates an account by himself and… And what? This is the moment that we wonder if we could prevent this action from happening, and trace back a hacker’s activities in our systems. Luckily [with digital systems], nothing can be completely hidden. In order to provide hackers’ future orientation, and to get better than a hacker [in the] cyber security race, we should be constantly carrying out the research to find all vulnerabilities before they are found by someone wearing a ‘black hat’. It is extremely important to focus not only on the present, but also on the cyber security future. It is simply not possible to secure the infrastructure with outdated knowledge about the potential attack vectors. With every new tool or solution we are getting better and better.

CSE: Having a more accurate insight into the nature of the threats an organisation faces can prove useful in organisational defences. How can organisations extend the scope of their threat intelligence to gain better knowledge of who is actually targeting them in cyber attacks?

PJ: The most important notes from most contemporary surveys are that cyber criminals’ targets are now bigger, and their rewards for gaining significant data greater, than in years before. The simplest answer is that you should be aware of who can get the most from stolen data. While new technology and solutions can help Chief Information Security Officers make better decisions for an organisation faster, nothing is more essential than having a second pair of eyes. To be precise, in order to gain knowledge about potential attackers, organisations may use specialised techniques known as OSINT (Open Source Intelligence) and SOCMINT (Social Media Intelligence). These solutions provide information from both publicly available sources – like media, public government data, reports, CERT publications – and social media, including Facebook comments, Twitter tweets, technical forums, chats, and even forums out there on the ‘dark web’.


CSE: Uptake of enterprise penetration testing has increased, and this has helped organisations understand that hackers can succeed because they find unfixed vulnerabilities, and not just necessarily because they are now technologically ingenious. Does top management in some organisations still view pen-test programmes as a ‘nice to have’, but not essential, part of cyber security?

PJ: Unfortunately, there are still people who do not consider penetration tests as a crucial element of reducing the cyber security risk. Luckily, it is changing over time. To make penetration tests more compelling, we often provide our potential clients with samples of our reports. In many cases they understate the value of penetration tests – simply because they are not aware of all the benefits connected with them. Penetration testing is not only about finding the vulnerabilities. Our reports always contain deep technical descriptions and appropriate recommendations on how to mitigate them.

It’s simply not possible to secure your infrastructure with outdated knowledge of your attack vectors.

CSE: Does CQURE find that top management (i.e., board/c-suite-level executives) now have – or look to have – more proactive input into their organisations’ cyber security posture than they used to? And if that is the case, what are the factors you see as driving that shift?

PJ: The protection of information and corporate resources is an essential element of business strategy, and represents a competitive advantage in today’s economy. There is a real threat of local and global incidents. These include major challenges such as industrial espionage, cyber terrorism, cyber crime, and the illegal trade of electronic data. Appropriate procedures for access to information and data protection, IT systems and infrastructure are becoming a key area of concern (for organisations of all sizes), ranging from small-to-medium sized businesses to enterprise-level companies. Organisations’ approach should be driven by potential losses of both money and trust.

PAULA JANUSZKIEWICZ IT-SA 2018 KEYNOTE 11 OCTOBER 2018 | 12:00pm-1:00pm, Forum I10 – International, Hall 10.1, Nuremberg Exhibition Centre.





All senior executives must now develop a holistic understanding of the full economic impacts that cyber threats have on their companies.

A means by which to calculate the economic impact caused by cyber crime at organisational and GNP levels has gained in importance as business leaders gain greater knowledge of how digital adversaries sap their capacity to operate profitably. Cyber crime’s damaging effect on national finances is also raising alarm in governmental circles. Analysts have approached the issue using impact model types which are, and are acknowledged to be, somewhat speculative in their assumptions and conclusions. For instance, there is the question of whether investment in defensive cyber security products and services represents a ‘cost of cyber crime’, or whether cost impact models should be confined to quantifiable subtractive losses identified following a cyber attack incident. And if products and services that were supposed to prevent an attack fail to do so, does that render them a valueless IT asset?


UNSEEN DRAIN ON COMPANY REVENUES It may not be immediately obvious, but cyber crime and other offensive online threats can pose formidable competitive challenges to your business’s survival. Unlike your known competitors, cyber criminals are unregulated, untaxed, and unconstrained by any rules of the market.





The differential costs of business disruption to the 237 organisations polled in this analysis include staff productivity and business process failures.

This broader study of business disruption surveyed European (475), APAC (739) and Australian (279) organisations. (Chart comparing FY 2016 with FY 2015; data values not recoverable.)





For all executives seeking to gain a comprehensive understanding of potential cyber crime cost impacts, it’s essential to recognise that those costs come in several forms; it’s not just stolen money. Cyber criminals are out to thieve any assets, and inflict any disruption, that they think they can profit from. They find encouragement in the fact their targets seem to be more co-operative. Ransomware attacks have proved lucrative in a surprising number of cases around the world. The Telstra Security Report 2018, for instance, reports that malware victims see paying for ransomware extortion almost as a more expedient form of recovery — an ‘acceptable business expense’, even. And a survey conducted by McAfee for its How Misaligned Incentives Work Against Cyber Security report found that some executives viewed the financial costs of cyber crime as tantamount to ‘the cost of doing business’, and were ‘more concerned with reputational damage than the actual losses’.

DATA FEEDS IMPACT CALCULATIONS As McAfee points out, cyber crime cost estimations face several problems, such as under-reporting by victims and the low level of data collection by governments. For example, the Office for National Statistics has estimated that only around 14% of UK cyber fraud is reported. Understanding the economic impacts of cyber crime is a relatively new exercise. There’s a limited amount it can learn from how the financial costs of traditional criminal activity have been assessed.






‘Governments can tell you the number of postage stamp thefts, but not online crime,’ McAfee adds. ‘A failure to collect data is compounded by reluctance on the part of companies to report when they have been victims. Data collection remains problematic, national estimates are still imprecise. The most significant limitation in developing an estimate of the cost of cyber crime is under-reporting. Only a fraction of losses is reported, as companies seek to avoid liability risks and reputational damage.’ Therefore, the raw data necessary to feed properly-informed calculations is usually not available to third-party agencies — often because targets of cyber crime are not able to audit its effects on their finances. Because of the change-driven dynamics of the cyber threat landscape, such models have to base themselves on variables which are both hard to pin down, and hard to apply across disparate incidents.

Executives seeking to gain an understanding of potential cyber crime cost impacts must recognise those costs come in several forms. Nevertheless, that boards and c-suites gain some grasp of the parameters is important, because it’s becoming an increasingly high-profile aspect of governance in organisations in the private, public and third sectors. It’s also gained importance because decision-making around digital security expenditure is likely to be conditioned by the perceived financial value of the assets cyber criminals want to steal, or of the financial impacts of the disruption their actions cause. There’s not much point in spending more on the protection of assets than they are actually worth — especially if your IT resources are already stretched to provide basic security of digital systems due to business expansion. A third consideration is that actual and projected cyber crime cost estimates will likely become a staple of required financial reporting. For publicly-listed companies, the declaration of some reasonably reliable estimate of financial liabilities due to cyber crime provides a basic metric by which funding of defensive cyber security proposals can be assessed — and justified to regulators, partners, investors and others who challenge decisions that have been taken or not taken. Some proprietary models can be found via a Web search, and can provide useful starting points; metrics help inform a ‘common language’ when boards/c-suites and techies need to talk.






‘THE GREATEST THREAT TO EVERY COMPANY IN THE WORLD’ Economic researcher Cybersecurity Ventures predicts in its latest Annual Cybercrime Report that cyber crime will cost the world $6tn a year by 2021, up from $3tn in 2015. This represents ‘the greatest transfer of wealth in human history’.

Cyber crime is further described as ‘the greatest threat to every company’, and one of the biggest adversities that society faces. This jeopardises incentives for market innovation and investment, and will be more profitable for perpetrators than the global trade of all major illegal drugs combined, the report further suggests. Cyber crime also creates unprecedented damage to both private and public enterprises, and drives up cyber security budgets at all sizes of commercial entity, governments, educational institutions, and other organisations around the world. For some of those organisations, the escalation of costs in this cyber attack-defence ‘arms race’ could prove unsustainable. Until lately, many senior executives have restricted their knowledge of cyber crime costs to reported news of losses that have got into the media domain – from global totals (‘Cyber crime may have cost $600bn last year’) to losses sustained by specific sectors or professions (‘Law firms lost more than £11m of client money to cyber criminals between 2016 and 2017, the National Cyber Security Centre revealed’). But headline figures explain relatively little; and if high levels of cyber crime incidents are not being reported it is impossible to determine the levels of damage that victims have sustained or to estimate likely future impacts. The need to agree a value on digital assets for cyber insurance purposes is an additional requirement executive leaders must be aware of. More organisations are investigating and acquiring cyber insurance cover, which sounds like a step in the right direction; but a Lloyd’s/Cyence report highlights the fact that a holistic approach to cost impacts remains somewhat of a best-guess risk estimation. Lloyd’s/Cyence also suggested that as more organisations see value in cyber insurance, the expanding scale of cyber attacks has the potential to trigger billions of dollars of insured losses in the event of a major incident.
Clearly, for insurers to develop this lucrative business without exposing themselves to high-value payouts when cyber crime strikes, they require some common, reliable risk model on which to calculate premiums.


For boards and c-suites, meanwhile, a starting point is to identify and agree the assets that are at risk, prior to associating a loss value to them. Even a simple list, as given here below, shows the range of digital information assets that organisations of all sizes now rely on.

A GENERIC SHORTLIST OF TARGETED DATA ASSETS COULD INCLUDE:
Loss of monetary funds, cash currency or cryptocurrencies removed from unlawfully-accessed depositories (accounts).
Service usage points – fraudulent addition of credits to service accounts (mobile phone credits or frequent flyer points).
Loss of resalable data assets (e.g., customer records).
Loss of intellectual property (e.g., software code and product designs).
Loss of internal planning information (e.g., sales forecasts).
Interruption to standard business operations due to a denial-of-service attack or a post-breach investigation.
Reputational damage – adverse publicity cancels business partnerships.
Recovery costs – cleanup of malware-infected systems.

As senior executives are drawn more closely into cyber security decision-making, they will have to apply a different perspective to how this challenge is apprehended and responded to. It is to be hoped that the different perspective from which business minds will view the issue will bring forth insightful responses that are very different from the technology-driven strategies that have dominated the last 20 years. Moreover, the challenge of cyber crime for business efficiency and organisational ‘health’ must be re-thought and re-evaluated, and appraised through the business ‘lens’. Once these figures in their totality are projected across individual organisations, and then aggregated across vertical sectors, the likely potential costs start to look daunting. The question of cyber crime’s influence on the post-2008 economic downturn must surely warrant more serious consideration by financial analysts and historians.

ACCREDITATION Words | James Hayes Photography | Shutterstock


Scanley Cybrick starts where antivirus scanners stop! Protect your data the way big DAX companies do, cheaper than ever before!

Hacker attacks, extortion, data theft, infected computers... ...that can get very expensive very quickly! Especially for:
Executives (top management/managing directors/senior staff)
Liberal professions (journalists, lawyers, doctors, tax advisers, auditors, management consultants, therapists, architects, engineers, ...)
Professionals (tradespeople, digital nomads, craftspeople, ...)
People with special protection needs (NGOs, political activists, ...)
as well as small, medium-sized and large companies (SMEs, corporations)

In short: everyone with intellectual property worth protecting or a justified need for privacy.

But why Scanley Cybrick? Isn’t a virus scanner enough?

NO! It is naive to believe that cyber break-ins can be prevented! When cyber criminals are active on your computer, they leave traces that virus scanners do not find. And the criminals see everything you see on your screen, even if it is in the cloud. We find cyber criminals on your computer; we know how they operate and find them on Windows, Mac OS X and Linux! We discover traces of cyber criminals on your computer, because we have experience with the dark side. GDPR compliance: our audit report gives you clarity and puts you in a position to act! Every month you receive your audit report with clear action steps to keep your computer clean. The signed PDF is evidence of the regular review of the effectiveness of technical measures as required by GDPR §32.1d. Refinancing through referrals! Recommend Scanley Cybrick to others and support a good cause of your choice with up to 20% of the purchase price. Or even create your own passive income that way!

That’s why Scanley-Cybrick! What you get from us, you get nowhere else! Highest security level

Minimal costs

Mature scanners

GDPR audit report

A level that DAX companies trust

Our scanner uses methods that used to be reserved for a select few

€500/year Introductory price €20 / 60 days

Without artificial intelligence and without audit report. Only for computer experts who can interpret every error message themselves! Available from 2019

Detection of professional cyber attacks Audit report (every 30 days) prepared by our experts with the help of the Cybrick-AI TEST NOW

Detection of professional cyber attacks Audit report within 7 days!

Available from 2019

We offer a service in which humans do the checking

Win/Mac/Linux without configuration, no hidden costs

§32.1d compliance through a monthly report.

An audit report with brains! This is how our security check works

Virus scan €150/year

We offer REAL protection, affordable and fair

Local listing
We also evaluate the findings of your existing virus scanner! Scanley recognises cyber criminals by their behaviour and tells you what to do! To separate the wheat from the chaff, the findings can optionally be transmitted, anonymised and encrypted, to central analysis.

Central analysis
The Cybrick-AI categorises every ‘alarm’ and provides insight into the threat. And specialists review this manually.

Every month Scanley sends you a GDPR-compliant, signed PDF audit report by email




Models designed to evaluate if cyber security delivers measurable value for money must become more inclusive to be more revealing.

SECURITY INVESTMENT VALUE FOR MONEY European boardrooms and c-suites customarily think in terms of return-on-investment calculations when it comes to validation of sign-off on expenditure – but are standard ROI models applicable to the vagaries of cyber security?

THERE ARE FEW INSTANCES OF WORKPLACE JARGON THAT CROP UP IN BOTH THE BUSINESS LEADER’S and information technologist’s lexicons; ROI – return on investment – is one such. But the fact that it carries different shades of meaning in its respective usages often proves unhelpful when it comes to establishing common terms of reference inside a digitally-transformed organisation. Its definition shifts from one planning meeting to the next. Nevertheless, it’s a term that continues to find its way into debates between the board/c-suite and the IT function, so chief officers should ensure that their understanding of ROI is properly up-to-date – especially as executives become more closely involved in the determination of enterprise digital strategy, and may be exposed to vendor superlatives. It’s also a term worth redefining at its simplest level. In IT terms, ROI denotes the ratio between the net profit and the cost of an investment of resources of some kind. As a performance measure, ROI is used to evaluate the efficiency of an investment or to compare the efficiencies of several different investments. A high ROI means the investment’s gains compare favourably to its cost. Low ROIs suggest an investment’s propensity to deliver value was poorly judged. Nevertheless, with the latter, it naturally depends on who judges. The definition of ROI is conditioned by the perception of performance effectiveness – just how well does a product or service do what it’s supposed to do. For many of those working on the practitioner side in the IT industry, ROI is an overused buzzword that’s beloved of solutions vendors and product consultants, but of limited value for those tasked with making comparative evaluations based on technical features. “The term ROI is frequently misused to attach a meaning or connotation that it does not originally have,” says Ilia Kolochenko, CEO at High-Tech Bridge. “Cyber security is primarily designed to serve business by mitigating the risks to the acceptable level. Thus, I would not expect that money invested in cyber security per se will bring you dividends or a common notion of profit.” Kolochenko adds: “I daresay that a cyber security solution also brings ROI if it prevents practical, reasonably certain and measurable losses. Obviously, its overall costs, including (but not limited to) costs of maintenance and personnel training, should be lower than potential losses.”

depends what you mean by ‘return’ A potential pitfall for managers lies in the assumption that there are innate similarities between ROI as applied to standard IT that supports line-of-business applications, and ROI applied to cyber security products and services – a mistake that dates from the time when security was just another facet of mainstream IT operations across the enterprise. As cyber threat levels grew over time, and with them the requirement to ensure that organisations’ system security was equally strengthened to withstand increased attacks, the proportion of budget claimed by security products, services and specialists increased. “The difference is that on the business side, ROI denotes a clearly measurable financial benefit,” says Dr Klaus Gheri, VP Network Security at Barracuda Networks. “Among the IT security community, very often ROI refers to avoided potential costs that would have resulted from a security breach. Essentially, this is about risk reduction, making it hard to prove, which in part explains why [as a conceptual model] it is harder to communicate than tangible money saved or earned.” Another complexity is that, arguably, as operating systems and applications become more secure, cyber security becomes the prevalent IT force. This complicates the question of how well cyber security delivers adequate ROI, because it becomes embedded in the hardware and software designed to support line-of-business applications that drive your enterprise forward. An important ROI distinction is that many aspects of enterprise cyber security are now subject to a range of national and international regulatory compliances, such as GDPR (General Data Protection Regulation). This means that organisations are obliged to buy security products and services, even if they have a high ‘risk appetite’. Generally, risk appetite is the level of risk that an organisation is prepared to accept in pursuit of its objectives, and before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats that change can be expected to bring. In this regard ROI is helped by the fact that failure to comply can result in penalties: so a €50,000 expenditure in secure IT is obviously preferable to a €60,000 fine when enterprise security is found wanting by a regulator. Executives add something to the cyber ROI debate by keeping their organisations’ risk appetites defined and up-to-date. “Top management and the board should have serious conversations that focus not only on acceptable losses, but also on what investors and regulators might consider a reasonable level of cyber defence, detection and response,” according to Norman Marks, author of the book World Class Risk Management. “Any definition of ‘risk appetite’ should probably be based on the likelihood of a serious breach, rather than on the amount of loss.”


CLEAR COMMUNICATIONS KEY TO MAKING CYBER SECURITY PROPOSALS COMPELLING IBM Institute for Business Value’s ‘Cyber Security in the Cognitive Era’ study surveyed 700 security leaders from 35 countries and 18 vertical sectors. Principally, IBM wanted to solicit views on advanced cognitive security solutions; but the report also highlights some specific challenges faced in respect to cyber security ROI delivery – especially as anticipated security cost rises, now under executive scrutiny, are deemed ‘unsustainable’.

Some 78% of respondents to IBM’s survey have seen the cost of cyber security increase since 2014, and 84% expect increases to continue into 2019. More than 70% of respondents spend more than 10% of their IT budget on cyber security products and services (the majority spend 10-15%); 92% of respondents report that funding requests for cyber security projects require a ROI or other analysis for board/c-suite justification/approval. Factors used to justify investments include ‘communication of risk exposure in their organisations’ (61%) and ‘support from finance, risk, operations, executives’ (51%).

Most important quantitative variables typically used in ROI-financial analysis for cyber security investments.

Five factors used to justify a request for cyber security related investments. Source: IBM Institute for Business Value

‘Cybersecurity in the Cognitive Era’ download | IBM Institute for Business Value

new models of return measurement From the technologists’ perspective, organisational risk appetites have tended to be suppressed. The IT function wants to demonstrate that it can select, install and manage all security infrastructure that detects and stops threats. It also implements security policies that can ensure your workforce abides by all the acceptable usage rules. An executive perspective on deciding security exposure may, moreover, take into account priorities that differ from those of the IT function. For instance, it may decide that it’s not absolutely necessary to maintain 100% protection of all data assets. This means security resources can be concentrated on safeguarding the most valuable data assets that hackers try to get at. Emergent models for cyber security ROI also need to broaden to take into account the indirect cost savings that tech advances can introduce; but these will likely only serve as secondary considerations, says Barracuda Networks’ Klaus Gheri. “There can be direct cost savings through investing into a new security tool which – for instance – requires less human attention to operate. That is the easy part,” Gheri explains. “More frequently, however, that is not the case, and ROI is calculated by assuming average incident cost of a certain type – which the security investment now prevents from happening – times the probability of being hit by such an incident within a certain period of time – a calendar year, say. The resulting cost savings can then be compared with the associated total cost of the security investment.” If Gheri is correct, probability-based estimations of cyber attack risk will inform the greater part of thinking around this key issue. Threat intelligence of some kind (there are various types) is one area that can helpfully inform cyber security ROI considerations. The more information you have about who is targeting your organisation, the better you can marshal your defences against them, because certain threats favour certain attack routes (or ‘vectors’). Security solutions vendors have in recent years seen the value of refining their products and services for specific types of threat and specific targeted sectors, so a solutions provider who already has clients in your business area is worth knowing about. In the final analysis, boards/c-suites have to retain realistic expectations, and understand that cyber security expenditure does not fit neatly into established models of ROI. “Measuring ROI in the cyber security arena is difficult because the main goal is to avoid a breach,” Paul Calatayud, CSO/Americas at Palo Alto Networks, stated at an industry round table earlier this year. “Beyond this metric, it’s extremely difficult to measure success.”
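The calculation Gheri describes, carried through as an added worked example (not code from the article, Barracuda or any vendor): the expected loss each incident type would cause in a year (average cost times annual probability) is multiplied by the share of that risk the investment removes, summed, and set against the investment’s total annual cost. The €50,000 spend and €60,000 fine are the article’s figures; every other incident value, probability and mitigation rate is a constructed sample input, and the `serious_breach_likelihood` check, which applies Marks’s likelihood-based view of risk appetite and treats incident types as independent, is my addition.

```python
"""Return on security investment (ROSI) over a one-calendar-year horizon.

Constructed example: the formula is the one Gheri describes in the article
(avoided loss = average incident cost x annual probability, compared with the
investment's total cost); the incident figures below are sample values, not
data from the article or from any vendor.
"""
from dataclasses import dataclass, replace
from math import prod
from typing import List, Tuple


@dataclass(frozen=True)
class IncidentType:
    name: str
    average_cost: float        # average cost of one incident of this type, in EUR
    annual_probability: float  # probability of being hit within one calendar year
    mitigation: float = 0.0    # share of that probability the investment removes (0..1)

    def expected_annual_loss(self) -> float:
        """Annualised loss expectancy before the investment."""
        return self.average_cost * self.annual_probability

    def residual_probability(self) -> float:
        """Annual probability that remains once the investment is in place."""
        return self.annual_probability * (1.0 - self.mitigation)

    def avoided_loss(self) -> float:
        """Expected loss the investment prevents in the year."""
        return self.average_cost * (self.annual_probability - self.residual_probability())


@dataclass(frozen=True)
class Investment:
    name: str
    total_annual_cost: float     # licence, maintenance, personnel training, staff time
    direct_savings: float = 0.0  # e.g. fewer analyst hours: Gheri's "easy part"


def without_investment(incidents: List[IncidentType]) -> List[IncidentType]:
    """The same incident types with no mitigation: the baseline for comparison."""
    return [replace(i, mitigation=0.0) for i in incidents]


def avoided_losses(incidents: List[IncidentType]) -> float:
    return sum(i.avoided_loss() for i in incidents)


def rosi(investment: Investment, incidents: List[IncidentType]) -> Tuple[float, float]:
    """Return (net annual benefit, ROSI ratio).

    Net benefit = avoided losses + direct savings - total cost; the ratio divides
    that by the total cost, so 0.0 means the investment merely pays for itself.
    """
    benefit = avoided_losses(incidents) + investment.direct_savings
    net = benefit - investment.total_annual_cost
    return net, net / investment.total_annual_cost


def serious_breach_likelihood(incidents: List[IncidentType], serious_cost_threshold: float) -> float:
    """Probability that at least one 'serious' incident (average cost at or above the
    threshold) still occurs in the year, treating incident types as independent.
    This is the likelihood-based view of risk appetite that Marks argues for."""
    serious = [i for i in incidents if i.average_cost >= serious_cost_threshold]
    return 1.0 - prod(1.0 - i.residual_probability() for i in serious)


def within_risk_appetite(incidents: List[IncidentType], serious_cost_threshold: float,
                         max_likelihood: float) -> bool:
    return serious_breach_likelihood(incidents, serious_cost_threshold) <= max_likelihood


# Constructed sample inputs. The EUR 50,000 spend and EUR 60,000 fine are the
# article's figures; the incident costs, probabilities and mitigation rates are
# invented for illustration only.
SAMPLE_INCIDENTS = [
    IncidentType("ransomware outbreak", average_cost=120_000, annual_probability=0.25, mitigation=0.60),
    IncidentType("phishing account takeover", average_cost=20_000, annual_probability=0.50, mitigation=0.50),
    IncidentType("regulatory penalty", average_cost=60_000, annual_probability=0.80, mitigation=1.00),
]
SAMPLE_INVESTMENT = Investment("hardening programme", total_annual_cost=50_000)


def report(investment: Investment = SAMPLE_INVESTMENT,
           incidents: List[IncidentType] = SAMPLE_INCIDENTS) -> str:
    """Short summary a board could read: before/after exposure and the ROSI."""
    baseline = without_investment(incidents)
    net, ratio = rosi(investment, incidents)
    lines = [f"{investment.name}: total annual cost EUR {investment.total_annual_cost:,.0f}"]
    for i in incidents:
        lines.append(f"  {i.name:<26} ALE EUR {i.expected_annual_loss():>9,.0f}"
                     f"  avoided EUR {i.avoided_loss():>9,.0f}")
    lines.append(f"  avoided losses in total: EUR {avoided_losses(incidents):,.0f}")
    lines.append(f"  net benefit EUR {net:,.0f}, ROSI {ratio:.0%}")
    lines.append("  likelihood of a serious (>= EUR 50,000) breach this year: "
                 f"{serious_breach_likelihood(baseline, 50_000):.0%} before, "
                 f"{serious_breach_likelihood(incidents, 50_000):.0%} after")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With these sample inputs the investment clears its cost mainly through the penalty it makes certain to avoid, while the residual 10% chance of a serious ransomware loss is what a likelihood-based risk appetite would actually be judged on.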

ACCREDITATION Words | James Hayes Photography | Shutterstock



FOCUSED AND SECURE Surveillance camera security is an area where a device installer partner can provide in-house IT with key help, says Edwin Beerentemfel at Axis Communications. SURVEILLANCE CAMERAS BASED ON INTERNET PROTOCOL (IP) ARE DESIGNED to withstand cyberattacks, but need to be configured by installers for optimal resilience – especially as such systems tend to be deployed on a standalone network. IP cameras must also be patched regularly to prevent hackers and threats from exploiting vulnerabilities. While this is an essential procedure often mandated under security policies, the reality is that many organisations fail to do it – usually because of the time and effort involved. This makes it imperative that such devices fall properly within the scope of an organisation’s information security policy. Many equipment vendors provide a ‘hardening guide’ for installers, but these are intended mainly as a starting point for configuration. The installer’s bigger job is to match what’s contained in that guide with a customer organisation’s information security policies. This often involves time-consuming manual configuration. In response, Axis Communications developed technology that streamlines the process while ensuring that devices and systems meet or exceed end-users’ needs. The solution allows installers to configure multiple devices simultaneously, reducing installation time and cost. Establishing ‘trust’ between devices is fundamental to information security policies – something customarily accomplished using digital certificates that follow the X.509 standard. These provide secure communication between networked devices and services, and are deployed using LDAP (lightweight directory access protocol). Active Directory is Microsoft’s LDAP-based directory service, covering a range of directory-based, identity-related services to authenticate and authorise users within a network. Active Directory skills are something physical security professionals can lack. This underscores the need to choose installers/integrators with Active Directory and other critical network proficiencies. This is another area where Axis Communications’ device management software can help: it acts as an intermediary for Active Directory. The intermediary is used to integrate third-party LDAP clients into the LDS (lightweight directory services) via proxy authentication.


COMPANY INFO Sweden-based Axis Communications offers intelligent security solutions that enable a smarter, safer world. The market leader in network video, Axis drives the industry by launching innovative network products based on an open platform – delivering high value to customers through a global partner network. Axis Communications has long-term relationships with 90,000 global partners in existing and new markets. Meet Axis at it-sa 2018 in Nürnberg, Germany – Hall 10.0/518.





HIT LIST Cyber security governance is now a key fixture of the executive agenda, and its pain points are many: here’s a run-down of 10 top challenges that confront organisational leaders in their expanded remit.

EXECUTIVES REPRESENT high-value targets for cyber threats. They have top-level reach into an organisation’s most sensitive digital assets – especially those whose purview includes sensitive financial data or personally-identifiable information. As corporate figureheads, many executives are also surprisingly visible: some see being digitally accessible as a leadership virtue, and sometimes it’s easier to find a CEO’s email address (user-name) than anyone else’s on their staff, as cyber criminals well know.

OUR FEATURE ON page 46 details the growing challenges of dealing with insider threats. For many organisations, threats from within – whether they stem from your feckless employees or from unwittingly hired hackers – now constitute more of a security concern than external threat actors. This shift plays significantly into the governance remit of boardrooms and c-suites – and means that they can use their executive power to implement change in areas such as recruitment procedures and employee monitoring.


YOUR ORGANISATION’S ‘ATTACK SURFACE’ – the sum of the points at which a cyber attacker can try to enter data into, or extract data from, an IT environment – continues to expand. Today’s business dynamic demands greater digital exposure, greater accessibility and transparency – all of which stretch your attack surface that bit wider. Anything that involves IT introduces a potential entry point for determined cyber threats. Even your in-building visitor Wi-Fi can potentially be hacked as a way into your company systems. Senior executives must be aware that everything their organisations now do constitutes some form of exposure to attackers. Therefore, risk-awareness should form part of expansion strategies from the earliest stage and at every stage thereafter.

IT SECURITY is a resonant factor when two or more businesses come together for merger or an acquisition. Most obviously, where the businesses have to unite their IT systems, they want to ensure that neither system contains any flaws, vulnerabilities or infected systems that could cause harm, and cyber security ‘health’ audits are a necessary stage of preliminary due diligence in such situations. Any ‘known’ issues could affect valuations.

SURVEYING 500 European c-suite and IT decision makers, the iPass Mobile Security Report found most polled suspect their mobile workers have been hacked or caused a mobile security issue in the previous 12 months: the most incidents occurred using public Wi-Fi in cafés, airports and hotels. Executive policy setters have to decide the extent to which the productivity gains public Wi-Fi brings are offset by security risks that may damage operational efficiency.

‘PEN-TESTS’ CAN be allied to threat intelligence, which helps steer the testing focus toward flaws most likely to be targeted by cyber threats. But there can be confusion around the purpose of pen-tests. Boards and c-suites must be aware when they green-light expenditure that penetration testing is not primarily intended to fix the security vulnerabilities that cyber threats could exploit; some of the glitches identified may be deemed non-critical, and left unfixed.

WHO SHOULD HOLD responsibility for managing IT regulatory compliances? Logic suggests the IT function, and yet there are indications that the techies are keen to bat this particular hot potato upstairs and out of their laps. Research from Pulsant (see pages 54-58) shows a lack of alignment when it comes to managing and maintaining compliance. Nearly one-in-three IT decision makers said that they ‘do not know which regulatory frameworks their organisations need to align to’; 33% of respondents said that they see managing IT compliance ‘as a c-level issue’, rather than a challenge for IT.

EXECUTIVES KNOW that their intellectual property has value – but what about other owned data assets, like customer records? Should the value of such data sets sold on the ‘dark web’ determine the amount of technological money and resource that organisations should devote to protecting it from being unlawfully exfiltrated?

A GLOBAL CIO SURVEY has suggested that shadow IT is ‘now a fact of life’ for most IT chiefs: 90% of those polled reported that they are ‘now bypassed by line-of-business colleagues at least occasionally’. Senior executives should avoid tacitly condoning risky ‘productivity enablers’, however.

CYBER ATTACKS degrade their victims’ share prices, a 2017 study issued by CGI/Oxford Economics reported. Breaches that had legal or regulatory consequences, involved the loss of hundreds of thousands of records, and damaged brand value, caused share prices to fall on average 1.8%, the analysis of 65 companies found.






Insiders now pose as much of a cyber security risk as external threats – and it’s not just the hidden hackers: trusted staff can also cause major security problems.

BEWARE THE OPPORTUNIST DATA GRABBER WITHIN... Insider threats don’t have to be technically adept. Poorly-administered access privileges enable even temporary staff to access data that has some resale value on the ‘dark web’. Low-paid employees might be tempted to pilfer any data that they can find on the internal network.

Photograph | Thanks to James Sutton@Pexels

When it comes to the sensitive area of monitoring for suspicious employee IT usage patterns, you first need to decide what actually constitutes ‘suspicious’ behaviour, David Atkinson, Founder/CEO at ‘AI for cyber defence’ vendor Senseon, points out. “Without the right tools in place it is difficult to be sure if an individual is acting maliciously or just unusually,” says Atkinson, “and even if a cyber incident has occurred it doesn’t mean they are complicit. It is entirely possible that they themselves are the victim of a cyberattack, and perhaps their credentials or devices have been compromised.” Employee behaviour monitoring is a new direction for many organisations (see page 51). It is pretty sure to raise governance questions that reverberate across directorates. Boards/c-suites have the authority to green-light changes and implement technologies that might encounter resistance if proposed by the IT function alone. Again, workers may have to get used to the prospect of being regarded as a potential liability even when they have not done anything untoward. Studies such as Clearswift’s Insider Threat Index may provide evidence that BYOD now ‘presents an immediate data security challenge’. “The blurring (of) lines between personal and work-based technologies… has led to an unabated rise in the insider threat,” Dr Guy Bunker, SVP Products at Clearswift, has stated.


ACROSS EUROPE, BOARDS AND C-SUITES ARE ON A CYBER SECURITY LEARNING CURVE THAT’S LEADING THEM TO LEARN much about the nature of threats their organisations face, as well as some incidental home truths about how line management styles can feed into security problems. One discovery that will certainly cause surprise is that many of the most damaging security threats don’t come from offensive outsiders or malware attacks, but from ‘trusted’ employees – malicious or negligent, or both. Indeed, insider threats that emanate from within the workforce can pose a more formidable challenge to their organisation’s security ‘posture’ than external attackers like cyber criminals (in some cases the perpetrators will be both). Studies suggest that the margin of difference can be as much as 10% greater for insider threats. Such threats include clumsy contractors and disaffected staff who deliberately cause problems, motivated by revenge and other grievances. Last year security vendor Clearswift commissioned a survey of 600 business decision makers and 1,200 employees across the UK, US, Germany and Australia about June 2017’s WannaCry ransomware attack. A key finding was that 29% of UK firms polled intend ‘to add cyber security to the boardroom agenda’, and 29% of companies worldwide have also ‘pledged’ to implement ‘stronger cyber security measures’. As the c-suite changes its approach to cyber security, organisations ‘will need to look at how they update their policies, procedures, and technology to mitigate against future attacks, as well as prepare for the introduction of new data regulations that are on the horizon’, the Insider Threat Index 2017 revealed. But although the insider threat has become more widely recognised, not enough resources or discussion is given to risks that originate from within, believes Andy Kays, Chief Technology Officer at Redscan. “When you consider the stakes involved, the insider threat is certainly not taken seriously enough,” says Kays. “A rogue IT system administrator, say, can bring a business to its knees.” Another study, the 2018 Insider Threat Report from CA Technologies, is based on the results of an online survey of 472 cyber security professionals who range from executives and managers to senior IT security practitioners. They represent organisations of varied sizes across all industries. Forty-three per cent of respondents identified themselves as functioning at director or vice president level within their organisations. The report’s key findings included the fact that 90% of organisations polled ‘feel vulnerable to insider attacks’, but for different reasons. Tellingly, 51% of respondents to the Insider Threat Report were more concerned about accidental/unintentional data breaches perpetrated by insiders, as compared to 47% whose concern was more for malicious/deliberate insider action (i.e., wilful causes of harm). The repercussions of this threat shift from external to internal security could prove significant for senior executives and IT leaders alike. IT practitioners have warned of a likely upsurge of insider risks for years, but it’s only comparatively recently that research-based analysis has validated these concerns and provided a more informed understanding of how the spectrum of insider risk factors plays out. Many organisations have been slow to acknowledge the existence of insider threats. That’s not necessarily because they are in denial. In recent years, information security teams have had their work cut out fending off relentless external threats, and this has been their principal priority. With stretched IT budgets since the 2008 economic downturn, they may well have lacked the software tools necessary to detect internal threats as they have become more of a problem. Some 53% of respondents to CA Technologies’ Insider Threat Report confirmed that some form of insider attack had taken place against their organisations in the previous 12 months (typically, fewer than five attacks). And 27% of organisations polled by CA researchers say attacks have become more frequent, although that could also be because organisations are better at incident detection. Other research from the Ponemon Institute, meanwhile, indicates that the number of attacks by criminal and/or malicious insiders may be



leveling out. According to its Cost of Insider Threats report (co-sponsored by ObserveIT), of 3,269 reported attacks analysed in its sample, criminal or malicious insiders caused 748 attacks (or 23%). These incidents came on top of those caused as a result of ‘negligence’ on the part of employees (permanent or temporary) or contractors. Both the Ponemon Institute and CA Technologies findings suggest that the cost of incidents varies according to organisational size. Large organisations with a headcount of 75,000+ employees spent an average of $2,081m over the foregoing year to resolve insider-related incidents. To deal with the consequences of an insider incident, smaller-sized organisations with a headcount below 500 spent an average of $1.80m. Companies within financial services, energy/utilities and industrial/manufacturing, incurred average costs of $12.05m, $10.23m and $8.86m, respectively. Furthermore, respondents to the CA Technologies findings report that despite being fewer in number, malicious and/or deliberate insider attacks are in fact more damaging to their organisations (31%) compared to external attacks (14%), and accidental/unintentional (11%).

MODELS OF EMPLOYEE TRUST That much insider threat risk stems from trusted and trustworthy employees who cause security problems inadvertently – either by accident or by unwittingly aiding and abetting an external attack – bears reiteration. The ways in which ostensibly reliable employees can compromise IT security are manifold. They can accidentally invalidate system data by deleting it or corrupting it, or move copies outside the enterprise digital security perimeter by copying them to cloud-based services (such as Dropbox) or simply by attaching the wrong file to an email sent to the wrong recipient. Minor mishaps, perhaps, compared to a British Airways-scale breach, but a risk nonetheless. And these same employees (including senior managers) are being targeted by phishing attacks and other attempts to dupe them into revealing access credentials (passwords) or letting ransomware loose on the enterprise network. “Accidents happen – even the most loyal employee is capable of making a mistake,” says Heather Scallan, SVP Global Human Resources at NTT Security. “The type of threat posed by employees differs according to a number of factors. Accidentally cc’ing a competitor on your company’s profit-and-loss statement could easily happen when the autofill function is left on, and 10 contacts in your email address list have similar first names. The question is, how do you deal with these everyday security mishaps? And what steps can you take to decrease their likelihood?” One tactic is to adopt a hard-line policy on risk assignment. “For too long businesses have trusted employees on the network no matter what – but this approach is putting them at risk of both insider threats and malevolent actors,” says Bernd Koenig, Director of Security Products at Akamai Technologies. It doesn’t have to be this way, Koenig argues: “By adopting a ‘zero-trust’ approach to security, organisations can limit the reach that employees have and only grant access to those that can verify they need it every time.” Such stern measures are bound to brush up against a host of personal ‘rights’ and employment law sensitivities, as employees may not like being designated a ‘potential liability’ before they have caused anything to go awry. Taken to the letter, ‘zero-trust’ models would call for a radical reform of existing contracts of employment – a daunting prospect for enterprises with large workforces. Discussion of changes like this flags up how the human resources (HR) function within organisations of all sizes is being drawn deeply into insider threat counteraction. The mandates of employment law naturally must be observed – especially as employee digital monitoring issues are likely to crop up in other aspects of IT management, such as emergent workplace analytics applications. (These integrate with workplace Wi-Fi and enterprise applications to gather data about employees’ work behaviours.)
Studies of insider threat impacts also articulate the fact that, like the worldwide threat landscape, internal risk characteristics are shaped by dynamics other than technology: economic, societal and interpersonal factors are also in the mix. In a depressed economy employees are more vulnerable to entreaties from cyber criminals to breach trust and become complicit in a breach of cyber security. Very often, an organisation’s IT staff are among the first to be targeted by such a nobbling exercise.

This broadens the locus of the challenge and transforms risky behaviour into more of a generic business issue. For instance, could line-of-business procedures be behind aberrant behaviour? Are overworked/undertrained employees more likely to be the cause of internal threats? Are lax recruitment procedures allowing cyber criminals (or would-be criminals), or their confederates, to get jobs inside organisations? “As cyber governance requirements increase, alongside the changing personal and corporate costs of failure, security awareness in the boardroom will also increase,” says Ian Kilpatrick, EVP Cyber Security at Nuvias. “This is also driven by changing shareholder awareness of cyber security as a fundamental requirement for the success of many businesses. So, in the medium term, boardrooms will need to continue to raise their game to ensure that they have the right structure – both virtual and physical – in place to provide the best level of defence they can for their key assets.” In this context, remediation strategies that address insider threats become a cross-directorial objective. Unfortunately, different directorates sometimes do not sync well when it comes to concerted action. The senior executive function is, however, empowered to contribute to cyber security defensive strategy in a way that the IT function is not able to do. Amendments to recruitment and human resources policies, for example, or to the rules that govern privileged access to the most valuable data assets, are changes that boards and chief officers can implement more easily – and indeed are increasingly required to, as part of their expanded governance responsibilities. In this way, the heightened importance of insider threats adds to executives’ increased direct involvement in the determination of information security policy and its application. Re-evaluation of the risks posed by insider threats should also lead to changes in how IT expenditure is allocated.

Rather than spending the greater part of budgets on perimeter technologies such as intrusion detection, firewalls and anti-virus/anti-malware software, the rise of threats that emanate from inside the security ‘perimeter’ strengthens the argument for increased investment in security tools that monitor and analyse employee IT usage and raise alerts when aberrant behaviour is detected. “A fundamental shift in cyber security scenarios is that tools used by organisations and enterprises to sift through the complexity of user behaviour and identify – in some cases nullify – insider-created threats, are now widely available,” says Ian Kilpatrick at Nuvias. “A shift in budget from keeping the baddies out towards monitoring and analysis, is really only keeping pace with the reality of how the cyber attack vector itself has moved towards compromising user systems and log-in privileges. On the positive side, there are several solutions available that provide the kind of analysis of user behaviour needed to identify the key threats.”

Respondents to the CA Technologies Insider Threat Report said that they are shifting their focus to detection of insider threats (64%), followed by deterrence methods (58%) and analysis and post-breach forensics (49%). The use of user behaviour monitoring is also scaling up: 94% of respondent organisations deploy some method of user monitoring, and 93% monitor access to their most valuable data and intellectual property. IT departments have been conducting security-led user monitoring for years, to a greater or lesser extent – and they don’t really like doing so. It is time-consuming, liable to throw up false positives, and can involve the techies in disciplinary procedures that reflect badly on their reputation as a user-oriented service department. However, such user monitoring does represent a basic form of diligence that fits well with governance expectations. “The way to successfully detect and defend against insider threats is to baseline normal network behaviour, from which you identify activity that isn’t normal, and may be malicious,” explains Andy Kays at Redscan. “Through proactive security monitoring, an organisation can then detect if it has a genuine insider threat, and so determine what data and assets have been accessed – and how to respond accordingly.”

Many of the most damaging security threats come from ‘trusted’ employees – who may be malicious or negligent, or indeed both.
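The baseline-then-deviate approach Kays describes, as an added worked example (not code from the article, nor from Redscan or any other vendor quoted in it): it builds a per-user profile from a constructed week of file-share access-log lines (hypothetical whitespace-separated format: timestamp, account, share, bytes), then flags a day under test when an account touches unseen hours or shares, when its access count is far above its own baseline, or when it has no baseline at all. Every flagged day lists all its reasons rather than a verdict, which is the point Atkinson makes above: the tool tells you that behaviour is unusual, and a human still decides whether it is malicious, a compromised account, or a false positive.

```python
"""Baseline-and-deviate insider detection over constructed access-log lines.

Added example: not code from the article, nor from Redscan or any other
vendor quoted in it. The log format, account names and share names are
hypothetical, chosen only to make the example self-contained.
"""
import statistics
from collections import defaultdict, namedtuple
from datetime import datetime

# One access-log event: timestamp, account, file share read, bytes transferred.
Event = namedtuple("Event", "ts user share nbytes")


def parse_line(line):
    """Parse '<ISO timestamp> <user> <share> <bytes>' (hypothetical format)."""
    ts, user, share, nbytes = line.split()
    return Event(datetime.fromisoformat(ts), user, share, int(nbytes))


# Constructed baseline: one working week (3-7 Sept 2018), office hours only.
# alice reads 8-12 finance files a day; bob reads 18-22 engineering files a day.
_PER_DAY = {"alice": [8, 10, 9, 11, 12], "bob": [20, 18, 22, 19, 21]}
_SHARE = {"alice": "fs01/finance", "bob": "fs01/eng"}


def baseline_lines():
    lines = []
    for user, counts in _PER_DAY.items():
        for day_idx, count in enumerate(counts):
            for i in range(count):
                hour, minute = 9 + i % 9, (i * 7) % 60   # spread over 09:00-17:59
                lines.append(f"2018-09-0{3 + day_idx}T{hour:02d}:{minute:02d}:00 "
                             f"{user} {_SHARE[user]} {4096 * (1 + i % 4)}")
    return lines


def today_lines():
    """Constructed day under test: bob is normal; alice pulls 40 HR files at
    02:00; svc_backup is an account that has no baseline at all."""
    lines = [f"2018-09-10T{9 + i % 9:02d}:{(i * 7) % 60:02d}:00 bob fs01/eng 8192"
             for i in range(20)]
    lines += [f"2018-09-10T02:{i % 60:02d}:00 alice fs01/hr 65536" for i in range(40)]
    lines.append("2018-09-10T11:00:00 svc_backup fs01/finance 4096")
    return lines


def build_profiles(events):
    """Per-user baseline: hours of day seen, shares seen, events per day."""
    profiles = defaultdict(lambda: {"hours": set(), "shares": set(),
                                    "per_day": defaultdict(int)})
    for e in events:
        p = profiles[e.user]
        p["hours"].add(e.ts.hour)
        p["shares"].add(e.share)
        p["per_day"][e.ts.date()] += 1
    return dict(profiles)


def detect(profiles, events, z_threshold=3.0):
    """Return one finding per (user, day) whose activity deviates from baseline.
    Each finding lists every reason, so an analyst can judge whether it is
    malice, a compromised account, or simply an unusual but legitimate day."""
    by_user_day = defaultdict(list)
    for e in events:
        by_user_day[(e.user, e.ts.date())].append(e)
    findings = []
    for (user, day), evs in sorted(by_user_day.items()):
        reasons = []
        p = profiles.get(user)
        if p is None:
            reasons.append("no baseline for this account")
        else:
            new_hours = sorted({e.ts.hour for e in evs} - p["hours"])
            if new_hours:
                reasons.append(f"activity at previously unseen hours {new_hours}")
            new_shares = sorted({e.share for e in evs} - p["shares"])
            if new_shares:
                reasons.append(f"first-ever access to shares {new_shares}")
            counts = list(p["per_day"].values())
            mean = statistics.mean(counts)
            spread = statistics.pstdev(counts) or 1.0   # guard: flat baseline
            z = (len(evs) - mean) / spread
            if z > z_threshold:
                reasons.append(f"{len(evs)} accesses vs baseline mean "
                               f"{mean:.1f} (z={z:.1f})")
        if reasons:
            findings.append({"user": user, "day": str(day), "reasons": reasons})
    return findings


def run_demo():
    profiles = build_profiles(parse_line(l) for l in baseline_lines())
    return detect(profiles, [parse_line(l) for l in today_lines()])


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run as-is and it reports two findings: alice (unseen hour, unseen share, and a volume far above her own baseline) and svc_backup (no baseline), while bob's ordinary day produces nothing. A one-week baseline and a fixed z-score threshold are deliberately simple; a production tool would baseline over longer windows, per weekday, and would also need the HR and governance sign-off the article discusses before employee activity is profiled at all.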

ACCREDITATION Words | James Hayes Photography | Shutterstock




STAY ONE MOVE AHEAD In cyber security, just like chess, winning strategies call for skill, vigilance, and knowledge of your opponent. Martin Borrett from IBM Security explains why. There’s a battle raging out there. On one side are cyber attackers; on the other are those who defend our privacy and personal accounts – as well as our businesses, economy and national security. Some call it a ‘war without bullets or bombs’. That’s not exactly right; I think it’s more fitting to say that cyber security is a game. As cyber criminals, nation-state attackers and hacktivist groups have become more sophisticated, the security industry has grown up to defend our national security, as well as the vital interests of businesses and consumers. Gradually, the battle between attackers and defenders has become something akin to an arms race: new types of attacks lead to new defences to block them. Security innovations become outdated as soon as attackers find ways around them. Meanwhile, the cyber attackers continue to rely on social engineering tricks that can prove hard to defend against. Yet for the Chief Information Security Officer – CISO – or whoever is in charge of information security in your organisation, cyber security is like a game of chess. There are many pieces to move, and your strategy needs to keep tabs on all of them. You must adjust to your adversaries’ moves, move aggressively against attackers and protect your ‘king’ at all costs. The cyber security game continues; but even as the stakes are rising, the rules are changing. It’s now more complicated than ever.

And just as the cost of cyber crime is growing, businesses are faced with further issues: they spend enormous sums of money on cyber security products. All of these products have to be installed, configured, learned, managed, patched and upgraded. What a nightmare – especially given the shortage of skilled workers to help manage them. So, what can you do to stay ahead in this always-evolving cyber security game? Simply throwing resources at the problem won’t fix it. Tacking on the latest software-as-a-service (SaaS) product with no support won’t solve it, either. Educating employees in security best practices is essential, but it’s still not enough. In fact, nothing you do in isolation will solve the problem – or allow you to ‘win’ the game.


You can read more from IBM Security Europe CTO Martin Borrett at the IBM SecurityIntelligence blog.


In 2014, IBM Security worked with business partner Sogeti to create an e-book that helps organisations navigate these challenges. Called ‘Staying Ahead in the Cyber Security Game’, this practical guide aims to provide CISOs, security professionals and IT executives with an insightful view of key considerations for refining cyber security strategies. A lot has changed, of course, since the e-book was published – including the increasing importance of application and cloud security, the emergence of new regulations such as the General Data Protection Regulation (GDPR), advances in cyber crime such as crypto-ransomware, and the promise of artificial intelligence (AI) in analysing threats and giving security operations centres an edge. To quote the original authors, “The reality of security is that... hard math will become harder, the tools of today will be enhanced and complemented with new and more powerful tools and science is challenged to come up with the next, harder to break, method of encryption. And the more valuable and long-lived your data-assets are, the more essential it is to be at the cutting edge of innovation.” ‘The cutting edge of innovation’ has, of course, moved on over the last four years; and yet there is also a lot that hasn’t changed, and there’s still plenty of solid, strategic advice in this book – I think it captures roughly 90% of the biggest cyber security challenges businesses faced a few years ago and continue to struggle with today. The book clearly identifies these challenges and offers tangible steps

for dealing with them. Some of the topics covered include: ● Alignment between security and IT operations in creating a plan for incident response. ● Security by design in the software development process. ● Shadow IT and how businesses accommodate cloud-based applications to enable workers. ● Making security work for users so they don’t need to work around it. ● Thinking like an attacker and finding your own weaknesses before the bad guys do. ● How to recover from a breach – because it’s a matter of when, not if. ● Learning how to avoid making the same mistakes over and over again. I’ve seen the move from theory and speculation to reality on a number of these topics. Response and preparation have become key steps to manage cyber security incidents, but paper-based exercises no longer cut it; we’re in an era where practice and simulation are necessary. I have found it fascinating to take clients to our X-Force Command Cyber Range and work with them to help prepare.

Adjust to your opponents’ moves, move aggressively against attacks, and protect your ‘king’ at all costs.

I often reflect on something seemingly simple, like learning how to swim. It’s hard to learn to swim by simply reading a book or watching a video; you need to get in the water, immerse yourself, and practice and train. The challenge and opportunity of today is to avoid repeating the same mistakes of the past. There are critical, transformative technologies being designed and built right now that will have a lasting impact on the world and they are reaching maturity at a moment where the focus on security has never been more significant. In 2018, as in 2014, it is still very much ‘all eyes on security’. Martin Borrett is IBM Distinguished Engineer and CTO IBM Security Europe.





It’s critical that governance officers properly prepare to engage with regulatory compliance and understand its integral value for today’s successful businesses. Regulatory compliance is not a brand new topic, nor indeed is it a new challenge, for businesses. It’s a necessary governance overhead that organisations of all sizes have grappled with for some time, particularly those in highly-regulated sectors, such as insurance and financial services. However, the rise in importance of cyber security assurance has brought a heightened criticality to being compliant. There are a number of regulations that businesses need to conform to, whether mandated by the Financial Conduct Authority (FCA), a risk management framework such as the IASME Gold Standard or ISO 27001, or a regulation protecting data privacy such as the European Union’s General Data Protection Regulation – GDPR – which came into force on 25 May 2018. The consequences of getting compliance wrong can be severe – mandatory financial penalties, loss of revenue, painful cyber security breaches. According to communications solutions provider Verizon, in the 10 years it has produced its PCI Compliance Report on payment-card security, not one of the organisations that suffered a disclosed data breach was ‘fully compliant’ at the time the incident occurred.

COMPLIANCE IS ABOUT BUSINESS CHANGE The first lesson in reducing the strain of compliance is understanding that the procedure is far from a box-ticking exercise that can be undertaken once, then forgotten about. It is an ongoing commitment: it evolves in alignment with changes in the market, as well as changes in businesses. Responsible organisational leaders know that the governance of compliance is a necessary requirement; but there is sometimes a lack of clarity over who within the organisation is responsible for ensuring that it is properly undertaken. In some organisations this responsibility ends up batted around between IT and legal departments, whereas arguably compliance management should be shared ownership. More commonly these days, a board/c-suite-level executive will take the lead and ensure that compliance responsibilities are correctly assigned to the appropriate chief officer.

NEW RULES OF BUSINESS, FOR BUSINESS Regulatory compliance describes the goals that legitimate organisations aim at in their endeavours to ensure that they are aware of, and take steps to comply with, relevant national laws and regulations. Proven violations of some national regulations can result in fines and other penalties for transgressing organisations.

Snapshots from the Pulsant State of IT Compliance report: 69% said IT compliance is ‘very important’ to their organisations, but this majority is undermined by lack of understanding, support and budgets. Non-compliance disadvantages: negative impact on customer, investor and stakeholder trust. The four biggest challenges of IT compliance: the largest number say it is time and resources.

About a third of IT decision-makers surveyed declare that achieving IT compliance is now ‘the responsibility of the c-suite’.

SURVEY TRENDS In the first two quarters of 2018, Pulsant commissioned research on questions around cyber security and compliance, in which 202 IT decision-makers, business executives and compliance officers at UK businesses in diverse industries were surveyed (by research firm Censuswide). Called The State of IT Compliance – Exploring Attitudes and Approaches to the Compliance Challenge, the resultant report revealed that most executives (69%) polled said that complying with IT regulations for cyber security and data privacy was ‘very important’ to their business (accounting for at least 17% of their annual IT budgets). However, 28% apparently do not know which specific cyber security regulations their business had to comply with. Forty-three per cent of those surveyed said that managing compliance with IT regulations was a ‘major challenge’. Other challenges involved in compliance were time and resources, the cost and getting ‘management buy-in and support’.





Reported problems in getting the board’s support for IT compliance are perhaps surprising, given the increasing number of corporate hacks and data leaks that have attracted global media coverage − and dented several high-profile company reputations – in recent times (see ‘Snapshots’, above). The Pulsant research is in line with other research on IT compliance and cyber security. For example, a report by the UK government – FTSE 350 Cyber Governance Health Check Tracker Report – published in 2017, found that more than half (54%) of the UK’s top 350 companies stated that cyber risk is one of the top risks faced by their business operations. But only 31% of boards polled there reported that they got comprehensive information about cyber risks (up from 21% in 2015-2016). Moreover, the majority had not been trained in how to cope with a cyber security incident. There seems to be something of a disconnect between what many company leaders are saying about IT compliance – that it is a priority for boardrooms – and what companies are doing – some directors still admit to patchy knowledge of IT compliance. However, Pulsant’s research found that 55% of organisations surveyed have between one and five full-time staff dedicated to compliance management; and 26% said they had the equivalent of less than one full-time employee responsible for compliance. One reason for the modest numbers of compliance staff in many companies may simply be that it is hard to find hires with the requisite skills, and the personnel shortage pushes up their salary expectations (so fewer, but better-remunerated, staff).

Escalating cyber threats; new data regulations – such as the aforementioned GDPR, plus electronic IDentification, Authentication and trust Services (eIDAS) and the Payment Card Industry Data Security Standard (PCI DSS); pending uncertainty over Brexit (e.g., will it hamper recruitment of EU IT workers?); and increased demand (and, again, salaries) for skilled IT compliance staff: all add up to a considerable challenge for the company head honchos. Most business executives questioned for The State of IT Compliance said that they had the right skills (or access to skills) to cope with IT compliance. Ninety-two per cent said that they had the right skills to deal with compliance − whether their own staff, a supplier, or a combination of both.

There are a range of challenges that influence an organisation’s success in its alignment to specific regulatory frameworks.

Organisations use a combination of in-house and third-party skills to manage compliance.

IT compliance is no longer just an IT matter. Data and IT systems cover all an organisation’s departments (finance, sales, marketing, ‘risk’ departments), people and procedures. People are key to IT compliance. They need to know exactly how their actions affect the compliance processes, what they should be doing (and not doing), and the consequences of non-compliance. Some aver that the most effective approach to compliance is to have initiatives championed at board level. As mentioned earlier, board-level support is not always forthcoming − 22% of respondents in the State of IT Compliance research reported that management support and buy-in was a challenge in their organisation – but that figure is certainly an improvement on what might have been expected just five years ago. It also leads to another key question in the compliance journey, which is: who, ultimately, is responsible for IT compliance in the 202 companies surveyed for The State of IT Compliance?

MANAGEMENT SUPPORT The quest for compliance is an organisational initiative that touches all areas of the business: its people, its technology and its processes. The key to success in achieving compliance, and indeed in maintaining it, depends in large part on employees. From an IT compliance perspective, employees need to know exactly how their actions affect the compliance processes, what they should be doing (and not doing) and what the consequences of non-compliance are. When it comes to who, specifically, is responsible, The State of IT Compliance shows that it is the IT department that is predominantly responsible for compliance (55%), with other roles having some responsibility too (security manager 29%; dedicated compliance officer/manager, where they exist, 26%; risk manager 20%). However, 33% of IT decision-makers declare that achieving IT compliance is ‘the responsibility of the c-level’ (c-suite). Concerningly, perhaps, the lack of management support cited by respondents highlights a gap between what is needed and what is actually taking place. Whatever the challenges of getting the right compliance staff, one thing is evident: a company’s board will take the flak if the organisation’s IT systems are successfully hacked (‘successfully’ from the hacker’s viewpoint, that is) or if sensitive data it holds is leaked accidentally. In the UK, mitigating cyber risks is a ‘fiduciary’ duty (a legal responsibility) for company boards, as outlined by the Companies Act 2006. A board’s failure to understand and mitigate cyber risk, for example by failing to implement appropriate cyber security measures, could ‘equate to a breach of these duties’, says global law firm Norton Rose Fulbright in a thought leadership article, ‘Cyber risk and directors’ liabilities: an international perspective’. Internationally, other countries – including Germany and the United States – place similar legal duties on company boards. There is also the likelihood of shareholder/investor litigation following a successful, publicly-disclosed cyber attack. ‘At a corporate level, most people are now aware that an adverse cyber incident can have significant consequences for an affected organisation,’ Norton Rose Fulbright points out: ‘Legal developments and shifts towards a more litigious culture relating to cyber risk and, in particular, the use of personal data in various jurisdictions, also mean that more litigation is being brought against organisations for matters that relate to cyber risk’. It continues: ‘These increased risks can translate into personal liability for board members in a variety of ways... While the scale and severity of personal liability risks can vary across different jurisdictions, personal liability is possible in all jurisdictions’. Norton Rose Fulbright cites the example of Germany: under German law, company directors can be held liable for breach of their duties, which include a duty to ensure that the IT infrastructure of a company is sufficiently protected in order to ensure the security of data and the avoidance of cyber risks. Directors are therefore obliged to ensure that they incorporate the necessary technical and organisational measures that are set out in the German Data Protection Act (‘Bundesdatenschutzgesetz’) and the German IT Safety Act (‘Bundessicherheits- und Informationstechnikgesetz’). But does this mean that the board or c-level will become more directly involved in the implementation and governance of regulatory compliance? To be sure, liability will play more of a part, in that board and c-level executives will have greater accountability (possibly even face penalties) should something go wrong. A case in point is GDPR: stricter fines are being imposed on businesses if they are found to be out of compliance. Some viewpoints in the industry are speculating that these fines could also be extended to board directors or c-suite chief officers. So, while there may not be more involvement in establishing these sets of controls, there will certainly be far more accountability around the ownership of them.

SMARTER COMPLIANCE? So, let’s take stock. Compliance is critical for businesses. Lack of compliance affects the bottom line, and stakeholder trust. In some industries, a failure to comply with rules can stop an organisation’s operations altogether. Consequently, it is a task that many, maybe all, organisations are now in the process of tackling. That’s a good thing; the question is, are they doing it as well as they think they are? Given the lack of understanding of IT compliance rules, and of the steps to comply with them, demonstrated by The State of IT Compliance and other studies, the answer, alas, is ‘no’. Boards need to improve their knowledge of IT compliance and explain more clearly how all parts of the business can help. Technology such as cloud computing, automation, regulation technology (‘RegTech’) and Big Data/data analytics software can help companies comply with IT regulations more quickly and more cheaply. Improving IT compliance doesn’t necessarily mean spending more on cyber security and compliance staff. But it will often require company boards and c-suites to take a lead on the matter, educating themselves and all employees about the importance of protecting customer data, how to spot cyber threats, and what to do about them. As cyber threats proliferate, IT compliance is becoming as important a sign of corporate ‘healthiness’ as being able to verify a strong balance sheet or order pipeline. Going forward, it’s likely that there will be even more rules and regulations to be followed, and for boards/c-suites to keep aware of. As stated earlier, organisations already align to big frameworks, like the aforementioned ISO 27001 or FCA guidelines. But as frameworks themselves evolve, there are likely to be additional parameters and requirements to consider; especially when it comes to cloud, the prevalence of hybrid and multi-cloud deployments, and the migration of infrastructure into public clouds. The FCA, as an example, has already amended its framework to incorporate specific elements around outsourcing to the cloud. And it is likely that other national/international regulatory bodies or frameworks will follow suit. What this means for businesses is that maintaining IT/cyber security compliance into the 2020s is likely to be a little more challenging as the process becomes more prescriptive. But with the right approach, processes and technology, achieving and maintaining compliance need not be an impossible task.

Increased risks can translate into personal liability for boards in a variety of ways... Personal liability is possible in all jurisdictions.

THE JOURNEY TO COMPLIANCE So compliance is critical for businesses, that’s acknowledged; as is the fact that lack of compliance affects the bottom line and stakeholder trust and, in some industries, can stop organisations from operating. As a result, it is a requirement that many – if not all – organisations must tackle. But still the question remains: are they doing it as well as they think they are? Given the lack of understanding of compliance frameworks demonstrated by the sample, perhaps the answer remains ‘no’. There could be a gap between what is now being done and what should actually be done. This is especially true when it comes to maintaining IT compliance. Compliance itself must keep pace with the rate of change within the business, in terms of innovation, new products and new services. Otherwise, organisations may miss out on capitalising on the benefits that cloud and new technologies actually deliver: i.e., staying compliant causes organisations to cede competitive edge. What is clear from the State of IT Compliance research is that while managing and maintaining IT compliance is expensive, time-intensive and complex, businesses are trying to achieve it. Organisations are using a mixture of dedicated staff and technology to manage IT compliance, but they are encountering significant challenges such as lack of budget, time, resources and skills – despite the fact they believe they have the means in place. However, The State of IT Compliance respondents did express a desire for better benefits from their tools and technologies, as well as a need for increased automation around the IT compliance process. Overall, while it is clear that IT compliance is being addressed, there is a definite need for the process of both achieving it and maintaining it to be optimised, streamlined, and made more effective and easier. This can be accomplished through the use of smarter and more intuitive tools and technologies, and by automating processes, in order to gain the benefits that organisations are after, such as real-time alerts, better reporting and bringing all data sources together.

This is reflected in the emerging RegTech sector. RegTech is playing an increasingly important role in supplying organisations with the advanced solutions required to enable them to meet their escalating compliance needs. Regulation is one of a number of services to receive the ‘tech’ treatment in recent times, according to Deloitte: ‘As with FinTech, RegTech will mean different things to different people in this developing area’. Increasing levels of regulation and more challenging regulatory expectation are ‘having significant operational impacts on firms requiring people-, process- and technology-based solutions,’ a report from Deloitte has said. ‘With respect to new legislation and regulations, this can create challenges around understanding, implementing and embedding the new requirements, whereas for existing legislation there can be challenges around understanding and managing the risks.’ While focused largely on the financial services market, RegTech has the potential to become a much-needed helping hand for businesses, especially as the regulatory world becomes more crowded and complex. Going forward, it’s reasonable to expect that there will be an increased demand for this type of technology that can optimise the compliance process, both from a management and maintenance point of view.

ACCREDITATION Words | Javid Khan, CTO, Layer V, a Pulsant company










The execs and the techies have to try harder to establish a common language in their fight against common cyber enemies, if key messages are going to get through.

AS CYBER SECURITY RISES IN THE HIERARCHY OF GOVERNANCE PRIORITIES, SENIOR EXECUTIVES, AS A TEAM, WILL ENGAGE IN DEEPER DISCUSSIONS WITH THEIR ORGANISATION’S TECHNOLOGY specialists and technology partners. Clear and effective communication is vital to ensuring that strategies are clearly articulated and understood by all stakeholders. Whatever their nationality, this area has been somewhat fraught for the execs and techies: these personas have often struggled to establish ‘a common language’, and therefore an altogether common sense of purpose. “Execs talk the talk of business objectives and balance sheets, while the IT experts express their views in terms of technological solutions and balanced risk,” an industry observer has said. “At its least successful, the ‘suits’ are said to be coming out with meaningless management speak, while they reckon the techies will try to ‘blind them with science’ by lacing their language with industry buzzwords. It can become a kind of jargon jousting match, with each side stating their position through buzzy clichés.” But as the cyber security governance role of boardrooms and c-suites grows, executives are compelled to engage in closer, more extensive conversations with the techies; and even with senior technologists in attendance among the chief officers at the top table, there has been a disconnect between the contrasting mindsets. This can be exacerbated by the fact that the worlds of the business executive and IT specialists are filled with buzzwords and terminology that make straightforward statements hard to ‘decode’. As techies and non-techies enter into a more equitable division of responsibility, it becomes more important that any language difficulties are acknowledged and resolved, argues Matt Cockbill, Partner, IT & Digital Leadership Practice at Berwick Partners. “Miscommunication breeds confusion and uncertainty… For c-suite executives and those involved in a business’s cyber security, a lack of clarity results in poorly-defined roles and responsibilities, instilling a ‘someone else is taking care of it’ attitude. This ultimately allows holes to appear in cyber defence.” Adds Cockbill, “Senior executives should not be expected to understand function-specific language. It is the challenge of the Chief Technology Officer (CTO) or Chief Information Security Officer (CISO) to think, act and communicate as senior managers first, and functional cyber experts a close – but definitive – second. Being able to tailor messages to different audiences right across the enterprise is a critical trait of all senior leaders, and this applies to the CTO and the CISO.” According to Phil Richards, CISO at Ivanti, the issue is not whether executives can understand technical jargon, it’s about making the issue relevant to the executives. “When a technical person sees a problem – e.g., an Internet-facing server that cannot be patched – they don’t necessarily see this as a ‘threat’ that would concern (their company’s) executives,” Richards says. “The technical person needs to rethink the problem as, ‘how does this threaten my company?’, and report the answer to that question as the problem.

HISTORY THE BUZZWORD YEARS Ironically, it’s probable that the proliferation of tech jargon was much influenced by the prevalent management-speak of the 1980s and 1990s – decades when computing words began to enter ordinary offices. The rapid pace of change in work patterns meant that common terms of reference to articulate the shift had to evolve unusually quickly.


An executive can then be presented with a vulnerable Internet-facing server which a cyber criminal could compromise, and then use to download customer databases. So, by adding-in the second part about how the risk will affect the entire business, executives become immediately engaged.” Organisations also need to move beyond ‘buzzword summaries’, where management jargon means the information is garbled and what’s important is lost, insists Michael John, Director, Operations at the European Network for Cyber-Security (ENCS): “If you work with critical infrastructure, the stakes are too high to risk that. On the other hand, ‘techno-speak’ can sometimes be incomprehensible too.” John says that to a certain extent, information security experts do “need to make an effort to communicate clearly – but also need more decision-makers to develop a better intrinsic understanding of cyber security matters. There’s already quite a few training courses aimed at c-suite personnel on offer, so resources are available out there for the executives who do want to adapt.”

The language of metrics could serve as the Rosetta Stone of communications between the executives and the techies.

COMMUNICATION OF RISK For Phil Richards at Ivanti, a pivotal responsibility of senior executives is to identify all the kinds of risk that threaten their organisations, be they competitor activity or attempts by nation-state-sponsored hackers out to steal their intellectual property. Executives must come to terms with the fact that the native language of cyber security is jargonistic, and not rely on confused ‘translations’ in order to understand what its terms mean. “When techies and executives fail to communicate effectively, there is a real chance that major risks will not be identified nor managed at the senior level,” warns Richards. In other words, both sides should be willing to learn a smattering of each other’s professional lingo. “The treatment of cyber risk often gets lost in translation,” says Dan Brown, Security Consultant at FarrPoint. “This is down to the difficulties in the expression of technical risk in simple terms to senior management. And this itself is particularly in regard to the fundamentals of cyber risk management and the inability to implement a single, static, unmanaged control to allay a cyber risk for the foreseeable future. Such a control just is not possible with such rapidly-evolving threats and with expansion of attack surfaces (that most organisations experience).” Brown suggests that the language of risk management could serve as a kind of lingua franca in this context, so to speak, by bringing together the ‘native dialects’ of the boardroom and the data centre. “Controlling cyber risk effectively requires: continuous threat assessment from cyber security analysts; it requires risk management from cyber security managers; and it requires reviews and decisions on operational risk from senior management,” Brown avers. The common factor that threads assessments, management and decision-making together is another kind of language: metrics. “Rather than translating between exec-talk and tech-talk, a common ground for communication should be sought,” agrees Gavin Millard, Technical Director at Tenable. “Metrics are the Rosetta Stone of interdepartmental communication, enabling conversations to be had, and decisions to be made, on complex areas where one of the parties isn’t an expert. By focusing on key performance metrics, for instance, a conversation can be far more beneficial without having to educate senior staff on cyber security buzzwords.” Millard adds: “Comparison of metrics between different organisational units for context can be hugely beneficial and enable better decision support. For example, sharing the time to remediate critical vulnerabilities in the London office versus the New York office will demonstrate that the security team has good visibility into a foundational control, and also (good visibility of) how each is performing.” If New York’s time to remediate vulnerabilities is significantly worse, decisions can be made on whether investments are required to improve, or if the business risk associated with the slower time is nonetheless acceptable.

CySure CEO Joe Collinwood points out that while execs and techies might often find it difficult to communicate, it’s not just a question of a difference in language, but also the passing of responsibility: “Execs believe they are employing techies to keep the organisation safe – however, IT departments are full of technical people, not business people,” Collinwood says. “No one sues the IT department for a fiduciary failure – the buck stops with the board.” “The common terms of reference in risk management allow cyber risk to be communicated in a way that senior management can understand using impact and likelihood of the incident to calculate risk,” says FarrPoint’s Dan Brown, “and to allocate funds respectively.”

Execs and techies often mean the same thing (well, nearly the same thing) even when they both employ different words. Here’s a brief bilingual glossary.

Business growth / attack surface growth
Sales are pushing for company growth, increase in products and services, larger headcount, new business partners, extra social media marketing campaigns. All good stuff; but beware, it all presents a bigger target for cyber threats to aim at.

Mobile enterprise tools / moving targets
The newest handset model comes with the latest functionality – and possibly all the latest vulnerabilities. As mobile phones become primary business application platforms they are being increasingly targeted by hackers.

Competitor analysis / threat intelligence
Your sales force devotes hours to sussing out the competition to gain insights into their strategy. Cyber threats pose a similar challenge to your organisation’s fortunes; anything that can be gleaned about them might help in the fightback.

User-driven IT / ‘shadow IT’
Business managers fed up with waiting for the IT department to action requests are setting up their own cloud-based services to meet their needs. But this ‘shadow IT’ can introduce serious cyber security risks for the internal tech teams to deal with.

Risk appetite / assured security posture
No-one really has an appetite for cyber risk, just as no-one can be 100% sure that their IT systems retain fully-protected status against cyber attacks. Penetration tests often find vulnerabilities that the hackers have missed – or have they?

User monitoring and analysis / spying
Insider threats are growing, and it’s not just the rogue staff causing problems; ‘trusted’ employees also pose a security risk. But would monitoring systems bring unacceptable levels of oversight?
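The office-versus-office comparison Millard describes, and the impact-times-likelihood scoring Brown refers to, written out as an added Python example. This is not code from the article or from Tenable, FarrPoint or CySure: the vulnerability register, office names, asset names, dates, the 14-day critical SLA and the 1-5 impact and likelihood scales are all constructed assumptions for illustration. The point it makes beyond the text is what a defensible "time to remediate" metric needs before it goes to a board: a fixed reporting date, a rule for still-open findings, and a breach rate next to the median so one slow ticket cannot hide behind an average.

```python
"""Board-level vulnerability metrics over a constructed remediation register.

Added example (not code from the article, Tenable, FarrPoint or CySure).
Offices, assets, dates, SLA days and the 1-5 scales are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    office: str
    asset: str
    severity: str               # "critical" or "high" (assumed taxonomy)
    detected: date
    remediated: Optional[date]  # None means the finding is still open
    impact: int                 # 1-5 business impact if exploited (assumed scale)
    likelihood: int             # 1-5 likelihood of exploitation (assumed scale)


# Assumed remediation SLA per severity, in days.
SLA_DAYS: Dict[str, int] = {"critical": 14, "high": 30}

# Constructed register: three critical findings per office plus one open
# high-severity finding, reported as of 1 October 2018 (assumed date).
AS_OF = date(2018, 10, 1)
FINDINGS: List[Finding] = [
    Finding("London", "web-01", "critical", date(2018, 9, 1), date(2018, 9, 8), 4, 3),
    Finding("London", "mail-02", "critical", date(2018, 9, 3), date(2018, 9, 14), 3, 3),
    Finding("London", "vpn-01", "critical", date(2018, 9, 10), date(2018, 9, 21), 4, 2),
    Finding("New York", "erp-01", "critical", date(2018, 8, 20), date(2018, 9, 15), 5, 3),
    Finding("New York", "file-03", "critical", date(2018, 9, 5), date(2018, 9, 27), 3, 3),
    # The Internet-facing server that cannot be patched: still open at AS_OF.
    Finding("New York", "portal-01", "critical", date(2018, 9, 8), None, 5, 4),
    Finding("New York", "wiki-01", "high", date(2018, 9, 20), None, 2, 2),
]


def days_to_remediate(f: Finding, as_of: date) -> int:
    """Days from detection to closure, or age so far for an open finding."""
    end = f.remediated if f.remediated is not None else as_of
    return (end - f.detected).days


def office_metrics(findings: List[Finding], as_of: date, severity: str = "critical") -> Dict[str, dict]:
    """Per-office metrics for one severity: total, open count, median days to
    close, and the share of findings past the SLA. Open findings count as
    breached once their age exceeds the SLA, so they cannot hide by staying open."""
    by_office: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        if f.severity == severity:
            by_office[f.office].append(f)
    result: Dict[str, dict] = {}
    for office, fs in by_office.items():
        closed_days = [days_to_remediate(f, as_of) for f in fs if f.remediated is not None]
        all_days = [days_to_remediate(f, as_of) for f in fs]
        breached = sum(1 for d in all_days if d > SLA_DAYS[severity])
        result[office] = {
            "total": len(fs),
            "open": len(fs) - len(closed_days),
            "median_days_closed": median(closed_days) if closed_days else None,
            "sla_breach_rate": round(breached / len(fs), 2),
        }
    return result


def risk_score(f: Finding) -> int:
    """Impact x likelihood: the risk-management arithmetic Brown refers to."""
    return f.impact * f.likelihood


def top_open_risks(findings: List[Finding], n: int = 3) -> List[Finding]:
    """Open findings ranked by risk score: the 'how does this threaten my
    company?' ordering rather than a list of technical defects."""
    open_findings = [f for f in findings if f.remediated is None]
    return sorted(open_findings, key=risk_score, reverse=True)[:n]


def median_gap(metrics: Dict[str, dict], office_a: str, office_b: str) -> float:
    """How many more days office_b takes than office_a to close critical findings."""
    return metrics[office_b]["median_days_closed"] - metrics[office_a]["median_days_closed"]


def board_summary(findings: List[Finding], as_of: date) -> str:
    """Plain-language lines an executive can act on, with no buzzwords."""
    lines = []
    for office, m in sorted(office_metrics(findings, as_of).items()):
        lines.append(
            f"{office}: {m['total']} critical findings, {m['open']} still open, "
            f"median {m['median_days_closed']} days to close, "
            f"{int(m['sla_breach_rate'] * 100)}% past the {SLA_DAYS['critical']}-day SLA"
        )
    for f in top_open_risks(findings, 1):
        lines.append(f"Top open risk: {f.asset} in {f.office}, score {risk_score(f)}/25")
    return "\n".join(lines)


if __name__ == "__main__":
    print(board_summary(FINDINGS, AS_OF))
```

On the constructed data, London closes critical findings in a median of 11 days with no SLA breaches, while New York's median is 24 days and every critical finding is past the 14-day SLA, including the open portal-01 server, which also carries the highest impact-times-likelihood score. That is the form in which the decision Millard describes (invest in New York, or accept the slower time as business risk) can actually be put to a board.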

ACCREDITATION Words | Edmund Burr Photography | Shutterstock


ED’S picks



In IT security everyone’s on a learning curve, and it-sa 2018’s Supporting Programme provides a wide range of knowledge gain opportunities. Here’s a selection of events of special interest to our editorial team.

THE SCOPE OF ‘CYBER SECURITY’ CHANGES EVERY MONTH. New threats call for new solutions from the IT security sector, and new solutions mean additional deployment challenges for IT security practitioners to manage. The it-sa 2018 Supporting Programme has been designed to deliver market education and insight. As well as offering many ways for delegates to widen and improve their knowledge and understanding of key issues, there are unmatched opportunities for them to use these sessions to ask questions and learn from the questions of others. Here, our ‘Editor’s it-sa picks’ selection highlights a few of the sessions that Cyber Security Europe’s editorial team has added to its itinerary.

TUESDAY 9 OCTOBER 2018

I10 HOW TO TACKLE THE GDPR: A TYPICAL PRIVACY AND SECURITY ROADMAP 2:20 - 2:40PM With a new era of privacy regulation now upon us, security and compliance professionals must make the EU General Data Protection Regulation – GDPR – a top priority. The speaker discusses the importance of privacy management within the context of security and compliance ecosystems: how it fits into the larger puzzle, and how it can be integrated seamlessly as a function among the information security, information technology, risk management, audit and compliance, as well as legal areas in an organisation. The importance of being able to demonstrate ongoing compliance with privacy regulations is addressed – along with how privacy management software supports security and governance/risk management and compliance teams. Speaker: Dominic Schmidt-Rieche, Sales Manager, Central & Southern EMEA / OneTrust

T9 ARTIFICIAL INTELLIGENCE TO COMBAT HACKERS AND MALWARE – HYPE OR REALITY? 11:15 - 11:30AM In the fight against cyber criminals, artificial intelligence (AI) is now being used. There are different views on where conventional technology ends and AI starts. This presentation looks beyond the hype, and will discuss the benefits and limitations of AI in cyber security. Speaker: Jan Tietze, Senior SE, DACH / Cylance

T10 IT-SA INSIGHTS: ‘LOCKED SHIELDS 2018’ – INSIGHT INTO NATO’S BIGGEST CYBER DEFENCE EXERCISE 5:00 - 5:40PM Speaker: Major Bernd Kammermeier, Head of Awareness Training, Centre for Cyber Security / Bundeswehr


PROFESSOR UDO HELMBRECHT, EXECUTIVE DIRECTOR, ENISA ENISA’s Professor Dr Udo Helmbrecht will give a keynote speech on Tuesday 9 October (9:30-10:00AM, Forum I10, Hall 10.1) that focuses on ‘Innovative solutions to enhance cybersecurity in Europe’. He will discuss the challenges and opportunities that arise in this context, and explore optimal synergies.


DETAILS For more information please go to: |


WEDNESDAY 10 OCTOBER 2018

T10 IT-SA INSIGHTS: INITIATIVES FOR PRACTICAL COLLABORATION IN THE FIELD OF INFORMATION SECURITY 12:30 - 1:00PM Speaker: Marc Lindike, Head of Information Security Assurance / Flughafen München

M9 HARDEN YOUR HUMAN FIREWALL IN ICS/OT 3:30 - 3:45PM Attacks on production facilities and other critical infrastructure are now a reality of everyday business life. Industrial companies are being increasingly targeted. Production systems typically have a longer operational lifetime than the operating systems that run on enterprise systems. Hackers exploit the resulting vulnerabilities to install malware, for example. This risk can be significantly reduced by targeted training measures. Security awareness campaigns provide targeted information during certain activities. In this way, the protective measures conveyed are more lastingly remembered. At this presentation you will learn how your organisation’s employees can serve as an additional ‘firewall’ for protection against future cyber attacks. Speaker: Andreas Fuchs, Product Director / DriveLock SE

I10 BUILDING A THREAT INTELLIGENCE DRIVEN CYBER SECURITY PRACTICE 11:40AM - 12:00PM Cyber Threat Intelligence (CTI) has been around in the security industry for years. Yet organisations struggle to grasp what CTI in practice actually entails, and how to get the most value out of it. This presentation provides an insight into why CTI is one of the most valuable and effective security practices an organisation can implement. The presentation also explains why organisations need to look beyond ‘Indicators of Compromise’, and how knowledge of a threat’s modus operandi will empower them to respond more effectively. Speaker: Jörg Abraham, Senior Threat Analyst, EclecticIQ Fusion Center / EclecticIQ B.V.

M9 PRIVILEGED BY NATURE? WHY TRADITIONAL SECURITY PERIMETERS ARE NO LONGER SUFFICIENT 2:30 - 2:45PM We still try to counter the associated security concerns with traditional and complicated methods. Cyber security solutions help us to minimise the risk of attacks, but they also minimise your employees’ ability to creatively and independently solve complex problems within their job and thus quickly and successfully generate added value. The speaker argues that we need to think about how we can protect our company without ‘leaving behind’ many opportunities and possibilities provided by emerging technologies. A central component of these considerations is access to resources: who can access what, when, what can be done there - and why. Privileged Account Management (PAM) is the first logical step. Speaker: Henning Hanke, Enterprise Solution Specialist/Thycotic



‘Congress’ provides the framework for intensive specialist discussions and dialogue; ‘it-sa insights’ provides a range of best practice knowledge share; in the five ‘Open Forums’ exhibitors talk on technical and management issues; ‘Live hacking’ demonstrates how vulnerabilities can be exploited.

1 Congress; 2 it-sa insights; 3 Live hacking; 4 Open Forums; 5 Startups@it-sa




EDITOR’S PICKS Whatever your company’s cyber security needs, there’s still time to catch up with the many new solutions on show from it-sa 2018 exhibitors.

THE GROWING RANGE OF PRODUCTS AND SERVICES TO BE SHOWCASED AT IT-SA 2018 DEMONSTRATES HOW THE CYBER SECURITY sector is expanding and evolving. Increasingly, organisations are realising that intelligence-led security should be informed by knowledge about threats gained from outside sources and external evaluations of security provision. Organisations also understand that as more threats come from within, their workforces, if properly trained, now have the potential to become an integral part of good IT security practice.

SPECTRAMI DARKBEAM: CYBER EXPOSURE Many of today’s cyber attacks are now initiated using information gleaned from outside the security perimeter, found by automated tools or by threat actors who conduct so-called ‘cyber reconnaissance’. If an organisation’s active digital footprint can be delineated and understood, says Spectrami, then the risks it presents can be mitigated, thus reducing the likelihood of future data breaches. To help identify and reduce these risks, the Darkbeam cyber exposure tool has developed proprietary algorithms and search techniques that allow organisation-wide highlighting of key exposed data: email addresses, IP addresses, certificates, subdomains, and other technical information. Darkbeam also scrutinises the furthest reaches of the web, including the ‘dark web’. Hall | 10.1 / 10.1-718 |

CYOSS: SIMULATION AND TRAINING CENTRE Determined cyber threats know how to gain access to your company’s data assets via your staff; but, says CYOSS, your workforce can also act as a ‘most important internal form of protection against cyber attacks’, and ‘alert employees play a vital role in the prevention of complex cyber attacks’. CYOSS’s interactive awareness training sensitises your employees to be conscious of risks when using workplace IT, and to detect and defend against attacks. Furthermore, an organisation’s IT specialists can also gain extra skills with intensive training in CYOSS’s simulation centre: as part of the training, IT professionals experience fully automatic attacks under realistic conditions; in its training, CYOSS models corporate networks with common security technologies. Hall | 10.0 / 10.0-403 |

EVENT APP THE IT-SA 2018 APP KEEPS ON WORKING... The it-sa 2018 app provides many useful features for visitors, such as push notifications and updates, and location-based messages on the exhibition site. It even has an integrated car finder so that you can drive home safely.


DETAILS For more information please go to: |

Find out at our stand why the needle in the haystack can cost you millions too, and how you can stay one step ahead of the dark side.

Of 982,000 potential threats,

are real attacks

A single attack can cause damage of approximately

€1.6 million

“Make an appointment now and talk directly to the right expert” Via:

23 attacks thus result in total costs of

€36.8 million

Stand number: 9-240

Our promise to you: we detect the attack within 30 minutes.

Cisco @ it-sa 2018 9th-11th October in Nürnberg Visit us in Hall 10, Stand 410