
Cyber security in Britain: What challenges lie ahead?

Anthony Browne Jo Bryce Peter Davy David Lacey

Adrian Leppard Francis Maude Steve Reed Peter Sommer

McAfee is now part of Intel Security.

RISK MANAGEMENT


2 | NEW STATESMAN | 6 – 12 FEBRUARY 2015

Starting the conversation

Good cyber security requires investment, so how can chief information officers show the board it’s worth the money?

There is an age-old debate about the gap between “the business” and “IT”, and nowhere is this more acute than when it comes to information security. The chief executive and the rest of the board know that security is important, and that the threats are increasing. But they often lack the depth of technical knowledge to fully understand the risks to their business, which means they do not know what security investments are needed.

Yet ultimate responsibility for any security breach falls to the top table. Some of the biggest breaches in the past year have led to executives paying the ultimate price and losing their jobs. That’s got to be a wake-up call for any board member. So what options do the chief information officer (CIO) or chief information security officer (CISO) have when trying to communicate security risk to the board?

It’s good to talk

The first step, of course, is to make security a responsibility for everyone around the boardroom table. A World Economic Forum report examined cyber security risk-management practices within some of the world’s largest companies, and found that senior management’s time and attention was the single biggest driver of maturity in managing cyber security risks.

Regulation and compliance

This is traditionally one of the main reasons for CEOs and CFOs to sign off on security investment. There is a danger in just ticking boxes, however, and being compliant doesn’t necessarily mean your business is secure.

Scare tactics

Chief information officers have often resorted to fear to try and justify IT security investment. While there is a responsibility to make the board aware of risks, “world might end” scenarios aren’t the best approach. The tech analyst Gartner studied 300 board presentations on risk and security and concluded that using FUD (fear, uncertainty and doubt) to get board support doesn’t work. “Executives don’t want to hear how bad everything will be if they don’t invest”, says the analyst.

Risk

Rather than hearing worst case scenarios and then being presented with the security collection tin, the board wants an honest assessment so that it can make judgments on what is an acceptable level of risk. Locking everything down is both impractical and too expensive.

Does the company know what its most sensitive data is? IT security professionals need to identify the top information security risks to the business and assign risk factors to each of them. The board can then make an informed call about where to place its security investment bets.

Return on investment

The best language for justifying security investment to the board, of course, is that of business value and return on investment. Chief information officers should talk about the enabling effects of new security technologies. For example, think of how some banks are deploying two-factor authentication, where customers are given their own card reader to use alongside the online interface. This approach boosts customer confidence in digital and online services and reduces losses from fraud.

Gert-Jan Schenk is president of EMEA & Canada at Intel Security


IN PARTNERSHIP WITH INTEL SECURITY


CONTENTS

Cover: Stassja Mrozinski

New Statesman, 3rd Floor, Farringdon Place, 20 Farringdon Road, London EC1M 3HG
Tel 020 7936 6400
Fax 020 7936 [email protected] enquiries, reprints and syndication rights: Stephen Brasher [email protected] 731 8496

Supplement Editors: Gareth Jones, Charlotte Simmonds
Design and Production: Stassja Mrozinski

Commercial Director: Peter Coombs (0)20 3096 2268
Head of Partnerships: Eleanor Slinger (0)20 3096 2275
Special Projects Manager: Penny Gonshaw (0)20 3096 2269

The paper in this magazine originates from timber that is sourced from sustainable forests, responsibly managed to strict environmental, social and economic standards. The manufacturing mills have both FSC and PEFC certification and also ISO9001 and ISO14001 accreditation.

First published as a supplement to the New Statesman of 6 – 12 February 2015. © New Statesman Ltd. All rights reserved. Registered as a newspaper in the UK and USA.

The battle continues

Switching on a computer has become as commonplace as turning on the television or making a cup of tea. Most of us do so without fear or inhibition; indeed we are generally enthusiastic for the possibilities that technology offers. Increased efficiency and broader conversations are among the upsides to a world now lived partly on Earth, partly online.

Yet with growing digital dependency have come new pitfalls, and a new breed of criminality. There is no question that cybercrime is on the rise in Britain and around the world, and an entire industry – cyber security – has grown in order to treat this growing malady.

This special report brings together leading voices from the government and the opposition, from the police force, industry and centres of cyber academia. The report questions how safe the UK is today; with high-profile hacks regularly hitting the headlines, online fraud on the increase, and cybercrime now among the top risk priorities for government and businesses, the answer is: not very. Yet as our range of contributors prove, the fight back is being waged with vigour and enthusiasm.

The internet has opened doors, and through them enter vulnerabilities. As Minister for the Cabinet Office Francis Maude writes on page 9, a single cyber attack could cross borders, demanding a coordinated international response. Within such interconnected networks we must surely examine our collective responsibility.

This supplement, and other policy reports, can be downloaded from the NS website at newstatesman.com/page/supplements

4 Peter Davy – Rise of the smart attack: Cyber crimes are becoming more organised and high-profile. Can security keep up?

9 Francis Maude – Shelter from the storm: The head of the cabinet’s cyber strategy unpacks the direction of travel for the UK

11 Steve Reed – Crime up, capacity down: The Labour shadow minister calls the government’s current strategy complacent about a growing threat

15 Peter Sommer – Behind the criminal mind: Hacking statistics must be considered within the context of motivation and outcome

18 Adrian Leppard – Fighting back against fraud: Educating the public will be critical if the police are to keep on top of Britain’s most costly crime

25 David Lacey – Ghosts in the machine: There is a real threat facing national infrastructure from sophisticated cyber terrorists

28 Anthony Browne – Beyond Butch Cassidy: What is the UK banking sector doing to fight back against cyber bank robbers?

29 Jo Bryce – Here be pirates? Rights holders say that illegal filesharing costs them millions, but consumers don’t consider it criminal

Picture teasers: Bigger, better hacks are the new norm; Online fraud is keeping police alert


THE OVERVIEW

Rise of the smart attack

Hacking has become an increasingly professional industry, with cybercrime reportedly costing the UK economy billions. Can protective technology fight back?

By Peter Davy

Cyber risks are now in the top three concerns for UK businesses. According to insurer Allianz’s annual “Risk Barometer” survey, worries over cybercrime, IT failures, espionage and data breaches are up significantly in the last year, to third from seventh place a year before. Globally it has also risen – to number five.

Partly, this is down to coverage of big attacks, admits Allianz Global Corporate & Specialty head of fidelity Nigel Pearson. From the hacking of Sony Pictures Entertainment, allegedly by North Korea (according to the FBI), to losses at US retailers such as Home Depot, where 56 million payment card details were exposed, cybercrime was rarely out of the news in 2014.

It was also the year of scares that came with fantastic sounding names such as Poodle, Shellshock and Heartbleed. Take into account the recent hacking of the Pentagon’s Twitter and YouTube accounts and networking giant Cisco Systems’ warnings that more than half of the websites affected by Heartbleed remain vulnerable nine months later, and there is little sign of that letting up in 2015.

But high-profile attacks and cyber’s prevalence on businesses’ risk registers are also a symptom of an everyday challenge.

In January, a survey for the British Retail Consortium showed most retailers reporting a rise in cyber-attacks.

More widely, Pearson points to The Information Security Breaches Survey published by the Department for Business, Innovation & Skills (BIS) last April. This showed 81 per cent of large organisations and 60 per cent of small businesses reporting a cyber breach in the last year.

“The simple fact is that organisations know they are having breaches,” he says. “It’s their own experience, as well as media coverage of some of the big attacks, that’s driving interest.”

In this context, the big stories are useful reminders of both the range of risks – from straightforward theft and fraud, to corporate espionage and “hacktivism” – as well as the difficulty of keeping intruders out for even the biggest companies.

A growing business

Part of the problem is that cyber criminals are increasingly organised. Recent years have seen a commercialisation of the cybercrime support industry, noted a report by EU police agency Europol’s European Cybercrime Centre in September. Those with technical expertise are offering “crime-as-a-service”, selling it on to enable those without to undertake more sophisticated attacks.

“Go back a few years and it was hobby hackers behind attacks, but with time they’ve realised they can specialise in one aspect and work with others specialising in others. It’s the traditional industrialisation of an industry,” explains Adrian Nish, head of cyber threat intelligence at defence and security group BAE Systems.

This is another reason why high profile attacks are worth keeping an eye on for everyone – particularly if they break new ground or exploit previously unknown vulnerabilities. As Richard Horne, cyber security partner at consultants PwC, says, “There is a criminal market in tools and techniques, so once a tool has been used in one attack it is typically available to others.”

The increasing sophistication of attacks has also coincided with other trends, Horne adds. First, there has been an increasing reliance on digital processes and a growing interconnectedness – take, for example, the rise of cloud computing and staff bringing their own devices, such as mobile phones and tablets, to work (the “bring your own device”, or BYOD, trend). This has seen a rise in the number of potential access points for attackers. At the same time, there is greater scope for mass breaches of customer data or other sensitive information due to the trend to digitise and consolidate information.

“It all means the potential impact in terms of the scale of breaches is growing,” summarises Horne.

The costs and economic impacts of cyber attacks vary widely, but the 2014 Global Report on the Cost of Cyber Crime, published by researchers at the Ponemon Institute in October, calculated the average annual cost of cybercrime to those surveyed in the UK was $5.93m (£3.90m). Overall, the Center for Strategic and International Studies put the annual cost to the UK economy in 2013 at 0.16 per cent of our annual GDP. This figure rockets up to 0.64 per cent of GDP in the US, and 1.6 per cent in Germany.

Picture caption – Poster child: the hack at Sony Pictures, which led to the cancelled release of The Interview, was one of several high-profile cyber scandals in 2014

An evolving risk

The threats are ever-changing. At a general level, new malware (viruses, trojans or worms) continues to proliferate, with monitoring firm PandaLabs recently stating that 227,747 new malware samples are released each day. Trends from previous years are likely to continue, such as attacks on payment systems that saw success with Home Depot and Target, among others. Likewise, nation states are predicted to continue and increase their activity, whether to disrupt business (as with Sony) or with espionage in mind.

Security experts are keen to highlight other areas as well. One is the rise in “ransomware”, which encrypts victims’ own data so criminals can demand payment to unlock it. The last year has seen victims targeted through hazardous adverts on big-name websites such as Yahoo and AOL, and the coming year may see ransomware developers target cloud storage services such as Dropbox and Google Drive, McAfee has warned.

The “internet of things”, meanwhile, has already had a scare from Heartbleed, with internet-connected printers, video-conferencing systems and even thermostats revealed to be vulnerable, as well as websites. IT group Gartner estimates that 4.9 billion connected things (whether domestic appliances, building security systems, cars or other devices) in use in 2015 will be 25 billion by 2020.

According to David Emm, principal security researcher at security software company Kaspersky Lab, the risks are only going to grow: “As more and more areas of our life have been computerised or made digital, that has increased the risk because it is another area that cyber criminals can go after.” Concerns and attacks will also continue to focus on a range of other areas, such as the use of the cloud and vulnerabilities caused by the continuing rise of BYOD.

Fighting back

Not all technological developments are working against businesses, though. Protection is also increasing in sophistication. Nish, for instance, notes that developments in big data, with computers able to scan and analyse ever-larger amounts of information, can help in the fight against crime. “It is extremely useful for detecting odd patterns of behaviour that might be a cyber attack,” he says.

The government is also putting effort into helping businesses stave off the threat. In January it announced a range of new measures including an update to its 10 Steps to Cyber Security guide for businesses and a new report detailing common cyber attacks against industry and how to stop them. It follows moves with its Cyber Essentials certification scheme, launched last June, for companies able to demonstrate they are taking specific steps to mitigate the risk of cyber breaches.

Longer-term, EU discussions also continue regarding the draft Network and Information Security directive that could introduce mandatory minimum security standards. While focused on critical sectors such as transport, energy and banking, it is likely to have a wider impact, according to Chris Forsyth, a partner in the London IP/IT practice of lawyers Freshfields Bruckhaus Deringer.

“Even though the directive will define entities to which the obligations apply, it will only be meaningful if they are obliged to flow through those obligations with their suppliers and contractors,” he explains.

In the meantime, though, the UK government has preferred voluntary approaches, encouraging businesses to improve and to share best practice. Initiatives among the banks and financial services industry to share information on attacks and risks are held up as models that could be followed.

More to do

The government argues this is all having some impact. The Department for Business, Innovation & Skills’ annual FTSE 350 Cyber Governance Health Check, published in January this year, shows increased awareness and action. However, concerns persist, particularly around smaller firms but also even among larger, more mature entities. The Bank of England, for instance, warned before Christmas that senior bank staff were still failing to take the threat of cyber attack seriously. According to those in Allianz’s survey, meanwhile, cyber risks were the most likely to be underestimated by their businesses.

So what can be done?

First, businesses should use the tools at their disposal to make it as hard as they can for attackers.

“It is the opposite of dating; they have to make themselves look as unattractive as possible,” says Steve Durbin, managing director of the Information Security Forum, a global not-for-profit organisation that provides members with information on how to deal with cyber risks.

That will include investing in technological defences and education for staff who are so often the weak link. It may also mean altering the very way business is done.

“It requires thinking about how your business operates and almost redesigning your processes to be securable,” says Horne. “For example, do you need to send the data to a third party? Do you need to give a third party access to your network, or could you collaborate using a cloud service and therefore not expose your network to someone else?”

More fundamentally, the lessons from high profile attacks are that even companies with the largest resources are not able to be entirely secure. A report for the Information Technology Faculty of chartered accountants group ICAEW last November supports the case that businesses are improving, addressing previous areas of weakness, including basics such as patch management, and becoming better at protecting against attacks. However, it also found cyber attackers were growing in sophistication faster.

“There is a growing gap between business capabilities and cyber attackers’ capabilities,” warns ICAEW’s head of IT faculty Richard Anning.

While businesses must do all they can to protect themselves, he says, a key part of the planning must also be to prepare for the worst and plan for what happens when attackers do get in. “You have to assume you are going to be compromised,” he says. As Durbin puts it, “It is not a case of if, but simply when.”

Peter Davy is a freelance writer


Would you stake your reputation?

In a world where more than 100,000 cyber attacks take place every day, it would be wise for chief executives to prepare for the worst

Until a few months ago, if someone said “Sony”, most people would think of televisions, films and cameras or (perhaps if you’re old enough) the iconic Walkman. Whatever first came to mind, it probably wasn’t hackers, flawed cyber security and damaged reputations. It probably is now.

In light of their recent major security breach, the name Sony now has sobering connotations for board members and chief officers. The consequences of not being fully prepared for a cyber attack have been revealed in many more ways than the global giant could ever have feared.

“When Sony Entertainment chief executive Michael Lynton said there is ‘no playbook’ for dealing with a cyber attack, he was right; you can’t do cyber security by numbers. But there does appear to be avoidable failings,” says Joe Jouhal, managing director of UK cyber security and forensic experts, Avatu.

“In the past, most organisations have concentrated on preventing a breach. But digging the moat and building the walls high is outmoded these days. The cyber threat landscape is much more severe, damaging and sophisticated now.” Jouhal believes that today, adversaries are at least as resourceful and creative as the defender, with the added benefit of secrecy and surprise. The attacker always has the first move, making penetration of the perimeter inevitable. He also points to the staggering number of cyber attacks taking place all the time. A report by PwC late last year put it at 117,339 a day.

“We’re kidding ourselves if we think we can stop anything and everything,” he says. “I certainly wouldn’t bet my reputation on it. And I’m amazed other people, some in very senior positions, still do.”

Denial is no longer an option. Jouhal says that a change of mindset is required to make businesses more resilient and better prepared.

“James Comey, the FBI chief, said there are two kinds of companies in the US: those who know they’ve been hacked, and those who’ve been hacked but don’t know it. I’m in no doubt the UK situation is similar.” It is important, therefore, that organisations face up to the reality of the situation, he adds. “An organisation that acknowledges a breach has probably already happened is more risk-savvy than one with a strategy based on keeping the marauding masses at bay.”

Despite some large organisations updating their approach, many organisations remain at real risk whether they know it or not, says Jouhal. “Everyone, absolutely everyone, has something worth stealing. If hackers come looking they will find something of value. According to a 2014 global study conducted by Hewlett-Packard and the Ponemon Institute, it takes organisations on average 170 days to discover they have been infected, and a further 45 days to remedy it.

Ultimately, prevention is important, but detection and response is absolutely critical, Jouhal says. “This is not a case of ‘what you don’t know won’t hurt you’. Ignorance is not bliss in the cyber security world. All it does is increase the chance of reputational damage, for chief officers and boards as individuals, and the company as a whole.”

Website: www.avatu.co.uk Phone: 01296 621121 Email: [email protected]


IN PARTNERSHIP WITH AVATU


Education is the best form of defence

Saïd Business School is forging ahead with innovative courses in cyber security capacity, designed for executives and managers

Forewarned is forearmed; education is one of the best ways to mitigate cyber risk. At the University of Oxford, Saïd Business School is leading the way. Cyber security is part of a core subject in the Oxford MBA and the Executive MBA programme, which is aimed at senior general managers. While it does not detract from the traditional essentials for an MBA, the school now considers cyber an essential element of the programme.

Rather than teaching executives to master technology, they can be given the tools to assess their position: in an electronically enabled environment, where do we look for risks, and what level of risk is acceptable? What questions should managers ask their technical and HR teams, and how do they recognise a good answer? How can managers develop strategic operations for the company that anticipate cyber risk? Building on the success of this model, Saïd is announcing a new programme for senior executives which will launch in June 2015 (www.sbs.oxford.edu/cyber).

Saïd’s commitment to a multi-disciplinary approach has already resulted in two large and continuing research programmes in this area: the Corporate Insider Threat Detection (CITD) project and the Global Cyber Security Capacity Centre. The CITD project, funded by the Centre for the Protection of National Infrastructure, is aimed at detecting and managing cyber threats from “insiders” (employees and others with legitimate access to corporate systems).

This multi-university project combines the expertise of computer scientists, psychologists, criminologists, visual analytics experts, as well as Saïd’s academics, to focus on the technical and non-technical aspects of managing cyber security, particularly at the board level. The business school’s Professor David Upton has been conducting surveys of senior executives, as well as writing case studies on companies around the world. The cases are not just descriptions of events, they capture the real dilemmas of real managers.

Working on a broader scale, the Capacity Centre is developing a global resource for cyber security capacity building. What makes a country “good” at cyber security, and how can this be improved? Directed by Professor Sadie Creese, in partnership with Professor Upton at the Business School and others, the Centre is funded by the Foreign and Commonwealth Office. It has created a holistic model, looking at cyber policy, cyber defence, responsible cyber culture, effective legal and regulatory frameworks, controlling risks through technology and processes and effective training for the workforce. The web portal is now online, and the team will be using its tools to evaluate countries around the world in the coming months.

Looking ahead, the Business School will develop new multi-disciplinary research programmes; for example, by extending and applying the Capacity Centre’s capability maturity model to individual enterprises. It will also continue to grow the set of high-quality teaching cases and teaching materials, so they can be taught throughout the world, in other business schools, university departments and companies. Combining cutting-edge research with innovative teaching, Saïd Business School is poised to become the pre-eminent destination for educating managers and executives in cyber security.


IN PARTNERSHIP WITH SAÏD BUSINESS SCHOOL


VIEW FROM GOVERNMENT

Shelter from the storm

The government’s cyber strategy is promising stronger US cooperation and hackathons that identify young talent

By Francis Maude

In the wake of the recent cyber attack on Sony Pictures, it was reported that staff had to unearth a long-abandoned machine from the basement so they could issue payslips to employees. Others had to resort to notebooks to carry on working; some were sent home altogether. The fact that one of the world’s largest and most powerful entertainment brands almost ground to a halt is testament to how completely the digital revolution has transformed the way we live and work.

Several nation states are actively seeking to exploit digital networks, but attacks like these can also come from organised criminals, terrorists, hackers or even an individual with a grudge. The threat is serious and growing, but the government is resolute in our determination to help keep the internet open, free and safe for businesses and individuals alike – all part of our long-term economic plan to ensure Britain is one of the safest places in the world to do business online.

Three years ago we laid out the first comprehensive national Cyber Security Strategy, backed by funding worth £860m. Committing such a large amount of new money at a time of economic restraint is a good indication of how highly cyber security ranks on our list of priorities.

Much of our investment has been directed at beefing up our security and law enforcement capabilities. We’ve established a National Cyber Crime Unit within the new National Crime Agency and launched a Computer Emergency Response Team, CERT-UK, with responsibility for coordinating our response to a national cyber incident.

Digital technology is constantly changing and no single organisation can keep up by working alone. Last year, we launched the Cyber Security Information Sharing Partnership, through which government and businesses can exchange information on threats and vulnerabilities – in real time. Over 800 organisations have joined already. The more partners that join, the more information that’s shared, the better the overall picture and the greater our collective resilience.

Cyberspace is a world with permeable borders. A single cyber-attack could be routed through servers hosted in dozens of different countries, and this requires an international response.

That’s why earlier this month David Cameron and President Obama agreed on cooperation between our two countries. This includes establishing a joint cyber cell on both sides of the Atlantic, so that UK and US cyber teams and intelligence and security agencies can share information about threats from common cyber adversaries. We will also conduct regular exercises to test the resilience of the most important networks in our two countries. The first will simulate an attack on banks in the City and on Wall Street; future exercises will test critical national infrastructure.

This cooperation extends to ensuring we have the right people with the right skills coming into the workforce. A new Fulbright Cyber Security Award programme will offer cyber research placements for up to six months in both the UK and the US, and a hackathon between universities in Cambridge, Massachusetts and Cambridge, England will pit the best of US and UK talent against each other with the aim of stimulating the next generation of cyber defenders.

Whenever I meet young people involved in cyber security, whether at university or working in apprenticeships or with start-up companies, I’m blown away by their ability and sheer brain power. Our cyber expertise is recognised around the world, particularly in America, where a long line of British computer scientists and digital entrepreneurs have made their mark, from Alan Turing and Tim Berners-Lee to Apple’s Jonathan Ive. This presents a massive opportunity for jobs and growth.

A number of UK-based cyber firms are already opening up offices in the US and we want others to follow in their footsteps. That’s why we’ve produced the first ever Cyber Exports Strategy. We aim to export £2bn worth of products and services worldwide annually by 2016. As part of this a new cyber security envoy has been appointed to help British small businesses and first-time exporters promote their business interests across the US. Our message is simple: UK firms are creative, talented, competitive and ready to work with you. This combination of ambition and partnership abroad, coupled with our continued vigilance online, will ensure the UK’s digital future is secure and prosperous, so we can continue to benefit from the many ways in which the internet is transforming our lives.

Francis Maude is Minister for the Cabinet Office and Paymaster General


The internet at a crossroads
As the world wide web becomes more regulated, we risk destroying a global forum for free exchange
By Stephen Bonner
SPONSORED BY KPMG

Possibly the one thing worse than finding out that a government has been spying on millions of citizens over the internet is the ramifications of those revelations.

Leaked US National Security Agency documents threw into sharp relief what a sophisticated intelligence organisation is capable of. These revelations exacerbate long-standing tensions between nations over the governance of the internet and how best to protect citizens and security interests.

European Commission officials have made their stance clear, seeking an internet model specific to Europe, operating under European legal principles and norms of behaviour. Already, our European networks may be splintering from the global internet with the European Union Court of Justice ruling, last May, that data subjects could request that search engines remove links to material that they feel is no longer relevant or outdated. There have been tens of thousands of requests to Google to “be forgotten”, and we will increasingly see different search results in Europe than elsewhere.

Whether we like it or not, the future of the internet is one of the state determining what citizens see. States will erect barriers to protect themselves against cyber security threats to their national internet, and will be tempted to control how data moves across national borders.

We risk a Balkanisation, which could destroy the internet as a global forum for the unfettered exchange of ideas, free speech and trade. A disparate hotchpotch of isolated internets operating under diverse regulatory regimes would force firms to replicate data centres, filter communications and change encryption architectures to meet different national requirements.

Global business must contribute to the growing international debate on internet governance, to drive both economic growth and human rights. Not a technical discussion for the International Telecommunications Union, but a socio-economic debate better suited for the likes of a G20 or WTO summit of global business leaders.

I firmly believe in increased data protection and enshrining an individual’s right to privacy. However, despite the best of intentions, laws can be complex, problematic and burdensome.

Cisco estimates that over the next 10 years, the potential value created or shifted by the adoption of the internet of things will be $14.4tn globally*. We risk legal structures suited for legacy technology, out of date and unfit for purpose.

We are already seeing a growing cyber insurance market as companies fear greater litigation by individuals affected by any data breach. And with a future of more connected devices and more sophisticated processing of data, who can fathom how these new technologies will play out and the privacy and surveillance issues they will generate?

The internet is at a crossroads. Now is the time for international collaboration to achieve the economic promise of the internet. If we get this wrong, we end up with a fragmented and economically inefficient internet which would do more harm than good and have an economic and social cost for everybody.

Stephen Bonner is a partner at KPMG in the UK cyber security practice

*Embracing the Internet of Everything to Capture Your Share of $14.4tn, 2013

“Now is the time for international collaboration”


VIEW FROM LABOUR

Crime up, capacity down
Cybercrime is rising, but our ability to tackle it is not. Why isn’t the current government doing more?
By Steve Reed

Online crime is growing at an unprecedented rate. Yet in January, when I asked the crime prevention minister Lynne Featherstone about the government’s approach to this form of crime, she replied that “up to now, cybercrime has been a lesser interest”. Later in the parliamentary session, when Conservative MP Karen Bradley was challenged about the low levels of prosecutions for online fraud, she explained that “cybercrime is a crime that we are getting to grips with”.

Cybercrime threatens everyone who uses the internet, and that’s nearly all of us. Her Majesty’s Inspectorate of Constabulary (HMIC) recently reported that only 3 out of 43 police forces across the country had a comprehensive strategy to tackle cybercrime, and that (on average) less than 2 per cent of police staff had taken up full training in responding to cybercrime, as offered by the National Cyber Capabilities Programme and the College of Policing.

With the government appearing uninterested in the problem, and the police left without the tools to tackle it, we are seeing online and cybercrime rise rapidly in this country. A slew of figures expose the mounting scale of the problem: between 2013 and 2014 online banking fraud went up by 71 per cent according to Financial Fraud Action, while e-commerce fraud went up by 23 per cent, card fraud up 15 per cent and remote banking fraud up by 59 per cent over the same period.

If these figures related to street robberies, burglaries or pickpocketing there’d be an outcry and a traditional Home Office crisis. Instead, hidden behind closed doors and with low priority, cybercrime is growing and the government isn’t responding.

In 2013 the Home Affairs Select Committee report on cybercrime said that “there appears to be a black hole where low-level e-crime is committed with impunity”, and rather than responding to the growing threat to the British public “at a time when fraud and e-crime is going up, the capability of the country to address it is going down”. The National Audit Office suggested that action is so slow it could take 20 years to develop the skills needed to respond effectively to cybercrime in this country.

Despite these warnings, a year later in 2014 HMIC found that “the gap between the threat and police capacity is widening”. The government has been warned repeatedly about the growing risk but it has looked the other way and crowed about other crime statistics that don’t accurately reflect card and online crime. The government is blind to the fact that crime is changing, not falling. It has moved online where criminals feel safer from detection and prosecution, and it’s growing fast.

Instead of complacency, we need a government that takes online crime seriously. More and more people shop online, bank online, socialise online and share personal information online. They are all at risk from cybercriminals and online fraudsters who are laughing in the face of government ministers who stand idly by as the criminals swindle billions of pounds from people and businesses every year.

Yvette Cooper, the Shadow Home Secretary, announced in 2012 that Labour would introduce a “Teach First” style programme to get the best maths and IT graduates into the police force. We need highly skilled graduates able to start closing the capability gap between the criminals and the police.

We also know it’s not good enough that police forces, stretched thin by government cuts, haven’t been in a position to train their officers to respond to modern crime and haven’t got strategies in place to deal with cybercrime. Labour has been pushing amendments to the Serious Crime Bill, in the teeth of Tory and Lib Dem opposition, to make sure that every police force has a strategy for cybercrime so that every citizen, wherever they live, can feel safe from the cybercriminals who are going undetected.

Crime has changed in this country: it’s moving into cyberspace. We need more effective national expertise to tackle it, and stronger international partnerships to combat this growing global phenomenon. I find it shocking to see Tory and Lib Dem ministers ignore the risk or pretend it’s all new to them when the truth is it’s been growing for years.

Cybercrime is a direct threat to our economy and the personal finances of millions of people who shop and bank online. We need a new government that recognises the threat and is prepared to act against it.

Steve Reed is Labour MP for Croydon North and a shadow home office minister


Looking beyond technology
People, processes, policy and culture are crucial elements of effective cyber security
IN PARTNERSHIP WITH TEMPLAR EXECUTIVES

Traditional cyber security defences such as anti-virus (AV) software and firewalls no longer possess the capabilities to protect our personal data against advanced threats. Indeed, even anti-virus company Symantec has declared that “AV is dead”. While traditional technologies are becoming redundant, threat patterns and behaviours are growing. Templar Executives, a team of cyber security experts, is uniquely placed to provide courses accredited by CESG (the information security arm of GCHQ) that can raise cyber resilience within organisations.

Andrew Fitzmaurice, chief executive of Templar Executives, believes “more sophisticated and coordinated attacks on the internet of things are on the horizon. Open-source codes, free and widely available, will also feature on threat analysts’ ‘watch-list’ as a source of data breaches. To withstand these threats, it is vital that organisations grow their cyber resilience.” He adds: “The best solution for businesses to protect their information will be to embed holistic cyber security. This encompasses people, processes, policy and culture supported by IT.”

Templar Executives’ unique all-encompassing approach provides cyber security training, advisory services and solutions to businesses and public organisations in order to mitigate financial, operational and reputational risks from internal and external cyber threats.

Three of its Cyber Academy courses (accredited by CESG) provide delegates with capabilities in leadership and governance, information risk management, and knowledge of best practice in social media and relevant data protection legislation. The three unique courses – Board-level Cyber Security for Senior Information Risk Owners (SIROs), Cyber Security for Information Asset Owners (IAOs), and Cyber Security Awareness – reflect the need for holistic cyber security by extending training from the boardroom all the way down to the shop floor. Each course focuses specifically upon a different level of business, and highlights the roles and responsibilities required to foster a culture that values and protects information.

“A survey of information security breaches by the Department for Business, Innovation & Skills highlights that people are the weakest links in the chain”, says Fitzmaurice. “It found that 58 per cent of large organisations and 22 per cent of small ones suffered staff-related security breaches in 2014. It is important for businesses to realise the need to be proactive, rather than reactive, in order to protect themselves against the coming years’ threats”. Courses provided by Templar Executives emphasise the important role that people play in cyber security, helping delegates to identify and protect their company’s core assets, understand risk appetite and identify proactive measures.

To build businesses’ cyber resilience, the government has launched the Tech Partnership Training Fund, which provides match funding for employers to stimulate increased investment in training and to support business growth and competitiveness. Funding opportunities are available for up to 50 per cent of the cost of training, subject to a maximum grant of £500 per learner. Templar Executives’ courses are eligible for this, providing businesses with the opportunity to build cyber maturity.

Telephone: (0)203 542 9079
Email: [email protected]
Website: www.templarexecs.com

“22 per cent of small organisations suffered staff-related breaches”


Re-thinking the rule book
Keeping SMEs and public services safe will require helping their leaders to manage their risks, not creating more technical frameworks
IN PARTNERSHIP WITH C3IA

The National Audit Office issued an update on the National Cyber Security Programme (NCSP) in September 2014. One of the key findings was that the programme struggled to communicate in a way that meets the needs of non-critical public services and small to medium-sized enterprises (SMEs). The common thread is that these organisations face persistent but less sophisticated threats.

Since the report, the Department for Business, Innovation & Skills has developed a number of resources, guides and standards to address these shortfalls, but their technical nature is not resonating with the intended audience and the multiple new standards are causing confusion and frustration.

Unfortunately, things are unlikely to get any clearer in the short term as another technical, measure-based cyber standard is planned, this one for companies wishing to do business with the UK Ministry of Defence.

One can only hope that its implementation is simpler and smoother than the Cyber Essentials Scheme, which has three different certification bodies using their own interpretation of the requirement.

Even the government departments whose supply chain Cyber Essentials was developed to protect are reportedly unaware of its purpose or implementation.

Such security standards, based predominantly on technical measures, are unlikely to meet the challenge of the public services market.

In our experience, most SMEs involved in this market lack the technical skill, budget and authority over their internal IT-based services to be able to implement all the controls that most standards demand.

Although the NCSP classes threats to SMEs as “less sophisticated” (compared to, say, an attack on national defence systems), “sophistication” is a relative term.

The effect of failure in information confidentiality, integrity, availability and non-repudiation (an increasingly important need to guarantee authenticity and validity) can be catastrophic for the service provider and service user alike. Success in the public services market will come from helping business leaders to manage their risk appetite within an environment they cannot control (the internet) – assessing the threat to their business in a way that is evidence-based, pragmatic, realistic and achievable.

Business owners need to be provided with options and solutions, with mitigation measures, rather than constant referral to insensitively applied rules.

Finally, SMEs need to be able to form trusted partnerships with security service providers with whom they can share their most sensitive risks.

The NCSP would do well to help organisations manage their risk appetite at an appropriate leadership level and operate securely through prioritised risk management, using a combination of technical, procedural and physical measures.

This requires non-technical, business-focused measures to play a greater part in the NCSP and the guidance it produces.

C3IA is a security and technical services SME with experience in secure systems engineering and information security
Telephone: (0)12 0272 1123
Email: [email protected]
Website: www.c3ia.co.uk

“Most SMEs lack the technical skills and budget to implement standardised controls”


Decoding the dark net
The visible internet reveals only a fraction of what actually exists, and there is plenty to be learnt from what we can’t see
IN PARTNERSHIP WITH DIGITAL ASSURANCE

The “dark net”, sometimes called the dark web, is a collection of hidden, virtual networks layered on top of the visible internet. Thousands of web servers and other types of system such as chat servers and mail servers are hosted within the dark net, and typically they are accessed by users running easy-to-use anonymity software such as Tor and I2P. Dark net servers are not normally indexed by search engines.

The primary objective of these systems is to provide anonymity to users accessing the sites in addition to hiding the location of the servers themselves, thus making any dark net hosted systems difficult to take down or associate with their operators.

The most well-known hidden service was probably The Silk Road (in its first iteration), a so-called “dark net market” which ran from 2011 through to late 2013 before being seized and shut down by US law enforcement authorities. The Silk Road turned over millions of US dollars in its relatively short lifetime. Today there are half a dozen significant dark net markets run by various anonymous operators and dozens of more minor markets. Over the last four years we estimate that approximately one billion US dollars has been transacted collectively by the markets. Nobody knows how many hidden servers are hosted in the various dark nets, but undoubtedly it is at least 10,000 – carrying a combination of web traffic, file transfers and file sharing traffic, voice and data messages and other types of data.

Digital Assurance has spent nearly two years studying and analysing all aspects of the dark net, its services, its users and those who operate some of the key hidden systems. One of our areas of study included the dark net markets, which are a group of largely self-policing, anonymous, eBay-like sites. In the overwhelming majority of cases, these markets prohibit products or services associated with taboo topics such as child abuse and services intended to cause direct physical harm. They do, however, allow access to illicit and prescription drugs, or fraudulent identity documents.

Our research indicates that, as of October 2014, the main dark-net markets were turning over around £20m per month (almost exclusively in Bitcoins) and that illicit drugs were by far the most popular products. There are approximately 2,500 dark net vendors who are relatively active, and probably around a thousand who have been active but appear to no longer be vending openly.

One of the most interesting findings was the scale of hacking and other electronic attacks that permeate the dark net. The majority of these attacks are aimed at dark net sites such as markets, rather than at the regular internet. Presumably this is because the rewards are potentially very high (in excess of 100 million dollars has been “stolen” in a variety of hacks or scams in the last 18 months alone).

Despite the relentless bad press that the dark net receives there is nonetheless a great opportunity afforded by dark net technologies for both individuals and commercial organisations to legally leverage. From securing remote workers to facilitating new routes to customers, there is much that we can take from the dark net to improve our own security. For instance, did you know that Facebook launched its first dark net site in November?

Digital Assurance, based in Westminster, can provide world-class advisory, consulting and technical services in all things dark net. Come in and see us some time.
Clear net: http://www.digitalassurance.com
Dark net: http://digitalass6qi2nt.onion

“Despite relentless bad press, the dark net affords great opportunities”


HACKS AND ATTACKS

Behind the criminal mind
How does a cyber attacker actually operate? A detailed knowledge of the target is just one of the requisite attributes
By Peter Sommer

Apparently plausible cyber-scare stories hit the national press at the rate of about two or three a month. There are reports of actual attacks, crimes and data breaches, alongside announcements and predictions from government officials, law enforcement, academics and, less plausibly, people wanting to sell security products and services. How do you evaluate them? How afraid should you be? For the media and marketers, it’s the scarier the better. But for your average person or business with systems to protect the question is: “How little do I have to do and still stay safe?” There are a few primary points to understand about how cyber attacks really work that can help to answer this question.

Our world is heavily dependent on reliable computer systems, communications and data. There is no longer any real distinction between our “cyber” selves and the rest of our lives. So our anxiety about cybercrime is fully justified. But bear in mind that most computer disasters (unintended or deliberate) are caused by poor design, inadequate testing, flawed upgrades, clumsy management and human error.

Most media reports of cyber incidents are, in the early stage, incomplete and inaccurate. When assessing a cybercrime incident, the mundane explanation is much more frequently true than the exotic. Most cyber-attackers use already-known methods. That tends to mean there are available detective, preventative and mitigating remedies – such as malware and intrusion detection software, firewalls and, for Distributed Denial of Service attacks that attempt to overwhelm a computer system and disable a service, facilities which can expand capacity.

Attacks often have a strong social engineering component, tricking the unwary user into downloading code which gives control to an external perpetrator. Never underestimate the possibility of the insider – a corrupted employee or an injected covert operative.

You need three things for a successful attack: first, code capable of delivering a payload (the harmful data within malware) so as to cause damage or open a backdoor for later exploitation; second, a means of getting it to your target without premature detection, and third, a detailed knowledge of your target. The more complex and sophisticated the targeted computer system, the more likely it is to have backups and recovery plans – and the more difficult it becomes for the attacker to acquire accurate and complete intelligence. In the case of Stuxnet, the famous computer virus discovered in 2010 that was aimed at slowing down Iranian nuclear centrifuge development, the research had to include testing weaknesses in how the centrifuges worked.

A weapon, including cyber weaponry, is not merely something destructive. The deployer wants certainty not only of success, but that the outcomes do not create unwanted damage to either themselves or their allies. The real danger of a major attack is that the results get out of control – cascading into other systems with unpredictable consequences.

Cyber attacks don’t take place simply because someone has the technical capability. There is nearly always a motive and an ambition – to get publicity for a cause, to send a warning signal to an opponent of future action, to promote disruption, to raise funds via extortion – and only sometimes to cause real damage. The ambitions are best understood in a wider political context – history, ideology, religion, disputes over land and access to resources.

Which brings us to the problems of attribution. Disguising the source of an attack is trivially easy because at any one time there are, worldwide, millions of poorly-secured computers which can be taken over and from which an attack can be made to appear. Even the more sophisticated test – “this attack code has specific characteristics” – can be unreliable as hackers borrow code from each other. Attribution has to include motivation, and that makes it an art as much as science. Be wary of any near-instant attribution which is over-confident and “definitive”.

Statistics need careful scrutiny. How do you define an “attack”? An email purportedly from a bank you have never heard of asking you to “update your details” is technically an attempted fraud equivalent to the value of what’s in your bank accounts – except that you ignore it. But what is the threshold that makes us call it an attack? Do we count malware that is routinely thrown out by anti-virus software?

Cyber attacks and cybercrimes are real enough, but the person who has to devise a security policy, whether for a nation state, a business or for personal use, needs a strong dose of sobriety.

Professor Peter Sommer is an academic working in public policy and as an expert witness (www.pmsommer.com)


Balancing freedom and security
With greater interconnectivity comes greater risks, and that means taking responsibility not only for ourselves but for others, too
IN PARTNERSHIP WITH DEEP-SECURE

Cyber security experts have predicted that by 2025 we will have witnessed a significant cyber security attack that will result in loss of life and property amounting to billions of dollars. Heartbleed and Shellshock are two recent examples of how security bugs in software can have large and costly consequences.

Newton Lee, author of Counter Terrorism and Cyber Security: Total Information Awareness, observed that increasing global interconnectivity means that “everyone shares the responsibility of securing cyberspace”. The advantages of our modern world being so interconnected are immense, and it appears nothing will slow it down. However, the electronic advantages we all enjoy introduce a familiar juxtaposition: the balance between freedom and security.

Dwight D Eisenhower once reflected: “If you want total security, go to prison. There you are fed, clothed, given medical care and so on. The only thing lacking... is freedom.” We have been in the cyber security business long enough to know that our customers need both security and freedom. Security means assurance, and freedom means the ability to safely achieve the cost, speed and operational efficiencies that interconnectivity offers.

As computing platforms proliferate, high value data that has previously been partitioned will increasingly be brought together in the cloud. This is going to make it more challenging for security professionals to isolate and protect critical data and systems.

The good news for organisations that require such protection is that when they choose Deep-Secure, they are choosing products that give them the ability to balance the needs of security and freedom – an approach lacking in the design of many other cyber security solutions that don’t consider business protection in this way.

Preparing for a cyber war

At the core of our products is defence. But are we in the midst of a cyber war? Perhaps it is more a battle of wit and will to gain, by subversion and deception, the opportunity to cause chaos and disruption. The cyber war could be, as has been suggested, a new arms race. But does that mean we should only be looking out for our own best interests? Certainly not.

The character of Kambei Shimada, while speaking in the 1954 Japanese film Seven Samurai, said that fighting a battle doesn’t just mean thinking selfishly. “This is the nature of war,” he explained. “By protecting others you save yourself. If you only think of yourself you’ll only destroy yourself.”

As Newton Lee observes, and NATO itself has said, we are all responsible for safeguarding not just ourselves, but defending the assets of our suppliers, partners, employees, customers and their entire supply chains – if we do that then we all benefit.

If you want to be amongst those businesses that use the power of the internet and interconnected systems to move your business forward, and to maintain the control, security and confidentiality of your information assets, why not call Deep-Secure and ask how we can help you?
Telephone: (0)168 4892 831
Email: [email protected]
Website: www.deep-secure.com


Keeping up with the times

Looking backward shows how far technology has come, and how many new threats have been generated as a result

In early November 2002, a group of information security professionals gathered in Petersfield, East Hampshire, for a pizza lunch. By the time lunch was finished, Trusted Management (TML) was born. Since TML’s inception, the way technologies are used and the impact that this has on security have also changed.

So what have been some of the biggest shifts in the past 12 years?

Dial-up access to the internet, originally achieved using modems and telephone networks, has been replaced by the much faster broadband. Computing power has increased dramatically during TML’s time, but along with that performance gain has come a dramatic fall in computer price and more widespread usage.

Today’s smartphone or tablet computer could only be conceived of (but not built) in 2002, and the smartphone has as much, if not more, power than the PCs available in 2002.

Looking across to the field of information and cyber security, a lot of software technologies developed and in use around 2002 are still with us, and many of them are still giving us major headaches. In fact, a lot of software found in various operating systems has been around for a very long time, and as a result was not necessarily coded with security in mind.

Some of the newer “convenience” devices that have developed – such as the USB flash drive – can be a source of malware. Email is another good example of a modern tool for carrying malicious material. Regular staff awareness events or poster campaigns are a must to educate against these threats. Sometimes this malware can lie in the most unexpected of modern technologies: even (would you believe it) in e-cigarettes, which have been traced to malware outbreaks when charged from a USB port.

This raises the issue of staff bringing their own electronic devices into work and whether there is a formal acceptable use policy that covers company facilities.

Part of TML’s offering is undertaking IT and information security reviews, and we find that in many instances we could almost have written the report before entering a client’s premises. Typical findings include: out-of-date software or applications outside of vendor support, staff with system administrator rights on their own PC or with more access rights than their company role requires, applications using default passwords, and system documentation that has not been properly maintained.

It is a wonder that more serious security breaches haven’t occurred. It could be, of course, that companies don’t know they have been breached, and this is where we come into the picture. A detailed review of an IT operation by TML can identify weaknesses not just in the IT infrastructure and systems, but in the way that it is managed.

What makes our approach different? We get to know companies upfront, rather than simply jumping in with a “standard” review. It is this true understanding of the value of a company’s information assets that will define our approach to security.

Peter Wenham is a founder of Trusted Management
Website: www.trusted-management.com
Telephone: (0)147 3834 980
Email: [email protected]

IN PARTNERSHIP WITH TRUSTED MANAGEMENT


CYBER POLICING

Fighting back against fraud

Fraud is the country’s most costly crime, yet few know how to stay safe online. That must change, says London’s police commissioner

By Adrian Leppard

Photo caption: Out in force: police officers disrupt thousands of websites a month to prevent online criminal activity

A 2013 report on the internet habits of the UK claimed that we spend an average of 43 hours online each month. This will only have increased since, and it now seems that every purchase we make is either researched or bought online.

The principles of an open and free internet have created a level playing field for all, but this goes for criminals as well, who have exploited technology to not only make vast sums of money but also evade law enforcement.

These criminals are organised, with the British Retail Consortium estimating that 59 per cent of retail fraud is committed by organised groups. The technology enables criminal gangs, as well as anyone with an internet connection, to target individuals, businesses or governments without ever having to show their face.

Contrast this with the fraud investigator who has to traverse, decipher and decode multiple cultural and legal systems in an attempt to catch criminals without the traditional tools of CCTV, forensics or crime scene analysis.

Fraud is estimated to cost our economy a total of £30bn, making it far and away the most financially costly crime (without considering the emotional impact). This equates to £500 lost by every citizen in the UK.

Ask a room of people who has been a victim of burglary, and a small percentage will put their hand up. Ask them if they have been the victim of online fraud and nearly all will raise their hand. But how many will report the fraud compared to the burglary? More than half of fraud involves an online element.

While the vast majority of crime has continued to fall over the last 10 years, reported fraud increased by 60 per cent in the five years between 2007/08 and 2013 (according to the British Crime Survey).

This increase is partly down to better reporting and awareness, with the introduction of a national fraud reporting centre, Action Fraud, but it is without doubt that the rise in crime prevalence is real. And it is growing in both financial cost and complexity.

Despite this, the number of fraud investigators has remained the same, with approximately 1,500 across England and Wales. With 850,000 reports to Action Fraud last financial year (2013-14) alone, it is clear that with the current budget constraints policing cannot keep up with the demand.

Individuals, businesses and governments need to do more to protect and prevent online fraud and cybercrime. For example, there is still no legal or regulatory compulsion for businesses, including banks, to report fraud. This is part of the reason why it is estimated that 80 per cent of fraud goes unreported. That’s potentially millions of crimes that face no investigation, and therefore no prosecution and no subsequent intelligence to utilise. It means that fraud investigators are working in the dark. If we can understand the scale and complexities better, then we can help shape the response in terms of investigation and prevention.

Despite the enormity of the task at hand, the UK is in a good position to be at the forefront of tackling cybercrime. Police forces, government and the public and private sector are operating in ever closer alliance, sharing information and resources globally to disrupt and dismantle the networks attempting to exploit the internet for criminal capital.

My officers disrupt 3,000 websites, phone systems and bank accounts a month to help prevent fraud against governments, businesses and individuals. We have estimated that the City of London Police alone is preventing the loss of approximately £500m a year through our disruption and enforcement work. But while some businesses recognise the threat posed by cybercrime, such recognition is not universal or widespread.

Large businesses and institutions are required to report cyber attacks, yet there is still no regulatory standard that could prevent them becoming a victim in the first place. Law-enforcement agencies are becoming increasingly successful at targeting the most serious offenders. However, the scale of the challenge is so large that “prevention” (helping businesses and individuals protect themselves) is the only long-term way of combating the escalating threat.

I have been calling for a national campaign to educate all on the risks of cyber-enabled fraud. Everyone knows how to protect their home, but few know how to protect themselves from malware or phishing scams. There is a wealth of advice already available, but until we all understand the steps we need to take to stay safe, the dangers will persist.

This means reaching into schools, businesses and individuals’ lives to help them understand the online world in far greater detail.

We already release fraud alerts through the Action Fraud neighbourhood alerts scheme, telling people about the latest scams and how to prevent becoming a victim. Over 200,000 people are signed up and this is growing.

It is by talking directly and plainly to the public, and reacting to emerging threats, that we will be able to empower people to spot fraudsters and prevent crimes that can destroy lives and damage businesses.

Adrian Leppard is the commissioner of the City of London Police


Don’t be an easy target

Most security breaches occur where the armour is weakest: people. Here’s how businesses can ensure they are less vulnerable

By Bill Walker

Hardly a day goes by where there is not something in the news about cyber security, the latest victims and the measures taken to mop up the damage. Despite this, many companies still do not pay much attention to cyber security issues within their own business. Cyber security is often wrongly dismissed as something that is only a concern for IT departments. So long as there are security protocols and firewalls in place, many company directors assume their business is safe from attack. This isn’t the case.

Social engineering

Some 51 per cent of the worst security breaches in 2014 were caused by staff.* Without adequate training, staff are the biggest security risk. They download files that contain malware, they lend out passwords, and can even be manipulated into providing sensitive information – a tactic known as social engineering. Even the most advanced security systems can be bypassed if attackers are able to obtain information such as staff login details, so you can’t solely depend on technical solutions for protection.

Why it’s vital to educate staff

When it comes to cyber security, there is not a one-size-fits-all training programme. Every organisation faces different threats depending on the nature of their business and its systems. Staff need to be educated on the specific threats they may face. By staff we mean everyone, including outside suppliers with access to internal systems.

Education cannot be a one-off, tick-box exercise. It must be a continuous process, with comprehensive training for new starters (including temporary staff) and regular refresher sessions for permanent staff. The best way to accomplish this is to develop unique training programmes tailored exactly to the needs and risks of the business.

Continuous learning can reduce the threat

At QA, we have the breadth and expertise to create and deliver the learning solution you need. You can have confidence in our programmes because we’ve delivered training to SMEs, two-thirds of the FTSE 100, and to local and central government bodies. Our cyber security trainers have a combined industry experience of over 300 years and ensure smooth transitions back to work through post-course support. Learning becomes convenient because of our easy-to-reach centres in nationwide locations. QA’s options ensure a flexible and quality learning experience. We offer:

• Cyber security training courses and certifications: these are comprised of topical seminars, over 50 technical courses on the latest products, and courses to prepare for leading cyber security certifications;
• Bespoke e-learning programmes: providing a combination of informative videos and interactive questions to ensure the user fully understands and complies with the company security policy;
• QA Executive Master’s – an MSc in Cyber Security: this is a unique, part-time master’s degree specifically designed for IT professionals, to ensure your security measures are one step ahead of the hackers.

Is it possible to stop all breaches? Unfortunately not. But when faced with robust security, criminals are more likely to move on and look for an easy target. Make sure your business isn’t that easy target.

Bill Walker is the technical director and cyber security specialist at QA

Website: www.qa.com/NScybersecurity
Email: [email protected]
Telephone: (0)845 757 3888

*Information Security Breaches Survey, Department for Business, Industry and Skills. Survey conducted by PwC (2014)

IN PARTNERSHIP WITH QA


Benefiting from Cyber Essentials

Cyber security starts with addressing what you can predict, and anticipating what you cannot

Cyber security risks are perceived to be unpredictable, a perception fed by media coverage of the latest major cyber attacks affecting large companies. However, if these attacks are examined more closely, more often than not the root cause of a successful attack was that cyber defences did not cover all vulnerabilities in the affected company’s IT systems. Many cyber attackers opportunistically exploit commonly known vulnerabilities in weak IT systems. That means some incidents could have been predicted and avoided, had the organisations in question taken steps to identify and address them.

Dealing with the predictable

The government has recognised this, and in July 2014 introduced the Cyber Essentials Scheme to provide all organisations with a basic framework of measures that can be put in place to deal with the predictable aspects of cyber security risk. So what are some of these cyber essentials?

First is boundary firewall and internet gateway controls, which ensure that vulnerable systems are protected behind securely managed network firewalls, thereby denying internet-based hackers easy access to IT systems.

Second is secure configuration controls, which ensure that internet-facing systems are configured to provide only the services required for fulfilling their role.

Third is user access controls, which minimise the opportunity for hackers to gain network access using an insecure privileged, inactive or default account. Fourth is malware protection, which reduces an attacker’s chances of deploying viruses on the company network through e-mail or web phishing, and fifth is patch management, which ensures that the correct software patches are applied to any vulnerable systems in the minimum amount of time.

While by no means a silver bullet against all cyber attacks, an organisation that follows the scheme can gain some comfort that it could be resilient against common, opportunistic attackers.

Coping with the unpredictable

Following a scheme such as Cyber Essentials allows a company time to focus on coping with the unpredictable side of cyber security, including targeted cyber attacks. The key is to be prepared for what you can’t predict. So what are some tips?

Identify the company information or systems that could have value to a cyber criminal, and might therefore be targeted in an attack. This could include personal information, intellectual property, or payment systems. Use this information to further bolster security measures in these areas. Maintain employees’ security awareness to keep them sharp and on the alert for potential security breaches. Attackers often target employees directly as a means of gaining access to IT systems. Draw up and practise a plan to deal with cyber attacks when they occur. Knowing exactly what to do in the event of an attack puts you back in control of the situation and in a strong position to reduce the impact of the attack on the business.

Lastly, consider cyber insurance to provide support and cover financial losses in the event of an attack. Cyber insurance providers often reduce their premiums for Cyber Essentials certified companies.

Contact us for more information on how to follow the Cyber Essentials Scheme
Telephone: (0)203 7286 555
Email: [email protected]
Website: www.csriskmanagement.co.uk/cyberessentials
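The five Cyber Essentials controls described in this piece, together with the typical review findings named in the Trusted Management piece (unsupported software, excess administrator rights, default passwords), can be expressed as checks run over an asset inventory. The following is an added example, not code from the supplement, CS Risk Management or Trusted Management; the host records, the role-to-service map, the 14-day patch window and the 90-day inactivity threshold are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Account:
    name: str
    is_admin: bool
    default_password: bool
    last_login: date | None   # None means the account has never been used

@dataclass
class Host:
    name: str
    role: str
    internet_facing: bool
    listening_ports: set[int]
    inbound_allow: list[tuple[str, int]]   # (source CIDR, destination port)
    accounts: list[Account]
    antimalware_enabled: bool
    last_patched: date

# Services each role legitimately needs to expose (assumption for this example).
ROLE_SERVICES = {"web": {443}, "mail": {25, 587}, "workstation": set()}
PATCH_WINDOW_DAYS = 14   # assumed maximum age of the last patch run before flagging
INACTIVE_DAYS = 90       # assumed threshold after which an account counts as inactive
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def check_firewall(h: Host) -> list[str]:
    """Control 1, boundary firewall: an internet-facing host must not admit
    traffic from any source on a port its role does not require."""
    if not h.internet_facing:
        return []
    needed = ROLE_SERVICES.get(h.role, set())
    return [f"{h.name}: rule allows {src} -> port {port}, not required by role '{h.role}'"
            for src, port in h.inbound_allow if src in ANY_SOURCE and port not in needed]

def check_configuration(h: Host) -> list[str]:
    """Control 2, secure configuration: only the services the role needs should listen."""
    extra = sorted(h.listening_ports - ROLE_SERVICES.get(h.role, set()))
    return [f"{h.name}: service on port {p} exceeds role '{h.role}'" for p in extra]

def check_access(h: Host, today: date) -> list[str]:
    """Control 3, user access: flag default credentials, administrator rights on a
    workstation, and accounts that have not been used within INACTIVE_DAYS."""
    out: list[str] = []
    for a in h.accounts:
        if a.default_password:
            out.append(f"{h.name}: account '{a.name}' still uses a default password")
        if a.is_admin and h.role == "workstation":
            out.append(f"{h.name}: account '{a.name}' has administrator rights on a workstation")
        if a.last_login is None or (today - a.last_login).days > INACTIVE_DAYS:
            out.append(f"{h.name}: account '{a.name}' inactive for more than {INACTIVE_DAYS} days")
    return out

def check_malware(h: Host) -> list[str]:
    """Control 4, malware protection: must be enabled on every host."""
    return [] if h.antimalware_enabled else [f"{h.name}: anti-malware protection disabled"]

def check_patching(h: Host, today: date) -> list[str]:
    """Control 5, patch management: the last patch run must fall inside the window."""
    age = (today - h.last_patched).days
    if age <= PATCH_WINDOW_DAYS:
        return []
    return [f"{h.name}: last patched {age} days ago (window is {PATCH_WINDOW_DAYS} days)"]

def assess(hosts: list[Host], today: date) -> dict[str, list[str]]:
    """Run all five controls over the inventory; findings are keyed by control."""
    findings: dict[str, list[str]] = {
        "firewall": [], "configuration": [], "access": [], "malware": [], "patching": []}
    for h in hosts:
        findings["firewall"] += check_firewall(h)
        findings["configuration"] += check_configuration(h)
        findings["access"] += check_access(h, today)
        findings["malware"] += check_malware(h)
        findings["patching"] += check_patching(h, today)
    return findings

# Constructed sample inventory (not real hosts): a web server exposing remote desktop
# to the internet with a default admin password, and a workstation where a user has
# admin rights, a temp account has gone stale and anti-malware is switched off.
TODAY = date(2015, 2, 6)
SAMPLE_HOSTS = [
    Host("web01", "web", True, {443, 3389},
         [("0.0.0.0/0", 443), ("0.0.0.0/0", 3389), ("10.0.0.0/8", 22)],
         [Account("admin", True, True, date(2015, 2, 1))], True, date(2015, 1, 10)),
    Host("ws17", "workstation", False, set(), [],
         [Account("jsmith", True, False, date(2015, 2, 5)),
          Account("temp", False, False, date(2014, 9, 1))],
         False, date(2015, 2, 3)),
]

if __name__ == "__main__":
    for control, items in assess(SAMPLE_HOSTS, TODAY).items():
        print(f"[{control}]", *items, sep="\n  ")
```

Each finding names the host, the control and the specific item, which is the level of detail a reviewer needs to hand back to the asset owner.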

IN PARTNERSHIP WITH CS RISK MANAGEMENT


Putting strength to the test

The best way to understand your security weaknesses is to simulate an attack. But how do you do this safely?

Penetration testing is the process of identifying exploitable vulnerabilities and security deficiencies. In its most simple form, it is an attack on digital systems, business processes and people, with the intention of identifying security weaknesses. Penetration tests target three main areas. First is people. You need to understand how aware your employees are about the safety of the business. Manipulating people is often the fastest route for accessing highly sensitive information.

Second, process: how can the processes within a business be manipulated? For example, testing the staff joiners, movers and leavers process may show where excessive privileges are granted, giving a user access to information systems that they should not have.

Third, technology: whether it be your contact database or your firewall, it is wise to check the level of security it offers. Is it the right level for the type of information that it holds?

So when it comes to choosing a testing firm, what should you look for? We would say two things. First, talent. With every penetration test, you should be engaging with highly skilled and experienced professionals who have the right tools to carry out the testing. A penetration test is not without its risks – things will break, and alarms will go off – so they need to know what they are doing.

Second, ensure a clear agreement. The team you hire should have a test plan so you know the order in which alarms will go off. They should have rules of engagement so you know which alarms will go off, and which should not. Finally, they should have a reporting plan to ensure you will receive the content you need.

There are different ways to run a penetration test. The best approach will depend on budget, available staff, time, number of systems or applications, compliance requirements, regulatory controls and information sensitivity. So what are the different types? There is the “white box”, where the testing team has full access to the target environment. Commonly, they will have been supplied with network diagrams, and have access to hardware, the operating system, build documentation and application details. The significant advantage is that this accelerates the process and returns far more accurate results. A “grey box” test simulates an attack from a trusted insider, with the testing team using appropriate user-level privileges and user accounts to access systems. This type of test is perfect for targeting information systems, applications and network devices. In a “black box” test, the team simulates an external attack. This is the truest representation of a hacker attacking your systems, but is also the most expensive.

Finally, don’t forget to follow your gut. If you find yourself not trusting either the integrity or the capability of the test team, it is best to walk away.

If you need help or advice, call (0)161 850 3901 and we will happily help you get the most from your penetration test.

www.hedgehogsecurity.co.uk


IN PARTNERSHIP WITH HEDGEHOG SECURITY


Caught without a code

Most of us are ignorant of the hazards of technology – and there is no equivalent of the “highway code” to guide us

The younger generation has grown up with a lifetime of trust in hand-held devices and intelligent environments. Our personal cyber security risk now extends across all aspects of our lives: in our homes, during our travel, and in our schools and workplaces.

When the motorcar was invented, a man walked in front of it with a red flag and its speed was limited for safety reasons. As technology and legislation have advanced, the perceived risk in travelling on a modern road has fallen. This is partly because every UK driver has to pass a test and adhere to clear rules and controls if they wish to drive on a public road.

As yet, there is no Highway Code equivalent for using a computer or other device on a network, and the majority of us are relatively blind to the risks as we zip around the virtual landscape. We can buy anti-virus software and firewalls, but few understand them, or know what is good or bad.

Without a code, we are left to apply our own judgments on what is safe and appropriate. In fact, many give no thought at all to this, or just assume that manufacturers and internet providers have safeguards “built in”.

While to a degree individuals can get away with blissful ignorance as the risk radius is relatively small, companies have a broader responsibility to their employers, customers and communities. While it’s the reputational harm to high profile brands and individuals that most often makes the news, companies should be aware that malicious attacks can see their intellectual property stolen, their privacy compromised and their assets damaged.

Codes are emerging throughout the industrialised world, and in the UK we have the Cyber Essentials scheme. This is a minimum layer of controls for risk mitigation. For many types of central government contracts this is mandatory, and it is being encouraged for local government and related agency contracts. It is also being adopted and built upon throughout the supply chains of the largest companies in the UK and the world. Cyber Essentials will likely be the future for all companies working in and supplying to the UK. The National Cyber Skills Centre was set up in 2013 to raise awareness of cyber risk, to promote adoption of Cyber Essentials, and to provide employers with a cost-effective and credible series of awareness and knowledge development courses.

Can we insure against cyber risks in the same way as other business risks? In short, this is an emerging area and the UK is following the lead of America. But with certainty, it is those with appropriate controls, governance and policies to address the threats that will get the lowest premiums, and those without may be uninsurable. Cyber security is a risk that may become very expensive, if not impossible, to buy a way out of.

Prof Richard Benham is a professor of cyber security management and Dr Stephen Wright is general manager at the National Cyber Skills Centre
Email: [email protected]
Website: www.cyberskillscentre.com


IN PARTNERSHIP WITH THE NATIONAL CYBER SKILLS CENTRE


Insuring against cyber breaches

Although cyber insurance is still in its infancy, businesses should consider it just as they would consider protection from a fire or a flood

Cyber-attacks, data breaches and hacking incidents are often in the headlines and can cost businesses millions. Yet until recently, very few businesses in the UK have considered insuring against such risks.

Those who have realised how dependent they are upon data and electronic communication are now looking at ways to minimise their exposure to risk. Clearly, prevention is better than a cure, so improving cyber security, staff training and working towards certifications such as Cyber Essentials all reduce the likelihood of a cyber incident. However, as with traditional business risks, insurance is available to mitigate the costs in case the worst should happen.

Historically, businesses have insured their equipment against timeless risks such as fire and flood, so it is no surprise that cyber insurance can be a strange concept to understand. What exactly is “cyber”, and how do you put a value to something as intangible as data?

There is the temptation for directors to throw responsibility for cyber issues at the IT staff, ignoring the fact that a cyber breach could be more catastrophic than a fire. This is not helped by the fact that cyber insurance in the UK is still in its infancy, which means that many insurance brokers struggle to understand it themselves and won’t therefore discuss it with policy holders. When it comes to coverage, there is a growing range of policies available. Some are comprehensive, offering essential post-incident support, while others are flimsy to say the least. A good policy can offer the following:

• Cover for accidental and malicious breaches;
• Cover for internal and external causes;
• Cover for breaches to own data and third party data;
• IT support to restore systems;
• Legal support and costs;
• Crisis management consultants;
• Payment of fines and penalties;
• Payment of ransoms;
• Cover for social media, libel, slander and copyright issues;
• Cover for paper data;
• Cover for phone hacks;
• Cover for lost income;
• Cover for breaches at outsourced service providers;
• Cover for injury and physical damage resulting from a breach;
• Cover for costs of notifying data subjects of a breach;
• Breach notification services.

When one considers the wide range of potential breaches a business could suffer – from accidentally leaving a smartphone on the train to a deliberate malicious criminal attack – along with the potential costs in terms of professional support, litigation, lost income and reputational damage, it is surprising that cyber insurance is regularly overlooked as an area for investment.

And a new development in this field is that some organisations now insist businesses in their supply chain have cyber insurance. They reason that if one business is working with another, there is potential for accidental or deliberate data breaches, such as contaminated emails.

If cyber insurance is in place then it can be claimed against by the third party which has suffered the breach.

Some of the most expensive breaches in 2014 came via the supply chain, because criminals are taking advantage of the fact that we are all electronically connected.

If your business uses electronic systems and handles data, then you are at risk and should consider speaking to a specialist broker about adding cyber insurance to your insurance portfolio.

Duncan Sutcliffe is director at Sutcliffe & Co Insurance Brokers
Website: www.sutcliffeinsurance.co.uk
Phone number: 01905 21681

IN PARTNERSHIP WITH SUTCLIFFE & CO.


CYBER TERRORISM

Ghosts in the machine

Fitting new security to old systems takes time, making a cyber terror-attack on critical national infrastructure a real and dangerous possibility

By David Lacey

Photo caption: Smoke and mirrors: our industrial plants were not designed with sophisticated cyber threats in mind

What should we make of the threat of cyber terrorism? Should we prepare for a catastrophic meltdown of critical services along the lines of a James Bond film? Or are we overblowing the threat, just as with the infamous Y2K bug? You have to look hard to find signs of impending doom – but the evidence is there if you examine the trends.

In 2007, for example, the Estonian government’s online services were hit by a Denial of Service attack (the kind designed to cripple a network for its users), prompting an expansion of NATO’s cyber capability. Since then we’ve seen large scale thefts of payment card data and reports of intrusions into Western government systems, generally blamed on Chinese hackers. We had the Stuxnet computer worm attack on an Iranian nuclear enrichment laboratory in 2010, which showed that even the most protected environment can be penetrated by a determined adversary. More recently we’ve seen threats to Sony’s business interest, which paradoxically boosted their online sales.

None of this activity raises eyebrows or causes sleepless nights for the majority of citizens. Yet governments have elevated cyber security to the top of the security agenda. If the threat is so high, why are we not experiencing major catastrophes? We could assume it’s because our critical national infrastructure is well protected against intrusions. Or perhaps it’s because there is no one out there sufficiently capable and motivated to launch a damaging attack. But is this true?

At first sight it would seem reasonable to imagine that our critical infrastructure is secure. After all, it is run by reputable companies and overseen by responsible regulators. But today’s threats are sophisticated, defined by attackers who are able to research, find and exploit an unknown weakness in a system – or who have the money to buy this on the black market.

The most sophisticated attacks are termed “advanced persistent threats”. These attacks are designed to bypass the most commonly used security products, exploiting unpublished flaws in IT products and flying through anti-virus scanners. Manipulating a user into downloading malicious code will invoke a sophisticated framework of software modules, each designed to carry out a specific task, such as inspecting the software environment, installing back doors, searching for files, stealing credentials, transmitting stolen data, or taking over the control of a target system.

Measured against this, our current cyber defences are arguably outdated and ineffective. And the situation is not improving. The reason for this is simple: security comes at a cost and takes time to establish. Unfortunately, it’s time we can’t spare.

The underlying problem is that the systems that deliver our critical national services were not designed to deflect attacks of the scale and sophistication of today’s cyber threats. It’s not surprising, as security solutions always lag behind identified problems. It can take months to develop a fix to a newly discovered flaw, and longer for companies to find and fund the resources to implement the fix.

Retrofitting security measures to old systems is far from easy. It’s often prohibitively expensive, and sometimes plain impossible to achieve. And changes are not helped by the industry’s tendency to outsource the management of outdated systems to low-cost service providers. Contracts with third parties can present a major complication and barrier to change.

It is only logical that businesses will prefer to make money, rather than spend it. As such, many businesses only spend on security when their arms are twisted by regulators.

But compliance is a poor motivator, encouraging a tick-box response rather than an effective strategy. Compliance can also discourage innovation by promoting well-established practices over novel solutions.

Dangerously, it also breeds a monoculture of identical security measures, which aids the attacker, who only has to test a new attack vector against a limited set of defensive technologies. It can take years for industries to discover a new form of attack. Security managers refer to the time taken to detect intrusions as the “dwell time”. Even top companies struggle to get this time down to under a month.

We must assume that there will always be more covert intrusions taking place in the UK than those we know about, and many of them will be targeted at our critical national infrastructure, especially the SCADA (supervisory control and data acquisition) systems that run the industrial plants that control our supply of oil, gas, electricity and water.

These systems have become progressively more extended and powerful. Unfortunately, they have not become more secure. Many are already open to attack, especially through exploits of “zero-day” (undiscovered) vulnerabilities.

SCADA technology has been hacked over and over again since the day it was first introduced in the 1980s, generally without any major catastrophe or publicity. But the potential for damage remains, and it is the big plants that are generally the easiest to destroy because heavy machinery can generate big power surges.

Other essential services in the government, financial and retail sectors are similarly vulnerable to a sophisticated cyber terrorist attack.

This has been repeatedly demonstrated by the growing number of reported data breaches. If you can steal the data, you can also cripple the services.

The potential therefore exists for a massive, coordinated attack on critical national infrastructure.

This exposure will not go away, nor be adequately countered by business-as-usual security efforts. It will continue to grow with the increasing availability of knowledge and attack tools put to use by would-be attackers.

What are some of the other challeng-es that we face in the battle against big cybercrime? Speed and agility are the keys to survival and success in a net-worked society, but you’ll see little ref-erence to these in contemporary cyber security standards.

Similarly, there is a lack of emphasis on the new technical skills needed to defend complex, networked infrastructures. Ex-ecutive boards need to become comfort-able with the fact that it’s better to have a team of computer geeks defending busi-ness assets than an executive in a suit set-ting out a strategy.

The long term is even scarier, epito-mised by the internet of things, a world in which sensors and devices can be ac-cessed by citizens through the World Wide Web.

Just as we rushed to exploit the original internet with nothing more than obscuri-ty for our security, so we are just as likely to embrace a world in which privacy, se-curity and safety take a back seat to satisfy our thirst for consumerism, technology and convenience.

What’s missing is the big incident: the wake-up call that irrevocably alters our perception and demands an absolute re-sponse. Today it is fairly easy to envisage the toxic blend of capability and motiva-tion in the form of jihadists and rogue states and where that might lead us.

In the past, young hackers may have been driven into the arms of organised crime by hard-nosed law enforcement authorities. Instead we should seek them out, and persuade them to use their tal-ents for the good of society, before their loyalties are hijacked by those who would do harm to others. Governments posture but do not possess the skills, resources or determination to fix the problem. They promote eye-catching initiatives such as competitions and war games, rather than attempt to dismantle the barriers to deci-sive security action.

Just as 9/11 transformed our counter terrorism effort, you can bet that a ma-jor cyber terrorist attack would change our complacency. The inescapable fact is that attacks, not common sense, are what drive forward innovation in the world of cyber security. lDavid Lacey is a cyber security consultant and writer for Computer Weekly

A team of computer geeks is better at defending businesses than a suit

with a strategy


Smart systems, smarter security

Bournemouth University's new Cyber Security Unit is using cyber simulations to create better information architecture

IN PARTNERSHIP WITH BOURNEMOUTH UNIVERSITY CYBER SECURITY UNIT

FBI Director James Comey is often quoted as saying: "there are two kinds of big companies in the United States. There are those who've been hacked…and those who don't know they've been hacked."

Recent high-profile cyber intrusions into major companies demonstrate that they can affect us all. The cost of such breaches, as estimated by the Ponemon Institute, averaged $8.6m per US company in 2014.

Unfortunately, recent hacks have demonstrated that too many executives only realise the full impact of a cyber breach after suffering the indignity of security failure, reputational and financial losses, the legal ramifications of a data protection failure, and the subsequent erosion and loss of trust. It is a matter of corporate risk, the cost of doing business, but do we really understand its impact?

Our information assets are often valued more highly by external parties, criminals, ex-employees and the curious hacker than by ourselves. No matter how good our boundary security mechanisms become, the fundamental problem is that technical systems follow their programmed rules and people don't. It is this weakness that is persistently exploited, exposing insecurities in any system that interfaces people to machines.

In this insecure cyber world, we need to acknowledge that our systems have been, and are being, penetrated. We need to design systems that are tolerant of insider threats, and understand the impact of data breaches on our business, customers, supply chain and brand image.

We need to be assured of how our information flows, and the data transit pathways that it takes. We need to know where, and by whom, our critical data is stored and retrieved.

We also need more innovation in education, creating appropriate NQF level 4-7 degrees that create and build human capacity in security and associated professions. The investment needs to be substantial and sustained to address the complex issues of assuring the modern socio-technical systems that form the infrastructure of e-commerce and cyberspace. More effort is needed by governments, companies and individuals to become resilient to cyber intrusion and better educated about cyber exploitation and data protection.

We need better enforcement of compliance and security controls, and better cooperation in breach reporting, e-discovery and digital investigations.

Bournemouth University's new Cyber Security Unit (BUCSU) is discovering new exploitation risks through synthetic cyber simulations, digitally investigating offensive cyber network attacks in order to create more assured architectures for information processing, storage and transmission.

The BUCSU addresses the growing skills shortage with its new framework of MSc and BSc degree programmes, creating a 10-year, job-retention-through-education programme that focuses on skills training and core competencies, supporting UK Skills Councils' apprenticeships and developing student placements.

For more information on knowledge exchange, education and security assurance consultancy, contact:
Dr Christopher Richardson
Telephone: (0)120 2966 670
Website: www.bucsu.bournemouth.ac.uk
Email: [email protected]


THREAT TO BANKING

Beyond Butch Cassidy

From major simulation exercises to new technology, the British banking industry is working to keep on top of cyber robbers

By Anthony Browne

The way we bank is being radically changed by technology. The take-up of online banking, for example, has been huge, with people in the UK moving a billion pounds a day online. The number of mobile apps being downloaded is doubling each year. This is great news for customers and businesses, who now have more ways to do their banking than ever before.

For the tech-savvy customer, new ways of banking have made life easier. The downside is that, in parallel, tech-savvy criminals now have new and different ways in which to try to steal your cash.

Just as some aspects of banking, such as postal orders, are steadily becoming a thing of the past, so too are former staples of financial crime, such as bank robberies. There were just 89 bank robberies in the UK last year, compared to 693 two decades before: a fall of nearly 90 per cent.

If Butch Cassidy and the Sundance Kid were alive today, they would more likely be tricking people into sending them money out of their accounts through a boiler room than telling people to "stick 'em up" in the wild west.

So as criminals work out new ways to get their hands on people's money, the banks are working to build new defences in order to keep that money safe. The government estimates that the banking industry spends more than £700m a year fighting cyber criminals.

This investment goes towards researching, developing and launching new technology. One of the most well-known examples has been the introduction of chip and PIN, which has reduced card fraud. Anti-virus and browser technology helps keep your online account safe, and most banks require you to tap extra security details into a separate authentication device when you make a new payment to someone through your online account.

As banks strengthen their systems, criminals increasingly target what they see as the weak link in the chain: the customers. This criminality often takes place through "social engineering", such as trying to befriend people online or on the phone and attempting to trick them into parting with their money. Done by email this is known as phishing; done over the phone, vishing. Our latest consumer research has found that over eight million people could be susceptible to these sorts of scam.

So what are banks doing to address this? One method is offering "self-protect" prevention advice through the banks' own websites and through bodies such as the BBA. We recently developed an information campaign called "Know Fraud No Fraud" which outlines the "eight things your bank will never do", such as asking you to transfer your life savings into a new "safe" account.

But it's not just individual customers who are being targeted. The UK banking industry itself is regularly targeted by hacktivists, criminal gangs and even the governments of other countries. Many are looking to expropriate funds, to stop the banks' systems from working or to steal valuable customer data. As geopolitical tensions grow, so too does the threat we face.

The London banking centre is one of the biggest targets. Thankfully, due to the hard work of the banks, law enforcement agencies and the UK government, we are also one of the countries best prepared to withstand these attacks.

The Bank of England is taking this very seriously; indeed, it has run a number of "war games" simulating what a major attack might look like, known as the Waking Shark exercises. The industry is working closely with the National Cyber Crime Unit and the UK's new computer emergency response team (CERT-UK) to develop responses to the latest threats. The BBA is also about to launch a new Financial Crime Alert Service that will allow government bodies, law enforcement agencies and financial institutions to share intelligence.

The fight against crime is not a new one, but banks are increasingly finding themselves on the front line. There are now tens of thousands of people working in banking whose job it is to fight crime on a daily basis.

We won't always be able to stop every cyber-attacker and scammer, but we can work hard to make sure we're putting these modern Butch Cassidys out of business.

Anthony Browne has been chief executive of the British Bankers' Association since 2012
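The separate authentication device mentioned above is only worth the inconvenience because the code it produces is bound to the payment the customer keyed into it: malware that quietly changes the payee or the amount in the browser cannot reuse the code for its own transfer. The following is an added illustration, not code from the BBA or from any bank. It builds a transaction-bound confirmation code from HMAC-SHA256 over a per-device counter and the payment fields, truncates it to digits as RFC 4226 does for HOTP, and checks it the way a bank's server would. The fixed field widths, the eight-digit code, the five-step counter window and the sample key and payment are all assumptions made for the example.

```python
"""Transaction-bound confirmation codes: what a separate authentication
device shows the customer, and how the bank checks it.

Added illustration, not the code of any bank or of the BBA. The code is an
HMAC-SHA256 over a per-device counter plus the payment fields keyed into the
device, truncated to digits as in RFC 4226. The fixed field widths, the
eight-digit code, the five-step counter window and the sample key and
payment below are assumptions made for this example.
"""
import hashlib
import hmac
import struct


def transaction_challenge(sort_code: str, account: str, amount_pence: int) -> bytes:
    """Canonical bytes for the payment fields the customer keys into the device.

    Formatting is stripped, so "12-34-56" and "123456" encode identically,
    and every field has a fixed width, so concatenation is unambiguous.
    """
    sort_code = sort_code.replace("-", "").replace(" ", "")
    account = account.replace(" ", "")
    if not (sort_code.isdigit() and len(sort_code) == 6):
        raise ValueError("sort code must be six digits")
    if not (account.isdigit() and len(account) == 8):
        raise ValueError("account number must be eight digits")
    if amount_pence < 0:
        raise ValueError("amount must not be negative")
    return sort_code.encode() + account.encode() + struct.pack(">Q", amount_pence)


def confirmation_code(device_key: bytes, counter: int, sort_code: str,
                      account: str, amount_pence: int, digits: int = 8) -> str:
    """The digits the device displays for this counter value and payment."""
    message = struct.pack(">Q", counter) + transaction_challenge(sort_code, account, amount_pence)
    mac = hmac.new(device_key, message, hashlib.sha256).digest()
    # Dynamic truncation, RFC 4226 section 5.3: take four bytes at an offset
    # given by the last nibble, clear the top bit, reduce to `digits` digits.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class BankVerifier:
    """Server side: holds the device key and the next expected counter."""

    def __init__(self, device_key: bytes, window: int = 5):
        self.device_key = device_key
        self.next_counter = 0
        self.window = window  # tolerate codes that were generated but never submitted

    def verify(self, code: str, sort_code: str, account: str, amount_pence: int) -> bool:
        """Recompute the code from the payment the bank is being asked to make.

        A payee or amount altered in the browser after the customer keyed the
        real values into the device produces a different message, so no
        counter in the window matches and the payment is refused.
        """
        for counter in range(self.next_counter, self.next_counter + self.window):
            expected = confirmation_code(self.device_key, counter, sort_code, account, amount_pence)
            if hmac.compare_digest(expected, code):
                self.next_counter = counter + 1  # a counter is never accepted twice
                return True
        return False


def demo() -> dict:
    """Constructed scenario: a genuine payment, a replay and two tampered submissions."""
    device_key = hashlib.sha256(b"constructed device secret, not a real key").digest()
    bank = BankVerifier(device_key)
    sort_code, account, amount = "12-34-56", "12345678", 25000  # GBP 250.00 in pence

    results = {}
    code = confirmation_code(device_key, 0, sort_code, account, amount)
    results["genuine_payment"] = bank.verify(code, sort_code, account, amount)
    results["replayed_code"] = bank.verify(code, sort_code, account, amount)

    # Man-in-the-browser: the customer keyed in 12345678 and GBP 250, but the
    # browser submits the attacker's account, or a larger amount.
    code = confirmation_code(device_key, 1, sort_code, account, amount)
    results["payee_swapped"] = bank.verify(code, sort_code, "87654321", amount)
    results["amount_raised"] = bank.verify(code, sort_code, account, 250000)
    # The untampered submission with that same code still goes through.
    results["genuine_after_tampering"] = bank.verify(code, sort_code, account, amount)
    return results


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:24} {'accepted' if accepted else 'rejected'}")
```

The point the scenario makes is that the server never trusts the browser's copy of the payment: it recomputes the code from the fields it is about to act on, so a code is only ever valid for the payee and amount the customer physically typed into the device, and the advancing counter stops a captured code being submitted twice.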


ILLEGAL FILESHARING

Here be pirates?

Businesses claim filesharing costs millions, yet many people don't consider it a cybercrime. Dialogue between rights holders and consumers is needed

By Jo Bryce

[Photo: Pirate Bay co-founders Neij and Sunde]

The arrest of Hans Fredrik Lennart Neij, a co-founder of the Pirate Bay, last year returned the question of filesharing as a cybercrime to the spotlight. Despite the difficulties of establishing its prevalence and its economic impacts, there is evidence that filesharing is widespread (British Phonographic Industry research from 2010 suggests that 29 per cent of UK consumers engage in music filesharing) and costly to the industries involved. For example, it has been estimated that the UK music industry loses £180m annually, and the film and TV industry £152m, as a result. At the global level, it has been estimated that the economic losses associated with the filesharing of software, music and films range between $30bn and $75bn, and that this will increase to $240bn by 2015.

A variety of legal, regulatory and educational strategies have been implemented, which aim to change consumer attitudes and reduce levels of engagement. The focus of these awareness messages has been on communicating the economic impacts, and the legal and ethical status, of filesharing. However, it is difficult to measure and evaluate how effective they have been.

A related question is how ordinary people view filesharing, and whether those who engage in the behaviour see themselves as cybercriminals. Downloading a file without the rights holder's permission infringes their copyright, and means that the holder could bring a civil claim against the individual. It is treated as a cybercrime in academic literature and government discourse, yet it is not a criminal offence unless the individual is involved in large-scale distribution of infringing material for financial gain.

Empirical research has attempted to identify barriers to reducing levels of filesharing, and in particular consumer attitudes and beliefs. However, the majority of this research does not actively talk to consumers about their opinions and experiences. There have been a small number of qualitative studies taking this approach, which suggest that many perceive filesharing to be a relatively normalised and everyday behaviour. It also appears that "raising awareness" of the unethical nature of filesharing is not the issue: many are aware that filesharing is regarded as unethical consumer behaviour by policy makers and the industries involved, but do not view such claims as justified.

It is interesting that many have developed clear justifications for rationalising their behaviour. These focus on challenging the claimed ethical status of the behaviour and its economic impacts, as well as industry profits and the changing patterns of consumption associated with the internet.

A central issue that is often overlooked in debates about filesharing is consumer trust in rights holders and policy makers themselves. This relates to the validity of claims about prevalence and economic impacts, as well as industry profits and the lack of transparency in the calculation of lost revenue. There are arguments that challenge the costs claimed by the entertainment industry, and the assumptions on which they are based. For instance, the "lost sale" argument assumes that every film or music track downloaded would otherwise have been purchased legitimately. However, there is evidence that many consumers who download would not buy the legitimate version, were that their only option.

These arguments are used by those who engage in filesharing to justify their behaviour and to defer responsibility to the industry and government. This suggests the need to consider mechanisms for increasing transparency and building consumer trust as part of filesharing reduction strategies. While consumer attitudes and justifications may not be acceptable or defensible to the industries or policy makers involved, they are, nevertheless, beliefs which shape consumer behaviour. Effective strategies for challenging them must engage sufficiently with consumer concerns and justifications, and address the lack of consumer trust which represents a significant barrier to the effectiveness of any strategy for addressing the issue.

Dr Jo Bryce is the director of the Cyberspace Research Unit at the School of Psychology at the University of Central Lancashire


Building the immune system

Cyber security is not just about preventing attacks, but managing them when they happen

By Gerhard Knecht

IN PARTNERSHIP WITH UNISYS

This year, organisations will find it more "normal" than ever to be hacked, as common as catching a cold. Just like the human immune system, organisations are constantly under attack from bugs and viruses. Staying healthy means businesses will need to build an immune system.

That will not mean just building a tough line of defence to keep attackers on the outside (in other words, preventing the illness). It also means managing threats and security events when they occur, just as the human immune system has learnt to deal with viruses. It is about how well you recover from a security breach and how quickly you counter the threat, not just how you prevent it in the first place.

This year will see a proliferation of malware that is tailored for specific organisations, hard-coded for their particular environment, so that it can go undetected for days or even weeks. For example, in the Sony Pictures attack at the end of 2014, malware was tailored to spread via the company's server infrastructure, and sat in its network for a lengthy period before the attack was triggered.

Like the common cold, cyber threats mutate and multiply into reorganised versions of previous strains. According to McAfee Labs, they do so at a rate of 65,000 new pieces of malware every day. Where hackers can get in, they will. With so many threats on the horizon, the trick is to be prepared to recover from attacks as quickly as possible.

However, budgets are not infinite and it's a fallacy to think that more money will automatically be allocated to IT security as threats grow. With so many areas open to attack, organisations need to assess risk and justify where to spend money. More importantly, they need to justify where not to spend money.

It is important to do this, and there will be plenty of cyber attack advisers sharing their "I told you so" stories. Some security professionals are now using qualitative capability maturity models (CMMs) and risk models to prove, in the event of a breach, that they have spent the available money wisely.

Many businesses feel they can't fully trust anyone any more. This can be mitigated by safeguarding their network using the right technology, as well as by proactively identifying intruders, whether external or internal, through advanced forensics and analytics. These can raise the alarm early and send alerts to those responsible for IT, data or network assets. The class of tooling that collects this evidence from across the estate, correlates it and raises the alerts is known as security information and event management (SIEM).

There are dozens of ways of doing this, but the most cost-efficient is to combine the solutions that have already been implemented (such as anti-virus and firewalls) into a comprehensive, organisation-wide detection sensor. If these connections are made correctly, businesses can have a holistic view of their IT operations, so as to detect and address most security incidents or events that might constitute a threat.

Dr Gerhard Knecht is head of global security services and compliance at Unisys
Look out for Unisys' latest Security Index findings this summer at www.UnisysSecurityIndex.com
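What "combining the solutions that have already been implemented" means in practice is a correlation rule that joins events from sensors which never talk to each other. The following is an added example, not Unisys code: it normalises constructed anti-virus, firewall and VPN log lines into one time-ordered event stream, joins the anti-virus agent's hostname to the firewall's IP address through a small asset inventory, and raises an alert when a failed malware clean-up is followed by blocked outbound traffic from the same machine, or when a run of failed VPN logins from one address is followed by a success. The log formats, hostnames, addresses, inventory, thresholds and time windows are all assumptions for the illustration.

```python
"""Joining sensors a business already has into one detection stream, the
way a SIEM does.

Added example, not Unisys code. The anti-virus, firewall and VPN log
formats, the hostnames and addresses, and the asset inventory below are
constructed for the illustration; real products log differently, so the
parser and the join would need adapting to them.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs, "source|timestamp key=value ...". Deliberately out
# of time order: events arrive from many sources and must be sorted first.
SAMPLE_LOGS = """\
av|2015-02-06T09:12:01 host=ws-017 user=jsmith action=quarantine_failed threat=Trojan.GenericKD
fw|2015-02-06T10:30:00 src=10.0.5.42 dst=198.51.100.23 dport=443 action=allow
fw|2015-02-06T09:13:40 src=10.0.5.17 dst=198.51.100.23 dport=4444 action=deny
fw|2015-02-06T09:14:10 src=10.0.5.17 dst=198.51.100.23 dport=4444 action=deny
vpn|2015-02-06T22:01:05 user=jsmith src=203.0.113.9 result=fail
vpn|2015-02-06T22:01:11 user=jsmith src=203.0.113.9 result=fail
vpn|2015-02-06T22:01:19 user=jsmith src=203.0.113.9 result=fail
vpn|2015-02-06T22:01:40 user=jsmith src=203.0.113.9 result=success
"""

# Constructed asset inventory. The anti-virus agent logs a hostname and the
# firewall logs an address, so the key that joins them has to be supplied.
ASSETS = {"ws-017": "10.0.5.17", "ws-042": "10.0.5.42"}

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """One log line to a flat event dict with a parsed timestamp."""
    source, raw = line.split("|", 1)
    stamp, _, rest = raw.partition(" ")
    event = dict(KEY_VALUE.findall(rest))
    event["source"] = source
    event["ts"] = datetime.fromisoformat(stamp)
    return event


def normalise(event: dict, assets: dict) -> dict:
    """Give every event the same join key, host_ip, whatever the sensor logged."""
    if event["source"] == "av":
        event["host_ip"] = assets.get(event.get("host"))
    elif event["source"] == "fw":
        event["host_ip"] = event.get("src")
    return event


def correlate(logs: str, assets: dict,
              beacon_window: timedelta = timedelta(minutes=15),
              guess_window: timedelta = timedelta(minutes=5),
              guess_threshold: int = 3) -> list:
    """Two cross-source rules over the merged, time-sorted event stream."""
    events = sorted((normalise(parse_line(line), assets)
                     for line in logs.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    failed_cleanups = []                # anti-virus events that may be followed up
    already_alerted = set()             # one alert per failed clean-up, not per packet
    failed_logins = defaultdict(list)   # (user, src) -> timestamps of failures

    for event in events:
        if event["source"] == "av" and event.get("action") == "quarantine_failed":
            failed_cleanups.append(event)
        elif event["source"] == "fw" and event.get("action") == "deny":
            # Rule 1: malware the anti-virus could not remove is trying to get out.
            for av in failed_cleanups:
                key = (av["host"], av["ts"])
                if (av["host_ip"] == event["host_ip"] and key not in already_alerted
                        and timedelta(0) <= event["ts"] - av["ts"] <= beacon_window):
                    already_alerted.add(key)
                    alerts.append({"rule": "av_cleanup_failed_then_outbound_denied",
                                   "host": av["host"], "threat": av["threat"],
                                   "dst": f"{event['dst']}:{event['dport']}",
                                   "ts": event["ts"]})
        elif event["source"] == "vpn":
            # Rule 2: a run of failed logins, then a success, from one address.
            who = (event["user"], event["src"])
            if event["result"] == "fail":
                failed_logins[who].append(event["ts"])
            elif event["result"] == "success":
                recent = [t for t in failed_logins[who] if event["ts"] - t <= guess_window]
                if len(recent) >= guess_threshold:
                    alerts.append({"rule": "vpn_password_guessing_then_success",
                                   "user": event["user"], "src": event["src"],
                                   "failures": len(recent), "ts": event["ts"]})
                failed_logins[who].clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, ASSETS):
        print(alert)
```

Neither sensor on its own says anything alarming: the anti-virus product merely failed to quarantine a file, and the firewall merely dropped a connection. Run the same logs with an empty asset inventory and the first rule goes silent, which is the practical lesson of "connections done correctly": the join key between sensors, here hostname to address, is what turns two routine log lines into an incident.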


Not just fences and firewalls

Building bigger barriers doesn't mean more security; we should be looking instead at employee behaviour

IN PARTNERSHIP WITH ATKINS

A security breach can have very significant impacts on the economic wellbeing of an organisation, and ultimately on its "value". Recent hacks of major companies such as Sony, eBay and the US retailer Target highlight the ever-growing threat to assets and reputation.

What do we mean when we say value? An organisation's value is an accumulation of its assets, whether those assets are its brand, its intellectual property, the information and intelligence it relies on to run its business, or its physical assets. Security breaches lead to asset values diminishing, either through theft or damage. Damage to brand and the theft of information can be some of the most costly consequences of a breach, and some of the most difficult to repair.

Many of the recent high-profile security breaches have their origin in failures to comply with policy, or in behavioural issues with staff. Vulnerabilities in an organisation's security largely arise from the behaviour of its people. Memory sticks, password sharing and bring-your-own-device policies are just some of the challenges to assuring that physical and information assets are secure.

The traditional approach to protecting physical and information assets has been prohibition: putting in place a rigorous system of physical and electronic barriers to protect the crown jewels. Organisations have responded to bigger threats by building bigger barriers, higher fences and more complex firewalls, trying to repel malevolent actors seeking to gain access.

For a time this sufficed, and in general terms those who are threatened have been able to stay ahead. However, in a world where threats are ever more sophisticated, and vulnerability is increasingly difficult to mitigate, it is no longer sufficient simply to build more and bigger barriers.

If an organisation wants to minimise the risk of security breaches and potential loss, it needs a clear understanding of the risks hidden in its employees' behaviour. By way of example, some staff may think that it is OK to use a memory stick in the company laptop, or to share passwords with colleagues. If security is not designed in at the start, in a way that lets employees comply easily, it creates an overhead that makes it even more difficult for people to do their day job. This only encourages staff to seek ingenious new shortcuts for bypassing security.

Surveying staff in order to understand their concerns is one way to come to terms with where security may be getting in the way of employees doing their job, particularly if that survey is anonymous. The survey can be combined with a structured interview process to create a rich picture of the strengths and weaknesses of the organisation's security. The way to gain the deepest understanding of employee risk is to use an approach that incorporates an assessment of employees' awareness, and of their confidence in how secure their current habits are. This is a powerful tool by which to establish where the real behavioural risks exist.

Andrew Cooke is a security director at Atkins
Website: www.atkinsglobal.com/security
Email: [email protected]
Telephone: (0)207 1212 000


Security starts at the top

The single most effective step a company can take against cybercrime is educating its senior board

IN PARTNERSHIP WITH PGI CYBER ACADEMY

Let us say you are the chief executive of an international corporation worth millions of pounds, and your next board-assigned objective is to enter two exciting, opportunity-filled markets in the next six months. Or perhaps you own a small online business, and are thinking of expanding. Then it happens: you get hacked. You lose money and invaluable data. Then you get dragged into lawsuits and, perhaps most importantly, you lose credibility in front of your customers.

There is a high chance that in either scenario you did not see the hack coming. Corporations and SMEs alike get hacked on a daily basis.

Public interest in cyber security is at a high point; indeed, it has rarely left the news during the past year. The data thefts, blackmail and denial-of-service attacks on Sony Pictures Entertainment had ominous consequences: people saw their personal details leaked online, and a major film premiere was cancelled. We've seen Syrian and Ukrainian combatants use cyber tactics, and social media sites used to promote terrorist activities.

Large-scale cyber thefts of money and data continued unabated. Cybercrime is currently doing economic damage to individual businesses. Relentless and systemic campaigns use ransomware, personal and financial information theft and other cyber-enabled fraud. This transfer of routine criminal activity from the physical to the online world will continue.

But how can you protect your company from an opponent you know so little about? At the PGI Cyber Academy in Bristol, the only facility of its calibre in Europe, we help leaders and managers of organisations grasp the issues through our world-class Executive Cyber Awareness course. Designed for executives and senior managers with a non-IT background, this two-day immersive course will enable them to understand the mindset of cyber criminals and what needs to be done to mitigate cyber security risks.

At PGI, we also provide cyber security services to clients across all sectors, from government, police, FTSE 100 companies and critical infrastructure to SMEs. We train executives, IT staff and cyber security teams. We test and evaluate systems, and provide protective monitoring and incident response. We analyse and report on threats, while studying human factors and risks.

The relative immaturity of corporate knowledge about cyber threats and the damage they can do to businesses has already taken a massive toll. In our experience, the single most effective step a company can take towards cyber security is for its executive board to spend a few hours discussing the threat and mitigation measures in language that everyone can understand, while considering the opportunities that improved cyber security brings. Our internationally recognised team is at your disposal for a discussion, so feel free to contact us.

Website: www.pgitl.com/our-capability/cyber
Telephone: (0)20 7887 2699
Email: [email protected]
For press information, contact Ruxandra Gheordunescu
Telephone: (0)774 9124 359
Email: [email protected]
