DATA SECURITY

PAGE 07 ‘MOST WANTED’ HACKER SPEAKS
PAGE 10 BIG EURO FINES ARE ON THE WAY
PAGE 03 C-SUITE GUIDE TO CYBER SECURITY

21 March 2014


DATA SECURITY

raconteur.net twitter: @raconteur 03

OVERVIEW

INFORMATION SECURITY CAN BUILD BUSINESS

Far from being a brake on enterprise, IT security should be a business enabler, writes Tom Brewster

Data security chiefs are often perceived as the deniers of new technology, a barrier to business innovation and the naysayers who can never fix machines quickly enough.

“When you walk in the room, there’s a negative connotation,” a colleague told Quentyn Taylor, director of information security at Canon Europe. The forthright member of staff pithily conveyed the conception employees tend to have of those in charge of protecting the enterprise.

And this situation has been exacerbated over the years by an unwillingness to make information security a true business asset, rather than a nuisance.

Yet those who choose the more progressive route are the ones who will not only do a better job of protecting the business, but will also create additional value through security.

Here’s where some experience of cognitive dissonance comes in handy. For chief information officers (CIOs) to become a positive force in the business paradoxically means being two things at once: completely invisible and more visible than they ever have been.

In an ideal world, protection around staff software is as close to invisible as possible. Authentication is one example where security can innovate and stay out of the way simultaneously. Logins for all an employee’s tools could be initiated over their smartphone, which would contain codes to verify identities. Combined with a Bring Your Own Device strategy, this could help incorporate people’s mobile phones, tablets and laptops into the workplace, and make signing in simpler than it ever was.

Yet the IT team should also make sure they are visible and known to every part of the organisation as a boon to the business. Often this will mean embracing risk, saying “yes” rather than “no” to fresh ideas, even when they appear to be riddled with dangers at first glance.

“Security used to be synonymous with compliance. It was about ticking boxes, rather than what was necessary or right for the business,” says Mark Brown, director of risk and information security at consultants EY. “Businesses have started to realise this is a risk-based world in which we live. It’s now about questioning why rules are there in the first place.”

It’s in those instances, when IT security specialists can approve ideas and even contribute to them while their bosses expect the opposite, that CIOs will surprise and thrive. The more ambitious the CIO, the greater the benefit for everyone involved. “Go after the big fish. Go after the big issue,” Mr Taylor says. “Risk is what makes the world go round.”

Chief executives would be wise to involve their security and technology teams in almost every big decision. This should spur adult conversations around what tools could be used to facilitate and protect new projects, as well as the need for cross-disciplinary educational programmes.

With C-level executives and IT teams working closer together, along with other organisational departments, the response to attacks, even the most advanced strikes, will be more effective. With everyone involved in the process of securing the business, hackers will not find it as straightforward as they have done to uncover weaknesses.

It would be easy to regress in today’s turbulent environment, though. Over the last year, the world has witnessed the aftermath of the most severe case of insider attack ever seen, in the form of Edward Snowden. As a contractor at Booz Allen Hamilton, he managed to acquire and leak classified US National Security Agency documents, threatening the reputation of intelligence agencies the world over. With some basic social engineering techniques, he managed to bypass security layers at the biggest spy agency on the planet. His actions not only proved even the most risk-averse of organisations were vulnerable, but destabilised trust in the agency’s tech partners, who happened to be some of the biggest cloud computing providers in the world.

Meanwhile, the rise of the “Internet of Things”, which will see connected devices, from smart TVs to Google Glass, proliferate and appear in workplaces, is expanding organisations’ attack surfaces.

At the same time, whether sponsored by governments or organised criminal gangs, hackers’ attempts continue to get more sophisticated and widespread. When retailing giants, such as Target, are being compromised, it’s clear any company, regardless of industry or size, can be hacked.

Achieving the cultural change to make security a business enabler is far from simple. The company might not even know when it has reached that position. “Security is a journey not a destination. That is the point. You never know when you’ve made it,” Mr Taylor adds.

But the era of the maligned, untrusted data protection chief is reaching its denouement. The day of the dynamic, collaborative and popular security leader is dawning.


CONTRIBUTORS

STEPHEN ARMSTRONG
Contributor to The Sunday Times, London Evening Standard, Monocle, Wallpaper* and GQ, he is also an occasional broadcaster on BBC Radio 4 and Radio 2.

TOM BREWSTER
Freelance journalist covering information security, whose work has appeared in The Guardian and WIRED, he was named BT Security Journalist of the Year in 2012 and 2013.

CHARLES ORTON-JONES
Former Professional Publishers Association Business Journalist of the Year, he was editor-at-large of LondonlovesBusiness.com and editor of EuroBusiness magazine.

STEPHEN PRITCHARD
Technology, telecoms and science writer, he contributes to a number of newspapers, including the Financial Times and The Independent on Sunday.

EDWIN SMITH
Writer and editor, he has contributed to The Guardian, The Independent, The Independent on Sunday, The Sunday Telegraph, London Evening Standard, City AM and Private Eye.

JONATHAN WEINBERG
Freelance technology writer and owner of a small media business, he believes constant innovation is crucial for long-term success.

PUBLISHING MANAGER
John Okell

DESIGN, ILLUSTRATION, INFOGRAPHICS
The Surgery

MANAGING EDITOR
Peter Archer

PRODUCTION MANAGER
Natalia Rosek

COMMISSIONING EDITOR
Tom Brewster

Although this publication is funded through advertising and sponsorship, all editorial is without bias and sponsored features are clearly labelled. For an upcoming schedule, partnership inquiries or feedback, please call +44 (0)20 3428 5230 or e-mail [email protected]

Raconteur Media is a leading European publisher of special interest content and research. It covers a wide range of topics, including business, finance, sustainability, lifestyle and the arts. Its special reports are exclusively published within The Times, The Sunday Times and The Week. www.raconteur.net

The information contained in this publication has been obtained from sources the Proprietors believe to be correct. However, no legal liability can be accepted for any errors. No part of this publication may be reproduced without the prior consent of the Publisher. © Raconteur Media

Share and discuss online at raconteur.net


RESILIENCE

UNITED FRONT CAN FOIL THE HACKERS

By sharing information on threats and best practice, organisations are better protected and more resilient against cyber attackers, as Tom Brewster reports

One of the biggest failures of the security industry since the beginnings of the internet age has been the separation of its functions from both individuals and businesses. Rather than mesh security with the aims of the organisation and its employees, many decided security was simply a necessary evil, best left to unsocial specialists to cope with. Even within IT, protecting data was often separate from the daily tasks of the team.

The data indicates this has had a wholly negative impact on a business’s ability to protect against digital attacks and respond to them. The Ponemon Institute’s 2013 Cost of Cyber Crime Study showed that over the last four years, the time it takes to resolve an attack has risen by an astonishing 130 per cent.

But times are changing. The siloed approach is, for the good of businesses and internet security as a whole, being culled. What is striking about this progressive new world, in which resilience to digital attacks is core, is that it is non-technical C-level executives who are being asked to lead the way, creating a flexible, holistic approach. They are the ones who can bring together the disparate parts of the organisation and external partners so that everyone knows how to keep themselves and their employer safe from malicious hackers.

“Cyber threats and resilience are not just an issue for the security function: they require the involvement of every discipline within an organisation, its partners and stakeholders,” says Steve Durbin, director of the Information Security Forum, an independent advisory body.

“A co-ordinated approach led by senior business leaders – preferably the chief executive or chief operating officer, certainly a board member – is needed. Organisations need to co-ordinate with customers, suppliers, investors, the media and other stakeholders, so that resilience enables the organisation to prepare and respond to events that are impossible to predict.”

This concept of sharing is at the core of cyber resilience. In sharing information on threats and best practices, organisations are better protected. The UK government is now facilitating such collaboration in earnest. The Cyber Security Information Sharing Partnership has been widely praised by those participating.

In late January, Foreign Secretary William Hague signed the UK up to the World Economic Forum’s principles on cyber resilience, along with 70 companies and government organisations across 15 industries and 25 countries. Its aim is to forge a “responsible and collective approach to ensuring secure, resilient digital global networks”.

The drive for change has also emerged out of frustration at the failures of old, ineffective forms of protection. Anti-virus is continually proven incapable of stopping modern malware, while the firewall has been made almost redundant by the explosion of mobile devices connecting into corporate networks.

To achieve a high level of resilience, security has to stop being a purely technical issue. This, in turn, means techies have to start talking sensibly about data protection to the rest of the business.

“This requires the technical people, who would traditionally focus on point solutions to specific technical threats, to translate the potential impact of security incidents into terms and language that business and non-techy people will understand,” says Brian Honan, founder of security-focused BH Consulting.

Businesses are increasingly carrying out regular stress tests involving employees from inside and outside IT. A recent probe of financial firms’ resilience, known as Operation Waking Shark II, was co-ordinated by the Bank of England, bringing together the City’s big players.

The European Union Agency for Network and Information Security also sets up regular cyber scenarios, looking at how critical infrastructure would respond to a severe attack, such as an attempt to knock power stations offline. Such practices are now filtering down to businesses of all kinds.

While every organisation should consider frequent assessments to determine which holes need filling with security appliances and where policies need updating, more innovative approaches to building resilience at the technological and intelligence levels are emerging.

The term “offensive security” has been gaining traction in recent months. It does not amount to hacking back, as many feared it would, but instead involves the identification of adversaries by planting fake data on a company’s servers, tricking hackers into stealing the information and watching where they go. The attackers remain unaware they are being watched, giving away their tactics and their motives.

Why would a chief executive care about who is hacking them? Dmitri Alperovitch, co-founder and chief technology officer at CrowdStrike, one of the offensive security industry’s best-known providers, gives this simple analogy: if a thief broke into a business’s premises, stole all the files and disappeared, the chief executive would want to know who was behind it. The same goes for the digital realm.

“You won’t find a single company that is not going to be interested in knowing that answer,” he says. That’s another reason why it’s the chief executive, not just the chief information officer, who is pushing for more proactive security.
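The decoy-data approach described above (plant fake records, then watch who touches them and where they go next) is, on the defender's side, a detection problem. The script below is an added illustration written for this page, not code from the supplement or from any vendor it names: it registers a few constructed honeytokens, scans constructed access-log lines for any use of them, and, once a source has tripped a decoy, keeps a trail of that source's subsequent actions for the incident responders. The log format, token names and IP addresses are all assumptions made for the example.

```python
"""Honeytoken detection over access logs (added example, not from the page).

Decoy names, log format and addresses below are constructed for illustration.
A decoy is something no legitimate workflow ever reads or logs in with, so a
single hit is a high-confidence signal rather than a statistical anomaly.
"""
import re
from dataclasses import dataclass, field

# Planted decoys and where each one was seeded (constructed values).
HONEYTOKENS = {
    "svc_backup_legacy": "dormant account listed in the HR file share",
    "Q3-acquisition-targets.xlsx": "decoy document on the finance server",
    "AKIAFAKEDECOY0001": "decoy cloud API key left in an old config repo",
}

# Assumed log line shape: "<timestamp> <source_ip> <ACTION> <object>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<action>\S+) (?P<obj>.+)$")


@dataclass
class Alert:
    ts: str
    src: str
    action: str
    token: str
    planted_at: str


@dataclass
class Trail:
    """Decoy hits plus everything a flagged source did afterwards."""
    alerts: list = field(default_factory=list)
    follow_on: dict = field(default_factory=dict)  # src -> [(ts, action, obj)]


def detect(lines):
    """Scan log lines in order; flag decoy use and trail the flagged sources."""
    trail = Trail()
    tripped = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the detector
        ts, src, action, obj = m.group("ts", "src", "action", "obj")
        hit = next((t for t in HONEYTOKENS if t in obj), None)
        if hit:
            trail.alerts.append(Alert(ts, src, action, hit, HONEYTOKENS[hit]))
            tripped.add(src)
        elif src in tripped:
            # This source already touched a decoy: record where it goes next.
            trail.follow_on.setdefault(src, []).append((ts, action, obj))
    return trail


def flagged_sources(trail):
    """Sorted list of source addresses that used at least one decoy."""
    return sorted({a.src for a in trail.alerts})


# Constructed sample log: one internal address browses, then trips two decoys.
SAMPLE_LOG = """\
2014-03-21T09:00:01Z 10.0.5.12 READ /shares/hr/payroll-2014.xlsx
2014-03-21T09:02:15Z 10.0.5.12 READ /shares/finance/Q3-acquisition-targets.xlsx
2014-03-21T09:02:40Z 10.0.5.12 LOGIN svc_backup_legacy
2014-03-21T09:03:10Z 10.0.5.12 READ /shares/finance/board-minutes.docx
2014-03-21T09:05:00Z 10.0.7.3 READ /shares/hr/holiday-rota.xlsx
""".splitlines()


if __name__ == "__main__":
    t = detect(SAMPLE_LOG)
    for a in t.alerts:
        print(f"{a.ts} {a.src} {a.action} decoy={a.token} ({a.planted_at})")
    for src, steps in t.follow_on.items():
        print(f"trail for {src}: {steps}")
```

Note that the first read by 10.0.5.12 (the real payroll file) precedes its decoy hit, so it is not in the trail; in practice the responders would pull that earlier activity from the full log once the source is flagged. The design choice worth copying is that the alert carries where the decoy was planted, which tells the team which system the adversary reached.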

Foreign Secretary William Hague backs a global drive for resilient digital networks

INCIDENT RESPONSE

INTO THE BREACH FOR NASDAQ…

Organisations must be ready for a possible security breach, as Tom Brewster discovers

Every organisation should expect to be breached. Cyber criminals don’t care about the size of the target, only whether it is vulnerable and sitting on some kind of tradable data. Yet each incident response strategy will differ.

Take NASDAQ, which was hit by a security breach in autumn 2010, when hackers planted malware on a company server.

Kostas Georgakopoulos, now a regional head of security at financial services firm UBS, had only been chief information security officer at the stock exchange for a matter of weeks when the attack hit. As with any breach, Mr Georgakopoulos and his team had to determine whether it was severe enough to call in law enforcement. It was. Then it was time to bring in the lawyers.

“You really need to have external counsel engaged and there are very good firms who can give you very solid advice,” he says.

They helped to determine how to disclose the issue to regulators and the wider public. Revealing the breach to the press took until February 2011, but it was just a matter of hours before the decision was made to inform the US Securities and Exchange Commission.

One of the biggest surprises for Mr Georgakopoulos was the level of government involvement, including assistance from the National Security Agency, which helped NASDAQ determine its way forward. He says: “They are very professional in what they do – very thorough.”

A technical response was also needed and this was something Mr Georgakopoulos initiated immediately he learnt of the compromise. If there’s one thing security chiefs come to realise during an incident response, it’s that their existing defences are vulnerable. “Companies may believe they have adequate security controls in place,” he says. “For those of us who have actually lived through an incident, it becomes very apparent very quickly just how far that readiness appears to be from the reality.”

NASDAQ already had an incident response plan in place, which was one of the key reasons it came away relatively unscathed. Surprises were inevitable, but it could fall back on pre-ordained procedures when its time came. “It’s not really an information security programme that needs to be prepared, the business needs to be prepared,” Mr Georgakopoulos adds. “The business stakeholders must be vested in the success of that programme.”

The final piece of the puzzle in a typical incident response programme, if there is one, is the communications response. The PR push following a breach is key to ensuring long-term trust in the organisation. NASDAQ was fortunate it only had to notify a small subset of customers using a single product, making the outreach programme that much simpler.

“We didn’t have to notify 100 million users. We acted very quickly internally and externally to mitigate the risk and the threat,” says Mr Georgakopoulos. Not all organisations are so lucky.

Target, a US retailer robbed of 40 million credit card details in the lead up to Christmas, saw sales decline 5.3 per cent year-on-year thanks to the breach. Its chief information officer resigned soon after.

At least the company has survived to tell the tale. That hasn’t been the case for MtGox, an exchange for the virtual currency Bitcoin. Soon after hackers made off with £300-million-worth of coins, it announced bankruptcy. Sometimes there is no way back from the breach.

Turning data risk into business reward

With an effective enterprise data risk management strategy and a visionary chief information officer, data risk can be converted into business reward, says Mark Brown, director of risk and information security at EY

Digital technologies, such as mobile, social media and the cloud, make it possible to collect and analyse data about customers’ needs and preferences, and use it to build stronger, more personalised, higher-value business relationships.

But while the abundance of customer data can help businesses succeed, it also introduces new and pressing risks. In the data-centric environment, failure to protect, manage and store digital information effectively can have major repercussions, from crippling regulatory penalties to long-term damage to consumer and stakeholder confidence.

To protect a business against data risks, it’s necessary to understand exactly what the regulatory obligations are, what kinds of security events routinely happen on the network, which data is most critical to the business and how it can be ring-fenced to maximise security. Data risk needs to become a regular topic in the boardroom.

For truly innovative businesses, though, securing data is just the first step. The real opportunity is in unlocking new insight from data to transform the business. As well as “how can I protect my data?” the question becomes “how can I use it to increase my competitive advantage?”

The role of the “digital-ready” CIO

In making the transition from risk to reward, chief information officers (CIOs) have a critical role to play. As the person with the greatest visibility of information in the business, the CIO is ideally placed to release insight from siloed IT systems and put it in its rightful place at the very heart of the business. With a visionary, digital-ready CIO, it becomes possible to implement digital technologies and big data strategies to support business transformation on the back of data risk management activities. According to recent research from EY, this is exactly what more than half of all CIOs in technology-intensive industries are doing.1

Reaping the rewards

Time and time again, EY sees the benefits of effective data risk management for business transformation. Across the consumer products sector, we are seeing our clients seek to harness customer data to migrate from a pure-play, business-to-business operation to a direct-to-consumer approach, now capable of delivering targeted, real-time, geo-sensitive marketing and promotions to individual customers – wherever they are.

For another of our customers, a major global travel retailer, putting data at the heart of the business has supported a major shift of sales from the high street to the internet, helping to reduce costs and increase margins.

The change is not restricted to traditionally consumer-focused industries. Power and utilities companies are now focusing on leveraging smart-grid technologies to drive new consumer-focused ways of working.

Getting started

Managing data and driving consumer insight are becoming synonymous with business transformation. If you need advice about driving insight from your data to inform your transformation decisions and achieve new competitive advantage, contact Mark Brown [email protected] or 020 7951 7519

1 http://www.ey.com/GL/en/Services/Advisory/EY-CIO-Born-to-be-digital-The-rise-of-the-digital-business


INTERVIEW

‘DON’T BE THE LOW-HANGING FRUIT’

One of the most infamous hackers in cyberspace, turned security adviser, tells Edwin Smith that no technology is completely secure

Kevin Mitnick’s story is the classic tale of poacher turned gamekeeper – rewritten for the digital age.

A teenage fixation with “phone phreaking” – also an adolescent pursuit of Apple founders Steve Jobs and Steve Wozniak – developed from hacking telephone systems into hacking computer networks, and saw him use a combination of technical skills and “social engineering” to gain illegal access to information, systems and companies.

After being convicted of copying software from DEC’s network in 1988, the LA-born Mr Mitnick was sentenced to 12 months in prison, followed by three years of supervised release. However, during this time he hacked into the voicemail system of telecoms company Pacific Bell, an event that prompted the issue of a warrant for his arrest.

He became a fugitive and acquired notoriety as “the most wanted hacker in the world” before eventually being tracked down after two-and-a-half years on the run. He was again convicted of hacking-related crimes and served five more years in prison.

But since his release in 2000, he’s gone straight and, as well as talking at cyber security conferences all over the world, now uses his expertise to help Fortune 500 companies protect themselves from security threats.

In more than a decade, he says, there has been no company that has stood up to the rigours of his “penetration testing”. There are some isolated pieces of code that, on their own, remain secure. But when granted permission by a client to use social engineering methods, such as researching employees through LinkedIn, before posing as a trusted organisation and encouraging them to click on a link or open a file, he has a 100 per cent success rate.

“It’s much easier to break a system than it is to protect it,” he says, speaking over the phone from San Francisco. “Don’t forget that as an attacker I only have to find one person and convince them to make a bad decision. The larger the company, the more facilities they have and so the easier it is.”

Mr Mitnick describes social engineering as a “timeless art”, whereas the technical element of the process, hacking, is constantly becoming more sophisticated. “Vulnerabilities are identified, patched and fixed, then more are discovered. It’s a cycle that will continue until new technology or a trusted operating system comes along that could break that cycle,” he says.

One of the most sophisticated and notorious hacks in recent times has been Stuxnet, a virus widely thought to have been the manifestation of an attack by the US and Israeli governments on the Iranian nuclear programme.

The malware, which was discovered in 2010, was designed to spread through Microsoft Windows before targeting only Siemens industrial control systems, the type of systems that were used to regulate centrifuges at the Natanz uranium enrichment facility at the time.

The worm made adjustments to the operating programmes of the centrifuges, while simultaneously replaying recorded system values that gave the impression they were functioning as normal.

So, is this type of activity – cyber warfare enacted by governments – a good example of state-of-the-art, sophisticated hacking techniques? “It’s quite sophisticated,” says Mr Mitnick. “It bypassed all the anti-virus software; it was military-precision malware. But I’m kind of surprised they got caught, that they allowed the code or the malware to venture out into the wild where people were able to pick it up as something malicious and analyse it to find out what happened.

“I’m sure it’s the tip of the iceberg; I’m sure there is malicious software, which has been developed by nation states, that we don’t know about – that we haven’t discovered.”

It makes sense, then, that the Stuxnet hack, which Mr Mitnick views as the most sophisticated to have become widely known, is one that was always designed to become public. “Edward Snowden had clearance,” he says. “But getting four hard drives of information out of the NSA [US National Security Agency] without any help or being noticed shows he really understood the logging.”

When asked about Wikileaks founder Julian Assange’s recently published comments that Snowden was the ninth best hacker in the world, while Assange himself was the third, Mr Mitnick is politely dismissive: “[Assange] is so busy with Wikileaks, I doubt he is still practised at getting into companies like I do.”

In leaked extracts of his upcoming book, Google’s executive chairman Eric Schmidt describes China as the most “sophisticated and prolific” hacker of foreign companies. But Mr Mitnick, again, isn’t impressed by the claim, pointing out that it would be difficult for Mr Schmidt to have the first-hand knowledge needed to establish this.

Mr Mitnick does say, however, that any major nation would have the means to compromise the security of a company such as Google. “If I’m the Chinese government and I want to hack into Google, do you know how I would do it?” he asks. “I would have a sleeper agent at Stanford [University] and just have them get a job at Google [after graduation]. Easy.”

But for most companies it’s criminals, not governments, that are the main threat to cyber security. Organised crime outfits have considerable budgets, Mr Mitnick says, but they are unlikely to invest in paying talented hackers unless there is a significant return on investment.

“There’s no silver bullet,” he says. “The best thing businesses can do is mitigate the risk so the bad guys will go after another target. You do not want to be the low-hanging fruit. You want to make yourself a hard target, build protection and have the ability to detect when hackers have compromised your network so you can do damage control.”

He adds: “No tech in the world can protect you 100 per cent.”

But perhaps, one day, that could change. Mr Mitnick is loath to make predictions about the future of hacking and cyber security beyond its constant evolution. But, when pushed, he does offer something.

“Maybe there will be a different internet created,” he says, “one for more secure communications that would make stuff hard to steal, with new protocols, a new network. It would basically be ‘internet number two’, to solve all the problems of internet number one.

“Maybe that’s what’s on the horizon: a new internet for commerce and finance that’s not really susceptible to the same type of attacks that have developed in the wild, wild West.”

It’s an intriguing thought, certainly. But it’s obvious why Mr Mitnick would be reluctant to discuss it; it might just mean he’d have to retire.

Former hacker-in-chief Kevin Mitnick now lectures on cyber security

MAKING THE WORLD A SAFER PLACE

Is your business protected against the threat of unauthorised access? Do you know what to do if a breach occurs? NCC Group’s specialist cyber incident response team is available 24/7 to provide advice and to help you understand, contain and mitigate any breach. Our world-leading experts are at the forefront of security research. We use this unrivalled knowledge to fight the threats that you face every day. NCC Group is a global information assurance firm, passionate about changing the shape of the internet and making it safer.

For more information on the risks associated with cyber security:
Visit: www.nccgroup.com/datasecurity
Call: +44 (0)845 8686301
Email: [email protected]

We are your trusted global security advisor


Ȗ A decade ago, IT departments were wrestling with the dilemma of preventing access to restricted websites during office hours.

Fast forward ten years and the much-embraced policy of Bring Your Own Device (BYOD) pre-sents a new sort of headache.

It had been feared sensitive data would be put at risk through BYOD if employees’ personal smartphones, tablets and laptops were used for work purposes.

But with many of these worries overcome, it is now wearable tech-nology such as Google Glass and smartwatches that are presenting new challenges.

These internet-connected devices capture real-time images and video or send and receive cor-porate data, often without any sign of being used.

Richard Allgate, of InTechnol-ogy Managed Services, believes they could lead to mobile policies having to be torn up and rewritten.

He explains: “As most wearable

tech is paired with a smartphone, IT managers need to consider if it’s possible to remotely wipe wristbands and other wearables if someone loses them.

“Since these devices are more likely to get lost, the IT department needs to have some way to extract data. What about the devices that can work on wi-fi? IT needs to ask itself what information will they hold and will they need to provide a separate form of device management and security.”

Sarah Burke, an employment solicitor at Thomas Eggar, agrees. She foresees a range of issues, among them smartwatches causing employees to be connected to e-mails for even longer, which could breach working time regulations.

She adds: “Employees will be able to record information about the business and the people they work with far too easily. In addition to this, employers are unlikely to know when information is being recorded, making it almost impossible to control the risks. Employers should, therefore, ensure they pre-empt the risks and put in place a specific policy to cover the use of wearable technology at work.”

BYOD has brought a wide range of benefits to companies and organisations, big and small, such as cost-savings and increased productivity.

Ollie Ross, head of research at the Corporate IT Forum, says it can cause a 40 per cent productivity increase and is especially important for Generation Y or Millennials, born between the early-1980s and early-2000s, who are more engaged by using the latest tech.

And user-orientated IT solutions company LANDesk found it could save companies £150,000 over five years as employees purchase their own devices.

But Dave Bailey, chief technical officer of cyber security at BAE Systems Applied Intelligence, warns: “BYOD policies improve flexible working and allow businesses to be more agile. However, if firms fail to protect their employees’ devices, they risk incurring increasing disclosure and financial penalties, not to mention the likelihood of falling victim to cyber attack.”

Such risks can prove costly. Check Point’s second global mobile security report suggested eight out of ten companies had been subject to a mobile security incident in the past 12 months. Four out of ten respondents faced remediation costing more than $100,000, while for one in seven this was more than $500,000.

Derek Skinner, regional director of investigations, Europe, the Middle East and Africa, at Absolute Software, says he has known of devices stolen in the UK or United States ending up in Vietnam or Mongolia.

BRING YOUR OWN DEVICE

MANAGING RISK OF USING YOUR OWN DEVICES

The advantages of allowing staff to use their own technology at work could outweigh security implications, as Jonathan Weinberg reports


He adds: “With any stolen device, the risk is uncontrolled access to the sensitive corporate files and e-mails stored within it or even on the company’s servers. This kind of data breach can result in some serious penalties for the business. The Information Commissioner’s Office can fine firms up to £500,000 for a data breach and there are calls to raise this number even higher.”

Research from Robert Half Technology revealed that some 50 per cent of chief information officers (CIOs) see security of BYOD as the biggest challenge, but 37 per cent concede it has improved employee retention and satisfaction.

One potential solution could be so-called “containerisation” alongside a policy of Choose Your Own Device (CYOD) from a specified list of secure and IT-managed products.

Jonathan Foulkes, vice president of mobile product management at Kaseya, says: “Containerisation is uniquely suited to BYOD because it segregates enterprise and personal assets in the device.

“With a containerised approach, IT establishes and manages encrypted, policy-enforced ‘containers’ in each personal device that give controlled access to e-mail, documents and applications. Enterprise data is encrypted at rest and in flight, and if a device is lost or stolen, IT can wipe the containers without disturbing personal assets.

“There is no enterprise need for users to set device-level security, as only their personal data is at risk should they choose to leave their devices unprotected.”

He adds it can also help shield internal networks from attacks and malware as only the secure containers connect to the enterprise network.
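The selective wipe Foulkes describes, modelled in Python as an added example (not Kaseya’s or any product’s code): the enterprise side escrows a per-device container key, corporate documents are stored only as ciphertext, and a remote wipe destroys key and ciphertext while the user’s own files are untouched. The HMAC-SHA256 counter-mode keystream is a standard-library stand-in for the AES-GCM a real container would use; the device owner, file names and contents are constructed.

```python
"""Selective wipe of a BYOD 'container' (constructed model, not a product's code).

Corporate documents live in a container encrypted under a key the MDM server
escrows and pushes to the enrolled device. A remote wipe destroys the key and
the ciphertext: the corporate data becomes unrecoverable while the user's own
files on the same device are untouched.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a pseudorandom keystream. A standard-library
    # stand-in so the example runs anywhere; a real container would use AES-GCM.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from the container key.
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampered blobs."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("container integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Device:
    owner: str
    personal_files: Dict[str, bytes] = field(default_factory=dict)  # never touched by IT
    container: Dict[str, bytes] = field(default_factory=dict)       # name -> encrypted blob
    container_key: Optional[bytes] = None                           # held only while enrolled


class MDM:
    """Enterprise side: escrows container keys, pushes documents, issues wipes."""

    def __init__(self) -> None:
        self.escrow: Dict[str, bytes] = {}

    def enrol(self, device: Device) -> None:
        key = os.urandom(32)
        self.escrow[device.owner] = key
        device.container_key = key

    def push_document(self, device: Device, name: str, content: bytes) -> None:
        device.container[name] = encrypt(self.escrow[device.owner], content)

    def remote_wipe(self, device: Device) -> None:
        # Selective wipe: destroy the key and the container contents, nothing else.
        self.escrow.pop(device.owner, None)
        device.container_key = None
        device.container.clear()


def open_document(device: Device, name: str) -> bytes:
    if device.container_key is None:
        raise PermissionError("no container key: device not enrolled or wiped")
    return decrypt(device.container_key, device.container[name])


def demo():
    """Enrol, push a document, wipe, and report what survives on the device."""
    mdm = MDM()
    phone = Device("alice", personal_files={"holiday.jpg": b"\xff\xd8 (constructed)"})
    mdm.enrol(phone)
    mdm.push_document(phone, "q1-forecast.xlsx", b"confidential numbers")
    before = open_document(phone, "q1-forecast.xlsx")
    mdm.remote_wipe(phone)
    try:
        open_document(phone, "q1-forecast.xlsx")
        after = "still readable"
    except PermissionError:
        after = "unrecoverable"
    return before, after, sorted(phone.personal_files)


if __name__ == "__main__":
    print(demo())
```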

Future aspects of containerisation could see companies create their own internal app stores for devices to use or develop their own application programming interfaces and cloud-based services to share data off-device via the cloud.

Jean-Claude Bellando, director of marketing solutions at Axway, believes the previously traditional path of desktop virtualisation is now just one of many options.

He says: “While desktop virtualisation has previously been the solution of choice for BYOD policies, the 21st century has brought with it many alternatives. Employees not only want to access their workload from the comfort of their own home, but also the comfort of their own device.

“However, when deploying a virtualised desktop solution, it is difficult to prevent data from moving from the virtual environment to an unprotected one.”

Another less talked about risk of BYOD is known as Bring Your Own Network (BYON).

This is where employees tether another device to their mobile phone to share its internet connection, turning the phone into a personal hotspot.

Nathan Pearce, security and cloud expert for F5 Networks, explains: “This means they can, in some cases, bypass the corporate network security rules and access websites, apps and other services that are otherwise banned by IT.”

He believes this should be countered by focusing less on the device level and more at a network level, controlling who can access corporate data, what they can access and where they can access it from.

But for London’s Camden Council, BYOD has been a success. The organisation is embracing the policy in partnership with enterprise mobility management leader MobileIron. It first rolled out a programme three years ago and the council’s CIO John Jackson believes the benefits far outweigh the risks. Its system supports a range of devices and operating systems, including Android, iPads, laptops, desktops and Windows-based tablets or phones.

He says: “There comes a time when, if you don’t introduce BYOD within the workplace, you are going to be faced with disgruntled employees and miss an opportunity to improve productivity, adopt innovative working practices and save money. There have been concerns that personal devices will lead to data leaks and malware. By building a robust, private cloud and monitoring infrastructure we avoid this.”

Mr Jackson feels BYOD is encouraging a working “revolution”, replacing traditional desk and office-based working, which is no longer sustainable. Local authorities, he says, are being encouraged by government to offer solutions that enable flexible working.

“Employees want new ways of working, and to use the devices they know and love within the workplace to get their jobs done more efficiently. It’s that simple,” he says. “However, it needs to be done right, especially in terms of security. Devices need to be secure and locked down, and a policy needs to be implemented which employees are aware of.

“BYOD is here to stay. No longer can we turn a blind eye and ignore it. We need to embrace the consumerism of IT, rather than attempt to stifle it.”

STAFF USING THEIR OWN TECHNOLOGY AT WORK

WHAT IS DRIVING BYOD? (chart; categories in the order shown: improved employee satisfaction; increased worker productivity; greater mobility for workers; more flexible work environments for employees; reduced IT cost; attracting/retaining high-quality staff; better quality of devices used by workers; better care and/or longevity of devices; reduced device management requirements for IT; faster on-boarding of employees and third parties; improved business continuity; other)
Source: Cognizant

BYOD POLICY ALREADY IN PLACE (chart by country: UK, India, Australia, Canada, US, Germany, Netherlands, global)
Source: Good Technology

BYOD SUPPORT BY INDUSTRY (chart; sectors: finance/insurance, healthcare, professional services, manufacturing, transportation/logistics, legal, software, government, communications, retail, life sciences, entertainment/media)
Source: Cognizant

DEVELOPING AN EFFECTIVE BYOD POLICY
Policy element | Traditional IT policy | BYOD policy
Device configurations and operating systems | Standardised | Complex and heterogeneous
Mobile applications and data | Full command and control over data and apps | Limited control over corporate partitions, data and apps
Device tracking and monitoring | Full IT control over evaluating how devices are used, with no express permission required from users | Clarification of how devices are tracked and monitored, as well as which portion of the devices and data will fall under the policy's purview
Cost reimbursement | No provision for reimbursement of company-owned device costs | Definition of who pays for what, based on an understanding between employees and employer

WHAT DO CURRENT BYOD POLICIES COVER? (chart; categories: have security/acceptable use policies; plan to implement separate business and personal data solutions; wipe devices when they are lost/stolen/employee leaves; have a policy to wipe corporate data while leaving personal data intact; require mobile security or management agent to be installed; restrict BYOD to specific platforms or devices)
Source: Cognizant

GET READY FOR NEW EU DATA PROTECTION

A new European Union data protection regime seeks to safeguard citizens’ privacy and will introduce stringent regulations affecting businesses across Europe, writes Stephen Pritchard

At some point in 2015 or, if bureaucracy permits, even this year, Europe will have a new framework for information privacy.

It would be wrong, though, to dismiss the forthcoming General Data Protection Regulation as another example of Brussels arcana. The new rules will force an update to data protection laws across the EU and require some far-reaching changes to how European companies do business.

The new regime is no mere tweak to existing rules. It has support at the highest levels in the European law-making system and replaces a set of less binding rules which first came into play in 1995. That, of course, was a world before broadband, tablet computers, smartphones and big data.

The EU is playing catch up with rapidly changing technology. But it is also bringing its data protection framework in line with laws in other parts of the world, as well as with the way we use personal information today.

Some of the new clauses are mundane. Others may cause board members to break out in a cold sweat.

Chief among these is the new penalty regime. Guy Bunker, a security expert and vice president at Clearswift, a technology vendor, describes the new penalties as “killer sized”. Others have described them as company busting.

The EU will gain the power to fine companies up to 5 per cent of their annual, worldwide turnover or up to €100 million, whichever is greater. This puts almost all previous data protection laws in the shade.

Even if, as lawmakers suggest, it will only be used for the most flagrant and repeated breaches, it is a very serious sanction indeed, and an increase on the 2 per cent penalty in early drafts of the regulation, although that was uncapped.

“Nor is it the case that fines will only be levied for the most serious contraventions,” warns Vinod Bange, partner at law firm Taylor Wessing. “You could be fined for not having a privacy impact assessment or not having the proper systems of controls around subject access requests.” The EU law is a move away from the British, outcomes-based regulation to the more prescriptive, Continental approach, he adds.

Firms that suffer a data breach will, under the new rules, also have a legal duty to disclose the loss. Breach disclosure is not a new concept; it is now widespread across the United States, following legislation pioneered in California.

Some businesses, principally telecommunications providers and internet service providers, already have to disclose breaches within 24 hours.

A similar measure to force companies to tell their customers or “data subjects” about a breach is proposed under the new regulation, although it is possible this disclosure deadline may be extended to 72 hours.

Either way, it will be a significant new burden on businesses’ IT departments, not least because the latest generation of hacking tools is designed to go undetected. Equally, it is hard for large businesses with complex networks to know exactly where all data is, leading to what some experts worry could be over-reporting of data losses.

Firms handling personal data will also need to carry out data privacy impact assessments. The idea is to encourage another principle of the new law, privacy by design. Companies need to build privacy into their processes and, if there could be a specific risk around personal data, carry out a risk assessment.

In addition, under the legal “right to be forgotten”, EU citizens can demand companies erase information held on them or even retrieve their data to send to another provider. Companies processing even relatively small numbers of records – 5,000 data subjects in a year – will need to appoint a data protection officer.

These rules will inevitably impose new burdens on companies, especially those that have lagged behind in their data protection measures.

At the same time, the regulation should create a level playing field across Europe. Businesses will, for example, be able to nominate their main country of business as the one where their data protection measures will be regulated.

And, as businesses depend more and more on data for their operations, there is a case for good practice around data management and security. “Across Europe, they are trying to create a baseline [in data privacy] where everyone adheres to a minimum level,” says Mark Brown, director of risk and information security at EY, the professional services firm.

Mr Brown suggests that firms should act now, and carry out a gap analysis to establish their level of compliance and how that might need to change. This should include looking at which data is gathered and why, where it is held, and for how long.

With the right to be forgotten, data destruction is almost as important as data protection. These steps could also identify areas where firms may still be legal, but might benefit from improving data protection measures, for example by improving the protection of their own intellectual property or bolstering customer trust. This is the view held by many in the data security industry.

“The driver is common sense,” says Dietrich Benjes, director for the UK and Middle East at technology vendor Varonis. “It is ensuring personal information doesn’t leak or isn’t misused. You have to identify that information, who holds it and the security controls around it. Treat data like a business asset.”

Andy Heather, vice president for Europe, the Middle East and Africa at Voltage Security, concedes: “When anyone says the word regulation, the first thing that springs to mind is increased cost.

“On the other hand, the attention being paid to information security, because of the high fines, makes it easier to get funds allocated to solving problems. It is not negative. It is going to have a positive impact.”

And, although businesses might not welcome additional or financial burdens, the EU moves are a response to a more dangerous cyber world.

“The original driver [for the law] was, hand on heart, to protect individuals from being exploited and abused by the next generation of crime,” concludes Clearswift’s Mr Bunker. “It is a response to a need to protect citizens.”

REGULATION


CASE STUDY

For businesses across Europe, proposed EU data protection regulations pose both technical and practical challenges.

Teleplan, a Dutch company with operations in the UK, provides repair and warranty services to computer and consumer electronic brands. Should your PC or tablet fail, there’s a good chance it will be Teleplan that will arrange a repair at its factory near Amsterdam’s Schiphol airport or send out a replacement device.

But this means the company has to take special care of customer data. Not only might there be personal information on the smartphones or tablets it repairs, but it also has to collect delivery and warranty information from customers. This data might seem mundane, but it still has to be protected.

According to Teleplan’s vice president of client solutions Sven Boddington, protecting data on devices means strict controls and a “chain of custody” around who handles a smartphone, tablet or PC.

For customer data, it means collecting the minimum amount of information Teleplan needs to do its job. It needs serial numbers and possibly a shipping address, but it would not, for example, ask for a customer’s date of birth as a matter of routine. Making sure the company collects only the information it needs is as important as protecting the information it holds, says Mr Boddington.

But the new laws also present an opportunity to do more with data. One change, during the drafting of the data protection regulation, has been to make it easier for companies to use “anonymised” data, stripped of personal information.

This, Mr Boddington says, could allow Teleplan to provide technical feedback to the electronics companies, based on the types of repairs they carry out which, in turn, could help them develop better products.

WHO IS STEALING DATA?

92% of data breaches are external
Source: Verizon 2013 Data Breach Investigations Report

UK PENALTIES FOR DATA BREACHES

2011-2012: £791k, 9 organisations fined
2012-2013: £2.6m, 20 organisations fined
Source: ICO

UK AVERAGE PER CAPITA COST OF DATA BREACH
Source: Ponemon Institute/Symantec

PROPOSED EU FINES

£500k current UK maximum fine
5% of worldwide turnover, up to €100m
40% of companies don’t fully understand the ten main provisions of new EU regulation
87% can’t estimate the new rules’ cost
Source: UK Information Commissioner’s Office (ICO)


Partnerships needed to combat future cyber threats

Urgent action is needed to counter cyber threats to UK business and national security, says Northrop Grumman Corporation

The UK National Cyber Security Strategy emphasises the importance of partnerships among government, industry and academia, both domestic and international, to meet the primary objective of the strategy, “making the UK one of the most secure places in the world to do business in cyberspace”.

The cyber threat is broad and complex, and focuses on networks and data in both the public and private domain largely to steal money and intellectual property. Threats will grow in frequency and sophistication because adversaries can afford new technology and techniques, including cloud and mobile computing, big-data analytics and artificial intelligence. But no single organisation has the necessary capabilities to mitigate all the risks. Partnerships are therefore critical and must include information-sharing, governance, research and education.

While today’s threats are significant, threats to critical infrastructure will be even greater by 2020. With industries accelerating digitisation to improve services and reduce costs, there are many new cyber threats to sectors, such as electric power, oil and gas, national security, and transportation. These threats are not only to financial and information security, but also to operations and safety. Examples such as Stuxnet and Shamoon have damaged operations in significant ways. These cases are modest compared to what could happen this decade.

In 2020, the internet will have vastly more devices and we will have far more sophisticated cyber adversaries. The “Internet of Things” brings many benefits, but also creates unknown vulnerabilities. In the wrong hands, analytical techniques can generate sophisticated cyber exploits automatically. Massive cloud malware could analyse infrastructure for vulnerabilities and develop attack strategies in seconds.

Failing to mitigate infrastructure threats could cause losses of many economic, environmental and health benefits possible through digitisation. However, there are strategies and tactics that partnerships can execute for mitigation.

First, organisations can take immediate steps. There is actionable information published on Gov.uk including, for example, 10 Steps to Cyber Security by CESG, GCHQ's information security arm. Government and industry partnerships must implement legal and regulatory measures to reduce cyber crime. Multi-national partnerships must enforce agreements addressing state-sponsored activities. Current measures are insufficient. Costs of inaction increase rapidly. We need collaborative action now.

Second, information sharing partnerships must operate faster. Most sharing centres exchange threat information manually with limited automation. Some threat analysis services provide information for automatic processing, generally lists of IP addresses and “indicators of compromise”. This is reactive. Sharing partnerships must become more proactive in analysing and disseminating forward-looking cyber intelligence.

Third, government, industry and academic partnerships must be more open to innovation. For example, more approaches are needed to incubating security companies with various incentives. New ways are needed to attract people to professions that improve infrastructure security, and new frameworks for security as a science with the rigour of physics and mathematics. Newton’s Laws for cyberspace have not yet been developed.

Finally, cyberspace education needs to be reassessed. Today’s discussions about cyber workforce shortages focus on specialists. While clearly important, more is needed. There are basic practices that the billions of internet users should employ to improve security. Product designers and engineers learn about quality and reliability, but not enough about security. Business schools should teach entrepreneurs about opportunities in security. To some extent, education can change to reach broader populations with internet course delivery. Using the internet to protect cyberspace is a long-term, but necessary, strategy. Proactive education at all levels can eventually do much to make infrastructure safer.

The global importance of cyber security and the dynamism of cyberspace are growing in recognition. Not one person or company can effect change alone. Society needs diverse government, industry and academia partnerships to create a much broader and deeper security awareness and competency in the population.

Northrop Grumman is a leading global security company, and has more than 30 years’ experience in cyber security and information assurance http://www.northropgrumman.com/cybersecurity


TAKING CARE OF DATA – AND BUSINESS

UK average per capita cost of data breach: 2012 £75; 2013 £80


30k newly infected websites distributing malware every day
Source: Sophos

37% of UK directors and senior decision-makers are given training in cyber security, compared with 86% in the United States and 58% globally
Source: BT Security

23% of employees say data security is not their responsibility
Source: Absolute Software

35% of cyber attacks are attributable to wetware
Source: Ponemon Institute/Symantec

33% of employees describe the security culture of their workplace as moderate or lax
Source: Absolute Software

HUMAN FACTOR

PEOPLE ARE SO WET WHEN IT COMES TO SECURITY

Charles Orton-Jones explores ways to strengthen cyber security in the face of human weakness

There’s hardware. There’s software. And there’s wetware – that’s the human bit in the technology chain. Hackers have long realised that Homo sapiens are the weakest point in any security wall. Wetware vulnerabilities are now their number-one target.

Humans have so many defects. They are curious. Take the USB stick scam. Hackers load USB sticks up with malware and scatter them in the target company’s car park. Humans wander out of their offices and notice these colourful bits of plastic. They pick up the sticks, activate them to see what they contain and cheerfully click on the poisoned files therein.

“The best ones are shiny neon flashing USB sticks,” reports former Met Office cyber crime officer Adrian Culley, now a consultant with Damballa. “I know of two large and credible organisations that were undone like that. Chuck 20 sticks on the ground and someone will pick one up.”

Humans are trusting. With a bit of coaxing, unwary staff can be persuaded to disclose passwords over the phone or via e-mail. Some of the approaches are breathtakingly direct. Gavin Watson, senior security head at security consultancy Randomstorm, tells a chilling tale.

He says: “A call to the receptionist will say something on the lines of ‘Hi, I’m about 20 minutes from the office, but I’m caught in traffic. I’ve got a contractor coming in to service our routers, I know we’re not supposed to let anyone in without supervision, but we’ll be charged for another call out if we miss this appointment. Please can you give him a visitor’s badge and show him up to my office, and I’ll be there as soon as I can.’

“This gives the receptionist a plausible scenario for the arrival of a stranger on site, the sanction from a superior for breaking the company policy covering supervision of visitors and the comfort factor that her boss will be on the scene shortly to greet the visitor and take control of the situation.”

Humans are lazy. By default they will choose passwords which are too short and too easy to either guess or to crack via brute-force guessing. The leak of 150 million Adobe passwords last year provided a profound insight into how people formulate their passwords. Nearly two million Adobe users opted for “123456”. The top 100 of most common passwords is littered with the obvious, from “password” to “letmein”.

Tragically, users routinely create passwords using their dog’s name, birth date, mother’s name and other basic building blocks. The stratagem of “social engineering” involves hackers using Twitter and Facebook to harvest personal details from targets to facilitate password-cracking.

All it takes is one slip-up. The mother lode is an e-mail account. Let Sian John of Symantec explain just how bad this is for your business: “If I have control of your e-mail I have the keys to the safe. Because all your other accounts will be tied to it. I simply request a password reset for the thing I want to gain access to; a link will be sent to your e-mail. I can very quickly capture your entire ecosystem.”

Even when staff are being vigilant there is a danger they will be undone by a clever hack. In 2011 security firm RSA got hacked. The method was “phishing”. Hackers e-mailed an Excel spreadsheet to low-level employees called “2011 recruitment plans”. When opened the document exploited a vulnerability in Flash to give hackers a foothold within RSA’s systems. Small amounts of sensitive data were leaked before the attack was repelled. And RSA, note, is one of the world’s most respected cyber security firms.

A Raconteur poll of 60 security experts revealed a cornucopia of tactics used by hackers to exploit humans. Here are just a few: paying old employees for their passwords; stealing a staff mobile phone to gain access; using browser pop-ups; bribing security guards; looking over the shoulder of staff to see their passwords or to view notes stuck to computers with passwords written on them (shamefully common); and walking into a venue and sitting down at a terminal.

Ready to panic? In fact, a lot can be done to mitigate the human threat. Let’s start with passwords. Dr Kevin Curran, senior lecturer in computer science at the University of Ulster, says: “For a hacker with the computing power to make 1,000 guesses per second, a five-letter, purely random, all-lower-case password, such as ‘kjxyu’, would take about four hours to crack, but if we were to increase the number of letters to 20, then the cracking time increases to 6.5 thousand trillion centuries.”

Passwords should reset every few months and not be shared across sites. Mnemonics are valuable. Using the first letter from each word in a song lyric, with vowels replaced by numbers, is a simple way to create long yet easy-to-remember passwords.
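As an added example (not from the article), Dr Curran’s brute-force arithmetic and the song-lyric mnemonic recipe above, turned into a small password-policy check a defender can run. The guess rate is his 1,000 per second; the common-password blocklist and the lyric are constructed stand-ins, not a real leaked list.

```python
"""Password-policy arithmetic from the article, as runnable checks (constructed example).

Two checks to apply to a proposed policy:
  * worst-case brute-force time for a random password of a given length and
    alphabet at a given guess rate (the 1,000 guesses/second figure);
  * a screen against a blocklist of the kind of common passwords the Adobe leak
    exposed (the list here is a constructed stand-in for a real leaked list).
Also builds the song-lyric mnemonic the article suggests.
"""
import re

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Constructed stand-in for a real top-100 list of leaked passwords.
COMMON_PASSWORDS = {"123456", "password", "letmein", "qwerty", "password1", "123456789"}


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def brute_force_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst case: the attacker has to try the whole keyspace."""
    return keyspace(length, alphabet_size) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Express a duration in the largest unit that gives a readable number."""
    units = [("centuries", SECONDS_PER_CENTURY), ("years", SECONDS_PER_CENTURY / 100),
             ("days", 86400.0), ("hours", 3600.0), ("minutes", 60.0)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {name}"
    return f"{seconds:.3g} seconds"


def lyric_mnemonic(lyric: str) -> str:
    """First letter of each word, vowels swapped for digits (the article's recipe)."""
    swaps = {"a": "4", "e": "3", "i": "1", "o": "0", "u": "7"}
    initials = (word[0].lower() for word in re.findall(r"[A-Za-z']+", lyric))
    return "".join(swaps.get(c, c) for c in initials)


def screen(password: str, min_length: int = 12) -> list:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # The 'Password1', 'Password2' pattern Cosoi warns complexity rules produce.
    if re.fullmatch(r"[A-Za-z]+\d{1,2}", password):
        problems.append("word plus one or two digits (Password1 style)")
    return problems


if __name__ == "__main__":
    for length in (5, 20):
        print(length, "random lower-case letters:",
              human_duration(brute_force_seconds(length, 26, 1000)))
    mnemonic = lyric_mnemonic("Twinkle twinkle little star how I wonder what you are")
    print(mnemonic, screen(mnemonic) or "passes")
    print("Password1", screen("Password1"))
```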

Training is vital. The consensus is that lectures aren’t much good. Staff doze off. You’ll need to get creative to make sure the message sticks. PhishMe is a service which runs simulated phishing attacks so staff can learn to spot attacks. Founder Rohyt Belani says: “Providing training in periodic bite-sized segments, rather than a large information dump once a year, keeps your staff continually engaged and allows you to train them on a variety of attack techniques.

“Once users can recognise phishing attacks, organisations should encourage them to report suspicious e-mail to the internal security team, a process which turns your user base into an additional source of threat intelligence.”

In particular, don’t bamboozle your staff. Catalin Cosoi, chief security strategist at Bitdefender, strongly advises against trying to train staff in complicated security protocols. “Keep in mind the limitations of humans while you set security policies,” he says. “To take a simple example, demanding a password which contains letters, numbers and punctuation that changes every month is just begging for half of your staff to write them down on post-its and the other half to use ‘Password1’, ‘Password2’ and so on.”

It may be better to limit the access technophobic staff have on your system. Does a junior member really need unfettered access to vital financial and client data?

Finally, recognise you will never be totally hacker proof. If Microsoft and Sony can fall prey to criminals, it is folly to suppose you are immune. When all it takes is a wally with a big mouth to let the hackers in, every firm is vulnerable.


Safeguarding cross-border data files

The world of business now relies on cross-border data transfers in a way that would be unrecognisable to a technologist from just 20 years ago. Advances in technology have enabled data to be moved rapidly and stored indefinitely, which has delivered a host of business and user benefits allowing the global distribution of work and knowledge, 24-hour business operations and convenience for users and customers.

However, this reliance on data has also increased the risk businesses face from security breaches or loss of information, particularly as data moves across institutional and geographic boundaries. At the same time, regulations concerning the transfer of information and privacy have become much more commonplace, typically forbidding or restricting cross-border transfers unless certain conditions have been met.

To protect data effectively when engaging in cross-border transactions, organisations need to consider the lifecycle of that information and ensure implementation of security measures is integral to each stage of the cycle:

How businesses receive data will affect how they deal with it. Commonly accepted, safe methods of receipt include website capture using secure socket layer technology; file transfer using a secure file transfer program, virtual private network or file encryption; or physical transfers using a secure media room to image and ingest the data, supplemented by background checks on personnel.

Identification of the type of data that is being acquired is important. Is it personally identifiable information (PII), an image or a document and, if so, what type? These are treated differently under foreign data privacy regulations.

How the data will be stored affects what protection controls are required. If the data is PII or potentially PII, then there could be a legal requirement to store it in a disk-based encryption format and encrypt backup copies of the data.

Once a business has securely transferred data across the border, it must make it available for use. This will require encryption at every stage of the process, leveraging encryption-key management to prevent decryption in countries to which that data must not be transferred and controlling access to systems that critical data may traverse, such as network paths.

Data must only be used for authorised purposes and in compliance with applicable laws. Application controls and metadata-tagging generated during the index may be used here.

When the data is no longer needed for production purposes, it must be stored in compliance with the company’s data retention policy and applicable legal requirements. Issues to consider include whether backup occurs on-site or off-site and whether these cross international borders. Are the back-ups governed by other countries’ privacy and data protection laws?

Protected data, including archives, files, physical copies and any other versions created during the lifecycle of the data, needs to be rendered unusable, unless there is an exception to the rule, such as data subject to legal holds and disclosure requests.

Even once robust policies and processes have been put in place, organisations need to remain continuously vigilant, ensuring they monitor regulatory changes and stay up to date with frameworks such as ISO 27001. They must also develop strong incident-handling and remediation policies to cope with any potential breaches, and ensure these can handle cases which have cross-border or inter-jurisdictional ramifications.

Although much discussion has occurred around the creation of international standards for data security and privacy controls, a true international set of standards has not yet been developed.

Until that happens, meaningful protections for data, both domestic and international, will remain an issue for organisations of all kinds and sizes. Those conducting business internationally, contracting with international vendors or hosting data with international data centre providers must develop effective strategies to meet their current and future obligations.

Daniel Charboneau is responsible for the information security program at Epiq Systems, Inc. For more information contact [email protected]

CO

MM

ERC

IAL FE

ATUR

E

Protecting data, both domestic and international, remains an issue for organisations of all kinds and sizes, says Daniel Charboneau

when engaging in cross-border transactions, organisations need to ensure implementation of security measures is integral to each stage of the cycle


Businesses must secure the key to encrypted data passed to a third-party cloud provider, says Paul Simmonds

IT’S ALL ABOUT THE DATA, DUMMY

Ten years ago, a group of leading global chief information security officers (CISOs) came together to form a think-tank called the Jericho Forum. We all had a common problem – our organisations needed their corporate data to flow freely outside the corporation’s security perimeter to partners, joint ventures and a plethora of other bodies with which we did business.

The term “de-perimeterisation” was coined to describe what was happening to us and the challenge we faced. We wrote 11 “commandments”, principles upon which to design for this new paradigm. Commandment nine asked the question: “How do you manage data in an environment you don’t control?”

Now let’s fast forward to today and a world of always-on connectivity, computing performed in the cloud, using someone else’s computing resource or sharing a common application, bring your own device, using a device I purchase and maintain to do my day job, while we live in a post-9/11 world where the spooks would like access to all this data.

The recent Snowden revelations introduced us to terms such as PRISM and Tempora, the American and British surveillance programmes, but primarily alerted us to the scale on which the US National Security Agency was surveilling the world.

That it was going on was well known prior to Snowden, with the US Patriot Act and Foreign Intelligence Surveillance Amendment Act (FISAA) in force since 2008, and the UK’s Regulation of Investigatory Powers Act since 2000, all containing “gag” clauses prohibiting cloud vendors and internet service providers from letting their clients know what they are being obliged to hand over.

If the Snowden revelations have done anything, it’s to bring to the attention of chief executives and chief financial officers the risks involved, and put the lie to those many cloud salespeople who assured businesses their data was totally safe with them.

As a CISO, how long do you think you would have a job if you took the secret recipe for Coca-Cola, wrote it on a postcard and announced to your board that you planned to give it to a third party to look after? However, a number of people – you don’t know who or how many – from that third party can see it and, if someone obtains a court order to read that postcard, the third party will be legally prohibited from telling you.

Unfortunately this is what countless companies have been doing and continue to do today. And not only with company secrets, but also with sensitive personal data they are legally obligated to keep secure under UK and EU data protection legislation.

Meanwhile, Microsoft has openly admitted that the US Patriot Act and FISAA apply to any data centre of an American corporate, irrespective of where in the world it is located. So “solutions” proffered by US companies of keeping your data physically in an EU-located data centre seem rather hollow.

In addition, many European countries have laws on the statute book giving them similar powers, making claims from niche local vendors, offering EU or country-centric data centres, seem equally dubious.

So can businesses securely use the cloud environment and cloud services? The answer is a resounding yes. But only if you can answer that original question: “How do you manage data in an environment you don’t control?”

There are solutions out there which allow you to do just this. They encrypt your data before it leaves your control and enable you to retain the key, while still letting the cloud provider operate – search and index – that data. Technically it’s known as format and operations-preserving encryption.

Critical to any encryption solution is key ownership. To the auditor who asks, “How do you guarantee this data is secure?” the answer is, “Because I, and not the third party, have the key”. The information security industry is taking these challenges seriously.
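The key-ownership principle in the two paragraphs above, as an added illustration that is not code from the article or from any vendor it mentions: a tenant keeps the master key, ships only ciphertext plus a keyed blind index to a simulated provider, and the provider can still answer equality searches without being able to decrypt or to recover a searched value. It uses only the Python standard library, with an HMAC-based stream cipher standing in for a production cipher such as AES-GCM and a blind index standing in for the format-preserving scheme the article names; the class names, addresses and sample records are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

class TenantKeyHolder:
    """Master key stays with the tenant; only derived outputs ever reach the provider."""
    def __init__(self, master_key: bytes):
        # Separate sub-keys: the index key alone can never decrypt a record.
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.idx_key = hmac.new(master_key, b"idx", hashlib.sha256).digest()
    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode as the keystream (teaching construction, not AES-GCM).
        blocks = [hmac.new(self.enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(length // 32 + 1)]
        return b"".join(blocks)[:length]
    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)  # fresh per record, so equal plaintexts differ
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return nonce + ct + tag
    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("record was altered or the key is wrong")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))
    def blind_index(self, value: str) -> str:
        # Deterministic keyed token: equal values give equal tokens, so the provider can search
        # and index without the key; the price is that it reveals which records share a value.
        return hmac.new(self.idx_key, value.strip().lower().encode(), hashlib.sha256).hexdigest()

class CloudStore:
    """What the provider (or anyone with a court order against it) holds: no key, no plaintext."""
    def __init__(self):
        self.rows = []  # (index token, ciphertext blob)
    def put(self, token: str, blob: bytes) -> None:
        self.rows.append((token, blob))
    def search(self, token: str) -> list:
        return [blob for t, blob in self.rows if t == token]

def demo(query_email: str = "alice@example.com") -> list:
    # Constructed sample records; returns the decrypted bodies the provider matched.
    tenant, cloud = TenantKeyHolder(secrets.token_bytes(32)), CloudStore()
    for email, body in [("alice@example.com", b"recipe: step one"), ("bob@example.com", b"Q1 figures"),
                        ("Alice@Example.com ", b"recipe: step two")]:
        cloud.put(tenant.blind_index(email), tenant.encrypt(body))
    return [tenant.decrypt(b) for b in cloud.search(tenant.blind_index(query_email))]
```

The auditor's question is answered by the split: `CloudStore` holds tokens and ciphertext that are useless without `TenantKeyHolder`, and a tampered or foreign-key record fails the tag check before any decryption happens.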

So we can secure data for a company looking to use a cloud solution. But looking at the future, we are rushing headlong into a world with ever-increasing amounts of our data in the cloud and where it is critical to secure this data.

To have any chance of achieving our goal, we need a single, consistent global solution for identifying people, the devices we use and the organisations we interact with, allowing us to simply and easily encrypt our private data, both in transit and while stored in the cloud. That, however, remains a little way off.

Paul Simmonds is chief executive of the Global Identity Foundation, and was formerly chief information security officer at AstraZeneca and ICI

OPINION

ADVANCED PERSISTENT THREAT

Organised cyber crime is on the increase, posing a serious threat to organisations with valuable data, as Stephen Armstrong reports

WHEN CYBER ATTACKERS GET DOWN TO BUSINESS

The Stuxnet virus attack on Iran’s nuclear programme is the stuff of spy stories – a sliver of computer code sneaks on to illicitly obtained Siemens computers either on a USB or under the cover provided by a massive overload of the system through a denial of service assault.

The code disrupts Windows 7, causing sensitive centrifuges to whirl out of control while telling technicians that all was going smoothly. As many as 1,000 centrifuges were permanently damaged, meaning Iran’s nuclear programme slowed and the chance of a bomb moved further off.

Mikko Hypponen, chief research officer at Finnish anti-virus firm F-Secure, believes Stuxnet was the work of governments, probably the United States and Israel. “We face three kinds of online attacks: criminals, hacktivists and nation states,” he says. “Of these, nation states have the greatest power.”

Over the past three years, however, it’s become clear that it’s not just James Bond who has to worry about so-called advanced persistent threat (APT) attacks like Stuxnet. It is becoming more apparent that any business handling valuable data, from blueprints for important new designs to financial data from customers and suppliers, is at risk of compromise by talented, well-funded hackers.

“Five years ago, the internet was like the high street with companies selling to consumers,” says David Emm, senior security researcher at Kaspersky Lab. “Now the internet is central to almost every company’s business, connecting them with suppliers, employees, customers and partners. With extended supply chains, any company is only as safe as its least protected employee or supplier.”

He cites Icefog, a recent cyber-espionage campaign targeting governments, military contractors, maritime and ship-building companies, telecom and satellite operators, tech companies and mass media across South Korea, Japan, the United States and Europe.

Icefog arrives through phishing e-mails and exploits vulnerabilities in Microsoft Word and Excel on both PC and Mac, opening a back door that allows hackers to hand-pick sensitive documents, company plans, e-mail account details and network passwords. This kind of customisable assault, previously the preserve of nation states, is now for sale on hacking sites.

“APT attackers aren’t usually lurking on massively used public sites like Google,” says Darien Kindlund, director of threat research at FireEye. “They’ll focus on smaller, very specific sites visited by experts and senior staff in the area they hope to find victims.

“Once they’ve compromised one of these sites – a research site, say – they’ll do passive reconnaissance, watching who is visiting at what time and with what protocols to craft a combination of seemingly simple techniques into a very targeted attack on a single well-researched victim.”

Protecting against APTs is critical to all organisations, but simply beefing up a company’s own IT isn’t enough. “If your employees connect to your network using their devices, they can easily get infected with malware at a coffee shop or while working from home,” warns Shel Sharma, product management leader at Cyphort. “Security deployed at the firewall will have no opportunity to find and alert you about the malware.”

Tech firms have been compromised via their legal firms, employed to file patents. Car companies have faced attacks via engineering support companies. The Syrian Electronic Army, a collection of computer hackers who support the government of Syrian President Bashar al-Assad, rerouted visitors to The New York Times and to Twitter by hacking their domain name system registrar companies.

With unplanned IT outages the most debilitating source of supply chain disruption – outpacing bad weather, transport network disruption, bankruptcy and earthquakes – placing secure IT at the heart of contracts with suppliers is key, although it may not be enough.

“With more and more companies using one of a handful of cloud providers, the insurance industry is starting to rethink the way it covers corporates against data loss,” says Stephen Wares, head of European cyber risk practice at insurance broker and risk management specialist Marsh.

“Some insurers may have as many as 1,000 clients using the same cloud provider and thinking about the way they provide cover if that company is compromised has to change as the risks change. There are 30 insurers on the London market spending the next year or so working through their data to see what that means.”

If the possibility that compensation for loss from cyber attacks will decrease sounds alarming, Mr Wares is keen to point out that scary headlines can sometimes just be scare stories.

“Very big numbers are being floated about the number of APT attacks at the moment,” he says. “Those numbers don’t really tally with the actual experience of many business owners. The challenge for the future is to develop good predictive modelling so that the benefits and the risks of decisions, like which cloud service provider to use, can be independently understood.”