Steve Durbin, Managing Director of the Information Security Forum, spoke recently at Counter Terror Expo 2016 on the dangers posed to businesses by cyber crime. MOD DCB features writer Paul Elliott was there to hear how businesses can protect themselves against this evolving threat.
Cyber attacks are becoming much more sophisticated, and much more targeted. Security experts will tell you that phishing attacks targeting an individual are often not just to obtain personal information but also to gain a route into a corporate enterprise. People are rarely chained to their desks at work these days. As a workforce we have the capability to be very mobile and the fact that we now move around significantly more than before is opening up new threat opportunities for cyber crime.
How many devices do people carry that allow access to both personal and corporate information? This opens up opportunities for other users to access data тАУ for тАШman in the middleтАЩ type attacks when using public WiFi systems, for instance. From the corporate standpoint it creates the challenge of controlling that information. It is surely unreasonable to put a process in place for a sales organisation that, say, prohibits the use of public WiFi on the road. A degree of reality has to exist in the way security professionals put in place guidelines for businesses, regardless of the difficulties. By the same token, businesses though need to protect the weakest link in their overall security chain, whatever that might be.
The key focus for a lot of cyber criminals remains corporate. No business is immune from being targeted by a cyber criminal and intellectual property (IP) theft is on the increase.
Steve Durbin is the Managing Director of the Information Security Forum and he believes we have to take a тАШbusiness decisionтАЩ focused approach to the way we deal with these issues.
Speaking recently at Counter Terror Expo 2016 in London, Mr Durbin said: тАЬIt is about trying to understand the impact of a particular loss to your business. WeтАЩre all short of resource, so the challenge of course is to focus that resource in the areas that make the most sense тАУ both in terms of mobility to protect the enterprise and the information, but also in the effectiveness of that. So thereтАЩs a bigger discussion to take place across the enterprise in terms of risk appetite and impact on the business.тАЭ
The so-called тАШInternet of ThingsтАЩ is gaining momentum. The Internet of Things offers a lot of benefits but it also presents a lot of security challenges. Certainly, cyber criminals are very aware of it and the ability to manipulate devices should not be underestimated. Among other possibilities, the Internet of Things offers the ability to take data locating where one is at any point in time and provide it to a marketing organisation. Criminal access to such information could potentially be dangerous, particularly in the corporate environment.
The Internet of Things also allows remote access to devices in the working environment. Mr Durbin commented: тАЬAn organisation in the United States told me that theyтАЩre very dependent on devices. One day their manufacturing plant burst into life when it was in shutdown. Actually, it wasnтАЩt an attack; what happened was someone quite inadvertently managed to access their network and the machinery burst into life тАУ the only way they could shut it down was to disconnect it from the internet. It shows what could happen though.тАЭ
Then we come to the issue of insiders, which is probably one of the most sensitive areas for organisations today. No-one likes to think they employ someone in their organisation who is stealing their intellectual property. Mr Durbin says insiders can be split into three categories. ThereтАЩs the accidental insider, the person who just makes a mistake; thereтАЩs the negligent insider, somebody who is very aware of corporate policy but decides for good reason in his or her mind to go around it; and then thereтАЩs the out-and-out malicious insider who is there for personal profit or to steal IP and so on.
Mr Durkin continued: тАЬWhat probably concerns me most of all is manipulation of data. Think about the amount of code that exists in every single system we use today. Think again about the challenge in the Internet of Things, in accessing data from various locations. And then think about our decision-making that is increasingly based on intelligence from our computer networks, from our systems and software. All you need to do is manipulate and change one or two elements of code and before you know it business decisions are racing off in the wrong direction. How do you monitor that? How do you track that? ThatтАЩs a significant issue.тАЭ
Of course we have to trust our employees and the people we work with, but Mr Durbin says it comes back to the fact that you need to focus on the relevance of the information that youтАЩre using, its importance to your organisation and the way in which it is protected. The insider threat is probably one of the more difficult areas that need to be addressed from a security standpoint. On the one hand there has to be trust, and on the other recognition of the potential for a breach in some shape or form.
What will the impact of all of this be on business? Mr Durbin expects weтАЩre going to see an increase in regulation. Recently the EU reached a decision on general data protection regulation, which will come into force over the next two years. The cost of compliance with this should not be underestimated; neither should the size of the task. It doesnтАЩt just affect people operating within the EU. If you hold information relating in any shape or form to an EU citizen then the new EU legislation will need to be observed. YouтАЩll also need to prove youтАЩre observing it.
Mr Durbin explained: тАЬIncreased regulation is something that is set to continue. The cost of compliance will increase. We will see more downtime тАУ weтАЩve already seen the number of attacks increase. There is a huge cost associated as well with reputational damage, not just with getting systems back up and running. Look at some of the recent breaches in the UK тАУ take TalkTalk for example. Coming off the back of that breach they lost a fair amount of their subscribers. One hundred thousand people are no longer buying from TalkTalk.
тАЬThereтАЩs also the threat to competitor advantage. IтАЩve done a lot of work recently in terms of trying to position security as a key enabler of competitor advantage. Our ability to compete is clearly focused on our ability to take advantage of advances in technology. There isnтАЩt a company that IтАЩm aware of that isnтАЩt dependent in some shape or form on technology. That means that you are open to cyber risk. That means that your ability to compete within your environment has cyber as a threat.тАЭ
The impact on business of all these issues is significant. To protect themselves businesses need to be focusing on the basics тАУ reducing the risk of attack. Put malware protection in place. Mr Durbin says a large number of breaches come about because businesses donтАЩt have the most recent malware in place across their networks. Also, monitor whatтАЩs going on in cyber space so youтАЩre aware of changes. Mr Durbin warns if you havenтАЩt reviewed your information security policy within the last 12 months itтАЩs probably time to do so now. Cyber moves very quickly and if youтАЩre taking a compliance-based approach rather than looking forward as well you could be heading for trouble.
Put in place a response team and practice. Conduct a risk assessment to identify some of the threats and vulnerabilities you might be open to and put in place the necessary control selections. And embed security at the very beginning of a business project тАУ you donтАЩt want to be trying to retrofit security.
Look at the people youтАЩre sharing information with. Very often you can harden your own system but the weakest link remains the third party who perhaps can be trusted. Understand what the implications are of a breach or an attack on your business. Make sure that your legal counsel understands what the legal implications of a breach might be. You need to determine the way in which you will respond тАУ PR is the same.
As Mr Durbin says, security has a lot to do with us as individuals. A lot of us take our work home, so continue to push security awareness and stress that security starts at home. The cyber threat will only evolve further and we all have a role to play to ensure resilience.
For more information, visit: www.securityforum.org
Quote тАУ тАЬThere isnтАЩt a company that IтАЩm aware of that isnтАЩt dependent in some shape or form on technology. That means that you are open to cyber risk. That means that your ability to compete within your environment has cyber as a threatтАЭтАУ Steve Durbin, Managing Director, Information Security Forum
