Not knowing who or what is on your network is leaving organisations vulnerable to cyber-crime including ransomware. Although there are technical issues, training and personnel is a bigger problem. That was the message from a panel discussion at SC Congress London Thursday 15 February.
The moderator of the panel – Sarb Sembhi, CTO and CISO at Virtually Informed – began the discussion with statistics showing the impact that cyber-crime is having on business.
“What we have seen over the past year, the crime statistics, cyber crime report 2017 said there has been a 100 percent increase in attacks over the past two years, and cyber-attackers have moved from stealing credit card data to wanting long term profits from stolen identities.”
Over 90 percent of accounts opened in the UK in 2015-2017 were fraudulent, totalling 83 million accounts, he said.
The Crime Survey for England and Wales recorded 4.7 million cases of computer misuse and fraud from September 2016 to September 2017, a slight decrease on the previous period. Meanwhile, 68 percent of frauds were cyber-related and 23 percent of computer misuse cases involved loss of money.
The cyber-crime tactics and techniques 2017 state of malware report by ThreatMatrix said that incidents of ransomware attacks have increased by more than 90 percent. “In the UK, many corporations are worried about that, so security of your network is very important,” Sembhi said.
Philip James, a partner at law firm Sheridan's, said that from a legal perspective network security is not just about being able to protect your data but also about knowing when it is being accessed.
Neil Sinclair, the chief operating officer at the London Digital Security Centre, said that the hardest problem for his organisation is engaging with the right people in small-to-medium-size businesses who have responsibility for cyber-security in their organisations. They sometimes visit businesses with a police officer which helps to underscore the importance of cyber-security and encourages managers to speak more openly about their cyber-security challenges.
Many SMEs who don't employ a cyber-security professional find the amount of information and advice available to them overwhelming, Sinclair said. “If we are going to be successful, we have to pare down what we are throwing out there,” he added.
Ed Tucker, formerly head of cyber-security at HMRC and now CISO at DP Governance, said lack of understanding of the network environment was a major contributor to security breaches.
“How many people know exactly how many devices they have connected to their network? How many people understand what services and applications they have and whether they talk to each other, and what protocols they use?” he asked.
He said that users continue to be bad at the basics and “they have been for years and years. The problem is that it's the really hard stuff to fix… And it's really hard to define what ‘normal’ is.”
Meanwhile, it's wrong to say that attacks are getting more sophisticated, he said. “In fact, most attacks are not sophisticated because everybody is rubbish at the basics. The problem is that there is not a breach in the history of breaches that is down to one thing in isolation.”
Tony Collings said: “The first problem is, do you know what's on your network? Most people don't and particularly when dealing with IoT and mobile apps, they probably shouldn't be there or they are introducing vulnerabilities to your network that are putting your risk profile through the roof.”
He added: “It's a real challenge. You need to look at what you've actually got. Once you do, ask what it does and is it important? Where does it sit in your business threat matrix? How do you defend and how do you protect? And if you don't need it, don't have it on your network.”
Tucker summed up the threat from staff as, “We need to teach people to protect the corporate by protecting themselves. It's a big problem. The real skills gap is that people don't understand cyber-security.”