Archives for posts with tag: Infosecurity

Last Friday our clients’ comments were published in hundreds of different publications across the UK, US, France and Germany. Here is how we did it:

On Thursday morning reports started to surface that Yahoo was expected to announce a huge data breach so we notified our clients straight away and asked them to prepare comments on the information that was available so that we could jump on the story as soon as it broke. Our clients prepared comments and then it was just a waiting game.

Around 8pm on Thursday night the story broke: Yahoo had officially announced the breach. So we immediately told our clients and asked if they needed to update their comments given the new information. As many of them are based in the US, they were still at work so getting a quick response wasn’t difficult.

By 9pm we had issued the comments to national and security press. Minutes later, Al Jazeera asked for a television interview and we managed to get a client on air that same evening.

Before even getting into the office the next morning we were already getting interview requests from the likes of ITN and International Business Times UK. Let’s just say it was a very busy day of rushing around trying to get clients to TV studios within ridiculously tight deadlines (it’s in situations like this that a private jet would be useful). We also asked our teams in France and Germany to translate the comments and issue them out (these are regions where responding to news like this is not the norm).

The results were pretty incredible: the Press Association article syndicated across 447 publications, so the clients that were lucky enough to be mentioned in the article achieved a year’s worth of coverage in one day! Hits included the Daily Mail, Independent and Huffington Post. In France, Le Figaro (a big national newspaper) even covered the story and other hits included InformatiqueNews.fr and Speicherguide in Germany.

What was interesting was that the few clients who were not quick enough to give us comment on Thursday did not get much coverage at all, even though we had sent their comments out on Friday morning before 10am. This is likely to be because journalists were so saturated with comments that they only used the first batch they received and wanted to push their stories out as soon as possible. So it really paid off that we were prepared to work unsociable hours on Thursday night (although let’s hope this doesn’t start happening too often).

 

So unless you live under a rock you’ve probably heard of the new augmented reality app Pokémon GO, which has attracted huge attention across the world. However, one of the unfortunate lessons we have learned working in cyber security is that if something is popular with consumers, then you can guarantee it’s also going to be a big hit with hackers.

The app was first released in the US, Australia and New Zealand; however, people from other countries didn’t want to be left out so found ways of downloading it outside of official app stores.

This raised some security concerns which our client, Proofpoint, decided to delve into and research. Upon researching they discovered that a malicious app, pretending to be the official Pokémon GO app, was carrying malware known as DroidJack.  Proofpoint wrote a blog detailing the findings and Eskenzi pitched it out to national press, IT publications and other consumer websites. Quite frankly, the results were far beyond anything we could ever have hoped for.

We picked up an amazing 533 pieces of coverage in the UK, France, Germany and Canada in one week. These include The Independent, The Telegraph, Mirror, Express, The Guardian, Wired, the list goes on and on…and on.

Predicting which news story takes off is out of our control, however, when we align pop culture, global appeal, solid research and strategic media outreach, the chances of success are in our favour.

But more importantly, Pokémon GO has now been released in the UK and is safe to download from trusted sources so knock yourselves out, some of the Eskenzi staff have certainly jumped on the bandwagon.

So, week two of 2016 here at Eskenzi was most definitely no shrinking violet compared to last week’s phenomenal results!

This week, Microsoft released its final patches for Internet Explorer 8, 9 and 10 along with an “End of Life” notice, to encourage users to switch to Internet Explorer 11 and Microsoft Edge, currently only available on Windows 10.

These changes were originally announced back in August 2014, and it is estimated that these older, legacy browsers could account for more than 20% of web traffic. Computerworld reported that as many as 340 million Internet Explorer users are still using IE 8, 9 or 10! NetMarketShare estimates that Internet Explorer accounts for 57% of the browser market, compared with 25% for Chrome, 12% for Firefox and 5% for Apple’s Safari. That’s a lot of people using browsers that are now potentially unsafe, and can no longer be patched.

This means that Internet Explorer won’t receive any more security updates, or other patches. Those still using the browsers could be vulnerable to security threats and even hacks, depending on what other (if any) security software is installed.

A story of this type throws open the rapid response doors for Eskenzi clients, many of which had sound advice on what users, who still use Internet Explorer 8, 9 or 10, can do to ensure they stay protected, despite this news.

Four Eskenzi clients commented on this story – ESET, Tripwire, AppRiver and Bromium – and one from our sister agency, SmileOnFridays – Tenable, which resulted in over 250 pieces of coverage across National newspapers, business publications and trade press.  The coverage obtained was truly global, with publications in the UK, United States, France, Germany, Kenya, Japan, Ghana and Argentina (and many more!) reporting on the news with commentary from our clients included.

Hits include the BBC, The Metro, Business Reporter (included with The Daily Telegraph), BT, SC Magazine, Dark Reading and Yahoo! News.

Several journalists reached out to Eskenzi for specific commentary, as we are so well known to those who report in the security and technology space, knowing they would get great quotes to use in their stories, as well as sound advice for businesses and consumers alike.

We’re lucky to work with so many amazing clients who can, at the drop of a hat, pull amazing quotes and advice out of the bag. I wonder what week three will deliver.

Just back from my hols and it’s heartening to see that whilst I’ve been away so many great movers and shakers in the IT security world have signed up to get involved in Security Serious Week in October. So many of the CISO community have already committed their time for free to offer seminars and webinars on a host of great subjects including Unilever, BT, Canon, Lloyds Bank, HSBC, GSK, Publicis Groupe, Markit, Willis and The Economist to name but a few! Our loyal analysts including Ovum, Quocirca and IDC are on board and yesterday I was delighted that the Department for Culture, Media and Sports have agreed to get stuck in with events during the week and rally other Government departments to do so too – way to go!

The week should be incredibly insightful to any organisation wishing to become more security savvy! So if you’re an IT security specialist or IT security organisation that wishes to impart your pearls of wisdom to other businesses to make them more Security Serious then why not organise a webinar or seminar. We’ll promote it for you on www.itsecurityguru.org and www.securityserious.com.

We’ve also got loads of companies participating in the press photocall at 12 noon on 26th October outside the Tower of London (find out more at www.securityserious.com) – where everyone will have a banner with their logo on it to show the world they’re “Taking Security Seriously”. By participating in the day not only will you be counted as a company that’s Security Serious but it’ll be a great networking event as we’re all going to meet in the pub after the photocall – CISOs, analysts, press, vendors and other IT security professionals.

Hopefully, by getting together new contacts will be made and we can work together to make UK Plc a safer place to do trade online! If you want to brainstorm how you can get involved then email me at Yvonne@eskenzipr.com!

That’s a pretty far-flung suggestion, but after my conversation with a “grey hacker” (that’s someone that works on the good side and also a little on the bad side) I’m not sure it’s so far-fetched. The truth is, I love talking to hackers. I think it’s becoming a bit of a “thing” of mine, all because I’m trying to get my clients and their “hacker mates” to write a short story book made up of fictional hacker tales – based on the semi-truth. So in my quest to get this book written, I’m interviewing lots of hackers to get their thrilling tales from the underground. Well, you could knock me over with a feather with what I’m currently hearing – it’s the most exciting venture I’ve undertaken in a long while.

Only last week my grey hacker friend was telling me about a bloke he met down the pub who has a rather interesting way of boosting his yearly income to pay for his wife’s new car or their expensive annual holiday. He manipulates share prices in a way that could be dubbed rather brilliant.

This is how it goes. He’s a very proficient IT consultant, called into major organisations to sort out all sorts of IT security issues from fire-fighting to unravelling an IT project that’s gone wrong and needs sorting out. He always chooses one year contracts, which gives him plenty of time to get familiar with the company and the company to get familiar with him. As an IT programmer, he has to get the back-door passwords or admin passwords which basically give him access to everything. He doesn’t use these for anything sinister at all for at least the year. He does a great job for the company and gets paid a fair price. Just before the company goes public with their profit announcements, he goes in through the back door and changes the figures. Of course no-one notices and the figures are very poor and surprises everyone – so of course the price drops. He buys a lot of stock but not so much that people notice he’s bought them, maybe just $50-$75k. Once the accountants have noticed that something has gone awry with the balance sheets, they re-issue the profit announcement and tell the world there was a terrible internal mistake and the price shoots up and he makes a very healthy profit.

That’s clever, obviously hugely illegal, immoral and very wrong – but you have to admire the guy and he’s never been caught because he doesn’t brag about it, isn’t greedy and leaves no trace behind him. I’m not saying this has happened in the case of Tesco’s – because when you read between the lines they look like they’ve just been pretty rubbish at “creative accounting” – but then my more paranoid brain says to me just imagine if there was a hacker that had screwed with their figures and now they’re having to make wonderful excuses to cover their tracks!

You see this book really is messing with my head – but I can’t wait to get all my contributions in from the hackers so you can read it and have your imagination run riot too!

So what bugs really bite at CISOs?

  1. Malware bugs
  2. Those Hacker buggers
  3. Their staff
  4. Or lack of staff
  5. State on state bugs

Actually, what really gets their goat is No.2, the staff who continually mess everything up for them, and then No. 3, the lack of trained, skilled staff who know how to stop the stupid people screwing up their systems.

How do I know this? Because once a year Eskenzi PR organises the IT security analyst & CISO forum where we get a room full of very outspoken CISOs who really don’t hold back when it comes to sharing their thoughts, bug-bears and irritations with their peers.  A few select vendors are invited to hear from the community who buy their wares and we also fly in a dozen of the world’s top analysts who learn from these heated and honest exchanges.

Looking in from where I sit, I’d have thought they would be most worried about all the external threats tirelessly trying to get in their networks from every angle. However, these breaches and bugs are not what get these guys riled up; that’s par for the course – something they expect and can almost prepare for. What they all share is a real frustration in that they can find the technology to prevent the breaches and bugs, but their users turn it all on its head with their stupidity – and it’s a problem that doesn’t seem to want to go away.

One comment I especially liked was “you can’t take the IdioT out of the user” – it’s what they do with the data that’s the biggest problem!  Another observation came from an impressive female CISO who said that 100% of computer crime involves people.  Obvious, but she’s right and it makes you think!

Okay – here’s the lesson: we must learn to respect the data we use on a daily basis. That means wherever it is and whenever we’re using it, we need to consider whether it is valuable and, if it falls into the wrong hands, what harm could it do to ourselves, the customer and of course the company?

However, one eminent venture capitalist who attended our event cited a recent Economist article that stated that stock prices are often unaffected by breaches, which starts to make me really confused – what’s it all about if you can suffer a major breach and then it doesn’t really affect the company –  why bother?  Maybe that’s why CISOs are so relaxed about external threats!

But it does cost money to sort out the mess that users make when they infect a system by opening an infected email or uploading infected data from a contaminated USB.

Apart from being hugely frustrated by their internal staff, which was definitely shared by all concerned, it seems that the second really big pain point is the lack of skilled people in IT security.  There just isn’t the quality or quantity and, when you do find someone, they just don’t know how to communicate to get their message across.  There was a common thread in the discussion, where they felt that when they did find the right people with the right skills they then couldn’t fit in with the culture of the company.  The big question is how do you turn geeks into people’s people in order to get the funds for IT security from the board?  One very smart CISO, (although saying that all the CISOs that attend our event are the smart ones that take a real effort in collaborating and pushing the boundaries) gets a digital agency to help with his messaging and visuals so that when he has that very small window of opportunity to talk to the board, they quickly get it!

They all believe that, in order to get things done in IT security, you’ve got to become a good communicator – which means investing in training to communicate well so you can be compelling and convincing.  You need to talk to the board in the language they understand and that goes for the users themselves.

Another smart suggestion to get skilled people to push the IT security message was from a CISO who had employed the CEO’s PA to come and work for him, as she knew exactly the culture of the company and how to get around everyone to get them to listen. She knew politically who to push and who to ask to get things done.  So employing internally and drawing talent from other parts of the company was definitely a method that had worked for this particular CISO.

Everyone thought that a framework of the right questions that the board should ask the CISOs was a good way to go, and badly needed.

I suppose the conclusion to the day was that no matter what happens out there, the CISO’s biggest concern is to keep their own houses in order; and that means training their staff to respect the data they deal with and getting them the right employees who know how to communicate to help them to do this.

Yvonne Eskenzi Yvonne@eskenzipr.com

With information security making headline news more than ever before, we have seen an increase in quantity and quality of coverage for our clients. With over 1200 clippings this quarter (and counting) publications we have featured in include:

  • Reuters
  • The Guardian
  • The FT
  • BBC
  • The Daily Mail
  • The Observer
  • The Telegraph
  • The Register
  • SC Magazine

It’s safe to say it’s an exciting time to be in the industry – and we’re looking forward to what the next quarter brings!

The seventh IT Security Analyst & CISO Forum will take place in London in June. The event is available to just 10 vendors and gives you a unique opportunity to brief most of the world’s top IT Security analysts on how you differ from your competitors, your product roadmap and to explain why you’re a leader in your space.

Thirteen analysts attend the event, but you get to choose which of these you’d like to brief.  The analyst meetings happen all on day one.

The second day is based around the CISO roundtable, which has grown in popularity amongst the CISO community, with many attending year after year and now bringing their CISO colleagues as they find it so fruitful.  During this day, you get to join in their roundtable discussion and you choose who you’d like to sit with at the roundtable lunch.

The event is limited to just 10 IT security vendors; however there are 2 places still available so if you would like to attend please give Yvonne a call on 0207 183 2832.

Here at Eskenzi PR, we like to have our fingers firmly on the pulse of cyber security news and trends. We have recently noticed announcements from the likes of HP and CrowdStrike that companies are now starting to jump on the “crowdsource” bandwagon and are beginning to realise that the best way to combat cyber security threats is to share information.

Crowd source / open source, whatever you want to call it – this is a message that our client, AlienVault has pioneered since the company’s inception.  In fact, it is the basis of its business.  AlienVault’s Open Threat Exchange (OTX) is an open and collaborative platform that has become the largest threat information repository with over 8,000 contributors from more than 140 countries that share threats every day.  Barmak Meftah, CEO and president of AlienVault commented:

“We welcome [these] announcement[s] and see [them] as further validation of what we’ve known for a long time: Crowdsourcing or open source threat intelligence is the only way organisations have any hope of combating the ‘bad guys’.  We’ve learned first-hand that being open and collaborative are the essential requirements to sharing and disseminating the comprehensive threat intelligence that no one company could ever collect in isolation.  The era of closed systems and proprietary enterprise solutions to address the security concerns of organisations around the world is over.”

It is great to see this openness in the security industry catching on with more and more companies; after all if we all work together, it will go a long way towards furthering our goals.

– Beth

Every day we hear about another data breach; more and more it is becoming a common headline for personal data being lost by a company. Working in the security industry, we use these stories as a way to educate the general public and other companies on how to secure their data, what tools to use and how to avoid becoming the next big breach or having your details in the wrong hands… but when will the public as a whole learn?

Sitting in a company meeting last week, we discussed all the different breaches that had happened over the year. As the breaches were mentioned, it occurred to me that someone I know has probably lost their details in every one of those breaches… but do they know their details have been lost? Have they taken any actions?

Have they stopped using that website? My guess probably not.

Have they stopped using that bank account? Again probably not.

Have they proactively gone and changed all their passwords? Maybe for some – not all!

Being in the security industry, you become more aware of what is going on and inevitably more cautious. But as data breaches become more of a common daily occurrence, are people sitting up and taking action to protect themselves?

According to a survey by Symantec, 19 people fall victim to cybercrime every minute in the UK – this goes to show that no matter how many breaches there are, we as a nation are still failing to protect ourselves. Why is this? Is it not our job to protect our own data? Do we think the companies should be taking extra steps to look after our data and we cannot do anything? Or with the rise of social networks do we all believe that all our data is out there for all to see – so why protect it?

Maybe it’s because we do not see how a small piece of information such as our password or date of birth could be of such high value to a hacker who can then access our bank accounts and have a shopping spree at our own expense…