Over the past 12 months, 81 per cent of large organisations and 60 per cent of small businesses suffered a security breach, according to the government's latest Information Security Breaches Survey. And the problem is not going away. Dr Andrew Armstrong, senior security consultant at Perspective Risk, highlights the ways in which companies can best protect themselves - and their data.
Q. How would you define the risks to information security for the UK's firms?
A. As companies demand more capability from their IT systems, so the need to secure those resources increases exponentially.
Trends such as BYOD (bring your own device) and cloud computing raise as many questions as answers. Our increasing reliance on the internet and technology is proved by the growth in data gathering, predictive analytics and IT automation. Security threats in this “internet of things” are broad and potentially devastating.
Cyberspace is an increasingly attractive hunting ground for criminals, activists and terrorists motivated to make money, cause disruption or even bring down corporations and governments through online attacks.
Companies must be prepared for the unpredictable, but they also have increasing amounts of regulation to contend with. For example, most governments have already created, or are in the process of creating, regulations that impose conditions on the safeguarding and use of personally identifiable information (PII), with penalties for companies that fail to sufficiently protect it. Firms need to treat privacy as both a compliance and a business risk issue, in order to reduce regulatory sanctions and the commercial impact of any breach.
Q. Much more attention is being given to cyber security risk than ever before, so why isn’t the problem going away?
A. The major problem is that we play catch-up, and there is a degree of inevitability. We have seen a 92 per cent increase in the use of bugs, such as the Conficker worm, ransomware, script kiddies and spear phishing emails over the past 12 months. Keeping up with threats, techniques and trends is a full-time job.
Trying to hide behind a couple of firewalls has proven to be ineffective in the early detection of these types of attacks. Fraudsters are using sophisticated phishing schemes to steal personal and business information, and then using this information in social engineering schemes to get others to assist in the fraud process. Staff awareness and training are essential components in combating cybercrime. But where people are involved, a focus on putting the customer first will always provide opportunities for compromise.
Q. So how should companies react?
A. The corporate mindset needs to move from a focus on building ever higher walls, to a realisation that breaches have occurred and will continue to occur. Companies need a second line of defence, manned by an information security team, and a more holistic approach to threat detection and remediation.
If we had a crystal ball, we would probably see a radically different IT security management function in the future – one where the manager isn’t just managing the security of the company’s resources, but is also actively involved in managing governance, risk and compliance.
Q. Most people would assume phishing attacks are obvious – but what can the most sophisticated ones look like?
A. Phishing is basically someone trying to get you to do something, or tell them something through email, that enables them to compromise you in some way. But it’s not just about the famous Nigerian 419 scams – which lured people into giving their bank information with the promise of huge riches – or about rogue links or attachments that are easy to spot.
One of the toughest phishing scams to detect and deter is the “man in the middle” attack. These involve malicious websites that look legitimate; they may even appear to be the real website of the company you’re looking for, though they are fake. The goal of a phishing scammer is to gain access to any information you type in, such as login details or credit card information, which can be collected via fraudulent websites.
Spear phishing emails – where an attacker has used information gleaned from calling the switchboard or looking at social networking profiles and interactions – can also be sophisticated. People might not think they are a worthwhile target, but they can provide a foot-in-the-door to their organisation or someone in their network.
Q. How can firms adequately protect the reams of sensitive data they hold?
A. The number of data breaches is going up – and the amount of data stored is growing at around 50 per cent a year. Trying to protect it all is both inefficient and expensive. So we are seeing a move to information-centric security.
This involves taking a more risk-based approach to protecting confidential information, from source code to customer records to employee data. There are technologies that aim to evaluate the sensitivity of individual pieces of information and then apply security controls directly to movable chunks of it.
Credit card data, for instance, can be automatically encrypted if stored on the system, or, if that same information is shared within a company, rules can be established preventing users from copying or pasting or removing the information.
We need to make the security go where the data goes, rather than keeping data tied to secure locations. Who in their right mind would put a security guard at every door in the company? It should be the same for data handling, with bodyguards assigned only to sensitive or confidential pieces of information.
However, the first step entails sifting through the files to determine what is sensitive and confidential. Experience has taught me that before an audit, a company will tell you they have four credit card files. However, when we go in, we find 40 files.
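The "four files become 40" point above is the data-discovery step of information-centric security: before any control can follow the data, you have to find out which files actually hold it. The following is an added illustration, not code from Perspective Risk or from the interview, of how such a sweep works for card numbers. It scans a handful of constructed in-memory "files" (the contents are invented; the card numbers are the widely published Visa, Mastercard and Amex test numbers, not real accounts), keeps only digit runs of card length that pass the Luhn check so that asset tags and phone extensions are not flagged, reports which files hold a likely card number, and shows the kind of control the interview mentions by masking the number to its first six and last four digits before it is stored or copied elsewhere. The file names, the `CANDIDATE` pattern and the masking convention are assumptions chosen for the example.

```python
import re

# Constructed sample corpus standing in for files on a share. The card
# numbers are public test numbers (4111..., 5500..., 3782...), not real cards.
SAMPLE_FILES = {
    "finance/refunds_2013.csv": "order,card\n1001,4111111111111111\n1002,5500000000000004\n",
    "hr/staff_list.txt": "Alice, ext 2201\nBob, ext 2202\n",
    "sales/notes.txt": "Customer paid by card 4111 1111 1111 1112 (typo?) and 3782 822463 10005\n",
    "it/serial_numbers.txt": "Asset 1234567890123456 is a switch serial, not a card\n",
}

# Candidate: 13 to 19 digits, optionally separated by spaces or dashes,
# not glued to further digits on either side. Deliberately loose; the
# Luhn check below does the narrowing.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers.

    Roughly nine in ten random digit strings fail it, which is what keeps
    serial numbers and order IDs out of the report. It is a filter, not proof.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators so '4111 1111 ...' and '4111111111...' compare equal."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the likely primary account numbers (PANs) found in a piece of text."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def classify_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each file that holds at least one likely PAN to the PANs found in it.

    This is the discovery sweep: the result is the list of places where a
    'card data' control has to be applied, whatever the owners said beforehand.
    """
    hits = {}
    for path, content in files.items():
        pans = find_pans(content)
        if pans:
            hits[path] = pans
    return hits


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (a common display convention) and mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Rewrite text so that any likely PAN is replaced by its masked form.

    Non-card digit runs are left untouched so that the document stays readable.
    """
    def repl(m: re.Match) -> str:
        digits = _normalise(m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group()
    return CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for path, pans in classify_files(SAMPLE_FILES).items():
        print(f"{path}: {len(pans)} likely card number(s)")
        print("  masked copy:", redact(SAMPLE_FILES[path]).strip().replace("\n", " | "))
```

Run against the constructed corpus, the sweep reports only the finance CSV and the sales note; the mistyped number in the note and the switch serial fail the checksum and stay out of the report, and the "staff list" never reaches the checksum because its numbers are too short. In a real sweep the same two functions would be fed file contents from a walk of the share, and the output is the inventory that decides where encryption or copy restrictions have to be applied.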
Q. How can companies promote employee compliance with their workplace security policies?
A. Most company policies are the result of compromise. The quickest route is to take a top-down approach, which puts technology at the heart. But this method often fails because people don’t like to be put in boxes, so they will do what they can to circumvent the controls.
The more intensive option is a bottom-up approach, starting with the people and how technology can serve the needs of the company. However, what tends to happen is that the security manager will write a technical policy to make his life easier, which is distributed to the senior management team who rewrite it to make their life easier. The result will not be perfect, but it trundles along and is updated as required.
A good way of looking at the compliance conundrum is to consider what happens when you need a new pair of shoes for a work function. You have two choices. You can decide to match the shoes with the rest of your outfit, and shop around until you find a suitable product that feels comfortable. Or you can leave shopping until the last minute, rush into the shop and buy whatever it has in stock. The shoes might be too small or too large, might pinch or cause blisters, but you try to wear them in the hope that they will be comfortable, given time.
From a compliance perspective, both shoes are a good fit – they contain the foot. It doesn’t matter if they are the wrong colour, the wrong size or cause blisters – as long as they contain the foot. Eventually, you will discard them and find something better that meets your needs. And that’s what happens with compliance. Technology requirements should be designed around human requirements. Otherwise, we are doomed to a life of audit non-conformity reports and corrective action plans.
Q. Should the approach differ for small and large companies?
A. Risk is risk. All companies, whether they are an SME or a large enterprise, encounter similar risks. It is more a matter of the scale of risk exposure, and how you manage it.