Technology
Why baselining security is key to improving cyber hygiene
Phil Robinson, Principal Consultant at Prism Infosec
Poor cyber hygiene remains a major cause of security breaches. The National Cyber Security Centre (NCSC) Annual Review 2023 revealed that the highest proportion of incidents it had dealt with this year were the result of the exploitation of unpatched common vulnerabilities and exposures (CVEs) affecting public-facing applications which could have been prevented through better cyber hygiene.
But what is cyber hygiene? There’s no strict definition, although the general consensus is that it’s a number of simple routine measures adopted to secure sensitive data and minimise risk from cyber threats. As most cyber threats are relatively unsophisticated, adopting these measures can prove highly effective. In the case of the CVEs mentioned above, effective patch management (an integral part of ensuring good cyber hygiene) would have seen critical updates prioritised and applied, potentially reducing the risk of compromise.
The most common measures adopted, according to the Cyber Security Breaches Survey 2023 government report, are keeping malware protection updated (i.e. anti-virus), backing up to the cloud, password management, restricting administrative access rights, and using network firewalls, with two thirds of businesses having these in place, although staff training should also be included here to mitigate the insider threat.
Is cyber hygiene getting worse?
However, the report notes that there has been a consistent decline in some areas of cyber hygiene across the last three waves of the survey. The use of password policies fell from 79% in 2021 to 70% in 2023, deployment of network firewalls from 78% to 66% (although this in practice could be due to an increased prevalence of cloud computing and deployment of Zero Trust Network Architecture), restricting administrative rights from 75% to 67%, and policies to apply software security updates within 14 days fell from an already low 43% to 31% (this was even more marked among the retail and wholesale sector where the rate fell from 41% to 29%). In addition, only 18% of businesses had instructed staff in the form of security awareness training over the course of the year.
The shift has occurred in the micro and SME sectors, although among medium businesses the number placing security controls on their devices dropped sharply (from 91% to 79%) as did agreed processes for phishing emails (from 86% to 78%). When adding to this the economic pressures which have seen these businesses cut back resources, it is clear that the downward spiral may well be set to continue, leaving these smaller businesses particularly vulnerable to attack. So, what can they do to improve security practices and reduce the likelihood of compromise?
One of the easiest ways to improve cyber hygiene is to implement an approach based on compliance with an existing baseline cyber security standard. There are a number of standards and guidance documents that can be used, such as Cyber Essentials (CE and CE+), ISO 27001 (and, more broadly, the ISO 27000 series) and the NIST Cybersecurity Framework (CSF).
Awareness of these standards is still relatively low, with only 14% saying they had heard of CE, 9% adhering to ISO 27001 and 3% working with the NIST standard, but uptake is increasing. The NCSC report found 30% of micro and SME businesses became compliant with CE for the first time this year, with 4% of micro organisations signing up to CE and 17% to CE+.
The Cyber Security Longitudinal Survey Wave 2, which only covers medium, large and very large companies, reports a higher uptake, with 25% adhering to CE, 11% to CE+ and 17% to ISO 27001. It did find that organisations were more likely to adhere to one of the standards if they had experienced a cyber incident in the last twelve months and this is worrying as it suggests even those companies with access to more resources are not acting until after they’ve been breached.
Why standards are the perfect way to increase cyber hygiene
The tide is turning, however, with 35% of businesses being motivated to get CE compliant to generally improve security, compared to 22% pursuing compliance to bid on government contracts and 15% for commercial contracts. Several initiatives have also sought to spread the word and in January 2023 the NCSC launched its Funded CE Programme offering financial assistance for those seeking accreditation.
From a cyber hygiene perspective, CE provides a comprehensive basis with five technical controls covering boundary firewalls and internet gateways, secure configurations, user access controls, malware protection and patch management. Today, however, only a fifth of businesses comply with all five, according to the Breaches Survey. Of those that do fully comply, 66% had experienced an incident according to the Longitudinal Survey, which meant they only went ‘all in’ after the event, at which point they realised the value of the controls in enabling them to identify and manage incidents.
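The patch management control above, and the "apply software security updates within 14 days" policy the survey figures refer to, can be turned into a check a small business can actually run rather than a line in a policy document. The following is an added example written for this page, not code from the article, from Prism Infosec or from the NCSC. It assumes a pending-update list with a CVSS score and vendor release date per fix, maps CVSS onto the usual v3 bands (7.0 and above high, 9.0 and above critical) to decide which fixes the 14-day window applies to, and reports which are already outside the window. The package names, CVE-style identifiers, scores and dates are all constructed for illustration.

```python
"""Patch-management SLA check against a 14-day baseline (added example)."""
from dataclasses import dataclass
from datetime import date

SLA_DAYS = 14  # the 14-day window the survey asks about


@dataclass(frozen=True)
class PendingUpdate:
    package: str
    cve: str            # constructed identifier, not a real advisory
    cvss: float         # CVSS base score as published with the fix
    released: date      # date the vendor fix became available


def severity(cvss: float) -> str:
    """Map a CVSS base score onto the usual v3 bands (assumption)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def in_scope(update: PendingUpdate) -> bool:
    """The 14-day window is applied to high and critical fixes (assumption)."""
    return severity(update.cvss) in ("critical", "high")


def days_overdue(update: PendingUpdate, today: date, sla_days: int = SLA_DAYS) -> int:
    """Positive when the fix has sat unapplied longer than the SLA, else <= 0."""
    return (today - update.released).days - sla_days


def prioritise(updates, today: date, sla_days: int = SLA_DAYS):
    """In-scope updates, most urgent first: most overdue, then highest CVSS."""
    scoped = [u for u in updates if in_scope(u)]
    return sorted(scoped, key=lambda u: (-days_overdue(u, today, sla_days), -u.cvss))


def sla_breaches(updates, today: date, sla_days: int = SLA_DAYS):
    """Updates already past the deadline; any entry here fails the baseline."""
    return [u for u in prioritise(updates, today, sla_days)
            if days_overdue(u, today, sla_days) > 0]


def compliance_rate(updates, today: date, sla_days: int = SLA_DAYS) -> float:
    """Fraction of in-scope updates still inside the window (1.0 = compliant)."""
    scoped = [u for u in updates if in_scope(u)]
    if not scoped:
        return 1.0
    ok = sum(1 for u in scoped if days_overdue(u, today, sla_days) <= 0)
    return ok / len(scoped)


# Constructed sample: pending updates on a public-facing host.
SAMPLE_UPDATES = [
    PendingUpdate("webserver", "CVE-0000-0001", 9.8, date(2023, 10, 1)),
    PendingUpdate("tls-lib", "CVE-0000-0002", 7.5, date(2023, 10, 20)),
    PendingUpdate("image-tool", "CVE-0000-0003", 5.3, date(2023, 9, 15)),  # medium: out of scope
    PendingUpdate("kernel", "CVE-0000-0004", 7.8, date(2023, 10, 28)),
]
TODAY = date(2023, 11, 1)  # constructed run date

if __name__ == "__main__":
    for u in prioritise(SAMPLE_UPDATES, TODAY):
        late = days_overdue(u, TODAY)
        state = f"{late} days overdue" if late > 0 else f"{-late} days left"
        print(f"{u.package:12} {u.cve}  {severity(u.cvss):8} {state}")
    print(f"in-scope updates inside the window: {compliance_rate(SAMPLE_UPDATES, TODAY):.0%}")
```

Run as-is, the constructed sample reports the web server fix as 17 days overdue, the TLS library fix with two days left and the kernel fix with ten; the medium-severity tool is listed nowhere because the window is only applied to high and critical fixes. Feeding the script a real pending-update export in place of the constructed list gives a repeatable answer to "are we meeting the 14-day policy?" that can be tracked over time.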
In contrast to CE, which is driven by the UK Government, ISO 27001 is an international standard and demonstrates an organisational commitment to managing information security. Last year it was consolidated down from 14 to four areas: Organisational, People, Physical and Technological. The list of controls was cut from 114 to 93, with 11 new ones added, while 57 have been merged and some removed, and five new attributes have been introduced to align with digital security. These are all changes that make it much more relevant to SMEs.
ISO27001 can take some time to achieve but is valid for three years while CE and CE+ are renewed annually. CE is a self-assessment while CE+, an extension of CE, requires third party involvement with an assessor carrying out a technical audit and vulnerability scans.
What is clear is that poor cyber hygiene can leave the business open to attack but that putting in place a minimum level of security can significantly reduce the chance of being compromised. These baseline standards all provide a route for organisations that are short on time and resources to improve their cyber hygiene. In fact, the NCSC states that 80% fewer cyber insurance claims are made with CE in place, revealing just how effective making these small changes can be when it comes to mitigating attacks. So rather than viewing such compliance as an outlay, organisations need to view these standards as a vital investment in protecting their processes and assets.
Business
The need for speed: Why fintechs must supercharge background checks to stay competitive
Source: Finance Derivative
By Luke Shipley, Chief Executive Officer and co-founder at Zinc
In the fast-paced world of finance, and particularly where finance and technology intersect, hiring candidates with the right skills is crucial for staying ahead of the competition. For fintech firms, conducting fast yet thorough background checks is key to balancing regulatory compliance with the need for speed.
However, financial regulations in the UK demand rigorous oversight to safeguard consumer data, prevent fraud, and maintain financial stability. As part of these regulations, fintech companies must conduct thorough background checks to ensure new hires align with compliance standards, mitigating risks to both the company and its customers. These checks involve verifying critical information such as financial history, credit reports, criminal records and employment history, which are essential for determining the suitability of candidates handling sensitive financial data. These checks are both time-consuming and resource-intensive, slowing down the hiring process.
Fintech firms can sustain rapid growth and meet regulatory obligations without sacrificing operational efficiency by streamlining this crucial part of the hiring process with the right tools. This also enables HR teams to focus on creating a positive experience for new hires, rather than burdening them with additional administrative tasks. Implementing efficient systems that reduce these checks from weeks to days allows companies to swiftly onboard talent, maintain customer trust, and stay competitive.
Challenges of traditional background checks
Traditional background checks in the fintech industry are complex and time-consuming due to the stringent regulatory requirements that financial organisations must follow. Verifying candidates’ financial history, running credit reports, conducting Disclosure and Barring Service (DBS) checks, and confirming employment history for the past several years are all critical tasks. These checks are not only meticulous but also require coordination with external agencies, which often slows down the process.
Manual handling of these background checks can extend the hiring timeline by weeks or even months, creating operational inefficiencies for fintech companies that need to scale quickly in a competitive industry. Prolonged hiring cycles can also lead to delays in onboarding vital talent, putting added pressure on already stretched teams.
For HR departments, managing these extensive checks manually places a heavy administrative burden. The time spent gathering documentation, verifying information, and coordinating with third parties diverts HR professionals from focusing on more strategic initiatives, such as talent acquisition and improving the candidate experience. As a result, the manual process not only hinders recruitment efficiency but also affects the company’s ability to attract top talent in a timely manner.
Role of technology in streamlining background checks
Here, technology plays a crucial role as it revolutionises the background check process in fintech by reducing manual interventions and simplifying time-consuming tasks. Automated platform systems now handle complex steps like identity verification, credit checks, and employment history validations far more efficiently than traditional methods. These technologies not only speed up the process but also provide one centralised place for employee documentation and improve accuracy by reducing the risk of human error in verifying critical information.
Automation also allows fintech companies to complete thorough background checks in a fraction of the time, continuing to ensure global compliance without delaying the hiring process. HR teams are freed from the burden of manual data gathering by automating repetitive tasks and reminder emails so they can focus on higher-value activities, such as candidate engagement and talent strategy.
Moreover, integrating background check platforms with existing HR systems streamlines recruitment workflows. This integration ensures a seamless transfer of data, and provides real-time updates on the status of each candidate’s background check. The result is a faster, more efficient hiring process that allows fintech firms to onboard new employees quickly, creating a positive reflection of their brand at every stage of the onboarding process.
Improved candidate experience
Technology in recruitment not only benefits HR teams but also significantly enhances the candidate experience. Automated systems cut down lengthy waiting periods, helping candidates move through the hiring process more swiftly.
From digital applications to real-time status updates, candidates enjoy a seamless, transparent process, which minimises stress and uncertainty. This streamlined approach improves communication and ensures that candidates are informed at every stage of their check progress, fostering trust and keeping them engaged. Additionally, modern tools like AI-driven assessments or automated interview scheduling save time, allowing candidates to focus on showcasing their skills rather than dealing with logistical hassles. Fintech companies can improve their overall employer branding by providing a more efficient and organised hiring process, attracting top talent who appreciate a modern and tech-forward experience.
It is why speeding up background checks is crucial for fintech companies aiming to stay competitive. By leveraging modern technology, these companies can benefit from greater efficiency, regulatory adherence, and an enhanced candidate experience. Fintech firms should embrace tech-driven solutions to balance speed and regulatory requirements, ensuring a smooth, transparent, and efficient hiring process.
Business
Three key questions on the road to AI adoption
By Gert-Jan Wijman, VP & GM EMEA, Celigo
In the world of IT, there is rarely a period when some technology trend isn’t promising to deliver greater efficiency, productivity, and competitive advantage.
Few trends, however, have ever been met with the level of attention, expectation, and investment that AI is currently receiving. Usually, we would expect to see diversity in how businesses react to new technologies as they learn and experiment, but in a recent survey of more than 1,200 global enterprise Operations and IT leaders, Celigo found that 97% of respondents already view AI as ‘critical to driving operational improvements in the coming year’. That’s amazing when you consider that less than 10 years ago, there weren’t machines considered reliable enough to provide language or image recognition at a human level.
Of those 97%, the vast majority are already well into the swing of actively investing in AI: over three-quarters of businesses indicate that they have dedicated specific resources and budget to AI, while over four-fifths have a formal strategy or roadmap in place for AI implementation. However, usage does not automatically turn into benefits, and the sheer level of interest and effort in AI adoption only raises the stakes for businesses that need to show real ROI from their exploration of this new technology.
The data, and our experience based on working with IT customers, suggest that there are a few key questions which can point the way towards successful strategies that overcome roadblocks on the path to AI adoption.
Who leads the AI charge?
Whether the technology in question is a tailor-made solution or a plug-and-play tool, the process is usually driven by IT teams. However, there are signs that for AI this isn’t the whole story. Just 26% of businesses, in fact, say that IT is at the forefront of their AI mandate, and over half allow users to implement AI solutions without formal IT oversight.
There are multiple reasons for this. For one, IT teams are often overburdened as it is, leaving them with little breathing room to take charge of something as all-encompassing as AI adoption. But at the same time, part of the promise of AI is the way that it can democratise access to technology, making complex processes more intuitive.
Indeed, 68% of businesses say they approve of a Citizen Developer mindset, in which knowledge workers are empowered to innovate processes in ways that were typically reserved for technology specialists. Such an approach has obvious benefits in terms of sharing the workload, and has the advantage that departments and teams are the experts in what capabilities would best augment their own workflows.
While there are clearly advantages to allowing citizen developers to play a role in implementing AI, it also exacerbates risks, particularly on grounds of security and data governance. To empower Citizen Developers safely, businesses first need a modern approach to integration.
Where does AI happen?
All AI applications start with good data. While any given department will have its key platforms for gathering and managing data – customer relationship management platforms, enterprise resource planning platforms, collaboration and productivity platforms, and so on – the best results will come when those data sources are brought together in a holistic way that can generate deeper insights.
The challenge of integration has been growing for a long time, as businesses lean on ever more cloud services to carry out day-to-day business. Having many specialised tools available can help teams to excel in their work, but it also makes connecting the business’s IT infrastructure together in a unified way exponentially more complex.
The arrival of AI is adding real urgency to this challenge: while employees may be able to find ways of navigating across many data sources, AI needs data to be available in a more frictionless way. Our survey found that businesses are expecting to exploit a huge diversity of data sources and types through their AI adoption, from cloud platforms and APIs to user interaction tracking and user feedback data.
In this context, investing solely in the end-goal of AI implementation risks either outcomes that underperform due to a lack of data or outcomes that create governance issues through inexpert data integrations. Attention should also be paid to technologies like Integration Platforms-as-a-Service (iPaaS), which can significantly simplify and normalise the underlying data integration challenge. Organisations should also place attention on the upskilling of staff through training so as to maximise the benefit of AI to the business.
How are AI benefits shared?
While security was the most common risk identified by respondents to our survey, 46% said that fears around jobs being replaced by AI are a concern in their organisations. As the Citizen Developer mindset suggests, however, AI is no different to any other technology in that it is ultimately by and for people.
Just as the adoption of specialised platforms by different teams can create data silos and integration challenges, permitting unchecked team-level innovation without IT oversight can ironically reinforce the very barriers that data integration aims to dismantle. This paradox highlights the delicate balance between fostering innovation and maintaining a cohesive, interconnected IT ecosystem. While team autonomy can drive rapid advancements and tailored solutions, it may inadvertently perpetuate isolation and fragmentation across the organisation’s data landscape. The challenge lies in cultivating an environment that encourages innovation while simultaneously ensuring new technologies and processes align with broader organisational goals for data accessibility and integration.
In order to maintain security while promoting the freedom to self-implement, it’s imperative that companies have a clear strategy on balancing the two. Establishing a clearly documented AI policy, for instance, can alleviate uncertainty over what is and isn’t allowed as people explore the technology. Creating an open culture of learning and experimentation can be helped with social feedback loops like lunch-and-learns, where non-technical employees share what has worked for them and IT leaders can offer their expert advice.
Over time, almost every business will experience AI as a critical driver of operational improvement. When so many businesses are investing so heavily, though, the real winners will be those who take the smartest path to the destination.
Business
How can the financial sector ensure a safe future with software escrow?
Source: Finance Derivative
Director of Global Strategic Accounts at Escode, Andy Ramsbottom, highlights the importance of software escrow in a volatile financial climate and how venture capitalists and private equity firms can mitigate the risks of investment in tech.
Recent volatility across global markets has underscored the importance of being proactive in protecting capital, particularly when investing in the tech sector. For venture capitalists (VCs) and private equity firms (PEs), protecting investments whilst navigating a turbulent financial climate is paramount.
With the UK’s tech funding showing signs of recovery, now is the time for investors to take decisive steps to make sure their investments are sound. One of the most effective tools at their disposal is software escrow—a crucial mechanism that ensures the security and continuity of their investments.
Preparing for volatility
Financial shocks can happen unexpectedly. So, VCs and PEs must adopt strategies that protect their investments from unforeseen risks. Software escrow provides an invaluable safety net that allows investors to verify the assets they are investing in and ensure that their capital is being used wisely.
By leveraging escrow agreements, investors can mitigate risks associated with the software lifecycle. This includes ensuring that source code and intellectual property (IP) are securely held by an independent third party, ready to be released if certain conditions are met, such as a default by the software developer. This mechanism not only protects the investors’ capital but also gives them greater confidence in their investment’s long-term viability.
When does an investment need software escrow?
- Single lender agreements: In high-risk software investments, a single lender agreement is invaluable. It ensures that a developer’s IP is securely held and can be transferred to the lender in case of a default. This safeguard is particularly critical in scenarios where the success of the investment hinges on the continued operation and development of the software.
- Mergers and Acquisitions (M&A): During M&A transactions, software escrow offers a layer of security by ensuring that the acquired code and platforms have been independently verified. This process not only strengthens the credibility of the vendor but also reduces the risk for the acquiring entity. The escrow agreement also consolidates all necessary documentation, simplifying compliance with legal and regulatory requirements.
- In the due diligence process: During the investment process, an investor and their legal counsel can use Escrow as part of their due diligence. Escrow agreements can include regular verification testing, ensuring that the software being invested in remains functional and compliant with all regulations. For VCs and PEs, software escrow isn’t just about mitigating risks—it’s about ensuring the success and continuity of their investments. By putting these safeguards in place early, investors can protect their capital and ensure that their investments are resilient to any future disruptions.
A proactive approach to risk mitigation
A well-structured software escrow agreement can be the difference between a successful investment and a costly failure. By preparing for potential disruptions early on, investors can safeguard their interests and ensure the long-term success of their investments. Escrow agreements not only protect the current investment but also enhance the prospects of a smooth and profitable exit for investors.
With the assurance of a secure investment, VCs and PE firms can focus on planning their exit strategies. Escrow agreements provide an additional layer of security, making the business more attractive to potential buyers. When selling a software company, having an escrow agreement in place reassures acquirers that, in the event of significant disruptions, the source code and other critical assets will remain accessible. This reduces perceived risks, potentially expediting the sale process and leading to a higher valuation.
A software escrow agreement signals that the company is proactive in mitigating risks, showcasing robust governance and risk management practices. This is particularly appealing to buyers and investors who prioritise stability and continuity in their acquisitions.