By Nick Hawkins, Managing Director of Everbridge EMEA
Cyber-attacks are a constant threat to organisations. Nick Hawkins, Managing Director of Everbridge EMEA, discusses how cloud-based communications platforms can help an organisation improve emergency communications and recover from the effects of a cyber-attack.
In today’s globalised business environment, organisations of all sizes face the prospect of falling victim to a cyber-attack or IT outage that could cause serious damage to their infrastructure and ability to operate. Despite improvements in cyber-security techniques, criminals have developed sophisticated ways to disrupt systems and steal data. The need to prepare for cyber-attacks is more important than ever.
True cost of cyber-attacks
According to Cisco’s 2017 Annual Cybersecurity Report[i] more than one third of the organisations that experienced a cyber breach in 2016 reported a loss of customers, business opportunities and revenue. The 2017 SonicWall Annual Threat Report[ii] reported an increase from 3.8 million ransomware attacks in 2015 to 638 million in 2016.
Cyber-attacks cost UK businesses a total of £34.1 billion[iii] between Summer 2015 and 2016, with each attack costing an average of £4.1 million and taking 31 days to resolve. Whilst large corporations—which invest millions of pounds in cyber-security—have the potential to recover easily from such a crisis, for most Small/Medium Enterprises (SMEs) and Non-Governmental Organisations (NGOs) cyber breaches can have more far-reaching and detrimental consequences.
No business is safe
On Friday 12th May, the NHS experienced a national cyber-attack. Hackers attacked the backbone of the NHS, tapping into computers, telephone lines, MRI scanners, blood-storage refrigerators and theatre equipment. Surgeons resorted to using their mobile phones to communicate with one another, and critical information such as x-ray imaging was transported around the hospital on CDs.
In the NHS’s case, the malware took hold on machines running Windows XP. Some reports state that 90% of NHS trusts run at least one Windows XP machine. The NHS is becoming increasingly reliant on machines which are connected to the internet.
Firewall renewal dates for PCs will be logged; however, it is easier to forget when a portfolio of internet-enabled devices needs to be updated for security. With the internet of things (IoT) expected to consist of millions of new connected devices in the future, this issue will become more critical.
Investing large sums of money in cyber-security is no guarantee of protection, as shown by a number of recent high-profile cyber-attacks against large corporations all over the world—including the BBC, Sony’s PlayStation Network, HSBC and eBay.
Sony lost control of its entire network. Hacker group Guardians of Peace stole personal information from tens of thousands of current and former workers and published them on the web. This included social security numbers, salaries of top executives and five Sony-produced movies.
It is not just large organisations that are targeted; government departments and agencies, rail networks and local businesses regularly find themselves in the same position. When attacks occur, crucial services are compromised and the reputational impact can quickly reduce consumer confidence and brand value. Large scale attacks also have the ability to impact share price value. Planning what to do when a cyber-attack occurs is important, but how victims communicate in an attack is equally critical.
Importance of effective communication in a crisis
In the event of an emergency, effective communication is crucial. When IT systems go down, an organisation needs to be able to communicate with its employees and co-ordinate an effective response. The longer this process takes, the bigger the impact the crisis will have.
A successful cyber-attack can affect multiple communication methods:
- If your phone and voice mail system is VoIP-based, you may lose your company phone system.
- If your employee hotline runs through your voice system, this could also be lost.
- If your company website is hosted in-house, it may go down, meaning customers, employees, the general public, and the media cannot find you.
- If company telephone bridges are running through your phone network, they may not be available.
- If the core network is compromised, every computer becomes a standalone machine with no access to company records. Human resource information, employee contact information, vendor lists, or other key phone lists may be inaccessible.
With multiple resources affected, how will you communicate? A critical communication platform can be used for the following:
- Employee information: pushing information to employees about the company status and messaging.
- Conference bridges: using toll-free conference bridges for employee, vendor, senior management, Board of Directors, and other key stakeholder phone calls.
- Stakeholder groups: using pre-defined groups that have been created for key stakeholders to push information via phone, text or email.
As no business or organisation is totally immune from the dangers of a cyber-attack, it is vital that crisis management plans are in place to minimise impact and ensure a return to business-as-usual practice as quickly as possible.
An effective crisis management plan consists of two key components: quick, reliable and secure communication with all employees to notify them of the situation and the efficient deployment of resources to resolve the issue.
It is important that businesses consider the following questions to prepare for a cyber-attack:
- What threats could impact your organisation?
Companies have to understand the type of threat the organisation could experience and the impact it could have. For example, it could result in loss of services or data. The solution will differ depending on the threat.
- Do you have a response plan?
Cyber-attacks often happen out of office hours. An IT incident response plan must be in place to combat an attack even if it happens at 5am. An efficient response plan will include methods of communication for specific stakeholders. Alerts will also differ depending on whether the attack has just occurred or malicious code has lain dormant on the network. IT engineers require different instructions to regular employees.
- Who needs to be included in an IT incident response plan?
- IT Security: is likely to fix the issue. If an organisation does not have a dedicated security team, employees must be assigned to deal with a security crisis when it occurs.
- Incident Team: who is going to co-ordinate the response? Who should be contacted following a breach and how are you going to reach them? Define an escalation point.
- Legal-counsel: if, for example, customer credit card details are stolen, legal support may be necessary.
- Who are your stakeholders?
There are a number of stakeholders that should be considered. For example, if customer data is stolen, the following stakeholders would need to be consulted:
- C-level executives – businesses must consider when and how to consult their C-suite. For example, it may be necessary for the CEO to release a statement.
- Media relations department – to ensure strategic messaging is in place when informing customers about the incident and handling inquiries from the press.
- Customer services – need to be informed to prepare for incoming customer enquiries.
- Employees – employees must be kept up to date throughout the process to ensure they are prepared for calls from customers and the press. Employees must be aware of when and how to escalate queries.
- Customers – organisations are legally obliged to inform customers of a data breach. The ability to communicate with customers en masse in real time is important.
How to prepare communications in your response plan
- Assess: What is happening? What is the impact? Determine the likelihood, severity, and impact of the incident.
- Locate: Who is in harm’s way? Who can help? Identify resolvers, impacted personnel, and key stakeholders.
- Act: Which team members need to act? What do they need to do?
- Analyse: What have we done before? What worked? How can we improve communications?
- Communicate and collaborate: What should employees do? Notify employees on what action to take and keep stakeholders informed.
Power of cloud-based communications platforms
As cloud-based critical communications platforms are not reliant on one network, organisations that use such a platform to send out an emergency notification are assured that the message will get to the right people. Most organisations rely on internal email to communicate in the event of a crisis, despite the fact that a cyber-attack might impact the entire email network. In doing so, organisations are exacerbating the issue and potentially providing hackers with critical company information.
By having a system that operates entirely independent of an internal communications network, organisations can ensure that the bilateral lines of communication between management and staff remain open—even in the event of a cyber-attack or IT outage that may compromise an internal network, or a rush of calls which may overload a telecommunications network.
By using cloud technology to automate the time-intensive emergency cascade process, resources can be deployed far more effectively and efficiently than before, ensuring that the safety of everyone involved is better protected. In doing so, communications technologies can not only help protect business assets but save the lives of employees. In an emergency, organisations cannot waste time searching spreadsheets and schedules to manually notify employees.
Multi-modal, two-way communication
Critical communications platforms are already deployed by many businesses, local authorities and national governments around the world to warn and advise people in the event of a crisis. These incidents can range from sourcing a relevantly-skilled IT technician to repair a broken server, to engaging with the public during a terror threat. Central to the success of critical communications platforms are two key functions. The first is the capability to deliver messages using a variety of different methods – this is known as multi-modal communications. No communications channel can ever be 100% reliable 100% of the time, so multi-modality transforms the speed at which people receive the message. Multi-modality facilitates communication via multiple communication devices and contact paths including email, SMS, VoIP calls, social media alerts and mobile app notifications, amongst many others.
Multi-modality ensures that it is easier to receive a message. Two-way communication makes it simpler to confirm a response. In a critical emergency every second counts, so organisations can use communications platforms to create and deliver bespoke templates that require a simple push of a button to respond to. In doing so, the level of response to critical notifications can increase significantly.
For instance, if a cyber-attack compromises an e-retailer’s website, every second costs the business money. An IT engineer must be located and available to help as fast as possible. Two-way communications enable the business to send an alert to the IT team giving them the option to reply with “available and onsite”, “available and offsite” or “not available”. Organisations can build a clear picture of the incident and prepare for downtime if necessary.
Combined, multi-modality and two-way communications transform critical communications from an incident alerting platform into a communications tool with which organisations can respond smarter and faster. In situations where multi-modal communications and response templates are deployed together, response rates to messages increase from around 20% of recipients to more than 90%.
Critical communications in action
CLS operates the largest multicurrency cash settlement system in the foreign exchange (FX) market. Launched in 2002 and owned by the world’s leading financial institutions, the organisation operates globally and offers settlement services for 18 currencies. On average, CLS settles USD 5 trillion of payment instructions every day for its clients.
CLS needed a solution that would streamline its IT incident management practices.
After extensive research CLS chose to implement Everbridge’s mass notification and IT incident management tools to provide it with a multifunctional communications platform that could send notifications to high numbers of people and devices in an efficient and reliable way. Everbridge’s platform ensures that in the event of an incident, there is no delay in informing employees and management of the situation and deploying resources to resolve it.
As technology continues to advance, cyber-attacks are on the rise and organisations need to have the tools in their armoury to be able to communicate and recover quickly in the event of a crisis. It is an organisation’s response to a cyber-attack that will determine the severity of its impact. Critical communications platforms can help businesses prepare for a breach to limit downtime and damage. Companies have a duty of care to keep customer information secure. Legal implications could be applied if responsibilities are not fulfilled. An efficient, well-practiced incident response plan can maintain brand reputation and ensure a business is not forever known for the number of customer bank details or thousands of pounds worth of revenue it lost.
Iron Mountain releases 7-steps to ensure digitisation delivers long-term benefits
Iron Mountain has released practical guidance to help businesses future-proof their digital journeys. The guidance is part of new research that found that 57% of European enterprises plan to revert new digital processes back to manual solutions post-pandemic.
The research revealed that 93% of respondents have accelerated digitisation during COVID-19 and 86% believe this gives them a competitive edge. However, the majority (57%) fear these changes will be short-lived and their companies will revert to original means of access post-pandemic.
“With 80% still reliant on physical data to do their job, now is a critical time to implement more robust, digital methods of accessing physical storage,” said Stuart Bernard, VP of Digital Solutions at Iron Mountain. “Doing so can enhance efficiency and deliver ROI by unlocking new value in stored data through the use of technology to mine, review and extract insight.”
When COVID-19 hit, companies had to think fast and adapt. Digital solutions were often taken as off-the-shelf, quick fixes – rarely the most economical or effective. But they are delivering benefits – those surveyed reported productivity gains (27%), saving time (20%), enhancing data quality (13%) and cutting costs (12%).
So what now?
The Iron Mountain study includes guidance for how to turn quick-fixes into sustained, long-term solutions. The seven-steps are designed to help businesses future-proof their digital journeys and maximize value from physical storage:
1) Gather insights: The COVID-19 pandemic allowed organisations to test and learn. Companies should ensure these insights are fed into developing more robust solutions.
2) Use governance as intelligence: Information governance and compliance are fundamental to data handling. But frameworks aren’t just a set of rules, they hold valuable insights that can be turned into actionable intelligence. Explore your framework to extract learnings.
3) Understand your risk profile: A key early step is to analyse where you are most vulnerable. With data in motion and people working remotely, which records are at risk? What could be moved into the cloud? Are your vendors resilient?
4) Focus where you will achieve greatest impact: To prioritise successfully, you need to know where you will achieve the largest impact. This involves looking beyond initial set-up costs towards the holistic benefits of digitisation, including reducing time spent on manual scanning, and the risk of compliance violations.
5) Reach out and collaborate: We are all in this together. Your IT, security, compliance and facility management teams are all facing the same challenges. Ensure you collaborate across functions to develop robust, integrated solutions.
6) Find a provider who can relate to your digital journey: For companies that still rely heavily on analogue solutions, digitisation can be daunting and risky. It pays to find a vendor who has been on the same journey, understands your paper processes and can guide you through the digital world.
7) Prioritise and evolve communication and training programmes: To reap the full rewards from any digitisation initiative, thorough and continuous communication and training is critical. Encouragingly, our survey found that 81% of data handlers have received training to work digitally which is an excellent step in the right direction, but consider teams beyond data handling to truly succeed.
The research was commissioned by Iron Mountain in collaboration with Censuswide. It surveyed 1,000 data handlers across the EMEA region. It found that the departments that have digitised more due to COVID-19 include IT support (40%), customer relationship management (36%), and team resource planning (34%).
3D Secure: Why are fraudsters still slipping through the net?
By Tim Ayling, VP EMEA, buguroo
There is a constant tension between keeping online payments secure, and offering an easy and frictionless user experience. Digital transformation – especially accelerated by the global pandemic – leaves consumers expecting online services to be seamless. Customers are even liable to abandon a process altogether if they encounter a hurdle.
Financial regulation and security protocols exist to help ensure that a balance is maintained between offering customers this frictionless experience, and keeping them and their funds safe from fraud attacks.
What is 3D Secure?
3D Secure is one such protocol. This payer authentication system is designed to keep card-not-present (CNP) ecommerce payments secure against online fraud. The card issuer uses 3D Secure when a card is used to pay for something online, authenticating the customer’s identity based on personal identifiers, such as the three-digit CVV code on the back of a card, as well as the device they’re using to make the payment and their geolocation or IP address.
3D Secure is important because although transactions can be accepted or denied based on the level of risk, it’s not always as clear as ‘risky’ or ‘not risky’. A small number of transactions will have an undetermined or questionable level of risk attached to them. For example, if a legitimate customer appears to be using a new device to buy goods online, or appears to be attempting to make the transaction from an irregular location. In these instances, 3D Secure provides a step-up authentication, such as asking for a one-time password (OTP).
Getting the right balance
3D Secure is a helpful protocol for card issuers, as it allows banks to comply with Strong Customer Authentication as required by EU financial regulation PSD2 as well as increase security for transactions with a higher level of risk – thereby better filtering the genuine cardholders from fraudsters.
This means that the customers themselves are better protected against fraud, and the extra security helps preserve their trust in the bank to be able to keep their money safe. At the same time, the number of legitimate customers who have their transactions denied is minimised, improving the customer’s online experience.
So why are fraudsters still slipping through the net?
Fraudsters are used to adapting to security protocols designed to stop them, and 3D Secure is no exception. The step-up authentication that is required by 3D Secure in the instance of a questionable transaction often takes the form of an OTP, a password or secret answer known only by the bank and the customer. However, there are various ways that fraudsters have devised to steal this information.
The most common way to steal passwords is through phishing attacks, where fraudsters pretend to be legitimate brands, such as banks themselves, in order to dupe customers into giving away sensitive information. Fraudsters can even replace the pop-up windows that appear to legitimate customers in the case of stepped-up authentication with their own browser windows disguised as the bank’s. Unwitting customers then enter the password or OTP and effectively hand it straight over to the fraudsters.
Even when an OTP is sent directly to a customer’s phone, fraudsters have found a way to intercept this information. They do this through something called a ‘SIM swap scam’, where they impersonate their victim and manage to get the legitimate cardholder’s number switched onto a different SIM card that they own, thereby receiving the genuine OTP in the cardholder’s place.
This is especially an issue for card issuers when taking into account the liability shift that is attached to using 3D Secure. When a transaction is authenticated using 3D Secure, the liability moves to lie with the card issuer, not the vendor or retailer. If money leaves a customer’s account and the transaction was verified by 3D Secure, but the customer says they did not authorise the transaction, the card provider becomes liable for any refunds.
How AI and behavioural biometrics can be used to plug the gap
Banks need to find a way to accurately block fraudsters while allowing genuine customers to complete online payments. AI can be used alongside behavioural biometrics as an additional layer of security to cover the gaps in security through continuous authentication of the customer.
Behavioural biometrics can collect and analyse data from thousands of parameters around user behaviour such as their typing speed and dynamics, or the trajectory on which they move the mouse, throughout the entire online session. AI processes are used to dynamically compare this analysis against the user’s usual online profile to identify even the smallest of anomalies, as well as against profiles of known fraudsters and typical fraudster behaviour. AI then delivers a risk score based on this information to banks in real time, enabling them to root out and block the fraudulent transactions.
As this authentication occurs invisibly, the AI technology can recognise if the customer is who they say they are – and that it isn’t a fraudster trying to input a genuine OTP they have managed to steal through phishing or SIM swapping – without adding any additional friction.
Card issuers cannot decline all questionable transactions without losing customers, while approving them without additional checks poses security issues that can result in financial losses as well as losses in customer trust. Behavioural biometrics is a foundational technology that can work alongside 3D Secure to keep customers’ online payments safe from fraud while maintaining a frictionless experience and minimising the risk of chargeback liability for banks.
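The decision flow the article describes (frictionless approval, OTP step-up for questionable transactions, and a behavioural check that can still block a session presenting a correct but stolen OTP), as an added illustrative example that is not buguroo's code or any real 3D Secure implementation. The signals, thresholds, the `behaviour_anomaly` score and the `liable_party` rule are assumptions chosen to show the logic, not values from the article.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import hmac


class Decision(Enum):
    FRICTIONLESS = "frictionless"  # approve without a step-up
    CHALLENGE = "challenge"        # questionable: require an OTP step-up
    DECLINE = "decline"


@dataclass
class CardholderProfile:
    known_devices: set
    usual_countries: set
    typical_max_amount: float


@dataclass
class Transaction:
    device_id: str
    country: str
    amount: float
    # Output of a hypothetical behavioural-biometrics engine for this session:
    # 0.0 = typing and mouse dynamics match the cardholder, 1.0 = completely foreign.
    behaviour_anomaly: float


@dataclass
class Outcome:
    approved: bool
    stepped_up: bool  # True when an OTP challenge was issued and passed
    reason: str


# Constructed thresholds (assumption); an issuer tunes these from fraud and false-decline data.
CHALLENGE_AT = 0.3
DECLINE_AT = 0.7
BEHAVIOUR_BLOCK_AT = 0.8


def initial_risk(tx: Transaction, profile: CardholderProfile) -> float:
    """Risk from the signals the article names: new device, irregular location, unusual amount."""
    score = 0.0
    if tx.device_id not in profile.known_devices:
        score += 0.3
    if tx.country not in profile.usual_countries:
        score += 0.3
    if tx.amount > profile.typical_max_amount:
        score += 0.2
    return min(score, 1.0)


def triage(tx: Transaction, profile: CardholderProfile) -> Decision:
    """Map the risk score onto the three outcomes: approve, step up, or decline."""
    score = initial_risk(tx, profile)
    if score >= DECLINE_AT:
        return Decision.DECLINE
    if score >= CHALLENGE_AT:
        return Decision.CHALLENGE
    return Decision.FRICTIONLESS


def authorise(tx: Transaction, profile: CardholderProfile,
              otp_entered: Optional[str], otp_expected: str) -> Outcome:
    """Full flow: triage, optional OTP step-up, then the behavioural check on every session."""
    decision = triage(tx, profile)
    if decision is Decision.DECLINE:
        return Outcome(False, False, "initial risk too high")
    if decision is Decision.CHALLENGE:
        # Constant-time comparison so the check itself leaks nothing about the OTP.
        if otp_entered is None or not hmac.compare_digest(otp_entered, otp_expected):
            return Outcome(False, False, "otp missing or wrong")
    # Runs whether or not an OTP was required: a phished or SIM-swapped OTP is genuine,
    # but the session typing it does not behave like the cardholder.
    if tx.behaviour_anomaly >= BEHAVIOUR_BLOCK_AT:
        return Outcome(False, False, "session behaviour does not match cardholder")
    return Outcome(True, decision is Decision.CHALLENGE, "approved")


def liable_party(outcome: Outcome) -> str:
    """Liability shift as the article describes it (simplified assumption): an approved
    transaction that passed the 3D Secure step-up puts refund liability on the issuer."""
    return "issuer" if outcome.approved and outcome.stepped_up else "merchant"


if __name__ == "__main__":
    profile = CardholderProfile({"dev-A"}, {"GB"}, 500.0)  # constructed cardholder
    stolen = Transaction("dev-X", "GB", 120.0, behaviour_anomaly=0.92)  # right OTP, wrong person
    print(authorise(stolen, profile, "482913", "482913"))
```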
Track and Trace and Other Lost Data
By Ian Smith, General Manager and Finance Director at Invu
You, like me, were probably amazed by the now infamous loss of the over 16,000 positive test results in the track and trace system due to an Excel spreadsheet error.
You, like me, probably wondered how the Government could get something so important so wrong?
But perhaps we should ask are we standing in a greenhouse launching stones?
Data risks from software
Today we are spoilt with software offerings that help us with both our personal and our work lives.
Microsoft Excel is a powerful application and offers many functions now that required moderately complex macro writing in the past, seducing all of us into submitting more data for it to analyse. In finance, we tend to solve all those problems our applications cannot address using Excel.
In finance, we also know the risks of formula errors, and if we have relied on it enough, we will have our own war stories to go with these risks. Yet, we often continue to use the tool for operations that make those folks with an information technology background shake their heads.
These Excel files nowadays may find themselves resident on a local file server or one of the many file servers in the cloud (like those from the big three, DropBox, Google Drive and Microsoft OneDrive or other less well-known file sharing applications). Many of us use these in multiple ways.
Beyond finance and Excel, there are now many applications that we run our data through and leave data stored in the form of documents, comments and notes.
The long-standing example is email. We today receive many documents via email, with content in the body often providing context. Email systems then become the store for that data. While this works from a personal point of view, for a business working at scale, the information stored this way can be lost to the rest of the business. Just like data falling off a spreadsheet when there are not enough rows to capture the results.
More recently, we have seen easy to consume applications develop in many areas like chat and productivity. Take for example task management apps, my own preference being Monday.com (I am sparing you the long list of these). The result of the task and how we got there, in the form of attachments or comments, are often stored in the application. Each application we touch encourages us to leave a bit of data behind in its store.
Many of these applications can have a personal use and an initial personal dalliance is what sparks up the motivation to apply the application to a business purpose. Just like the “Track and Trace System”, they can often find themselves being used in an environment where the scale of the operation overwhelms their intended use.
In our business lives, combining the use of applications in this way by liberally sprinkling our data across multiple systems often stored in documents (be they Microsoft Word, email, scans or comments and notes) puts us on the pathway to trouble.
Imagine how Matt Hancock felt explaining to Parliament that the world-class track and trace system depended on a spreadsheet.
Can you imagine a similar situation in your business life? Say, for example, that documents or data in some form was lost because of the use of disparate systems and/or applications that were not really designed for the task you assigned to them.
Who would be your Parliament?
Now you can see yourself in the greenhouse, you may not want to reach for that metaphorical stone.
If these observations create some concerns for you, you may want to consider the information management strategy at your business. You have a strategy, even if it is not addressed specifically in documents, plans or thought processes.
These steps may help figure out where you are and where you want to go.
- Assess your current environment.
Are you a centraliser, with all the information collected in one place? Or is all your data spread across multiple stores, as identified above? Are you storing your key business information on paper documents, or digitally or a mix of both.
- Assess your current processes.
Do your processes run on a limited number of software applications? Or do you enable staff to pick their own tools to get things done? The answer to this question is often a mix of both, where staff bridge the gaps in those applications using tools like MS Excel. A key question to think about is how the data in email, particularly the attachments, is made available to the business.
- Design a pathway for change and implement it.
Start with the end in mind. I suggest the goal is to enable the right people to have the right access to the information they require to do their job in real-time. I believe the way to effectively do this is to go digital. The fork in the road is then whether to centralise your information store or adopt a decentralised approach.
My own preferred route is to centralise using document management software that enables all your documents to be stored in one place. Applications like email can be integrated with it, significantly reducing the workload required to file and store the data. The data can then be used in business applications using workflows. Thinking these workflows through will help you assess the gaps between your key business applications and consider whether tools like Excel are being stretched too far.