Cyber-security: who will provide protection?

FEATURE

Chris McIntosh, ViaSat UK

Computer Fraud & Security, December 2015

Despite attacks from Stuxnet to Sony demonstrating the very real IT security threats organisations face, legislation is still slow to act. The EU’s data protection legislation, originally due to come into effect this year, has suffered repeated delays. Sources have claimed it has been pushed back to 2016, a date that has already been called unrealistic by those closest to it. In the face of state-sponsored cyber-attacks, advanced fraud from cyber-criminals and single data breaches affecting millions of customers, an organised response to the cyber-security threat is clearly needed. The question now is: who will provide it?

The state of cyber-security

Cyber-security now is very much like the early days of automotive safety, when seatbelts were introduced for the first time. While hardly anybody today would doubt the benefits a seatbelt provides, it took the combined incentives of legal pressure and gradual cultural change to make wearing a seatbelt part of everyday behaviour. A similar, two-pronged approach is now needed to combat cyber-attacks. Governments need to provide incentives for building robust cyber-security, as well as the legal force to punish organisations that do not act as responsible businesses or as custodians of sensitive customer data. This needs to go hand in hand with a change in corporate culture, to one where threats are understood, managed and mitigated with the same rigour as other business risks. This must replace a culture where cyber-security is merely paid lip service, or is a simple tick box on an audit sheet. Only then will UK businesses begin to address a global challenge which is evolving and affecting more organisations by the day.

Government and the public sector


Recent data breaches, such as millions of TalkTalk customers being exposed to fraud after a major loss of sensitive information, demonstrate the urgent need for a robust defence. While TalkTalk has taken steps to prevent any repeat of its breach, it is only a matter of time until we hear of the next business whose customer base has been put at risk by cyber-attack.

The priority of governments should be to do everything possible to minimise losses like these and mitigate the risk. While the government has given powers to organisations such as the Information Commissioner’s Office (ICO) to impose penalties, in too many cases the potential fines are woefully low. The ICO’s maximum financial penalty of £500,000 pales in comparison to Ofcom’s recent £800,000 fine on BT for late delivery of applications, or the Financial Conduct Authority fining RBS, NatWest and Ulster Bank £42m for IT failures. Even when the ICO does impose its largest fines, organisations can still appeal the decision or pay early to reduce the penalty further. This is clearly an ineffective incentive for businesses generating millions of pounds of profit a year. Such a business could simply choose to take a calculated risk that it will occasionally have to pay a fine, which would represent a minor setback to overall profits.

One of the major proposals of the EU data protection legislation is to make financial penalties proportional to an organisation’s annual turnover. This would represent a much more notable risk to businesses, and give the ICO a much bigger stick.

To change attitudes in this way, the government needs both to put robust laws in place and to ensure that those laws keep pace with technology, rather than reflecting how IT was used a decade ago. For example, the current Data Protection Act dates back to 1998, before the explosion of online activity and when the threat of cyber-attack was much smaller than today. UK laws need to make current cyber-security best practice mandatory. This includes ensuring that all customer data is encrypted at rest, as PCI DSS already requires for stored cardholder data, and that it is deleted when no longer needed: data that is no longer held cannot be stolen.

The importance of preparation

While the government can impose order with laws, motivation also has to come from within the organisation. Many will see the examples of ‘car crash’ cyber-attacks in the news, but too often think that such attacks only happen to others. Organisations need to realise that cyber-attacks are no longer just a likelihood; they are an inevitability. The simple fact is that criminal organisations and hackers have far more resources, and most importantly time, at their disposal than any single potential target. Over time, any defence will be penetrated. As a result, the most important lesson for any organisation is ‘prepare to fail’: any cyber-security strategy should assume that security has been breached and work backwards from there.

For instance, when Sony’s PlayStation Network was breached, the main damage wasn’t due to immediate downtime. Instead, it was that the hackers were able to steal passwords and personal details that were stored in plain text. If Sony had prepared to fail, it would have protected all of that data in storage: passwords kept only as salted, deliberately slow hashes that can be verified but not reversed, and personal details encrypted with keys held outside the database. Even if its databases had been sucked dry of information, the thieves would then have found the haul next to useless.

This isn’t to say that ‘traditional’ security, such as firewalls, anti-virus and the people in an organisation, should be ignored. Organisations need to combine the three Ps of People, Process and Planning in any cyber-security strategy. They should remember that an attacker will always look for the weakest link in any system, and ensure that even the weakest part of their armour is protected. When planning a new project that will add new data and access points to the organisation, one of the very first questions should be: ‘How will we protect this?’. This approach has to cover all aspects of security, from technology such as anti-virus and encryption, to the policies and best practices that workers follow, from the CIO to the shop floor.
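What ‘prepare to fail’ looks like for a stored customer record, as an added example that is not code from the article, from ViaSat or from Sony: passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes, personal details are encrypted with AES-256-GCM under a key the application holds outside the database, and a function models the attacker reading a stolen row. The key, the account, the iteration count and the function names are constructed for the example; PBKDF2 is written out here only to keep the code standard-library only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Work factor for the password hash: a constructed value, tune it to current guidance.
const pbkdf2Iters = 100000

// Record is the row that lands in the database; nothing in it is usable on its own.
type Record struct {
	Username string
	Salt     []byte // per-user random salt for the password hash
	Hash     []byte // PBKDF2-HMAC-SHA256 output: verifiable, not reversible
	Nonce    []byte // AES-GCM nonce for the PII blob
	PII      []byte // AES-GCM ciphertext plus tag of the personal details
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 for one 32-byte block, written out
// to keep the example standard-library only; prefer a vetted library and a memory-hard KDF.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)             // U1
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // U_i = PRF(password, U_{i-1})
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store builds the database record for a new account. dataKey is held by the application
// (in practice fetched from a KMS or HSM) and is never written beside the data it protects.
func Store(dataKey []byte, username, password, personalDetails string) (Record, error) {
	gcm, err := newGCM(dataKey)
	if err != nil {
		return Record{}, err
	}
	salt, nonce := make([]byte, 16), make([]byte, gcm.NonceSize())
	rand.Read(salt)  // crypto/rand.Read cannot fail since Go 1.24; check its error on older versions
	rand.Read(nonce) // a fresh nonce per row: never reuse one under the same key
	// The username is bound as associated data, so a ciphertext moved to another row will not open.
	pii := gcm.Seal(nil, nonce, []byte(personalDetails), []byte(username))
	hash := pbkdf2SHA256([]byte(password), salt, pbkdf2Iters)
	return Record{Username: username, Salt: salt, Hash: hash, Nonce: nonce, PII: pii}, nil
}

// VerifyPassword re-derives the hash for a login attempt and compares it in constant time.
func VerifyPassword(r Record, password string) bool {
	candidate := pbkdf2SHA256([]byte(password), r.Salt, pbkdf2Iters)
	return subtle.ConstantTimeCompare(candidate, r.Hash) == 1
}

// Decrypt recovers the personal details; it fails on a wrong key or an altered row.
func Decrypt(dataKey []byte, r Record) (string, error) {
	gcm, err := newGCM(dataKey)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, r.Nonce, r.PII, []byte(r.Username))
	return string(pt), err
}

// DumpLeaksPlaintext models an attacker reading a stolen row: does any secret appear verbatim?
func DumpLeaksPlaintext(r Record, secrets ...string) bool {
	dump := bytes.Join([][]byte{[]byte(r.Username), r.Salt, r.Hash, r.Nonce, r.PII}, nil)
	for _, s := range secrets {
		if bytes.Contains(dump, []byte(s)) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed stand-in for a key fetched from a KMS or HSM
	rand.Read(key)
	r, _ := Store(key, "alice", "correct horse battery staple", "Alice Example, card ending 4242")
	fmt.Println("login:", VerifyPassword(r, "correct horse battery staple"), "leaks:", DumpLeaksPlaintext(r, "horse", "4242"))
}
```

The design point is the separation of trust: a copy of the table gives the attacker salts, hashes, nonces and ciphertexts, none of which yields a password or a customer’s details without either guessing the password at the hash’s work factor or obtaining the data key from wherever the application keeps it. Binding the username into the GCM associated data also stops a thief with write access from swapping one customer’s encrypted details into another account.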

Holistic approach

It is clear that a robust cyber-security framework equipped to deal with escalating threats will need both internal and external motivations to make organisations protect themselves. Laws must more closely reflect the times we live in and deter those who handle data irresponsibly, while organisations themselves must recognise cyber-security, and the inevitability of attack, as essential parts of their IT strategy. Then and only then can we be sure we are adequately guarding against the wolf at the door.

About the author

Chris McIntosh is CEO at UK encryption specialist ViaSat. Prior to this, he was a Lieutenant Colonel in the Royal Signals serving in a number of theatres and roles. McIntosh holds a BSc in Computer Science, an MSc in Design of Computer Systems and an MBA.

EVENTS

6–8 January 2016 Real World Cryptography Workshop Stanford, CA, US www.realworldcrypto.com/rwc2016

15–17 January 2016 Shmoocon 2016 Washington, DC, US www.shmoocon.org

5–6 February 2016 BSides Huntsville Huntsville, Alabama, US http://bit.ly/1O3psud

19–21 February 2016 International Conference on Information Systems Security and Privacy Rome, Italy www.icissp.org

22–26 February 2016 Financial Cryptography and Data Security Barbados http://fc16.ifca.ai/

29 February–4 March 2016 RSA Conference 2016 San Francisco, US www.rsaconference.com

2–5 March 2016 NullCon Goa, India http://nullcon.net/website/

9–11 March 2016 ACM Conference on Data and Application Security and Privacy New Orleans, LA, US www.codaspy.org/

10–11 March 2016 BSides SLC Salt Lake City, UT, US www.bsidesslc.org
