
ISO/IEC 27001 is the international standard for information security management systems (ISMS) and was developed to help companies of all sizes, in any industry and virtually any country, systematically secure their confidential and business critical data. The framework helps organisations to implement a robust approach to information security and introduces controls across people (education and training), process (policies and procedures) and technology (systems and software) to effectively manage and mitigate risk and safeguard information assets.



So why should companies take the time to invest in ISO/IEC 27001 certification? Here we look at some of the major benefits:


  • Peace of mind – certification ensures all your company’s confidential data is secure, which may include financial records, intellectual property, and other commercially sensitive information, as well as employee and customer records.


  • Globally recognised – with 165 member countries, ISO 27001 certification is recognised all around the world and quickly and easily demonstrates your organisation’s commitment to information security.


  • Compliance – there are a growing number of complex laws and regulations relating to information security, and the threat of prosecution and/or huge fines for non-compliance is very real. ISO 27001 gives you the ideal framework to help your organisation manage its regulatory and legal requirements and stay compliant.


  • Enhances reputation – certification builds trust and confidence in your company and reassures existing or potential customers and stakeholders that you are committed to safeguarding their information, as well as other business critical and confidential data.


  • Competitive advantage – the additional credibility that certification brings can increase commercial opportunities and help your company win additional business and new customers from competitors who are not certified.


  • Greater security awareness – a joint ‘Psychology of Human Error’ survey by Stanford University and Tessian found that 88% of data breaches were caused by human error, 43% of employees had made a mistake that compromised cybersecurity and 25% of employees had clicked on a phishing email at work. Incidents such as these can have serious consequences for any business; however, ISO 27001 certification means far greater information security awareness amongst staff, which reduces the likelihood of an incident occurring in the first place.


  • Cost savings – the aim of ISO 27001 is to implement a robust ISMS to prevent security incidents from happening, and with one survey reporting the average cost of a breach as $3.86 million in 2020 (https://www.ibm.com/security/data-breach), the cost of implementing ISO 27001 is likely to be minimal when compared to the potential financial impact of a breach.


  • Efficiency – business operations are streamlined as policies and procedures are all clearly defined and documented. In addition, by reducing the number of incidents, the overall disruption to day-to-day operations is minimised.


  • Futureproofing – the framework helps your business to continually review potential risks and weaknesses and implement appropriate controls that improve the way you manage your organisation’s information security.


The breadth of the Fortis service portfolio enables us to offer a variety of information security and risk management solutions. Helping our clients to achieve the information security compliance standards they need to operate with confidence is just one of the areas in which we specialise.


From a simple one-off gap analysis against the ISO/IEC 27001 standard, through to complex multi-standard integrated management systems, Fortis offers comprehensive certification services that can be tailored to suit your organisation’s specific requirements. For more information about how Fortis can help protect your business please contact enquiries@fortiscyber.co.uk




Updated: Jun 30

A ransomware attack on a food-logistics firm in the Netherlands that caused six days of disruption to supplies at the country’s largest supermarket chain is thought to be the result of a vulnerability that was widely reported in March, when Microsoft revealed it had uncovered zero-day bugs being used to attack on-premises Microsoft Exchange servers.


The attacks are believed to have originated from a Chinese state-sponsored hacking group, who were able to access email accounts, exfiltrate data and plant malware to enable long-term remote access, as well as launch a new strain of ransomware.


The last 12 months has seen an explosion in cyber-attacks as criminal networks have exploited confusion around the pandemic and opportunities created by the sudden mass transition to remote working. As a result, nearly 50% of organisations fell victim to some type of breach last year and one of the fastest growing threats in cyber security is ransomware. Deep Instinct’s 2020 Cyber Threat Landscape Report found that ransomware attacks had increased by 435% in 2020.


Below, we look at some of the latest trends in ransomware and how it is evolving:


  • In the past ransomware attacks might have just resulted in data being encrypted, but we are now seeing a significant increase in data exfiltration – the unauthorised removal of sensitive data from an organisation’s network.


  • Exfiltration is also linked to the growth of double extortion attacks, where threat actors will look to maximise their chances of profiting from an attack. As well as encrypting confidential information and then demanding a ransom to decrypt it, cyber criminals will then either threaten to sell the data they have harvested, such as customer credentials, or release it into the public domain unless an additional fee is paid.


  • Ransomware groups are increasingly maintaining their own dedicated leak sites on the surface web or dark web where they can publish confidential information of targeted organisations not willing to meet their ransom demands or threaten to make the data public on the leak sites as part of a double extortion strategy.


  • Threat actors are now engaging in big game hunting, whereby high-value organisations that are most likely to lead to big pay-outs are specifically targeted. After an initial compromise, cyber criminals are no longer immediately deploying ransomware to a single device. Instead, they are taking time to understand the company’s operations, exploit additional vulnerabilities, exfiltrate data, and gain access to critical systems that will enable them to cause maximum damage by disabling the entire network.


  • Ransomware as a service (RaaS) is growing in prevalence as new, smaller variants become available on the dark web. These are usually offered via a monthly subscription service, as a one-off charge, or may involve sharing a percentage of the profit with the provider, but in all cases these business models are particularly appealing to hackers as there are low entry costs and minimal technical skills required to launch attacks.


  • We are also increasingly seeing new sectors targeted. Over the past year there has been a sharp rise in attacks on local government, hospitals, and other healthcare organisations, as well as educational institutions, with the University of Portsmouth reportedly having to close its campus just recently due to a ‘ransomware attack.’


Unsurprisingly, the cost of ransomware is growing, and it is not just limited to the financial costs of paying ransoms. There are a multitude of other costs that can result from an attack, such as the cost of disruption and lost productivity, damage to a company’s reputation, loss of customer confidence, and the possibility of legal costs and fines from regulatory bodies. All are in addition to any costs associated with incident response and remediation, which can be particularly significant for organisations with large networks and complex infrastructure.


With the frequency and sophistication of ransomware attacks predicted to grow significantly, companies need to take a proactive approach to protecting their business.


Alongside pre-attack activities to prevent ransomware from bedding into your systems, organisations must ensure a comprehensive and robust incident response procedure is in place. This is essential to manage an attack effectively, minimise its damage, and enable the business to recover quickly, reducing the financial impact on revenues. In the event of a security incident, the immediacy and effectiveness of the initial response has a direct and significant impact on the level of disruption and costs to the business.





With advanced threats increasing rapidly, organisations also need to thoroughly investigate any Indicators of Compromise (IOCs) and breaches to help determine the cause and source of the incident and ensure that it has been dealt with effectively. It is possible a full digital forensics investigation could have helped the Dutch food-logistics company identify any indicators of compromise, identify exploitation activities and ensure no backdoors were left open to enable the hackers to access their network again and deploy ransomware.

Fortis offers comprehensive, certified and experienced Incident Response and Digital Forensic services that can be tailored to suit your organisation’s specific requirements, including investigations mentioned in this article. For more information about how Fortis can help protect your business from ransomware and other threats please contact enquiries@fortiscyber.co.uk




We are holding a 1-day course covering PAS 499:2019 Digital Identification And Authentication Compliance in Q2 2019.

It will be led by one of the authors of PAS 499:2019 so it will be a rare opportunity to hear from one of the subject matter experts!

Please find details in the flyer. If you have questions or want to register interest please email enquiries@fortiscyber.co.uk or message me directly through LinkedIn. Those on the interest list will be offered a reduced rate.




#authentication #authorization #governance #identities #GRC #Digitalidentification #PSD2 #OpenBanking #EntrustDatacard



Training Options to Fit Your Needs


1-Day PAS 499:2019 Digital Identification And Authentication Compliance Training

(Delivered In-Person)

Designed for mid- to senior-level professionals and executives, this in-person short course enables you to identify, develop and plan effectively for the upcoming requirements in the provision of digital services for Strong Customer Authentication within PSD2.


PAS 499 is a code of conduct developed by the British Standards Institute that has been supported within the financial services industry by the Payment Systems Regulator (PSR), UKfinance and TechUK, to name just a few. PAS 499 sets out recommendations for organisations to meet security, regulatory, and usability requirements in the provision of digital services. In addition to PSD2, it builds on other recent legislative developments ranging from the Electronic Identity, Authentication and Signatures Regulation (eIDAS) to the General Data Protection Regulation (GDPR).


The PAS is going to be published as a standard in April 2019, and the one-day course is a perfect opportunity for you to become aware of the level of governance changes and risk requirements it outlines that affect your organisation before it gets made public.


The training session will be delivered by one of the primary authors of the PAS 499 standard.

Over one day, you will learn the key points about digital identification and authentication in general terms, usability and regulatory requirements to assist in achieving PAS 499 compliance, and its accreditation scheme rules. This will include practical information that will enable you to manage auditor expectations, meet regulatory requirements, and leverage your company’s investment in existing internal controls in support of your governance, risk and compliance goals and objectives.


PAS 499 training covers the following concepts:


  • Identity Validation

  • Identity Proofing

  • Enrolment

  • Authentication

  • Delegated Authority and Authorization

  • Security and Usability

  • Authentication Risk Model


We will provide you with a wide variety of materials for the training session, including a notebook and a take-away reference workbook based on the PAS 499 compliance training content.


When?

Coming during Q2 2019! Register here to be part of the "Interest List"! Those on the interest list will be offered a reduced rate.


Interested but not quite certain?

We understand that the best laid plans can change, which is why Fortis Cyber Security Limited offers a generous cancellation and refund policy.


For in-person classroom training, you can receive a full refund when you cancel up to 21 days prior to the beginning of class.


Contact details: enquiries@fortiscyber.co.uk


Let us bring the session to you.

Email enquiries@fortiscyber.co.uk to discuss on-site or private in-house training.
