Over the last few years we have seen a lot of high-profile data breaches at large companies, in which financial and personal data has been sold on the black market. The significant rise in cyber attacks in this period has made the entire world wake up to the fact that our data is not safe, and that companies should be doing more to protect themselves, their employees and their clients from potential threats.
Recently, the number of corporations attacked by cyber criminals who gained access to corporate systems through email and social engineering has increased. Only last week, it was reported that a gang of 49 suspected cyber criminals who broke into corporate email accounts and diverted customer payments had been arrested by European authorities.
Today, people and businesses want immediate access to data from anywhere in the world and although cloud computing and connected businesses have many benefits, companies are often worried about the risks involved. At Infosecurity Europe 2015 (Infosec), cyber security professionals came together to discuss how best to manage the multitude of conflicting and complicated risks and priorities, as companies become more connected.
Chris Richter, Senior Vice President of Managed Security Services at Level 3 Communications, said that firms need to understand what makes them a target in the first place, and that they should communicate more about their data breach experiences. “Companies need to understand the threats to their data and what makes them a target,” he said. “It’s important to share data breach information to expose breaches,” Richter added during a keynote session at Infosec.
Regulations are affecting how companies manage consumer and client data, and according to Stuart Sharp, Vice President of CipherCloud, they are also having an impact on cloud computing. “Regulations such as the Data Protection Act apply across all industry sectors, and companies right now are trying to better understand regulatory risk. Companies do not understand what the regulations mean now, or what they may mean in the next 18 months, which is making them question how they can move to the cloud whilst covering themselves from a regulatory perspective.”
In the EU, many companies are struggling to deal with increasingly strict data privacy laws, a situation which Sharp says is holding back the adoption of cloud and new applications. “Stricter EU regulations are impacting the adoption of cloud and the implementation of new applications. Because of the uncertainty surrounding these regulations, companies are maintaining outdated in-house applications that the business doesn’t like.”
Sharp says that the Data Protection Act is interpreted differently in each country, so companies that do business in multiple countries face a variety of regulatory requirements depending on where their data resides or travels to. “Globally, each country will also have their own set of regulations, which asks the question: how can companies maintain a global-wide application whilst meeting all of these local requirements?”
According to Sharp, companies are often worried that moving to the cloud adds new risks, which is why CipherCloud is trying to remove those risks and let companies get all of the benefits. “CIOs and CCOs are currently feeling at a loss because they have to tackle the problem of these regulations and also find what tools are available to deal with it,” says Sharp.
CipherCloud recently collaborated with the law firm DLA Piper to produce a compliance resource called "Meeting European Data Protection and Security Requirements with CipherCloud Solutions," which explains how proper encryption and tokenisation of sensitive data can support compliance with both the existing EU Data Privacy Directive and the pending EU Data Privacy Regulation. “In several EU jurisdictions, properly encrypting and tokenising data before migrating it to the cloud enables companies to meet the protection threshold mandated by privacy laws.”
Although regulation plays a major role in data management, Richter believes that “the cyber security landscape is not getting better; it’s getting worse,” and that “too many companies fear the auditor more than they fear the hacker.”
Sharp says that because companies do not have the resources or the time to protect all of their data, they should be focusing on their core assets. “With the growth of data and the fact that it is going to so many places, companies do not have the time or resources to protect everything and need to know which are their core assets.”
Sharp also believes that companies are struggling to know where their data is and what their employees are already using. They should be classifying their data so that they can identify and focus on the sensitive data that is more likely to be a target. “Companies have to take data classification on board as a standard and necessary process; if they then identify their sensitive data, they can focus their resources on that area.”
Another factor that many experts at Infosec said was important when tackling cyber threats is communication. Many of the speakers said that companies and departments should be communicating with each other about their experiences of data breaches in order to expose, and potentially stop, future threats. “Organisations need good conversations about risk management,” said Mark N Jones of Heathrow Airports Limited during a keynote panel session.
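The two ideas above, classifying data so that protection effort goes where the sensitive fields are, and tokenising or encrypting those fields before a record leaves for the cloud, fit together naturally: the classification decides which action each field gets. The following is an added illustration in Python and is not CipherCloud's product code or anything from the article; the field names, the policy table, the `TokenVault` class and the sample record are all constructed for the example. Sensitive fields are replaced by random tokens whose only mapping back to cleartext lives in an on-premises vault, fields that must stay searchable get a keyed one-way pseudonym, and public fields pass through unchanged, so the record the cloud provider stores carries no cleartext of the sensitive values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed classification policy (example only): field name -> handling class.
#   "public"       - sent to the cloud as-is
#   "pseudonymise" - replaced by a keyed HMAC: deterministic, so equal values still
#                    match for search/joins, but not reversible without the key
#   "tokenise"     - replaced by a random token; only the on-premises vault can map back
POLICY = {
    "customer_id": "public",
    "country": "public",
    "email": "pseudonymise",
    "card_number": "tokenise",
    "national_id": "tokenise",
}


class TokenVault:
    """Hypothetical on-premises vault: the only place holding token -> cleartext."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[Tuple[str, str], str] = {}

    def tokenise(self, field: str, value: str) -> str:
        key = (field, value)
        if key in self._value_to_token:  # reuse the token for a repeated value
            return self._value_to_token[key]
        # A random token carries no information about the value it stands for.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        self._value_to_token[key] = token
        return token

    def detokenise(self, token: str) -> str:
        # Raises KeyError for a token this vault never issued.
        return self._token_to_value[token]

    def pseudonymise(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        return "pid_" + digest[:32]


def protect_record(vault: TokenVault, record: dict, policy: dict = POLICY) -> dict:
    """Apply the classification policy to a record before it leaves the premises."""
    out = {}
    for field, value in record.items():
        # Unknown fields are treated as sensitive by default (fail closed).
        action = policy.get(field, "tokenise")
        if action == "public":
            out[field] = value
        elif action == "pseudonymise":
            out[field] = vault.pseudonymise(value)
        else:
            out[field] = vault.tokenise(field, value)
    return out


def restore_record(vault: TokenVault, protected: dict, policy: dict = POLICY) -> dict:
    """Reverse tokenisation on a record coming back from the cloud."""
    out = {}
    for field, value in protected.items():
        if policy.get(field, "tokenise") == "tokenise":
            out[field] = vault.detokenise(value)
        else:
            out[field] = value  # pseudonyms are one-way; public fields are unchanged
    return out


def leaks_cleartext(protected: dict, record: dict, policy: dict = POLICY) -> bool:
    """True if any non-public cleartext value appears anywhere in the outbound record."""
    sensitive = [v for f, v in record.items() if policy.get(f, "tokenise") != "public"]
    blob = " ".join(str(v) for v in protected.values())
    return any(v in blob for v in sensitive)


# Constructed sample record for the demonstration.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "country": "GB",
    "email": "alice@example.com",
    "card_number": "4111 1111 1111 1111",
    "national_id": "ZX-123456-Q",
}

if __name__ == "__main__":
    vault = TokenVault(hmac_key=b"example-key-held-on-premises")
    outbound = protect_record(vault, SAMPLE_RECORD)
    print("sent to cloud:", outbound)
    print("cleartext leaked:", leaks_cleartext(outbound, SAMPLE_RECORD))
    print("restored:", restore_record(vault, outbound))
```

The design point is the split of responsibility: the vault and the HMAC key never leave the company, so a compromise of the cloud-side copy exposes tokens and pseudonyms only. The pseudonymised email illustrates the trade-off the article hints at: keeping a field matchable means it is not fully random, so anyone holding the key can recompute pseudonyms for guessed inputs, which is why that key must be protected as carefully as the vault.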
However, according to Shan Lee, Head of Information Security at JUST EAT, many organisations tend to hide their experiences rather than talk openly about them. “Traditionally people hide their risk threats, but now we are getting better at sharing,” said Lee.
Vicki Gavin, Head of Business Continuity and Information Security at The Economist Group, believes that companies should be working together to get the best results. “Nobody wins the business continuity war; we are all in this together,” said Gavin.
Sharp believes that companies can better protect themselves and their employees against potential threats if their IT and security departments work more closely together. “Security is often seen as a blocker rather than an enabler. However, the security team has the opportunity to analyse what clouds the employees are using and can then tell the IT department where the demand is, which would enable IT to focus on meeting that requirement and provide what the employees need, rather than them having to use unsecure and unauthorised websites.”
Protecting your identity
Paul Simmonds, CEO of the Global Identity Foundation, a global not-for-profit foundation that wants to fix identity problems and make the world a safer place by keeping data private, said that 90 per cent of financial threat and credit card fraud is due to issues with identity. “If you look at the financial threat that’s out there, it’s predicted that criminals are getting away with around $350bn a year; credit card fraud is around $35bn a year, and at its root cause 90 per cent of this is due to a lack of identity.”
Simmonds says that we are making it easy for cyber criminals to steal our identities. “We are making it terribly easy for criminals to impersonate us because all of our information is already out there.” He also says that companies could make better risk-based decisions if they had more accurate information. “There is a huge amount of misinformation because it is not coming from the primary source; therefore, the more accurate first-hand information that a company receives, the better they can understand context and make good risk-based decisions, which is critical for the financial community.”
So how can consumers better protect their identities? Simmonds believes that at the moment there is no easy way; however, for companies to better protect themselves and their staff, training and sharing data are vital. “Better training is key, all the way through to implementing better systems and sharing authoritative data.”
According to Richter, “hacking is becoming a commercial business,” and 1,800 new distinct families of viruses have been detected in the past year. He also said that 40 per cent of the top 10 data breaches in 2014 were due to lapses in non-technical controls, which include mistakes and a lack of governance.
Richter classifies cyber attackers into four different groups:
- Hacktivists who are making a political statement
- Organised Criminals who are attacking for financial gain
- Nation States who want to gain an advantage over other countries
- Insiders, who can be either malicious employees that want to hurt the credibility of the company or benign employees that are unaware of what they are doing
Richter said that companies need to accept the “new normal” because cyber threats are not going to go away, and that “if your data is exposed online, someone out there will want it and will profit from it.” He also said that the financial industry isn’t the only industry that is a target. “A healthcare record is more valuable than credit card data because a hacker could steal someone’s identity.”