Cybersecurity Threats and Vulnerabilities - Six Degrees Group
Whitepaper: Cybersecurity Threats and Vulnerabilities
What every business needs to know

This whitepaper provides an overview of the most recent cyber-attacks, the types of incidents and vulnerabilities that exist, and how businesses – particularly financial services, investment firms and the (re)insurance market – can take preventative measures to safeguard their systems and data from cybersecurity threats.

Six Degrees, 6dg.co.uk
Foreword

It’s time for a paradigm shift in the way we view cybersecurity. The organisations I speak to are all too aware of the risks they face, whether from rogue internal operators, ever more sophisticated email attacks, ransomware, or any number of other threat vectors that could – if exploited – result in serious financial, operational and reputational damage. The threats are known, documented and evidenced. But the fact remains that even mentioning the word ‘cybersecurity’ in the boardroom can elicit eye rolls, shuffling in seats and muttered excuses to leave. Cybersecurity is viewed as a necessary evil; a distraction; something for the IT department to worry about.

These outdated attitudes need to change. Cybersecurity is not the ‘Department of No’. Effective cybersecurity requires continual top-down engagement throughout the organisation, and that starts in the boardroom. Cybersecurity needs to be put on the executive agenda; it should be placed in the context of the continuing success of the firm in terms of the impact of any breach.

The Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey (2019) found that embedding knowledge and understanding of cybersecurity within management boards is a strong driver of behaviour change, but only just over a third of businesses (35%) have a board member or trustee with specific responsibility for cybersecurity. Although this figure is higher for finance or insurance firms (56%) there is still plenty of room for improvement in this area.
Awareness is vitally important, but education needs to remain punchy, clear and concise. In our experience we’ve found that implementing robust cybersecurity is 30% education and 70% buy-in. Executives will ask ‘why should I care?’ – you need to be able to make them aware of current risks and relate these back to your business to highlight their relevance. Get it right and the conversation in the boardroom will shift towards the benefits that cybersecurity can bring. Ultimately, good cybersecurity practices enable an efficient and productive business environment: far from being the ‘Department of No’, effective cybersecurity goes hand in hand with an organisation’s financial, operational and reputational success.

The truth is there’s no silver bullet when it comes to making your organisation safe from cyber threats. No one piece of software, staff training programme or cybersecurity review will deliver end-to-end protection. You can’t just throw some money at the problem and hope it goes away. Cybersecurity is an evolving threat requiring an ongoing iterative strategy with regular reviews across the organisation.

This whitepaper will support you in raising the importance and understanding of cybersecurity in the boardroom. It will give you insight into who is attacking organisations like yours – and why – the types of cyber-attack you face, and some best practice steps to get you started on your cybersecurity journey. I hope that it supports a positive paradigm shift in the cybersecurity conversations you have within your organisation.

Phil Atkin
Product Director - Cyber Security and Compliance
Six Degrees
Introduction

As organisations we operate in an increasingly connected world. This brings with it many opportunities and efficiencies, but also opens businesses up to new threats. The online world is home to a sophisticated, constantly expanding and evolving community of criminals and hackers that seek to exploit vulnerabilities in organisations’ systems.

Cybercrime has seen significant growth over recent years, in tandem with the continual advancements we see in technology. The threat of cyber-attack is ever present as organisations further embrace technology, deploy more mobile devices, and adopt an ‘anywhere, anytime’ way of working.

Whilst some industry sectors remain at a higher risk than others, recent media headlines have highlighted that every industry sector is at risk regardless of size, location or systems.

In creating this whitepaper we aim to highlight the seriousness of cybersecurity, how cyber-attacks can have a detrimental effect on an organisation and its reputation, and how organisations can safeguard their systems and data from potential security vulnerabilities.

A growing threat: the number of firms reporting cyber incidents has risen from 45% last year to 61% in 2019. (Hiscox Cyber Readiness Report 2019)

The financial services industry is a key target: a 480% increase in breaches reported to the FCA in 2018 (145) compared to 2017 (25). (FCA data, year-end December 31 2018)

The cost of a breach: £9,270 is the average annual cost for medium-sized businesses that lost data or assets after breaches.* (Cyber Security Breaches Survey 2019)

*Note: This figure is likely to overlook indirect, long-term and intangible costs of breaches, e.g. lost productivity or reputational damage.
So what is cybersecurity and what does it focus on? Cybersecurity is focused around the following key areas:

- Data confidentiality – keeping your business (and personal) data safe and out of reach from unauthorised access as part of the Data Protection Act 2018 regulation that every business is bound by.
- Data integrity – keeping data restricted and stopping unauthorised parties from creating, altering or deleting the data.
- Authenticity – ensuring that the data is correct (authentic) and free from any fabrication or forgery.

To demonstrate the importance of cybersecurity, this whitepaper covers a range of real-life cyber-attacks, including hacking, security vulnerabilities and data theft, from a range of industry sectors.

Contents
A Hacker’s Manifesto
Types of Cyber-Attack
Best Practices and Preventative Measures
Incident Response Plan
Six Degrees of Cyber Security
Useful Resources
References
About Us
A Hacker’s Manifesto

Today, threat actors are becoming increasingly polarised. Lower end hackers, often called ‘script kiddies’, tend to use pre-packaged tools that are widely available for purchase on the dark web to launch relatively primitive yet still effective cyber-attacks. Meanwhile, more sophisticated hackers have become involved in phishing and spear phishing attacks to facilitate fraudulent payments. And at the higher end, possibly even up to nation state level, hackers have become increasingly involved in industrial espionage.

Why Are Hackers Successful?

Hackers are human, come in all different shapes and sizes and have different agendas. A well organised and highly skilled hacker will always seek new ways of breaking new technology software and protected business systems in order to complete their mission. However, they can also make mistakes and in some cases leave an audit trail for cyber forensics to trace them. As a result of this, specialised task forces are being set up by governments to capture the cybercriminals and reduce the threat posed by cyber-attacks.

Disclaimer: Not all hackers are cybercriminals. Ethical hackers attempt to gain access to computer networks in order to test their security. At Six Degrees, a lot of the penetration testing work we carry out for clients could be considered ethical hacking. For this whitepaper, however, we will focus on the other end of the spectrum – what you could term ‘unethical’ hacking.
What Motivates Hackers?

In many cases, hacking is very much an organised crime. The severity of a cyber-attack depends on the information that hackers are trying to intercept or steal, along with the types of systems they are trying to infiltrate. In terms of financial services, hackers are often looking to:

- Steal financial information. This can include bank account details, credit card details, social security numbers, national insurance numbers and any other valuable information they can use to commit fraud against employees, customers, or both.
- Obtain highly sensitive business information. Attackers often attempt to gain access to target systems and, once inside, stay undetected whilst they move laterally across the network. Exploiting elevated privileges, they aim to steal data such as customer details, business plans, marketing strategies, investment details, sales forecasts and financial data.
- Install viruses, malware and execute DDoS (Distributed Denial-of-Service) attacks to impair the organisation and create chaos across the sector and stock exchange.
- Create general disarray. Some cyber-attacks such as the Petya ransomware, first discovered in 2016, were ineffective at making money. Instead, it seems that their primary motivation was causing as much chaos and damage as possible.
Types of Cyber-Attack

The financial services and insurance sectors are recognised as some of the most advanced sectors in the world, and are highly attractive to cybercriminals because they offer ready electronic access to funds and markets. Cyber-attacks on financial services and insurance firms are becoming more frequent, sophisticated and widespread.

To identify potential risks, vulnerabilities and threats that cyber-attacks can have on financial services organisations we’ve compiled a categorised list, along with real life examples in which cyber-attacks against well-known organisations have been successful in the past:

Human Risk

1. Physical Access
Gaining direct physical access to a company’s IT infrastructure and connecting devices to intercept and transmit highly confidential and secure information outside the network.

Barclays Bank Hack
A group of hackers stole £1.3 million in 2013 by hijacking the IT systems of a Barclays Bank branch. In order to launch the attack, a hacker posed as an IT engineer to access the branch in Swiss Cottage, North London. Once they had gained access, the hacker planted a device that allowed the group to access the Barclays Bank network remotely and transfer money into their own accounts. [1]
2. Insider Malicious Activities
A rogue employee steals or destroys data. This can be for personal reasons, but is often on behalf of a third party. Cybercriminals have been known to target office cleaners, for example, persuading them to steal or destroy confidential data.

Morrisons Hack
In 2014, a disgruntled employee of the Morrisons supermarket chain leaked a database that included payroll details of over 100,000 employees. The employee worked as an IT auditor for the firm and leaked the data in ‘revenge’ for what they saw as an incorrect and unfair disciplinary procedure. [2]

3. Stolen Equipment
Leaving laptops, smartphones and other devices unattended or subject to theft can provide hackers with the opportunity to access the data stored on the device, and potentially access to the network they are connected to.

Bank Breaches Caused by Lost Equipment
In 2016, cloud security firm Bitglass reported that one in four breaches (25.3%) in the US financial services sector were due to lost or stolen devices – more than hacking, which accounted for 20% at the time. [3]
4. Hard Copies of Sensitive Data
An employee may carry highly sensitive information in files and folders that are at risk of ending up in the wrong hands. This data can be reproduced without any audit trail and may even be published online.

National Security Agency Leak
In 2017, National Security Agency employee Reality Leigh Winner printed out a top-secret intelligence report that detailed Russian interference in the previous year’s US elections. She then posted the printed document to a news outlet, who published it online shortly thereafter. [4]

5. Destruction of Data
The disposal of computer equipment should be carried out correctly through approved companies to ensure that highly sensitive data is permanently destroyed. Highly sensitive papers should always be securely shredded.

Some relevant regulatory requirements to be aware of:

ISO27001
Under section 18.1.3 Protection of records, it states that “The system of storage and handling should ensure identification of records and their retention period as defined by national or regional legislation or regulations, if applicable. This system should permit appropriate destruction of records after that period if they are not needed by the organisation.”

GDPR
Article 5(1)(f) of the GDPR concerns the ‘integrity and confidentiality’ of personal data. It says that personal data shall be: ‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’
Technology Risk

6. Phishing
Targeting clients of a particular financial firm through phishing emails to gain access to a user’s sensitive information. The email is carefully crafted to look legitimate to the user, encouraging them to click a link. Once the link is clicked, a hacker can gain access to the files and folders on the computer and possibly take ownership of the user’s account, sending instructions to the financial institute to move or transfer money into the hacker’s accounts.

Phishing Attack on US Firm
In 2015, an accountant working at a US firm received an email supposedly from her CEO requesting a transfer of $737,000 to a bank account in China that day. This was followed up by an email from a lawyer with a letter attached containing the company stamp and the CEO’s signature. The money was transferred, and it was only by chance the next day that the CEO found out about the transfer and explained that he had never requested it. [5]

7. Ransomware
Ransomware’s primary aim is to extort money from businesses and individuals who are infected. It achieves this by encrypting files that are saved locally and on shared drives connected to affected machines. Once files have been encrypted, the user is notified and asked to pay money in Bitcoins (an online value and payment method) in order to obtain a key that will unencrypt the files.

WannaCry Ransomware
On Friday 12th May 2017 news broke of a successful cyber-attack on the NHS that resulted in severe operational issues for hospitals throughout the United Kingdom. The NHS – along with hundreds of thousands of other victims in 150 countries – were attacked by WannaCry ransomware. WannaCry is only the latest of a number of strains of ransomware to emerge in recent years, following the likes of CryptoLocker, CryptoWall, and Locky. [6]
8. Viruses
Clicking corrupt links and installing infected software can download and install a virus onto your computer systems. The virus attaches itself to another program or file in order to reproduce and to execute its code which affects the computer.

9. Worms
A self-sustaining running program that replicates over networks using protocols. Worms can be designed to monitor and collect server and traffic activities to then transmit back to the cyber-attacker.

Conficker Worm
Having seen the success of using worms to propagate ransomware in the WannaCry attack (see 7. Ransomware above), it’s possible that hackers may be encouraged to use this automated and faster method of spreading malware through a network and beyond. Prior to WannaCry, the last significant worm was Conficker in 2008, which initially infected over 9 million systems and is still being detected in 2019, affecting systems that have still not been patched. [7]

10. Trojan Horses
These can be a combination of viruses and worms that can be found in software trial versions, emails and web browsers. A Trojan can gather highly secure information without the user even knowing about it.

11. Software Vulnerabilities
Using out of date software or operating systems can pose potential risks. Hackers are always seeking ways to infiltrate software, and out of date versions are always at risk of being exploited.

12. Internet of Things
With the number of devices connected to the Internet continually increasing, it is highly likely that we will see more attackers using the Internet of Things (IoT) to commit crimes. The research company Gartner predicts there will be 26 billion devices connected worldwide by 2020. Many internet-connected devices sold to consumers lack basic cyber security provisions. With so many devices unsecured, vulnerabilities will continue to be exploited and used for activities (such as DDoS attacks) without the user’s knowledge.

Current attacker business models are still in their infancy and mostly focused on DDoS. Many of the machines that have been compromised to date are not well suited for crypto-mining (due to low processing power), or man-in-the-middle attacks (due to the need to break secure connections).

Hacked via a fish tank
A casino in North America recently had its data breached after hackers were able to get onto the casino’s network via an internet-connected fish tank. [8]

13. Crypto-Jacking
Cybercriminals deliver cryptocurrency miners through malware. If a user visits a compromised website, malware is installed that utilises their computer’s spare processing power to mine digital currency.

14. Supply Chain Compromises
Cybercriminals can target legitimate commercial software downloads and patch updates, compromising end users and damaging the reputation of the software providers.

Metro Bank Fraud Attack
In February 2019 Metro Bank revealed that some of its customers had been hit by a fraud attack that targeted a weakness in the text messaging systems used by telecoms companies to verify bank transactions. A spokesperson for Metro Bank claimed that they were part of a wider attack on British banks. In order to launch the attack, hackers exploited flaws in SS7 - a protocol that telecoms companies use to coordinate how they route texts and calls throughout the world. [9]
Regulatory Risk

15. Changes in Financial Regulations
With recent changes in the financial services sector, all data now has to be stored for longer and has to be stored securely for a period of time. In the event of any investigation, this data may be transferred outside the company’s network to an authorised third-party. Once data leaves the company’s network, the company can no longer protect it.

Third party data breaches
Third party data breaches are a growing concern within the industry and have been for some time. A misconfigured server of a third-party vendor exposed millions of bank loan and mortgage documents that belong to Ascension, a Texas-based data and analytics company for the financial industry. The documents contain sensitive information for many major financial institutions including CitiFinancial, HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments. The third party involved, OpticsML, provides OCR (Optical Character Recognition) services to convert paper documents and handwritten notes into computer-readable files. [10]
Best Practices and Preventative Measures

As we’ve already discovered, cyber-attacks and hackers can come in many different shapes and sizes, and their purpose or aim can be very much different for each attack. When considering preventative measures, you should think about the possibility of a cyber-attack and where there may be vulnerabilities. Cybercrime is not just about IT security processes, it is about people’s access to computers. For example, it wouldn’t be very effective having all the latest security patches and software installed within the IT infrastructure if an unauthorised person could walk into your server room and walk out with a piece of crucial equipment.

The measures below are grouped into four areas: physical security; cybersecurity and IT; security awareness training; and accreditations.

So let’s first look at physical security:

- All doors containing access to IT equipment should be locked with only authorised personnel having access.
- Entrance points to the building should be manned with visual verification of identity.
- Ensure all visitors sign in and are escorted in the building.
- Ensure the premises has monitored CCTV.
- IT cabinets and cages should remain locked and a log book kept of entry.
- Empower staff to challenge people – ask to see their entry badge if one is not displayed.
Cybersecurity and IT:

- Enforce an Access Control Policy to outline user privileges and restrictions – not all users need access to every system and data.
- Enforce good password policies – National Institute of Standards and Technology (NIST) advice is now to utilise longer passphrases. Length is the key, and not perceived complexity from a human angle, which means nothing to a brute force attack. Good passphrases are at least 15 characters long, and should only be changed if there is a suspicion that they may have been compromised. Microsoft, for example, is removing password expiry controls from its software.
- Conduct regular tests on your IT systems to check for vulnerabilities and weaknesses.
- Backup data and systems at least once per day.
- Ensure that all systems are password restricted.
- You should also monitor each login across the network to identify failed attempts and potential security breaches.
- Enforce an Acceptable Use Policy for all users outlining what is and is not acceptable behaviour. This usually involves using the Internet, the types of sites that should not be accessed and using the systems for personal use.
- Enforce a Mobile Device Policy outlining user responsibilities, security and encryption of the data, the process for reporting a lost or stolen device, and remotely wiping the device to remove all data.
- Ensure you have an Incident Response Policy outlining who is responsible for managing security incidents, how incidents should be reported and investigated, and how these should be communicated to the affected parties.
- Be vigilant when opening emails – check the subject line and the name of the sender before opening the email. Do not click links in emails unless you know where they are directing you (if you hover over the link it will expose the destination URL in the bottom left hand corner of your screen). If it is going somewhere you do not recognise, don’t click it. If you receive attachments from people you do not recognise, do not open them. Only open attachments in emails if you are expecting them.
- Adopt a white-listing approach for recognised emails and black-list suspicious emails, block senders and spam to protect your mailbox.
- Ensure that you keep all your systems and software up-to-date with the latest updates.
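The login monitoring recommended above, as an added example that is not part of the whitepaper: a small detector run over constructed log lines that flags an account hit by repeated failures from one source, and (going a step beyond the text) one source trying many different accounts, and a success that follows a burst of failures. The one-event-per-line key=value log format, the hostnames, the addresses and the thresholds are all assumptions made for this example.

```python
"""Monitor login events for failed attempts (constructed example).

The one-event-per-line key=value log format, the hostnames, the addresses
and the thresholds below are all assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = """\
2019-05-13T09:00:01Z host=fs01 user=alice src=10.0.1.20 result=OK
2019-05-13T09:01:10Z host=fs01 user=bob src=10.0.1.21 result=FAIL
2019-05-13T09:01:40Z host=fs01 user=bob src=10.0.1.21 result=OK
2019-05-13T09:02:00Z host=mail01 user=carol src=198.51.100.7 result=FAIL
2019-05-13T09:02:05Z host=mail01 user=carol src=198.51.100.7 result=FAIL
2019-05-13T09:02:11Z host=mail01 user=carol src=198.51.100.7 result=FAIL
2019-05-13T09:02:18Z host=mail01 user=carol src=198.51.100.7 result=FAIL
2019-05-13T09:02:25Z host=mail01 user=carol src=198.51.100.7 result=FAIL
2019-05-13T09:02:31Z host=mail01 user=carol src=198.51.100.7 result=OK
2019-05-13T09:10:00Z host=vpn01 user=dave src=203.0.113.9 result=FAIL
2019-05-13T09:10:02Z host=vpn01 user=erin src=203.0.113.9 result=FAIL
2019-05-13T09:10:04Z host=vpn01 user=frank src=203.0.113.9 result=FAIL
2019-05-13T09:10:06Z host=vpn01 user=grace src=203.0.113.9 result=FAIL
"""

FAIL_THRESHOLD = 5    # failures for one account from one source inside WINDOW
SPRAY_THRESHOLD = 4   # distinct accounts that have failed from one source
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Turn '<timestamp> k=v k=v ...' into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if sep:
            event[key] = value
    if not {"user", "src", "result"} <= set(event):
        return None
    return event


def detect(log_text):
    """Return (alert_type, src, detail) tuples, in the order the alerts fire."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    fails = defaultdict(list)   # (src, user) -> failure timestamps in WINDOW
    tried = defaultdict(set)    # src -> accounts that have failed from it
    seen_bf, seen_spray = set(), set()
    for e in events:
        key = (e["src"], e["user"])
        # Keep only the failures that fall inside the sliding window.
        recent = [t for t in fails[key] if e["ts"] - t <= WINDOW]
        if e["result"] == "FAIL":
            recent.append(e["ts"])
            fails[key] = recent
            tried[e["src"]].add(e["user"])
            if len(recent) >= FAIL_THRESHOLD and key not in seen_bf:
                seen_bf.add(key)
                alerts.append(("brute_force", e["src"],
                               f"{len(recent)} failures for {e['user']}"))
            if len(tried[e["src"]]) >= SPRAY_THRESHOLD and e["src"] not in seen_spray:
                seen_spray.add(e["src"])
                alerts.append(("password_spray", e["src"],
                               f"{len(tried[e['src']])} accounts tried"))
        else:
            # A success on the heels of a burst of failures is worth a look.
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("success_after_failures", e["src"],
                               f"{e['user']} logged in after {len(recent)} failures"))
            fails[key] = []
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

On the sample above the detector raises three alerts: a brute-force run against carol from 198.51.100.7, the success that immediately follows it, and a password spray from 203.0.113.9.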
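The “hover over the link to see where it really goes” check above, automated as an added example that is not from the whitepaper: it parses the anchors in an HTML message and flags any link whose visible text names a different host from the real destination, or whose destination is a bare IP address. The sample message, its domains and addresses are all constructed for this example.

```python
"""Flag email links whose visible text disagrees with the real destination.

Constructed example: the message body and every domain in it are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: a mix of honest and deceptive links.
SAMPLE_HTML = """
<p>Dear customer, please review your statement at
<a href="http://secure-login.example-bank.co.uk.attacker.example/login">
https://online.example-bank.co.uk/statements</a>.</p>
<p>Questions? Visit <a href="https://www.example-bank.co.uk/help">our help centre</a>
or <a href="https://support.example-bank.co.uk">support.example-bank.co.uk</a>.</p>
<p><a href="http://203.0.113.45/update">Update your details</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible_text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lowercase host of a URL, or of bare text that looks like a hostname."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlsplit(candidate).hostname or "").lower()


def looks_like_domain(text):
    """True when the visible text is a single token containing a dot (URL-ish)."""
    tokens = text.split()
    return len(tokens) == 1 and "." in tokens[0]


def check_links(html):
    """Return (href, text, reason) for every anchor that deserves suspicion."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = host_of(href) if href else ""
        if not real:
            continue
        if real.replace(".", "").isdigit():
            # Legitimate organisations rarely send links to a raw IPv4 address.
            findings.append((href, text, "link target is a bare IP address"))
        elif looks_like_domain(text):
            shown = host_of(text)
            # The shown host is fine if it equals the real host or is its parent
            # domain; anything else means the user would land somewhere unexpected.
            if shown != real and not real.endswith("." + shown):
                findings.append((href, text,
                                 f"text shows {shown} but link goes to {real}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_HTML):
        print(f"{reason}: '{text}' -> {href}")
```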
Security awareness training:

An appropriate programme of security awareness training is essential for any firm wishing to stay safe from cyber-attack.

More than 90% of security breaches involve human error, with careless mistakes ranging from lost or stolen laptops to clicks on malicious links in phishing emails.

To change security behaviour, employees need to know what to do, care enough to improve and then do what’s right when it matters.

An effective – and we stress effective – security awareness program will change behaviour and lower risk. There are a number of cybersecurity providers who can advise you on best practices and help you to implement effective programmes that will allow you to engage and train your staff in the importance of cybersecurity and how they can help to protect your business.

Cybersecurity champions are a great way to embed security principles in your business. You should allocate responsible owners within each operating location and business area; they will help to influence their departments and drive cybersecurity engagement on the ground.
Accreditations

Standards such as Cyber Essentials Plus provide good practice frameworks, allowing you to benchmark your firm’s cybersecurity posture. Just remember that these standards provide minimum best practice measures; attaining one or more standards does not in and of itself make your firm secure.

As organisations we need to move away from seeing attainment of these ‘badges’ as a sign of good security in itself. Cybersecurity should be viewed like data privacy in that it is a path along which the company should travel. There is no ‘end game’ – the danger with accreditations is the inevitable drop off in compliance once a certificate has been awarded. Embedding good process and design into BAU functions is the key to a successful cybersecurity strategy.
Incident Response Plan

Very few organisations (16% of businesses) [11] have formal cybersecurity incident management processes in place. Although the finance and insurance sector is leading the way with around 2 in 5 (43%) having an incident management process in place, [12] this continues to be the area in the Government’s 10 Steps to Cyber Security guidance where organisations are least likely to have taken action. [13]

Cybersecurity is not limited to theft or intercepting information; it is about recovering from a cyber-attack, protecting your IT infrastructure’s integrity and taking additional preventative measures to ensure that it does not happen again.

To minimise the impact of any cyber-attack, businesses should create an Incident Response (IR) plan. IR plans are designed to manage cybersecurity incidents in order to speed up recovery, reduce damage and costs, and enhance the confidence of stakeholders. Plans must be sufficiently detailed to be useful and flexible enough to cope with a myriad of potential incidents.

Incident Response Plan Components

Ideally an IR plan should include the following six components:

1. Incident Classification. Classifying different types of incident, typically unauthorised access, malicious code, denial of service and inappropriate usage.
2. Data Classification. Understanding the various types of data, the respective stakeholders and different impacts and responses.
3. Performance Targets. Setting out targets for each different incident type and data type.
4. Operating Models. Defining operating models and RACI classifications based on data classification. Includes decision makers and escalation plans.
5. Identify Weaknesses. Continually working to identify and remedy weaknesses in the IR plan.
6. Tools and Guidelines. Tools for use in the event of an incident, such as checklists, and guidelines for key considerations such as compliance.

Absolutely key to IR plans is that they are thoroughly and regularly tested – the first time you use an IR plan should not be when you have an incident. ‘Table top’ exercises to identify weaknesses in process are essential.

Clear communication with all stakeholders is essential too. Also, legal requirements such as the 72 hour initial breach notification to the ICO (under the DPA and GDPR requirements) if it is suspected that personal data is involved, must be considered.

Building an Incident Response Plan

The following steps should be considered when building an IR plan:

- Understand the Environment. Start with your DR plan, BCP and understanding of your business people and processes.
- Identify Key Data. Identify your key data, understand the associated risks and develop a response for each.
- Build the IR Plan. Build your IR plan, making sure to engage with key stakeholders.
- Business Integration. Integrate the IR plan into your business’s everyday processes. Its value will increase the more it becomes a part of operations.
Six Degrees of Cyber Security

Now more than ever, cybersecurity is something that all businesses should take seriously, especially those within the finance sector.

This whitepaper has provided an overview of high-profile incidents that have taken place in the past twelve to eighteen months, types of cyberattack, information on hackers and some examples of how regulatory bodies are focussing on the threat of cyberattack. This has been balanced by information on best practices, preventative measures that can be taken and how to plan for the worst, should it ever happen.

The main take away from this whitepaper should be that any business, regardless of its size or reputation, is at risk from cyberattack. The key to minimising the risk of attack is to remain active and engaged. Simply deploying systems and leaving them running is not sufficient – you should be continually assessing the security of your systems, the knowledge of your employees, the effectiveness of your processes and the integrity of your business data. Through taking the following six security steps you can significantly reduce your business’s exposure to cybercrime:

1. Secure Your Systems
2. Educate Your Employees
3. Manage Your Data
4. Implement Cybersecurity Governance
5. Employ a CISO or vCISO
6. Stay Up-to-Date
1. Secure Your Systems
Introduce security measures such as antivirus, endpoint protection, two factor authentication, mail filtering and intrusion detection. Ensure that systems are securely protected by firewall and remain constantly updated with the latest security patches. Consider the use of threat detection / intelligence services and outsourced security operations functions, if they do not exist within your company.

2. Educate Your Employees
Perhaps the single greatest risk to your data is your employees. Make sure that they are trained on how to use email and browse the Internet safely, and ensure that their access to systems (especially remotely) is controlled and secure.

3. Manage Your Data
Managing data is about securely holding and classifying information, but also about controlling how it is accessed by third parties and how it leaves the business. Every time data enters the world outside your private network, it becomes virtually impossible to control.

4. Implement Cybersecurity Governance
Governance is a key element of a robust cybersecurity strategy. The cybersecurity threat landscape is constantly shifting, and the FCA continues to reiterate the importance of cybersecurity to all regulated firms. Cybersecurity governance is a key aspect of any business’s security preparedness, and to implement governance throughout your firm you will need representation and engagement from the top down.

5. Employ a CISO or vCISO
All firms should have a CISO or virtual CISO (vCISO) in place. Your firm needs dedicated personnel with no conflict of interest to hold security responsibilities and protect you against both external malicious actors and insider threats.

6. Stay Up-to-Date
Cyber threats are constantly evolving, and your business can’t stand still when it comes to being prepared for attack. Stay up-to-date with threats and vulnerabilities, keep your systems patched to the current levels and continually educate your employees.
For support on improving your cybersecurity posture, contact us at brilliance@6dg.co.uk or call +44 (0)20 7858 4935
Useful Resources The Financial Conduct Authority runs regular cyber coordination groups, bringing together firms across different financial sectors to share their cyber experiences and practices. Their purpose is to promote understanding and awareness and aid improvement. Their March 2019 cyber security industry insights document includes notes on a wider range of areas from governance and identifying and protecting assets, to detection and response including testing and refining your approach. Read more here: https://www.fca.org.uk/publication/research/cyber-security-industry-insights.pdf The National Cyber Security Centre is the UK’s independent authority on cyber security, supporting and working collaboratively both private sector businesses and public sector organisations to reduce harm from cyber security incidents in the UK. They have compiled a helpful Board Toolkit to encourage essential discussions to ensure Boards are bought into improving the cybersecurity of the organisations. Check it out here: https://www.ncsc.gov.uk/collection/board-toolkit The Department for Digital, Culture, Media and Sport publishes an annual Cyber Security Breaches Survey, with statistics and insights taken from a survey of UK businesses and charities. The report helps organisations to understand the nature and significance of cybersecurity threats faced and what others are doing to mitigate risks and stay secure. You can view their 2019 survey here: https://www.gov.uk/government/statistics/cyber-security-breaches- survey-2019 Raconteur published a Cybersecurity special report in The Sunday Times in February 2019, challenging business leaders and policy makers on their terms. The report explores threat detection, threat prevention, contingency planning and holistic security solutions as well as focusing on business consequences of security breaches. 
Explore these topics here: https://www.raconteur.net/cybersecurity-2019 For the latest news and updates on cyber attacks and tips on how to keep your business safe, check out 6dg.co.uk/news
Six Degrees

Six Degrees is a cloud-led managed service provider. It works as a collaborative technology partner to businesses making a digital transition. Always placing clients at the heart of its strategy, Six Degrees' passionate teams combine technical expertise and deep sector-specific knowledge to innovate, craft, and manage the right solutions to power their businesses. The breadth and strength of Six Degrees' technology is its foundation. Solutions range from data and application performance management through to colocation and unified communications, all with private, public, and hybrid cloud at their core. Six Degrees works collaboratively and builds long-term partnerships through exceptional services that match its clients' needs. It continually innovates the right solutions to enable clients' brilliance. For more information, visit www.6dg.co.uk, email brilliance@6dg.co.uk or call +44 (0)20 7858 4935

CNS Group – A Six Degrees Company

CNS Group gives its clients access to the most dedicated experts in Information Assurance and Cyber Security. The Group aims to ensure focus and specialisation within its companies, so that each group company is second to none and brimming with excellence, experience and enthusiasm. CNS' customers vary in size, from FTSE 100 and large public sector organisations to SMEs, but are united in the importance of digital information to their business and in their desire for pragmatic, knowledgeable help in securing their systems and data and meeting their connectivity requirements. By working with us, you can be assured of access to the latest security intelligence, to an understanding of the latest regulatory requirements, and to experts in cyber security and Information Assurance. The Group's clear mission statement is to save its clients' time, worry and expense by remaining at their side, helping them to build, manage and continually improve their IT business systems with confidence.
For more information, visit www.cnsgroup.co.uk