A new Internet tipping point – consumers getting more power… and responsibility

I’ve recently come of age in the world of the Internet: it’s 21 years since I first signed up for my Demon Internet account. Using a modem at speeds we wouldn’t recognise these days, I was just grateful to get online! The ability to email people outside of my organisation and to find pieces of code (yes, I did purport to write code all those years ago) was invaluable.

It wasn’t long before we started to do minimal ecommerce, buying from Amazon and the like. For me this included discovering the wide range of books online that I could buy and learn from. As the ‘Information Super Highway’ – as it was then called – got more popular, we were enticed onto the highway with a simple trade: our data in exchange for free access to content. And we all want something for free, thinking that it won’t ever cost us!

If you have any further questions, please contact us.

5 Growing Pains for Chief Data Science Officers

The role of the Chief Data Science Officer (CDSO) is new and evolving – and with evolution come opportunities and challenges. We’re finding that CDSOs are faced with growing pains on several fronts – and if businesses can’t find a way to properly address some of these issues, the role of the CDSO could be at risk.

CDSOs are joining companies where the business case for their role is left ambiguous. This makes it difficult for them to demonstrate their value to the organization. In an effort to define their role and responsibilities, CDSOs must work with multiple stakeholders to forge strategic partnerships and carve a pathway to success.

Here’s where to start:

1) Avoid perpetuating “ivory tower” perceptions

The first order of business for CDSOs is to justify their existence and establish how they can contribute value to the organization. Start by building relationships. CDSOs need to work with business owners and subject matter experts to get deep into the business decisions and problems, and identify opportunities where they can use data and analytics to generate insights that enhance decision making. Failure to demonstrate value to the business can raise doubts about the legitimacy of the role.

Often, CDSOs are stepping into companies where there are multiple teams of functional analytics experts managing their data and technology platforms across multiple business units. CDSOs need to work with these existing groups to determine the right organization and operating model that can enhance the value they bring, while not slowing down the existing initiatives of business units.

2) Build Relationships with the C-Suite

Historically, enterprises have focused on traditional data warehousing, reporting and business intelligence in their use of data. But, now that every business function wants to use technology to advance their business goals, the enterprise needs to use data in new ways to make better decisions. Enterprises should use data exploration to inform business analytics. Tapping data to prepare for a possible future is the CDSO’s specialty and everyone’s interest. The CDSO should work with the CIO to educate the C-Suite and beyond on the importance of putting more organizational emphasis on predictive analytics. According to our 5th Annual Digital IQ Survey, C-Suite executives who effectively collaborate are far more likely to outperform their peers.

3) Find the funding

The governance mechanisms for funding in most organizations often confer power on those with the funds – typically P&L owners – and on C-level committees. Given the role CDSOs and their teams play as a “shared service” traversing IT and business functions, it is important for them to be able to make a direct request for funds rather than going through one of the many groups they work with or support. To secure funds, CDSOs should pull out all the stops with visualizations, demos and prototypes to “make it real” to business owners how they can enhance their performance with improved analytics.

4) Navigate the vendor landscape

As with any emerging area, the field of data science is filled with a host of start-ups and established companies claiming to offer just the ‘right’ solution for the company. CDSOs must carefully evaluate products based on the organization’s business case – and that’s no easy feat given the multitude of options in today’s crowded marketplace.

Some tools are designed as horizontal offerings that are shallow rather than deep, but more easily integrated across business units. Other solutions plunge into a particular industry or functional area, but are ‘special-purpose’ tools that are neither versatile nor easily integrated with existing solutions.

Executives can invest a lot of time and money trying to make a product work before the company realizes it needs something different. Moving onto something else is then a chore, especially when it comes to explaining the shift to senior management. Deciding when to use proprietary vendor solutions versus open-source alternatives is also a challenge that CDSOs need to grapple with.

5) Change the decision-making mindset of executives

In our recent global Big Decisions Survey, more than 58% of executives made decisions based on their own intuition or experience or those of others. Only 29% relied on data-driven decisions. Executives say they want to use analytics and data, but it’s still not prevalent at companies, in the C-Suite or beyond. Technology companies and younger employees are much more accustomed to using data to steer the ship, but most executives make decisions based on their gut reactions.

Executives can be hesitant to use more advanced data and analytics techniques to inform their actions, especially if the data contradicts what they feel is the right way to go. CDSOs must break deeply ingrained habits using an “art” and “science” approach to data. Creating compelling, visual proof-of-concepts/prototypes with simulation and gaming elements can allow executives to combine their intuition and experience with data & analytics to improve decision making.

We’ve only scratched the surface of the many issues that CDSOs are struggling with as they navigate uncharted waters. We’ll delve into each of these areas more and explore how CDSOs can chart a course for success. In the meantime, let us know if you have any other additions to our list.

Attacks against Israeli & Palestinian interests

This short report details the techniques being used in a series of attacks mostly against Israel-based organisations. The decoy documents and filenames used in the attacks suggest the intended targets include organisations with political interests or influence in Israel and Palestine. Although we are unable to link this campaign to any already documented in open source, it bears similarities to some described by others previously[1],[2].

The earliest samples in the campaign we have identified date back to the summer of 2014. The number of samples discovered and relatively small scale of infrastructure suggest the attackers have limited resources with which to conduct attacks.

Will VENOM’s strike poison your shared infrastructure?

The fangs of a newly found security vulnerability in virtual computing systems were revealed by security researchers at CrowdStrike last week. Named “VENOM”, its announcement calls attention to a previously unrecognized risk that may impact millions of systems around the world, as well as disrupt normal business as IT organizations scramble to patch affected systems.

VENOM stands for Virtualized Environment Neglected Operations Manipulation. It affects some, but not all, of the virtualization management systems in use within organizations and cloud service providers today. It highlights a weakness in some virtual systems where an attacker who has gained access to one company’s secure network could then jump to other, independent companies that simply happen to share the same virtual server space.

This new vulnerability appears to be of a similar scale to the Heartbleed vulnerability discovered in OpenSSL last year; however, this new issue has the potential to impact across organizational and company boundaries. Most organizations use server virtualization in some form today. The use of “cloud” servers crested the 50% mark this last year and is expected to hit 86% adoption by 2016, according to CIO Insights.

When data hinders, not helps

Many organizations operate a dedicated department specifically for combating cyber security threats. These are typically called “SOCs”, or Security Operations Centres.

The SOC collates information from across the organization and from external agencies to form a strategy to prevent, detect and respond to cyber attacks and security issues. The more data the SOC has access to, the more accurate a security picture they can obtain, and more detailed analysis can be performed, either to investigate issues or help prevent them from occurring. But more access means more data to analyse.

The nature of security threats has changed significantly in recent years, and the “security in depth” principle has led organizations to deploy numerous security-specific technologies, which in turn create yet more data for the SOC to monitor and react to.

This creates a new problem: how much data is too much data?

Let’s examine a fictional 250-person company, and watch what happens to the amount of data the SOC has to process.

In 2005, this organization would have had a number of servers, a firewall, some first-generation anti-virus programs, a basic network, and some basic web services. It typically generated around 6.5 GB of log data per day, all of which the SOC would examine for specific signs of security issues. With a small team, and in a 2005 threat landscape, this was achievable.

However, in 2015, that same organization has doubled in size. It has new offices, it has VPN and mobile devices, it has new business applications, it has additional security technology such as malware filters, data loss analysers and intrusion detection systems. It has the latest generation of web technology. The threat profile is now very different and much more advanced. The resulting log data is now 30 GB per day.

The net effect? An increase in log volume of over 450%.

When data hinders

Chances are that, for financial reasons following the financial crisis, the organization has not invested in additional resources for the SOC, so the existing team is now overstretched and in danger of failing to correctly detect and prevent security issues.

In addition, there is a heightened awareness of cyber risks at senior levels in organisations and increased regulatory scrutiny of how cyber risks are being managed, creating additional expectations and pressure on the SOC.

This combination of factors makes managing a SOC and meeting the increasing expectations of key stakeholders a challenge. There are however some useful strategies that can help to address this very modern problem. I will discuss them in more detail in future blogs, but here is a quick overview:

  1. Know the Enemy
    The SOC is responsible for detecting and preventing security issues from occurring, but it can only do this effectively if it knows what it is supposed to be detecting. Leading SOCs invest in external intelligence sources to help prioritise SOC spend and resources, focusing on detecting and mitigating the threats that pose the greatest risk.
  2. Know the business
    Often a large organization will operate in silos, with departments not necessarily communicating their activities to other areas. This can have a dramatic effect on the SOC, as something as simple as an application upgrade can suddenly increase log data with no warning. An effective SOC will establish a two-way dialogue with key business areas regarding security trends, recent findings, and upcoming business activities.
  3. Know the assets
    A good SOC knows where all the important assets are, and focuses its energies on monitoring and protecting those assets. Each asset has a formal security rating, and the rating will dictate the security precautions required. For example, protecting customer data is far more important than protecting the stationery ordering service.
  4. Know the data
    Knowing the difference between a message and a warning is a key skill of the SOC, and it makes sense to invest in a working framework and SIEM applications which help filter and prioritise messages. Create dashboards which show only security-specific information. For example, if there were 10,000 successful logons onto an e-banking service, this is not really a security concern; however, if a customer logs on from 3 countries at the same time, that is an issue that needs a SOC reaction.
  5. Know your staff
    Managing the SOC often involves lots of repetitive activity watching data. This can quickly lead to complacency and missed signals. Just as important, it can result in demotivation, burnout, reduced performance and even loss of staff. One way SOCs are overcoming this is to rotate staff around functions, so every member of the team is required to spend 25-30% of their time working on new dashboards, on new filters, improving forensic performance, trend analysis, attending security events and interacting with the other departments.
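To make the “know the data” point concrete, here is an added example (not code from the original post or from PwC) of the kind of filter a SOC dashboard applies: successful logons are counted as a volume metric and never alerted on, while a single user logging on from three or more countries inside a short window is raised as an alert. The log format, country codes, user names and the 10-minute window are all constructed assumptions for the demonstration; a real SIEM rule would use the organisation’s own field names and thresholds.

```python
"""
Added example: separate routine e-banking logon volume from the one pattern
that needs a SOC reaction (one customer, several countries, same time).
Everything below (log format, field names, window size) is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data, not from the post).
SAMPLE_LOG = """\
2015-05-20T09:00:01Z user=alice result=SUCCESS src_country=GB
2015-05-20T09:00:05Z user=bob result=SUCCESS src_country=GB
2015-05-20T09:00:30Z user=bob result=FAILURE src_country=GB
2015-05-20T09:01:10Z user=carol result=SUCCESS src_country=DE
2015-05-20T09:02:00Z user=carol result=SUCCESS src_country=BR
2015-05-20T09:03:45Z user=carol result=SUCCESS src_country=CN
2015-05-20T09:04:00Z user=alice result=SUCCESS src_country=GB
2015-05-20T12:00:00Z user=dave result=SUCCESS src_country=US
2015-05-20T15:00:00Z user=dave result=SUCCESS src_country=FR
2015-05-20T18:00:00Z user=dave result=SUCCESS src_country=JP
"""

# Assumed line layout: ISO timestamp, then key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src_country=(?P<country>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped, not crashed on."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m["user"], "result": m["result"], "country": m["country"]}


def triage(log_text, window=timedelta(minutes=10), min_countries=3):
    """
    Return (metrics, alerts).
    metrics: routine counts for the dashboard (successful logons are a number, not an alert).
    alerts:  one entry per user whose successful logons span >= min_countries distinct
             countries within `window` of each other.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    successes = [e for e in events if e["result"] == "SUCCESS"]
    metrics = {"successful_logons": len(successes)}

    by_user = defaultdict(list)
    for e in sorted(successes, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        # Slide a window starting at each of this user's logons.
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            countries = sorted({e["country"] for e in in_window})
            if len(countries) >= min_countries:
                alerts.append({"user": user, "countries": countries, "first_seen": start["ts"]})
                break  # one alert per user is enough for the dashboard
    return metrics, alerts


if __name__ == "__main__":
    metrics, alerts = triage(SAMPLE_LOG)
    print("dashboard:", metrics)          # volume only, no reaction needed
    for a in alerts:                      # the cases that need a SOC reaction
        print("ALERT:", a["user"], "logged on from", ", ".join(a["countries"]), "at", a["first_seen"])
```

With the sample data, the nine successful logons appear only as a dashboard count, and the single alert is for the user whose three logons from different countries fall inside the window; the user whose three countries are spread over six hours is not flagged unless the window is widened, which is exactly the tuning decision a SOC makes when deciding what counts as “at the same time”.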

Transforming the SOC to meet the challenges of today requires an intelligent approach to how companies manage cyber security and their own critical information assets. To discuss how PwC can help you improve the effectiveness of your cyber security management, please contact Euan Ramsay.

Sanctions: US action on cyber crime

On 1st April, President Obama issued an Executive Order (“EO”) giving the US Government the right to respond to cyber attacks. The US is the first country to take the step of establishing an economic sanctions programme in response to alleged cyber attacks. This was not an “April fool” spoof, but the timing could have made people think twice.

The EO will potentially impact both individuals and other entities (called Specially Designated Nationals (SDNs) or “designees” for short) if they are seen as responsible for attacks that are based on “cyber enabled activities” which threaten the national security, foreign policy goals, economic health, or the financial stability of the US.

The White House blog has explained that the EO will be used to impose targeted sanctions against the “worst of the worst” malicious cyber actors, as well as companies that knowingly use stolen trade secrets.

Specifically, the EO authorises the Treasury Department’s Office of Foreign Assets Control (OFAC) to freeze the designees’ assets.

Although no one has yet been named, we think this EO was issued with specific threat actors in mind and we may expect designations to follow shortly. Given the EO’s broad scope, which covers “entities” (including foreign governments and their affiliates), it may also be used to help deter state-sponsored cybercrime.

Once designees are announced, US persons, companies and financial institutions should then take steps to ensure they do not engage in prohibited dealings with them. Additionally, the EO suspends any entry into the US by any individuals determined by OFAC to meet the criteria for designation.

Designation could have much wider consequences for businesses outside of the US, because an entity in which an SDN has a 50 percent or greater interest is also blocked. This means U.S. persons and businesses may not engage in negotiations, or enter into contracts, or process transactions involving a blocked individual when that blocked individual is acting on behalf of the non-blocked entity that he or she controls.

As we have seen in the recent past, financial institutions that do not comply with their sanctions-related obligations can be exposed to significant criminal and civil penalties for violations of the US International Emergency Economic Powers Act (IEEPA) or other US state-based legislation.

Companies doing business in the critical infrastructure sectors listed below should also monitor any future designations of persons or entities as Specially Designated Nationals (SDNs), and consider developing an initial plan for compliance. If you work in these industries, or contract with them in the US, take note.

The US Government defines the “critical infrastructure sectors” as:

  • Chemical;
  • Commercial Facilities;
  • Communications;
  • Critical Manufacturing;
  • Dams;
  • Defence Industrial Base;
  • Emergency Services;
  • Energy;
  • Financial Services;
  • Food and Agriculture;
  • Government Facilities;
  • Healthcare and Public Health;
  • Information Technology;
  • Nuclear Reactors, Materials, and Waste;
  • Transportation Systems;
  • Water and Wastewater Systems.

In addition, institutions that are targeted by cyber criminals will see an increase in government inquiries to assist them in building cases against potential targets of these new sanctions.

The EO does not define “cyber enabled activities,” but OFAC stated in its FAQs that it will likely define the term to include any act that is primarily accomplished through or facilitated by computers or other electronic devices.

Please contact me if you have any further questions.