Hale, the director of business and operations at the UK payment processor, was a keynote speaker at the Westminster eForum, where he described how people – rather than hardware or software – are the most common cause of a security incident.
“Our biggest threat is ourselves…it comes down to what we do or don't know, and if we overestimate our capability, or our risk,” said Hale.
This point was later picked up by Admiral Lord Alan West, the former parliamentary under-secretary of state for security and counter-terrorism, who cited an example where his group told a company not to use USB sticks left lying around the office, yet staff ended up using them anyway. “People behave badly even when you tell them not to,” he said.
Ruth Davis, head of cyber, justice and emergency services of UK technology trade association TechUK (formerly known as Intellect), picked up on this at the event by saying that most people don't listen to guidance.
“I think people are broadly aware what is a threat – the problem is that they think it won't happen to them. Although businesses know attackers are targeting them, and are after IP, they are not keeping up with how targeted they are and which parts of their organisations are at risk.”
CHAPS (Clearing House Automated Payment System) offers same-day sterling fund transfers, and Hale detailed at the event how it turns over some £70 trillion in the UK per annum. To guard against security incidents, Hale says CHAPS runs on the RTGS (Real-Time Gross Settlement) system over SWIFT messaging, as used by payment systems worldwide, and fails over to an offsite back-up if both the primary and secondary operations are taken down.
The back-up measures are extensive and deliberately disconnected from the primary service, so that a single failure or compromise cannot take out both: the back-up is an “entirely different service” on another technology stack, on a different software solution, and running in a completely different country. “That's because we understand the risk appetite and set cyber strategy correctly.”
Hale has little time for the usual excuses for poor cyber security implementation, and says that a well-drafted cyber security programme should be imaginative, assume the worst, be flexible in response, rigorous, built on teamwork and ensure regular practice.
Of those usual excuses, he points to several examples where they have proved invalid. ‘It would be impossible' was said of RMS Titanic – which sank in 1912 – and ‘it never happened before' could be applied to the 9/11 attacks on the Twin Towers, or the earlier Kamikaze attacks during World War Two. ‘It really isn't plausible', says Hale, has often been said of the disappearance of Malaysia Airlines' flight MH370.
In particular, he cited the Titanic as evidence that people are the weak link in security.
“Titanic was a ship ahead of its time; it was built by the best engineers in Belfast, it was reckoned to be unsinkable and the captain had never had a major incident – yet we all know the story that thousands of people died.”
He added that the engineers ‘believed their own hype' about the ship being unsinkable, that the design could not cope once six of its supposedly watertight compartments had flooded, and that iron rivets were used rather than steel – mainly because of price. The lifeboats were also insufficient, some having been removed because they were not “aesthetically pleasing”, a case he says where form was put before safety.
These lifeboats eventually left without their full complement of people on board, and even the nearby SS Californian did not come to help RMS Titanic because its crew and captain had apparently been offended.
“It's the perfect metaphor of what can, and what will go wrong [in security].
“Cyber security is all about engaging organisations, managing leadership and making sure people have the skills to be ready. It's all about mind-set – we have to accept we are the biggest risk and practise rigorously.”