Steve Durbin, Managing Director of the Information Security Forum, spoke recently at Counter Terror Expo 2016 on the dangers posed to businesses by cyber crime. MOD DCB features writer Paul Elliott was there to hear how businesses can protect themselves against this evolving threat.
Cyber attacks are becoming much more sophisticated, and much more targeted. Security experts will tell you that phishing attacks targeting an individual are often not just to obtain personal information but also to gain a route into a corporate enterprise. People are rarely chained to their desks at work these days. As a workforce we have the capability to be very mobile and the fact that we now move around significantly more than before is opening up new threat opportunities for cyber crime.
How many devices do people carry that allow access to both personal and corporate information? This opens up opportunities for other users to access data – for ‘man in the middle’ type attacks when using public WiFi systems, for instance. From the corporate standpoint it creates the challenge of controlling that information. It is surely unreasonable to put a process in place for a sales organisation that, say, prohibits the use of public WiFi on the road. A degree of realism has to exist in the way security professionals put guidelines in place for businesses, regardless of the difficulties. By the same token, though, businesses need to protect the weakest link in their overall security chain, whatever that might be.
The key focus for a lot of cyber criminals remains corporate. No business is immune from being targeted by a cyber criminal and intellectual property (IP) theft is on the increase.
Steve Durbin is the Managing Director of the Information Security Forum and he believes we have to take a ‘business decision’ focused approach to the way we deal with these issues.
Speaking recently at Counter Terror Expo 2016 in London, Mr Durbin said: “It is about trying to understand the impact of a particular loss to your business. We’re all short of resource, so the challenge of course is to focus that resource in the areas that make the most sense – both in terms of mobility to protect the enterprise and the information, but also in the effectiveness of that. So there’s a bigger discussion to take place across the enterprise in terms of risk appetite and impact on the business.”
The so-called ‘Internet of Things’ is gaining momentum. The Internet of Things offers a lot of benefits but it also presents a lot of security challenges. Certainly, cyber criminals are very aware of it and the ability to manipulate devices should not be underestimated. Among other possibilities, the Internet of Things offers the ability to take data locating where one is at any point in time and provide it to a marketing organisation. Criminal access to such information could potentially be dangerous, particularly in the corporate environment.
The Internet of Things also allows remote access to devices in the working environment. Mr Durbin commented: “An organisation in the United States told me that they’re very dependent on devices. One day their manufacturing plant burst into life when it was in shutdown. Actually, it wasn’t an attack; what happened was someone quite inadvertently managed to access their network and the machinery burst into life – the only way they could shut it down was to disconnect it from the internet. It shows what could happen though.”
Then we come to the issue of insiders, which is probably one of the most sensitive areas for organisations today. No-one likes to think they employ someone in their organisation who is stealing their intellectual property. Mr Durbin says insiders can be split into three categories. There’s the accidental insider, the person who just makes a mistake; there’s the negligent insider, somebody who is very aware of corporate policy but decides for good reason in his or her mind to go around it; and then there’s the out-and-out malicious insider who is there for personal profit or to steal IP and so on.
Mr Durbin continued: “What probably concerns me most of all is manipulation of data. Think about the amount of code that exists in every single system we use today. Think again about the challenge in the Internet of Things, in accessing data from various locations. And then think about our decision-making that is increasingly based on intelligence from our computer networks, from our systems and software. All you need to do is manipulate and change one or two elements of code and before you know it business decisions are racing off in the wrong direction. How do you monitor that? How do you track that? That’s a significant issue.”
Of course we have to trust our employees and the people we work with, but Mr Durbin says it comes back to the fact that you need to focus on the relevance of the information that you’re using, its importance to your organisation and the way in which it is protected. The insider threat is probably one of the more difficult areas that need to be addressed from a security standpoint. On the one hand there has to be trust, and on the other recognition of the potential for a breach in some shape or form.
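One concrete answer to the “how do you monitor that?” question above is an integrity baseline: record a cryptographic hash of every file that business logic depends on, then periodically compare the live state against that record so that a quietly altered constant, an unapproved new file or a deleted configuration shows up as a change to investigate. The following is an added example written for this article; it is not code from the Information Security Forum or from Mr Durbin’s talk. The directory layout, file names (`app/pricing.py`, `app/report.py`, `config.ini`, `app/helper.py`) and contents are constructed purely for the demonstration.

```python
"""Added example (not from the article or the ISF): a minimal file-integrity
baseline that detects silent manipulation of code or data files.
All paths and file contents below are constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the SHA-256 of every regular file under root, keyed by its
    relative POSIX-style path, so the record is portable across hosts."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Return what differs from the baseline: modified, added and removed files."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: a small 'application' whose pricing constant is
    changed after the baseline is taken, plus one unapproved file and one
    deleted config. The code still parses and runs, so only the hash reveals it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "pricing.py").write_text("DISCOUNT = 0.05\n")
        (root / "app" / "report.py").write_text("def total(x): return x\n")
        (root / "config.ini").write_text("[db]\nhost=localhost\n")

        baseline = build_baseline(root)

        # One element changes: the discount constant (0.05 -> 0.50).
        (root / "app" / "pricing.py").write_text("DISCOUNT = 0.50\n")
        # A file nobody approved appears, and a config file disappears.
        (root / "app" / "helper.py").write_text("# unexpected\n")
        (root / "config.ini").unlink()

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline itself must be stored somewhere the monitored system cannot rewrite (a separate host or a signed record), otherwise the same access that changes the file can change the record of its hash.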
What will the impact of all of this be on business? Mr Durbin expects we’re going to see an increase in regulation. Recently the EU reached a decision on general data protection regulation, which will come into force over the next two years. The cost of compliance with this should not be underestimated; neither should the size of the task. It doesn’t just affect people operating within the EU. If you hold information relating in any shape or form to an EU citizen then the new EU legislation will need to be observed. You’ll also need to prove you’re observing it.
Mr Durbin explained: “Increased regulation is something that is set to continue. The cost of compliance will increase. We will see more downtime – we’ve already seen the number of attacks increase. There is a huge cost associated as well with reputational damage, not just with getting systems back up and running. Look at some of the recent breaches in the UK – take TalkTalk for example. Coming off the back of that breach they lost a fair amount of their subscribers. One hundred thousand people are no longer buying from TalkTalk.
“There’s also the threat to competitor advantage. I’ve done a lot of work recently in terms of trying to position security as a key enabler of competitor advantage. Our ability to compete is clearly focused on our ability to take advantage of advances in technology. There isn’t a company that I’m aware of that isn’t dependent in some shape or form on technology. That means that you are open to cyber risk. That means that your ability to compete within your environment has cyber as a threat.”
The impact on business of all these issues is significant. To protect themselves businesses need to be focusing on the basics – reducing the risk of attack. Put malware protection in place. Mr Durbin says a large number of breaches come about because businesses don’t have the most recent malware protection in place across their networks. Also, monitor what’s going on in cyber space so you’re aware of changes. Mr Durbin warns that if you haven’t reviewed your information security policy within the last 12 months it’s probably time to do so now. Cyber moves very quickly and if you’re taking a compliance-based approach rather than looking forward as well you could be heading for trouble.
Put in place a response team and practice. Conduct a risk assessment to identify some of the threats and vulnerabilities you might be open to and put in place the necessary control selections. And embed security at the very beginning of a business project – you don’t want to be trying to retrofit security.
Look at the people you’re sharing information with. Very often you can harden your own system but the weakest link remains the third party who perhaps can be trusted. Understand what the implications are of a breach or an attack on your business. Make sure that your legal counsel understands what the legal implications of a breach might be. You need to determine the way in which you will respond, and the same applies to PR.
As Mr Durbin says, security has a lot to do with us as individuals. A lot of us take our work home, so continue to push security awareness and stress that security starts at home. The cyber threat will only evolve further and we all have a role to play to ensure resilience.
For more information, visit: www.securityforum.org