The cost to TalkTalk of the 2015 cyber attacks

In our post of 31st December 2015, we discussed the lessons learned from the TalkTalk cyber attack debacle.  TalkTalk has now published its Q3 results, which give a truer picture of the costs to date.

The telecoms company's original emergency damage forecast in November was £30-£35 million (largely for unconditional free upgrades for customers, plus £15 million in reduced trading revenue).  That estimate has now roughly doubled to £60 million.

Additionally, and of little surprise, there has been significant reputational damage: TalkTalk lost 4% of its customer base (some 101,000 customers) following the attack.

Recovery will be slow.  Although the share price rose 5% this morning, that follows a 30% drop after the attack at the end of October 2015.

This comes in a week when two other organisations also felt the pain of attack:

•      Lincolnshire County Council's systems were shut down for four days following a malware attack delivered in an email attachment that staff opened in error.  The £1m ransom was not paid and staff have been working on paper all week.  CIO Judith Hetherington-Smith said: "People can only use pens and paper, we've gone back a few years. [The attack] happened very quickly. Once we identified it we shut the network down, but some damage is always done before you get to that point – and some files have been locked by the software.  A lot of the files will be available for us to restore from the back-up."

•      HSBC was hit on Friday 29th January, when customers could not access their personal bank accounts.  It was a DDoS attack, and whilst HSBC sought to reassure customers on Twitter, stating it had "successfully defended" its systems, the recovery process itself caused considerable disruption for customers.  The timing could not have been worse for many: the first pay day after Christmas, and the last working day before the tax return deadline.

What this amply illustrates is the urgent need for businesses to change their behaviour.  Instead of relying on a dim hope that they will not be targeted at some point in the future, businesses should assume they will be attacked and plan accordingly.

NB.  Whatever the size of your company, you are at risk.  So ensure that proper IT governance steps are taken: penetration testing, robust cyber defence software, round-the-clock monitoring and threat intelligence.  Together these put you in a stronger defensive position and give you an agile stance for response, which is how you start to stem financial loss and costly reputational damage.


Hacktivists unmasked over BBC website collapse on New Year's Eve 2015

"New World Hacking" finally claimed responsibility two days into 2016 for the attack on the BBC website, which was a relatively common Distributed Denial of Service ("DDoS") attack.  The high-profile targeting ensured that the BBC's news service, iPlayer online TV and radio services were down for several hours on 31st December 2015, with an error message shown instead of the BBC homepage.

A DDoS attack is one in which a website is flooded with more traffic than it can handle, generated from many sources at once, with the result that the website's servers stop responding to legitimate requests.  Because the traffic comes from many addresses, each sending a modest amount, simple per-client rate limits rarely catch it; it is the aggregate surge that has to be detected.
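To make the distinction between a single-source flood and a distributed one concrete, here is an added example (not code from the original post or from Amicus ITS) that reads web server access logs in the common log format, buckets requests into fixed windows, and applies two checks: a per-IP limit, which catches one noisy client, and an aggregate-rate check against a baseline, which is what actually catches a DDoS.  The log lines, the RFC 5737 documentation addresses, the window size, the thresholds and the baseline rate are all constructed assumptions for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Apache/Nginx common log format: ip ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_seconds, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(ts.timestamp()), m.group("req")


def bucket_requests(lines, window_s):
    """Map each window start (epoch seconds) to a Counter of ip -> request count."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crashing the detector
        ip, epoch, _ = parsed
        buckets[epoch - epoch % window_s][ip] += 1
    return buckets


def flood_sources(lines, window_s=10, per_ip_limit=50):
    """Single-source floods: IPs that exceed per_ip_limit requests in any one window."""
    hits = set()
    for counter in bucket_requests(lines, window_s).values():
        hits.update(ip for ip, n in counter.items() if n > per_ip_limit)
    return sorted(hits)


def surge_windows(lines, window_s=10, baseline_rps=2.0, factor=10.0):
    """Distributed floods: windows whose total rate exceeds factor x baseline.
    Returns (window_start, total_requests, distinct_sources); a high source count
    with a low per-source rate is the DDoS signature a per-IP limit misses."""
    out = []
    for start, counter in sorted(bucket_requests(lines, window_s).items()):
        total = sum(counter.values())
        if total / window_s > baseline_rps * factor:
            out.append((start, total, len(counter)))
    return out


def make_sample_log():
    """Constructed log (assumption, not real traffic): a quiet minute of ~1 req/s from
    five clients, then a 10-second window in which 200 distinct addresses send 3
    requests each and one address sends 200."""
    base = 1451563200  # 31 Dec 2015 12:00:00 UTC, aligned to the 10 s window

    def fmt(ip, epoch, path="/"):
        ts = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120'

    lines = [fmt(f"192.0.2.{i % 5 + 1}", base + i) for i in range(60)]
    burst = base + 60
    for i in range(200):                      # distributed: 200 hosts x 3 requests
        for _ in range(3):
            lines.append(fmt(f"198.51.100.{i + 1}", burst + i % 10))
    for i in range(200):                      # single noisy source in the same window
        lines.append(fmt("203.0.113.99", burst + i % 10, "/login"))
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("per-IP floods:", flood_sources(log))      # only the single noisy source
    print("surge windows:", surge_windows(log))      # the distributed burst, 201 sources
```

Run on the constructed log, the per-IP check reports only 203.0.113.99, while the surge check reports the burst window with 800 requests from 201 distinct sources; the 200 low-rate hosts never trip the per-IP limit, which is exactly why a distributed attack needs aggregate monitoring (and, in practice, upstream scrubbing capacity) rather than client-side blocking alone.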

The targeting of the BBC was purportedly friendly fire.  The hacktivists claim to concentrate on taking down websites supporting ISIS (Daesh) or sites affiliated to the terror group, and say the exercise against the BBC was merely a test of their capabilities, chosen because of the BBC's high capacity to absorb traffic.  No doubt this made the BBC feel very comforted.

Amicus ITS security specialist Mark Heather added:  "This has been described as a DDoS attack but it appears to have been designed as a scoping exercise; not to attack the BBC per se, but to give the hacktivists more insight as to their efficacy.  Unfortunately, there is little that companies can generally do to thwart this type of attack. But threat management can be deployed as part of a wider cyber security protection strategy."

"Organisations can take certain preventative positive measures to thwart, circumvent or manage cyber threats.  'Threat analysis' can be undertaken as part of an ongoing reputation exposure exercise. Your cyber security team can look out for any 'Dark Chat' underground threads published on web hacktivist forums for example – and with this intelligence, then direct traffic towards a 'honeypot' mechanism for example" (see below).


A honeypot is a decoy system that is deliberately exposed to attract attackers.  Nothing legitimate should ever connect to it, so any traffic it receives is suspicious by definition, and the addresses, tools and techniques it records give the security team early warning and intelligence without exposing production systems.  That makes it one of an organisation's strategic steps to beefing up its data security.  As Mark comments:  "Much like the weather, you cannot stop rain from happening, but you can wrap yourself up warm and get your umbrella out knowing what the forecast is likely to be".
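The following is an added example, not code from the original post or from Amicus ITS, of the simplest form of the honeypot described above: a low-interaction TCP decoy that answers with a fake service banner, records who connected and what they sent first, and closes.  The banner text, the port (0 means "any free port"), the address 127.0.0.1 and the probe payloads are assumptions for a local demonstration; in a real deployment the listener would sit on an otherwise unused address and its events would feed a SIEM or blocklist.

```python
import socket
import threading
import time
from collections import Counter
from datetime import datetime, timezone


class TcpHoneypot:
    """Low-interaction decoy: accepts a connection, sends a fake banner, records the
    peer and its first bytes, then closes.  It never serves any real content."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 mail.example.internal ESMTP\r\n"):  # fake banner (assumption)
        self.banner = banner
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))
        self._srv.listen(16)
        self._srv.settimeout(0.2)  # lets the accept loop notice a stop request
        self._thread = threading.Thread(target=self._serve, daemon=True)

    @property
    def port(self):
        return self._srv.getsockname()[1]

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(1.0)
            try:
                conn.sendall(self.banner)
                first = conn.recv(256)  # capture what the client tries first
            except (socket.timeout, OSError):
                first = b""
            event = {
                "time": datetime.now(timezone.utc).isoformat(),
                "src_ip": peer[0],
                "src_port": peer[1],
                "first_bytes": first[:64].decode("ascii", "replace"),
            }
            with self._lock:
                self.events.append(event)

    def wait_for(self, count, timeout=2.0):
        """Block until at least `count` events are recorded (or timeout); return a copy."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return list(self.events)
            time.sleep(0.01)
        with self._lock:
            return list(self.events)


def probe(port, payload, host="127.0.0.1"):
    """Stand-in for an attacker's scanner: read the banner, send a payload, disconnect."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def sources_by_hits(events):
    """Intelligence the honeypot yields: which addresses touched it, and how often."""
    return Counter(e["src_ip"] for e in events)


if __name__ == "__main__":
    hp = TcpHoneypot()
    hp.start()
    probe(hp.port, b"EHLO scanner\r\n")
    probe(hp.port, b"USER root\r\n")
    for e in hp.wait_for(2):
        print(e)
    print(sources_by_hits(hp.events))
    hp.stop()
```

Because the decoy has no legitimate users, every entry in `events` is actionable; the counts from `sources_by_hits` are the kind of feed that can be pushed to a firewall blocklist or correlated with the "Dark Chat" intelligence mentioned above.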


The Week’s Technology News – 19th December 2014

IT security needs embracing in the boardroom
Speaking from GCHQ headquarters this week, Minister for the Cabinet Office Francis Maude urged businesses to make IT security a boardroom issue.  Amicus ITS has recommended this point repeatedly in blogs this year.  Government is now urging businesses to review IT security as an integral part of the Board's strategic thinking, to ensure secure data management remains at the heart of the agenda.

With recent breaches affecting major household names both in the UK and the US, Maude warns against complacency:  “All companies, large or small, face threats from vulnerabilities on a daily basis”.

The Government's launch of CERT-UK earlier this year created a cyber security information sharing partnership which now enables 750 organisations to exchange information in real time on threats and vulnerabilities as they occur.   Maude pointed to GCHQ data showing that 80% of attacks were preventable if basic best practice was followed.

As organisations reflect on 2014 with their staff at Christmas parties up and down the land, a cautionary ice cube should be travelling down the spine of any Board member whose business has not thought to place IT security at the forefront of its business continuity plans.  For them, January is the time to bring this into focus on the 2015 agenda: to review, consult, embrace and invest as required, so that neither the profitability nor the reputation of the business is threatened.


NATS on the rack for IT system failures
Thousands of travellers in UK airports were delayed last weekend because of a software problem, attributed to a faulty line of code, at the London Area Control Centre at Swanwick in Hampshire.  National Air Traffic Services (NATS), which controls 200,000 m2 of airspace, reportedly suffered the failure on an internal system controlling the switch-over from night-time 'standby' to daytime 'live' operation.

The partially privatised company (owned 49% by the UK Government, 41.9% by The Airline Group, 4% by Heathrow (formerly BAA) and 5% by NATS employees) has been running air traffic control for commercial UK flights since 2002.

The company handled over 2.1 million flights last year, carrying 220 million passengers in the UK.  NATS had problems with its IT in 2008; the CAA criticised NATS in a report on a telephone failure which grounded 300 flights in 2013; and flights in Southern England were delayed earlier in 2014 due to "technical problems".

The problem software came from a package originally developed for the US air traffic control network.  When that project collapsed, NATS was left to work through the outstanding development to make it serviceable, which raised the price of Swanwick's delivery by £150m from an original £475m budget.  Some of the blame is said to lie with an aged IT infrastructure; as the NATS CEO explains, "There are 50 different systems at Swanwick and around four million lines of code".  NATS' decision last year to make a significant number of its most experienced, older IT engineers redundant, when these were the specialists most used to working with the older technology, will not have helped.  Especially worrying is that this fault had not been seen before.  The latest incident follows accusations of a corporate failure to invest in new technology and exposes NATS to an increased risk of repeated outages in future, despite CEO Richard Deakin's promise that £575m would be invested over the next five years.

A CAA inquiry will now be launched to assess whether NATS has learned from its previous failures, with the risk that its licence is reviewed.  It will be a bumpy ride for the UK's Transport Secretary, Patrick McLoughlin, who will be giving Parliament a full account of what went wrong.   Clearly any organisation, of whatever type, that is lumbered with legacy infrastructure, whether hardware, software or both, will see operational effectiveness and bottom-line profitability suffer if the Board does not take the bull by the horns and assess the best way to upgrade and secure its IT systems.


Microsoft and Skype attempt to eliminate the language barrier
Back in May, at the Code Conference, Microsoft demoed an upcoming breakthrough feature for Skype that lets people who speak different languages talk to each other without a human translator.  Users can voice or video call each other, with translations appearing in near real time as both speech and subtitle-style text.

This week Skype opened a preview of the feature to users who would like to give the in-development service a spin; interested parties can register on the Skype website.  Currently the preview is limited to English and Spanish, with more languages promised soon.  Initial reports say that, although not perfect yet, the service does what you would expect, allowing two people who do not share a language to hold a conversation.

The business applications for an accurate auto-translator that handles both voice and video calls are enormous.  For example, a single-language Service Desk could communicate with customers worldwide without the traditional language barrier or costly multilingual staff.  If successful, Skype Translator will shake up the translation business, calling into question the need for a dedicated human translator and reducing the premium currently placed on knowing additional languages.

As the technology develops and matures, it is also likely that Skype Translator will be incorporated into Microsoft's enterprise communication tool Lync, which was recently announced to be rebranded as Skype for Business; if so, that adds further reasoning for the name change.

The future for Skype is looking very promising, and this announcement, more than any so far (including the cross-compatibility of Lync and Skype), justifies Microsoft's 2011 acquisition of Skype.  With Skype pre-installed in Windows and tightly integrated with the Microsoft account system, Skype now fits very neatly into the Microsoft ecosystem.

Given Microsoft's current "mobile first, cloud first" mantra, we will likely see Skype Translator eventually integrated into the Skype app for smartphones and tablets.  With near real-time translation built into your phone, Microsoft may be the first to successfully break the language barrier for all.


Financial services benefiting from outside help
The financial sector has seen major changes since the start of the credit crunch in 2008: changes in working practice, organisational restructures, cost-cutting exercises with branch closures in banking, and job cuts as people are replaced by technology as part of a digital strategy.  Sector employment has declined by 16% since 2009.  Lloyds Bank is cutting 9,000 staff as part of its digital strategy, and Dutch bank ING has a similar project that will result in 1,700 staff losing their jobs.

Financial services organisations have increasingly turned to third-party IT products, services and talent, as well as outsourcing their IT, which has boosted the number of workers in the IT sector.  According to an analysis by accountancy practice Nixon Williams, there were 403,000 jobs in the IT sector in 2009 compared to 459,000 in 2014 (12% up).  In comparison, financial services jobs have fallen from 1.18m in 2009 to 986,000 today (16% down).

With the sector witnessing a major increase in automation software replacing manual roles, and rising public expectation of truly 24×365 customer service, financial institutions are under enormous pressure to manage huge data volumes in highly regulated, highly secure environments while resisting any downtime or DDoS.

Whilst the banking sector has traditionally had huge in-house IT teams, the costs, the regulation and the pace of technology evolution have whetted the industry's appetite for third parties with expert knowledge and robust solutions.  Alongside this lies the disconcerting reality of uncomfortably large legacy IT systems that continue to create vulnerabilities while they remain unchanged and merely patched up, as against a long-term strategy and commitment to invest in new, more flexible and integrated IT infrastructure.

Some of the larger banks are starting to think laterally by turning to third parties for IT innovation to develop and implement non-core systems and apps, including joint ventures with other institutions or even with start-up firms.  Examples cited include Sumeet Chabria, CIO of HSBC Global Banking and Markets, and Deutsche Bank, which has recently set up a joint innovation project with IBM, Microsoft and the Indian IT services firm HCL Technologies to improve its digital credentials.

The motivation to sharpen the pencil looks clearer when recent studies, such as one from specialist retailer Bizrate Insight, reveal that 72% of the public still trust banks with their details over retailers.   However there is no room for complacency over 'trust'.  Potential competition for market share, should they move into banking, could be on the horizon from established transactors PayPal and Amazon, who jockey for position on the trust rankings at 48.9% and 45.4% respectively.   Tech giants Apple and Google lag further behind at 21.4% and 12.9% respectively.  Nonetheless all of these, as well as Facebook, have systems that hold details about people and businesses and handle monetary transactions.   So the circling piranhas angling for additional income streams and greater global dominance may include some new names in future.


Public Sector changing outsourcing habits in 2014
Market watcher ISG's north Europe President, John Keppel, reports that the UK has seen a major boost in public sector outsourcing in 2014.  This has included small and large contracts staying in this country rather than being awarded offshore, with spending levels nearly double those of the UK private sector.

This has involved some big-ticket outsourcing deals but also a lot of mid-market government business.  Annual Contract Values (ACVs) from IT outsourcing in 2014 rose 16% across EMEA, with France's ACV increasing by 250%, whilst the UK, with its more mature outsourcing market, has seen a steady increase in line with cautious post-recession optimism.  This is seen as largely due to the complexity of services required in the UK public sector, as well as a lack of appetite simply to exploit cheaper resources from offshore suppliers; the old adage "buy cheap, pay twice" perhaps resonates more closely with those responsible for procurement.  "The challenge for buyers will be to understand how they can get the most value from their outsourcing efforts, and to understand the real business impact," concludes Keppel.

Director of Sales at Amicus ITS, Les Keen comments:  “With the increase in Cloud services, this presents ever greater opportunities in 2015 for IT MSPs.  Those who can demonstrate the breadth of their experience, deliver the highest levels of data security, be a true 24×365 IT provider AND respect their customer as a business partner not a number – should see the benefit of working in this sector in 2015”.


End of 2014
This is our last review of IT for the year, and the blog staffers at Amicus ITS would like to take this opportunity to wish all our customers and everyone reading these posts a very Happy Christmas and a peaceful New Year.   We will be back looking at the latest technology developments and worldwide IT business news in January.  See you in 2015.

The Week’s Technology News – 12th December 2014
Have you planned IoT into your business strategy in 2015?
It is increasingly possible to connect any powered device to a network.   The Internet of Things (IoT) is an enormous technical development to comprehend, let alone incorporate.  From a business point of view, however, the real value of IoT will lie not just in connecting 'things' but in the opportunity, if done properly, to manage the resulting data and bring customer needs into focus alongside the products or services on offer.  That makes it a transformative technology, applied through hardware and software, and highly interesting commercially.

Cisco's Internet Business Solutions Group estimates that there will be around 25 billion connected devices next year, doubling to 50 billion by 2020, and Gartner recently suggested that IoT is now at the peak of its 'Hype Cycle' of expectation.

If intelligent services are built on insights from collated and interrogated data, they have the potential to radically improve customer experience and, in the long run, cut costs through prompt performance, increased trust and access (given the right security procedures and policies), binding the relationship between provider and customer more strongly.

In practical terms, an IoT-enabled printer supplier could remotely monitor a customer's ink levels to advise on re-supply, simultaneously run diagnostics for needed updates or repairs, upsell improved models matched to day-to-day needs, and get real-time feedback on how the customer is actually using the equipment.

From an MSP perspective, applying three simple concepts, 'connecting', 'managing' and 'engaging', creates a proactive environment and a closer relationship built on the intelligent assistance given.  To get there you need an agile infrastructure providing quick, simple and secure connections.  Some businesses worry about how to build the infrastructure to connect their devices, and there are admittedly many aspects to consider: storage; messaging and routing protocols; security; directories; analysis; automation; and APIs, to name a few.

According to a recent global KPMG survey of technology business leaders, 20% of businesses find implementing IoT too complex to approach without expert help.  However, by using ready-built networks offering fast, secure and scalable connections, alongside a range of tools provided as a Platform as a Service (PaaS), businesses can concentrate their efforts on creating innovative connected products.   Now that sounds like a plan!


Sony hacked again – one week later

Last week Sony Pictures Entertainment was hit by a huge cyber-attack which leaked unreleased films and 47,000 personal records.

Since then even more data has been leaked, including confidential emails between Sony Pictures Chair Amy Pascal and the well-known Hollywood film producer Scott Rudin.  The emails in question mock Barack Obama in an exchange of racist messages, with Pascal asking Rudin what she should ask Obama at an upcoming event.  Pascal has since said: "Although this was a private communication that was stolen, I accept full responsibility for what I wrote and apologize to everyone who was offended."

This week a new attack aimed at Sony's PlayStation Network (PSN) took the service down on Monday.  The attack was a Distributed Denial of Service (DDoS).  Although it came hot on the heels of the Sony Pictures attack, it did not come from the same source: the PSN attack was claimed by a group called Lizard Squad, who boasted about it on their Twitter account.

With fresh information still leaking, including plans for unannounced films, Sony may be in damage-control mode for some time.  These events only highlight the need for stringent malware protection and tightened defences against ever-increasing DDoS attacks, as well as a pertinent reminder to staff about appropriate use of email, which in this case could have saved several blushes.


Data breach red flags for 2015
Global information services company Experian has published its Second Annual Data Breach Industry Forecast for 2015, after reviewing cyber attacks on 3,000 organisations.  In the report, Experian details a change of attitude amongst business leaders towards cybersecurity which will affect organisations and regulators in the year ahead.

Reputation is critically at stake alongside security and trust, and consumers now demand more communication and remedies to restore the status quo, even while 'data fatigue' sets in: people expect resolution from the organisation yet remain apathetic about taking more vigilant steps themselves.  With almost 50% of businesses having suffered at least one data breach in 2014, increased investment in security technologies, policy planning and guidelines is paramount, and accountability goes right to the top of the Board.  A company without a data breach response plan could be the first, and largest, victim of unscrupulous criminal targeting.

New trends are anticipated for 2015.   These include:
• New payment technology
• The continued rapid expansion of Cloud and e-commerce
• The consistently high value of healthcare data on the blackmarket
• Employees as one of biggest threats
• Internet of Things (IoT)

1. Payment technology   The deadline for US retailers to adopt EMV (chip and PIN) card technology is October 2015 if they want to avoid liability for fraudulent Visa or MasterCard payments.  As a result, breaches may increase in the short term as attackers exploit the closing window.

2. Cloud technology   With the increased adoption of Cloud technology, businesses can do much to protect their own and their customers' data, as the value of consumer online credentials continues to grow.  A good starting point is to take extra steps to safeguard passwords, since hackers will target progressively more Cloud data as the volume companies hold there explodes.  This means having the capability to reset passwords at scale and to communicate with affected users, maintaining transparency as part of keeping trust in the relationship.

3. Healthcare data   In the US, the growing number of access points to Protected Health Information (PHI), sensitive data held in electronic medical records, and the increasing popularity of wearable technology make the entire healthcare industry vulnerable and attractive to cybercriminals.  On top of this, the FBI reportedly sent a private notice to the healthcare industry in 2014 that its cyber security was lax compared to other sectors.  Given the legacy IT infrastructure found across the UK healthcare sector and constant downward pressure on budgets, it would be remarkable to avoid breaches entirely.

4. Human error   One of the least reported issues is breach caused by employees, whether through human error or malicious intent.   They remain the leading cause of breaches, accounting for 59% of reported cases, so companies should have policies in place to prevent or minimise the impact.

5. Internet of Things   With the expansion of the Internet of Things, businesses will seek to benefit from reviewing device data to optimise performance and respond to consumerisation.  As more everyday items (car keys, alarm systems, wearable devices) are built with Wi-Fi and sensors, they will relay confidential information over the Internet and communicate with each other, and cyber attacks via data held by third-party vendors are therefore likely to increase.

Takeaway – so, what action is required?  Board members will be expected to have a better understanding of their organisation's data breach response plan, of the new technologies and security protocols in the workplace, and of a clearly defined chain of response should a breach occur.  Currently fewer than 17% of Board executives surveyed knew whether their organisation had suffered a breach in the previous 12 months.  Alongside this there should be security awareness training for employees, as legal and regulatory scrutiny is expected to increase in 2015.


This Week’s technology news – 6th December 2013

Little chance of privacy on Liberty's shores
America's NSA is trawling a whopping 5 billion mobile phone location records per month in an attempt to connect terrorists by location and conversation.  The volume almost defies analysis, when only around 1% is useful in anti-terror work.  Microsoft plans to counter this invasion of privacy by encrypting traffic to its services to thwart interception, and has confirmed it will continue to fight legal orders to release customers' details to government departments.  Commercial security for customers with a mobile workforce remains a key priority for MSPs.  Top players including MobileIron, AirWatch and Good ensure that device location, remote wipe and lock remain a desirable paid-for feature for their audiences rather than a threat.

DDoS caused NatWest's service failure last Friday
Last Friday shoppers around the UK were unable to use their NatWest accounts.  RBS Group has reported that the service failure was caused by a Distributed Denial of Service (DDoS) attack.  This news comes shortly after Monday's IT failure, in which cash machines and card payments were also affected.  RBS states that Monday's IT failure and Friday's DDoS were not connected, and that no customer information was compromised.  No comment has been made on what further action has been taken to prevent future attacks; whether customers trust the bank enough to stay with it remains to be seen.

Apple add Topsy to the shopping basket
Apple may have recently bought the 3D sensor company PrimeSense, but its shopping spree has not ended.  This week Apple purchased Topsy, a Twitter analytics firm, for an estimated $200m.  Topsy is one of only a few companies with access to Twitter's entire data stream and its archive of 400 billion tweets.  Apple has mostly stayed out of the social networking game; iTunes Ping, its now-closed social network attempt, fell flat on its face shortly after release.  Although Apple has no native search tools (unlike Google or Microsoft) with which to exploit this large data stream, it could be looking to integrate it into Siri, its voice assistant for iPhone and iPad.  The other advantage of this data for Apple is a better understanding of consumers' habits, using what people are talking about to place effective advertising in social media.

Amazon drones on about their courier service
Online retailer Amazon has announced plans for Prime Air, a possible drone delivery service expected to remain in development until 2015.  Using a multirotor drone to fly small packages under 5 lbs, it would have a range of 30 minutes' flight from its distribution centres.  The hurdles are considerable and currently create more questions than answers: FAA approval needed for flight-path clearance, limited address viability (delivery to flats, offices and pavement access headaches), plus a very limited payload.  Similar drones are being developed in Australia and China, so there is little opportunity for patenting.  However, if approved, the upside for the US economy is a potential $13.6 billion injection plus 70,000 new jobs over 3 years, and an estimated $82 billion of economic development over 10 years.  Like all good technology revolutions there is plenty of hype; whether it "delivers" on speeding business up remains to be seen.