Organizations undergo digital transformation for a variety of reasons, including maximizing insights derived from data, streamlining operations, and adjusting workflows for hybrid work.

There’s no doubting the benefits. But there are potential traps along the road that businesses must also avoid, not least in the form of cyber security risks. 

Typical risks may arise from failing to provide adequate resources to match a project’s ambition, lacking proficiency to handle a multi-cloud setup, and failing to align with security frameworks. These ‘bear traps’ can be more prevalent if digital transformation is rushed, and organizations speeding up their efforts must be double vigilant because, with haste, comes a lack of focus. 

Prioritizing security, not project outcomes

Security must be the primary concern for any organization undergoing digital transformation, says Rick Hemsley, UK&I government and public sector cyber security lead at EY. That’s the bottom line. Organizations need to “integrate security considerations into every aspect of the development of new systems, processes, and products,” and those that fail to do so “will only be able to take a reactive, whack-a-mole approach to cyber security, instead of adopting a proactive mindset”.

There’s more to avoiding traps than putting security at the heart of digital transformation, though. Organizations need to learn to think differently about security too, says Frank Kim, SANS Institute fellow, cloud curriculum lead, and CISO-in-residence at YL Ventures. “A key metric in the past would have been the mean time to failure, or for something bad to happen. 

“But in the modern world, we look at the mean time to recover,” he tells ITPro. “We don’t think about the mean time to failure because we are expected to fail on a regular basis, so recovery is more important.” 

This approach resonates with a new attitude towards risk, where risk can’t be eliminated entirely, but needs to be understood and managed effectively. 

Speeding up processes heightens risk level

Organizations that decide to speed up digital transformation efforts put themselves at greater risk of leaving cyber security gaps waiting to be exploited, says David Sarginson, head of software development at digital transformation consultancy Opencast. “More change means more risk,” Sarginson explains. “The more change you introduce at any time increases complexity, and therefore the chances of unanticipated consequences.”

Further complications arise from organizations having a multi-cloud setup, Kim adds, and staff needs to be familiar with the nuances of different cloud setups, he says. “Your security team must be knowledgeable in a multi-cloud environment in each of these areas including the pitfalls, the configurations, and the mistakes that could be made. Ideally, architect from the start what those best practices are into your infrastructure.” 

When process speeds are accelerated, there’s less time to get to grips with the nuances, and more opportunity for gaps in security to manifest because security likely won’t be baked in at the outset. “[By] designing best practices directly into the infrastructure code and set-up, you’re providing a paved road for internal stakeholders that need to move to the cloud and adopt these processes,” Kim continues. “When you go off the paved road you know when to pay attention a little more.”

Instigating the right culture

Effectively dealing with cyber security risks associated with digital transformation, whether it’s been sped up or it’s happening at a slower pace, requires a risk-based approach from the outset, says Hemsley. The CIO and security teams should have the right level of knowledge and resources to “create a security framework which is defined by proactivity”, he says.

Achieving this might need an element of cultural change, and Kim confirms this isn’t always easy. “An organization can’t change culture overnight,” he says. “Depending on the size and the nature of the organization it takes anywhere from three to ten years to change.” 

Once organizations then undergo a process of risk awareness, sufficient resources must be allocated, and all employees should be trained on cyber security best practice, adds Sarginson. In addition, his advice includes using frameworks, where possible, like the NIST Cybersecurity Framework or ISO 27001. This may help to make implementing protections more efficient by removing the need to work out a security posture from first principles.

Ultimately, avoiding cyber security bear traps involves taking the proper technical steps and the right cultural ones – or as Kim puts it: “It’s not just about implementing new technology, like lift and shift. It’s about building out your people and building out your processes.” 

Risk awareness and risk management are crucial to safeguarding an organization’s assets from cyber attack, according to conventional wisdom. But how effective are these strategies if businesses are now told it’s not a matter of if, but when, disaster strikes? 

This “when, not if” theme arises again and again in modern cyber security discourse – suggesting falling victim to cyber crime is an inevitability. Being targeted, and cyber criminals successfully pulling an attack off, are two different things, though. Risk management and risk awareness are both concepts designed to make life as difficult as possible for an attacker. 

By an entire business engaging in the process of identifying and evaluating potential threats, they can offer organizations a certain base level of protection. While many might question whether these efforts – from not just the security teams – are worth the bother if an attack is ‘inevitable, they might keep organizations just on the right side of a serious incident.

Building risk appetite

Risk awareness and risk management are different things, explains EY’s UK&I government and public sector cyber security lead, Rick Hemsley.

“Whereas risk awareness refers to the proactive measures taken by organizations to educate their employees and stakeholders about potential cyber security risks,” he says, “[risk] management centers around the identification, assessment, and mitigation of potential risks to a company.”

Within these two definitions lie many distinct actions and activities: some technical and some cultural. Among the most important is defining the organization’s risk appetite, ensuring this is understood across the organization, and making sure mitigations are in place that respond to risk appetite. 

Risk appetite is a fundamental element of risk awareness and risk management. You can’t protect against everything. A person leaving their home in the morning might get their pocketbook stolen or there might be a water leak while they’re away. They can insure against loss of credit cards and water damage. But only if they’ve assessed the possibility, and put in place a mitigating strategy. They’ll do neither if they don’t think the risks are worth addressing – which is where risk appetite factors in.

Risk awareness is essential

Risk awareness is arguably the most crucial aspect, says David Adams, Grc security consultant at Prism Infosec. “Risk management won’t be effective if risk awareness is not included as a strategy.” 

Staff entrusted with implementing controls will only live up to expectations if they understand why it’s important to the organization and aware of the risks of not acting. But risk awareness isn’t just something for the tech team to consider. It must be embedded in the thought patterns and working practices across the organization. 

“The risk management strategy may well advise that personnel only work on encrypted personal applications, and in the risk awareness strategy this would be regularly communicated to staff but made relevant to them, perhaps in the form of awareness training,” explains Adams.

Can we measure how effective risk management is?

One of the issues around promoting risk awareness through an organization is it’s not always easy to measure. A risk management strategy of, say, using threat analysis to identify attempted cyber attacks, and showing which attacks are thwarted, can generate data used to demonstrate how effective these systems are and justify spending on them. 

It’s more difficult to measure the effectiveness of risk awareness in this way. An organization can, howeer, test how well its people understand the various risks it’s identified, and measure how they implement approved behaviors. It can ealso nsure that strong systems are in place, for example by implementing a zero trust framework for technology. 

Frequent and overt testing, as well as measuring people’s attitudes towards risk, can itself alienate staff, as can putting in place technology requirements that feel intrusive to actually getting work done. 

The goal should be to guard the organization, not to corral its people. And, in any case, we can’t compare two real-world scenarios – with and without a strong risk awareness strategy in place – to quantify the effect of the strategy.

Does risk management make a difference?

What organizations can do is be aware of the risks humans bring. Last year, the World Economic Forum (WEF) said 95% of cyber security  issues could be traced to human error. 

Normalising appropriate behaviours can help an organization diminish the risk of human error by increasing awareness of the consequences of certain actions – or absence of certain actions. 

The key is for the organization to ensure people feel part of the strategy, not that the strategy is foisted upon them. “A good risk awareness strategy helps create a security-conscious culture across the company, making it more resilient against attacks,” Hemsley tells ITPro. 

Adams puts it another way: “Security is the responsibility of us all and people are now much more conscious of this fact. But when it comes to the individual, relevance is key. It’s vital to make the strategy meaningful to staff.”

In the end risk awareness is a key component of how an organization handles the risks its exposed to. When the organization’s people are aware of these risks, and understand how their individual actions can help – or hinder – the organization in facing up to the very real prospect of attacks, they can play a part in mitigation. 

When cyber attacks are a matter of when, not if, every possible strategy and mitigation that helps an organization deal with its appetite for risk is a strategy worth having, regardless of how much effort it might take to implement.

The disruptions of recent years have opened our eyes to entire new categories of risks, both seriously affecting business operations and negatively impacting customer experiences. A failure to respond to these threats can have a significant effect on the future of the organisation.

This paper highlights the need to transform legacy risk management approaches, and shares three key pillars that can enable businesses to proactively respond to, and overcome, the risks they face.

Download now to learn how to get ahead of the curve with real-time risk visibility, how to ensure risk management is a company-wide responsibility, and how internal audits can improve risk posture.

Provided by  ServiceNow

Digital transformation creates a variety of new opportunities, but unfortunately can also result in the increase of risks, and the more an enterprise can understand the risks it faces - especially as a company-wide initiative - the more successful their digitisation will be.

This special edition guide can help your employees better understand how they can be part of a successful digital risk management strategy, with practical advice on how to apply learnings to real risk management situations.

Download now to learn:

• The basics of risk identification and management
• How to manage digital risk
• As well as five tips for successful digital transformation

Provided by

The management of third-party risk is no longer simply a box to tick for regulatory compliance. Since the global pandemic, third-party risk management (TPRM) has become an important priority to ensure the impact of an attack, or disruptive event, on partners and suppliers is limited.

A study by Forrester showed that demand for TPRM technology is at an all time high, so this commissioned report identifies and evaluates 12 of the most significant and leading TPRM service providers to see how each one measures up.

View now to see each vendor’s current offering and market presence, as well as how they score on flexibility, reporting, and value to help you identify the right one for your business needs.

Provided by

In a new hybrid world of work, distributed workforces and remote access points to business networks are prime targets for cybercriminals, looking to exploit the weakened security measures of multiple unmanaged devices.

This guide shares relatable cyber security breach examples, highlighting key areas at risk, and how Zero Trust security measures could reduce risk exposure and support your current cyber security measures.

Download this white paper now to fully understand your own risk exposure, and learn why additional protection measures—including zero-trust architectures—are critical to stop data breaches.

Provided by

Cloud and cyber security orientated certifications continue to be the highest paying for IT professionals, the latest research from Skillsoft has revealed.

The digital learning firm analysed data from thousands of IT professionals around the world as part of its annual IT Skills and Salary survey, resulting in a list of the top paying certifications in the industry today.

However, while the report reveals that the top jobs to have higher salaries associated with them, those figures are the culmination of several factors, Skillsoft said – including the ability to apply certified skills at work, job role, continuous professional development, tenure, and hard work.

With this in mind, the three highest paying credentials were found to be:

1. CISSP – Certified Information Systems Professional

Salary: $104,862.96

Price: $749

Top of the pile, the CISSP certification has been compared to earning a master’s degree in IT security as it equips professionals to effectively design, implement, and manage a cyber security programme.

The exam itself focuses on eight key areas within information security, including security and risk management, asset security, security architecture, software development security, and more.

Candidates require a minimum of five years of paid, relevant work experience in two or more CISSP domains. Those that lack the experience can still take the exam, and become an Associate of (ISC)2 if they pass.

2. AWS Certified Solutions Architect – Professional

Salary: $100,718.97

Cost: $300

Solutions architects are currently among the most in-demand tech roles, with organisations requiring professionals to design, deploy, and support complex cloud infrastructure. This certification from AWS validates a professional’s ability in this area.

The cloud giant recommends two or more years of hands-on experience and familiarity with a scripting language, Windows, Linux, and many AWS services.

3. CISM – Certified Information Security Manager

Salary: $97,303.57

Cost: $575 for ISACA members, $760 for non-members

As cyber security continues to be a top priority for organisations, the ISACA’s Certified Information Security Manager (CISM) certification highlights an individual’s ability to lead security teams and efforts effectively.

It validates a professional’s ability to manage, design, and assess an enterprise’s information security and proves expertise across information security governance, information security risk management, information security programme, as well as incident management.

IT professionals must have five years of relevant professional work experience before they can sit the exam.

Tech salaries continue to rise

The findings align with recent research from Hired, which found that tech salaries have continued to rise despite the pandemic and recent economic struggles around the world.

In the US, the highest paying tech roles were found to be Engineering Management ($196,193), Software engineering ($160, 469), Product Management ($157, 602), Developer Operations ($156, 321), and Design ($153, 005).

In the UK, the average UK tech salary has increased year-over-year from £76,000 in 2021 to £83,000 in 2022, with half of employees expecting a salary increase by next year.

The aim is to keep salaries high to win over top talent, meet candidate expectations, as well as prevent future job-hopping, the firm said.

“Employers continue to explore new markets and time zones for the best talent while valuing the efficiency of responsive, engaged candidates,” Hired explained. “Jobseekers still maintain a lot of power in the market.”

Leading business executives have grown more fearful of a looming macroeconomic downturn in 2022, more so than ransomware attacks or the effects of the Russian invasion of Ukraine.

Data released by Gartner this week for Q2 2022 showed that ransomware has slipped to the third-most feared emerging risk to businesses, overtaken by economic uncertainty after it took the top spot in Q1.

The potential economic downturn jumped from fifth to first between Q1 and Q2 of 2022, Gartner’s Emerging Risk Reports showed.

The top five emerging risks to business - Q2 2022:

1. Macroeconomic downturn
2. Escalation of conflict in Europe
3. State-sponsored cyber attacks
4. Energy price inflation
5. Key material shortages

“The top five risks reported by respondents were notable both for their interconnectedness and origination outside of the organisation,” said Chris Matlock, vice president at the Gartner legal, risk and compliance practice.

“While interconnected, many of the top risks send conflicting signals on the state of the economy, which makes the role of emerging risk management (ERM) leaders especially crucial in filtering the most relevant, organisation-specific information up to the c-suite and board.”

Gartner said it was ‘notable’ that all of the top five risks were external factors – outside the direct control of a business – and the impact of each would be felt differently depending on the industry and location of the business.

The leading risk, macroeconomic downturn, was described by Gartner as a high-impact factor on businesses, the full effects of which are expected to be felt over the next two years.

A shortage in key materials will also be a high-impact factor that affects businesses within a year, it said. Many technology companies are already reeling from supply chain issues, chiefly from the semiconductor shortage.

State-sponsored cyber attacks are considered high-impact for businesses, too, with Gartner predicting the fullest effects of the threat to be felt between one and two years in the future.

The most-feared risks are likely to be long-term influencers on business decisions, the analysts said. There is no apparent date by which the conflict in Ukraine will end, nor is there one for the associated sanctions placed on Russia by global nations.

Businesses are advised to continually reassess their macroeconomic outlook and regularly conduct both top-down and bottom-down risk assessments, balancing the findings from each.

They are also advised to embrace the risks presented to their industry and use them as an opportunity for understanding that could eventually propel a company ahead of competitors.

Auditing is an independent consulting activity, intended to help organisations improve their operations, as it evaluates ways to improve risk management. However within the technology industry, auditors are being replaced by automation, and with CFOs looking to reduce spending, the function of audit and compliance could become obsolete.

The audit process needs to change for the better, and with emerging technology, there’s great potential for auditing to adapt and drive real value in relation to data analytics and risk management monitoring.

Download this whitepaper to learn where audit technology is headed, and what it means for your organisation.

Provided by

In today’s hybrid working world, with the increased number of devices, data and systems, the risk to global IT is significant, making the regulatory environment more complex.

With IT leaders facing more challenges than ever before, the differing regulations and compliance frameworks means a vast amount of work for an often resource-limited team. But being able to get to a stage of IT compliance, ready for audit, is achievable with the right technology.

Download this whitepaper to understand the key components when it comes to being IT audit-ready - including process, technology, and people - with clear steps to follow, ensuring your business gets there.

Provided by

Key risk indicators (KRIs) can help predict adverse events that may impact your organisation and are widely considered an essential part of good governance. These indicators link to a range of operational risk-management activities and processes, making them especially beneficial as metrics of changes in a company’s risk profile.

Here, you’ll learn how to implement, manage and maintain KRIs within your IT department:

• Choosing appropriate KRIs can benefit your organisation
• Examples of effective KRIs
• KRIs/KRI selection worksheet
• Implementing automated reporting

Provided by

While it’s easy to see the benefits of bringing third parties on board – higher revenues and lower costs - outsourcing can introduce a significant threat of risk that can bring long-term reputational and financial damage to your organisation.

In this e-book, you’ll learn about the challenges of third-party risk management, the differences between vendor risk management (VRM) and third-party risk management (TPRM) and discover a framework to help mitigate this risk:

• Essentials of third-party risk management
• Ways third parties can introduce risk
• Real-life third-party failures
• Robust TRPM framework to ensure good governance

Provided by

The Cyber Resilience Think Tank is an independent group of industry influencers dedicated to understanding the cyber resilience challenges facing organisations and providing possible solutions, with this paper in particular focussing on AI.

For CISOs using vendors that employ AI, it’s less about what intelligence their tools provide, and more about how the organisation’s internal security team can integrate external AI tool findings into their broader security programs.

Provided by

The most productive security teams are going beyond the use of tactical tools for investigation and reporting of security incidents. Instead, they are taking a more strategic, proactive, platform-oriented approach to identifying and assessing security-related risks, proving compliance, and maturing the flexibility and resilience of ongoing operations.

Read this report to learn about the evolution of security monitoring capabilities and discover what comprehensive security technologies companies are investing in to support their work from anywhere (WFA) / hybrid work model.

Provided by

IT security and compliance are key concerns for all organisations. Not only are threat landscapes increasing, poor oversight of their IT and a lack of headcount means compliance tasks have to be done manually.

Having an effective security and risk management approach, which assesses the security of infrastructure & workload environments - and prioritises remediation quickly - is essential.

Download this whitepaper for key considerations around security and compliance in Linux environments, with recommended tools and actionable insight.

Provided by

Modern technology is evolving just as fast as the business landscape and to stay ahead, organisations need to remain informed, protected, collaborative and goal-focussed in real time and in all situations.

Having modern governance can enable your business to remain productive while progressing with your digital transformation, so that you can emerge stronger than the competition.

Download this whitepaper to learn best practices and insights in:

• Strategy & governance
• Security & collaboration
• Risk & accountability

Provided by

Marsh McLennan has announced the launch of its cyber risk analytics center to help clients better understand the risks they face.

In addition to providing a holistic view of cyber threats, the platform helps businesses evaluate the effectiveness of existing and prospective control mechanisms, economic impacts of risks, and more.

The center integrates the cyber security capabilities of Marsh McLennan’s Marsh, Guy Carpenter, Mercer, and Oliver Wyman businesses.

Commenting on available features, Marsh McLennan said its analytics center delivers a comprehensive suite of tools and critical risk insights, ranging from malicious code to complex webs of digital connections.

Per reports, the center will be led by the firm's managing director Scott Stransky.

Marsh McLennan's global network of commercial, government, and academic partners will also assist with research and development through the center.

“Cyberattacks routinely cause millions of dollars in loss to our clients and billions of dollars in loss to the global economy every year. It is no surprise that business, government, and other leaders continue to rank cyber risk as one of the most pervasive and urgent risks for society,” said John Doyle, president and CEO of Marsh and vice chairman at Marsh McLennan.

Doyle added, “For many leaders, however, their concern exceeds their ability to measure and manage cyber risk alone. Our investment in the Marsh McLennan Cyber Risk Analytics Center will help clients confront this risk by connecting them with experts and capabilities from across our businesses, data-driven insights, and a global ecosystem of risk and cybersecurity experts.”

Lastly, the firm aims to enhance the cyber modeling and analytics ecosystem, so clients can make informed decisions about how they identify, prepare for, and recover from cyber risk.

Ensuring your business continuity and compliance in the age of disruption is becoming a top priority, with more and more organisations investing in cyber risk management and awareness.

The ANZ Mimecast Special Edition of Cyber Resilience For Dummies explores how to:

• Be both cyber secure and cyber resilient
• Defend your organisation from phishing scams and ransomware
• Reduce the impact of cyber disruptions
• Train your team to stay cyber aware

Fill out the form below to access the free resource.

Businesses that only monitor passively, fixing problems once they’ve already happened, will always be one step behind, and this will eventually show in dropped revenue after many bad customer experiences. Observability, however, can prevent you from falling into this trap.

Observability is an active approach that helps you understand why things are going wrong, that gives you metrics and actionable insights so that you can do better next time. This whitepaper distils the topic of observability down to ten key principles, as defined by developers and engineers.

Download it now to start applying these principles to your observability practice today.

Privileged Access Management (PAM) is a vital aspect of risk management and security. It has become one of the fastest growing areas of cyber security in recent years as cyber crime and compliance regulations grow.

Hijackers are drawn to the increase in privileged accounts and the valuable information held there, and so a strong PAM solution is now essential for upholding regulatory compliance and keeping accounts secure. This whitepaper provides an overview of PAM and the catalysts for its growth.

Download it now for a clear outline of the requirements of a strong PAM solution and advice for selecting the right vendor for your business needs.

Bigleaf Networks has announced a new AI-based feature called Risk Monitoring within its Cloud-first SD-WAN platform. The feature addresses the most pressing problem IT companies face today: high risk-alert noise.

"The complexity of networks in today's IT-lean enterprises where they have tens or hundreds of cloud applications running across hundreds or thousands of branch and home internet connections has reached a point where all sense of control and excellence has been lost," said Joel Mulkey, co-founder and CEO, Bigleaf.

"People can't process and troubleshoot the volume of alerts and events on networks anymore. It's not a matter of not wanting to. It's that there's simply too much information, most of which is noise. You've got to have intelligent software to solve this problem. By building a platform that takes control of processing and interpreting those events, we've now established true network control for our customers."

Through contextual alerting, Bigleaf’s Risk Monitoring feature allows companies to reduce the unabating noise. The widget translates high-volume network events into prioritised, actionable risks, slashing the risk-alert noise levels by almost 50%.

Proving its point further, Bigleaf exposed as many as 12 risks in the initial launch of its new feature. The risks include, among others, extended periods of elevated health alarm levels, critical traffic volume exceeding the capacity of backup circuits and site outage.

The feature can also highlight the top three risks out of all risks triggered by a site. Each risk alert presents an easy-to-understand explanation of a threat and how to solve it to allow quick decision-making. Any scenario that poses a risk to a customer's business or its site's continuity will trigger an alert.

"This new feature brings incredible relief to daily pain our customers and others in the industry feel. It also brings significant value to our MSP partners who now have a tool that lets them see risks across all of the companies they manage and helps them better determine where they should spend their limited time and resources to keep their customers happy," continued Mulkey.

Existing Bigleaf customers can access the feature by logging into their Bigleaf web dashboard.

Digital transformation is a concept that has dominated the business world for some time now. Everybody’s planning it, doing it or wondering why they haven’t taken the leap yet.

The benefits to your company can be endless, from streamlining processes to making your next big innovation. Of course, the value of digital transformation has been particularly prominent in the last year, where COVID-19 and its associated lockdowns completely upended the way many businesses operate at a fundamental level. Digital transformation went rapidly from a ‘nice to have’ to an essential for allowing employees to work remotely and continuing to serve your company’s customers. Organisations of all kinds adopted cloud services and productivity and collaboration apps to keep their staff working even though they were stuck at home.

In a recent McKinsey Global Survey of executives, respondents estimated that the digitisation of their customer and supply-chain interactions and of their internal operations had been accelerated by three to four years. As for the share of digital or digitally enabled products in their portfolios, those had been moved ahead by as much as seven years.

Respondents also said that they are anticipating the majority of these changes to be long lasting. Many have already made significant investments in time, money and resources to ensure that these are changes that will endure.

Outside of the pandemic, another specific motivator of digital transformation is the opportunity to eliminate risks that stem from legacy processes. However, at least in the short term, this will bring forth new pressures which will alter an organisation’s risk profile.

That’s because digital transformation is a catalyst for change. As workflows migrate to the digital realm, organisations are met with a host of new threats which affect their risk profile. This is demonstrated in RSA’s 2020 Digital Risk Report, which includes findings from a study conducted across the globe which asked the question: ‘How has your organisation’s risk profile changed over the past two years, due to its digital transformation?’ Respondents also reported how they expect their risk profile to change over the following two years.

The results are in. In Western Europe, 87% stated that digital transformation is expanding their risk profiles due to new or increasing risk. The principle is a simple one: as an organisation’s digital surface area expands, more things come into contact with it.

Over the following two years, this statistic is expected to drop by a fraction, yet the unpredictability and ubiquitous nature of cyber risk could mean a greater period of time must elapse before risk profiles truly settle in the wake of digital transformation. What’s more, these patterns are similar globally, with North America and the APJ region yielding equally startling results.

There exists an ongoing tug-of-war. On the one side are the digital transformation initiatives essential to modern-day business survival, pulling enterprises towards success; on the other are the risks such initiatives simultaneously cause.

Digital transformation must dig in its heels to win the match, something that can only be achieved if management teams keep a close eye on both ends of the rope.

Build your risk profile

While risk profiles may more traditionally refer to health and safety, taking the time to identify what risks your digital transformation will unearth will allow your organisation to avoid them.

An organisation’s risk profile is comprised by evaluating the variety of threats faced. Numerical values are assigned to variables, quantifying the threat level each poses. The risk profile is closely associated with the risk appetite; that is to say, the amount of risk an organisation is willing to take on. Balancing the two is the key to ensuring digital transformation initiatives prove to be a success.

Here, organisations must ask themselves what threats a digital transformation initiative will come into contact with, and whether they are manageable or too hefty a meal for their appetite.

For instance, will transitioning from physical data centres to a cloud provider be too great a shift in controls? If you cannot afford the protocols that ensure cloud security, your appetite is too small and the initiative should, for now, be put on hold.

How to manage risk

Building a risk profile allows the organisation to identify where their security and risk management is lacking, and subsequently expand their capabilities in these areas. RSA’s 2020 report found that respondents indicated a desire to invest in risk management solutions proportional to the extent of digital transformation. With your risk profile in front of you, management can ensure that they spend the right amount on the right things to elevate initiatives.

This proportionality is indicative of the desire to keep pace with the rapid change that comes part and parcel with digital transformation. Effective digital risk management can keep digital initiatives on schedule, and ensure their effectiveness; conversely, retrofitting controls after implementation is generally much more costly and less effective.

There is no avoiding that a crucial element in managing risk is an expansion of resources. A flexible budget is necessary to handle the risk landscape’s rate of change. Expertise must be invested in to oversee security measures including threat detection and response, network security, and vulnerability management.

Managing risk isn’t solely about tackling the negative symptoms caused by digital transformation; instead, organisations must focus on the cause, namely, the initiative itself. Balancing the costs and benefits of initiatives, both in isolation and as part of wider movements, is the most effective method of addressing risk profiles that are threatening to spiral out of control.

While digital transformation is essential in the modern-day, too much of a good thing threatens to negate its benefits.

Organisations depend more than ever on digital business operations and digital products and services to compete. While digital transformation abounds with new business opportunity, it also introduces new and unknown risks.

The RSA Digital Risk Report 2020 offers important global perspectives from 1,050 organisations on the state of digital risk including top risk management priorities, the changes being implemented to manage risk today and drivers for future investment.

Download it now to explore the opportunities and risks involved in digital transformation.

With cloud computing promising to increase flexibility, scope for scalability, automatic updates and simplified collaboration, it’s no wonder that cloud-adoption is at the heart of most organisations’ digital transformation strategies.

Yet on the way to achieving these benefits, organisations face an array of new security challenges, including obscured visibility into users, data and applications, an endless stream of tech changes security teams must stay on top of, and an increasingly diverse ecosystem of employees and third parties using these services.

This whitepaper snapshots the changing security landscape, identifying the key challenges digital transformation projects face, and the myriad of tools available to resolve them.

Micro Focus has seen its shares collapse and CEO depart after it issued a sales warning to investors this morning.

The British company, which completed an $8.8 billion "spin-merge" with the software division of Hewlett Packard Enterprise (HPE) in September 2017, warned year-on-year revenue is likely to fall by between 6% and 9%.

Previously it had predicted a slowdown of just 2% to 4% for the 12 months ending 31 October 2018, but worse than expected results in January have caused it to downgrade its forecast.

The company's shares fell 41% to their lowest value since 2006 as markets opened in London, hitting 11.16. The price has continued to fall throughout the day.

CEO Chris Hsu, who joined Micro Focus from HPE following the spin-merge last year, departed the company with immediate effect on Sunday. Stephen Murdoch, until now the organisation's COO, has taken Hsu's place.

In a blog post, TechMarketView analyst Angela Eager pointed squarely at the HPE deal as the cause of the problem.

"It was always going to be a big meal but Micro Focus is finding it harder to digest HPE Software than expected," Eager said.

"There will be a knock-on effect on adjusted EBITDA (earnings before interest, taxes, depreciation and amortisation) margin percentage (which is the KPI Micro Focus rates above revenue), although the company says it will be mitigated by the cost reduction programme which is ahead of schedule. Micro Focus now expects an Adjusted EBITDA margin percentage of approximately 37%, which is way down on the 46.2% of the year ending April 2017 (prior to the HPE Software merger)."

Other areas blamed by Micro Focus for its troubles include implementation issues with a new IT system that has cause problems with sales efficiency, the ability to transact with partners and cash collection; sales staff attrition due to integration and the IT-related issues: disruption of ex-HPE global customer accounts as a result of the spin-merger; and continued sales fulfilment issues, particularly in North America.

In an interview with Bloomberg, Kevin Loosemore, chairman of Micro Focus, said: "Clearly we have let people down with this execution and we have to rebuild that trust."

He remained positive about the HPE deal, however, adding: "The strategy remains the same. We believe this deal will turn out to be a good deal. We think the market in infrastructure software will continue to consolidate and we hope to participate in this consolidation."

Businesses using Apple and Cisco products will now qualify for better cybersecurity insurance terms as part of a deal with European insurer Allianz, the companies announced on Monday.

Companies could also qualify for reduced, or even no, deductibles as part of the deal with Allianz, which said the service is designed to help a wider range of organisations protect themselves against ransomware and malware threats.

Those companies using Cisco's Ransomware Defense suite, which is offered as part of Cisco's security portfolio, as well as those that have rolled out iPhones, iPads and Macs to their employees, will qualify for the favourable terms.

The contract will also offer a "Cyber Resilience Evaluation" provided by services firm Aon, which will assess a company's security posture and recommend ways to improve its defences. Organisations will also have access to Cisco and Aon's incident response teams in the event of a malware attack.

Allianz has said the move is an attempt to address the trend of companies failing to take our cyber security insurance at a time when malware attacks have become a daily occurrence.

US cyber security premiums amounted to $1.35 billion in 2016, according to data gathered by Reuters from the National Association of Insurance Commissioners, and Monday's deal may go some way to entice businesses looking to protect their systems.

The move is also the latest in a string of deals Apple has struck with B2B companies, including a long-running partnership with IBM to enhance enterprise mobility through a range of applications and services and a business app development deal with SAP.

A deal with Accenture last year also saw the creation of a suite of tools to help businesses better engage their users through iPhones and iPads.

Apple has confirmed to IT Pro that there are no specific requirements for how Apple products are purchased, and that businesses would qualify regardless of whether devices are procured or used through BYOD schemes.

"The choice of technology providers plays a critical role in any company's defense against cyber attacks," said Apple CEO Tim Cook. "That's why, from the beginning, Apple has built products from the ground up with security in mind, and one of the many reasons why businesses around the world are choosing our products to power their enterprise."

An Allianz spokesperson told IT Pro this offering "will be available initially in the US market, with the intention of expanding globally in time".

However, what's still uncertain is the exact terms of the contracts, and although Allianz has said deductibles will be non-existent in some cases, it isn't clear to which cases that would apply.

The news that an insurer will now dictate which security products qualify for the best deals has drawn concern from the security industry.

"It's reasonable for home contents insurers to give residents discounts if they have dead-bolts, window-locks and an alarm - but it would be outrageous if insurers instructed that these had to be for specifically branded locks or alarms," said David Emm, principal security researcher at Kaspersky.

"What makes theirs a better-informed decision than the customers, or an independent reviewer? This move in the cyber-insurance industry sets a worrying precedent. By being guided towards certain providers, customers won't have full freedom to choose the best product."

Picture: Shutterstock

A US federal judge has ruled that Microsoft cannot block a startup from accessing data held on its LinkedIn platform, a decision that is likely to have further implications for social media companies wishing to control data that is considered publicly available.

San Francisco judge Edward Chen sided with tech firm hiQ Labs, granting a preliminary injunction that ordered LinkedIn to remove any blocks preventing the startup from accessing profile data, according to Reuters.

"To the extent LinkedIn has already put in place technology to prevent hiQ from accessing these public profiles, it is ordered to remove any such barriers," read the court order.

HiQ Labs required access to the data, which is considered publicly available, to build algorithms designed to predict employee behaviour through their social media activities. The service provides "a crystal ball that helps you determine skills gaps or turnover risks months ahead of time", according to its website, essentially alerting bosses to employees thinking of leaving a firm.

The company has hailed the ruling as a major victory for those relying on public data to deliver services.

"HiQ believes that public data must remain public, and innovation on the internet should not be stifled by legal bullying or the anti-competitive hoarding of public data by a small group of powerful companies," the company said in a statement to Reuters.

LinkedIn has been battling with the startup since May, when it sent a cease and desist order to hiQ Labs in an effort to stop the company lifting profile data from its site. It argued that the use of its data in this way was a breach of its terms of service, and potentially went against the Computer Fraud and Abuse Act (CFAA).

LinkedIn said it planned to challenge the decision, according to a statement to Reuters.

"We're disappointed in the court's ruling," said LinkedIn spokeswoman Nicole Leverich, to IT Pro. "This case is not over. We will continue to fight to protect our members' ability to control the information they make available on LinkedIn."

The decision leaves social media companies in a tricky spot. Users signing up to the service, particularly job hunting sites like LinkedIn, rely on the ability to have their profile publicly accessible to others, yet they do not necessarily want their data being used by third-party platforms. Currently, the only way to prevent data from being scalped from social media sites is to make your account private.

For organisations both large and small, cyber attacks are a constant concern, with a recent study revealing that 68% of business leaders feeling like their risks are increasing. Accountability for breaches and incidents now extends far beyond IT, and organisations are beginning to push cyber security responsibility into the hands of the executive team and board.

Business leaders don't want to be making headlines for being the latest victim of a data breach, and as a result, are actively trying to manage risk. Cyber threats represent the lion's share of potential harm, and strategies to deal with security need to be aligned with wider business priorities. A survey by the Enterprise Strategy Group showed that four in 10 executives and directors now want security status reports for cyber risk associated with end-to-end business processes.

So how can boards step up to the cyber security challenge and work effectively with CISOs?

Expand board expertise

Business leaders are beginning to understand that cyber security is an enterprise-wide risk management concern, not merely an IT issue. While the CISO role is evolving, the makeup of the board is evolving too.

Corporate boards are looking for increased technical literacy and are actively pursuing digital directors and advisors that can deliver high levels of both technical and business acumen.

All board members need to fully understand the role they play in overseeing cybersecurity and push for board-specific reporting and cyber security transparency. This combination increases the board's availability to ask the right questions and provide the right communication opportunities for the CISO.

Build collaborative relationships with the CISO

Collaboration is the essence of good cyber security practices, and that's why all parties need to work together to ensure clear lines of communication and incident preparation. One way to strengthen collaboration is for executive leaders and board members to be proactive about working hand-in-hand with CISOs. This will allow everyone to position themselves within the company and withstand the incessant onslaught of attacks.

Nearly one-third of board members are dissatisfied with the quality of information they get regarding cyber security risk, so CISOs and board members must work together to have meaningful conversations with all parties involved by telling them what information they want and how often they need it. An open dialogue about current threats, emerging attack patterns and incident response protocol leads to smarter decisions and better business outcomes.

However, the boards should also remember that cyber security doesn’t end with the CISO, but also the team of cyber security experts managed by them. Like many parts of the tech industry, cyber security is rife with difficult working conditions and stressful conditions, which enable a culture of toxicity and bullying. A recent survey found that 47% of cyber security professionals have experienced some degree of bullying behaviour in the office, something that Respect in Security co-founder Nikki Webb claims has been further magnified by the shift to remote working.

Moreover, reporting workplace harassment is often looked down upon due to the misconception that doing so means that the victim is disloyal to the company or the community. Respect in Security found that, of 302 professionals surveyed, 16% said they wouldn’t report an instant of harassment, either by choosing not to (9%) or because of fear (7%), and the lack of discussion surrounding harassment in the cyber security sector means that the issue is likely just the tip of the iceberg.

Last year, Jinan Budge, principal analyst for security and risk at Forrester Asia Pacific told IT Pro that a toxic work environment leads to lower productivity, making the organisation more vulnerable to cyber threats:

“The ultimate problem with a toxic culture is that it means you’re not looking after the organisation’s cybersecurity, which is effectively the team’s sole reason for being. I’ve seen this happen – teams are so busy dealing with in-fighting that they’re unproductive. Sometimes the biggest enemy is not actually the adversary, but the team itself,” he said.

Understand the impact of cyber threats

While many businesses have developed cyber security strategies and business continuity plans, the government's Cyber Governance Health Check showed that less than a fifth (16%) of the board had a comprehensive understanding of the impact of loss or disruption associated with cyber threats. That's despite 96% of them having a cyber security strategy in place.

In addition to showing support for a company's cyber security strategy and initiatives, boards should actively engage the CISO to work with them on other organisational approaches, such as incident response programmes, which need to be continuously reevaluated and updated to address increasing activity in cyber attacks.

Expect security reporting discipline

Security is now a key business function and should be treated that way. It is vital to ensure CISOs know what reporting metrics and benchmarks are valuable to the board by applying a reporting discipline with consistent benchmarks and actionable information.

Although approaches and formats may vary, board members look for regularity in reporting from CISOs. Some look for programme-level updates for defined benchmark presentations where any important changes are highlighted. Boards and CISOs, then, should work together to develop a functional reporting system which can be delivered regularly.

Be clear about your innovation needs

In an industry where every operational change is technology-driven, continual investment in new functions and capabilities to spark innovation is essential. At the same time, there is a balance to be struck between innovation and introducing technology that risks your business effectiveness, and this can create a state of constant security and compliance catch-up.

Business growth may be at the heart of most organisations, but the board is charged with helping to determine the trade-offs between risk and returns. Clearly communicated financial and operational risk tolerance prioritisation from the board and executive team will allow the CISO to effectively manage expectations.

Request regular attendance at meetings

Where CISOs were once asked to appear at meetings on specific occasions, CISO attendance at regular board meetings is now much more common. Boards should proactively allocate time at board meetings to hear from the CISO and examine future trends and risks as well as more immediate priorities.

"Cyber security is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks," said Ciaran Martin, CEO of the NCSC.

As cyber threats continue to evolve, it may not be possible to completely eliminate the possibility of falling victim to an attack. But with a proactive cybersecurity strategy in place that is supported by the board, research has shown that financial losses in the event of a successful attack are lower.

Google has come up with five rules to create human-friendly AI - superseding Isaac Asimov's Three Laws of Robotics.

The tech giant, whose DeepMind division recently devised an AI capable of beating the world's best Go player - believes AI creators should ask themselves these five fundamental questions to avoid the risk of a singularity in which robots rule over humankind.

Google Research's Chris Olah outlined the questions in a research paper titled Concrete Problems in AI Safety, saying: "While possible AI safety risks have received a lot of public attention, most previous discussion has been very hypothetical and speculative.

"We believe it's essential to ground concerns in real machine learning research, and to start developing practical approaches for engineering AI systems that operate safely and reliably."

Published in collaboration with OpenAI, Stanford and Berkley, the paper takes a cleaning robot as an example to outline the following five rules.

Avoiding negative side effects: Ensuring that an AI system will not disturb its environment in negative ways while completing its tasks.

Avoiding reward hacking: An effective AI needs to complete its task properly without cutting corners.

Scalable oversight: AI needs to learn from feedback, and should not need continuous feedback from a human programmer.

Safe exploration: AI needs to avoid damaging objects in its environment as it performs its task.

Robustness to distributional shift: AI should be able to adapt to an environment that it has not initially been conditioned for, and still perform.

Google has thrown much of its resources at developing deep learning and AI, amid a backdrop of fear of robots, voiced by luminaries including SpaceX founder Elon Musk and scientist Stephen Hawking.

DeepMind is working on a failsafe that would effectively shut off AI in the event it attempted to disobey its users.

Other firms including Microsoft are exploring AI, getting AI to tell stories about holiday photos, and debuting its tween chatbot, Tay, which spouted rude replies on Twitter.

Microsoft has expanded its bug bounty programme to include new web and application technologies that are due for release in the coming months.

The company's latest programme will focus on the web application frameworks .NET Core and ASP.NET Core RC2 beta builds, which were revealed last month.

Jason Shirk, senior director of Microsoft's Security Response Center, said the latest programme will run until 7 September this year.

The platforms for testing will be Windows, OS X and Linux.

Rewards for qualifying bug discoveries will range from a minimum of $500 up to $15,000, depending on the severity of the security flaw.

In order to qualify for a reward, researchers must submit an eligible and previously unreported bug. Accepted submissions include remote code execution (RCE) faults, security design flaws, remote denial-of-service (DoS) holes, spoofing weaknesses, information leaks and XSS vulnerabilities.

"Bounties will be worked alongside the Security Development Lifecycle (SDL), Operational Security Assurance (OSA) framework, regular penetration testing of our products and services, and Security and Compliance Accreditations by third party audits," said Shirk.

This new programme has succeeded Microsoft's previous CoreCLR and ASP.NET 5 beta bounty hunts.

Other Microsoft bounty programmes include the ongoing Nano Server beta, Online Services, and Mitigation bypass and Bounty for Defense programme.

More information about the .NET Core and ASP.NET Core RC2 programme can be found on the Microsoft blog and technet programme page.

The RC2 application can be downloaded here.

Microsoft frequently runs bug bounty programmes on its services. In 2014 it ran a programme for Office 365.

A man who supposedly erased his entire company with a single line of faulty code has admitted to crying wolf.

Marco Marsala invented the whole story as a guerrilla marketing ploy in order to promote his start-up, which provides outsourced server management, according to an interview with Italian publication Repubblica,.

Marsala gained internet notoriety last week, after news broke that he had apparently torpedoed his entire web hosting company by accidentally wiping the servers with the command 'rm - rf'.

In a now-deleted post on the support website Server Fault, he asked if there was anything he could do. General consensus was that the error was irreversible. In the words of one commenter: "you're going out of business. You don't need technical advice, you need to call your lawyer".

It turns out, however, that the open-source Ansible platform actually prevents catastrophic errors such as this - at least, according to Marsala.

"The command that I mentioned in the article is harmless but it seems that almost no one has noticed", he said. "Almost every serious administrator uses it but among those who answered no one seems to know."

The story of nuking an entire company with one command is not completely fabricated, though - Marsala claimed that it really happened to an acquaintance. "There was an article in the newspaper", he added.

Marsala also told the publication he invented the story as "an experiment", in order to test how knowledgeable developers are about this type of thing. "With the inaccuracies that are there in the online comments I could write a book", he said.

15/04/2016: Hosting provider accidently obliterates his company with one line of bad code

A web host appears to have accidently wiped the entire computer network for his company and its clients, obliterating his business in the process.

Hosting provider Marco Marsala accidently instructed his computer to delete everything stored on his servers, removing all of his own company data and that of his 1,535 customers.

After running the destructive code on his own network, Marsala turned to Server Fault, a forum for server experts, to seek assistance for how he might recover his lost data.

Unfortunately, instead of a workable solution, one after another, the experts told him, "your company is now essentially dead".

The problem command was rm -rf', a piece of code that will delete everything it is instructed to. The rm' portion tells the computer to remove; the r deletes everything within a select directory; and the f stands for force', instructing the computer to ignore the standard warning notifications that come when deleting critical files.

Usually, this piece of code would be used only to wipe specific directories that it was directed it. But because Marsala made an error in his selection, he managed to accidently instruct the computer to wipe everything.

"I run a small hosting provider with more or less 1,535 customers and I use Ansible to automate some operations to be run on all servers," wrote Marsala on the forum.

"Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line."

In a situation such as this, the natural expectation would be for a hosting provider to reach for its system-wide backup. But it seemed that Marsala had managed to lose that, too.

"All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script)."

One respondent felt Marsala's should have kept his backups separate from all of his other server data.

"Backups need to be offsite, offline, and incremental. That you could delete them from your main server means they weren't what I would call backups," wrote Tim.

Others were more blunt in their appraisal of the situation, such as Andr Borie, who wrote: "If you really don't have any backups I am sorry to say but you just nuked your entire company".

Michael Hampton wrote: "You're going out of business. You don't need technical advice, you need to call your lawyer".

IT Pro contributor Stephen Pritchard wrote last year that firms neglect disaster recovery plans at their peril. In this particular case, perhaps a watertight insurance policy may also be necessary.

Uber has launched an official bug bounty programme, and is offering cash rewards of up to $10,000 (7,049) for the discovery of errors in its systems.

The transport company ran a trial programme with 200 security researchers last year who found almost 100 bugs, which Uber said it has already fixed.

The success of that trial is why it has chosen to launch a public bug bounty programme now.

In addition to up to the monetary reward for the discovery of "critical issues", Uber said it is creating a "first-of-its-kind loyalty reward programme" to incentivise the security community to help quash bugs in its systems.

"Even with a team of highly-qualified and well trained security experts, you need to be constantly on the look out for ways to improve," said Joe Sullivan, chief security officer at Uber.

"This bug bounty program will help ensure that our code is as secure as possible. And our unique loyalty scheme will encourage the security community to become experts when it comes to Uber."

Uber's first reward programme season will commence on 1 May and will last 90 days.

Bug tracers will be eligible for the reward programme once they have found four issues that have been accepted by Uber as genuine bugs.

If they then find a fifth issue within the 90-day session, they will get a bonus payout equivalent to 10 per cent of the average payouts for all the other issues found in that session.

Uber has put together a rolling guide to show researchers how to find different classes of bug across its codebase.

More information about the programme can be found here.

Bug bounty programmes are a fairly common part of the ecosystem for large tech businesses today, with Microsoft recently adding OneDrive to its bug bounty programme.

Although Uber's technical presence has set an example for others, the company has been fighting court battles over its car sharing networks. Most recently two Uber executives in French denied their involvement in what has been deemed an "illegal" taxi service.

The most commonly used password of 2015 was '123456', according to an annual list from security firm SplashData.

The company has been compiling a list of the world's most common passwords, and by extension the "worst passwords", for five years, reminding people that a poor password leaves them more exposed hacking or having their personal details accessed.

SplashData's report was compiled from more than two million leaked passwords during 2015. '123456' and 'password' have held onto the top two positions since the first list in 2011.

Other passwords in the top 10 include 'qwerty', 'football' and 'baseball'.

Last year, however, the top 25 most common passwords also included 'starwars', as well as terms that could well be related to the popular sci-fi series, which was a talking point throughout 2015.

New terms in the 2015 list that bear relation to Star Wars included: 'princess' (as in Princess Leia) and 'solo' (as in Han Solo). Not to mention the returning term 'master' (as in Jedi master).

Other passwords on the 2015 list that did not appear on the 2014 list included 'welcome', 'login' and 'passw0rd'. The Force was not strong with these passwords, SplashData quipped.

Having a strong password is not a guarantee of security. 2015 witnessed major hacks against TalkTalk, and previously unknown sites like Ashley Madison. But it's not just online account information at risk. A poor password on a Wi-Fi router or your tablet computer could expose you to data theft locally.

In the five years that SplashData has been compiling its list, many of the passwords in the top 25 -- often basic numerical strings '1234567890' -- have remained that same.

In order to better protect themselves, the company recommends that people use passwords or passphrases of 12 characters or more with mixed types of characters; avoid using the same password over and over again on different websites; and use a password manager to organise, protect and generate random passwords.

Reflecting on this year's list, SplashData CEO, Morgan Slain, said: "We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers."

The full list of 2015's 25 most commonly used passwords is below:

• password
• 12345678
• qwerty
• 12345
• 123456789
• football
• 1234
• 1234567
• baseball
• welcome
• 1234567890
• abc123
• 111111
• 1qaz2wsx
• dragon
• master
• monkey
• letmein
• login
• princess
• qwertyuiop
• solo
• passw0rd
• starwars

Endpoint security company Lumension has unveiled the latest version of its Lumension Endpoint Management and Security Suite (LEMSS), which offer enterprises enhanced protection against advanced persistent threats (APTs).

The company is particularly keen to emphasise LEMSS 7.3's ability to protect against reflective memory injections (RMIs) that it claims can be virtually impossible to detect or remove.

Alan Bentley, SVP worldwide at Lumension, told IT Pro: "These types of attack compromise legitimate applications through their memory.

"The difficulty with memory-based threats is, if it is not doing anything through the OS, is not using OS functions or is not writing anything to disk, it will go undetected by traditional antivirus."

Bentley explained that anything sat in the memory, such as an RMI, can be got rid of by rebooting the affected machine, it is often too late by then, as the code from the RMI has been used to compromise the target application with malicious code.

While this is not a method of malware infection that is seen very often, Bentley believes it is something that is going to increase in popularity among the cyber criminal community.

The organisation also intends to introduce new mobile device management (MDM) functionality to LEMSS, although that is not included in the current 7.3 release.

"This whole MDM space is moving very quickly with the bring your own device (BYOD) initiatives and what people require seems to be changing almost weekly. So we decided to start where we knew our customers wanted to go," said Bentley.

"We talked to a number of our customers and asked if we were to bring in on platform MDM, what that would need to look like and have decided to build it up ourselves. Just like the rest of LEMSS, it is about giving visibility to administrators and assigning different policies and protections according to device type, ownership and so on," he concluded.

LEMSS with MDM capability is expected to be available in the latter half of the year.

Security vendor Cryptzone has spoken out about NETconsent's management buyout, denying an inability to integrate its acquisitions was the cause of the breakup.

Cryptzone chief Einar Lindquist spoke to IT Pro after NETconsent's CEO Dominic Saunders claimed his firm had struggled to give NETconsent the attention it needed after acquiring the firm in 2010.

Saunders also claimed Cryptzone had found it difficult to integrate its other acquisitions and manage UK-based NETconsent from its base in Sweden.

Lindquist said acquiring a company is "always a challenge", let alone one that is based overseas.

"You have to keep in mind when you acquire a business you don't acquire the product, you acquire people. It sounds very brutal, but that is the way it is, and we acquired the full team of NETconsent," he said.

"So they didn't need us to manage the business, they needed us to integrate the business and that is not easy when you are in two different countries," he added.

However, these difficulties were not a factor in the decision to part ways, Lindquist said.

Instead, a decision to retrench in the company's core business of security was the deciding factor, he claimed.

Lindquist told IT Pro he had spoken with Saunders when he took over as Cryptzone's CEO in June 2012, telling him he would not have "the muscle or economy" to support NETconsent given the direction the company had decided to take over the next few years.

"We decided then that it was a good chance for him to take care of NETconsent, which has been a good acquisition for us and is a good buyback for him. It is a win-win," Lindquist added.

The company is in the process of doing a management buyout with another of its 2010 acquisitions, Swedish firm SE46, Lindquist revealed.

"[Secure access product AppGate and security for SharePoint] will be our main offerings in the future, which means that is where we are going to invest our money," he said.

"NETconsent and SE46 have been good acquisitions, but are not where we are going in the future, so it is a very conscious decision [to divest]."

Cambridge University is set to open a centre to study the possible dangers of advanced artificial intelligence.

The proposed Centre for the Study of Existential Risk (CSER) will open on campus next year by philosophy professor Huw Price, cosmology professor Martin Rees, and Skype co-founder Jann Tallinn.

The centre will look into the possible ways artificial intelligence could "threaten our own existence".

We shouldn't take artificial general intelligence (AGI) for granted.

"At some point, this century or next, we may well be facing one of the major shifts in human history perhaps even cosmic history when intelligence escapes the constraints of biology," said Price.

"We need to take seriously the possibility that there might be a Pandora's box' moment with AGI that, if missed, could be disastrous. I don't mean that we can predict this with certainty, no one is presently in a position to do that, but that's the point! With so much at stake, we need to do a better job of understanding the risks of potentially catastrophic technologies."

Price, alongside his colleagues questioned whether the increasing amount of technological progress will increase humanity's chance of survival.

"Think how it might be to compete for resources with the dominant species," said Price. "Take gorillas for example the reason they are going extinct is not because humans are actively hostile towards them, but because we control the environments in ways that suit us, but are detrimental to their survival."

People from the fields of science, policy, law, risk and computing from across the university and outside are set to become advisors to the new centre.

"The basic philosophy is that we should be taking seriously the fact that we are getting to the point where our technologies have the potential to threaten our own existence in a way that they simply haven't up to now, in human history," said Price.

COMMENT: I was recently talking to someone who brute forced a BT Business Hub, the sort used by hundreds of thousands of businesses across the UK, using hardware costing less than 35 and it supposedly took him less than 48 hours to crack the 10 character default WPA key.

Invest just a little more money and that timescale starts to look like an absolute age. The truth is that it's a lot easier than you may imagine to breach the network perimeter these days, and if an attacker is determined enough then the chances are they will succeed.

Iit's better to assume your organisation has already been compromised and develop defences based around that assumption.

Even large corporates can fall foul of the weakest link scenario, with the hacker following a likely looking 'suit' home and cracking the most likely default Wi-Fi router encryption. From here it's a relatively simple journey to the machine they have attached to the corporate VPN.

"All organisations are susceptible to being breached and anything contrary to that fact is false," claims Marcus Carey, a security researcher at Rapid7. "It is impossible to eliminate all risk when it comes to network security." IT security is all about minimising the risk level through the use of defence in-depth strategies and incident response plans: detect and destroy is the motto of the day.

So is it right to suggest, as I have done in the introduction to this piece, that a network breach is all but inevitable? Perhaps unsurprisingly opinion is divided on this one. Wade Baker, director of risk intelligence at Verizon, reckons that taking such a view is "unhelpful at best" and points out that "97 per cent of the attacks analysed in the 2012 Verizon Data Breach Investigation Report were avoidable, without the need for organisations to resort to difficult or expensive countermeasures."

He does, however, admit that the security industry has long been guilty of placing the emphasis on prevention and not enough into detection and response. "Risk mitigation implies companies assume an almost passive role, checking no alarms have been tripped and watching who is trying to climb over the walls," Baker insists, concluding "I would suggest that we need agile security teams that can take a proactive role and not only monitor external attacks, but also gain visibility of what is going on inside the network to check no one has sneaked past defences."

Darien Kindlund, senior staff scientist at security specialist FireEye, is succinct in his disagreement. "In fact, it's better to assume your organisation has already been compromised and develop defences based around that assumption," he told IT Pro. "You will be less surprised and better prepared, accordingly".

Or, as Arun Sood from SCIT Labs puts it: "The current cyber security approaches rely on prior knowledge of the vulnerabilities and the threats. However, the current approaches are in-adequate. Ensuring reliable and accurate knowledge of the vulnerabilities and the attacker, is impossible - there are far too many threads to track at any one time. Attempts at increasing probability of detection leads to rapid increase in false positives and thus security operations costs. Thus we believe that intrusions are inevitable. Mitigation strategies are required for limiting the losses".

Dead duck security?

But if the mitigation argument holds up, where does that leave attack prevention? Is it really pointless to try and prevent a breach, and should resources therefore be focused on containment instead? Filippo Cassini, vice president of International Systems Engineering at Fortinet, certainly doesn't hold with the 'pointless' argument, suggesting that leaving prevention out of the equation "would be like taking away seat belts from a car because we have airbags." Or as

Kevin Dowd, CEO at CNS says "surviving an advanced and sustained attack would be difficult for many businesses, but that doesn't mean they should give up." Indeed, he believes they should have counter measures in place that make an attack too challenging in terms of the resources needed. "This is where most businesses could do better," Dowd insists. "Often, SMEs think that they are too small or not visible enough to be a target."

Consequently, detective capabilities are often weak, the Verizon 2012 Data Breach Investigations Report found that 92 per cent of incidents were discovered by a third party, and businesses end up developing their security strategy under duress.

Mitigating post-hack is more difficult and expensive. "We estimate that every pound spent up front on security measures is worth ten pounds after a breach, when businesses can be faced with high emergency response rates and consultants on site for longer than would have previously have been necessary," Dowd adds.

Much of this can be mitigated into oblivion by getting rid of the sensitive data in the first place - by out sourcing payments so as to avoid holding card data, for example - and improving the governance structure.

In conclusion

It's all very well talking about mitigation in terms of containment and analysis, but this whole argument surely stands or falls on whether the breach itself is detected in a timely fashion. I would argue that, in far too many instances, detection doesn't happen until weeks after the breach event itself and sometimes those weeks can run into months.

Verizon's Baker told me that amongst the more advanced attacks he has investigated, such as those which target intellectual property, which are difficult to spot "many take a year or more to pinpoint, and we suspect that many more are simply never discovered by the victim."

I'm not suggesting that breach mitigation is a red herring, and it's certainly no dead duck either, but for mitigation strategy to work successfully it has to be coupled with effective real-time breach detection technology to prevent data loss.

"To be successful in attack mitigation you need to firstly, understand what's happening and then target your resources appropriately to contain and eradicate the threat," says Don Smith, director of technology at Dell SecureWorks, who warns that learning from your mistakes is a vital link in the chain and one that reactive mitigation alone is unlikely to forge.

"If your focus is always on reacting to successful breaches you are going to be the easiest target and will be breached a lot," Smith says. "You need to focus on prevention, monitoring and how you successfully respond to a breach, not spend all your time looking at the past."

RSA chairman Art Coviello opened his company's premier conference today by saying security providers have been "going through hell in the last 12 months."

Coviello was in boisterous mood during the RSA 2012 keynote as he took to the stage a year after the successful hack of his own business, saying the industry was facing some "harsh realities."

"Never have so many security firms been attacked directly," Coviello said.

"An attack on one of us is an attack on all of us, but together we can all learn from these experiences and emerge from this hell, smarter and stronger than we were before.

An attack on one of us is an attack on all of us.

"As Winston Churchill once said, if you're going through hell keep going... We must fight back the only way we know how, through creativity and innovation."

Coviello issued a rallying call for the industry to produce different kinds of technologies, insisting vendors needed to move away from the old, perimeter-focused mentality.

The industry should focus on creating technologies that leverage big data to gather information on threats to then counter them, he said.

The end point protections of old are not good enough, nor are they flexible enough, the RSA chairman added.

"Today's systems are a patchwork of controls... serving up far too much data and not enough intelligence," he said.

Earlier today, RSA moved to align itself with a security start up that is pushing such innovation and moving away from the classic signature-based models.

The deal with Zscaler will see the two selling a product that combines the agent-less, cloud-based model of the start up with RSA's well-known authentication services.

A load of vendors have chosen to hone in on the cloud craze on the first day of RSA 2012, including HP and the host itself.

HP announced an expansion of its Security Intelligence and Risk Management (SIRM) offerings, which together are similar to other security information and event management (SIEM) products, such as IBM's recently-updated QRadar platform.

The SIRM offering builds on HP's major acquisitions in the security sector over the past two years, including Arcsight, which was seen as the leader in the SIEM space.

RSA NetWitness Live has been instrumental to our customers in detecting and defeating advanced threats.

It also ties in Fortify and TippingPoint technology, packing in various pieces to help companies get a good view over " traditional, mobile and cloud environments."

The HP EnterpriseView feature, which starts at $250,000, gives an overall view of security, including a dashboard and heat map designed to let users know where the greatest risk lies.

The HP Application Security Monitor (AppSM), which starts at $5,000 per application server, brings centralised searching, reporting and analysis covering Java/.Net applications, including mobile ones.

Those two features are expected to arrive "soon," whilst others, including HP Mobile Application Security, the HP Compliance Stack and the HP TippingPoint Next-Generation Intrusion Prevention System are already available.

The host with the most?

Not to be outdone by partners on the first day of its flagship conference, RSA introduced an update of its NetWitness technology, acquired last year by EMC.

NetWitness Live has been given something of a turbo boost with 30 per cent more threat content and integration with RSA's analytics platforms to give companies a greater knowledge about dangers facing their networks.

"RSA NetWitness Live has been instrumental to our customers in detecting and defeating advanced threats," said Amit Yoran, senior vice president and general manager of RSA's security management and compliance division.

"By tapping into the collective intelligence and analytical skills of the global security community, the RSA NetWitness Live service helps organisations significantly enhance their situational awareness and shorten their time to respond to potential threats."

The cloud-based technology brings together information from the global intelligence community, amounting to around 100 different sources - 300 less than IBM's aforementioned QRadar service.

As for the analytics integration, customers will now be able to share relevant threat data across the RSA NetWitness for Logs platform and the RSA NetWitness Spectrum malware detection product.

The event has also seen Qualys, one of the original proponents of cloud-based security, launch its open source web application firewall.

More cloudy announcements are expected over the next couple of days, so check back at IT Pro for all the latest from RSA 2012.

Did you know that 6 June 2012 is IPv6 launch day?

Nope me neither, but according to the Internet Society it is and everyone, it says, should be thinking about making the permanent move from their current IPv4 network to the new whizz-bang IPv6 one.

So will you be one of them? More to the point, are there any pressing security reasons why you shouldn't?

Arbor Networks has published the results of some research into the first wave of Distributed Denial of Service (DDoS) attacks on IPv6 networks, and the good news is that the figure is pretty damn low with just four per cent of those operating such networks reporting DDoS activity.

Time and research has shown that IPv6 is not more secure than IPv4.

In fact, the chances are high that these are not actually the first DDoS attacks against IPv6 networks at all, but rather the first ones that have been detected and reported. Which is also good news. It means that, at long last, we are starting to see discussions on this kind of threat in relation to IPv6.

But in less good news, the reports of DDoS attacks targeting IPv6 networks do suggest that as adoption amongst organisations picks up pace, so does the value to the bad guys.

Indeed, the fact that these attacks are happening at all suggests that the bad guys are also adopting IPv6 as they need a platform from which to launch them, and that platform has to be an IPv6 endpoint. That they have managed to compromise enough of these to launch DDoS attacks at all is worrying, and raises questions about how well those networks are being secured against such an eventuality.

"More than six years ago, one of the frequent rallying points for IPv6 was that it was more secure than IPv4... Time and research has shown that IPv6 is not more secure than IPv4," said Arbor Networks engineer Bill Cerveny.

Many security experts with an engineering bent seem to readily agree, with the consensus of opinion being that the notion of greater security was based around the time at which IPv6 was being developed (mid-nineties) when the internet had not yet experienced the growth we have seen since. That growth had a knock-on effect of creating masses of fresh security threats.

While IPv6 may well have been 'more secure' in terms of the earliest threats, there is really no great body of evidence to suggest it has any real advantage over IPv4 when it comes to the current threatscape. The truth is that it's just as exposed, and possibly more so. We have already seen evidence of old IPv4 threats surfacing on IPv6 and there will be IPv6 specific vulnerabilities to throw into the risk assessment mix as well.

So is that reason enough to think that the Internet Society has jumped too soon with the IPv6 launch day idea? Certainly not. IPv6 has been around for what seems like forever (especially given the never-ending media obsession with reporting how many IP addresses it can support) and DNS use within IPv6 was given the go-ahead in 2008 to coincide with the Olympic Games of that year, which made good use of it. Today some three per cent of domain names and 12 per cent of internet connected networks support IPv6 according to the Global IPv6 Deployment Progress Report.

I'm not suggesting that the time is now for everyone to start their migration from IPv4, but what I am saying is that the time is certainly long overdue for everyone to be investigating how that migration can be made in a timely and secure fashion. For too long people have been happy to have their heads buried neck deep, ignoring the arrival of IPv6, courtesy of the 'lack of security' comfort zone.

Although the IP address sky has yet to fall, despite media Chicken Little claims that it has been doing just that for ten years or more, the fact is addresses are running out and at some point the move to IPv6 will be necessary.

Juniper Networks has acquired intrusion prevention firm Mykonos Software for $80 million, as it looks to up its security game against rivals like Cisco.

According to the networking firm, Mykonos offers the only intrusion prevention system in the industry "capable of detecting an attacker before an attack is in progress."

Mykonos places what it calls "a random and variable minefield" over web applications by inserting various "detection points" in bits of the app's code, in areas like forms and server files.

The company tries to ensnare hackers during their reconnaissance phase of their attacks, meaning it holds a niche position in the security market. Mykonos also calls its product an "intrusion deception system."

Once hackers have been caught, Mykonos can then track them beyond their IP addresses by identifying the attackers' device.

"Mykonos' intrusion deception technology is an innovative defence against zero-day web attacks, automated hacker tools, malicious web content, and similar threats aimed at companies' websites and web applications," said Jeff Wilson, principal analyst atInfonetics Research.

"There are opportunities for Juniper to sell standalone and integrated versions of the Mykonos solution."

David Koretz, chairman and chief executive officer Mykonos Software, was excited by the prospect of taking the product to bigger firms.

"We believe the combination of Mykonos' ground breaking technology and Juniper's proven expertise in delivering innovative security products at the largest scale, will enable us to provide solutions to immediate and pressing security threats for the largest enterprises and public sector institutions," Koretz said.

Juniper will be hoping to bounce back in 2012 after a weak 2011. The company's fourth quarter results showed revenue declining six per cent year-over-year, marking a poor end to the year that surprised the company's owners.

IBM has issued the first major update of the security information and event management (SIEM) software it bought in its Q1 Labs acquisition, claiming it is blowing the competition out of the water with the amount of data feeds it has collated.

Big Blue said the QRadar Security Intelligence Platform, built mainly of Q1 Labs sauce rather than IBM's own code, draws together 400 sources on threats giving IT pros a wider knowledge of dangers facing their networks.

IBM has hooked up its own X-Force threat feed to the SIEM offering, which monitors 13 billion security events per day.

A host of other Big Blue offerings have been integrated into QRadar, including IBM Security Identity Manager and IBM Security Access Manager to mitigate the insider threat.

There are no vendors that can cover that breadth and that's really the value we bring.

Future integration modules are also being released for non-IBM products, including Symantec DLP, Websense Triton, Stonesoft, Stonegate and others.

"Essentially we support Symantec and McAfee and can extend to others. We don't support HP Arcsight," IBM told IT Pro.

Martin Borrett, director of the Institute of Advanced Security at IBM, said there had been a "wealth of excitement" around what Big Blue could do with Q1 Labs technology.

"We've been trying to figure out how IBM can take it to the next level, integrating our research and existing product line," Borrett told IT Pro.

"At this stage, apart from driving more scalability into the platform itself with new appliances, it's really about those flows in and out. We had all the insight from the X-Force but it just wasn't plugged into the platform in the way that it will be now. It's really about that crucial integration."

The release also marks another major moment for IBM in establishing itself as a major security services player.

However, it faces strong competition in the SIEM space, with Symantec already offering a well-respected product, HP running its Arcsight-based offerings and McAfee set to boost its presence in the market after acquiring Nitro Security.

Borrett said IBM had "significant differentiation" in the market, thanks to the large number of sources QRadar can access and the insight it can get from the data.

"There are no vendors that can cover that breadth and that's really the value we bring," he claimed.

"The depth of the analytics we can get out of the Q1 platform I think is significantly stronger and better than our competition. Because of the context we can do it in... and the real-time capability [QRadar] is significantly better than the competition."

As for the SIEM market in general, with major players coming in and swamping the market, Borrett claimed there was still room for smaller players to partner with bigger vendors to supply more insight for bigger offerings.

"The important thing is that those capabilities integrate into these other platforms and into our platforms in particular," he added.

Symantec is telling IT departments to disable its remote access software solution pcAnywhere after a source code leak meant the product faced an "increased security risk."

The security giant said it was reaching out to customers to warn them of additional dangers, after it admitted source code relating to various products was stolen.

Hacktivist group Anonymous had threatened to release Symantec source code earlier this month, leading the Norton provider to admit a breach in 2006 had compromised information.

Symantec recommends disabling the product until we release a final set of software updates.

Prior to today's revelation, Symantec had simply asked IT departments to ensure best practices with pcAnywhere use. The reviewed advice indicates the 2006 hack exposed more than initially thought.

"Symantec has taken an aggressive position to ensure pcAnywhere customers are protected. At this time, Symantec recommends disabling the product until we release a final set of software updates that resolve currently known vulnerability risks," a spokesperson said.

"For customers that require pcAnywhere for business critical purposes, it is recommended that customers understand the current risks, ensure pcAnywhere 12.5 is installed, apply all relevant patches as they are released, and follow general security best practices."

From the 2006 hack, affected products include old versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), as well as pcAnywhere. Symantec Endpoint Protection (SEP) 11.0 and Symantec AntiVirus 10.2 also inherited a very small amount of exposed code.

Google has continued to realign its services, cutting away unwanted fat to ensure it isn't wasting time and money on unneeded products.

The email disaster recovery product Google Message Continuity (GMC), launched in December 2010, has been closed.

The internet giant said it wanted to focus on Google Apps, which includes an email disaster recovery capability.

All GMC customers can continue to use the service until their contract runs out.

We've been sticking to some old resolutionsthe need to focus on building amazing products.

The Needlebase data management platform, acquired from ITA Software, is also set for the scrapheap on 1 June 2012 and is being considered for integration into other Google services.

"As we head into 2012, we've been sticking to some old resolutionsthe need to focus on building amazing products that millions of people love to use every day," said Dave Girouard, vice president of product management at Google, in a blog post.

"That means taking a hard look at products that replicate other features, haven't achieved the promise we had hoped for or can't be properly integrated into the overall Google experience."

Picnik, the online photo editor acquired in 2010, has been ditched and will be put to rest on 19 April. The Picnik team will continue to work at Google, however, contributing to other photo software.

Google has made the premium version of Picnik free to everyone until it is killed off. Those who have already paid for a premium suscription are to be given a full refund in the coming weeks.

The Social Graph API, which made data about public connections between users available to developers, will be retired on 20 April. It was not getting the adoption Google wanted.

Google is still placing a heavy emphasis on a more social experience for its users, recently updating search to reflect this.

However, the changes came under fire from Twitter, which claimed Google was warping results so users would not be presented with the most valuable results.

Symantec has backtracked on how source code relating to its products was leaked, revealing its own network was hacked in 2006.

The revelation came after hacktivist group Anonymous claimed it was going to release the full source code of Symantec's flagship Norton anti-virus software.

The security giant said it believed the data acquired by hackers came after a hack in 2006, although it could not confirm to IT Pro how the break-in took place.

Symantec customers - including those running Norton products - should not be in any increased danger of cyber attacks.

Earlier this month, Symantec confirmed some source code relating to older enterprise products had been stolen. At the time, it claimed Norton products were unaffected and its own network had not been breached.

Hackers calling themselves The Lords of Dharmaraja threatened to publish the information online, saying they acquired the information from the Indian military.

From the 2006 hack, affected products include old versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack) and its remote access software solution pcAnywhere.

Symantec Endpoint Protection (SEP) 11.0 and Symantec AntiVirus 10.2 inherited a very small amount of exposed code, the company said. There are no indications customers data has been stolen, it added.

"Due to the age of the exposed source code, except as specifically noted below, Symantec customers - including those running Norton products - should not be in any increased danger of cyber attacks resulting from this incident," a spokesperson said.

"Customers of Symantec's pcAnywhere product may face a slightly increased security risk as a result of this exposure if they do not follow general best practices. Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information. Since 2006, Symantec has instituted a number of policies and procedures to prevent a similar incident from occurring."

Symantec said businesses do not need to take any additional steps to protect themselves as a result of the hack. The company recommended customers ensure their software is up to date.

For any IT departments still concerned about the source code leak, Symantec has set up an advice page here.

Symantec did not disclose the 2006 hack publicly at the time, meaning it has taken between five and six years for the breach for the security firm to reveal what happened, or that the company did not know source code had gone missing back then.

RSA was heavily criticised for not immediately publicly disclosing a breach last year, when information relating to its SecurID product was compromised.

Oracle today released patches for 78 flaws in its software, covering the majority of its products.

A total of 16 are categorised as critical, meaning they could be exploited for remote code execution.

"Most of their products, including the acquisitioned PeopleSoft, JD Edwards, Weblogic and the recent Sun/MySQL lines, are affected by this update," advised Wolfgang Kandek, CTO of security company Qualys.

"Only PeopleSoft and the virtualisation products are not affected by this critical rating - everybody else should pay close attention to the release.

"One notable exception is the Java programming language as it is updated on a separate schedule and had its last release in December 2011."

You can find the full list of affected products here.

Oracle's list of patches makes for a busy January for IT departments, following Adobe and Microsoft announcements from earlier this month.

Microsoft, which usually keeps January quiet for patching, issued seven security bulletins covering eight vulnerabilities. One of those covered the BEAST SSL flaw highlighted by researchers last year.

Researchers found a way to exploit a long-known flaw in TLS (Transport Layer Security) that could have undermined the security credentials of the SSL cryptographic protocol and affected millions of sites. However, little emerged from the discovery and the Redmond giant now has Windows users' backs covered.

Adobe, meanwhile, addressed critical flaws in Reader and Acrobat on the same day (10 January).

Both Microsoft and Adobe have welcomed the new year by announcing some notable patching days for IT departments to be aware of.

Microsoft usually keeps Patch Tuesdays quiet in January, but has issued seven security bulletins for eight vulnerabilities.

One of those is a critical remote code execution vulnerability in Media Player, although for users of Windows 7 and Windows 2008 R2 its severity is downgraded to 'important.'

The remaining bulletins are ranked as important. One of those covers the BEAST SSL flaw highlighted by researchers last year.

Next Tuesday it will be interesting to see, which exact Windows features are involved and how this vulnerability can be used by attackers.

Researchers found a way to exploit a long-known flaw in TLS (Transport Layer Security) that could have undermined the security credentials of the SSL cryptographic protocol and affected millions of sites. However, little emerged from the discovery.

"Bulletins three and five, while rated 'important' both involve Remote Code Execution, most likely through a specifically crafted input file to one of the Windows standard programs and should also be high on your list of bulletins to look at," recommended Wolfgang Kandek, CTO of Qualys.

"Bulletin two stands out as it is tagged as 'Security Feature Bypass,' which is a new category. Next Tuesday it will be interesting to see which exact Windows features are involved and how this vulnerability can be used by attackers."

Adobe will join Microsoft in issuing updates tomorrow (10 January). It will address critical flaws in Reader and Acrobat.

"These updates will include fixes for CVE-2011-2462 and CVE-2011-4369, previously addressed in Adobe Reader and Acrobat 9.x for Windows," Adobe said in its advisory.

Oracle is also due to issue its quarterly security update on 17 January, making it a busy month of patching for IT managers.

For those who haven't seen the announcement, can you recap what BlackBerry Mobile Fusion is and why IT departments should be getting excited?

We're announcing BlackBerry Mobile Fusion. It's a next-generation enterprise mobility solution. It's really our entry into the multi-platform mobile device management (MDM) marketplace.

For many years we've provided MDM for BlackBerry smartphones. Over the last few years, we've seen a significant increase in customer demand to

extend the management capabilities that they've already got with their

BlackBerry platform into other areas.

With this introduction we're also providing device management for the PlayBook and enabling customers to manage iOS-based and Android-based

smartphones and tablets from a single user interface. If a business user has a mixture of devices, such as a personal BlackBerry smartphone and a corporate-issued PlayBook, with perhaps another device maybe largely corporate or personally liable, it will enable their IT department to manage those devices all from a single console.

We've seen a significant increase in customer demand to extend the management capabilities that they've already got with their BlackBerry platform into other areas.

The customer demand has been coming from the enterprise because of the rise of consumerisation and a real willingness to allow personally liable or bring your own devices and policies into the workplace.

We do have a lot of customers out there who are extremely security

conscious, particularly in the public sector and financial services, so we don't expect all customers will want to put this type of technology in, but certainly many of them have been asking for this kind of service for some time.

We acquired a company called Ubitexx at the end of May and we've been working on [making use of] its technology since then to get it to market. BlackBerry Mobile Fusion includes not only existing BlackBerry management for smartphones but also the new mobile device management for PlayBooks, Android and iOS devices.

We've had [interest] from our partners and both enterprise and SME-focused operators across, as well as systems integrators - they also want to provide MDM as a service to their clients as the number of devices increases in the workplace and as many of them will be personally liable rather than corporate issued.

When will it be available to businesses?

We've been running betas with customer across the European region, North America and Asia Pacific for some time now. Closed beta opens in January and customers can register their interest for that. We expect full availability at the end of March.

Will you be taking that time and feedback to iron out any issues and bugs?

Yes. We're getting some really strong feedback from our beta customers. They tend to be some of our really large customers with large device estates. Also, it's a really evolving marketplace. We've been in the MDM space for many years but this is really our first step into multi-platform MDM. We see that as a real growth market. There are a lot of companies entering that space. It's a really nascent market.

So it's a growth opportunity as well as a platform development opportunity more widely.

How can customers register interest in the beta programme?

They can register for news updates on the BlackBerry Mobile Fusion website, contact their BlackBerry account manager or their mobile operator...

The first step is to register interest. We've got large number of beta customers already so the closed beta will be available from January and the general availability will be March.

We've not put a cap on beta numbers at the moment but we've had a lot of interest in the first beta. We've tended to work with our largest customers for the first set of betas as we want really big device

estates but don't have a cap on it.

We have the ability to scale those betas up really fast. We're well versed in large beta programmes as it's super important for us to get that customer feedback before we fully launch.

You said this product was borne out of customer demand, was that in mind when you acquired Ubitexx?

The Ubitexx acquisition was really in response to customer demand. [It's also based on] what we've heard in last few years as our consumer retail business has grown enormously.

If you take the UK, we have more than eight million users in the UK market and many of those are consumers. Those consumer users are bringing their BlackBerry smartphones into previously quite locked-down enterprise environments and requesting that the IT department connect their mail and applications. Last year, when we launched BlackBerry Enterprise Service Express (BESX) and new capabilities like BB Balance, that was in response to personal liable bring your own BlackBerry devices coming into the workplace so this is just an [extension] og that.

It's also worth pointing out that across our whole portfolio now we have introduced quite a few MDM capabilities. Earlier in the year we launched BlackBerry Protect, which gives remote lock and wipe

and location discovery for lost or mislaid phones over the air (OTA) for an individual consumer user. That's a cloud-based service. We also introduced the BlackBerry Management Centre, which allows small and medium business, up to 100 users, to do many of the same things. Again as a cloud-based service. We've now got MDM for our own products all the way from an individual user right up to the largest enterprise. We wanted to extend that at the top end to allow larger businesses to support other platforms.

We've got a big installed base of customers who are using our MDM

capabilities already so our first initiative is to help them deal with bring your own device (BYOD) and personally liable devices. Then we'll look at how we roll out BB Mobile Fusion to others. So, initially, it's [just aimed at] large corporates and public sector organisations.

What are the headline features? As an IT manager why should I choose BlackBerry Mobile Fusion rather than A N Other MDM solution?

The reason you'd come to us first of all is you prob already have BlackBerry device management in your corporate infrastructure, so being able to upgrade that to simply add BlackBerry PlayBook device management, iOS and Android smartphone and tablet device management means not having to invest in a new device management platform. That's really what customers have been telling us. That they already manage their BlackBerry smartphones, and they'd like to be able to manage other devices, and multiple devices per user through a single user interface and single experience rather than having to have several different pieces of software or services.

Some 90 per cent of the Fortune 500 already have us in their IT infrastructures so it's a natural extension for them as they start introduce a multi-platform or BYOD policy.

Does it just slot on to what they have already then?

Absolutely. It is a new user experience... Our current user experience for device management is web-based anyway. This just adds an extra layer. It will be familiar but will allow the IT department to get asset management, configuration, security, lock and wipe, administer users at either an indiviual or group level but also deal with environments where you have multiple devices per user.

It's BlackBerry, Playbook, iPad and Android management capabilities.

What about usability? Can users expect the same experience?

Yes. We put a lot of effort into making the user experience was smooth and graphically rich. The IT department wants something quick and simple to use that is easy on the eye as well.

The real difference thing here is if you're looking at a user, you'll be able to see all of their devices in one management console. It will show you the status of all those devices even though there will be a different set of policies and management capabilities potentially for each device.

With BlackBerry devices we have security and management built in from the hardware right through the infrastructure to our device management software. We're now providing device management for third party devices, so the APIs may not be available for all of them. We have BlackBerry Balance for example and that level of functionality is not yet currently available for iOS and Android. It may well be in the future.

Our committment is that we will allow our customers to manage those third-party devices to the greatest extent that we can and secure them to the greatest extent we can.

Which is a bigger draw for businesses - security or managability?

Security and the ability to apply security polices remotely and

OTA is probably one of the most important things for many of our customers.

But [from a priority standpoint] security and management are on a par as it really differs from customer to customer. The public sector, particularly defence and local government and financial services, need to be secure and this is possibly higher up the IT director or CIO's list of concerns. In other sectors, pure manageability aspects might rank more highly. It really depends on the individual customer and

security sensitivity of that industry.

Some may think it's a bit of a risky move, supporting competing devices. Is this brave on RIM's part or something you have to do to respond to customer demand?

It's about responding to customer demand. We've benefited enormously from consumerisation as business. The large number of BlackBerry smartphones going into consumer channels are coming back into the enterprise and users with their individual handsets are asking to have corporate applications and mail on those devices.

We're fully supportive of cosumerisation and of helping our customers and making it as easy as possible for them to secure and manage devices on whatever platform. We see it as an opportunity.

The MDM market is a real growth area. Wee have this heritage in device

management of BlackBerry smartphones and a large customer base so extending that to other operating systems is really a natural step for us.

Is it the case BYOD and consumerisation is invetiable so you might as well make it safe and secure?

That's spot on.

Can we expect further moves, like the acquisition, in response to different business needs?

Yes. Certainly when it comes to device management and security. This year has been one of our biggest years for introducting device management capabilities all the way from BlackBerry protect to the BlackBerry Management Centre fo SMEs. We recently anouncned BB Cloud Services for Microsoft Office 365 and cloud-based device management for

Microsoft customers.

Whether it's the individual user all the way up to the largest corporate business or public sector organisation, we want to respond to their requirements for managing and securing, locking and wiping and scaling up those devices. The simple demand of employees and end users to have more mobility in their working lives and have more

control, is encouraging organisations across the board to open up their doors to consumerisation.

Do you have any details about pricing?

BlackBerry Mobile Fusion is going to be price competitive. We're already price competitive in pure device management terms for BlackBerrys so now we will be [here].

We're not releasing detailed pricing info yet, it will be released in the new year but, absolutely, our intention is to be as price competitive [as we can] for device management of other operating systems.

One thing we hear from customers a lot is there is a significant value associated with having a single platform for device management. It's only when you have that single platform you can compare the cost of ownership, the TCO the reliability and the impact on the business of the different smartphones and tablet platforms and operating systems you're using.

From a customer point of view, they want to be able to look across their whole estate at old versions of device X to new devices and

tablets and different form factors of the future and be able to

say this is the reliabilty of this device in this particular user environment, this is the cost, the data efficiency, the security and be able to compare those.

We see a lot of demand for that comparative cost not just in terms of the device themselves and the data they use but also the cost of managing and securing them. That's another driver behind us launching BlackBerry Mobile Fusion.

Our general message to customers is consumerisation is something we encourage them to embrace but we also recognise that they may be in a very security conscious industry or mindset so the ability to control policies is absolutely essential. We give them that ability to take a different approach.

Someone in a less security conscious role in the same organisation may want to use BESX and allow them to bring their own BlackBerry smartphone in and have a different level of access and control over apps and emails. And have a diff set of policies to someone in the same organisation who has a BlackBerry and iOS or Android-based device. It's that ability to take the policies and apply them by either user or group across multiple devices per user. Customers want flexibility.

UTM appliances are a simple one-stop security shop for many businesses but not everyone wants to cough up for the full works, especially if they don't need all those features. GFI's WebMonitor 2011 is a software-based alternative that focuses purely on web content security and is hosted on your own hardware platform.

The latest R3 version supports the ThreatTrack service which uses GFI's SandBox malware analysis tool to check web sites to see if they're harbouring malicious content. These are added to the ThreatTrack data feeds which WebMonitor uses to check sites being accessed so it can block them immediately.

Previous versions had limited IM app controls but, along with Windows Live Messenger, R3 can now block Yahoo! Messenger, Gmail chat and other IM portals including Facebook. Streaming media also comes under WebMonitor's remit and a soft blocking feature allows trusted users to override a warning page and continue browsing.

WebMonitor is available in three versions with the WebFilter Edition enforcing policies for web content filtering, browsing time and media streaming. If you just want anti-virus scanning, phishing protection, IM app controls and ThreatTrack then check out the WebSecurity Edition which uses scanning engines from Norman, BitDefender or Kaspersky.

WebMonitor supports two deployments, but the gateway mode is easier as it doesn't need any extra router configuration.

On review covers the UnifiedProtection Edition which combines everything from the other two versions. The price we've shown includes dual scanning engines from Norman and BitDefender. Kaspersky is an extra 12 per seat which does increase costs significantly.

Prior to installation you must decide how you want to deploy WebMonitor. The simple proxy mode only requires one network port on the host, but your router must block all web traffic coming from the LAN. We opted to load it in gateway mode on a Windows Server 2008 R2 system with two network ports as this doesn't require any router changes. Ensure you have all required ports active before loading the software as the installation wizard only offers deployment choices based on what it can see.

The WebMonitor console is a tidy affair that provides a top level dashboard of graphs and tables showing current web activity. Options are provided for viewing general web traffic, blocked sites, the most popular categories and so on. Each panel can be moved around using drag and drop.

The Dashboard provides plenty of detail on real time web activity and can be customised using drag and drop.

Web access is controlled with policies applied to users, groups and IP addresses. Separate policies are used to manage web content access, browsing periods, anti-virus scanning, streaming media, file downloads and IM apps.

For web filtering you can choose from over seventy WebGrade categories. For each one you can block or allow them, or use the quarantine option which blocks access to a site and makes the user wait for administrative approval.

Selected users and groups may be permitted to browse certain categories or web sites, but time-based policies can be used to restrict how long they can access them for. These limits can be based on daily, weekly or monthly usage or you can apply download limits in KB or MB for these periods instead.

HTTPS scanning comes as standard and WebMonitor provides a wizard that runs through certificate creation. The host system can also cache downloaded files and web content to improve response times.

Virus scanning policies are accessed from the WebSecurity console section. You can choose from a list of file types, pick the engines for scanning and decide whether to delete or quarantine infected files. When downloading files, users can be redirected to a web page showing their progress and only when the file is deemed to be safe will they be allowed to save it to their system.

You could use GFI's ReportPack instead, as this free component can do this for you. WebMonitor must be configured to download its logs to a SQL database and we had no problems using the freely available SQL Express 2005. You'll need the Management Studio Express to create a new database and owner. Add these details to the WebMonitor Reporting page and it'll download all its data on first contact with the database.

For a freebie, the ReportPack is to be recommended as it provides a complete set of default reports covering a wide range of activities and trends. These can be customised to suit, date ranges of up to a year can be applied and the results exported to formats such as PDF, Word and Excel and emailed as well.

GFI's WebMonitor is better value than many security appliances and can run on lowly specified host systems. We found it performed very well during testing and is capable of enforcing a wide range of AUPs in the workplace.

So what's our verdict?

Verdict

Businesses and educational establishments that want quality web content management and monitoring, but don’t want to pay a premium for an appliance, should consider GFI’s WebMonitor. Host hardware requirements are quite reasonable, the software is easy to deploy and it has a good range of top performing security measures and reporting tools.

Memory: 4GB Hard disk: 12GB OS: Windows XP SP2, Vista, 7, Server 2003, Server 2008

The security software market rebounded well in 2010 following a disappointing 2009, Gartner has claimed.

The market grew 12 per cent last year as total revenue hit $16.5 billion - up from 2009 revenue of $14.7 billion.

"Products within the security market are undergoing rapid evolution, in terms of both new delivery models with security as a service showing increasing popularity and new technologies being introduced, often by startup companies," said Ruggero Contu, principal research analyst at Gartner.

"Key vendors continued to expand their product portfolios, buying companies where appropriate and expanding their reach into emerging markets."

Symantec remained the dominant force in the industry, although experienced below average growth over the year.

It achieved 18.9 per cent market share in 2010, compared to McAfee on 10.4 per cent in second place.

Out of the top 5 players, Trend Micro in third saw the lowest growth with 5.8 per cent.

IBM was in fourth, followed by EMC, which achieved an impressive 25.6 per cent growth over 2010.

As for a breakdown of the different segments of the market, Gartner noted more mature areas like endpoint security and web access management showed single-digit growth.

In comparison, areas including security information and event management (SIEM) and secure web gateway products experienced double-digit growth.