
Tag: ISO 27001

InfinityQS Upholds ISO 9001:2015 & ISO 27001:2013 Certifications

Prestigious certifications demonstrate company’s ability to achieve and maintain an integrated process approach to deliver quality management systems and meet information security standards

InfinityQS® International, Inc. (InfinityQS), the global authority on data-driven manufacturing quality, announced today that it has successfully sustained its certification to the International Organization for Standardization (ISO) 9001:2015 and ISO 27001:2013 standards. In doing so, the company reaffirms its ability to achieve, maintain, and continuously improve an integrated process approach to deliver quality... Source: RealWire

MyLife Digital celebrates ISO 27001 certification

MyLife Digital is delighted to announce its successful certification for the ISO 27001 information security standard. Audited by LRQA, MyLife Digital ran various early initiatives as part of the robust requirements for certification. It also implemented a rigorous staff training and awareness programme for information security, as well as running effective risk assessment and risk treatment activities.

John Hall, CEO of MyLife Digital, commenting on the achievement, says, “As an organisation handling the personal data of millions... Source: RealWire

Azure Security Center Now Guards Windows Server 2016 VMs

Microsoft has added Windows Server 2016, its latest server operating system, to the roster of virtual machines supported by its Azure Monitoring Agent cloud-based threat protection offering. With the holidays out of the way, Microsoft has returned to r...

Travel booking systems ‘wide open’ to abuse – report

Let me check my Rolodex... T for Travel Agent ...

Legacy travel booking systems disclose travellers’ private information, security researchers warn. Travel bookings worldwide are maintained in a handful of Global Distribution Systems (GDS) built around mainframe computers linked to the web but without adequate security controls, say the researchers. “The systems have since been interwoven with web services, but still lack several web security best practices,” according to researchers from German security firm Security Research Labs.

The three largest travel booking systems - Amadeus, Sabre, and Travelport - administer more than 90 per cent of flight reservations as well as numerous hotel, car, and other travel bookings. All three systems use a booking code (aka PNR locator, a six-character alphanumeric string such as 8EI29V) to access and change travellers’ information. This authenticator is printed on boarding passes and luggage tags. The firm claims anybody able to find or take a photo of the pass or tag can theoretically access the traveller’s information – including email address and phone number – through the GDS or an airline’s website.

Traveller information is also at risk because the authentication strings can be brute-forced, say the researchers. Two of the three main GDSes assign booking codes sequentially, further shrinking the search space an attacker has to cover. Airlines and GDS systems fail to block IP addresses after a large number of unsuccessful booking-lookup attempts, claims the firm. “Given only passengers’ last names, their booking codes can be found over the Internet with little effort,” the researchers conclude.

Obtaining a booking code opens the door to all manner of abuse, the researchers claim. The booking overview typically contains contact information such as phone number, email, postal address, travel dates and preferences, and often passport information. Worse yet, most airlines allow flight changes - some even cancellations for a voucher - potentially allowing hackers to steal flight credits and travel for free. By changing the frequent flyer information in the booking, a fraudster can steal miles without taking any flights. Lastly, knowing the details of a booking that has just been made – which is possible in GDSes that use sequential booking codes – gives attackers a launchpad for social engineering, asking travellers for their payment information or frequent traveller credentials, claims the firm.

El Reg invited Amadeus, Sabre, and Travelport to comment on the research. In a statement, Amadeus said it was reviewing the findings:

“Amadeus is assessing the findings of the research on travel industry security, and we have upgraded security to our own properties. We give the security of customer systems and data the highest priority and our systems and processes are under continuous review. We will take these findings into account and work together with our partners in the industry to address the issues that have been exposed here and seek solutions to potential problems.”

Travelport offered a generic statement saying that it takes security seriously, without commenting on the specifics of Security Research Labs’ research:

“Cyber security and the privacy of customer data are critical priorities for Travelport and an area in which we invest extensively and lead. As such, we make ongoing investments in our own systems, and also engage with the various industry bodies we participate in, to implement any changes recommended in support of the general digital travel booking ecosystem. In recognition of our focus in this area, earlier this year, we were the first GDS to be certified for ISO 27001 compliance, an industry standard acknowledging our commitment to responsibly manage both our data and that of our customers worldwide.”

We’ve yet to hear back from Sabre.

“Global booking systems have pioneered many technologies including cloud computing,” the researchers conclude. “Now is the time to add security best practices that other cloud users have long taken for granted.” “In the short-term, all websites that allow access to traveller records should require proper brute-force protection in the form of CAPTCHAs and retry limits per IP address,” they add.

Details of the research were presented at the 33C3 conference last week, in a talk entitled Where in the World Is Carmen Sandiego?: Becoming a secret travel agent; a slide deck (PDF) and a 60-minute video of the presentation are available.
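The two weaknesses the researchers describe (a six-character code that can be guessed, made worse by sequential allocation, against an endpoint that never refuses repeated failures) and their recommended fix (retry limits per IP, alongside CAPTCHAs) can be made concrete. The Python below is an added example, not code from Security Research Labs, The Register or any GDS: the booking record, client IP addresses, thresholds and the base-36 model of sequential allocation are assumptions for the demo, and real GDSes use their own alphabets and allocation schemes.

```python
"""Booking-code (PNR locator) lookup with per-IP retry limiting.

Added example, not code from Security Research Labs or any GDS. The bookings,
client IPs, thresholds and the base-36 allocation below are constructed for
illustration; real GDSes use their own alphabets and allocation schemes.
"""
import time
from collections import defaultdict, deque

# Assumed alphabet for a six-character locator: 0-9 plus A-Z (36 symbols).
LOCATOR_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOCATOR_LENGTH = 6


def search_space(alphabet_size: int, length: int) -> int:
    """Distinct locators an attacker must consider if codes are issued at random."""
    return alphabet_size ** length


def locator_to_int(locator: str) -> int:
    """Interpret a locator as a base-36 number (models sequential allocation)."""
    value = 0
    for ch in locator.upper():
        value = value * len(LOCATOR_ALPHABET) + LOCATOR_ALPHABET.index(ch)
    return value


def int_to_locator(value: int, length: int = LOCATOR_LENGTH) -> str:
    chars = []
    for _ in range(length):
        value, digit = divmod(value, len(LOCATOR_ALPHABET))
        chars.append(LOCATOR_ALPHABET[digit])
    return "".join(reversed(chars))


def sequential_candidates(start: str, count: int):
    """Locators an attacker tries if they know roughly when a booking was made
    and the GDS hands out codes in sequence: a tiny slice of the full space."""
    base = locator_to_int(start)
    return [int_to_locator(base + i) for i in range(count)]


class RetryLimiter:
    """Sliding-window count of failed lookups per client IP (the retry limit the
    researchers recommend). A CAPTCHA step would sit alongside this."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)

    def _prune(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip) -> bool:
        self._prune(ip, self.clock())
        return len(self._failures[ip]) >= self.max_failures

    def record_failure(self, ip):
        now = self.clock()
        self._prune(ip, now)
        self._failures[ip].append(now)


class BookingLookup:
    """Minimal 'manage my booking' endpoint keyed on last name plus locator,
    as airline sites are. Failures count against the caller's IP."""

    def __init__(self, bookings, limiter):
        self.bookings = {(loc.upper(), name.upper()): rec
                         for (loc, name), rec in bookings.items()}
        self.limiter = limiter

    def lookup(self, client_ip, last_name, locator):
        if self.limiter.is_blocked(client_ip):
            return {"status": "rate_limited"}
        record = self.bookings.get((locator.upper(), last_name.upper()))
        if record is None:
            self.limiter.record_failure(client_ip)
            return {"status": "not_found"}
        return {"status": "ok", "booking": record}


def brute_force(service, client_ip, last_name, candidates):
    """Attacker loop: try candidate locators until a hit or until the endpoint
    starts refusing. Returns (final status, attempts made)."""
    attempts = 0
    for locator in candidates:
        attempts += 1
        result = service.lookup(client_ip, last_name, locator)
        if result["status"] != "not_found":
            return result["status"], attempts
    return "exhausted", attempts


def make_demo_service(max_failures):
    # Constructed booking; 8EI29V is the sample locator quoted in the article.
    bookings = {("8EI29V", "Smith"): {"flight": "XX123", "email": "smith@example.com"}}
    return BookingLookup(bookings, RetryLimiter(max_failures=max_failures))


if __name__ == "__main__":
    print("random six-char locators:", search_space(len(LOCATOR_ALPHABET), LOCATOR_LENGTH))
    guesses = sequential_candidates("8EI29S", 20)
    print("no retry limit:", brute_force(make_demo_service(10**9), "198.51.100.7", "Smith", guesses))
    print("3 failures per IP:", brute_force(make_demo_service(3), "198.51.100.7", "Smith", guesses))
```

Run as a script, it shows the two sides of the argument: with no limit, a guesser who knows a recently issued code reaches the Smith booking on the fourth sequential try, whereas random allocation would leave it facing over two billion candidates; with a cap of three failures per address the fourth request is refused, while a different address can still retrieve the booking legitimately. A per-IP limit is the floor, not the ceiling: an attacker who rotates source addresses defeats it, which is why the researchers pair it with CAPTCHAs and why non-sequential codes matter.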

Semafone wins new US contracts totalling $7.5 million

New deals for UK payment technology provider include multi-million dollar contract with Fortune 500 insurer

Guildford, UK – December 7, 2016 – Semafone, which provides secure payment software for call centres, has reported three new client wins in North America worth $7.5 million, only six months after opening its headquarters in Boston.

The company’s substantial investment in its North American operations has contributed significantly to Semafone’s 30 per cent growth in its customer base worldwide.

The new US customer deals include:

  • A Fortune 500 insurance company, which will use Semafone’s solution to shield payment card information from agents and recordings, maintain regulatory compliance and minimise the risk of data breaches.
  • One of the most recognisable retail brands in the US, which will work with Semafone to simplify PCI DSS compliance and help its call centres provide a better customer experience.
  • A large US telecommunications service provider, which Semafone will help to reduce the scope of PCI DSS compliance in two of its call centres.

“This past year has been one of remarkable growth for the business,” said Tim Critchley, Semafone CEO. “Opening our North American headquarters and hiring high-calibre people has given us the foundation to extend our reach to some of the largest and most respected US companies within the insurance, communications and retail spaces.

“We look forward to continued success in 2017 as we help companies secure their call centres, fight fraud, maintain a positive brand reputation and keep customers’ most sensitive data safe.”

In addition to significant customer deals across the globe, Semafone has also formed strategic partnerships with other leading call centre solution providers, including BT Wholesale and Secure Co, to support a growing roster of worldwide clients.

In another testament to Semafone’s successful year in North America, the company won three 2016 CNP Awards, recognising its market-leading patented payment method for call centres.

Semafone recently expanded its global accreditations by gaining Level 1 Service Provider Status against v3.2 of the PCI DSS in North America.

Already a Level 1 Service Provider in Europe, a Visa (Europe) Merchant Agent and a global ISO 27001 company, Semafone attained this accreditation to mirror and extend current and new services into North America.

This includes Semafone’s in-house development and existing Payment Application Data Security Standard (PA DSS) products.

As a result, customers can rapidly access unique enhancements and updates to Semafone’s products, created with the PCI standards in mind.

For more information about Semafone, please visit: www.semafone.com

About Semafone
Semafone believes in the phrase, “You can’t hack what you don’t hold.” The company’s patented payment method enables call centres to secure sensitive payment card data to comply with PCI DSS, while providing positive experiences for customers and agents alike.

By shielding callers’ payment card information and other PII from agents, and keeping sensitive data out of the call centre’s infrastructure, Semafone’s solution helps to minimize the risks associated with potentially brand-damaging data breaches and fraud.

Semafone holds the four leading security and payment accreditations: ISO 27001:2013, PA DSS certification for its payment solution, PCI DSS Level 1 Service Provider and Visa Level 1 Merchant Agent.

The company was founded in 2009 and serves a wide range of industry sectors including financial services, media, retail, utilities, travel and tourism and the public sector.

Customers include Sky, TalkTalk, AXA and Virgin Holidays. North American customers include Rogers Communications, Consolidated Communications, Aviva Canada, Aimia, Amica and TVG.

BT offers a hosted version of Semafone’s technology - BT Cloud Contact PCI. Major investors include Octopus Investments and BGF (Business Growth Fund).

###

For more information please contact:
Xanthe Vaughan Williams / Lisa Coutts
Fourth Day PR
Xanthe@fourthday.co.uk / lisa.coutts@fourthday.co.uk
020 7403 4411

Thoughtonomy Achieves ISO 27001 Certification

Thoughtonomy is delighted to announce that it has achieved certification to the International Organization for Standardization’s ISO 27001:2013 standard.

ISO 27001 is a globally recognised certification that provides verification that an organisation is committed to the protection of assets and information governance. This externally audited certification analyses the business and demonstrates the implementation of information security management processes and controls to keep information secure. As part of the certification, organisations also commit to, and are assessed against, a continual programme of review, validation, and improvement.

Since its conception, Thoughtonomy has been focused on ensuring information security and data protection are treated as a priority within both the architecture and governance of the Virtual Workforce platform, and its business and support methodologies. The achievement of ISO 27001 certification serves to validate and demonstrate to its customers the rigorous measures taken to protect information assets within the business.

Terry Walby, CEO of Thoughtonomy, commented: “Achieving ISO 27001 certification is another exciting landmark in Thoughtonomy’s evolution as a business. It demonstrates our commitment to information security in alignment with industry best practices, and the delivery of an assured, secure, and proven automation platform to our customers. The fact that we achieved certification without any major or minor non-conformities is testament to our outstanding services and support team.”

About ISO/IEC 27001
ISO is an independent, non-governmental international organization with a membership of 163 national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market relevant International Standards that support innovation and provide solutions to global challenges. The ISO/IEC 27000 family of standards helps organizations keep information assets secure. Using this family of standards helps organizations manage the security of financial information, intellectual property, employee details and information entrusted to them by third parties. ISO/IEC 27001:2013 provides requirements for an information security management system, which is a systematic approach to managing sensitive information so that it remains secure, and covers people and processes as well as IT systems and applications.

About Thoughtonomy
The Thoughtonomy Virtual Workforce® is an as-a-service automation platform. It uses software to replicate the interactions of people and technology to automate a wide range of operational and support processes quickly, cost effectively and reliably. Deployed non-disruptively, it requires no replacement of systems, deployment of agents, software development or system integration. Headquartered in London, UK, Thoughtonomy works with leading service providers, integrators, outsourcers and enterprise clients globally to realise the enormous potential of virtual workers as part of a delivery organisation.

Contact: Victoria White, Thoughtonomy, +44 (0)333 577 5730, info@thoughtonomy.com

You’ve been hacked. What are you liable for?

'It won't happen to me...' but best be prepared

Hacking is big news and we’re all susceptible. In the UK, hackers could face jail time under the Computer Misuse Act, but the question on many businesses’ minds will be where the liability lies if they are hacked. The list of successful mega breaches continues to grow; extra-marital affairs site Ashley Madison hit the headlines last summer when data was exposed about its 37 million users, although it appeared many of those were fake accounts.

Earlier this year, Yahoo! revealed the numbers behind its 2014 data breach – 500 million user account credentials were stolen. In 2016, the SWIFT financial payments system was hacked, and this came after another group using the same approach stole $81m from the Bangladesh central bank.

Even the US central bank, the Federal Reserve, detected more than 50 cyber breaches between 2011 and 2015, according to cybersecurity reports obtained through a freedom of information request.

Regulator fine

Telecoms company TalkTalk has the dubious honour of having received the largest fine ever imposed by the Information Commissioner’s Office – £400,000 – for a cyber attack which allowed access to customer data “with ease”.

The ICO’s investigation revealed that TalkTalk could have prevented the attack by taking simple basic steps to protect customer information. The TalkTalk fine is far lighter than the £3m fine issued by the then-FSA in 2009 for not having adequate systems and controls to protect customers’ confidential information. But even that fine seems small compared to the new fines on the way under GDPR.
In general, failing to take appropriate security measures could lead to a fine of up to the higher of €10m or 2 per cent of an undertaking’s total worldwide annual turnover.
For the more serious categories of infringement, those ceilings double to €20m or 4 per cent. One of the difficulties facing organisations is that data protection legislation is vague when it comes to specifying the standards of protection required.

The Data Protection Directive and the UK Data Protection Act both require the data controller to “implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access”. This concept is carried over to the new EU General Data Protection Regulation, which will be enforced throughout the EU – yes, including the UK – from May 2018.
In fact, it also requires the controller to build in data protection by design and by default. What does this actually mean though? What measures are appropriate? Well, the ICO has not yet stipulated a particular minimum threshold for protection, but it generally penalises organisations that suffer the loss of unencrypted laptops and mobile devices.

The GDPR itself suggests pseudonymisation and data minimisation as part of a data controller's approach to protection. While the vagueness in the legislation might mean businesses aren’t clear on what they have to do, it also means the law doesn’t have to be constantly updated to specify the latest industry standards on data security.

Besides, every CISO I’ve spoken to has a clear understanding of what measures are appropriate, and it’s just whether they can persuade the CFO to allocate the budget for it.

Espionage

In March of 2016, a Chinese businessman pleaded guilty to conspiracy to hack the computer networks of US defence contractors holding information about the Stealth Bomber, which he was said to have passed to the Chinese government. If you operate in the defence industry, you are likely to have made various promises to the government under the Official Secrets Act or the US and other national equivalents. You will probably have a fairly good idea of what is expected of you, so we need not go into detail here, save to reiterate that breaches could amount to jail time.

Business failure

While state-sponsored hacking does happen, it seems most breaches are actually the result of either criminal activity or "kids messing around".

The Chinese government might not be after your business secrets, but your competitor might.

According to a SecureWorks report published earlier this year, hacking a competitor could be as cheap as $500 per mailbox. You should attempt to quantify how much it would cost your business if you are unable to prevent others from seeing your customer database or your price list. Or, in the worst-case scenario, all your business data is scrambled. Love or hate Coca-Cola and KFC, their businesses are based on keeping their recipes secret and out of the public domain.
If their recipes leak out, it could destroy their business. Why pay a premium for use of information if you can use it for free and develop a competitive product?

Lawsuits

While it’s unlikely you will get compensation from someone who hacks your data, you might have to pay out to your customer or supplier for any losses they sustain as a result. Every commercial and technology agreement I draft, whether I’m acting for a supplier or a customer, has a clause clarifying that both sides will protect confidential information.

This usually acts as a reminder of the general law of confidentiality, but the greater the perceived value of the information in question, the more the clause will supplement that with extra detail.

At the least it will say a party will use information disclosed to it only for the purposes of the agreement and will disclose it only to those people who need to know it and for the purposes of the agreement. A more robust clause might require the parties to get individual employees or subcontractors to execute a confidentiality undertaking.
Some clauses will say a party will protect the other’s confidential information to the same standard as it protects its own and, in any event, no less than a reasonable standard.
It will often have an acknowledgement that if the confidentiality obligation is breached, compensation would not be an adequate remedy and that a court injunction would be vital to protect confidentiality – although compensation will often be payable too, if it is too late for an injunction. Finally, many agreements contain an indemnity for breach of data protection or confidentiality obligations. Some business partners will undertake a data security audit of your business to ensure you have adequate measures in place.
Some will rely upon a warranty that you comply with ISO 27001 or some other data standard. At the least, it will turn upon whether you took a reasonable standard of care under the circumstances.

There will be no point relying upon a force majeure exception – an event beyond your reasonable control – if you should have taken stronger security measures.
In its criticism of TalkTalk, the Information Commissioner effectively issued a harsh warning to other organisations: “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations.

TalkTalk should and could have done more to safeguard its customer information.
It did not and we have taken action.” It is worth taking note of two recent court rulings (although neither involved hacking).
In October of 2016, the High Court granted an injunction preventing the misuse of confidential information obtained under customer-supplier relationship relating to the production of edible infused oils.
In June this year, in the culmination of a long-running dispute over misuse of confidential information, the Court of Appeal upheld a judgment that a business rival set up by ex-employees had to pay $485,000 compensation for developing a competitive mosquito net product indirectly using confidential information.

Reputation damage and loss of customers

Ultimately, if your customers desert you because you have lost their confidence after a data breach, this might be more costly than regulatory fines and legal action.

TalkTalk admitted to losing 101,000 customers and £60m due to the hack.

The ICO fine pales in comparison with a loss on this scale, which exceeds even the new maximum fines under the GDPR.

It won’t happen to me

Many businesses are convinced it won’t happen to them. Kevin Mitnick, arguably the world’s most famous hacker and now a trusted security consultant, commented recently that 80 per cent of US businesses have been hacked – many not even aware of it – and that HR and sales departments are the most often hacked because they are the least computer security aware. It is clear to me that affordable data breach fines will be phased out under GDPR, and Brexit is unlikely to change that.

Also, businesses have a clear remedy for a breach of confidence.
It might be time for you to reassess your data security and your confidentiality obligations.

Securing Office 365? There’s always more you can do

Don't just accept the defaults and hope for the best

Wherever you look there's yet another SME or enterprise migrating to Office 365.

This says a lot for the attractiveness of cloud-based office suites, and perhaps it also says something about the attractiveness of letting someone else look after one's SharePoint and Exchange servers rather than having to fight with their maintenance and upkeep internally. It also says a lot about the security of the platform: if there were any serious concerns there wouldn't be so many people using it (the figure I have to hand cites 60 million business customers as of spring 2016). What this tells us, though, is not that it's the Fort Knox of cloud-based office software: it merely says that it's secure enough for commercial organisations to accept it into their infrastructure.

Any system has scope for improvement, or for the user to layer further security mechanisms on top to make the setup even more attractive.
So what does Office 365 give us, and what can we do to take it further, security-wise?

Underlying directory services

One of the reasons people tend to trust Office 365 is that it's based on the directory service that everyone knows and is familiar with: Active Directory.

Cloud-based AD integrates with its on-premise peer very straightforwardly, and although in the past one tended to use outward federation (that is, AD was hosted and managed in-house and federated/synchronised to an external AD server) the story is now far more bi-directional, so you can manage the AD setup either internally or externally and it'll sync in either direction. Let's face it, it's difficult to criticise the fundamental security capabilities of a cloud-based AD setup because we've all been using it in-house for years and years.

Securing other apps

The other benefit you get if you adopt the Enterprise Mobility Suite on top of Office 365 is the ability to bring the user authentication of a variety of apps into a single user database.
Interestingly EMS gives you more than you'd be able to do with an in-house AD setup.
So as well as providing native AD authentication you can point all manner of other stuff at it – ODBC lookups, LDAP queries, Web services and of course other native AD servers.

But more interestingly there's a pile of specific support for a wide range of popular cloud-based apps (Salesforce is the one that's generally cited, so let's not buck the trend) and so you can move away from your plethora of separate user databases and toward a single integrated directory service.

Two-factor authentication

The problem with centralising your authentication, though, is that the impact of a breach on your central authentication database is far greater than a breach on a single application's own internal user database.
So the first thing you'll probably want to add to your Office 365 setup is two-factor authentication (2FA).

To be fair to Microsoft they do provide a 2FA mechanism of their own, but many of us already use third-party 2FA (RSA's SecurID is probably the best known, though more recently I've used Symantec's VIP offering) and it's understandable to want to stick with what you know.

And without trying to sound disparaging to Microsoft, there's something to be said for picking a different vendor for your 2FA in the interests of putting your eggs in more than one vendor basket. Happily the 2FA vendors are happy to sell you their 365-connectable offerings as they're becoming nicely established and stable.

Edge protection

We mentioned earlier that managing your own in-house Exchange setup can be something of a chore, and quite frankly who can blame you for wanting to ship it off to the cloud for Microsoft to look after it? I've seen it done more than once, and the relief on the faces of the mail server admins was palpable.

But I also wouldn't blame you for considering persevering with and potentially even expanding some or all of the edge protection you have for inbound email – it's been common for many years to adopt a hosted anti-malware and/or anti-spam offering and to funnel all your inbound email through it on its way to the Exchange server.
So of course Microsoft's mail infrastructure has its own anti-malware mechanisms (and they're very proud of it) but again, by sticking with a third-party offering layered around it you can bring an additional layer of security, visibility and reassurance to yourself and your management. Going in the other direction, Data Loss Prevention (DLP) is also something that you're increasingly likely to need these days, what with the tendency toward accreditations such as PCI DSS and ISO 27001.

Again there's a selection of DLP tools and policy features with Office 365, but a third-party approach is very much an option.

Security monitoring

Regardless of whether your installation is on-premise or in the cloud, security monitoring is absolutely critical if you're serious about security.

The market to be in these days is selling Security Information and Event Management (SIEM) software and appliances: storing, collating and analysing log data and the associated response and remediation brings massive benefits, particularly if you're aiming toward some kind of formal security or similar accreditation. Office 365 provides APIs into which SIEM platforms can hook in order to deduce what's occurring in the cloud installation and alert you to potential issues; and as with the likes of DLP and 2FA the vendors of SIEM products are now commonly supporting Office 365 to pretty much the same extent as they support on-premise kit.
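The kind of rule a SIEM runs over the audit records it pulls from those APIs is easy to show in miniature. The Python below is an added example, not Microsoft's code or any SIEM vendor's product: it consumes records shaped like the Office 365 Management Activity API common schema (CreationTime, RecordType, Operation, UserId, ClientIP, Workload, ResultStatus) and raises the three alert types the piece later quotes Aonghus Fraser on (sign-ins from unusual locations, mass download by one user, and admin activity from a non-admin address). The sample records, network ranges and thresholds are constructed assumptions; in production the baseline networks come from your own egress ranges and the thresholds from your own activity history.

```python
"""Detection rules over Office 365 unified audit log records.

Added example, not Microsoft's code or any SIEM vendor's. Records are built in
the shape of the Office 365 Management Activity API common schema
(CreationTime, RecordType, Operation, UserId, ClientIP, Workload,
ResultStatus); the values, network ranges and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed office egress range and a smaller range for admin jump hosts.
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]
DOWNLOAD_THRESHOLD = 50            # files per user per window before alerting
DOWNLOAD_WINDOW = timedelta(hours=1)
EXCHANGE_ADMIN = 1                 # RecordType used for Exchange admin cmdlets


def client_address(raw: str):
    """ClientIP may carry a port ('203.0.113.10:51234') or IPv6 brackets; strip them."""
    raw = raw.strip()
    if raw.startswith("["):
        raw = raw[1:raw.index("]")]
    elif raw.count(":") == 1:
        raw = raw.split(":", 1)[0]
    return ipaddress.ip_address(raw)


def in_networks(raw_ip: str, networks) -> bool:
    addr = client_address(raw_ip)
    return any(addr in net for net in networks)


def detect(records, org_networks=ORG_NETWORKS, admin_networks=ADMIN_NETWORKS,
           download_threshold=DOWNLOAD_THRESHOLD, window=DOWNLOAD_WINDOW):
    """Return (rule, user, detail) alerts for: successful sign-in from outside
    known networks, mass download by one user within the window, and Exchange
    admin cmdlets run from an address outside the admin range."""
    alerts = []
    downloads = defaultdict(deque)     # user -> timestamps of recent downloads
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        ts = datetime.fromisoformat(rec["CreationTime"])
        op, user, ip = rec["Operation"], rec["UserId"], rec.get("ClientIP", "")
        if op == "UserLoggedIn" and rec.get("ResultStatus") == "Succeeded":
            if not in_networks(ip, org_networks):
                alerts.append(("login_outside_org_networks", user, ip))
        elif op == "FileDownloaded":
            q = downloads[user]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) == download_threshold:   # fire once, when the threshold is crossed
                alerts.append(("mass_download", user, len(q)))
        elif rec.get("RecordType") == EXCHANGE_ADMIN:
            if not in_networks(ip, admin_networks):
                alerts.append(("admin_activity_from_non_admin_ip", user, f"{op} from {ip}"))
    return alerts


def make_sample_records():
    """Constructed audit records: one normal sign-in, one from an unknown address,
    60 downloads by one user in half an hour, and two Exchange admin cmdlets."""
    def rec(time, record_type, op, user, ip, workload, status):
        return {"CreationTime": time, "RecordType": record_type, "Operation": op,
                "UserId": user, "ClientIP": ip, "Workload": workload, "ResultStatus": status}
    records = [
        rec("2016-12-20T08:01:10", 15, "UserLoggedIn", "alice@example.com", "203.0.113.10:51234", "AzureActiveDirectory", "Succeeded"),
        rec("2016-12-20T08:02:44", 15, "UserLoggedIn", "alice@example.com", "198.51.100.77", "AzureActiveDirectory", "Succeeded"),
        rec("2016-12-20T09:30:00", 1, "Add-MailboxPermission", "admin@example.com", "198.51.100.77", "Exchange", "True"),
        rec("2016-12-20T09:31:00", 1, "Set-Mailbox", "admin@example.com", "203.0.113.5", "Exchange", "True"),
    ]
    start = datetime(2016, 12, 20, 8, 10)
    for i in range(60):
        when = (start + timedelta(seconds=30 * i)).isoformat()
        records.append(rec(when, 6, "FileDownloaded", "bob@example.com", "203.0.113.10", "SharePoint", "Succeeded"))
    return records


if __name__ == "__main__":
    for alert in detect(make_sample_records()):
        print(alert)
```

Two design points carry over to a real deployment: the download rule fires exactly once when the count crosses the threshold rather than on every record afterwards, which keeps a single incident from flooding the console, and the address parser tolerates the port and bracket forms the schema actually emits, so an allowlist check does not silently fail on a malformed ClientIP.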

Does Office 365 have in-built SIEM? Yes, there are tools that provide you with forensic analysis features and of course there's event logging, but SIEM isn't a core concept for Microsoft and so unless you have a very small setup you'll look to third-party SIEM offerings for the functionality you need, either in a dedicated, targeted SIEM solution from someone like LogRhythm or Splunk or in a multi-function package from the likes of Proofpoint.

Backups

One of the big differences between the cloud-based world and the on-premise setup is the need for and the implementation of backups.
It's common to decide that the requirement for backups to protect against complete system failure (i.e. disk crashes causing data loss) is much reduced in the cloud thanks to the robust physical implementation of the underlying storage layer.

But remember that physical crashes are just part of the need for backups: the risk of inadvertent deletion of data doesn't go away when you shift the installation into the cloud.

As with some of the other concepts we've mentioned there are built-in tools such as version control and rollback, automatic retention of items in recycle bins, and so on.

But again you're likely to want more, and again you can look to the market as there's a growing selection of options out there.

Are we spotting a trend here?

We've been talking so far about augmenting Office 365 with security features that don't come as standard, or that do come with the system but are perhaps not so attractive as those of separate products whose developers are more focused on the subject area.

The thing is, though, that aside perhaps from the discussion on backups, few of these supposed shortcomings are unique to Office 365 – they exist in on-premise setups too.

And that makes sense: we're not saying Office 365 is particularly deficient, just that the whole reason all these third party products and services exist is that you can't reasonably expect Microsoft (or any other of your vendors) to have a perfect solution in every specialist field of security as part of its office suite.

What do the Office 365 experts think?

Aonghus Fraser, CTO at C5 Alliance, echoes the idea that the service has its own features but they're not the whole story. He notes: “There are a number of areas that should be considered – some are in addition to Office 365 but there are also newer or lesser-known security features or services that can complement that native Office 365 security and cover all bases”. Endpoint security's high on his list. “Whilst there is protection at the server-side for O365 including Exchange and SharePoint Online, it is recommended that a strategy for endpoint protection for devices is implemented.

This can range from leveraging native O365 & Microsoft services such as Intune to ensure that a minimal level of patching and AV is enabled (using Windows Defender) to third party solutions such as Sophos Endpoint which can work on devices and in conjunction with firewalls to detect and isolate compromised devices”. Following up his point about new features that wink into existence, he cites a recently introduced built-in feature: “Advanced Security Management is a new service providing global and security administrators with the facility to detect anomalies in your tenant – alerts for abnormal behaviour, and alerts for activities that might be atypical.

Examples could include logging in from unusual locations, mass download by a single user (suggesting a data leakage risk) or administrative activity from a non-administrative IP address”.

The non-technical elements

Our original request to Aonghus was for three observations, of which we've just mentioned two; the third is non-technical but absolutely key. He states: “It is essential to ensure that business policies are regularly maintained in line with Office 365 capabilities such as Multi-Factor Authentication and Data Leakage Prevention in order for security to be optimised whilst taking into account employee productivity”. It's key to ensure your business is able to work effectively and in a governed way as you evolve into the cloud world: “An understanding of the implications on users of implementing some security measures is essential to ensure that users are well-informed and do not try to bypass the measures due to lack of understanding or usability or productivity being severely compromised. If the measures are too draconian users will find a way to circumvent them; business decisions need to align with the security recommendations in order for the right balance to be achieved”.

People as a problem

Aonghus touched on the issue of ensuring that staff are well informed and don’t try to side-step security measures, but it’s worth remembering that even with a strong staff awareness programme there’s still a risk of inappropriate activity.

And you can’t really blame your staff for falling for the occasional phishing attack: some are so sophisticated that even the most aware staff member will be taken in eventually. As Joe Diamond, Director of Cybersecurity Strategy at Proofpoint, puts it: “The level of social engineering to craft a convincing lure is what makes phishing so successful. We see this used across attacks that use malware, and those that don’t – such as business email compromise spoofing attacks and phishing for credentials”. Joe continues: “While end user education serves an important role, you cannot rely on it.

Focus on where your users digitally communicate the most – email, social sites, and mobile apps – and put in the protection needed to shield advanced attacks from ever reaching your end users”. As for the complexity of attacks these days: “The attack on customers of National Australia Bank that Proofpoint recently identified is a perfect example of how to the naked eye, the emails and links were virtually indistinguishable from legitimate bank communications.

The email content tricked recipients into entering credentials to verify their account and provide accounts details, before redirecting to the legitimate banking site.

The URL [looked] legitimate, but a letter was swapped with Unicode and encoding in the URL hid suspicious code”.

In short

Like any system of its kind, Office 365 is sufficiently secure in its basic form, but there's always more you can do – either to make it easier to exploit what it inherently does or to add further layers of protection and reporting on top of what you get “out of the box”. You may decide when you move to Office 365 that you can wind down some of the extras you bolted onto your on-premises system, simply because technology's moved on and the inherent provision in Office 365 is good. But any cloud email service is fair game for an attacker, because a compromise of a single system serves up multiple victims, so you're unlikely to want to throw away all the extras that can help you provide a layered security model as you evolve to a cloud setup. Oh, and one more thing: moving to the cloud doesn't make you immune from the long-standing tradition of stereotypical bad practice.

Aonghus gets the last word in this respect: “Accepting the default settings without considering whether, for example, the password expiry policy is appropriate is something that is often left – a 'hope for the best' approach or assumption that Microsoft defaults are right for you is not a good strategy where security is concerned”.

Amen. ®
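As an added illustration of the three anomaly types Aonghus Fraser lists above (sign-ins from unusual locations, mass download by a single user, administrative activity from a non-administrative IP), here is a toy detector run over constructed audit events. It is not code from the article, C5 Alliance or Microsoft; the event layout, operation names, country baselines, admin networks and threshold are all assumptions made for the example.

```python
# Added example, not from the article or any vendor: a toy detector for the
# three anomaly types described in the text. Event layout and values are
# constructed; operation names mimic audit-log naming but are not a real schema.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events; IPs are documentation ranges, not real addresses.
EVENTS = (
    [{"user": "alice", "op": "UserLoggedIn", "country": "GB", "ip": "203.0.113.5"},
     {"user": "alice", "op": "UserLoggedIn", "country": "RU", "ip": "198.51.100.9"},
     {"user": "carol", "op": "Add member to role.", "country": "GB", "ip": "198.51.100.20"}]
    + [{"user": "bob", "op": "FileDownloaded", "country": "GB", "ip": "203.0.113.7"}] * 61
)

# Baselines an organisation would derive from its own history (constructed here).
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}
ADMIN_NETS = [ip_network("203.0.113.0/24")]          # where admins are expected to work from
ADMIN_OPS = {"Add member to role.", "Set-Mailbox"}    # privileged operations to watch
DOWNLOAD_THRESHOLD = 50                               # files per user per reporting window


def detect_anomalies(events, known_countries=KNOWN_COUNTRIES, admin_nets=ADMIN_NETS,
                     admin_ops=ADMIN_OPS, threshold=DOWNLOAD_THRESHOLD):
    """Return (alert_type, user, detail) tuples for the three behaviours."""
    alerts = []
    downloads = Counter()
    seen_locations = set()
    for e in events:
        user, op = e["user"], e["op"]
        # 1. Sign-in from a country not in the user's baseline (alert once per pair).
        if op == "UserLoggedIn" and e["country"] not in known_countries.get(user, set()):
            if (user, e["country"]) not in seen_locations:
                seen_locations.add((user, e["country"]))
                alerts.append(("unusual_location", user, e["country"]))
        # 2. Count downloads per user; judged after the whole window is read.
        elif op == "FileDownloaded":
            downloads[user] += 1
        # 3. Privileged operation from outside the administrative networks.
        elif op in admin_ops and not any(ip_address(e["ip"]) in net for net in admin_nets):
            alerts.append(("admin_from_nonadmin_ip", user, e["ip"]))
    for user, count in downloads.items():
        if count > threshold:
            alerts.append(("mass_download", user, count))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(EVENTS):
        print(alert)
```

A real deployment would derive the baselines from weeks of tenant history and evaluate the download count over a sliding time window rather than a single batch.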

CWCS Managed Hosting Gains Industry Recognition for Quality, Secure and Reliable...

Awarded G-Cloud 8 framework supplier status
Awarded PCI DSS Level 1 Service Provider Status

Nottingham, 30th August 2016: CWCS Managed Hosting has gained significant industry recognition for the quality, security and reliability of its cloud services. The company has been awarded G-Cloud 8 framework supplier status and PCI DSS Level 1 Service Provider status, demonstrating CWCS’ leadership as a trusted managed hosting provider.

Karl Mendez, Managing Director, comments: “When it comes to cloud services, there’s no company more passionate about providing quality, secure and reliable hosting, backed up with technical expertise and supreme customer service. Being awarded G-Cloud supplier status, and PCI DSS Level 1 provider status further highlights this.”

CWCS Awarded G-Cloud 8 Framework Supplier Status

CWCS Managed Hosting has been awarded G-Cloud 8 framework supplier status for its public and private cloud, as well as dedicated servers, virtual firewall appliances and email security filtering services. These services are now available via the G-Cloud framework on the Digital Marketplace and CWCS has been awarded the status under the Infrastructure as a Service category.

Mendez says: “Being given G-Cloud 8 framework supplier status means we can serve a broader base of public organisations, in more regions. We already work with a number of City and County Councils as well as NHS Trusts, and achieving this accreditation will enable more public sector organisations to come on board more quickly.”

The G-Cloud framework is an agreement between government and suppliers of cloud services. It enables public sector organisations to purchase services without the need to undertake a full tender process. When public sector bodies buy through the framework, the process is generally faster and less expensive. As suppliers have already been vetted, those procuring services can be confident in the suppliers within the framework.

CWCS Awarded PCI DSS Level 1 Service Provider Status – PCI DSS Compliant Hosting

When it comes to data protection and specifically protection of cardholder data, you can never be too careful or too thorough in your processes, controls and overall security levels. CWCS Managed Hosting ensures on-going auditing of its security levels and has been awarded PCI DSS (Payment Card Industry Data Security Standard) Level 1 Service Provider status following a recent audit.

The auditors confirmed: “Ultima Risk Management Ltd (URM) conducted an onsite audit of CompuWeb Communications Services Ltd (CWCS) and have found sufficient evidence and controls to find it compliant with the Payment Card Industry Data Security Standard (PCI DSS) as a Level 1 Service Provider (the highest level of validation).” The award is for CWCS’ primary data centre in Nottingham.

Mendez says of the accreditation: “The PCI Level 1 status provides peace of mind for our clients that their data is in the safest of hands. In an era where data hacking and data breaches happen, clients can trust us with their data security. Our ISO 27001 certification further highlights our commitment to secure hosting and secure data.”

For more information about CWCS Managed Hosting and its services, call +44 (0) 800 1 777 000.

-Ends-

About CWCS Managed Hosting

CWCS Managed Hosting is a specialist business and enterprise-level managed hosting company offering cloud hosting and dedicated servers. It is also committed to leading the way in hosting services, which is demonstrated in the numerous awards and titles that CWCS has received over the years. CWCS was founded in 1999 and operates from two highly secure data centres in the UK. The company also has US and Canada data centre facilities. CWCS offers 24/7/365 support to thousands of customers worldwide and works hard to provide each client with the best solution. CWCS is accredited to security standard ISO 27001.

For more information visit www.cwcs.co.uk

For further information:
Caroline Tarbett
Joshua PR
Caroline.tarbett@joshuapr.com
+44 (0) 7914 014145

Retailers and manufacturers missing out on billions of dollars in laptop...

Survey shows on average 71% of consumers in US and UK will buy new laptops every two years if offered innovative and irresistible guaranteed future value promotions

Chertsey, Surrey, 22nd August 2016: On average 71% of consumers across the UK and USA will upgrade to a new laptop within two years if retailers guarantee them a rebate of 50 per cent on the original purchase price of their current model, according to a new survey of 1,000 consumers split between the two countries. This could help reset the decline of the PC market due to longer upgrade cycles and mobile-device cannibalization, as mentioned by Intel CEO Brian Krzanich at a recent investor conference.[1]

The survey, conducted by polling firm Censuswide for risk-managed sales promotion expert Opia, reveals that 73% of consumers in the US will upgrade if they are made such an offer, along with 69% in the UK.

“Guaranteed future value (GFV) offers have huge potential to help retailers and manufacturers on both sides of the Atlantic bust out of ever-longer refresh cycles in the laptop market,” says Steve Gales, sales director at Opia. “With more than 17 million units shipped in the US in the last quarter of 2015 and an estimated nine million UK consumers obtaining a laptop or notebook in the year, the revenue boost from customers upgrading more often could be colossal. The average US citizen, for example, spends $500 on a new laptop and if they do that every 2.5 years, instead of every five, retailers and manufacturers will see revenue rocket by more than $170bn in a five year period.

“Many consumers are hanging on to laptops for five years or more, putting up with ever-poorer performance because they fear having to spend on a new device. Although there are slight differences between the two countries, the survey shows that GFV can remove that fear, encouraging consumers to make new purchases more regularly.”

The survey also reveals that 69% of consumers across the two countries view a new laptop as less expensive if the resale value is guaranteed to be 50% of what they paid for it, provided they upgrade within two years.

“Since most respondents (59%) in the two countries have previously taken up some form of promotional offer to buy a laptop, they are already open to suggestion if the offer is compelling. Retailers who don’t act fast to implement closed loop upgrade promotions are subjecting themselves to ever-longer refresh cycles and lower revenues,” says Gales.

The findings showed that in the US and UK, an average of 85% of consumers wait more than three years before buying a new laptop. In the US, 69% said they did not buy a new PC or laptop because new models were too expensive and are waiting for the right offers, compared with 63% in the UK.

“These survey results demonstrate clearly how retailers and manufacturers failing to use risk-backed GFV promotional mechanisms are doing themselves out of a significant amount of business. One final example from the survey reveals 35% of US consumers and 30% of UK consumers said a 50% GFV offer could encourage them to buy a more expensive model when they come to upgrade,” concludes Gales.

[1] http://www.fool.com/investing/2016/06/10/intel-corporation-ceo-brian-krzanich-explains-the.aspx

-Ends-

Notes to editors

Opia is an industry expert in risk managed sales promotions, with a proven track record in results-driven business and consumer campaigns for brand owners in the hi-tech, telecoms, FMCG, retail and automotive sectors. Supported by a 24/7 customer service team working in 18 languages, Opia’s global reach enables it to offer multilingual redemption campaigns in over 60 countries, including EMEA, North and South America and Asia-Pacific. Opia is a subsidiary of media company Village Roadshow and has been an integral part of its Digital Division since 2015. Opia is compliant to the ISO 9001 quality management standard and the latest ISO 27001:2013 standard for data security.

For more information, please contact:
Jen Rook
Whiteoaks PR
+44 (0)1252 727313 ext. 276
jenniferr@whiteoaks.co.uk

Databarracks launches Cyber-DRaaS to protect against ransomware

Press Release

Disaster recovery specialist Databarracks has launched a new DR service designed specifically to target cyber threats. Cyber-Disaster Recovery as a Service (Cyber-DRaaS) identifies cyber-attacks early and enables users to roll back to the last clean replication point in Databarracks’ secure DR environment.

Peter Groucutt, managing director at Databarracks, explains: “As a business continuity provider, we have a very unique view of cyber threats. We are called into action when defences have been breached and we need to get a customer back up and operating as quickly as possible. Cyber threats like ransomware and malware are the fastest-growing concern we hear from our customers around business continuity and the single biggest cause for significant recovery.

“Traditional disaster recovery isn’t optimised for cyber-attacks. Recovering from ransomware would mean trawling through historic versions of backups in order to find clean data then starting a lengthy recovery process.

“Our new Cyber-DRaaS uses replication to bring a fresh, continuity-led approach to cyber security. It offers a double-edged approach to cyber security, blending aggressive scanning and detection technologies with pro-active continuity planning. This means organisations can safely resolve cyber threats whilst continuing to support their business as usual processes.

“By combining our award-winning DRaaS platform with Trend Micro’s Deep Security, we’ve automated the process of finding the most recent clean replica of an organisation’s production systems. The result is that organisations can recover from ransomware or malware infections within the same Recovery Time Objectives offered by our DRaaS platform, which can be as little as 15 minutes, whilst automatically recovering to the most recent Recovery Point.”

Groucutt concludes: “Ultimately, cyber threats aren’t going anywhere. We understand the increased importance of protection at the perimeter, now it’s time for organisations to be proactive about their cyber security and business continuity. Cyber-DRaaS is the perfect first step.”

To find out more about Cyber-Disaster Recovery as a Service and how it works, visit http://www.databarracks.com/disaster-recovery-as-a-service/cyber-disaster-recovery-as-a-service/

- Ends -

About Databarracks:

Databarracks provides ultra-secure, award-winning Disaster Recovery, Backup and Infrastructure services from UK-based, ex-military data centres. Databarracks is certified by the Cloud Industry Forum, ISO 27001 certified for Information Security and has been named as a “Niche Player” in Gartner’s Magic Quadrant for DRaaS for two consecutive years. For more information, please see: http://www.databarracks.com

Contact:
Nick Bird/Paul Moore
Spreckley
Tel: +44 (0) 207 388 9988
Email: databarrackspr@spreckley.co.uk

Hopeless Vic agencies have two years to hit infosec best practice

Or something will happen, as bad as being hacked

Government agencies in the Australian state of Victoria will have two years to move from near ground zero to stand up fully-fledged and updated information security, risk, and governance policies. The requirements are a big ask for agencies in the southern state, previously described as in information security turmoil after ignoring formal security policies for years. It is, however, unknown if non-complying agencies will face fines or penalties. The commissioner has been contacted for comment.

The agencies will each year need to demonstrate compliance to the state commissioner against 18 areas within the just-released Protective Data Security Framework [PDF]. Audits in previous years have found agencies had lax or non-existent security policies and controls. The best guide for agencies was the Australian Signals Directorate's lauded but non-compulsory top four security controls and the Commonwealth Information Security Manual.

Agencies will also be required to submit to out-of-band audits. The requirements cover data and information security along with governance, and physical and personnel security. Most of the prescriptions fall in line with existing Federal information security recommendations, are proportionate to the size of the agency, and are non-prescriptive in terms of technology and implementation.

Various areas of governance consume a dozen of the 18 requirements, each with four underlying protocols. They demand formal security management frameworks; risk registers; policies and access regimes; regular staff training; incident response; and business continuity. Data security controls must be updated and maintained and applied to shared public data, while information security mechanisms must also be established and updated. The protocols for each, condensed down, require evidence of executive buy-in, updating over time, and alignment with various standards including ISO 27001, 27002, 22301, and 31000. Contractors must also meet the new requirements. ®