Welcome to the latest edition.


Contents
(click a subject to jump to item)

      Introduction »
      The Stimulation Piece – (continued from the March 2015 Newsletter) »
      Burrill Green Consulting »
      Training »
      Security Solutions Now »
Introduction

We continue on from our last newsletter with our thinking on cyber security. We highlight again our Corporate & Cyber Security Executive Masterclass which embraces an ever-growing area of essential activity and investment attention.

Over the past few years, much time has been spent on stressing the necessity for convergence between Security and IT. We strongly agree.

We equally strongly teach that Security should be converged with all business functions - all stakeholders - and our Masterclass course scenarios ensure multi-functional engagement and deliberation. For those who fear convergence leading to one function taking over another, fear not. Our approach means working together in harmony and with shared purpose, and maximising strengths so that the service to organisations is greater than the sum of the parts. As you will see in our stimulation piece, co-operation and shared approaches will be vital to maintaining appropriate levels of risk mitigation in an ever-challenging world of threats and attacks.

We will also report on recent activities and opportunities across the group.
The Stimulation Piece (continued)

Here we have collated a number of sources to capture industry thinking about trends in threats and solutions in the coming months. The chart below represents inputs from 17 organisations and maps some 130 views into a number of categories:





(Sources include: Blue Coat, Damballa, FireEye, Fortinet, Forrester, Gartner, IDC, ImmuniWeb, Kaspersky Lab, Lancope, McAfee, Neohapsis, Sophos, Symantec, Trend Micro, Varonis Systems, Websense. Image: ZDNet)

The first two - "New attack vectors & platforms" and "Evolution of existing cybersecurity solutions" show how attack and defense are interlocked. In the first level, several commentators highlighted "new bugs in old, widely-used code" (Kaspersky Lab), such as Heartbleed/OpenSSL and Shellshock/Bash. Apple was the main new platform under the spotlight. Why this should be so now is because they are big enough to be worthy of attention from ill-doers. FireEye makes the point this way -"Apple's increasing enterprise footprint means malware writers will adjust their toolset".

A wide range of predictions falls into the second level ("Evolution of existing cybersecurity solutions"), where, "Automated security tools and solutions will no longer be efficient," (Immuniweb) if used without a human element of intervention. Hackers will work harder to evade what have become known as " sandboxing techniques" and fob off investigators by "throwing more red herrings into their attacks to thwart investigators and intentionally planting evidence that points to an unassociated attacker".

A number of predictions mention specific new attack vectors and platforms, like the Internet of Things (IoT), mobile technology, social networks, big data and analytics, cloud services, retail point-of-sale and payment systems, web technology and open-source software. Opportunities for hackers will continue to expand as internet penetration carries on. Things that were hardly conceivable only two or three years ago are now emerging. For instance, recently a drone was hijacked via a backdoor in its Linux-based control software. That could play havoc with pizza deliveries in the future!

On the Internet of Things (number 3 in the chart), "Your refrigerator is not an IT threat. Industrial sensors are." That is, malhackers are more likely to target M2M communication in automated industries like power generation and oil or gas extraction than try to "melt the butter or spoil your milk" in your smart fridge (Websense). We noted this kind of attack in our book, Value from Security, where we talked about an attack on the NYSE, not on the software of the trading system, but on the computers and the software controlling cooling in their data centres. Forrester reckons, "A wearables health data breach will spur Federal Trade Commission action soon" - something that businesses in wearable-based employee wellness programs need to get their heads around.

Mobile platforms (4) remain highly tempting for hackers and cybercriminals. Further, the extending introduction of mobile payment systems such as Apple Pay put icing on the Temptation Cake. Mobiles can also be hacked as a gateway into data the devices can freely access in the cloud.

People and social networks (9) are another attack point for hackers, using knowledge of and from target victims to gain access to other critical systems and data. This is a kind of digital social engineering approach where the victim is ignorant of the process until disaster strikes.

Join this up with big data and analytics (13) and the emerging picture can get really scary. "Even when encrypted or anonymised, the vast amount of data being collected on people through social networks, credit-card transactions, security cameras and digital footprints are increasingly being pieced together into a frighteningly complete picture. This threatens not only individuals but government organizations, corporations and their business partners "(Varonis Systems). To counteract this, Symantec believes that "Machine learning will be a game-changer in the fight against cyber-crime".

Cloud services (14) are another cybersecurity battlefield. Cloud and IaaS (Infrastructure as a Service) companies will need to compete on how well they manage and protect data while also providing productivity-enhancing functionality to clients. IDC sees security software itself moving into the cloud: "Enterprises will be utilizing security software as a service (SaaS) in a greater share of their security spending. By the end of 2015, 15% of all security will be delivered via SaaS or be hosted and by 2018 over 33% will be". This is a threat or an opportunity - it all depends whose eyes you are seeing this with.

It’s not all about attacks on our own personal data, or governments fighting data wars between nation states. Retail operations (15) will continue to get increased attention in 2015 and beyond: "Hackers target points of sale, or ATMs" (Kaspersky Lab). Forrester, in their inimitable way predicts that "Retail security budgets will increase by double digits in 2015". Other new avenues of attack noted in the 2015 predictions include open-source software and vulnerable third parties such as links in the supply chain or malware-infected advertising (next new word -"malvertising").

High-profile security breaches (5) will also continue to make headlines this year but they may come from newer alarming areas, like healthcare data. Few other single types of record contain as much Personally Identifiable Information (PII) that can be used in a multitude of follow-up attacks and various types of fraud.

Encryption and privacy (6) will continue to increase to try and protect consumer or organisation privacy. Malware will also increasingly hide behind encryption. This trend brings back into the spotlight the positioning debates between key agencies like government, legal and media practitioners. With a growing awareness of security and privacy concerns with revelations of intelligence agency spying through data breaches, encryption is finally becoming more of a default choice. Law enforcement and intelligence and security agencies are unhappy about it, under the belief that it will adversely impact safety, while citizens are threatened about how they are being ‘criminalised’ by governments demanding more and more data about all aspects of everyday life. This is made more complex, especially for globally-operating enterprises, because rules and laws differ from region to region. Data will be more secure in the EU (proposed Data Protection Regulation), but what will happen in the US? A US firm is likely at some point to be implicated in a significant breach of EU data. The prospect of multimillion dollar fines and suits following customer breaches leads Forrester to predict that "$100 million 'cyberinsurance' policies will become the norm" - which is probably making certain law practices salivate at the prospects.

The evolution of organisations' security strategies (8) will be interesting to monitor. Demands as a result of attacks will mean that for many they will elect not to run their own security operations centre (SOC) because of costs and resource considerations, and that businesses in some cases will shift from a "peacetime" to a "wartime mindset". Outsourcing security is a subject that continues to create much noise and debate within the security profession. Furthermore, cybersecurity's increasing profile means that security (but probably not for the best reasons) will finally raise its profile in the Board room By 2018, 75% of chief security officers (CSO) and chief information security officers (CISOs) may report directly to the CEO, not the CIO.

There needs to be a greater push, away from a still clearly vital response to actual events and threats, and one towards what we referred to before as advanced detection, and organisations investing in "hreat detection and response" methodologies and systems are likely to be in greater demand.

"State-sponsored and politically motivated attacks (11) will continue to increase in frequency" (McAfee). Politically motivated attackers will extend to target private citizen and cyberwarfare/terrorism will increasingly be conducted by loosely affiliated cells independent from, but in support of, nation-state causes and agendas.

Along with new activities, there will continue to be the slew of new words and neologisms coming along as well. "Ransomware" (12) is where money is extorted in exchange for releasing some restriction (such as data encryption) on an infected system. This is likely to increase - "Scammers will continue to run profitable ransomware scams," (Symantec) and, "Ransomware will evolve its methods of propagation, encryption, and targets" (McAfee).

As we travel the world and try and get on with the business of providing organisations with the means to continue to conduct their business and flourish, we can also expect to see further developments in biometrics and multi-factor authentication. Cybercrime will grow and cybersecurity skills will need to be provided and developed. We have our own specialist skills and learning programmes in this vital subject. It’s going to be a busy time.

As we have said for a long time, it's no longer sufficient for organisations just to guard the network perimeter with a firewall and install antivirus software on endpoints. CSOs and CISOs need to continually monitor the evolving threat and to replace an "If we get hacked" mindset with a "When we get hacked" one.

Social, mobile, big-data, cloud and other digital-transformation strategies will all be exposed to new kinds of cyberattacks. In addition to the now elementary and foundational requirements of firewalls, antivirus software, VPNs, intrusion detection/protection systems and advanced threat defenses, investment will be required in new counter-cybercrime tools, the skilled people to operate them and cyberinsurance policies for the ultimate last resort.

We are here to help CSOs get cybersecurity's increasingly high profile much and more needed attention in getting the case addressed in the Board room. We have our own Corporate & Cyber Security Executive Masterclass, a world-leading programme designed specifically to support this need. Burrill Green is also able to provide guidance and advice to individual CSOs who need help in understanding how they can lead or be more involved in cybersecurity issues within their organisation.

For more on this, contact John Hedley, our Director of Training here »
Burrill Green Consulting

On 19th May, David Burrill, in cooperation with Praesidio, our Danish partner company, gave a workshop for Henley Business School Denmark on Crisis Management & Corporate Reputation.  Here is a link to an interview that David gave about the subject:






For more about Praesidio and their complementary services you can contact:

Susanne Diemer

Tel: +45 3155 4525
Email: susanne@praesidiogroup.com 

Aside from continuous appearances on public platforms, we also continue to develop our own Business School product, the latest being our Corporate & Cyber Security Executive Masterclass which we referred to in the Stimulation Piece. For more details about the prospectus with another of our core strategic partners, the MIS Training Institute, just click here »

Further, we also conduct a number of coaching and mentoring programs for senior executives, whether they are bedding down in new roles, or are surrounded by fresh challenges where a confidential and objective sounding- board can often unlock ways to move forward. Our global experience may well help organisations to develop ways of addressing risks and threats in proven and rapid ways, reducing time and costs in getting to viable solutions and processes. To see how this service might be appropriate for you, just call or email David Burrill initially on +44 1233 625838 or david.burrill@burrillgreen.com

Another growth area for Burrill Green is helping companies to ‘sell’ the value of Corporate Security across the spectrum from Board to ‘shop floor’. It is essentially a highly professional branding project that enables CSO's and their (generally) ExCom/CSuite level line managers to make a credibility and recognition breakthrough. There are three principal facets to this: one is to design a strategy that will enable the more creative CSOs to turn aspirations for their function into achievement; the second is to provide the sort of external professional consultancy report which is sometimes seen by company leadership as a prerequisite for change; and the third is to convert any key stakeholder doubters, such as heads of other functions, into allies who will recognise that there is danger and no future keeping their functions or Security in silos and seek Convergent Success. Frankly, we would be surprised if any other consultancy could help you to the degree that BurrillGreen can in this context. Again, if you are interested in this service, contact David Burrill on +44 1233 625838 or david.burrill@burrillgreen.com
Training

The Burrill Green trainers are in high demand in the second half of 2015. In the coming months we have training commitments across the globe, including Brazil, Canada, South Korea, Taiwan and Thailand. In case you elected to jump straight into the Newsletter at this point, here is a repeat from a previous section about our own Business School's latest product, the Corporate & Cyber Security Executive Masterclass. For more details about the prospectus with another of our core strategic partners, the MIS Training Institute, just click here »

We are accepting applications for this most challenging 5-day course now. Two of these Masterclasses are currently scheduled in the remainder of 2015 - in Copenhagen (26 - 30 October) and London (7 - 11 December) and one, though there will be more, in 2016 in Copenhagen (7 - 11 March). For further details and advice on applications, please contact our Director of Training, John Hedley, on john.hedley@burrillgreen.com or +44 7534 993244

Looking further ahead, we are at an advanced stage of discussion with a partner company in India to enable us to market and deliver three Masterclass courses in different cities on the sub-continent in 2016. We are excited at the prospect and the new challenges this will bring.

Feedback on Burrill Green training continues to be extremely enthusiastic. A recent one-day in-house training session on Crisis Management in South America ran out of time, due to the intense level of participation and debate. The delegates spontaneously and unanimously decided to re-convene the next day to follow the crisis scenarios through to the nail-biting conclusion!

Our distance learning courses are also working very well. Participants on the courses with backgrounds as diverse as new mid-career recruits, those entering security from other areas such as corporate relations, intelligence analysts looking for a move into security management, as well as security managers taking the course as a development opportunity, have all praised both the content and the delivery of courses.
Security Solutions Now

On the frontline of our response service the team continues to be very active. Operations, investigations and due diligence have taken up much of our time and effort during the period. Our services continue to be requested at regular intervals. Burrill Green has been active in Central and South America, in Denmark in conjunction with our partner Praesidio, and also in Europe.

Counterfeiting is on the increase and this has been reflected in the number of investigations in this specialist area. Clients have also been concerned about fraud and theft and hold concerns about security of large and small gatherings given the increased threat from terrorist groups.

As ever, please feel free to contact Geoff Gillion, our Director Operations, for a realistic and reasonable quote for a service to meet your requirements on +44 7903 474357 or geoffrey.gillion@burrillgreen.com
Our associates continue to take Burrill Green experience and learning around the world, and we continue to build partnerships with like-minded organisations serving the needs of a demanding security world. We always welcome discussions about further ways we may be able to help, so don't hesitate to get in touch.

See you next time,

David, Kevin and your whole team at Burrill Green.
Newsletter Archive:

March 2014 issue »

July 2014 issue »

December 2014 issue »

March 2015 issue »