I’m Peter Webster, chief executive of Corps Security, and this is where I examine the issues affecting the security industry. My thoughts and opinions are intended to generate debate and whether you agree or disagree with them, you’re welcome to post your comments below.
2014 has already seen cyber-criminals making the headlines and, if the experts are to be believed, this is just the tip of the iceberg, with the number and seriousness of cyber attacks predicted to increase rapidly. To demonstrate the scale of the problem, the 2012 PwC Information Security Breaches Survey found that 93 per cent of large organisations and 76 per cent of small businesses had suffered a security breach in the previous year.
In the last week or so we’ve heard how Bitstamp – one of the world’s largest Bitcoin exchanges – had to halt withdrawals after being hacked, and how Tesco had to deactivate some customers’ accounts after their login names and passwords were shared online.
The way in which criminals are evolving their methods is exemplified by CryptoLocker. It arrives as a phishing email purporting to come from a bank, courier or other seemingly legitimate source, carrying an attachment that looks like a PDF but is in fact an executable. Once opened, the malware encrypts the victim’s files on the local hard drive and on any network shares it can reach, and then demands a ransom for the key. There are also reports of hackers recording video of how victims use their computers so that they can steal from online bank accounts: by learning how a particular user starts their browser, navigates to the bank’s website and enters data, they can mimic that behaviour and evade the checks that look for unusual activity.
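As an added example that is not part of the original article (and not a Corps Security tool), the Python script below shows the kind of check a mail gateway or an analyst can run on an attachment to catch the CryptoLocker lure just described: an executable dressed up as a PDF, a double extension such as invoice.pdf.exe, or a ZIP with an executable inside. The file names, the sample bytes and the small signature table are constructed for the demonstration; the "MZ" headers are placeholders for a Windows executable, not real malware.

```python
"""Attachment triage for the CryptoLocker-style lure described above.

Added example, not code from the original article or from Corps Security.
It inspects an attachment's name and leading bytes and flags the tricks the
lure relied on: an executable named to look like a document, a double
extension, or a ZIP whose members are executables. All samples are constructed.
"""
import io
import zipfile
from typing import Dict, List

# Leading-byte signatures we recognise (constructed, deliberately small table).
MAGIC: Dict[bytes, str] = {
    b"%PDF-": "pdf",
    b"MZ": "exe",        # DOS/PE executable header
    b"PK\x03\x04": "zip",
}

# Extensions Windows will execute when double-clicked (assumption: enough for the demo).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs"}


def sniff(data: bytes) -> str:
    """Return the real type implied by the magic bytes, or 'unknown'."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment is suspicious; an empty list means clean."""
    reasons: List[str] = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    real = sniff(data)

    # invoice.pdf.exe: a document-looking name with an executable final extension.
    if len(parts) > 2 and ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"double extension ending in .{ext}")
    elif ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable attachment (.{ext})")

    # A file that claims to be a PDF but starts with a PE header.
    if ext == "pdf" and real == "exe":
        reasons.append("claims to be PDF but content is a PE executable")

    # ZIP wrapper: list the members in memory without extracting anything to disk.
    if real == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = member.lower().rsplit(".", 1)[-1]
                    if inner in EXECUTABLE_EXTENSIONS:
                        reasons.append(f"zip contains executable member {member}")
        except zipfile.BadZipFile:
            reasons.append("declared zip is malformed")
    return reasons


def build_zip(member_name: str, payload: bytes) -> bytes:
    """Construct a ZIP archive in memory for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed samples: a genuine PDF, two disguised executables and a ZIP wrapper.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 16   # header only, not a real program
SAMPLES: Dict[str, bytes] = {
    "statement.pdf": b"%PDF-1.4 constructed sample",
    "invoice.pdf.exe": FAKE_PE,
    "delivery_notice.pdf": FAKE_PE,
    "parcel.zip": build_zip("parcel_details.pdf.exe", FAKE_PE),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        verdict = triage(name, blob) or ["clean"]
        print(f"{name}: {'; '.join(verdict)}")
```

The check deliberately trusts neither the name nor the declared type on its own: the name catches the double-extension trick, the magic bytes catch a renamed executable, and the ZIP inspection catches the wrapper that many mail filters let through.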
Not surprisingly, the UK government is taking the issue seriously too, and at a summit of regulators and intelligence chiefs, the business secretary, Vince Cable, said that there was a growing threat of disruption to everyday life. To back up his argument, he cited a 2012 cyber attack on Saudi Arabia’s national oil company, which shut down 30,000 of its computers.
It is clear that organisations have to be more aware than ever of how to protect themselves against hackers by having an effective cybersecurity strategy in place. However, I have become increasingly concerned that cybersecurity is being used as a buzzword simply to evoke a sense of panic. It seems to me that while boards of directors are more than willing to invest large sums of money in the latest firewalls and encryption methods, they often fail to realise the part that physical security such as CCTV, access control and manned guarding plays in a successful cybersecurity strategy.
To illustrate my point, I recently read an interesting comment by Jan Veldsink, who consults to businesses on IT security and has developed the Business and Cyber Robustness Executive MBA module at Nyenrode Universiteit in The Netherlands. He states, ‘The word cybersecurity provides a false impression. It promotes the suggestion that if you pump enough money into firewalls and good ICT systems, you’ll be safe. That’s not the case. Dealing with cybercrime is not just a problem for the IT department. You have to train every part of your organisation.’
To put it bluntly, there’s no point in having the best firewall in the world if people can simply walk into a building, take IT hardware such as servers and hard drives containing sensitive and business critical data, and walk straight out again.
Then there is the issue of poor internal security – passwords written on Post-It notes and stuck on desks for all to see, memory sticks left lying around and incorrectly addressed mail. This scope for human error was also highlighted in research conducted by Trend Micro, which revealed that 27 per cent of smartphone users have had up to three work devices lost or stolen, and 25 per cent of people who use their mobile device only for work have emailed sensitive data to the wrong person.
The consequences of these types of events are immense. There are a number of UK and European laws that govern corporate liability for data breaches, and fines can be as high as £500,000. This is in addition to the cost in terms of operational downtime and business continuity, not forgetting reputational damage – all of which can far outweigh the price of a fully coordinated and integrated security strategy.
So why doesn’t this happen as a matter of course? It usually comes down to the ‘silo mentality’ – adopting a collaborative approach to dealing with cybersecurity has little to do with external influences and everything to do with internal cross-departmental cultures. In other words, physical security and IT teams do not communicate effectively to better understand their respective roles and how they are, in fact, reliant on each other to keep business operations safe from harm.
There is no ‘one size fits all’ solution to devising a security strategy, and each organisation will have its own unique considerations. That’s why using an external specialist security services provider can be highly beneficial, as it will be able to carry out a full threat and risk assessment. This can also contribute to an overall cybersecurity strategy by ensuring that surveillance and access technology, as well as manned guarding, are fully optimised to protect IT infrastructure.
Cybersecurity is important but it will only work if the rest of the pieces of the security jigsaw are in place.