In a panel themed "Future of Cyber Security - Threats, trends and technologies" at last week's Digital Transformation Expo Europe, the panelists were largely in agreement that the focus needs to be on people, both the users of cyber-security technologies and the general public, whether at home or at work, and that technology should serve to enable them to go about their business securely.
For Chi Onwurah, Shadow Minister for Industrial Strategy, Science and Innovation and MP for Newcastle upon Tyne Central, the main trend is a more joined-up approach to technological development and regulation, along with a more political agenda around it, including issues of privacy and surveillance and the use of encryption. She noted how many people are now scared of operating online, fearful that something will go wrong and their data or identity will be stolen.
Josh Reynolds, senior associate at Tessian, said that one of the main issues was still very much phishing. He noted that while security gateways helped, phishing often no longer relies on malicious links but instead exploits human relationships. He cited a recent business email compromise (BEC) attack that stole millions of dollars via a purported Dubai company takeover, achieved by impersonating a CEO: the scam was built up over months, but then the thieves struck quickly.
Paul Ducklin, principal research scientist at Sophos, described how the industry has "gone from keeping bad stuff out to keeping good stuff in," adding that, "If we all raise the bar of cyber security a bit, it can help us all." But he emphasised that we can't just rely on technology and that we need to take some ownership of cyber-security ourselves.
Karla Reffold, founder of BeecherMadden, said that further training was the big thing we still need to do. Technology, both software and hardware, is an enabler, but the crooks have already realised that less is more, and we also need to invest more in the human element, as we are making it too easy for crooks at the moment.
Zoë Rose, ethical hacker at Rose Security, suggested the emphasis should be on the humans who implement the solution: we need to focus on them, and understand why a solution is designed the way it is. Our tech people need to understand how it works, what it means to be phished, how it happens and how to identify it; otherwise attacks will keep happening. She agreed that the solution isn't technology, it's people, and making products better by being people-focused.
Chi concurred, saying: "Training and securing people drives the technology. But for all your people, not just the technologists or finance. We have a huge skills gap (in the population at large) which is getting bigger. Everyone needs to feel in control of the technology they use. They need to understand the value of data, e.g. giving one tick on a 15 page document that agrees to handing over all their location data for all time is not being transparent."
Reynolds added that understanding of data is too often left to the tech people, whereas we all need to understand our own data and how it can be used in order to protect it.
Rose said one way she did this was by providing staff at companies with individual privacy disclosure reports, produced by going online, finding publicly available intelligence that could be used for tailored phishing campaigns, and presenting it to those staff. She suggests that understanding the value of data, and helping people understand how hacking works, enables them to review their own vulnerability.
Ducklin suggested that it is counter-productive for IT departments to try to force people to learn about risks; if people are treated sensitively, they can realise that these risks matter in their private lives and are happy to improve their understanding, which also benefits their employer. The work/life mix has changed, and what we learn at work matters for our day-to-day lives. He added that the idea that we just have to be better than, and beat, others is a poor way to view security; we should want to bring others up too, an altruism that benefits everyone.
Rose agreed, saying that intrinsic motivation is brilliant for long-term learning, whereas externally imposed learning has only a short-term impact.
Onwurah called on people to emphasise to the current government that we are only in the 'baby pool' of cyber security: smart cities, smart homes and smart lives, and the advent of pervasive IoT, will open up our lives online, and both companies and individuals will face an exponentially increasing threat, hence the need to prepare, train and educate entire populations, leaving no-one out.
When the conversation came back to technology, and the perennial issue of how companies deal with the plethora of tech products, Rose noted that while there are many solutions, not every one fits you. "The role of cyber security professionals isn’t to find the sexiest solution, but to find what suits your organisation's risk and what solution fits it, looking at the situation, regulatory environment, different threat actors, different people. The newest, coolest product isn’t always the best solution - in fact a free product might sometimes be the best solution as you need to accommodate the people operating it. If it can’t be maintained, or doesn’t cover something you need, it’s not right for you."
Ducklin said that we shouldn’t complain about there being too much choice, too many vendors and too much overlap. The opposite, he pointed out, is just picking someone to do it all for you, so you could just go with, say, Google, and one person who thinks they have everything sorted. "I like the idea of divide and conquer. There isn't just one solution. Don’t collect logs if you don’t use them. And don’t think you are spoilt for choice."
Reynolds noted how keeping solutions internal lets you adapt more than outsourcing does, and also echoed the view that it's more important to find the solution that works for you.
However, Onwurah pointed out that the vast majority of companies have no board and no CTO, hence the government needs to set incentives and rewards for these small businesses to find solutions that work for them. She also noted that just 50,000 organisations, out of millions of companies and organisations, have taken up Cyber Essentials, the government-recommended minimum level of cyber-security needed to bid for government contracts. Onwurah suggested that insurance requirements should perhaps now stipulate a certain level of cyber-security, whatever the size of the company.
She added that while the government has done a lot to defend, say, critical national infrastructure (CNI) from nation-state attacks, more needs to be done at the SME level, where perhaps we need to see some huge failures making headlines to encourage change, as it is not getting the traction that it should.
Ducklin suggested that the government was "on a hiding to nothing," as people would say provision was too basic if they kept things simple, or that it was elitist if it was more complex. He added that the ICO is already a great resource on GDPR. Rose agreed that the resources from the NCSC are really good and there is lots of information out there. However, Onwurah said that IoT standards in particular could be much better.