The threat to financial services and other firms from hackers, malware, hacktivists, insiders and the global nature of IT security threats was outlined by two UK government ministers at the first day of the Infosecurity Europe 2013 trade show, running this week at Earls Court in London, and illustrated by the latest Information Security Breaches Survey (ISBS) from PwC which showed 87% of small businesses and 93% of large ones had a security breach last year. A panel of chief information security officers (CISOs), including representatives from RBS and Bank of America Merrill Lynch also discussed the key skills needed for the job, reports Neil Ainger, in front of their peers at the show.
The importance of information security was never more obvious than on the first day of the Infosecurity Europe 2013 trade show on 23 April in London when many of the 10,000 attendees were digesting the news of the twitter account hack against Associated Press, which yesterday sent out false reports of an attack on the White House and erroneous reports of injuries to Barack Obama, briefly destabilising financial markets.
The 2013 infosec trade show got underway, before news of the attack circulated, with an opening keynote speech from Chloe Smith, UK Minister for Political and Constitutional Reform in the Cabinet Office, who outlined the UK’s cybercrime strategy. This consists of two elements: to assist firms in fighting against online threats to their intellectual property and business operations by providing funding, partnership and security services expertise, and secondly, to provide the infosec industry with 100 apprenticeships, money, standards and support, as well as adding information security to the school curriculum, so that it can grow without fear of a skills shortage and become an export winner for the UK.
“There are 2,300 UK firms in the cyber security sector,” explained Smith, “26,000 jobs and it is worth £3.8bn, with £800m of that in export earnings. The UK government is launching a cyber growth initiative to provide advice, partnerships and to grow this industry further.”
Infosec Breaches Survey 2013
The need to battle the growing threat of distributed denial of service (DDOS) attacks, identity theft to perpetrate fraud, and battle the myriad other IT security threats facing corporations around the world was illustrated in an afternoon presentation outlining the latest 2013 Information Security Breaches Survey (ISBS) from PwC and the government’s Department for Business, Innovation and Skills (BIS).
Prefaced by a video presentation by David Willets, UK Minister for Universities and Science, who said the government “recognises that this isn’t solely a military issue” [see the Mandiant report for more on this], and added that solutions “require governments, businesses and everyone to work together”, the minister went on to warn that the ISBS survey showed:
• 23% of firms have not carried out any form of security risk assessment.
• 26% of the 1,365 IT security survey respondents hadn’t briefed their board about security risks in the last year, and 19% have never done so.
• 31% do not evaluate how effective their security expenditure is.
The headline figure of 93% of large corporations suffering a security breach last year, was quite stable in comparison to last year’s report, explained Chris Potter, the ISBS report’s author and a partner at PwC, who has been running the survey for over a decade and has it peer reviewed by infosec trade bodies such as ISC2, IET and ISACA, the global security and data efficiency organisation which has more than 100,000 members across 180 countries.
The 87% of small businesses that suffered a breach, however, was up from 76% last year and “the burden of the ‘clean-up’ costs of such an attack against smaller firms is disproportionately harder to bear,” pointed out Potter.
“More worryingly, there are bigger and more breaches to clean up, which are costing more money to deal with,” added Potter, referencing the survey result that show companies - of whatever size - experienced 50% more breaches on average than a year ago. The full results of the 2013 Information Security Breaches Survey can be seen here. The average cost of the worst security breach against a large corporation during the past year was estimated at a high of £850,000 by PwC, with some firms suffering losses in excess of £1m from a single attack, and others a lower figure of £450,000, but remember this is the average cost of the worst single attack and many companies suffered multiple attacks. Those previously targeted are also likely to suffer more breaches, found the survey.
The key skills of a chief information security officer (CISO) were discussed in the afternoon at Infosecurity Europe 2013 when a panel discussed how to ‘Survive and Thrive’ as an infosec professional in front of hundreds of their peers at the show.
Simon Riggs, regional information security officer for Europe, Middle-East and Africa (EMEA) at Bank of America Merrill Lynch (BAML), explained that as a CISO you are part of the senior management team and need to communicate with your colleagues. “Don’t get too technical in a business meeting,” he warned, and always remember to balance the business needs with the security and risk assessment requirements.
This need for balance was a stance the panel, which included Paul Swarbrick, CISO, at the UK NATS air traffic controller and John Meakin, CISO at RBS’ Markets and International Banking division, agreed with because, as was pointed out by Matthew Ford at the consumer Reckitt Benckiser Group: “perfect security is a misnomer. You always need to consider the business case too [and what you can afford].”
“I have seen so many security teams make an enemy of the business by being too rigorous and not communicating enough - in a clear enough manner - about what they were doing, you would not believe it,” said RBS’ Meakin.
The point being that yes, of course you have to do your day job and protect the business from internal and external IT security threats, but you also need to set a coherent strategy as a CISO and communicate it, and accept that there won’t always be enough budget to do everything that you’d like to do. “As long as you’ve explained the risks of inaction to your senior management colleagues then that is fine because a clear risk versus reward assessment can then be done.”
“Incidents are always going to happen; it’s a fact of life for a CISO,” continued RBS' Meakin. “It’s how you react that is crucial.”
A Risk-based Approach
This is a point that was mirrored earlier in the day by Michael Paisley, head of operational risk, at Santander, during a panel discussion entitled ‘Risk: Fostering a risk-based approach to information security’. As he said: “We are all risk management guys - yes even you techie IT security guys sitting at the back! There is no such thing as an information security risk; there is just risk.”
In other words, work with your colleagues to assess risks of all stripes and respond accordingly to them in a flexible way, based upon prior planning and the knowledge that you have acquired as an information security professional. As the morning’s panel concluded understanding risk exposure and applying risk management techniques to information security is integral to improving an organisation’s security posture and cyber resilience in an increasingly threatening, globalised world.
Co-op Bank Assurance Project
The skills of risk assessment and of CISOs were displayed in action by Mark Henry, IT security assurance manager at the Co-operative Bank, who explained a project that his bank has undertaken with Accuity and the Information Security Forum (ISF) to introduce an integrated security management system. The morning case study in the business strategy theatre at Infosecurity Europe 2013, explained how the bank’s new management system was designed, built and operated to take account of a wide variety of risk and compliance activities and standardised against the ISO 27001 security standard, for example, and PCI DSS for any IT upgrades or projects involving card payments. All IT projects at the Co-op Bank are now undertaken against assurance standards such as ISACA’s COBIT framework, ISO 20000 for IT and service management quality assurance, ISO 22301 for business continuity management and so forth, to ensure a minimum level of consistent IT quality.
Accuity has provided its Stream data reporting and oversight software to ensure a dashboard is available to managers at the Co-op Bank to check on progress during this on-going IT assurance project, which was started in 2011, and to continually assess performance in the future.
“The ISF Standard Good Practice stipulations are the key baseline that we measure ourselves against in terms of information security,” explained Henry, while other standards are deployed as appropriate, such as ISO 9001 for product and service quality management. “Anyone, building in UNIX for example will do so following the usual technical standards, but also measure themselves against the ISF stipulations, and any other relevant standards to that particular area - say, the PCI DSS card payments security standards, for instance, if an application is being developed in that area.”
Management has certainly been a key requirement in this large and on-going Co-op Bank IT assurance project. “The point is we want an integrated risk management structure so that we can make informed management decisions in the future,” concluded Henry. That includes information security risks, among much else. Having such an integrated structure will certainly prove useful as multiple threat vectors from hacktivists, insiders and criminal fraudsters are increasingly directed against companies around the world.