This blog monitors and reports on broadband policy and marketplace developments in the UK, Europe and worldwide that are likely to be of interest to the Janet community. Posts here may also reference my Broadband Policy Watch blog and you can also find me on Twitter.

Cyber security news roundup June 2016

Tuesday, June 28, 2016 - 11:10

A roundup of cyber security news and developments over the past few months.

UK developments:

  • The Department for Culture, Media & Sport (DCMS) reported that two thirds of large UK businesses were hit by a cyber breach or attack over the past year. The Cyber Security Breaches Survey, based on a telephone survey of 1,008 UK businesses and 30 in-depth interviews, found that the most common attacks detected involved viruses, spyware or malware and urged businesses to take more steps to protect themselves.
  • The Parliamentary Culture, Media and Sport Committee published Cyber Security: Protection of Personal Data Online, the report of its inquiry into cyber security following the attack on TalkTalk last year. Key recommendations include sentences of up to two years for convictions relating to obtaining and selling personal data unlawfully, and a system of escalating fines administered by the Information Commissioner's Office (ICO) for failures to report, prepare for or learn from data breaches. Also see commentary from Out-Law.
  • Endpoint security software company Avecto reported that 30% of councils had suffered at least one ransomware attack during 2015, with one council suffering 13 separate attacks throughout the year. The findings are based on a Freedom of Information (FOI) request to 46 councils in England.

Advice & guidance:

Cyber security reports & analysis:

  • Akamai published its latest State of the Internet – Security reports, for Q4 2015 and Q1 2016. Notable findings include continued significant growth in the number and frequency of DDoS and web application attacks, with the vast majority of DDoS attacks based on reflection attacks using stresser/booter-based tools.
  • Microsoft published volume 20 of its Security Intelligence Report covering July – December 2015 as well as longer term trend data on industry vulnerabilities, exploits, malware, and malicious websites.
  • IBM and the Ponemon Institute published the 2016 Cost of Data Breach Study: The Impact of Business Continuity Management (BCM). The study found that BCM can “reduce the per capita cost of data breach, the mean time to identify and contain a data breach and the likelihood of experiencing such an incident over the next two years.”
  • Gartner published its top 10 security predictions for 2016. These included the prediction that to 2020, 99% of vulnerabilities exploited will continue to be ones known about by security and IT professionals for at least one year, and that by 2020 a third of successful attacks experienced by enterprises will be on their shadow IT resources.