Hackers Could Decrypt Your GSM Phone Calls

Researchers have discovered a flaw in the GSM standard used by AT&T and T-Mobile that would allow hackers to listen in.

Most mobile calls around the world are made over the Global System for Mobile Communications standard; in the US, GSM underpins any call made over AT&T or T-Mobile networks. But at the DefCon security conference in Las Vegas on Saturday, researchers from BlackBerry are presenting an attack that can intercept GSM calls as they’re transmitted over the air and then decrypt them to listen back to what was said. What’s more, this vulnerability has been around for decades.

Regular GSM calls aren’t fully end-to-end encrypted for maximum protection, but they are encrypted at many steps along their path, so random people can’t just tune into phone calls over the air like radio stations. The researchers found, though, that they can target the encryption algorithms used to protect calls and listen in on basically anything.

“GSM is a well-documented and analyzed standard, but it’s an aging standard and it’s had a pretty typical cybersecurity journey,” says Campbell Murray, the global head of delivery for BlackBerry Cybersecurity. “The weaknesses we found are in any GSM implementation up to 5G. Regardless of which GSM implementation you’re using there is a flaw historically created and engineered that you’re exposing.”

The problem is in the encryption key exchange that establishes a secure connection between a phone and a nearby cell tower every time you initiate a call. This exchange gives both your device and the tower the keys to unlock the data that is about to be encrypted. In analyzing this interaction, the researchers realized that the way the GSM documentation is written, there are flaws in the error control mechanisms governing how the keys are encoded. This makes the keys vulnerable to a cracking attack.

As a result, a hacker could set up equipment to intercept call connections in a given area, capture the key exchanges between phones and cellular base stations, digitally record the calls in their unintelligible, encrypted form, crack the keys, and then use them to decrypt the calls. The findings analyze two of GSM’s proprietary cryptographic algorithms that are widely used in call encryption—A5/1 and A5/3. The researchers found that they can crack the keys in most implementations of A5/1 within about an hour. For A5/3 the attack is theoretically possible, but it would take many years to actually crack the keys.

“We spent a lot of time looking at the standards and reading the implementations and reverse engineering what the key exchange process looks like,” Murray says. “You can see how people believed that this was a good solution. It’s a really good example of how the intention is there to create security, but the security engineering process behind that implementation failed.”

The researchers emphasize that because GSM is such an old and thoroughly analyzed standard, there are already other known attacks against it that are easier to carry out in practice, like using malicious base stations, often called stingrays, to intercept calls or track a cell phone’s location. Additional research into the A5 family of ciphers over the years has turned up other flaws as well. And there are ways to configure the key exchange encryption that would make it more difficult for attackers to crack the keys. But Murray adds that the theoretical risk always remains.

Short of totally overhauling the GSM encryption scheme, which seems unlikely, the documentation for implementing A5/1 and A5/3 could be revised to make key interception and cracking attacks even more impractical. The researchers say that they are in the early phases of discussing the work with the standards body GSMA.

The trade association said in a statement to WIRED: “Details have not been submitted to the GSMA under our coordinated vulnerability programme. When the technical details are known to the GSMA’s Fraud and Security Group we will be better placed to consider the implications and the necessary mitigation actions.”

Though it may not be that surprising at this point that GSM has security issues, it’s still the cellular protocol used by the vast majority of the world. And as long as it’s around, real call privacy issues remain too.

Source | https://www.wired.com/story/gsm-decrypt-calls/?verso=true

National awareness plan on managing cybersecurity, cybercrime at year-end

KUALA LUMPUR: A national awareness plan on the management of cybersecurity and cybercrime will be launched at the end of this year, Deputy Prime Minister Datuk Seri Dr Wan Azizah Wan Ismail said today.

She said the plan, which was being developed by the National Cyber Security Agency (NACSA), was expected to be implemented in January 2020, targeting four groups – children, youths, adults and parents, as well as organisations.

Dr Wan Azizah, who is also chairman of the E-Sovereignty Committee, said various parties were involved in developing the plan, including government agencies, the private sector, industries and non-governmental organisations.

The plan was an effort to address cyber threats comprehensively besides the National Cyber Security Strategy which was still being developed, she said.

“One of the things that we (the government) stress is the management of cybersecurity and we have the National Cyber Security Strategy … where we look at cyber attacks in other countries. This is important for us to protect the banking system and so on,” she told reporters in a special interview at her office in Parliament House in conjunction with the first anniversary of the Pakatan Harapan (PH) government.

The National Cyber Security Strategy, among others, covers the management of cyber incidents through an active cyber defence approach which outlines proactive, integrated action at every layer of the country’s system defence and information and communications technology.

Dr Wan Azizah said Malaysia is also aware that international collaboration is very important and necessary to improve the effectiveness of the management of cybersecurity and cybercrime.

She said that among the initiatives that are being implemented is developing the ASEAN Regional Forum (ARF) Cyber Security Work Plan which is a joint plan for cybersecurity among ARF member countries.

Dr Wan Azizah said Malaysia, together with Australia, has developed the ‘Cyber Point of Contact’, which is a database of the list of liaison officers in member countries, to get assistance and cooperation during cyber incidents. – Bernama

Source | https://www.theborneopost.com/2019/05/08/national-awareness-plan-on-managing-cybersecurity-cybercrime-at-year-end/

Israel Neutralizes Cyber Attack by Blowing Up A Building With Hackers

The Israel Defense Force (IDF) claims to have neutralized an “attempted” cyber attack by launching airstrikes on a building in the Gaza Strip from which it says the attack originated.

As shown in a video tweeted by IDF, the building in the Gaza Strip, which Israeli fighter drones have now destroyed, was reportedly the headquarters for Palestinian Hamas military intelligence, from where a cyber unit of hackers was allegedly trying to penetrate Israel’s cyberspace.

“We thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work. HamasCyberHQ.exe has been removed,” said the Israeli Defence Forces on Twitter.

However, the Israel Defense Force has not shared any information about the attempted cyber attack by the Hamas group, saying that doing so would reveal the country’s cyber capabilities.

According to Judah Ari Gross of Times of Israel, the commander of the IDF’s Cyber Division said, “We were a step ahead of them the whole time,” and “this was one of the first times where Israeli soldiers had to fend off a cyber attack while also fighting a physical battle.”

However, this is not the first time a country has retaliated against a cyberattack with a physical attack. In 2015-16, the U.S. military reportedly killed two ISIS hackers—Siful Haque Sujan and Junaid Hussain of Team Poison hacking group—using drone strikes in Syria.

The commander did not reveal the name of the target, but did say that the cyber attack by Hamas was aimed at “harming the way of life of Israeli citizens.”

The tension between Israel and Hamas has increased over the last year, with the latest conflict beginning on Friday after Hamas militants launched at least 600 rockets and mortars at Israel and shot two Israeli soldiers.

In retaliation for the violence by Hamas, the Israeli military has carried out its own strikes on what it claimed were hundreds of Hamas and Islamic Jihad targets in the coastal enclave.

So far, at least 27 Palestinians and 4 Israeli civilians have been killed, and over 100 of them have been injured.

The IDF said its airstrike targeted and killed Hamed Ahmed Abed Khudri, whom the Israeli military reportedly accused of funding the Hamas rocket fire attacks by transferring money from Iran to armed factions in Gaza.

“Transferring Iranian money to Hamas and the PIJ [Palestinian Islamic Jihad] doesn’t make you a businessman. It makes you a terrorist,” IDF wrote in a tweet that included an image of a Toyota car in flames.

In a new development, Israel has stopped its air strikes on the Palestinian territory and lifted all protective restrictions imposed near the Gaza area, after Palestinian officials offered a conditional ceasefire agreement with Israel to end the violence.

Source | https://thehackernews.com/2019/05/israel-hamas-hacker-airstrikes.html?m=1

MORE DEDICATED CYBER-SECURITY STAFF NEEDED IN HEALTHCARE INDUSTRY

  • Industry that deals with copious amounts of personal, exploitable data
  • Organisation-wide education and awareness are crucial

AS THE adoption of digital technology in the healthcare industry accelerates, there is an increasing need to protect another side of patients’ and healthcare organisations’ well-being – the security of their personal data.

This emphasis on protecting data and mitigating cyber-threats is reflected in the industry’s significant investment into cyber-security.

According to a recent survey by Palo Alto Networks, about 70% of healthcare organisations in Asia-Pacific say that 5% to 15% of their organisation’s IT budget is allocated to cyber-security.

However, despite substantial budgets, there seems to be a need for the healthcare industry to catch up with industry peers in terms of cyber-security talent, with only 78% having a team in their organisations dedicated to IT security, the lowest among the industries surveyed. This is also well below the industry-wide average of 86%.

“As an industry that deals with copious amounts of personal, exploitable data, it can be disastrous if this data enters the wrong hands.

“Healthcare organisations need to ensure they are always updated on new security measures, and change their mindset from a reactive approach to a prevention-based approach instead, akin to how they remind patients that prevention is better than cure,” says Sean Duca, vice president and regional chief security officer for Asia-Pacific, Palo Alto Networks.

Risk factors

Aside from monetary loss associated with data breaches and availability of connected devices which monitor patient lives, healthcare professionals are most worried about the loss of clients’ contacts, financial or medical information – 30% have cited loss of details as key.

Fear of damaging the company’s reputation among clients comes next at 22%, followed by 17% citing company downtime while a breach is being fixed as a concern.

Cyber-security risks in healthcare organisations are also amplified with BYOD (Bring Your Own Device), with 78% of organisations allowing employees to access work-related information with their own personal devices such as their mobile phones and computers.

In addition to this, 69% of those surveyed say they are allowed to store and transfer their organisation’s confidential information through their personal devices.

While 83% claimed there are security policies in place, only 39% admit to reviewing these policies more than once a year – lower than the 51% of respondents from the finance industry, a sector also known to hold sensitive client data.

Call to get in shape for the future

As more healthcare organisations fall prey to cyber-attacks, such as ransomware, a lapse in data security is a real threat to the industry, hence organisation-wide education and awareness are crucial towards ensuring that the right preventive measures are implemented and enforced.

Fifty-four percent of respondents cited an inability to keep up with evolving solutions as a barrier to ensuring cyber-security in their organisations, and 63% of respondents attributed this to an ageing internet infrastructure, citing it as the likely main reason for cyber-threats, should they happen.

Here are some tips for healthcare organisations:

Ensure that medical devices are equipped with up-to-date firmware and security patches to address cyber-security risks. Medical devices are notoriously vulnerable to cyber-attacks because security is often an afterthought when the devices are designed and maintained by the manufacturer. These precautionary measures may include having an inventory on all medical devices, accessing network architecture and determining patch management plan for medical devices, as well as developing a plan to migrate medical devices to the medical device segment.

Apply a zero-trust networking architecture for hospital networks, making security ubiquitous throughout, not just at the perimeter. Healthcare organisations should look to segment devices and data based on their risk, inspecting network data as it flows between segments, and requiring authentication to the network and to any application for any user on the network.

Practices such as BYOD and some employees’ ability to store and transfer confidential information through their personal devices put them at a higher risk of phishing attacks. To prevent this, healthcare providers should ensure that staff undergo regular end-user security training to reduce successful phishing. Cyber-security best practices can be taught as a new hire class for every employee.

As healthcare organisations migrate portions of their critical infrastructure and applications to the cloud, it becomes imperative for an advanced and integrated security architecture to be deployed to prevent cyber-attacks on three prongs: the network, the endpoint and the cloud. Traditional antivirus will not be effective in guarding against advanced malware such as ransomware, which continuously changes to avoid detection.

Source | https://www.digitalnewsasia.com/digital-economy/more-dedicated-cyber-security-staff-needed-healthcare-industry

Top 10 operational risks for 2019

The biggest op risks for 2019, as chosen by industry practitioners

We present our annual ranking of the biggest op risks for the year ahead, based on a survey of operational risk practitioners across the globe and in-depth interviews with a selection of industry personnel. The risks are listed in order of magnitude of threat, with this year’s largest risk being data compromise.

#1: Data compromise  

The threat of data loss through cyber attack, combined with an awareness among managers that defences are vulnerable, has made data compromise a perennial concern for op risk practitioners of all stripes. But the advent of strict new data protection regulation has intensified those fears, helping propel the category to the top of our annual survey for the first time.

Collecting multiple datasets and storing them in one place presents a single, tempting target for hackers. Companies have responded by compartmentalising data and storing it across several locations in an effort to reduce the potential loss from a single breach.

“You have to assume hackers will get through, and what do you do then? It can be just making sure you are storing data in several places, splitting your data so [hackers] getting into one file won’t get what they need,” says one senior risk practitioner.

The EU’s General Data Protection Regulation (GDPR), introduced in May 2018, aims to tighten consumer safeguards around data disclosure. No prosecution has yet used the full scope of penalties – the regulation allows a fine of up to 4% of global revenue – but companies are wary of a sizeable additional loss associated with, for example, a major data breach due to negligence.

Other areas of GDPR may have attracted less attention, but still pose significant potential sources of operational risk. Companies must provide customers with access to their own data, including the ability to correct or erase it in some cases; and they must report a data breach within 72 hours.

New regulations are also offering up enticing targets for hackers, though: their targets are broadening beyond financial services firms to encompass intermediaries and even the official sector. For example, the EU’s Mifid II markets regime requires trading platforms and investment firms to collect personal information on the counterparties to every trade – not just a potential privacy issue, but a new and worrying point of entry to would-be hackers. As the data is passed from firm to platform and from platform to regulator, it becomes exposed to attack.

Some banks are taking advantage of the new market in cyber crime to adopt a more proactive defence strategy. Cyber criminals use the unindexed “dark” web to offer stolen data for sale. By monitoring this black market, institutions may gain advance warning of attacks, or even discover stolen data whose theft had gone unnoticed.

An active defence should also include penetration testing, both online and physical. Often the critical weakness in a cyber security plan sits, as IT managers put it, between chair and keyboard.

In a landmark case in October 2018, US authorities fined fund manager Voya Financial $1 million after a security breach allowed hackers to steal the personal details of thousands of customers. The hackers gained access by making repeated phone requests for password changes, pretending to be Voya subcontractors. Resetting the passwords was explicitly banned by Voya’s policies, but its employees did it nonetheless.

#2: IT disruption

Cyber attacks conjure images of masked figures gaining access to the IT network of a company or government and making away with millions, yet the reality is often more prosaic. Malware designed merely for nuisance value can cripple firms’ operations, while the origin of attack is often not rogue criminal but state entity: the WannaCry and NotPetya ransomware events of 2017 were widely attributed to state-sponsored sources.

“Hackers are more organised and some countries have malicious, not criminal intent,” says an operational risk consultant. “They might not get anything out of it apart from bringing systems down and causing disruption.”

The past year has not seen as many high-profile disruptive cyber attacks as the previous one, which may go some way to explaining why IT disruption slips to second place in Risk.net’s 2019 survey.

However, risk experts still see cyber attacks as an ever-present menace.

Distributed denial of service (DDoS) is one of the most common forms of attack. DDoS data from two security specialists provides a conflicting picture: Kaspersky Lab reports a decline in overall attacks by 13% from 2017 to 2018. Corero says that among its customers, the number of events in 2018 was up 16% year-on-year.

Banks remain vulnerable, even the largest. In April 2018, it was revealed that a co-ordinated DDoS attack had disrupted services at seven major UK lenders, including Barclays, HSBC, Lloyds and RBS. The National Crime Agency and international partners responded by shutting down a website linked to the attacks that offered DDoS services for a small fee.

As banks shift more of their retail and commercial activity online, a growing fear is that a widespread cyber event could cripple an institution’s activity. Dwindling branch networks are reducing the “hard” infrastructure that lenders could previously rely on to maintain essential services.

“Banks may be taking channels offline as firms move away from the high street and close their branches,” says the head of operational risk at a bank. “So one route they have which offers them a certain type of resilience may not be there in a few years’ time and they may be wholly dependent on the digital side.”

#3: IT failure

Though usually overshadowed by its attention-grabbing cousin – the threat of a cyber attack – the risk of an internal IT failure is never far off risk managers’ minds. When such failures happen, their financial, reputational and regulatory consequences can easily rival the damage from high-profile data theft.

It is probably no coincidence that the danger of a self-imposed IT debacle is the third-largest operational risk in 2019’s survey: it follows a year in which a botched system migration cost UK bank TSB more than £300 million ($396 million) in related charges and an unknowable sum in lost customers.

And it’s a risk that is only likely to grow in importance, op risk managers acknowledge: “The more we interconnect, the more we have online banking and direct [digital] interaction between our clients and ourselves – the more IT structures can be disrupted,” says a senior op risk executive at a major European bank, summing up a view expressed by several risk managers.

The Basel Committee on Banking Supervision is co-ordinating various national and international efforts to improve cyber risk management. Last year it set up the Operational Resilience Working Group – its first goal has been “to identify the range of existing practice in cyber resilience, and assess gaps and possible policy measures to enhance banks’ broader operational resilience going forward”, the committee said in a November 2018 document.

On a national level, operational resilience – including against IT failures – is an area of focus for the Bank of England. The central bank defines it as “the ability of firms and the financial system as a whole to absorb and adapt to shocks”. In July, it published a joint discussion paper on operational resilience with the UK’s Prudential Regulation Authority and Financial Conduct Authority.

Speaking at the OpRisk Europe conference in June, the PRA’s deputy chief executive Lyndon Nelson said: “It is likely that the [BoE] will set a minimum level of service provision it expects for the delivery of key economic functions in the event of a severe but plausible operational disruption.”

#4: Organisational change  

Organisational change – sometimes called ‘strategic execution risk’ – refers to the grab bag of things that can go sideways in the midst of any transition: switching to a new system from an old one, new strategic objectives, adjustments to new management edifices, errors or just bad decisions, etc.

The catalyst can come from any number of directions – mergers or acquisitions, divisional reorganisations, a strategic change in business mix. Unfortunately for financial firms, none of these are mutually exclusive – most are largely unavoidable.

Banks and buy-side firms are subject to the currents of consumer taste and the need to keep pace with rivals. Often, firms might be prompted into action by a shift in the nature of the threats they face: witness cyber risk’s long journey from the domain of IT to the risk team.

New regulation may also force change, requiring a company to divert resources, redeploy personnel or create new departments entirely – as in the case of the Fundamental Review of the Trading Book, for instance.

Problems arising during technology upgrades or changes are perhaps the most often mentioned risks in this threat category. But geopolitical rumblings can add to the difficulties in changes to a hierarchy or embarking on a new business strategy, says one risk professional. One senior op risk consultant says the atmosphere it produces can lead to dangerous operational mis-steps.

Brexit will soon probably provide many such examples. With a disorderly exit by the UK from the European Union this month almost a certainty, banks and brokers are setting up new entities on mainland Europe at a breakneck speed that almost guarantees problems – some as simple as staffing up and resource management.

“With political and economic risk increased, especially by Brexit, the time available to handle change is squeezed,” says the consultant. “That leads to potential errors in execution.”

#5: Theft and fraud

Despite slipping a place on this year’s list, theft and fraud is still many operational risk managers’ worst nightmare. The idea of a massive heist by enterprising hackers, mercenary employees or plain old bank robbers, possibly followed by fines and penalties, keeps the category near the top of the op risk survey year after year.

Inside jobs made up the top three of 2018’s biggest publicly reported op risk losses: Beijing-based Anbang Insurance lost a shattering $12 billion to embezzlement; in Ukraine, $5.5 billion vanished from PrivatBank in a ‘loan-recycling’ scheme; and in New Delhi, the Punjab National Bank lost $2.2 billion to wayward employees working with a fugitive diamond dealer.

These top losses were the result of old-fashioned crimes in the emerging world. At US and European banks though, it’s the cyber component of theft and fraud that looms large – despite the absence of even a single incident on the top 10 list.

“You can commit theft and fraud anonymously. You can go multicurrency, bitcoin,” comments a senior operational risk executive who says theft and fraud make up the biggest loss at the North American bank where he works. “You can be on the other side of the world, funds in hand, before anyone realises the money is missing.”

According to ORX News, the total of publicly reported losses attributable to cyber-related data breaches and instances of fraud and business disruption was $935 million worldwide in financial services last year. Over half those incidents involved fraud.

Cyber fraud comes generally in one of two sorts: one sows chaos, then grabs data en masse in the ensuing turmoil; the other zeros in on individuals to drain their accounts.

A large-scale attack could consist of millions of small transactions, like a $1 charge on a credit card, each likely unnoticed by the cardholder. In a targeted attack, thieves try to pry loose enough data from a customer’s social media persona to get access to their bank account. Other, more sophisticated schemes look for the weak points in authentication systems like biometrics. Some apps, for instance, can replicate a person’s voice patterns and fool voice ID systems.

“Equifax taught us that you need to move away from knowledge-based authentication to more activity-based identification,” says an op risk head at a second North American bank – for instance, something like asking people what their last two transactions were. In 2017, hackers stole data such as names, birthdates and Social Security numbers on nearly 148 million people from Equifax’s online systems.

#6: Outsourcing and third-party risk

Outsourcing key infrastructure or services to third parties is a tantalising prospect for many firms. The incentive is to harness the expertise of specialist providers, or to save costs. Or, ideally, a combination of the two.

The trade-off for many risk managers is a lingering concern about losing oversight of vital business functions. The prevalence of breaches via third parties and growing regulatory scrutiny of this area, not to mention the build-up of risk in certain systemically important platforms, are the focus of anxiety.

“If cloud platforms are correctly configured, they can enhance security, as well as creating efficiencies and reducing costs for customers,” says a UK cyber insurance executive. “However, if there was an incident that took down a cloud provider such as AWS or Azure, or a component part of the cloud infrastructure, this could cause an outage for thousands of individual companies.”

Regulators are zeroing in on outsourcing risk, too. The European Banking Authority (EBA) finalised outsourcing guidelines in February 2019, with a view to providing a single framework for financial firms’ contracts with third and fourth parties.

Financial institutions are also concerned about their reliance on crucial financial market infrastructure such as trading venues and clearing houses. Unlike IT or payroll systems, these are services that are difficult if not impossible to replicate in-house – as banks have tried to do with some troublesome vendor relationships.

Successful trading venues and clearing houses typically achieve a critical mass of liquidity that makes it very difficult for viable competitors to thrive. Without a credible threat to leave CCPs, banks lack the leverage to persuade the service providers to supply information on data or cyber security practices that might allow risk managers to properly assess threats.

#7: Regulatory risk

This year, the usual complement of regulation plus roiling new issues placed regulatory risk in seventh position on the list.

Chief among shifting regulatory expectations, anti-money laundering (AML) compliance has taken centre stage since the Danske Bank Estonian episode came to light in 2017. As much as €200 billion ($226.1 billion) in ‘non-resident’ money coursed through Danske’s modest Tallinn branch from 2007 to 2015.

Danske’s chief and chairman were ousted. The Danish financial regulator has imposed higher capital requirements, and the US Department of Justice has begun a criminal investigation. The EBA is looking into whether regulators in Denmark and Estonia were remiss. Estonia has ordered Danske to shut the branch.

“On AML, there are huge regulatory expectations there,” says one operational risk executive at an international bank. “We have a huge programme in the group to try and comply with their requirements.”

Elsewhere, changes to data protection legislation present their own matrix of requirements for banks spanning continents, beginning with the EU’s GDPR.

“There are so many privacy regulations that raise issues from a regulatory risk standpoint. It’s a patchwork of regulations at the state and federal levels,” says an operational risk executive at one North American bank.

Banks are also warily eyeing further regulatory intervention from the Basel Committee on operational resilience – a broad initiative that sets out regulators’ expectations on a number of business continuity topics, including a minimum response time to return to normal operations after a platform outage.

#8: Data management

A conversation with any op risk manager will land, sooner or later, on the issue of data management. It could be concerns about data quality, particularly of historical data stored on legacy systems, which carries with it problems such as format and reliability. Or it could be the risk of missteps when handling customer data – inappropriate checks on storage, use or permissioning – that now come with the added threat of eye-watering fines from regulators.

Taken together, it’s no surprise that data management has made it into the top 10 op risks as a discrete risk category for the first time this year. It is considered separately from the threat of data compromise, where data breaches share the common driver of a malicious external threat.

Much of the impetus behind firms’ drive to beef up standards around the storage and transfer of personal data stems from the tightening of regulatory supervision on data privacy and security around the world – most obviously GDPR. Firms operating within the EU or holding data on EU citizens – which puts just about every firm around the world in scope, to some degree – may be heavily fined for falling foul of the regime, for instance, by failing to explicitly gain consent from individuals to retain and use their data.

As data management and compliance headaches multiply, the financial sector is pushing to use machine learning to augment the modelling of everything from loan approvals to suspicious transactions. In a sense, the methods offer a fix to downplay human errors. However, dealers have acknowledged machine learning models’ predictive power leaves them open to potentially unethical biases, such as inadvertently discriminating against certain customer groups because the bank’s data shows a higher risk of non-payment based on other customers historically served there.

Poor data management has consequences for everyday compliance exercises, such as filling in mandatory quarterly risk control self-assessment forms to the satisfaction of regulators. Banks “are missing robust data management processes to ensure that data is reliable, complete and up to date, and that reports can be generated [in a timely manner]”, the head of op risk at one Asian bank tells Risk.net.

#9: Brexit

Brexit covers such a wide range of possible risk events that some participants in this year’s survey disputed whether it should be included as a standalone chapter at all; but a significant number argued strongly that it should, with its collective drivers likely engendering a common set of specific risks for banks and financial firms for years to come.

At the time of writing, the UK is a fortnight away from leaving the EU, although speculation about a delay ranging from two months to two years is growing. Nor is there any clarity on the state of the UK-EU relationship after the March 29 deadline. Anything from a long delay or a cancellation to an abrupt “no-deal” crash exit remains possible; this may have changed by lunchtime on the day this article is published.

Many financial firms whose business is affected by Brexit have given up waiting for lawmakers to finalise negotiations over the terms of the split and are pushing ahead with contingency plans. Banks and brokers are setting up new entities in mainland Europe, a process that is fraught with operational risk, particularly given the accelerated timescale for its completion.

Third-party risk from new supplier relationships; legal risk from repapering numerous financial contracts; people risk from hiring and training new personnel; these and other effects of the relocation will put additional strain on the operational resilience of companies.

Particularly in the case of a Brexit with no deal, industry practitioners fear a general increase in stress on almost every aspect of operations. One survey respondent points out: “If you have a hard Brexit, how resilient are your operation processes in terms of new requirements? If you think about it, overnight you go into new tariff regimes. So you have a portfolio with every operational risk you’ve ever seen.”

#10: Mis-selling

Mis-selling drops a few places on this year’s top 10 op risks, a reflection – or perhaps a shared hope among risk managers – that the era of mega-fines for crisis-era misdeeds among US and European banks might finally be over. They would do well to check their optimism, however: as the recent public inquiry into Australia’s financial sector that has excoriated the reputation of the nation’s banks shows, another mis-selling scandal is never far away.

Firms have shelled out a scarcely credible $607 billion in fines for conduct-related misdemeanours since 2010, the bulk of them related to fines and redress over mis-selling claims. 2011 and 2012 saw the heaviest losses, with the bulk of the fines for mis-selling, from residential mortgages to payment protection insurance (PPI), concentrated in those years.

The cumulative impact of fines and settlements has taken a huge toll on bank capital: as a recent Risk Quantum analysis shows, op risk now accounts for a third of risk-weighted assets (RWAs) among the largest US banks, while UK lenders still face hefty Pillar 2 capital top-ups from the Bank of England, largely as a result of legacy conduct issues.

Under the advanced measurement approach to measuring op risk capital, which most US banks use, sizeable op risk losses can heavily skew a model’s outputs. But from a capital point of view, there are hopeful signs that with the severity and frequency of losses decreasing, RWAs are starting to see a gradual rolldown for most banks – though the US Federal Reserve has privately made clear it will not sign off any more changes to bank op risk models, leaving their methodologies frozen in time.

While Australia’s banks emerged relatively unscathed from the 2008 global financial crisis, they too are now feeling the sting of public ire following a series of mis-selling and conduct-related scandals, the first of which claimed the scalp of Commonwealth Bank Of Australia chief executive Ian Narev last year, dealing a severe blow to the bank’s reputation.

The Royal Commission enquiry it helped spark had far wider ramifications beyond the bank. The fallout is still being felt, with National Australia Bank announcing on February 7 that its chief executive Andrew Thorburn and chairman Ken Henry would both step down.

Source | https://www.risk.net/risk-management/6470126/top-10-op-risks-2019

Three films about corporate cybersecurity and cyberwar

While stories about breaches and cyberattacks have only become commonplace in the news relatively recently, Hollywood has had an interest in cybersecurity for some time now. To coincide with the Oscars, we’re taking a look at several popular films that dealt with cyberattacks on companies or government institutions, industrial espionage, and cyberwar, in order to take away some lessons for businesses.

Endpoint security and the problem with critical infrastructure.

In Skyfall (2012), one of the latest James Bond films, the British Intelligence Service, MI6, is under attack, and is trying to stop vital information from being leaked to the public. In turn, Bond is fighting to survive, and struggling to stay relevant in a world where the figure of the field agent is becoming less important thanks to technological advances, and where popular services such as social networks can put an agent’s privacy at risk. Silva, a cybercriminal, and the film’s bad guy, manages to interfere with satellite signals, attack the London Underground, tamper with elections in several African countries, and destabilize the stock market… All from a computer.

Although the film contains such important concepts as the protection of critical infrastructures, and is the first Bond film to use a cyberattack as a lethal weapon, there is one serious error that needs to be highlighted. The employees of MI6 get their hands on a computer belonging to Silva, the criminal hacker, and connect it to the intelligence service’s network to extract information from it.

Accessing the network via an infected endpoint endangers the organization’s entire infrastructure, and is an important example of how simple mistakes in a business environment can put our privacy at risk. Despite this slip-up, Q, the technology expert at MI6, says, one might say quite rightly: “I’ll hazard I can do more damage on my laptop, sitting in my pyjamas before my first cup of Earl Grey than you can do in a year in the field.”

The documentary Zero Days (2016) investigates the by now well-known sophisticated computer worm Stuxnet, which is suspected to have been developed by the United States and Israel in order to sabotage the Iranian nuclear program in 2010. Stuxnet also managed to make its way onto a private network via an infected endpoint – in this case a pen drive – which injected malicious code onto the programmable logic controllers (PLC) used to automate the nuclear power station’s processes.

The worm took over more than 1,000 machines in the industrial environment, and forced them to self-destruct. This attack became the first known digital weapon in international cyberwar, the first virus capable of paralyzing functioning hardware.

The malware leveraged multiple zero day vulnerabilities in order to infect Windows computers, specifically targeting nuclear centrifuges used to produce the uranium needed for weapons and nuclear reactors. Despite being created specifically to affect nuclear facilities in 2010, it seems that Stuxnet has mutated and spread to different organizations outside the industrial sector. 

Human error in cyberwar

In the film Blackhat (2015), after attacks on nuclear power stations in Hong Kong and on the Chicago Stock Exchange, the US and Chinese governments are forced to cooperate in order to protect themselves. In light of these new threats, the FBI turns to a convicted cybercriminal, Hathaway, to help discover who is behind the IT attacks: a black hat hacker seeking to get rich by bringing down the stock market.

In this case, several of the attacks are carried out by the black hat using a RAT (Remote Access Trojan), a piece of malware that can take over a system via a remote connection. Those collaborating with the FBI also fall back on two important weapons to attack corporate networks: an email with an attached PDF containing a keylogger.

This tool is used to access a piece of software exclusive to the National Security Agency (NSA), which is not willing to collaborate with the FBI. As with the other two films discussed here, they also use an infected pen drive as an attack vector, in this case to gain access to a bank’s network and drain the accounts of the cybercriminal who is wreaking so much havoc.

Cybersecurity lessons

These three examples from the film industry can provide us with some valuable tips for a business environment:

  • Pen drives must never be inserted in our systems if we don’t know where they come from, or without first running a malware analysis. To carry out a scan like this, advanced platforms such as Panda Adaptive Defense provide a detailed vision of all endpoints. It’s also vital to scan files that come in as attachments.
  • Attachments from unknown senders or people who aren’t in our address books must never be opened.
  • We need to make sure that our employees know how to deal with social engineering attacks and such common mistakes as connecting unknown devices to the corporate network.

Source | https://www.pandasecurity.com/mediacenter/news/7-best-cybersecurity-films/

Cyber espionage warning: The most advanced hacking groups are getting more ambitious

The top 20 most notorious cyber-espionage operations have increased their activity by a third in recent years – and are looking to conduct more attacks, according to a security company.

The most advanced hacking groups are becoming bolder when conducting campaigns, with the number of organisations targeted by the biggest campaigns rising by almost a third.

A combination of new groups emerging and threat actors developing successful strategies for breaking into networks has seen the average number of organisations targeted by the most active hacking groups rise from 42 between 2015 and 2017 to an average of 55 in 2018.

The figures detailed in Symantec’s annual Internet Security Threat Report suggest that the top 20 most prolific hacking groups are targeting more organisations as the attackers gain more confidence in their activities.

Groups like Chafer, DragonFly, Gallmaker and others are all conducting highly targeted hacking campaigns as they look to gather intelligence against businesses they think hold valuable information.

Once attackers might have needed the latest zero-days to gain access to corporate networks, but now it’s spear-phishing emails laced with malicious content that are most likely to provide attackers with the initial entry they need.

And because these espionage groups are so proficient at what they do, they have well tried-and-tested means of conducting activity once they’re inside a network.

“It’s like they have steps which they go through, which they know are effective to get into networks, then for lateral movement across networks to get what they want,” Orla Cox, director of Symantec’s security response unit, told ZDNet.

“It makes them more efficient and, for organizations, it makes them harder to spot because a lot of the activity looks like traditional enterprise activity,” she added.

In many of the cases detailed in the report, attackers are deploying what Symantec refers to as ‘living-off-the-land’ tactics: the attackers use everyday enterprise tools to help them travel across corporate networks and steal data, making the campaigns more difficult to discover.

Not only is the number of targeted campaigns on the rise, but there’s a larger variety in the organisations being targeted. Organisations in sectors like utilities, government and financial services have regularly found themselves targets of organised cyber-criminal gangs, but increasingly, these groups are expanding their attacks to new targets.

“Often in the past they’d have a clear focus on one sector, but now we see these campaigns can focus on a wide variety of targets, ranging from telecoms companies, hotels, universities. It’s harder to pinpoint exactly what their end goal is,” said Cox.

While intelligence gathering remains the key goal of many of these campaigns, some are beginning to expand by also displaying an interest in compromising systems.

This is a particularly worrying trend, because while stealing data in itself is bad enough, attackers with the ability to operate cyber-physical systems could be much worse.

One group Symantec has observed conducting this activity is a hacking operation dubbed Thrip, which expressed particular interest in gaining control of satellite operations — something that could potentially cause major disruption.

In the face of a rise in targeted attacks, governments are increasingly pointing the finger not just at nations but individuals believed to be involved in cyber espionage. For example, the United States named individuals it claims are responsible for conducting cyber attacks: they include citizens of Russia, North Korea, Iran and China. Symantec’s report suggests the indictment might disrupt some targeted operations, but it’s unlikely that cyber espionage campaigns will be disappearing anytime soon.

Source | https://www.zdnet.com/article/cyber-espionage-warning-the-most-advanced-hacking-groups-are-getting-more-ambitious/

HEALTHCARE SECURITY SOLUTIONS

Protecting human lives is the job of healthcare organizations.
Protecting the digital lives of their patients is ours.

With FBI warnings about cyberattacks against healthcare organizations, the FDA’s concern about insecure medical devices, and complex regulatory requirements, such as GDPR, you may be facing significant challenges when it comes to protecting patients’ private information.  At Trend Micro, we understand the healthcare industry’s unique security requirements, and we provide layered solutions that fit your existing infrastructure, won’t strain your IT resources, and will grow and change in step with your evolving IT strategy.

• Detect breaches caused by targeted attacks, unsecured medical devices, and security gaps. Trend Micro Network Defense helps you detect, analyze, and respond to network breaches, targeted attacks, and advanced persistent threats. Trend Micro™ Deep Discovery—the heart of the Network Defense solution—achieved the top score in the 2017 NSS Labs Breach Detection tests, and has been named a “Recommended” Breach Detection System for 4 years in a row.

• Secure all of your end users as they use tablets, smartphones, legacy systems (such as devices running Windows XP), and kiosks. Trend Micro User Protection has consistently achieved the best overall performance and the lowest false-positive rates according to AV-Test.org. With proactive monitoring of all personally identifiable information, you can significantly reduce the risks associated with data loss—a critical security and business concern for healthcare organizations.

• Protect Patient Portals and other critical applications even as you move toward cloud-based server deployments. Trend Micro’s Hybrid Cloud Security provides advanced server security that was purpose-built for physical, cloud, virtual, and hybrid deployments. Since 2009, the independent analysts at IDC have ranked Trend Micro as the global leader in server security.

“With Trend Micro solutions, we see which types of threats we are facing and can quickly resolve them before they affect our system. This makes us very confident with our HIPAA, FERPA, and PCI compliance audits.”
Jaime Parent, Associate CIO, Vice President IT, Operations at Rush University Medical Center

All of our solutions are powered by XGen™ security, a blend of cross-generational threat defense techniques that protect servers and applications across the modern data center and the cloud – all while preventing business disruptions and helping with regulatory compliance. Our smart, optimized, and connected technology ensures that everything is working together to give you visibility and control across the evolving threat landscape. SMART. OPTIMIZED. CONNECTED.

When you deploy Trend Micro’s User Protection, Hybrid Cloud Security, and Network Defense, your organization’s network, endpoints, and servers will be protected with one integrated security framework. Trend Micro™ Control Manager™ provides a centralized management console that gives you total, unified visibility across your entire security infrastructure—making it simple for small security teams to monitor and respond to security concerns across the organization with minimal resources. You will be able to protect user financial and health data, prevent breaches and data loss, and secure end-user behaviors and endpoint devices, making it easy to comply with regulatory requirements, such as GDPR, HIPAA, HITECH, PCI DSS, and more.

“With a network like ours, spread across the entire country, being able to secure mobile and desktop devices under one platform simplifies the security for our network and improves our team’s productivity.”
Greg Bell, IT Director at DCI Donor Services

To give you the best protection against today’s threats, Trend Micro™ Smart Protection Network™ delivers proactive global threat intelligence against zero-hour threats by:

• Using big-data analytics to examine data from hundreds of millions of sensors around the globe, and processing more than 16 billion threat queries daily

• Identifying new threats fifty times faster than average, according to recent tests conducted by NSS Labs

• Blocking 1 billion ransomware attacks, and identifying 500,000 new threats, each and every day

“For us, Trend Micro is at the top of its game when it comes to virtualization security—I believe no one can touch them.”
David Kelly, Virtualization Manager at Beaumont Hospital

To read success stories from our healthcare customers, and for more information on how Trend Micro can help your organization meet its obligation to secure patient data and protect critical corporate information, please visit:
http://www.trendmicro.com/us/business/industries/healthcare/index.html

If you’d like to discuss how to tailor a Trend Micro security solution to meet your specific needs, please contact us by visiting:
http://www.trendmicro.com/us/about-us/contact/index.html

Which countries have the worst (and best) cybersecurity?

With so much of our information (including incredibly personal data) being found online, cybersecurity is of the utmost importance.

So just where in the world are you cyber safe – if anywhere?

Our study looked at 60 countries and found huge variances in a number of categories, from malware rates to cybersecurity-related legislation. In fact, not one country is “top of the class” across the board. All of the countries we analyzed could do with some significant improvements.

However, there were some countries that lacked significantly in a variety of areas and others who outperformed the majority of countries. So with that in mind, we’ve created rankings for these 60 countries, from the least cyber safe to the most cyber safe.

Our methodology: how did we find the countries with the worst cybersecurity?

We considered seven criteria, each of which had equal weight in our overall score. These were:

  • The percentage of mobiles infected with malware – software designed to gain unauthorized access to, destroy, or disrupt a device’s system
  • The percentage of computers infected with malware – software designed to gain unauthorized access to, destroy, or disrupt a computer’s system
  • The number of financial malware attacks – malicious programs created to steal a user’s money from the bank account on their computer system
  • The percentage of telnet attacks (by originating country) – the technique used by cybercriminals to get people to download a variety of malware types
  • The percentage of attacks by cryptominers – software that’s developed to take over a user’s computer and use its resources to mine currency (without the user’s permission)
  • The best-prepared countries for cyber attacks
  • The countries with the most up-to-date legislation

Apart from the latter two, all of the scores were based on the percentage of attacks during 2018. The best-prepared countries for cyber attacks were scored using the Global Cybersecurity Index (GCI) scores. The most up-to-date legislation was scored based on existing legislation (and drafts) that covered seven categories (national strategy, military, content, privacy, critical infrastructure, commerce, and crime). Countries received a point for having legislation in a category or half a point for a draft.

For each criterion, the country was given a point based on where it ranked between the highest-ranking and lowest-ranking countries. Countries with the least cyber-secure scores were given 100 points, while countries with the most cyber-secure scores were allocated zero points. All of the countries in between these two scores received a score on a percentile basis, depending on where they ranked.

The total score was achieved by averaging each country’s score across the seven categories.

All of the data used to create this ranking system is the latest available, and we have only included countries where we could cover all of the data points.
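The scoring described above can be checked against the ranking table on this page. The following is an added example, not the study's own code; it assumes that "percentile basis" means linear min-max scaling within each category, and all function and variable names are illustrative.

```python
"""Recompute overall scores from the ranking table using min-max scaling."""

# Column order, matching the ranking table on this page.
CRITERIA = ("mobile", "financial", "computer", "telnet",
            "crypto", "gci", "legislation")

# For these two columns a higher raw value is the more secure one,
# so the scale is inverted (best value -> 0 points, worst -> 100).
HIGHER_IS_BETTER = {"gci", "legislation"}

# (lowest, highest) raw value per category across all 60 countries,
# read from the ranking table and the per-category lists on this page.
EXTREMES = {
    "mobile": (1.34, 35.91),
    "financial": (0.3, 3.0),
    "computer": (5.9, 32.41),
    "telnet": (0.01, 27.15),
    "crypto": (0.61, 14.23),
    "gci": (0.245, 0.925),
    "legislation": (1.0, 7.0),
}

# Rows copied from the ranking table: (raw values, published overall score).
ROWS = {
    "Algeria": ((22.88, 0.9, 32.41, 0.01, 5.14, 0.432, 1.0), 55.75),
    "Vietnam": ((9.62, 1.2, 21.5, 1.73, 8.96, 0.245, 2.0), 52.44),
    "United States": ((7.68, 0.5, 10.3, 4.47, 0.71, 0.919, 5.5), 12.20),
    "Denmark": ((1.98, 0.4, 5.9, 0.04, 0.61, 0.617, 5.0), 12.04),
    "Japan": ((1.34, 0.5, 8.3, 1.23, 1.1, 0.786, 6.0), 8.81),
}


def category_points(criterion, value):
    """Scale one raw value to 0..100, where 100 is the least cyber-secure."""
    lo, hi = EXTREMES[criterion]
    if not lo <= value <= hi:
        raise ValueError(f"{criterion}={value} outside observed range {lo}..{hi}")
    fraction = (value - lo) / (hi - lo)
    if criterion in HIGHER_IS_BETTER:
        fraction = 1.0 - fraction
    return 100.0 * fraction


def overall_score(raw_values):
    """Average the seven equally weighted category scores."""
    if len(raw_values) != len(CRITERIA):
        raise ValueError("expected one raw value per criterion")
    points = [category_points(c, v) for c, v in zip(CRITERIA, raw_values)]
    return sum(points) / len(points)


def compare_with_published(rows=ROWS):
    """Return {country: (recomputed score, published score)}."""
    return {
        country: (round(overall_score(raw), 2), published)
        for country, (raw, published) in rows.items()
    }


if __name__ == "__main__":
    for country, (ours, theirs) in compare_with_published().items():
        print(f"{country:15s} recomputed={ours:6.2f} published={theirs:6.2f}")
```

The recomputed values agree with the published scores to within rounding of the table's inputs, which is what supports the min-max reading of the methodology.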

Which is the least cyber-secure country in the world?

According to our study, Algeria is the least cyber-secure country in the world. It was the highest-ranking country for lack of legislation and computer malware rates, and also received a high score in the categories for mobile malware and preparation for cyber attacks.

Other high-ranking countries were Indonesia, Vietnam, Tanzania, and Uzbekistan.

Some countries ranked at the top of one category but did better in others, improving their overall score. Germany received the highest score for financial malware, and China received the highest score as the country where most telnet attacks originated from.

The highest-scoring countries per category were:

  • Highest percentage of mobile malware infections – Bangladesh – 35.91% of users
  • Highest number of financial malware attacks – Germany – 3% of users
  • Highest percent of computer malware infections – Algeria – 32.41%
  • Highest percentage of telnet attacks (by originating country) – China – 27.15%
  • Highest percentage of attacks by cryptominers – Uzbekistan – 14.23% of users
  • Least prepared for cyber attacks – Vietnam – 0.245 score
  • Worst up-to-date legislation for cybersecurity – Algeria – 1 key category covered

Which is the most cyber-secure country in the world?

Our findings revealed Japan to be the most cyber-secure country in the world. It scored incredibly low across the majority of categories, only scoring a little higher in the preparation for cyber attacks and legislation categories.

Other top-performing countries included France, Canada, Denmark, and the United States.

As before, some countries scored well in one category but had other scores that brought their average up. These include Ukraine, which had the lowest financial malware rate, and Uzbekistan, Sri Lanka, and Algeria, which had the lowest telnet attack scores.

The lowest-scoring countries per category were:

  • Lowest percentage of mobile malware infections – Japan – 1.34% of users
  • Lowest number of financial malware attacks – Ukraine – 0.3% of users
  • Lowest percent of computer malware infections –  Denmark – 5.9% of users
  • Lowest percentage of telnet attacks (by originating country) – Algeria, Uzbekistan, and Sri Lanka – 0.01%
  • Lowest percentage of attacks by cryptominers – Denmark – 0.61% of users
  • Best prepared for cyber attacks – Singapore – 0.925 score
  • Most up-to-date legislation for cybersecurity – France, China, Russia, and Germany – all 7 categories covered

Overall cybersecurity rankings (from the worst to the best)

| Rank | Country | Score | Percentage of Mobiles Infected with Malware | Financial Malware Attacks (% of Users) | Percentage of Computers Infected with Malware | Percentage of Telnet Attacks by Originating Country (IoT) | Percentage of Attacks by Cryptominers | Best Prepared for Cyberattacks | Most Up-to-Date Legislation |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Algeria | 55.75 | 22.88 | 0.9 | 32.41 | 0.01 | 5.14 | 0.432 | 1 |
| 2 | Indonesia | 54.89 | 25.02 | 1.8 | 24.7 | 1.51 | 8.8 | 0.424 | 4 |
| 3 | Vietnam | 52.44 | 9.62 | 1.2 | 21.5 | 1.73 | 8.96 | 0.245 | 2 |
| 4 | Tanzania | 51.00 | 28.03 | 0.7 | 14.7 | 0.04 | 7.51 | 0.317 | 1.5 |
| 5 | Uzbekistan | 50.50 | 10.35 | 0.5 | 21.3 | 0.01 | 14.23 | 0.277 | 3 |
| 6 | Bangladesh | 47.21 | 35.91 | 1.3 | 19.7 | 0.38 | 3.71 | 0.524 | 3.5 |
| 7 | Pakistan | 47.10 | 25.08 | 1.4 | 14.8 | 0.4 | 6.07 | 0.447 | 2.5 |
| 8 | Belarus | 45.09 | 9.33 | 0.7 | 31.1 | 0.04 | 9.73 | 0.592 | 3 |
| 9 | Iran | 43.29 | 28.07 | 0.8 | 12.7 | 1.71 | 4.51 | 0.494 | 2 |
| 10 | Ukraine | 42.58 | 10.85 | 0.3 | 28.7 | 1.17 | 7.6 | 0.501 | 3 |
| 11 | Nigeria | 42.54 | 28.54 | 0.7 | 15.6 | 0.89 | 4.54 | 0.569 | 2 |
| 12 | Peru | 41.25 | 13.81 | 0.9 | 16.6 | 0.22 | 6.29 | 0.374 | 3 |
| 13 | China | 40.80 | 25.61 | 1.4 | 11.8 | 27.15 | 1.73 | 0.624 | 7 |
| 14 | Sri Lanka | 39.59 | 13.71 | 1.1 | 18.8 | 0.01 | 3.61 | 0.419 | 3 |
| 15 | India | 39.30 | 25.25 | 0.7 | 21.8 | 2.59 | 4.4 | 0.683 | 3.5 |
| 16 | Greece | 39.06 | 5.78 | 2.3 | 21.6 | 0.73 | 1.77 | 0.475 | 4 |
| 17 | Romania | 39.02 | 6.42 | 1.2 | 24.6 | 0.61 | 3.21 | 0.585 | 2 |
| 18 | Ecuador | 38.29 | 14.13 | 0.7 | 16.8 | 0.4 | 3.73 | 0.466 | 2 |
| 19 | Azerbaijan | 38.20 | 6.53 | 0.9 | 26.7 | 0.03 | 7.13 | 0.559 | 4 |
| 20 | Egypt | 38.03 | 18.8 | 1.3 | 20.2 | 7.43 | 4.01 | 0.772 | 4 |
| 21 | Bulgaria | 37.86 | 7.96 | 0.4 | 21.5 | 10.57 | 2.74 | 0.593 | 4 |
| 22 | South Korea | 37.16 | 7.14 | 2.8 | 14.3 | 3.57 | 3.1 | 0.782 | 3 |
| 23 | United Arab Emirates | 36.88 | 9.14 | 1.9 | 20.7 | 0.09 | 2.99 | 0.566 | 4 |
| 24 | Philippines | 36.79 | 23.07 | 0.6 | 23.8 | 0.1 | 2.94 | 0.594 | 4 |
| 25 | Morocco | 36.47 | 10.61 | 1.5 | 21.7 | 0.11 | 3.01 | 0.541 | 4 |
| 26 | Slovakia | 35.57 | 5.32 | 0.6 | 22 | 0.13 | 2.76 | 0.362 | 3 |
| 27 | Tunisia | 35.54 | 9.85 | 1.2 | 21.5 | 0.1 | 2.78 | 0.591 | 3 |
| 28 | South Africa | 34.39 | 9.9 | 1 | 13.4 | 0.64 | 2.51 | 0.502 | 2 |
| 29 | Kenya | 34.16 | 21.43 | 1.2 | 17 | 0.15 | 3.39 | 0.574 | 5 |
| 30 | Brazil | 33.57 | 4.73 | 1.8 | 21.4 | 0.7 | 3.49 | 0.579 | 3 |
| 31 | Latvia | 33.05 | 6.25 | 1.4 | 23.1 | 0.17 | 4.17 | 0.688 | 4 |
| 32 | Saudi Arabia | 32.99 | 10.15 | 0.7 | 20.7 | 0.11 | 2.72 | 0.569 | 3 |
| 33 | Portugal | 32.79 | 5.25 | 1.9 | 20.9 | 0.09 | 1.63 | 0.508 | 5 |
| 34 | Thailand | 32.42 | 7.26 | 1 | 19.7 | 0.79 | 4.27 | 0.684 | 3 |
| 35 | Malaysia | 31.79 | 15.46 | 2.1 | 21.7 | 0.24 | 2.87 | 0.893 | 5 |
| 36 | Italy | 28.31 | 5.24 | 1.3 | 18 | 1.75 | 1.14 | 0.626 | 4 |
| 37 | Argentina | 28.11 | 11.71 | 0.9 | 18.8 | 0.86 | 2.11 | 0.482 | 6 |
| 38 | Russia | 28.02 | 10.11 | 0.6 | 23 | 7.87 | 6.89 | 0.788 | 7 |
| 39 | Colombia | 27.69 | 12.52 | 0.5 | 16.4 | 0.52 | 2.01 | 0.569 | 4 |
| 40 | Poland | 27.36 | 5.83 | 0.8 | 19.9 | 1.23 | 1.73 | 0.622 | 4 |
| 41 | Hungary | 27.30 | 7.28 | 0.8 | 20.2 | 0.3 | 4.19 | 0.534 | 6 |
| 42 | Mexico | 27.17 | 10.49 | 0.7 | 19.5 | 0.73 | 1.43 | 0.66 | 4 |
| 43 | Croatia | 27.09 | 3.66 | 1.8 | 15.2 | 0.05 | 1.91 | 0.59 | 5 |
| 44 | Germany | 26.48 | 3.41 | 3 | 15.7 | 1.11 | 0.91 | 0.679 | 7 |
| 45 | Austria | 25.76 | 2.94 | 1.4 | 12.3 | 0.12 | 0.84 | 0.639 | 3 |
| 46 | Spain | 24.12 | 5.14 | 0.8 | 18.6 | 1.1 | 1.56 | 0.718 | 4 |
| 47 | Turkey | 23.20 | 8.94 | 0.8 | 15.6 | 1.82 | 2.17 | 0.581 | 6 |
| 48 | Belgium | 21.03 | 4.11 | 0.4 | 13.5 | 0.07 | 0.97 | 0.671 | 3 |
| 49 | Czech Republic | 20.37 | 5.68 | 0.5 | 10.9 | 0.34 | 1.44 | 0.609 | 4 |
| 50 | Australia | 16.34 | 5.47 | 0.8 | 14.5 | 0.37 | 0.88 | 0.824 | 5 |
| 51 | Singapore | 15.13 | 8.18 | 0.8 | 8.5 | 0.14 | 1.61 | 0.925 | 4 |
| 52 | Netherlands | 15.00 | 3.71 | 0.6 | 8.1 | 0.32 | 1.06 | 0.76 | 4 |
| 53 | United Kingdom | 14.15 | 3.68 | 0.7 | 10.5 | 1.07 | 0.88 | 0.783 | 5 |
| 54 | Sweden | 13.78 | 3.15 | 0.4 | 11 | 0.45 | 1.31 | 0.733 | 5 |
| 55 | Ireland | 13.41 | 3.73 | 0.5 | 7.9 | 0.06 | 0.85 | 0.675 | 5 |
| 56 | United States | 12.20 | 7.68 | 0.5 | 10.3 | 4.47 | 0.71 | 0.919 | 5.5 |
| 57 | Denmark | 12.04 | 1.98 | 0.4 | 5.9 | 0.04 | 0.61 | 0.617 | 5 |
| 58 | Canada | 11.19 | 3.91 | 0.4 | 14.3 | 0.47 | 0.81 | 0.818 | 6 |
| 59 | France | 10.58 | 4.72 | 0.4 | 16.2 | 0.67 | 1.12 | 0.819 | 7 |
| 60 | Japan | 8.81 | 1.34 | 0.5 | 8.3 | 1.23 | 1.1 | 0.786 | 6 |

 

What can we take away from these findings?

Despite some countries having clear strengths and weaknesses, there is definite room for improvement in each and every one. Whether they need to strengthen their legislation or users need help putting better protections in place on their computers and mobiles, there’s still a long way to go to make our countries cyber secure.

Plus, as the landscape of cybersecurity constantly changes (cryptominers are growing in prevalence, for example), countries need to try and get one step ahead of cybercriminals.

Sources:

https://securelist.com/it-threat-evolution-q3-2018-statistics/88689/

https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-R1-PDF-E.pdf

https://csis-prod.s3.amazonaws.com/s3fs-public/Cyber_Regulation_Index.pdf?4tIe15nR2.LSc8dh9ztuvwpohH1t4dHF

https://www.comparitech.com/fr/blog/vpn-privacy/cybersecurity-by-country/

How smart hospitals are dealing with cybersecurity

The healthcare industry is using technology to improve the work of the sector’s professionals and patients’ lives – but how is it confronting cyber threats?

Is there a difference between going digital and becoming a smart hospital? Apparently, there is.

Dr Milind Sabnis, healthcare director at Frost & Sullivan, explained at the 9th Healthcare Innovation Summit that going digital and generating data is not enough.

Instead, healthcare institutions must be able to make sense of the data and derive actionable results to be successful.

“A smart hospital is a hospital that optimises, redesigns, and builds new clinical processes, management as well as infrastructure to provide a valuable service or an insight which was not there before, and in the process, help achieve better patient care, experience as well as operational efficiency”, he explained.

Senior stakeholders — from regulators, policymakers and healthcare institutions to practitioners and technology providers — agree that the pressure is on to integrate ICT and medical technologies into healthcare services effectively.

In Dr Sabnis’ view, smart hospitals look into three areas of development to reduce operational costs, improve margins, reduce staff burden, increase the recovery rate, and improve satisfaction and experience of the patient.

First, they look at managing logistics more efficiently. Second, they make sure that their staff provides positive patient experiences through clinical excellence. And third, they introduce innovative services and technology initiatives to keep operations patient-centric.

“Whether you like it or not, smart transformation is coming. If you do not prepare for it, do not acclimatise yourself to it, you are going to be extinct,” Dr Sabnis concluded.

Cybersecurity in healthcare

James Woo, CIO of Farrer Park Hospital, emphasised that even smart hospitals today must be future-ready in at least four domains — people, processes, technology and cybersecurity.

Of these, security is among the top concerns.

“Cybersecurity is actually very important. Why? Because even though you have built everything, without that at the end of the day, you have nothing”, explained Woo. “All your people, processes and technologies are not going to work.”

It is a fact: healthcare institutions cannot rely solely on their firewalls to defend against such intrusions. Research has shown that hackers can enter a network and lie dormant for 140 days before detection.

Hence, healthcare institutions are embracing a robust security strategy for protection today and in the future.

Rethinking primary healthcare  

Professor Barbara Starfield, from the Johns Hopkins Bloomberg School of Public Health, defines primary care as “that level of health service systems that provides entry into the system of all new needs and problems.”

She said it also provides person-focused care over time and care for all unusual conditions and coordinates integrated care given elsewhere.

Simply put, there is much more to do in primary care than just the episodic care usually given to patients.

“In a bigger scheme of things, the way we integrate care within primary care is very important”, affirmed Dr K Thomas Abraham, Advisor at SATA CommHealth. “We need to understand that there could be vertical integration and horizontal integration.”

He said vertical integration involves integration within hospitals or other institutions where care is given, while horizontal integration is between practitioners or within the industry.

“I think the future is about how we empower our patients through the use of technology, through the use of different resources that are available for their care”, Dr Abraham said. “Self-care is important; this is how you manage patients and reduce the cost of healthcare and prevent them from being hospitalised.”

How can technology help patients?

A study has shown that socioeconomic factors, as a determinant of health, contribute 40 percent to a person’s general health and well-being, while clinical care contributes only 10 percent.

This leads healthcare professionals to start looking more closely at patients’ environment as well as individual characteristics and behaviours.

Today, technology also makes it possible to care for patients remotely. A study conducted by Accenture reveals that virtual care solutions in primary care can generate savings of up to US$10 billion annually for the industry.

However, while mobile health (mHealth) and telehealth solutions undoubtedly raise staff efficiency and reduce the cost of services, they also open up new paradigms in healthcare.

“Today’s technology has the power to aid the healthcare sector in many ways – integrated care, self-care, social care, and virtual care”, concluded Dr Abraham. “These are not new things to us, but if we put greater effort into finding new ways of advancing these areas, we are definitely going to see better primary care, and it would definitely make better outcomes for our patients too.”

Source | https://www.cio-asia.com/article/3311696/health-care-industry/how-smart-hospitals-are-dealing-with-cybersecurity.html