Defence Estate Optimisation Programme – Industry Events

12-14 DECEMBER 2017 – LONDON

 

The Defence Infrastructure Organisation (DIO) is holding a series of specialist industry events for the construction and infrastructure sector to provide an update on the progress of the Defence Estate Optimisation (DEO) Programme.

Sessions will focus on funding and strategic corporate opportunities, disposal and development opportunities for surplus sites, and construction and technical requirements for building projects to be undertaken on MOD retained sites.

This event follows an introductory industry day held in December 2016 and the industry webinar on the London estate in February this year, after the Better Defence Estate announcement in November 2016. The DEO Programme aims to reduce the MOD’s built estate by 30 per cent and re-provide a substantial amount of new facilities on core sites.

 

Interested parties are invited to attend on the days below:

 

Tuesday 12th – Funding Advisors (i.e. Private Finance)

Wednesday 13th – Property Advisors (i.e. Disposal Agents & Development Partners)

Thursday 14th – Construction Delivery Partners and Strategic Construction Advisors (i.e. Design & Construction Management and Technical Specialists)

 

For more information, and details of how to register for the event, please email: DIOASP-EOInfo@mod.gov.uk.

 

Please note, spaces are limited.

 

For more on the strategy, please watch our video: https://lnkd.in/d49rr9Q.

 

Cyber security in defence supply

Cyber security is once again on the front pages and tops the list of security concerns following another round of high-profile attacks.

With the sector experiencing exponential growth, and the technology reaching into every area of industry, business, finance, health, government, and personal sectors, cyber security underpins the continued development of the global digital economy. Its technologies protect our personal data and messages online, safeguard the intellectual property of businesses and secure our critical national infrastructure.

techUK’s Cyber Security programme is an active leader in the sector, providing a channel for the industry to engage with commercial and government partners, giving intelligence on the threat landscape, increasing cyber exports, and stimulating awareness of, and demand for, cyber security in the UK.

Providing secretariat for the Cyber Growth Partnership, a government-backed initiative chaired by Matt Hancock, techUK is fully immersed in stimulating demand and growth for the sector.

We spoke to Talal Rajab, Head of Programme for techUK’s Cyber and National Security programmes, about the sector and its focus throughout 2017.

Having originally joined techUK as Programme Manager, Talal manages strategic relationships between Government and industry members on cyber and national security related issues, in particular through the Cyber Growth Partnership. He also leads techUK’s work on the Investigatory Powers Act and has led on a number of cyber security related research projects.

This year, techUK is keen to focus on government strategy, initiatives and awareness, in particular aligning with the National Cyber Security Centre, and becoming a key partner between industry, public sector and government.

Talal explained that techUK’s work encompasses public sector cyber security, such as DWP, HMRC or local government, where there is a vast number of opportunities for cyber security companies as government puts forward its digital-first and digital-transformation agenda.

“We are looking at the challenges local government is facing for example. How are they positioning themselves for 2017 and what does industry need to know about in terms of what is coming on the horizon? Therefore creating an informed supplier community that knows what the challenges are for local government, as well as an informed buyer, who knows what they need.”

techUK also supports private sector growth, with a focus on financial services and the whole world of connectivity.

He said: “There are a lot of opportunities out there. It is a vast market and it can be quite difficult if you are a cyber SME to understand whom you need to speak to, or what sectors you need to focus on, etc. So we do a whole host of leadership work on these topics in partnership with other trade bodies. For example we work with the Federation of Small Businesses to talk about cyber security for SMEs, with the British Bankers Association to look at some of the banks, and the British Retail Consortium to look at retailers and the retail sector. The idea behind that is to bring their members together with our members to talk about some of the key issues and try to create some network opportunities for people.”

The other area where techUK can help members is export. Many of the UK-born cyber security companies are small and can find the export market difficult to negotiate. And the UK has a great reputation in this sector, so there are growing numbers of opportunities to sell our capabilities.

Talal says: “They see the UK as a world leader in this regard so some of these companies find it easier selling abroad than they do here. We will run workshops for some of these companies, help bring in foreign delegations to talk to some of the companies and network with them and so forth.”

Cyber security is a massive issue for industry, and next year sees GDPR introduced. We asked Talal if this really is going to be the game changer it is being heralded as.

“Without wanting to sit on the fence, there are two ways of looking at it,” he says. “One is that it is over-hyped, that we have been here before with various legislation and GDPR will not be that instant change that a lot of people are thinking it is going to be. However, there is another school of thought that sees it as the big game changer, especially for large organisations who could be fined 4% of global turnover – and that can really, really dent their revenue. So in that case, GDPR is going to make them take cyber security more seriously. Discussions that we are having with other organisations and some of our own members is that they are putting in policies and procedures now in order to be compliant by May 2018.

“I would say an area of concern is further down the line in the supply chain, when you have got SMEs and small businesses who haven’t heard of GDPR and when this starts to come into play they are going to be completely surprised and shocked by it, or think they are not relevant, won’t be affected by it when in fact they will.”

Is this where Cyber Essentials would come in?

“The problem is, it’s needed across the board, not just defence. Every company across the UK needs to get their cyber security essentials in order. Cyber Essentials is a good scheme; while not perfect, it does provide a very good basic foundation for cyber security within an organisation.

“If you look back to 2014, the government announced that they would mandate Cyber Essentials for all public sector contracts that involved confidential and sensitive information, I would argue that should be extended to all providers to the public sector. It just makes sense, and what we see with MOD doing it, is that has changed. We are getting a lot of companies in Andy’s (Andy Johnston – techUK Defence) programme in defence approaching me saying what is Cyber Essentials and how do I get it?”

In order to meet demand, techUK have run workshops for Cyber Essentials to help their members, and demand continues to grow: “I have spoken to a member who provides Cyber Essentials certification, and they have been approached by a company that provides fleet cars in Wales. They now need to go through Cyber Essentials because it was part of their contract. All this is a good sign that cyber security is high on the agenda for most businesses.”

So the message is clear: cyber attacks are developing and becoming more sophisticated all the time, therefore your cyber protection needs to be robust. Taking small steps can help you clear that worry and can help you win contracts you would otherwise miss out on.

 

The post Cyber security in defence supply appeared first on Defence Online.

Building Information Assurance into the heart of your projects

A full lifecycle IA approach for suppliers and buyers 

Information Assurance (IA) is now a well-established countermeasure to the growing cyber threat that all organisations and citizens face. The UK Government’s new Cyber Security Strategy 2016-21 is testament to the importance we should all afford the issue.

This importance is particularly applicable to the defence sector. For some time, the Government has insisted that all its suppliers conform to the new Cyber Essentials Scheme (CES). This went up a gear in April 2017 with the Ministry of Defence’s (MOD) launch of the Cyber Security Model (CSM). To be compliant, the MOD supply chain will now need to have Cyber Essentials or Cyber Essentials Plus and information security governance policies in place. 

While schemes and standards like CES and ISO27001 are a good start, in practice IA isn’t always integral to our working practices and systems. Often we pay lip service to it or add it as an afterthought. In major defence projects, especially ones that involve sensitive information, this is just not acceptable. IA must be built in all the way through.

IA Inside from Ascentor is designed to help buyers and suppliers do exactly that – making IA holistic, integrated and effective throughout the project lifecycle.

Caption: IA Inside: designed to integrate Information Assurance into the four main lifecycle phases of every project

“In over a decade of working with public sector buyers and suppliers, we have rarely seen a joined up approach to IA. At best it’s fragmented, at worst it’s missing altogether. Bolting IA on at the end just isn’t viable so we’ve come up with the IA Inside concept to help all the actors on the IA stage.” – Dave James, Managing Director of Ascentor

Here’s how it works:

IA Inside for Buyers

Specification Phase

Identifying information risks and protecting your information should not simply be a question of conformance to policy; it is good business practice. The earlier you analyse your requirements the better, so you can embed them in the specification and lay the foundation for a robust approach to securing your information.

Procurement Phase

Once the specification contains IA requirements, it’s important to give them focus and weight during the procurement phase. The Invitation to Tender (ITT) could highlight IA by setting scored questions seeking both the supplier’s IA approach to the project and the supplier’s corporate IA credentials.

Buyer Benefits

Building IA into the heart of your projects will save you money and reduce risk. Remember the principles of Total Quality Management and structured software engineering? Defects found early in the process are easier and quicker to fix, and therefore cheaper to fix, than those found later. It makes perfect sense, so why not do the same for IA?

MOD Benefits

IA Inside would help the MOD assess and specify its information risks, and ensure they are handled in accordance with JSP440 and to the satisfaction of the accreditor.

 

IA Inside for Suppliers

Tender Phase

As IA increases in importance and starts to feature explicitly in ITTs, suppliers treating IA seriously will be in a stronger position. When IA is implicit, hidden or missing altogether, suppliers can often treat it as something to ignore or trade off in favour of lower cost, taking a “we’ll worry about it later if we win” attitude. With IA Inside, this won’t work any longer.

Delivery Phase

By the time delivery commences on an IA Inside project, the IA elements will be built into the approach. Suppliers will need to deliver on their promise rather than go back to the drawing board when IA is mentioned.

Supplier Benefits

IA superiority is starting to count. Having robust IA from both a business and project perspective should enable you to build competitive advantage. You may also save money as you will enter the delivery phase with IA well-defined and budgeted, so there will be no risk of you having to add functionality from your contingency fund.

 

This article was submitted by Dave James, MD of Ascentor. Ascentor provides support and guidance to public sector organisations and departments that have very high value and sensitive information assets. www.ascentor.co.uk

Cyber security – protecting your data

Following several rather embarrassing security leaks over the last year, cyber security and cyber threats are at the top of the table.

In the second of our series of interviews we speak with Vince Warrington, founder of Protective Intelligence, about cyber security, cyber essentials and the application of the DCPP in 2017.

Vince is a leading Information Assurance and Cyber Security expert with over 15 years’ experience heading-up large-scale, organisation-wide IT and cyber security programmes for central Government departments, blue chip private companies and well-known voluntary organisations across the globe.

Vince founded Protective Intelligence in 2005 to provide an optimum IT and cyber security service to enable organisations to effectively prevent accidental data leaks, secure their IT networks successfully and deliver robust security awareness training for all staff and stakeholders. His mission is to educate businesses, charities and Government departments to move away from traditional IT security models, to one where everyone within an organisation works towards the common goal of protecting information through joint responsibility and co-ordinated thinking.

It’s good to speak to you today, Vince, can we talk about cyber security?

Certainly, one of the schemes the Government would like to see businesses take up is called Cyber Essentials. It’s a very good programme, essentially (pun intended!). There are two levels to it: Cyber Essentials, and Cyber Essentials Plus. Both are based around a self-assessment test, measured against five criteria:

  1. Boundary firewalls [to prevent unauthorised access]
  2. Secure configuration [setting up systems securely]
  3. User access control [restricting access to those who need it]
  4. Malware protection [i.e. using anti-virus software]
  5. Patch management [i.e. updating software]

Building on the base level, the Plus level adds a penetration test to the assessment, where an outside body will independently test your resilience. The scheme was devised by GCHQ to be repeatable and attainable, and makes sure your organisation is covering the basics of good cyber security.

These five key areas are vital to cyber security, and if you are getting these right – whether through Cyber Essentials or not – you should be reasonably secure against the most common forms of cyber attack. Implementing Cyber Essentials is estimated to stop 70-75% of the most common attacks organisations would receive daily. Cyber Essentials really is the basic building blocks of a good cyber defence – the surprising thing, in my experience, is that a lot of companies of all sizes are still getting this wrong!

I have heard people saying ‘It’s a government thing, it’ll be long-winded and complicated’ but it really isn’t. Accreditation should be achievable for all but the very smallest organisations and, in any case, is what companies should be doing to protect their data anyway.

There is also the DCPP, which is a really good scheme for risk profiling and determining which category a contract falls into in the defence sector.

How do you think the Government can encourage take up of the scheme?

We’re already seeing government tenders being issued where a key qualifying criterion is being Cyber Essentials accredited. This is not surprising, as security becomes more and more important – and it is a government standard after all! We’ll see the requirement spreading from core central government and the defence sector into areas such as construction, where there are a lot of big contracts and associated data. The government feels there needs to be more basic cyber security hygiene – and it will get to the point where no company will be able to take on any public sector contract without certification. So eventually you’ll even see companies that provide transport to schools, for example, needing Cyber Essentials.

It will also pass down the supply chain, especially where we see larger companies sub-contracting aspects of public sector contracts down to smaller organisations.

Do you think that’s a general problem across the UK, that companies aren’t aware of the importance of cyber security to their company – they see it happening to banks and financial institutions but don’t realise that they are just as much of a target?

We see it all the time. While I think organisations, as well as the general public, are slowly becoming more aware of the issue of cyber security, part of the problem is that the information put out tends to be technical in nature and, as a consequence, not very approachable. There’s a lot of information out there, but it doesn’t actually mean anything to most people. Sometimes the industry itself doesn’t really help matters by using jargon.

There is a big problem that organisations don’t comprehend the problem and think “why would anyone want to hack us?” But it really is an issue for everybody, as the majority of cyber attacks aren’t targeted at all. When using a tool such as ransomware, the cyber criminals operate a ‘shotgun’ approach and attempt to hit multiple targets in one swoop – often millions of email addresses in one go. As the nature of these attacks is somewhat random, anyone can become a victim, from your Grandma right through to a major bank.

Why do you think this is?

People don’t realise how much data is out there on them. I often say to people that this isn’t an IT problem – it’s a people problem. We need to understand how vulnerable our information can be and what it can be used for. So, looking at it simply as an IT problem is not going to work. We need to engage with people about the issues.

We like to think of ourselves as logical creatures that have emotions, when actually we are emotional creatures who can think logically. So a key part of solving the cyber security issue is making sure we can discuss it by appealing to both the logical and emotional side. We often hear that 123456 or QWERTY are still the most used passwords, so why do people do that? It’s because the IT industry has created a scenario where we have made passwords so difficult to remember that we forget them, and so people use something easy.

Yes, I see you’re right – it isn’t really a business issue – it’s a people issue.

You will always get some people in organisations who don’t care, but most people do want to help protect their data, their company’s and customers’, but don’t really know how to do it. That’s where good cyber security people shine – they can make the end users care about protecting data.

What do you see as the main causes for concern in 2017?

The one that stands out to me is ransomware attacks. This is where infected emails are sent out and, if the malware is activated by opening the attachment or clicking on the weblink, it locks up your computer. You then must pay the ‘ransom’ to be unlocked or restore from a backup.

Most of these attacks are completely random, they’re sent out to millions of email addresses at a time. They are not targeted and can go to anyone. It doesn’t matter to the criminal if it goes to a major corporation, a small business or an individual – they will most likely get their ransom paid.

Sadly, you can no longer think it can’t happen to you. Recent stats have shown that over half of all crime in the UK is fraud or computer-based crime, which is an incredible figure.

It will be something the defence sector really needs to think about.

The defence sector not only needs to worry about the same threats as most organisations face, they also should worry about Advanced Persistent Threats (APTs). This is where advanced cyber nations (such as Russia and China) are interested in our data and want to understand what our nation’s defence capability is. One of the really interesting things we’re seeing is how certain cyber groups, such as the Russian ‘Fancy Bears’ team who recently leaked athletes’ data, are increasingly being linked to Russian intelligence services, blurring the lines between cyber criminal and nation state actor. There will be an increase in these groups being used as plausible deniability within cyber espionage in future.

Like hacking in the US elections?

It is things like that which will make senior politicians and business leaders sit up and take notice of the threats and how vulnerable we can be. As threats intensify, people will look closer at preventative measures. There are problems with industrial control systems, which were never intended to be connected to the internet but have been made to do so for a variety of purposes, such as remote monitoring. In the past, there might have been ten people in a power plant monitoring the cooling system, but now it’s one guy with a laptop at home – but he’s also surfing the web, chatting, playing games etc. on that same laptop and the ‘air gap’ between systems has been eroded. It is an area where the Government and industry need to catch up.

Is there anything else you see as a major issue?

One of the big things we will see is the Mirai malware code. This code affects the Internet of Things (IoT) devices. So, you have CCTV cameras, DVRs, heating systems, fridges – I’ve seen an internet connected hairbrush which will go on the market later this year – all becoming a part of the internet. The danger with many IoT devices is that they’re quick and easy to produce but they don’t have security included in them by design – there’s quite a lot of bad practice going on.

The Mirai code was designed to infect IoT devices to create a large, malevolent computer network called a ‘Botnet’. This network will then send out masses of data to certain websites and businesses in order to knock them offline. There have been some very significant attacks in the last year due to Mirai, and I’d expect to see an increase in volume and frequency of Mirai-based attacks this year and beyond. So if you’re a big defence company, you’re likely to see people trying to knock you offline with Mirai-based Distributed Denial of Service (DDoS) attacks, possibly accompanied by ransom demands.

It certainly has happened in finance and defence won’t be far behind that.

 

The message is clear: industry, government and public need to be aware of their cyber security requirements and keep up-to-date. Cyber Essentials can put you on the path to a safer digital future.

Tools to help you succeed in defence procurement

Event organiser BiP has some great tools to help your business win in the defence market – come and see us at DPRTE’s Defence Procurement Centre.

DPRTE’s official event organiser is the BiP Group, a company which specialises in helping the public and private sectors work more effectively together.

At the Defence Procurement Centre we will enable delegates to interact with defence procurement specialists and learn about all aspects of defence procurement from buyer and supplier perspectives. The centre will help you to succeed, whether your goal is reducing risk or increasing your organisation’s chances of tendering success.

Our experts, along with experts from the Ministry of Defence, will be there to support you with advice and solutions on all areas of defence procurement. For those wanting to learn about the Doing Business with the MOD Team – Supply Chain Development, team leader Phil Margerison will also be on hand with advice and support on winning defence contracts.

The BiP Group is also promoting Cyber Essentials at DPRTE. Any supplier bidding for a contract involving the transfer of MOD identifiable information must be Cyber Essentials certified.

To give yourself the best possible chance of winning the contracts that matter in 2017, you need to include Cyber Essentials certification in your defence procurement strategy.

Daniel Selman, MOD Deputy Head of Cyber Security, says: “Cyber Essentials provides the foundation for good cyber security. It demonstrates that an organisation is doing the simple things well and means they are likely to be able to prevent a lot of attacks being successful.”

The BiP Group is also responsible for several highly regarded publications, both online and in print.

These include Defence Contracts International, the world’s leading provider of global defence-related opportunities and intelligence.

DCI is the only business development solution created specifically for suppliers to the defence industry where you can find defence and defence-related contracts online.

DCI helps businesses to win defence contracts by helping them to:

  • Engage earlier – With more time you can spot opportunities earlier, identify future requirements pre-tender, stop wasting time searching, and only receive contracts relevant to your business. Be more proactive – not reactive.
  • Be more competitive – We give you insights your competitors don’t have, connect you with key buyer networks and supply you with intelligence on what buyers want and what they buy. Be one step ahead of your competitors.
  • Sell more effectively – We help you identify what to bid for and what to ignore so you can stop wasting time searching.

Another BiP Group service is Defence Online.

Defence Online connects the defence community with insight, intelligence and opportunities. It is the UK’s fastest-growing community of defence industry professionals, allowing buyers of defence-related services to connect with each other as well as thousands of suppliers and industry experts globally.

Our new website is an unrivalled gateway to a wide range of engagement tools, including webinars, news features, MOD announcements, stakeholder pages and much more.

Defence Online enables you to:

  • Keep connected with industry news and market insight.
  • Engage with suppliers of all sizes.
  • Keep up to date with forthcoming defence events and conferences.

Another invaluable BiP Group service is PASS Training. With 30 years of experience and unrivalled expertise, the training, consultancy and support services provided by PASS (Procurement Advice and Support Service) set the standard for professional development.

Through practical guidance and training PASS can help improve efficiency, reduce risk, improve transparency and achieve value for money for your organisation.

The BiP Group invites you to come along and see us at DPRTE to find out more about the subjects highlighted in this article and how we can place your business in front of key decision makers in the defence industry.

 

If you would like to join our community and read more articles like this then please click here

The post Tools to help you succeed in defence procurement appeared first on Defence Online.

Cyber security – protecting your data

Following several rather embarrassing security leaks over the last year, cyber security and cyber threats are at the top of the table.

In the second of our series of interviews we speak with Vince Warrington, founder of Protective Intelligence, about cyber security, cyber essentials and the application of the DCPP in 2017.

Vince is a leading Information Assurance and Cyber Security expert with over 15 years’ experience heading-up large-scale, organisation-wide IT and cyber security programmes for central Government departments, blue chip private companies and well-known voluntary organisations across the globe.

Vince founded Protective Intelligence in 2005 to provide an optimum IT and cyber security service to enable organisations to effectively prevent accidental data leaks, secure their IT networks successfully and deliver robust security awareness training for all staff and stakeholders. His mission is to educate businesses, charities and Government departments to move away from traditional IT security models, to one where everyone within an organisation works towards the common goal of protecting information through joint responsibility and co-ordinated thinking.

It’s good to speak to you today, Vince, can we talk about cyber security.

Certainly, one of the schemes the Government would like to see businesses take-up is called Cyber Essentials. It’s a very good programme, essentially (pun intended!). There are two levels to it: Cyber Essentials, and Cyber Essentials Plus. Both are based around a self-assessment test, measured against five criteria:

  1. Boundary firewalls [to prevent unauthorised access]
  2. Secure configuration [setting up systems securely]
  3. User Access control [restricting access to those who need it]
  4. Malware protection [ie. using anti-virus software]
  5. Patch management [ie. updating software]

Building on the base level, the Plus level adds a penetration test to the assessment, where an outside body will independently test your resilience. The scheme was devised by GCHQ to be repeatable and attainable, and makes sure your organisation is covering the basics of good cyber security.

These five key areas are vital to cyber security, and if you are getting these right – whether through Cyber Essentials or not – you should be reasonably secure against the most common forms of cyber attack. Implementing Cyber Essentials is estimated to stop 70-75% of the most common attacks organisations would receive daily. Cyber Essentials really is the basic building blocks of a good cyber defence – the surprising thing is, in my experience, is that a lot of companies of all sizes are still getting this wrong!

I have heard people saying ‘It’s a government thing, it’ll be long-winded and complicated’ but it really isn’t. Accreditation should be achievable for all but the very smallest organisations and, in any case, is what companies should be doing to protect their data anyway.

There is also the DCPP, which is a really good scheme for risk profiling and determining which category a contract falls into in the defence sector.

How do you think the Government can encourage take up of the scheme?

We’re already seeing government tenders being issued where a key qualifying criterion is being Cyber Essentials accredited. This is not surprising, as security becomes more and more important – and it is a government standard after all! We’ll see the requirement spreading from core central government and the defence sector into areas such as construction, where there are a lot of big contracts and associated data. The government feels there needs to be more basic cyber security hygiene – and it will get to the point where no company will be able to take on any public sector contract without certification. So eventually you’ll even see companies that provide transport to schools, for example, needing Cyber Essentials.

It will also pass down the supply chain, especially where we see larger companies sub-contracting aspects of public sector contracts down to smaller organisations.

Do you think that’s a general problem across the UK, that companies aren’t aware of the importance of cyber security to their company – they see it happening to banks and financial institutions but don’t realise that they are just as much of a target?

We see it all the time. While I think organisations, as well as the general public, are slowly becoming more aware of the issue of cyber security, part of the problem is that the information put out tends to be technical in nature and, as a consequence, not very approachable. There’s a lot of information out there, but it doesn’t actually mean anything to most people. Sometimes the industry itself doesn’t really help matters by using jargon.

There is a big problem that organisations don’t comprehend the problem and think “why would anyone want to hack us?” But it really is an issue for everybody, as the majority of cyber attacks aren’t targeted at all. When using a tool such as ransomware, the cyber criminals operate a ‘shotgun’ approach and attempt to hit multiple targets in one swoop – often millions of email addresses in one go. As the nature of these attacks is somewhat random, anyone can become a victim, from your Grandma right through to a major bank.

Why do you think this is?

People don’t realise how much data is out there on them. I often say to people that this isn’t an IT problem – it’s a people problem. We need to understand how vulnerable our information can be and what it can be used for. So, looking at it simply as an IT problem is not going to work. We need to engage with people about the issues.

We like to think of ourselves as logical creatures that have emotions, when actually we are emotional creatures who can think logically. So a key part of solving the cyber security issue is making sure we can discuss it by appealing to both the logical and emotional side. We often hear that 123456 or QWERTY are still the most used passwords, so why do people do that? It’s because the IT industry has created a scenario where we have made passwords so difficult to remember that we forget them, and so people use something easy.

Yes, I see you’re right – it isn’t really a business issue – it’s a people issue.

You will always get some people in organisations who don’t care, but most people do want to help protect their data, their company’s and customers’, but don’t really know how to do it. That’s where good cyber security people shine – they can make the end users care about protecting data.

What do you see as the main causes for concern in 2017?

The one that stands out to me is ransomware attacks. This is where infected emails are sent out and, if the malware is activated by opening the attachment or clicking on the weblink, it locks up your computer. You then must pay the ‘ransom’ to be unlocked or restore from a backup.

Most of these attacks are completely random, they’re sent out to millions of email addresses at a time. They are not targeted and can go to anyone. It doesn’t matter to the criminal if it goes to a major corporation, a small business or an individual – they will most likely get their ransom paid.

Sadly, you can no longer think it can’t happen to you. Recent stats have shown that over half of all crime in the UK is fraud or computer-based crime, which is an incredible figure.

It will be something the defence sector really needs to think about.

The defence sector not only needs to worry about the same threats as most organisations face, they also should worry about Advanced Persistent Threats (APTs). This is where advanced cyber nations (such as Russia and China) are interested in our data and want to understand what our nation’s defence capability is. One of the really interesting things we’re seeing is how certain cyber groups, such as the Russian ‘Fancy Bears’ team who recently leaked athletes’ data, are increasingly being linked to Russian intelligence services, blurring the lines between cyber criminal and nation state actor. There will be an increase in these groups being used as plausible deniability within cyber espionage in future.

Like hacking in the US elections?

It is things like that which will make senior politicians and business leaders sit up and take notice of the threats and how vulnerable we can be. As threats intensify, people will look closer at preventative measures. There are problems with industrial control systems, which were never intended to be connected to the internet but have been made to do so for a variety of purposes, such as remote monitoring. In the past, there might have been ten people in a power plant monitoring the cooling system, but now it’s one guy with a laptop at home – but he’s also surfing the web, chatting, playing games etc. on that same laptop and the ‘air gap’ between systems has been eroded. It is an area where the Government and industry need to catch up.

Is there anything else you see as a major issue?

One of the big things we will see is the Mirai malware code. This code affects the Internet of Things (IoT) devices. So, you have CCTV cameras, DVRs, heating systems, fridges – I’ve seen an internet connected hairbrush which will go on the market later this year – all becoming a part of the internet. The danger with many IoT devices is that they’re quick and easy to produce but they don’t have security included in them by design – there’s quite a lot of bad practice going on.

The Mirai code was designed to infect IoT devices to create a large, malevolent computer network called a ‘Botnet’. This network will then send out masses of data to certain websites and businesses in order to knock them offline. There have been some very significant attacks in the last year due to Mirai, and I’d expect to see an increase in volume and frequency of Mirai-based attacks this year and beyond. So if you’re a big defence company, you’re likely to see people trying to knock you offline with Mirai-based Distributed Denial of Service (DDoS) attacks, possibly accompanied by ransom demands.

It certainly has happened in finance and defence won’t be far behind that.

 

The message is clear: industry, government and the public need to be aware of their cyber security requirements and keep up to date. Cyber Essentials can put you on the path to a safer digital future.

The post Cyber security – protecting your data appeared first on Defence Online.

Contracting, Purchasing and Finance (CP&F) Update

The Contracting, Purchasing and Finance (CP&F) programme provides an end-to-end eProcurement system and associated business processes which span the commercial, purchasing and financial accounting functions for the department. As an extension to this, it includes the provision of more complete, reliable and accurate management information.

The programme is being rolled out in phases, starting with Release 2, the finance functionality, in December 2016. Release 3, which is demand capture and contract management, was implemented to different teams from May 2018 through to December 2018. Release 4, which will cover sourcing, is due to start in the second half of 2019.

For further information and updates about the CP&F programme please visit the GOV.UK Website.

The post Contracting, Purchasing and Finance (CP&F) Update appeared first on Defence Online.