Recently I seem unable to avoid reading material on security risks associated with the use of technology. It is certainly a good thing that the topic has a growing profile as that can positively drive upward awareness of the risks. However, I do worry that many articles only tend to articulate the risks and remain silent on the potential benefits arising from technology enabling our lives. Writing about the dangerous downsides of how easily Internet of Things (IoT) context devices can be hacked will definitely get attention. This is fine if we also gain the value of people being more aware and then engaging on an informed basis with technology and related information security risks.
I noticed recently that the New York Stock Exchange (NYSE) had sponsored and circulated a publication called Navigating The Digital Age: The Definitive Cybersecurity Guide (for Directors & Officers) to every NYSE listed company board member. This was produced in partnership with Palo Alto Networks and a wide and impressive range of contributing writers and organisations. I found it an excellent read. What I particularly liked was the recognition clearly conveyed that people as much as technology (or process) are at the heart of both the information security threat and the defences. The need to educate both the consumers of technology enabled solutions and those operating and defending them was well articulated.
The criticality of all of us being aware of the risks to our data and the steps we can take to mitigate them is becoming clearer to most people. The publicity around corporate hacks like Sony and the recent press around the cyber “front” in the current challenging situation in the Middle East are hard to avoid. However, in recent weeks the questions I have been asked most often around information security have been related to stories on many and various IoT devices that have allegedly proved vulnerable to hacking. People have raised many concerns with me on a wide range of devices from connected car systems to house alarms to healthcare wearables to pacemakers. I remember reading, but annoyingly cannot now find, an article which used the term “Internet of Nosey Things” in its discussion of the type and value of data involved.
Indeed the ISACA 2015 Risk Reward Barometer declared that its 7000+ contributors saw IoT as being the prime area of information security concern. The survey reported that over 70% of respondents saw a medium to high likelihood of attack via such devices either in the consumer or in corporate context as they become more common in the workplace. This concern is then compounded by the (ISC)2 Global Information Security Workforce Study 2015 which forecasts that we will simply not have enough security skilled people in the workforce to provide adequate defences. They see the gap being as many as 1.5 million security workers too few by 2020.
If that forecast proves true then we need to have placed information security at the centre our technology design process. In fact if you look at the automation and machine to machine implications of IoT then we clearly have to ensure our defences are not operator dependent. The imperative to automate defences is nicely highlighted by the HP Cyber Security Report 2015. This is a sobering read of results from interviewing 252 companies in 7 countries. What particularly stood out in the material is that the time to recover from a cyber-attack has risen from 14 days in 2010 to 46 days in 2015; that the number of successful attacks reported has risen by 46% since 2012; and that the average cost of cybercrime per participating company was $7.7m.
So having started saying I was wary of scare mongering articles on information security I have now drifted towards the negative perspective. It is quite hard to avoid when considering this topic I fear. As the benefit delivered by technology is huge and alluring so does it comes risk and as ever some people don’t see a problem with acting illegally to make money. In that sense this challenge is nothing new and we have a good track record across many societies of working out how to protect ourselves (eventually?!) from such threats.
Perhaps we do indeed need a digital age Magna Carta or its mirror incarnations across the globe. The content of this updated Magna Carta was built on the input of over 30,000 people having begun as an initiative focused on school children. The British Library site hosting the debate has lots of other excellent material worth reviewing. The good news is that the debate is still open as to what this digital age Magna Carta should state. Why don’t you go and place your vote?
Images via Shutterstock,com.
Like many of us I tend to notice articles flagging up the next big skills set demand wave. Recently an article caught my eye proclaiming that now is the time to have cyber security skills. A recent study called Global Information Security Workforce 2015 released by (ISC)2 reports that there will be an estimated 1.5 million people too few with skills in this key area. The study has been conducted annually since 2004 reporting a workforce shortage at each time, however it seems that the supply to demand gap is now accelerating.
The importance of this workforce aspect in relation to cyber security demands is also highlighted in a report I recently read by Accenture entitled “Intelligent Security: Defending The Digital Business“. In it they summarise the most common issues challenging organisations in having an effective response to cyber security, namely:
- Linking security and business.Tie security programs to business goals and engage stakeholders in the security conversation.
- Thinking outside the compliance (check) box.Go beyond control- or audit-centred approaches and align with two key elements: the business itself and the nature of the threats the enterprise faces.
- Governing the extended enterprise.Establish appropriate frameworks, policies and controls to protect extended IT environments.
- Keeping pace with persistent threats.Adopt a dynamic approach including intelligence, analytics and response to deal with a widening variety of attacks.
- Addressing the security supply/demand imbalance.Develop and retain staff experienced in security architecture planning and design, tools and integration to increase the likelihood of successful outcomes.
Supporting the report they also have a very good infographic that is worth a visit “Take A Security Leap Forwards“.
The point Accenture make that compliance to a given industry’s cyber security regulations is only a good starting point particularly resonates. This is a discussion I have had many times over recent months with colleagues. Meeting compliance requirements is only the minimum level to achieve. It also often tends to be associated with relatively static time based audits rather than real-time monitoring and indeed adaptation. It is pretty clear that the sophistication of externally originated cyber-attacks evolves extremely rapidly. The points attacked are those where defences are strongest and in the hyper-connected digital world securing the perimeter or specific “citadels” within that perimeter is challenging. The defenses need to be real-time, automated, holistic and appropriately funded to both meet the risk and reflect the asset value.
It seems to me that the last year or so has seen a growing understanding of the importance of the Chief Information Security Officer (CISO) role. Based on hearsay it seems that they are having an easier task in obtaining adequate funding for their function. Of course the tooling needs to match the sophistication and evolutionary pace of the cyber attackers. The CISO needs to be enabled to engage with new and disruptive technologies as their emerge so they can define a layer defensive strategy that does not become perceived as a blocker but rather adding value and an absolute necessity. Constructive, frequent and open access to the senior leadership team of any business is critical for a CISO that is empowered to bring real value to their organisation. Often the decision points will be difficult as concepts such as innovation, agility and pace are confronted directly by valid concerns on information integrity and protection appropriate to the value it represents.
As ever in the world of technology there is money to be made by vendors providing tooling that enables appropriate levels of security in the digital world. A recent Financial Times article by Hannah Kuchler highlighted that the cyber security market is now estimated as a $15bn-$20bn over the next three years. The article reports that venture capital funding flowing into this area exceed $1bn for the first time in the first quarter of 2015. Apparently the venture capital funding for the whole of 2014 for cyber security was $2.3bn, itself an increase of 33% over 2013. The money is certainly flowing into the cyber security space. Given the recent experiences of Sony and the publication of information the hackers extracted by WikiLeaks it does start to seem rather unsurprising.
All that said I do think many organisations face their biggest cyber security risk from threats that are far from new to us. The first is the often depressing factor of your own company’s people doing something that in hindsight they would fully accept as being dim. This is often despite the act exposing the corporate information being heavily and frequently communicated as unacceptable. However, in my career to date the threat that has caused me most issues has been obsolete software. Obsolete software that is not listed in the IT asset database and might be lurking under a desk or part of the “shadow IT” world procured on a credit card and forgotten. This software is no longer being actively patched for security vulnerabilities by the vendor. It is so easily missed and the first time you become aware of its existence might well be a very unfortunate moment. Sounds trivial compared to the sophisticated cyber attacker but it does represent an easy access point for them. There are many examples of obsolete software that has been around long enough to be very well embedded. The next one I think might create a few issues for many of us is MS Windows Server 2003 which goes out of support in mid July 2015. Might be worth another check to be sure you will have no surprises in late July?
Image via Shutterstock.com.
I recently met the CIO of a large technology company on the banks of Stickle Tarn below Pavey Ark in the Lake District. We both had dogs that we were restraining from leaping onto the frozen tarn and worrying about a third dog that was right out in the middle of the ice. We turned to each other to comment on the idiocy of allowing the dog onto the creaking ice and realised that we had meet in 2012 at a conference. We decided to do the walk back down to the New Dungeon Ghyll Hotel together and chat over a pint or two. During our descent I (rather boringly!) asked what was his number one concern right now in a work context. The reply was not what I was expecting although you would always assume it is in the top 10 worry list items for any CIO, it was data loss. They had noticed an increasing level of attack on their network and web facing servers over recent months and were working on the premise that it is primarily aimed at intellectual property theft rather than the data and systems they host for clients. After an interesting discussion of the security issues and approach being taken on which I must remain silent we moved on to other topics.
Over the last few pints before we parted company we talked about the shadow IT and budget raider issues I blogged about in my last post. I was not surprised that he confirmed the issues were real to him and ones he was experiencing within his company. He was more bullish about handling the challenges that some other CIOs with whom I’ve discussed the topic but agreed they were current and requiring time and attention to address.
Later that week I read a report published by KPMG on data loss which I was planning to talk about in this post. However, earlier today I read a great blog post on the same topic/report by Sarah Green on the Harvard Business Review site so will instead leave you to read it here.
As a result I have room to talk about a related bee in my bonnet instead! The point in the report on technology companies being one of the primary targets for hackers was telling as I am convinced that Apple have been hacked.
I think the system relating to Apple iTunes gift cards has been compromised. I was recently given a £15 gift card which when I tried to redeem it was declared by iTunes to have “already redeemed”. Now this was a brand new untouched card from which I had personally scratched off the code cover myself so I knew that this could not be true, unless the card was a duplicate or the underlying system compromised. Expecting that a) Apple would be helpful and refund my money and that b) this would prove to be an isolated issues caused by a system glitch I contacted Apple and searched the support forums.
What I found was a number of people posting with similar stories of woe across different countries and that the unhelpful implicit “well you must be mistaken as that code is reporting as already redeemed” position taken by Apple support was consistent. My card was apparently redeemed in June 2012 so clearly my trying to redeem the same code in January 2013 meant I was the one at fault. There is even a video of a chap posted to the Apple support forum using a clearly virgin card and obtaining the “already redeedmed” message; last I read he had made no progress in having Apple accept that there was a problem and he was not trying to re-use an old card. To my shame I gave up arguing with Apple as for £15 it was simply not worth the hassle (and as it was a gift I lacked a receipt to prove date of purchase), however I certainly will not be buying any iTunes gift cards in the future and I remain convinced that their system has been compromised in some way. If you are interested here is one of the support forums where people are reporting the issue.
It would seem that denying and ignoring the issue appears to have been a successful strategy for Apple to date. I suspect that they will probably ride out the “noise” without any real publicity or PR damage. However, I do think that they are skating on thin ice with this approach and eventually this type of customer angst does rebound and cause damage. Denial of security breaches is tempting but ultimately transparency, acknowledgement of the issue and a declared plan to correct is probably the better strategy.