Who teaches the teachers about cyber security?

May 17, 2012

This week I met with Tony Anscombe, senior security evangelist at AVG, to discuss the company's recent research into education and trends around the "Digital Coming of Age".

Published in April, the survey took in 4,400 parents of 14- to 17-year-olds in 11 countries. It found that around half of UK parents were friends with their children on Facebook, a fifth had seen explicit or abusive messages on social networks, and the same number suspected their children of accessing online pornography.

Only 30 per cent of UK parents were concerned about the effect that their children's social media use might have on their job prospects; 59 per cent believed that schools were effective in teaching their teens to responsibly navigate the internet.

Anscombe said education around online safety is a challenge for parents as there is some misunderstanding about whether they, or the school, should be responsible – cyber bullying, he said, was an example of something that happens both in and outside of school.

He said: “Sixty per cent of parents admitted to snooping on their [children's] web history, so are they in denial about what their children are doing? Also, how many parents do not get it? Do they understand that what goes online could affect [a child's] prospects? The private sector is now searching on people's names. People need to understand that what goes online stays online, and to educate parents is very important.”

Will Gardner, CEO of ChildNet International, said: “We know from our work in schools that children and young people are using a wide range of devices to surf the net and we also hear from many parents who are confused about how their children are getting online and what they are doing online.

“One of our key messages is to encourage parents to talk with their children and young people about what they're doing online, who they're talking to and to find out whether they have any safety concerns. It's great when families can connect online, but offline conversations are also a key part of staying safe online.”

While not strictly a business story, what interested me is that the education factor is getting to be more and more prominent. Who is responsible: parents or the school? Are they even up to speed to be able to teach on these subjects?

These children, after all, are the next generation of executives.

 

VMware leak highlights holes in virtual environments

May 15, 2012

Virtualisation giant VMware recently scrambled to release security patches after ESX server hypervisor source code was leaked and published in April.

The patches repaired critical vulnerabilities that could have enabled an attacker to execute malicious code remotely on the host, leaving an end-user's virtualised environment open to compromise.

Among other things, the incident called into question the security of virtualised data and, for some, how the eventual migration to a virtualised network infrastructure would ultimately impact an organisation's security standing.

No doubt the transportable nature of a virtual environment generally adds another layer of complexity in the overall security of the network that can often leave holes if organisations aren't aware of the location of their data or what it takes to secure it.

But whether virtual data is more or less secure largely depends on the calibre of an organisation's security posture, experts say, and opinions on how to secure a virtual environment are as numerous and diverse as the organisations that house them. There is no single answer: you need to assess what the environment is and what it is meant to do, and then put the proper pieces in place.

The security of the virtual system will largely depend on the nature of the organisation as well as the type of virtual data and infrastructure needing to be secured. But regardless of how complex or unique the organisation's infrastructure needs, there are some basic security requirements that are necessary throughout all virtual environments.

First, while organisations will progressively virtualise more and more of their infrastructure, they still need to adopt some kind of hybrid environment, balancing physical and virtual security mechanisms, because data stored in the virtual environment needs to be protected whether it is secured by a physical or a virtual system.

Also, physical security is at the core of the network. You need to secure the perimeter of that virtual environment, whether private or public cloud, and you still need to protect those physical assets and links.

Your virtual environment is running on some type of hardware: there are physical servers, physical storage, the network and so on. Security devices are definitely necessary to protect the perimeter of these environments.

Also, in a multi-tenant or multi-client environment, providers need to configure segregated security zones just as they would in physical environments. That means investing in secure virtual appliances that separate these zones from each other, so that traffic does not have to be routed out of the virtual environment through physical security appliances and back in again to enforce a proper security zone.

The beauty of these virtual machines is that they could be running anywhere in that cloud, but the cloud provider needs to segregate one tenant from another tenant to make sure there's no leak.

There are certain compliance regulations that need to be met, so that no potential security issues arise. You need to make sure you have a rock-solid security policy and segregate those aspects in a virtual environment as well. You could have assets that shouldn't be talking to, or sitting near, other data on the physical servers. You need to secure inter-VM traffic and different workloads on the same physical host; you don't generally have that issue in a physical environment.

In addition, it's essential to have a central management system that can monitor both physical and virtual security environments via a single pane of glass, in order to avoid the efficiency bottlenecks and productivity gaffes created by complicated multi-management servers.

Finally, as with physical data, virtual data is often most vulnerable when it's lost or unaccounted for. However, unlike physical systems, the mobile nature of virtual systems enables workloads to be transported easily from one host or server to another. As such, organisations increasingly are required to have security policies that reflect that development.

It's not something you see in the physical world. That server is never going to move. In a virtualised environment, they've got full load-balancing set up. You could see that workload move, and you need to be able to secure that.

Jason Bandouveres is a senior product specialist at Fortinet

 

Twitter cosies up to the public sector

May 15, 2012

Twitter has said that it wants to work more closely with the UK public sector.

As the micro-blogging site confirmed it now had more than ten million users in the UK, it told BBC News that it wanted to "work closer with government and policy makers in the UK", saying it was a priority to "protect and defend" the voice of those users.

Twitter's UK general manager Tony Wang said it is hiring a public policy manager who would work with "government, various ministries, members of parliament as well as law enforcement".

He claimed that legal issues, such as the naming of people who have taken out super-injunctions and spreading information during last year's riots, were evidence that Twitter needed to work locally and "emphasised the importance of being a global company".

As well as becoming the voice du jour of the media and the place where news is broken first (sometimes whether people like it or not), Twitter has also become one of the key communication channels for personalities, businesses and the public sector.

Quite what Twitter wants to achieve is not clear; Wang said this appointment is to work with people in government and agencies, but could it be more of a PR role in ‘what not to tweet’? Or one that takes guidance on security of the site should it face any security issues (although its move to set all users to HTTPS by default may well be a tick in the security box)?

Wang would not comment to the BBC on the Government's surveillance plans outlined in the Queen's Speech last week, saying only that its views would be "conjecture".

Bear in mind what happened when BlackBerry said it would co-operate fully with the Home Office and police following the London riots…

 

Learning the business of security

May 14, 2012

We have recently looked at some of the accreditation programmes that are available for security professionals, as well as some of the education courses.

Back in January, I attended a presentation by Kevin Jones, the professor of dependability and security of socio-technical systems at City University London. In September, Jones's department will launch an MSc in information security and risk; I caught up with him to learn more about his plans and what the intention of the course is.

Jones told me that the course would create an educational programme that combines the technical capabilities of security and business issues; its location close to the City of London (the University is based in Islington) will draw people to the part-time course, he said.

He added: “With the Masters, we thought about the expertise and what skills people need that are not being satisfied. We will not teach technical things as we are not looking for a unique niche. We get asked a lot about security, but it is not good for the non-security types, so we teach critical business functions.

“A key part of security is to be business-aware, so this is a programme for people who want to be the CISO and talk to the board and be part of the security team. It is not about technologies like encryption or the firewall, it is about managing security and how to communicate issues at an executive level.”

He said professionals often lack the ability to communicate their achievements and projects to the right audience. “[The board] will ask how much money is spent, what is the potential exposure, and a good CISO can answer both,” he said.

“Security needs a full career path… we are putting this together on how to progress. This is not a post-graduate course, it is for those who want to get to the next level.”

This point was raised at the 2011 Gartner security conference by former SAB Miller CISO and 2011 SC Magazine "information security person of the year" Mark Brown, who said that if CISOs do not engage their board, they could lose "chief officer" from their job title within five years and that they needed to become business enablers.

Back in January, Jones spoke at the Infosecurity Europe press conference and said that better knowledge is needed at all levels, with a need to communicate and for people to be trained to present issues to a variety of levels.

He said: “The modern CISO has to be comfortable in the modern space, manage conflicting requirements but be aware of business risk and cost implications, and communicate that properly – too much risk and the company fails. The CISO needs to communicate all things to all levels, which is a difficult role as they have to speak geek and business fluently. We have a cultural gap that we need to fill.”

Jones said an undergraduate programme may be added in September 2013. The MSc launching this September is a two-year part-time course, with two modules per ten-week term and a project to be completed.

Jones said: “There will be no exams, it will be marked on professional reports. For the application process, each entrant will be degree-educated with four to five years' experience; it will be a small group so we can evaluate on a case-by-case basis.

“For the first year, we are expecting six to ten people and we will ramp that up as we polish the course; this is not off-the-shelf and it will be much more interactive. There will be two members of staff committed to this and we will get guest speakers in.”

What City is offering is certainly different from other courses in that it teaches business, rather than technical, skills, though a sprinkling of the latter is to be expected. As Jones said, this is the first year of a freshly created course – and put a group of techies together and they will likely talk shop. Getting them to talk to the board instead is what this course aims to achieve.

 

Almost 75 days until the Olympics - time to block everything?

May 11, 2012

Tomorrow will mark 75 days until the start of the London Olympic Games, and the debate over how to deal with the impact is likely either raging or being ignored entirely.

A few weeks ago we looked at the challenges and some possible solutions to the various business challenges that the Olympics and Paralympics will pose, and 24 days on, I hope that it was of some use. Certainly the attitude was one of ‘allow staff to work remotely’ and use VPN connections, have strong authentication methods and consider the strength and security of personal connections and devices.

Talking recently with F5, it had a different attitude – deny everything. Everything, I asked. Yes, everything, said Nathan Pearce, EMEA product manager at the vendor.

To rewind a little, he said that when it comes to remote working, the main challenge is dealing with untrusted things entering the data centre.

He said: “It is easy to manage and run an SSL outside a network, but with 50,000 employees you have to have a lot of trust. So you treat your building as leased office space, as an internet space and a hot-desk suite and think about the architecture you have inside and outside the office.”

So I asked Pearce whether what he meant was to ensure nothing from outside the perimeter enters the network and/or data centre. He said "definitely", as "that is where it becomes a problem".

“There are issues on security, of denial-of-service, so it is not about trusting the user, it is about the integrity of the data,” he said.

“This is the smart way of doing things. This will help people, and those going on about the death of the corporate LAN will know that consumer WiFi is not secure. People know not to connect to different WiFi networks; for those who go down that line, there is only one way.”

Agree or disagree? Some may say that this view is tantamount to locking a network down, and that denying all is playing the ‘Doctor No’ role of not allowing employee freedom. Or is that simply the best tactic?

 

The irony of protecting data while pushing for surveillance

May 09, 2012

The announcement on Wednesday of the Draft Communications Bill demonstrates the gulf between the pro-privacy camp in Europe (and their respect for Article 8 of the European Convention on Human Rights) and our increasingly 'Big Brother' government.

The bill allows government agencies to access internet service providers' (ISPs) logs to see who is contacting whom and who is looking at what online.

It is ironic that while Europe is currently discussing the expansion of individuals' rights to protect their data, the UK government seems set on removing protections for our private lives – we wonder how the European Commissioner will react to these new proposals.

The proposals make it easier for the Government to access ISP logs of websites and applications visited, and when, where and for how long phone calls were made (including those made over the internet), without the need for cumbersome authorisation.

One can see that there might be an argument for removing the burden to obtain prior authorisation to look at this information, where the national security interest is genuine and timing does not permit the following of normal process. However, this should be the exception, not the rule, and certainly not a blithe sanction of a wholesale snoop on our private lives.

Whether or not the proposals will infringe upon our EU data protection laws depends on these restrictions, and the devil will be in the detail. In order not to infringe upon our EU laws, the snooping must be fair, justified and proportionate to the objective.

Ideally, privacy-impact assessments would be undertaken before such data-sharing takes place to ensure the snooping meets these criteria, and the Information Commissioner would have the right to audit this ‘right to snoop’. The Government has promised it will strengthen independent oversight and allow a complaints tribunal.

However, the burning question on everybody's lips is in what circumstances the right itself can be exercised, and that remains to be seen. This is also currently only at the bill stage, and with the popularity of the Government on the wane, it is likely to face fierce opposition during its discussions by Parliament.

Sarah Needham is a data protection specialist at law firm Taylor Wessing

 

The good, the bad and the ugly

May 08, 2012

When it comes to government and cyber security, there is a definite case of the good, the bad and the ugly.

The good has been in work such as the Cyber Security Strategy, launched last November to propose a single reporting hub for information exchange and a cyber crime unit within the National Crime Agency. While not all is great about that proposal, and ISPs and former Home Secretary John Reid were among those who were critical, it did show some initiative and forward thinking by government into this sector.

If there were a bad, well then there could be plenty of evidence. Take the government's continued use of Internet Explorer 6 (as reported in 2010) or the more recent proposals on voice, email and internet monitoring that came under huge criticism from the public and World Wide Web inventor Sir Tim Berners-Lee.

Finally, there has to be an ugly, and for me this came last week. I read about Francis Maude's comments in a typically short story in Metro and found the basis of it via the Press Association. I was hoping that the man who created a panic around petrol had been misquoted, but having read the story, it seems that the Metro writers picked the finest comments from Maude.

Maude, who is the Minister for the Cabinet Office and Paymaster General, said that as UK government computer networks are "regularly targeted" by foreign intelligence agencies and groups working on their behalf, the London Olympics "will not be immune to cyber attacks by those who would seek to disrupt the Games".

We know this could be the biggest challenge businesses face this decade, which is why preparation is key and it is right for those in positions of authority not to cause unnecessary panic with statements that rely on scare tactics.

I have no doubt that with all eyes on London for more than a month as the Olympics and Paralympics dominate the summer sporting calendar, not to mention an overlap into the start of the English Premier League (best in the world, don't you know), cyber criminals will use this as a base for online phishing and malware attacks.

As for attacks on infrastructure and government networks, yes it could happen, but spreading FUD (fear, uncertainty and doubt) will achieve nothing, and I anticipate more will have read the reports, considered them and moved on to the next page. A threat and a possible solution, combined with a 'keep calm and carry on, we've got it covered' message, is a much more ethical way of speaking to the public on cyber security.

 

Beyond the SIEM

May 02, 2012

Among the new companies I met at last week's Infosecurity Europe show was one that described its offering as "security intelligence and analytics" – or "what the SIEM does not see or what the firewall doesn't have a signature for".

Although not a start-up – it was established five years ago – this was a first move into the UK for Solera Networks.

President and CEO Steve Shillingford and CTO Joe Levy told me that its technology was about offering the extended visibility that log management and security information and event management (SIEM) failed to achieve.

Levy said it is creating events as the impact is often not detailed, and what evades detection is what users are concerned about. He said: “This complements the SIEM and log management as there may be an instance where something has never been seen before in an attack or there is no idea what the file was.

“It is about masses of information, companies are handling terabytes of data and correlating it is hard. It is not there to block, it is just about working in real time.

“Customers want historical retrospection, when you have a security event you want to go back and see it, to go into the network and see what happened on the network. There is also better sense overall on how log data is used, and with deep packet inspection and software analytics, they are the core of our technology.”

Shillingford said it is about collecting information from layers two to seven and being able to protect that data – but said that has ended with data being held by third parties. In terms of the foundation of the company, he said that influence was drawn from what Novell had done in the early 90s; in this instance, though, it was about converting packet data into readable files to define policy.

A file is then reverse-engineered or sandboxed for deep packet inspection so that all files can be seen. “Look at the evolution of network security, the packet flows to the file level,” he said.

He added that it is a platform with a high-speed database and outer platform for analytics, and visualisation is done on the cloud and also on the box.

Last week the company launched a new version of its DeepSee platform, which it said provided the ability to "un-box" the power of security intelligence and big data analytics technology. Shillingford said this was about decoupling software from the appliance and to the virtual machine so that it can be installed onto any server.

He admitted that there had been some barriers to adoption, particularly as the rate of technology can often mean that it is out of date in two years, so the intention was to take barriers out and make software installation possible.

“There is some standalone technology, so we say run our software without our box and refresh the cycle. We are delivering this in an easy-to-deploy, software-based solution, which means that any enterprise can have full visibility, situational awareness and intelligent incident response,” he said.

Joining the company in the past 12 months as vice-president of marketing was John Vecchi, whom I last met when he was in a similar position at Check Point. I asked him to summarise Solera's offering; he said other vendors are "all doing the same thing with preventative technology that is based on known signatures".

He said: “This company is doing something different, others won't say what to do when you are breached and still be secure. If you have not been breached then it will happen, so this is the next emerging market and we are now bringing technology to after the event to know what was taken from the network and if it was still there.

“It is very interesting, for me it is like the genesis of the intrusion prevention market, but now everything is next generation and this will be the next mainstream technology.”

 

Post-acquisition, AEP looks forward

April 30, 2012

Ahead of the Infosecurity Europe show last week, I caught up with AEP Networks, a developer of highest-grade security technologies that was acquired by a military contractor last September.

In the $75m (£48m) acquisition, the defence and aerospace company acquired AEP for its links to the UK government's national technical authority for secure electronic communications.

The company has rebranded as Ultra Electronics AEP Networks, and talking to SC Magazine last week, CTO Mark Darvill said that the offer from Ultra Electronics came when it wanted to complete its cyber security portfolio. A UK-based company with contracts to governments, Darvill said that this has allowed AEP to become UK-centric, but the acquisition was far from the first move into cyber security by Ultra.

He said: “They've got a number of other companies in the cyber security space. Probably the major one is 3TI in the US who do security cyber systems and also encrypted wireless LAN. There are about five or six in the UK and US that do everything from top-secret cryptos through to voice analysis and all sorts of things.

“This is additive to their current portfolio. I guess one of the big differences between a Lockheed Martin approach and Ultra Electronics is Ultra's view is that when they acquire companies of a certain size, they stay as standalone entities.

“So, from my point of view, post-acquisition, although we have a different reporting line now and things like that, the company is primarily running on the same business plan that it developed pre-acquisition.”

Last week the company announced two product launches. The first is an addition to its Keyper range, the Ultra Safe Keyper Plus, a FIPS 140-3 Level 4-ready hardware security module (HSM).

Darvill said that this is a new variant and is the most secure HSM available, aimed at a new NSA standard, including FIPS 140-3 encryption and new elliptic-curve technologies for the physical encryption of the data and the key material itself.

He said that the ‘elliptic curve’ has been demanded more and it is used in this product around the mathematics of the delivery and encryption of key material. He also said that this has advanced tamper-proofing, which means that if it is tampered with, the key material it holds within it is destroyed.

“It's the only device in the world that does that. The FIPS 140 level 4 standard is the one that defines this tampering and we're the only people that make this type of device in the world,” he said.

“If you can imagine the key material that some of our customers put into this; it could be a government root key, for instance, or a DNS root key – and if they lose that key or have it stolen then, effectively, either their network or their data or whatever it is they're trying to secure with that could be compromised.”

He also claimed that this is separate from a server, as it sits on the network and responds to people who need something signed; Darvill said this is safer than putting it onto a server because, no matter how secure the server may be, the operating system is always open to vulnerabilities and to being attacked, and it is sometimes quite difficult to see whether it has been attacked.

Also launched last week was Ultra Protect 7.4, a mobile application that enables secure access to work applications on the move and supports BYOD policies with virtual access to the office via mobile devices.

The company claimed that Ultra Protect 7.4 helps to safeguard data by not allowing information to be stored or saved on the device and providing full encryption between the device and server, so if a device is lost, stolen or transferred, corporate information is always protected.

Darvill said: “The Ultra Protect is basically a secure application access gateway to provide extremely secure access for users, irrespective of the endpoint device that's being used. Basically, the user authenticates via this device using two-factor authentication and then will gain access to WebTop, which is like a single webpage and is the only thing that they can see and has icons on that represent which applications they are allowed to gain access to.

“Based on the individual user or the group that the user is in, they will see a range of applications and potentially data as well. So, with 7.4, we've made the solution even more secure as it uses key material to encrypt the sessions between the end-user and the servers that they're trying to gain access to.

“From the user's point of view, the big thing that we've incorporated much more solidly into the product is the mobility access through the smartphone and tablet access, it is really centred on bring your own device. This solution now is very much focused to allow them to gain access to applications and data while ensuring the integrity and security of the data at the core.

“Effectively, we're now implementing three-factor authentication.”

I asked Darvill if this was BYOD but aimed at large enterprises, critical national infrastructure companies, governments and the defence community. “It is for where people want to give people access to information and to applications and data on the move but do want that stringent level of security that goes with it,” he said.

We finished by moving back to the acquisition; I asked Darvill if the added capabilities of Ultra Electronics had influenced these launches. He said they had been in development pre-acquisition and AEP's raison d'être and core values had not changed.

“What you will see coming out over the next couple of years is more innovation. So we're doing more around some very advanced areas and including, in a year or two, areas like quantum encryption. We've got to take a fairly long-term view on some of the really new stuff,” he said.

 

A change in time by Bit9

April 23, 2012

Last week I met with vendor Bit9, which, after starting out in the whitelisting sector, has repositioned itself as a protector against advanced persistent threats (APTs).

Patrick Morley, the company's president and CEO, told me that the move away from pure application whitelisting, where only allowed applications and software are permitted to execute, came from the Aurora attack on Google in early 2010.

“Aurora changed our perspective and our view on the posture so now we offer application whitelisting as part of the solution but it is now about APT protection,” he said.

“We watch everything and IT make decisions on what to allow, they set up a policy and decide on whether things are allowed in or not. Our customers are very ‘IP heavy’ and the people who buy our technology are anyone who is targeted.

“People buy security information and event management (SIEM) and deep packet inspection technologies, and then us, so that they have protection on the network and on the host side, laptop and on the server in the data centre.”

He said that the combination of whitelisting and APT protection can help prevent emails with malicious attachments, such as the one that hit RSA last year, so that the attachment is not permitted to run and is not trusted.

He said: “You cannot try and figure out where the bad stuff is, so you allow what is trusted to run. In trusted computing, the only way to protect is to flip it and say if it is trusted or not.”

Morley said that the trusted model was the way forward as, while technology is needed, it is "hard to protect people from themselves". He compared the business to the vetting around the Apple App Store, as it vets files to give the IT team a test rating on what is running. “You add a policy to determine what comes in, rather than tell you what is running,” he said.
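To make the "allow what is trusted to run" argument concrete, here is an added Python illustration (not Bit9's code or policy format) that contrasts a signature blacklist with a default-deny allowlist over constructed execution events; the file bytes, paths and the "Example Corp IT" publisher are invented stand-ins, and the never-before-seen dropper shows why a known-bad list alone misses the attachment-style attack the article describes.

```python
"""Default-deny application allowlisting versus signature blacklisting.

Added illustration only: not Bit9's code or policy format. File bytes, paths
and the publisher name are constructed stand-ins.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ExecEvent:
    """A process-launch attempt as a host agent might observe it."""
    path: str
    content: bytes            # constructed stand-in for the binary's bytes
    publisher: Optional[str]  # code-signing identity, None if unsigned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known good" binaries an IT team has approved (hash-pinned).
KNOWN_GOOD = {
    "C:/Program Files/Office/winword.exe": b"winword-build-constructed",
    "C:/Windows/System32/notepad.exe": b"notepad-build-constructed",
}
ALLOWLIST_HASHES = {sha256_hex(b) for b in KNOWN_GOOD.values()}

# Hypothetical internal signing identity trusted by policy.
TRUSTED_PUBLISHERS = {"Example Corp IT"}

# What a signature-based blacklist knows: only malware seen before.
BLACKLIST_HASHES = {sha256_hex(b"old-trojan-sample-constructed")}


def blacklist_decision(ev: ExecEvent) -> str:
    """Signature model: deny only what has already been catalogued as bad."""
    return "deny" if sha256_hex(ev.content) in BLACKLIST_HASHES else "allow"


def allowlist_decision(ev: ExecEvent) -> str:
    """Trust model: allow only what is known good; anything unknown is denied."""
    if sha256_hex(ev.content) in ALLOWLIST_HASHES:
        return "allow"          # hash-pinned approved binary
    if ev.publisher in TRUSTED_PUBLISHERS:
        return "allow"          # signed by a publisher the policy trusts
    return "deny"               # never seen, unsigned or untrusted signer


def evaluate(events: List[ExecEvent]) -> List[Tuple[str, str, str]]:
    """Return (path, blacklist verdict, allowlist verdict) for each event."""
    return [(ev.path, blacklist_decision(ev), allowlist_decision(ev))
            for ev in events]


# Constructed launch events, including the case the article cares about:
# a never-before-seen executable dropped by an email attachment.
SAMPLE_EVENTS = [
    ExecEvent("C:/Program Files/Office/winword.exe",
              KNOWN_GOOD["C:/Program Files/Office/winword.exe"], "Microsoft"),
    ExecEvent("C:/Users/alice/AppData/Local/Temp/update.exe",
              b"never-seen-dropper-constructed", None),
    ExecEvent("C:/Users/alice/Downloads/game.exe",
              b"old-trojan-sample-constructed", None),
    ExecEvent("C:/Tools/inventory.exe",
              b"inventory-tool-constructed", "Example Corp IT"),
]


if __name__ == "__main__":
    for path, bl, al in evaluate(SAMPLE_EVENTS):
        print(f"{path:50} blacklist={bl:5} allowlist={al}")
```

The second event is the telling one: the blacklist allows the unknown dropper because it has no signature for it, while the default-deny policy blocks it without needing to know it is bad.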

The company formed eight years ago, with Morley, who was previously president and CEO of Imprivata, joining in 2008. Research by Bit9, released today, found that 54 per cent of UK businesses expect a cyber attack in the next six months, with it expected to be perpetrated by hacktivists (59 per cent) or disgruntled employees (31 per cent).

The survey of 1,020 IT managers found that corporate competitors were seen by 35 per cent as a greater threat than cyber criminals (23 per cent). Morley said: “It is quite different from in the US, where they see the nation state hacker first and in-house IT as last.

“We are seeing the biggest transfer of intellectual property that the world has ever seen. It's not just traditional cyber criminals who are looking to steal financial information, but there is a steady rise in the number of organised groups such as hacktivists and nation states who are intent on breaching company security to gain access to customer information or intellectual property.”

On what was seen as being at risk, 60 per cent said personal customer information, 50 per cent customer financial information, while only 29 per cent said intellectual property.

With every threat or trend, a vendor finds its niche that customers are looking for. The concept of trust in security is critical – whether it is to do with access, whitelisting or computing, if you can put a seal of approval on what is entering your enterprise, you are adding security. What Bit9 offers makes sense as it can add this seal, and in times when you want to prevent more than malicious payloads, this could make sense to many users.

 