A panel of experts has warned that few businesses have sufficiently robust recovery plans, meaning that once they’re attacked, they’re sent into a panic.
Chairing the panel at IT conference IP EXPO earlier this month, Peter Sommer, cyber security expert and professor at the London School of Economics, explained that some cyber attacks will inevitably break through an organisation’s defence.
“One of the inevitabilities is some attacks will get through, so you need to know what you’ll do about it,” said Sommer. “There’s not enough thinking about how recovery takes place. During the process of recovery, firms get in a panic about losing customers and investors. They know that there’ll be litigation coming, and they need to work out what happened, and find evidence. That discipline is not sufficiently high up the priority chain,” he added.
James Lyne, global head of security research at Sophos, agreed.
“I give a massive plus one to that!” Lyne exclaimed. “I’ve been involved in so many incidents where people are running around screaming, or covering up by deleting emails which show they made a mistake. There are more and more attacks where there’s a ransom model [to be allowed to reclaim data that the criminals have encrypted]. You have basically no chance of retrieving that data without an effective model of recovery. It’s both a leadership role and a hugely important area of technical skill and policy.”
Troels Oerting, former cyber crime chief at law enforcement agency Europol, and current group CISO at Barclays, said that security needs to be embedded in organisations’ DNA, and a simple strategy is not enough.
“Culture eats strategy for breakfast. Management can have all kinds of strategies for increasing security, but if it’s not embedded in the DNA then we read it and throw it away. I’m also a huge fan of standards. You don’t need to be an engineer to drive a car, but you might need to be half a hacker in order to be secure.
“We need better standards in software and hardware. I want privacy and security, but my customers want convenience. So we need to crack that and find a way to offer both,” said Oerting.
He continued, explaining that smaller firms are even less likely to invest in security than their larger counterparts.
“We’ve implemented [best practice] in banking, but I’m concerned about the lower end, like startups and SMEs. To build up a firm’s security is very costly, so they might cut corners sometimes,” said Oerting.
“Young companies struggle and want to get product out and get income in, and the security guy says ‘Stop! We need more testing!’ He’s seen as the person dragging the company back,” added Sommer.
Dave Palmer, director of technology at security firm Darktrace, stated that the problem is compounded by the message coming from the boardroom.
“I’d say an even bigger drag on mid-size companies is the board of directors where they say it’s not acceptable for there to be a security incident,” said Palmer. “There will be incidents, but [if they demand none] they just won’t hear about them. The security guy will make suppliers sign an NDA to say don’t tell the boss if we have an incident. So boards need to support security teams and be okay about there being an incident. If your strategy is ‘don’t have an incident’, then you’re doing it wrong,” Palmer said.
Oerting agreed: “Have a graceful way to deal with it; we’ll all be hacked. There is no absolute security on the internet.”
Windows 10 security
Sommer then noted that the panel all appeared to be very positive about the security built into Windows 10, Microsoft’s latest operating system, but asked: “Is it hopelessly complex? Is the complexity itself a problem? It has become too hard to test, so are there more opportunities to find holes?”
Oerting remained positive about Windows 10, but warned that hackers will increasingly attack mobile platforms.
“Windows 10 is very good and more secure than anything else we’ve seen. The majority of our products will be delivered on mobile platforms in the future, so you’ll see a gradual move to that. Right now there aren’t so many exploits on mobile platforms, but it’ll come because criminals will go where the money is.”
“I can’t be entirely positive about the Windows 10 user interface,” said Lyne. “But they’ve done a great job working with the security community. Building something simple that does the things we want takes an insane amount of code, and it has constant updates, running faster than ever before, and with that come bugs. So there’ll always be a constant fight to get it right.
“Microsoft have taken a long time to get to where they should have been, but now they lead amongst many. Microsoft learnt about this the hard way. That doesn’t mean they’re immune, but it’s a lot harder to write an exploit [targeting the latest Windows operating system] today than ever, but then when you try to exploit IoT [Internet of Things] devices, it’ll be like going back to Windows 95 in terms of security,” argued Lyne.
Palmer stated that in some cases security teams just get trampled in the rush to new, shinier kit.
“Every time we talk about complexity, users hear flexibility. We say we want you to have less, and they’re already starting to walk away. It’s like when mobiles and tablets started to take hold, and security teams said ‘never on my network!’ Look at it now!
“Everyone chooses smart devices over laptops. Some just look at their watch today and not even their phone! We can’t stand in the way of complexity, though I’d love to be able to! Then you find facilities management have rolled out an Internet of Things smart building which you had no idea about, and it’s on your network!”
Pulling the conversation back to the central point, Oerting reiterated that the solution is about involving security in the conversation from the outset.
“You have to start with new ideas by involving the security teams, then you get security by design,” he concluded.