Data Management

SurveyMonkey Goes to Ireland

California-based online survey software company SurveyMonkey has opened a datacentre in Dublin with a view to attracting enterprise customers in the EMEA region.

SurveyMonkey

SurveyMonkey, which was established in Portland by Ryan and Chris Finley, has more than 750 employees globally and is estimated to have more than 600,000 paying users across more than 300,000 organisational domains. The SurveyMonkey platform, a cloud-based online survey tool offered either for free or as SaaS, is used in 190 countries and territories.

The company now has offices in San Mateo, Portland, Seattle, Dublin, Ottawa, and Sydney.  The Irish office was opened in 2014 and currently has around 50 employees.  SurveyMonkey went public in 2018.

Why A Datacentre In Dublin?

There are several good reasons for the move to Dublin coupled with a focus on wooing EMEA enterprise customers, such as:

  • 16% of SurveyMonkey’s revenue during the first quarter of 2019 came from sales to the enterprise sector.
  • More than one-third of SurveyMonkey’s business revenue comes from outside the US, with the majority in Europe.
  • There is a huge opportunity for growth that’s offered by companies where SurveyMonkey has been adopted (as the free version) through back-door ‘shadow IT’, and where those enterprises can be encouraged to legitimately adopt the use of the software as company-wide deployments by being reassured that the data they collect is stored in a European data centre (Dublin). This has been termed a ‘land and expand’ strategy.
  • Dublin is ranked as one of the best places to work in Ireland and offers many benefits to tech companies and start-ups.

Phased Approach

SurveyMonkey’s strategy, of which the Dublin datacentre is a part, is a phased one with the first phase being to acquire new customers, and phase two focusing on migrating customers who already have a lot of data stored in their SurveyMonkey accounts.

In addition to expanding across Europe, SurveyMonkey will also be looking at making customers aware of the other services that it offers.

What Does This Mean For Your Business?

SurveyMonkey knows that the Europe/EMEA region already delivers plenty of revenue and that there’s a great opportunity to expand further. Placing a datacentre in Europe may be very attractive to (and reduce risk for) enterprise customers who must be very careful about where their data is stored (see GDPR) and who always want to reduce complexity about data storage.

This story also shows how the ‘shadow IT’ use of software has provided a way in and can be part of a successful strategy for growth and expansion.

Survey Shows Half Of UK Firms Have No Cyber Resilience Plan

A survey commissioned by email security firm Mimecast and conducted by Vanson Bourne has revealed that even after GDPR’s introduction, more than half of UK firms have no Cyber Resilience Plan.

What Is A Cyber Resilience Plan?

An organisation’s cyber resilience is its ability to prepare for, respond to and recover from cyber-attacks, and a Cyber Resilience Plan details how an organisation intends to do this.  Most organisations now accept that the evolving nature of cyber-crime means that it’s no longer a case of ‘if’ but ‘when’ they will suffer a cyber-attack.  It is with this perspective in mind that a strategy should be developed to minimise the impact of any cyber-attack (financial, brand and reputational), meet legal and regulatory requirements (NIS and GDPR), improve the organisation’s culture and processes, protect customers and stakeholders, and enable the organisation to survive beyond an attack and its fallout.

More Than Half Without

Mimecast’s survey shows that even though 51% of IT decision-makers polled in the UK say they believe it is likely or inevitable they’ll suffer a negative business impact from an email-borne cyber-attack in the next 12 months, 52% still don’t have a cyber resilience plan in place.

Email Focus

Email is a critical part of the infrastructure of most organisations and yet it is the most common point of attack. It is with this in mind that the Mimecast survey has focused on the challenges that managing the security aspects of email present in terms of cyber resilience and in achieving compliance with GDPR.

E-Mail Archiving

One potential weakness that the survey revealed is that only 37% of UK IT decision-makers said that email archiving and e-discovery are included in their organisation’s cyber resilience strategy.  When you consider that email contains a great deal of personal and sensitive company data, its protection should really be at the core of any cyber resilience strategy.

Also, for example, in relation to GDPR, not having powerful archiving systems to enable emails to be found and deleted quickly upon a user’s request could pose a compliance challenge.

Human Error

Human error in terms of not being able to spot or know how to deal with suspicious emails is a common weakness that is exploited by cyber-criminals.

What Does This Mean For Your Business?

If the results of this survey reflect a true picture of what’s happening in many businesses, then it indicates that cyber resilience urgently needs to be given greater priority, particularly since it is now a case of ‘when’ rather than ‘if’ a cyber attack will occur.  Also, the risks of not addressing the situation could be huge in terms of risks to customers and stakeholders and the survival of the business itself, particularly with the huge potential fines with GDPR for breaches.

E-mail, and particularly email archiving (what’s stored, where and how well and quickly it can be searched) poses a serious challenge. Businesses should reassess whether their email archiving strategy is effective and safe enough and security should go beyond archive encryption to guard against impersonation attacks and malicious links.

Bearing in mind the role that human error so regularly plays in enabling attacks via email, education and training in this area alongside having clearly communicated company policy and best practice in managing email safely should form an important part of a company’s cyber resilience.

Google Offers Auto-Delete of History After Three Months

Google is joining tech giants Facebook and Microsoft in offering users greater privacy of their data, which in Google’s case means giving its users the option to automatically delete their search and location history after three or eighteen months.

What’s The Problem?

According to Google, feedback has shown that users want simpler ways to manage or delete their data, and web users have been more concerned about their data privacy after several high-profile data breaches, most notably Facebook’s sharing of 50 million of its users’ profiles with analytics company Cambridge Analytica back in 2014.

The Change

Google already offers tools to help users manually delete all or part of their location history or web and app activity.  The addition of the new tool, which is scheduled to happen “in the coming weeks”, will enable users to set up auto-delete settings for their location history, web browsing and app activity.

With the new tool, users will be able to select how long they want their activity data to be saved for – three months or eighteen months – after which time Google says the data will automatically be deleted from the user’s account.

The new automatic deletion will be optional, and the manual deletion tools will remain.

Facebook and Microsoft

At the beginning of May, Microsoft announced several new features intended to improve privacy controls for its Microsoft 365 users, with a view to simplifying its data privacy policies.

Also, Facebook’s Mark Zuckerberg recently announced a privacy-focused road map for the social network.

Google’s Tracking Questioned

Back in 2018, the ‘Deceived By Design’ report by the government-funded Norwegian Consumer Council accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not benefit their privacy.

In November 2018, Google’s tracking practices for user locations were questioned by a coalition of seven consumer organisations who were reported to have filed complaints with local data protection regulators. Although Google says that tracking is turned off by default and can be paused at any time by users, the complaints focused on research by a coalition member who claimed that people are forced to use the location system.

Furthermore, research by internet privacy company DuckDuckGo in December 2018 led to a claim that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

What Does This Mean For Your Business?

The introduction of GDPR and high-profile data breach and privacy incidents such as the Facebook and Cambridge Analytica scandal have made us all much more aware about (and more protective of) our personal data and how it is collected, stored and used by companies and other organisations. It is no surprise, therefore, that feedback to Google showed a need for greater control and privacy by users, and the announcement of the new (optional) automatic deletion tool also provides a way for Google to get some good data privacy PR at a time when other tech giants like Facebook and Microsoft have also been seen to make data privacy improvements for their users.

Current details about how to manually delete your Google data can be found here: https://support.google.com/websearch/answer/465?co=GENIE.Platform%3DDesktop&hl=en and the ‘My Activity’ centre for your Google account, where you will most likely be able to make your automatic settings, can be found here: https://myactivity.google.com/.

School Enlists Chinese Help To Upgrade To Enhanced Wi-Fi

The Lytchett Minster School in Dorset recently made the news among IT commentators after demonstrating how it could overcome the connectivity challenges of its rural location, cut costs and increase efficiency by upgrading its on-site network with Chinese company TP-Link’s enhanced Wi-Fi.

Challenges

As recently featured by Computer Weekly, the school had to contend with a rural campus location and the resulting poor connectivity, next to a grade II listed 18th century manor house, and a rudimentary system of ageing individual home-user access points (APs) mounted in school corridors which required users to disconnect and reconnect when roaming around.   Also, the old wireless network was not voucher-based and was insecure (the pre-shared key could be compromised), which meant that staff had to reset each AP’s password individually (with remote authentication dial-in user service help) and users had to keep reconnecting each of their devices to the network.

As is the case with so many schools, Lytchett Minster School had to make its limited budget go as far as possible in the upgrade.  This meant the need to minimise price per AP and annual licensing fees while getting the best value, efficient and effective wireless infrastructure solution.

Requirements

It was decided that the most important requirements on the school’s list were power over Ethernet (PoE), Radius authentication, centralised management, provision of multiple service set identifiers (SSIDs) and voucher authentication.

TP-Link Chosen

The school chose Chinese company TP-Link to upgrade their on-site network based on features offered, value for money, and the fact that TP-Link builds its hardware itself instead of outsourcing and, therefore, doesn’t charge licensing fees.

Founded in 1996 by two brothers and based in Shenzhen, China, TP-Link is a manufacturer of computer networking products and is now the world’s number 1 provider of consumer Wi-Fi networking devices, shipping products to over 170 countries.

Change

Changing to the upgraded, enhanced Wi-Fi meant that the old APs could be moved from corridors into classrooms for optimum performance and coverage. The changes to a better enhanced Wi-Fi network also meant that access control lists could issue users with vouchers that restricted network access at the subnet according to core user group, an out-of-hours, separate public-access SSID could be offered to users of the school’s sports facilities, larger numbers of staff iPads and phones could be used for teaching, and special provisions could be made for the BYOD policy for sixth form students.

The new system also enabled easier, centralised management of the network with data from each AP being displayed to the IT department on large screens, with no more need to perform network reboots (as these can happen automatically at 6 am every day to avoid disrupting lessons), and the ability to carry out all key tasks from a central interface.

What Does This Mean For Your Business?

This story is an example of how the potential of an organisation (a school in this case) was limited by poor Wi-Fi provision, partly due to its rural location and old, inadequate hardware. The school showed that today, it is possible for a school based in Dorset to choose a Chinese tech firm as a partner to deliver a business-class wireless network solution that meets all operational requirements within budget, and without the extra cost of ongoing licence fees. An enhanced Wi-Fi system of this kind also offers the convenience, transparency and ease of centralised control.

1 Million+ UK VAT-Registered Companies Still To Register With Making Tax Digital

A Freedom of Information request has revealed that with a little under a week to go to the deadline for registration, more than 1 million UK VAT-Registered Companies have still not signed up to HMRC’s Making Tax Digital (MTD) programme.

MTD

HMRC’s MTD was announced back in 2015 and requires VAT registered UK companies to keep digital records and file quarterly reports with the taxman. The first phase of the programme, MTD for VAT, is rolling out on 1st April, with the first digital quarterly VAT returns due to be submitted by 7th August.

MTD offers businesses the chance to move to an easier, more convenient, full cloud accounting solution rather than their own (often spreadsheet-based) legacy systems. For HMRC, having everything digitalised should allow them to save costs, time and resources, improve accuracy, and get revenue more quickly. HMRC says that the MTD programme should “make it easier for individuals and businesses to get their tax right and keep on top of their affairs.”

Other Taxes – Not Digital Submission Until 2020

The UK announced in July 2017 that more time would be needed, and that an MTD-style programme would not be mandated for taxes other than VAT until at least April 2020.

Also, the government announced earlier this year that because it is focusing on support for businesses in the transition to MTD it will not be mandating Making Tax Digital for any new taxes or businesses in 2020.

FoI Request

The FoI request that revealed how many businesses still hadn’t registered for MTD was submitted by Float, a cashflow forecasting software company. The information in response to the FoI request showed that as of 18th March 2019 only 55,520 businesses were registered with the scheme. HMRC has since said that 70,000 businesses have now registered, which means that companies are registering at a rate of around 3,000 per day.

Criticism

HMRC has been criticised for not contacting many companies about the changes.  For example, it was revealed that as recently as last November, only 40% of companies had heard about the new programme.

What Does This Mean For Your Business?

2018 to 2019 has been a challenging year for businesses with the preparations and introduction first of GDPR, followed by the uncertainty surrounding Brexit overshadowing many other issues. It may be true to say that many businesses are reactive and are busy just keeping on top of business most of the time and in a situation like this where the communication from HMRC about MTD has been poor, it’s not surprising that many businesses have still not registered. It may also be fair to say that many accountancy firms haven’t been as proactive as they could have been in informing their customers about MTD and its deadlines.

The introduction of MTD will undoubtedly require work and time in getting figures into a new and unfamiliar digital platform, but if it makes it easier for companies to stay on top of their tax affairs into the future, this will be a good thing, not least for the exchequer.

Microsoft And Adobe Team Up To Fight Salesforce

Microsoft and Adobe are teaming up to make it easier for users of Adobe’s marketing software to find and target potential customers for business goods on Microsoft’s LinkedIn, thereby fighting their common competitor Salesforce.com Inc.

What Is Salesforce?

Salesforce is a market leading American cloud-based CRM platform. The company’s 2018 revenue was $10.5 billion, most of which came from sales of the CRM platform itself although the company also makes a lot of its revenue from selling other applications that work with the platform.

Adobe

California-based multinational Adobe Inc. became most widely known for products like Photoshop, but the company has more recently turned its attention to making the software used for business marketing campaigns e.g. Adobe Experience Cloud and Advertising Cloud Creative. The recent acquisition of leading marketing automation platform Marketo by Adobe for nearly $5 billion has meant that there has been a coming-together of Adobe Experience Cloud’s content personalisation capabilities and Marketo’s lead engagement and account-based marketing. This has enabled Adobe to work better at combining data and personalisation in its products, thereby giving it some more of the pieces that it needed to challenge big marketing automation players such as Oracle and Salesforce.

Microsoft

Microsoft is known, of course, for its Windows OS and Office suite, but it also has Dynamics 365, which is software that allows salespeople to track deals. One major and vital asset that it can bring together with Adobe to tackle Salesforce is the LinkedIn platform, which Microsoft acquired in 2016 for $26 billion.  This platform is used as a valuable tool by business-to-business marketers to generate new business and is a very powerful and tempting asset to have access to for any company that is seriously looking to become a major contender in the marketing automation market.

Combined

Market analysts have noted that the combined effort of Adobe and Microsoft will essentially mean that it will be much easier for users of Adobe’s marketing software to find and target teams of potential customers for business goods via LinkedIn. The integration of Adobe and Microsoft will allow them to fill in the gaps that either company had in making marketing content (via Adobe) and being able to target large numbers of B2B prospects (via Microsoft’s LinkedIn), thereby enabling them to bring a much broader offering to market against Salesforce.

What Does This Mean For Your Business?

If you’re a business-to-business marketer the synergy and broad scope offered by the joining of these two companies could provide a level of value and potential leverage that surpasses that of the current market leader, Salesforce.  The move looks set to cause a serious stir in the marketing automation market and could prove lucrative for Microsoft and Adobe, as well as providing new knowledge insights and opportunities to both companies that could shape further product developments.

Businesses Delayed Security Breach Disclosure

An FoI request to the Information Commissioner’s Office (ICO) has revealed cause for concern over whether businesses, in the run-up to the implementation of GDPR, were preventing, detecting and responding to security threats and breaches in a good and compliant way.

Delay In Identifying and Reporting

An FoI request to the ICO by threat detection and response firm Redscan found that, in the year leading up to the implementation of GDPR on 25th of May, many UK businesses appeared to be routinely delaying data breach disclosure to the ICO.

The data revealed in the request indicated that companies took an average of 60 days to identify that they’d been a victim of a data breach and an average 3 weeks after discovery to report a breach to the ICO.  The worst offending business (in the data revealed) took a massive 44 months to identify a breach, and some organisations took an average of 142 days to report their breaches to ICO.

Financial and Legal Quicker at Identifying & Reporting Breaches

The FoI data did, however, show that financial and legal sector organisations were better at identifying and reporting breaches.  For example, financial services firms took 37 days to identify a breach and legal firms took 25 days.  These figures compare favourably to the general business category where companies took 138 days to identify breaches.

Also, when it came to reporting the breaches, financial services companies took an average of 16 days and legal firms an average of 20 days.  These figures, again, compare favourably to ‘general business’ category organisations which took 27 days on average to report breaches to the ICO.

Full Impact Not Reported

The requested data also showed that 9 out of 10 businesses did not fully specify the nature and impact of the breach to the ICO.

Dates Not Reported

The same figures showed that 21% of businesses did not report the breach incident date, and 25% did not report the breach discovery date to the ICO. It may be fair to assume that these figures could indicate that businesses may have either lacked awareness about the breaches or perhaps made a conscious decision to withhold important information due to fear of the consequences.

Most Hacks Happen At Weekends

The FoI data also showed that hackers tend to prefer attacking at the weekends as this is most likely to be the time when many Monday to Friday businesses are not monitoring for threats and essentially have their guard down, and attackers have two days to break into systems.  For example, the requested data showed that more than three-quarters of incidents happen on a Saturday.

What Does This Mean For Your Business?

This data relates to behaviour before the introduction of GDPR, but with GDPR now in place, and with the legal risks (big fines) and reputational stakes now escalated, businesses need to make sure that they can be compliant going forward.

Attacks are getting more diverse in nature, are occurring across a wider front, and are becoming more sophisticated.  Businesses must, therefore, make sure that they have the appropriate skills, technology, controls and procedures in place to identify a breach in the first place.

Also, businesses now need to make sure that they report identified breaches in enough detail, and within 72 hours of becoming aware of the breach, where feasible.  These things are now vitally important as reporting requirements are much stricter under GDPR.

The fact that most businesses are hit by hackers at weekends indicates that businesses need to ensure that they have 24/7, 7-day-a-week controls, defences and procedures in place to be able to protect their systems and the data they hold.

New 1TeraByte (Yes, TeraByte) MicroSD Cards Launched

Both Micron and Western Digital’s SanDisk brand have announced at the Mobile World Congress that they are launching the first 1TB microSD cards.

A First

Up until now, companies haven’t been able to produce anything above 128GB, so the jump to a 1TB capacity card is a big jump that could mean less reliance on the Cloud for storage, and better performance from smartphones and other devices.

Micron

Micron Technology, Inc., the US global corporation based in Idaho, has announced the launch of the c200 1TB microSDXC UHS-I card, an innovative removable MicroSD card that boasts a terabyte of A2 grade storage with V30 certification.  This should mean that although it can seriously ramp up the performance of a smartphone, it could be suitable for any number of devices and gadgets.  The new card uses an (up to) 100MB/s read-write rate, which means that it can support and store up to 40 hours of 4K HDR video, thousands of 40MP+ photos, and mobile.

Micron reports that the new card leverages 96-layer 3D quad-level cell (QLC) NAND technology, thereby providing cost-effective storage for consumer electronic devices.

The Micron website says that the new c200 1TB microSD card “gives consumers the freedom to capture, share, store and enjoy more content while supporting their mobile-centric lifestyles.”

When For Micron?

Micron can only say that the new MicroSD should be broadly available sometime in Q2 2019.

SanDisk

Western Digital’s SanDisk Extreme “microSDXC™ UHS-I” MicroSD card is available in both 512GB and 1TB capacities, and can reach speeds up to 160MB/s with A2/V30.  It can be used in Android™ smartphones, action cameras and drones, and supports 4K UHD video recording, full HD video and high-resolution photos.

Also A2 rated, the card reads up to a reported 160MB/s, and writes up to 90MB/s, thereby providing fast app performance on smartphones.  Its fast read speeds should mean that users can save a lot of time, e.g. when transferring high-resolution photos and video.

When For Sandisk?

Reports indicate that it will not be available until April, and as a guide, expect a price tag of $449.99 for the 1TB version, and $199.99 for the 512GB version.

What Does This Mean For Your Business?

The huge storage capacity and the speed of these new cards is, of course, good news in terms of versatility and flexibility, saving time, and requiring less reliance on moving and storing everything in the cloud. A card like this is, however, likely to set you back around £375 but you may decide that this is a price worth paying for the extra capacity, speed and convenience.

Although these two new cards are A2 standard, so are suitable for running applications, most microSD cards are slower in practice than stated in the tech spec, and most devices don’t try to run applications from SD cards.  Also, being removable cards, they can still be lost or stolen, and could, therefore, be a security/data security risk depending on what you have stored on them, not to mention the expense of having to buy another one. You may decide that a fast, standard microSD card is still good enough, and you’re prepared to still rely upon secure cloud storage for most things.

It is also worth remembering that a new, super-fast SD Express standard, part of the wider SD 7.1 strategy, could soon be introduced, and could deliver read speeds of up to 985MB/s (if there were products that lived up to the standard).

$180 Million Password Taken To The Grave

115,000 customers of Canadian digital platform Quadriga are believed to be owed C$250 million, but C$180 million ($137.21 million) in cryptocurrencies have been frozen after the platform’s founder, who was the only person with the password to the platform’s stored funds, died in December 2018.

What Is Quadriga?

QuadrigaCX is a Canadian cryptocurrency exchange/platform, which allows the trading of Bitcoin, Litecoin and Ethereum.  QuadrigaCX was founded by Gerald Cotten, was Canada’s largest cryptocurrency exchange until 2019, and has 363,000 registered users.

Cold Storage

As part of QuadrigaCX’s security measures, ‘Cold Storage’ was used for most of the Bitcoins within their system. Unfortunately for Quadriga, it is this part of the system, where the bulk of their funds are stored, that is ultimately protected by one main password that was known only to the late founder, Gerald Cotten.

Dead

Mr Cotten died aged 30 from complications related to Crohn’s disease while he was volunteering at an orphanage in India.

Widow Under Pressure

With so much money owed to customers, Mr Cotten’s widow, Jennifer Robertson, is reported to have found herself under pressure to find the password.  It has been reported that Robertson, who was not involved in Cotten’s business while he was alive and does not have business records for QuadrigaCX, has conducted repeated searches for the password.

Although Robertson has Mr Cotten’s laptop, she has (so far) been unable to access the contents because it is encrypted, and no one has the password or recovery key for it. Additional attempts to decrypt the laptop have also been unsuccessful.

It has also been reported that Robertson has consulted an expert to help recover details from Cotten’s other computer and cell phones, although the expert’s attempts have been reported to have had only ‘limited’ success to date.

QuadrigaCX has now filed for “creditor protection” in an attempt to avoid bankruptcy.

Customers Unable to Withdraw Funds

In the meantime, customers have reported online that they have been unable to withdraw their funds from the platform for months, that they have only received limited information, and that the website was also recently taken down for maintenance.

What Does This Mean For Your Business?

This story highlights some of the risks associated with cryptocurrencies, and how a lack of regulation and a market that’s still in its relatively early stages can leave investors in unusual, worrying situations such as this one. In many other types of financial business where there is that level of funding involved, it would also be highly unlikely that a single password known only to one person would play such an important role. Some would say that it’s ironic that passwords are often considered now to be much less secure than other security tools, and yet this password-controlled system has confounded even the experts so far.  What is also ironic is that the ‘cold storage’ of funds, in this case, was introduced as a security measure to protect customer funds but has ended up being so secure that customers have no access to those funds.

Looking at the size of QuadrigaCX and the number of customers it has, cryptocurrencies clearly still provide a useful and valuable opportunity for trading and investment. They have, however, had a turbulent life to date, making the news for many negative reasons.  For example, just for bitcoin, regulations and restrictions in some countries (e.g. China), hacks, its volatility, a negative image from its use by international criminals and from its use in scams, a lack of knowledge about how to use it, and the fact that the high price of just one bitcoin made it (even more) niche, meant that it became a commodity and a fast-buck opportunity rather than an actual, useful currency, and the over-consumption and over-inflated value of bitcoin led to its spectacular fall in value.  There have also been well-publicised falls in value for cryptocurrencies like Ethereum’s ‘ether’ and Ripple, and Tether found itself being investigated by the U.S. Department of Justice over possible manipulation of bitcoin prices at the end of 2017.

All this said, many governments and banks would still like a ‘piece of the action’ of cryptocurrencies, and many market analysts see a future for them as a part of a wider ecosystem.

Naming and Shaming of Companies With Poor Cyber Security

A report from the Cyber Security Research Group and the Policy Institute at King’s College London has suggested that the government could help combat high cyber-crime levels by naming (and shaming) companies with poor cyber-security.

Who?

The Cyber Security Research Group at King’s College London brings together experts with backgrounds in international relations, security studies, strategic studies, intelligence, public policy, informatics and computer science in order to promote better research into cyber-security.  The other research partner in this case, the Policy Institute at King’s College London, is an independent research institute focusing on using evidence and expertise to tackle societal challenges.

Cyber-crime Levels

The report highlights the finding of the government’s 2018 data breach survey that 4 in 10 businesses experienced a cyber-security breach or attack in 2017-18, and argues that this should be grounds to enable the public to see what steps companies are (or are not) taking to keep users safe online and to protect their data.

Championing The ACD Programme

The report also champions the government’s Active Cyber Defence (ACD) programme, which was developed by the National Cyber Security Centre (NCSC) for the public sector, as something that could bring benefits if rolled out to the private sector too, or if at least the tools and techniques of ACD could be extended beyond the public sector.

The report points to the relative success that ACD has had in bringing about a fall in scam emails from fake government addresses, and in shutting down thousands of “phishing” sites that pose as government agencies in order to steal users’ personal information.  Symantec figures, for example, show that phishing rates have increased across most industries and organisation sizes. In this latest report, Tim Stevens, convenor of the Cyber Security Research Group at King’s College London, notes that, according to his research findings, ACD could be rolled out beyond the public sector legally, cheaply and efficiently, with few obstacles, and could help to tackle phishing. The report, therefore, urges non-public sector organisations to engage more actively with the NCSC in order to deploy ACD as a tool to better tackle cyber-crime in the UK.

According to the National Cyber Security Centre (part of GCHQ), the ACD programme can be used to tackle cyber attacks in a relatively automated and scalable way. Last February, when the NCSC’s Active Cyber Defence programme figures were published, they showed that the UK share of visible global phishing attacks dropped from 5.3% (June 2016) to 3.1% (Nov 2017), and that 121,479 phishing sites hosted in the UK, and 18,067 sites worldwide that were spoofing UK government sites, had been removed as a result of the ACD programme.

What Does This Mean For Your Business?

Reputations are valuable and vitally important to businesses, as cyber-security defences should be, and making sure that strong data protection measures are in place is critical. With this in mind, publicly naming and shaming companies with poor cyber-security could be one way to incentivise improvements and contribute to tackling cyber-crime across the private as well as the public sector.

The NCSC has, in any case, been working with companies for some time through the ACD programme to help them protect their customers.  For example, the NCSC launched a collaborative online platform where BT has been able to share its threat intelligence data with other UK ISPs, and the NCSC has offered support to BT to help strengthen its security and block malware infections.

As acknowledged, however, in the Cyber Security Research Group and the Policy Institute at King’s College London report, ACD is not a finished product but a work in progress, and it is not a single entity, amenable to simple, one-off deployment. Also, a government programme that is extended to the private sector could face suspicion as being perhaps a way for the government to scan and collect data about private organisations.  For this reason, the CSRG and King’s College London report recommends perhaps putting a buffer between the government’s intelligence community and third parties in the form of regulatory authorities in each sector, e.g. the Charity Commission in the third sector.

In reality, effective cyber-security comes from a large number of factors working together, including education and training as well as deploying relevant technologies, but the figures from the success of the ACD programme so far show that it, or tools based upon it, could have real value as part of a number of measures that could help reduce cyber-crime for private as well as public sector organisations.