The Guardian reported yesterday on a new legal threat for firms in the United Kingdom: huge fines for cyber security failures. Why would the government decide to add insult to injury? The goal is to force companies to get their act together.
Increasing pressure
We reported earlier on the rise of ransomware and noted just yesterday in our announcement of a ransomware protection app the massive costs to business these attacks can have. These attacks have also hit the National Health Service, causing significant disruption to public services. The UK government is now looking for ways to increase pressure on companies to implement preventive measures and improve processes of dealing with cyber attacks.
While bugs in code and their consequences are to some degree inevitable, there is a lot organizations can do to prevent their infrastructure from attacks and to react adequately once a breach has taken place. The goal of the new penalties is thus not to punish those who, despite all effort, get hacked. Rather, it is to increase the cost for those who decided not to invest in prevention and protection.
If, thus, a major cyber attack results in disruption to services such as transport, health or electricity, an investigation is started. If it is concluded that the victim of the cyber attack had failed to take measures to prevent or deal with security failures, a fine of up to 4% of yearly turnover can be given.
Notification of potential ransomware in Nextcloud
How to protect your business
This is merely another reminder of the growing threats businesses face. Picking the right technologies to depend on is the first and perhaps most important step in protecting your infrastructure.
Sadly, vendors are often hostile to security researchers reporting vulnerabilities. Many invest little beyond what gets them marketing attention.
Here are a few factors to consider to avoid such vendors:
Does the vendor develop its software in a secure way? A transparent process with security reviews of new designs, code reviews and use of pentesting tools all help avoid bugs in the process of writing code.
Have these processes been verified by an independent third party? It is worth downloading a report and flipping through it and checking what the conclusions were.
Is there a public Security Bug Bounty program with relevant payouts? On security platforms like HackerOne you can easily check statistics of responsivity and payments, giving you an idea of how serious a vendor takes security.
How is their security track record? Security mistakes are rarely heavily advertised but you can often find reports by independent researchers complaining their findings were not taken seriously. Or you find issues mentioned and discussed on prominent security lists like the famous Full Disclosure list. A search in the archives can be enlightening!
And a last point: encryption is great. Modern encryption cyphers are rarely broken. Instead, crypto is bypassed! Amazon’s Kindle and Samsung Galaxy protections were bypassed by replacing the key or remove the signature checking code. Bad development practices and a lack of security reviews isn’t fixed with encryption!
I love crypto, it tells me what part of the system not to bother attacking
“When we have welcoming communities of contributors, open source software gets better and more useful to everyone.” Limor Fried, Electrical Engineer, Inventor and Founder of open-source hardware company Adafruit We believe in this ideal and love to work with our community. We are always looking to involve more people in Nextcloud, bringing in their ideas, […]
In Nextcloud Hub 8, we introduced interactive widgets, a completely new mechanic that lets you share, access and interact with items from various apps in a compact widget format throughout your platform.
Nextcloud, a leading provider of open-source collaboration software has partnered with epiKshare to deliver Nextcloud One — a fully managed, secure and compliant cloud solution hosted in Germany.
We save some cookies to count visitors and make the site easier to use. This doesn't leave our server and isn't to track you personally!
See our Privacy Policy for more information. Customize
Statistics cookies collect information anonymously and help us understand how our visitors use our website. We use cloud-hosted Matomo
Matomo
_pk_ses*: Counts the first visit of the user
_pk_id*: Helps not to double count the visits.
mtm_cookie_consent: Remembers that consent for storing and using cookies was given by the user.
_pk_ses*: 30 minutes
_pk_id*: 28 days
mtm_cookie_consent: 30 days